41f98d67e9537ad119b3d181132bc00196708a5fc1cf76a5fd65cedef3037ad2

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
31/05/2024, 08:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

41f98d67e9537ad119b3d181132bc00196708a5fc1cf76a5fd65cedef3037ad2.exe
Size

104KB
MD5

41beeee2e36acf7c231ddd5b5956e38b
SHA1

5b178def14f47eb7469cb98cf8b793e72ef72d49
SHA256

41f98d67e9537ad119b3d181132bc00196708a5fc1cf76a5fd65cedef3037ad2
SHA512

790fd24f3951ef3fdb8741fdfaa6c2bbd3ca18463b425747a5882013d07a1543ea7967647ea192d9e0dfd812a3180a6547a116c9acb2b9a2535e81e5bcdc3805
SSDEEP

768:RVo0gkvyCr9ktojRMLorOylxVR075gNObwyBeI9TAAmn6Wl606TAAi1ESiMXg+T5:vgU7xQoBBrf07mdpIBF0vrgE+kAA

Score

9^/10

discovery evasion persistence

Malware Config

Signatures

Looks for VirtualBox Guest Additions in registry 2 TTPs 6 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Oracle\VirtualBox Guest Additions\Version = "4.2.10"	41f98d67e9537ad119b3d181132bc00196708a5fc1cf76a5fd65cedef3037ad2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Oracle\VirtualBox Guest Additions\VersionExt = "4.2.10"	41f98d67e9537ad119b3d181132bc00196708a5fc1cf76a5fd65cedef3037ad2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Oracle\VirtualBox Guest Additions\Revision = "84104"	41f98d67e9537ad119b3d181132bc00196708a5fc1cf76a5fd65cedef3037ad2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Oracle\VirtualBox Guest Additions\InstallDir = "C:\\Program Files (x86)\\Oracle\\VirtualBox Guest Additi"	41f98d67e9537ad119b3d181132bc00196708a5fc1cf76a5fd65cedef3037ad2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Oracle\VirtualBox Guest Additions	41f98d67e9537ad119b3d181132bc00196708a5fc1cf76a5fd65cedef3037ad2.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Oracle\VirtualBox Guest Additions	41f98d67e9537ad119b3d181132bc00196708a5fc1cf76a5fd65cedef3037ad2.exe

Looks for VirtualBox executables on disk 2 TTPs 1 IoCs

File and Directory Discovery

T1083

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
File opened (read-only)	C:\Windows\SysWOW64\VBoxService.exe	VBoxService.exe

Drops file in Drivers directory 12 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\drivers\vmx_svga.sys	41f98d67e9537ad119b3d181132bc00196708a5fc1cf76a5fd65cedef3037ad2.exe
File created	C:\Windows\SysWOW64\drivers\vsock.sys	41f98d67e9537ad119b3d181132bc00196708a5fc1cf76a5fd65cedef3037ad2.exe
File created	C:\Windows\SysWOW64\drivers\VBoxVideo.sys	41f98d67e9537ad119b3d181132bc00196708a5fc1cf76a5fd65cedef3037ad2.exe
File created	C:\Windows\SysWOW64\drivers\vmusbmouse.sys	41f98d67e9537ad119b3d181132bc00196708a5fc1cf76a5fd65cedef3037ad2.exe
File created	C:\Windows\SysWOW64\drivers\vmxnet.sys	41f98d67e9537ad119b3d181132bc00196708a5fc1cf76a5fd65cedef3037ad2.exe
File created	C:\Windows\SysWOW64\drivers\vmci.sys	41f98d67e9537ad119b3d181132bc00196708a5fc1cf76a5fd65cedef3037ad2.exe
File created	C:\Windows\SysWOW64\drivers\vmhgfs.sys	41f98d67e9537ad119b3d181132bc00196708a5fc1cf76a5fd65cedef3037ad2.exe
File created	C:\Windows\SysWOW64\drivers\vmmouse.sys	41f98d67e9537ad119b3d181132bc00196708a5fc1cf76a5fd65cedef3037ad2.exe
File created	C:\Windows\SysWOW64\drivers\vmscsi.sys	41f98d67e9537ad119b3d181132bc00196708a5fc1cf76a5fd65cedef3037ad2.exe
File created	C:\Windows\SysWOW64\drivers\VBoxGuest.sys	41f98d67e9537ad119b3d181132bc00196708a5fc1cf76a5fd65cedef3037ad2.exe
File created	C:\Windows\SysWOW64\drivers\VBoxMouse.sys	41f98d67e9537ad119b3d181132bc00196708a5fc1cf76a5fd65cedef3037ad2.exe
File created	C:\Windows\SysWOW64\drivers\VBoxSF.sys	41f98d67e9537ad119b3d181132bc00196708a5fc1cf76a5fd65cedef3037ad2.exe

Looks for VMWare Tools registry key 2 TTPs 2 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\VMware, Inc.\VMware Tools	41f98d67e9537ad119b3d181132bc00196708a5fc1cf76a5fd65cedef3037ad2.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\VMware, Inc.\VMware Tools	41f98d67e9537ad119b3d181132bc00196708a5fc1cf76a5fd65cedef3037ad2.exe

Executes dropped EXE 5 IoCs

pid	Process
5072	VBoxTray.exe
2092	VBoxService.exe
2512	vmtoolsd.exe
3020	ollydbg.exe
4996	vmacthlp.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\VBoxTray = "C:\\Windows\\system32\\VBoxTray.exe"	41f98d67e9537ad119b3d181132bc00196708a5fc1cf76a5fd65cedef3037ad2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\VMware User Process = "C:\\Program Files (x86)\\VMware\\VMware Tools\\vmtoolsd.e"	41f98d67e9537ad119b3d181132bc00196708a5fc1cf76a5fd65cedef3037ad2.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 59 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\VBoxMRXNP.dll	41f98d67e9537ad119b3d181132bc00196708a5fc1cf76a5fd65cedef3037ad2.exe
File created	C:\Windows\SysWOW64\VBoxOGL.dll	41f98d67e9537ad119b3d181132bc00196708a5fc1cf76a5fd65cedef3037ad2.exe
File created	C:\Windows\system32\spool\drivers\w32x86\3\TPPrnUIchs.dll	41f98d67e9537ad119b3d181132bc00196708a5fc1cf76a5fd65cedef3037ad2.exe
File created	C:\Windows\system32\spool\drivers\w32x86\3\TPPrnUIhun.dll	41f98d67e9537ad119b3d181132bc00196708a5fc1cf76a5fd65cedef3037ad2.exe
File created	C:\Windows\SysWOW64\vmGuestLibJava.dll	41f98d67e9537ad119b3d181132bc00196708a5fc1cf76a5fd65cedef3037ad2.exe
File created	C:\Windows\SysWOW64\vmwogl32.dll	41f98d67e9537ad119b3d181132bc00196708a5fc1cf76a5fd65cedef3037ad2.exe
File created	C:\Windows\SysWOW64\VBoxDisp.dll	41f98d67e9537ad119b3d181132bc00196708a5fc1cf76a5fd65cedef3037ad2.exe
File created	C:\Windows\SysWOW64\VBoxOGLarrayspu.dll	41f98d67e9537ad119b3d181132bc00196708a5fc1cf76a5fd65cedef3037ad2.exe
File created	C:\Windows\system32\spool\drivers\w32x86\3\TPPrnUIita.dll	41f98d67e9537ad119b3d181132bc00196708a5fc1cf76a5fd65cedef3037ad2.exe
File created	C:\Windows\SysWOW64\VBoxControl.exe	41f98d67e9537ad119b3d181132bc00196708a5fc1cf76a5fd65cedef3037ad2.exe
File created	C:\Windows\system32\spool\drivers\w32x86\3\PSCRIPT.NTF	41f98d67e9537ad119b3d181132bc00196708a5fc1cf76a5fd65cedef3037ad2.exe
File created	C:\Windows\system32\spool\drivers\w32x86\3\TPPrnUIesn.dll	41f98d67e9537ad119b3d181132bc00196708a5fc1cf76a5fd65cedef3037ad2.exe
File created	C:\Windows\SysWOW64\VBoxTray.exe	41f98d67e9537ad119b3d181132bc00196708a5fc1cf76a5fd65cedef3037ad2.exe
File created	C:\Windows\SysWOW64\TPVMMonUIjpn.dll	41f98d67e9537ad119b3d181132bc00196708a5fc1cf76a5fd65cedef3037ad2.exe
File created	C:\Windows\SysWOW64\TPVMMondeu.dll	41f98d67e9537ad119b3d181132bc00196708a5fc1cf76a5fd65cedef3037ad2.exe
File created	C:\Windows\system32\spool\drivers\w32x86\3\TPPRN.DLL	41f98d67e9537ad119b3d181132bc00196708a5fc1cf76a5fd65cedef3037ad2.exe
File created	C:\Windows\system32\spool\drivers\w32x86\3\TPPrnUIptb.dll	41f98d67e9537ad119b3d181132bc00196708a5fc1cf76a5fd65cedef3037ad2.exe
File created	C:\Windows\system32\spool\drivers\w32x86\3\TPPS.DLL	41f98d67e9537ad119b3d181132bc00196708a5fc1cf76a5fd65cedef3037ad2.exe
File created	C:\Windows\SysWOW64\tprdpw32.dll	41f98d67e9537ad119b3d181132bc00196708a5fc1cf76a5fd65cedef3037ad2.exe
File created	C:\Windows\SysWOW64\vmhgfs.dll	41f98d67e9537ad119b3d181132bc00196708a5fc1cf76a5fd65cedef3037ad2.exe
File created	C:\Windows\SysWOW64\vmx_mode.dll	41f98d67e9537ad119b3d181132bc00196708a5fc1cf76a5fd65cedef3037ad2.exe
File created	C:\Windows\SysWOW64\VBoxOGLfeedbackspu.dll	41f98d67e9537ad119b3d181132bc00196708a5fc1cf76a5fd65cedef3037ad2.exe
File created	C:\Windows\system32\spool\drivers\w32x86\3\TPPrnUIcht.dll	41f98d67e9537ad119b3d181132bc00196708a5fc1cf76a5fd65cedef3037ad2.exe
File created	C:\Windows\SysWOW64\TPSvc.dll	41f98d67e9537ad119b3d181132bc00196708a5fc1cf76a5fd65cedef3037ad2.exe
File created	C:\Windows\SysWOW64\TPVMMon.dll	41f98d67e9537ad119b3d181132bc00196708a5fc1cf76a5fd65cedef3037ad2.exe
File created	C:\Windows\system32\spool\drivers\w32x86\3\PS5UI.DLL	41f98d67e9537ad119b3d181132bc00196708a5fc1cf76a5fd65cedef3037ad2.exe
File created	C:\Windows\system32\spool\prtprocs\w32x86\TPWinPrn.dll	41f98d67e9537ad119b3d181132bc00196708a5fc1cf76a5fd65cedef3037ad2.exe
File created	C:\Windows\SysWOW64\VBoxOGLpassthroughspu.dll	41f98d67e9537ad119b3d181132bc00196708a5fc1cf76a5fd65cedef3037ad2.exe
File created	C:\Windows\SysWOW64\VBoxService.exe	41f98d67e9537ad119b3d181132bc00196708a5fc1cf76a5fd65cedef3037ad2.exe
File created	C:\Windows\system32\spool\drivers\w32x86\3\TPPrnUIrus.dll	41f98d67e9537ad119b3d181132bc00196708a5fc1cf76a5fd65cedef3037ad2.exe
File created	C:\Windows\SysWOW64\VMUpgradeAtShutdownWXP.dll	41f98d67e9537ad119b3d181132bc00196708a5fc1cf76a5fd65cedef3037ad2.exe
File created	C:\Windows\SysWOW64\VBoxOGLerrorspu.dll	41f98d67e9537ad119b3d181132bc00196708a5fc1cf76a5fd65cedef3037ad2.exe
File created	C:\Windows\SysWOW64\config\ThinPrin.evt	41f98d67e9537ad119b3d181132bc00196708a5fc1cf76a5fd65cedef3037ad2.exe
File created	C:\Windows\system32\spool\drivers\w32x86\3\TPPS.PPD	41f98d67e9537ad119b3d181132bc00196708a5fc1cf76a5fd65cedef3037ad2.exe
File created	C:\Windows\SysWOW64\VBoxOGLcrutil.dll	41f98d67e9537ad119b3d181132bc00196708a5fc1cf76a5fd65cedef3037ad2.exe
File created	C:\Windows\system32\spool\drivers\w32x86\3\TPPrnUIcsy.dll	41f98d67e9537ad119b3d181132bc00196708a5fc1cf76a5fd65cedef3037ad2.exe
File created	C:\Windows\system32\spool\drivers\w32x86\3\TPPrnUIdeu.dll	41f98d67e9537ad119b3d181132bc00196708a5fc1cf76a5fd65cedef3037ad2.exe
File created	C:\Windows\system32\spool\drivers\w32x86\3\TPPrnUIell.dll	41f98d67e9537ad119b3d181132bc00196708a5fc1cf76a5fd65cedef3037ad2.exe
File created	C:\Windows\system32\spool\drivers\w32x86\3\TPPrnUIjpn.dll	41f98d67e9537ad119b3d181132bc00196708a5fc1cf76a5fd65cedef3037ad2.exe
File created	C:\Windows\SysWOW64\TPVMMonUI.dll	41f98d67e9537ad119b3d181132bc00196708a5fc1cf76a5fd65cedef3037ad2.exe
File created	C:\Windows\SysWOW64\vsocklib.dll	41f98d67e9537ad119b3d181132bc00196708a5fc1cf76a5fd65cedef3037ad2.exe
File created	C:\Windows\system32\spool\drivers\w32x86\3\TPOG.chm	41f98d67e9537ad119b3d181132bc00196708a5fc1cf76a5fd65cedef3037ad2.exe
File created	C:\Windows\SysWOW64\TPVMMonjpn.dll	41f98d67e9537ad119b3d181132bc00196708a5fc1cf76a5fd65cedef3037ad2.exe
File created	C:\Windows\SysWOW64\vmx_fb.dll	41f98d67e9537ad119b3d181132bc00196708a5fc1cf76a5fd65cedef3037ad2.exe
File created	C:\Windows\system32\spool\drivers\w32x86\3\TPPrnUI.DLL	41f98d67e9537ad119b3d181132bc00196708a5fc1cf76a5fd65cedef3037ad2.exe
File created	C:\Windows\system32\spool\drivers\w32x86\3\PSCRIPT5.DLL	41f98d67e9537ad119b3d181132bc00196708a5fc1cf76a5fd65cedef3037ad2.exe
File created	C:\Windows\system32\spool\drivers\w32x86\3\TPPS.INI	41f98d67e9537ad119b3d181132bc00196708a5fc1cf76a5fd65cedef3037ad2.exe
File created	C:\Windows\SysWOW64\VBoxOGLpackspu.dll	41f98d67e9537ad119b3d181132bc00196708a5fc1cf76a5fd65cedef3037ad2.exe
File created	C:\Windows\system32\spool\drivers\w32x86\3\TPPrnUIfra.dll	41f98d67e9537ad119b3d181132bc00196708a5fc1cf76a5fd65cedef3037ad2.exe
File created	C:\Windows\system32\spool\drivers\w32x86\3\TPPrnUIplk.dll	41f98d67e9537ad119b3d181132bc00196708a5fc1cf76a5fd65cedef3037ad2.exe
File created	C:\Windows\system32\spool\drivers\w32x86\3\TPPrnUIsve.dll	41f98d67e9537ad119b3d181132bc00196708a5fc1cf76a5fd65cedef3037ad2.exe
File created	C:\Windows\SysWOW64\VBoxHook.dll	41f98d67e9537ad119b3d181132bc00196708a5fc1cf76a5fd65cedef3037ad2.exe
File created	C:\Windows\system32\spool\drivers\w32x86\3\TPPrnUIkor.dll	41f98d67e9537ad119b3d181132bc00196708a5fc1cf76a5fd65cedef3037ad2.exe
File created	C:\Windows\system32\spool\drivers\w32x86\3\TPPrnUItha.dll	41f98d67e9537ad119b3d181132bc00196708a5fc1cf76a5fd65cedef3037ad2.exe
File created	C:\Windows\SysWOW64\TPVMW32.dll	41f98d67e9537ad119b3d181132bc00196708a5fc1cf76a5fd65cedef3037ad2.exe
File created	C:\Windows\SysWOW64\vmGuestLib.dll	41f98d67e9537ad119b3d181132bc00196708a5fc1cf76a5fd65cedef3037ad2.exe
File created	C:\Windows\system32\spool\drivers\w32x86\3\TPOG.bin	41f98d67e9537ad119b3d181132bc00196708a5fc1cf76a5fd65cedef3037ad2.exe
File created	C:\Windows\SysWOW64\TPVMMonUIdeu.dll	41f98d67e9537ad119b3d181132bc00196708a5fc1cf76a5fd65cedef3037ad2.exe
File created	C:\Windows\system32\spool\drivers\w32x86\3\PSCRIPT.HLP	41f98d67e9537ad119b3d181132bc00196708a5fc1cf76a5fd65cedef3037ad2.exe

Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs

Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

System Information Discovery

T1082

description	ioc	Process
File created	C:\Windows\SysWOW64\vmGuestLib.dll	41f98d67e9537ad119b3d181132bc00196708a5fc1cf76a5fd65cedef3037ad2.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\VMware\VMware Tools\messages\de\hgfsUsability.vmsg	41f98d67e9537ad119b3d181132bc00196708a5fc1cf76a5fd65cedef3037ad2.exe
File created	C:\Program Files (x86)\VMware\VMware Tools\VMwareToolboxCmd.exe	41f98d67e9537ad119b3d181132bc00196708a5fc1cf76a5fd65cedef3037ad2.exe
File created	C:\Program Files (x86)\Common Files\VMware\Drivers\Virtual Printer\TPOG3\i386\TPPrnUIjpn.dll	41f98d67e9537ad119b3d181132bc00196708a5fc1cf76a5fd65cedef3037ad2.exe
File created	C:\Program Files (x86)\VMware\VMware Tools\messages\fr\hgfsUsability.vmsg	41f98d67e9537ad119b3d181132bc00196708a5fc1cf76a5fd65cedef3037ad2.exe
File created	C:\Program Files (x86)\VMware\VMware Tools\plugins\vmsvc\hwUpgradeHelper.dll	41f98d67e9537ad119b3d181132bc00196708a5fc1cf76a5fd65cedef3037ad2.exe
File created	C:\Program Files (x86)\VMware\VMware Tools\vmacthlp.exe	41f98d67e9537ad119b3d181132bc00196708a5fc1cf76a5fd65cedef3037ad2.exe
File created	C:\Program Files (x86)\Oracle\VirtualBox Guest Additions\VBoxMouse.inf	41f98d67e9537ad119b3d181132bc00196708a5fc1cf76a5fd65cedef3037ad2.exe
File created	C:\Program Files (x86)\Common Files\VMware\Drivers\video_xpdm\vmx_svga.inf	41f98d67e9537ad119b3d181132bc00196708a5fc1cf76a5fd65cedef3037ad2.exe
File created	C:\Program Files (x86)\VMware\VMware Tools\TPAutoConnect.exe	41f98d67e9537ad119b3d181132bc00196708a5fc1cf76a5fd65cedef3037ad2.exe
File created	C:\Program Files (x86)\VMware\VMware Tools\TPVCGateway.exe	41f98d67e9537ad119b3d181132bc00196708a5fc1cf76a5fd65cedef3037ad2.exe
File created	C:\Program Files (x86)\Oracle\VirtualBox Guest Additions\VBoxWHQLFake.exe	41f98d67e9537ad119b3d181132bc00196708a5fc1cf76a5fd65cedef3037ad2.exe
File created	C:\Program Files (x86)\Common Files\VMware\Drivers\Virtual Printer\TPOG3\i386\TPPrnUIcsy.dll	41f98d67e9537ad119b3d181132bc00196708a5fc1cf76a5fd65cedef3037ad2.exe
File created	C:\Program Files (x86)\Common Files\VMware\Drivers\Virtual Printer\TPOG3\i386\TPOG.bin	41f98d67e9537ad119b3d181132bc00196708a5fc1cf76a5fd65cedef3037ad2.exe
File created	C:\Program Files (x86)\Common Files\VMware\Drivers\Virtual Printer\TPOG3\i386\TPOG.chm	41f98d67e9537ad119b3d181132bc00196708a5fc1cf76a5fd65cedef3037ad2.exe
File created	C:\Program Files (x86)\Common Files\VMware\Drivers\Virtual Printer\TPOG3\i386\TPPrnUIchs.dll	41f98d67e9537ad119b3d181132bc00196708a5fc1cf76a5fd65cedef3037ad2.exe
File created	C:\Program Files (x86)\Common Files\VMware\Drivers\Virtual Printer\TPOG3\i386\TPPrnUIell.dll	41f98d67e9537ad119b3d181132bc00196708a5fc1cf76a5fd65cedef3037ad2.exe
File created	C:\Program Files (x86)\Common Files\VMware\Drivers\vmci\device\vmci.inf	41f98d67e9537ad119b3d181132bc00196708a5fc1cf76a5fd65cedef3037ad2.exe
File created	C:\Program Files (x86)\Common Files\VMware\Drivers\vmxnet3\vmxnet3ndis5ver.dll	41f98d67e9537ad119b3d181132bc00196708a5fc1cf76a5fd65cedef3037ad2.exe
File created	C:\Program Files (x86)\Common Files\VMware\Drivers\mouse\vmmouse.sys	41f98d67e9537ad119b3d181132bc00196708a5fc1cf76a5fd65cedef3037ad2.exe
File created	C:\Program Files (x86)\Common Files\VMware\Drivers\mouse\vmusbmouse.sys	41f98d67e9537ad119b3d181132bc00196708a5fc1cf76a5fd65cedef3037ad2.exe
File created	C:\Program Files (x86)\VMware\VMware Tools\plugins\vmsvc\guestInfo.dll	41f98d67e9537ad119b3d181132bc00196708a5fc1cf76a5fd65cedef3037ad2.exe
File created	C:\Program Files (x86)\VMware\VMware Tools\vmtools.dll	41f98d67e9537ad119b3d181132bc00196708a5fc1cf76a5fd65cedef3037ad2.exe
File created	C:\Program Files (x86)\VMware\VMware Tools\messages\ko\desktopEvents.vmsg	41f98d67e9537ad119b3d181132bc00196708a5fc1cf76a5fd65cedef3037ad2.exe
File created	C:\Program Files (x86)\VMware\VMware Tools\messages\ko\hgfsUsability.vmsg	41f98d67e9537ad119b3d181132bc00196708a5fc1cf76a5fd65cedef3037ad2.exe
File created	C:\Program Files (x86)\Common Files\VMware\Drivers\Virtual Printer\TPOG3\i386\TPPrnUIfra.dll	41f98d67e9537ad119b3d181132bc00196708a5fc1cf76a5fd65cedef3037ad2.exe
File created	C:\Program Files (x86)\Common Files\VMware\Drivers\vmxnet\vmware-nic.inf	41f98d67e9537ad119b3d181132bc00196708a5fc1cf76a5fd65cedef3037ad2.exe
File created	C:\Program Files (x86)\VMware\VMware Tools\gthread-2.0.dll	41f98d67e9537ad119b3d181132bc00196708a5fc1cf76a5fd65cedef3037ad2.exe
File created	C:\Program Files (x86)\VMware\VMware Tools\messages\de\vmtoolsd.vmsg	41f98d67e9537ad119b3d181132bc00196708a5fc1cf76a5fd65cedef3037ad2.exe
File created	C:\Program Files (x86)\VMware\VMware Tools\messages\fr\vmtoolsd.vmsg	41f98d67e9537ad119b3d181132bc00196708a5fc1cf76a5fd65cedef3037ad2.exe
File created	C:\Program Files (x86)\VMware\VMware Tools\resume-vm-default.bat	41f98d67e9537ad119b3d181132bc00196708a5fc1cf76a5fd65cedef3037ad2.exe
File created	C:\Program Files (x86)\Oracle\VirtualBox Guest Additions\VBoxGuest.cat	41f98d67e9537ad119b3d181132bc00196708a5fc1cf76a5fd65cedef3037ad2.exe
File created	C:\Program Files (x86)\Common Files\VMware\Drivers\Virtual Printer\TPOG3\i386\TPPrnUI.dll	41f98d67e9537ad119b3d181132bc00196708a5fc1cf76a5fd65cedef3037ad2.exe
File created	C:\Program Files (x86)\VMware\VMware Tools\VMwareResolutionSet.exe	41f98d67e9537ad119b3d181132bc00196708a5fc1cf76a5fd65cedef3037ad2.exe
File created	C:\Program Files (x86)\Common Files\VMware\Drivers\Virtual Printer\TPOG3\tpprint.cat	41f98d67e9537ad119b3d181132bc00196708a5fc1cf76a5fd65cedef3037ad2.exe
File created	C:\Program Files (x86)\Common Files\VMware\Drivers\vmci\device\vsock.sys	41f98d67e9537ad119b3d181132bc00196708a5fc1cf76a5fd65cedef3037ad2.exe
File created	C:\Program Files (x86)\VMware\VMware Tools\glib-2.0.dll	41f98d67e9537ad119b3d181132bc00196708a5fc1cf76a5fd65cedef3037ad2.exe
File created	C:\Program Files (x86)\Oracle\VirtualBox Guest Additions\Oracle VM VirtualBox Guest Additions.url	41f98d67e9537ad119b3d181132bc00196708a5fc1cf76a5fd65cedef3037ad2.exe
File created	C:\Program Files (x86)\Common Files\VMware\Drivers\video_xpdm\vmx_svgaver.dll	41f98d67e9537ad119b3d181132bc00196708a5fc1cf76a5fd65cedef3037ad2.exe
File created	C:\Program Files (x86)\Common Files\VMware\Drivers\vmxnet3\vmxnet3n51x86.sys	41f98d67e9537ad119b3d181132bc00196708a5fc1cf76a5fd65cedef3037ad2.exe
File created	C:\Program Files (x86)\VMware\VMware Tools\gio-2.0.dll	41f98d67e9537ad119b3d181132bc00196708a5fc1cf76a5fd65cedef3037ad2.exe
File created	C:\Program Files (x86)\VMware\VMware Tools\gobject-2.0.dll	41f98d67e9537ad119b3d181132bc00196708a5fc1cf76a5fd65cedef3037ad2.exe
File created	C:\Program Files (x86)\VMware\VMware Tools\messages\ja\desktopEvents.vmsg	41f98d67e9537ad119b3d181132bc00196708a5fc1cf76a5fd65cedef3037ad2.exe
File created	C:\Program Files (x86)\VMware\VMware Tools\vmacthlp.txt	41f98d67e9537ad119b3d181132bc00196708a5fc1cf76a5fd65cedef3037ad2.exe
File created	C:\Program Files (x86)\VMware\VMware Tools\win32\vmGuestLibJava.dll	41f98d67e9537ad119b3d181132bc00196708a5fc1cf76a5fd65cedef3037ad2.exe
File created	C:\Program Files (x86)\Oracle\VirtualBox Guest Additions\VBoxVideo.sys	41f98d67e9537ad119b3d181132bc00196708a5fc1cf76a5fd65cedef3037ad2.exe
File created	C:\Program Files (x86)\Common Files\VMware\Drivers\video_xpdm\vmx_svga.sys	41f98d67e9537ad119b3d181132bc00196708a5fc1cf76a5fd65cedef3037ad2.exe
File created	C:\Program Files (x86)\Common Files\VMware\Drivers\vmxnet\vmxnetver.dll	41f98d67e9537ad119b3d181132bc00196708a5fc1cf76a5fd65cedef3037ad2.exe
File created	C:\Program Files (x86)\VMware\VMware Tools\poweron-vm-default.bat	41f98d67e9537ad119b3d181132bc00196708a5fc1cf76a5fd65cedef3037ad2.exe
File created	C:\Program Files (x86)\Oracle\VirtualBox Guest Additions\VBoxMouse.sys	41f98d67e9537ad119b3d181132bc00196708a5fc1cf76a5fd65cedef3037ad2.exe
File created	C:\Program Files (x86)\Common Files\VMware\Drivers\Virtual Printer\TPOG3\i386\TPPrnUIsve.dll	41f98d67e9537ad119b3d181132bc00196708a5fc1cf76a5fd65cedef3037ad2.exe
File created	C:\Program Files (x86)\Common Files\VMware\Drivers\Virtual Printer\TPOG3\i386\TPPrnUIptb.dll	41f98d67e9537ad119b3d181132bc00196708a5fc1cf76a5fd65cedef3037ad2.exe
File created	C:\Program Files (x86)\Common Files\VMware\Drivers\vmxnet\vmxnet.inf	41f98d67e9537ad119b3d181132bc00196708a5fc1cf76a5fd65cedef3037ad2.exe
File created	C:\Program Files (x86)\VMware\VMware Tools\glibmm-2.4.dll	41f98d67e9537ad119b3d181132bc00196708a5fc1cf76a5fd65cedef3037ad2.exe
File created	C:\Program Files (x86)\VMware\VMware Tools\gmodule-2.0.dll	41f98d67e9537ad119b3d181132bc00196708a5fc1cf76a5fd65cedef3037ad2.exe
File created	C:\Program Files (x86)\VMware\VMware Tools\messages\it\hgfsUsability.vmsg	41f98d67e9537ad119b3d181132bc00196708a5fc1cf76a5fd65cedef3037ad2.exe
File created	C:\Program Files (x86)\VMware\VMware Tools\plugins\vmusr\vmtray.dll	41f98d67e9537ad119b3d181132bc00196708a5fc1cf76a5fd65cedef3037ad2.exe
File created	C:\Program Files (x86)\Common Files\VMware\Drivers\mouse\vmmouse.inf	41f98d67e9537ad119b3d181132bc00196708a5fc1cf76a5fd65cedef3037ad2.exe
File created	C:\Program Files (x86)\Common Files\VMware\Drivers\scsi\txtsetup.oem	41f98d67e9537ad119b3d181132bc00196708a5fc1cf76a5fd65cedef3037ad2.exe
File created	C:\Program Files (x86)\VMware\VMware Tools\sigc-2.0.dll	41f98d67e9537ad119b3d181132bc00196708a5fc1cf76a5fd65cedef3037ad2.exe
File created	C:\Program Files (x86)\VMware\VMware Tools\dbghelp.dll	41f98d67e9537ad119b3d181132bc00196708a5fc1cf76a5fd65cedef3037ad2.exe
File created	C:\Program Files (x86)\VMware\VMware Tools\Drivers\hgfs\vmhgfs.sys	41f98d67e9537ad119b3d181132bc00196708a5fc1cf76a5fd65cedef3037ad2.exe
File created	C:\Program Files (x86)\Common Files\VMware\Drivers\vmxnet3\vmxnet3ndis5.cat	41f98d67e9537ad119b3d181132bc00196708a5fc1cf76a5fd65cedef3037ad2.exe
File created	C:\Program Files (x86)\Oracle\VirtualBox Guest Additions\VBoxGuest.inf	41f98d67e9537ad119b3d181132bc00196708a5fc1cf76a5fd65cedef3037ad2.exe
File created	C:\Program Files (x86)\Common Files\VMware\Drivers\Virtual Printer\TPOG3\i386\TPPrnUIplk.dll	41f98d67e9537ad119b3d181132bc00196708a5fc1cf76a5fd65cedef3037ad2.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8D3967E5-6AAC-11D7-908B-0003476A1D2A}	41f98d67e9537ad119b3d181132bc00196708a5fc1cf76a5fd65cedef3037ad2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\26F2A77378F13A348B673086F0D88D59\SourceList\Media\19 = "DISK1;1"	41f98d67e9537ad119b3d181132bc00196708a5fc1cf76a5fd65cedef3037ad2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TPAutoConnectLib.TPAutoConnect.1\ = "TPAutoConnect Class"	41f98d67e9537ad119b3d181132bc00196708a5fc1cf76a5fd65cedef3037ad2.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\26F2A77378F13A348B673086F0D88D59\Assignment = "1"	41f98d67e9537ad119b3d181132bc00196708a5fc1cf76a5fd65cedef3037ad2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8D3967E5-6AAC-11D7-908B-0003476A1D2A}\ProgID\ = "TPAutoConnDll.TPAutoConnect.1"	41f98d67e9537ad119b3d181132bc00196708a5fc1cf76a5fd65cedef3037ad2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\26F2A77378F13A348B673086F0D88D59\SourceList\Media\4 = "DISK1;1"	41f98d67e9537ad119b3d181132bc00196708a5fc1cf76a5fd65cedef3037ad2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{56CA9E11-6AAA-11D7-908B-0003476A1D2A}\1.0\HELPDIR	41f98d67e9537ad119b3d181132bc00196708a5fc1cf76a5fd65cedef3037ad2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2C6594DB-04AD-490F-A447-DC8E2772E9CB}\	41f98d67e9537ad119b3d181132bc00196708a5fc1cf76a5fd65cedef3037ad2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2C6594DB-04AD-490F-A447-DC8E2772E9CB}\InprocServer32\ThreadingModel = "Apartment"	41f98d67e9537ad119b3d181132bc00196708a5fc1cf76a5fd65cedef3037ad2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\26F2A77378F13A348B673086F0D88D59\microsoft_dlls_x86 = "Common"	41f98d67e9537ad119b3d181132bc00196708a5fc1cf76a5fd65cedef3037ad2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\26F2A77378F13A348B673086F0D88D59\Transforms = ":1033"	41f98d67e9537ad119b3d181132bc00196708a5fc1cf76a5fd65cedef3037ad2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\26F2A77378F13A348B673086F0D88D59\SourceList\PackageName = "VMware Tools.msi"	41f98d67e9537ad119b3d181132bc00196708a5fc1cf76a5fd65cedef3037ad2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\26F2A77378F13A348B673086F0D88D59\SourceList\Media\7 = "DISK1;1"	41f98d67e9537ad119b3d181132bc00196708a5fc1cf76a5fd65cedef3037ad2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\26F2A77378F13A348B673086F0D88D59\SourceList\Media\20 = "DISK1;1"	41f98d67e9537ad119b3d181132bc00196708a5fc1cf76a5fd65cedef3037ad2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\26F2A77378F13A348B673086F0D88D59\SourceList\Media\23 = "DISK1;1"	41f98d67e9537ad119b3d181132bc00196708a5fc1cf76a5fd65cedef3037ad2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8D3967E4-6AAC-11D7-908B-0003476A1D2A}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	41f98d67e9537ad119b3d181132bc00196708a5fc1cf76a5fd65cedef3037ad2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{2c6594dd-04ad-490f-a447-dc8e2772e9cb}	41f98d67e9537ad119b3d181132bc00196708a5fc1cf76a5fd65cedef3037ad2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2c6594dc-04ad-490f-a447-dc8e2772e9cb}\LocalServer32	41f98d67e9537ad119b3d181132bc00196708a5fc1cf76a5fd65cedef3037ad2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\26F2A77378F13A348B673086F0D88D59\VMXNet3 = "Drivers"	41f98d67e9537ad119b3d181132bc00196708a5fc1cf76a5fd65cedef3037ad2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\26F2A77378F13A348B673086F0D88D59\SourceList\Media\17 = "DISK1;1"	41f98d67e9537ad119b3d181132bc00196708a5fc1cf76a5fd65cedef3037ad2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{56CA9E11-6AAA-11D7-908B-0003476A1D2A}\1.0\0	41f98d67e9537ad119b3d181132bc00196708a5fc1cf76a5fd65cedef3037ad2.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\26F2A77378F13A348B673086F0D88D59\Language = "0"	41f98d67e9537ad119b3d181132bc00196708a5fc1cf76a5fd65cedef3037ad2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\26F2A77378F13A348B673086F0D88D59\SourceList\Media\1 = "DISK1;1"	41f98d67e9537ad119b3d181132bc00196708a5fc1cf76a5fd65cedef3037ad2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\26F2A77378F13A348B673086F0D88D59\SourceList\Media\5 = "DISK1;1"	41f98d67e9537ad119b3d181132bc00196708a5fc1cf76a5fd65cedef3037ad2.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\26F2A77378F13A348B673086F0D88D59\AuthorizedLUAApp = "0"	41f98d67e9537ad119b3d181132bc00196708a5fc1cf76a5fd65cedef3037ad2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\26F2A77378F13A348B673086F0D88D59\SourceList\Net	41f98d67e9537ad119b3d181132bc00196708a5fc1cf76a5fd65cedef3037ad2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TPAutoConnectLib.TPAutoConnect.1	41f98d67e9537ad119b3d181132bc00196708a5fc1cf76a5fd65cedef3037ad2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{2c6594dd-04ad-490f-a447-dc8e2772e9cb}\ = "TPVCGateway WMI Provider"	41f98d67e9537ad119b3d181132bc00196708a5fc1cf76a5fd65cedef3037ad2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\26F2A77378F13A348B673086F0D88D59\Unity = "Toolbox"	41f98d67e9537ad119b3d181132bc00196708a5fc1cf76a5fd65cedef3037ad2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\26F2A77378F13A348B673086F0D88D59\MouseUsb = "Drivers"	41f98d67e9537ad119b3d181132bc00196708a5fc1cf76a5fd65cedef3037ad2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\26F2A77378F13A348B673086F0D88D59\SourceList\Media\9 = "DISK1;1"	41f98d67e9537ad119b3d181132bc00196708a5fc1cf76a5fd65cedef3037ad2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\26F2A77378F13A348B673086F0D88D59\SourceList\Media\22 = "DISK1;1"	41f98d67e9537ad119b3d181132bc00196708a5fc1cf76a5fd65cedef3037ad2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TPAutoConnectLib.TPAutoConnect\ = "TPAutoConnect Class"	41f98d67e9537ad119b3d181132bc00196708a5fc1cf76a5fd65cedef3037ad2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\26F2A77378F13A348B673086F0D88D59\TrayIcon = "Plugins"	41f98d67e9537ad119b3d181132bc00196708a5fc1cf76a5fd65cedef3037ad2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8D3967E4-6AAC-11D7-908B-0003476A1D2A}\ProxyStubClsid32	41f98d67e9537ad119b3d181132bc00196708a5fc1cf76a5fd65cedef3037ad2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8D3967E4-6AAC-11D7-908B-0003476A1D2A}\TypeLib	41f98d67e9537ad119b3d181132bc00196708a5fc1cf76a5fd65cedef3037ad2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\26F2A77378F13A348B673086F0D88D59\SourceList\Media\DiskPrompt = "[1]"	41f98d67e9537ad119b3d181132bc00196708a5fc1cf76a5fd65cedef3037ad2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8D3967E4-6AAC-11D7-908B-0003476A1D2A}\TypeLib\ = "{56CA9E11-6AAA-11D7-908B-0003476A1D2A}"	41f98d67e9537ad119b3d181132bc00196708a5fc1cf76a5fd65cedef3037ad2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8D3967E5-6AAC-11D7-908B-0003476A1D2A}\ProgID	41f98d67e9537ad119b3d181132bc00196708a5fc1cf76a5fd65cedef3037ad2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\26F2A77378F13A348B673086F0D88D59	41f98d67e9537ad119b3d181132bc00196708a5fc1cf76a5fd65cedef3037ad2.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\26F2A77378F13A348B673086F0D88D59\AdvertiseFlags = "388"	41f98d67e9537ad119b3d181132bc00196708a5fc1cf76a5fd65cedef3037ad2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TPAutoConnectLib.TPAutoConnect.1\CLSID	41f98d67e9537ad119b3d181132bc00196708a5fc1cf76a5fd65cedef3037ad2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{2c6594dd-04ad-490f-a447-dc8e2772e9cb}\LocalService = "TPVCGateway"	41f98d67e9537ad119b3d181132bc00196708a5fc1cf76a5fd65cedef3037ad2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\26F2A77378F13A348B673086F0D88D59\Mouse = "Drivers"	41f98d67e9537ad119b3d181132bc00196708a5fc1cf76a5fd65cedef3037ad2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\26F2A77378F13A348B673086F0D88D59\VMXNet = "Drivers"	41f98d67e9537ad119b3d181132bc00196708a5fc1cf76a5fd65cedef3037ad2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\26F2A77378F13A348B673086F0D88D59\SourceList\Media\10 = "DISK1;1"	41f98d67e9537ad119b3d181132bc00196708a5fc1cf76a5fd65cedef3037ad2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\26F2A77378F13A348B673086F0D88D59\SourceList\Media\11 = "DISK1;1"	41f98d67e9537ad119b3d181132bc00196708a5fc1cf76a5fd65cedef3037ad2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{56CA9E11-6AAA-11D7-908B-0003476A1D2A}\1.0\0\win32	41f98d67e9537ad119b3d181132bc00196708a5fc1cf76a5fd65cedef3037ad2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2c6594dc-04ad-490f-a447-dc8e2772e9cb}	41f98d67e9537ad119b3d181132bc00196708a5fc1cf76a5fd65cedef3037ad2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8D3967E5-6AAC-11D7-908B-0003476A1D2A}\TypeLib\ = "{56CA9E11-6AAA-11D7-908B-0003476A1D2A}"	41f98d67e9537ad119b3d181132bc00196708a5fc1cf76a5fd65cedef3037ad2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\26F2A77378F13A348B673086F0D88D59\Hgfs = "VMCI"	41f98d67e9537ad119b3d181132bc00196708a5fc1cf76a5fd65cedef3037ad2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\26F2A77378F13A348B673086F0D88D59\Drivers	41f98d67e9537ad119b3d181132bc00196708a5fc1cf76a5fd65cedef3037ad2.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\26F2A77378F13A348B673086F0D88D59\Clients = 3a0000	41f98d67e9537ad119b3d181132bc00196708a5fc1cf76a5fd65cedef3037ad2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\26F2A77378F13A348B673086F0D88D59\SourceList\Media\21 = "DISK1;1"	41f98d67e9537ad119b3d181132bc00196708a5fc1cf76a5fd65cedef3037ad2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8D3967E4-6AAC-11D7-908B-0003476A1D2A}	41f98d67e9537ad119b3d181132bc00196708a5fc1cf76a5fd65cedef3037ad2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{56CA9E11-6AAA-11D7-908B-0003476A1D2A}\1.0\HELPDIR\	41f98d67e9537ad119b3d181132bc00196708a5fc1cf76a5fd65cedef3037ad2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TPAutoConnectLib.TPAutoConnect.1\CLSID\ = "{8D3967E5-6AAC-11D7-908B-0003476A1D2A}"	41f98d67e9537ad119b3d181132bc00196708a5fc1cf76a5fd65cedef3037ad2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\26F2A77378F13A348B673086F0D88D59\SourceList\Media\2 = "DISK1;1"	41f98d67e9537ad119b3d181132bc00196708a5fc1cf76a5fd65cedef3037ad2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{56CA9E11-6AAA-11D7-908B-0003476A1D2A}\1.0\FLAGS	41f98d67e9537ad119b3d181132bc00196708a5fc1cf76a5fd65cedef3037ad2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TPAutoConnectLib.TPAutoConnect\CLSID\ = "{8D3967E5-6AAC-11D7-908B-0003476A1D2A}"	41f98d67e9537ad119b3d181132bc00196708a5fc1cf76a5fd65cedef3037ad2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\26F2A77378F13A348B673086F0D88D59\SVGA = "Drivers"	41f98d67e9537ad119b3d181132bc00196708a5fc1cf76a5fd65cedef3037ad2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\26F2A77378F13A348B673086F0D88D59\BootCamp = "Drivers"	41f98d67e9537ad119b3d181132bc00196708a5fc1cf76a5fd65cedef3037ad2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\26F2A77378F13A348B673086F0D88D59\SourceList	41f98d67e9537ad119b3d181132bc00196708a5fc1cf76a5fd65cedef3037ad2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\26F2A77378F13A348B673086F0D88D59\SourceList\Media\16 = "DISK1;1"	41f98d67e9537ad119b3d181132bc00196708a5fc1cf76a5fd65cedef3037ad2.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
1052	41f98d67e9537ad119b3d181132bc00196708a5fc1cf76a5fd65cedef3037ad2.exe
1052	41f98d67e9537ad119b3d181132bc00196708a5fc1cf76a5fd65cedef3037ad2.exe
5072	VBoxTray.exe
5072	VBoxTray.exe
5072	VBoxTray.exe
5072	VBoxTray.exe
2092	VBoxService.exe
2092	VBoxService.exe
2092	VBoxService.exe
2092	VBoxService.exe
1052	41f98d67e9537ad119b3d181132bc00196708a5fc1cf76a5fd65cedef3037ad2.exe
1052	41f98d67e9537ad119b3d181132bc00196708a5fc1cf76a5fd65cedef3037ad2.exe
1052	41f98d67e9537ad119b3d181132bc00196708a5fc1cf76a5fd65cedef3037ad2.exe
1052	41f98d67e9537ad119b3d181132bc00196708a5fc1cf76a5fd65cedef3037ad2.exe
2512	vmtoolsd.exe
2512	vmtoolsd.exe
2512	vmtoolsd.exe
2512	vmtoolsd.exe
3020	ollydbg.exe
3020	ollydbg.exe
4996	vmacthlp.exe
4996	vmacthlp.exe
4996	vmacthlp.exe
4996	vmacthlp.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 1052 wrote to memory of 5072	1052	41f98d67e9537ad119b3d181132bc00196708a5fc1cf76a5fd65cedef3037ad2.exe	83
PID 1052 wrote to memory of 5072	1052	41f98d67e9537ad119b3d181132bc00196708a5fc1cf76a5fd65cedef3037ad2.exe	83
PID 1052 wrote to memory of 5072	1052	41f98d67e9537ad119b3d181132bc00196708a5fc1cf76a5fd65cedef3037ad2.exe	83
PID 5072 wrote to memory of 2092	5072	VBoxTray.exe	84
PID 5072 wrote to memory of 2092	5072	VBoxTray.exe	84
PID 5072 wrote to memory of 2092	5072	VBoxTray.exe	84
PID 1052 wrote to memory of 2512	1052	41f98d67e9537ad119b3d181132bc00196708a5fc1cf76a5fd65cedef3037ad2.exe	85
PID 1052 wrote to memory of 2512	1052	41f98d67e9537ad119b3d181132bc00196708a5fc1cf76a5fd65cedef3037ad2.exe	85
PID 1052 wrote to memory of 2512	1052	41f98d67e9537ad119b3d181132bc00196708a5fc1cf76a5fd65cedef3037ad2.exe	85
PID 1052 wrote to memory of 3020	1052	41f98d67e9537ad119b3d181132bc00196708a5fc1cf76a5fd65cedef3037ad2.exe	86
PID 1052 wrote to memory of 3020	1052	41f98d67e9537ad119b3d181132bc00196708a5fc1cf76a5fd65cedef3037ad2.exe	86
PID 1052 wrote to memory of 3020	1052	41f98d67e9537ad119b3d181132bc00196708a5fc1cf76a5fd65cedef3037ad2.exe	86
PID 2512 wrote to memory of 4996	2512	vmtoolsd.exe	87
PID 2512 wrote to memory of 4996	2512	vmtoolsd.exe	87
PID 2512 wrote to memory of 4996	2512	vmtoolsd.exe	87

C:\Users\Admin\AppData\Local\Temp\41f98d67e9537ad119b3d181132bc00196708a5fc1cf76a5fd65cedef3037ad2.exe
"C:\Users\Admin\AppData\Local\Temp\41f98d67e9537ad119b3d181132bc00196708a5fc1cf76a5fd65cedef3037ad2.exe"
1⤵
- Looks for VirtualBox Guest Additions in registry
- Drops file in Drivers directory
- Looks for VMWare Tools registry key
- Adds Run key to start application
- Drops file in System32 directory
- Checks for VirtualBox DLLs, possible anti-VM trick
- Drops file in Program Files directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1052
- C:\Program Files (x86)\Oracle\VirtualBox Guest Additions\VBoxTray.exe
  C:\Program Files (x86)\Oracle\VirtualBox Guest Additions\VBoxTray.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:5072
- - C:\Windows\SysWOW64\VBoxService.exe
    C:\Windows\system32\VBoxService.exe
    3⤵
    - Looks for VirtualBox executables on disk
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:2092
- C:\Program Files (x86)\VMware\VMware Tools\vmtoolsd.exe
  C:\Program Files (x86)\VMware\VMware Tools\vmtoolsd.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2512
- - C:\Program Files (x86)\VMware\VMware Tools\vmacthlp.exe
    C:\Program Files (x86)\VMware\VMware Tools\vmacthlp.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:4996
- C:\Program Files (x86)\ollydbg\ollydbg.exe
  C:\Program Files (x86)\ollydbg\ollydbg.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:3020

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

File and Directory Discovery

T1083

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Oracle\VirtualBox Guest Additions\VBoxWHQLFake.exe

Filesize
13KB

MD5
0043d2c0d39e977e999f581534f72f71

SHA1
e2c5b60463fcedea3365f3849a77d847966710fb

SHA256
9882426ce9e3357b16ff823f5fceaad31555d189b2748cfe34828692c906f98d

SHA512
11ab45b5609f547fee1687e8979960b7e934bd9082e58b3e41a323e7785643047b0805ed3fc59ce2d98346f03d3a43439727fde6485693223b65e8835d905a16

Download Submit
C:\Program Files (x86)\VMware\VMware Tools\vmacthlp.exe

Filesize
13KB

MD5
1755b50d11f76663959526fe2011098b

SHA1
33fd944cca7c1ea6459cb872befae88bb8e4cd56

SHA256
c96a604ab35a745ba1b2403f27c0e83220cbcd9e074e440ef8665dd8ca99c72d

SHA512
b77b85af29573afedac0e0284178164d27a38d9de5874f2f9b3c30552f1b370f52c84a4fe6f438e0d91d72251cc7cdf4cee82caa651981a33d7c8a43548093be

Download Submit
C:\Program Files (x86)\ollydbg\ollydbg.exe

Filesize
13KB

MD5
339b1790181080f69ea0ea19b3547ae7

SHA1
a8f32eff34a0d736d934f1a4772cf9d5fe6bd062

SHA256
0e95472beec6b9bce64b93a0a2eeb2d832294567fe3363a31f0e0e072e325404

SHA512
a30367b1a0c228c8cb4462e055bda0d01c6cd263daa98aec9b4e5370ae051116f7944a3c8912db9dd01572568bca1cf2e59f69a2e20962fb09ef8dd099ebd45a

Download Submit
C:\Windows\SysWOW64\VBoxMRXNP.dll

Filesize
12KB

MD5
17e02d62ea3ff4bf8428d77a72a099e5

SHA1
adc3ca460325d753cfce65b27c471227383742e4

SHA256
295410a1ae544788babe92c953a3ba533d7353b9222fabf8ad61bfcdac800d0a

SHA512
9f2343eff5dd1efda8a9c91acb9e95f298ad6e4a79962c92f3b756bf3c79417276583d1cdd2e68577bec02490c8fe954c85cf370e0ad7ce643729cad571098ad

Download Submit
memory/1052-261-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2092-267-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2512-268-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/3020-269-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/4996-270-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/5072-266-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download