Analysis

  • max time kernel
    99s
  • max time network
    111s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240508-en
  • resource tags
    arch:x64, arch:x86, image:win11-20240508-en, locale:en-us, os:windows11-21h2-x64, system
  • submitted
    31/05/2024, 15:49

General

  • Target

    VirtualBox-7.0.18-162988-Win.exe

  • Size

    104.6MB

  • MD5

    6a046a57ca3dd222d8bf1410b8172f81

  • SHA1

    49888a74780ac09ab6ec99bbcca5950890e5a227

  • SHA256

    4c83894c00aa9f55f7e0f70807210896ba32e1222d4ff1d0b9487af81f328f36

  • SHA512

    cb19129d62253bde686618cba40449ed05d5435ae11dbbb83ebc9a1b308fc7e9387cb964cb4cf26e91d7e38b9e8b75ebcb5de8039379986bf95cc77456a65a4b

  • SSDEEP

    3145728:aTdp/Gww7IEwmuQYIuSwHn9B4mzL8M6Wfwf:aFw70RQYIfwM6Q7+wf

Score
8/10

Malware Config

Signatures

  • Drops file in Drivers directory 12 IoCs
  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory 64 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 48 IoCs
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 41 IoCs
  • Registers COM server for autorun 1 TTPs 19 IoCs
  • Checks SCSI registry key(s) 3 TTPs 64 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Modifies data under HKEY_USERS 64 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious behavior: LoadsDriver 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 22 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\VirtualBox-7.0.18-162988-Win.exe
    "C:\Users\Admin\AppData\Local\Temp\VirtualBox-7.0.18-162988-Win.exe"
    1⤵
    • Enumerates connected drives
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of WriteProcessMemory
    PID:2528
    • C:\Program Files\Oracle\VirtualBox\VirtualBox.exe
      "C:\Program Files\Oracle\VirtualBox\VirtualBox.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Registers COM server for autorun
      • Modifies registry class
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      PID:3464
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Registers COM server for autorun
    • Modifies data under HKEY_USERS
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:424
    • C:\Windows\System32\MsiExec.exe
      C:\Windows\System32\MsiExec.exe -Embedding FA6D6A135EC3275B5BAE5803823096BF C
      2⤵
      • Loads dropped DLL
      PID:4616
    • C:\Windows\system32\srtasks.exe
      C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
      2⤵
        PID:3184
      • C:\Windows\System32\MsiExec.exe
        C:\Windows\System32\MsiExec.exe -Embedding 90CB6E367090ED2BEC232FA0AFC06FC1
        2⤵
        • Loads dropped DLL
        PID:3344
      • C:\Windows\syswow64\MsiExec.exe
        C:\Windows\syswow64\MsiExec.exe -Embedding EEEED849BDC03DCAAEDCE23F97CEE6A9
        2⤵
        • Loads dropped DLL
        PID:4188
      • C:\Windows\System32\MsiExec.exe
        C:\Windows\System32\MsiExec.exe -Embedding EFBB24C7EF95813B082674AF7683F894 E Global\MSI0000
        2⤵
        • Drops file in Drivers directory
        • Drops file in System32 directory
        • Drops file in Windows directory
        • Loads dropped DLL
        • Checks SCSI registry key(s)
        • Modifies data under HKEY_USERS
        PID:4972
      • C:\Windows\syswow64\MsiExec.exe
        C:\Windows\syswow64\MsiExec.exe -Embedding 8D6F2CAA08BC00DCC3DC3CF4E9DD20C5 M Global\MSI0000
        2⤵
          PID:4804
      • C:\Windows\system32\vssvc.exe
        C:\Windows\system32\vssvc.exe
        1⤵
        • Checks SCSI registry key(s)
        PID:4596
      • C:\Windows\system32\svchost.exe
        C:\Windows\system32\svchost.exe -k DcomLaunch -p -s DeviceInstall
        1⤵
        • Drops file in Windows directory
        • Checks SCSI registry key(s)
        • Suspicious use of WriteProcessMemory
        PID:3552
        • C:\Windows\system32\DrvInst.exe
          DrvInst.exe "4" "1" "C:\Program Files\Oracle\VirtualBox\drivers\USB\device\VBoxUSB.inf" "9" "48f6bcb47" "0000000000000154" "WinSta0\Default" "0000000000000164" "208" "C:\Program Files\Oracle\VirtualBox\drivers\USB\device"
          2⤵
          • Drops file in System32 directory
          • Drops file in Windows directory
          • Checks SCSI registry key(s)
          • Modifies data under HKEY_USERS
          PID:3124
        • C:\Windows\system32\DrvInst.exe
          DrvInst.exe "4" "1" "C:\Program Files\Oracle\VirtualBox\drivers\network\netadp6\VBoxNetAdp6.inf" "9" "473b17b7b" "000000000000010C" "WinSta0\Default" "0000000000000168" "208" "C:\Program Files\Oracle\VirtualBox\drivers\network\netadp6"
          2⤵
          • Drops file in System32 directory
          • Drops file in Windows directory
          • Checks SCSI registry key(s)
          • Modifies data under HKEY_USERS
          PID:4908
        • C:\Windows\system32\DrvInst.exe
          DrvInst.exe "4" "1" "C:\Program Files\Oracle\VirtualBox\drivers\network\netlwf\VBoxNetLwf.inf" "9" "431e52bcb" "0000000000000168" "WinSta0\Default" "0000000000000178" "208" "C:\Program Files\Oracle\VirtualBox\drivers\network\netlwf"
          2⤵
          • Drops file in System32 directory
          • Drops file in Windows directory
          • Checks SCSI registry key(s)
          • Modifies data under HKEY_USERS
          PID:1012
      • C:\Program Files\Oracle\VirtualBox\VBoxSVC.exe
        "C:\Program Files\Oracle\VirtualBox\VBoxSVC.exe" -Embedding
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        PID:1480
      • C:\Program Files\Oracle\VirtualBox\VBoxSDS.exe
        "C:\Program Files\Oracle\VirtualBox\VBoxSDS.exe"
        1⤵
        • Drops file in System32 directory
        • Executes dropped EXE
        • Loads dropped DLL
        PID:3676

      Network

            MITRE ATT&CK Enterprise v15

            Downloads

            • C:\Config.Msi\e58b34e.rbs

              Filesize

              2.6MB


            • C:\PROGRA~1\Oracle\VIRTUA~1\drivers\USB\device\VBoxUSB.cat

              Filesize

              11KB


            • C:\PROGRA~1\Oracle\VIRTUA~1\drivers\USB\device\VBoxUSB.sys

              Filesize

              184KB


            • C:\Program Files\Oracle\VirtualBox\VBoxProxyStub.dll

              Filesize

              874KB


            • C:\Program Files\Oracle\VirtualBox\VirtualBox.exe

              Filesize

              2.5MB


            • C:\Program Files\Oracle\VirtualBox\drivers\USB\device\VBoxUSB.inf

              Filesize

              2KB


            • C:\Program Files\Oracle\VirtualBox\drivers\USB\filter\VBoxUSBMon.cat

              Filesize

              11KB


            • C:\Program Files\Oracle\VirtualBox\drivers\USB\filter\VBoxUSBMon.inf

              Filesize

              3KB


            • C:\Program Files\Oracle\VirtualBox\drivers\USB\filter\VBoxUSBMon.sys

              Filesize

              199KB


            • C:\Program Files\Oracle\VirtualBox\drivers\network\netadp6\VBoxNetAdp6.inf

              Filesize

              3KB


            • C:\Program Files\Oracle\VirtualBox\drivers\vboxsup\VBoxSup.cat

              Filesize

              11KB


            • C:\Program Files\Oracle\VirtualBox\drivers\vboxsup\VBoxSup.inf

              Filesize

              3KB


            • C:\Program Files\Oracle\VirtualBox\drivers\vboxsup\VBoxSup.sys

              Filesize

              1.0MB


            • C:\Program Files\Oracle\VirtualBox\x86\VBoxProxyStub-x86.dll

              Filesize

              654KB


            • C:\Users\Admin\.VirtualBox\VirtualBox.xml

              Filesize

              1KB


            • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB

              Filesize

              471B


            • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EC9B1D0ABBD7F98B401D425828828CE_D2F6556190F7B1A25A117FFB5467EEBD

              Filesize

              727B


            • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141

              Filesize

              727B


            • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB

              Filesize

              400B


            • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8EC9B1D0ABBD7F98B401D425828828CE_D2F6556190F7B1A25A117FFB5467EEBD

              Filesize

              412B


            • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141

              Filesize

              412B


            • C:\Users\Admin\AppData\Local\Temp\MSI8CDE.tmp

              Filesize

              324KB


            • C:\Windows\Installer\MSIB8B0.tmp

              Filesize

              234KB


            • C:\Windows\Installer\MSIBC8C.tmp

              Filesize

              149KB


            • C:\Windows\Installer\MSIC7F9.tmp

              Filesize

              690KB


            • C:\Windows\System32\CatRoot2\dberr.txt

              Filesize

              2KB


            • C:\Windows\System32\CatRoot2\dberr.txt

              Filesize

              2KB


            • C:\Windows\System32\DriverStore\Temp\{16f8d9dc-099f-3b4b-a549-84c88b809843}\VBoxNetLwf.cat

              Filesize

              11KB


            • C:\Windows\System32\DriverStore\Temp\{16f8d9dc-099f-3b4b-a549-84c88b809843}\VBoxNetLwf.inf

              Filesize

              4KB


            • C:\Windows\System32\DriverStore\Temp\{16f8d9dc-099f-3b4b-a549-84c88b809843}\VBoxNetLwf.sys

              Filesize

              259KB


            • C:\Windows\System32\DriverStore\Temp\{c66b785a-b94c-054c-ad4b-cc6d0e3edb46}\VBoxNetAdp6.cat

              Filesize

              11KB


            • C:\Windows\System32\DriverStore\Temp\{c66b785a-b94c-054c-ad4b-cc6d0e3edb46}\VBoxNetAdp6.sys

              Filesize

              248KB


            • \??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

              Filesize

              12.8MB


            • \??\Volume{453a990c-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{17cb499b-a315-4ce0-b85b-fd6a4d55cfb3}_OnDiskSnapshotProp

              Filesize

              6KB


            • memory/3464-554-0x00007FFCDE140000-0x00007FFCDE681000-memory.dmp

              Filesize

              5.3MB

            • memory/3464-552-0x00007FF7E3580000-0x00007FF7E3804000-memory.dmp

              Filesize

              2.5MB

            • memory/3464-553-0x00007FFCDF9E0000-0x00007FFCE15BE000-memory.dmp

              Filesize

              27.9MB