Analysis
max time kernel: 99s
max time network: 111s
platform: windows11-21h2_x64
resource: win11-20240508-en
resource tags: arch:x64, arch:x86, image:win11-20240508-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 31/05/2024, 15:49

Static task: static1
Behavioral task: behavioral1
Sample: VirtualBox-7.0.18-162988-Win.exe
Resource: win11-20240508-en

General
Target: VirtualBox-7.0.18-162988-Win.exe
Size: 104.6MB
MD5: 6a046a57ca3dd222d8bf1410b8172f81
SHA1: 49888a74780ac09ab6ec99bbcca5950890e5a227
SHA256: 4c83894c00aa9f55f7e0f70807210896ba32e1222d4ff1d0b9487af81f328f36
SHA512: cb19129d62253bde686618cba40449ed05d5435ae11dbbb83ebc9a1b308fc7e9387cb964cb4cf26e91d7e38b9e8b75ebcb5de8039379986bf95cc77456a65a4b
SSDEEP: 3145728:aTdp/Gww7IEwmuQYIuSwHn9B4mzL8M6Wfwf:aFw70RQYIfwM6Q7+wf
Malware Config
Signatures
Drops file in Drivers directory (12 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\system32\DRIVERS\SETE3D6.tmp | MsiExec.exe
File created | C:\Windows\system32\DRIVERS\SETE3D6.tmp | MsiExec.exe
File opened for modification | C:\Windows\system32\DRIVERS\SETC87B.tmp | MsiExec.exe
File created | C:\Windows\system32\DRIVERS\SETC87B.tmp | MsiExec.exe
File opened for modification | C:\Windows\system32\DRIVERS\VBoxSup.sys | MsiExec.exe
File opened for modification | C:\Windows\system32\DRIVERS\SETDD2E.tmp | MsiExec.exe
File opened for modification | C:\Windows\system32\DRIVERS\VBoxNetAdp6.sys | MsiExec.exe
File opened for modification | C:\Windows\system32\DRIVERS\VBoxNetLwf.sys | MsiExec.exe
File opened for modification | C:\Windows\system32\DRIVERS\SETC9D4.tmp | MsiExec.exe
File created | C:\Windows\system32\DRIVERS\SETC9D4.tmp | MsiExec.exe
File opened for modification | C:\Windows\system32\DRIVERS\VBoxUSBMon.sys | MsiExec.exe
File created | C:\Windows\system32\DRIVERS\SETDD2E.tmp | MsiExec.exe
Enumerates connected drives (3 TTPs, 46 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\P: | msiexec.exe
File opened (read-only) | \??\S: | msiexec.exe
File opened (read-only) | \??\E: | VirtualBox-7.0.18-162988-Win.exe
File opened (read-only) | \??\O: | VirtualBox-7.0.18-162988-Win.exe
File opened (read-only) | \??\B: | msiexec.exe
File opened (read-only) | \??\H: | msiexec.exe
File opened (read-only) | \??\H: | VirtualBox-7.0.18-162988-Win.exe
File opened (read-only) | \??\J: | VirtualBox-7.0.18-162988-Win.exe
File opened (read-only) | \??\Z: | VirtualBox-7.0.18-162988-Win.exe
File opened (read-only) | \??\X: | msiexec.exe
File opened (read-only) | \??\N: | msiexec.exe
File opened (read-only) | \??\O: | msiexec.exe
File opened (read-only) | \??\T: | msiexec.exe
File opened (read-only) | \??\U: | msiexec.exe
File opened (read-only) | \??\A: | VirtualBox-7.0.18-162988-Win.exe
File opened (read-only) | \??\Y: | VirtualBox-7.0.18-162988-Win.exe
File opened (read-only) | \??\A: | msiexec.exe
File opened (read-only) | \??\K: | msiexec.exe
File opened (read-only) | \??\M: | msiexec.exe
File opened (read-only) | \??\V: | msiexec.exe
File opened (read-only) | \??\W: | msiexec.exe
File opened (read-only) | \??\B: | VirtualBox-7.0.18-162988-Win.exe
File opened (read-only) | \??\T: | VirtualBox-7.0.18-162988-Win.exe
File opened (read-only) | \??\V: | VirtualBox-7.0.18-162988-Win.exe
File opened (read-only) | \??\G: | msiexec.exe
File opened (read-only) | \??\L: | msiexec.exe
File opened (read-only) | \??\G: | VirtualBox-7.0.18-162988-Win.exe
File opened (read-only) | \??\K: | VirtualBox-7.0.18-162988-Win.exe
File opened (read-only) | \??\N: | VirtualBox-7.0.18-162988-Win.exe
File opened (read-only) | \??\X: | VirtualBox-7.0.18-162988-Win.exe
File opened (read-only) | \??\I: | msiexec.exe
File opened (read-only) | \??\R: | msiexec.exe
File opened (read-only) | \??\Y: | msiexec.exe
File opened (read-only) | \??\I: | VirtualBox-7.0.18-162988-Win.exe
File opened (read-only) | \??\P: | VirtualBox-7.0.18-162988-Win.exe
File opened (read-only) | \??\R: | VirtualBox-7.0.18-162988-Win.exe
File opened (read-only) | \??\S: | VirtualBox-7.0.18-162988-Win.exe
File opened (read-only) | \??\M: | VirtualBox-7.0.18-162988-Win.exe
File opened (read-only) | \??\W: | VirtualBox-7.0.18-162988-Win.exe
File opened (read-only) | \??\E: | msiexec.exe
File opened (read-only) | \??\Z: | msiexec.exe
File opened (read-only) | \??\Q: | msiexec.exe
File opened (read-only) | \??\L: | VirtualBox-7.0.18-162988-Win.exe
File opened (read-only) | \??\Q: | VirtualBox-7.0.18-162988-Win.exe
File opened (read-only) | \??\U: | VirtualBox-7.0.18-162988-Win.exe
File opened (read-only) | \??\J: | msiexec.exe
Drops file in System32 directory (64 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\System32\DriverStore\Temp\{94ecdc25-a53f-e24e-ab5a-c9d5c4b98847}\VBoxUSB.inf | DrvInst.exe
File created | C:\Windows\System32\DriverStore\Temp\{94ecdc25-a53f-e24e-ab5a-c9d5c4b98847}\SETCAEE.tmp | DrvInst.exe
File opened for modification | C:\Windows\System32\DriverStore\Temp\{94ecdc25-a53f-e24e-ab5a-c9d5c4b98847} | DrvInst.exe
File opened for modification | C:\Windows\System32\DriverStore\Temp\{c66b785a-b94c-054c-ad4b-cc6d0e3edb46}\SETDBE5.tmp | DrvInst.exe
File created | C:\Windows\System32\DriverStore\drvstore.tmp | DrvInst.exe
File created | C:\Windows\System32\DriverStore\FileRepository\netbrdg.inf_amd64_3debe5e78bab1bca\netbrdg.PNF | MsiExec.exe
File created | C:\Windows\System32\DriverStore\FileRepository\c_netservice.inf_amd64_bc519c177a90877a\c_netservice.PNF | MsiExec.exe
File created | C:\Windows\System32\DriverStore\Temp\{94ecdc25-a53f-e24e-ab5a-c9d5c4b98847}\SETCAED.tmp | DrvInst.exe
File created | C:\Windows\System32\DriverStore\FileRepository\netpacer.inf_amd64_8074ac14f1ab2957\netpacer.PNF | MsiExec.exe
File opened for modification | C:\Windows\System32\CatRoot2\dberr.txt | DrvInst.exe
File opened for modification | C:\Windows\System32\DriverStore\Temp\{16f8d9dc-099f-3b4b-a549-84c88b809843}\SETE1E0.tmp | DrvInst.exe
File created | C:\Windows\System32\DriverStore\Temp\{16f8d9dc-099f-3b4b-a549-84c88b809843}\SETE1E0.tmp | DrvInst.exe
File opened for modification | C:\Windows\System32\DriverStore\Temp\{16f8d9dc-099f-3b4b-a549-84c88b809843}\SETE1F1.tmp | DrvInst.exe
File created | C:\Windows\System32\DriverStore\Temp\{94ecdc25-a53f-e24e-ab5a-c9d5c4b98847}\SETCAEC.tmp | DrvInst.exe
File opened for modification | C:\Windows\System32\DriverStore\Temp\{94ecdc25-a53f-e24e-ab5a-c9d5c4b98847}\VBoxUSB.sys | DrvInst.exe
File opened for modification | C:\Windows\System32\DriverStore\FileRepository\vboxusb.inf_amd64_c50c384d0cbfb450\VBoxUSB.cat | DrvInst.exe
File opened for modification | C:\Windows\System32\DriverStore\Temp\{16f8d9dc-099f-3b4b-a549-84c88b809843}\VBoxNetLwf.cat | DrvInst.exe
File created | C:\Windows\System32\DriverStore\Temp\{16f8d9dc-099f-3b4b-a549-84c88b809843}\SETE1F1.tmp | DrvInst.exe
File created | C:\Windows\system32\config\systemprofile\AppData\Roaming\VirtualBox\VBoxSDS.log | VBoxSDS.exe
File opened for modification | C:\Windows\System32\DriverStore\Temp\{94ecdc25-a53f-e24e-ab5a-c9d5c4b98847}\SETCAED.tmp | DrvInst.exe
File created | C:\Windows\System32\DriverStore\FileRepository\vboxnetlwf.inf_amd64_c7737e90db5729fb\vboxnetlwf.PNF | MsiExec.exe
File opened for modification | C:\Windows\system32\DRVSTORE\VBoxSup_C1568B0197F11F03068219F1FC3418496EA5F1E1\VBoxSup.inf | MsiExec.exe
File created | C:\Windows\System32\DriverStore\drvstore.tmp | DrvInst.exe
File created | C:\Windows\System32\DriverStore\FileRepository\netnb.inf_amd64_10acfa4b924dd181\netnb.PNF | MsiExec.exe
File created | C:\Windows\System32\DriverStore\Temp\{c66b785a-b94c-054c-ad4b-cc6d0e3edb46}\SETDBE5.tmp | DrvInst.exe
File opened for modification | C:\Windows\System32\DriverStore\Temp\{c66b785a-b94c-054c-ad4b-cc6d0e3edb46} | DrvInst.exe
File opened for modification | C:\Windows\System32\DriverStore\FileRepository\vboxnetlwf.inf_amd64_c7737e90db5729fb\VBoxNetLwf.sys | DrvInst.exe
File opened for modification | C:\Windows\System32\DriverStore\FileRepository\vboxnetlwf.inf_amd64_c7737e90db5729fb\VBoxNetLwf.cat | DrvInst.exe
File opened for modification | C:\Windows\System32\CatRoot2\dberr.txt | DrvInst.exe
File created | C:\Windows\system32\DRVSTORE\VBoxUSBMon_76C300885A3BEF8EB122594DD2B3D02A309D39C3\VBoxUSBMon.sys | MsiExec.exe
File created | C:\Windows\system32\DRVSTORE\VBoxUSBMon_76C300885A3BEF8EB122594DD2B3D02A309D39C3\VBoxUSBMon.cat | MsiExec.exe
File opened for modification | C:\Windows\System32\DriverStore\Temp\{94ecdc25-a53f-e24e-ab5a-c9d5c4b98847}\VBoxUSB.cat | DrvInst.exe
File created | C:\Windows\System32\DriverStore\drvstore.tmp | DrvInst.exe
File opened for modification | C:\Windows\System32\CatRoot2\dberr.txt | DrvInst.exe
File opened for modification | C:\Windows\System32\DriverStore\Temp\{c66b785a-b94c-054c-ad4b-cc6d0e3edb46}\SETDBD4.tmp | DrvInst.exe
File created | C:\Windows\System32\DriverStore\Temp\{c66b785a-b94c-054c-ad4b-cc6d0e3edb46}\SETDBD4.tmp | DrvInst.exe
File created | C:\Windows\System32\DriverStore\Temp\{c66b785a-b94c-054c-ad4b-cc6d0e3edb46}\SETDBF6.tmp | DrvInst.exe
File created | C:\Windows\system32\DRVSTORE\VBoxSup_C1568B0197F11F03068219F1FC3418496EA5F1E1\VBoxSup.sys | MsiExec.exe
File opened for modification | C:\Windows\System32\DriverStore\Temp\{c66b785a-b94c-054c-ad4b-cc6d0e3edb46}\VBoxNetAdp6.sys | DrvInst.exe
File opened for modification | C:\Windows\System32\DriverStore\Temp\{16f8d9dc-099f-3b4b-a549-84c88b809843}\VBoxNetLwf.inf | DrvInst.exe
File created | C:\Windows\system32\DRVSTORE\VBoxSup_C1568B0197F11F03068219F1FC3418496EA5F1E1\VBoxSup.cat | MsiExec.exe
File opened for modification | C:\Windows\System32\DriverStore\Temp\{94ecdc25-a53f-e24e-ab5a-c9d5c4b98847}\SETCAEC.tmp | DrvInst.exe
File opened for modification | C:\Windows\System32\DriverStore\Temp\{c66b785a-b94c-054c-ad4b-cc6d0e3edb46}\VBoxNetAdp6.cat | DrvInst.exe
File opened for modification | C:\Windows\system32\DRVSTORE | MsiExec.exe
File created | C:\Windows\System32\DriverStore\FileRepository\vboxusb.inf_amd64_c50c384d0cbfb450\VBoxUSB.PNF | MsiExec.exe
File created | C:\Windows\System32\DriverStore\FileRepository\netrass.inf_amd64_72f156a5ee3f59e8\netrass.PNF | MsiExec.exe
File created | C:\Windows\System32\DriverStore\FileRepository\netnwifi.inf_amd64_0525128a3d54207e\netnwifi.PNF | MsiExec.exe
File created | C:\Windows\system32\DRVSTORE\VBoxSup_C1568B0197F11F03068219F1FC3418496EA5F1E1\VBoxSup.inf | MsiExec.exe
File opened for modification | C:\Windows\System32\DriverStore\FileRepository\vboxnetadp6.inf_amd64_108aa80dcbfa6952\VBoxNetAdp6.cat | DrvInst.exe
File opened for modification | C:\Windows\System32\DriverStore\Temp\{16f8d9dc-099f-3b4b-a549-84c88b809843}\VBoxNetLwf.sys | DrvInst.exe
File opened for modification | C:\Windows\System32\DriverStore\FileRepository\vboxnetlwf.inf_amd64_c7737e90db5729fb\VBoxNetLwf.inf | DrvInst.exe
File opened for modification | C:\Windows\System32\DriverStore\Temp\{c66b785a-b94c-054c-ad4b-cc6d0e3edb46}\VBoxNetAdp6.inf | DrvInst.exe
File opened for modification | C:\Windows\System32\DriverStore\Temp\{16f8d9dc-099f-3b4b-a549-84c88b809843} | DrvInst.exe
File created | C:\Windows\System32\DriverStore\FileRepository\ndiscap.inf_amd64_d34968d7b3e6da21\ndiscap.PNF | MsiExec.exe
File created | C:\Windows\System32\DriverStore\FileRepository\netserv.inf_amd64_56c163d21e8c2b62\netserv.PNF | MsiExec.exe
File opened for modification | C:\Windows\System32\DriverStore\Temp\{16f8d9dc-099f-3b4b-a549-84c88b809843}\SETE1D0.tmp | DrvInst.exe
File opened for modification | C:\Windows\System32\DriverStore\Temp\{c66b785a-b94c-054c-ad4b-cc6d0e3edb46}\SETDBF6.tmp | DrvInst.exe
File opened for modification | C:\Windows\System32\DriverStore\FileRepository\vboxnetadp6.inf_amd64_108aa80dcbfa6952\VBoxNetAdp6.sys | DrvInst.exe
File created | C:\Windows\System32\DriverStore\FileRepository\netvwififlt.inf_amd64_882899f2b1006416\netvwififlt.PNF | MsiExec.exe
File created | C:\Windows\system32\DRVSTORE\VBoxUSBMon_76C300885A3BEF8EB122594DD2B3D02A309D39C3\VBoxUSBMon.inf | MsiExec.exe
File opened for modification | C:\Windows\System32\DriverStore\FileRepository\vboxusb.inf_amd64_c50c384d0cbfb450\VBoxUSB.inf | DrvInst.exe
File opened for modification | C:\Windows\System32\DriverStore\FileRepository\vboxnetadp6.inf_amd64_108aa80dcbfa6952\VBoxNetAdp6.inf | DrvInst.exe
File created | C:\Windows\System32\DriverStore\FileRepository\wfpcapture.inf_amd64_54cf91ab0e4c9ac2\wfpcapture.PNF | MsiExec.exe
File opened for modification | C:\Windows\System32\DriverStore\Temp\{94ecdc25-a53f-e24e-ab5a-c9d5c4b98847}\SETCAEE.tmp | DrvInst.exe
Drops file in Program Files directory (64 IoCs)
description | ioc | Process
File created | C:\Program Files\Oracle\VirtualBox\Qt5WinExtrasVBox.dll | msiexec.exe
File created | C:\Program Files\Oracle\VirtualBox\VBoxGuestAdditions.iso | msiexec.exe
File created | C:\Program Files\Oracle\VirtualBox\VMMR0.r0 | msiexec.exe
File created | C:\Program Files\Oracle\VirtualBox\nls\qt_ca.qm | msiexec.exe
File created | C:\Program Files\Oracle\VirtualBox\UnattendedTemplates\redhat_postinstall.sh | msiexec.exe
File created | C:\Program Files\Oracle\VirtualBox\UnattendedTemplates\rhel5_ks.cfg | msiexec.exe
File created | C:\Program Files\Oracle\VirtualBox\VBoxTestOGL.exe | msiexec.exe
File created | C:\Program Files\Oracle\VirtualBox\nls\qt_ru.qm | msiexec.exe
File created | C:\Program Files\Oracle\VirtualBox\nls\qt_zh_CN.qm | msiexec.exe
File created | C:\Program Files\Oracle\VirtualBox\UnattendedTemplates\rhel4_ks.cfg | msiexec.exe
File created | C:\Program Files\Oracle\VirtualBox\sdk\install\vboxapi\__init__.py | msiexec.exe
File created | C:\Program Files\Oracle\VirtualBox\UserManual.qch | msiexec.exe
File created | C:\Program Files\Oracle\VirtualBox\nls\VirtualBox_pt_BR.qm | msiexec.exe
File created | C:\Program Files\Oracle\VirtualBox\VBoxSVC.exe | msiexec.exe
File created | C:\Program Files\Oracle\VirtualBox\sqldrivers\qsqlite.dll | msiexec.exe
File created | C:\Program Files\Oracle\VirtualBox\VirtualBoxVM.exe | msiexec.exe
File created | C:\Program Files\Oracle\VirtualBox\nls\VirtualBox_pt.qm | msiexec.exe
File created | C:\Program Files\Oracle\VirtualBox\platforms\qminimal.dll | msiexec.exe
File created | C:\Program Files\Oracle\VirtualBox\styles\qwindowsvistastyle.dll | msiexec.exe
File created | C:\Program Files\Oracle\VirtualBox\nls\qt_sk.qm | msiexec.exe
File created | C:\Program Files\Oracle\VirtualBox\nls\VirtualBox_eu.qm | msiexec.exe
File created | C:\Program Files\Oracle\VirtualBox\nls\VirtualBox_fa.qm | msiexec.exe
File created | C:\Program Files\Oracle\VirtualBox\nls\VirtualBox_ko.qm | msiexec.exe
File created | C:\Program Files\Oracle\VirtualBox\nls\VirtualBox_uk.qm | msiexec.exe
File created | C:\Program Files\Oracle\VirtualBox\nls\VirtualBox_zh_CN.qm | msiexec.exe
File created | C:\Program Files\Oracle\VirtualBox\nls\qt_tr.qm | msiexec.exe
File created | C:\Program Files\Oracle\VirtualBox\UnattendedTemplates\ol_postinstall.sh | msiexec.exe
File created | C:\Program Files\Oracle\VirtualBox\License_en_US.rtf | msiexec.exe
File created | C:\Program Files\Oracle\VirtualBox\VBoxDDU.dll | msiexec.exe
File created | C:\Program Files\Oracle\VirtualBox\drivers\USB\device\VBoxUSB.sys | msiexec.exe
File created | C:\Program Files\Oracle\VirtualBox\nls\VirtualBox_el.qm | msiexec.exe
File created | C:\Program Files\Oracle\VirtualBox\nls\VirtualBox_sk.qm | msiexec.exe
File created | C:\Program Files\Oracle\VirtualBox\nls\qt_de.qm | msiexec.exe
File created | C:\Program Files\Oracle\VirtualBox\nls\qt_el.qm | msiexec.exe
File created | C:\Program Files\Oracle\VirtualBox\UnattendedTemplates\ol9_ks.cfg | msiexec.exe
File created | C:\Program Files\Oracle\VirtualBox\UnattendedTemplates\os2_cid_install.cmd | msiexec.exe
File created | C:\Program Files\Oracle\VirtualBox\UnattendedTemplates\debian_preseed.cfg | msiexec.exe
File created | C:\Program Files\Oracle\VirtualBox\platforms\qwindows.dll | msiexec.exe
File created | C:\Program Files\Oracle\VirtualBox\VBoxGuestControlSvc.dll | msiexec.exe
File created | C:\Program Files\Oracle\VirtualBox\nls\qt_fr.qm | msiexec.exe
File created | C:\Program Files\Oracle\VirtualBox\Qt5PrintSupportVBox.dll | msiexec.exe
File created | C:\Program Files\Oracle\VirtualBox\VBoxCAPI.dll | msiexec.exe
File created | C:\Program Files\Oracle\VirtualBox\sdk\install\vboxapi\VirtualBox_constants.py | msiexec.exe
File created | C:\Program Files\Oracle\VirtualBox\nls\qt_eu.qm | msiexec.exe
File created | C:\Program Files\Oracle\VirtualBox\UnattendedTemplates\os2_response_files.rsp | msiexec.exe
File created | C:\Program Files\Oracle\VirtualBox\Qt5CoreVBox.dll | msiexec.exe
File created | C:\Program Files\Oracle\VirtualBox\drivers\network\netadp6\VBoxNetAdp6.inf | msiexec.exe
File created | C:\Program Files\Oracle\VirtualBox\drivers\network\netadp6\VBoxNetAdp6.sys | msiexec.exe
File created | C:\Program Files\Oracle\VirtualBox\VBoxRes.dll | msiexec.exe
File created | C:\Program Files\Oracle\VirtualBox\nls\qt_pt.qm | msiexec.exe
File created | C:\Program Files\Oracle\VirtualBox\VBoxC.dll | msiexec.exe
File created | C:\Program Files\Oracle\VirtualBox\DbgPlugInDiggers.dll | msiexec.exe
File created | C:\Program Files\Oracle\VirtualBox\VBoxAuth.dll | msiexec.exe
File created | C:\Program Files\Oracle\VirtualBox\VBoxDD2.dll | msiexec.exe
File created | C:\Program Files\Oracle\VirtualBox\drivers\vboxsup\VBoxSup.sys | msiexec.exe
File created | C:\Program Files\Oracle\VirtualBox\nls\VirtualBox_zh_TW.qm | msiexec.exe
File created | C:\Program Files\Oracle\VirtualBox\UnattendedTemplates\os2_util.exe | msiexec.exe
File created | C:\Program Files\Oracle\VirtualBox\UnattendedTemplates\fedora_ks.cfg | msiexec.exe
File created | C:\Program Files\Oracle\VirtualBox\VBoxAudioTest.exe | msiexec.exe
File created | C:\Program Files\Oracle\VirtualBox\VirtualBox.VisualElementsManifest.xml | msiexec.exe
File created | C:\Program Files\Oracle\VirtualBox\nls\VirtualBox_lt.qm | msiexec.exe
File created | C:\Program Files\Oracle\VirtualBox\nls\qt_en.qm | msiexec.exe
File created | C:\Program Files\Oracle\VirtualBox\nls\qt_it.qm | msiexec.exe
File created | C:\Program Files\Oracle\VirtualBox\nls\qt_lt.qm | msiexec.exe
Drops file in Windows directory (48 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\Installer\MSIC980.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\{7431991E-0534-4E1E-89C8-2AF6968C017C}\IconVirtualBox | msiexec.exe
File opened for modification | C:\Windows\Installer\MSIE162.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\MSIE470.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\e58b34d.msi | msiexec.exe
File created | C:\Windows\SystemTemp\~DFC68B191DE07D8600.TMP | msiexec.exe
File opened for modification | C:\Windows\Installer\MSIBC8C.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\MSIC7F9.tmp | msiexec.exe
File created | C:\Windows\INF\oem1.PNF | MsiExec.exe
File opened for modification | C:\Windows\Installer\MSIE4DF.tmp | msiexec.exe
File created | C:\Windows\Installer\inprogressinstallinfo.ipi | msiexec.exe
File opened for modification | C:\Windows\Installer\MSIC111.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\MSIDB64.tmp | msiexec.exe
File opened for modification | C:\Windows\INF\setupapi.dev.log | DrvInst.exe
File created | C:\Windows\Installer\SourceHash{7431991E-0534-4E1E-89C8-2AF6968C017C} | msiexec.exe
File opened for modification | C:\Windows\Installer\MSIE141.tmp | msiexec.exe
File created | C:\Windows\INF\oem2.PNF | MsiExec.exe
File opened for modification | C:\Windows\inf\oem5.inf | DrvInst.exe
File created | C:\Windows\INF\oem5.PNF | MsiExec.exe
File opened for modification | C:\Windows\Installer\MSIB831.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\MSIB890.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\MSICA0E.tmp | msiexec.exe
File created | C:\Windows\Installer\e58b34f.msi | msiexec.exe
File opened for modification | C:\Windows\Installer\MSIE4CF.tmp | msiexec.exe
File created | C:\Windows\inf\oem5.inf | DrvInst.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log | msiexec.exe
File opened for modification | C:\Windows\Installer\MSIC160.tmp | msiexec.exe
File opened for modification | C:\Windows\INF\setupapi.dev.log | MsiExec.exe
File opened for modification | C:\Windows\inf\oem3.inf | DrvInst.exe
File opened for modification | C:\Windows\Installer\MSIB716.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\MSIB830.tmp | msiexec.exe
File created | C:\Windows\SystemTemp\~DF5076B0124C6A168B.TMP | msiexec.exe
File created | C:\Windows\INF\oem0.PNF | MsiExec.exe
File opened for modification | C:\Windows\INF\setupapi.dev.log | DrvInst.exe
File created | C:\Windows\SystemTemp\~DF462F058BE183502F.TMP | msiexec.exe
File created | C:\Windows\Installer\e58b34d.msi | msiexec.exe
File opened for modification | C:\Windows\Installer\ | msiexec.exe
File opened for modification | C:\Windows\INF\setupapi.dev.log | DrvInst.exe
File created | C:\Windows\Installer\{7431991E-0534-4E1E-89C8-2AF6968C017C}\IconVirtualBox | msiexec.exe
File created | C:\Windows\inf\oem3.inf | DrvInst.exe
File opened for modification | C:\Windows\inf\oem4.inf | DrvInst.exe
File created | C:\Windows\inf\oem4.inf | DrvInst.exe
File created | C:\Windows\INF\oem3.PNF | MsiExec.exe
File opened for modification | C:\Windows\Installer\MSIB8B0.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\MSIB92E.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\MSIBBCF.tmp | msiexec.exe
File opened for modification | C:\Windows\INF\setupapi.dev.log | svchost.exe
File created | C:\Windows\SystemTemp\~DF341B4D79B59646FE.TMP | msiexec.exe
Executes dropped EXE (3 IoCs)
pid | Process
3464 | VirtualBox.exe
1480 | VBoxSVC.exe
3676 | VBoxSDS.exe
Loads dropped DLL (41 IoCs)
pid | Process (consecutive identical entries grouped, in report order)
4616 | MsiExec.exe (6 entries)
3344 | MsiExec.exe (4 entries)
4188 | MsiExec.exe (1 entry)
3344 | MsiExec.exe (2 entries)
4972 | MsiExec.exe (9 entries)
3344 | MsiExec.exe (2 entries)
3464 | VirtualBox.exe (12 entries)
1480 | VBoxSVC.exe (2 entries)
3676 | VBoxSDS.exe (2 entries)
1480 | VBoxSVC.exe (1 entry)
Registers COM server for autorun (1 TTPs, 19 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\Software\Classes\CLSID\{B1A7A4F2-47B9-4A1E-82B2-07CCD5323C3F}\LocalServer32 | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{DD3FC71D-26C0-4FE1-BF6F-67F633265BBA}\InprocServer32\ = "C:\\Program Files\\Oracle\\VirtualBox\\VBoxC.dll" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{DD3FC71D-26C0-4FE1-BF6F-67F633265BBA}\InprocServer32\ThreadingModel = "Free" | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{DD3FC71D-26C0-4FE1-BF6F-67F633265BBA}\InprocServer32 | VirtualBox.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0BB3B78C-1807-4249-5BA5-EA42D66AF0BF}\InprocServer32 | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B1A7A4F2-47B9-4A1E-82B2-07CCD5323C3F}\LocalServer32\ = "\"C:\\Program Files\\Oracle\\VirtualBox\\VBoxSVC.exe\"" | msiexec.exe
Key created | \REGISTRY\MACHINE\Software\Classes\CLSID\{3C02F46D-C9D2-4F11-A384-53F0CF917214}\InprocServer32 | msiexec.exe
Key created | \REGISTRY\MACHINE\Software\Classes\CLSID\{74AB5FFE-8726-4435-AA7E-876D705BCBA5}\LocalServer32 | msiexec.exe
Key created | \REGISTRY\MACHINE\Software\Classes\CLSID\{0BB3B78C-1807-4249-5BA5-EA42D66AF0BF}\InprocServer32 | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3C02F46D-C9D2-4F11-A384-53F0CF917214}\InprocServer32 | VirtualBox.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{74AB5FFE-8726-4435-AA7E-876D705BCBA5}\LocalServer32 | VirtualBox.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0BB3B78C-1807-4249-5BA5-EA42D66AF0BF}\InprocServer32 | VirtualBox.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B1A7A4F2-47B9-4A1E-82B2-07CCD5323C3F}\LocalServer32 | VirtualBox.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0BB3B78C-1807-4249-5BA5-EA42D66AF0BF}\InprocServer32\ = "C:\\Program Files\\Oracle\\VirtualBox\\VBoxProxyStub.dll" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0BB3B78C-1807-4249-5BA5-EA42D66AF0BF}\InprocServer32\ThreadingModel = "Both" | msiexec.exe
Key created | \REGISTRY\MACHINE\Software\Classes\CLSID\{DD3FC71D-26C0-4FE1-BF6F-67F633265BBA}\InprocServer32 | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3C02F46D-C9D2-4F11-A384-53F0CF917214}\InprocServer32\ = "C:\\Program Files\\Oracle\\VirtualBox\\VBoxC.dll" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3C02F46D-C9D2-4F11-A384-53F0CF917214}\InprocServer32\ThreadingModel = "Free" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{74AB5FFE-8726-4435-AA7E-876D705BCBA5}\LocalServer32\ = "\"C:\\Program Files\\Oracle\\VirtualBox\\VBoxSDS.exe\"" | msiexec.exe
Checks SCSI registry key(s) (3 TTPs, 64 IoCs)
SCSI information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Service | MsiExec.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009 | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | MsiExec.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\CompatibleIDs | DrvInst.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID | MsiExec.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Phantom | DrvInst.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001 | MsiExec.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs | MsiExec.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001 | DrvInst.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 | MsiExec.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\LowerFilters | MsiExec.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr | vssvc.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002 | DrvInst.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 | DrvInst.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom | MsiExec.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\LowerFilters | MsiExec.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001 | DrvInst.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 | DrvInst.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID | DrvInst.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 | svchost.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Phantom | DrvInst.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom | DrvInst.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Phantom | DrvInst.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 | svchost.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID | DrvInst.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 | DrvInst.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\CompatibleIDs | DrvInst.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Filters | MsiExec.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 | MsiExec.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags | MsiExec.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 | MsiExec.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs | MsiExec.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\CompatibleIDs | DrvInst.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A\ | MsiExec.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009 | svchost.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags | svchost.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\UpperFilters | MsiExec.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Service | MsiExec.exe
Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 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 | vssvc.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002 | svchost.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\CompatibleIDs | MsiExec.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs | DrvInst.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID | DrvInst.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009 | svchost.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs | DrvInst.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002 | MsiExec.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\CompatibleIDs | MsiExec.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\CompatibleIDs | DrvInst.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom | DrvInst.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs | DrvInst.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A | MsiExec.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom | DrvInst.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID | MsiExec.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 | MsiExec.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001 | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009 | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002 | DrvInst.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Phantom | DrvInst.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Service | MsiExec.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\UpperFilters | MsiExec.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID | DrvInst.exe
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters | vssvc.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID | DrvInst.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Service | MsiExec.exe
Modifies data under HKEY_USERS 64 IoCs
Modifies registry class 64 IoCs
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid Process
3464 VirtualBox.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process
424 msiexec.exe
424 msiexec.exe
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
pid Process
2528 VirtualBox-7.0.18-162988-Win.exe
3464 VirtualBox.exe
Suspicious behavior: LoadsDriver 4 IoCs
pid Process
676 Process not Found
676 Process not Found
676 Process not Found
676 Process not Found
Suspicious use of AdjustPrivilegeToken 64 IoCs
Suspicious use of FindShellTrayWindow 1 IoCs
pid Process
2528 VirtualBox-7.0.18-162988-Win.exe
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process
3464 VirtualBox.exe
Suspicious use of WriteProcessMemory 22 IoCs
description pid Process procid_target
PID 424 wrote to memory of 4616 424 msiexec.exe 80
PID 424 wrote to memory of 4616 424 msiexec.exe 80
PID 424 wrote to memory of 3184 424 msiexec.exe 84
PID 424 wrote to memory of 3184 424 msiexec.exe 84
PID 424 wrote to memory of 3344 424 msiexec.exe 86
PID 424 wrote to memory of 3344 424 msiexec.exe 86
PID 424 wrote to memory of 4188 424 msiexec.exe 87
PID 424 wrote to memory of 4188 424 msiexec.exe 87
PID 424 wrote to memory of 4188 424 msiexec.exe 87
PID 424 wrote to memory of 4972 424 msiexec.exe 88
PID 424 wrote to memory of 4972 424 msiexec.exe 88
PID 3552 wrote to memory of 3124 3552 svchost.exe 90
PID 3552 wrote to memory of 3124 3552 svchost.exe 90
PID 424 wrote to memory of 4804 424 msiexec.exe 92
PID 424 wrote to memory of 4804 424 msiexec.exe 92
PID 424 wrote to memory of 4804 424 msiexec.exe 92
PID 3552 wrote to memory of 4908 3552 svchost.exe 93
PID 3552 wrote to memory of 4908 3552 svchost.exe 93
PID 3552 wrote to memory of 1012 3552 svchost.exe 96
PID 3552 wrote to memory of 1012 3552 svchost.exe 96
PID 2528 wrote to memory of 3464 2528 VirtualBox-7.0.18-162988-Win.exe 98
PID 2528 wrote to memory of 3464 2528 VirtualBox-7.0.18-162988-Win.exe 98
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
C:\Users\Admin\AppData\Local\Temp\VirtualBox-7.0.18-162988-Win.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\VirtualBox-7.0.18-162988-Win.exe"
  - Enumerates connected drives
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID: 2528
    C:\Program Files\Oracle\VirtualBox\VirtualBox.exe
      Command line: "C:\Program Files\Oracle\VirtualBox\VirtualBox.exe"
      - Executes dropped EXE
      - Loads dropped DLL
      - Registers COM server for autorun
      - Modifies registry class
      - Suspicious behavior: AddClipboardFormatListener
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of SetWindowsHookEx
      PID: 3464
C:\Windows\system32\msiexec.exe
  Command line: C:\Windows\system32\msiexec.exe /V
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Registers COM server for autorun
  - Modifies data under HKEY_USERS
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 424
    C:\Windows\System32\MsiExec.exe
      Command line: C:\Windows\System32\MsiExec.exe -Embedding FA6D6A135EC3275B5BAE5803823096BF C
      - Loads dropped DLL
      PID: 4616
    C:\Windows\system32\srtasks.exe
      Command line: C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
      PID: 3184
    C:\Windows\System32\MsiExec.exe
      Command line: C:\Windows\System32\MsiExec.exe -Embedding 90CB6E367090ED2BEC232FA0AFC06FC1
      - Loads dropped DLL
      PID: 3344
    C:\Windows\syswow64\MsiExec.exe
      Command line: C:\Windows\syswow64\MsiExec.exe -Embedding EEEED849BDC03DCAAEDCE23F97CEE6A9
      - Loads dropped DLL
      PID: 4188
    C:\Windows\System32\MsiExec.exe
      Command line: C:\Windows\System32\MsiExec.exe -Embedding EFBB24C7EF95813B082674AF7683F894 E Global\MSI0000
      - Drops file in Drivers directory
      - Drops file in System32 directory
      - Drops file in Windows directory
      - Loads dropped DLL
      - Checks SCSI registry key(s)
      - Modifies data under HKEY_USERS
      PID: 4972
    C:\Windows\syswow64\MsiExec.exe
      Command line: C:\Windows\syswow64\MsiExec.exe -Embedding 8D6F2CAA08BC00DCC3DC3CF4E9DD20C5 M Global\MSI0000
      PID: 4804
C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  - Checks SCSI registry key(s)
  PID: 4596
C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k DcomLaunch -p -s DeviceInstall
  - Drops file in Windows directory
  - Checks SCSI registry key(s)
  - Suspicious use of WriteProcessMemory
  PID: 3552
    C:\Windows\system32\DrvInst.exe
      Command line: DrvInst.exe "4" "1" "C:\Program Files\Oracle\VirtualBox\drivers\USB\device\VBoxUSB.inf" "9" "48f6bcb47" "0000000000000154" "WinSta0\Default" "0000000000000164" "208" "C:\Program Files\Oracle\VirtualBox\drivers\USB\device"
      - Drops file in System32 directory
      - Drops file in Windows directory
      - Checks SCSI registry key(s)
      - Modifies data under HKEY_USERS
      PID: 3124
    C:\Windows\system32\DrvInst.exe
      Command line: DrvInst.exe "4" "1" "C:\Program Files\Oracle\VirtualBox\drivers\network\netadp6\VBoxNetAdp6.inf" "9" "473b17b7b" "000000000000010C" "WinSta0\Default" "0000000000000168" "208" "C:\Program Files\Oracle\VirtualBox\drivers\network\netadp6"
      - Drops file in System32 directory
      - Drops file in Windows directory
      - Checks SCSI registry key(s)
      - Modifies data under HKEY_USERS
      PID: 4908
    C:\Windows\system32\DrvInst.exe
      Command line: DrvInst.exe "4" "1" "C:\Program Files\Oracle\VirtualBox\drivers\network\netlwf\VBoxNetLwf.inf" "9" "431e52bcb" "0000000000000168" "WinSta0\Default" "0000000000000178" "208" "C:\Program Files\Oracle\VirtualBox\drivers\network\netlwf"
      - Drops file in System32 directory
      - Drops file in Windows directory
      - Checks SCSI registry key(s)
      - Modifies data under HKEY_USERS
      PID: 1012
C:\Program Files\Oracle\VirtualBox\VBoxSVC.exe
  Command line: "C:\Program Files\Oracle\VirtualBox\VBoxSVC.exe" -Embedding
  - Executes dropped EXE
  - Loads dropped DLL
  PID: 1480
C:\Program Files\Oracle\VirtualBox\VBoxSDS.exe
  Command line: "C:\Program Files\Oracle\VirtualBox\VBoxSDS.exe"
  - Drops file in System32 directory
  - Executes dropped EXE
  - Loads dropped DLL
  PID: 3676
Network
MITRE ATT&CK Enterprise v15
Downloads
SHA512122e5305b69658e41b85c8ed369cc27d19dfc77e5b27527e9c6708f4a6b4d9bf5cf7213f70bb29c639297e0bb7941e573e3dcdaaad0bfd4c828168bdb274334e
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141
Filesize412B
MD57e0ef0efadc88753665392f7f2f0b91a
SHA19cd0c8bd9dddd0d579331c54a5da57011c39f522
SHA256ffb860a5beda6b34accc16e573415225296727964d5d587f52907e8a4f10025d
SHA51224572e84441d1156a14c43202c5d310df85eaecf8191d251bf94fe3b283899cc7922072b1fcd0e454a6be344ffab1e35c2d40902ad785d1e36386d06320edd51
-
Filesize
324KB
MD5d045098c42378ebe26f6da17977551ee
SHA180a93acee96419dd9c44d0d15d7518aea21f782a
SHA25692b89b56400e8d01a813513ef8af685fb23adcaba49d7775853e650266b2f63a
SHA5129e110110c6ec6aa43e64069744901c955ac90253a036b9837d2e0150c5da97cb8f927db4a36e9f289684c3b91724a4d93aa189a3fde9d06d07d62dd4b8c08a35
-
Filesize
234KB
MD58edc1557e9fc7f25f89ad384d01bcec4
SHA198e64d7f92b8254fe3f258e3238b9e0f033b5a9c
SHA25678860e15e474cc2af7ad6e499a8971b6b8197afb8e49a1b9eaaa392e4378f3a5
SHA512d26c9dce3c3d17583ffb5dbcd3989f93b096a7f64a37a2701a474c1bf4b8c8b1e922c352d33f24e411f1c793e1b4af11a3aec1de489087d481b1b636df2050cd
-
Filesize
149KB
MD5418322f7be2b68e88a93a048ac75a757
SHA109739792ff1c30f73dacafbe503630615922b561
SHA256ea5d4b4c7e7be1ce24a614ae1e31a58bcae6f1694dd8bfb735cf47d35a08d59b
SHA512253f62f5ce75df3e9ac3c62e2f06f30c7c6de6280fbfc830cdd15bf29cb8ee9ed878212f6df5d0ac6a5c9be0e6259f900eccee472a890f15dd3ff1f84958aeef
-
Filesize
690KB
MD58deb7d2f91c7392925718b3ba0aade22
SHA1fc8e9b10c83e16eb0af1b6f10128f5c37b389682
SHA256cb42fac1aebb6e1ac4907a38035b218b5f992d1bcd4dece11b1664a588e876e4
SHA51237f2c132b632c8e5a336bdc773d953c7f39872b1bae2ba34fbaf7794a477fd0dcb9ff60a3ddb447fe76abd98e557bd5ee544876584adea152b0841b3e313054c
-
Filesize
2KB
MD5f48b3781fc7ebe97071b5dca008b85bf
SHA19fbecc6afd55cf20b3a65c9106122513f74acc87
SHA256de3edb35bb07f89715ecec15131e3402ad1279e2835826639494ff63e10ac5f4
SHA51278856df1a80c64ef90266234f36e1998e551f0e381df36fa32cf5bce82f7b3dd92aa6c051a5c806549f3bdedf66225ad436059204d39d9269022ac4d79c226d4
-
Filesize
2KB
MD55a7bffa5bc25ae7038d02653d1740fcf
SHA1ea1504c9301fb50ad59ae6a45a213d54bcbbe844
SHA25632f50af16a2a1e610c71c4eb15ff044bb30471cbc44a5e384032cbbccb7fb1dc
SHA512b6487289a8cef6a638b42f2d7bf480814dc3d9efb65bdd7b1feb0805f536bc6a5742de54adfb3a2b915572de59a9ddd44d8e9c5a3bf4d636d3e7cb84a5f86988
-
Filesize
11KB
MD560b2f9f910c1458e203a34fbcf0e1915
SHA110f1ea3e3ce1fc54d45d1ee2c9fe56e4a2b5dc1f
SHA25673eb94e2977c6b32799037de23da54adbd0f61d5c585dd1b65368c863e98fa7c
SHA5125514903acd301a6d865f37a3b8f8ec90d3b4846e5fc28a1372aa3af5e4201ab8011e1eedf1cf9e88809276bfeeac41b8ab33eea6a5c9b56991451105aae207c4
-
Filesize
4KB
MD57cf28d3145d8b0f9cdde7f94a8729e03
SHA10cc9adc8322fe07ce03dd1e7e91a276a953fbefe
SHA2562585f5715d6a5ebf1e0ae04f11408bdded6789f677a6c4cc7111cf418a296c85
SHA5127b234e92235bf2422020da65cfcf9c05a884057e921befeda5c61cf0116e6bc549a06b53cec641e31b07bd378f711ad9911e74f0dece057d2660689438c138f9
-
Filesize
259KB
MD598c5be1edffae7850132d9950e8ed658
SHA13a04c50447bc8e8cf4f72fa3a21ac66e952dc19f
SHA256be8c1e532b226bc5882d62eeed88dfb45a230cf6f78dc65a3ae1de3b142cb171
SHA5127d1d3209fa2bd2123584ec4776ecb5e5e1ff1b239d5d35532cda0c60f26122faa74b0ab3c7e30ed31efc5ebc0d3a134604e2af4d1c8a72068776f6b71376f498
-
Filesize
11KB
MD5d8ca5a996bf2d542fc111586aa122cd7
SHA1002d5343fb1a35283f231d5d6d5f3537602ff94e
SHA256d2d1296289411c8c469312a9569549ba24f4b2d3d525047fded6b4cd178154af
SHA512d0e1617f91ebf93488a949d6f8548f0721b66786ef9788e176d5f2aa4daf84e0aeafaad097c22c8dd0f77f560f7cba2f597c7deef13abb0593d337f1d8652cf7
-
Filesize
248KB
MD5dd03fbee01f74530584061fe46a3aee5
SHA149177c7d906c66b322499eaef9b26a0ba36e060e
SHA25644f9d678b6018602bf200772ac5588c2003ae9f413a5a5ef53fb73a70f0fe0be
SHA5124cf701d356a9ae529618e69fc1d9ae518dd20a2d3469f90d5b379f84b748dff4703ddc56e5c9bcc7f44f201bcc422b761b7313e09399f52ec0d2614e5e996dad
-
Filesize
12.8MB
MD5d87327d0dfd235de9d0483c9d8f0967d
SHA19b514f65d447cf1b480a43b82795a608f2e7c0f4
SHA25684ec19c2f796aa2d55888edab6af1743d05324f2b4ab592b544d5aa0583fffe7
SHA51212df72e0cd431cab78888bfc0f226b3fcf61dbdc5ff9bdcacd91befabe9a8589cc67ea3fc74c50e08afaa6df61cae17cb30cb4089fef341a0d171e912f827446
-
\??\Volume{453a990c-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{17cb499b-a315-4ce0-b85b-fd6a4d55cfb3}_OnDiskSnapshotProp
Filesize6KB
MD5b0fe8f3c958e92f528c78e1fc7624aec
SHA18dd4ba9ab61968bb53342a4991d269cea4b6cb57
SHA256a16771cf7e0c1eb62fe8fc29dbd58eb2969550cea3acca412cf5b197eee42541
SHA51231f148d36946a50f82a9ec53b7e97f29bd8451b51fcc6bbe48d0acbed89915750ef3f45e4655231a88b2fd86f5a209bea376dcd714a5824f10534029425f40bd