fa3544162eee87b660999bd913f76ccb2e5a706928ef2c2e29811e4ac76fb166

Analysis

max time kernel
74s
max time network
79s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
06/08/2024, 16:50

Sharing

Copy URL Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

VirtualBox-7.0.20-163906-Win.exe
Size

105.1MB
MD5

b822835698e76fff193342effc92d286
SHA1

e049adb24caf0153b94e801da9835d485c67e38c
SHA256

fa3544162eee87b660999bd913f76ccb2e5a706928ef2c2e29811e4ac76fb166
SHA512

0381b27478dc25d4b3707fb21a34be66ca42eb18d93ce8ec90be7325015f540a39ebfea58b7992a38cc2c861e6e86d89c67f5b3a84ddb65e339fcca0dc314bed
SSDEEP

3145728:VuwDpzeIGwA7iKVCv8hxxgFYHey3WCfEOiP1e48TetH+H9:VuwDpz9A70Cno1XZBtHC9

Score

8^/10

discovery persistence privilege_escalation

Malware Config

Signatures

Drops file in Drivers directory 12 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\DRIVERS\SET61F3.tmp	MsiExec.exe
File created	C:\Windows\system32\DRIVERS\SET61F3.tmp	MsiExec.exe
File created	C:\Windows\system32\DRIVERS\SET5139.tmp	MsiExec.exe
File opened for modification	C:\Windows\system32\DRIVERS\VBoxUSBMon.sys	MsiExec.exe
File opened for modification	C:\Windows\system32\DRIVERS\VBoxSup.sys	MsiExec.exe
File opened for modification	C:\Windows\system32\DRIVERS\SET5139.tmp	MsiExec.exe
File opened for modification	C:\Windows\system32\DRIVERS\VBoxNetAdp6.sys	MsiExec.exe
File opened for modification	C:\Windows\system32\DRIVERS\SET6792.tmp	MsiExec.exe
File created	C:\Windows\system32\DRIVERS\SET6792.tmp	MsiExec.exe
File opened for modification	C:\Windows\system32\DRIVERS\VBoxNetLwf.sys	MsiExec.exe
File opened for modification	C:\Windows\system32\DRIVERS\SET4FE0.tmp	MsiExec.exe
File created	C:\Windows\system32\DRIVERS\SET4FE0.tmp	MsiExec.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\B:	VirtualBox-7.0.20-163906-Win.exe
File opened (read-only)	\??\W:	VirtualBox-7.0.20-163906-Win.exe
File opened (read-only)	\??\X:	VirtualBox-7.0.20-163906-Win.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Q:	VirtualBox-7.0.20-163906-Win.exe
File opened (read-only)	\??\U:	VirtualBox-7.0.20-163906-Win.exe
File opened (read-only)	\??\Y:	VirtualBox-7.0.20-163906-Win.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\G:	VirtualBox-7.0.20-163906-Win.exe
File opened (read-only)	\??\K:	VirtualBox-7.0.20-163906-Win.exe
File opened (read-only)	\??\A:	VirtualBox-7.0.20-163906-Win.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\H:	VirtualBox-7.0.20-163906-Win.exe
File opened (read-only)	\??\I:	VirtualBox-7.0.20-163906-Win.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\N:	VirtualBox-7.0.20-163906-Win.exe
File opened (read-only)	\??\O:	VirtualBox-7.0.20-163906-Win.exe
File opened (read-only)	\??\P:	VirtualBox-7.0.20-163906-Win.exe
File opened (read-only)	\??\T:	VirtualBox-7.0.20-163906-Win.exe
File opened (read-only)	\??\Z:	VirtualBox-7.0.20-163906-Win.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\J:	VirtualBox-7.0.20-163906-Win.exe
File opened (read-only)	\??\M:	VirtualBox-7.0.20-163906-Win.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\E:	VirtualBox-7.0.20-163906-Win.exe
File opened (read-only)	\??\L:	VirtualBox-7.0.20-163906-Win.exe
File opened (read-only)	\??\R:	VirtualBox-7.0.20-163906-Win.exe
File opened (read-only)	\??\S:	VirtualBox-7.0.20-163906-Win.exe
File opened (read-only)	\??\V:	VirtualBox-7.0.20-163906-Win.exe
File opened (read-only)	\??\W:	msiexec.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\DriverStore\Temp\{9c08f02c-e495-7e4b-9f83-05940667cddc}\SET5251.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{9c08f02c-e495-7e4b-9f83-05940667cddc}\VBoxUSB.sys	DrvInst.exe
File created	C:\Windows\System32\DriverStore\FileRepository\c_netservice.inf_amd64_bc519c177a90877a\c_netservice.PNF	MsiExec.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\vboxnetlwf.inf_amd64_eb4066015771f3db\VBoxNetLwf.inf	DrvInst.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netrass.inf_amd64_72f156a5ee3f59e8\netrass.PNF	MsiExec.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netnb.inf_amd64_10acfa4b924dd181\netnb.PNF	MsiExec.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Roaming\VirtualBox\VBoxSDS.log	VBoxSDS.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\vboxnetadp6.inf_amd64_7417ee86f5328abf\VBoxNetAdp6.inf	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\vboxnetlwf.inf_amd64_eb4066015771f3db\VBoxNetLwf.sys	DrvInst.exe
File opened for modification	C:\Windows\system32\DRVSTORE\VBoxSup_555BF96062BAD5F61973AF420575FECDF748F53D\VBoxSup.inf	MsiExec.exe
File created	C:\Windows\system32\DRVSTORE\VBoxUSBMon_868224FB61115FF0B90F68D1722423187EB14CFE\VBoxUSBMon.cat	MsiExec.exe
File created	C:\Windows\system32\DRVSTORE\VBoxUSBMon_868224FB61115FF0B90F68D1722423187EB14CFE\VBoxUSBMon.sys	MsiExec.exe
File created	C:\Windows\System32\DriverStore\Temp\{9c08f02c-e495-7e4b-9f83-05940667cddc}\SET5253.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{2f0ee031-973f-254d-883d-99747e8a6b8d}\SET60AA.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{2f0ee031-973f-254d-883d-99747e8a6b8d}\SET60BB.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\vboxnetadp6.inf_amd64_7417ee86f5328abf\VBoxNetAdp6.sys	DrvInst.exe
File created	C:\Windows\System32\DriverStore\drvstore.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\vboxnetlwf.inf_amd64_eb4066015771f3db\VBoxNetLwf.cat	DrvInst.exe
File opened for modification	C:\Windows\System32\CatRoot2\dberr.txt	DrvInst.exe
File created	C:\Windows\System32\DriverStore\FileRepository\vboxusb.inf_amd64_a9022bf4ead6c18b\VBoxUSB.PNF	MsiExec.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{364d0bf6-b4da-ff45-8a08-e0c07353033c}	DrvInst.exe
File created	C:\Windows\System32\DriverStore\FileRepository\wfpcapture.inf_amd64_54cf91ab0e4c9ac2\wfpcapture.PNF	MsiExec.exe
File created	C:\Windows\System32\DriverStore\Temp\{9c08f02c-e495-7e4b-9f83-05940667cddc}\SET5251.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{364d0bf6-b4da-ff45-8a08-e0c07353033c}\SET6628.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netbrdg.inf_amd64_3debe5e78bab1bca\netbrdg.PNF	MsiExec.exe
File created	C:\Windows\System32\DriverStore\FileRepository\vboxnetlwf.inf_amd64_eb4066015771f3db\vboxnetlwf.PNF	MsiExec.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netnwifi.inf_amd64_0525128a3d54207e\netnwifi.PNF	MsiExec.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\vboxusb.inf_amd64_a9022bf4ead6c18b\VBoxUSB.sys	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\vboxusb.inf_amd64_a9022bf4ead6c18b\VBoxUSB.cat	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{2f0ee031-973f-254d-883d-99747e8a6b8d}\VBoxNetAdp6.sys	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{364d0bf6-b4da-ff45-8a08-e0c07353033c}\VBoxNetLwf.inf	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{364d0bf6-b4da-ff45-8a08-e0c07353033c}\SET6629.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{9c08f02c-e495-7e4b-9f83-05940667cddc}\SET5253.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\drvstore.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{364d0bf6-b4da-ff45-8a08-e0c07353033c}\SET6618.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{364d0bf6-b4da-ff45-8a08-e0c07353033c}\SET6628.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{9c08f02c-e495-7e4b-9f83-05940667cddc}\VBoxUSB.cat	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{9c08f02c-e495-7e4b-9f83-05940667cddc}	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{2f0ee031-973f-254d-883d-99747e8a6b8d}\SET60A9.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{2f0ee031-973f-254d-883d-99747e8a6b8d}\SET60BB.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{364d0bf6-b4da-ff45-8a08-e0c07353033c}\VBoxNetLwf.cat	DrvInst.exe
File created	C:\Windows\System32\DriverStore\FileRepository\ndiscap.inf_amd64_d34968d7b3e6da21\ndiscap.PNF	MsiExec.exe
File created	C:\Windows\system32\DRVSTORE\VBoxUSBMon_868224FB61115FF0B90F68D1722423187EB14CFE\VBoxUSBMon.inf	MsiExec.exe
File created	C:\Windows\System32\DriverStore\Temp\{9c08f02c-e495-7e4b-9f83-05940667cddc}\SET5252.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{364d0bf6-b4da-ff45-8a08-e0c07353033c}\SET6629.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{364d0bf6-b4da-ff45-8a08-e0c07353033c}\VBoxNetLwf.sys	DrvInst.exe
File opened for modification	C:\Windows\System32\CatRoot2\dberr.txt	MsiExec.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\vboxnetadp6.inf_amd64_7417ee86f5328abf\VBoxNetAdp6.cat	DrvInst.exe
File opened for modification	C:\Windows\System32\CatRoot2\dberr.txt	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{2f0ee031-973f-254d-883d-99747e8a6b8d}	DrvInst.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netserv.inf_amd64_56c163d21e8c2b62\netserv.PNF	MsiExec.exe
File opened for modification	C:\Windows\system32\DRVSTORE	MsiExec.exe
File created	C:\Windows\system32\DRVSTORE\VBoxSup_555BF96062BAD5F61973AF420575FECDF748F53D\VBoxSup.cat	MsiExec.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\vboxusb.inf_amd64_a9022bf4ead6c18b\VBoxUSB.inf	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{2f0ee031-973f-254d-883d-99747e8a6b8d}\SET60A9.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{2f0ee031-973f-254d-883d-99747e8a6b8d}\VBoxNetAdp6.inf	DrvInst.exe
File created	C:\Windows\system32\DRVSTORE\VBoxSup_555BF96062BAD5F61973AF420575FECDF748F53D\VBoxSup.sys	MsiExec.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{9c08f02c-e495-7e4b-9f83-05940667cddc}\VBoxUSB.inf	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{364d0bf6-b4da-ff45-8a08-e0c07353033c}\SET6618.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\drvstore.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\CatRoot2\dberr.txt	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{2f0ee031-973f-254d-883d-99747e8a6b8d}\SET60AA.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{2f0ee031-973f-254d-883d-99747e8a6b8d}\VBoxNetAdp6.cat	DrvInst.exe
File created	C:\Windows\system32\DRVSTORE\VBoxSup_555BF96062BAD5F61973AF420575FECDF748F53D\VBoxSup.inf	MsiExec.exe

Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Oracle\VirtualBox\nls\VirtualBox_el.qm	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\nls\VirtualBox_ru.qm	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\nls\VirtualBox_zh_TW.qm	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\nls\qt_tr.qm	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\sdk\install\vboxapi\__init__.py	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\platforms\qwindows.dll	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\VBoxSVC.exe	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\Qt5HelpVBox.dll	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\nls\qt_nl.qm	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\VirtualBox.VisualElementsManifest.xml	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\VirtualBox_150px.png	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\nls\qt_bg.qm	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\nls\qt_it.qm	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\nls\qt_pl.qm	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\UnattendedTemplates\ol_ks.cfg	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\VBoxNetNAT.exe	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\VBoxRes.dll	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\VBoxVMM.dll	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\nls\VirtualBox_da.qm	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\nls\VirtualBox_id.qm	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\nls\VirtualBox_nl.qm	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\nls\qt_th.qm	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\Qt5PrintSupportVBox.dll	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\VBoxBalloonCtrl.exe	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\drivers\network\netadp6\VBoxNetAdp6.sys	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\UnattendedTemplates\os2_cid_install.cmd	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\x86\VBoxClient-x86.dll	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\License_en_US.rtf	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\drivers\USB\device\VBoxUSB.sys	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\nls\VirtualBox_en.qm	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\nls\qt_pt_BR.qm	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\VBoxGuestAdditions.iso	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\UnattendedTemplates\lgw_ks.cfg	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\doc\UserManual.pdf	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\VBoxDTrace.exe	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\VBoxManage.exe	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\VBoxSharedClipboard.dll	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\VirtualBoxVM.dll	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\nls\VirtualBox_hu.qm	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\UnattendedTemplates\fedora_ks.cfg	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\platforms\qminimal.dll	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\nls\qt_hu.qm	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\nls\qt_sl.qm	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\nls\qt_zh_CN.qm	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\nls\qt_cs.qm	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\nls\qt_es.qm	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\VBoxNetDHCP.dll	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\drivers\USB\device\VBoxUSB.cat	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\nls\VirtualBox_hr_HR.qm	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\nls\VirtualBox_pt_BR.qm	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\nls\qt_de.qm	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\nls\qt_en.qm	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\VBoxCAPI.dll	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\drivers\network\netadp6\VBoxNetAdp6.inf	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\drivers\network\netadp6\VBoxNetAdp6.cat	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\drivers\USB\filter\VBoxUSBMon.cat	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\nls\qt_fa.qm	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\VBoxDDU.dll	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\VBoxDragAndDropSvc.dll	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\VBoxDDR0.r0	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\drivers\network\netlwf\VBoxNetLwf.sys	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\drivers\USB\filter\VBoxUSBMon.inf	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\nls\VirtualBox_ca.qm	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\nls\VirtualBox_lt.qm	msiexec.exe

Drops file in Windows directory 48 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\MSI6589.tmp	msiexec.exe
File created	C:\Windows\INF\oem0.PNF	MsiExec.exe
File created	C:\Windows\INF\oem3.PNF	MsiExec.exe
File opened for modification	C:\Windows\Installer\e583e1d.msi	msiexec.exe
File created	C:\Windows\SystemTemp\~DF8E6C6B6A21A8A33E.TMP	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI4558.tmp	msiexec.exe
File opened for modification	C:\Windows\inf\oem3.inf	DrvInst.exe
File opened for modification	C:\Windows\inf\oem4.inf	DrvInst.exe
File opened for modification	C:\Windows\Installer\MSI681C.tmp	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File created	C:\Windows\SystemTemp\~DF4BD479EE4E160600.TMP	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI50E5.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI65C9.tmp	msiexec.exe
File opened for modification	C:\Windows\inf\oem5.inf	DrvInst.exe
File opened for modification	C:\Windows\Installer\MSI41CA.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI4931.tmp	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File created	C:\Windows\Installer\e583e1f.msi	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	MsiExec.exe
File created	C:\Windows\Installer\{95DEBF01-7029-4E37-BDB1-94EFEA3B263C}\IconVirtualBox	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI685C.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI411B.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI4F8C.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI5192.tmp	msiexec.exe
File created	C:\Windows\SystemTemp\~DF3FDFA785ADB5A053.TMP	msiexec.exe
File created	C:\Windows\INF\oem2.PNF	MsiExec.exe
File opened for modification	C:\Windows\Installer\MSI684C.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI4189.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI41B9.tmp	msiexec.exe
File created	C:\Windows\Installer\SourceHash{95DEBF01-7029-4E37-BDB1-94EFEA3B263C}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI448C.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI4981.tmp	msiexec.exe
File created	C:\Windows\INF\oem5.PNF	MsiExec.exe
File created	C:\Windows\inf\oem3.inf	DrvInst.exe
File opened for modification	C:\Windows\Installer\MSI6078.tmp	msiexec.exe
File created	C:\Windows\inf\oem4.inf	DrvInst.exe
File created	C:\Windows\INF\oem1.PNF	MsiExec.exe
File created	C:\Windows\inf\oem5.inf	DrvInst.exe
File created	C:\Windows\Installer\e583e1d.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI41DA.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\{95DEBF01-7029-4E37-BDB1-94EFEA3B263C}\IconVirtualBox	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\Installer\MSI4249.tmp	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	svchost.exe
File created	C:\Windows\SystemTemp\~DF51D963DD234B3FB5.TMP	msiexec.exe

Executes dropped EXE 3 IoCs

pid	Process
4720	VirtualBox.exe
4188	VBoxSVC.exe
1656	VBoxSDS.exe

Loads dropped DLL 42 IoCs

pid	Process
2712	MsiExec.exe
2712	MsiExec.exe
2712	MsiExec.exe
2712	MsiExec.exe
2712	MsiExec.exe
2712	MsiExec.exe
3424	MsiExec.exe
3424	MsiExec.exe
3424	MsiExec.exe
3424	MsiExec.exe
884	MsiExec.exe
3424	MsiExec.exe
3424	MsiExec.exe
2056	MsiExec.exe
2056	MsiExec.exe
2056	MsiExec.exe
2056	MsiExec.exe
2056	MsiExec.exe
2056	MsiExec.exe
2056	MsiExec.exe
2056	MsiExec.exe
2056	MsiExec.exe
3424	MsiExec.exe
3424	MsiExec.exe
4720	VirtualBox.exe
4720	VirtualBox.exe
4720	VirtualBox.exe
4720	VirtualBox.exe
4720	VirtualBox.exe
4720	VirtualBox.exe
4720	VirtualBox.exe
4720	VirtualBox.exe
4720	VirtualBox.exe
4720	VirtualBox.exe
4720	VirtualBox.exe
4720	VirtualBox.exe
4188	VBoxSVC.exe
4188	VBoxSVC.exe
4188	VBoxSVC.exe
1656	VBoxSDS.exe
1656	VBoxSDS.exe
4188	VBoxSVC.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	VirtualBox-7.0.20-163906-Win.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A\	MsiExec.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Filters	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	MsiExec.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Service	MsiExec.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\LowerFilters	MsiExec.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Phantom	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\LowerFilters	MsiExec.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\LowerFilters	MsiExec.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags	MsiExec.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID	MsiExec.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\CompatibleIDs	MsiExec.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\UpperFilters	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID	MsiExec.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\CompatibleIDs	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	DrvInst.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\CompatibleIDs	MsiExec.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	MsiExec.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\UpperFilters	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\CompatibleIDs	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Service	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	DrvInst.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 00000000040000006586dee215ef0e8b0000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff0000000027010100000800006586dee20000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff0000000007000100006809006586dee2000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1d6586dee2000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000000000006586dee200000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Phantom	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002	MsiExec.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	MsiExec.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Service	MsiExec.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\CompatibleIDs	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\CompatibleIDs	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A	MsiExec.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	MsiExec.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\LowerFilters	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Filters	MsiExec.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365268"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "200"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	DrvInst.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{6DC83C2C-81A9-4005-9D52-FC45A78BF3F5}\TypeLib	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AD47AD09-787B-44AB-B343-A082A3F2DFB1}\ = "IMedium"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C40C2B86-73A5-46CC-8227-93FE57D006A6}\NumMethods\ = "69"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D7569351-1750-46F0-936E-BD127D5BC264}\1.3	VirtualBox.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B31C4052-7BDC-11E9-8BC2-8FFDB8B19219}\NumMethods	VirtualBox.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{52f40b16-520e-473f-9428-3e69b0d915c3}	VirtualBox.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9ea9227c-e9bb-49b3-bfc7-c5171e93ef38}	VirtualBox.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{21637B0E-34B8-42D3-ACFB-7E96DAF77C22}\TypeLib	VirtualBox.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{DD3FC71D-26C0-4FE1-BF6F-67F633265BBA}\VersionIndependentProgID	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Interface\{3BA329DC-659C-488B-835C-4ECA7AE71C6C}\NumMethods	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Interface\{5587D0F6-A227-4F23-8278-2F675EEA1BB2}\NumMethods	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Interface\{67C50AFE-3E78-11E9-B25E-7768F80C0E07}	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{883DD18B-0721-4CDE-867C-1A82ABAF914C}\ = "IRuntimeErrorEvent"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Interface\{C365FB7B-4430-499F-92C8-8BED814A567A}\NumMethods	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Interface\{C8ADB7B0-057D-4391-B928-F14B06B710C5}\TypeLib	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E7932CB8-F6D4-4AB6-9CBF-558EB8959A6A}\TypeLib\Version = "1.3"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{758D7EAC-E4B1-486A-8F2E-747AE346C3E9}\ProxyStubClsid32	VirtualBox.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{28935887-782B-4C94-8410-CE557B9CFE44}\TypeLib\ = "{D7569351-1750-46F0-936E-BD127D5BC264}"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{5748F794-48DF-438D-85EB-98FFD70D18C9}\NumMethods\ = "14"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Interface\{1E775EA3-9070-4F9C-B0D5-53054496DBE0}\NumMethods	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Interface\{D7B98D2B-30E8-447E-99CB-E31BECAE6AE4}\NumMethods	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Interface\{F9B9E1CF-CB63-47A1-84FB-02C4894B89A9}\ProxyStubClsid32	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A338ED20-58D9-43AE-8B03-C1FD7088EF15}\ProxyStubClsid32	VirtualBox.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{E28E227A-F231-11EA-9641-9B500C6D5365}\NumMethods	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{DD3FC71D-26C0-4FE1-BF6F-67F633265BBA}\ProgID	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{83795A4C-FCE1-11EA-8A17-636028AE0BE2}\NumMethods\ = "14"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Interface\{DCF47A1D-ED70-4DB8-9A4B-2646BD166905}	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{d37fe88f-0979-486c-baa1-3abb144dc82d}	VirtualBox.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{83795A4C-FCE1-11EA-8A17-636028AE0BE2}\NumMethods	VirtualBox.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{86A98347-7619-41AA-AECE-B21AC5C1A7E6}\ = "IAppliance"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0DE887F2-B7DB-4616-AAC6-CFB94D89BA78}\NumMethods\ = "18"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{883DD18B-0721-4CDE-867C-1A82ABAF914C}\TypeLib\ = "{D7569351-1750-46F0-936E-BD127D5BC264}"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E28E227A-F231-11EA-9641-9B500C6D5365}\ = "ICloudProviderRegisteredEvent"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FF5BEFC3-4BA3-7903-2AA4-43988BA11554}\ProxyStubClsid32\ = "{0BB3B78C-1807-4249-5BA5-EA42D66AF0BF}"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D37FE88F-0979-486C-BAA1-3ABB144DC82D}\ProxyStubClsid32	VirtualBox.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A0A7F210-B857-4468-BE26-C29F36A84345}\NumMethods	VirtualBox.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{232E9151-AE84-4B8E-B0F3-5C20C35CAAC9}\ProxyStubClsid32\ = "{0BB3B78C-1807-4249-5BA5-EA42D66AF0BF}"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{88394258-7006-40D4-B339-472EE3801844}\ProxyStubClsid32\ = "{0BB3B78C-1807-4249-5BA5-EA42D66AF0BF}"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8d984a7e-b855-40b8-ab0c-44d3515b4528}	VirtualBox.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{232E9151-AE84-4B8E-B0F3-5C20C35CAAC9}\NumMethods\ = "15"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{ABEF51AE-1493-49F4-AA03-EFAF106BF086}\TypeLib	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00892186-A4AF-4627-B21F-FC561CE4473C}\NumMethods\ = "52"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{714A3EEF-799A-4489-86CD-FE8E45B2FF8E}\TypeLib\Version = "1.3"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Interface\{AF398A9A-6B76-4805-8FAB-00A9DCF4732B}\ProxyStubClsid32	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{D782DBA7-CD4F-4ACE-951A-58321C23E258}\ProxyStubClsid32	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{245D88BD-800A-40F8-87A6-170D02249A55}\TypeLib\ = "{D7569351-1750-46F0-936E-BD127D5BC264}"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{24EEF068-C380-4510-BC7C-19314A7352F1}\TypeLib\Version = "1.3"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C1844087-EC6B-488D-AFBB-C90F6452A04B}\ProxyStubClsid32	VirtualBox.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DDCA7247-BF98-47FB-AB2F-B5177533F493}\ProxyStubClsid32	VirtualBox.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{EB000A0E-2079-4F47-BBCC-C6B28A4E50DF}\ = "IUpdateAgentStateChangedEvent"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Interface\{2A88033D-82DB-4AC2-97B5-E786C839420E}\TypeLib	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Interface\{39B4E759-1EC0-4C0F-857F-FBE2A737A256}\TypeLib	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BC68370C-8A02-45F3-A07D-A67AA72756AA}\TypeLib\ = "{D7569351-1750-46F0-936E-BD127D5BC264}"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Interface\{DAAF9016-1F04-4191-AA2F-1FAC9646AE4C}\ProxyStubClsid32	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6B2F98F8-9641-4397-854A-040439D0114B}\TypeLib\ = "{D7569351-1750-46F0-936E-BD127D5BC264}"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Interface\{59A235AC-2F1A-4D6C-81FC-E3FA843F49AE}\TypeLib	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9EA9227C-E9BB-49B3-BFC7-C5171E93EF38}\ = "IGuestProcessIOEvent"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{234F0627-866D-48C2-91A5-4C9D50F04928}\TypeLib	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A85BBA40-1B93-47BB-B125-DEC708C30FC0}\TypeLib\Version = "1.3"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{D27C0B3D-6038-422C-B45E-6D4A0503D9F1}\NumMethods	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0B3CDEB2-808E-11E9-B773-133D9330F849}\TypeLib\ = "{D7569351-1750-46F0-936E-BD127D5BC264}"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9EA9227C-E9BB-49B3-BFC7-C5171E93EF38}\TypeLib\ = "{D7569351-1750-46F0-936E-BD127D5BC264}"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E8C25D4D-AC97-4C16-B3E2-81BD8A57CC27}\TypeLib\Version = "1.3"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{c40c2b86-73a5-46cc-8227-93fe57d006a6}	VirtualBox.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
4720	VirtualBox.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3692	msiexec.exe
3692	msiexec.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4720	VirtualBox.exe

Suspicious behavior: LoadsDriver 4 IoCs

pid	Process
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2656	VirtualBox-7.0.20-163906-Win.exe
Token: SeIncreaseQuotaPrivilege	2656	VirtualBox-7.0.20-163906-Win.exe
Token: SeSecurityPrivilege	3692	msiexec.exe
Token: SeCreateTokenPrivilege	2656	VirtualBox-7.0.20-163906-Win.exe
Token: SeAssignPrimaryTokenPrivilege	2656	VirtualBox-7.0.20-163906-Win.exe
Token: SeLockMemoryPrivilege	2656	VirtualBox-7.0.20-163906-Win.exe
Token: SeIncreaseQuotaPrivilege	2656	VirtualBox-7.0.20-163906-Win.exe
Token: SeMachineAccountPrivilege	2656	VirtualBox-7.0.20-163906-Win.exe
Token: SeTcbPrivilege	2656	VirtualBox-7.0.20-163906-Win.exe
Token: SeSecurityPrivilege	2656	VirtualBox-7.0.20-163906-Win.exe
Token: SeTakeOwnershipPrivilege	2656	VirtualBox-7.0.20-163906-Win.exe
Token: SeLoadDriverPrivilege	2656	VirtualBox-7.0.20-163906-Win.exe
Token: SeSystemProfilePrivilege	2656	VirtualBox-7.0.20-163906-Win.exe
Token: SeSystemtimePrivilege	2656	VirtualBox-7.0.20-163906-Win.exe
Token: SeProfSingleProcessPrivilege	2656	VirtualBox-7.0.20-163906-Win.exe
Token: SeIncBasePriorityPrivilege	2656	VirtualBox-7.0.20-163906-Win.exe
Token: SeCreatePagefilePrivilege	2656	VirtualBox-7.0.20-163906-Win.exe
Token: SeCreatePermanentPrivilege	2656	VirtualBox-7.0.20-163906-Win.exe
Token: SeBackupPrivilege	2656	VirtualBox-7.0.20-163906-Win.exe
Token: SeRestorePrivilege	2656	VirtualBox-7.0.20-163906-Win.exe
Token: SeShutdownPrivilege	2656	VirtualBox-7.0.20-163906-Win.exe
Token: SeDebugPrivilege	2656	VirtualBox-7.0.20-163906-Win.exe
Token: SeAuditPrivilege	2656	VirtualBox-7.0.20-163906-Win.exe
Token: SeSystemEnvironmentPrivilege	2656	VirtualBox-7.0.20-163906-Win.exe
Token: SeChangeNotifyPrivilege	2656	VirtualBox-7.0.20-163906-Win.exe
Token: SeRemoteShutdownPrivilege	2656	VirtualBox-7.0.20-163906-Win.exe
Token: SeUndockPrivilege	2656	VirtualBox-7.0.20-163906-Win.exe
Token: SeSyncAgentPrivilege	2656	VirtualBox-7.0.20-163906-Win.exe
Token: SeEnableDelegationPrivilege	2656	VirtualBox-7.0.20-163906-Win.exe
Token: SeManageVolumePrivilege	2656	VirtualBox-7.0.20-163906-Win.exe
Token: SeImpersonatePrivilege	2656	VirtualBox-7.0.20-163906-Win.exe
Token: SeCreateGlobalPrivilege	2656	VirtualBox-7.0.20-163906-Win.exe
Token: SeCreateTokenPrivilege	2656	VirtualBox-7.0.20-163906-Win.exe
Token: SeAssignPrimaryTokenPrivilege	2656	VirtualBox-7.0.20-163906-Win.exe
Token: SeLockMemoryPrivilege	2656	VirtualBox-7.0.20-163906-Win.exe
Token: SeIncreaseQuotaPrivilege	2656	VirtualBox-7.0.20-163906-Win.exe
Token: SeMachineAccountPrivilege	2656	VirtualBox-7.0.20-163906-Win.exe
Token: SeTcbPrivilege	2656	VirtualBox-7.0.20-163906-Win.exe
Token: SeSecurityPrivilege	2656	VirtualBox-7.0.20-163906-Win.exe
Token: SeTakeOwnershipPrivilege	2656	VirtualBox-7.0.20-163906-Win.exe
Token: SeLoadDriverPrivilege	2656	VirtualBox-7.0.20-163906-Win.exe
Token: SeSystemProfilePrivilege	2656	VirtualBox-7.0.20-163906-Win.exe
Token: SeSystemtimePrivilege	2656	VirtualBox-7.0.20-163906-Win.exe
Token: SeProfSingleProcessPrivilege	2656	VirtualBox-7.0.20-163906-Win.exe
Token: SeIncBasePriorityPrivilege	2656	VirtualBox-7.0.20-163906-Win.exe
Token: SeCreatePagefilePrivilege	2656	VirtualBox-7.0.20-163906-Win.exe
Token: SeCreatePermanentPrivilege	2656	VirtualBox-7.0.20-163906-Win.exe
Token: SeBackupPrivilege	2656	VirtualBox-7.0.20-163906-Win.exe
Token: SeRestorePrivilege	2656	VirtualBox-7.0.20-163906-Win.exe
Token: SeShutdownPrivilege	2656	VirtualBox-7.0.20-163906-Win.exe
Token: SeDebugPrivilege	2656	VirtualBox-7.0.20-163906-Win.exe
Token: SeAuditPrivilege	2656	VirtualBox-7.0.20-163906-Win.exe
Token: SeSystemEnvironmentPrivilege	2656	VirtualBox-7.0.20-163906-Win.exe
Token: SeChangeNotifyPrivilege	2656	VirtualBox-7.0.20-163906-Win.exe
Token: SeRemoteShutdownPrivilege	2656	VirtualBox-7.0.20-163906-Win.exe
Token: SeUndockPrivilege	2656	VirtualBox-7.0.20-163906-Win.exe
Token: SeSyncAgentPrivilege	2656	VirtualBox-7.0.20-163906-Win.exe
Token: SeEnableDelegationPrivilege	2656	VirtualBox-7.0.20-163906-Win.exe
Token: SeManageVolumePrivilege	2656	VirtualBox-7.0.20-163906-Win.exe
Token: SeImpersonatePrivilege	2656	VirtualBox-7.0.20-163906-Win.exe
Token: SeCreateGlobalPrivilege	2656	VirtualBox-7.0.20-163906-Win.exe
Token: SeCreateTokenPrivilege	2656	VirtualBox-7.0.20-163906-Win.exe
Token: SeAssignPrimaryTokenPrivilege	2656	VirtualBox-7.0.20-163906-Win.exe
Token: SeLockMemoryPrivilege	2656	VirtualBox-7.0.20-163906-Win.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2656	VirtualBox-7.0.20-163906-Win.exe
2656	VirtualBox-7.0.20-163906-Win.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
4720	VirtualBox.exe
1156	LogonUI.exe

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 3692 wrote to memory of 2712	3692	msiexec.exe	84
PID 3692 wrote to memory of 2712	3692	msiexec.exe	84
PID 3692 wrote to memory of 1432	3692	msiexec.exe	88
PID 3692 wrote to memory of 1432	3692	msiexec.exe	88
PID 3692 wrote to memory of 3424	3692	msiexec.exe	90
PID 3692 wrote to memory of 3424	3692	msiexec.exe	90
PID 3692 wrote to memory of 884	3692	msiexec.exe	91
PID 3692 wrote to memory of 884	3692	msiexec.exe	91
PID 3692 wrote to memory of 884	3692	msiexec.exe	91
PID 3692 wrote to memory of 2056	3692	msiexec.exe	92
PID 3692 wrote to memory of 2056	3692	msiexec.exe	92
PID 2168 wrote to memory of 3504	2168	svchost.exe	94
PID 2168 wrote to memory of 3504	2168	svchost.exe	94
PID 3692 wrote to memory of 3448	3692	msiexec.exe	95
PID 3692 wrote to memory of 3448	3692	msiexec.exe	95
PID 3692 wrote to memory of 3448	3692	msiexec.exe	95
PID 2168 wrote to memory of 2760	2168	svchost.exe	96
PID 2168 wrote to memory of 2760	2168	svchost.exe	96
PID 2168 wrote to memory of 3792	2168	svchost.exe	99
PID 2168 wrote to memory of 3792	2168	svchost.exe	99
PID 2656 wrote to memory of 4720	2656	VirtualBox-7.0.20-163906-Win.exe	100
PID 2656 wrote to memory of 4720	2656	VirtualBox-7.0.20-163906-Win.exe	100

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\VirtualBox-7.0.20-163906-Win.exe
"C:\Users\Admin\AppData\Local\Temp\VirtualBox-7.0.20-163906-Win.exe"
1⤵
- Enumerates connected drives
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2656
- C:\Program Files\Oracle\VirtualBox\VirtualBox.exe
  "C:\Program Files\Oracle\VirtualBox\VirtualBox.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies registry class
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  PID:4720

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3692
- C:\Windows\System32\MsiExec.exe
  C:\Windows\System32\MsiExec.exe -Embedding E9640D458EEB02E43480E09B035D0F9F C
  2⤵
  - Loads dropped DLL
  PID:2712
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  PID:1432
- C:\Windows\System32\MsiExec.exe
  C:\Windows\System32\MsiExec.exe -Embedding 8F289E68D928678C33E051D61DCFF448
  2⤵
  - Loads dropped DLL
  PID:3424
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 2D420E80D8AE03CF95CAA9EC91813F77
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:884
- C:\Windows\System32\MsiExec.exe
  C:\Windows\System32\MsiExec.exe -Embedding 55B915870E8B63D07F05FD75F2DEA7E6 E Global\MSI0000
  2⤵
  - Drops file in Drivers directory
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Loads dropped DLL
  - Checks SCSI registry key(s)
  - Modifies data under HKEY_USERS
  PID:2056
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding A5C2ABCBD25F279CF396320C98F4BDA1 M Global\MSI0000
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3448

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
PID:3752

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s DeviceInstall
1⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Suspicious use of WriteProcessMemory
PID:2168
- C:\Windows\system32\DrvInst.exe
  DrvInst.exe "4" "1" "C:\Program Files\Oracle\VirtualBox\drivers\USB\device\VBoxUSB.inf" "9" "48f6bcb47" "0000000000000154" "WinSta0\Default" "0000000000000160" "208" "C:\Program Files\Oracle\VirtualBox\drivers\USB\device"
  2⤵
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Checks SCSI registry key(s)
  - Modifies data under HKEY_USERS
  PID:3504
- C:\Windows\system32\DrvInst.exe
  DrvInst.exe "4" "1" "C:\Program Files\Oracle\VirtualBox\drivers\network\netadp6\VBoxNetAdp6.inf" "9" "473b17b7b" "0000000000000160" "WinSta0\Default" "0000000000000168" "208" "C:\Program Files\Oracle\VirtualBox\drivers\network\netadp6"
  2⤵
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Checks SCSI registry key(s)
  - Modifies data under HKEY_USERS
  PID:2760
- C:\Windows\system32\DrvInst.exe
  DrvInst.exe "4" "1" "C:\Program Files\Oracle\VirtualBox\drivers\network\netlwf\VBoxNetLwf.inf" "9" "431e52bcb" "0000000000000168" "WinSta0\Default" "0000000000000080" "208" "C:\Program Files\Oracle\VirtualBox\drivers\network\netlwf"
  2⤵
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Checks SCSI registry key(s)
  - Modifies data under HKEY_USERS
  PID:3792

C:\Program Files\Oracle\VirtualBox\VBoxSVC.exe
"C:\Program Files\Oracle\VirtualBox\VBoxSVC.exe" -Embedding
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:4188

C:\Program Files\Oracle\VirtualBox\VBoxSDS.exe
"C:\Program Files\Oracle\VirtualBox\VBoxSDS.exe"
1⤵
- Drops file in System32 directory
- Executes dropped EXE
- Loads dropped DLL
PID:1656

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa3a34855 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:1156

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Privilege Escalation

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e583e1e.rbs

Filesize
2.6MB

MD5
94689a0de1602fdee10db56cd1c142b0

SHA1
5f5fafa85f78f0f33103174ff70ef820dacfb39c

SHA256
1e56a0e123a7401a0f11625062cb9998d9c73db293df4f2818b6818aa6e727b6

SHA512
0e155515c1db3d821905123dc52cd54449fe0e3767e12d6f93d0f75ed45fceb4ae1ca8102d2df3afe61c2b8a61046914987d61c7a0cb8c506613b921749ddd81

Download Submit
C:\PROGRA~1\Oracle\VIRTUA~1\drivers\USB\device\VBoxUSB.cat

Filesize
11KB

MD5
709158bcc41950578c9a1e36b1ba8162

SHA1
34decc49a892356ca9c81a269f23588f5075f6c0

SHA256
875a40b2b5260ce866ab9a8b09c6286310d3a3725b0d94dc6ee473b8c7d435da

SHA512
6be3d2c2d20aa58c5192183c49a0f46e04e455d3b56fd7c4f4c3c66fd960fac54885c5284d7fe27aaa8cc95931ffb02e81f4995e6199aa5010c4263fbdf97d8f

Download Submit
C:\PROGRA~1\Oracle\VIRTUA~1\drivers\USB\device\VBoxUSB.sys

Filesize
184KB

MD5
477569c254917d2c3e92108aee4d84b9

SHA1
49a8714c3e8fddd31c3725e39272c21b892cd681

SHA256
3eaa6ca9447f36c9f6e759244ae0ab64ef070a906809863b1a3d02725dd1c23a

SHA512
cd973c0bbca122da1a117c948969849f53788910a3a113317fc9dc6c27d9e79992117a06bd7d01be6e5faf9ce83942326d72ff3ba205ad19a6f2afdc05c25d75

Download Submit
C:\PROGRA~1\Oracle\VIRTUA~1\drivers\network\netadp6\VBoxNetAdp6.cat

Filesize
11KB

MD5
ec7d0a49c44f4a60efb1a1c1dbda8636

SHA1
c93ca5789141bd7063ac9db0df4ce22e737f4648

SHA256
d1d1a377777a0b6cf6bed09b235b45e2bd5ea1d5c86efdf25843aae5ed4a1d84

SHA512
d92babbf0f3bc0fbc08acfa6de38b28124f7bb74d718b711eb160100f4636fae37d27c2d0ae69b8313e40795ae36c73c3f662ef65b7f4a7bb0ff9d70f8540171

Download Submit
C:\PROGRA~1\Oracle\VIRTUA~1\drivers\network\netadp6\VBoxNetAdp6.sys

Filesize
248KB

MD5
5a42fd4fe07b75cc841af29626e04e1d

SHA1
ca3505352788a21960c8213f91078c0b07e777c7

SHA256
416f1c2ce6467d0d596522b8d155e08aacf210f7c2f37d6c1c0694ae1cef4ae3

SHA512
d9d4a9102b36658dac78b3dbfcff4a1811ad6441c2cec422dae201716ca7630ed918d76417482c79d54d9bf3dcfcaba5e5d4b3a5d3b0c425da2f40b035d09f07

Download Submit
C:\Program Files\Oracle\VirtualBox\VBoxProxyStub.dll

Filesize
874KB

MD5
e0505a79d9d12c5cdc4762f770eae4a0

SHA1
ec0baa32126157ab668b169b9d771dd26fec7666

SHA256
999e5cd2bc8f180f9dd90c79727bdb760e69ee51f9413d7d66bf9d72fe1e95c9

SHA512
71d49183f5d18a17e07ba64a49aae1edb6370a691ea6a5082c7cd32f135d5ff1712f6b9c641af06db38755e4192ea4d48072073528620643673318592730ed58

Download Submit
C:\Program Files\Oracle\VirtualBox\drivers\USB\device\VBoxUSB.inf

Filesize
2KB

MD5
3155160d6548ce4433d1611ba4872451

SHA1
46b7099f85af93155de58e5b4e41e8d48937b68b

SHA256
054385912c2f74a171572e750862f2ec75ab93c59f92213b40d007ce9aecc6e6

SHA512
3b2d79b8910b939f605f5c8d7a6ece541b80347602b3dc9f066f943a67fe90ec56607d29f2fe3824ab57b5781554171e800ed8ba549e9d535e16831fd368703a

Download Submit
C:\Program Files\Oracle\VirtualBox\drivers\USB\filter\VBoxUSBMon.cat

Filesize
11KB

MD5
f5cfc4cae166b9e81c89192f5e1a4d94

SHA1
868224fb61115ff0b90f68d1722423187eb14cfe

SHA256
0feed3207fb9853dd77b60bf611f26a65e3a932720d93f64bdd70082f1be955f

SHA512
712add1230397fe658b11f8f95b74a257348704315e96cb070d3f7a4e8dbe70c8d37d8add7cc151c050efe27fdc081bc6714438638d3d147605a54cb4d60fbc7

Download Submit
C:\Program Files\Oracle\VirtualBox\drivers\USB\filter\VBoxUSBMon.inf

Filesize
3KB

MD5
b0a35c2ca1180c2e4963e5be1235d93d

SHA1
862d17275c5e82430f37813c107f852af954bbdf

SHA256
ba5c69eee5390746fe9cd29a26197853d74d46b4248162c39be8f5212a9bf17d

SHA512
a8a842c3c9c10fb2c4d55589b64dd48d60a6bf5f41fd7092a2965d8f3ab7c3b8dc32822217df3f761ea77981395fa847a67bb9944ce9c718b747340db805c6bd

Download Submit
C:\Program Files\Oracle\VirtualBox\drivers\USB\filter\VBoxUSBMon.sys

Filesize
199KB

MD5
d0a8b437866db80fd1661174886f56dd

SHA1
2166c3f54262cae094073a2bc3b0c86f349ca51b

SHA256
05c99ae7cf556e8e35f22c51f5e52233baf236a6dccbdb15c5611da0e20b805f

SHA512
fa3d23e39bc607ca96af92ab4e382233e2194aeec2de95af8196bb72c5304327b590c230da211521a26405ac0e1042c190f344fd34bc0878bd39ad02b255f72d

Download Submit
C:\Program Files\Oracle\VirtualBox\drivers\network\netadp6\VBoxNetAdp6.inf

Filesize
3KB

MD5
6b3fa213490c6f16d205e88f1291d996

SHA1
ec49d2336dccab27b42a53a96f7d2618e4c0101f

SHA256
bfdeea0ff03a48b192de9b9c4dbf59deeddf09b13399d3a860249b06c85615b3

SHA512
e8a9f55aedc46636f39ba892d275b73a959d507ded6890cb29f83479e8785c852812aec44e5f7bb4db6a9e7a70a346233d5690c2350f342250df6f716d4fc254

Download Submit
C:\Program Files\Oracle\VirtualBox\drivers\vboxsup\VBoxSup.cat

Filesize
11KB

MD5
814ba3a3470df3bc9ea4db4425962dc6

SHA1
555bf96062bad5f61973af420575fecdf748f53d

SHA256
d617ca9c42fed44b6c6b3db16ace04b2545afaa2ad9cc3e4be2761da94327e12

SHA512
8ca5201a5c4645d67fbf1a6b1f8de8cb64ccb5282afdb35155f4c2bc9ec8daea2862e77b552f732800edf5538410d4611a98a6b323994c459cda77a4575eb7e7

Download Submit
C:\Program Files\Oracle\VirtualBox\drivers\vboxsup\VBoxSup.inf

Filesize
3KB

MD5
cdff988430eb1bc5b00282cf72940e73

SHA1
65ea17e6e88cc4feb17031836b501fbb0f1b1d4e

SHA256
4cd64a11a7bdf1f18cc684f3ee6c8eeae8474074bd7fbebd7fe543656bb05b41

SHA512
8e01d8ad58f679ead7b35b5128f49f32535afa52a6844e4a53b714f4df538eb372a6345489e2994921557846460ea990407a811976439f69062f176b5f11a11a

Download Submit
C:\Program Files\Oracle\VirtualBox\drivers\vboxsup\VBoxSup.sys

Filesize
1.0MB

MD5
146ccf9c24cd243b27919caeace73f74

SHA1
7df3bc16502a2dd2420f5d81e1d8acbe05c8fc7a

SHA256
95bf86954288bc187f0b034675a75a9e06ff5dc500c4a317c387c3cf22b5a628

SHA512
8e21fcef6456d27acc7811e624791ac8724d8b3345772578910848ce67c6f13855d5c5af3f057eb0f8c5c20aee4923f25ced5fcc1c309d127ff2a0b6a10a5700

Download Submit
C:\Program Files\Oracle\VirtualBox\x86\VBoxProxyStub-x86.dll

Filesize
654KB

MD5
c5723bd0a399fdd5a72b47a5a5d98479

SHA1
b7d8ad38444130dbe7058a0d63dd36ad25636894

SHA256
0af7da511c562b1b037fdc9ff11a660efdb7684dbbf9155b067e08b1b6f5c52e

SHA512
938a110bb2814f1c1cc93c8ee3ada74df88256986fb0a00cad9fdbf5beacff7587ba21c2926d5da072a3169da7ab14f16765cd5a89b4a56033a27d7c9e4ae63b

Download Submit
C:\Users\Admin\.VirtualBox\VirtualBox.xml

Filesize
1KB

MD5
d9d28bd2ef7192fb0efb99607d7a0807

SHA1
7fb6f32f1c0f227118613dd7779e1bf0a6e2ce4a

SHA256
dad710b076d96b3de34a58363a3241935bfe205b7240ce57f9d85bf2058e6dd5

SHA512
e058987d5fd8ea6cd3c3081c7ac45ce1e3719c4a38b46390133b19539fad35a0d8ad699023a3d934d18e3356cb6def62bd197b5a32ad496b620469c55d9efb13

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIA19F.tmp

Filesize
324KB

MD5
0653ce43996240dde250d557ef940bed

SHA1
da125564fadda9bea308bd7325d4664ee14c69a8

SHA256
d2fd21376c4595e60299e37cb55dceb92b531685f1a4545c6bb73681dbcad193

SHA512
27ab2bd553fa390315d360e593ca95e90f8de13d0d60326549fd5e63479143b33a0a7a49c4111e2041cfb05d5f2e9b516eaa7261acae3884094e3842a8309a6c

Download Submit
C:\Windows\Installer\MSI41DA.tmp

Filesize
234KB

MD5
8edc1557e9fc7f25f89ad384d01bcec4

SHA1
98e64d7f92b8254fe3f258e3238b9e0f033b5a9c

SHA256
78860e15e474cc2af7ad6e499a8971b6b8197afb8e49a1b9eaaa392e4378f3a5

SHA512
d26c9dce3c3d17583ffb5dbcd3989f93b096a7f64a37a2701a474c1bf4b8c8b1e922c352d33f24e411f1c793e1b4af11a3aec1de489087d481b1b636df2050cd

Download Submit
C:\Windows\Installer\MSI4558.tmp

Filesize
149KB

MD5
418322f7be2b68e88a93a048ac75a757

SHA1
09739792ff1c30f73dacafbe503630615922b561

SHA256
ea5d4b4c7e7be1ce24a614ae1e31a58bcae6f1694dd8bfb735cf47d35a08d59b

SHA512
253f62f5ce75df3e9ac3c62e2f06f30c7c6de6280fbfc830cdd15bf29cb8ee9ed878212f6df5d0ac6a5c9be0e6259f900eccee472a890f15dd3ff1f84958aeef

Download Submit
C:\Windows\Installer\MSI4F8C.tmp

Filesize
690KB

MD5
8deb7d2f91c7392925718b3ba0aade22

SHA1
fc8e9b10c83e16eb0af1b6f10128f5c37b389682

SHA256
cb42fac1aebb6e1ac4907a38035b218b5f992d1bcd4dece11b1664a588e876e4

SHA512
37f2c132b632c8e5a336bdc773d953c7f39872b1bae2ba34fbaf7794a477fd0dcb9ff60a3ddb447fe76abd98e557bd5ee544876584adea152b0841b3e313054c

Download Submit
C:\Windows\System32\CatRoot2\dberr.txt

Filesize
2KB

MD5
78fa691ac31fa27e6d7fad3495c4cfe5

SHA1
3f9dc23c82f930d608704eacb9cf3759f082ba92

SHA256
bec752bb78944836716e277c82bbdff0d746b6ea96faa588968649224851e4e7

SHA512
430199863de26d94b0380ce533313bba60fc8d1122e622c47b2f77cf95ad462fd8e31c1f668fdf7bcf79de34d64e538d759e5b0bd3bfe473c07530a065593223

Download Submit
C:\Windows\System32\CatRoot2\dberr.txt

Filesize
2KB

MD5
2fac6ae7525c56fd0d3af65fe772cac5

SHA1
cf0a78e2ab092093c3171bb3a25092f0e9d9ba11

SHA256
5a81b70e11f47087633633181eb70d73c76693b5a5ea9b14cf89aff2e6d338f1

SHA512
9c10f811f587ee3d2f8197eefcf5612d755f75bac838d031df01e9eb80a33d6db11392bf3f2c75ca2870cf4c4b0742fbd57203c08163f89109c2d255999f1208

Download Submit
C:\Windows\System32\CatRoot2\dberr.txt

Filesize
2KB

MD5
07bce4edff618d823fac9259397113b5

SHA1
75356efc5f8700674ca7fe82c8151116d302f0f8

SHA256
8be2378fcdfa7c414ef56b4d91f3c6252dd4461be04b56de21fcee218983394e

SHA512
29b60412fe160244493903a33fa7b2b75d3747949d27d484d2ce9520e2af8848205a1cdb0fe4f53bd162ba980bf7c547489ce16429351df8b5e32280e1e9d82d

Download Submit
C:\Windows\System32\DriverStore\Temp\{364d0bf6-b4da-ff45-8a08-e0c07353033c}\VBoxNetLwf.cat

Filesize
11KB

MD5
8efe8e5827cd8c5c9b07be9df8b6eb91

SHA1
0f682438473d6e87b7661e8cfb1a1b2980806f05

SHA256
aa7d8309c69f26d33ec92e4c2b68ffc7baf2a9d4009267346abe591027f4bec5

SHA512
6e4741ea43e9e6e2ba526d7883867d63e06705bb37cb889b9670d43485a3a92b28a15a795e9af01d8799ff28390f795a401ba621de819a0f40d215cfb4e44f40

Download Submit
C:\Windows\System32\DriverStore\Temp\{364d0bf6-b4da-ff45-8a08-e0c07353033c}\VBoxNetLwf.inf

Filesize
4KB

MD5
58aa41a4df0b4d9e77a576d1306bef77

SHA1
ecf3d90629d021e18399728848dd7ccedc54f1e9

SHA256
2d479ead5715faa9b1de5e873a377373add4f151942c9881fc1da607f773f723

SHA512
7624e3d7947c39a872f10d4493780181a24111f9bfe5395fdb3f9cfe13e62c5b46d0d4c24198f392f07cd74e0012b0b19fcf78d787d9192d4f10a5e325c274b8

Download Submit
C:\Windows\System32\DriverStore\Temp\{364d0bf6-b4da-ff45-8a08-e0c07353033c}\VBoxNetLwf.sys

Filesize
259KB

MD5
db91352985fdf76c4d8d7bf22d75d323

SHA1
600cc772fca941ec03e83823d2401b7085afc6ac

SHA256
9f9c839e8883ae1f5104a26262374dfa5ecc24590bb57275f0493ad9b226f45f

SHA512
9a0cd545d3018e9d350194e2debcb7ed159b60fc6ca033e607dd1eaacd2e7ee3c4776f4fb7f27af0d1118c8fb8a29a82df16a860abf4105d1f61d8efa8ffb933

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

Filesize
12.8MB

MD5
052fbfbb8645be53f35385c0917fb4b9

SHA1
ae40346491b80bd43869224ca2aab430b599002a

SHA256
af8faada2847fccbd3f2cbe35ba8403abeda7948e5061e8f06e365c74a948391

SHA512
86add77c5adf3534501b78b605c594058411fe5f12de001aa8dcaf3c0f6b3884f91871f7a011a2960c1ad4c8ed777aac5343a7e0f02e2533f575df8e629865ac

Download Submit
\??\Volume{e2de8665-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{28895059-64ab-462a-8c36-1913c367caac}_OnDiskSnapshotProp

Filesize
6KB

MD5
682f4eab11e7bdee7fd13a1e7cd0de20

SHA1
6d2a39744b5f49d0137d8f69d1cc736848c90911

SHA256
3887841710c8919c6dee3fcdd88c4f5eac537505479ca54167e169e7fb83cdc1

SHA512
d51e675616d941aa4d1f44acd0cc7b42a57b5113abfb61c772a8bbea80d0451785dac8c5ce1af7dd6d76fb7b27b886d0b69ce0a96d1b3f7d859c53c0413062a1

Download Submit
memory/4720-531-0x00007FF71B620000-0x00007FF71B8A4000-memory.dmp

Filesize
2.5MB

Download
memory/4720-533-0x00007FFAFEA40000-0x00007FFAFEF81000-memory.dmp

Filesize
5.3MB

Download
memory/4720-532-0x00007FFAFCE60000-0x00007FFAFEA3E000-memory.dmp

Filesize
27.9MB

Download

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads