bc22f01478b51d4852d6a83318ed682cee4d89fc9d8eb51b41988a67b04e7de1

Analysis

max time kernel
87s
max time network
91s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
13/09/2024, 15:14

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

VirtualBox-7.1.0-164728-Win.exe
Size

105.5MB
MD5

1bd268b5bc2c521a62dd1e6e97108196
SHA1

158084c6b898d70accb0d333039fcc924df858da
SHA256

bc22f01478b51d4852d6a83318ed682cee4d89fc9d8eb51b41988a67b04e7de1
SHA512

a5b33a159614a40cc99d30fc0bd4b568813fee1de026ccdd49f59db5e9d9763b2152f328440d18bc1944ee602d2fc48092be32c7c2b9b4c29bbdd908f0523117
SSDEEP

1572864:Ftt6Ex4eQ5o2cl/JzG3YeHDg+QF3Uh9ZbS7Po+QuWjxst2aiW1wj:F7kB5Xcl1WBD1S3AnSbATt01C

Score

8^/10

discovery persistence privilege_escalation

Malware Config

Signatures

Drops file in Drivers directory 12 IoCs

description	ioc	Process
File created	C:\Windows\system32\DRIVERS\SET8325.tmp	MsiExec.exe
File opened for modification	C:\Windows\system32\DRIVERS\VBoxNetLwf.sys	MsiExec.exe
File opened for modification	C:\Windows\system32\DRIVERS\SET8578.tmp	MsiExec.exe
File opened for modification	C:\Windows\system32\DRIVERS\VBoxNetAdp6.sys	MsiExec.exe
File opened for modification	C:\Windows\system32\DRIVERS\VBoxSup.sys	MsiExec.exe
File opened for modification	C:\Windows\system32\DRIVERS\VBoxUSBMon.sys	MsiExec.exe
File opened for modification	C:\Windows\system32\DRIVERS\SET8325.tmp	MsiExec.exe
File created	C:\Windows\system32\DRIVERS\SET6647.tmp	MsiExec.exe
File created	C:\Windows\system32\DRIVERS\SET8578.tmp	MsiExec.exe
File opened for modification	C:\Windows\system32\DRIVERS\SET652D.tmp	MsiExec.exe
File created	C:\Windows\system32\DRIVERS\SET652D.tmp	MsiExec.exe
File opened for modification	C:\Windows\system32\DRIVERS\SET6647.tmp	MsiExec.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\A:	VirtualBox-7.1.0-164728-Win.exe
File opened (read-only)	\??\K:	VirtualBox-7.1.0-164728-Win.exe
File opened (read-only)	\??\P:	VirtualBox-7.1.0-164728-Win.exe
File opened (read-only)	\??\S:	VirtualBox-7.1.0-164728-Win.exe
File opened (read-only)	\??\U:	VirtualBox-7.1.0-164728-Win.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\M:	VirtualBox-7.1.0-164728-Win.exe
File opened (read-only)	\??\T:	VirtualBox-7.1.0-164728-Win.exe
File opened (read-only)	\??\W:	VirtualBox-7.1.0-164728-Win.exe
File opened (read-only)	\??\X:	VirtualBox-7.1.0-164728-Win.exe
File opened (read-only)	\??\Z:	VirtualBox-7.1.0-164728-Win.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\B:	VirtualBox-7.1.0-164728-Win.exe
File opened (read-only)	\??\G:	VirtualBox-7.1.0-164728-Win.exe
File opened (read-only)	\??\H:	VirtualBox-7.1.0-164728-Win.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\I:	VirtualBox-7.1.0-164728-Win.exe
File opened (read-only)	\??\L:	VirtualBox-7.1.0-164728-Win.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\N:	VirtualBox-7.1.0-164728-Win.exe
File opened (read-only)	\??\V:	VirtualBox-7.1.0-164728-Win.exe
File opened (read-only)	\??\Y:	VirtualBox-7.1.0-164728-Win.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\J:	VirtualBox-7.1.0-164728-Win.exe
File opened (read-only)	\??\R:	VirtualBox-7.1.0-164728-Win.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\E:	VirtualBox-7.1.0-164728-Win.exe
File opened (read-only)	\??\O:	VirtualBox-7.1.0-164728-Win.exe
File opened (read-only)	\??\Q:	VirtualBox-7.1.0-164728-Win.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\DriverStore\Temp\{ec1b73c1-5d35-5047-b603-525db0e66ea7}\SET6751.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{f5e4a51d-7f09-7e4f-a44e-182de1788a21}\SET845E.tmp	DrvInst.exe
File created	C:\Windows\system32\DRVSTORE\VBoxSup_65C5348749B843A925A38B1435FA7D91F6C0887A\VBoxSup.cat	MsiExec.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{8adfe764-ccc2-bc46-a1dd-4b571f7d7745}\SET8096.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\vboxnetlwf.inf_amd64_01cb07ace7fcd19d\VBoxNetLwf.cat	DrvInst.exe
File created	C:\Windows\System32\DriverStore\FileRepository\vboxnetlwf.inf_amd64_01cb07ace7fcd19d\vboxnetlwf.PNF	MsiExec.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Roaming\VirtualBox\VBoxSDS.log	VBoxSDS.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{8adfe764-ccc2-bc46-a1dd-4b571f7d7745}	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{f5e4a51d-7f09-7e4f-a44e-182de1788a21}\VBoxNetAdp6.inf	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{f5e4a51d-7f09-7e4f-a44e-182de1788a21}\SET845F.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{f5e4a51d-7f09-7e4f-a44e-182de1788a21}\SET845F.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\drvstore.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{ec1b73c1-5d35-5047-b603-525db0e66ea7}\VBoxUSB.sys	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{8adfe764-ccc2-bc46-a1dd-4b571f7d7745}\SET8085.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netvwififlt.inf_amd64_c5e19aab2305f37f\netvwififlt.PNF	MsiExec.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\vboxnetadp6.inf_amd64_f266791bb4f9feb5\VBoxNetAdp6.inf	DrvInst.exe
File opened for modification	C:\Windows\System32\CatRoot2\dberr.txt	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{ec1b73c1-5d35-5047-b603-525db0e66ea7}\SET6741.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\drvstore.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{8adfe764-ccc2-bc46-a1dd-4b571f7d7745}\SET8085.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{8adfe764-ccc2-bc46-a1dd-4b571f7d7745}\VBoxNetLwf.sys	DrvInst.exe
File created	C:\Windows\System32\DriverStore\drvstore.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{f5e4a51d-7f09-7e4f-a44e-182de1788a21}\VBoxNetAdp6.cat	DrvInst.exe
File created	C:\Windows\system32\DRVSTORE\VBoxSup_65C5348749B843A925A38B1435FA7D91F6C0887A\VBoxSup.sys	MsiExec.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{ec1b73c1-5d35-5047-b603-525db0e66ea7}\SET6752.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\FileRepository\vboxusb.inf_amd64_a3a8c03e16643986\VBoxUSB.PNF	MsiExec.exe
File created	C:\Windows\System32\DriverStore\Temp\{8adfe764-ccc2-bc46-a1dd-4b571f7d7745}\SET80A7.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\FileRepository\ndiscap.inf_amd64_a009d240f9b4a192\ndiscap.PNF	MsiExec.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{f5e4a51d-7f09-7e4f-a44e-182de1788a21}\VBoxNetAdp6.sys	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\vboxnetlwf.inf_amd64_01cb07ace7fcd19d\VBoxNetLwf.inf	DrvInst.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netserv.inf_amd64_73adce5afe861093\netserv.PNF	MsiExec.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{f5e4a51d-7f09-7e4f-a44e-182de1788a21}	DrvInst.exe
File opened for modification	C:\Windows\system32\DRVSTORE\VBoxSup_65C5348749B843A925A38B1435FA7D91F6C0887A\VBoxSup.inf	MsiExec.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{ec1b73c1-5d35-5047-b603-525db0e66ea7}\VBoxUSB.cat	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{8adfe764-ccc2-bc46-a1dd-4b571f7d7745}\SET80A7.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\FileRepository\c_netservice.inf_amd64_9ab9cf10857f7349\c_netservice.PNF	MsiExec.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netnb.inf_amd64_0dc913ad00b14824\netnb.PNF	MsiExec.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{ec1b73c1-5d35-5047-b603-525db0e66ea7}\VBoxUSB.inf	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\vboxusb.inf_amd64_a3a8c03e16643986\VBoxUSB.sys	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{8adfe764-ccc2-bc46-a1dd-4b571f7d7745}\VBoxNetLwf.inf	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{f5e4a51d-7f09-7e4f-a44e-182de1788a21}\SET845E.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\vboxnetadp6.inf_amd64_f266791bb4f9feb5\VBoxNetAdp6.cat	DrvInst.exe
File created	C:\Windows\system32\DRVSTORE\VBoxUSBMon_4355E3772AD3C3402003950FF5EFDCE0D1DAF2A8\VBoxUSBMon.inf	MsiExec.exe
File created	C:\Windows\system32\DRVSTORE\VBoxUSBMon_4355E3772AD3C3402003950FF5EFDCE0D1DAF2A8\VBoxUSBMon.cat	MsiExec.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\vboxusb.inf_amd64_a3a8c03e16643986\VBoxUSB.inf	DrvInst.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netbrdg.inf_amd64_8a737d38f201aeb1\netbrdg.PNF	MsiExec.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\vboxnetadp6.inf_amd64_f266791bb4f9feb5\VBoxNetAdp6.sys	DrvInst.exe
File created	C:\Windows\system32\DRVSTORE\VBoxSup_65C5348749B843A925A38B1435FA7D91F6C0887A\VBoxSup.inf	MsiExec.exe
File created	C:\Windows\system32\DRVSTORE\VBoxUSBMon_4355E3772AD3C3402003950FF5EFDCE0D1DAF2A8\VBoxUSBMon.sys	MsiExec.exe
File opened for modification	C:\Windows\System32\CatRoot2\dberr.txt	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{8adfe764-ccc2-bc46-a1dd-4b571f7d7745}\SET8096.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netnwifi.inf_amd64_a2bfd066656fe297\netnwifi.PNF	MsiExec.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{f5e4a51d-7f09-7e4f-a44e-182de1788a21}\SET8460.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{ec1b73c1-5d35-5047-b603-525db0e66ea7}\SET6741.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\vboxusb.inf_amd64_a3a8c03e16643986\VBoxUSB.cat	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{ec1b73c1-5d35-5047-b603-525db0e66ea7}	DrvInst.exe
File created	C:\Windows\System32\DriverStore\FileRepository\wfpcapture.inf_amd64_54cf91ab0e4c9ac2\wfpcapture.PNF	MsiExec.exe
File opened for modification	C:\Windows\System32\CatRoot2\dberr.txt	MsiExec.exe
File opened for modification	C:\Windows\system32\DRVSTORE	MsiExec.exe
File created	C:\Windows\System32\DriverStore\Temp\{f5e4a51d-7f09-7e4f-a44e-182de1788a21}\SET8460.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netpacer.inf_amd64_7d294c7fa012d315\netpacer.PNF	MsiExec.exe
File created	C:\Windows\System32\DriverStore\Temp\{ec1b73c1-5d35-5047-b603-525db0e66ea7}\SET6751.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{ec1b73c1-5d35-5047-b603-525db0e66ea7}\SET6752.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{8adfe764-ccc2-bc46-a1dd-4b571f7d7745}\VBoxNetLwf.cat	DrvInst.exe

Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Oracle\VirtualBox\nls\VirtualBox_id.qm	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\UnattendedTemplates\ol8_ks.cfg	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\UnattendedTemplates\win_nt6_unattended.xml	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\VBoxDD.dll	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\VBoxHeadless.dll	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\nls\VirtualBox_de.qm	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\nls\VirtualBox_fr.qm	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\UnattendedTemplates\ol9_ks.cfg	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\Qt6PrintSupportVBox.dll	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\VBoxVMM.dll	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\nls\qt_fa.qm	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\nls\qt_ja.qm	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\nls\qt_lt.qm	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\nls\qt_sl.qm	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\platforms\qoffscreenVBox.dll	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\drivers\network\netlwf\VBoxNetLwf.inf	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\VBoxSharedFolders.dll	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\VBoxSupLib.dll	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\dtrace\lib\amd64\cpumctx.d	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\nls\VirtualBox_hr_HR.qm	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\sdk\installer\python\vboxapi\src\vboxapi\VirtualBox_constants.py	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\nls\qt_th.qm	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\UnattendedTemplates\ol_postinstall.sh	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\UnattendedTemplates\os2_cid_install.cmd	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\x86\VBoxCAPI-x86.dll	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\UserManual.qhc	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\VBoxRT.dll	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\nls\qt_es.qm	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\nls\qt_hr_HR.qm	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\x86\VBoxProxyStub-x86.dll	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\drivers\USB\device\VBoxUSB.cat	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\vbox-img.exe	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\dtrace\lib\amd64\vbox-arch-types.d	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\nls\VirtualBox_it.qm	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\nls\VirtualBox_uk.qm	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\VBoxNetNAT.dll	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\nls\qt_cs.qm	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\drivers\USB\device\VBoxUSB.sys	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\nls\qt_en.qm	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\nls\qt_uk.qm	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\UnattendedTemplates\win_nt5_unattended.sif	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\drivers\network\netlwf\VBoxNetLwf.sys	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\VBoxSVC.exe	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\VirtualBox.exe	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\nls\VirtualBox_sl.qm	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\nls\VirtualBox_zh_CN.qm	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\dtrace\lib\amd64\vm.d	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\UnattendedTemplates\ubuntu_autoinstall_user_data	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\drivers\network\netlwf\VBoxNetLwf.cat	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\drivers\USB\filter\VBoxUSBMon.cat	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\Qt6HelpVBox.dll	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\VBoxGuestAdditions.iso	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\VBoxLibSsh.dll	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\VirtualBox_150px.png	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\nls\qt_fr.qm	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\VirtualBoxVM.dll	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\drivers\vboxsup\VBoxSup.inf	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\nls\VirtualBox_ca.qm	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\nls\VirtualBox_ja.qm	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\Qt6GuiVBox.dll	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\VBoxC.dll	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\VBoxHeadless.exe	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\UnattendedTemplates\ol_ks.cfg	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\nls\qt_tr.qm	msiexec.exe

Drops file in Windows directory 43 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\MSI5CD9.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\{E313889C-2E4A-4F7E-B33E-571CDF2F2BCA}\IconVirtualBox	msiexec.exe
File created	C:\Windows\INF\oem3.PNF	MsiExec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI8970.tmp	msiexec.exe
File created	C:\Windows\Installer\e584b3f.msi	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	MsiExec.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	svchost.exe
File created	C:\Windows\Installer\{E313889C-2E4A-4F7E-B33E-571CDF2F2BCA}\IconVirtualBox	msiexec.exe
File created	C:\Windows\INF\oem0.PNF	MsiExec.exe
File opened for modification	C:\Windows\Installer\MSI55F2.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI5D37.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI7F6A.tmp	msiexec.exe
File opened for modification	C:\Windows\inf\oem5.inf	DrvInst.exe
File opened for modification	C:\Windows\Installer\MSI51B7.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI52F2.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\inf\oem3.inf	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\Installer\MSI8950.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI5177.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI65E4.tmp	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\Installer\MSI843E.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI648B.tmp	msiexec.exe
File created	C:\Windows\Installer\SourceHash{E313889C-2E4A-4F7E-B33E-571CDF2F2BCA}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI5555.tmp	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\Installer\MSI7F0C.tmp	msiexec.exe
File created	C:\Windows\INF\oem1.PNF	MsiExec.exe
File opened for modification	C:\Windows\inf\oem4.inf	DrvInst.exe
File created	C:\Windows\INF\oem4.PNF	MsiExec.exe
File opened for modification	C:\Windows\Installer\e584b3d.msi	msiexec.exe
File created	C:\Windows\inf\oem5.inf	DrvInst.exe
File opened for modification	C:\Windows\Installer\MSI50CB.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI5216.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI5265.tmp	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI6691.tmp	msiexec.exe
File opened for modification	C:\Windows\inf\oem3.inf	DrvInst.exe
File created	C:\Windows\INF\oem2.PNF	MsiExec.exe
File created	C:\Windows\Installer\e584b3d.msi	msiexec.exe
File created	C:\Windows\inf\oem4.inf	DrvInst.exe

Executes dropped EXE 3 IoCs

pid	Process
2836	VirtualBox.exe
1924	VBoxSVC.exe
3720	VBoxSDS.exe

Loads dropped DLL 41 IoCs

pid	Process
2260	MsiExec.exe
2260	MsiExec.exe
2260	MsiExec.exe
2260	MsiExec.exe
2260	MsiExec.exe
2260	MsiExec.exe
2520	MsiExec.exe
2520	MsiExec.exe
2520	MsiExec.exe
2520	MsiExec.exe
4988	MsiExec.exe
2520	MsiExec.exe
2520	MsiExec.exe
3568	MsiExec.exe
3568	MsiExec.exe
3568	MsiExec.exe
3568	MsiExec.exe
3568	MsiExec.exe
3568	MsiExec.exe
3568	MsiExec.exe
3568	MsiExec.exe
2520	MsiExec.exe
2520	MsiExec.exe
2836	VirtualBox.exe
2836	VirtualBox.exe
2836	VirtualBox.exe
2836	VirtualBox.exe
2836	VirtualBox.exe
2836	VirtualBox.exe
2836	VirtualBox.exe
2836	VirtualBox.exe
2836	VirtualBox.exe
2836	VirtualBox.exe
2836	VirtualBox.exe
2836	VirtualBox.exe
2836	VirtualBox.exe
1924	VBoxSVC.exe
1924	VBoxSVC.exe
3720	VBoxSDS.exe
3720	VBoxSDS.exe
1924	VBoxSVC.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	VirtualBox-7.1.0-164728-Win.exe

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\CompatibleIDs	MsiExec.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\CompatibleIDs	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A\	MsiExec.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Service	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002	MsiExec.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\LowerFilters	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\CompatibleIDs	MsiExec.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID	MsiExec.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	MsiExec.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A	MsiExec.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Phantom	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Phantom	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	Taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\UpperFilters	MsiExec.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\UpperFilters	MsiExec.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Phantom	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Filters	MsiExec.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom	MsiExec.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Service	MsiExec.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001	MsiExec.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\CompatibleIDs	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\CompatibleIDs	DrvInst.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 000000000400000096fabf83e47a2dea0000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff00000000270101000008000096fabf830000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff00000000070001000068090096fabf83000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1d96fabf83000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff00000000000000000000000096fabf8300000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\CompatibleIDs	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A	MsiExec.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	Taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	MsiExec.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Phantom	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A	MsiExec.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Service	MsiExec.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\UpperFilters	MsiExec.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002	DrvInst.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Taskmgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Taskmgr.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	DrvInst.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "198"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	DrvInst.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Interface\{A06253A7-DCD2-44E3-8689-9C9C4B6B6234}\NumMethods	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A54D9CCA-F23F-11EA-9755-EFD0F1F792D9}\NumMethods\ = "13"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BC68370C-8A02-45F3-A07D-A67AA72756AA}\TypeLib\ = "{D7569351-1750-46F0-936E-BD127D5BC264}"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DFE56449-6989-4002-80CF-3607F377D40C}\NumMethods\ = "21"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Interface\{E062A915-3CF5-4C0A-BC90-9B8D4CC94D89}\NumMethods	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{01ADB2D6-AEDF-461C-BE2C-99E91BDAD8A1}	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{75DFF9BE-6CB3-4857-BDE6-2FAF82ED9A8D}\TypeLib\ = "{D7569351-1750-46F0-936E-BD127D5BC264}"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7D510820-A678-4730-A862-818DCD3FBED0}\ = "IMedium"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C984D15F-E191-400B-840E-970F3DAD7296}\NumMethods\ = "15"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FB220201-2FD3-47E2-A5DC-2C2431D833CC}\ = "IVFSExplorer"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\.vmdk	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{75DFF9BE-6CB3-4857-BDE6-2FAF82ED9A8D}\NumMethods	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C2DB178A-7485-11EC-AEC4-2FBF90681A84}\TypeLib\ = "{D7569351-1750-46F0-936E-BD127D5BC264}"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{B0A0904D-2F05-4D28-855F-488F96BAD2B2}\ProxyStubClsid32	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{CB6F0F2C-8384-11E9-921D-8B984E28A686}	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1474BB3A-F096-4CD7-A857-8D8E3CEA7331}\ProxyStubClsid32\ = "{0BB3B78C-1807-4249-5BA5-EA42D66AF0BF}"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{29059FEA-2C99-11EE-BE56-0242AC120002}\ = "IExtPackInstalledEvent"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{5748F794-48DF-438D-85EB-98FFD70D18C9}\TypeLib\Version = "1.3"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{92ED7B1A-0D96-40ED-AE46-A564D484325E}\TypeLib	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4376693C-CF37-453B-9289-3B0F521CAF27}\ProxyStubClsid32\ = "{0BB3B78C-1807-4249-5BA5-EA42D66AF0BF}"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{813C99FC-9849-4F47-813E-24A75DC85615}\ = "IParallelPortChangedEvent"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Interface\{813C99FC-9849-4F47-813E-24A75DC85615}\TypeLib	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D0D93830-70A2-487E-895E-D3FC9679F7B3}\TypeLib\Version = "1.3"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Interface\{D78374E9-486E-472F-481B-969746AF2480}	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DD3FC71D-26C0-4FE1-BF6F-67F633265BBA}\TypeLib\ = "{D7569351-1750-46F0-936E-BD127D5BC264}"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{232E9151-AE84-4B8E-B0F3-5C20C35CAAC9}	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{59A235AC-2F1A-4D6C-81FC-E3FA843F49AE}\ = "IFile"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{739160A6-53EA-465B-BB6B-5326C20A3C0C}\TypeLib\ = "{D7569351-1750-46F0-936E-BD127D5BC264}"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{E8F79A21-1207-4179-94CF-CA250036308F}\ProxyStubClsid32	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{F22DD3B4-E4D0-437A-BFDF-0372896BA162}\TypeLib	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Interface\{243829CB-15B7-42A4-8664-7AA4E34993DA}\TypeLib	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Interface\{3DB2AB1A-6CF7-42F1-8BF5-E1C0553E0B30}\ProxyStubClsid32	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{22363CFC-07DA-41EC-AC4A-3DD99DB35594}\ProxyStubClsid32\ = "{0BB3B78C-1807-4249-5BA5-EA42D66AF0BF}"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{4DA2DEC7-71B2-4817-9A64-4ED12C17388E}	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\progId_VirtualBox.Shell.ova\shell	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{537707F7-EBF9-4D5C-7AEA-877BFC4256BA}\ProxyStubClsid32	VirtualBox.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3C02F46D-C9D2-4F11-A384-53F0CF917214}\ProgId	VirtualBox.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{CEB482FC-41B9-42A8-8538-9835EA33B6F2}\TypeLib\ = "{D7569351-1750-46F0-936E-BD127D5BC264}"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Interface\{E36A5081-A82A-40BD-9E4E-42A44D6CE50F}\NumMethods	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Interface\{C984D15F-E191-400B-840E-970F3DAD7296}	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D7B98D2B-30E8-447E-99CB-E31BECAE6AE4}\NumMethods\ = "48"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AA204A12-5B29-45A5-B5D6-C2BAFCDB9B0B}\ProxyStubClsid32\ = "{0BB3B78C-1807-4249-5BA5-EA42D66AF0BF}"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1E8D3F27-B45C-48AE-8B36-D35E83D207AA}\TypeLib\ = "{D7569351-1750-46F0-936E-BD127D5BC264}"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Interface\{31AAB263-95EF-48A4-9CE7-EAF0D3AE150F}\ProxyStubClsid32	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{48C7F4C0-C9D6-4742-957C-A6FD52E8C4AE}\ = "IBandwidthControl"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Interface\{E8F79A21-1207-4179-94CF-CA250036308F}\NumMethods	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{70401EEF-C8E9-466B-9660-45CB3E9979E4}\NumMethods	VirtualBox.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D78374E9-486E-472F-481B-969746AF2480}\TypeLib	VirtualBox.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{88394258-7006-40D4-B339-472EE3801844}\TypeLib	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{B14290AD-CD54-400C-B858-797BCB82570E}\ProxyStubClsid32\ = "{0BB3B78C-1807-4249-5BA5-EA42D66AF0BF}"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B1A7A4F2-47B9-4A1E-82B2-07CCD5323C3F}\LocalServer32	VirtualBox.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{abef51ae-1493-49f4-aa03-efaf106bf086}	VirtualBox.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9709DB9B-3346-49D6-8F1C-41B0C4784FF2}\ProxyStubClsid32	VirtualBox.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{813C99FC-9849-4F47-813E-24A75DC85615}\NumMethods	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FA43579A-2272-47C4-A443-9713F19A902F}\TypeLib\Version = "1.3"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FA43579A-2272-47C4-A443-9713F19A902F}\TypeLib\ = "{D7569351-1750-46F0-936E-BD127D5BC264}"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Interface\{FB220201-2FD3-47E2-A5DC-2C2431D833CC}\NumMethods	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{392F1DE4-80E1-4A8A-93A1-67C5F92A838A}\TypeLib	VirtualBox.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{50CE4B51-0FF7-46B7-A138-3C6E5AC946B4}\NumMethods\ = "24"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Interface\{6DDEF35E-4737-457B-99FC-BC52C851A44F}	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{CB6F0F2C-8384-11E9-921D-8B984E28A686}\TypeLib\Version = "1.3"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{d2937a8e-cb8d-4382-90ba-b7da78a74573}	VirtualBox.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Interface\{925084B0-625F-422F-A67D-0EDE1880A56C}\ProxyStubClsid32	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Interface\{C354A762-3FF2-4F2E-8F09-07382EE25088}\TypeLib	msiexec.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2836	VirtualBox.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
1908	msiexec.exe
1908	msiexec.exe
384	Taskmgr.exe
384	Taskmgr.exe
384	Taskmgr.exe
384	Taskmgr.exe
384	Taskmgr.exe
384	Taskmgr.exe
384	Taskmgr.exe
384	Taskmgr.exe
384	Taskmgr.exe
384	Taskmgr.exe
384	Taskmgr.exe
384	Taskmgr.exe
384	Taskmgr.exe
384	Taskmgr.exe

Suspicious behavior: LoadsDriver 4 IoCs

pid	Process
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4844	VirtualBox-7.1.0-164728-Win.exe
Token: SeIncreaseQuotaPrivilege	4844	VirtualBox-7.1.0-164728-Win.exe
Token: SeSecurityPrivilege	1908	msiexec.exe
Token: SeCreateTokenPrivilege	4844	VirtualBox-7.1.0-164728-Win.exe
Token: SeAssignPrimaryTokenPrivilege	4844	VirtualBox-7.1.0-164728-Win.exe
Token: SeLockMemoryPrivilege	4844	VirtualBox-7.1.0-164728-Win.exe
Token: SeIncreaseQuotaPrivilege	4844	VirtualBox-7.1.0-164728-Win.exe
Token: SeMachineAccountPrivilege	4844	VirtualBox-7.1.0-164728-Win.exe
Token: SeTcbPrivilege	4844	VirtualBox-7.1.0-164728-Win.exe
Token: SeSecurityPrivilege	4844	VirtualBox-7.1.0-164728-Win.exe
Token: SeTakeOwnershipPrivilege	4844	VirtualBox-7.1.0-164728-Win.exe
Token: SeLoadDriverPrivilege	4844	VirtualBox-7.1.0-164728-Win.exe
Token: SeSystemProfilePrivilege	4844	VirtualBox-7.1.0-164728-Win.exe
Token: SeSystemtimePrivilege	4844	VirtualBox-7.1.0-164728-Win.exe
Token: SeProfSingleProcessPrivilege	4844	VirtualBox-7.1.0-164728-Win.exe
Token: SeIncBasePriorityPrivilege	4844	VirtualBox-7.1.0-164728-Win.exe
Token: SeCreatePagefilePrivilege	4844	VirtualBox-7.1.0-164728-Win.exe
Token: SeCreatePermanentPrivilege	4844	VirtualBox-7.1.0-164728-Win.exe
Token: SeBackupPrivilege	4844	VirtualBox-7.1.0-164728-Win.exe
Token: SeRestorePrivilege	4844	VirtualBox-7.1.0-164728-Win.exe
Token: SeShutdownPrivilege	4844	VirtualBox-7.1.0-164728-Win.exe
Token: SeDebugPrivilege	4844	VirtualBox-7.1.0-164728-Win.exe
Token: SeAuditPrivilege	4844	VirtualBox-7.1.0-164728-Win.exe
Token: SeSystemEnvironmentPrivilege	4844	VirtualBox-7.1.0-164728-Win.exe
Token: SeChangeNotifyPrivilege	4844	VirtualBox-7.1.0-164728-Win.exe
Token: SeRemoteShutdownPrivilege	4844	VirtualBox-7.1.0-164728-Win.exe
Token: SeUndockPrivilege	4844	VirtualBox-7.1.0-164728-Win.exe
Token: SeSyncAgentPrivilege	4844	VirtualBox-7.1.0-164728-Win.exe
Token: SeEnableDelegationPrivilege	4844	VirtualBox-7.1.0-164728-Win.exe
Token: SeManageVolumePrivilege	4844	VirtualBox-7.1.0-164728-Win.exe
Token: SeImpersonatePrivilege	4844	VirtualBox-7.1.0-164728-Win.exe
Token: SeCreateGlobalPrivilege	4844	VirtualBox-7.1.0-164728-Win.exe
Token: SeCreateTokenPrivilege	4844	VirtualBox-7.1.0-164728-Win.exe
Token: SeAssignPrimaryTokenPrivilege	4844	VirtualBox-7.1.0-164728-Win.exe
Token: SeLockMemoryPrivilege	4844	VirtualBox-7.1.0-164728-Win.exe
Token: SeIncreaseQuotaPrivilege	4844	VirtualBox-7.1.0-164728-Win.exe
Token: SeMachineAccountPrivilege	4844	VirtualBox-7.1.0-164728-Win.exe
Token: SeTcbPrivilege	4844	VirtualBox-7.1.0-164728-Win.exe
Token: SeSecurityPrivilege	4844	VirtualBox-7.1.0-164728-Win.exe
Token: SeTakeOwnershipPrivilege	4844	VirtualBox-7.1.0-164728-Win.exe
Token: SeLoadDriverPrivilege	4844	VirtualBox-7.1.0-164728-Win.exe
Token: SeSystemProfilePrivilege	4844	VirtualBox-7.1.0-164728-Win.exe
Token: SeSystemtimePrivilege	4844	VirtualBox-7.1.0-164728-Win.exe
Token: SeProfSingleProcessPrivilege	4844	VirtualBox-7.1.0-164728-Win.exe
Token: SeIncBasePriorityPrivilege	4844	VirtualBox-7.1.0-164728-Win.exe
Token: SeCreatePagefilePrivilege	4844	VirtualBox-7.1.0-164728-Win.exe
Token: SeCreatePermanentPrivilege	4844	VirtualBox-7.1.0-164728-Win.exe
Token: SeBackupPrivilege	4844	VirtualBox-7.1.0-164728-Win.exe
Token: SeRestorePrivilege	4844	VirtualBox-7.1.0-164728-Win.exe
Token: SeShutdownPrivilege	4844	VirtualBox-7.1.0-164728-Win.exe
Token: SeDebugPrivilege	4844	VirtualBox-7.1.0-164728-Win.exe
Token: SeAuditPrivilege	4844	VirtualBox-7.1.0-164728-Win.exe
Token: SeSystemEnvironmentPrivilege	4844	VirtualBox-7.1.0-164728-Win.exe
Token: SeChangeNotifyPrivilege	4844	VirtualBox-7.1.0-164728-Win.exe
Token: SeRemoteShutdownPrivilege	4844	VirtualBox-7.1.0-164728-Win.exe
Token: SeUndockPrivilege	4844	VirtualBox-7.1.0-164728-Win.exe
Token: SeSyncAgentPrivilege	4844	VirtualBox-7.1.0-164728-Win.exe
Token: SeEnableDelegationPrivilege	4844	VirtualBox-7.1.0-164728-Win.exe
Token: SeManageVolumePrivilege	4844	VirtualBox-7.1.0-164728-Win.exe
Token: SeImpersonatePrivilege	4844	VirtualBox-7.1.0-164728-Win.exe
Token: SeCreateGlobalPrivilege	4844	VirtualBox-7.1.0-164728-Win.exe
Token: SeCreateTokenPrivilege	4844	VirtualBox-7.1.0-164728-Win.exe
Token: SeAssignPrimaryTokenPrivilege	4844	VirtualBox-7.1.0-164728-Win.exe
Token: SeLockMemoryPrivilege	4844	VirtualBox-7.1.0-164728-Win.exe

Suspicious use of FindShellTrayWindow 41 IoCs

pid	Process
4844	VirtualBox-7.1.0-164728-Win.exe
384	Taskmgr.exe
384	Taskmgr.exe
384	Taskmgr.exe
384	Taskmgr.exe
384	Taskmgr.exe
384	Taskmgr.exe
384	Taskmgr.exe
384	Taskmgr.exe
384	Taskmgr.exe
384	Taskmgr.exe
384	Taskmgr.exe
384	Taskmgr.exe
384	Taskmgr.exe
384	Taskmgr.exe
384	Taskmgr.exe
384	Taskmgr.exe
384	Taskmgr.exe
384	Taskmgr.exe
384	Taskmgr.exe
384	Taskmgr.exe
384	Taskmgr.exe
384	Taskmgr.exe
384	Taskmgr.exe
384	Taskmgr.exe
384	Taskmgr.exe
384	Taskmgr.exe
384	Taskmgr.exe
384	Taskmgr.exe
384	Taskmgr.exe
384	Taskmgr.exe
384	Taskmgr.exe
384	Taskmgr.exe
384	Taskmgr.exe
384	Taskmgr.exe
384	Taskmgr.exe
384	Taskmgr.exe
384	Taskmgr.exe
384	Taskmgr.exe
384	Taskmgr.exe
4844	VirtualBox-7.1.0-164728-Win.exe

Suspicious use of SendNotifyMessage 39 IoCs

pid	Process
384	Taskmgr.exe
384	Taskmgr.exe
384	Taskmgr.exe
384	Taskmgr.exe
384	Taskmgr.exe
384	Taskmgr.exe
384	Taskmgr.exe
384	Taskmgr.exe
384	Taskmgr.exe
384	Taskmgr.exe
384	Taskmgr.exe
384	Taskmgr.exe
384	Taskmgr.exe
384	Taskmgr.exe
384	Taskmgr.exe
384	Taskmgr.exe
384	Taskmgr.exe
384	Taskmgr.exe
384	Taskmgr.exe
384	Taskmgr.exe
384	Taskmgr.exe
384	Taskmgr.exe
384	Taskmgr.exe
384	Taskmgr.exe
384	Taskmgr.exe
384	Taskmgr.exe
384	Taskmgr.exe
384	Taskmgr.exe
384	Taskmgr.exe
384	Taskmgr.exe
384	Taskmgr.exe
384	Taskmgr.exe
384	Taskmgr.exe
384	Taskmgr.exe
384	Taskmgr.exe
384	Taskmgr.exe
384	Taskmgr.exe
384	Taskmgr.exe
384	Taskmgr.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3424	LogonUI.exe

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 1908 wrote to memory of 2260	1908	msiexec.exe	88
PID 1908 wrote to memory of 2260	1908	msiexec.exe	88
PID 1908 wrote to memory of 1764	1908	msiexec.exe	101
PID 1908 wrote to memory of 1764	1908	msiexec.exe	101
PID 1908 wrote to memory of 2520	1908	msiexec.exe	103
PID 1908 wrote to memory of 2520	1908	msiexec.exe	103
PID 1908 wrote to memory of 4988	1908	msiexec.exe	104
PID 1908 wrote to memory of 4988	1908	msiexec.exe	104
PID 1908 wrote to memory of 4988	1908	msiexec.exe	104
PID 1908 wrote to memory of 3568	1908	msiexec.exe	106
PID 1908 wrote to memory of 3568	1908	msiexec.exe	106
PID 1512 wrote to memory of 4596	1512	svchost.exe	108
PID 1512 wrote to memory of 4596	1512	svchost.exe	108
PID 1908 wrote to memory of 2960	1908	msiexec.exe	111
PID 1908 wrote to memory of 2960	1908	msiexec.exe	111
PID 1908 wrote to memory of 2960	1908	msiexec.exe	111
PID 1512 wrote to memory of 1300	1512	svchost.exe	113
PID 1512 wrote to memory of 1300	1512	svchost.exe	113
PID 1512 wrote to memory of 2028	1512	svchost.exe	114
PID 1512 wrote to memory of 2028	1512	svchost.exe	114
PID 4844 wrote to memory of 2836	4844	VirtualBox-7.1.0-164728-Win.exe	116
PID 4844 wrote to memory of 2836	4844	VirtualBox-7.1.0-164728-Win.exe	116

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\VirtualBox-7.1.0-164728-Win.exe
"C:\Users\Admin\AppData\Local\Temp\VirtualBox-7.1.0-164728-Win.exe"
1⤵
- Enumerates connected drives
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:4844
- C:\Program Files\Oracle\VirtualBox\VirtualBox.exe
  "C:\Program Files\Oracle\VirtualBox\VirtualBox.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies registry class
  - Suspicious behavior: AddClipboardFormatListener
  PID:2836

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1908
- C:\Windows\System32\MsiExec.exe
  C:\Windows\System32\MsiExec.exe -Embedding 266F506C896A46C8EA878402A50D4846 C
  2⤵
  - Loads dropped DLL
  PID:2260
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  PID:1764
- C:\Windows\System32\MsiExec.exe
  C:\Windows\System32\MsiExec.exe -Embedding CEC7CA77B43AAFBB5320DD2B863E9192
  2⤵
  - Loads dropped DLL
  PID:2520
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding AEA15D8F0DC5CA2F10B6E12EBCBE2933
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:4988
- C:\Windows\System32\MsiExec.exe
  C:\Windows\System32\MsiExec.exe -Embedding 8A9B250377F9851F0564F02E41483C5B E Global\MSI0000
  2⤵
  - Drops file in Drivers directory
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Loads dropped DLL
  - Checks SCSI registry key(s)
  - Modifies data under HKEY_USERS
  PID:3568
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding AFB94437B94A22FD5B4675BA016CCF05 M Global\MSI0000
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2960

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
PID:4384

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s DeviceInstall
1⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Suspicious use of WriteProcessMemory
PID:1512
- C:\Windows\system32\DrvInst.exe
  DrvInst.exe "4" "1" "C:\Program Files\Oracle\VirtualBox\drivers\USB\device\VBoxUSB.inf" "9" "48f6bcb47" "0000000000000148" "WinSta0\Default" "0000000000000158" "208" "C:\Program Files\Oracle\VirtualBox\drivers\USB\device"
  2⤵
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Checks SCSI registry key(s)
  - Modifies data under HKEY_USERS
  PID:4596
- C:\Windows\system32\DrvInst.exe
  DrvInst.exe "4" "1" "C:\Program Files\Oracle\VirtualBox\drivers\network\netlwf\VBoxNetLwf.inf" "9" "431e52bcb" "000000000000017C" "WinSta0\Default" "0000000000000158" "208" "C:\Program Files\Oracle\VirtualBox\drivers\network\netlwf"
  2⤵
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Checks SCSI registry key(s)
  - Modifies data under HKEY_USERS
  PID:1300
- C:\Windows\system32\DrvInst.exe
  DrvInst.exe "4" "1" "C:\Program Files\Oracle\VirtualBox\drivers\network\netadp6\VBoxNetAdp6.inf" "9" "473b17b7b" "0000000000000158" "WinSta0\Default" "0000000000000148" "208" "C:\Program Files\Oracle\VirtualBox\drivers\network\netadp6"
  2⤵
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Checks SCSI registry key(s)
  - Modifies data under HKEY_USERS
  PID:2028

C:\Windows\System32\Taskmgr.exe
"C:\Windows\System32\Taskmgr.exe"
1⤵
- Checks SCSI registry key(s)
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:384

C:\Program Files\Oracle\VirtualBox\VBoxSVC.exe
"C:\Program Files\Oracle\VirtualBox\VBoxSVC.exe" -Embedding
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1924

C:\Program Files\Oracle\VirtualBox\VBoxSDS.exe
"C:\Program Files\Oracle\VirtualBox\VBoxSDS.exe"
1⤵
- Drops file in System32 directory
- Executes dropped EXE
- Loads dropped DLL
PID:3720

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa397d855 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:3424

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Privilege Escalation

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e584b3e.rbs

Filesize
2.6MB

MD5
4e24224d9a0321723ff9572f7ac06b7d

SHA1
8cf052e17220e602b7470aafe6f616fd20109e38

SHA256
dab8cb9735b8168eb0df3d5a06d7852bfde42ec4dc633761c2d92ad421e822e6

SHA512
11d97651ded3867f71ad601416c26f148008525c99c2bb06355ce2d7d34db80484bac5a444c693a6faea4ea00cd11b1e4c88e90567ee384fc3b2556e47d8c055

Download Submit
C:\PROGRA~1\Oracle\VIRTUA~1\drivers\USB\device\VBoxUSB.cat

Filesize
11KB

MD5
98cbb7d04c29a5c1703ec48dfc2ed1b8

SHA1
30882c98c721d9f0be210b5534809ff79d66379b

SHA256
e9613f32a03443aaaa4f797fa3884e6fdf50747158ed59ccd2636169f19e6197

SHA512
d0379684136839b77a3db3db1619ce5ef2b3e189f0b5a0dde345f29b9deb7d03670476caaaabe6ad526033fae5be045f362da86f61f62abf2816f0e5a53261e6

Download Submit
C:\PROGRA~1\Oracle\VIRTUA~1\drivers\USB\device\VBoxUSB.sys

Filesize
176KB

MD5
ae638e9a6f64ff93d029fe2ff5f0a14e

SHA1
111bbff1cc8d4a5c50d5352d0105f5a4baf59916

SHA256
eb7c02babed66900199be2b0a3f105d214285e0ada55267137f0d78d9fb45836

SHA512
75eeaaedb6186bc91a8e49b3ee42a6b34af6159a23c0dc6f42b722e1e1c32405bff7cf995f4b88f2c14a85b71b03607b07ad037d10c246fae9fcb3d2700da855

Download Submit
C:\Program Files\Oracle\VirtualBox\VBoxProxyStub.dll

Filesize
918KB

MD5
8e73bb0002587e4d67c5114c0b056e15

SHA1
0bdb5915ab3aa8b742a2fd4c86cab77df319a85f

SHA256
87b4e58f53498bc725a2abe7605d7aee2f2a53b7ddb391c5ba2332ac32103719

SHA512
5d78bf3f378cfed0bb334f87945b347ff7c7727e29b9e2f7646bac70fec95fb9b4dfb9d733a244ea2def0225680f959dc54e1f37cbef78da3d16be1eec34e35c

Download Submit
C:\Program Files\Oracle\VirtualBox\VirtualBox.exe

Filesize
2.7MB

MD5
2054a68103a72dc9871ee2cb86549bf4

SHA1
6ed58f96e48419ff197614f4c0348b04f82bd854

SHA256
408fa3d3898c240fe64a0adb0dab0e30e21e1235dc8a8a32c81101a1debd996f

SHA512
ad41728ead049f52539d51765c7ab58ff626ce57558b39ae228c6514b9ee154e6f35744d1f443dfeecc1c81737b17486ea7330fd27eec207a1c16d9a382f8d06

Download Submit
C:\Program Files\Oracle\VirtualBox\drivers\USB\device\VBoxUSB.inf

Filesize
2KB

MD5
b45d3e375012d269c3b32b09788e7583

SHA1
430e3d1518441c538b9d2e8e5cfd6281f543d9e2

SHA256
244b1e9a587732962862a8e24c5e49a5b4943b689a41877c899e2e0bf9cfa261

SHA512
79aaaaaae52e5b9a0c43bdf65b9a0a5b5513b8bba8732d210196fa77642fe0d6885bcdf6bd6945e5f5cd7b6d811c74496529d480d0333f3127da7dbbec88596e

Download Submit
C:\Program Files\Oracle\VirtualBox\drivers\USB\filter\VBoxUSBMon.cat

Filesize
11KB

MD5
4755133bb7c407c1ba71713e73a3cc7c

SHA1
4355e3772ad3c3402003950ff5efdce0d1daf2a8

SHA256
94b5a2cc918605fdf0735c9183033b96a9210bfa7b335ae0a1387ab4f3fa226b

SHA512
6f2fa3560657ab3ef94321d1de67d871dcdb33f2a6c089f3f31e282d9f4ee254d2e3b12a977feb5a13c0f9e74bcef2c419c6b10ccd04555c2624e4c5a06f6bba

Download Submit
C:\Program Files\Oracle\VirtualBox\drivers\USB\filter\VBoxUSBMon.inf

Filesize
3KB

MD5
a1fa20b47d57220e6e5bba156c3d5dc0

SHA1
3945f52226ff9f3b4592996a0c305a410b287c71

SHA256
5ddbe612e07f17c4f9701e09af129a800f2d035b8e3676d2cd85c8199a3b3e8c

SHA512
d41c66c7fc2886570be0f7a1dfbc652d05f9aa94bab41a359d14e6cbc6d40009c38de689e6b56a7820001f443ed2c8fb7e4067723ab7581c145141edb88609ac

Download Submit
C:\Program Files\Oracle\VirtualBox\drivers\USB\filter\VBoxUSBMon.sys

Filesize
190KB

MD5
a61d66a37ac69ef13bf2b50cbcdd3fdb

SHA1
9bb4c732fa81fd616467646c0578cd6a66a13a19

SHA256
cc950dd17f17effb20bdc1d63f7dbb76e112bfa84dd939b9e22c1e0995e195c5

SHA512
809ff29faba58600191f96e74179ab07728569076a5121e5c4e56142bb29ced366ed6990a5a2b241c4eec703bbd66bbc009c00f657e739c65d2d09e299adac4a

Download Submit
C:\Program Files\Oracle\VirtualBox\drivers\vboxsup\VBoxSup.cat

Filesize
11KB

MD5
68926fe34f16816b9c3f01207640206b

SHA1
65c5348749b843a925a38b1435fa7d91f6c0887a

SHA256
bc450fc87cc98c6a79bd3a9749b8667cee73e71dfa8bcee43fec3c43c39cbb28

SHA512
47fc151b5b4ccfbdc5ac9c6e8e9eee1328a672a1b49ffa4fe491770ab16062fd32c1b46f2af13bad65710d19f013c8e657d562f6a802a1f5b3447c18098c8c6b

Download Submit
C:\Program Files\Oracle\VirtualBox\drivers\vboxsup\VBoxSup.inf

Filesize
3KB

MD5
615cf491358e659bda243fe8a6a28cf2

SHA1
538e95a1f4d04d59e5231be4ef4b6a70c58054c8

SHA256
94d3101faa14a42e7fac7d30fa66938b0fc6945ac3d589a8b677293b10e1ddec

SHA512
50b1bd55a223ca7ce734e0e24c0ba9470531f1ab9f9f5ffa61c7d86f4db71d17e55ac54ca1eb2787a629b4a8719004d34879ef9ffaf16a4fc0b8625697e973a0

Download Submit
C:\Program Files\Oracle\VirtualBox\drivers\vboxsup\VBoxSup.sys

Filesize
1.0MB

MD5
d437345b6f5d655fef45b2d250148699

SHA1
1c89bb32720eee24fc3771d47081a8bde5cee141

SHA256
c53317a4915c153d162c4382f569f06a681f0699558321d64e7ec1e2c1ba8d79

SHA512
49bb5b0acb3a9f5d63b3df944702117c55c0a7a99f5b260c4e2dc123048c39ea703f71b0bb48971cbe72a356aa14444c80befdd783b823a409a9b92599369506

Download Submit
C:\Program Files\Oracle\VirtualBox\x86\VBoxProxyStub-x86.dll

Filesize
684KB

MD5
5d24e2daf55bf6073ec4e53b6a5f332e

SHA1
f91c126c1b865afb7b0a96e18fad3423afc45cb4

SHA256
db8b4e02c1de4e46fcc78996c057d0a476e0690294c6f07c8d4d93254d10c8ad

SHA512
d2a7b114885646dc4b1f8073ac248efe63802b9a8f05b93e6bf88c6fc20ebeb75c3a6d99ffc5f2d233de126ded7fafd5dbdf1f2a8e63e2936060800c1b1dbcae

Download Submit
C:\Users\Admin\.VirtualBox\VirtualBox.xml

Filesize
1KB

MD5
d9d28bd2ef7192fb0efb99607d7a0807

SHA1
7fb6f32f1c0f227118613dd7779e1bf0a6e2ce4a

SHA256
dad710b076d96b3de34a58363a3241935bfe205b7240ce57f9d85bf2058e6dd5

SHA512
e058987d5fd8ea6cd3c3081c7ac45ce1e3719c4a38b46390133b19539fad35a0d8ad699023a3d934d18e3356cb6def62bd197b5a32ad496b620469c55d9efb13

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB

Filesize
471B

MD5
9ddbac445d0e3edfc1da1c9e0cc7049e

SHA1
7e978011ef7db7f0315e0a7c50c20ca8ed662b93

SHA256
6a624c5876030250829751c10462b7756b5454c93720e965ab5d2dc74ba19b1b

SHA512
8cfba09f317672789923ff836691ac216b15d8b002d62d0e888d7e88aa9106ca7a5d61ff80b4846f173c38fcc36d3a4de7c0c1864e23bef8abc08dbeabbe39e9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EC9B1D0ABBD7F98B401D425828828CE_D2F6556190F7B1A25A117FFB5467EEBD

Filesize
727B

MD5
8bec623aa257e66919e6b59d1ca5dd5d

SHA1
6fb47835f73fff57c6008d77202766f06e1e3605

SHA256
c822befe071be047f48b2a35189aa73176f7f686f77aac3ff40f61f4af82b26d

SHA512
48e0570ad719a8a6527a532b4621dc2168edeada194a710014593875f4a55ae5aee287f52e8b26e22dc198ec45b9d4fc4f09350612957526c30448268cf3502a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141

Filesize
727B

MD5
b1b47440de795bdf1e84bb61a3c8e31a

SHA1
6c985358c0758616e0f4e58c01af21f46c6a7b85

SHA256
5adc2eea6cf86ad5a5a5d0111bfa0bdd3c864b191b5f8b1bc88781be36585ba4

SHA512
f148b49ae2d3191e154ae3785e2a59d4e77257764096e6d2ad33658543cc72e5b0d1887d09d11b3456967dfb39e77b52b68cc2323141e7e710a44d7dc9758728

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB

Filesize
400B

MD5
65bd48aacb66a00821878ab013ee71b1

SHA1
ede27c7471252df73c003a125b810d93dac045cc

SHA256
eadc46e06dbb8675bf95d21d1ba06504db44b616932cc10da2632fe97ce9ad33

SHA512
b0e6efdd1f21edf6edacdcbe030670e384ba9fa41d377669683308e37bebb3968d0aab2bad4b56ff94dac3b4c479bad96713788a048470237f0f6b63f86bf03c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8EC9B1D0ABBD7F98B401D425828828CE_D2F6556190F7B1A25A117FFB5467EEBD

Filesize
412B

MD5
014b7c3fc886332271c677c0c281aaf4

SHA1
95f7327126f8fe130f4eabad84f27664b627481e

SHA256
dd9ab275d42d2060bbdecc18d8a04f9d24da0938ec535060c9053cc8c4ca6cc7

SHA512
75762740ba0216561ad98827cec398b93e28cd26ea75d718b88d0dcfb69bc1ad040729c752fb04d404a549f5398a10f60878d626ecc61c65189208ee3933213d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141

Filesize
412B

MD5
00f94f517b1f8ab0d30f4fcb68bd1d16

SHA1
9f4d09fe60143ba11e7313197e615d07404dd59a

SHA256
b797288a5b96f3054f06ad502da491eb3b6f1a31b182db9e4165753436a31c1f

SHA512
f783be67f6016217e273693e20a5efe9a16afc7f7865a57434d83e463f600fafa22059eb1255ec1e1de2289068c439e6db61e7a14a59f7817c6a3abb9d2a17a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI7B4A.tmp

Filesize
330KB

MD5
8eec651788089ff13ee10890327b3960

SHA1
defdbad20b036ffaa5147f5d7d44aa2e5ccbd110

SHA256
6173b719808a772b2267cd52315917d36cc9131032c5a829acabf10ef09994b1

SHA512
2101bb6e4d38f994fe1d863e2e44d25920dc1b9bc9c662ec22093705fcbdd9fa53cc5e08644e37fedee6c0b2d378927abdd2d78b041d14381122efbf9fecbcb9

Download Submit
C:\Windows\Installer\MSI5265.tmp

Filesize
330KB

MD5
ac831c25bc16a05ee60aea5d79517434

SHA1
4946133e7fac34315a0ccaa30ca8ad383d5f0140

SHA256
947f8fd98efb1986df32a9c179eccf720376721798cc15d4cf9e31cdb8324869

SHA512
72f625386a7af35b58bdb70f35b8a29cd06c091f04e4cc2f9c7ec1c1ec194e4fb120b5528b55ed589c9daa890c1bdf8762dce1e17dd69a77ec7a002d2685ba5b

Download Submit
C:\Windows\Installer\MSI55F2.tmp

Filesize
149KB

MD5
418322f7be2b68e88a93a048ac75a757

SHA1
09739792ff1c30f73dacafbe503630615922b561

SHA256
ea5d4b4c7e7be1ce24a614ae1e31a58bcae6f1694dd8bfb735cf47d35a08d59b

SHA512
253f62f5ce75df3e9ac3c62e2f06f30c7c6de6280fbfc830cdd15bf29cb8ee9ed878212f6df5d0ac6a5c9be0e6259f900eccee472a890f15dd3ff1f84958aeef

Download Submit
C:\Windows\Installer\MSI648B.tmp

Filesize
690KB

MD5
8deb7d2f91c7392925718b3ba0aade22

SHA1
fc8e9b10c83e16eb0af1b6f10128f5c37b389682

SHA256
cb42fac1aebb6e1ac4907a38035b218b5f992d1bcd4dece11b1664a588e876e4

SHA512
37f2c132b632c8e5a336bdc773d953c7f39872b1bae2ba34fbaf7794a477fd0dcb9ff60a3ddb447fe76abd98e557bd5ee544876584adea152b0841b3e313054c

Download Submit
C:\Windows\System32\CatRoot2\dberr.txt

Filesize
19KB

MD5
fe09fb4e2df92da6959d6a1f2e682699

SHA1
8381d972d2e5b80360a14c7eede426dfef945cb7

SHA256
80623373cb21ccb8dc9585e4c1526bd7fd6e22ebb1e1489604fd212e07107e47

SHA512
bbe7da72e2eda15c37914a8190f28b3fc73b40b480c2338ce9d925d6df8e78cae5baed1ddf05733ca6380300e99929fdb1aca5ee8a2055d4c2b2faa389ed446c

Download Submit
C:\Windows\System32\CatRoot2\dberr.txt

Filesize
19KB

MD5
ecca10c55bb0cdbe2b30edb0d2e616a0

SHA1
4e974332a438f9fb1f01cc23da5d9d56b6cb6fdd

SHA256
187a5630116edab90d000304048c6086f6dc035ac5f8eb3dfd87827c3af24c6e

SHA512
c9247b293d42a6234e2da5229bd01742af8ee15e577c20feb328363a4c749cba48510b324da28ee31c4e59b93e40c258fe68d8e50023268b0d7a9476a646c378

Download Submit
C:\Windows\System32\DriverStore\Temp\{8adfe764-ccc2-bc46-a1dd-4b571f7d7745}\VBoxNetLwf.cat

Filesize
11KB

MD5
7a8b497c886daf1a204d128104d0745b

SHA1
4c627f02e0847eb65d0be0100f06514b73289173

SHA256
9c7696fc0b82552f9380677a8d882a14fddfbbb3299efee00147585496c1dee9

SHA512
6bf99c1d8ed86fe8d109c743648996bf3cc9f09f1f019160bcca1772438a6f85486aeb4247aa48de59ec32c8aae757c3c578fe3865c2b52404992ab9dde3792b

Download Submit
C:\Windows\System32\DriverStore\Temp\{8adfe764-ccc2-bc46-a1dd-4b571f7d7745}\VBoxNetLwf.inf

Filesize
4KB

MD5
a422f601080e6facacfb99e5242ddefd

SHA1
17f0f9f9f8dd0646262d86775c894ebc6143ac71

SHA256
9855ee05c50c36d0c0bd800ad082c936a367e86ad0a79dc86957a8b71d05b221

SHA512
3264852c68387a071e3ac0c1ba2094a2c19da31783898415735d85dc527f81e8341ca07ecfe9a0bc280ec8321cb6757b995236967a2faca56cc8d2f8f5b2b224

Download Submit
C:\Windows\System32\DriverStore\Temp\{8adfe764-ccc2-bc46-a1dd-4b571f7d7745}\VBoxNetLwf.sys

Filesize
250KB

MD5
493a965d8802a844777765a032a6b23a

SHA1
ca73d434f904292be4ad670f34b6861ead20699a

SHA256
6aa4f2dd992c6e6e23883afd4992f2f17088862079ec90252d721fe814065b9e

SHA512
5ed61f651257803534007e30518750ee1ceb5ac3b777d6a00c29953b7fc75f1a39b196637381bc880449e8db9090a39757de1ad060f9d024b8923b41bc4830a7

Download Submit
C:\Windows\System32\DriverStore\Temp\{f5e4a51d-7f09-7e4f-a44e-182de1788a21}\VBoxNetAdp6.cat

Filesize
11KB

MD5
2662421634b511870df38415a64e135b

SHA1
cdb8acb594109c320b77f9fb9c58783ec35c1e27

SHA256
f225133d052d38cd5425d46f650e389f0a88caac1643b3d2aac660c9e6831050

SHA512
f368ae5fd4da9311427ef637385a737164292614c9f1d524c69cb247c70ad377241693be3a7da9ea474aa13089b4070318bffae4514ca629bb09844e2c0cc24e

Download Submit
C:\Windows\System32\DriverStore\Temp\{f5e4a51d-7f09-7e4f-a44e-182de1788a21}\VBoxNetAdp6.inf

Filesize
3KB

MD5
0b58f7b01a55a237d6233a6a594d4b03

SHA1
8aaac2854a9ed42f83dcef46969f85d0fb7312ee

SHA256
d96204310fbad2402b06d67ce4531f26b0fa42cb216a8fd0bd81dbf59869d0f1

SHA512
1f79b557ce0990e36d85785d4fc84617de02686a737431b13f06a2a44f7cc66e8561e106dc6a1e9ad61cd564417a8fd2a5e867de5e650b6bc2dd89f6b22cff76

Download Submit
C:\Windows\System32\DriverStore\Temp\{f5e4a51d-7f09-7e4f-a44e-182de1788a21}\VBoxNetAdp6.sys

Filesize
240KB

MD5
b75313fb863685a14ee248b3eb375a41

SHA1
ffee8dbf3c6f20a2057be042c44cb0728fde4569

SHA256
81ea904f928ac417d845ea2d3374a992f829cb18b6084e24e6f925fa64a6f80e

SHA512
914483814757ce691107678d432628fd11a462672cea79694c599605dc404b4b97c3210622c05826bfc825bccb3491551d0e0dd40f9f9fc9c569b816298207bd

Download Submit
C:\Windows\System32\catroot2\dberr.txt

Filesize
19KB

MD5
4d393a6d8f2b3fe7502162943e5ac7cc

SHA1
9ceea89a891989ea528fc3af8214feaf384ca1de

SHA256
c555a1d624bd09ec8749de29315375c5e4bcb141597bcb8da5e017e1306ab57f

SHA512
8cd37edda96b898ca42956bf50c89ced0e0a1f278fd1f60a5b50ad0c3641226cfa0a103e4c2490a19cee3b32a3b715ac0ede055c7f49ebc8450f56a77542c599

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

Filesize
23.7MB

MD5
8684a6cda8c45a8fb6456e1b0615f593

SHA1
85eaddb60d76dea58d5b8835b493306044949bdf

SHA256
470a276dfbe3513a9eaea1c013512e22ce4dd7d26d05a08a587d36d94f0f0b42

SHA512
4558dc5eb1e8080471ac491e2a7b08adf140dbbb78b49a5c0432c7660fdf5caa0920f7578e1d44a528cb3da4f16c5b3f21b82ef1d52a6cb3206b4e79b392fc90

Download Submit
\??\Volume{83bffa96-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{d02ebe30-121e-4ee7-8223-29ecaac68bd6}_OnDiskSnapshotProp

Filesize
6KB

MD5
a77976393939af7bbe04a3632a48efd4

SHA1
a83f92f49bedd368f20bf56b78e25e8f8d176153

SHA256
a87a208b464ea6b856b021220af7c7ff2a0acbf40b6360f11fe85620dffab1d5

SHA512
d44f2bb33a20972a589a95c9dd1e94fb03b06f48d6a18d6ac6199bca64bc4c410ab5ef717b170a094655bb563e84df8f8778baf331fd1db6d631cbb0ca9a9c46

Download Submit
memory/384-409-0x000002883FF20000-0x000002883FF21000-memory.dmp

Filesize
4KB

Download
memory/384-400-0x000002883FF20000-0x000002883FF21000-memory.dmp

Filesize
4KB

Download
memory/384-402-0x000002883FF20000-0x000002883FF21000-memory.dmp

Filesize
4KB

Download
memory/384-406-0x000002883FF20000-0x000002883FF21000-memory.dmp

Filesize
4KB

Download
memory/384-408-0x000002883FF20000-0x000002883FF21000-memory.dmp

Filesize
4KB

Download
memory/384-407-0x000002883FF20000-0x000002883FF21000-memory.dmp

Filesize
4KB

Download
memory/384-410-0x000002883FF20000-0x000002883FF21000-memory.dmp

Filesize
4KB

Download
memory/384-411-0x000002883FF20000-0x000002883FF21000-memory.dmp

Filesize
4KB

Download
memory/384-412-0x000002883FF20000-0x000002883FF21000-memory.dmp

Filesize
4KB

Download
memory/384-401-0x000002883FF20000-0x000002883FF21000-memory.dmp

Filesize
4KB

Download
memory/2836-569-0x00007FF764E50000-0x00007FF765109000-memory.dmp

Filesize
2.7MB

Download
memory/2836-571-0x00007FFE6AA80000-0x00007FFE6B041000-memory.dmp

Filesize
5.8MB

Download
memory/2836-570-0x00007FFE6B7D0000-0x00007FFE6D30D000-memory.dmp

Filesize
27.2MB

Download

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads