Analysis

  • max time kernel
    49s
  • max time network
    56s
  • platform
    windows11-21h2_x64
  • resource
    win11-20241007-en
  • resource tags

    arch:x64 arch:x86 image:win11-20241007-en locale:en-us os:windows11-21h2-x64 system
  • submitted
    09/11/2024, 21:24

Errors

Reason
Machine shutdown

General

  • Target

    VirtualBox-7.1.4-165100-Win.exe

  • Size

    105.9MB

  • MD5

    0923f79f004c8299e3327e3028de2d12

  • SHA1

    13d3408c0637f0b75bbb541e2be1f08b915b142b

  • SHA256

    f970e275f59eeeb129aab88a78dae80784370742b5051650a7926c9ea64afeac

  • SHA512

    714a3fafd3f5af5d60d8d4067e57c40c60e1b0df83f933b1ec3baa9d8b885ecb49fb6cf6119a1b5ec2070f8074313d939e73ef12060c2abeb5542d6ae3cbd02a

  • SSDEEP

    1572864:wThw9l6amedWj/ReS5wRZqf9gf10NbdmHURU9uer0kh/d092qnMbbtXosw/R7BQj:D9AedY/xE103mI1O9/22qM/t4P4yy3

Malware Config

Signatures

  • Drops file in Drivers directory 12 IoCs
  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory 64 IoCs
  • Event Triggered Execution: Component Object Model Hijacking 1 TTPs

    Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 47 IoCs
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 41 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Checks SCSI registry key(s) 3 TTPs 64 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Modifies data under HKEY_USERS 64 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: LoadsDriver 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 22 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\VirtualBox-7.1.4-165100-Win.exe
    "C:\Users\Admin\AppData\Local\Temp\VirtualBox-7.1.4-165100-Win.exe"
    1⤵
    • Enumerates connected drives
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of WriteProcessMemory
    PID:1112
    • C:\Program Files\Oracle\VirtualBox\VirtualBox.exe
      "C:\Program Files\Oracle\VirtualBox\VirtualBox.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Modifies registry class
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of FindShellTrayWindow
      PID:3748
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Modifies data under HKEY_USERS
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1540
    • C:\Windows\System32\MsiExec.exe
      C:\Windows\System32\MsiExec.exe -Embedding 681D4CDDC02BF24C3B201F02262B994F C
      2⤵
      • Loads dropped DLL
      PID:3684
    • C:\Windows\system32\srtasks.exe
      C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
      2⤵
        PID:1224
      • C:\Windows\System32\MsiExec.exe
        C:\Windows\System32\MsiExec.exe -Embedding EA17B10AD8B5C54D3F1D95EAAF5761BA
        2⤵
        • Loads dropped DLL
        PID:2612
      • C:\Windows\syswow64\MsiExec.exe
        C:\Windows\syswow64\MsiExec.exe -Embedding E2C3F61558E84C01457E79B2B2FBF7D4
        2⤵
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        PID:2932
      • C:\Windows\System32\MsiExec.exe
        C:\Windows\System32\MsiExec.exe -Embedding 16327EE46E5A20ACB5DC184CB2232656 E Global\MSI0000
        2⤵
        • Drops file in Drivers directory
        • Drops file in System32 directory
        • Drops file in Windows directory
        • Loads dropped DLL
        • Checks SCSI registry key(s)
        • Modifies data under HKEY_USERS
        PID:4960
      • C:\Windows\syswow64\MsiExec.exe
        C:\Windows\syswow64\MsiExec.exe -Embedding 7E58CF94CFD58FBB2416682ACEE6B8BF M Global\MSI0000
        2⤵
        • System Location Discovery: System Language Discovery
        PID:4348
    • C:\Windows\system32\vssvc.exe
      C:\Windows\system32\vssvc.exe
      1⤵
      • Checks SCSI registry key(s)
      PID:4756
    • C:\Windows\system32\svchost.exe
      C:\Windows\system32\svchost.exe -k DcomLaunch -p -s DeviceInstall
      1⤵
      • Drops file in Windows directory
      • Checks SCSI registry key(s)
      • Suspicious use of WriteProcessMemory
      PID:2264
      • C:\Windows\system32\DrvInst.exe
        DrvInst.exe "4" "1" "C:\Program Files\Oracle\VirtualBox\drivers\USB\device\VBoxUSB.inf" "9" "48f6bcb47" "0000000000000150" "WinSta0\Default" "0000000000000160" "208" "C:\Program Files\Oracle\VirtualBox\drivers\USB\device"
        2⤵
        • Drops file in System32 directory
        • Drops file in Windows directory
        • Checks SCSI registry key(s)
        • Modifies data under HKEY_USERS
        PID:5100
      • C:\Windows\system32\DrvInst.exe
        DrvInst.exe "4" "1" "C:\Program Files\Oracle\VirtualBox\drivers\network\netlwf\VBoxNetLwf.inf" "9" "431e52bcb" "0000000000000184" "WinSta0\Default" "0000000000000160" "208" "C:\Program Files\Oracle\VirtualBox\drivers\network\netlwf"
        2⤵
        • Drops file in System32 directory
        • Drops file in Windows directory
        • Checks SCSI registry key(s)
        • Modifies data under HKEY_USERS
        PID:2348
      • C:\Windows\system32\DrvInst.exe
        DrvInst.exe "4" "1" "C:\Program Files\Oracle\VirtualBox\drivers\network\netadp6\VBoxNetAdp6.inf" "9" "473b17b7b" "0000000000000164" "WinSta0\Default" "000000000000015C" "208" "C:\Program Files\Oracle\VirtualBox\drivers\network\netadp6"
        2⤵
        • Drops file in System32 directory
        • Drops file in Windows directory
        • Checks SCSI registry key(s)
        • Modifies data under HKEY_USERS
        PID:1252
    • C:\Program Files\Oracle\VirtualBox\VBoxSVC.exe
      "C:\Program Files\Oracle\VirtualBox\VBoxSVC.exe" -Embedding
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      PID:1880
    • C:\Program Files\Oracle\VirtualBox\VBoxSDS.exe
      "C:\Program Files\Oracle\VirtualBox\VBoxSDS.exe"
      1⤵
      • Drops file in System32 directory
      • Executes dropped EXE
      • Loads dropped DLL
      PID:4700
    • C:\Windows\system32\LogonUI.exe
      "LogonUI.exe" /flags:0x4 /state0:0xa39e0055 /state1:0x41c64e6d
      1⤵
      • Modifies data under HKEY_USERS
      • Suspicious use of SetWindowsHookEx
      PID:328

    Network

    MITRE ATT&CK Enterprise v15


    Downloads
