Analysis
max time kernel: 49s
max time network: 56s
platform: windows11-21h2_x64
resource: win11-20241007-en
resource tags: arch:x64 arch:x86 image:win11-20241007-en locale:en-us os:windows11-21h2-x64 system
submitted: 09/11/2024, 21:24
Static task: static1
Behavioral task: behavioral1
Sample: VirtualBox-7.1.4-165100-Win.exe
Resource: win11-20241007-en
Errors
General
Target: VirtualBox-7.1.4-165100-Win.exe
Size: 105.9MB
MD5: 0923f79f004c8299e3327e3028de2d12
SHA1: 13d3408c0637f0b75bbb541e2be1f08b915b142b
SHA256: f970e275f59eeeb129aab88a78dae80784370742b5051650a7926c9ea64afeac
SHA512: 714a3fafd3f5af5d60d8d4067e57c40c60e1b0df83f933b1ec3baa9d8b885ecb49fb6cf6119a1b5ec2070f8074313d939e73ef12060c2abeb5542d6ae3cbd02a
SSDEEP: 1572864:wThw9l6amedWj/ReS5wRZqf9gf10NbdmHURU9uer0kh/d092qnMbbtXosw/R7BQj:D9AedY/xE103mI1O9/22qM/t4P4yy3
Malware Config
Signatures
Drops file in Drivers directory 12 IoCs
description  ioc  Process
File opened for modification  C:\Windows\system32\DRIVERS\VBoxSup.sys  MsiExec.exe
File created  C:\Windows\system32\DRIVERS\SET128A.tmp  MsiExec.exe
File opened for modification  C:\Windows\system32\DRIVERS\VBoxUSBMon.sys  MsiExec.exe
File opened for modification  C:\Windows\system32\DRIVERS\SET2596.tmp  MsiExec.exe
File opened for modification  C:\Windows\system32\DRIVERS\SET26C0.tmp  MsiExec.exe
File opened for modification  C:\Windows\system32\DRIVERS\VBoxNetAdp6.sys  MsiExec.exe
File opened for modification  C:\Windows\system32\DRIVERS\SET11AE.tmp  MsiExec.exe
File created  C:\Windows\system32\DRIVERS\SET11AE.tmp  MsiExec.exe
File opened for modification  C:\Windows\system32\DRIVERS\VBoxNetLwf.sys  MsiExec.exe
File created  C:\Windows\system32\DRIVERS\SET26C0.tmp  MsiExec.exe
File opened for modification  C:\Windows\system32\DRIVERS\SET128A.tmp  MsiExec.exe
File created  C:\Windows\system32\DRIVERS\SET2596.tmp  MsiExec.exe
Enumerates connected drives 3 TTPs 46 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Drops file in System32 directory 64 IoCs
Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
Drops file in Program Files directory 64 IoCs
Drops file in Windows directory 47 IoCs
Executes dropped EXE 3 IoCs
pid  Process
3748  VirtualBox.exe
1880  VBoxSVC.exe
4700  VBoxSDS.exe
Loads dropped DLL 41 IoCs
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description  ioc  Process
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  VirtualBox-7.1.4-165100-Win.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  MsiExec.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  MsiExec.exe
Checks SCSI registry key(s) 3 TTPs 64 IoCs
SCSI information is often read in order to detect sandboxing environments.
Modifies data under HKEY_USERS 64 IoCs
Modifies registry class 64 IoCs
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid Process
3748 VirtualBox.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process
1540 msiexec.exe
1540 msiexec.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process
3748 VirtualBox.exe
Suspicious behavior: LoadsDriver 4 IoCs
pid Process
676 Process not Found
676 Process not Found
676 Process not Found
676 Process not Found
Suspicious use of AdjustPrivilegeToken 64 IoCs
Suspicious use of FindShellTrayWindow 3 IoCs
pid Process
1112 VirtualBox-7.1.4-165100-Win.exe
1112 VirtualBox-7.1.4-165100-Win.exe
3748 VirtualBox.exe
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process
328 LogonUI.exe
Suspicious use of WriteProcessMemory 22 IoCs
description pid Process procid_target
PID 1540 wrote to memory of 3684 1540 msiexec.exe 80
PID 1540 wrote to memory of 3684 1540 msiexec.exe 80
PID 1540 wrote to memory of 1224 1540 msiexec.exe 84
PID 1540 wrote to memory of 1224 1540 msiexec.exe 84
PID 1540 wrote to memory of 2612 1540 msiexec.exe 86
PID 1540 wrote to memory of 2612 1540 msiexec.exe 86
PID 1540 wrote to memory of 2932 1540 msiexec.exe 87
PID 1540 wrote to memory of 2932 1540 msiexec.exe 87
PID 1540 wrote to memory of 2932 1540 msiexec.exe 87
PID 1540 wrote to memory of 4960 1540 msiexec.exe 88
PID 1540 wrote to memory of 4960 1540 msiexec.exe 88
PID 2264 wrote to memory of 5100 2264 svchost.exe 90
PID 2264 wrote to memory of 5100 2264 svchost.exe 90
PID 1540 wrote to memory of 4348 1540 msiexec.exe 92
PID 1540 wrote to memory of 4348 1540 msiexec.exe 92
PID 1540 wrote to memory of 4348 1540 msiexec.exe 92
PID 2264 wrote to memory of 2348 2264 svchost.exe 94
PID 2264 wrote to memory of 2348 2264 svchost.exe 94
PID 2264 wrote to memory of 1252 2264 svchost.exe 95
PID 2264 wrote to memory of 1252 2264 svchost.exe 95
PID 1112 wrote to memory of 3748 1112 VirtualBox-7.1.4-165100-Win.exe 97
PID 1112 wrote to memory of 3748 1112 VirtualBox-7.1.4-165100-Win.exe 97
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
- C:\Users\Admin\AppData\Local\Temp\VirtualBox-7.1.4-165100-Win.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\VirtualBox-7.1.4-165100-Win.exe"
  PID: 1112
  - Enumerates connected drives
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  Child process: C:\Program Files\Oracle\VirtualBox\VirtualBox.exe
    Command line: "C:\Program Files\Oracle\VirtualBox\VirtualBox.exe"
    PID: 3748
    - Executes dropped EXE
    - Loads dropped DLL
    - Modifies registry class
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of FindShellTrayWindow

- C:\Windows\system32\msiexec.exe
  Command line: C:\Windows\system32\msiexec.exe /V
  PID: 1540
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  Child process: C:\Windows\System32\MsiExec.exe
    Command line: C:\Windows\System32\MsiExec.exe -Embedding 681D4CDDC02BF24C3B201F02262B994F C
    PID: 3684
    - Loads dropped DLL
  Child process: C:\Windows\system32\srtasks.exe
    Command line: C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
    PID: 1224
  Child process: C:\Windows\System32\MsiExec.exe
    Command line: C:\Windows\System32\MsiExec.exe -Embedding EA17B10AD8B5C54D3F1D95EAAF5761BA
    PID: 2612
    - Loads dropped DLL
  Child process: C:\Windows\syswow64\MsiExec.exe
    Command line: C:\Windows\syswow64\MsiExec.exe -Embedding E2C3F61558E84C01457E79B2B2FBF7D4
    PID: 2932
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
  Child process: C:\Windows\System32\MsiExec.exe
    Command line: C:\Windows\System32\MsiExec.exe -Embedding 16327EE46E5A20ACB5DC184CB2232656 E Global\MSI0000
    PID: 4960
    - Drops file in Drivers directory
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Loads dropped DLL
    - Checks SCSI registry key(s)
    - Modifies data under HKEY_USERS
  Child process: C:\Windows\syswow64\MsiExec.exe
    Command line: C:\Windows\syswow64\MsiExec.exe -Embedding 7E58CF94CFD58FBB2416682ACEE6B8BF M Global\MSI0000
    PID: 4348
    - System Location Discovery: System Language Discovery

- C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  PID: 4756
  - Checks SCSI registry key(s)

- C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k DcomLaunch -p -s DeviceInstall
  PID: 2264
  - Drops file in Windows directory
  - Checks SCSI registry key(s)
  - Suspicious use of WriteProcessMemory
  Child process: C:\Windows\system32\DrvInst.exe
    Command line: DrvInst.exe "4" "1" "C:\Program Files\Oracle\VirtualBox\drivers\USB\device\VBoxUSB.inf" "9" "48f6bcb47" "0000000000000150" "WinSta0\Default" "0000000000000160" "208" "C:\Program Files\Oracle\VirtualBox\drivers\USB\device"
    PID: 5100
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Checks SCSI registry key(s)
    - Modifies data under HKEY_USERS
  Child process: C:\Windows\system32\DrvInst.exe
    Command line: DrvInst.exe "4" "1" "C:\Program Files\Oracle\VirtualBox\drivers\network\netlwf\VBoxNetLwf.inf" "9" "431e52bcb" "0000000000000184" "WinSta0\Default" "0000000000000160" "208" "C:\Program Files\Oracle\VirtualBox\drivers\network\netlwf"
    PID: 2348
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Checks SCSI registry key(s)
    - Modifies data under HKEY_USERS
  Child process: C:\Windows\system32\DrvInst.exe
    Command line: DrvInst.exe "4" "1" "C:\Program Files\Oracle\VirtualBox\drivers\network\netadp6\VBoxNetAdp6.inf" "9" "473b17b7b" "0000000000000164" "WinSta0\Default" "000000000000015C" "208" "C:\Program Files\Oracle\VirtualBox\drivers\network\netadp6"
    PID: 1252
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Checks SCSI registry key(s)
    - Modifies data under HKEY_USERS

- C:\Program Files\Oracle\VirtualBox\VBoxSVC.exe
  Command line: "C:\Program Files\Oracle\VirtualBox\VBoxSVC.exe" -Embedding
  PID: 1880
  - Executes dropped EXE
  - Loads dropped DLL

- C:\Program Files\Oracle\VirtualBox\VBoxSDS.exe
  Command line: "C:\Program Files\Oracle\VirtualBox\VBoxSDS.exe"
  PID: 4700
  - Drops file in System32 directory
  - Executes dropped EXE
  - Loads dropped DLL

- C:\Windows\system32\LogonUI.exe
  Command line: "LogonUI.exe" /flags:0x4 /state0:0xa39e0055 /state1:0x41c64e6d
  PID: 328
  - Modifies data under HKEY_USERS
  - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads
149KB
MD5418322f7be2b68e88a93a048ac75a757
SHA109739792ff1c30f73dacafbe503630615922b561
SHA256ea5d4b4c7e7be1ce24a614ae1e31a58bcae6f1694dd8bfb735cf47d35a08d59b
SHA512253f62f5ce75df3e9ac3c62e2f06f30c7c6de6280fbfc830cdd15bf29cb8ee9ed878212f6df5d0ac6a5c9be0e6259f900eccee472a890f15dd3ff1f84958aeef
-
Filesize
107KB
MD53eff05398c8ce17428812667f97ba2c9
SHA1ffc5e4ead3dd13c9230183cf702666e9c7cacbc8
SHA2565b028183644b3b44fa860a4378521e012ef976f8bbae96c2d43aeda01b9e57f8
SHA5128899e16aa3f5c06db070cbc40511afcd6862ebc15cc74f73e4a2083452fe38bc5b36742f8d6a8d6471211769af6ce3c42ea00ea3bd9d56427b178092ac5770dc
-
Filesize
107KB
MD594337eb634b6569ccc3aa521c9e4708f
SHA17bae5e098f7a5ff82370bf5be0291a7bdf7aac23
SHA2563ca9645459356cc4d58c50589df454d5998630116cf3a144036bbb04009b00fe
SHA512b6c5b0764cbbbb2ea2b6de0034e0daa422da5a45bc705c033792f2ed896f381e7aa47b072d1d85e08704e5565a9b54e2112c0f55991dbe7a175814e855e26620
-
Filesize
11KB
MD55d3b6f1bf4205e0f41aa7ab4f0d1e954
SHA1c5343a49ba2c8496de6a10c1ef13c4f45bc5aa7f
SHA2566573b7f11080594cee694c545edbecaf2f577ddd996c3d1d6f5304847bd45a6d
SHA51247190629218759c840e37f6b283bba8154c8fab6e8bee16b1f088848038cbe42dcb23fde6615d5e2d8b5e27a0c1f75377e76fd1b8147624f6293c8cb7a5f9acf
-
Filesize
3KB
MD539d54baf75931606454607628b8cfd56
SHA10c0af5bcb13fa4f9303adcaa5e1bd863850d696b
SHA256c96d4504e9fa5a7cbafbe01b3a436848b7ea8c95690a533ac7d4453b5ebd17db
SHA5123dac9f6f911e2a1daf1b04ff6ea2f1e23cc78fa53e67d4fdd26e641e290921f5da9bf9c4f6442eaf418bdcd4d3a9f1dc5fe558c4b3d34db7773ae451ece3b66b
-
Filesize
240KB
MD583e6380b648c6fa9659094bce716d9ba
SHA1a8a97d3dcba0792644c29f04b832ddd4ffb0e35a
SHA2567786fa5fde0234b77fd4fbc131857fac471b1dafd42ccf6f38b3012da3b8098d
SHA512251613f93fb624da3c6daa30ca3b1ff80351c421639b3ee034898bcfa8dfc32c04af1370d0e470aa11c20dc64eaa8ea142bc31e544fbb358272efd2316ff73f6
-
Filesize
11KB
MD5c0261377e9c8115d9e67db2dcfe1143c
SHA1115916d3fd1ca02bd1fbb5db9c846f0a9ac9f3d5
SHA256c47acf6981dfc65fb25166e3df07fdcfc55c4eeddb79e3b8d1a066ed2596334a
SHA512348d638710b14fdf509009d6e8bd7e0576bf3ce9144dbfd07b95c773653860284a0c2e1b8d5ffdacf097bf4328082a79fa457e1eeb65c4752b840ab17346236f
-
Filesize
4KB
MD5351856254220eb250d62f4547e9aeb96
SHA1c7a72d9f7b783ba54b5d8839279dfcba689a7c11
SHA256c62c8264b3add792c706a4e76b643fe969b69ec902651b5d31974c42a026e619
SHA5124e6bc35063cb16c602dc4c6080c8ca8b48dedce63d01db7efe7576e24a82127ddfd4ae00f052a81e4779d517045e8477ec61a7cf71c378fbe491aec54504c2e6
-
Filesize
250KB
MD568c5f8884313e9c5ad1d54fd7181f140
SHA140e747ce98f899fb8beb31dacc2cb261092ad6cc
SHA256de4a67670417fe97e0207d40f38317104548d4ee77bbbf50f269dfc8ef655a9c
SHA5126433586185dd5d07ab9cf7141d64a55a33fea3872e6b2616ae0dd8e75820fd0eac7593cff39fd6262dc0b1c779c8c3a8a7bdbdde2b95e9e1aa74d3613419ee7b
-
Filesize
107KB
MD5318b7c48d02a11054264f9d017c22ca3
SHA1369495c45bffbc205a795cf6c7e86bf42c604524
SHA2568e26a598819568c146546a15d463cbfe3e78afaccb1cc1f66610ea9335143199
SHA5128a92c992f5bf2c2c402002306386c86a4411d4e3c32a04e6b6bcedc14026e9f4ace18aef7183df758f70f0a1ebe425869d0e52698b415cf582c7b282677ab733
-
Filesize
24.6MB
MD5733b842913fb6b20c5b2b86c61a7d666
SHA1a00c089e9efaf4c744e91e8aecbfb4dd277fd913
SHA256dd4db30762240a01ddccf7c8777afabef5f61fa564fca48b2742686285fd2da7
SHA51255c091d79f8751fdbeb75dee592f620abe6f0c5b5719b318946ccdda89b79bf70cf23dda7057246cf751a301516d3d8e461b13bd306e6921309be7c5343555d6
-
\??\Volume{4627e397-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{29647298-cdd3-4f3d-80fc-380652cc15b5}_OnDiskSnapshotProp
Filesize6KB
MD547a974bc551163b6a3dc036f6f83212d
SHA10fc57684c9799d222b30114b8c17696efeb8ba21
SHA2568151ab8f03dd662c759a06a851730bd44d34988430a376327329088880f9440a
SHA512cea98a8fdb3da65ffecbc2353167abb47d043d738486f8c51991348bff60a3335ee8f4eee55985d6455a8c95f6ff1d73fff664f5ac0212459e01079cd6a9ad47