Analysis
max time kernel: 58s
max time network: 59s
platform: windows7_x64
resource: win7-20241010-en
resource tags: arch:x64 arch:x86 image:win7-20241010-en locale:en-us os:windows7-x64 system
submitted: 28-01-2025 13:04

Static task: static1
Behavioral task: behavioral1
  Sample: VirtualBox-7.1.6-167084-Win.exe
  Resource: win7-20241010-en
Behavioral task: behavioral2
  Sample: VirtualBox-7.1.6-167084-Win.exe
  Resource: win10v2004-20241007-en
General
Target: VirtualBox-7.1.6-167084-Win.exe
Size: 117.3MB
MD5: 8addd310d09249bc176c9c891aae41cb
SHA1: 81212ad29642b2b261df42d25ccd23fe715914d1
SHA256: 35c42c98b784974a965c358a9bda63b6cb4edde80db83f87daa2fee83e6cfad6
SHA512: b6126211ade8b38215ea70692af8cff5e47cb922484a3f08e377edf01a4a1d9b865772f4703d6914d779faba95eb46f16266e6f05411efba4691bc6f411d1d77
SSDEEP: 3145728:Zqar23mGGWtNN/fdSqyI/LUs5DuFsdOKtVeBi4g:82GGOFfAqyI/7FdUAT
Malware Config
(none)

Signatures
Drops file in Drivers directory 6 IoCs
description | ioc | Process
File opened for modification | C:\Windows\system32\DRIVERS\VBoxNetAdp6.sys | MsiExec.exe
File opened for modification | C:\Windows\system32\DRIVERS\SET187.tmp | MsiExec.exe
File created | C:\Windows\system32\DRIVERS\SET187.tmp | MsiExec.exe
File opened for modification | C:\Windows\system32\DRIVERS\VBoxNetLwf.sys | MsiExec.exe
File opened for modification | C:\Windows\system32\DRIVERS\SETE35.tmp | MsiExec.exe
File created | C:\Windows\system32\DRIVERS\SETE35.tmp | MsiExec.exe
Manipulates Digital Signatures 1 TTPs 1 IoCs
Attackers can apply techniques such as changing the Authenticode and cryptography registry keys so that their binary is treated as validly signed.
description | ioc | Process
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\CD7BE0F00F2A5EE102C3037E098AF3F457D3B1AB\Blob = (certificate blob value not captured) | DrvInst.exe
Enumerates connected drives 3 TTPs 46 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Drops file in System32 directory 47 IoCs
Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
Drops file in Program Files directory 64 IoCs
Drops file in Windows directory 38 IoCs
Executes dropped EXE 1 IoCs
pid | Process
2004 | VirtualBox.exe
Loads dropped DLL 28 IoCs
pid | Process
3068 MsiExec.exe, 3068 MsiExec.exe, 3068 MsiExec.exe, 3068 MsiExec.exe, 3068 MsiExec.exe, 3068 MsiExec.exe, 956 MsiExec.exe, 956 MsiExec.exe, 956 MsiExec.exe, 956 MsiExec.exe, 1496 MsiExec.exe, 956 MsiExec.exe, 916 MsiExec.exe, 916 MsiExec.exe, 1196 Process not Found, 1196 Process not Found, 1196 Process not Found, 1196 Process not Found, 916 MsiExec.exe, 916 MsiExec.exe, 916 MsiExec.exe, 1196 Process not Found, 956 MsiExec.exe, 1196 Process not Found, 1196 Process not Found, 2004 VirtualBox.exe, 2004 VirtualBox.exe, 2004 VirtualBox.exe
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | VirtualBox-7.1.6-167084-Win.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | MsiExec.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | MsiExec.exe
Modifies data under HKEY_USERS 64 IoCs
Modifies registry class 64 IoCs
Modifies system certificate store 2 TTPs 4 IoCs
description ioc Process
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = (blob omitted) VirtualBox-7.1.6-167084-Win.exe
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = (blob omitted) VirtualBox-7.1.6-167084-Win.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43 VirtualBox-7.1.6-167084-Win.exe
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = (blob omitted) VirtualBox-7.1.6-167084-Win.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process
332 msiexec.exe
332 msiexec.exe
Suspicious behavior: LoadsDriver 1 IoCs
pid Process
476 Process not Found
Suspicious use of AdjustPrivilegeToken 64 IoCs
Suspicious use of FindShellTrayWindow 3 IoCs
pid Process
2812 VirtualBox-7.1.6-167084-Win.exe
2812 VirtualBox-7.1.6-167084-Win.exe
2812 VirtualBox-7.1.6-167084-Win.exe
Suspicious use of WriteProcessMemory 35 IoCs
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes

C:\Users\Admin\AppData\Local\Temp\VirtualBox-7.1.6-167084-Win.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\VirtualBox-7.1.6-167084-Win.exe"
- Enumerates connected drives
- System Location Discovery: System Language Discovery
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID: 2812

C:\Windows\system32\msiexec.exe
Command line: C:\Windows\system32\msiexec.exe /V
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 332

    Child process: C:\Windows\system32\MsiExec.exe
    Command line: C:\Windows\system32\MsiExec.exe -Embedding AD8E4750C429AD15A8202757C238F51C C
    - Loads dropped DLL
    PID: 3068

    Child process: C:\Windows\system32\MsiExec.exe
    Command line: C:\Windows\system32\MsiExec.exe -Embedding 2EFC1591F15EB4222735DFB538F31781
    - Drops file in Windows directory
    - Loads dropped DLL
    PID: 956

    Child process: C:\Windows\syswow64\MsiExec.exe
    Command line: C:\Windows\syswow64\MsiExec.exe -Embedding C7C08603B2CFC1A359A7411968C80EA7
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID: 1496

    Child process: C:\Windows\system32\MsiExec.exe
    Command line: C:\Windows\system32\MsiExec.exe -Embedding B63C0063D03BA1CB8112C9B7DF76D41B M Global\MSI0000
    - Drops file in Drivers directory
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Loads dropped DLL
    - Modifies data under HKEY_USERS
    PID: 916

    Child process: C:\Windows\syswow64\MsiExec.exe
    Command line: C:\Windows\syswow64\MsiExec.exe -Embedding 3129460481D0DA7DFE5652FC035872DB M Global\MSI0000
    - System Location Discovery: System Language Discovery
    PID: 1588

C:\Windows\system32\vssvc.exe
Command line: C:\Windows\system32\vssvc.exe
PID: 2924

C:\Windows\system32\DrvInst.exe
Command line: DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000005D4" "0000000000000548"
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID: 1572

C:\Windows\system32\DrvInst.exe
Command line: DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{4b558dd9-e9a1-3b98-5288-4b7aad351407}\VBoxNetLwf.inf" "9" "631e52bcb" "000000000000005C" "WinSta0\Default" "00000000000003CC" "208" "C:\Program Files\Oracle\VirtualBox\drivers\network\netlwf"
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID: 2528

    Child process: C:\Windows\system32\rundll32.exe
    Command line: rundll32.exe C:\Windows\system32\pnpui.dll,InstallSecurityPromptRunDllW 20 Global\{018a55d1-1abe-5f86-6b54-913337e3934c} Global\{3df9272d-ea42-13b1-6f52-0d1a7b638a33} C:\Windows\System32\DriverStore\Temp\{647495af-4458-0d4a-fb6f-1a7176768d23}\VBoxNetLwf.inf C:\Windows\System32\DriverStore\Temp\{647495af-4458-0d4a-fb6f-1a7176768d23}\VBoxNetLwf.cat
    - Modifies data under HKEY_USERS
    PID: 2172

C:\Windows\system32\DrvInst.exe
Command line: DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{7d0fd49e-2e5d-2c22-8fac-0a2638ff9c5f}\VBoxNetAdp6.inf" "9" "673b17b7b" "000000000000005C" "WinSta0\Default" "00000000000003D0" "208" "C:\Program Files\Oracle\VirtualBox\drivers\network\netadp6"
- Manipulates Digital Signatures
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID: 2452

    Child process: C:\Windows\system32\rundll32.exe
    Command line: rundll32.exe C:\Windows\system32\pnpui.dll,InstallSecurityPromptRunDllW 20 Global\{1d713689-7789-11f5-aba5-9627052bb633} Global\{1bd682de-379b-4abd-644a-f62f0244671f} C:\Windows\System32\DriverStore\Temp\{39a39c25-b60b-36e7-df89-aa4172f98071}\VBoxNetAdp6.inf C:\Windows\System32\DriverStore\Temp\{39a39c25-b60b-36e7-df89-aa4172f98071}\VBoxNetAdp6.cat
    - Modifies data under HKEY_USERS
    PID: 2304

C:\Windows\system32\DrvInst.exe
Command line: DrvInst.exe "4" "8" "C:\Users\Admin\AppData\Local\Temp\{7f672b6f-26a5-3118-5801-de7acb7fa962}\VBoxSup.inf" "9" "6edacf3f3" "00000000000005E8" "WinSta0\Default" "00000000000003CC" "208" "C:\Program Files\Oracle\VirtualBox\drivers\vboxsup"
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID: 1104

C:\Program Files\Oracle\VirtualBox\VirtualBox.exe
Command line: "C:\Program Files\Oracle\VirtualBox\VirtualBox.exe"
- Executes dropped EXE
- Loads dropped DLL
PID: 2004
Network
MITRE ATT&CK Enterprise v15
Defense Evasion
Modify Registry 1
Subvert Trust Controls 2
Install Root Certificate 1
SIP and Trust Provider Hijacking 1
Downloads