Resubmissions

05-02-2025 14:45

250205-r4w5kssngm 8

28-01-2025 13:04

250128-qa9cdayrhw 8

Analysis

  • max time kernel
    68s
  • max time network
    68s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    28-01-2025 13:04

General

  • Target

    VirtualBox-7.1.6-167084-Win.exe

  • Size

    117.3MB

  • MD5

    8addd310d09249bc176c9c891aae41cb

  • SHA1

    81212ad29642b2b261df42d25ccd23fe715914d1

  • SHA256

    35c42c98b784974a965c358a9bda63b6cb4edde80db83f87daa2fee83e6cfad6

  • SHA512

    b6126211ade8b38215ea70692af8cff5e47cb922484a3f08e377edf01a4a1d9b865772f4703d6914d779faba95eb46f16266e6f05411efba4691bc6f411d1d77

  • SSDEEP

    3145728:Zqar23mGGWtNN/fdSqyI/LUs5DuFsdOKtVeBi4g:82GGOFfAqyI/7FdUAT

Malware Config

Signatures

  • Drops file in Drivers directory 18 IoCs
  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory 64 IoCs
  • Event Triggered Execution: Component Object Model Hijacking 1 TTPs

    Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 50 IoCs
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 39 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Checks SCSI registry key(s) 3 TTPs 64 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Modifies data under HKEY_USERS 64 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: LoadsDriver 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 4 IoCs
  • Suspicious use of WriteProcessMemory 30 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\VirtualBox-7.1.6-167084-Win.exe
    "C:\Users\Admin\AppData\Local\Temp\VirtualBox-7.1.6-167084-Win.exe"
    1⤵
    • Enumerates connected drives
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of WriteProcessMemory
    PID:5048
    • C:\Program Files\Oracle\VirtualBox\VirtualBox.exe
      "C:\Program Files\Oracle\VirtualBox\VirtualBox.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Modifies registry class
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of FindShellTrayWindow
      PID:2700
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Modifies data under HKEY_USERS
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3748
    • C:\Windows\System32\MsiExec.exe
      C:\Windows\System32\MsiExec.exe -Embedding 36094A64B8980C5A5541C49362189881 C
      2⤵
      • Loads dropped DLL
      PID:4816
    • C:\Windows\system32\srtasks.exe
      C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
      2⤵
      PID:4660
    • C:\Windows\System32\MsiExec.exe
      C:\Windows\System32\MsiExec.exe -Embedding A6746E8CA695DD934E6101124A96DE2C
      2⤵
      • Drops file in Drivers directory
      • Drops file in Windows directory
      • Loads dropped DLL
      • Checks SCSI registry key(s)
      PID:4328
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding A4E2A94B3DEB2D6C4F0BCBFE68334AC6
      2⤵
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      PID:1088
    • C:\Windows\System32\MsiExec.exe
      C:\Windows\System32\MsiExec.exe -Embedding 17A1A4020F4AD435A5E83B1C6F24C617 E Global\MSI0000
      2⤵
      • Drops file in Drivers directory
      • Drops file in System32 directory
      • Drops file in Windows directory
      • Loads dropped DLL
      • Checks SCSI registry key(s)
      PID:1416
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding B8691181864A68886B4C148ED926192F M Global\MSI0000
      2⤵
      • System Location Discovery: System Language Discovery
      PID:1640
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Checks SCSI registry key(s)
    PID:5100
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch -p -s DeviceInstall
    1⤵
    • Drops file in Windows directory
    • Checks SCSI registry key(s)
    • Suspicious use of WriteProcessMemory
    PID:4408
    • C:\Windows\system32\DrvInst.exe
      DrvInst.exe "4" "1" "C:\Program Files\Oracle\VirtualBox\drivers\network\netlwf\VBoxNetLwf.inf" "9" "431e52bcb" "0000000000000148" "WinSta0\Default" "0000000000000158" "208" "C:\Program Files\Oracle\VirtualBox\drivers\network\netlwf"
      2⤵
      • Drops file in System32 directory
      • Drops file in Windows directory
      • Checks SCSI registry key(s)
      • Modifies data under HKEY_USERS
      PID:2260
    • C:\Windows\system32\DrvInst.exe
      DrvInst.exe "4" "1" "C:\Program Files\Oracle\VirtualBox\drivers\network\netadp6\VBoxNetAdp6.inf" "9" "473b17b7b" "0000000000000158" "WinSta0\Default" "000000000000015C" "208" "C:\Program Files\Oracle\VirtualBox\drivers\network\netadp6"
      2⤵
      • Drops file in System32 directory
      • Drops file in Windows directory
      • Checks SCSI registry key(s)
      • Modifies data under HKEY_USERS
      PID:920
    • C:\Windows\system32\DrvInst.exe
      DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{265f4dbb-fe25-9146-a1d3-16db5f3121de}\VBoxSup.inf" "9" "4edacf3f3" "0000000000000154" "WinSta0\Default" "0000000000000148" "208" "C:\Program Files\Oracle\VirtualBox\drivers\vboxsup"
      2⤵
      • Drops file in System32 directory
      • Drops file in Windows directory
      • Checks SCSI registry key(s)
      • Modifies data under HKEY_USERS
      PID:4852
    • C:\Windows\system32\DrvInst.exe
      DrvInst.exe "8" "14" "C:\Windows\System32\DriverStore\FileRepository\vboxsup.inf_amd64_51feefe6fa2584ec\vboxsup.inf" "0" "4edacf3f3" "0000000000000148" "WinSta0\Default"
      2⤵
      • Drops file in Drivers directory
      • Drops file in Windows directory
      PID:4040
    • C:\Windows\system32\DrvInst.exe
      DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{fb4e004b-c39b-584c-a403-e3144697110f}\VBoxUSB.inf" "9" "4f05f54f7" "0000000000000170" "WinSta0\Default" "000000000000015C" "208" "C:\Program Files\Oracle\VirtualBox\drivers\USB\device"
      2⤵
      • Drops file in System32 directory
      • Drops file in Windows directory
      • Checks SCSI registry key(s)
      • Modifies data under HKEY_USERS
      PID:4584
    • C:\Windows\system32\DrvInst.exe
      DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{53c2b02e-d29e-7f45-9a01-92999f06771a}\VBoxUSBMon.inf" "9" "4e4e9030b" "000000000000015C" "WinSta0\Default" "0000000000000164" "208" "C:\Program Files\Oracle\VirtualBox\drivers\USB\filter"
      2⤵
      • Drops file in System32 directory
      • Drops file in Windows directory
      • Checks SCSI registry key(s)
      • Modifies data under HKEY_USERS
      PID:1860
    • C:\Windows\system32\DrvInst.exe
      DrvInst.exe "8" "14" "C:\Windows\System32\DriverStore\FileRepository\vboxusbmon.inf_amd64_92b271dae027ffef\vboxusbmon.inf" "0" "4e4e9030b" "0000000000000164" "WinSta0\Default"
      2⤵
      • Drops file in Drivers directory
      • Drops file in Windows directory
      PID:3644
  • C:\Program Files\Oracle\VirtualBox\VBoxSVC.exe
    "C:\Program Files\Oracle\VirtualBox\VBoxSVC.exe" -Embedding
    1⤵
    • Executes dropped EXE
    • Loads dropped DLL
    PID:4404
  • C:\Program Files\Oracle\VirtualBox\VBoxSDS.exe
    "C:\Program Files\Oracle\VirtualBox\VBoxSDS.exe"
    1⤵
    • Executes dropped EXE
    • Loads dropped DLL
    PID:4168

Network

MITRE ATT&CK Enterprise v15

Downloads
