Analysis
max time kernel: 68s
max time network: 68s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 28-01-2025 13:04
Static task: static1
Behavioral task: behavioral1
  Sample: VirtualBox-7.1.6-167084-Win.exe
  Resource: win7-20241010-en
Behavioral task: behavioral2
  Sample: VirtualBox-7.1.6-167084-Win.exe
  Resource: win10v2004-20241007-en
General
Target: VirtualBox-7.1.6-167084-Win.exe
Size: 117.3MB
MD5: 8addd310d09249bc176c9c891aae41cb
SHA1: 81212ad29642b2b261df42d25ccd23fe715914d1
SHA256: 35c42c98b784974a965c358a9bda63b6cb4edde80db83f87daa2fee83e6cfad6
SHA512: b6126211ade8b38215ea70692af8cff5e47cb922484a3f08e377edf01a4a1d9b865772f4703d6914d779faba95eb46f16266e6f05411efba4691bc6f411d1d77
SSDEEP: 3145728:Zqar23mGGWtNN/fdSqyI/LUs5DuFsdOKtVeBi4g:82GGOFfAqyI/7FdUAT
Malware Config

Signatures
Drops file in Drivers directory (18 IoCs)
Enumerates connected drives (3 TTPs, 46 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Drops file in System32 directory (64 IoCs)
Event Triggered Execution: Component Object Model Hijacking (1 TTPs)
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
Drops file in Program Files directory (64 IoCs)
Drops file in Windows directory (50 IoCs)
Executes dropped EXE (3 IoCs)
pid   Process
2700  VirtualBox.exe
4404  VBoxSVC.exe
4168  VBoxSDS.exe
Loads dropped DLL (39 IoCs)
System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description   ioc                                                            Process
Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   VirtualBox-7.1.6-167084-Win.exe
Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   MsiExec.exe
Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   MsiExec.exe
Checks SCSI registry key(s) (3 TTPs, 64 IoCs)
SCSI information is often read in order to detect sandboxing environments.
Modifies data under HKEY_USERS 64 IoCs
Modifies registry class 64 IoCs
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid Process
2700 VirtualBox.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process
3748 msiexec.exe
3748 msiexec.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process
2700 VirtualBox.exe
Suspicious behavior: LoadsDriver 2 IoCs
pid Process
660 Process not Found
660 Process not Found
Suspicious use of AdjustPrivilegeToken 64 IoCs
Suspicious use of FindShellTrayWindow 4 IoCs
pid Process
5048 VirtualBox-7.1.6-167084-Win.exe
5048 VirtualBox-7.1.6-167084-Win.exe
2700 VirtualBox.exe
2700 VirtualBox.exe
Suspicious use of WriteProcessMemory 30 IoCs
description pid Process procid_target
PID 3748 wrote to memory of 4816 3748 msiexec.exe 84
PID 3748 wrote to memory of 4816 3748 msiexec.exe 84
PID 3748 wrote to memory of 4660 3748 msiexec.exe 97
PID 3748 wrote to memory of 4660 3748 msiexec.exe 97
PID 3748 wrote to memory of 4328 3748 msiexec.exe 99
PID 3748 wrote to memory of 4328 3748 msiexec.exe 99
PID 3748 wrote to memory of 1088 3748 msiexec.exe 101
PID 3748 wrote to memory of 1088 3748 msiexec.exe 101
PID 3748 wrote to memory of 1088 3748 msiexec.exe 101
PID 3748 wrote to memory of 1416 3748 msiexec.exe 102
PID 3748 wrote to memory of 1416 3748 msiexec.exe 102
PID 3748 wrote to memory of 1640 3748 msiexec.exe 104
PID 3748 wrote to memory of 1640 3748 msiexec.exe 104
PID 3748 wrote to memory of 1640 3748 msiexec.exe 104
PID 4408 wrote to memory of 2260 4408 svchost.exe 107
PID 4408 wrote to memory of 2260 4408 svchost.exe 107
PID 4408 wrote to memory of 920 4408 svchost.exe 108
PID 4408 wrote to memory of 920 4408 svchost.exe 108
PID 4408 wrote to memory of 4852 4408 svchost.exe 109
PID 4408 wrote to memory of 4852 4408 svchost.exe 109
PID 4408 wrote to memory of 4040 4408 svchost.exe 110
PID 4408 wrote to memory of 4040 4408 svchost.exe 110
PID 4408 wrote to memory of 4584 4408 svchost.exe 111
PID 4408 wrote to memory of 4584 4408 svchost.exe 111
PID 4408 wrote to memory of 1860 4408 svchost.exe 112
PID 4408 wrote to memory of 1860 4408 svchost.exe 112
PID 4408 wrote to memory of 3644 4408 svchost.exe 113
PID 4408 wrote to memory of 3644 4408 svchost.exe 113
PID 5048 wrote to memory of 2700 5048 VirtualBox-7.1.6-167084-Win.exe 114
PID 5048 wrote to memory of 2700 5048 VirtualBox-7.1.6-167084-Win.exe 114
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes

C:\Users\Admin\AppData\Local\Temp\VirtualBox-7.1.6-167084-Win.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\VirtualBox-7.1.6-167084-Win.exe"
  PID: 5048
  - Enumerates connected drives
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory

  C:\Program Files\Oracle\VirtualBox\VirtualBox.exe
    Command line: "C:\Program Files\Oracle\VirtualBox\VirtualBox.exe"
    PID: 2700
    - Executes dropped EXE
    - Loads dropped DLL
    - Modifies registry class
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of FindShellTrayWindow

C:\Windows\system32\msiexec.exe
  Command line: C:\Windows\system32\msiexec.exe /V
  PID: 3748
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\System32\MsiExec.exe
    Command line: C:\Windows\System32\MsiExec.exe -Embedding 36094A64B8980C5A5541C49362189881 C
    PID: 4816
    - Loads dropped DLL

  C:\Windows\system32\srtasks.exe
    Command line: C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
    PID: 4660

  C:\Windows\System32\MsiExec.exe
    Command line: C:\Windows\System32\MsiExec.exe -Embedding A6746E8CA695DD934E6101124A96DE2C
    PID: 4328
    - Drops file in Drivers directory
    - Drops file in Windows directory
    - Loads dropped DLL
    - Checks SCSI registry key(s)

  C:\Windows\syswow64\MsiExec.exe
    Command line: C:\Windows\syswow64\MsiExec.exe -Embedding A4E2A94B3DEB2D6C4F0BCBFE68334AC6
    PID: 1088
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery

  C:\Windows\System32\MsiExec.exe
    Command line: C:\Windows\System32\MsiExec.exe -Embedding 17A1A4020F4AD435A5E83B1C6F24C617 E Global\MSI0000
    PID: 1416
    - Drops file in Drivers directory
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Loads dropped DLL
    - Checks SCSI registry key(s)

  C:\Windows\syswow64\MsiExec.exe
    Command line: C:\Windows\syswow64\MsiExec.exe -Embedding B8691181864A68886B4C148ED926192F M Global\MSI0000
    PID: 1640
    - System Location Discovery: System Language Discovery

C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  PID: 5100
  - Checks SCSI registry key(s)

C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k DcomLaunch -p -s DeviceInstall
  PID: 4408
  - Drops file in Windows directory
  - Checks SCSI registry key(s)
  - Suspicious use of WriteProcessMemory

  C:\Windows\system32\DrvInst.exe
    Command line: DrvInst.exe "4" "1" "C:\Program Files\Oracle\VirtualBox\drivers\network\netlwf\VBoxNetLwf.inf" "9" "431e52bcb" "0000000000000148" "WinSta0\Default" "0000000000000158" "208" "C:\Program Files\Oracle\VirtualBox\drivers\network\netlwf"
    PID: 2260
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Checks SCSI registry key(s)
    - Modifies data under HKEY_USERS

  C:\Windows\system32\DrvInst.exe
    Command line: DrvInst.exe "4" "1" "C:\Program Files\Oracle\VirtualBox\drivers\network\netadp6\VBoxNetAdp6.inf" "9" "473b17b7b" "0000000000000158" "WinSta0\Default" "000000000000015C" "208" "C:\Program Files\Oracle\VirtualBox\drivers\network\netadp6"
    PID: 920
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Checks SCSI registry key(s)
    - Modifies data under HKEY_USERS

  C:\Windows\system32\DrvInst.exe
    Command line: DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{265f4dbb-fe25-9146-a1d3-16db5f3121de}\VBoxSup.inf" "9" "4edacf3f3" "0000000000000154" "WinSta0\Default" "0000000000000148" "208" "C:\Program Files\Oracle\VirtualBox\drivers\vboxsup"
    PID: 4852
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Checks SCSI registry key(s)
    - Modifies data under HKEY_USERS

  C:\Windows\system32\DrvInst.exe
    Command line: DrvInst.exe "8" "14" "C:\Windows\System32\DriverStore\FileRepository\vboxsup.inf_amd64_51feefe6fa2584ec\vboxsup.inf" "0" "4edacf3f3" "0000000000000148" "WinSta0\Default"
    PID: 4040
    - Drops file in Drivers directory
    - Drops file in Windows directory

  C:\Windows\system32\DrvInst.exe
    Command line: DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{fb4e004b-c39b-584c-a403-e3144697110f}\VBoxUSB.inf" "9" "4f05f54f7" "0000000000000170" "WinSta0\Default" "000000000000015C" "208" "C:\Program Files\Oracle\VirtualBox\drivers\USB\device"
    PID: 4584
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Checks SCSI registry key(s)
    - Modifies data under HKEY_USERS

  C:\Windows\system32\DrvInst.exe
    Command line: DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{53c2b02e-d29e-7f45-9a01-92999f06771a}\VBoxUSBMon.inf" "9" "4e4e9030b" "000000000000015C" "WinSta0\Default" "0000000000000164" "208" "C:\Program Files\Oracle\VirtualBox\drivers\USB\filter"
    PID: 1860
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Checks SCSI registry key(s)
    - Modifies data under HKEY_USERS

  C:\Windows\system32\DrvInst.exe
    Command line: DrvInst.exe "8" "14" "C:\Windows\System32\DriverStore\FileRepository\vboxusbmon.inf_amd64_92b271dae027ffef\vboxusbmon.inf" "0" "4e4e9030b" "0000000000000164" "WinSta0\Default"
    PID: 3644
    - Drops file in Drivers directory
    - Drops file in Windows directory

C:\Program Files\Oracle\VirtualBox\VBoxSVC.exe
  Command line: "C:\Program Files\Oracle\VirtualBox\VBoxSVC.exe" -Embedding
  PID: 4404
  - Executes dropped EXE
  - Loads dropped DLL

C:\Program Files\Oracle\VirtualBox\VBoxSDS.exe
  Command line: "C:\Program Files\Oracle\VirtualBox\VBoxSDS.exe"
  PID: 4168
  - Executes dropped EXE
  - Loads dropped DLL
Network
MITRE ATT&CK Enterprise v15
Downloads
SHA512de4e2b69123b5498e3197d745dbc6faa291e6b71f341c5ca156f2bf7d9fe0165e82383272675b93930fffb71b12ab54a215e6cc917d8b980c714d0b93c8fae5d
-
Filesize
476KB
MD539f6c48493b5225bae95cdb52c8bf69d
SHA1f54e11158d71068dc61f2c3c2a9db471ecdfcadd
SHA25655dcfb4404fd2a7ce72dabc23d856f7529f7ed4359e1af19eca2619c2bf840cd
SHA5120c5a07e45ba250e253e5ec3fb87c191e9de46027ee1f8ff5fae4be0a4c0e8a7aac48f64d6fb12dfbdd1b77ee93b5c6740e36a5a90e6ff817dd5f18e3fe3bdd6b
-
Filesize
5KB
MD5e2bb627ce015242a790dcc63e90f8ad2
SHA178b2970b012c109d8617c3d70291a531e6948499
SHA256793c311185d52b1587e3e8525f850e71fa1022c9da27aeb4c9fd6782a013596e
SHA512fa7470dac8f6451d06331e4d8337c8c012e1223be43ece9488ea91383a785efb065ed17a19ec73b9e4e3a456a4a1110026c7cc9bb934f5687c1f38f951b6107c
-
Filesize
5KB
MD5e4397a69f1eb44a8548d7eed5de72ab1
SHA1d9ec163be1a02673b7081bcad62b838f8f42ab4b
SHA256de35319b8c48124a31977d4a6be55a9f64d863789530bea12d38e4c8390820ee
SHA51267c0a0ad9232a92def28112b9d8a763402a8218934f27f3cf2c54583aaa87e62d997f57a617807363a3ba542846ebfff0d1e4e6dbbb5fca49cc76dd3239dd18a
-
Filesize
6KB
MD5b34df29f524aa0e4aa6b626b771fea1d
SHA11f7aca39b966d95b5053ddbfc746dd8442e92397
SHA2565ee3deb0c51d1b61b28a82d10fcbb7391e7fce12fc41e44a1d918dfb0642e0f3
SHA5120c6311d2f874a051fd1fcb62a5474d51ac400ab260dabacaec0da6f57ccf254c9d0821e51927327a2cf535307ce2bea60ecae7ced6cba0264ce4a327a49fb143
-
Filesize
9KB
MD5295b859d06c96ce8ed843b8b75856cb9
SHA1fdaa39af05630f990eeaecc930887f0cb9fb4608
SHA25678884d68752eefe42cfab2f9070e120bbbab54bc852c0324a9471cf5c6d6e641
SHA5129eede10e90b8f158cca739d6851976aa5ac27dbf504f466e0ad716bafd5433b5f13abe9d0bdffc22365df35f026bef0037ad7111c9e9e39487aef392f50dc017
-
Filesize
330KB
MD5ac831c25bc16a05ee60aea5d79517434
SHA14946133e7fac34315a0ccaa30ca8ad383d5f0140
SHA256947f8fd98efb1986df32a9c179eccf720376721798cc15d4cf9e31cdb8324869
SHA51272f625386a7af35b58bdb70f35b8a29cd06c091f04e4cc2f9c7ec1c1ec194e4fb120b5528b55ed589c9daa890c1bdf8762dce1e17dd69a77ec7a002d2685ba5b
-
Filesize
37KB
MD5be90e44918ec7f86defdcc4ead5a21f3
SHA1d4f6d7c4ddc72b74f13298648cf13ff5c1b3e928
SHA256b5be907f98c4949abb9a79d97a9d3e6f3f006b2fbdc950e759310c9a960d8f10
SHA5123598086585e9389aa9d5d9b093abe215b643a9be96f6dea0434f5993ed4d8fbc0afde46723293b84304ca2315e42d6c96e3e6c2024892fcd261bfafbd479276a
-
Filesize
11KB
MD5a707e21804161083d77a12b91d3059f9
SHA12bb2e03cf8b024133bb501b769ec128d24f49194
SHA2562969d9aa44c08db04529ec043d9a8c9e47b68ece7aa51ab6cb78f1c514c9e843
SHA5129233a827cadec4ec8b44b0b5ed3526f2f45391f07a15256d9f68f943378079311893257532fe6e1bdfeacc2014d8f110f33f1db199aad9bf4573ac0794587da3
-
Filesize
2KB
MD57ad88778968e6768a71bf7dd65444c3c
SHA1ec753a59e7c6482e8bb1e72e9c5b5424092c26d8
SHA256db8c675f4a9837eadf86654d586f2afd2d44e31be12f5c5cec2754d424ebb6e0
SHA5122339e015305d601077ea17e3bd9d2d2649d64de350436d99d5f1d2a3bda84bf7610fac278094c87b628e4f3c51fb516fdb8f09a274bd532734543cb0eea284b6
-
Filesize
190KB
MD544a46b8f144a04e18d341b9ac239ff20
SHA19e911d62c66b8fedff0cf5a9a9684b2f87221f7d
SHA256ebcaba012c908d5584579ba927d4e7dfb3be28d91d7c369a2473b393915e933d
SHA512144d7c3b3f4c63f8f04f786ddc7d553b83808afef47a9628b5f67493950a42d020469c75d536c1214186daae34fdd437eb2a9f7a2214b0e434b6d8decd57c3dc
-
Filesize
11KB
MD527eefd6a4c376a709a16793b3cf420da
SHA1a3465d24e915ef51ad758df74de6787bd16d5ea3
SHA2566323642efc5be5973787e2ecaf8ec6e5e09d72a3ecdc2799f9b6c06841862d8c
SHA51252a296b56c8fdc9c214d139b47e2ec2ebb7339ee88ca65daa236e088b4dbf3cae392b6e0dc6ea93a23f1877654d335650e03054b39de3692b9b60c46abdfbaff
-
Filesize
2KB
MD5b54fa51b12cfc7a9a54fe666b64b8ade
SHA1e17673b6636138209d98953d1f6d56b701bc0ba5
SHA2565b9f68c1a69270234873701f8ad50e60487ad5b3103f7bb1953d0363ffaf61f6
SHA512f2347994eff841006fbad5dd603875444c13702392dc52f4fb05ee297faf3cf2c617bffa9245f99b28e50171825517af59b2b87014213abf3a80060e6714a40c
-
Filesize
176KB
MD5337251c0585346f48901de919f1758c1
SHA16acf0a827435716d2a464f21c57e51fbf68466f1
SHA2565c750a8d786aad679c0e13934f07bd5cdbf5e5b7fb68a6d62a58967bcf2562e2
SHA512ac565a4b8ef61b48c0ea7ac8f304a045fce6a925e5cacc3a03646ab41dbf910d58ae65e6c3df3b5d75df4d4efa7f1cc1bf03e48bc7bba5815a9e2690fd1ce2af
-
Filesize
11KB
MD50a751919ada4675a3347d8f45a174b77
SHA15ab33ad59706d0456a6396bbecbf5cab9e13138d
SHA256f42b04be8a339a383dd01b640f0fa274e31c18a1c531287d5d9182b0dc56870b
SHA512aa3bb2b0a258e716ff975ae56e4dd0b14ca1bc1a0c8f56598d448ac2b78fe2b91d9ed4c109e04956860919f624c845d348a03f8ee223f6b8a776e3e33a69a2d2
-
Filesize
3KB
MD57bd5968035e290fc975a3655d2a30c08
SHA1f07a370d4734c9b332b35d26b4d16d7ae1ec17b6
SHA256c1af8774a2b6c246a31b8c3f5185fff67a856c4f96d55c21b4d0587b34e4611b
SHA5122da219b9fc716499b2d8fa62084c5039d61660bf4ea26e48599eb4d10d95b4ba408e8415a092307b5731cc1de9201bb000848f68d7e79f6b03da453e223253ac
-
Filesize
240KB
MD5bb13c7ae29af3d73e2e2326bd37ef752
SHA1d2b5617fe2f2de0831d2ad0f6301e5cb88851261
SHA256755120e64cec6673bf8ad2ed0cfb031dd71a31ab8fc063c1b26cc3a8b9198857
SHA5126aa2a7c483dd205a6d0f667a5249f7eb23b45ee760de009400c208e73c21feda8d94ca428e4922303727e735a0f6026ddfd02bc419f2f280e68f2b55a93acf82
-
Filesize
37KB
MD53a203f9e312ea2684b38438ec8974be3
SHA1dd19b10190947543b39791e843584c0505c8c424
SHA256647eed76b4c9b49ee42db211147b9dc4859f55a2a1b73560b587d7a16e65dbe0
SHA512a38d047ad11873c11bab58b2fe7780dec481cfed4bf68342fbdcc9d0a327e7dfd01184fa0522aeaaaf3e0cbc572191c13437076c6a5079235a1b8923ff2c758b
-
Filesize
24.1MB
MD57f3bf2e735315015877e252c9684c478
SHA1da678dfbb0a4f811be755c5b39b19af405cce9db
SHA256fd43c543c3dee075d3595e2c5bc4d7203a4ade712ffe382c72832fe207bd7c2f
SHA5128dd1d8de8501fc1a30413f5738447292eb2a0cb71704e5fb2799874b0f1b187bec48e1d8c987d042f669832492ac73e47e441e40d78511635662f5c754cee0b3
-
\??\Volume{ff55ba41-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{355ebb45-8394-4f2e-8319-4ce7dd53faa1}_OnDiskSnapshotProp
Filesize6KB
MD5f459df2efb8d1ce6853e05a603aaef78
SHA1d72e00eccb6be9fb062864412a1686c9507929a9
SHA2564708193014251e8b495a1c546cb11cce112a2bf04638b26ffd9cf76a55ea2df7
SHA5124be5f3cbc37f4b778d20a75463691a6e7ae80fb48fb77f6505b931f3fad79ad766d610858eef39b8fc4c18060cc47b2a6bfd21d8576bc7fd785c9fc181489be1