Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Resubmissions

05/02/2025, 14:45

250205-r4w5kssngm 8

28/01/2025, 13:04

250128-qa9cdayrhw 8

Analysis

  • max time kernel
    117s
  • max time network
    227s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags
    arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
  • submitted
    05/02/2025, 14:45

General

  • Target
    VirtualBox-7.1.6-167084-Win.exe
  • Size
    117.3MB
  • MD5
    8addd310d09249bc176c9c891aae41cb
  • SHA1
    81212ad29642b2b261df42d25ccd23fe715914d1
  • SHA256
    35c42c98b784974a965c358a9bda63b6cb4edde80db83f87daa2fee83e6cfad6
  • SHA512
    b6126211ade8b38215ea70692af8cff5e47cb922484a3f08e377edf01a4a1d9b865772f4703d6914d779faba95eb46f16266e6f05411efba4691bc6f411d1d77
  • SSDEEP
    3145728:Zqar23mGGWtNN/fdSqyI/LUs5DuFsdOKtVeBi4g:82GGOFfAqyI/7FdUAT

Malware Config

Signatures

  • Drops file in Drivers directory 6 IoCs
  • Blocklisted process makes network request 1 IoCs
  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory 47 IoCs
  • Event Triggered Execution: Component Object Model Hijacking 1 TTPs

    Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 38 IoCs
  • Loads dropped DLL 18 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies data under HKEY_USERS 64 IoCs
  • Modifies registry class 64 IoCs
  • Modifies system certificate store 2 TTPs 4 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: LoadsDriver 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 35 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1108 --field-trial-handle=1388,i,268427178292899125,17008093136944114292,131072 /prefetch:2
    1⤵
    PID:2228
  • C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1464 --field-trial-handle=1388,i,268427178292899125,17008093136944114292,131072 /prefetch:8
    1⤵
    PID:2676
  • C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1660 --field-trial-handle=1388,i,268427178292899125,17008093136944114292,131072 /prefetch:8
    1⤵
    PID:1820
  • C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --mojo-platform-channel-handle=1460 --field-trial-handle=1388,i,268427178292899125,17008093136944114292,131072 /prefetch:1
    1⤵
    PID:1444
  • C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --mojo-platform-channel-handle=2304 --field-trial-handle=1388,i,268427178292899125,17008093136944114292,131072 /prefetch:1
    1⤵
    PID:1016
  • C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
    "C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
    1⤵
    PID:2968
  • C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1604 --field-trial-handle=1388,i,268427178292899125,17008093136944114292,131072 /prefetch:2
    1⤵
    PID:1052
  • C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --mojo-platform-channel-handle=1364 --field-trial-handle=1388,i,268427178292899125,17008093136944114292,131072 /prefetch:1
    1⤵
    PID:2452
  • C:\Users\Admin\AppData\Local\Temp\VirtualBox-7.1.6-167084-Win.exe
    "C:\Users\Admin\AppData\Local\Temp\VirtualBox-7.1.6-167084-Win.exe"
    1⤵
    • Enumerates connected drives
    • System Location Discovery: System Language Discovery
    • Modifies system certificate store
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:2208
  • C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3820 --field-trial-handle=1388,i,268427178292899125,17008093136944114292,131072 /prefetch:8
    1⤵
    PID:2368
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Blocklisted process makes network request
    • Enumerates connected drives
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Modifies data under HKEY_USERS
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:960
    • C:\Windows\system32\MsiExec.exe
      C:\Windows\system32\MsiExec.exe -Embedding 1C71857DAA81C75EDE81153CB638A51B C
      2⤵
      • Loads dropped DLL
      PID:2512
    • C:\Windows\system32\MsiExec.exe
      C:\Windows\system32\MsiExec.exe -Embedding 2ED9274274A0FC4300338B765CA9A96C
      2⤵
      • Drops file in Windows directory
      • Loads dropped DLL
      PID:1264
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding 49F5C2E1A3D0F329B28324C0D05EC0DC
      2⤵
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      PID:3020
    • C:\Windows\system32\MsiExec.exe
      C:\Windows\system32\MsiExec.exe -Embedding AD698649D9DB851D59BF51B2050F1CB7 M Global\MSI0000
      2⤵
      • Drops file in Drivers directory
      • Drops file in System32 directory
      • Drops file in Windows directory
      • Loads dropped DLL
      • Modifies data under HKEY_USERS
      PID:1612
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding 42D779F1B1992771AD031827DC24B605 M Global\MSI0000
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2556
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    PID:760
  • C:\Windows\system32\DrvInst.exe
    DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "0000000000000068" "00000000000003F0"
    1⤵
    • Drops file in Windows directory
    • Modifies data under HKEY_USERS
    PID:2428
  • C:\Windows\system32\DrvInst.exe
    DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{43711d41-affb-4410-6b82-c249e87f0d21}\VBoxNetLwf.inf" "9" "631e52bcb" "00000000000005B0" "WinSta0\Default" "0000000000000068" "208" "C:\Program Files\Oracle\VirtualBox\drivers\network\netlwf"
    1⤵
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies data under HKEY_USERS
    • Suspicious use of WriteProcessMemory
    PID:1884
    • C:\Windows\system32\rundll32.exe
      rundll32.exe C:\Windows\system32\pnpui.dll,InstallSecurityPromptRunDllW 20 Global\{5c7240e0-7b79-4af1-479f-f10773afb55e} Global\{2a95f175-d916-7339-024a-b65ebd3e250a} C:\Windows\System32\DriverStore\Temp\{123dcffc-b148-1ce4-0fff-1a585b004b4d}\VBoxNetLwf.inf C:\Windows\System32\DriverStore\Temp\{123dcffc-b148-1ce4-0fff-1a585b004b4d}\VBoxNetLwf.cat
      2⤵
      • Modifies data under HKEY_USERS
      PID:472
  • C:\Windows\system32\DrvInst.exe
    DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{3fc1518a-d50a-5ff1-5d03-cd0316e7cc2f}\VBoxNetAdp6.inf" "9" "673b17b7b" "00000000000005B0" "WinSta0\Default" "00000000000005D4" "208" "C:\Program Files\Oracle\VirtualBox\drivers\network\netadp6"
    1⤵
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies data under HKEY_USERS
    • Suspicious use of WriteProcessMemory
    PID:2100
    • C:\Windows\system32\rundll32.exe
      rundll32.exe C:\Windows\system32\pnpui.dll,InstallSecurityPromptRunDllW 20 Global\{3291b95c-ecb3-04e8-6c26-f15a697eb273} Global\{45f4d342-d615-43d1-1e5e-523f0f810f15} C:\Windows\System32\DriverStore\Temp\{7af29a4b-6a83-7c2f-9929-cd670b1f4a12}\VBoxNetAdp6.inf C:\Windows\System32\DriverStore\Temp\{7af29a4b-6a83-7c2f-9929-cd670b1f4a12}\VBoxNetAdp6.cat
      2⤵
      • Modifies data under HKEY_USERS
      PID:2444
  • C:\Windows\system32\DrvInst.exe
    DrvInst.exe "4" "8" "C:\Users\Admin\AppData\Local\Temp\{39b7bdb0-9a93-53c7-097d-cd6e62b4cb5e}\VBoxSup.inf" "9" "6edacf3f3" "00000000000005FC" "WinSta0\Default" "00000000000005D4" "208" "C:\Program Files\Oracle\VirtualBox\drivers\vboxsup"
    1⤵
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies data under HKEY_USERS
    PID:852

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Config.Msi\f788596.rbs
    Filesize: 718KB
    MD5: a9f53389b0c84fec395f288ec7070e59
    SHA1: 15cde3f11c906282180810f118d9ff2f7211c6b4
    SHA256: 25ec09aac17c6d5402f1ce6ccd6383da417193c5eb67590f17fd3c9545546edd
    SHA512: 18cf9f7a6527611172e12d7707915ae00074caa33e2793ba5cb717565d622f42cee07bc5d80c27a92a97579c82a81ae282b3fccf757c846be6137ed623da832b

  • C:\PROGRA~1\Oracle\VIRTUA~1\drivers\network\netadp6\VBoxNetAdp6.sys
    Filesize: 240KB
    MD5: bb13c7ae29af3d73e2e2326bd37ef752
    SHA1: d2b5617fe2f2de0831d2ad0f6301e5cb88851261
    SHA256: 755120e64cec6673bf8ad2ed0cfb031dd71a31ab8fc063c1b26cc3a8b9198857
    SHA512: 6aa2a7c483dd205a6d0f667a5249f7eb23b45ee760de009400c208e73c21feda8d94ca428e4922303727e735a0f6026ddfd02bc419f2f280e68f2b55a93acf82

  • C:\PROGRA~1\Oracle\VIRTUA~1\drivers\network\netlwf\VBoxNetLwf.sys
    Filesize: 250KB
    MD5: 10ed4a0f400f1db09e258c99939f15c7
    SHA1: 4ed115fb4bece2aaf9b0d724330811cd2c7878b2
    SHA256: b7d5361a58530add79cdce5544f41190196ea7b16b32c889627e8b5a61be8483
    SHA512: a573233ca92ff878f79261bf7ebc10def90c0995c46527a2f5f3791f5e48cf54158c07af1e0d969ba4d196f182126ca2e4c9ab5a1464e6974b279a6038102a6b

  • C:\Program Files\Oracle\VirtualBox\VBoxProxyStub.dll
    Filesize: 936KB
    MD5: dea158fd47abc3d173f6d8de13971372
    SHA1: d42cdc78678744d4b23c338fe81e327c1d4d4abf
    SHA256: 701332a337b452e64a56bd7e1a1d7c76eb8b7fb7f6f63f74413866b7e2113980
    SHA512: 11f96f77dee048cf7a487334607d517ed3cb7ea0314f4daf719e361d9c6d0bc09c827081cfb6bb6403ecc174e5e6f4201e47c6c4ff186028380e0ac8240ddefa

  • C:\Program Files\Oracle\VirtualBox\drivers\network\netadp6\VBoxNetAdp6.cat
    Filesize: 10KB
    MD5: 552b5869498a21ebd60394c43855cd40
    SHA1: 936ffdd331ba58c7106b5e8f83788465150b1873
    SHA256: 10b6ae89e111003e4f8f4f1b53cc051aa4372e3705e23902df81e502891604a7
    SHA512: 06b70dd7ec315bd51567a1694e902fcb8cb697e27b3d588f8a0541c91152fb5ae035e5dc45e0d6628243e592288d9505b86df8fcf333d303d4bd41001f10b798

  • C:\Program Files\Oracle\VirtualBox\drivers\network\netadp6\VBoxNetAdp6.inf
    Filesize: 3KB
    MD5: 7bd5968035e290fc975a3655d2a30c08
    SHA1: f07a370d4734c9b332b35d26b4d16d7ae1ec17b6
    SHA256: c1af8774a2b6c246a31b8c3f5185fff67a856c4f96d55c21b4d0587b34e4611b
    SHA512: 2da219b9fc716499b2d8fa62084c5039d61660bf4ea26e48599eb4d10d95b4ba408e8415a092307b5731cc1de9201bb000848f68d7e79f6b03da453e223253ac

  • C:\Program Files\Oracle\VirtualBox\drivers\network\netlwf\VBoxNetLwf.cat
    Filesize: 10KB
    MD5: 9a7ea922dc84aff4eba3913b4e4baf7f
    SHA1: 0ac25dd63071e9f2018e30c96351975be3f91a66
    SHA256: e2cd20ad1aa6650bb3bfb7a8eecaa3d8311cf367bb39b2b787a0857f9a0e53f6
    SHA512: f1a4cbf81acf640a882e2c93e7443d8d607025c9f8e141fa93a8f0cbaf2c7b06f38ae567e06d58ad086809cbcfb419070f00e7f1ca0abfea5db884cdae9a8c54

  • C:\Program Files\Oracle\VirtualBox\drivers\network\netlwf\VBoxNetLwf.inf
    Filesize: 4KB
    MD5: 7da30975a6c38e9a0fe9676950f70033
    SHA1: d0134da02edaf78b60143d9d6a310ab97137b709
    SHA256: aee3b03ca632f7985c71c56d747ed61d0a83e8250f72c4e3cecaca43d6262cdb
    SHA512: 2ab29cfa41572e3b94680a298248d8d459da50d7f136ec1885a092f8c6550a6fbc5c0e256bdf42285cd7d9234f015d2a577e90989e8eeaa8f4a2780d69c87f01

  • C:\Program Files\Oracle\VirtualBox\x86\VBoxProxyStub-x86.dll
    Filesize: 684KB
    MD5: a575376c0da3e58d68ddb30cf903af50
    SHA1: 5c82c307d82d57b51f365006b7935f952b0775b1
    SHA256: ac2e8cda8c16350c20115774413245d2ef4fe2ee76aca73b2b3c47ad4add6116
    SHA512: b16a1920b5c51df04e2adfeefbbdc523dfb99586a6e397c43f521fc7111b28416cb4b72052d00a7d2f6ea3f04ae6935f4536ba27a456dc714296940e2b557a2c

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB
    Filesize: 471B
    MD5: 42cff42b997443cb256b1289a350b1b6
    SHA1: 651afb301d9acc6d9c7306060597e6a5c30625fc
    SHA256: 5a0156e23df8fc05add3ecbdc44fb33b70d86fd08dcafad7fbb37b2107bb629a
    SHA512: 6e50f0b49cabdc45f4b1609a0d388d0c5c544bd3e957951f23637a3059da8500d7e1afe8e8b76d9bacdc2cbb6f7516d2bdbffc09a7e6fbe3a16c4d8100214cdd

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EC9B1D0ABBD7F98B401D425828828CE_D2F6556190F7B1A25A117FFB5467EEBD
    Filesize: 727B
    MD5: 30d135e2903facc564d175c2b6e4044c
    SHA1: 5db057c161190338ffae691542cabe047fdd37e8
    SHA256: 4344543735255f395138e70373d859469b598f3c599c350249f9128dd81d812d
    SHA512: df6337142a1187e0a049aa5866303783395d448aa6fa32fd3bddf07c23f01c343e361e81394ce36764b2e1e29b84e1a8b86068dd79a306180b77010c45176fd2

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141
    Filesize: 727B
    MD5: 7ede1c2319349ee09eef9b918f848ee1
    SHA1: 907bc671d8865713c6c6758ab35d880bc195cd26
    SHA256: 0091300b2b650fad4fdf32c8681ca431aa280403bb7afec50e1e3b2232537c9e
    SHA512: 673710e89af144f22a6a69011341e48681cf2b46ec58fa7ceed13688f3dfa17e5c8ea9f8054cb99c054864ec980fa0acebdb480ce9abf4d1d7a8ec46dcfb5866

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB
    Filesize: 400B
    MD5: 6c4dc00fd3cada904697c7d0d2cc90a9
    SHA1: 6be8276f41821a8fa5d143175f3f6502721474c9
    SHA256: 78b2ac20c69750226145018f2e06a0f0affecba3b197d25322f144ecfd6ed55d
    SHA512: 533528a8faef1a8a2fcda8fb82af090025c5c8e5419f543c1320d1887c267215c9f3c171cd37e04254689c72d69fb5bcba3ad6e77b35f64aeea3775fd4f17b0f

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8EC9B1D0ABBD7F98B401D425828828CE_D2F6556190F7B1A25A117FFB5467EEBD
    Filesize: 412B
    MD5: fbe79bbbac43dabd5e2b4dc121cdec9f
    SHA1: 393b80c851b9cf6fb20e08e090e6606367004173
    SHA256: 78c4027cb98aa4d5d6850bdbc828c8108f40da746f7ea4c1416a5c6ac83fd541
    SHA512: e13fb49a37a577355ca6851904081136104707e14d03fbe2e1d27d808e720f8d1a3cd1a3f581deb7ffae6690a5a9f7a157b6527e3538c2e29678f8ecc341b73c

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize: 342B
    MD5: 57861c86a745f7470e89fd26b9cd6432
    SHA1: 8ae74c16388511828a6a762f3cbf2a396325cfe4
    SHA256: 8bb6ec5908d29855377a9ff387ba660f01b58da18d495a90d6492a02a46bc1a0
    SHA512: 6f7aadc67607a1d617d13961a7aec88a138d13e172390fbbcf4ed0b56ecc9b9bc9126b5df7743017fd34a607bbfa794f55a2f4bdfbd3ae8348bd803e393f2ff0

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141
    Filesize: 412B
    MD5: 08af6ecc9bc93049ce406a2f21c0b612
    SHA1: 817fb72adcb293b09347d97aa2147bbf6908de7c
    SHA256: a05befae9b89bcaeff43dbb4e549fda8c4adb69b54cc075daa789f71b47cb9da
    SHA512: 80e6ff6ee047fdf7075b6972300f1e868373a60614698b1cf621e777469cb742fbc001d2ddda81f28b001ff7af911c69881f4c8db849bc8aa458f9a7d55a3b64

  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
    Filesize: 933B
    MD5: 7ee3baa5245d29541c29b8c862b99aaa
    SHA1: 0d7dfb41f55bf84e9ccb802a96187fbb07e0cb6c
    SHA256: 3b2ac1abb0a3ba21fdd9f90d0efb4acd808eac1a3505cac9c9aee7bb0bd97ce7
    SHA512: c50a94d2eecaeb2828759b82a91fa029a2bfad0184db413fc0617302b910256bd400b21318d7b759b496409895e4bee215efe8ef0d540fd9709361151300565c

  • C:\Users\Admin\AppData\Local\Temp\Cab6BC0.tmp
    Filesize: 70KB
    MD5: 49aebf8cbd62d92ac215b2923fb1b9f5
    SHA1: 1723be06719828dda65ad804298d0431f6aff976
    SHA256: b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
    SHA512: bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

  • C:\Users\Admin\AppData\Local\Temp\MSI71BD.tmp
    Filesize: 476KB
    MD5: 39f6c48493b5225bae95cdb52c8bf69d
    SHA1: f54e11158d71068dc61f2c3c2a9db471ecdfcadd
    SHA256: 55dcfb4404fd2a7ce72dabc23d856f7529f7ed4359e1af19eca2619c2bf840cd
    SHA512: 0c5a07e45ba250e253e5ec3fb87c191e9de46027ee1f8ff5fae4be0a4c0e8a7aac48f64d6fb12dfbdd1b77ee93b5c6740e36a5a90e6ff817dd5f18e3fe3bdd6b

  • C:\Users\Admin\AppData\Local\Temp\Tar6F4C.tmp
    Filesize: 181KB
    MD5: 4ea6026cf93ec6338144661bf1202cd1
    SHA1: a1dec9044f750ad887935a01430bf49322fbdcb7
    SHA256: 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
    SHA512: 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

  • C:\Windows\Installer\MSI94B7.tmp
    Filesize: 330KB
    MD5: ac831c25bc16a05ee60aea5d79517434
    SHA1: 4946133e7fac34315a0ccaa30ca8ad383d5f0140
    SHA256: 947f8fd98efb1986df32a9c179eccf720376721798cc15d4cf9e31cdb8324869
    SHA512: 72f625386a7af35b58bdb70f35b8a29cd06c091f04e4cc2f9c7ec1c1ec194e4fb120b5528b55ed589c9daa890c1bdf8762dce1e17dd69a77ec7a002d2685ba5b

  • C:\Windows\System32\DriverStore\FileRepository\vboxnetlwf.inf_amd64_neutral_9855768fcc4a8263\vboxnetlwf.PNF
    Filesize: 9KB
    MD5: 667276dab6d500ca19b865f648a53d96
    SHA1: a3aecca5cef5f2dc4b9b31b7282a9242ea49b826
    SHA256: 277bb1dd365972a94524549ce1152d5323bb4d8bacb886c40f03d55e45587cb0
    SHA512: 0efe6e86e2fbb3962d4ff0f879c9d807cf3bb821becfd25a5d1aa1699144befff0e66ef828294914e680fcc05d11cfd571c5171f340d1b81f5234adb32bcf6ba

  • C:\Windows\System32\DriverStore\INFCACHE.1
    Filesize: 1.4MB
    MD5: 35a717ecab29b165dc7dbf0b1be15b5e
    SHA1: 3dfc969fcb9e77a715dc75fda25651cce066d0c2
    SHA256: addf5b47c3bf6cbb3fe82fefe84eccd544b187309e1569ee4910291e68991d84
    SHA512: cab2cc2d5dfa3ed7700cc1a7b351109e0a38ddd69a707e67cbce3917f6b3a1881c0d57a3f419cb34962a3a23dce1db5f0a4f71fdec21d13e700ab0e1e3a81043

  • C:\Windows\System32\DriverStore\Temp\{7cd139e7-af9c-05b0-5d9d-661a7f568e71}\SETE24.tmp
    Filesize: 10KB
    MD5: 616622190cbd26c6297e711002db9a18
    SHA1: 3ae814e574c3e1f7e1a47b74d409d76dbfcc7c04
    SHA256: 338534cc66c824995a299888caea8dc83de179e88f22e9a037dfd7c399a66ea2
    SHA512: cc574a02c278f96b9bb45cbc9164b77e4b66341eb2f2b8cb1870590735b2d5ee13fbf0de96f85309a544c7a88b50453830db50c25a4c73cd843ba4d0d9772c2e

  • C:\Windows\System32\DriverStore\Temp\{7cd139e7-af9c-05b0-5d9d-661a7f568e71}\SETE25.tmp
    Filesize: 2KB
    MD5: 59048a0500cb88084655b38de2a3097f
    SHA1: 014f0f333df2fac12045fb89ce1042f3352241c4
    SHA256: c3c0f8172fee9aeeff7d4ac43af0b0b9357f2f119b53c70377f015168586c546
    SHA512: cb596dc5048d09186b011ea4a314b7355c2191fff0cae929ebaa919294ed17041006ae575122d7191bfa3572c4da3f75e109d10cbc847e48121de0ef2761b9c0

  • C:\Windows\System32\DriverStore\Temp\{7cd139e7-af9c-05b0-5d9d-661a7f568e71}\SETE26.tmp
    Filesize: 1.0MB
    MD5: 9b7cdaa9dfa551282134f4e75074f702
    SHA1: e05035fcfe2369000a0264ab1c7eac9c40ecbb5c
    SHA256: decc9f7c751ded1aaddc3528dd545837a2a2994c415e983f30a6af1747ac3acf
    SHA512: 7da4fe862ce314548977672494391370045b80c6bd38f74f82e1f39a88143f93b36c1c06feeca4668a4e29ad60ff73e5f615fd61c6b514bdd902042ab7698af2

  • C:\Windows\inf\oem2.PNF
    Filesize: 9KB
    MD5: 834da9911ab6cc4846d0c277d8e8cfb3
    SHA1: 73d982ae07378a573fad645d2daff5fea0a2fcbc
    SHA256: 7954f9f456b12ebaee26aac8744e20bf1846ea1653f79c10d888546e12ae283d
    SHA512: 02235165aab39f56249315ee201a1f90a3bce10276df0480da004cda8d3a412486ce87377f07f0af4816ffb7b18488ec69b63557e7c9e9f2fb9b90fda3fd2a9f

  • memory/1612-394-0x0000000000220000-0x0000000000246000-memory.dmp
    Filesize: 152KB