Analysis
max time kernel: 117s
max time network: 227s
platform: windows7_x64
resource: win7-20241010-en
resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
submitted: 05/02/2025, 14:45
Static task: static1
Behavioral task: behavioral1
  Sample: VirtualBox-7.1.6-167084-Win.exe
  Resource: win7-20241010-en
Behavioral task: behavioral2
  Sample: VirtualBox-7.1.6-167084-Win.exe
  Resource: win10v2004-20250129-en
General
Target: VirtualBox-7.1.6-167084-Win.exe
Size: 117.3MB
MD5: 8addd310d09249bc176c9c891aae41cb
SHA1: 81212ad29642b2b261df42d25ccd23fe715914d1
SHA256: 35c42c98b784974a965c358a9bda63b6cb4edde80db83f87daa2fee83e6cfad6
SHA512: b6126211ade8b38215ea70692af8cff5e47cb922484a3f08e377edf01a4a1d9b865772f4703d6914d779faba95eb46f16266e6f05411efba4691bc6f411d1d77
SSDEEP: 3145728:Zqar23mGGWtNN/fdSqyI/LUs5DuFsdOKtVeBi4g:82GGOFfAqyI/7FdUAT
Malware Config
Signatures
Drops file in Drivers directory 6 IoCs
description  ioc  Process
File opened for modification  C:\Windows\system32\DRIVERS\SET407.tmp  MsiExec.exe
File created  C:\Windows\system32\DRIVERS\SET407.tmp  MsiExec.exe
File opened for modification  C:\Windows\system32\DRIVERS\VBoxNetAdp6.sys  MsiExec.exe
File opened for modification  C:\Windows\system32\DRIVERS\SETEDA9.tmp  MsiExec.exe
File created  C:\Windows\system32\DRIVERS\SETEDA9.tmp  MsiExec.exe
File opened for modification  C:\Windows\system32\DRIVERS\VBoxNetLwf.sys  MsiExec.exe
Blocklisted process makes network request 1 IoCs
flow  pid  Process
32  960  msiexec.exe
Enumerates connected drives 3 TTPs 46 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Drops file in System32 directory 47 IoCs
Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
Drops file in Program Files directory 64 IoCs
Drops file in Windows directory 38 IoCs
Loads dropped DLL 18 IoCs
pid  Process
2512  MsiExec.exe
2512  MsiExec.exe
2512  MsiExec.exe
2512  MsiExec.exe
2512  MsiExec.exe
2512  MsiExec.exe
1264  MsiExec.exe
1264  MsiExec.exe
1264  MsiExec.exe
1264  MsiExec.exe
3020  MsiExec.exe
1264  MsiExec.exe
1612  MsiExec.exe
1612  MsiExec.exe
1612  MsiExec.exe
1612  MsiExec.exe
1612  MsiExec.exe
1264  MsiExec.exe
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description  ioc  Process
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  VirtualBox-7.1.6-167084-Win.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  MsiExec.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  MsiExec.exe
Modifies data under HKEY_USERS 64 IoCs
Modifies registry class 64 IoCs
Modifies system certificate store 2 TTPs 4 IoCs
description ioc Process
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43 VirtualBox-7.1.6-167084-Win.exe
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = <blob data omitted> VirtualBox-7.1.6-167084-Win.exe (three identical writes)
All four writes go to AuthRoot, the store that Windows' automatic root-certificate update fills when certificate chain building meets a trusted root it has not cached, which verifying a signed installer is enough to trigger. A sample planting its own trust anchor would write to Root, CA or TrustedPublisher (or to Disallowed, to block a certificate); none of those stores is touched here, so this signature should be read together with the store name before it counts against the sample.
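To separate an auto-root-update artefact from a planted trust anchor without reading every line by hand, the classifier below (an added example, not part of the tria.ge report) parses registry IoC lines of the form shown above, groups writes by hive, store and thumbprint, and ranks them by the store written. The input is constructed: the two distinct AuthRoot lines from this report, plus two made-up lines (fake thumbprints, fake process name) showing what a machine-wide Root write and a per-user TrustedPublisher write would look like. The severity table is this example's own judgement, not a tria.ge score.

```python
import re
from collections import Counter

# Certificate-store writes land in the registry under SystemCertificates.
# The hive gives the scope (HKLM = every user, HKU\<SID> = one user), the
# store name says what kind of trust is changing, and the 40-hex subkey is
# the SHA-1 thumbprint of the certificate being written.
STORE_RE = re.compile(
    r"\\REGISTRY\\(?P<hive>MACHINE|USER\\[^\\]+)\\SOFTWARE\\Microsoft\\SystemCertificates\\"
    r"(?P<store>[A-Za-z]+)\\Certificates\\(?P<thumb>[0-9A-F]{40})",
    re.IGNORECASE,
)

# How a write to each store should be read (this example's own ranking):
#   AuthRoot         filled by Windows' automatic root update when chain building
#                    meets a root it has not cached; verifying any signed binary can
#                    trigger it, so on its own it is informational.
#   Root / CA        the machine's trust anchors and intermediates; a sample writing
#                    here is adding a CA (TLS interception, code-signing bypass).
#   TrustedPublisher silences Authenticode and driver publisher prompts for a signer.
#   Disallowed       the untrusted list; writes here can block other certificates.
SEVERITY = {"authroot": "info", "root": "high", "ca": "high",
            "trustedpublisher": "high", "disallowed": "high"}
RANK = {"info": 0, "medium": 1, "high": 2}


def cert_store_writes(lines):
    """Count writes per (scope, store, thumbprint, process) across IoC lines."""
    hits = Counter()
    for line in lines:
        m = STORE_RE.search(line)
        if not m:
            continue
        scope = "HKLM" if m["hive"].upper() == "MACHINE" else "HKU"
        proc = line.split()[-1]  # tria.ge prints the writing process last
        hits[(scope, m["store"], m["thumb"].upper(), proc)] += 1
    return dict(hits)


def triage(lines):
    """One finding per store entry, most severe first; unknown stores rank medium."""
    findings = []
    for (scope, store, thumb, proc), n in cert_store_writes(lines).items():
        sev = SEVERITY.get(store.lower(), "medium")
        findings.append({"severity": sev, "scope": scope, "store": store,
                         "thumbprint": thumb, "process": proc, "writes": n})
    return sorted(findings, key=lambda f: (-RANK[f["severity"]], f["store"], f["thumbprint"]))


# Constructed sample: the two distinct AuthRoot lines from the report above,
# then two invented lines (thumbprints and process name are made up) showing
# what a real trust-anchor plant looks like in the same notation.
SAMPLE = [
    r"Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = <blob> VirtualBox-7.1.6-167084-Win.exe",
    r"Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43 VirtualBox-7.1.6-167084-Win.exe",
    r"Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates\0000000000000000000000000000000000000000\Blob = <blob> dropper.exe",
    r"Set value (data) \REGISTRY\USER\S-1-5-21-1-2-3-1001\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\1111111111111111111111111111111111111111\Blob = <blob> dropper.exe",
]

if __name__ == "__main__":
    for f in triage(SAMPLE):
        print(f"{f['severity']:6} {f['scope']}\\{f['store']:16} {f['thumbprint']} x{f['writes']} by {f['process']}")
```

Run against a full tria.ge export, the only entries that deserve attention are the ones ranked high; the AuthRoot entry this report shows comes out as info, and the thumbprint can then be checked against Microsoft's root-program list rather than against the sample.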
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process
960 msiexec.exe (2 events)
Suspicious behavior: LoadsDriver 1 IoCs
pid Process
464 Process not Found
The loading pid is not in the traced process tree. A kernel driver started through the Service Control Manager is loaded by services.exe, not by the installer that staged it, so a driver package installed through DrvInst.exe (see the process tree below) is expected to be recorded under an unattributed pid like this one.
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process
Token (pid 960 msiexec.exe): SeRestorePrivilege, SeTakeOwnershipPrivilege, SeSecurityPrivilege
Token (pid 2208 VirtualBox-7.1.6-167084-Win.exe): SeShutdownPrivilege, SeIncreaseQuotaPrivilege, then the full well-known privilege list in LUID order, walked twice and started a third time before the listing stops at its 64-entry cap: SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeIncreaseQuotaPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Walking the list in LUID order (SeCreateTokenPrivilege is LUID 2, SeCreateGlobalPrivilege LUID 30) is the enable-everything idiom, not a request for one specific right. The entries that matter on their own are SeDebugPrivilege, SeLoadDriverPrivilege, SeTcbPrivilege, SeBackupPrivilege/SeRestorePrivilege and SeImpersonatePrivilege, and whether they matter depends on what the process does next. The three privileges enabled by msiexec.exe are the Installer service's usual set for writing files and ACLs.
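The 64 entries above read more easily as a per-process summary. The script below, an added example and not part of the tria.ge report, parses tria.ge's flattened `Token: <privilege> <pid> <process>` records, counts how often a process walks the whole well-known privilege list in LUID order (the enable-everything pattern PID 2208 shows), and lists the privileges that are worth a look whatever else is enabled. The sample input is constructed: the first five records are copied from this report, and the ordered run for PID 2208 is regenerated from the table instead of pasting all 64 entries. The high-risk table is this example's own selection.

```python
import re
from collections import defaultdict

# The well-known privileges as tria.ge names them, in LUID order
# (SeCreateTokenPrivilege = 2 ... SeCreateGlobalPrivilege = 30). tria.ge's
# "SeProfSingleProcessPrivilege" and "SeIncBasePriorityPrivilege" are the
# kernel's short names for SeProfileSingleProcessPrivilege and
# SeIncreaseBasePriorityPrivilege. A process that walks this list front to
# back is running an "enable every privilege" loop.
LUID_ORDER = [
    "SeCreateTokenPrivilege", "SeAssignPrimaryTokenPrivilege", "SeLockMemoryPrivilege",
    "SeIncreaseQuotaPrivilege", "SeMachineAccountPrivilege", "SeTcbPrivilege",
    "SeSecurityPrivilege", "SeTakeOwnershipPrivilege", "SeLoadDriverPrivilege",
    "SeSystemProfilePrivilege", "SeSystemtimePrivilege", "SeProfSingleProcessPrivilege",
    "SeIncBasePriorityPrivilege", "SeCreatePagefilePrivilege", "SeCreatePermanentPrivilege",
    "SeBackupPrivilege", "SeRestorePrivilege", "SeShutdownPrivilege", "SeDebugPrivilege",
    "SeAuditPrivilege", "SeSystemEnvironmentPrivilege", "SeChangeNotifyPrivilege",
    "SeRemoteShutdownPrivilege", "SeUndockPrivilege", "SeSyncAgentPrivilege",
    "SeEnableDelegationPrivilege", "SeManageVolumePrivilege", "SeImpersonatePrivilege",
    "SeCreateGlobalPrivilege",
]

# Privileges that deserve a second look on their own (this example's selection).
HIGH_RISK = {
    "SeDebugPrivilege": "open and write any process",
    "SeLoadDriverPrivilege": "load kernel drivers",
    "SeTcbPrivilege": "act as part of the operating system",
    "SeBackupPrivilege": "read any file regardless of ACL",
    "SeRestorePrivilege": "write any file regardless of ACL",
    "SeTakeOwnershipPrivilege": "take ownership of any securable object",
    "SeImpersonatePrivilege": "impersonate connecting clients",
    "SeAssignPrimaryTokenPrivilege": "give a process another token",
    "SeCreateTokenPrivilege": "forge tokens",
}

TOKEN_RE = re.compile(r"Token:\s+(Se\w+Privilege)\s+(\d+)\s+(\S+)")


def parse_tokens(text):
    """Return [(privilege, pid, process), ...] in report order."""
    return [(p, int(pid), proc) for p, pid, proc in TOKEN_RE.findall(text)]


def count_sweeps(seq):
    """Count non-overlapping occurrences of the full LUID-ordered run in seq."""
    n, i, hits = len(LUID_ORDER), 0, 0
    while i + n <= len(seq):
        if seq[i:i + n] == LUID_ORDER:
            hits += 1
            i += n
        else:
            i += 1
    return hits


def summarize(text):
    """Per-pid summary: event count, distinct privileges, full sweeps, high-risk set."""
    per_pid, names = defaultdict(list), {}
    for priv, pid, proc in parse_tokens(text):
        per_pid[pid].append(priv)
        names[pid] = proc
    return {
        pid: {
            "process": names[pid],
            "events": len(seq),
            "distinct": len(set(seq)),
            "sweeps": count_sweeps(seq),
            "high_risk": sorted(set(seq) & HIGH_RISK.keys()),
        }
        for pid, seq in per_pid.items()
    }


# Constructed sample: the first five records copied from the report, followed by
# the LUID-ordered run for pid 2208 generated twice (as the report shows it).
SAMPLE = (
    "Token: SeShutdownPrivilege 2208 VirtualBox-7.1.6-167084-Win.exe "
    "Token: SeIncreaseQuotaPrivilege 2208 VirtualBox-7.1.6-167084-Win.exe "
    "Token: SeRestorePrivilege 960 msiexec.exe "
    "Token: SeTakeOwnershipPrivilege 960 msiexec.exe "
    "Token: SeSecurityPrivilege 960 msiexec.exe "
    + " ".join(f"Token: {p} 2208 VirtualBox-7.1.6-167084-Win.exe" for p in LUID_ORDER * 2)
)

if __name__ == "__main__":
    for pid, s in summarize(SAMPLE).items():
        print(pid, s["process"], f"events={s['events']} distinct={s['distinct']} sweeps={s['sweeps']}")
        for p in s["high_risk"]:
            print("   ", p, "-", HIGH_RISK[p])
```

A non-zero sweep count with a large distinct set is the signature of an enable-all loop; a short distinct set with one or two high-risk entries (SeDebugPrivilege alone, say) is the pattern that more often precedes injection or credential theft and is the one to chase through the rest of the report.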
Suspicious use of FindShellTrayWindow 1 IoCs
pid Process
2208 VirtualBox-7.1.6-167084-Win.exe
Suspicious use of WriteProcessMemory 35 IoCs
description pid Process procid_target
PID 960 msiexec.exe wrote to memory of 2512 (MsiExec.exe, target 43), 5 times
PID 960 msiexec.exe wrote to memory of 1264 (MsiExec.exe, target 47), 5 times
PID 960 msiexec.exe wrote to memory of 3020 (MsiExec.exe, target 48), 7 times
PID 960 msiexec.exe wrote to memory of 1612 (MsiExec.exe, target 49), 5 times
PID 960 msiexec.exe wrote to memory of 2556 (MsiExec.exe, target 50), 7 times
PID 1884 DrvInst.exe wrote to memory of 472 (rundll32.exe, target 52), 3 times
PID 2100 DrvInst.exe wrote to memory of 2444 (rundll32.exe, target 54), 3 times
Every target is a child the writing process itself spawned (the MsiExec -Embedding custom-action hosts and the pnpui.dll prompt processes in the tree below), which is consistent with the writes a parent makes into a freshly created child rather than with injection into an unrelated process. The signal to look for under this signature is a write whose target is not a child of the writer.
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots. Here the VSS activity is tied to the driver installation: vssvc.exe (PID 760) starts and DrvInst.exe (PID 2428) handles a STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19 device, which is what the system restore point Windows creates before installing a driver package looks like in a trace. The ransomware pattern this signature is meant to surface, enumerating and deleting existing shadow copies before encryption, is not present.
Processes
Top-level entries are processes whose parent was not traced. The chrome.exe entries all share --field-trial-handle=1388, i.e. they belong to one browser instance, most likely one already running in the analysis image, and none of them descends from the sample; elevation_service.exe is Chrome's elevation service. The sample's own activity is VirtualBox-7.1.6-167084-Win.exe (PID 2208), the Windows Installer service it hands the MSI to (msiexec.exe /V, PID 960) with its MsiExec -Embedding custom-action hosts, and the DrvInst.exe driver-staging processes, two of which spawn the pnpui.dll publisher-trust prompt for the staged .inf.
- PID 2228: C:\Program Files\Google\Chrome\Application\chrome.exe
  cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1108 --field-trial-handle=1388,i,268427178292899125,17008093136944114292,131072 /prefetch:2
- PID 2676: C:\Program Files\Google\Chrome\Application\chrome.exe
  cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1464 --field-trial-handle=1388,i,268427178292899125,17008093136944114292,131072 /prefetch:8
- PID 1820: C:\Program Files\Google\Chrome\Application\chrome.exe
  cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1660 --field-trial-handle=1388,i,268427178292899125,17008093136944114292,131072 /prefetch:8
- PID 1444: C:\Program Files\Google\Chrome\Application\chrome.exe
  cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --mojo-platform-channel-handle=1460 --field-trial-handle=1388,i,268427178292899125,17008093136944114292,131072 /prefetch:1
- PID 1016: C:\Program Files\Google\Chrome\Application\chrome.exe
  cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --mojo-platform-channel-handle=2304 --field-trial-handle=1388,i,268427178292899125,17008093136944114292,131072 /prefetch:1
- PID 2968: C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
  cmdline: "C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
- PID 1052: C:\Program Files\Google\Chrome\Application\chrome.exe
  cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1604 --field-trial-handle=1388,i,268427178292899125,17008093136944114292,131072 /prefetch:2
- PID 2452: C:\Program Files\Google\Chrome\Application\chrome.exe
  cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --mojo-platform-channel-handle=1364 --field-trial-handle=1388,i,268427178292899125,17008093136944114292,131072 /prefetch:1
- PID 2208: C:\Users\Admin\AppData\Local\Temp\VirtualBox-7.1.6-167084-Win.exe
  cmdline: "C:\Users\Admin\AppData\Local\Temp\VirtualBox-7.1.6-167084-Win.exe"
  signatures: Enumerates connected drives; System Location Discovery: System Language Discovery; Modifies system certificate store; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow
- PID 2368: C:\Program Files\Google\Chrome\Application\chrome.exe
  cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3820 --field-trial-handle=1388,i,268427178292899125,17008093136944114292,131072 /prefetch:8
- PID 960: C:\Windows\system32\msiexec.exe
  cmdline: C:\Windows\system32\msiexec.exe /V
  signatures: Blocklisted process makes network request; Enumerates connected drives; Drops file in Program Files directory; Drops file in Windows directory; Modifies data under HKEY_USERS; Modifies registry class; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - PID 2512: C:\Windows\system32\MsiExec.exe
    cmdline: C:\Windows\system32\MsiExec.exe -Embedding 1C71857DAA81C75EDE81153CB638A51B C
    signatures: Loads dropped DLL
  - PID 1264: C:\Windows\system32\MsiExec.exe
    cmdline: C:\Windows\system32\MsiExec.exe -Embedding 2ED9274274A0FC4300338B765CA9A96C
    signatures: Drops file in Windows directory; Loads dropped DLL
  - PID 3020: C:\Windows\syswow64\MsiExec.exe
    cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding 49F5C2E1A3D0F329B28324C0D05EC0DC
    signatures: Loads dropped DLL; System Location Discovery: System Language Discovery
  - PID 1612: C:\Windows\system32\MsiExec.exe
    cmdline: C:\Windows\system32\MsiExec.exe -Embedding AD698649D9DB851D59BF51B2050F1CB7 M Global\MSI0000
    signatures: Drops file in Drivers directory; Drops file in System32 directory; Drops file in Windows directory; Loads dropped DLL; Modifies data under HKEY_USERS
  - PID 2556: C:\Windows\syswow64\MsiExec.exe
    cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding 42D779F1B1992771AD031827DC24B605 M Global\MSI0000
    signatures: System Location Discovery: System Language Discovery
- PID 760: C:\Windows\system32\vssvc.exe
  cmdline: C:\Windows\system32\vssvc.exe
- PID 2428: C:\Windows\system32\DrvInst.exe
  cmdline: DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "0000000000000068" "00000000000003F0"
  signatures: Drops file in Windows directory; Modifies data under HKEY_USERS
- PID 1884: C:\Windows\system32\DrvInst.exe
  cmdline: DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{43711d41-affb-4410-6b82-c249e87f0d21}\VBoxNetLwf.inf" "9" "631e52bcb" "00000000000005B0" "WinSta0\Default" "0000000000000068" "208" "C:\Program Files\Oracle\VirtualBox\drivers\network\netlwf"
  signatures: Drops file in System32 directory; Drops file in Windows directory; Modifies data under HKEY_USERS; Suspicious use of WriteProcessMemory
  - PID 472: C:\Windows\system32\rundll32.exe
    cmdline: rundll32.exe C:\Windows\system32\pnpui.dll,InstallSecurityPromptRunDllW 20 Global\{5c7240e0-7b79-4af1-479f-f10773afb55e} Global\{2a95f175-d916-7339-024a-b65ebd3e250a} C:\Windows\System32\DriverStore\Temp\{123dcffc-b148-1ce4-0fff-1a585b004b4d}\VBoxNetLwf.inf C:\Windows\System32\DriverStore\Temp\{123dcffc-b148-1ce4-0fff-1a585b004b4d}\VBoxNetLwf.cat
    signatures: Modifies data under HKEY_USERS
- PID 2100: C:\Windows\system32\DrvInst.exe
  cmdline: DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{3fc1518a-d50a-5ff1-5d03-cd0316e7cc2f}\VBoxNetAdp6.inf" "9" "673b17b7b" "00000000000005B0" "WinSta0\Default" "00000000000005D4" "208" "C:\Program Files\Oracle\VirtualBox\drivers\network\netadp6"
  signatures: Drops file in System32 directory; Drops file in Windows directory; Modifies data under HKEY_USERS; Suspicious use of WriteProcessMemory
  - PID 2444: C:\Windows\system32\rundll32.exe
    cmdline: rundll32.exe C:\Windows\system32\pnpui.dll,InstallSecurityPromptRunDllW 20 Global\{3291b95c-ecb3-04e8-6c26-f15a697eb273} Global\{45f4d342-d615-43d1-1e5e-523f0f810f15} C:\Windows\System32\DriverStore\Temp\{7af29a4b-6a83-7c2f-9929-cd670b1f4a12}\VBoxNetAdp6.inf C:\Windows\System32\DriverStore\Temp\{7af29a4b-6a83-7c2f-9929-cd670b1f4a12}\VBoxNetAdp6.cat
    signatures: Modifies data under HKEY_USERS
- PID 852: C:\Windows\system32\DrvInst.exe
  cmdline: DrvInst.exe "4" "8" "C:\Users\Admin\AppData\Local\Temp\{39b7bdb0-9a93-53c7-097d-cd6e62b4cb5e}\VBoxSup.inf" "9" "6edacf3f3" "00000000000005FC" "WinSta0\Default" "00000000000005D4" "208" "C:\Program Files\Oracle\VirtualBox\drivers\vboxsup"
  signatures: Drops file in System32 directory; Drops file in Windows directory; Modifies data under HKEY_USERS
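The relationships that matter in a tree like this (which MsiExec -Embedding hosts belong to the Installer service, which DrvInst.exe instance raised a publisher prompt and for which .inf) are easier to pull out programmatically than by eye. The parser below is an added example, not code from tria.ge: it reads the raw text export of a tria.ge process tree, in which each entry is the image path immediately followed by the command line, a single-digit nesting depth before the `⤵` glyph (1 = top level), optional `- <signature>` lines, and a `PID:<n>` line. The sample input is constructed from a subset of this report's entries, and `msi_custom_action_hosts` and `driver_prompts` are this example's own helpers.

```python
import re

DEPTH_RE = re.compile(r"(\d)⤵")      # one digit: nesting depth (1 = top level)
PID_RE = re.compile(r"PID:(\d+)")


def parse_tree(text):
    """Parse tria.ge's raw process-tree export into a flat list of nodes.

    Each node: image, cmdline, depth, tags, pid, parent (pid or None).
    Parentage is recovered from the depth digit: an entry at depth d is a
    child of the most recent entry at depth d-1.
    """
    nodes, stack, cur = [], [], None     # stack[i] = last node seen at depth i+1
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "-":      # empty bullets are list residue
            continue
        if cur is None:
            m = DEPTH_RE.search(line)
            if not m:
                continue
            head = line[:m.start()]
            # image path and command line are concatenated with no separator;
            # the first ".exe" ends the image path
            i = head.lower().find(".exe")
            cut = i + 4 if i >= 0 else len(head)
            cur = {"image": head[:cut], "cmdline": head[cut:].strip(),
                   "depth": int(m.group(1)), "tags": [], "pid": None, "parent": None}
            line = line[m.end():].strip()   # the PID may sit on the same line
            if not line:
                continue
        if line.startswith("- "):
            cur["tags"].append(line[2:].strip())
            continue
        pm = PID_RE.search(line)
        if pm:
            cur["pid"] = int(pm.group(1))
            del stack[cur["depth"] - 1:]
            cur["parent"] = stack[-1]["pid"] if stack else None
            stack.append(cur)
            nodes.append(cur)
            cur = None
    return nodes


def msi_custom_action_hosts(nodes):
    """(pid, is_32bit) for each MsiExec -Embedding child of the Installer service."""
    by_pid = {n["pid"]: n for n in nodes}
    out = []
    for n in nodes:
        parent = by_pid.get(n["parent"])
        if parent and parent["image"].lower().endswith("\\msiexec.exe") \
                and "-embedding" in n["cmdline"].lower():
            out.append((n["pid"], "syswow64" in n["image"].lower()))
    return out


def driver_prompts(nodes):
    """(parent image, .inf path) for every pnpui.dll InstallSecurityPromptRunDllW
    invocation, i.e. the publisher-trust prompt raised while a driver package is staged."""
    by_pid = {n["pid"]: n for n in nodes}
    out = []
    for n in nodes:
        if "InstallSecurityPromptRunDllW" in n["cmdline"]:
            inf = next((t for t in n["cmdline"].split() if t.lower().endswith(".inf")), "")
            parent = by_pid.get(n["parent"])
            out.append((parent["image"] if parent else None, inf))
    return out


# Constructed sample: a subset of this report's entries in the raw export format.
SAMPLE = r'''
C:\Users\Admin\AppData\Local\Temp\VirtualBox-7.1.6-167084-Win.exe"C:\Users\Admin\AppData\Local\Temp\VirtualBox-7.1.6-167084-Win.exe"1⤵
- Enumerates connected drives
- Modifies system certificate store
PID:2208
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Blocklisted process makes network request
PID:960 -
C:\Windows\system32\MsiExec.exeC:\Windows\system32\MsiExec.exe -Embedding 1C71857DAA81C75EDE81153CB638A51B C2⤵
- Loads dropped DLL
PID:2512
-
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 49F5C2E1A3D0F329B28324C0D05EC0DC2⤵
- Loads dropped DLL
PID:3020
-
-
C:\Windows\system32\DrvInst.exeDrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{43711d41-affb-4410-6b82-c249e87f0d21}\VBoxNetLwf.inf" "9" "631e52bcb" "00000000000005B0" "WinSta0\Default" "0000000000000068" "208" "C:\Program Files\Oracle\VirtualBox\drivers\network\netlwf"1⤵
- Suspicious use of WriteProcessMemory
PID:1884 -
C:\Windows\system32\rundll32.exerundll32.exe C:\Windows\system32\pnpui.dll,InstallSecurityPromptRunDllW 20 Global\{5c7240e0-7b79-4af1-479f-f10773afb55e} Global\{2a95f175-d916-7339-024a-b65ebd3e250a} C:\Windows\System32\DriverStore\Temp\{123dcffc-b148-1ce4-0fff-1a585b004b4d}\VBoxNetLwf.inf C:\Windows\System32\DriverStore\Temp\{123dcffc-b148-1ce4-0fff-1a585b004b4d}\VBoxNetLwf.cat2⤵
- Modifies data under HKEY_USERS
PID:472
'''

if __name__ == "__main__":
    tree = parse_tree(SAMPLE)
    for n in tree:
        print("  " * (n["depth"] - 1) + f"PID {n['pid']} <- {n['parent']}: {n['image']}")
    print("MSI custom-action hosts:", msi_custom_action_hosts(tree))
    print("driver publisher prompts:", driver_prompts(tree))
```

The depth digit is the only parent information the export carries, so a top-level entry (depth 1) gets `parent=None`, which is exactly the case for msiexec.exe /V and the DrvInst.exe instances here: their real parents (the Service Control Manager and the Plug and Play service) are not traced.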
Network
MITRE ATT&CK Enterprise v15
Downloads
Files captured during the run. Entries without a path are listed by size and hashes only. The CryptnetUrlCache Content/MetaData pairs are CryptoAPI's on-disk cache of URL fetches made during certificate-chain validation (CRL, OCSP and root-list downloads), the same mechanism that produced the AuthRoot entries above; vboxnetlwf.PNF is the precompiled INF the driver store writes when a package is staged.
- Filesize 718KB
  MD5 a9f53389b0c84fec395f288ec7070e59
  SHA1 15cde3f11c906282180810f118d9ff2f7211c6b4
  SHA256 25ec09aac17c6d5402f1ce6ccd6383da417193c5eb67590f17fd3c9545546edd
  SHA512 18cf9f7a6527611172e12d7707915ae00074caa33e2793ba5cb717565d622f42cee07bc5d80c27a92a97579c82a81ae282b3fccf757c846be6137ed623da832b
- Filesize 240KB
  MD5 bb13c7ae29af3d73e2e2326bd37ef752
  SHA1 d2b5617fe2f2de0831d2ad0f6301e5cb88851261
  SHA256 755120e64cec6673bf8ad2ed0cfb031dd71a31ab8fc063c1b26cc3a8b9198857
  SHA512 6aa2a7c483dd205a6d0f667a5249f7eb23b45ee760de009400c208e73c21feda8d94ca428e4922303727e735a0f6026ddfd02bc419f2f280e68f2b55a93acf82
- Filesize 250KB
  MD5 10ed4a0f400f1db09e258c99939f15c7
  SHA1 4ed115fb4bece2aaf9b0d724330811cd2c7878b2
  SHA256 b7d5361a58530add79cdce5544f41190196ea7b16b32c889627e8b5a61be8483
  SHA512 a573233ca92ff878f79261bf7ebc10def90c0995c46527a2f5f3791f5e48cf54158c07af1e0d969ba4d196f182126ca2e4c9ab5a1464e6974b279a6038102a6b
- Filesize 936KB
  MD5 dea158fd47abc3d173f6d8de13971372
  SHA1 d42cdc78678744d4b23c338fe81e327c1d4d4abf
  SHA256 701332a337b452e64a56bd7e1a1d7c76eb8b7fb7f6f63f74413866b7e2113980
  SHA512 11f96f77dee048cf7a487334607d517ed3cb7ea0314f4daf719e361d9c6d0bc09c827081cfb6bb6403ecc174e5e6f4201e47c6c4ff186028380e0ac8240ddefa
- Filesize 10KB
  MD5 552b5869498a21ebd60394c43855cd40
  SHA1 936ffdd331ba58c7106b5e8f83788465150b1873
  SHA256 10b6ae89e111003e4f8f4f1b53cc051aa4372e3705e23902df81e502891604a7
  SHA512 06b70dd7ec315bd51567a1694e902fcb8cb697e27b3d588f8a0541c91152fb5ae035e5dc45e0d6628243e592288d9505b86df8fcf333d303d4bd41001f10b798
- Filesize 3KB
  MD5 7bd5968035e290fc975a3655d2a30c08
  SHA1 f07a370d4734c9b332b35d26b4d16d7ae1ec17b6
  SHA256 c1af8774a2b6c246a31b8c3f5185fff67a856c4f96d55c21b4d0587b34e4611b
  SHA512 2da219b9fc716499b2d8fa62084c5039d61660bf4ea26e48599eb4d10d95b4ba408e8415a092307b5731cc1de9201bb000848f68d7e79f6b03da453e223253ac
- Filesize 10KB
  MD5 9a7ea922dc84aff4eba3913b4e4baf7f
  SHA1 0ac25dd63071e9f2018e30c96351975be3f91a66
  SHA256 e2cd20ad1aa6650bb3bfb7a8eecaa3d8311cf367bb39b2b787a0857f9a0e53f6
  SHA512 f1a4cbf81acf640a882e2c93e7443d8d607025c9f8e141fa93a8f0cbaf2c7b06f38ae567e06d58ad086809cbcfb419070f00e7f1ca0abfea5db884cdae9a8c54
- Filesize 4KB
  MD5 7da30975a6c38e9a0fe9676950f70033
  SHA1 d0134da02edaf78b60143d9d6a310ab97137b709
  SHA256 aee3b03ca632f7985c71c56d747ed61d0a83e8250f72c4e3cecaca43d6262cdb
  SHA512 2ab29cfa41572e3b94680a298248d8d459da50d7f136ec1885a092f8c6550a6fbc5c0e256bdf42285cd7d9234f015d2a577e90989e8eeaa8f4a2780d69c87f01
- Filesize 684KB
  MD5 a575376c0da3e58d68ddb30cf903af50
  SHA1 5c82c307d82d57b51f365006b7935f952b0775b1
  SHA256 ac2e8cda8c16350c20115774413245d2ef4fe2ee76aca73b2b3c47ad4add6116
  SHA512 b16a1920b5c51df04e2adfeefbbdc523dfb99586a6e397c43f521fc7111b28416cb4b72052d00a7d2f6ea3f04ae6935f4536ba27a456dc714296940e2b557a2c
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB
  Filesize 471B
  MD5 42cff42b997443cb256b1289a350b1b6
  SHA1 651afb301d9acc6d9c7306060597e6a5c30625fc
  SHA256 5a0156e23df8fc05add3ecbdc44fb33b70d86fd08dcafad7fbb37b2107bb629a
  SHA512 6e50f0b49cabdc45f4b1609a0d388d0c5c544bd3e957951f23637a3059da8500d7e1afe8e8b76d9bacdc2cbb6f7516d2bdbffc09a7e6fbe3a16c4d8100214cdd
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EC9B1D0ABBD7F98B401D425828828CE_D2F6556190F7B1A25A117FFB5467EEBD
  Filesize 727B
  MD5 30d135e2903facc564d175c2b6e4044c
  SHA1 5db057c161190338ffae691542cabe047fdd37e8
  SHA256 4344543735255f395138e70373d859469b598f3c599c350249f9128dd81d812d
  SHA512 df6337142a1187e0a049aa5866303783395d448aa6fa32fd3bddf07c23f01c343e361e81394ce36764b2e1e29b84e1a8b86068dd79a306180b77010c45176fd2
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141
  Filesize 727B
  MD5 7ede1c2319349ee09eef9b918f848ee1
  SHA1 907bc671d8865713c6c6758ab35d880bc195cd26
  SHA256 0091300b2b650fad4fdf32c8681ca431aa280403bb7afec50e1e3b2232537c9e
  SHA512 673710e89af144f22a6a69011341e48681cf2b46ec58fa7ceed13688f3dfa17e5c8ea9f8054cb99c054864ec980fa0acebdb480ce9abf4d1d7a8ec46dcfb5866
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB
  Filesize 400B
  MD5 6c4dc00fd3cada904697c7d0d2cc90a9
  SHA1 6be8276f41821a8fa5d143175f3f6502721474c9
  SHA256 78b2ac20c69750226145018f2e06a0f0affecba3b197d25322f144ecfd6ed55d
  SHA512 533528a8faef1a8a2fcda8fb82af090025c5c8e5419f543c1320d1887c267215c9f3c171cd37e04254689c72d69fb5bcba3ad6e77b35f64aeea3775fd4f17b0f
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8EC9B1D0ABBD7F98B401D425828828CE_D2F6556190F7B1A25A117FFB5467EEBD
  Filesize 412B
  MD5 fbe79bbbac43dabd5e2b4dc121cdec9f
  SHA1 393b80c851b9cf6fb20e08e090e6606367004173
  SHA256 78c4027cb98aa4d5d6850bdbc828c8108f40da746f7ea4c1416a5c6ac83fd541
  SHA512 e13fb49a37a577355ca6851904081136104707e14d03fbe2e1d27d808e720f8d1a3cd1a3f581deb7ffae6690a5a9f7a157b6527e3538c2e29678f8ecc341b73c
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize 342B
  MD5 57861c86a745f7470e89fd26b9cd6432
  SHA1 8ae74c16388511828a6a762f3cbf2a396325cfe4
  SHA256 8bb6ec5908d29855377a9ff387ba660f01b58da18d495a90d6492a02a46bc1a0
  SHA512 6f7aadc67607a1d617d13961a7aec88a138d13e172390fbbcf4ed0b56ecc9b9bc9126b5df7743017fd34a607bbfa794f55a2f4bdfbd3ae8348bd803e393f2ff0
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141
  Filesize 412B
  MD5 08af6ecc9bc93049ce406a2f21c0b612
  SHA1 817fb72adcb293b09347d97aa2147bbf6908de7c
  SHA256 a05befae9b89bcaeff43dbb4e549fda8c4adb69b54cc075daa789f71b47cb9da
  SHA512 80e6ff6ee047fdf7075b6972300f1e868373a60614698b1cf621e777469cb742fbc001d2ddda81f28b001ff7af911c69881f4c8db849bc8aa458f9a7d55a3b64
- Filesize 933B
  MD5 7ee3baa5245d29541c29b8c862b99aaa
  SHA1 0d7dfb41f55bf84e9ccb802a96187fbb07e0cb6c
  SHA256 3b2ac1abb0a3ba21fdd9f90d0efb4acd808eac1a3505cac9c9aee7bb0bd97ce7
  SHA512 c50a94d2eecaeb2828759b82a91fa029a2bfad0184db413fc0617302b910256bd400b21318d7b759b496409895e4bee215efe8ef0d540fd9709361151300565c
- Filesize 70KB
  MD5 49aebf8cbd62d92ac215b2923fb1b9f5
  SHA1 1723be06719828dda65ad804298d0431f6aff976
  SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
  SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
- Filesize 476KB
  MD5 39f6c48493b5225bae95cdb52c8bf69d
  SHA1 f54e11158d71068dc61f2c3c2a9db471ecdfcadd
  SHA256 55dcfb4404fd2a7ce72dabc23d856f7529f7ed4359e1af19eca2619c2bf840cd
  SHA512 0c5a07e45ba250e253e5ec3fb87c191e9de46027ee1f8ff5fae4be0a4c0e8a7aac48f64d6fb12dfbdd1b77ee93b5c6740e36a5a90e6ff817dd5f18e3fe3bdd6b
- Filesize 181KB
  MD5 4ea6026cf93ec6338144661bf1202cd1
  SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
  SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
  SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b
- Filesize 330KB
  MD5 ac831c25bc16a05ee60aea5d79517434
  SHA1 4946133e7fac34315a0ccaa30ca8ad383d5f0140
  SHA256 947f8fd98efb1986df32a9c179eccf720376721798cc15d4cf9e31cdb8324869
  SHA512 72f625386a7af35b58bdb70f35b8a29cd06c091f04e4cc2f9c7ec1c1ec194e4fb120b5528b55ed589c9daa890c1bdf8762dce1e17dd69a77ec7a002d2685ba5b
- C:\Windows\System32\DriverStore\FileRepository\vboxnetlwf.inf_amd64_neutral_9855768fcc4a8263\vboxnetlwf.PNF
  Filesize 9KB
  MD5 667276dab6d500ca19b865f648a53d96
  SHA1 a3aecca5cef5f2dc4b9b31b7282a9242ea49b826
  SHA256 277bb1dd365972a94524549ce1152d5323bb4d8bacb886c40f03d55e45587cb0
  SHA512 0efe6e86e2fbb3962d4ff0f879c9d807cf3bb821becfd25a5d1aa1699144befff0e66ef828294914e680fcc05d11cfd571c5171f340d1b81f5234adb32bcf6ba
- Filesize 1.4MB
  MD5 35a717ecab29b165dc7dbf0b1be15b5e
  SHA1 3dfc969fcb9e77a715dc75fda25651cce066d0c2
  SHA256 addf5b47c3bf6cbb3fe82fefe84eccd544b187309e1569ee4910291e68991d84
  SHA512 cab2cc2d5dfa3ed7700cc1a7b351109e0a38ddd69a707e67cbce3917f6b3a1881c0d57a3f419cb34962a3a23dce1db5f0a4f71fdec21d13e700ab0e1e3a81043
- Filesize 10KB
  MD5 616622190cbd26c6297e711002db9a18
  SHA1 3ae814e574c3e1f7e1a47b74d409d76dbfcc7c04
  SHA256 338534cc66c824995a299888caea8dc83de179e88f22e9a037dfd7c399a66ea2
  SHA512 cc574a02c278f96b9bb45cbc9164b77e4b66341eb2f2b8cb1870590735b2d5ee13fbf0de96f85309a544c7a88b50453830db50c25a4c73cd843ba4d0d9772c2e
- Filesize 2KB
  MD5 59048a0500cb88084655b38de2a3097f
  SHA1 014f0f333df2fac12045fb89ce1042f3352241c4
  SHA256 c3c0f8172fee9aeeff7d4ac43af0b0b9357f2f119b53c70377f015168586c546
  SHA512 cb596dc5048d09186b011ea4a314b7355c2191fff0cae929ebaa919294ed17041006ae575122d7191bfa3572c4da3f75e109d10cbc847e48121de0ef2761b9c0
- Filesize 1.0MB
  MD5 9b7cdaa9dfa551282134f4e75074f702
  SHA1 e05035fcfe2369000a0264ab1c7eac9c40ecbb5c
  SHA256 decc9f7c751ded1aaddc3528dd545837a2a2994c415e983f30a6af1747ac3acf
  SHA512 7da4fe862ce314548977672494391370045b80c6bd38f74f82e1f39a88143f93b36c1c06feeca4668a4e29ad60ff73e5f615fd61c6b514bdd902042ab7698af2
- Filesize 9KB
  MD5 834da9911ab6cc4846d0c277d8e8cfb3
  SHA1 73d982ae07378a573fad645d2daff5fea0a2fcbc
  SHA256 7954f9f456b12ebaee26aac8744e20bf1846ea1653f79c10d888546e12ae283d
  SHA512 02235165aab39f56249315ee201a1f90a3bce10276df0480da004cda8d3a412486ce87377f07f0af4816ffb7b18488ec69b63557e7c9e9f2fb9b90fda3fd2a9f