35c42c98b784974a965c358a9bda63b6cb4edde80db83f87daa2fee83e6cfad6

Resubmissions

05-02-2025 14:45

250205-r4w5kssngm 8

28-01-2025 13:04

250128-qa9cdayrhw 8

Analysis

max time kernel
140s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20250129-en
resource tags

arch:x64arch:x86image:win10v2004-20250129-enlocale:en-usos:windows10-2004-x64system
submitted
05-02-2025 14:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

VirtualBox-7.1.6-167084-Win.exe
Size

117.3MB
MD5

8addd310d09249bc176c9c891aae41cb
SHA1

81212ad29642b2b261df42d25ccd23fe715914d1
SHA256

35c42c98b784974a965c358a9bda63b6cb4edde80db83f87daa2fee83e6cfad6
SHA512

b6126211ade8b38215ea70692af8cff5e47cb922484a3f08e377edf01a4a1d9b865772f4703d6914d779faba95eb46f16266e6f05411efba4691bc6f411d1d77
SSDEEP

3145728:Zqar23mGGWtNN/fdSqyI/LUs5DuFsdOKtVeBi4g:82GGOFfAqyI/7FdUAT

Score

8^/10

discovery persistence privilege_escalation

Malware Config

Signatures

Drops file in Drivers directory 18 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\DRIVERS\VBoxSup.sys	MsiExec.exe
File opened for modification	C:\Windows\System32\drivers\SETEB36.tmp	DrvInst.exe
File opened for modification	C:\Windows\system32\DRIVERS\SETF21B.tmp	MsiExec.exe
File opened for modification	C:\Windows\System32\drivers\SETF596.tmp	DrvInst.exe
File created	C:\Windows\System32\drivers\SETF596.tmp	DrvInst.exe
File opened for modification	C:\Windows\system32\DRIVERS\SETF818.tmp	MsiExec.exe
File opened for modification	C:\Windows\system32\DRIVERS\VBoxUSBMon.sys	MsiExec.exe
File opened for modification	C:\Windows\system32\DRIVERS\VBoxNetAdp6.sys	MsiExec.exe
File created	C:\Windows\system32\DRIVERS\SETE133.tmp	MsiExec.exe
File opened for modification	C:\Windows\system32\DRIVERS\SETE309.tmp	MsiExec.exe
File created	C:\Windows\System32\drivers\SETEB36.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\drivers\VBoxSup.sys	DrvInst.exe
File created	C:\Windows\system32\DRIVERS\SETF21B.tmp	MsiExec.exe
File opened for modification	C:\Windows\system32\DRIVERS\SETE133.tmp	MsiExec.exe
File created	C:\Windows\system32\DRIVERS\SETE309.tmp	MsiExec.exe
File opened for modification	C:\Windows\System32\drivers\VBoxUSBMon.sys	DrvInst.exe
File created	C:\Windows\system32\DRIVERS\SETF818.tmp	MsiExec.exe
File opened for modification	C:\Windows\system32\DRIVERS\VBoxNetLwf.sys	MsiExec.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\H:	VirtualBox-7.1.6-167084-Win.exe
File opened (read-only)	\??\P:	VirtualBox-7.1.6-167084-Win.exe
File opened (read-only)	\??\U:	VirtualBox-7.1.6-167084-Win.exe
File opened (read-only)	\??\Z:	VirtualBox-7.1.6-167084-Win.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\B:	VirtualBox-7.1.6-167084-Win.exe
File opened (read-only)	\??\E:	VirtualBox-7.1.6-167084-Win.exe
File opened (read-only)	\??\I:	VirtualBox-7.1.6-167084-Win.exe
File opened (read-only)	\??\Q:	VirtualBox-7.1.6-167084-Win.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\V:	VirtualBox-7.1.6-167084-Win.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\G:	VirtualBox-7.1.6-167084-Win.exe
File opened (read-only)	\??\L:	VirtualBox-7.1.6-167084-Win.exe
File opened (read-only)	\??\O:	VirtualBox-7.1.6-167084-Win.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\K:	VirtualBox-7.1.6-167084-Win.exe
File opened (read-only)	\??\M:	VirtualBox-7.1.6-167084-Win.exe
File opened (read-only)	\??\S:	VirtualBox-7.1.6-167084-Win.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\A:	VirtualBox-7.1.6-167084-Win.exe
File opened (read-only)	\??\J:	VirtualBox-7.1.6-167084-Win.exe
File opened (read-only)	\??\W:	VirtualBox-7.1.6-167084-Win.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\N:	VirtualBox-7.1.6-167084-Win.exe
File opened (read-only)	\??\R:	VirtualBox-7.1.6-167084-Win.exe
File opened (read-only)	\??\T:	VirtualBox-7.1.6-167084-Win.exe
File opened (read-only)	\??\Y:	VirtualBox-7.1.6-167084-Win.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\X:	VirtualBox-7.1.6-167084-Win.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\DriverStore\Temp\{04809618-39a2-e645-b459-28e091371ec3}	DrvInst.exe
File opened for modification	C:\Windows\System32\CatRoot2\dberr.txt	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{ee684c45-2aa8-1549-81bc-2d8c3e55fa0e}\VBoxNetLwf.cat	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{5ec086a5-c875-2e41-8ab2-879d9d9040aa}\SETE22F.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{5ec086a5-c875-2e41-8ab2-879d9d9040aa}	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{0f8b5d19-f907-7343-b5d1-3c489ec56834}\SETE9FD.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\vboxusb.inf_amd64_1eb1ed3a2c402b9d\VBoxUSB.sys	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\vboxusb.inf_amd64_1eb1ed3a2c402b9d\VBoxUSB.inf	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{ee684c45-2aa8-1549-81bc-2d8c3e55fa0e}\SETDD7C.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{ee684c45-2aa8-1549-81bc-2d8c3e55fa0e}\VBoxNetLwf.sys	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{122479e5-1da6-4440-95e0-15927bb05443}\VBoxUSBMon.inf	DrvInst.exe
File opened for modification	C:\Windows\System32\CatRoot2\dberr.txt	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{0f8b5d19-f907-7343-b5d1-3c489ec56834}	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{ee684c45-2aa8-1549-81bc-2d8c3e55fa0e}\SETDD7B.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{ee684c45-2aa8-1549-81bc-2d8c3e55fa0e}\SETDD7B.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\drvstore.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\vboxnetlwf.inf_amd64_9855768fcc4a8263\VBoxNetLwf.sys	DrvInst.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netbrdg.inf_amd64_8a737d38f201aeb1\netbrdg.PNF	MsiExec.exe
File created	C:\Windows\System32\DriverStore\FileRepository\c_netservice.inf_amd64_9ab9cf10857f7349\c_netservice.PNF	MsiExec.exe
File created	C:\Windows\System32\DriverStore\Temp\{122479e5-1da6-4440-95e0-15927bb05443}\SETF49E.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\FileRepository\ndiscap.inf_amd64_a009d240f9b4a192\ndiscap.PNF	MsiExec.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netnb.inf_amd64_0dc913ad00b14824\netnb.PNF	MsiExec.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{04809618-39a2-e645-b459-28e091371ec3}\SETF315.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{04809618-39a2-e645-b459-28e091371ec3}\SETF327.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\vboxusb.inf_amd64_1eb1ed3a2c402b9d\VBoxUSB.cat	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{ee684c45-2aa8-1549-81bc-2d8c3e55fa0e}	DrvInst.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netvwififlt.inf_amd64_c5e19aab2305f37f\netvwififlt.PNF	MsiExec.exe
File opened for modification	C:\Windows\System32\CatRoot2\dberr.txt	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{0f8b5d19-f907-7343-b5d1-3c489ec56834}\SETE9FD.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{04809618-39a2-e645-b459-28e091371ec3}\VBoxUSB.cat	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{04809618-39a2-e645-b459-28e091371ec3}\SETF316.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{122479e5-1da6-4440-95e0-15927bb05443}\SETF48C.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{122479e5-1da6-4440-95e0-15927bb05443}\SETF48D.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{ee684c45-2aa8-1549-81bc-2d8c3e55fa0e}\VBoxNetLwf.inf	DrvInst.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netrass.inf_amd64_7f701cb29b5389d3\netrass.PNF	MsiExec.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{04809618-39a2-e645-b459-28e091371ec3}\VBoxUSB.inf	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{122479e5-1da6-4440-95e0-15927bb05443}\SETF49E.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\drvstore.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{5ec086a5-c875-2e41-8ab2-879d9d9040aa}\SETE22F.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\vboxnetadp6.inf_amd64_15909adfa959bbd7\VBoxNetAdp6.cat	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\vboxsup.inf_amd64_51feefe6fa2584ec\VBoxSup.cat	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{04809618-39a2-e645-b459-28e091371ec3}\VBoxUSB.sys	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{ee684c45-2aa8-1549-81bc-2d8c3e55fa0e}\SETDD5B.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\FileRepository\wfpcapture.inf_amd64_54cf91ab0e4c9ac2\wfpcapture.PNF	MsiExec.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{5ec086a5-c875-2e41-8ab2-879d9d9040aa}\SETE21E.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\drvstore.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{122479e5-1da6-4440-95e0-15927bb05443}\SETF48D.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{122479e5-1da6-4440-95e0-15927bb05443}\VBoxUSBMon.sys	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\vboxusbmon.inf_amd64_92b271dae027ffef\VBoxUSBMon.inf	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{122479e5-1da6-4440-95e0-15927bb05443}\SETF48C.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netpacer.inf_amd64_7d294c7fa012d315\netpacer.PNF	MsiExec.exe
File created	C:\Windows\System32\DriverStore\FileRepository\vboxnetlwf.inf_amd64_9855768fcc4a8263\vboxnetlwf.PNF	MsiExec.exe
File created	C:\Windows\System32\DriverStore\Temp\{5ec086a5-c875-2e41-8ab2-879d9d9040aa}\SETE21E.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{0f8b5d19-f907-7343-b5d1-3c489ec56834}\SETE9FE.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{0f8b5d19-f907-7343-b5d1-3c489ec56834}\VBoxSup.sys	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\vboxsup.inf_amd64_51feefe6fa2584ec\VBoxSup.inf	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\vboxnetadp6.inf_amd64_15909adfa959bbd7\VBoxNetAdp6.inf	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{0f8b5d19-f907-7343-b5d1-3c489ec56834}\SETEA1F.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{ee684c45-2aa8-1549-81bc-2d8c3e55fa0e}\SETDD5B.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\vboxnetlwf.inf_amd64_9855768fcc4a8263\VBoxNetLwf.cat	DrvInst.exe
File opened for modification	C:\Windows\System32\CatRoot2\dberr.txt	DrvInst.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netserv.inf_amd64_73adce5afe861093\netserv.PNF	MsiExec.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{5ec086a5-c875-2e41-8ab2-879d9d9040aa}\VBoxNetAdp6.inf	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\vboxnetadp6.inf_amd64_15909adfa959bbd7\VBoxNetAdp6.sys	DrvInst.exe

Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Oracle\VirtualBox\nls\VirtualBox_pl.qm	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\nls\qt_ja.qm	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\UnattendedTemplates\ubuntu_autoinstall_user_data	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\License_en_US.rtf	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\nls\VirtualBox_ka.qm	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\nls\VirtualBox_ko.qm	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\nls\VirtualBox_id.qm	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\nls\VirtualBox_it.qm	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\nls\VirtualBox_lt.qm	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\nls\qt_pl.qm	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\x86\VBoxProxyStub-x86.dll	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\VBoxAuthSimple.dll	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\dtrace\lib\amd64\cpumctx.d	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\dtrace\lib\amd64\vbox-arch-types.d	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\dtrace\lib\amd64\CPUMInternal.d	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\nls\VirtualBox_cs.qm	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\nls\VirtualBox_el.qm	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\nls\qt_sk.qm	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\UnattendedTemplates\fedora_ks.cfg	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\VBoxDbg.dll	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\VBoxSharedFolders.dll	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\VBoxWebSrv.exe	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\sqldrivers\qsqliteVBox.dll	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\UnattendedTemplates\lgw_postinstall.sh	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\UnattendedTemplates\win_postinstall.cmd	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\drivers\network\netlwf\VBoxNetLwf.sys	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\VBoxExtPackHelperApp.exe	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\nls\qt_lt.qm	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\platforms\qminimalVBox.dll	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\VBoxSharedClipboard.dll	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\VirtualBox_150px.png	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\nls\VirtualBox_sk.qm	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\nls\qt_id.qm	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\nls\qt_ka.qm	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\VBoxAutostartSvc.exe	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\VBoxCAPI.dll	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\VBoxHeadless.exe	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\UnattendedTemplates\ol9_ks.cfg	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\drivers\USB\device\VBoxUSB.cat	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\drivers\USB\filter\VBoxUSBMon.inf	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\nls\qt_sl.qm	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\UnattendedTemplates\redhat_postinstall.sh	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\drivers\network\netadp6\VBoxNetAdp6.sys	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\sdk\installer\python\vboxapi\src\vboxapi\__init__.py	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\Qt6StateMachineVBox.dll	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\VBoxProxyStub.dll	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\nls\qt_fr.qm	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\vbox-img.exe	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\doc\UserManual.pdf	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\nls\qt_de.qm	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\nls\qt_en.qm	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\nls\qt_eu.qm	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\UnattendedTemplates\debian_postinstall.sh	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\VBoxDDU.dll	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\VBoxHostChannel.dll	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\VBoxNetDHCP.dll	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\sdk\installer\python\vboxapi\pyproject.toml	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\nls\VirtualBox_pt_BR.qm	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\nls\qt_da.qm	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\UnattendedTemplates\debian_preseed.cfg	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\UICommon.dll	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\VBoxAuth.dll	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\UnattendedTemplates\ubuntu_preseed.cfg	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\drivers\network\netadp6\VBoxNetAdp6.inf	msiexec.exe

Drops file in Windows directory 50 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIB1CD.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIE1DB.tmp	msiexec.exe
File created	C:\Windows\inf\oem5.inf	DrvInst.exe
File created	C:\Windows\INF\oem6.PNF	MsiExec.exe
File opened for modification	C:\Windows\Installer\MSIE93E.tmp	msiexec.exe
File opened for modification	C:\Windows\inf\oem5.inf	DrvInst.exe
File opened for modification	C:\Windows\Installer\MSIAE60.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\SourceHash{08123D53-81FD-48DF-BDD1-64FC2B977919}	msiexec.exe
File opened for modification	C:\Windows\Installer\{08123D53-81FD-48DF-BDD1-64FC2B977919}\IconVirtualBox	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIDB12.tmp	msiexec.exe
File created	C:\Windows\INF\oem3.PNF	MsiExec.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\Installer\MSIF2C6.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\e58a92c.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIAD34.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIDB61.tmp	msiexec.exe
File created	C:\Windows\INF\oem0.PNF	MsiExec.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	MsiExec.exe
File opened for modification	C:\Windows\inf\oem7.inf	DrvInst.exe
File created	C:\Windows\inf\oem7.inf	DrvInst.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIB865.tmp	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	svchost.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\inf\oem3.inf	DrvInst.exe
File created	C:\Windows\inf\oem6.inf	DrvInst.exe
File opened for modification	C:\Windows\Installer\MSIF3FF.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIAD83.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIAFB8.tmp	msiexec.exe
File created	C:\Windows\INF\oem1.PNF	MsiExec.exe
File created	C:\Windows\INF\oem2.PNF	MsiExec.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\Installer\MSIF267.tmp	msiexec.exe
File created	C:\Windows\inf\oem3.inf	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File created	C:\Windows\inf\oem4.inf	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\Installer\MSIADF1.tmp	msiexec.exe
File created	C:\Windows\Installer\{08123D53-81FD-48DF-BDD1-64FC2B977919}\IconVirtualBox	msiexec.exe
File created	C:\Windows\Installer\e58a92e.msi	msiexec.exe
File opened for modification	C:\Windows\inf\oem4.inf	DrvInst.exe
File opened for modification	C:\Windows\inf\oem6.inf	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File created	C:\Windows\Installer\e58a92c.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIACA6.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIB8A5.tmp	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	MsiExec.exe

Executes dropped EXE 3 IoCs

pid	Process
4216	VirtualBox.exe
4928	VBoxSVC.exe
1692	VBoxSDS.exe

Loads dropped DLL 39 IoCs

pid	Process
2320	MsiExec.exe
2320	MsiExec.exe
2320	MsiExec.exe
2320	MsiExec.exe
2320	MsiExec.exe
2320	MsiExec.exe
2796	MsiExec.exe
2796	MsiExec.exe
2796	MsiExec.exe
2796	MsiExec.exe
4640	MsiExec.exe
2796	MsiExec.exe
4668	MsiExec.exe
4668	MsiExec.exe
4668	MsiExec.exe
4668	MsiExec.exe
4668	MsiExec.exe
2796	MsiExec.exe
2796	MsiExec.exe
2796	MsiExec.exe
2796	MsiExec.exe
4216	VirtualBox.exe
4216	VirtualBox.exe
4216	VirtualBox.exe
4216	VirtualBox.exe
4216	VirtualBox.exe
4216	VirtualBox.exe
4216	VirtualBox.exe
4216	VirtualBox.exe
4216	VirtualBox.exe
4216	VirtualBox.exe
4216	VirtualBox.exe
4216	VirtualBox.exe
4216	VirtualBox.exe
4928	VBoxSVC.exe
4928	VBoxSVC.exe
1692	VBoxSDS.exe
1692	VBoxSDS.exe
4928	VBoxSVC.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	VirtualBox-7.1.6-167084-Win.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A	MsiExec.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Phantom	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\CompatibleIDs	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID	DrvInst.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 0000000004000000290fce3451661f390000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff000000002701010000080000290fce340000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff000000000700010000680900290fce34000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1d290fce34000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000290fce3400000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\CompatibleIDs	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Filters	MsiExec.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\CompatibleIDs	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A	MsiExec.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\LowerFilters	MsiExec.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\LowerFilters	MsiExec.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A\	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001	MsiExec.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Service	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Filters	MsiExec.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Phantom	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	MsiExec.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags	MsiExec.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\LowerFilters	MsiExec.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Phantom	MsiExec.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Phantom	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Phantom	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Phantom	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\CompatibleIDs	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Service	MsiExec.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\UpperFilters	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A	MsiExec.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\CompatibleIDs	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\CompatibleIDs	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID	MsiExec.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A	MsiExec.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom	MsiExec.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Service	MsiExec.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\CompatibleIDs	DrvInst.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\CompatibleIDs	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002	DrvInst.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	DrvInst.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@%SystemRoot%\System32\wuaueng.dll,-400 = "Windows Update"	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@%SystemRoot%\system32\WindowsPowerShell\v1.0\powershell.exe,-124 = "Document Encryption"	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	DrvInst.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@%SystemRoot%\System32\fveui.dll,-843 = "BitLocker Drive Encryption"	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	DrvInst.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{67C50AFE-3E78-11E9-B25E-7768F80C0E07}\TypeLib	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{8B2B6773-8B5A-4CD2-95F8-38FAF73913E1}	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Interface\{4DA2DEC7-71B2-4817-9A64-4ED12C17388E}\ProxyStubClsid32	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C19073DD-CC7B-431B-98B2-951FDA8EAB89}\ProxyStubClsid32\ = "{0BB3B78C-1807-4249-5BA5-EA42D66AF0BF}"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{269D8F6B-FA1E-4CEE-91C7-6D8496BEA3C1}\TypeLib\ = "{D7569351-1750-46F0-936E-BD127D5BC264}"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{45587218-4289-EF4E-8E6A-E5B07816B631}\ProxyStubClsid32\ = "{0BB3B78C-1807-4249-5BA5-EA42D66AF0BF}"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{9E106366-4521-44CC-DF95-186E4D057C83}\TypeLib	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B5191A7C-9536-4EF8-820E-3B0E17E5BBC8}\TypeLib\Version = "1.3"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C0447716-FF5A-4795-B57A-ECD5FFFA18A4}\TypeLib\ = "{D7569351-1750-46F0-936E-BD127D5BC264}"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Interface\{E8C25D4D-AC97-4C16-B3E2-81BD8A57CC27}\NumMethods	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FF5BEFC3-4BA3-7903-2AA4-43988BA11554}\ = "IDnDTarget"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{181DFB55-394D-44D3-9EDB-AF2C4472C40A}\NumMethods	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{D947ADF5-4022-DC80-5535-6FB116815604}\TypeLib	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5155BFD3-7BA7-45A8-B26D-C91AE3754E37}\ = "IAudioAdapter"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Interface\{52F40B16-520E-473F-9428-3E69B0D915C3}\ProxyStubClsid32	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Interface\{FB220201-2FD3-47E2-A5DC-2C2431D833CC}\NumMethods	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Interface\{890ED3DC-CC19-43FA-8EBF-BAECB6B9EC87}\NumMethods	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D3D5F1EE-BCB2-4905-A7AB-CC85448A742B}\ProxyStubClsid32\ = "{0BB3B78C-1807-4249-5BA5-EA42D66AF0BF}"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{45587218-4289-EF4E-8E6A-E5B07816B631}	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{81314D14-FD1C-411A-95C5-E9BB1414E632}\NumMethods\ = "23"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8D095CB0-0126-43E0-B05D-326E74ABB356}\ProxyStubClsid32\ = "{0BB3B78C-1807-4249-5BA5-EA42D66AF0BF}"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{FF58A51D-54A1-411C-93E9-3047EB4DCD21}\NumMethods\ = "13"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0BB3B78C-1807-4249-5BA5-EA42D66AF0BF}\InprocServer32\ = "C:\\Program Files\\Oracle\\VirtualBox\\VBoxProxyStub.dll"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Interface\{28935887-782B-4C94-8410-CE557B9CFE44}	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Interface\{A0BAD6DF-D612-47D3-89D4-DB3992533948}\ProxyStubClsid32	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0CA2ADBA-8F30-401B-A8CD-FE31DBE839C0}\TypeLib\ = "{D7569351-1750-46F0-936E-BD127D5BC264}"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Interface\{C4B1B5F4-8CDF-4923-9EF6-B92476A84109}	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Interface\{C984D15F-E191-400B-840E-970F3DAD7296}\NumMethods	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5587D0F6-A227-4F23-8278-2F675EEA1BB2}\ProxyStubClsid32	VirtualBox.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A71E5822-365B-49BA-BD14-C8D616E6740D}\ProxyStubClsid32\ = "{0BB3B78C-1807-4249-5BA5-EA42D66AF0BF}"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A6DCF6E8-416B-4181-8C4A-45EC95177AEF}\NumMethods\ = "19"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{C1844087-EC6B-488D-AFBB-C90F6452A04B}	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{EE206A6E-7FF8-4A84-BD34-0C651E118BB5}\ProxyStubClsid32	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{FF5BEFC3-4BA3-7903-2AA4-43988BA11554}\ = "IDnDTarget"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00F4A8DC-0002-4B81-0077-1DCB004571BA}\TypeLib\Version = "1.3"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{024F00CE-6E0B-492A-A8D0-968472A94DC7}\NumMethods\ = "15"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{08889892-1EC6-4883-801D-77F56CFD0103}\TypeLib\Version = "1.3"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8D984A7E-B855-40B8-AB0C-44D3515B4528}\TypeLib\Version = "1.3"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A85BBA40-1B93-47BB-B125-DEC708C30FC0}\ProxyStubClsid32\ = "{0BB3B78C-1807-4249-5BA5-EA42D66AF0BF}"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{92F21DC0-44DE-1653-B717-2EBF0CA9B664}\ProxyStubClsid32\ = "{0BB3B78C-1807-4249-5BA5-EA42D66AF0BF}"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{CF11D345-0241-4EA9-AC4C-C69ED3D674E3}\TypeLib\ = "{D7569351-1750-46F0-936E-BD127D5BC264}"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{D23A9CA3-42DA-C94B-8AEC-21968E08355D}	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{07541941-8079-447A-A33E-47A69C7980DB}\ = "ISnapshotChangedEvent"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Interface\{243829CB-15B7-42A4-8664-7AA4E34993DA}\ProxyStubClsid32	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Interface\{726EACA9-091E-41B4-BCA6-355EFE864107}\ProxyStubClsid32	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E578BB9C-E88D-416B-BB45-08A4E7A5B463}\TypeLib	VirtualBox.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{48C7F4C0-C9D6-4742-957C-A6FD52E8C4AE}\ProxyStubClsid32\ = "{0BB3B78C-1807-4249-5BA5-EA42D66AF0BF}"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{92ED7B1A-0D96-40ED-AE46-A564D484325E}\NumMethods\ = "13"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{A54D9CCA-F23F-11EA-9755-EFD0F1F792D9}	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Interface\{ABEF51AE-1493-49F4-AA03-EFAF106BF086}\TypeLib	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{08E25756-08A2-41AF-A05F-D7C661ABAEBE}\TypeLib\Version = "1.3"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{F4D803B4-9B2D-4377-BFE6-9702E881516B}\TypeLib	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5BAE19D0-CA40-4CA2-A485-C8065190BBE5}\ProxyStubClsid32\ = "{0BB3B78C-1807-4249-5BA5-EA42D66AF0BF}"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D7B98D2B-30E8-447E-99CB-E31BECAE6AE4}\ = "IProgress"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D7569351-1750-46F0-936E-BD127D5BC264}\1.3	VirtualBox.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{41304F1B-7E72-4F34-B8F6-682785620C57}\ = "IExtPackFile"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A54D9CCA-F23F-11EA-9755-EFD0F1F792D9}\ProxyStubClsid32\ = "{0BB3B78C-1807-4249-5BA5-EA42D66AF0BF}"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9E106366-4521-44CC-DF95-186E4D057C83}\ = "IVBoxSVCRegistration"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{CEB482FC-41B9-42A8-8538-9835EA33B6F2}\TypeLib	VirtualBox.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FF5BEFC3-4BA3-7903-2AA4-43988BA11554}\NumMethods	VirtualBox.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E062A915-3CF5-4C0A-BC90-9B8D4CC94D89}\NumMethods	VirtualBox.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{6A5E65BA-EEB9-11EA-AE38-73242BC0F172}	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8B2B6773-8B5A-4CD2-95F8-38FAF73913E1}\TypeLib\ = "{D7569351-1750-46F0-936E-BD127D5BC264}"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C1844087-EC6B-488D-AFBB-C90F6452A04B}\ProxyStubClsid32\ = "{0BB3B78C-1807-4249-5BA5-EA42D66AF0BF}"	msiexec.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
4216	VirtualBox.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
212	msiexec.exe
212	msiexec.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
660	Process not Found
660	Process not Found

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3656	VirtualBox-7.1.6-167084-Win.exe
Token: SeIncreaseQuotaPrivilege	3656	VirtualBox-7.1.6-167084-Win.exe
Token: SeSecurityPrivilege	212	msiexec.exe
Token: SeCreateTokenPrivilege	3656	VirtualBox-7.1.6-167084-Win.exe
Token: SeAssignPrimaryTokenPrivilege	3656	VirtualBox-7.1.6-167084-Win.exe
Token: SeLockMemoryPrivilege	3656	VirtualBox-7.1.6-167084-Win.exe
Token: SeIncreaseQuotaPrivilege	3656	VirtualBox-7.1.6-167084-Win.exe
Token: SeMachineAccountPrivilege	3656	VirtualBox-7.1.6-167084-Win.exe
Token: SeTcbPrivilege	3656	VirtualBox-7.1.6-167084-Win.exe
Token: SeSecurityPrivilege	3656	VirtualBox-7.1.6-167084-Win.exe
Token: SeTakeOwnershipPrivilege	3656	VirtualBox-7.1.6-167084-Win.exe
Token: SeLoadDriverPrivilege	3656	VirtualBox-7.1.6-167084-Win.exe
Token: SeSystemProfilePrivilege	3656	VirtualBox-7.1.6-167084-Win.exe
Token: SeSystemtimePrivilege	3656	VirtualBox-7.1.6-167084-Win.exe
Token: SeProfSingleProcessPrivilege	3656	VirtualBox-7.1.6-167084-Win.exe
Token: SeIncBasePriorityPrivilege	3656	VirtualBox-7.1.6-167084-Win.exe
Token: SeCreatePagefilePrivilege	3656	VirtualBox-7.1.6-167084-Win.exe
Token: SeCreatePermanentPrivilege	3656	VirtualBox-7.1.6-167084-Win.exe
Token: SeBackupPrivilege	3656	VirtualBox-7.1.6-167084-Win.exe
Token: SeRestorePrivilege	3656	VirtualBox-7.1.6-167084-Win.exe
Token: SeShutdownPrivilege	3656	VirtualBox-7.1.6-167084-Win.exe
Token: SeDebugPrivilege	3656	VirtualBox-7.1.6-167084-Win.exe
Token: SeAuditPrivilege	3656	VirtualBox-7.1.6-167084-Win.exe
Token: SeSystemEnvironmentPrivilege	3656	VirtualBox-7.1.6-167084-Win.exe
Token: SeChangeNotifyPrivilege	3656	VirtualBox-7.1.6-167084-Win.exe
Token: SeRemoteShutdownPrivilege	3656	VirtualBox-7.1.6-167084-Win.exe
Token: SeUndockPrivilege	3656	VirtualBox-7.1.6-167084-Win.exe
Token: SeSyncAgentPrivilege	3656	VirtualBox-7.1.6-167084-Win.exe
Token: SeEnableDelegationPrivilege	3656	VirtualBox-7.1.6-167084-Win.exe
Token: SeManageVolumePrivilege	3656	VirtualBox-7.1.6-167084-Win.exe
Token: SeImpersonatePrivilege	3656	VirtualBox-7.1.6-167084-Win.exe
Token: SeCreateGlobalPrivilege	3656	VirtualBox-7.1.6-167084-Win.exe
Token: SeCreateTokenPrivilege	3656	VirtualBox-7.1.6-167084-Win.exe
Token: SeAssignPrimaryTokenPrivilege	3656	VirtualBox-7.1.6-167084-Win.exe
Token: SeLockMemoryPrivilege	3656	VirtualBox-7.1.6-167084-Win.exe
Token: SeIncreaseQuotaPrivilege	3656	VirtualBox-7.1.6-167084-Win.exe
Token: SeMachineAccountPrivilege	3656	VirtualBox-7.1.6-167084-Win.exe
Token: SeTcbPrivilege	3656	VirtualBox-7.1.6-167084-Win.exe
Token: SeSecurityPrivilege	3656	VirtualBox-7.1.6-167084-Win.exe
Token: SeTakeOwnershipPrivilege	3656	VirtualBox-7.1.6-167084-Win.exe
Token: SeLoadDriverPrivilege	3656	VirtualBox-7.1.6-167084-Win.exe
Token: SeSystemProfilePrivilege	3656	VirtualBox-7.1.6-167084-Win.exe
Token: SeSystemtimePrivilege	3656	VirtualBox-7.1.6-167084-Win.exe
Token: SeProfSingleProcessPrivilege	3656	VirtualBox-7.1.6-167084-Win.exe
Token: SeIncBasePriorityPrivilege	3656	VirtualBox-7.1.6-167084-Win.exe
Token: SeCreatePagefilePrivilege	3656	VirtualBox-7.1.6-167084-Win.exe
Token: SeCreatePermanentPrivilege	3656	VirtualBox-7.1.6-167084-Win.exe
Token: SeBackupPrivilege	3656	VirtualBox-7.1.6-167084-Win.exe
Token: SeRestorePrivilege	3656	VirtualBox-7.1.6-167084-Win.exe
Token: SeShutdownPrivilege	3656	VirtualBox-7.1.6-167084-Win.exe
Token: SeDebugPrivilege	3656	VirtualBox-7.1.6-167084-Win.exe
Token: SeAuditPrivilege	3656	VirtualBox-7.1.6-167084-Win.exe
Token: SeSystemEnvironmentPrivilege	3656	VirtualBox-7.1.6-167084-Win.exe
Token: SeChangeNotifyPrivilege	3656	VirtualBox-7.1.6-167084-Win.exe
Token: SeRemoteShutdownPrivilege	3656	VirtualBox-7.1.6-167084-Win.exe
Token: SeUndockPrivilege	3656	VirtualBox-7.1.6-167084-Win.exe
Token: SeSyncAgentPrivilege	3656	VirtualBox-7.1.6-167084-Win.exe
Token: SeEnableDelegationPrivilege	3656	VirtualBox-7.1.6-167084-Win.exe
Token: SeManageVolumePrivilege	3656	VirtualBox-7.1.6-167084-Win.exe
Token: SeImpersonatePrivilege	3656	VirtualBox-7.1.6-167084-Win.exe
Token: SeCreateGlobalPrivilege	3656	VirtualBox-7.1.6-167084-Win.exe
Token: SeCreateTokenPrivilege	3656	VirtualBox-7.1.6-167084-Win.exe
Token: SeAssignPrimaryTokenPrivilege	3656	VirtualBox-7.1.6-167084-Win.exe
Token: SeLockMemoryPrivilege	3656	VirtualBox-7.1.6-167084-Win.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
3656	VirtualBox-7.1.6-167084-Win.exe
3656	VirtualBox-7.1.6-167084-Win.exe
4216	VirtualBox.exe

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 212 wrote to memory of 2320	212	msiexec.exe	89
PID 212 wrote to memory of 2320	212	msiexec.exe	89
PID 212 wrote to memory of 2824	212	msiexec.exe	97
PID 212 wrote to memory of 2824	212	msiexec.exe	97
PID 212 wrote to memory of 2796	212	msiexec.exe	99
PID 212 wrote to memory of 2796	212	msiexec.exe	99
PID 212 wrote to memory of 4640	212	msiexec.exe	100
PID 212 wrote to memory of 4640	212	msiexec.exe	100
PID 212 wrote to memory of 4640	212	msiexec.exe	100
PID 212 wrote to memory of 4668	212	msiexec.exe	101
PID 212 wrote to memory of 4668	212	msiexec.exe	101
PID 212 wrote to memory of 4168	212	msiexec.exe	104
PID 212 wrote to memory of 4168	212	msiexec.exe	104
PID 212 wrote to memory of 4168	212	msiexec.exe	104
PID 5116 wrote to memory of 4224	5116	svchost.exe	107
PID 5116 wrote to memory of 4224	5116	svchost.exe	107
PID 5116 wrote to memory of 4220	5116	svchost.exe	108
PID 5116 wrote to memory of 4220	5116	svchost.exe	108
PID 5116 wrote to memory of 4628	5116	svchost.exe	110
PID 5116 wrote to memory of 4628	5116	svchost.exe	110
PID 5116 wrote to memory of 1080	5116	svchost.exe	111
PID 5116 wrote to memory of 1080	5116	svchost.exe	111
PID 5116 wrote to memory of 5056	5116	svchost.exe	112
PID 5116 wrote to memory of 5056	5116	svchost.exe	112
PID 5116 wrote to memory of 3892	5116	svchost.exe	113
PID 5116 wrote to memory of 3892	5116	svchost.exe	113
PID 5116 wrote to memory of 4704	5116	svchost.exe	114
PID 5116 wrote to memory of 4704	5116	svchost.exe	114
PID 3656 wrote to memory of 4216	3656	VirtualBox-7.1.6-167084-Win.exe	115
PID 3656 wrote to memory of 4216	3656	VirtualBox-7.1.6-167084-Win.exe	115

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\VirtualBox-7.1.6-167084-Win.exe
"C:\Users\Admin\AppData\Local\Temp\VirtualBox-7.1.6-167084-Win.exe"
1⤵
- Enumerates connected drives
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:3656
- C:\Program Files\Oracle\VirtualBox\VirtualBox.exe
  "C:\Program Files\Oracle\VirtualBox\VirtualBox.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies registry class
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of FindShellTrayWindow
  PID:4216

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:212
- C:\Windows\System32\MsiExec.exe
  C:\Windows\System32\MsiExec.exe -Embedding 3D9748717931144C9283A13717535DBE C
  2⤵
  - Loads dropped DLL
  PID:2320
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  PID:2824
- C:\Windows\System32\MsiExec.exe
  C:\Windows\System32\MsiExec.exe -Embedding 710E160B0F83F79499E404581A0A6B36
  2⤵
  - Drops file in Drivers directory
  - Drops file in Windows directory
  - Loads dropped DLL
  - Checks SCSI registry key(s)
  PID:2796
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 037CB014590464520B7634D2BF1F99C7
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:4640
- C:\Windows\System32\MsiExec.exe
  C:\Windows\System32\MsiExec.exe -Embedding 4B74D0715E69BCAD61EA62E721042CE1 E Global\MSI0000
  2⤵
  - Drops file in Drivers directory
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Loads dropped DLL
  - Checks SCSI registry key(s)
  PID:4668
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 1EB49AC7DBBB48208D936CC74DE20064 M Global\MSI0000
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4168

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
PID:4956

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s DeviceInstall
1⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Suspicious use of WriteProcessMemory
PID:5116
- C:\Windows\system32\DrvInst.exe
  DrvInst.exe "4" "1" "C:\Program Files\Oracle\VirtualBox\drivers\network\netlwf\VBoxNetLwf.inf" "9" "431e52bcb" "0000000000000148" "WinSta0\Default" "0000000000000150" "208" "C:\Program Files\Oracle\VirtualBox\drivers\network\netlwf"
  2⤵
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Checks SCSI registry key(s)
  - Modifies data under HKEY_USERS
  PID:4224
- C:\Windows\system32\DrvInst.exe
  DrvInst.exe "4" "1" "C:\Program Files\Oracle\VirtualBox\drivers\network\netadp6\VBoxNetAdp6.inf" "9" "473b17b7b" "0000000000000174" "WinSta0\Default" "0000000000000150" "208" "C:\Program Files\Oracle\VirtualBox\drivers\network\netadp6"
  2⤵
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Checks SCSI registry key(s)
  - Modifies data under HKEY_USERS
  PID:4220
- C:\Windows\system32\DrvInst.exe
  DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{61f03951-2cd3-8549-bf17-11179b7751c0}\VBoxSup.inf" "9" "4edacf3f3" "000000000000015C" "WinSta0\Default" "0000000000000140" "208" "C:\Program Files\Oracle\VirtualBox\drivers\vboxsup"
  2⤵
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Checks SCSI registry key(s)
  - Modifies data under HKEY_USERS
  PID:4628
- C:\Windows\system32\DrvInst.exe
  DrvInst.exe "8" "14" "C:\Windows\System32\DriverStore\FileRepository\vboxsup.inf_amd64_51feefe6fa2584ec\vboxsup.inf" "0" "4edacf3f3" "0000000000000140" "WinSta0\Default"
  2⤵
  - Drops file in Drivers directory
  - Drops file in Windows directory
  PID:1080
- C:\Windows\system32\DrvInst.exe
  DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{03d37116-ef56-4d49-947b-73f4dd8412a3}\VBoxUSB.inf" "9" "4f05f54f7" "0000000000000170" "WinSta0\Default" "000000000000015C" "208" "C:\Program Files\Oracle\VirtualBox\drivers\USB\device"
  2⤵
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Checks SCSI registry key(s)
  - Modifies data under HKEY_USERS
  PID:5056
- C:\Windows\system32\DrvInst.exe
  DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{efcbfb9c-e245-ab49-afaf-2a7bafd0bc2a}\VBoxUSBMon.inf" "9" "4e4e9030b" "000000000000015C" "WinSta0\Default" "000000000000016C" "208" "C:\Program Files\Oracle\VirtualBox\drivers\USB\filter"
  2⤵
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Checks SCSI registry key(s)
  - Modifies data under HKEY_USERS
  PID:3892
- C:\Windows\system32\DrvInst.exe
  DrvInst.exe "8" "14" "C:\Windows\System32\DriverStore\FileRepository\vboxusbmon.inf_amd64_92b271dae027ffef\vboxusbmon.inf" "0" "4e4e9030b" "000000000000016C" "WinSta0\Default"
  2⤵
  - Drops file in Drivers directory
  - Drops file in Windows directory
  PID:4704

C:\Program Files\Oracle\VirtualBox\VBoxSVC.exe
"C:\Program Files\Oracle\VirtualBox\VBoxSVC.exe" -Embedding
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:4928

C:\Program Files\Oracle\VirtualBox\VBoxSDS.exe
"C:\Program Files\Oracle\VirtualBox\VBoxSDS.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1692

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Privilege Escalation

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e58a92d.rbs

Filesize
722KB

MD5
cc2709fe2b77b312c31d3d053fa8d51a

SHA1
b5d24397f66cff0fec59e9c020f23660773d52cf

SHA256
7909fe5ae3157c822b543629743f8cd13cb5cf1cead47c1a756c590a5d0369e5

SHA512
6becbfaec9a3039876e80aa2715e1b6451e18e420e92c208e383ddccb4863f1e236069026c5b6195ce6cdae4b5dce38493a412a2d61d0e3bb3c4623a7cab0845

Download Submit
C:\PROGRA~1\Oracle\VIRTUA~1\drivers\network\netlwf\VBoxNetLwf.cat

Filesize
11KB

MD5
18fd2f2ce49c749c0c8d4ea321661715

SHA1
af7f728e0403c4ba63480bc8ddd55cb3c4ac5f1e

SHA256
96eb758ee44b13d5df932e176addfd42bfd1eb27aa7ddec5801fae07e9797a65

SHA512
14be128511b33fefda28d2d98fc522f6c85230369b14cf78046a566e8df73734a6971208226523da3eb6445c32db4a805b4819cc315655d0e8dc4b547842575e

Download Submit
C:\PROGRA~1\Oracle\VIRTUA~1\drivers\network\netlwf\VBoxNetLwf.sys

Filesize
250KB

MD5
10ed4a0f400f1db09e258c99939f15c7

SHA1
4ed115fb4bece2aaf9b0d724330811cd2c7878b2

SHA256
b7d5361a58530add79cdce5544f41190196ea7b16b32c889627e8b5a61be8483

SHA512
a573233ca92ff878f79261bf7ebc10def90c0995c46527a2f5f3791f5e48cf54158c07af1e0d969ba4d196f182126ca2e4c9ab5a1464e6974b279a6038102a6b

Download Submit
C:\PROGRA~1\Oracle\VIRTUA~1\drivers\vboxsup\VBoxSup.cat

Filesize
11KB

MD5
7d1841943d1f332eb32e49de47d62e03

SHA1
a4c445ac6247f7919ce9cebf2b543800970a5d81

SHA256
86d86beec055d6bfcaa0d4906a919cb21789e89375d7b50270f85b6b3b5f9a33

SHA512
c6574b411c255f97efa343d168ee45365ffab6e195087722398cd3693336f6ac44cfc7b51f1e6ed328c7091f9c7a311672613c158e8a3b28d6862c2002a7b681

Download Submit
C:\PROGRA~1\Oracle\VIRTUA~1\drivers\vboxsup\VBoxSup.sys

Filesize
1.0MB

MD5
9b7cdaa9dfa551282134f4e75074f702

SHA1
e05035fcfe2369000a0264ab1c7eac9c40ecbb5c

SHA256
decc9f7c751ded1aaddc3528dd545837a2a2994c415e983f30a6af1747ac3acf

SHA512
7da4fe862ce314548977672494391370045b80c6bd38f74f82e1f39a88143f93b36c1c06feeca4668a4e29ad60ff73e5f615fd61c6b514bdd902042ab7698af2

Download Submit
C:\Program Files\Oracle\VirtualBox\VBoxProxyStub.dll

Filesize
936KB

MD5
dea158fd47abc3d173f6d8de13971372

SHA1
d42cdc78678744d4b23c338fe81e327c1d4d4abf

SHA256
701332a337b452e64a56bd7e1a1d7c76eb8b7fb7f6f63f74413866b7e2113980

SHA512
11f96f77dee048cf7a487334607d517ed3cb7ea0314f4daf719e361d9c6d0bc09c827081cfb6bb6403ecc174e5e6f4201e47c6c4ff186028380e0ac8240ddefa

Download Submit
C:\Program Files\Oracle\VirtualBox\drivers\network\netlwf\VBoxNetLwf.inf

Filesize
4KB

MD5
7da30975a6c38e9a0fe9676950f70033

SHA1
d0134da02edaf78b60143d9d6a310ab97137b709

SHA256
aee3b03ca632f7985c71c56d747ed61d0a83e8250f72c4e3cecaca43d6262cdb

SHA512
2ab29cfa41572e3b94680a298248d8d459da50d7f136ec1885a092f8c6550a6fbc5c0e256bdf42285cd7d9234f015d2a577e90989e8eeaa8f4a2780d69c87f01

Download Submit
C:\Program Files\Oracle\VirtualBox\drivers\vboxsup\VBoxSup.inf

Filesize
2KB

MD5
59048a0500cb88084655b38de2a3097f

SHA1
014f0f333df2fac12045fb89ce1042f3352241c4

SHA256
c3c0f8172fee9aeeff7d4ac43af0b0b9357f2f119b53c70377f015168586c546

SHA512
cb596dc5048d09186b011ea4a314b7355c2191fff0cae929ebaa919294ed17041006ae575122d7191bfa3572c4da3f75e109d10cbc847e48121de0ef2761b9c0

Download Submit
C:\Program Files\Oracle\VirtualBox\x86\VBoxProxyStub-x86.dll

Filesize
684KB

MD5
a575376c0da3e58d68ddb30cf903af50

SHA1
5c82c307d82d57b51f365006b7935f952b0775b1

SHA256
ac2e8cda8c16350c20115774413245d2ef4fe2ee76aca73b2b3c47ad4add6116

SHA512
b16a1920b5c51df04e2adfeefbbdc523dfb99586a6e397c43f521fc7111b28416cb4b72052d00a7d2f6ea3f04ae6935f4536ba27a456dc714296940e2b557a2c

Download Submit
C:\Users\Admin\.VirtualBox\VirtualBox.xml

Filesize
1KB

MD5
d9d28bd2ef7192fb0efb99607d7a0807

SHA1
7fb6f32f1c0f227118613dd7779e1bf0a6e2ce4a

SHA256
dad710b076d96b3de34a58363a3241935bfe205b7240ce57f9d85bf2058e6dd5

SHA512
e058987d5fd8ea6cd3c3081c7ac45ce1e3719c4a38b46390133b19539fad35a0d8ad699023a3d934d18e3356cb6def62bd197b5a32ad496b620469c55d9efb13

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB

Filesize
471B

MD5
42cff42b997443cb256b1289a350b1b6

SHA1
651afb301d9acc6d9c7306060597e6a5c30625fc

SHA256
5a0156e23df8fc05add3ecbdc44fb33b70d86fd08dcafad7fbb37b2107bb629a

SHA512
6e50f0b49cabdc45f4b1609a0d388d0c5c544bd3e957951f23637a3059da8500d7e1afe8e8b76d9bacdc2cbb6f7516d2bdbffc09a7e6fbe3a16c4d8100214cdd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EC9B1D0ABBD7F98B401D425828828CE_D2F6556190F7B1A25A117FFB5467EEBD

Filesize
727B

MD5
30d135e2903facc564d175c2b6e4044c

SHA1
5db057c161190338ffae691542cabe047fdd37e8

SHA256
4344543735255f395138e70373d859469b598f3c599c350249f9128dd81d812d

SHA512
df6337142a1187e0a049aa5866303783395d448aa6fa32fd3bddf07c23f01c343e361e81394ce36764b2e1e29b84e1a8b86068dd79a306180b77010c45176fd2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141

Filesize
727B

MD5
7ede1c2319349ee09eef9b918f848ee1

SHA1
907bc671d8865713c6c6758ab35d880bc195cd26

SHA256
0091300b2b650fad4fdf32c8681ca431aa280403bb7afec50e1e3b2232537c9e

SHA512
673710e89af144f22a6a69011341e48681cf2b46ec58fa7ceed13688f3dfa17e5c8ea9f8054cb99c054864ec980fa0acebdb480ce9abf4d1d7a8ec46dcfb5866

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB

Filesize
400B

MD5
d0906df8c15342312691ee417cfbdafd

SHA1
84eecedd9674479e335f80604980014d45e6325b

SHA256
6b7f881b55f8034d301b82d9b47b211998d31fc3b831aaada454e136552305e9

SHA512
388e6d2a7d86fe3416a2939c127705121393d069c5dd23b90a9d5777241977990eead55f32cf2b6ad7af74cbb4e9a76c0a22cd7c14503cd69363a355da987495

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8EC9B1D0ABBD7F98B401D425828828CE_D2F6556190F7B1A25A117FFB5467EEBD

Filesize
412B

MD5
5d4b5b9738ae47e78a090daa467758dc

SHA1
150a86e547266ae98c7beb900c73e2e37957f214

SHA256
81c038d69ab38d346abb017579bfaa081f411c778df879c1065e12db74605b8e

SHA512
f601160e14c76e517ce6a72b7d8c96933f686e62ac947b98b3e5d6283cef3dbdc17c74b62b2e00f378a2aa8b24fd3c034a90d0762681fd7d4ce296a47c0f788e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141

Filesize
412B

MD5
a17a1ed79f3b1c77d9cf830a92fad6b9

SHA1
3c239843aec0aa442548f5a5bbacdc6454b9a68a

SHA256
11bed63a0a4108d4419f637a4cdc149cdf3eeb714e04701b65592066239564e5

SHA512
9f8a5bb024065ab6bb19751ec8996411636347ac9bf612423431b2d79cf25bc9bb675871b4f13e31eadb0d29432c4a47271daa22ffa6183f8cdf0e16b5eb0d31

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSICD81.tmp

Filesize
476KB

MD5
39f6c48493b5225bae95cdb52c8bf69d

SHA1
f54e11158d71068dc61f2c3c2a9db471ecdfcadd

SHA256
55dcfb4404fd2a7ce72dabc23d856f7529f7ed4359e1af19eca2619c2bf840cd

SHA512
0c5a07e45ba250e253e5ec3fb87c191e9de46027ee1f8ff5fae4be0a4c0e8a7aac48f64d6fb12dfbdd1b77ee93b5c6740e36a5a90e6ff817dd5f18e3fe3bdd6b

Download Submit
C:\Windows\INF\oem0.PNF

Filesize
5KB

MD5
b3deed40ed6d08faf1e6e916132d8cbc

SHA1
ceafad5e5efe6e7bdd4774bf29c8d798c0a009fb

SHA256
82a3baa29f6642b25ee4861eb6b5c2cbe1a0d5662e36f9ce0258e39b356af7b5

SHA512
93866998fb85888eaf56a58bc2feb62594f8c97165d9eb76a722a3d1213e2c557f26be8a137aeb4b75222b20ed40108cdd9b5ffa64e6733530cab30d10c1c858

Download Submit
C:\Windows\INF\oem1.PNF

Filesize
5KB

MD5
8c3637053f8befb090559e6ba3a8ab04

SHA1
7add574ce73653163634b92fc4a19cf6e25a78e5

SHA256
860fd78a1208e2d025c3d50051c0b7c4434da0aa1071d565fa8339719f2ac1be

SHA512
c904985e30e479cb3aadaa307636eba283b8b03a3b9cef2aade50192a27d3d8a7b834f7b1ea7337435d2d5746fc21fd35b2580130d5b3c693bb00ab92de0ca72

Download Submit
C:\Windows\INF\oem2.PNF

Filesize
6KB

MD5
e1581f0ad1dea661f9646714dff4ff2c

SHA1
4b23e612b2dd1dc04728a2dcbf0d63d7cb619fa4

SHA256
b388cbc536ccf163016472d30ee7f00e578d098840afa485cdb92f73e2f02b51

SHA512
f1fac5722e224446fc31138aa39eba5eb6108a99f1e8c6a61e53b7327002f78e6bec169ab989337b00da291ae6ac7362c9602b6cb6617b8abd8581a747cbd4d7

Download Submit
C:\Windows\INF\oem3.PNF

Filesize
9KB

MD5
079676a4a5661b8e6e7d6b1fa12b9e9d

SHA1
25c17963385f87bed5ecb9cac89dd67014c85910

SHA256
1e6d1f3d7a5aec3b2a8cb66cdc5e5e7ffe8b8788d4988eac9cf3d91a0af8e434

SHA512
963ec1d216e50cca4dda708377acf5f751c15a8ada41759b3eabc7e0843713315bccf26a86741a0b9bc3015684f040810cec445098eba034d8b42de7ffea233f

Download Submit
C:\Windows\Installer\MSIAE60.tmp

Filesize
330KB

MD5
ac831c25bc16a05ee60aea5d79517434

SHA1
4946133e7fac34315a0ccaa30ca8ad383d5f0140

SHA256
947f8fd98efb1986df32a9c179eccf720376721798cc15d4cf9e31cdb8324869

SHA512
72f625386a7af35b58bdb70f35b8a29cd06c091f04e4cc2f9c7ec1c1ec194e4fb120b5528b55ed589c9daa890c1bdf8762dce1e17dd69a77ec7a002d2685ba5b

Download Submit
C:\Windows\System32\CatRoot2\dberr.txt

Filesize
37KB

MD5
93a210c5aa2818d891894e4187023e02

SHA1
a3d1e09b4ba3acc086e45973d452e27b48c8f852

SHA256
cc0c166e2bb90801af7a82b2f6833760ef4fcbb85dd5af22157319cd15cc1340

SHA512
aadf19614099bb1ecc27c186c4a8ade4169aca27ced524635bc7fc53dd653b040a0114ca32065de6b780d0e60ee9062a083af674aa0ce8160fd393471c631eb6

Download Submit
C:\Windows\System32\DriverStore\Temp\{04809618-39a2-e645-b459-28e091371ec3}\SETF315.tmp

Filesize
11KB

MD5
27eefd6a4c376a709a16793b3cf420da

SHA1
a3465d24e915ef51ad758df74de6787bd16d5ea3

SHA256
6323642efc5be5973787e2ecaf8ec6e5e09d72a3ecdc2799f9b6c06841862d8c

SHA512
52a296b56c8fdc9c214d139b47e2ec2ebb7339ee88ca65daa236e088b4dbf3cae392b6e0dc6ea93a23f1877654d335650e03054b39de3692b9b60c46abdfbaff

Download Submit
C:\Windows\System32\DriverStore\Temp\{04809618-39a2-e645-b459-28e091371ec3}\SETF316.tmp

Filesize
2KB

MD5
b54fa51b12cfc7a9a54fe666b64b8ade

SHA1
e17673b6636138209d98953d1f6d56b701bc0ba5

SHA256
5b9f68c1a69270234873701f8ad50e60487ad5b3103f7bb1953d0363ffaf61f6

SHA512
f2347994eff841006fbad5dd603875444c13702392dc52f4fb05ee297faf3cf2c617bffa9245f99b28e50171825517af59b2b87014213abf3a80060e6714a40c

Download Submit
C:\Windows\System32\DriverStore\Temp\{04809618-39a2-e645-b459-28e091371ec3}\SETF327.tmp

Filesize
176KB

MD5
337251c0585346f48901de919f1758c1

SHA1
6acf0a827435716d2a464f21c57e51fbf68466f1

SHA256
5c750a8d786aad679c0e13934f07bd5cdbf5e5b7fb68a6d62a58967bcf2562e2

SHA512
ac565a4b8ef61b48c0ea7ac8f304a045fce6a925e5cacc3a03646ab41dbf910d58ae65e6c3df3b5d75df4d4efa7f1cc1bf03e48bc7bba5815a9e2690fd1ce2af

Download Submit
C:\Windows\System32\DriverStore\Temp\{122479e5-1da6-4440-95e0-15927bb05443}\SETF48C.tmp

Filesize
11KB

MD5
a707e21804161083d77a12b91d3059f9

SHA1
2bb2e03cf8b024133bb501b769ec128d24f49194

SHA256
2969d9aa44c08db04529ec043d9a8c9e47b68ece7aa51ab6cb78f1c514c9e843

SHA512
9233a827cadec4ec8b44b0b5ed3526f2f45391f07a15256d9f68f943378079311893257532fe6e1bdfeacc2014d8f110f33f1db199aad9bf4573ac0794587da3

Download Submit
C:\Windows\System32\DriverStore\Temp\{122479e5-1da6-4440-95e0-15927bb05443}\SETF48D.tmp

Filesize
2KB

MD5
7ad88778968e6768a71bf7dd65444c3c

SHA1
ec753a59e7c6482e8bb1e72e9c5b5424092c26d8

SHA256
db8c675f4a9837eadf86654d586f2afd2d44e31be12f5c5cec2754d424ebb6e0

SHA512
2339e015305d601077ea17e3bd9d2d2649d64de350436d99d5f1d2a3bda84bf7610fac278094c87b628e4f3c51fb516fdb8f09a274bd532734543cb0eea284b6

Download Submit
C:\Windows\System32\DriverStore\Temp\{122479e5-1da6-4440-95e0-15927bb05443}\SETF49E.tmp

Filesize
190KB

MD5
44a46b8f144a04e18d341b9ac239ff20

SHA1
9e911d62c66b8fedff0cf5a9a9684b2f87221f7d

SHA256
ebcaba012c908d5584579ba927d4e7dfb3be28d91d7c369a2473b393915e933d

SHA512
144d7c3b3f4c63f8f04f786ddc7d553b83808afef47a9628b5f67493950a42d020469c75d536c1214186daae34fdd437eb2a9f7a2214b0e434b6d8decd57c3dc

Download Submit
C:\Windows\System32\DriverStore\Temp\{5ec086a5-c875-2e41-8ab2-879d9d9040aa}\VBoxNetAdp6.cat

Filesize
11KB

MD5
0a751919ada4675a3347d8f45a174b77

SHA1
5ab33ad59706d0456a6396bbecbf5cab9e13138d

SHA256
f42b04be8a339a383dd01b640f0fa274e31c18a1c531287d5d9182b0dc56870b

SHA512
aa3bb2b0a258e716ff975ae56e4dd0b14ca1bc1a0c8f56598d448ac2b78fe2b91d9ed4c109e04956860919f624c845d348a03f8ee223f6b8a776e3e33a69a2d2

Download Submit
C:\Windows\System32\DriverStore\Temp\{5ec086a5-c875-2e41-8ab2-879d9d9040aa}\VBoxNetAdp6.inf

Filesize
3KB

MD5
7bd5968035e290fc975a3655d2a30c08

SHA1
f07a370d4734c9b332b35d26b4d16d7ae1ec17b6

SHA256
c1af8774a2b6c246a31b8c3f5185fff67a856c4f96d55c21b4d0587b34e4611b

SHA512
2da219b9fc716499b2d8fa62084c5039d61660bf4ea26e48599eb4d10d95b4ba408e8415a092307b5731cc1de9201bb000848f68d7e79f6b03da453e223253ac

Download Submit
C:\Windows\System32\DriverStore\Temp\{5ec086a5-c875-2e41-8ab2-879d9d9040aa}\VBoxNetAdp6.sys

Filesize
240KB

MD5
bb13c7ae29af3d73e2e2326bd37ef752

SHA1
d2b5617fe2f2de0831d2ad0f6301e5cb88851261

SHA256
755120e64cec6673bf8ad2ed0cfb031dd71a31ab8fc063c1b26cc3a8b9198857

SHA512
6aa2a7c483dd205a6d0f667a5249f7eb23b45ee760de009400c208e73c21feda8d94ca428e4922303727e735a0f6026ddfd02bc419f2f280e68f2b55a93acf82

Download Submit
C:\Windows\System32\catroot2\dberr.txt

Filesize
37KB

MD5
cc2573a0eb0830b67913ac6bacc8df29

SHA1
1e6bb36341ee1f86a9bc12a92859c852318ca4c1

SHA256
1f7dec70d9234ca1d293d038dbcdcd6a6573c785ba356345b3f28a2115477381

SHA512
47aee3021e373dd8e9da3fb4bf939984d4a7c168f271e72221da99a9e7326bcf748d1557580e935ea4564622a3d99bed06d967f8139fd46d75bba6a5d557f5b5

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

Filesize
24.1MB

MD5
becfd5ae86260422fcfabe1af9dc5d49

SHA1
1a9ce8421cc52d3a16bbefaba49dc033fbeba411

SHA256
000feb7cb2ceb9a9b6b43eb5ca521aa08e899eb36a1bf88e1c174ce204cd09a9

SHA512
628a9ca850297a648cd99ba983dae0b4fdff5daf306a0a49862508b700dcd77729869429248a16e269af453ab4524f6bcd9fd5abb82acb5e0bd415c11672265f

Download Submit
\??\Volume{34ce0f29-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{fbabe41d-9009-495c-8db3-6f1103e158e6}_OnDiskSnapshotProp

Filesize
6KB

MD5
088fefdc691fa179d38b9de657fa88dd

SHA1
dec384e235263c56e2586288c534a8f4c2802132

SHA256
3902598ae0e843d8e3f158341da0075c22d098ed1b68f8034d0161df9ad8a725

SHA512
466487a3cb2318d1fc89f075937bb845e24e5a9a014ec1b98eb89ae0ce03f315d4003bfce047a181e5039c327b8f7b15f8ffae9940cdc781bfa91614611d3bae

Download Submit
memory/4216-657-0x00007FF7EC360000-0x00007FF7EC61A000-memory.dmp

Filesize
2.7MB

Download
memory/4216-659-0x00007FFEA8FA0000-0x00007FFEA9561000-memory.dmp

Filesize
5.8MB

Download
memory/4216-658-0x00007FFEAA3F0000-0x00007FFEABF3A000-memory.dmp

Filesize
27.3MB

Download