IOC Report
Portable-VirtualBox_v5.1.22-Starter_v6.4.10-Win_all.exe

Files

| File Path | Type | Category | Malicious |
|---|---|---|---|
| Portable-VirtualBox_v5.1.22-Starter_v6.4.10-Win_all.exe | PE32 executable (GUI) Intel 80386, for MS Windows | initial sample | malicious |
| C:\Users\user\Desktop\Portable-VirtualBox\Portable-VirtualBox.exe | PE32 executable (GUI) Intel 80386, for MS Windows | dropped | malicious |
| C:\Users\user\Desktop\Portable-VirtualBox\data\tools\7za.exe | PE32 executable (console) Intel 80386, for MS Windows | dropped | malicious |
| C:\Users\user\Desktop\Portable-VirtualBox\data\tools\mpress.exe | MS-DOS executable PE32 executable (console) Intel 80386 (stripped to external PDB), for MS Windows, MZ for MS-DOS | dropped | malicious |
| C:\Users\user\Desktop\Portable-VirtualBox\data\tools\snetcfg_x64.exe | PE32+ executable (console) x86-64, for MS Windows | dropped | malicious |
| C:\Users\user\Desktop\Portable-VirtualBox\data\tools\snetcfg_x86.exe | PE32 executable (console) Intel 80386, for MS Windows | dropped | malicious |
| C:\Users\user\Desktop\Portable-VirtualBox\data\tools\upx.exe | PE32 executable (console) Intel 80386 (stripped to external PDB), for MS Windows, UPX compressed | dropped | malicious |
| C:\Users\user\Desktop\Portable-VirtualBox\LiesMich.txt | Unicode text, UTF-8 text, with CRLF line terminators | dropped | |
| C:\Users\user\Desktop\Portable-VirtualBox\ReadMe.txt | ASCII text, with CRLF line terminators | dropped | |
| C:\Users\user\Desktop\Portable-VirtualBox\data\language\catalan.ini | Unicode text, UTF-8 (with BOM) text, with very long lines (496), with CRLF line terminators | dropped | |
| C:\Users\user\Desktop\Portable-VirtualBox\data\language\chinese.ini | Generic INItialization configuration [messages] | dropped | |
| C:\Users\user\Desktop\Portable-VirtualBox\data\language\english.ini | Generic INItialization configuration [messages] | dropped | |
| C:\Users\user\Desktop\Portable-VirtualBox\data\language\french.ini | Unicode text, UTF-8 (with BOM) text, with very long lines (380), with CRLF line terminators | dropped | |
| C:\Users\user\Desktop\Portable-VirtualBox\data\language\german.ini | Generic INItialization configuration [messages] | dropped | |
| C:\Users\user\Desktop\Portable-VirtualBox\data\language\italian.ini | Generic INItialization configuration [messages] | dropped | |
| C:\Users\user\Desktop\Portable-VirtualBox\data\language\japanese.ini | Non-ISO extended-ASCII text, with very long lines (343), with CRLF, NEL line terminators | dropped | |
| C:\Users\user\Desktop\Portable-VirtualBox\data\language\polish.ini | Generic INItialization configuration [messages] | dropped | |
| C:\Users\user\Desktop\Portable-VirtualBox\data\language\portuguese.ini | Generic INItialization configuration [messages] | dropped | |
| C:\Users\user\Desktop\Portable-VirtualBox\data\language\russian.ini | Generic INItialization configuration [messages] | dropped | |
| C:\Users\user\Desktop\Portable-VirtualBox\data\language\spanish.ini | Generic INItialization configuration [messages] | dropped | |
| C:\Users\user\Desktop\Portable-VirtualBox\data\language\ukrainian.ini | Generic INItialization configuration [messages] | dropped | |
| C:\Users\user\Desktop\Portable-VirtualBox\data\settings\SplashScreen.jpg | JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 480x360, components 3 | dropped | |
| C:\Users\user\Desktop\Portable-VirtualBox\data\settings\settings.ini | Generic INItialization configuration [usb] | dropped | |
| C:\Users\user\Desktop\Portable-VirtualBox\data\settings\vboxinstall.ini | Generic INItialization configuration [startvbox] | dropped | |
| C:\Users\user\Desktop\Portable-VirtualBox\data\tools\devcon_x64.exe | PE32+ executable (console) x86-64, for MS Windows | dropped | |
| C:\Users\user\Desktop\Portable-VirtualBox\data\tools\devcon_x86.exe | PE32 executable (console) Intel 80386, for MS Windows | dropped | |
| C:\Users\user\Desktop\Portable-VirtualBox\source\ColorConstants.au3 | C source, ASCII text, with CRLF line terminators | dropped | |
| C:\Users\user\Desktop\Portable-VirtualBox\source\Constants.au3 | C source, ASCII text, with CRLF line terminators | dropped | |
| C:\Users\user\Desktop\Portable-VirtualBox\source\DirConstants.au3 | C source, ASCII text, with CRLF line terminators | dropped | |
| C:\Users\user\Desktop\Portable-VirtualBox\source\FileConstants.au3 | C source, ASCII text, with CRLF line terminators | dropped | |
| C:\Users\user\Desktop\Portable-VirtualBox\source\FrameConstants.au3 | C source, ASCII text, with CRLF line terminators | dropped | |
| C:\Users\user\Desktop\Portable-VirtualBox\source\GUIConstantsEx.au3 | C source, ASCII text, with CRLF line terminators | dropped | |
| C:\Users\user\Desktop\Portable-VirtualBox\source\IE.au3 | C source, ASCII text, with CRLF line terminators | dropped | |
| C:\Users\user\Desktop\Portable-VirtualBox\source\Portable-VirtualBox.au3 | C source, ASCII text, with very long lines (391), with CRLF line terminators | dropped | |
| C:\Users\user\Desktop\Portable-VirtualBox\source\ProcessConstants.au3 | C source, ASCII text, with CRLF line terminators | dropped | |
| C:\Users\user\Desktop\Portable-VirtualBox\source\String.au3 | C source, Non-ISO extended-ASCII text, with CRLF line terminators | dropped | |
| C:\Users\user\Desktop\Portable-VirtualBox\source\UpDate.au3 | ASCII text, with CRLF line terminators | dropped | |
| C:\Users\user\Desktop\Portable-VirtualBox\source\VirtualBox.ico | MS Windows icon resource - 1 icon, 32x64, 32 bits/pixel | dropped | |
| C:\Users\user\Desktop\Portable-VirtualBox\source\WinAPIError.au3 | C source, ASCII text, with CRLF line terminators | dropped | |

29 further files are hidden in the original report and are not listed here.

Processes

| Path | Cmdline | Malicious |
|---|---|---|
| C:\Users\user\Desktop\Portable-VirtualBox_v5.1.22-Starter_v6.4.10-Win_all.exe | "C:\Users\user\Desktop\Portable-VirtualBox_v5.1.22-Starter_v6.4.10-Win_all.exe" | malicious |

URLs

| Name | IP | Malicious |
|---|---|---|
| http://www.autoitscript.com/forum/ | unknown | |
| http://www.debugbar.com/ | unknown | |
| http://www.win-lite.de/wbb/index.php?page=Board&&&boardID=153 | unknown | |
| http://www.autoitscript.com/forum/index.php?act=Search | unknown | |
| http://www.autoitscript.com/forum/index.php?showtopic=19368 | unknown | |
| http://www.virtualbox.org) | unknown | |
| http://upx.sf.netT | unknown | |
| http://www.vbox.me/update/ | unknown | |
| http://validator.w3.org/ | unknown | |
| http://www.vbox.me | unknown | |
| http://upx.sourceforge.net) | unknown | |
| http://www.win-lite.de/wbb/index.php?page=Board&boardID=153 | unknown | |
| http://www.autoitscript.com/forum/index.php?act=Search&CODE=01 | unknown | |
| http://download.virtualbox.org/virtualbox/5.1.22/VirtualBox-5.1.22-115126-Win.exe | unknown | |
| http://creativecommons.org/licenses/by-nc-sa/3.0/ | unknown | |
| http://slayeroffice.com/tools/modi/v2.0/modi_help.html | unknown | |
| http://download.virtualbox.org/virtualbox/5.1.22/Oracle_VM_VirtualBox_Extension_Pack-5.1.22-115126.v | unknown | |
| http://www.vbox.me/ | unknown | |
| http://www.virtualbox.org/wiki/VirtualBox_PUEL | unknown | |
| http://www.autoitscript.com | unknown | |
| http://www.matcode.com/mpress.htm) | unknown | |
| http://www.virtualbox.org | unknown | |
| http://www.fiddlertool.com/fiddler/ | unknown | |
| http://www.autoitscript.com/images/autoit_6_240x100.jpg | unknown | |

14 further URLs are hidden in the original report and are not listed here.

Memdumps

| Base Address | Regiontype | Protect | Malicious |
|---|---|---|---|
| 2250000 | heap | page read and write | |
| 2440000 | heap | page read and write | |
| 777000 | heap | page read and write | |
| 3EF0000 | trusted library allocation | page read and write | |
| 4F06000 | heap | page read and write | |
| 720000 | heap | page read and write | |
| 75E000 | heap | page read and write | |
| 427000 | unkown | page write copy | |
| 42D000 | unkown | page readonly | |
| 5A0000 | heap | page read and write | |
| 77F000 | heap | page read and write | |
| 71F000 | stack | page read and write | |
| 773000 | heap | page read and write | |
| 221E000 | stack | page read and write | |
| 4DA4000 | heap | page read and write | |
| 94F000 | stack | page read and write | |
| 2B65000 | heap | page read and write | |
| 797000 | heap | page read and write | |
| 58E000 | stack | page read and write | |
| 2444000 | heap | page read and write | |
| 1F0000 | heap | page read and write | |
| 777000 | heap | page read and write | |
| 19C000 | stack | page read and write | |
| 4D75000 | heap | page read and write | |
| 427000 | unkown | page read and write | |
| 773000 | heap | page read and write | |
| 4BF6000 | heap | page read and write | |
| 2A60000 | heap | page read and write | |
| 5F0000 | heap | page read and write | |
| 2255000 | heap | page read and write | |
| 4BF1000 | heap | page read and write | |
| 4F08000 | heap | page read and write | |
| 777000 | heap | page read and write | |
| 2220000 | direct allocation | page read and write | |
| 500000 | heap | page read and write | |
| 750000 | heap | page read and write | |
| 23DF000 | stack | page read and write | |
| 784000 | heap | page read and write | |
| 79C000 | heap | page read and write | |
| 42D000 | unkown | page readonly | |
| 98000 | stack | page read and write | |
| 2A50000 | heap | page read and write | |
| 401000 | unkown | page execute read | |
| 4D86000 | heap | page read and write | |
| 54E000 | stack | page read and write | |
| 2A61000 | heap | page read and write | |
| 29CF000 | stack | page read and write | |
| 616000 | heap | page read and write | |
| 75A000 | heap | page read and write | |
| 28CE000 | stack | page read and write | |
| 421000 | unkown | page readonly | |
| 794000 | heap | page read and write | |
| 225A000 | heap | page read and write | |
| 421000 | unkown | page readonly | |
| 79C000 | heap | page read and write | |
| 401000 | unkown | page execute read | |
| 2A6A000 | heap | page read and write | |
| 610000 | heap | page read and write | |
| 400000 | unkown | page readonly | |
| 782000 | heap | page read and write | |
| 400000 | unkown | page readonly | |

51 further memdumps are hidden in the original report and are not listed here.
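Sandbox text exports like this one print each table one cell per line, and the Malicious column is emitted only as the literal line "malicious" on rows the sandbox flagged, so a row spans a variable number of lines and the export is awkward to grep or feed into a blocklist. The parser below is an added example, not the sandbox's own tooling and not code from the Portable-VirtualBox project: it turns that export into records per section, keeps the "N hidden" footer counts, and adds two triage helpers, one listing the flagged rows and one collapsing the repeated memdump entries into distinct regions and picking out the executable ones. The section titles, column names and the literal "malicious" line are taken from this page and assumed to be stable across exports; SAMPLE is a constructed subset of rows copied from the report.

```python
"""Parse a sandbox IOC report text export into records (added example)."""
import re

# Section title -> fixed columns, in the order the export prints them.
# The trailing "Malicious" column appears only as the literal line
# "malicious" on flagged rows, so a row spans a variable number of lines.
SECTIONS = {
    "Files": ["File Path", "Type", "Category"],
    "Processes": ["Path", "Cmdline"],
    "URLs": ["Name", "IP"],
    "Memdumps": ["Base Address", "Regiontype", "Protect"],
}
FLAG = "Malicious"
HIDDEN_RE = re.compile(r"^There are (\d+) hidden ")

# Constructed sample: a few rows copied from the report above, in the export's
# one-cell-per-line layout ("unkown" is spelled as the export prints it).
SAMPLE = r"""Files

File Path
Type
Category
Malicious
Portable-VirtualBox_v5.1.22-Starter_v6.4.10-Win_all.exe
PE32 executable (GUI) Intel 80386, for MS Windows
initial sample
malicious
C:\Users\user\Desktop\Portable-VirtualBox\ReadMe.txt
ASCII text, with CRLF line terminators
dropped
There are 29 hidden files, click here to show them.

Memdumps

Base Address
Regiontype
Protect
Malicious
400000
unkown
page readonly
401000
unkown
page execute read
401000
unkown
page execute read
There are 51 hidden memdumps, click here to show them.
"""

def parse_report(text):
    """Return {section: {"rows": [record, ...], "hidden": count}}."""
    lines = [ln.strip() for ln in text.splitlines()]
    report, i = {}, 0
    while i < len(lines):
        title, i = lines[i], i + 1
        if title not in SECTIONS:
            continue                    # report name, blank lines, page residue
        cols = SECTIONS[title]
        header = cols + [FLAG]
        while i < len(lines) and lines[i] == "":
            i += 1
        if lines[i:i + len(header)] != header:
            raise ValueError(f"unexpected header layout in {title!r}")
        i += len(header)
        rows, hidden = [], 0
        while i < len(lines) and lines[i] != "":
            m = HIDDEN_RE.match(lines[i])
            if m:                       # "There are N hidden ..." footer
                hidden, i = int(m.group(1)), i + 1
                break
            values = lines[i:i + len(cols)]
            if len(values) < len(cols):
                raise ValueError(f"truncated row in {title!r}: {values}")
            i += len(cols)
            flagged = i < len(lines) and lines[i].lower() == FLAG.lower()
            if flagged:
                i += 1                  # consume the optional "malicious" line
            rows.append({**dict(zip(cols, values)), FLAG: flagged})
        report[title] = {"rows": rows, "hidden": hidden}
    return report

def flagged_rows(report, section):
    """Rows the sandbox marked malicious in one section."""
    return [r for r in report[section]["rows"] if r[FLAG]]

def region_map(report):
    """Distinct memdump regions as (base, type, protection), sorted by base;
    the export repeats a base when the same region was dumped more than once."""
    return sorted({(int(r["Base Address"], 16), r["Regiontype"], r["Protect"])
                   for r in report["Memdumps"]["rows"]})

def executable_regions(report):
    """Regions whose page protection allows execution, i.e. where code lives."""
    return [reg for reg in region_map(report) if "execute" in reg[2]]

if __name__ == "__main__":
    rep = parse_report(SAMPLE)
    print(flagged_rows(rep, "Files"))
    print([f"{b:#x} {k} {p}" for b, k, p in executable_regions(rep)])
```

Run it as a script to see the flagged files and the single executable region in the embedded sample, or pass the full export text to parse_report to get every section; the helpers only reorganise what the sandbox reported and make no judgement of their own about why a row was flagged.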