Edit tour

Windows Analysis Report
https://github.com/starise/win11-virtual-desktop-extension/releases/download/1.1.0/VirtualDesktopExtension-1.1.0.msi

Overview

General Information

Sample URL:	https://github.com/starise/win11-virtual-desktop-extension/releases/download/1.1.0/VirtualDesktopExtension-1.1.0.msi
Analysis ID:	1578196
Infos:

Detection

Score:	48
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Installs a global keyboard hook

Sample or dropped binary is a compiled AutoHotkey binary

Checks for available system drives (often done to infect USB drives)

Creates files inside the system directory

Deletes files inside the Windows folder

Drops PE files

Found dropped PE file which has not been started or loaded

Installs a global mouse hook

Queries keyboard layouts

Queries the volume information (name, serial number etc) of a device

Sigma detected: Startup Folder File Write

Stores files to the Windows start menu directory

Classification

Process Tree

System is w10x64_ra

chrome.exe (PID: 3808 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank" MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

chrome.exe (PID: 6748 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2212 --field-trial-handle=1940,i,17963621369457857308,10502918025744691634,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

msiexec.exe (PID: 2728 cmdline: "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Downloads\VirtualDesktopExtension-1.1.0.msi" MD5: E5DA170027542E25EDE42FC54C929077)

chrome.exe (PID: 6376 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" "https://github.com/starise/win11-virtual-desktop-extension/releases/download/1.1.0/VirtualDesktopExtension-1.1.0.msi" MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

msiexec.exe (PID: 1288 cmdline: C:\Windows\system32\msiexec.exe /V MD5: E5DA170027542E25EDE42FC54C929077)

msiexec.exe (PID: 7252 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding B27C57194D85AE4BFC86F7B8AC43A699 C MD5: 9D09DC1EDA745A5F87553048E57620CF)

msiexec.exe (PID: 7544 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding 1CF007D8F12414184BCAAD9763C7EB69 MD5: 9D09DC1EDA745A5F87553048E57620CF)

VirtualDesktopExtension.exe (PID: 7732 cmdline: "C:\Users\user\AppData\Roaming\Virtual Desktop Extension\VirtualDesktopExtension.exe" MD5: AFF8458E1DCB441F4186E8FF05BF55F0)

cleanup

Sigma Signatures

System Summary

Sigma detected: Startup Folder File Write

Source: File created

Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research): Data: EventID: 11, Image: C:\Windows\System32\msiexec.exe, ProcessId: 1288, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

Source: C:\Windows\System32\msiexec.exe

Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{E592FA79-3583-48CB-AF7B-0216F306753E}

Source: unknown	HTTPS traffic detected: 23.218.208.109:443 -> 192.168.2.16:49706 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.218.208.109:443 -> 192.168.2.16:49708 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 20.109.210.53:443 -> 192.168.2.16:49707 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 20.109.210.53:443 -> 192.168.2.16:49709 version: TLS 1.2

Source: C:\Windows\System32\msiexec.exe	File opened: z:
Source: C:\Windows\System32\msiexec.exe	File opened: x:
Source: C:\Windows\System32\msiexec.exe	File opened: v:
Source: C:\Windows\System32\msiexec.exe	File opened: t:
Source: C:\Windows\System32\msiexec.exe	File opened: r:
Source: C:\Windows\System32\msiexec.exe	File opened: p:
Source: C:\Windows\System32\msiexec.exe	File opened: n:
Source: C:\Windows\System32\msiexec.exe	File opened: l:
Source: C:\Windows\System32\msiexec.exe	File opened: j:
Source: C:\Windows\System32\msiexec.exe	File opened: h:
Source: C:\Windows\System32\msiexec.exe	File opened: f:
Source: C:\Windows\System32\msiexec.exe	File opened: b:
Source: C:\Windows\System32\msiexec.exe	File opened: y:
Source: C:\Windows\System32\msiexec.exe	File opened: w:
Source: C:\Windows\System32\msiexec.exe	File opened: u:
Source: C:\Windows\System32\msiexec.exe	File opened: s:
Source: C:\Windows\System32\msiexec.exe	File opened: q:
Source: C:\Windows\System32\msiexec.exe	File opened: o:
Source: C:\Windows\System32\msiexec.exe	File opened: m:
Source: C:\Windows\System32\msiexec.exe	File opened: k:
Source: C:\Windows\System32\msiexec.exe	File opened: i:
Source: C:\Windows\System32\msiexec.exe	File opened: g:
Source: C:\Windows\System32\msiexec.exe	File opened: e:
Source: C:\Windows\System32\msiexec.exe	File opened: c:
Source: C:\Windows\System32\msiexec.exe	File opened: a:

Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 192.229.211.108
Source: unknown	TCP traffic detected without corresponding DNS query: 23.218.208.109
Source: unknown	TCP traffic detected without corresponding DNS query: 23.218.208.109
Source: unknown	TCP traffic detected without corresponding DNS query: 23.218.208.109
Source: unknown	TCP traffic detected without corresponding DNS query: 23.218.208.109
Source: unknown	TCP traffic detected without corresponding DNS query: 23.218.208.109
Source: unknown	TCP traffic detected without corresponding DNS query: 23.218.208.109
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.10
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.10
Source: unknown	TCP traffic detected without corresponding DNS query: 23.218.208.109
Source: unknown	TCP traffic detected without corresponding DNS query: 23.218.208.109
Source: unknown	TCP traffic detected without corresponding DNS query: 23.218.208.109
Source: unknown	TCP traffic detected without corresponding DNS query: 23.218.208.109
Source: unknown	TCP traffic detected without corresponding DNS query: 23.218.208.109
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.10
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 23.218.208.109
Source: unknown	TCP traffic detected without corresponding DNS query: 23.218.208.109
Source: unknown	TCP traffic detected without corresponding DNS query: 23.218.208.109
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.10
Source: unknown	TCP traffic detected without corresponding DNS query: 23.218.208.109
Source: unknown	TCP traffic detected without corresponding DNS query: 23.218.208.109
Source: unknown	TCP traffic detected without corresponding DNS query: 23.218.208.109
Source: unknown	TCP traffic detected without corresponding DNS query: 192.229.211.108
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.10
Source: unknown	TCP traffic detected without corresponding DNS query: 192.229.211.108
Source: unknown	TCP traffic detected without corresponding DNS query: 192.229.211.108
Source: unknown	TCP traffic detected without corresponding DNS query: 192.229.211.108
Source: unknown	TCP traffic detected without corresponding DNS query: 192.229.211.108
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.10
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 192.229.211.108
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.10
Source: unknown	TCP traffic detected without corresponding DNS query: 192.229.211.108

Source: global traffic	DNS traffic detected: DNS query: github.com
Source: global traffic	DNS traffic detected: DNS query: objects.githubusercontent.com
Source: global traffic	DNS traffic detected: DNS query: www.google.com

Source: unknown	Network traffic detected: HTTP traffic on port 49698 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49708 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49699 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49699
Source: unknown	Network traffic detected: HTTP traffic on port 49709 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49698
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49697
Source: unknown	Network traffic detected: HTTP traffic on port 49673 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49706 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49678 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49697 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49702 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49709
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49708
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49707
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49706
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49702

Source: unknown	HTTPS traffic detected: 23.218.208.109:443 -> 192.168.2.16:49706 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.218.208.109:443 -> 192.168.2.16:49708 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 20.109.210.53:443 -> 192.168.2.16:49707 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 20.109.210.53:443 -> 192.168.2.16:49709 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Installs a global keyboard hook

Source: C:\Users\user\AppData\Roaming\Virtual Desktop Extension\VirtualDesktopExtension.exe	Windows user hook set: 0 keyboard low level C:\Users\user\AppData\Roaming\Virtual Desktop Extension\VirtualDesktopExtension.exe
Source: C:\Users\user\AppData\Roaming\Virtual Desktop Extension\VirtualDesktopExtension.exe	Windows user hook set: 0 mouse low level C:\Users\user\AppData\Roaming\Virtual Desktop Extension\VirtualDesktopExtension.exe
Source: C:\Users\user\AppData\Roaming\Virtual Desktop Extension\VirtualDesktopExtension.exe	Windows user hook set: 0 keyboard low level C:\Users\user\AppData\Roaming\Virtual Desktop Extension\VirtualDesktopExtension.exe
Source: C:\Users\user\AppData\Roaming\Virtual Desktop Extension\VirtualDesktopExtension.exe	Windows user hook set: 0 keyboard low level C:\Users\user\AppData\Roaming\Virtual Desktop Extension\VirtualDesktopExtension.exe

Source: C:\Users\user\AppData\Roaming\Virtual Desktop Extension\VirtualDesktopExtension.exe

Windows user hook set: 0 mouse low level C:\Users\user\AppData\Roaming\Virtual Desktop Extension\VirtualDesktopExtension.exe

System Summary

Sample or dropped binary is a compiled AutoHotkey binary

Source: C:\Users\user\AppData\Roaming\Virtual Desktop Extension\VirtualDesktopExtension.exe

Window found: window name: AutoHotkey

Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\39b783.msi
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIB929.tmp
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIB997.tmp
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIB9B7.tmp
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\inprogressinstallinfo.ipi
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\SourceHash{E592FA79-3583-48CB-AF7B-0216F306753E}
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIBA26.tmp
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\39b785.msi
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\39b785.msi

Source: C:\Windows\System32\msiexec.exe

File deleted: C:\Windows\Installer\MSIB929.tmp

Source: classification engine

Classification label: mal48.spyw.win@25/36@6/84

Source: C:\Program Files\Google\Chrome\Application\chrome.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps

Source: C:\Users\user\AppData\Roaming\Virtual Desktop Extension\VirtualDesktopExtension.exe	Mutant created: \Sessions\1\BaseNamedObjects\AHK Mouse
Source: C:\Users\user\AppData\Roaming\Virtual Desktop Extension\VirtualDesktopExtension.exe	Mutant created: \Sessions\1\BaseNamedObjects\AHK Keybd

Source: C:\Windows\System32\msiexec.exe

File created: C:\Users\user\AppData\Local\Temp\MSIA6BA.tmp

Source: C:\Windows\System32\msiexec.exe

File read: C:\Windows\win.ini

Source: C:\Users\user\AppData\Roaming\Virtual Desktop Extension\VirtualDesktopExtension.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: unknown	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2212 --field-trial-handle=1940,i,17963621369457857308,10502918025744691634,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: unknown	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" "https://github.com/starise/win11-virtual-desktop-extension/releases/download/1.1.0/VirtualDesktopExtension-1.1.0.msi"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2212 --field-trial-handle=1940,i,17963621369457857308,10502918025744691634,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Windows\System32\msiexec.exe "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Downloads\VirtualDesktopExtension-1.1.0.msi"
Source: unknown	Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding B27C57194D85AE4BFC86F7B8AC43A699 C
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 1CF007D8F12414184BCAAD9763C7EB69
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Virtual Desktop Extension\VirtualDesktopExtension.exe "C:\Users\user\AppData\Roaming\Virtual Desktop Extension\VirtualDesktopExtension.exe"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Windows\System32\msiexec.exe "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Downloads\VirtualDesktopExtension-1.1.0.msi"
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding B27C57194D85AE4BFC86F7B8AC43A699 C
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 1CF007D8F12414184BCAAD9763C7EB69

Source: C:\Windows\System32\msiexec.exe	Section loaded: apphelp.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: aclayers.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc_os.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: msi.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: srpapi.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: tsappcmp.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: textinputframework.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: coreuicomponents.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: coremessaging.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: ntmarta.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: wintypes.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: wintypes.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: wintypes.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: textshaping.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: netapi32.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: wkscli.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: version.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: msihnd.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: dwmapi.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: pcacli.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: mpr.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: oleacc.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: windowscodecs.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: riched20.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: usp10.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: msls31.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: apphelp.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: aclayers.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc_os.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: msi.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: tsappcmp.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: netapi32.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: wkscli.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: srclient.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: spp.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: powrprof.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: vssapi.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: vsstrace.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: umpdc.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: version.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: rstrtmgr.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: ncrypt.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: ntasn1.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: pcacli.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: mpr.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: cabinet.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: linkinfo.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: ntshrui.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: cscapi.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: aclayers.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc_os.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msi.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: logoncli.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: logoncli.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: windows.ui.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: windowmanagementapi.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: textinputframework.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: inputhost.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: coreuicomponents.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: twinapi.appcore.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: coremessaging.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: coremessaging.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: twinapi.appcore.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: coremessaging.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: coreuicomponents.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: coremessaging.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: windows.ui.immersive.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: logoncli.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: logoncli.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: logoncli.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: logoncli.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: logoncli.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: aclayers.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc_os.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msi.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: logoncli.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: logoncli.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: logoncli.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: windows.ui.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: windowmanagementapi.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: textinputframework.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: inputhost.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: coremessaging.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: coreuicomponents.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: twinapi.appcore.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: coremessaging.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: twinapi.appcore.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: coreuicomponents.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: windows.ui.immersive.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: logoncli.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sxs.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\Virtual Desktop Extension\VirtualDesktopExtension.exe	Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Roaming\Virtual Desktop Extension\VirtualDesktopExtension.exe	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Roaming\Virtual Desktop Extension\VirtualDesktopExtension.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\Virtual Desktop Extension\VirtualDesktopExtension.exe	Section loaded: wininet.dll
Source: C:\Users\user\AppData\Roaming\Virtual Desktop Extension\VirtualDesktopExtension.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\Virtual Desktop Extension\VirtualDesktopExtension.exe	Section loaded: dwmapi.dll
Source: C:\Users\user\AppData\Roaming\Virtual Desktop Extension\VirtualDesktopExtension.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\Virtual Desktop Extension\VirtualDesktopExtension.exe	Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Roaming\Virtual Desktop Extension\VirtualDesktopExtension.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\Virtual Desktop Extension\VirtualDesktopExtension.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\Virtual Desktop Extension\VirtualDesktopExtension.exe	Section loaded: vcruntime140.dll
Source: C:\Users\user\AppData\Roaming\Virtual Desktop Extension\VirtualDesktopExtension.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\Virtual Desktop Extension\VirtualDesktopExtension.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Roaming\Virtual Desktop Extension\VirtualDesktopExtension.exe	Section loaded: actxprxy.dll
Source: C:\Users\user\AppData\Roaming\Virtual Desktop Extension\VirtualDesktopExtension.exe	Section loaded: kbdsg.dll
Source: C:\Users\user\AppData\Roaming\Virtual Desktop Extension\VirtualDesktopExtension.exe	Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Roaming\Virtual Desktop Extension\VirtualDesktopExtension.exe	Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Roaming\Virtual Desktop Extension\VirtualDesktopExtension.exe	Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Roaming\Virtual Desktop Extension\VirtualDesktopExtension.exe	Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Roaming\Virtual Desktop Extension\VirtualDesktopExtension.exe	Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Roaming\Virtual Desktop Extension\VirtualDesktopExtension.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\Virtual Desktop Extension\VirtualDesktopExtension.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\Virtual Desktop Extension\VirtualDesktopExtension.exe	Section loaded: wintypes.dll

Source: C:\Users\user\AppData\Roaming\Virtual Desktop Extension\VirtualDesktopExtension.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A6FF50C0-56C0-71CA-5732-BED303A59628}\InProcServer32

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\System32\msiexec.exe

Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{E592FA79-3583-48CB-AF7B-0216F306753E}

Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\Virtual Desktop Extension\VirtualDesktopAccessor.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Local\Temp\MSIA7A7.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\Virtual Desktop Extension\VirtualDesktopExtension.exe	Jump to dropped file

Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Virtual Desktop Extension
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Virtual Desktop Extension\Virtual Desktop Extension.lnk
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Virtual Desktop Extension.lnk

Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Virtual Desktop Extension\VirtualDesktopExtension.exe	Process information set: NOOPENFILEERRORBOX

Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Virtual Desktop Extension\VirtualDesktopAccessor.dll			Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSIA7A7.tmp			Jump to dropped file

Source: C:\Users\user\AppData\Roaming\Virtual Desktop Extension\VirtualDesktopExtension.exe

Key opened: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\00000807

Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation

Source: C:\Windows\System32\msiexec.exe

Process information queried: ProcessInformation

Source: C:\Users\user\AppData\Roaming\Virtual Desktop Extension\VirtualDesktopExtension.exe

Memory allocated: page read and write | page guard

Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	1 Replication Through Removable Media	Windows Management Instrumentation	1 Windows Service	1 Windows Service	11 Masquerading	111 Input Capture	1 Process Discovery	Remote Services	111 Input Capture	2 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 Registry Run Keys / Startup Folder	1 Process Injection	1 Disable or Modify Tools	LSASS Memory	11 Peripheral Device Discovery	Remote Desktop Protocol	Data from Removable Media	1 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	1 DLL Side-Loading	1 Registry Run Keys / Startup Folder	1 Process Injection	Security Account Manager	1 File and Directory Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	1 DLL Side-Loading	1 DLL Side-Loading	NTDS	22 System Information Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 File Deletion	LSA Secrets	Internet Connection Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact

Source	Detection	Scanner	Label	Link
https://github.com/starise/win11-virtual-desktop-extension/releases/download/1.1.0/VirtualDesktopExtension-1.1.0.msi	0%	Avira URL Cloud	safe

Dropped Files

Source	Detection	Scanner
C:\Users\user\AppData\Local\Temp\MSIA7A7.tmp	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Virtual Desktop Extension\VirtualDesktopAccessor.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Virtual Desktop Extension\VirtualDesktopExtension.exe	8%	ReversingLabs

Name	IP	Active	Malicious	Reputation
github.com	20.233.83.145	true	false	high
www.google.com	172.217.19.164	true	false	high
objects.githubusercontent.com	185.199.108.133	true	false	high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
1.1.1.1	unknown	Australia	13335	CLOUDFLARENETUS	false
239.255.255.250	unknown	Reserved	unknown	unknown	false
172.217.17.78	unknown	United States	15169	GOOGLEUS	false
185.199.108.133	objects.githubusercontent.com	Netherlands	54113	FASTLYUS	false
172.217.21.35	unknown	United States	15169	GOOGLEUS	false
172.217.19.164	www.google.com	United States	15169	GOOGLEUS	false
64.233.162.84	unknown	United States	15169	GOOGLEUS	false
20.233.83.145	github.com	United States	8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	false

Private

IP
192.168.2.16

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1578196
Start date and time:	2024-12-19 12:14:55 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultwindowsinteractivecookbook.jbs
Sample URL:	https://github.com/starise/win11-virtual-desktop-extension/releases/download/1.1.0/VirtualDesktopExtension-1.1.0.msi
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	21
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	EGA enabled
Analysis Mode:	stream
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal48.spyw.win@25/36@6/84

Warnings

Exclude process from analysis (whitelisted): svchost.exe
Excluded IPs from analysis (whitelisted): 172.217.21.35, 64.233.162.84, 172.217.17.78, 142.250.181.142
Excluded domains from analysis (whitelisted): clients2.google.com, accounts.google.com, redirector.gvt1.com, clientservices.googleapis.com, clients.l.google.com
Not all processes where analyzed, report is missing behavior information
VT rate limit hit for: https://github.com/starise/win11-virtual-desktop-extension/releases/download/1.1.0/VirtualDesktopExtension-1.1.0.msi

Created / dropped Files

C:\Config.Msi\39b784.rbs

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	11632
Entropy (8bit):	5.697675124875055
Encrypted:	false
SSDEEP:
MD5:	F2DAC49B810267B8309FBA8192904480
SHA1:	97E393D3E790E4F3198D4DFFF1A2E7B48358B0C8
SHA-256:	B5F8BFD170344C5B5F349657E0486C08A99F24454E3AF428DE7815E5130D9F1E
SHA-512:	B3B13FF428A0004EBE22D259A65AF3D1D59CCFBC65116548FCA70483C000A86F7241DC21B177B2682DB3AC1555838B9AE67B072741710810ABDDDA83D0D8C28A
Malicious:	false
Reputation:	unknown
Preview:	...@IXOS.@.....@.1.Y.@.....@.....@.....@.....@.....@......&.{E592FA79-3583-48CB-AF7B-0216F306753E}..Virtual Desktop Extension!.VirtualDesktopExtension-1.1.0.msi.@.....@.....@.....@......app.exe..&.{824DE1F3-815F-4A4E-946C-5BC640CC3E46}.....@.....@.....@.....@.......@.....@.....@.......@......Virtual Desktop Extension......Rollback..Rolling back action:....RollbackCleanup..Removing backup files..File: [1]....ProcessComponents..Updating component registration..&.{2B4C814D-B623-4E1C-ADD2-5D170D21B657}&.{E592FA79-3583-48CB-AF7B-0216F306753E}.@......&.{BB8B1DBF-36BF-4E76-A520-74E74E59394B}&.{E592FA79-3583-48CB-AF7B-0216F306753E}.@......&.{D3372013-9966-4E9C-94BC-26B854FD487C}&.{E592FA79-3583-48CB-AF7B-0216F306753E}.@......&.{BC85D0BF-4608-48B2-8A21-0064FCC32D88}&.{E592FA79-3583-48CB-AF7B-0216F306753E}.@......&.{DA2F2709-4268-409F-8F76-5E71D075E40F}&.{E592FA79-3583-48CB-AF7B-0216F306753E}.@......&.{563ED775-4A3E-4340-B0D9-6A0C0FB35FF9}&.{E592FA79-3583-48CB-AF7B-0216F306753E}.@......&.{2F40EE

C:\Users\user\AppData\Local\Temp\MSIA7A7.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	756576
Entropy (8bit):	6.616460351265781
Encrypted:	false
SSDEEP:
MD5:	36CD2870D577FF917BA93C9F50F86374
SHA1:	E51BAF257F5A3C3CD7B68690E36945FA3284E710
SHA-256:	8D3E94C47AF3DA706A9FE9E4428B2FEFD5E9E6C7145E96927FFFDF3DD5E472B8
SHA-512:	426FE493A25E99CA9630AD4706CA5AC062445391AB2087793637339F3742A5E1AF2CEDB4682BABC0C4E7F9E06FED0B4ED543DDEB6F4E6F75C50349C0354ACEDA
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......1.ZRu.4.u.4.u.4...7.~.4...1...4.sf0.g.4.sf7.b.4.sf1.;.4...0.l.4...2.t.4...5.\.4.u.5...4..f=...4..f4.t.4..f..t.4.u..t.4..f6.t.4.Richu.4.................PE..L...4.e.........."!...&............................................................i.....@A........................ ..........,....................N..`=.......x..p...p...............................@...............x............................text...j........................... ..`.rdata..H...........................@..@.data....%..........................@....rsrc...............................@..@.reloc...x.......z..................@..B................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Thu Dec 19 10:15:27 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2673
Entropy (8bit):	3.9884963945676386
Encrypted:	false
SSDEEP:
MD5:	EF3F908F228134E4E92D2C9B08D8A9C3
SHA1:	4B5713CE203F498CCB0309F216A8B32DFCACBF0C
SHA-256:	76B91A73B3FC06A45E1B696358CBA919135BECEC1627585DD23033EFC1E8A00A
SHA-512:	FA0BAC1CEADBA5D61874D44E3B1F4EAE39B6342E94DE9E67FF3DEA8F30F6BBD998CB0B2BDCDC00F3EC6840B43BA47101F063B90590C45DD842539A9455C8099A
Malicious:	false
Reputation:	unknown
Preview:	L..................F.@.. ...$+.,.....I.N.R..N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....FW.J..PROGRA~1..t......O.I.Y.Y....B...............J.........P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V.Y.Y....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.V.Y.Y....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.V.Y.Y..........................."&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.V.Y.Y...........................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i.............K......C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Thu Dec 19 10:15:27 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2675
Entropy (8bit):	4.003892604659012
Encrypted:	false
SSDEEP:
MD5:	606FF0DB1E2B3FDF50D2A239EC8F92CA
SHA1:	71F0254F7AECF37C8F8981E47A30CD7DE24F7779
SHA-256:	300113B1E5E3E3A6A6B552163BEC8F0B92BCE0D3B6832319FEBF0A4D03F0981D
SHA-512:	B77B3FAF663BE01AF57AA7D1927FEF260210E3DA5F0DFC97692643E474C9D9AFA7B06182747393D4DCB39051811DB41733805F06550A78164933BA60961C728E
Malicious:	false
Reputation:	unknown
Preview:	L..................F.@.. ...$+.,......N.R..N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....FW.J..PROGRA~1..t......O.I.Y.Y....B...............J.........P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V.Y.Y....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.V.Y.Y....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.V.Y.Y..........................."&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.V.Y.Y...........................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i.............K......C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Fri Oct 6 08:05:01 2023, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2689
Entropy (8bit):	4.013283705480714
Encrypted:	false
SSDEEP:
MD5:	1B175A267738CF9A35EADB9DE9BD0323
SHA1:	C53B15F7AD5F1A17CEFE0A76C6D2C03A04094F6B
SHA-256:	3F322CFCAFC9D2D1D1BB7F78A2F0E5A9A08E86AC4C2EB055501387042674F7D1
SHA-512:	2F54AD10CAF6BBB79FDADD0C7D50D27E9D5D5FB65CA0469A97C988D9C4A28F4D8DB9A9080A2ECD4A781CC8B0A617ADD44FEA243B1E08451EE700CF89A1E6B94D
Malicious:	false
Reputation:	unknown
Preview:	L..................F.@.. ...$+.,.....Y.04...N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....FW.J..PROGRA~1..t......O.I.Y.Y....B...............J.........P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V.Y.Y....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.V.Y.Y....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.V.Y.Y..........................."&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.VFW.E...........................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i.............K......C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Thu Dec 19 10:15:27 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2677
Entropy (8bit):	4.003302858529038
Encrypted:	false
SSDEEP:
MD5:	6C8D421966C593DC49D0C38D61DC1838
SHA1:	D3B228C868ED6BDA9AD6B8D41D88480187869FB6
SHA-256:	2A82AA2C9CEDDD299CE9489ED5DE316F5A32152930BE4CF27E8707C52E7582C1
SHA-512:	47A7A7D23EBF6ED2934B3CE4DC40C6826BF8E7341A831581B979602523083EA0BB0DE9096693F4EBC8D6635BD69411C010203D0D755A35FE8E9C34FF4392C633
Malicious:	false
Reputation:	unknown
Preview:	L..................F.@.. ...$+.,.....:.N.R..N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....FW.J..PROGRA~1..t......O.I.Y.Y....B...............J.........P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V.Y.Y....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.V.Y.Y....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.V.Y.Y..........................."&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.V.Y.Y...........................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i.............K......C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Thu Dec 19 10:15:27 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2677
Entropy (8bit):	3.9904264288335
Encrypted:	false
SSDEEP:
MD5:	8EB1FB1EADF91855114538D1113FEB1F
SHA1:	5A4C72C992E4F69B287468049744E190A102F7E1
SHA-256:	B3C0FA50F99E3D7AB4E0C55C3300BD4E64E5A654A61B068CF88E9F2DEDDFBAD7
SHA-512:	1E772A3CDF9F53C0932E83B05880D80BCAB6BA24D89D2B390334F1944DBBC87B917E685A96DFFA44EA65BDA12A867CB6DAC4544B934646B0677D761607B0013C
Malicious:	false
Reputation:	unknown
Preview:	L..................F.@.. ...$+.,....`/.N.R..N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....FW.J..PROGRA~1..t......O.I.Y.Y....B...............J.........P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V.Y.Y....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.V.Y.Y....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.V.Y.Y..........................."&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.V.Y.Y...........................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i.............K......C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Thu Dec 19 10:15:27 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2679
Entropy (8bit):	3.999214908396357
Encrypted:	false
SSDEEP:
MD5:	21FC770B20E9AAF717E09A9FAF306647
SHA1:	F1B87849E2C7E037F2E50AB5B5C5E9644432B57F
SHA-256:	3FDC57717549623AA203A5CFBF78EFC8591A111591B00E5D9328976A27DECD9D
SHA-512:	FABAB70EE90761A98B033872E960B2616C85E9264DDE5893BD9A8121738D2DDFEE78BB42F73771AB983EFDC895FADFD3901FC5233150F6D8ABF617F03DC28954
Malicious:	false
Reputation:	unknown
Preview:	L..................F.@.. ...$+.,.......N.R..N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....FW.J..PROGRA~1..t......O.I.Y.Y....B...............J.........P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V.Y.Y....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.V.Y.Y....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.V.Y.Y..........................."&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.V.Y.Y...........................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i.............K......C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Virtual Desktop Extension.lnk

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Description string, Has Relative path, Has Working directory, Archive, ctime=Mon Feb 26 02:43:26 2024, mtime=Thu Dec 19 10:15:42 2024, atime=Mon Feb 26 02:43:26 2024, length=667136, window=hide
Category:	dropped
Size (bytes):	1213
Entropy (8bit):	4.747378946584868
Encrypted:	false
SSDEEP:
MD5:	3D4509B7260963ACE177EC2E0D2E73DA
SHA1:	3FF7F70A543BFC09BC68F9BC95DFD4ADACB43657
SHA-256:	475E069D53D1C821C4A70D2666071EF4E1CA2716C21087B2C5AD38E60BBD2A8D
SHA-512:	959638D08A1019C13B0D6BD459B0B9349A6E352CC3011E249E7D500E56B5E9C17472788712746F7260566BE84DD9AD596B0692E24A46391ADD0FB5C81230DA00
Malicious:	false
Reputation:	unknown
Preview:	L..................F.... .....E.eh..s..W.R....E.eh............................:..DG..Yr?.D..U..k0.&...&.........{4....w.I.R.. ..W.R......t...CFSF..1.....FW.H..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......FW.H.Y.Y..............................A.p.p.D.a.t.a...B.V.1......Y.Y..Roaming.@......FW.H.Y.Y..........................k...R.o.a.m.i.n.g.....\|.1......Y.Y..VIRTUA~1..d......Y.Y.Y.Y.....Z....................U...V.i.r.t.u.a.l. .D.e.s.k.t.o.p. .E.x.t.e.n.s.i.o.n.......2.....ZXm. .VIRTUA~1.EXE..h......ZXm..Y.Y.....Z........................V.i.r.t.u.a.l.D.e.s.k.t.o.p.E.x.t.e.n.s.i.o.n...e.x.e.......................-.....................K......C:\Users\user\AppData\Roaming\Virtual Desktop Extension\VirtualDesktopExtension.exe....V.i.r.t.u.a.l. .D.e.s.k.t.o.p. .E.x.t.e.n.s.i.o.n.D.....\.....\.....\.....\.....\.V.i.r.t.u.a.l. .D.e.s.k.t.o.p. .E.x.t.e.n.s.i.o.n.\.V.i.r.t.u.a.l.D.e.s.k.t.o.p.E.x.t.e.n.s.i.o.n...e.x.e.8.C.:.\.U.s.e.r.s.\.c.a.l.i.\.A.p.p.D.a.t.a.\.R.o.a.m.i.n.g.\.V.i.r.t.

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Virtual Desktop Extension\Virtual Desktop Extension.lnk

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Description string, Has Relative path, Has Working directory, Archive, ctime=Mon Feb 26 02:43:26 2024, mtime=Thu Dec 19 10:15:42 2024, atime=Mon Feb 26 02:43:26 2024, length=667136, window=hide
Category:	dropped
Size (bytes):	1213
Entropy (8bit):	4.744868463090686
Encrypted:	false
SSDEEP:
MD5:	2C85234A7B2E55E06965848E2D2A8624
SHA1:	A29B4280F091274288ACEDDA626B31C47DDC8676
SHA-256:	79D50575E562FC900819BE37B7DCE71FB1B67E975C15BE5114475461E0D6D0B8
SHA-512:	DAF8E526D2CCEAD99F0D82FCF8FF84E817B7C6B5E9398AA29DB9A75EAD6DC3E589881F87ABF8AA0AC04A75CD22BED85DAE8DFAC8BC2E58AA942F07D014C55264
Malicious:	false
Reputation:	unknown
Preview:	L..................F.... .....E.eh...onW.R....E.eh............................:..DG..Yr?.D..U..k0.&...&.........{4....w.I.R.. ..W.R......t...CFSF..1.....FW.H..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......FW.H.Y.Y..............................A.p.p.D.a.t.a...B.V.1......Y.Y..Roaming.@......FW.H.Y.Y..........................k...R.o.a.m.i.n.g.....\|.1......Y.Y..VIRTUA~1..d......Y.Y.Y.Y.....Z....................U...V.i.r.t.u.a.l. .D.e.s.k.t.o.p. .E.x.t.e.n.s.i.o.n.......2.....ZXm. .VIRTUA~1.EXE..h......ZXm..Y.Y.....Z........................V.i.r.t.u.a.l.D.e.s.k.t.o.p.E.x.t.e.n.s.i.o.n...e.x.e.......................-.....................K......C:\Users\user\AppData\Roaming\Virtual Desktop Extension\VirtualDesktopExtension.exe....V.i.r.t.u.a.l. .D.e.s.k.t.o.p. .E.x.t.e.n.s.i.o.n.D.....\.....\.....\.....\.....\.V.i.r.t.u.a.l. .D.e.s.k.t.o.p. .E.x.t.e.n.s.i.o.n.\.V.i.r.t.u.a.l.D.e.s.k.t.o.p.E.x.t.e.n.s.i.o.n...e.x.e.8.C.:.\.U.s.e.r.s.\.c.a.l.i.\.A.p.p.D.a.t.a.\.R.o.a.m.i.n.g.\.V.i.r.t.

C:\Users\user\AppData\Roaming\Virtual Desktop Extension\LICENSE

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	753
Entropy (8bit):	5.018976491257682
Encrypted:	false
SSDEEP:
MD5:	BDA8002F197FD8CEE8CE96F5F492D8C7
SHA1:	EE8B86C10D8FC8921AEC11FF5925380467E6DD58
SHA-256:	7B2848724EAB9A0CC984D206685DB5BA6DD4D85B4BEDBF20ACE7705A789735C0
SHA-512:	4E39F9472087A7C17756F02E57C7829E5BD5C57B1CA96E6137DC657006CAC18B28A816D2D0815E3D3B78AC5D2D7FE506AB0BC5236E37B816A01479491166A90B
Malicious:	false
Reputation:	unknown
Preview:	ISC License..Copyright (c) 2024-present, Andrea Brandi..Permission to use, copy, modify, and/or distribute this software for any.purpose with or without fee is hereby granted, provided that the above.copyright notice and this permission notice appear in all copies...THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES.WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF.MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR.ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES.WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN.ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF.OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE..

C:\Users\user\AppData\Roaming\Virtual Desktop Extension\README.md

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Unicode text, UTF-8 text
Category:	dropped
Size (bytes):	1123
Entropy (8bit):	4.9158589933782295
Encrypted:	false
SSDEEP:
MD5:	9DF870F2E174C68AC5A7B36E89AE6B55
SHA1:	FC1FEFCFE30B648B50BA38538B4627A07BB800CF
SHA-256:	F95B25FB528DDDED9972E9C1E909037C846985988BD8B13F583B047132F27652
SHA-512:	AF22D301589A0AF6DD6F7F43E50CEAE2CC15BE01CCC61F0DBD138FD511E373EF1BABF7DD5286DD3F8E2A57FA9CBFF4E90589F38263921C6E768E5F8C1152F61E
Malicious:	false
Reputation:	unknown
Preview:	# Windows 11 Virtual Desktop Extension..![Windows 11 Virtual Desktop Extension Banner](Win11-Virtual-Desktop-Extension.png)..Requires at least Windows 11 Version 23H2 Build 22631.3085...- Enhance Windows 11 virtual desktops with additional keyboard shortcuts..- Switch between virtual desktops using the mouse wheel on taskbar and task view..- Move the current selected window to another virtual desktop..- Show current virtual desktop number on tray icon...## Additional Mouse & Keyboard Shortcuts..- `Mouse Wheel Up` (_on taskbar_) . Switch to the previous virtual desktop..- `Mouse Wheel Down` (_on taskbar_) . Switch to the next virtual desktop..- `Ctrl+Win+Shift + Left` . Move current window to the previous virtual desktop..- `Ctrl+Win+Shift + Right` . Move current window to the next virtual desktop...## Windows 11 Native Keyboard Shortcuts..- `Win + Tab` . Open Task View..- `Ctrl+Win + D` . Add a new virtual desktop..- `Ctrl+Win + F4` . Close the current virtual desktop..-

C:\Users\user\AppData\Roaming\Virtual Desktop Extension\VirtualDesktopAccessor.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	348672
Entropy (8bit):	6.289212368565391
Encrypted:	false
SSDEEP:
MD5:	CCDEFC4618AC481F3CE8D11B82AD52B5
SHA1:	7A56EFD3EF76DCF4343F3B7AB18DBD7CB3422C92
SHA-256:	F78FF6334F6C0EF5175EC0819026CEC31D421A564B9ED1EE1AC4B6ED98D4F999
SHA-512:	A516B59998A3560ED17D01E187A2B4180985F981EC3C5DCD1ADE3F8D19F3A64D0F2F5253721E9FC3A142672C59C2E6D1AF36DD55DCC34F7F92D0CB1ED63B3A40
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......l.%6(.Ke(.Ke(.Ke!..e .Ke=.Jd*.Ke=.Nd8.Ke=.Od/.Ke=.Hd+.Ke(.Je..Ke.Jd3.Ke(.Key.Ke.RKd).Ke.RId).KeRich(.Ke........................PE..d...S..e.........." ...%..................................................................`.........................................`.......4................0..P4...........p.......h..T....................i..(....g..@............................................text...7........................... ..`.rdata...>.......@..................@..@.data........ ......................@....pdata..P4...0...6..................@..@.reloc.......p.......L..............@..B........................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Virtual Desktop Extension\VirtualDesktopExtension.exe

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	MS-DOS executable PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows, MZ for MS-DOS
Category:	dropped
Size (bytes):	667136
Entropy (8bit):	7.291924562101168
Encrypted:	false
SSDEEP:
MD5:	AFF8458E1DCB441F4186E8FF05BF55F0
SHA1:	48F23169C9A268E1E4B9465B4FACAB002D41894D
SHA-256:	F33D2B680802FF85264D9F62B60061D0FEEE209E7DB50415FB542D86BB8FB2CF
SHA-512:	AC059A0B321982392D263F3D678E1E775F137322441D4063EC00DF073DAC92B654D59F2C7E9C8D7A7152320ED84377E118E2ABFAE9993EF333C3A7E1594673E8
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 8%
Reputation:	unknown
Preview:	MZ@.....................................!..L.!Win64 .EXE...$@...PE..d....:.e..........#....%.............T.........@.............................`............ ...@..............................................P.. ....`..........<...................................................................TQ...............................MPRESS1.@.......(.......................MPRESS2.....P..........................rsrc........`.......:..............@..............................................................v2.19d..'.. ..$ ...@.K...u..\...Y...2/%.#3..t..H..L.7HE.e..(..1H{\..Q.......\..uj?4k........Vv.....A'.f}.......F.8.?T`.>.\|5.7K<j!.`.....L...........+.....`!...P......o..a.c..&d.Hu.W..+......\|+)o.B...G.&B...`y.\|<[.^W.3YY..b..o.d.2.Ku....... e.~...jl..1.x.9h..iQ.=.n.=.,]...BO.-vD.5....k....n..9....v.L...h...X.....x.C3..)[S.........qs..Q.5.e:...n-.=.h.,...........($...."...p`.;..\.2..t...\}..O...5..m.G.j......"7[/+..We.q T.u.?.Hn......\|..0.Y.i.{.l..,..1\..n.....i1'..s^[-).

C:\Users\user\AppData\Roaming\Virtual Desktop Extension\icons\+.ico

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	MS Windows icon resource - 10 icons, 32x32, 16 colors, 4 bits/pixel, 16x16, 16 colors, 4 bits/pixel
Category:	dropped
Size (bytes):	95026
Entropy (8bit):	1.7829808768385567
Encrypted:	false
SSDEEP:
MD5:	E06B4E6D6F89095C33368D6EFCA4B359
SHA1:	5684DC7220073C16929B7433ABC658E7DBA93AAA
SHA-256:	550C50975AA4FA1E7783670282AFB6B55D07ADBCC6F5075A0D4F2AC45228B8B0
SHA-512:	AD6BFBEF4235626BE16CA263062FC75F82E4BAA6356D8E78228409B785B5AFAC9ABC26DF3479CFB3A262688D7ABDC12C16A2FBCC8C9841C1326450162AAF5906
Malicious:	false
Reputation:	unknown
Preview:	...... ......................(.......00.............. ..........^...........h............. .....n!........ .(...R0..00.... ..%..z8.. .... ....."^........ .h....n..(... ...@.........................................................................................................................................................................................................................................................................................................................................................................................p.....................................................................................................................................................................................................................................................................................................................................................................(....... .................................................................................

C:\Users\user\AppData\Roaming\Virtual Desktop Extension\icons\1.ico

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	MS Windows icon resource - 10 icons, 32x32, 16 colors, 4 bits/pixel, 16x16, 16 colors, 4 bits/pixel
Category:	dropped
Size (bytes):	93346
Entropy (8bit):	1.4767029893950183
Encrypted:	false
SSDEEP:
MD5:	17E059AB899802424D09E9B0802F004D
SHA1:	88194AB529727597B316924710D859A5B50A026D
SHA-256:	31060C423E8FAC1641B2437E473A0B105550D73A756C46FB99615B0C32DCF76D
SHA-512:	02C90320C3F216CA0C9914B353B909EEDBFFD045A4E8C7F05E2DC2FFF1A4EFFAF93A2B253FAE6A964C9C44DE65569E55AB030C8338264A221B04DCC3B6E8B6C2
Malicious:	false
Reputation:	unknown
Preview:	...... ......................(.......00.............. ..........^...........h............. .T...n!........ .(....)..00.... ..%...1.. .... ......W........ .h...:h..(... ...@.......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................p.......................................................................................................................................................................................................................................................................(....... .................................................................................

C:\Users\user\AppData\Roaming\Virtual Desktop Extension\icons\10.ico

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	MS Windows icon resource - 10 icons, 32x32, 16 colors, 4 bits/pixel, 16x16, 16 colors, 4 bits/pixel
Category:	dropped
Size (bytes):	97114
Entropy (8bit):	2.2251033973404963
Encrypted:	false
SSDEEP:
MD5:	88338DEA5818D6EDCC6A1F0D808BA2BE
SHA1:	0FFED29438C9191118D5A4FA92DDDD0167D8BCA1
SHA-256:	DC347B6BA5228DE6285E4506F8AEB85EF8ED02AD0598243BA32BD82F306385A1
SHA-512:	F0A4E0E301635B6A8844A0C50628FE3542495CBBF87620DE81E2725D38C289187991EB16271BBE8016C5CE0B88518978E7B3C3D711EE0ED3FB0EA4FAB0845E67
Malicious:	false
Reputation:	unknown
Preview:	...... ......................(.......00.............. ..........^...........h............. .....n!........ .(...z8..00.... ..%...@.. .... .....Jf........ .h....v..(... ...@.........................................................................................................................................................................................................................................wp.................................................................................................p...............p...............p...............p...............p....xp...............................................x............................................................................................................................................................................................................................................................................................(....... .................................................................................

C:\Users\user\AppData\Roaming\Virtual Desktop Extension\icons\2.ico

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	MS Windows icon resource - 10 icons, 32x32, 16 colors, 4 bits/pixel, 16x16, 16 colors, 4 bits/pixel
Category:	dropped
Size (bytes):	93711
Entropy (8bit):	1.679324883228845
Encrypted:	false
SSDEEP:
MD5:	11C55047C85E01A6BBB753147C9645EB
SHA1:	989E56BC70D2D4C8015C78D74E2AB300456F2C13
SHA-256:	F914BDAADEEB989B895587ED3EB52BFEB0F4BC7A5B2E80B427CEA6AE9EDFDDB2
SHA-512:	05DD0EAA967F7AA4BE2F6BE58703BC82969B1FD719BF7BBB2CAE2CC40B3192F13112CE20ABECDB98F0CB7708E333442D483AC0CC0164A1A9D6E7383035672C6B
Malicious:	false
Reputation:	unknown
Preview:	...... ......................(.......00.............. ..........^...........h............. .....n!........ .(.../+..00.... ..%..W3.. .... ......X........ .h....i..(... ...@.......................................................................................................................................................................................................................................................................................p................................p................................................p...........................................p................p...............................................ww.......................................................................................................................................................................................................................................................................(....... .................................................................................

C:\Users\user\AppData\Roaming\Virtual Desktop Extension\icons\3.ico

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	MS Windows icon resource - 10 icons, 32x32, 16 colors, 4 bits/pixel, 16x16, 16 colors, 4 bits/pixel
Category:	dropped
Size (bytes):	93864
Entropy (8bit):	1.6971715364213245
Encrypted:	false
SSDEEP:
MD5:	2C39063D5A7FA49C2B19E4DAA160EF11
SHA1:	EADF2BD05EF4B929D6CBEB2DCFCD50FF2C2E8B97
SHA-256:	02222308BE202DE61F3B106FEC550568DC517EB4352A478CA6514C018B709510
SHA-512:	34FCAC70107EE0873EB42A6BF8684588A052DCAA681A1A8A711EB8BC1FE90203D9F2411C9BDAE449BD81262DA1345481BA84E781FB6A022007848412F30E46A8
Malicious:	false
Reputation:	unknown
Preview:	...... ......................(.......00.............. ..........^...........h............. .Z...n!........ .(....+..00.... ..%...3.. .... ......Y........ .h...@j..(... ...@.....................................................................................................................................................................................................................................x...............................................p.................................................x..............................................w..................p............................p...............................................ww.......................................................................................................................................................................................................................................................................(....... .................................................................................

C:\Users\user\AppData\Roaming\Virtual Desktop Extension\icons\4.ico

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	MS Windows icon resource - 10 icons, 32x32, 16 colors, 4 bits/pixel, 16x16, 16 colors, 4 bits/pixel
Category:	dropped
Size (bytes):	93597
Entropy (8bit):	1.6123787639036842
Encrypted:	false
SSDEEP:
MD5:	076ADFFA8C7DDC78E5FE1BC9A62A6EFB
SHA1:	3774F263A36F4A564AC525301DB36FB4D3AA5E24
SHA-256:	346B4E83CA06FC118064C547BE332347B2B576CD29D9386B76672B0737FD862A
SHA-512:	D768A0634AFC7271710DEB66094BE82815174EBB684EA7C26FC04F2522F6A78C8713EFDD1A6CA76FA3CB3A5184EC3169137E76FE22DE891718AB0FF8C3F23EDC
Malicious:	false
Reputation:	unknown
Preview:	...... ......................(.......00.............. ..........^...........h............. .O...n!........ .(....*..00.... ..%...2.. .... ......X........ .h...5i..(... ...@.......................................................................................................................................................................................................................................xw.............................................................................................w..p..........x.................p................................................................................................................pp......................................................................................................................................................................................................................................................................(....... .................................................................................

C:\Users\user\AppData\Roaming\Virtual Desktop Extension\icons\5.ico

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	MS Windows icon resource - 10 icons, 32x32, 16 colors, 4 bits/pixel, 16x16, 16 colors, 4 bits/pixel
Category:	dropped
Size (bytes):	93692
Entropy (8bit):	1.6612587467165143
Encrypted:	false
SSDEEP:
MD5:	094293A097067640FF2A38270672EDAF
SHA1:	E47F7C72953D9266FD41D3F7832FDF5AF3684CD7
SHA-256:	8AD6A64BF416F4129727C5CD6E064B9ADA5FDAA5779E9EF72E60490F8CFCD414
SHA-512:	1E30432468A970F26D7A03DE791FABB0D212EC1000DFF9AF4B1B641AA2028ADED7BB52B55E813375E8314C0EF471A1C75728698E6F1309EF2EB862E298FFADB8
Malicious:	false
Reputation:	unknown
Preview:	...... ......................(.......00.............. ..........^...........h............. .....n!........ .(....+..00.... ..%..D3.. .... ......X........ .h....i..(... ...@.....................................................................................................................................................................................................................................x...................................p...........p...............................................................ww................................................................................wwp.....................................................................................................................................................................................................................................................................................................................(....... .................................................................................

C:\Users\user\AppData\Roaming\Virtual Desktop Extension\icons\6.ico

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	MS Windows icon resource - 10 icons, 32x32, 16 colors, 4 bits/pixel, 16x16, 16 colors, 4 bits/pixel
Category:	dropped
Size (bytes):	94016
Entropy (8bit):	1.7414677478263525
Encrypted:	false
SSDEEP:
MD5:	DBF9CAB3CC74D0F20BD93F212718BB77
SHA1:	F77F506BC8C5C03EF2DDA2FE1D1681F355BB5FD7
SHA-256:	1F85224C317A6EF270720D2BCE4B0EBCF2BA3D031872FDF5C6345AEDBA990472
SHA-512:	F07F55372F7F12C20D2139283C316029178608083700B25E6FBA07A24C9EC4F49E01ABFE2856DB25BFEB77E8F92F6C27004A3A099B9DE195C0A3D661824BF033
Malicious:	false
Reputation:	unknown
Preview:	...... ......................(.......00.............. ..........^...........h............. .....n!........ .(...`,..00.... ..%...4.. .... .....0Z........ .h....j..(... ...@........................................................................................................................................................................................................................................p.............................................p...............................................................pw..............................................pw................................p.............................x.................w......................................................................................................................................................................................................................................................................(....... .................................................................................

C:\Users\user\AppData\Roaming\Virtual Desktop Extension\icons\7.ico

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	MS Windows icon resource - 10 icons, 32x32, 16 colors, 4 bits/pixel, 16x16, 16 colors, 4 bits/pixel
Category:	dropped
Size (bytes):	93352
Entropy (8bit):	1.5558636255927867
Encrypted:	false
SSDEEP:
MD5:	8CC0AB3326D736D553314BB64AA06C42
SHA1:	12EC27CF776AB627FD270CA91ADFDFA7372AAC22
SHA-256:	AEE04509DC8F02897C711332FD553E0449D2D260A3360EE50637891336BD0487
SHA-512:	4ADD4D1FDF363829B4F4505084BF9F5D542FFC9252A1733DD09917CC32757951FBF19A84AD197463E0F1ECE83A99259F855650E28F8F91A9E386ABE7591EB2CE
Malicious:	false
Reputation:	unknown
Preview:	...... ......................(.......00.............. ..........^...........h............. .Z...n!........ .(....)..00.... ..%...1.. .... ......W........ .h...@h..(... ...@.....................................................................................................................................................................................................................................xw................p................................................................p............................................................................................................www.............................................ppppp.....................................................................................................................................................................................................................................................................(....... .................................................................................

C:\Users\user\AppData\Roaming\Virtual Desktop Extension\icons\8.ico

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	MS Windows icon resource - 10 icons, 32x32, 16 colors, 4 bits/pixel, 16x16, 16 colors, 4 bits/pixel
Category:	dropped
Size (bytes):	94044
Entropy (8bit):	1.7785408362543749
Encrypted:	false
SSDEEP:
MD5:	11634B68C5D1428B2C1AEF42E8C3F03C
SHA1:	4424A18B942C02D5799588E60F6609B7403B2FEF
SHA-256:	84E1D00CFEE7C5CEEAEE2F85E07685993C62AD2BDE3A4CCC41D97B521A17036A
SHA-512:	00B9BB95CF351266804DF4B193E2F061826027FEEEA0685D3895D5C09D6A96AD55A60736D7B3E907706B3EC7E7B2F1615B2884A45D61CE3C9DE4BAC17D9CB2E7
Malicious:	false
Reputation:	unknown
Preview:	...... ......................(.......00.............. ..........^...........h............. .....n!........ .(...\|,..00.... ..%...4.. .... .....LZ........ .h....j..(... ...@........................................................................................................................................................................................................................................p................p.............x..............p...............................p................x.................p...............................p............................p................................................................w.......................................................................................................................................................................................................................................................................(....... .................................................................................

C:\Users\user\AppData\Roaming\Virtual Desktop Extension\icons\9.ico

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	MS Windows icon resource - 10 icons, 32x32, 16 colors, 4 bits/pixel, 16x16, 16 colors, 4 bits/pixel
Category:	dropped
Size (bytes):	93960
Entropy (8bit):	1.7341744752963297
Encrypted:	false
SSDEEP:
MD5:	43F336C72B1A7D725B8405C665BA1FBE
SHA1:	39665851F7A7E6E1B462190FCC8291ACCD5B0AA2
SHA-256:	AFA2051C6BD8A42479E51691CC7A0A6234E27CDA8CC0F1454F6F9CEF2B82FF7B
SHA-512:	AC0A47CAAF2A802A0BF731D369133F1766786BC25388708164003D6E4EE9FA4A2DC773C9C01E3CE2039205D6194B6E696FBA76C76821057B7E63CA078251056B
Malicious:	false
Reputation:	unknown
Preview:	...... ......................(.......00.............. ..........^...........h............. .....n!........ .(...(,..00.... ..%..P4.. .... ......Y........ .h....j..(... ...@.........................................................................................................................................................................................................................................................................................................p............ww..............................................p...............................................................px.............................x................wp.......................................................................................................................................................................................................................................................................(....... .................................................................................

C:\Users\user\AppData\Roaming\Virtual Desktop Extension\icons\app.ico

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	MS Windows icon resource - 9 icons, 16x16, 32 bits/pixel, 24x24, 32 bits/pixel
Category:	dropped
Size (bytes):	166042
Entropy (8bit):	3.191186418762733
Encrypted:	false
SSDEEP:
MD5:	3FC0DC6608FF2E9D0ABE4A541AE51C37
SHA1:	5247D7860425ACF836C1420B477268D29E4BFF24
SHA-256:	8BDCC13A09139ED20B0E61970EA59BB853F9647F1BB07CD081DC915446BE1574
SHA-512:	FD023FA2FC245254C25764E955EB33B277878760E51568322FC81FAC5C83CD6EC13040936C6BB85998747382EC381CD3E8C04BCD94548C9B77D504F9775F53EF
Malicious:	false
Reputation:	unknown
Preview:	............ .h............. ......... .... .........00.... ..%......@@.... .(B...D..HH.... ..T......``.... ............... .(....p........ .D...Vx..(....... ..... ................................................................................................................+...+...+...+...+...+.......................................P...........................P...........................................2...........2.............................../...J...I...I...G...[...........[...G...I...I...J.../.......P......%...'...&...&...'...'...'...'...&...&...'...%........P......C...................................................C...........O................................................O...........N...........h...)..............u...)...p...........N...........N.......v.......r...................g..............N...........N..............*...o...........g...,..............N...........O.................................................O...........=...................................

C:\Users\user\Downloads\25752823-81bb-4f11-86ae-d907068630cd.tmp

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	Composite Document File V2 Document, Can't read SAT
Category:	dropped
Size (bytes):	8268
Entropy (8bit):	4.995287804715013
Encrypted:	false
SSDEEP:
MD5:	2C55BE7FE82A30211D68C1238C791603
SHA1:	9075B74B689C86C9C369D214A1B36EB3FBB50946
SHA-256:	1CA815026CB27784E79BEE6C00024188E5E5D168550C75F2B50A1C5AE64FCF26
SHA-512:	0699DAD8CD80ED9FA1E3A8FE9473C125E8352870C3F189B9553EBA5F194150665D61B28B7B232ED5081231ECBE22D0C565057CA6DC52A4C3E243CA0A941A3175
Malicious:	false
Reputation:	unknown
Preview:	......................>.......................................................j.......D...............................................................q...r...s...t...u...v...w...x...y...z...{...\|.......................................................................................................................................................................................................................................................................................................................................F...............$...7........................................................................................... ...!..."...#.......4...&...'...(...)...*...+...,...-......./...0...1...2...3...8...5...6...>...@...9...:...;...<...=...}...?...D...A...B...C...~...E...G...^...H...I...J...K... ...M...N...O...P...Q...R...S...T...U...V...W...X...Y...Z...[...\...]...^..._...`...a...b...c...d...e...f...g...h...i...........l...m...n...o...p...q...r...s...t...u...v...w...x...y...z...

C:\Users\user\Downloads\Unconfirmed 925116.crdownload (copy)

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	Composite Document File V2 Document, Can't read SAT
Category:	dropped
Size (bytes):	0
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:
MD5:	2C55BE7FE82A30211D68C1238C791603
SHA1:	9075B74B689C86C9C369D214A1B36EB3FBB50946
SHA-256:	1CA815026CB27784E79BEE6C00024188E5E5D168550C75F2B50A1C5AE64FCF26
SHA-512:	0699DAD8CD80ED9FA1E3A8FE9473C125E8352870C3F189B9553EBA5F194150665D61B28B7B232ED5081231ECBE22D0C565057CA6DC52A4C3E243CA0A941A3175
Malicious:	false
Reputation:	unknown
Preview:	......................>.......................................................j.......D...............................................................q...r...s...t...u...v...w...x...y...z...{...\|.......................................................................................................................................................................................................................................................................................................................................F...............$...7........................................................................................... ...!..."...#.......4...&...'...(...)...*...+...,...-......./...0...1...2...3...8...5...6...>...@...9...:...;...<...=...}...?...D...A...B...C...~...E...G...^...H...I...J...K... ...M...N...O...P...Q...R...S...T...U...V...W...X...Y...Z...[...\...]...^..._...`...a...b...c...d...e...f...g...h...i...........l...m...n...o...p...q...r...s...t...u...v...w...x...y...z...

C:\Users\user\Downloads\VirtualDesktopExtension-1.1.0.msi (copy)

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	Composite Document File V2 Document, Can't read SAT
Category:	dropped
Size (bytes):	0
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:
MD5:	2C55BE7FE82A30211D68C1238C791603
SHA1:	9075B74B689C86C9C369D214A1B36EB3FBB50946
SHA-256:	1CA815026CB27784E79BEE6C00024188E5E5D168550C75F2B50A1C5AE64FCF26
SHA-512:	0699DAD8CD80ED9FA1E3A8FE9473C125E8352870C3F189B9553EBA5F194150665D61B28B7B232ED5081231ECBE22D0C565057CA6DC52A4C3E243CA0A941A3175
Malicious:	false
Reputation:	unknown
Preview:	......................>.......................................................j.......D...............................................................q...r...s...t...u...v...w...x...y...z...{...\|.......................................................................................................................................................................................................................................................................................................................................F...............$...7........................................................................................... ...!..."...#.......4...&...'...(...)...*...+...,...-......./...0...1...2...3...8...5...6...>...@...9...:...;...<...=...}...?...D...A...B...C...~...E...G...^...H...I...J...K... ...M...N...O...P...Q...R...S...T...U...V...W...X...Y...Z...[...\...]...^..._...`...a...b...c...d...e...f...g...h...i...........l...m...n...o...p...q...r...s...t...u...v...w...x...y...z...

C:\Windows\Installer\39b783.msi

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Security: 0, Code page: 1252, Revision Number: {824DE1F3-815F-4A4E-946C-5BC640CC3E46}, Number of Words: 10, Subject: Virtual Desktop Extension, Author: Andrea Brandi, Name of Creating Application: Virtual Desktop Extension, Template: x64;1033, Comments: This installer database contains the logic and data required to install Virtual Desktop Extension., Title: Installation Database, Keywords: Installer, MSI, Database, Create Time/Date: Sun Feb 25 21:44:23 2024, Last Saved Time/Date: Sun Feb 25 21:44:23 2024, Last Printed: Sun Feb 25 21:44:23 2024, Number of Pages: 450
Category:	dropped
Size (bytes):	1981440
Entropy (8bit):	7.048847974117887
Encrypted:	false
SSDEEP:
MD5:	69371CEFE8756C8792658131BA0B616F
SHA1:	FE6BBCF75DE9A47A0FD77AEE2FEF97B0EF84AFFA
SHA-256:	00D46BB9D680DB2604DF7B630547907D7972CA2F7CF6E65BCEC0433394ED690D
SHA-512:	EAD477613FDB93D7A9266E7875C4EA85F44AE7CECC5EF40940CF7232A8C21B0A8EF0BA7933B94C9030BCE4F476F3AE0378A616C954F24221565C6C624EBC349D
Malicious:	false
Reputation:	unknown
Preview:	......................>.......................................................j.......D...............................................................q...r...s...t...u...v...w...x...y...z...{...\|.......................................................................................................................................................................................................................................................................................................................................F...............$...7........................................................................................... ...!..."...#.......4...&...'...(...)...*...+...,...-......./...0...1...2...3...8...5...6...>...@...9...:...;...<...=...}...?...D...A...B...C...~...E...G...^...H...I...J...K... ...M...N...O...P...Q...R...S...T...U...V...W...X...Y...Z...[...\...]...^..._...`...a...b...c...d...e...f...g...h...i...........l...m...n...o...p...q...r...s...t...u...v...w...x...y...z...

C:\Windows\Installer\MSIBA26.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	171384
Entropy (8bit):	3.3795724242758705
Encrypted:	false
SSDEEP:
MD5:	63CAB3349CC7A0778466D76F2EBA4CA0
SHA1:	765A21068EC13FB029F9DC1027F38F2C63B24D32
SHA-256:	D5208CC2C6DF6B5A477B9BA63C39DC83B55BE364B6D4EDF1CD09CBF22C8CF191
SHA-512:	D0D861D4575C0853579FC02634B176093DF85BEC8355FD224D093992D4664F98F787D3954CDB57D39FD96DFB0AE03EF468B1805D8801080E267CE8FE217C71D9
Malicious:	false
Reputation:	unknown
Preview:	...@IXOS.@.....@.1.Y.@.....@.....@.....@.....@.....@......&.{E592FA79-3583-48CB-AF7B-0216F306753E}..Virtual Desktop Extension!.VirtualDesktopExtension-1.1.0.msi.@.....@.....@.....@......app.exe..&.{824DE1F3-815F-4A4E-946C-5BC640CC3E46}.....@.....@.....@.....@.......@.....@.....@.......@......Virtual Desktop Extension......Rollback..Rolling back action:....RollbackCleanup..Removing backup files..File: [1]...@.......@........ProcessComponents..Updating component registration...@.....@.....@.]....&.{2B4C814D-B623-4E1C-ADD2-5D170D21B657}8.C:\Users\user\AppData\Roaming\Virtual Desktop Extension\.@.......@.....@.....@......&.{BB8B1DBF-36BF-4E76-A520-74E74E59394B}<.21:\Software\Andrea Brandi\Virtual Desktop Extension\Version.@.......@.....@.....@......&.{D3372013-9966-4E9C-94BC-26B854FD487C}?.C:\Users\user\AppData\Roaming\Virtual Desktop Extension\LICENSE.@.......@.....@.....@......&.{BC85D0BF-4608-48B2-8A21-0064FCC32D88}R.C:\Users\user\AppData\Roaming\Virtual Desktop Extension\VirtualDesktop

C:\Windows\Installer\SourceHash{E592FA79-3583-48CB-AF7B-0216F306753E}

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	1.1740668016154887
Encrypted:	false
SSDEEP:
MD5:	8742FFCEBE883486F93837F80C2FC698
SHA1:	D22DDF6191E0882C2161A61FCEEF7AFE9DBC2EDD
SHA-256:	4BC0711C565C29D4306B09B4971B6AF9C30E92F7BDCC65ED2C05453E03190524
SHA-512:	BC60D64DB5748533E26CB04EE0B7087B7A1A1C4AFB821A8EBEFCA338FBD8EE4BAB1000FEA20D5670CDF33D4FCD41B80FE1177F111A733D3ACD074FE786806858
Malicious:	false
Reputation:	unknown
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Installer\inprogressinstallinfo.ipi

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	1.6507596219848524
Encrypted:	false
SSDEEP:
MD5:	FC44E04B78A4BEA2CFCF84BFABEA30AD
SHA1:	D0A2188200F9A9B69686ED042F42B030D0EBDD0D
SHA-256:	F0A5A0F8CC7AD6DC164E871CA243065D9C46715A2740178308EC150F3D806795
SHA-512:	16541934E2382B974C2858A759B35A28B4CD647E01DDE1E9A5C531A44FBE4C1B588B39AC9435042392EEB6824853385F18B214D2BD7369F78B4F7626699EFEA4
Malicious:	false
Reputation:	unknown
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	454234
Entropy (8bit):	5.356170967044975
Encrypted:	false
SSDEEP:
MD5:	D5BEF82349E19920B3F138DB48E5737B
SHA1:	85D9C0ADC96D65F5F5D08035298705E3CE5BE075
SHA-256:	9BCEAB9E28B8566120F16988508375F651325E3CB7B02A014B379EBA4E253B55
SHA-512:	82EF1C43496A24315E7D2A9244EE823A84154760C7D49B9764B1C357ED583B53124AF16A2FF399F8BDC8D8B81A0FC423A57370A5A8AF5A405534923C3901FF89
Malicious:	false
Reputation:	unknown
Preview:	.To learn about increasing the verbosity of the NGen log files please see http://go.microsoft.com/fwlink/?linkid=210113..12/07/2019 14:54:22.458 [5488]: Command line: D:\wd\compilerTemp\BMT.200yuild.1bk\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe executeQueuedItems /nologo ..12/07/2019 14:54:22.473 [5488]: Executing command from offline queue: install "System.Runtime.WindowsRuntime.UI.Xaml, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=b77a5c561934e089, processorArchitecture=msil" /NoDependencies /queue:1..12/07/2019 14:54:22.490 [5488]: Executing command from offline queue: install "System.Web.ApplicationServices, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=msil" /NoDependencies /queue:3..12/07/2019 14:54:22.490 [5488]: Exclusion list entry found for System.Web.ApplicationServices, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=msil; it will not be installed..12/07/2019 14:54:22.490 [

C:\Windows\Temp\~DF6219693BA75C9E17.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	1.316713583396612
Encrypted:	false
SSDEEP:
MD5:	CB880E4E58E94172217E2BEC4ABBA6F0
SHA1:	50A52D20C7A894C56D439DEBC5BD2E72E6354471
SHA-256:	3972C6A6D60F2957530E72058AA7AE1EA540CC29171F24F0E1297F3E3B7FC93B
SHA-512:	E4B7A6AA419CFBEC17523E241CB0466B1D3781B7C68E564D84CCBEBF1250571D596901F04C43C9639C1F4B03F4A227CB21F64CE0A12C4E23DC899451AFFD3FC8
Malicious:	false
Reputation:	unknown
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF84E3775A4BD7A6E7.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Reputation:	unknown
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF8E59409F47A0E9DF.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	73728
Entropy (8bit):	0.17074364596357444
Encrypted:	false
SSDEEP:
MD5:	B86CAEFA2E8217F931F6D9B224E2F567
SHA1:	A235935B32A186669294F03C6446588A9AAA03D5
SHA-256:	9F45EA75B69B0C93962D67E89B12E3A9B000875DDC12F23EE2D0020C4E14710B
SHA-512:	E93FF8AB15E596D79CE53057198C5B742554304E2685ED38D251F3FF6ED152FFF6BDA62297A493CB8E0B191AE12D5F3E4A2453D683468F0F3FE65DB304F11039
Malicious:	false
Reputation:	unknown
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DFE1BB38895E0B220B.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.07931019262792448
Encrypted:	false
SSDEEP:
MD5:	1B97BA81FE91AF6726C69D67C5A39E68
SHA1:	C096856B628492ED45AD51E81618516700208FB1
SHA-256:	5D94532D6236C9BE3442550A0064C774668032277CBCADEC2B5AC2C4AF239E1E
SHA-512:	35E3CCA86A91001C1311C1FCD97C9DD9DD8F7EA4A7791D987283230E901277C3683E8BB2A9ACF61AD8BB3FD4E7112E7A5996D25F5335013C0EFAAB45B3B75E48
Malicious:	false
Reputation:	unknown
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

⊘No static file info

Description:	Adversaries may move onto systems, possibly those on disconnected or air-gapped networks, by copying malware to removable media and taking advantage of Autorun features when the media is inserted into a system and executes. In the case of Lateral Movement, this may occur through modification of executable files stored on removable media or by copying malware and renaming it to look like a legitimate file to trick users into executing it on a separate system. In the case of Initial Access, this may occur through manual manipulation of the media, modification of systems used to initially format the media, or modification to the media's firmware itself.
Tactics:	Initial Access, Lateral Movement
Data Sources:	Drive: Drive Creation, File: File Access, File: File Creation, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Driver: Driver Load, File: File Metadata, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Service: Service Creation, Service: Service Modification, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer ) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Deletion
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to gather information about attached peripheral devices and components connected to a computer system.Peripheral devices could include auxiliary resources that support a variety of functionalities such as keyboards, printers, cameras, smart card readers, or removable storage. The information may be used to enhance their awareness of the system and network environment or may be used for further actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report https://github.com/starise/win11-virtual-desktop-extension/releases/download/1.1.0/VirtualDesktopExtension-1.1.0.msi

Overview

General Information

Detection

Signatures

Classification

Process Tree

Yara Signatures

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

LLM Input / Output

Created / dropped Files

C:\Config.Msi\39b784.rbs

C:\Users\user\AppData\Local\Temp\MSIA7A7.tmp

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Virtual Desktop Extension.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Virtual Desktop Extension\Virtual Desktop Extension.lnk

C:\Users\user\AppData\Roaming\Virtual Desktop Extension\LICENSE

C:\Users\user\AppData\Roaming\Virtual Desktop Extension\README.md

C:\Users\user\AppData\Roaming\Virtual Desktop Extension\VirtualDesktopAccessor.dll

C:\Users\user\AppData\Roaming\Virtual Desktop Extension\VirtualDesktopExtension.exe

C:\Users\user\AppData\Roaming\Virtual Desktop Extension\icons\+.ico

C:\Users\user\AppData\Roaming\Virtual Desktop Extension\icons\1.ico

C:\Users\user\AppData\Roaming\Virtual Desktop Extension\icons\10.ico

C:\Users\user\AppData\Roaming\Virtual Desktop Extension\icons\2.ico

C:\Users\user\AppData\Roaming\Virtual Desktop Extension\icons\3.ico

C:\Users\user\AppData\Roaming\Virtual Desktop Extension\icons\4.ico

C:\Users\user\AppData\Roaming\Virtual Desktop Extension\icons\5.ico

C:\Users\user\AppData\Roaming\Virtual Desktop Extension\icons\6.ico

C:\Users\user\AppData\Roaming\Virtual Desktop Extension\icons\7.ico

C:\Users\user\AppData\Roaming\Virtual Desktop Extension\icons\8.ico

C:\Users\user\AppData\Roaming\Virtual Desktop Extension\icons\9.ico

C:\Users\user\AppData\Roaming\Virtual Desktop Extension\icons\app.ico

C:\Users\user\Downloads\25752823-81bb-4f11-86ae-d907068630cd.tmp

C:\Users\user\Downloads\Unconfirmed 925116.crdownload (copy)

C:\Users\user\Downloads\VirtualDesktopExtension-1.1.0.msi (copy)

C:\Windows\Installer\39b783.msi

C:\Windows\Installer\MSIBA26.tmp

C:\Windows\Installer\SourceHash{E592FA79-3583-48CB-AF7B-0216F306753E}

Windows Analysis Report
https://github.com/starise/win11-virtual-desktop-extension/releases/download/1.1.0/VirtualDesktopExtension-1.1.0.msi