41d4f3ba691da9d0c0e7a269f8d3fff7c843c3f8249131dcf112cb149499ec73

Analysis

max time kernel
149s
max time network
125s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
23/05/2023, 22:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

VirtualBox-7.0.2-154219-Win(1).exe
Size

105.0MB
MD5

5615443c79de81d4427fcb36a0048ec2
SHA1

55df20799f7f33fd8a004fc9583aafba1ead4f90
SHA256

41d4f3ba691da9d0c0e7a269f8d3fff7c843c3f8249131dcf112cb149499ec73
SHA512

62787b79c5631e63c948a4eb1ef88eecae03b01b39f0134d975579f430f92e63443a5e05f04bacc7c2484f7b7eae60bb83fdbe4a1bd4fb301c314dedb3b54fdf
SSDEEP

3145728:IJG3vysnMAfaW1IfA96jD6yMcU+VnBmK4:IJG36sMtuuBm

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 2 IoCs

flow	pid	Process
9	1460	msiexec.exe
11	1460	msiexec.exe

Drops file in Drivers directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\DRIVERS\SET168E.tmp	MsiExec.exe
File created	C:\Windows\system32\DRIVERS\SET168E.tmp	MsiExec.exe
File opened for modification	C:\Windows\system32\DRIVERS\VBoxSup.sys	MsiExec.exe
File opened for modification	C:\Windows\system32\DRIVERS\SET2204.tmp	MsiExec.exe
File created	C:\Windows\system32\DRIVERS\SET2204.tmp	MsiExec.exe
File opened for modification	C:\Windows\system32\DRIVERS\VBoxUSBMon.sys	MsiExec.exe

Enumerates connected drives 3 TTPs 48 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\Q:	VirtualBox-7.0.2-154219-Win(1).exe
File opened (read-only)	\??\X:	VirtualBox-7.0.2-154219-Win(1).exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\N:	VirtualBox-7.0.2-154219-Win(1).exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\U:	VirtualBox-7.0.2-154219-Win(1).exe
File opened (read-only)	\??\L:	VirtualBox-7.0.2-154219-Win(1).exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\A:	VirtualBox-7.0.2-154219-Win(1).exe
File opened (read-only)	\??\F:	VirtualBox-7.0.2-154219-Win(1).exe
File opened (read-only)	\??\Y:	VirtualBox-7.0.2-154219-Win(1).exe
File opened (read-only)	\??\Z:	VirtualBox-7.0.2-154219-Win(1).exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\E:	VirtualBox-7.0.2-154219-Win(1).exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\H:	VirtualBox-7.0.2-154219-Win(1).exe
File opened (read-only)	\??\J:	VirtualBox-7.0.2-154219-Win(1).exe
File opened (read-only)	\??\O:	VirtualBox-7.0.2-154219-Win(1).exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\G:	VirtualBox-7.0.2-154219-Win(1).exe
File opened (read-only)	\??\R:	VirtualBox-7.0.2-154219-Win(1).exe
File opened (read-only)	\??\S:	VirtualBox-7.0.2-154219-Win(1).exe
File opened (read-only)	\??\V:	VirtualBox-7.0.2-154219-Win(1).exe
File opened (read-only)	\??\W:	VirtualBox-7.0.2-154219-Win(1).exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\P:	VirtualBox-7.0.2-154219-Win(1).exe
File opened (read-only)	\??\K:	VirtualBox-7.0.2-154219-Win(1).exe
File opened (read-only)	\??\T:	VirtualBox-7.0.2-154219-Win(1).exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\B:	VirtualBox-7.0.2-154219-Win(1).exe
File opened (read-only)	\??\M:	VirtualBox-7.0.2-154219-Win(1).exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\I:	VirtualBox-7.0.2-154219-Win(1).exe

Drops file in System32 directory 24 IoCs

description	ioc	Process
File created	C:\Windows\system32\DRVSTORE\VBoxSup_7177F232A65269D60FFF7AC9212120603E78AD19\VBoxSup.inf	MsiExec.exe
File created	C:\Windows\system32\DRVSTORE\VBoxUSBMon_F9F4FF4CC19551FEAFB22E1B6746B0A027525367\VBoxUSBMon.inf	MsiExec.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{6477af34-0000-1948-5d10-210ae3e0f302}\SET2398.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{6477af34-0000-1948-5d10-210ae3e0f302}\VBoxUSB.cat	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{6477af34-0000-1948-5d10-210ae3e0f302}\SET23AA.tmp	DrvInst.exe
File opened for modification	C:\Windows\system32\DRVSTORE\VBoxSup_7177F232A65269D60FFF7AC9212120603E78AD19\VBoxSup.sys	MsiExec.exe
File opened for modification	C:\Windows\system32\DRVSTORE	MsiExec.exe
File opened for modification	C:\Windows\system32\DRVSTORE\VBoxSup_7177F232A65269D60FFF7AC9212120603E78AD19\VBoxSup.inf	MsiExec.exe
File created	C:\Windows\system32\DRVSTORE\VBoxSup_7177F232A65269D60FFF7AC9212120603E78AD19\VBoxSup.sys	MsiExec.exe
File created	C:\Windows\system32\DRVSTORE\VBoxUSBMon_F9F4FF4CC19551FEAFB22E1B6746B0A027525367\VBoxUSBMon.sys	MsiExec.exe
File created	C:\Windows\System32\DriverStore\Temp\{6477af34-0000-1948-5d10-210ae3e0f302}\SET23A9.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{6477af34-0000-1948-5d10-210ae3e0f302}\VBoxUSB.sys	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{6477af34-0000-1948-5d10-210ae3e0f302}\SET23A9.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{6477af34-0000-1948-5d10-210ae3e0f302}\VBoxUSB.inf	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{6477af34-0000-1948-5d10-210ae3e0f302}\SET23AA.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{6477af34-0000-1948-5d10-210ae3e0f302}	DrvInst.exe
File opened for modification	C:\Windows\system32\DRVSTORE\VBoxUSBMon_F9F4FF4CC19551FEAFB22E1B6746B0A027525367\VBoxUSBMon.cat	MsiExec.exe
File opened for modification	C:\Windows\system32\DRVSTORE\VBoxUSBMon_F9F4FF4CC19551FEAFB22E1B6746B0A027525367\VBoxUSBMon.inf	MsiExec.exe
File opened for modification	C:\Windows\system32\DRVSTORE\VBoxSup_7177F232A65269D60FFF7AC9212120603E78AD19\VBoxSup.cat	MsiExec.exe
File created	C:\Windows\system32\DRVSTORE\VBoxSup_7177F232A65269D60FFF7AC9212120603E78AD19\VBoxSup.cat	MsiExec.exe
File opened for modification	C:\Windows\System32\CatRoot2\dberr.txt	MsiExec.exe
File created	C:\Windows\system32\DRVSTORE\VBoxUSBMon_F9F4FF4CC19551FEAFB22E1B6746B0A027525367\VBoxUSBMon.cat	MsiExec.exe
File created	C:\Windows\System32\DriverStore\Temp\{6477af34-0000-1948-5d10-210ae3e0f302}\SET2398.tmp	DrvInst.exe
File opened for modification	C:\Windows\system32\DRVSTORE\VBoxUSBMon_F9F4FF4CC19551FEAFB22E1B6746B0A027525367\VBoxUSBMon.sys	MsiExec.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Oracle\VirtualBox\VBoxDragAndDropSvc.dll	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\drivers\USB\device\VBoxUSB.sys	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\UnattendedTemplates\lgw_ks.cfg	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\nls\qt_sl.qm	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\nls\qt_th.qm	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\nls\qt_tr.qm	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\UnattendedTemplates\debian_postinstall.sh	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\UserManual.qch	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\VirtualBox_150px.png	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\sdk\install\vboxapi\VirtualBox_constants.py	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\nls\VirtualBox_de.qm	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\nls\qt_da.qm	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\nls\qt_en.qm	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\nls\qt_pl.qm	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\UserManual.qhc	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\VBoxNetNAT.dll	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\nls\qt_zh_TW.qm	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\nls\VirtualBox_bg.qm	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\VBoxDDU.dll	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\VBoxExtPackHelperApp.exe	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\drivers\network\netadp6\VBoxNetAdp6.inf	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\nls\qt_cs.qm	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\nls\qt_it.qm	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\VBoxNetNAT.exe	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\VBoxTestOGL.exe	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\nls\VirtualBox_ca.qm	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\nls\VirtualBox_ka.qm	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\nls\VirtualBox_pt.qm	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\VBoxGuestPropSvc.dll	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\x86\VBoxProxyStub-x86.dll	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\nls\VirtualBox_lt.qm	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\nls\VirtualBox_ru.qm	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\nls\VirtualBox_zh_CN.qm	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\nls\qt_es.qm	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\nls\qt_zh_CN.qm	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\VBoxVMM.dll	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\UnattendedTemplates\lgw_postinstall.sh	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\drivers\network\netadp6\VBoxNetAdp6.cat	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\drivers\USB\device\VBoxUSB.cat	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\nls\VirtualBox_id.qm	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\nls\qt_eu.qm	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\nls\qt_pt_BR.qm	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\platforms\qoffscreen.dll	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\VBoxDD.dll	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\nls\VirtualBox_sl.qm	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\drivers\network\netlwf\VBoxNetLwf.inf	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\VBoxRT.dll	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\VBoxProxyStub.dll	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\nls\qt_ca.qm	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\doc\UserManual.pdf	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\VBoxHostChannel.dll	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\VMMR0.r0	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\nls\VirtualBox_cs.qm	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\nls\VirtualBox_en.qm	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\nls\qt_lt.qm	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\platforms\qwindows.dll	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\VBoxRes.dll	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\UnattendedTemplates\rhel4_ks.cfg	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\Qt5WinExtrasVBox.dll	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\UnattendedTemplates\rhel3_ks.cfg	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\VirtualBoxVM.dll	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\nls\VirtualBox_fa.qm	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\nls\VirtualBox_th.qm	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\nls\qt_hu.qm	msiexec.exe

Drops file in Windows directory 26 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI812.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI14A1.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI5108.tmp	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.ev3	DrvInst.exe
File created	C:\Windows\Installer\6cf27a.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSID9.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI148.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI52FD.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\6cf27b.ipi	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	MsiExec.exe
File opened for modification	C:\Windows\INF\setupapi.ev1	DrvInst.exe
File created	C:\Windows\Installer\6cf27b.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI4A5.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI20B3.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI1B6.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI22C6.tmp	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\Installer\MSI503.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI766.tmp	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.app.log	MsiExec.exe
File opened for modification	C:\Windows\Installer\MSI51F3.tmp	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\Installer\6cf27a.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIFDCC.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI291.tmp	msiexec.exe

Loads dropped DLL 18 IoCs

pid	Process
1724	MsiExec.exe
1724	MsiExec.exe
1724	MsiExec.exe
1724	MsiExec.exe
1108	MsiExec.exe
1108	MsiExec.exe
1108	MsiExec.exe
1776	MsiExec.exe
1108	MsiExec.exe
1108	MsiExec.exe
1664	MsiExec.exe
1664	MsiExec.exe
1664	MsiExec.exe
1664	MsiExec.exe
1664	MsiExec.exe
1664	MsiExec.exe
1664	MsiExec.exe
1664	MsiExec.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	MsiExec.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{2916C86E-86A6-43FE-8112-43ABE6BF8DCC} {0C6C4200-C589-11D0-999A-00C04FD655E1} 0xFFFF = 0100000000000000a0bc4ea0d78dd901	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPublisher\Certificates	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\CRLs	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPublisher\CRLs	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	rundll32.exe

Modifies system certificate store 2 TTPs 9 IoCs

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F530E4200FF093E61B55AFF7B0EA28B1F23376E8	VirtualBox-7.0.2-154219-Win(1).exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F530E4200FF093E61B55AFF7B0EA28B1F23376E8\Blob = 0f0000000100000020000000a277a0d4c66269ec6b4982fe5dd1202db715ba87c98a44c228bcae62f69e0889030000000100000014000000f530e4200ff093e61b55aff7b0ea28b1f23376e8200000000100000039060000308206353082041da0030201020214033db638e181e7fce551a6ede45fceb1c4164e51300d06092a864886f70d01010b0500308195310b30090603550406130244453110300e06035504080c0742617661726961310f300d06035504070c064d756e69636831293027060355040a0c204f7261636c6520446575747363686c616e6420422e562e202620436f2e204b473138303606035504030c2f5669727475616c426f7820666f72204c65676163792057696e646f7773204f6e6c792054696d657374616d70204341301e170d3130303130313030303030305a170d3337313233313233353935395a308195310b30090603550406130244453110300e06035504080c0742617661726961310f300d06035504070c064d756e69636831293027060355040a0c204f7261636c6520446575747363686c616e6420422e562e202620436f2e204b473138303606035504030c2f5669727475616c426f7820666f72204c65676163792057696e646f7773204f6e6c792054696d657374616d7020434130820222300d06092a864886f70d01010105000382020f003082020a0282020100e3a8feab8900102edfafb008aab193e20579c3d99b793e92120020aca9ae749f748f5441a0b47098daa38191544b8236606140a0a1fa0e70847a737174008ac2be0e1293ea201abf2ccc3f0efea2d147fe10d7c9cca1348b80f937d2262b882c5d05e3e79a56e2ce9753bf46d66ba747aa4d00e6cfc32240dc8e34d54a3209b1f15691c9d2b9e24ada683038ad72c88448ded75e9cb840d88cc25095c26b5e0487f0a85e88254c1723d8984e0b194f55f7ade9f044f2b4ff363bfa355051ca2aa34d045983fcf77dffeeda26173c41546ccf83174adacbaa4dbe96dd05762773ae45ea1f203106d7763eb0b1dbfda5a6dfd001f1df83de4a269993f0bd011123ea518b172cfe1b9c6cf8be16bfc39acd2defcfd56318f631f044d5b18295ee7e9f31804f2a4d59403e3274a5d4803522aaf095b53e100ddcfef611dae6f0b3fe0fd14e80af57e8daa9b5819e81ac1cacd2e8215cc27ebb695befa8ca895ad153dedc1a0ec396b8d4229203b63d8d6fb7276c8f7638f64cdaa847a2d6d13fb77d381bc0b652c4cf2ece27d8740e3c616330151dd5721931db6e10760dc149651d7821e7f3300d1354357aa8a48cd392c4d82524b36e6c3c4242a9f5d7a67883123e4e23374e2814727c05dd041d951f8ae8d0c0880b75611ed2a81a4cd47aabeea460a40c7531cbf802371c125487f898d419eff10b31ab71096992a070910d4d0203010001a37b307930120603551d130101ff040830060101ff020100300e0603551d0f0101ff040403020204301d0603551d0e041604140b00a3a5c4bff14800215b59f823193d2e30a8fd301f0603551d230418301680140b00a3a5c4bff14800215b59f823193d2e30a8fd30130603551d25040c300a06082b06010505070308300d06092a864886f70d01010b050003820201009bddb07c2e9e73474e200ba07251fc3a70f3b77d08ec13d676e666161d495aa7e13df8bed9fb3e2bca7590eaa10e1066f13f671a317611dec21548954d28293ea5061b6b3f0a8c68e56ad06cb161e3085dd59485fab51cae17194b6ac018755f824690888776bd397ffea10b2170560118e61acbaed454e4e77b9d0b19785f12510a764a88c977e9b8d50f888169e66fb5c2c094b3d1b7ab0948d397b69b58dd59d796ca47e56888262b5772c27d23d2687694b5409bb10085b236ba2aa4c4f752f61ea1ea233ef682f3ef039895d67309c16223256e518e783871bd306403b86fe1b4df4e3a783951d4b6cdc2064eda6d108f7cb899411d0d66d670842586022abcf36fdafabb9d7fed0a746ea0a91f92e639f75180e61805c169b8d4261e8dbe6e6ea5e469cb1fc45d2fcb1d5d89a1cb252f73985faa14264aa06a89bbc6d64525a90f3ae4338723902bd0c0a9f54e19c602b28de9cc7439fa5e223360ee38d877eda5955659b3cf1bcf3a19b3035ff185ae30711662ef1896ec5e2a38cd44de3c38e737f6481ba49bf19d61398d9ac2004ee9f1b09b45a039397da029fef45edc40d39e58ff044746f6ceb0f3650eb24e0d1f3d96f707aef4b207333d72295a2ef841d14bcd23a741659c78984d248a56fd787321d2b4f7bd7ea4a863088e64ee2915c221fab1decb0ffa71c60b9a5bb8ece6cb150f73584cb23a7a3091e9	VirtualBox-7.0.2-154219-Win(1).exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F530E4200FF093E61B55AFF7B0EA28B1F23376E8\Blob = 1400000001000000140000000b00a3a5c4bff14800215b59f823193d2e30a8fd030000000100000014000000f530e4200ff093e61b55aff7b0ea28b1f23376e80f0000000100000020000000a277a0d4c66269ec6b4982fe5dd1202db715ba87c98a44c228bcae62f69e0889200000000100000039060000308206353082041da0030201020214033db638e181e7fce551a6ede45fceb1c4164e51300d06092a864886f70d01010b0500308195310b30090603550406130244453110300e06035504080c0742617661726961310f300d06035504070c064d756e69636831293027060355040a0c204f7261636c6520446575747363686c616e6420422e562e202620436f2e204b473138303606035504030c2f5669727475616c426f7820666f72204c65676163792057696e646f7773204f6e6c792054696d657374616d70204341301e170d3130303130313030303030305a170d3337313233313233353935395a308195310b30090603550406130244453110300e06035504080c0742617661726961310f300d06035504070c064d756e69636831293027060355040a0c204f7261636c6520446575747363686c616e6420422e562e202620436f2e204b473138303606035504030c2f5669727475616c426f7820666f72204c65676163792057696e646f7773204f6e6c792054696d657374616d7020434130820222300d06092a864886f70d01010105000382020f003082020a0282020100e3a8feab8900102edfafb008aab193e20579c3d99b793e92120020aca9ae749f748f5441a0b47098daa38191544b8236606140a0a1fa0e70847a737174008ac2be0e1293ea201abf2ccc3f0efea2d147fe10d7c9cca1348b80f937d2262b882c5d05e3e79a56e2ce9753bf46d66ba747aa4d00e6cfc32240dc8e34d54a3209b1f15691c9d2b9e24ada683038ad72c88448ded75e9cb840d88cc25095c26b5e0487f0a85e88254c1723d8984e0b194f55f7ade9f044f2b4ff363bfa355051ca2aa34d045983fcf77dffeeda26173c41546ccf83174adacbaa4dbe96dd05762773ae45ea1f203106d7763eb0b1dbfda5a6dfd001f1df83de4a269993f0bd011123ea518b172cfe1b9c6cf8be16bfc39acd2defcfd56318f631f044d5b18295ee7e9f31804f2a4d59403e3274a5d4803522aaf095b53e100ddcfef611dae6f0b3fe0fd14e80af57e8daa9b5819e81ac1cacd2e8215cc27ebb695befa8ca895ad153dedc1a0ec396b8d4229203b63d8d6fb7276c8f7638f64cdaa847a2d6d13fb77d381bc0b652c4cf2ece27d8740e3c616330151dd5721931db6e10760dc149651d7821e7f3300d1354357aa8a48cd392c4d82524b36e6c3c4242a9f5d7a67883123e4e23374e2814727c05dd041d951f8ae8d0c0880b75611ed2a81a4cd47aabeea460a40c7531cbf802371c125487f898d419eff10b31ab71096992a070910d4d0203010001a37b307930120603551d130101ff040830060101ff020100300e0603551d0f0101ff040403020204301d0603551d0e041604140b00a3a5c4bff14800215b59f823193d2e30a8fd301f0603551d230418301680140b00a3a5c4bff14800215b59f823193d2e30a8fd30130603551d25040c300a06082b06010505070308300d06092a864886f70d01010b050003820201009bddb07c2e9e73474e200ba07251fc3a70f3b77d08ec13d676e666161d495aa7e13df8bed9fb3e2bca7590eaa10e1066f13f671a317611dec21548954d28293ea5061b6b3f0a8c68e56ad06cb161e3085dd59485fab51cae17194b6ac018755f824690888776bd397ffea10b2170560118e61acbaed454e4e77b9d0b19785f12510a764a88c977e9b8d50f888169e66fb5c2c094b3d1b7ab0948d397b69b58dd59d796ca47e56888262b5772c27d23d2687694b5409bb10085b236ba2aa4c4f752f61ea1ea233ef682f3ef039895d67309c16223256e518e783871bd306403b86fe1b4df4e3a783951d4b6cdc2064eda6d108f7cb899411d0d66d670842586022abcf36fdafabb9d7fed0a746ea0a91f92e639f75180e61805c169b8d4261e8dbe6e6ea5e469cb1fc45d2fcb1d5d89a1cb252f73985faa14264aa06a89bbc6d64525a90f3ae4338723902bd0c0a9f54e19c602b28de9cc7439fa5e223360ee38d877eda5955659b3cf1bcf3a19b3035ff185ae30711662ef1896ec5e2a38cd44de3c38e737f6481ba49bf19d61398d9ac2004ee9f1b09b45a039397da029fef45edc40d39e58ff044746f6ceb0f3650eb24e0d1f3d96f707aef4b207333d72295a2ef841d14bcd23a741659c78984d248a56fd787321d2b4f7bd7ea4a863088e64ee2915c221fab1decb0ffa71c60b9a5bb8ece6cb150f73584cb23a7a3091e9	VirtualBox-7.0.2-154219-Win(1).exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F530E4200FF093E61B55AFF7B0EA28B1F23376E8\Blob = 19000000010000001000000043a79b96707e4056cbe3250669cc674c0f0000000100000020000000a277a0d4c66269ec6b4982fe5dd1202db715ba87c98a44c228bcae62f69e0889030000000100000014000000f530e4200ff093e61b55aff7b0ea28b1f23376e81400000001000000140000000b00a3a5c4bff14800215b59f823193d2e30a8fd200000000100000039060000308206353082041da0030201020214033db638e181e7fce551a6ede45fceb1c4164e51300d06092a864886f70d01010b0500308195310b30090603550406130244453110300e06035504080c0742617661726961310f300d06035504070c064d756e69636831293027060355040a0c204f7261636c6520446575747363686c616e6420422e562e202620436f2e204b473138303606035504030c2f5669727475616c426f7820666f72204c65676163792057696e646f7773204f6e6c792054696d657374616d70204341301e170d3130303130313030303030305a170d3337313233313233353935395a308195310b30090603550406130244453110300e06035504080c0742617661726961310f300d06035504070c064d756e69636831293027060355040a0c204f7261636c6520446575747363686c616e6420422e562e202620436f2e204b473138303606035504030c2f5669727475616c426f7820666f72204c65676163792057696e646f7773204f6e6c792054696d657374616d7020434130820222300d06092a864886f70d01010105000382020f003082020a0282020100e3a8feab8900102edfafb008aab193e20579c3d99b793e92120020aca9ae749f748f5441a0b47098daa38191544b8236606140a0a1fa0e70847a737174008ac2be0e1293ea201abf2ccc3f0efea2d147fe10d7c9cca1348b80f937d2262b882c5d05e3e79a56e2ce9753bf46d66ba747aa4d00e6cfc32240dc8e34d54a3209b1f15691c9d2b9e24ada683038ad72c88448ded75e9cb840d88cc25095c26b5e0487f0a85e88254c1723d8984e0b194f55f7ade9f044f2b4ff363bfa355051ca2aa34d045983fcf77dffeeda26173c41546ccf83174adacbaa4dbe96dd05762773ae45ea1f203106d7763eb0b1dbfda5a6dfd001f1df83de4a269993f0bd011123ea518b172cfe1b9c6cf8be16bfc39acd2defcfd56318f631f044d5b18295ee7e9f31804f2a4d59403e3274a5d4803522aaf095b53e100ddcfef611dae6f0b3fe0fd14e80af57e8daa9b5819e81ac1cacd2e8215cc27ebb695befa8ca895ad153dedc1a0ec396b8d4229203b63d8d6fb7276c8f7638f64cdaa847a2d6d13fb77d381bc0b652c4cf2ece27d8740e3c616330151dd5721931db6e10760dc149651d7821e7f3300d1354357aa8a48cd392c4d82524b36e6c3c4242a9f5d7a67883123e4e23374e2814727c05dd041d951f8ae8d0c0880b75611ed2a81a4cd47aabeea460a40c7531cbf802371c125487f898d419eff10b31ab71096992a070910d4d0203010001a37b307930120603551d130101ff040830060101ff020100300e0603551d0f0101ff040403020204301d0603551d0e041604140b00a3a5c4bff14800215b59f823193d2e30a8fd301f0603551d230418301680140b00a3a5c4bff14800215b59f823193d2e30a8fd30130603551d25040c300a06082b06010505070308300d06092a864886f70d01010b050003820201009bddb07c2e9e73474e200ba07251fc3a70f3b77d08ec13d676e666161d495aa7e13df8bed9fb3e2bca7590eaa10e1066f13f671a317611dec21548954d28293ea5061b6b3f0a8c68e56ad06cb161e3085dd59485fab51cae17194b6ac018755f824690888776bd397ffea10b2170560118e61acbaed454e4e77b9d0b19785f12510a764a88c977e9b8d50f888169e66fb5c2c094b3d1b7ab0948d397b69b58dd59d796ca47e56888262b5772c27d23d2687694b5409bb10085b236ba2aa4c4f752f61ea1ea233ef682f3ef039895d67309c16223256e518e783871bd306403b86fe1b4df4e3a783951d4b6cdc2064eda6d108f7cb899411d0d66d670842586022abcf36fdafabb9d7fed0a746ea0a91f92e639f75180e61805c169b8d4261e8dbe6e6ea5e469cb1fc45d2fcb1d5d89a1cb252f73985faa14264aa06a89bbc6d64525a90f3ae4338723902bd0c0a9f54e19c602b28de9cc7439fa5e223360ee38d877eda5955659b3cf1bcf3a19b3035ff185ae30711662ef1896ec5e2a38cd44de3c38e737f6481ba49bf19d61398d9ac2004ee9f1b09b45a039397da029fef45edc40d39e58ff044746f6ceb0f3650eb24e0d1f3d96f707aef4b207333d72295a2ef841d14bcd23a741659c78984d248a56fd787321d2b4f7bd7ea4a863088e64ee2915c221fab1decb0ffa71c60b9a5bb8ece6cb150f73584cb23a7a3091e9	VirtualBox-7.0.2-154219-Win(1).exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 0f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d432000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	VirtualBox-7.0.2-154219-Win(1).exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa62000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	VirtualBox-7.0.2-154219-Win(1).exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 190000000100000010000000749966cecc95c1874194ca7203f9b6200f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d4304000000010000001000000087ce0b7b2a0e4900e158719b37a893722000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	VirtualBox-7.0.2-154219-Win(1).exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F530E4200FF093E61B55AFF7B0EA28B1F23376E8\Blob = 030000000100000014000000f530e4200ff093e61b55aff7b0ea28b1f23376e8200000000100000039060000308206353082041da0030201020214033db638e181e7fce551a6ede45fceb1c4164e51300d06092a864886f70d01010b0500308195310b30090603550406130244453110300e06035504080c0742617661726961310f300d06035504070c064d756e69636831293027060355040a0c204f7261636c6520446575747363686c616e6420422e562e202620436f2e204b473138303606035504030c2f5669727475616c426f7820666f72204c65676163792057696e646f7773204f6e6c792054696d657374616d70204341301e170d3130303130313030303030305a170d3337313233313233353935395a308195310b30090603550406130244453110300e06035504080c0742617661726961310f300d06035504070c064d756e69636831293027060355040a0c204f7261636c6520446575747363686c616e6420422e562e202620436f2e204b473138303606035504030c2f5669727475616c426f7820666f72204c65676163792057696e646f7773204f6e6c792054696d657374616d7020434130820222300d06092a864886f70d01010105000382020f003082020a0282020100e3a8feab8900102edfafb008aab193e20579c3d99b793e92120020aca9ae749f748f5441a0b47098daa38191544b8236606140a0a1fa0e70847a737174008ac2be0e1293ea201abf2ccc3f0efea2d147fe10d7c9cca1348b80f937d2262b882c5d05e3e79a56e2ce9753bf46d66ba747aa4d00e6cfc32240dc8e34d54a3209b1f15691c9d2b9e24ada683038ad72c88448ded75e9cb840d88cc25095c26b5e0487f0a85e88254c1723d8984e0b194f55f7ade9f044f2b4ff363bfa355051ca2aa34d045983fcf77dffeeda26173c41546ccf83174adacbaa4dbe96dd05762773ae45ea1f203106d7763eb0b1dbfda5a6dfd001f1df83de4a269993f0bd011123ea518b172cfe1b9c6cf8be16bfc39acd2defcfd56318f631f044d5b18295ee7e9f31804f2a4d59403e3274a5d4803522aaf095b53e100ddcfef611dae6f0b3fe0fd14e80af57e8daa9b5819e81ac1cacd2e8215cc27ebb695befa8ca895ad153dedc1a0ec396b8d4229203b63d8d6fb7276c8f7638f64cdaa847a2d6d13fb77d381bc0b652c4cf2ece27d8740e3c616330151dd5721931db6e10760dc149651d7821e7f3300d1354357aa8a48cd392c4d82524b36e6c3c4242a9f5d7a67883123e4e23374e2814727c05dd041d951f8ae8d0c0880b75611ed2a81a4cd47aabeea460a40c7531cbf802371c125487f898d419eff10b31ab71096992a070910d4d0203010001a37b307930120603551d130101ff040830060101ff020100300e0603551d0f0101ff040403020204301d0603551d0e041604140b00a3a5c4bff14800215b59f823193d2e30a8fd301f0603551d230418301680140b00a3a5c4bff14800215b59f823193d2e30a8fd30130603551d25040c300a06082b06010505070308300d06092a864886f70d01010b050003820201009bddb07c2e9e73474e200ba07251fc3a70f3b77d08ec13d676e666161d495aa7e13df8bed9fb3e2bca7590eaa10e1066f13f671a317611dec21548954d28293ea5061b6b3f0a8c68e56ad06cb161e3085dd59485fab51cae17194b6ac018755f824690888776bd397ffea10b2170560118e61acbaed454e4e77b9d0b19785f12510a764a88c977e9b8d50f888169e66fb5c2c094b3d1b7ab0948d397b69b58dd59d796ca47e56888262b5772c27d23d2687694b5409bb10085b236ba2aa4c4f752f61ea1ea233ef682f3ef039895d67309c16223256e518e783871bd306403b86fe1b4df4e3a783951d4b6cdc2064eda6d108f7cb899411d0d66d670842586022abcf36fdafabb9d7fed0a746ea0a91f92e639f75180e61805c169b8d4261e8dbe6e6ea5e469cb1fc45d2fcb1d5d89a1cb252f73985faa14264aa06a89bbc6d64525a90f3ae4338723902bd0c0a9f54e19c602b28de9cc7439fa5e223360ee38d877eda5955659b3cf1bcf3a19b3035ff185ae30711662ef1896ec5e2a38cd44de3c38e737f6481ba49bf19d61398d9ac2004ee9f1b09b45a039397da029fef45edc40d39e58ff044746f6ceb0f3650eb24e0d1f3d96f707aef4b207333d72295a2ef841d14bcd23a741659c78984d248a56fd787321d2b4f7bd7ea4a863088e64ee2915c221fab1decb0ffa71c60b9a5bb8ece6cb150f73584cb23a7a3091e9	VirtualBox-7.0.2-154219-Win(1).exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43	VirtualBox-7.0.2-154219-Win(1).exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1460	msiexec.exe
1460	msiexec.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1360	VirtualBox-7.0.2-154219-Win(1).exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
464	Process not Found
464	Process not Found

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1360	VirtualBox-7.0.2-154219-Win(1).exe
Token: SeIncreaseQuotaPrivilege	1360	VirtualBox-7.0.2-154219-Win(1).exe
Token: SeRestorePrivilege	1460	msiexec.exe
Token: SeTakeOwnershipPrivilege	1460	msiexec.exe
Token: SeSecurityPrivilege	1460	msiexec.exe
Token: SeCreateTokenPrivilege	1360	VirtualBox-7.0.2-154219-Win(1).exe
Token: SeAssignPrimaryTokenPrivilege	1360	VirtualBox-7.0.2-154219-Win(1).exe
Token: SeLockMemoryPrivilege	1360	VirtualBox-7.0.2-154219-Win(1).exe
Token: SeIncreaseQuotaPrivilege	1360	VirtualBox-7.0.2-154219-Win(1).exe
Token: SeMachineAccountPrivilege	1360	VirtualBox-7.0.2-154219-Win(1).exe
Token: SeTcbPrivilege	1360	VirtualBox-7.0.2-154219-Win(1).exe
Token: SeSecurityPrivilege	1360	VirtualBox-7.0.2-154219-Win(1).exe
Token: SeTakeOwnershipPrivilege	1360	VirtualBox-7.0.2-154219-Win(1).exe
Token: SeLoadDriverPrivilege	1360	VirtualBox-7.0.2-154219-Win(1).exe
Token: SeSystemProfilePrivilege	1360	VirtualBox-7.0.2-154219-Win(1).exe
Token: SeSystemtimePrivilege	1360	VirtualBox-7.0.2-154219-Win(1).exe
Token: SeProfSingleProcessPrivilege	1360	VirtualBox-7.0.2-154219-Win(1).exe
Token: SeIncBasePriorityPrivilege	1360	VirtualBox-7.0.2-154219-Win(1).exe
Token: SeCreatePagefilePrivilege	1360	VirtualBox-7.0.2-154219-Win(1).exe
Token: SeCreatePermanentPrivilege	1360	VirtualBox-7.0.2-154219-Win(1).exe
Token: SeBackupPrivilege	1360	VirtualBox-7.0.2-154219-Win(1).exe
Token: SeRestorePrivilege	1360	VirtualBox-7.0.2-154219-Win(1).exe
Token: SeShutdownPrivilege	1360	VirtualBox-7.0.2-154219-Win(1).exe
Token: SeDebugPrivilege	1360	VirtualBox-7.0.2-154219-Win(1).exe
Token: SeAuditPrivilege	1360	VirtualBox-7.0.2-154219-Win(1).exe
Token: SeSystemEnvironmentPrivilege	1360	VirtualBox-7.0.2-154219-Win(1).exe
Token: SeChangeNotifyPrivilege	1360	VirtualBox-7.0.2-154219-Win(1).exe
Token: SeRemoteShutdownPrivilege	1360	VirtualBox-7.0.2-154219-Win(1).exe
Token: SeUndockPrivilege	1360	VirtualBox-7.0.2-154219-Win(1).exe
Token: SeSyncAgentPrivilege	1360	VirtualBox-7.0.2-154219-Win(1).exe
Token: SeEnableDelegationPrivilege	1360	VirtualBox-7.0.2-154219-Win(1).exe
Token: SeManageVolumePrivilege	1360	VirtualBox-7.0.2-154219-Win(1).exe
Token: SeImpersonatePrivilege	1360	VirtualBox-7.0.2-154219-Win(1).exe
Token: SeCreateGlobalPrivilege	1360	VirtualBox-7.0.2-154219-Win(1).exe
Token: SeCreateTokenPrivilege	1360	VirtualBox-7.0.2-154219-Win(1).exe
Token: SeAssignPrimaryTokenPrivilege	1360	VirtualBox-7.0.2-154219-Win(1).exe
Token: SeLockMemoryPrivilege	1360	VirtualBox-7.0.2-154219-Win(1).exe
Token: SeIncreaseQuotaPrivilege	1360	VirtualBox-7.0.2-154219-Win(1).exe
Token: SeMachineAccountPrivilege	1360	VirtualBox-7.0.2-154219-Win(1).exe
Token: SeTcbPrivilege	1360	VirtualBox-7.0.2-154219-Win(1).exe
Token: SeSecurityPrivilege	1360	VirtualBox-7.0.2-154219-Win(1).exe
Token: SeTakeOwnershipPrivilege	1360	VirtualBox-7.0.2-154219-Win(1).exe
Token: SeLoadDriverPrivilege	1360	VirtualBox-7.0.2-154219-Win(1).exe
Token: SeSystemProfilePrivilege	1360	VirtualBox-7.0.2-154219-Win(1).exe
Token: SeSystemtimePrivilege	1360	VirtualBox-7.0.2-154219-Win(1).exe
Token: SeProfSingleProcessPrivilege	1360	VirtualBox-7.0.2-154219-Win(1).exe
Token: SeIncBasePriorityPrivilege	1360	VirtualBox-7.0.2-154219-Win(1).exe
Token: SeCreatePagefilePrivilege	1360	VirtualBox-7.0.2-154219-Win(1).exe
Token: SeCreatePermanentPrivilege	1360	VirtualBox-7.0.2-154219-Win(1).exe
Token: SeBackupPrivilege	1360	VirtualBox-7.0.2-154219-Win(1).exe
Token: SeRestorePrivilege	1360	VirtualBox-7.0.2-154219-Win(1).exe
Token: SeShutdownPrivilege	1360	VirtualBox-7.0.2-154219-Win(1).exe
Token: SeDebugPrivilege	1360	VirtualBox-7.0.2-154219-Win(1).exe
Token: SeAuditPrivilege	1360	VirtualBox-7.0.2-154219-Win(1).exe
Token: SeSystemEnvironmentPrivilege	1360	VirtualBox-7.0.2-154219-Win(1).exe
Token: SeChangeNotifyPrivilege	1360	VirtualBox-7.0.2-154219-Win(1).exe
Token: SeRemoteShutdownPrivilege	1360	VirtualBox-7.0.2-154219-Win(1).exe
Token: SeUndockPrivilege	1360	VirtualBox-7.0.2-154219-Win(1).exe
Token: SeSyncAgentPrivilege	1360	VirtualBox-7.0.2-154219-Win(1).exe
Token: SeEnableDelegationPrivilege	1360	VirtualBox-7.0.2-154219-Win(1).exe
Token: SeManageVolumePrivilege	1360	VirtualBox-7.0.2-154219-Win(1).exe
Token: SeImpersonatePrivilege	1360	VirtualBox-7.0.2-154219-Win(1).exe
Token: SeCreateGlobalPrivilege	1360	VirtualBox-7.0.2-154219-Win(1).exe
Token: SeCreateTokenPrivilege	1360	VirtualBox-7.0.2-154219-Win(1).exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1360	VirtualBox-7.0.2-154219-Win(1).exe
1360	VirtualBox-7.0.2-154219-Win(1).exe

Suspicious use of WriteProcessMemory 25 IoCs

description	pid	Process	procid_target
PID 1460 wrote to memory of 1724	1460	msiexec.exe	29
PID 1460 wrote to memory of 1724	1460	msiexec.exe	29
PID 1460 wrote to memory of 1724	1460	msiexec.exe	29
PID 1460 wrote to memory of 1724	1460	msiexec.exe	29
PID 1460 wrote to memory of 1724	1460	msiexec.exe	29
PID 1460 wrote to memory of 1108	1460	msiexec.exe	33
PID 1460 wrote to memory of 1108	1460	msiexec.exe	33
PID 1460 wrote to memory of 1108	1460	msiexec.exe	33
PID 1460 wrote to memory of 1108	1460	msiexec.exe	33
PID 1460 wrote to memory of 1108	1460	msiexec.exe	33
PID 1460 wrote to memory of 1776	1460	msiexec.exe	34
PID 1460 wrote to memory of 1776	1460	msiexec.exe	34
PID 1460 wrote to memory of 1776	1460	msiexec.exe	34
PID 1460 wrote to memory of 1776	1460	msiexec.exe	34
PID 1460 wrote to memory of 1776	1460	msiexec.exe	34
PID 1460 wrote to memory of 1776	1460	msiexec.exe	34
PID 1460 wrote to memory of 1776	1460	msiexec.exe	34
PID 1460 wrote to memory of 1664	1460	msiexec.exe	35
PID 1460 wrote to memory of 1664	1460	msiexec.exe	35
PID 1460 wrote to memory of 1664	1460	msiexec.exe	35
PID 1460 wrote to memory of 1664	1460	msiexec.exe	35
PID 1460 wrote to memory of 1664	1460	msiexec.exe	35
PID 1308 wrote to memory of 1920	1308	DrvInst.exe	37
PID 1308 wrote to memory of 1920	1308	DrvInst.exe	37
PID 1308 wrote to memory of 1920	1308	DrvInst.exe	37

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\VirtualBox-7.0.2-154219-Win(1).exe
"C:\Users\Admin\AppData\Local\Temp\VirtualBox-7.0.2-154219-Win(1).exe"
1⤵
- Enumerates connected drives
- Modifies system certificate store
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1360

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1460
- C:\Windows\system32\MsiExec.exe
  C:\Windows\system32\MsiExec.exe -Embedding 2729D44EC946D9A743B1FEA0715F1CBA C
  2⤵
  - Loads dropped DLL
  PID:1724
- C:\Windows\system32\MsiExec.exe
  C:\Windows\system32\MsiExec.exe -Embedding 76B7247D47DF91F15A0EE95C63A7DE5E
  2⤵
  - Loads dropped DLL
  PID:1108
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 0547A8E11BAD15C08CD79253C451E2DC
  2⤵
  - Loads dropped DLL
  PID:1776
- C:\Windows\system32\MsiExec.exe
  C:\Windows\system32\MsiExec.exe -Embedding 032738173429ADB6CFA76E8566829FDC M Global\MSI0000
  2⤵
  - Drops file in Drivers directory
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Loads dropped DLL
  - Modifies data under HKEY_USERS
  PID:1664

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:948

C:\Windows\system32\DrvInst.exe
DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000004A0" "0000000000000328"
1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:1172

C:\Windows\system32\DrvInst.exe
DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{5cb9c5f2-b525-6c43-167b-612264918e10}\VBoxUSB.inf" "9" "66237d90b" "0000000000000574" "WinSta0\Default" "00000000000005A4" "208" "C:\Program Files\Oracle\VirtualBox\drivers\USB\device"
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:1308
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Windows\system32\pnpui.dll,InstallSecurityPromptRunDllW 20 Global\{06e9a89a-66f5-3fb9-8a4d-7039ef249203} Global\{42b67609-2735-3222-4c2f-4e48023e9979} C:\Windows\System32\DriverStore\Temp\{6477af34-0000-1948-5d10-210ae3e0f302}\VBoxUSB.inf C:\Windows\System32\DriverStore\Temp\{6477af34-0000-1948-5d10-210ae3e0f302}\VBoxUSB.cat
  2⤵
  - Modifies data under HKEY_USERS
  PID:1920

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~1\Oracle\VIRTUA~1\drivers\USB\device\VBoxUSB.sys

Filesize
184KB

MD5
b684e5150d954888718a2018e6bd03d8

SHA1
554d38375a7c0075f1d7bbebb1f390caadbf7e62

SHA256
26e00f8da64445a0f511e79cb71afdd172e629fb8a6b454b7c15707691aa366d

SHA512
26f368abee9e4eb0866c157f3a90369d11e205f3cb2080d68128766676dec7c1c1fe3aa61106d0f1cd7551f5d8798ed57235d9b7079db7c7a0f19bc737257c51

Download Submit
C:\Program Files\Oracle\VirtualBox\drivers\USB\device\VBoxUSB.cat

Filesize
18KB

MD5
ef690f380caa4a3d330ba5a0f74ed24c

SHA1
0323b7533372a8be1aa834186e30b4b6733ea8a7

SHA256
a6f40a6d7d64f0b2d192df5829bd21e6ad9cd2e7527a500931039831bdd7fb80

SHA512
6f46669bb172d7bd357324ce3458ae5fbad9163f78c49582fb3a59483bec5523ec62ecb2929c0e1ce87e8a2e500ef83e7092e1e736aa8e47a4c1fc5b8836136b

Download Submit
C:\Program Files\Oracle\VirtualBox\drivers\USB\device\VBoxUSB.inf

Filesize
2KB

MD5
cd6c6347523eb274e0666c617939c6c0

SHA1
f7afc7271ee0b2e5b088bcf58266e8806680ebcf

SHA256
9577df2b810593f32f7923c59967a42c32b9da2fb5dff09a947d3be67c4b658b

SHA512
4292bc35da1c49d9c25c7a56bac426b722b698589e2a2821e63e2e26bd863e6167804c2fae4749fdc9403f822fb02dbba542c0b0dfa4ddc0182d21631d3930b6

Download Submit
C:\Program Files\Oracle\VirtualBox\drivers\USB\filter\VBoxUSBMon.cat

Filesize
18KB

MD5
c11c7c35b52a93f158a676a62f891756

SHA1
f9f4ff4cc19551feafb22e1b6746b0a027525367

SHA256
aaea46f684d619ce878e716778f9af28c48dff42def0bb8a29b4d238b8c9f9be

SHA512
58817d66aa6e39ada73ee0167a97affba2b55849da6d9f78f2d2613694c53a0d938bb4dcab48bc25bf5ae58b3d4d7d2fcfd653e409fea4175fa99eeaf97b8c84

Download Submit
C:\Program Files\Oracle\VirtualBox\drivers\USB\filter\VBoxUSBMon.inf

Filesize
3KB

MD5
c927a76eada8569536942d56242d10b2

SHA1
b93872bd9619bcb5e1e600a7f8c55223b3a5bd70

SHA256
22a06ae8b3784f8c86b8bfcf271172b521257ca4731c26f22939f0a4dbae9342

SHA512
e4aed508cd3499e2d20ebb1d134bb49f0f4d27a65909cec3f4d8c682373cdbea426e3a3a24aa9eed7014592789b4e902eb9e7d5b1eb3c2d6dfd5cfe078e3d29e

Download Submit
C:\Program Files\Oracle\VirtualBox\drivers\USB\filter\VBoxUSBMon.sys

Filesize
199KB

MD5
64f4f79854480e0ef3455554c55358f4

SHA1
88e86152c5684f28944785c5c4e47f9d72252901

SHA256
c691c59f9cba7b101df5f784abbd9dc6111b68b9dd565a5fb7c0b98f9ab0541f

SHA512
f209e811fff911c6aba697da62ef521873e8276a117ead6bf18f84d6005379d52962428f848021c7151b551dbf3a9715d4bd54072512815720c39c33af8d3966

Download Submit
C:\Program Files\Oracle\VirtualBox\drivers\vboxsup\VBoxSup.cat

Filesize
18KB

MD5
0f1ee0df8e86c32bba29debbce4372c1

SHA1
7177f232a65269d60fff7ac9212120603e78ad19

SHA256
c4aa8061c68c9a72afffa630a575de527cd5e1f5c5c025834fc6f4d5c35ea4bd

SHA512
62fe9a0963c5b19e685b7673153e4c1e2533d996fd159f98bf93155b22912f83182e7b692ef58e5e901d5dee24644ab5f2a00155248c1e1e1dcaf56f0b4769dc

Download Submit
C:\Program Files\Oracle\VirtualBox\drivers\vboxsup\VBoxSup.inf

Filesize
3KB

MD5
c84bdfcb974cad4c6a5daa26a1441f88

SHA1
6c6a8e73ea7707db6f678d94fc3e38c1537f8b6e

SHA256
db0c3a11942d40f18de8c65d1dab9e181ea1c4ce9b29fb2cd14c1282c6505243

SHA512
9f69c2545d4272685c364e0407dd6351e91a2cee79be1df7594b28282c2c23c1070f862ddd90f2787a01f4fc2c3f2e8ca17f6918e83fd382c971b8bd3307a458

Download Submit
C:\Program Files\Oracle\VirtualBox\drivers\vboxsup\VBoxSup.sys

Filesize
1.0MB

MD5
ebda1cf43e71f6e2fc0eca19a181a3d9

SHA1
61991dbfb7bf3a6bd7491251de77f2ad0306e9a4

SHA256
15c1b6aa1987e5cc86796bbcf12e577d7cb1b330dad057ecf78f898b7f0128a1

SHA512
5e4ec77c2b9d8c725d566b4aeef57cb4591277b83b3aad563c2fb99875ce26214efa4fdc8da1ab066866c3b29e8f7f873e31207e264f30654f448f89da562115

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\42B9A473B4DAF01285A36B4D3C7B1662_178C086B699FD6C56B804AF3EF759CB5

Filesize
471B

MD5
ad63784f3463d13edf171dd01bc67a2f

SHA1
ab60502c53ed7bf30af3fe118b6c2b86024417d7

SHA256
4983b22db79b2c0214532a448d66424fba5fa77e46e00cb4a4faa3a3592b4e8e

SHA512
579c4a96bdf2a2f11d1aeb309f5118dbe6fba30e61c2675b02649ca08fe7e57ec971dadc5b4ce0401e043f2dbe7fa763a40240bb5dee8c7025821965bbbfed46

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\66AE3BFDF94A732B262342AD2154B86E_683B8EA584E734D2258F215F97D5554B

Filesize
471B

MD5
86c63b5d046ac12fb446a7eac3248d42

SHA1
f1f8397cb6929ea89a98c932b9c734dc94a7eec8

SHA256
2257315cbddd4ab286933193499884bed4dd79322e8ae8a70b40c947967ad065

SHA512
15b00944714acb1a01e69fb13c71ec6911f985bd7f9a9fc037393b4633f1cc533c25d6b4df50d9637f337c0bcd218c516fc3369e612120b0e319a121c373158a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
62KB

MD5
3ac860860707baaf32469fa7cc7c0192

SHA1
c33c2acdaba0e6fa41fd2f00f186804722477639

SHA256
d015145d551ecd14916270efad773bbc9fd57fad2228d2c24559f696c961d904

SHA512
d62ad2408c969a95550fb87efda50f988770ba5e39972041bf85924275baf156b8bec309ecc6409e5acdd37ec175dea40eff921ab58933b5b5b5d35a6147567c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
62KB

MD5
3ac860860707baaf32469fa7cc7c0192

SHA1
c33c2acdaba0e6fa41fd2f00f186804722477639

SHA256
d015145d551ecd14916270efad773bbc9fd57fad2228d2c24559f696c961d904

SHA512
d62ad2408c969a95550fb87efda50f988770ba5e39972041bf85924275baf156b8bec309ecc6409e5acdd37ec175dea40eff921ab58933b5b5b5d35a6147567c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\42B9A473B4DAF01285A36B4D3C7B1662_178C086B699FD6C56B804AF3EF759CB5

Filesize
404B

MD5
d12b65614244a04a4b3541d8395b4565

SHA1
02a78c531aad827b78d9ec9368c4aadcf3ae2baa

SHA256
c545c7eccb233780af54224718baf610f8d62b9d5d9c8c8c2a080fdcd317fb4f

SHA512
56b7f950d74ea54b2a049a199eda3e5b07d198f43dbed203e7cf0f47244fb4714ac346980b17c67313264c99d379c9e34488e63401f79510b80767db4066650b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\66AE3BFDF94A732B262342AD2154B86E_683B8EA584E734D2258F215F97D5554B

Filesize
404B

MD5
6fa4f289b22536a8174aadd327a42a7e

SHA1
b944bed1113276d190f205696a976fc38112abc0

SHA256
82a37540dd7618da68d7a635a6bcf8e5a772107915f9059fb5f2f0fc3b37e368

SHA512
16a8aaa315d3207af7953c91f33a924ec7586427e7f8490b97b012af3879f144b6a57cfb0b47d82b1b135be3d780abc36b255d30afbd8153e81e01a92fd46f0d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
41859d7c98e6c1d9ef617f261381f948

SHA1
6b0d90425fb2c59b5d2c3f0e0850e57836055cfa

SHA256
ab561f660c003a9c2f5b19f768315659ae6919190a2f89a68784674959a801f1

SHA512
9a7f42b56c81b37810bec0d6138b5ea01490d4700f4005ed67df274a71df3d3d50df755ff958ceb33b9f69f95c30c3091b983149a6f45de3b903ca2df497c576

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
e063f66278d1bed0d1dbb8f0c7977e9e

SHA1
3ba33420201095e2e48bf2b2ad6a40fdf4c9efda

SHA256
0fc35e155afa98f66f6c255fa3cb29ee5c36b0c74686ba1980689f9cd1f1b37e

SHA512
18c1e05b669fc6123098db816b87d3770c708919a607c3392c6666da6c5d4a3c49d882ca4dbf90ef6ca25aeedb9d86cc1114f256299083b1930251cb9144f401

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab1577.tmp

Filesize
29KB

MD5
d59a6b36c5a94916241a3ead50222b6f

SHA1
e274e9486d318c383bc4b9812844ba56f0cff3c6

SHA256
a38d01d3f024e626d579cf052ac3bd4260bb00c34bc6085977a5f4135ab09b53

SHA512
17012307955fef045e7c13bf0613bd40df27c29778ba6572640b76c18d379e02dc478e855c9276737363d0ad09b9a94f2adaa85da9c77ebb3c2d427aa68e2489

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab33EF.tmp

Filesize
61KB

MD5
fc4666cbca561e864e7fdf883a9e6661

SHA1
2f8d6094c7a34bf12ea0bbf0d51ee9c5bb7939a5

SHA256
10f3deb6c452d749a7451b5d065f4c0449737e5ee8a44f4d15844b503141e65b

SHA512
c71f54b571e01f247f072be4bbebdf5d8410b67eb79a61e7e0d9853fe857ab9bd12f53e6af3394b935560178107291fc4be351b27deb388eba90ba949633d57d

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI4771.tmp

Filesize
297KB

MD5
0520c53c6b3c32f59ca1463545ca2e00

SHA1
9991a1173ddf366b7ac361dab6c2e033b44fa8f1

SHA256
811ecb9409b347854bd70e5528a74b4706a8657151a8aea162982f12dd370a5b

SHA512
db2edc4be3cc82410de6e50eb01d3b46cd6c82566916907fa609c0dc7b3696b9bb667d8e9b87f35a1a6053c30bb8e1ff803b185cf76ce06d2fb9bebab346e710

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI486C.tmp

Filesize
297KB

MD5
0520c53c6b3c32f59ca1463545ca2e00

SHA1
9991a1173ddf366b7ac361dab6c2e033b44fa8f1

SHA256
811ecb9409b347854bd70e5528a74b4706a8657151a8aea162982f12dd370a5b

SHA512
db2edc4be3cc82410de6e50eb01d3b46cd6c82566916907fa609c0dc7b3696b9bb667d8e9b87f35a1a6053c30bb8e1ff803b185cf76ce06d2fb9bebab346e710

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI4B2B.tmp

Filesize
297KB

MD5
0520c53c6b3c32f59ca1463545ca2e00

SHA1
9991a1173ddf366b7ac361dab6c2e033b44fa8f1

SHA256
811ecb9409b347854bd70e5528a74b4706a8657151a8aea162982f12dd370a5b

SHA512
db2edc4be3cc82410de6e50eb01d3b46cd6c82566916907fa609c0dc7b3696b9bb667d8e9b87f35a1a6053c30bb8e1ff803b185cf76ce06d2fb9bebab346e710

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI4B2B.tmp

Filesize
297KB

MD5
0520c53c6b3c32f59ca1463545ca2e00

SHA1
9991a1173ddf366b7ac361dab6c2e033b44fa8f1

SHA256
811ecb9409b347854bd70e5528a74b4706a8657151a8aea162982f12dd370a5b

SHA512
db2edc4be3cc82410de6e50eb01d3b46cd6c82566916907fa609c0dc7b3696b9bb667d8e9b87f35a1a6053c30bb8e1ff803b185cf76ce06d2fb9bebab346e710

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI4B99.tmp

Filesize
297KB

MD5
0520c53c6b3c32f59ca1463545ca2e00

SHA1
9991a1173ddf366b7ac361dab6c2e033b44fa8f1

SHA256
811ecb9409b347854bd70e5528a74b4706a8657151a8aea162982f12dd370a5b

SHA512
db2edc4be3cc82410de6e50eb01d3b46cd6c82566916907fa609c0dc7b3696b9bb667d8e9b87f35a1a6053c30bb8e1ff803b185cf76ce06d2fb9bebab346e710

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar158A.tmp

Filesize
81KB

MD5
b13f51572f55a2d31ed9f266d581e9ea

SHA1
7eef3111b878e159e520f34410ad87adecf0ca92

SHA256
725980edc240c928bec5a5f743fdabeee1692144da7091cf836dc7d0997cef15

SHA512
f437202723b2817f2fef64b53d4eb67f782bdc61884c0c1890b46deca7ca63313ee2ad093428481f94edfcecd9c77da6e72b604998f7d551af959dbd6915809c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar3421.tmp

Filesize
161KB

MD5
73b4b714b42fc9a6aaefd0ae59adb009

SHA1
efdaffd5b0ad21913d22001d91bf6c19ecb4ac41

SHA256
c0cf8cc04c34b5b80a2d86ad0eafb2dd71436f070c86b0321fba0201879625fd

SHA512
73af3c51b15f89237552b1718bef21fd80788fa416bab2cb2e7fb3a60d56249a716eda0d2dd68ab643752272640e7eaaaf57ce64bcb38373ddc3d035fb8d57cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar4462.tmp

Filesize
164KB

MD5
4ff65ad929cd9a367680e0e5b1c08166

SHA1
c0af0d4396bd1f15c45f39d3b849ba444233b3a2

SHA256
c8733c93cc5aaf5ca206d06af22ee8dbdec764fb5085019a6a9181feb9dfdee6

SHA512
f530dc0d024a5a3b8903ffaaa41b608a5ccdd6da4ba1949f2c2e55a9fca475fec5c8d2119b5763cabe7ef1c3788fb9dcac621869db51d65b1d83cfe404fb4c27

Download Submit
C:\Users\Admin\AppData\Local\Temp\axk73suwamkhlb11cl01dyoc\slgpvbxuji8xcgu4hurw18py.msi

Filesize
104.4MB

MD5
545e2bb954f4791292bfc34a3cce9804

SHA1
630aa38b5b826b20264d281a7037299db4d42faf

SHA256
c7ad5a63e966d856ab37d0c903d151bc7db949a22e7c1a406eb2419b2abbcfaa

SHA512
730d902886b22f45ea323f2b353d04fe642da92c64f52469745b17454992857b371b49d1afbd32e51b0f41ecebeea41a1af5b3942923429e2a9989e030181870

Download Submit
C:\Users\Admin\AppData\Local\Temp\axk73suwamkhlb11cl01dyoc\slgpvbxuji8xcgu4hurw18py.msi

Filesize
104.4MB

MD5
545e2bb954f4791292bfc34a3cce9804

SHA1
630aa38b5b826b20264d281a7037299db4d42faf

SHA256
c7ad5a63e966d856ab37d0c903d151bc7db949a22e7c1a406eb2419b2abbcfaa

SHA512
730d902886b22f45ea323f2b353d04fe642da92c64f52469745b17454992857b371b49d1afbd32e51b0f41ecebeea41a1af5b3942923429e2a9989e030181870

Download Submit
C:\Users\Admin\AppData\Local\Temp\{5CB9C~1\VBoxUSB.sys

Filesize
184KB

MD5
b684e5150d954888718a2018e6bd03d8

SHA1
554d38375a7c0075f1d7bbebb1f390caadbf7e62

SHA256
26e00f8da64445a0f511e79cb71afdd172e629fb8a6b454b7c15707691aa366d

SHA512
26f368abee9e4eb0866c157f3a90369d11e205f3cb2080d68128766676dec7c1c1fe3aa61106d0f1cd7551f5d8798ed57235d9b7079db7c7a0f19bc737257c51

Download Submit
C:\Users\Admin\AppData\Local\Temp\{5cb9c5f2-b525-6c43-167b-612264918e10}\VBoxUSB.cat

Filesize
18KB

MD5
ef690f380caa4a3d330ba5a0f74ed24c

SHA1
0323b7533372a8be1aa834186e30b4b6733ea8a7

SHA256
a6f40a6d7d64f0b2d192df5829bd21e6ad9cd2e7527a500931039831bdd7fb80

SHA512
6f46669bb172d7bd357324ce3458ae5fbad9163f78c49582fb3a59483bec5523ec62ecb2929c0e1ce87e8a2e500ef83e7092e1e736aa8e47a4c1fc5b8836136b

Download Submit
C:\Users\Admin\AppData\Local\Temp\{5cb9c5f2-b525-6c43-167b-612264918e10}\VBoxUSB.inf

Filesize
2KB

MD5
cd6c6347523eb274e0666c617939c6c0

SHA1
f7afc7271ee0b2e5b088bcf58266e8806680ebcf

SHA256
9577df2b810593f32f7923c59967a42c32b9da2fb5dff09a947d3be67c4b658b

SHA512
4292bc35da1c49d9c25c7a56bac426b722b698589e2a2821e63e2e26bd863e6167804c2fae4749fdc9403f822fb02dbba542c0b0dfa4ddc0182d21631d3930b6

Download Submit
C:\Windows\Installer\MSI148.tmp

Filesize
297KB

MD5
0520c53c6b3c32f59ca1463545ca2e00

SHA1
9991a1173ddf366b7ac361dab6c2e033b44fa8f1

SHA256
811ecb9409b347854bd70e5528a74b4706a8657151a8aea162982f12dd370a5b

SHA512
db2edc4be3cc82410de6e50eb01d3b46cd6c82566916907fa609c0dc7b3696b9bb667d8e9b87f35a1a6053c30bb8e1ff803b185cf76ce06d2fb9bebab346e710

Download Submit
C:\Windows\Installer\MSI14A1.tmp

Filesize
690KB

MD5
8deb7d2f91c7392925718b3ba0aade22

SHA1
fc8e9b10c83e16eb0af1b6f10128f5c37b389682

SHA256
cb42fac1aebb6e1ac4907a38035b218b5f992d1bcd4dece11b1664a588e876e4

SHA512
37f2c132b632c8e5a336bdc773d953c7f39872b1bae2ba34fbaf7794a477fd0dcb9ff60a3ddb447fe76abd98e557bd5ee544876584adea152b0841b3e313054c

Download Submit
C:\Windows\Installer\MSI1B6.tmp

Filesize
211KB

MD5
a3ae5d86ecf38db9427359ea37a5f646

SHA1
eb4cb5ff520717038adadcc5e1ef8f7c24b27a90

SHA256
c8d190d5be1efd2d52f72a72ae9dfa3940ab3faceb626405959349654fe18b74

SHA512
96ecb3bc00848eeb2836e289ef7b7b2607d30790ffd1ae0e0acfc2e14f26a991c6e728b8dc67280426e478c70231f9e13f514e52c8ce7d956c1fad0e322d98e0

Download Submit
C:\Windows\Installer\MSI20B3.tmp

Filesize
690KB

MD5
8deb7d2f91c7392925718b3ba0aade22

SHA1
fc8e9b10c83e16eb0af1b6f10128f5c37b389682

SHA256
cb42fac1aebb6e1ac4907a38035b218b5f992d1bcd4dece11b1664a588e876e4

SHA512
37f2c132b632c8e5a336bdc773d953c7f39872b1bae2ba34fbaf7794a477fd0dcb9ff60a3ddb447fe76abd98e557bd5ee544876584adea152b0841b3e313054c

Download Submit
C:\Windows\Installer\MSI22C6.tmp

Filesize
690KB

MD5
8deb7d2f91c7392925718b3ba0aade22

SHA1
fc8e9b10c83e16eb0af1b6f10128f5c37b389682

SHA256
cb42fac1aebb6e1ac4907a38035b218b5f992d1bcd4dece11b1664a588e876e4

SHA512
37f2c132b632c8e5a336bdc773d953c7f39872b1bae2ba34fbaf7794a477fd0dcb9ff60a3ddb447fe76abd98e557bd5ee544876584adea152b0841b3e313054c

Download Submit
C:\Windows\Installer\MSI22C6.tmp

Filesize
690KB

MD5
8deb7d2f91c7392925718b3ba0aade22

SHA1
fc8e9b10c83e16eb0af1b6f10128f5c37b389682

SHA256
cb42fac1aebb6e1ac4907a38035b218b5f992d1bcd4dece11b1664a588e876e4

SHA512
37f2c132b632c8e5a336bdc773d953c7f39872b1bae2ba34fbaf7794a477fd0dcb9ff60a3ddb447fe76abd98e557bd5ee544876584adea152b0841b3e313054c

Download Submit
C:\Windows\Installer\MSI291.tmp

Filesize
297KB

MD5
0520c53c6b3c32f59ca1463545ca2e00

SHA1
9991a1173ddf366b7ac361dab6c2e033b44fa8f1

SHA256
811ecb9409b347854bd70e5528a74b4706a8657151a8aea162982f12dd370a5b

SHA512
db2edc4be3cc82410de6e50eb01d3b46cd6c82566916907fa609c0dc7b3696b9bb667d8e9b87f35a1a6053c30bb8e1ff803b185cf76ce06d2fb9bebab346e710

Download Submit
C:\Windows\Installer\MSI503.tmp

Filesize
149KB

MD5
418322f7be2b68e88a93a048ac75a757

SHA1
09739792ff1c30f73dacafbe503630615922b561

SHA256
ea5d4b4c7e7be1ce24a614ae1e31a58bcae6f1694dd8bfb735cf47d35a08d59b

SHA512
253f62f5ce75df3e9ac3c62e2f06f30c7c6de6280fbfc830cdd15bf29cb8ee9ed878212f6df5d0ac6a5c9be0e6259f900eccee472a890f15dd3ff1f84958aeef

Download Submit
C:\Windows\Installer\MSI5108.tmp

Filesize
690KB

MD5
8deb7d2f91c7392925718b3ba0aade22

SHA1
fc8e9b10c83e16eb0af1b6f10128f5c37b389682

SHA256
cb42fac1aebb6e1ac4907a38035b218b5f992d1bcd4dece11b1664a588e876e4

SHA512
37f2c132b632c8e5a336bdc773d953c7f39872b1bae2ba34fbaf7794a477fd0dcb9ff60a3ddb447fe76abd98e557bd5ee544876584adea152b0841b3e313054c

Download Submit
C:\Windows\Installer\MSI51F3.tmp

Filesize
690KB

MD5
8deb7d2f91c7392925718b3ba0aade22

SHA1
fc8e9b10c83e16eb0af1b6f10128f5c37b389682

SHA256
cb42fac1aebb6e1ac4907a38035b218b5f992d1bcd4dece11b1664a588e876e4

SHA512
37f2c132b632c8e5a336bdc773d953c7f39872b1bae2ba34fbaf7794a477fd0dcb9ff60a3ddb447fe76abd98e557bd5ee544876584adea152b0841b3e313054c

Download Submit
C:\Windows\Installer\MSI52FD.tmp

Filesize
690KB

MD5
8deb7d2f91c7392925718b3ba0aade22

SHA1
fc8e9b10c83e16eb0af1b6f10128f5c37b389682

SHA256
cb42fac1aebb6e1ac4907a38035b218b5f992d1bcd4dece11b1664a588e876e4

SHA512
37f2c132b632c8e5a336bdc773d953c7f39872b1bae2ba34fbaf7794a477fd0dcb9ff60a3ddb447fe76abd98e557bd5ee544876584adea152b0841b3e313054c

Download Submit
C:\Windows\Installer\MSI766.tmp

Filesize
297KB

MD5
0520c53c6b3c32f59ca1463545ca2e00

SHA1
9991a1173ddf366b7ac361dab6c2e033b44fa8f1

SHA256
811ecb9409b347854bd70e5528a74b4706a8657151a8aea162982f12dd370a5b

SHA512
db2edc4be3cc82410de6e50eb01d3b46cd6c82566916907fa609c0dc7b3696b9bb667d8e9b87f35a1a6053c30bb8e1ff803b185cf76ce06d2fb9bebab346e710

Download Submit
C:\Windows\Installer\MSI812.tmp

Filesize
297KB

MD5
0520c53c6b3c32f59ca1463545ca2e00

SHA1
9991a1173ddf366b7ac361dab6c2e033b44fa8f1

SHA256
811ecb9409b347854bd70e5528a74b4706a8657151a8aea162982f12dd370a5b

SHA512
db2edc4be3cc82410de6e50eb01d3b46cd6c82566916907fa609c0dc7b3696b9bb667d8e9b87f35a1a6053c30bb8e1ff803b185cf76ce06d2fb9bebab346e710

Download Submit
C:\Windows\Installer\MSID9.tmp

Filesize
297KB

MD5
0520c53c6b3c32f59ca1463545ca2e00

SHA1
9991a1173ddf366b7ac361dab6c2e033b44fa8f1

SHA256
811ecb9409b347854bd70e5528a74b4706a8657151a8aea162982f12dd370a5b

SHA512
db2edc4be3cc82410de6e50eb01d3b46cd6c82566916907fa609c0dc7b3696b9bb667d8e9b87f35a1a6053c30bb8e1ff803b185cf76ce06d2fb9bebab346e710

Download Submit
C:\Windows\Installer\MSIFDCC.tmp

Filesize
297KB

MD5
0520c53c6b3c32f59ca1463545ca2e00

SHA1
9991a1173ddf366b7ac361dab6c2e033b44fa8f1

SHA256
811ecb9409b347854bd70e5528a74b4706a8657151a8aea162982f12dd370a5b

SHA512
db2edc4be3cc82410de6e50eb01d3b46cd6c82566916907fa609c0dc7b3696b9bb667d8e9b87f35a1a6053c30bb8e1ff803b185cf76ce06d2fb9bebab346e710

Download Submit
C:\Windows\System32\DRVSTORE\VBoxSup_7177F232A65269D60FFF7AC9212120603E78AD19\VBoxSup.cat

Filesize
18KB

MD5
0f1ee0df8e86c32bba29debbce4372c1

SHA1
7177f232a65269d60fff7ac9212120603e78ad19

SHA256
c4aa8061c68c9a72afffa630a575de527cd5e1f5c5c025834fc6f4d5c35ea4bd

SHA512
62fe9a0963c5b19e685b7673153e4c1e2533d996fd159f98bf93155b22912f83182e7b692ef58e5e901d5dee24644ab5f2a00155248c1e1e1dcaf56f0b4769dc

Download Submit
C:\Windows\System32\DRVSTORE\VBoxSup_7177F232A65269D60FFF7AC9212120603E78AD19\VBoxSup.inf

Filesize
3KB

MD5
c84bdfcb974cad4c6a5daa26a1441f88

SHA1
6c6a8e73ea7707db6f678d94fc3e38c1537f8b6e

SHA256
db0c3a11942d40f18de8c65d1dab9e181ea1c4ce9b29fb2cd14c1282c6505243

SHA512
9f69c2545d4272685c364e0407dd6351e91a2cee79be1df7594b28282c2c23c1070f862ddd90f2787a01f4fc2c3f2e8ca17f6918e83fd382c971b8bd3307a458

Download Submit
C:\Windows\System32\DRVSTORE\VBoxSup_7177F232A65269D60FFF7AC9212120603E78AD19\VBoxSup.sys

Filesize
1.0MB

MD5
ebda1cf43e71f6e2fc0eca19a181a3d9

SHA1
61991dbfb7bf3a6bd7491251de77f2ad0306e9a4

SHA256
15c1b6aa1987e5cc86796bbcf12e577d7cb1b330dad057ecf78f898b7f0128a1

SHA512
5e4ec77c2b9d8c725d566b4aeef57cb4591277b83b3aad563c2fb99875ce26214efa4fdc8da1ab066866c3b29e8f7f873e31207e264f30654f448f89da562115

Download Submit
C:\Windows\System32\DRVSTORE\VBoxUSBMon_F9F4FF4CC19551FEAFB22E1B6746B0A027525367\VBoxUSBMon.cat

Filesize
18KB

MD5
c11c7c35b52a93f158a676a62f891756

SHA1
f9f4ff4cc19551feafb22e1b6746b0a027525367

SHA256
aaea46f684d619ce878e716778f9af28c48dff42def0bb8a29b4d238b8c9f9be

SHA512
58817d66aa6e39ada73ee0167a97affba2b55849da6d9f78f2d2613694c53a0d938bb4dcab48bc25bf5ae58b3d4d7d2fcfd653e409fea4175fa99eeaf97b8c84

Download Submit
C:\Windows\System32\DRVSTORE\VBoxUSBMon_F9F4FF4CC19551FEAFB22E1B6746B0A027525367\VBoxUSBMon.inf

Filesize
3KB

MD5
c927a76eada8569536942d56242d10b2

SHA1
b93872bd9619bcb5e1e600a7f8c55223b3a5bd70

SHA256
22a06ae8b3784f8c86b8bfcf271172b521257ca4731c26f22939f0a4dbae9342

SHA512
e4aed508cd3499e2d20ebb1d134bb49f0f4d27a65909cec3f4d8c682373cdbea426e3a3a24aa9eed7014592789b4e902eb9e7d5b1eb3c2d6dfd5cfe078e3d29e

Download Submit
C:\Windows\System32\DRVSTORE\VBoxUSBMon_F9F4FF4CC19551FEAFB22E1B6746B0A027525367\VBoxUSBMon.sys

Filesize
199KB

MD5
64f4f79854480e0ef3455554c55358f4

SHA1
88e86152c5684f28944785c5c4e47f9d72252901

SHA256
c691c59f9cba7b101df5f784abbd9dc6111b68b9dd565a5fb7c0b98f9ab0541f

SHA512
f209e811fff911c6aba697da62ef521873e8276a117ead6bf18f84d6005379d52962428f848021c7151b551dbf3a9715d4bd54072512815720c39c33af8d3966

Download Submit
C:\Windows\System32\DriverStore\Temp\{6477af34-0000-1948-5d10-210ae3e0f302}\SET2398.tmp

Filesize
18KB

MD5
ef690f380caa4a3d330ba5a0f74ed24c

SHA1
0323b7533372a8be1aa834186e30b4b6733ea8a7

SHA256
a6f40a6d7d64f0b2d192df5829bd21e6ad9cd2e7527a500931039831bdd7fb80

SHA512
6f46669bb172d7bd357324ce3458ae5fbad9163f78c49582fb3a59483bec5523ec62ecb2929c0e1ce87e8a2e500ef83e7092e1e736aa8e47a4c1fc5b8836136b

Download Submit
C:\Windows\System32\DriverStore\Temp\{6477af34-0000-1948-5d10-210ae3e0f302}\SET23A9.tmp

Filesize
2KB

MD5
cd6c6347523eb274e0666c617939c6c0

SHA1
f7afc7271ee0b2e5b088bcf58266e8806680ebcf

SHA256
9577df2b810593f32f7923c59967a42c32b9da2fb5dff09a947d3be67c4b658b

SHA512
4292bc35da1c49d9c25c7a56bac426b722b698589e2a2821e63e2e26bd863e6167804c2fae4749fdc9403f822fb02dbba542c0b0dfa4ddc0182d21631d3930b6

Download Submit
C:\Windows\System32\DriverStore\Temp\{6477af34-0000-1948-5d10-210ae3e0f302}\SET23AA.tmp

Filesize
184KB

MD5
b684e5150d954888718a2018e6bd03d8

SHA1
554d38375a7c0075f1d7bbebb1f390caadbf7e62

SHA256
26e00f8da64445a0f511e79cb71afdd172e629fb8a6b454b7c15707691aa366d

SHA512
26f368abee9e4eb0866c157f3a90369d11e205f3cb2080d68128766676dec7c1c1fe3aa61106d0f1cd7551f5d8798ed57235d9b7079db7c7a0f19bc737257c51

Download Submit
C:\Windows\System32\DriverStore\Temp\{6477af34-0000-1948-5d10-210ae3e0f302}\VBoxUSB.cat

Filesize
18KB

MD5
ef690f380caa4a3d330ba5a0f74ed24c

SHA1
0323b7533372a8be1aa834186e30b4b6733ea8a7

SHA256
a6f40a6d7d64f0b2d192df5829bd21e6ad9cd2e7527a500931039831bdd7fb80

SHA512
6f46669bb172d7bd357324ce3458ae5fbad9163f78c49582fb3a59483bec5523ec62ecb2929c0e1ce87e8a2e500ef83e7092e1e736aa8e47a4c1fc5b8836136b

Download Submit
C:\Windows\System32\DriverStore\Temp\{6477af34-0000-1948-5d10-210ae3e0f302}\VBoxUSB.inf

Filesize
2KB

MD5
cd6c6347523eb274e0666c617939c6c0

SHA1
f7afc7271ee0b2e5b088bcf58266e8806680ebcf

SHA256
9577df2b810593f32f7923c59967a42c32b9da2fb5dff09a947d3be67c4b658b

SHA512
4292bc35da1c49d9c25c7a56bac426b722b698589e2a2821e63e2e26bd863e6167804c2fae4749fdc9403f822fb02dbba542c0b0dfa4ddc0182d21631d3930b6

Download Submit
\Users\Admin\AppData\Local\Temp\MSI4771.tmp

Filesize
297KB

MD5
0520c53c6b3c32f59ca1463545ca2e00

SHA1
9991a1173ddf366b7ac361dab6c2e033b44fa8f1

SHA256
811ecb9409b347854bd70e5528a74b4706a8657151a8aea162982f12dd370a5b

SHA512
db2edc4be3cc82410de6e50eb01d3b46cd6c82566916907fa609c0dc7b3696b9bb667d8e9b87f35a1a6053c30bb8e1ff803b185cf76ce06d2fb9bebab346e710

Download Submit
\Users\Admin\AppData\Local\Temp\MSI486C.tmp

Filesize
297KB

MD5
0520c53c6b3c32f59ca1463545ca2e00

SHA1
9991a1173ddf366b7ac361dab6c2e033b44fa8f1

SHA256
811ecb9409b347854bd70e5528a74b4706a8657151a8aea162982f12dd370a5b

SHA512
db2edc4be3cc82410de6e50eb01d3b46cd6c82566916907fa609c0dc7b3696b9bb667d8e9b87f35a1a6053c30bb8e1ff803b185cf76ce06d2fb9bebab346e710

Download Submit
\Users\Admin\AppData\Local\Temp\MSI4B2B.tmp

Filesize
297KB

MD5
0520c53c6b3c32f59ca1463545ca2e00

SHA1
9991a1173ddf366b7ac361dab6c2e033b44fa8f1

SHA256
811ecb9409b347854bd70e5528a74b4706a8657151a8aea162982f12dd370a5b

SHA512
db2edc4be3cc82410de6e50eb01d3b46cd6c82566916907fa609c0dc7b3696b9bb667d8e9b87f35a1a6053c30bb8e1ff803b185cf76ce06d2fb9bebab346e710

Download Submit
\Users\Admin\AppData\Local\Temp\MSI4B99.tmp

Filesize
297KB

MD5
0520c53c6b3c32f59ca1463545ca2e00

SHA1
9991a1173ddf366b7ac361dab6c2e033b44fa8f1

SHA256
811ecb9409b347854bd70e5528a74b4706a8657151a8aea162982f12dd370a5b

SHA512
db2edc4be3cc82410de6e50eb01d3b46cd6c82566916907fa609c0dc7b3696b9bb667d8e9b87f35a1a6053c30bb8e1ff803b185cf76ce06d2fb9bebab346e710

Download Submit
\Windows\Installer\MSI148.tmp

Filesize
297KB

MD5
0520c53c6b3c32f59ca1463545ca2e00

SHA1
9991a1173ddf366b7ac361dab6c2e033b44fa8f1

SHA256
811ecb9409b347854bd70e5528a74b4706a8657151a8aea162982f12dd370a5b

SHA512
db2edc4be3cc82410de6e50eb01d3b46cd6c82566916907fa609c0dc7b3696b9bb667d8e9b87f35a1a6053c30bb8e1ff803b185cf76ce06d2fb9bebab346e710

Download Submit
\Windows\Installer\MSI14A1.tmp

Filesize
690KB

MD5
8deb7d2f91c7392925718b3ba0aade22

SHA1
fc8e9b10c83e16eb0af1b6f10128f5c37b389682

SHA256
cb42fac1aebb6e1ac4907a38035b218b5f992d1bcd4dece11b1664a588e876e4

SHA512
37f2c132b632c8e5a336bdc773d953c7f39872b1bae2ba34fbaf7794a477fd0dcb9ff60a3ddb447fe76abd98e557bd5ee544876584adea152b0841b3e313054c

Download Submit
\Windows\Installer\MSI1B6.tmp

Filesize
211KB

MD5
a3ae5d86ecf38db9427359ea37a5f646

SHA1
eb4cb5ff520717038adadcc5e1ef8f7c24b27a90

SHA256
c8d190d5be1efd2d52f72a72ae9dfa3940ab3faceb626405959349654fe18b74

SHA512
96ecb3bc00848eeb2836e289ef7b7b2607d30790ffd1ae0e0acfc2e14f26a991c6e728b8dc67280426e478c70231f9e13f514e52c8ce7d956c1fad0e322d98e0

Download Submit
\Windows\Installer\MSI20B3.tmp

Filesize
690KB

MD5
8deb7d2f91c7392925718b3ba0aade22

SHA1
fc8e9b10c83e16eb0af1b6f10128f5c37b389682

SHA256
cb42fac1aebb6e1ac4907a38035b218b5f992d1bcd4dece11b1664a588e876e4

SHA512
37f2c132b632c8e5a336bdc773d953c7f39872b1bae2ba34fbaf7794a477fd0dcb9ff60a3ddb447fe76abd98e557bd5ee544876584adea152b0841b3e313054c

Download Submit
\Windows\Installer\MSI22C6.tmp

Filesize
690KB

MD5
8deb7d2f91c7392925718b3ba0aade22

SHA1
fc8e9b10c83e16eb0af1b6f10128f5c37b389682

SHA256
cb42fac1aebb6e1ac4907a38035b218b5f992d1bcd4dece11b1664a588e876e4

SHA512
37f2c132b632c8e5a336bdc773d953c7f39872b1bae2ba34fbaf7794a477fd0dcb9ff60a3ddb447fe76abd98e557bd5ee544876584adea152b0841b3e313054c

Download Submit
\Windows\Installer\MSI291.tmp

Filesize
297KB

MD5
0520c53c6b3c32f59ca1463545ca2e00

SHA1
9991a1173ddf366b7ac361dab6c2e033b44fa8f1

SHA256
811ecb9409b347854bd70e5528a74b4706a8657151a8aea162982f12dd370a5b

SHA512
db2edc4be3cc82410de6e50eb01d3b46cd6c82566916907fa609c0dc7b3696b9bb667d8e9b87f35a1a6053c30bb8e1ff803b185cf76ce06d2fb9bebab346e710

Download Submit
\Windows\Installer\MSI503.tmp

Filesize
149KB

MD5
418322f7be2b68e88a93a048ac75a757

SHA1
09739792ff1c30f73dacafbe503630615922b561

SHA256
ea5d4b4c7e7be1ce24a614ae1e31a58bcae6f1694dd8bfb735cf47d35a08d59b

SHA512
253f62f5ce75df3e9ac3c62e2f06f30c7c6de6280fbfc830cdd15bf29cb8ee9ed878212f6df5d0ac6a5c9be0e6259f900eccee472a890f15dd3ff1f84958aeef

Download Submit
\Windows\Installer\MSI5108.tmp

Filesize
690KB

MD5
8deb7d2f91c7392925718b3ba0aade22

SHA1
fc8e9b10c83e16eb0af1b6f10128f5c37b389682

SHA256
cb42fac1aebb6e1ac4907a38035b218b5f992d1bcd4dece11b1664a588e876e4

SHA512
37f2c132b632c8e5a336bdc773d953c7f39872b1bae2ba34fbaf7794a477fd0dcb9ff60a3ddb447fe76abd98e557bd5ee544876584adea152b0841b3e313054c

Download Submit
\Windows\Installer\MSI51F3.tmp

Filesize
690KB

MD5
8deb7d2f91c7392925718b3ba0aade22

SHA1
fc8e9b10c83e16eb0af1b6f10128f5c37b389682

SHA256
cb42fac1aebb6e1ac4907a38035b218b5f992d1bcd4dece11b1664a588e876e4

SHA512
37f2c132b632c8e5a336bdc773d953c7f39872b1bae2ba34fbaf7794a477fd0dcb9ff60a3ddb447fe76abd98e557bd5ee544876584adea152b0841b3e313054c

Download Submit
\Windows\Installer\MSI52FD.tmp

Filesize
690KB

MD5
8deb7d2f91c7392925718b3ba0aade22

SHA1
fc8e9b10c83e16eb0af1b6f10128f5c37b389682

SHA256
cb42fac1aebb6e1ac4907a38035b218b5f992d1bcd4dece11b1664a588e876e4

SHA512
37f2c132b632c8e5a336bdc773d953c7f39872b1bae2ba34fbaf7794a477fd0dcb9ff60a3ddb447fe76abd98e557bd5ee544876584adea152b0841b3e313054c

Download Submit
\Windows\Installer\MSI766.tmp

Filesize
297KB

MD5
0520c53c6b3c32f59ca1463545ca2e00

SHA1
9991a1173ddf366b7ac361dab6c2e033b44fa8f1

SHA256
811ecb9409b347854bd70e5528a74b4706a8657151a8aea162982f12dd370a5b

SHA512
db2edc4be3cc82410de6e50eb01d3b46cd6c82566916907fa609c0dc7b3696b9bb667d8e9b87f35a1a6053c30bb8e1ff803b185cf76ce06d2fb9bebab346e710

Download Submit
\Windows\Installer\MSI812.tmp

Filesize
297KB

MD5
0520c53c6b3c32f59ca1463545ca2e00

SHA1
9991a1173ddf366b7ac361dab6c2e033b44fa8f1

SHA256
811ecb9409b347854bd70e5528a74b4706a8657151a8aea162982f12dd370a5b

SHA512
db2edc4be3cc82410de6e50eb01d3b46cd6c82566916907fa609c0dc7b3696b9bb667d8e9b87f35a1a6053c30bb8e1ff803b185cf76ce06d2fb9bebab346e710

Download Submit
\Windows\Installer\MSID9.tmp

Filesize
297KB

MD5
0520c53c6b3c32f59ca1463545ca2e00

SHA1
9991a1173ddf366b7ac361dab6c2e033b44fa8f1

SHA256
811ecb9409b347854bd70e5528a74b4706a8657151a8aea162982f12dd370a5b

SHA512
db2edc4be3cc82410de6e50eb01d3b46cd6c82566916907fa609c0dc7b3696b9bb667d8e9b87f35a1a6053c30bb8e1ff803b185cf76ce06d2fb9bebab346e710

Download Submit
\Windows\Installer\MSIFDCC.tmp

Filesize
297KB

MD5
0520c53c6b3c32f59ca1463545ca2e00

SHA1
9991a1173ddf366b7ac361dab6c2e033b44fa8f1

SHA256
811ecb9409b347854bd70e5528a74b4706a8657151a8aea162982f12dd370a5b

SHA512
db2edc4be3cc82410de6e50eb01d3b46cd6c82566916907fa609c0dc7b3696b9bb667d8e9b87f35a1a6053c30bb8e1ff803b185cf76ce06d2fb9bebab346e710

Download Submit
memory/1920-651-0x00000000022A0000-0x00000000022A1000-memory.dmp

Filesize
4KB

Download