4c83894c00aa9f55f7e0f70807210896ba32e1222d4ff1d0b9487af81f328f36

Analysis

max time kernel
252s
max time network
160s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
07-07-2024 12:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

VirtualBox-7.0.18-162988-Win.exe
Size

104.6MB
MD5

6a046a57ca3dd222d8bf1410b8172f81
SHA1

49888a74780ac09ab6ec99bbcca5950890e5a227
SHA256

4c83894c00aa9f55f7e0f70807210896ba32e1222d4ff1d0b9487af81f328f36
SHA512

cb19129d62253bde686618cba40449ed05d5435ae11dbbb83ebc9a1b308fc7e9387cb964cb4cf26e91d7e38b9e8b75ebcb5de8039379986bf95cc77456a65a4b
SSDEEP

3145728:aTdp/Gww7IEwmuQYIuSwHn9B4mzL8M6Wfwf:aFw70RQYIfwM6Q7+wf

Score

8^/10

Malware Config

Signatures

Drops file in Drivers directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\DRIVERS\VBoxSup.sys	MsiExec.exe
File opened for modification	C:\Windows\system32\DRIVERS\SET5581.tmp	MsiExec.exe
File created	C:\Windows\system32\DRIVERS\SET5581.tmp	MsiExec.exe
File opened for modification	C:\Windows\system32\DRIVERS\VBoxUSBMon.sys	MsiExec.exe
File opened for modification	C:\Windows\system32\DRIVERS\SET517A.tmp	MsiExec.exe
File created	C:\Windows\system32\DRIVERS\SET517A.tmp	MsiExec.exe

Blocklisted process makes network request 1 IoCs

flow	pid	Process
7	2612	msiexec.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\Y:	VirtualBox-7.0.18-162988-Win.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\B:	VirtualBox-7.0.18-162988-Win.exe
File opened (read-only)	\??\I:	VirtualBox-7.0.18-162988-Win.exe
File opened (read-only)	\??\O:	VirtualBox-7.0.18-162988-Win.exe
File opened (read-only)	\??\T:	VirtualBox-7.0.18-162988-Win.exe
File opened (read-only)	\??\V:	VirtualBox-7.0.18-162988-Win.exe
File opened (read-only)	\??\A:	VirtualBox-7.0.18-162988-Win.exe
File opened (read-only)	\??\Z:	VirtualBox-7.0.18-162988-Win.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\Q:	VirtualBox-7.0.18-162988-Win.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\H:	VirtualBox-7.0.18-162988-Win.exe
File opened (read-only)	\??\J:	VirtualBox-7.0.18-162988-Win.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\G:	VirtualBox-7.0.18-162988-Win.exe
File opened (read-only)	\??\L:	VirtualBox-7.0.18-162988-Win.exe
File opened (read-only)	\??\X:	VirtualBox-7.0.18-162988-Win.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\K:	VirtualBox-7.0.18-162988-Win.exe
File opened (read-only)	\??\P:	VirtualBox-7.0.18-162988-Win.exe
File opened (read-only)	\??\W:	VirtualBox-7.0.18-162988-Win.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\M:	VirtualBox-7.0.18-162988-Win.exe
File opened (read-only)	\??\N:	VirtualBox-7.0.18-162988-Win.exe
File opened (read-only)	\??\R:	VirtualBox-7.0.18-162988-Win.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\E:	VirtualBox-7.0.18-162988-Win.exe
File opened (read-only)	\??\S:	VirtualBox-7.0.18-162988-Win.exe
File opened (read-only)	\??\U:	VirtualBox-7.0.18-162988-Win.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe

Drops file in System32 directory 18 IoCs

description	ioc	Process
File created	C:\Windows\system32\DRVSTORE\VBoxSup_90D0B24457308DEEFA47C280C7B27F2B2BDB34BB\VBoxSup.inf	MsiExec.exe
File created	C:\Windows\system32\DRVSTORE\VBoxSup_90D0B24457308DEEFA47C280C7B27F2B2BDB34BB\VBoxSup.cat	MsiExec.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{4771c272-0893-7392-5270-4b2459731322}\SET5773.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{4771c272-0893-7392-5270-4b2459731322}\VBoxUSB.cat	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{4771c272-0893-7392-5270-4b2459731322}\SET5784.tmp	DrvInst.exe
File created	C:\Windows\system32\DRVSTORE\VBoxUSBMon_A05F836B5B04FCBAEEDF1BC307B4FF38E378C0C3\VBoxUSBMon.sys	MsiExec.exe
File created	C:\Windows\System32\DriverStore\Temp\{4771c272-0893-7392-5270-4b2459731322}\SET5773.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{4771c272-0893-7392-5270-4b2459731322}\SET5784.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{4771c272-0893-7392-5270-4b2459731322}\SET5785.tmp	DrvInst.exe
File created	C:\Windows\system32\DRVSTORE\VBoxSup_90D0B24457308DEEFA47C280C7B27F2B2BDB34BB\VBoxSup.sys	MsiExec.exe
File opened for modification	C:\Windows\System32\CatRoot2\dberr.txt	MsiExec.exe
File created	C:\Windows\system32\DRVSTORE\VBoxUSBMon_A05F836B5B04FCBAEEDF1BC307B4FF38E378C0C3\VBoxUSBMon.inf	MsiExec.exe
File created	C:\Windows\system32\DRVSTORE\VBoxUSBMon_A05F836B5B04FCBAEEDF1BC307B4FF38E378C0C3\VBoxUSBMon.cat	MsiExec.exe
File created	C:\Windows\System32\DriverStore\Temp\{4771c272-0893-7392-5270-4b2459731322}\SET5785.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{4771c272-0893-7392-5270-4b2459731322}\VBoxUSB.sys	DrvInst.exe
File opened for modification	C:\Windows\system32\DRVSTORE	MsiExec.exe
File opened for modification	C:\Windows\system32\DRVSTORE\VBoxSup_90D0B24457308DEEFA47C280C7B27F2B2BDB34BB\VBoxSup.inf	MsiExec.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{4771c272-0893-7392-5270-4b2459731322}\VBoxUSB.inf	DrvInst.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Oracle\VirtualBox\VBoxLibSsh.dll	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\drivers\vboxsup\VBoxSup.sys	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\drivers\USB\filter\VBoxUSBMon.sys	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\sdk\install\vboxapi\VirtualBox_constants.py	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\nls\qt_es.qm	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\nls\qt_nl.qm	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\platforms\qwindows.dll	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\VBoxGuestAdditions.iso	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\drivers\USB\filter\VBoxUSBMon.cat	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\VirtualBox_150px.png	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\VirtualBox_70px.png	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\nls\VirtualBox_tr.qm	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\nls\qt_bg.qm	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\UICommon.dll	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\drivers\network\netadp6\VBoxNetAdp6.inf	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\nls\VirtualBox_da.qm	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\UnattendedTemplates\ol9_ks.cfg	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\x86\VBoxClient-x86.dll	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\doc\UserManual.pdf	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\VirtualBox.exe	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\nls\VirtualBox_de.qm	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\nls\VirtualBox_el.qm	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\nls\VirtualBox_hr_HR.qm	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\nls\VirtualBox_lt.qm	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\drivers\network\netadp6\VBoxNetAdp6.cat	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\x86\VBoxProxyStub-x86.dll	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\nls\VirtualBox_ru.qm	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\VBoxGuestControlSvc.dll	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\nls\VirtualBox_pt_BR.qm	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\nls\qt_ja.qm	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\VBoxWebSrv.exe	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\nls\VirtualBox_sk.qm	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\VirtualBoxVM.exe	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\nls\VirtualBox_eu.qm	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\nls\qt_ka.qm	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\nls\qt_zh_TW.qm	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\UnattendedTemplates\rhel3_ks.cfg	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\drivers\vboxsup\VBoxSup.inf	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\drivers\USB\device\VBoxUSB.cat	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\VBoxNetDHCP.exe	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\drivers\network\netlwf\VBoxNetLwf.inf	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\drivers\network\netlwf\VBoxNetLwf.cat	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\VBoxSupLib.dll	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\drivers\USB\device\VBoxUSB.inf	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\UnattendedTemplates\debian_postinstall.sh	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\VBoxBugReport.exe	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\x86\VBoxRT-x86.dll	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\nls\VirtualBox_cs.qm	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\nls\VirtualBox_en.qm	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\UnattendedTemplates\os2_cid_install.cmd	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\VBoxHeadless.dll	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\VBoxHostChannel.dll	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\VBoxTestOGL.exe	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\nls\qt_it.qm	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\nls\qt_sk.qm	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\nls\qt_th.qm	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\UnattendedTemplates\ol_ks.cfg	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\UnattendedTemplates\redhat67_ks.cfg	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\DbgPlugInDiggers.dll	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\VBoxExtPackHelperApp.exe	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\platforms\qoffscreen.dll	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\VBoxDTrace.exe	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\VBoxManage.exe	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\UnattendedTemplates\fedora_ks.cfg	msiexec.exe

Drops file in Windows directory 23 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\MSI50AD.tmp	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.app.log	MsiExec.exe
File opened for modification	C:\Windows\Installer\MSI53F8.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI40DC.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI4207.tmp	msiexec.exe
File created	C:\Windows\Installer\f773959.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI48CE.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI491D.tmp	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	MsiExec.exe
File opened for modification	C:\Windows\INF\setupapi.ev1	DrvInst.exe
File created	C:\Windows\Installer\f773958.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI3FF0.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI436E.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI56D6.tmp	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.ev3	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\Installer\MSI404F.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI413B.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\f773958.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI3EA8.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI440B.tmp	msiexec.exe

Loads dropped DLL 18 IoCs

pid	Process
1724	MsiExec.exe
1724	MsiExec.exe
1724	MsiExec.exe
1724	MsiExec.exe
1724	MsiExec.exe
1724	MsiExec.exe
1920	MsiExec.exe
1920	MsiExec.exe
1920	MsiExec.exe
1920	MsiExec.exe
1928	MsiExec.exe
1920	MsiExec.exe
1920	MsiExec.exe
1640	MsiExec.exe
1640	MsiExec.exe
1640	MsiExec.exe
1640	MsiExec.exe
1640	MsiExec.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPublisher	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{4E77131D-3629-431C-9818-C5679DC83E81} {0C6C4200-C589-11D0-999A-00C04FD655E1} 0xFFFF = 010000000000000060be64c965d0da01	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPublisher	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	rundll32.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{99FD978C-D287-4F50-827F-B2C658EDA8E7} {0C6C4200-C589-11D0-999A-00C04FD655E1} 0xFFFF = 0100000000000000a0fb5fc965d0da01	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AB5C5600-7E6E-4B06-9197-9ECEF74D31CC} {0C6C4200-C589-11D0-999A-00C04FD655E1} 0xFFFF = 010000000000000060be64c965d0da01	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	MsiExec.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	DrvInst.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	rundll32.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{08244EE6-92F0-47F2-9FC9-929BAA2E7235} {0C6C4200-C589-11D0-999A-00C04FD655E1} 0xFFFF = 010000000000000060be64c965d0da01	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	MsiExec.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{D9144DCD-E998-4ECA-AB6A-DCD83CCBA16D} {0C6C4200-C589-11D0-999A-00C04FD655E1} 0xFFFF = 0100000000000000a0fb5fc965d0da01	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	DrvInst.exe

Modifies system certificate store 2 TTPs 9 IoCs

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa62000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	VirtualBox-7.0.18-162988-Win.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d43190000000100000010000000749966cecc95c1874194ca7203f9b6202000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	VirtualBox-7.0.18-162988-Win.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\A2F9C670FAF5B654641E0989AD30165D480B0D4F	VirtualBox-7.0.18-162988-Win.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\A2F9C670FAF5B654641E0989AD30165D480B0D4F\Blob = 030000000100000014000000a2f9c670faf5b654641e0989ad30165d480b0d4f2000000001000000430600003082063f30820427a00302010202141834630ee20ad1c97d81495caf0907822bba0071300d06092a864886f70d010105050030819a310b30090603550406130244453110300e06035504080c0742617661726961310f300d06035504070c064d756e69636831293027060355040a0c204f7261636c6520446575747363686c616e6420422e562e202620436f2e204b47313d303b06035504030c345669727475616c426f7820666f72204c65676163792057696e646f7773204f6e6c792054696d657374616d702043412053484131301e170d3130303130313030303030305a170d3337313233313233353935395a30819a310b30090603550406130244453110300e06035504080c0742617661726961310f300d06035504070c064d756e69636831293027060355040a0c204f7261636c6520446575747363686c616e6420422e562e202620436f2e204b47313d303b06035504030c345669727475616c426f7820666f72204c65676163792057696e646f7773204f6e6c792054696d657374616d70204341205348413130820222300d06092a864886f70d01010105000382020f003082020a0282020100eb2b2b32449d3ac8cd6ea98e9c3e43bd55973e96f546bedb5c770345493699ee661b27fab66c57c106d1cdc4676f6e25629cd9bd04226544c306f068e7b23a0c4dffca31a9b61cf104a11cda08648e29369f704ed3289f728b61e06c842e4edac6b798e1ca28647d3967f9dafc847d0f6ef7192c1973ea4b7b98d01bd8a82876d248e35ac69074932df4f8903d0536c3c8792ba3e7b4cfe34a231f8b06cfd78eeda189cadfcf3788198b12cbf61b90b909f86f8d2975be4795d8481356cd68be81b938f3daa6157fd4c56f0af7559e948351f23eb7edd1b21bf6b56d569db644e918b2bb8b1ca827ebaabbf34a9354dd5b844048295b44955112463eb6dee03fb94ce61e86f17056e2553d5ad743fbe20f5271851b4414a774b4234f1f5ed7f3ae7f0b01ee6dfe87a9b28ec96b1373c4c4c3bf401d0d56d60a5702213506703d6cb8a98e989023072b3a7691a3fceabc3cdb9b4edf2cb95859d0b9b6e7b70f14ee6b791b88a7bae8bde38c8dd7e4d08405c2b687984306e1758cdb4e3d7d7aba8866f5d8ccf79bcc96314473e291946ca0a37324d30d5884e5fd51f782e5b455d4d8554ac19b054e96ee2fc5846c866b6ba7fd06388fa3cf58142ec938f8c6d4cf0d375d9851eedd9c26e39f3e318145800d8f61442b6fff479eb1b9d692d82b3fc76c07bc3fdfbabcba9c7c07e419ffa373383d9ade010a96ec8fcb6731f35f0203010001a37b307930130603551d25040c300a06082b06010505070308301d0603551d0e04160414f116993ca2d97cd4756acf02af9febdfe731993e301f0603551d23041830168014f116993ca2d97cd4756acf02af9febdfe731993e30120603551d130101ff040830060101ff020100300e0603551d0f0101ff040403020106300d06092a864886f70d010105050003820201000cb7dbfa07f92940dae81f341ee5c7d5b1a5b49b3399d5f4bc4bea0ee60607eacaf9ae1bf5101b0cbf5262b08b6121fa4f6a8a823291ea8cef7f1767bfe7675d70bc6320e877c04f87021d338210930870e23ceab922b472b1abb66e8878620dfb07d3f496d66da89ac6964ae4d996f477ed586fabb590d2b190871747dcc89a8c337848a554309f363d875a8fe4c37e4a0f86350bc3f47751555af75e83c7310dbb23d17bff06900b405c794042115891400585fb60d0de9939d556f5b1ab7c998f2e79b7749b5f9a21e26c845bb5eacfd15e1238193d94e2707d6cc0e12cfc607efe4f668cd4089fdb59365961cf982479b71ff59e84e98e46b368b85d9fbf42ef151e37da25fbcfc7f187531e25499d9025c9dbca99818019af64eafbfd6990ba62c700e2119db6507fa482d3799843f971c13db473752a4647959fad6936e63386a261704137b120578384ce52f068ff00f4c2e91f395cda4fd95ae527fe01a95325b78923e18b5245e070a0c1991f010a54c7c6dbcf0b5ea2502260d1648a3aa75bfed9110011c6edf049994ba6c63525a09d2a16bed8ff04d08e196f257c7dc4ae85542299db8f238c76d6aa16a7d3e9a788bac56ec7146fb8fd443810e59a96b77f3f9eedf4e8c2187c94171eeb708c28b1565049a8509a87401f392adeabf11b148584fe35ecaff93cdbcfc9a4047c7188abf7b78b76fbefeed4c7b3	VirtualBox-7.0.18-162988-Win.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\A2F9C670FAF5B654641E0989AD30165D480B0D4F\Blob = 140000000100000014000000f116993ca2d97cd4756acf02af9febdfe731993e030000000100000014000000a2f9c670faf5b654641e0989ad30165d480b0d4f0f00000001000000140000006135597bf3e5090eda793e29a604b1e4995f132d2000000001000000430600003082063f30820427a00302010202141834630ee20ad1c97d81495caf0907822bba0071300d06092a864886f70d010105050030819a310b30090603550406130244453110300e06035504080c0742617661726961310f300d06035504070c064d756e69636831293027060355040a0c204f7261636c6520446575747363686c616e6420422e562e202620436f2e204b47313d303b06035504030c345669727475616c426f7820666f72204c65676163792057696e646f7773204f6e6c792054696d657374616d702043412053484131301e170d3130303130313030303030305a170d3337313233313233353935395a30819a310b30090603550406130244453110300e06035504080c0742617661726961310f300d06035504070c064d756e69636831293027060355040a0c204f7261636c6520446575747363686c616e6420422e562e202620436f2e204b47313d303b06035504030c345669727475616c426f7820666f72204c65676163792057696e646f7773204f6e6c792054696d657374616d70204341205348413130820222300d06092a864886f70d01010105000382020f003082020a0282020100eb2b2b32449d3ac8cd6ea98e9c3e43bd55973e96f546bedb5c770345493699ee661b27fab66c57c106d1cdc4676f6e25629cd9bd04226544c306f068e7b23a0c4dffca31a9b61cf104a11cda08648e29369f704ed3289f728b61e06c842e4edac6b798e1ca28647d3967f9dafc847d0f6ef7192c1973ea4b7b98d01bd8a82876d248e35ac69074932df4f8903d0536c3c8792ba3e7b4cfe34a231f8b06cfd78eeda189cadfcf3788198b12cbf61b90b909f86f8d2975be4795d8481356cd68be81b938f3daa6157fd4c56f0af7559e948351f23eb7edd1b21bf6b56d569db644e918b2bb8b1ca827ebaabbf34a9354dd5b844048295b44955112463eb6dee03fb94ce61e86f17056e2553d5ad743fbe20f5271851b4414a774b4234f1f5ed7f3ae7f0b01ee6dfe87a9b28ec96b1373c4c4c3bf401d0d56d60a5702213506703d6cb8a98e989023072b3a7691a3fceabc3cdb9b4edf2cb95859d0b9b6e7b70f14ee6b791b88a7bae8bde38c8dd7e4d08405c2b687984306e1758cdb4e3d7d7aba8866f5d8ccf79bcc96314473e291946ca0a37324d30d5884e5fd51f782e5b455d4d8554ac19b054e96ee2fc5846c866b6ba7fd06388fa3cf58142ec938f8c6d4cf0d375d9851eedd9c26e39f3e318145800d8f61442b6fff479eb1b9d692d82b3fc76c07bc3fdfbabcba9c7c07e419ffa373383d9ade010a96ec8fcb6731f35f0203010001a37b307930130603551d25040c300a06082b06010505070308301d0603551d0e04160414f116993ca2d97cd4756acf02af9febdfe731993e301f0603551d23041830168014f116993ca2d97cd4756acf02af9febdfe731993e30120603551d130101ff040830060101ff020100300e0603551d0f0101ff040403020106300d06092a864886f70d010105050003820201000cb7dbfa07f92940dae81f341ee5c7d5b1a5b49b3399d5f4bc4bea0ee60607eacaf9ae1bf5101b0cbf5262b08b6121fa4f6a8a823291ea8cef7f1767bfe7675d70bc6320e877c04f87021d338210930870e23ceab922b472b1abb66e8878620dfb07d3f496d66da89ac6964ae4d996f477ed586fabb590d2b190871747dcc89a8c337848a554309f363d875a8fe4c37e4a0f86350bc3f47751555af75e83c7310dbb23d17bff06900b405c794042115891400585fb60d0de9939d556f5b1ab7c998f2e79b7749b5f9a21e26c845bb5eacfd15e1238193d94e2707d6cc0e12cfc607efe4f668cd4089fdb59365961cf982479b71ff59e84e98e46b368b85d9fbf42ef151e37da25fbcfc7f187531e25499d9025c9dbca99818019af64eafbfd6990ba62c700e2119db6507fa482d3799843f971c13db473752a4647959fad6936e63386a261704137b120578384ce52f068ff00f4c2e91f395cda4fd95ae527fe01a95325b78923e18b5245e070a0c1991f010a54c7c6dbcf0b5ea2502260d1648a3aa75bfed9110011c6edf049994ba6c63525a09d2a16bed8ff04d08e196f257c7dc4ae85542299db8f238c76d6aa16a7d3e9a788bac56ec7146fb8fd443810e59a96b77f3f9eedf4e8c2187c94171eeb708c28b1565049a8509a87401f392adeabf11b148584fe35ecaff93cdbcfc9a4047c7188abf7b78b76fbefeed4c7b3	VirtualBox-7.0.18-162988-Win.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\A2F9C670FAF5B654641E0989AD30165D480B0D4F\Blob = 19000000010000001000000015a6a7f09e2304a29823e91ef5af979d0f00000001000000140000006135597bf3e5090eda793e29a604b1e4995f132d030000000100000014000000a2f9c670faf5b654641e0989ad30165d480b0d4f140000000100000014000000f116993ca2d97cd4756acf02af9febdfe731993e2000000001000000430600003082063f30820427a00302010202141834630ee20ad1c97d81495caf0907822bba0071300d06092a864886f70d010105050030819a310b30090603550406130244453110300e06035504080c0742617661726961310f300d06035504070c064d756e69636831293027060355040a0c204f7261636c6520446575747363686c616e6420422e562e202620436f2e204b47313d303b06035504030c345669727475616c426f7820666f72204c65676163792057696e646f7773204f6e6c792054696d657374616d702043412053484131301e170d3130303130313030303030305a170d3337313233313233353935395a30819a310b30090603550406130244453110300e06035504080c0742617661726961310f300d06035504070c064d756e69636831293027060355040a0c204f7261636c6520446575747363686c616e6420422e562e202620436f2e204b47313d303b06035504030c345669727475616c426f7820666f72204c65676163792057696e646f7773204f6e6c792054696d657374616d70204341205348413130820222300d06092a864886f70d01010105000382020f003082020a0282020100eb2b2b32449d3ac8cd6ea98e9c3e43bd55973e96f546bedb5c770345493699ee661b27fab66c57c106d1cdc4676f6e25629cd9bd04226544c306f068e7b23a0c4dffca31a9b61cf104a11cda08648e29369f704ed3289f728b61e06c842e4edac6b798e1ca28647d3967f9dafc847d0f6ef7192c1973ea4b7b98d01bd8a82876d248e35ac69074932df4f8903d0536c3c8792ba3e7b4cfe34a231f8b06cfd78eeda189cadfcf3788198b12cbf61b90b909f86f8d2975be4795d8481356cd68be81b938f3daa6157fd4c56f0af7559e948351f23eb7edd1b21bf6b56d569db644e918b2bb8b1ca827ebaabbf34a9354dd5b844048295b44955112463eb6dee03fb94ce61e86f17056e2553d5ad743fbe20f5271851b4414a774b4234f1f5ed7f3ae7f0b01ee6dfe87a9b28ec96b1373c4c4c3bf401d0d56d60a5702213506703d6cb8a98e989023072b3a7691a3fceabc3cdb9b4edf2cb95859d0b9b6e7b70f14ee6b791b88a7bae8bde38c8dd7e4d08405c2b687984306e1758cdb4e3d7d7aba8866f5d8ccf79bcc96314473e291946ca0a37324d30d5884e5fd51f782e5b455d4d8554ac19b054e96ee2fc5846c866b6ba7fd06388fa3cf58142ec938f8c6d4cf0d375d9851eedd9c26e39f3e318145800d8f61442b6fff479eb1b9d692d82b3fc76c07bc3fdfbabcba9c7c07e419ffa373383d9ade010a96ec8fcb6731f35f0203010001a37b307930130603551d25040c300a06082b06010505070308301d0603551d0e04160414f116993ca2d97cd4756acf02af9febdfe731993e301f0603551d23041830168014f116993ca2d97cd4756acf02af9febdfe731993e30120603551d130101ff040830060101ff020100300e0603551d0f0101ff040403020106300d06092a864886f70d010105050003820201000cb7dbfa07f92940dae81f341ee5c7d5b1a5b49b3399d5f4bc4bea0ee60607eacaf9ae1bf5101b0cbf5262b08b6121fa4f6a8a823291ea8cef7f1767bfe7675d70bc6320e877c04f87021d338210930870e23ceab922b472b1abb66e8878620dfb07d3f496d66da89ac6964ae4d996f477ed586fabb590d2b190871747dcc89a8c337848a554309f363d875a8fe4c37e4a0f86350bc3f47751555af75e83c7310dbb23d17bff06900b405c794042115891400585fb60d0de9939d556f5b1ab7c998f2e79b7749b5f9a21e26c845bb5eacfd15e1238193d94e2707d6cc0e12cfc607efe4f668cd4089fdb59365961cf982479b71ff59e84e98e46b368b85d9fbf42ef151e37da25fbcfc7f187531e25499d9025c9dbca99818019af64eafbfd6990ba62c700e2119db6507fa482d3799843f971c13db473752a4647959fad6936e63386a261704137b120578384ce52f068ff00f4c2e91f395cda4fd95ae527fe01a95325b78923e18b5245e070a0c1991f010a54c7c6dbcf0b5ea2502260d1648a3aa75bfed9110011c6edf049994ba6c63525a09d2a16bed8ff04d08e196f257c7dc4ae85542299db8f238c76d6aa16a7d3e9a788bac56ec7146fb8fd443810e59a96b77f3f9eedf4e8c2187c94171eeb708c28b1565049a8509a87401f392adeabf11b148584fe35ecaff93cdbcfc9a4047c7188abf7b78b76fbefeed4c7b3	VirtualBox-7.0.18-162988-Win.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\A2F9C670FAF5B654641E0989AD30165D480B0D4F\Blob = 0f00000001000000140000006135597bf3e5090eda793e29a604b1e4995f132d030000000100000014000000a2f9c670faf5b654641e0989ad30165d480b0d4f2000000001000000430600003082063f30820427a00302010202141834630ee20ad1c97d81495caf0907822bba0071300d06092a864886f70d010105050030819a310b30090603550406130244453110300e06035504080c0742617661726961310f300d06035504070c064d756e69636831293027060355040a0c204f7261636c6520446575747363686c616e6420422e562e202620436f2e204b47313d303b06035504030c345669727475616c426f7820666f72204c65676163792057696e646f7773204f6e6c792054696d657374616d702043412053484131301e170d3130303130313030303030305a170d3337313233313233353935395a30819a310b30090603550406130244453110300e06035504080c0742617661726961310f300d06035504070c064d756e69636831293027060355040a0c204f7261636c6520446575747363686c616e6420422e562e202620436f2e204b47313d303b06035504030c345669727475616c426f7820666f72204c65676163792057696e646f7773204f6e6c792054696d657374616d70204341205348413130820222300d06092a864886f70d01010105000382020f003082020a0282020100eb2b2b32449d3ac8cd6ea98e9c3e43bd55973e96f546bedb5c770345493699ee661b27fab66c57c106d1cdc4676f6e25629cd9bd04226544c306f068e7b23a0c4dffca31a9b61cf104a11cda08648e29369f704ed3289f728b61e06c842e4edac6b798e1ca28647d3967f9dafc847d0f6ef7192c1973ea4b7b98d01bd8a82876d248e35ac69074932df4f8903d0536c3c8792ba3e7b4cfe34a231f8b06cfd78eeda189cadfcf3788198b12cbf61b90b909f86f8d2975be4795d8481356cd68be81b938f3daa6157fd4c56f0af7559e948351f23eb7edd1b21bf6b56d569db644e918b2bb8b1ca827ebaabbf34a9354dd5b844048295b44955112463eb6dee03fb94ce61e86f17056e2553d5ad743fbe20f5271851b4414a774b4234f1f5ed7f3ae7f0b01ee6dfe87a9b28ec96b1373c4c4c3bf401d0d56d60a5702213506703d6cb8a98e989023072b3a7691a3fceabc3cdb9b4edf2cb95859d0b9b6e7b70f14ee6b791b88a7bae8bde38c8dd7e4d08405c2b687984306e1758cdb4e3d7d7aba8866f5d8ccf79bcc96314473e291946ca0a37324d30d5884e5fd51f782e5b455d4d8554ac19b054e96ee2fc5846c866b6ba7fd06388fa3cf58142ec938f8c6d4cf0d375d9851eedd9c26e39f3e318145800d8f61442b6fff479eb1b9d692d82b3fc76c07bc3fdfbabcba9c7c07e419ffa373383d9ade010a96ec8fcb6731f35f0203010001a37b307930130603551d25040c300a06082b06010505070308301d0603551d0e04160414f116993ca2d97cd4756acf02af9febdfe731993e301f0603551d23041830168014f116993ca2d97cd4756acf02af9febdfe731993e30120603551d130101ff040830060101ff020100300e0603551d0f0101ff040403020106300d06092a864886f70d010105050003820201000cb7dbfa07f92940dae81f341ee5c7d5b1a5b49b3399d5f4bc4bea0ee60607eacaf9ae1bf5101b0cbf5262b08b6121fa4f6a8a823291ea8cef7f1767bfe7675d70bc6320e877c04f87021d338210930870e23ceab922b472b1abb66e8878620dfb07d3f496d66da89ac6964ae4d996f477ed586fabb590d2b190871747dcc89a8c337848a554309f363d875a8fe4c37e4a0f86350bc3f47751555af75e83c7310dbb23d17bff06900b405c794042115891400585fb60d0de9939d556f5b1ab7c998f2e79b7749b5f9a21e26c845bb5eacfd15e1238193d94e2707d6cc0e12cfc607efe4f668cd4089fdb59365961cf982479b71ff59e84e98e46b368b85d9fbf42ef151e37da25fbcfc7f187531e25499d9025c9dbca99818019af64eafbfd6990ba62c700e2119db6507fa482d3799843f971c13db473752a4647959fad6936e63386a261704137b120578384ce52f068ff00f4c2e91f395cda4fd95ae527fe01a95325b78923e18b5245e070a0c1991f010a54c7c6dbcf0b5ea2502260d1648a3aa75bfed9110011c6edf049994ba6c63525a09d2a16bed8ff04d08e196f257c7dc4ae85542299db8f238c76d6aa16a7d3e9a788bac56ec7146fb8fd443810e59a96b77f3f9eedf4e8c2187c94171eeb708c28b1565049a8509a87401f392adeabf11b148584fe35ecaff93cdbcfc9a4047c7188abf7b78b76fbefeed4c7b3	VirtualBox-7.0.18-162988-Win.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43	VirtualBox-7.0.18-162988-Win.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 0f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d432000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	VirtualBox-7.0.18-162988-Win.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2612	msiexec.exe
2612	msiexec.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
2252	VirtualBox-7.0.18-162988-Win.exe
2704	rundll32.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
480	Process not Found
480	Process not Found

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2252	VirtualBox-7.0.18-162988-Win.exe
Token: SeIncreaseQuotaPrivilege	2252	VirtualBox-7.0.18-162988-Win.exe
Token: SeRestorePrivilege	2612	msiexec.exe
Token: SeTakeOwnershipPrivilege	2612	msiexec.exe
Token: SeSecurityPrivilege	2612	msiexec.exe
Token: SeCreateTokenPrivilege	2252	VirtualBox-7.0.18-162988-Win.exe
Token: SeAssignPrimaryTokenPrivilege	2252	VirtualBox-7.0.18-162988-Win.exe
Token: SeLockMemoryPrivilege	2252	VirtualBox-7.0.18-162988-Win.exe
Token: SeIncreaseQuotaPrivilege	2252	VirtualBox-7.0.18-162988-Win.exe
Token: SeMachineAccountPrivilege	2252	VirtualBox-7.0.18-162988-Win.exe
Token: SeTcbPrivilege	2252	VirtualBox-7.0.18-162988-Win.exe
Token: SeSecurityPrivilege	2252	VirtualBox-7.0.18-162988-Win.exe
Token: SeTakeOwnershipPrivilege	2252	VirtualBox-7.0.18-162988-Win.exe
Token: SeLoadDriverPrivilege	2252	VirtualBox-7.0.18-162988-Win.exe
Token: SeSystemProfilePrivilege	2252	VirtualBox-7.0.18-162988-Win.exe
Token: SeSystemtimePrivilege	2252	VirtualBox-7.0.18-162988-Win.exe
Token: SeProfSingleProcessPrivilege	2252	VirtualBox-7.0.18-162988-Win.exe
Token: SeIncBasePriorityPrivilege	2252	VirtualBox-7.0.18-162988-Win.exe
Token: SeCreatePagefilePrivilege	2252	VirtualBox-7.0.18-162988-Win.exe
Token: SeCreatePermanentPrivilege	2252	VirtualBox-7.0.18-162988-Win.exe
Token: SeBackupPrivilege	2252	VirtualBox-7.0.18-162988-Win.exe
Token: SeRestorePrivilege	2252	VirtualBox-7.0.18-162988-Win.exe
Token: SeShutdownPrivilege	2252	VirtualBox-7.0.18-162988-Win.exe
Token: SeDebugPrivilege	2252	VirtualBox-7.0.18-162988-Win.exe
Token: SeAuditPrivilege	2252	VirtualBox-7.0.18-162988-Win.exe
Token: SeSystemEnvironmentPrivilege	2252	VirtualBox-7.0.18-162988-Win.exe
Token: SeChangeNotifyPrivilege	2252	VirtualBox-7.0.18-162988-Win.exe
Token: SeRemoteShutdownPrivilege	2252	VirtualBox-7.0.18-162988-Win.exe
Token: SeUndockPrivilege	2252	VirtualBox-7.0.18-162988-Win.exe
Token: SeSyncAgentPrivilege	2252	VirtualBox-7.0.18-162988-Win.exe
Token: SeEnableDelegationPrivilege	2252	VirtualBox-7.0.18-162988-Win.exe
Token: SeManageVolumePrivilege	2252	VirtualBox-7.0.18-162988-Win.exe
Token: SeImpersonatePrivilege	2252	VirtualBox-7.0.18-162988-Win.exe
Token: SeCreateGlobalPrivilege	2252	VirtualBox-7.0.18-162988-Win.exe
Token: SeCreateTokenPrivilege	2252	VirtualBox-7.0.18-162988-Win.exe
Token: SeAssignPrimaryTokenPrivilege	2252	VirtualBox-7.0.18-162988-Win.exe
Token: SeLockMemoryPrivilege	2252	VirtualBox-7.0.18-162988-Win.exe
Token: SeIncreaseQuotaPrivilege	2252	VirtualBox-7.0.18-162988-Win.exe
Token: SeMachineAccountPrivilege	2252	VirtualBox-7.0.18-162988-Win.exe
Token: SeTcbPrivilege	2252	VirtualBox-7.0.18-162988-Win.exe
Token: SeSecurityPrivilege	2252	VirtualBox-7.0.18-162988-Win.exe
Token: SeTakeOwnershipPrivilege	2252	VirtualBox-7.0.18-162988-Win.exe
Token: SeLoadDriverPrivilege	2252	VirtualBox-7.0.18-162988-Win.exe
Token: SeSystemProfilePrivilege	2252	VirtualBox-7.0.18-162988-Win.exe
Token: SeSystemtimePrivilege	2252	VirtualBox-7.0.18-162988-Win.exe
Token: SeProfSingleProcessPrivilege	2252	VirtualBox-7.0.18-162988-Win.exe
Token: SeIncBasePriorityPrivilege	2252	VirtualBox-7.0.18-162988-Win.exe
Token: SeCreatePagefilePrivilege	2252	VirtualBox-7.0.18-162988-Win.exe
Token: SeCreatePermanentPrivilege	2252	VirtualBox-7.0.18-162988-Win.exe
Token: SeBackupPrivilege	2252	VirtualBox-7.0.18-162988-Win.exe
Token: SeRestorePrivilege	2252	VirtualBox-7.0.18-162988-Win.exe
Token: SeShutdownPrivilege	2252	VirtualBox-7.0.18-162988-Win.exe
Token: SeDebugPrivilege	2252	VirtualBox-7.0.18-162988-Win.exe
Token: SeAuditPrivilege	2252	VirtualBox-7.0.18-162988-Win.exe
Token: SeSystemEnvironmentPrivilege	2252	VirtualBox-7.0.18-162988-Win.exe
Token: SeChangeNotifyPrivilege	2252	VirtualBox-7.0.18-162988-Win.exe
Token: SeRemoteShutdownPrivilege	2252	VirtualBox-7.0.18-162988-Win.exe
Token: SeUndockPrivilege	2252	VirtualBox-7.0.18-162988-Win.exe
Token: SeSyncAgentPrivilege	2252	VirtualBox-7.0.18-162988-Win.exe
Token: SeEnableDelegationPrivilege	2252	VirtualBox-7.0.18-162988-Win.exe
Token: SeManageVolumePrivilege	2252	VirtualBox-7.0.18-162988-Win.exe
Token: SeImpersonatePrivilege	2252	VirtualBox-7.0.18-162988-Win.exe
Token: SeCreateGlobalPrivilege	2252	VirtualBox-7.0.18-162988-Win.exe
Token: SeCreateTokenPrivilege	2252	VirtualBox-7.0.18-162988-Win.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2252	VirtualBox-7.0.18-162988-Win.exe

Suspicious use of WriteProcessMemory 25 IoCs

description	pid	Process	procid_target
PID 2612 wrote to memory of 1724	2612	msiexec.exe	29
PID 2612 wrote to memory of 1724	2612	msiexec.exe	29
PID 2612 wrote to memory of 1724	2612	msiexec.exe	29
PID 2612 wrote to memory of 1724	2612	msiexec.exe	29
PID 2612 wrote to memory of 1724	2612	msiexec.exe	29
PID 2612 wrote to memory of 1920	2612	msiexec.exe	35
PID 2612 wrote to memory of 1920	2612	msiexec.exe	35
PID 2612 wrote to memory of 1920	2612	msiexec.exe	35
PID 2612 wrote to memory of 1920	2612	msiexec.exe	35
PID 2612 wrote to memory of 1920	2612	msiexec.exe	35
PID 2612 wrote to memory of 1928	2612	msiexec.exe	36
PID 2612 wrote to memory of 1928	2612	msiexec.exe	36
PID 2612 wrote to memory of 1928	2612	msiexec.exe	36
PID 2612 wrote to memory of 1928	2612	msiexec.exe	36
PID 2612 wrote to memory of 1928	2612	msiexec.exe	36
PID 2612 wrote to memory of 1928	2612	msiexec.exe	36
PID 2612 wrote to memory of 1928	2612	msiexec.exe	36
PID 2612 wrote to memory of 1640	2612	msiexec.exe	37
PID 2612 wrote to memory of 1640	2612	msiexec.exe	37
PID 2612 wrote to memory of 1640	2612	msiexec.exe	37
PID 2612 wrote to memory of 1640	2612	msiexec.exe	37
PID 2612 wrote to memory of 1640	2612	msiexec.exe	37
PID 112 wrote to memory of 2704	112	DrvInst.exe	39
PID 112 wrote to memory of 2704	112	DrvInst.exe	39
PID 112 wrote to memory of 2704	112	DrvInst.exe	39

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\VirtualBox-7.0.18-162988-Win.exe
"C:\Users\Admin\AppData\Local\Temp\VirtualBox-7.0.18-162988-Win.exe"
1⤵
- Enumerates connected drives
- Modifies system certificate store
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2252

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2612
- C:\Windows\system32\MsiExec.exe
  C:\Windows\system32\MsiExec.exe -Embedding A3A02729C2ADE1C0530574A486B21B17 C
  2⤵
  - Loads dropped DLL
  PID:1724
- C:\Windows\system32\MsiExec.exe
  C:\Windows\system32\MsiExec.exe -Embedding B6D5DDA4868C2927C1965AD92E81A5AD
  2⤵
  - Loads dropped DLL
  PID:1920
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 99A58A15DC385624B1CE0C01D4BAFC52
  2⤵
  - Loads dropped DLL
  PID:1928
- C:\Windows\system32\MsiExec.exe
  C:\Windows\system32\MsiExec.exe -Embedding 8AD04D12F1E8298FF3A7913146ABD085 M Global\MSI0000
  2⤵
  - Drops file in Drivers directory
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Loads dropped DLL
  - Modifies data under HKEY_USERS
  PID:1640

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:1188

C:\Windows\system32\DrvInst.exe
DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "0000000000000394" "00000000000005AC"
1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:872

C:\Windows\system32\DrvInst.exe
DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{3969afeb-cb28-049f-f1d0-9e5b89235f5a}\VBoxUSB.inf" "9" "66237d90b" "00000000000005B8" "WinSta0\Default" "00000000000005AC" "208" "C:\Program Files\Oracle\VirtualBox\drivers\USB\device"
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:112
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Windows\system32\pnpui.dll,InstallSecurityPromptRunDllW 20 Global\{520d6856-50fe-5f28-4d5d-df36a766bc65} Global\{06a05628-f956-5d57-5a78-e21aba16593a} C:\Windows\System32\DriverStore\Temp\{4771c272-0893-7392-5270-4b2459731322}\VBoxUSB.inf C:\Windows\System32\DriverStore\Temp\{4771c272-0893-7392-5270-4b2459731322}\VBoxUSB.cat
  2⤵
  - Modifies data under HKEY_USERS
  - Suspicious behavior: GetForegroundWindowSpam
  PID:2704

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~1\Oracle\VIRTUA~1\drivers\USB\device\VBoxUSB.sys

Filesize
184KB

MD5
1f50fa5bf6487796d2913e78ed8cb8b0

SHA1
8be143b0a7d6963e9ab911cfba9d3e4ec508f368

SHA256
d38854405d1b7e9602bc288e2db9b8492d82f14410b44f655f5505ba9e41aa90

SHA512
bfebbd90662901ea80a2f7eff4446c02bd0549f823b310908fc4e2e11b8cc370fc70a0da6945aa4335de81d61dd95980cd3a7bd58acdd06b015d5b4e163c6a29

Download Submit
C:\Program Files\Oracle\VirtualBox\drivers\USB\device\VBoxUSB.cat

Filesize
19KB

MD5
26e61131eb9dff89b0894fb56564735b

SHA1
69695c2502486ab804d8ac167e21a9cdb1d48146

SHA256
d3a81fb7ccfaab0914460fb75c831cd3a0af3137e7acac1b32736af83e50769b

SHA512
fe79e64c86cabaa230804af2ea1e599a3d7a497f8ef9431586dba22e855c90028b5cbc31251a93133a7c12b868872c72c3466bca73da2ae382e0e84f698e7726

Download Submit
C:\Program Files\Oracle\VirtualBox\drivers\USB\device\VBoxUSB.inf

Filesize
2KB

MD5
35806a0ffff129546450cdcaffafc06b

SHA1
11251df1fbe7ab027059768154077eb985cca790

SHA256
66a137a1a716e2d673666e74074b69b6f68f46072b359b4c17fee5055a3b98f3

SHA512
ac3d4a434b75b22d3334c9e7c6dd2be51e55d5439c78b8e05c83ce84da78016d111a95f3890f950de57431b03cfc136fce7563ef7931b3e1724ada6f19defc4d

Download Submit
C:\Program Files\Oracle\VirtualBox\drivers\USB\filter\VBoxUSBMon.cat

Filesize
19KB

MD5
b0e3b263b754279706ba68202722e4e4

SHA1
a05f836b5b04fcbaeedf1bc307b4ff38e378c0c3

SHA256
f2e0143ddb584d1c8b300cf483c6a3ed008dba1ad2319a8e956583e15c331706

SHA512
9aebc05a8acd2101a59a3bde21f1fc97a4953bbf51c18ead71f53cad65ee27320a8482bd045c7ea24f980752688e934998368dd2b11aaca4a6a4efce00b573a4

Download Submit
C:\Program Files\Oracle\VirtualBox\drivers\USB\filter\VBoxUSBMon.inf

Filesize
3KB

MD5
07bbbda4185e4ee2acc39cbbf3587d39

SHA1
690d99470d0611e5d4341f78d468354e24516b45

SHA256
4ca28bcb2f7a024df37830aa6314d2f6c0fc0ec6b46231a9255abb32a39502ac

SHA512
ed55425344f5158b0e5ad46228a223bfebd246df32ef628c177d514b8e3677c4e12ac4d64f5989329f6283cecf1a5f3a7f5516296ed0dbeec703cb71cc0985e4

Download Submit
C:\Program Files\Oracle\VirtualBox\drivers\USB\filter\VBoxUSBMon.sys

Filesize
199KB

MD5
6bc9768cdd545c056faeaa153e73c686

SHA1
8dbfeff04cb7a6a32f3f2a09fbbfaff31dd34792

SHA256
2e19d29e7e6b1d1a9093eb7f0bd2e2825ed08785d6042b90e3748f3d087e59c9

SHA512
7b4e293dd8c1e7cb466d71c5a2b98814ebc973d717e46fcf5e63dcde925d9905fd5ec87f729c1feace5baba74eef9a8a769b47e191df6651d1122432fb8e6739

Download Submit
C:\Program Files\Oracle\VirtualBox\drivers\vboxsup\VBoxSup.cat

Filesize
19KB

MD5
b703e14140f90296e49fd36ccd02b031

SHA1
90d0b24457308deefa47c280c7b27f2b2bdb34bb

SHA256
09c2c814130aa43b86da34517200e4ead6ebafb7188d7c0c17498e31913be8f8

SHA512
a606d9f1bd70e0dc5f009ab103f099a6242f37302f0253962241e7385bb4299e5ea7ee4defbb81049ac9748a461563b756fcd1918eb3c98086a221b564a0034b

Download Submit
C:\Program Files\Oracle\VirtualBox\drivers\vboxsup\VBoxSup.inf

Filesize
3KB

MD5
18344eb15d0a3efb7b72eb6e75b18811

SHA1
9f88f5eac5bb5e9a9b6894d1d78ee0887bd94dd8

SHA256
80e3772271bf6f6c35062e6e163d81392cfc65b837f638f2ca4808429909cd91

SHA512
10458bace0531bba2296bc50fd9e2dba339abb1e04ed8601f958472502552010fb8f5b58b6a351dd51245d056fa2abbf8ea176a21ae051e8e2a4bd3b314add90

Download Submit
C:\Program Files\Oracle\VirtualBox\drivers\vboxsup\VBoxSup.sys

Filesize
1.0MB

MD5
8dc26c500f411c68a1cbd2523fe85dfc

SHA1
c43446b2005130ad83579132c979def6841ff43f

SHA256
5eddb05714b93fcbf3d9dc9210f2e29a7d49d738fecb63f89021a2b17cebc382

SHA512
78974b608dc671eff7f1d7b31435d3bda4bb7897f8dd835b265cbf4d8a5f1367f1f7e09b387d1199046a44797bac5d180f488400a35d2946373b1f9fa576d0a4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB

Filesize
471B

MD5
ba47fa9dea8a71d1c63709b8aedf6470

SHA1
94832444a0942a1eb710b6ea14c32a88befa82bb

SHA256
6b98c3ade0aa3b40cf0b26ab2039c92ea513c1a5e8a09c3471d749a3e2450931

SHA512
384def7bfe5532d6e3151401b6e3bc847fcf29f4bceb7871756ffd2d58da1328c0bd322300401bf0ec7ef6d44697ca19b7eb6c43a8556e6fe655fed4b82da291

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EC9B1D0ABBD7F98B401D425828828CE_D2F6556190F7B1A25A117FFB5467EEBD

Filesize
727B

MD5
f0920817e695bf85896191695be66369

SHA1
34ac0ed680118f704e379e8e92dafbee3a7348a9

SHA256
cc458d27daa3c72449446a117646e8bbe8e416b7220b86f9575e37ed56ca34cf

SHA512
58080f2fee8b621af242e52f06e69b62a531cc22be8100156bf1dae3a67de3543b22b72599b2e0efe68575b3cc5a9d3fcd3038b219f82c3941b732710aba0a72

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141

Filesize
727B

MD5
92dedb354f34137e0b748c555e3a182b

SHA1
5dc92f07fad8701a42b0e25a5b0e6de3e67f3e52

SHA256
2aaaac91e9f217f59f423ea35e36154815ddd08fa4126aa4bfe8af66875d0060

SHA512
680434722d0d131504bebe7b09bd24b781f091f0b67c787e632f6d355e13da2ca91209ec43544764b48dd3898a559705b97f2d76066447a1b7370ffcfac1efd0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB

Filesize
400B

MD5
a03d4ccc026b90255bdae36552ea28c5

SHA1
1a0a2053f4b14e62b9c0f12a877cbd1f12fb3259

SHA256
1b381e4772894f11286ea519646b1ef6928db4064601b64a1db900e325553a2b

SHA512
e33d19b37beff1a1c4f8dbfe7a0c19da8c0fe33f146c1ff65cc077d72a63a062403599274b7d4f1176f664c27b53a1359a6601cf6945ffe4a22957f53e306870

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8EC9B1D0ABBD7F98B401D425828828CE_D2F6556190F7B1A25A117FFB5467EEBD

Filesize
412B

MD5
9aa6cfd638bbf55b8b9b145078c596b9

SHA1
d4efee83aadb64c17235c7b27be00c635990e6b3

SHA256
99bf80e5c4067d439fe43741b29bae52c563c13a31368a6add3c94bec207f998

SHA512
229508828321d8368530bcdd175ac235c30caae7c007e4c50cee6c036fd6fd11ee0522ea65fc342ed87f4680590b37b519b805faeccb64518877471d3b7a8bd0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
b77de091d44127e85ae3eeb1cd780df2

SHA1
fce7fbd3762e5a21720272169466fd7fc74f0199

SHA256
ac1b645019ab2f5245dae7dd23adb6dc9c7e04befc2652a494f8e08bcab3fec7

SHA512
cf3f376e1802e7d6ba1664d36652a09fdb4e3b3f17fc3fd225c06ff23f5ba84c6a2f847808a370aa1c3b951c8cc0517216408aa1c71fe8fc19e6defb2556936d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141

Filesize
412B

MD5
d36028dfce2e3d2e54f12c80bf7969e0

SHA1
a9b8bbbae84559c98901dbb199cd137fd99d925e

SHA256
16aefc5b23d587ac04998a16aec9d60c99600b064e274850cfd81f83186e1360

SHA512
1b150b486e8240ad859deaaf22ca5cd05565b43fcff79a254f5b022b61e0cecc174d99f1f63badc84d0132edc6ce12020ed7ab3c76cca2d13c1041811193350f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab2BF2.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab511E.tmp

Filesize
29KB

MD5
d59a6b36c5a94916241a3ead50222b6f

SHA1
e274e9486d318c383bc4b9812844ba56f0cff3c6

SHA256
a38d01d3f024e626d579cf052ac3bd4260bb00c34bc6085977a5f4135ab09b53

SHA512
17012307955fef045e7c13bf0613bd40df27c29778ba6572640b76c18d379e02dc478e855c9276737363d0ad09b9a94f2adaa85da9c77ebb3c2d427aa68e2489

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI2ED6.tmp

Filesize
324KB

MD5
d045098c42378ebe26f6da17977551ee

SHA1
80a93acee96419dd9c44d0d15d7518aea21f782a

SHA256
92b89b56400e8d01a813513ef8af685fb23adcaba49d7775853e650266b2f63a

SHA512
9e110110c6ec6aa43e64069744901c955ac90253a036b9837d2e0150c5da97cb8f927db4a36e9f289684c3b91724a4d93aa189a3fde9d06d07d62dd4b8c08a35

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar2C05.tmp

Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar5131.tmp

Filesize
81KB

MD5
b13f51572f55a2d31ed9f266d581e9ea

SHA1
7eef3111b878e159e520f34410ad87adecf0ca92

SHA256
725980edc240c928bec5a5f743fdabeee1692144da7091cf836dc7d0997cef15

SHA512
f437202723b2817f2fef64b53d4eb67f782bdc61884c0c1890b46deca7ca63313ee2ad093428481f94edfcecd9c77da6e72b604998f7d551af959dbd6915809c

Download Submit
C:\Windows\Installer\MSI413B.tmp

Filesize
234KB

MD5
8edc1557e9fc7f25f89ad384d01bcec4

SHA1
98e64d7f92b8254fe3f258e3238b9e0f033b5a9c

SHA256
78860e15e474cc2af7ad6e499a8971b6b8197afb8e49a1b9eaaa392e4378f3a5

SHA512
d26c9dce3c3d17583ffb5dbcd3989f93b096a7f64a37a2701a474c1bf4b8c8b1e922c352d33f24e411f1c793e1b4af11a3aec1de489087d481b1b636df2050cd

Download Submit
C:\Windows\Installer\MSI440B.tmp

Filesize
149KB

MD5
418322f7be2b68e88a93a048ac75a757

SHA1
09739792ff1c30f73dacafbe503630615922b561

SHA256
ea5d4b4c7e7be1ce24a614ae1e31a58bcae6f1694dd8bfb735cf47d35a08d59b

SHA512
253f62f5ce75df3e9ac3c62e2f06f30c7c6de6280fbfc830cdd15bf29cb8ee9ed878212f6df5d0ac6a5c9be0e6259f900eccee472a890f15dd3ff1f84958aeef

Download Submit
C:\Windows\Installer\MSI50AD.tmp

Filesize
690KB

MD5
8deb7d2f91c7392925718b3ba0aade22

SHA1
fc8e9b10c83e16eb0af1b6f10128f5c37b389682

SHA256
cb42fac1aebb6e1ac4907a38035b218b5f992d1bcd4dece11b1664a588e876e4

SHA512
37f2c132b632c8e5a336bdc773d953c7f39872b1bae2ba34fbaf7794a477fd0dcb9ff60a3ddb447fe76abd98e557bd5ee544876584adea152b0841b3e313054c

Download Submit