fa3544162eee87b660999bd913f76ccb2e5a706928ef2c2e29811e4ac76fb166

Analysis

max time kernel
129s
max time network
132s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
27/07/2024, 09:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

VirtualBox-7.0.20-163906-Win.exe
Size

105.1MB
MD5

b822835698e76fff193342effc92d286
SHA1

e049adb24caf0153b94e801da9835d485c67e38c
SHA256

fa3544162eee87b660999bd913f76ccb2e5a706928ef2c2e29811e4ac76fb166
SHA512

0381b27478dc25d4b3707fb21a34be66ca42eb18d93ce8ec90be7325015f540a39ebfea58b7992a38cc2c861e6e86d89c67f5b3a84ddb65e339fcca0dc314bed
SSDEEP

3145728:VuwDpzeIGwA7iKVCv8hxxgFYHey3WCfEOiP1e48TetH+H9:VuwDpz9A70Cno1XZBtHC9

Score

8^/10

discovery

Malware Config

Signatures

Drops file in Drivers directory 6 IoCs

description	ioc	Process
File created	C:\Windows\system32\DRIVERS\SETBBC2.tmp	MsiExec.exe
File opened for modification	C:\Windows\system32\DRIVERS\VBoxUSBMon.sys	MsiExec.exe
File opened for modification	C:\Windows\system32\DRIVERS\SETB7EA.tmp	MsiExec.exe
File created	C:\Windows\system32\DRIVERS\SETB7EA.tmp	MsiExec.exe
File opened for modification	C:\Windows\system32\DRIVERS\VBoxSup.sys	MsiExec.exe
File opened for modification	C:\Windows\system32\DRIVERS\SETBBC2.tmp	MsiExec.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\A:	VirtualBox-7.0.20-163906-Win.exe
File opened (read-only)	\??\B:	VirtualBox-7.0.20-163906-Win.exe
File opened (read-only)	\??\M:	VirtualBox-7.0.20-163906-Win.exe
File opened (read-only)	\??\Z:	VirtualBox-7.0.20-163906-Win.exe
File opened (read-only)	\??\V:	VirtualBox-7.0.20-163906-Win.exe
File opened (read-only)	\??\W:	VirtualBox-7.0.20-163906-Win.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\J:	VirtualBox-7.0.20-163906-Win.exe
File opened (read-only)	\??\N:	VirtualBox-7.0.20-163906-Win.exe
File opened (read-only)	\??\O:	VirtualBox-7.0.20-163906-Win.exe
File opened (read-only)	\??\U:	VirtualBox-7.0.20-163906-Win.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\E:	VirtualBox-7.0.20-163906-Win.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\P:	VirtualBox-7.0.20-163906-Win.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\G:	VirtualBox-7.0.20-163906-Win.exe
File opened (read-only)	\??\H:	VirtualBox-7.0.20-163906-Win.exe
File opened (read-only)	\??\L:	VirtualBox-7.0.20-163906-Win.exe
File opened (read-only)	\??\T:	VirtualBox-7.0.20-163906-Win.exe
File opened (read-only)	\??\S:	VirtualBox-7.0.20-163906-Win.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\I:	VirtualBox-7.0.20-163906-Win.exe
File opened (read-only)	\??\K:	VirtualBox-7.0.20-163906-Win.exe
File opened (read-only)	\??\Q:	VirtualBox-7.0.20-163906-Win.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\R:	VirtualBox-7.0.20-163906-Win.exe
File opened (read-only)	\??\X:	VirtualBox-7.0.20-163906-Win.exe
File opened (read-only)	\??\Y:	VirtualBox-7.0.20-163906-Win.exe
File opened (read-only)	\??\G:	msiexec.exe

Drops file in System32 directory 18 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\DriverStore\Temp\{4b158d57-1826-1807-79cc-af2227b6c528}\VBoxUSB.sys	DrvInst.exe
File opened for modification	C:\Windows\System32\CatRoot2\dberr.txt	MsiExec.exe
File created	C:\Windows\system32\DRVSTORE\VBoxUSBMon_99945AF90D9C8273571E67CAB5A51A23C46AA482\VBoxUSBMon.inf	MsiExec.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{4b158d57-1826-1807-79cc-af2227b6c528}\SETBE71.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{4b158d57-1826-1807-79cc-af2227b6c528}\SETBE71.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{4b158d57-1826-1807-79cc-af2227b6c528}\SETBE60.tmp	DrvInst.exe
File opened for modification	C:\Windows\system32\DRVSTORE	MsiExec.exe
File created	C:\Windows\system32\DRVSTORE\VBoxSup_D038A2CBD8FB3F43618A40C3B4BE8C01C0CF3B28\VBoxSup.sys	MsiExec.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{4b158d57-1826-1807-79cc-af2227b6c528}\SETBE5F.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{4b158d57-1826-1807-79cc-af2227b6c528}\SETBE5F.tmp	DrvInst.exe
File created	C:\Windows\system32\DRVSTORE\VBoxSup_D038A2CBD8FB3F43618A40C3B4BE8C01C0CF3B28\VBoxSup.inf	MsiExec.exe
File created	C:\Windows\system32\DRVSTORE\VBoxSup_D038A2CBD8FB3F43618A40C3B4BE8C01C0CF3B28\VBoxSup.cat	MsiExec.exe
File created	C:\Windows\system32\DRVSTORE\VBoxUSBMon_99945AF90D9C8273571E67CAB5A51A23C46AA482\VBoxUSBMon.sys	MsiExec.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{4b158d57-1826-1807-79cc-af2227b6c528}\SETBE60.tmp	DrvInst.exe
File opened for modification	C:\Windows\system32\DRVSTORE\VBoxSup_D038A2CBD8FB3F43618A40C3B4BE8C01C0CF3B28\VBoxSup.inf	MsiExec.exe
File created	C:\Windows\system32\DRVSTORE\VBoxUSBMon_99945AF90D9C8273571E67CAB5A51A23C46AA482\VBoxUSBMon.cat	MsiExec.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{4b158d57-1826-1807-79cc-af2227b6c528}\VBoxUSB.cat	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{4b158d57-1826-1807-79cc-af2227b6c528}\VBoxUSB.inf	DrvInst.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Oracle\VirtualBox\nls\VirtualBox_pt_BR.qm	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\nls\qt_uk.qm	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\VBoxC.dll	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\vbox-img.exe	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\VBoxHostChannel.dll	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\drivers\vboxsup\VBoxSup.inf	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\nls\VirtualBox_da.qm	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\nls\VirtualBox_fa.qm	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\sqldrivers\qsqlite.dll	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\VBoxTestOGL.exe	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\nls\qt_en.qm	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\nls\qt_eu.qm	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\nls\qt_fr.qm	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\UnattendedTemplates\debian_preseed.cfg	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\VBoxNetNAT.exe	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\UnattendedTemplates\lgw_ks.cfg	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\nls\VirtualBox_ca.qm	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\nls\qt_de.qm	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\nls\qt_pl.qm	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\UnattendedTemplates\redhat_postinstall.sh	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\VirtualBoxVM.dll	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\nls\VirtualBox_bg.qm	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\nls\VirtualBox_zh_TW.qm	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\platforms\qoffscreen.dll	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\VBoxCAPI.dll	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\VBoxDbg.dll	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\drivers\network\netlwf\VBoxNetLwf.inf	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\VirtualBox_70px.png	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\sdk\install\vboxapi\__init__.py	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\styles\qwindowsvistastyle.dll	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\UICommon.dll	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\VBoxHeadless.exe	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\nls\VirtualBox_ka.qm	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\VMMR0.r0	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\nls\VirtualBox_en.qm	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\nls\VirtualBox_zh_CN.qm	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\Qt5GuiVBox.dll	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\Qt5HelpVBox.dll	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\UserManual.qch	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\VBoxHeadless.dll	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\VBoxRes.dll	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\nls\qt_sl.qm	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\drivers\network\netlwf\VBoxNetLwf.cat	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\drivers\USB\filter\VBoxUSBMon.sys	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\nls\VirtualBox_ko.qm	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\nls\VirtualBox_eu.qm	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\nls\qt_pt.qm	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\UnattendedTemplates\os2_cid_install.cmd	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\VBoxProxyStub.dll	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\VBoxVMM.dll	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\Qt5SqlVBox.dll	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\VBoxAudioTest.exe	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\VBoxAuth.dll	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\VBoxDD.dll	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\drivers\network\netadp6\VBoxNetAdp6.cat	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\doc\UserManual.pdf	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\VirtualBox.exe	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\nls\VirtualBox_hr_HR.qm	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\VBoxDDU.dll	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\drivers\USB\device\VBoxUSB.sys	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\sdk\install\vboxapi\VirtualBox_constants.py	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\nls\VirtualBox_pt.qm	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\nls\qt_lt.qm	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\nls\qt_ja.qm	msiexec.exe

Drops file in Windows directory 23 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\MSIBCBA.tmp	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	MsiExec.exe
File opened for modification	C:\Windows\Installer\MSI95F2.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIA763.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIB680.tmp	msiexec.exe
File created	C:\Windows\Installer\f788b9e.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIA6F4.tmp	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File created	C:\Windows\Installer\f788b9d.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI9061.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI911E.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI8F85.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI9003.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI91BB.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI9332.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI949A.tmp	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.ev3	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.ev1	DrvInst.exe
File opened for modification	C:\Windows\Installer\f788b9d.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIBA68.tmp	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.app.log	MsiExec.exe

Loads dropped DLL 18 IoCs

pid	Process
1996	MsiExec.exe
1996	MsiExec.exe
1996	MsiExec.exe
1996	MsiExec.exe
1996	MsiExec.exe
1996	MsiExec.exe
824	MsiExec.exe
824	MsiExec.exe
824	MsiExec.exe
824	MsiExec.exe
2456	MsiExec.exe
824	MsiExec.exe
824	MsiExec.exe
2468	MsiExec.exe
2468	MsiExec.exe
2468	MsiExec.exe
2468	MsiExec.exe
2468	MsiExec.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	VirtualBox-7.0.20-163906-Win.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	MsiExec.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPublisher\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	rundll32.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{2916C86E-86A6-43FE-8112-43ABE6BF8DCC} {0C6C4200-C589-11D0-999A-00C04FD655E1} 0xFFFF = 0100000000000000106a2b3608e0da01	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	DrvInst.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{99FD978C-D287-4F50-827F-B2C658EDA8E7} {0C6C4200-C589-11D0-999A-00C04FD655E1} 0xFFFF = 0100000000000000b008293608e0da01	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	MsiExec.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{08244EE6-92F0-47F2-9FC9-929BAA2E7235} {0C6C4200-C589-11D0-999A-00C04FD655E1} 0xFFFF = 010000000000000070cb2d3608e0da01	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	DrvInst.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	rundll32.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{4E77131D-3629-431C-9818-C5679DC83E81} {0C6C4200-C589-11D0-999A-00C04FD655E1} 0xFFFF = 0100000000000000106a2b3608e0da01	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	DrvInst.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AB5C5600-7E6E-4B06-9197-9ECEF74D31CC} {0C6C4200-C589-11D0-999A-00C04FD655E1} 0xFFFF = 0100000000000000106a2b3608e0da01	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe

Modifies system certificate store 2 TTPs 9 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 0f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d432000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	VirtualBox-7.0.20-163906-Win.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa62000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	VirtualBox-7.0.20-163906-Win.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\A2F9C670FAF5B654641E0989AD30165D480B0D4F\Blob = 030000000100000014000000a2f9c670faf5b654641e0989ad30165d480b0d4f2000000001000000430600003082063f30820427a00302010202141834630ee20ad1c97d81495caf0907822bba0071300d06092a864886f70d010105050030819a310b30090603550406130244453110300e06035504080c0742617661726961310f300d06035504070c064d756e69636831293027060355040a0c204f7261636c6520446575747363686c616e6420422e562e202620436f2e204b47313d303b06035504030c345669727475616c426f7820666f72204c65676163792057696e646f7773204f6e6c792054696d657374616d702043412053484131301e170d3130303130313030303030305a170d3337313233313233353935395a30819a310b30090603550406130244453110300e06035504080c0742617661726961310f300d06035504070c064d756e69636831293027060355040a0c204f7261636c6520446575747363686c616e6420422e562e202620436f2e204b47313d303b06035504030c345669727475616c426f7820666f72204c65676163792057696e646f7773204f6e6c792054696d657374616d70204341205348413130820222300d06092a864886f70d01010105000382020f003082020a0282020100eb2b2b32449d3ac8cd6ea98e9c3e43bd55973e96f546bedb5c770345493699ee661b27fab66c57c106d1cdc4676f6e25629cd9bd04226544c306f068e7b23a0c4dffca31a9b61cf104a11cda08648e29369f704ed3289f728b61e06c842e4edac6b798e1ca28647d3967f9dafc847d0f6ef7192c1973ea4b7b98d01bd8a82876d248e35ac69074932df4f8903d0536c3c8792ba3e7b4cfe34a231f8b06cfd78eeda189cadfcf3788198b12cbf61b90b909f86f8d2975be4795d8481356cd68be81b938f3daa6157fd4c56f0af7559e948351f23eb7edd1b21bf6b56d569db644e918b2bb8b1ca827ebaabbf34a9354dd5b844048295b44955112463eb6dee03fb94ce61e86f17056e2553d5ad743fbe20f5271851b4414a774b4234f1f5ed7f3ae7f0b01ee6dfe87a9b28ec96b1373c4c4c3bf401d0d56d60a5702213506703d6cb8a98e989023072b3a7691a3fceabc3cdb9b4edf2cb95859d0b9b6e7b70f14ee6b791b88a7bae8bde38c8dd7e4d08405c2b687984306e1758cdb4e3d7d7aba8866f5d8ccf79bcc96314473e291946ca0a37324d30d5884e5fd51f782e5b455d4d8554ac19b054e96ee2fc5846c866b6ba7fd06388fa3cf58142ec938f8c6d4cf0d375d9851eedd9c26e39f3e318145800d8f61442b6fff479eb1b9d692d82b3fc76c07bc3fdfbabcba9c7c07e419ffa373383d9ade010a96ec8fcb6731f35f0203010001a37b307930130603551d25040c300a06082b06010505070308301d0603551d0e04160414f116993ca2d97cd4756acf02af9febdfe731993e301f0603551d23041830168014f116993ca2d97cd4756acf02af9febdfe731993e30120603551d130101ff040830060101ff020100300e0603551d0f0101ff040403020106300d06092a864886f70d010105050003820201000cb7dbfa07f92940dae81f341ee5c7d5b1a5b49b3399d5f4bc4bea0ee60607eacaf9ae1bf5101b0cbf5262b08b6121fa4f6a8a823291ea8cef7f1767bfe7675d70bc6320e877c04f87021d338210930870e23ceab922b472b1abb66e8878620dfb07d3f496d66da89ac6964ae4d996f477ed586fabb590d2b190871747dcc89a8c337848a554309f363d875a8fe4c37e4a0f86350bc3f47751555af75e83c7310dbb23d17bff06900b405c794042115891400585fb60d0de9939d556f5b1ab7c998f2e79b7749b5f9a21e26c845bb5eacfd15e1238193d94e2707d6cc0e12cfc607efe4f668cd4089fdb59365961cf982479b71ff59e84e98e46b368b85d9fbf42ef151e37da25fbcfc7f187531e25499d9025c9dbca99818019af64eafbfd6990ba62c700e2119db6507fa482d3799843f971c13db473752a4647959fad6936e63386a261704137b120578384ce52f068ff00f4c2e91f395cda4fd95ae527fe01a95325b78923e18b5245e070a0c1991f010a54c7c6dbcf0b5ea2502260d1648a3aa75bfed9110011c6edf049994ba6c63525a09d2a16bed8ff04d08e196f257c7dc4ae85542299db8f238c76d6aa16a7d3e9a788bac56ec7146fb8fd443810e59a96b77f3f9eedf4e8c2187c94171eeb708c28b1565049a8509a87401f392adeabf11b148584fe35ecaff93cdbcfc9a4047c7188abf7b78b76fbefeed4c7b3	VirtualBox-7.0.20-163906-Win.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\A2F9C670FAF5B654641E0989AD30165D480B0D4F\Blob = 0f00000001000000140000006135597bf3e5090eda793e29a604b1e4995f132d030000000100000014000000a2f9c670faf5b654641e0989ad30165d480b0d4f2000000001000000430600003082063f30820427a00302010202141834630ee20ad1c97d81495caf0907822bba0071300d06092a864886f70d010105050030819a310b30090603550406130244453110300e06035504080c0742617661726961310f300d06035504070c064d756e69636831293027060355040a0c204f7261636c6520446575747363686c616e6420422e562e202620436f2e204b47313d303b06035504030c345669727475616c426f7820666f72204c65676163792057696e646f7773204f6e6c792054696d657374616d702043412053484131301e170d3130303130313030303030305a170d3337313233313233353935395a30819a310b30090603550406130244453110300e06035504080c0742617661726961310f300d06035504070c064d756e69636831293027060355040a0c204f7261636c6520446575747363686c616e6420422e562e202620436f2e204b47313d303b06035504030c345669727475616c426f7820666f72204c65676163792057696e646f7773204f6e6c792054696d657374616d70204341205348413130820222300d06092a864886f70d01010105000382020f003082020a0282020100eb2b2b32449d3ac8cd6ea98e9c3e43bd55973e96f546bedb5c770345493699ee661b27fab66c57c106d1cdc4676f6e25629cd9bd04226544c306f068e7b23a0c4dffca31a9b61cf104a11cda08648e29369f704ed3289f728b61e06c842e4edac6b798e1ca28647d3967f9dafc847d0f6ef7192c1973ea4b7b98d01bd8a82876d248e35ac69074932df4f8903d0536c3c8792ba3e7b4cfe34a231f8b06cfd78eeda189cadfcf3788198b12cbf61b90b909f86f8d2975be4795d8481356cd68be81b938f3daa6157fd4c56f0af7559e948351f23eb7edd1b21bf6b56d569db644e918b2bb8b1ca827ebaabbf34a9354dd5b844048295b44955112463eb6dee03fb94ce61e86f17056e2553d5ad743fbe20f5271851b4414a774b4234f1f5ed7f3ae7f0b01ee6dfe87a9b28ec96b1373c4c4c3bf401d0d56d60a5702213506703d6cb8a98e989023072b3a7691a3fceabc3cdb9b4edf2cb95859d0b9b6e7b70f14ee6b791b88a7bae8bde38c8dd7e4d08405c2b687984306e1758cdb4e3d7d7aba8866f5d8ccf79bcc96314473e291946ca0a37324d30d5884e5fd51f782e5b455d4d8554ac19b054e96ee2fc5846c866b6ba7fd06388fa3cf58142ec938f8c6d4cf0d375d9851eedd9c26e39f3e318145800d8f61442b6fff479eb1b9d692d82b3fc76c07bc3fdfbabcba9c7c07e419ffa373383d9ade010a96ec8fcb6731f35f0203010001a37b307930130603551d25040c300a06082b06010505070308301d0603551d0e04160414f116993ca2d97cd4756acf02af9febdfe731993e301f0603551d23041830168014f116993ca2d97cd4756acf02af9febdfe731993e30120603551d130101ff040830060101ff020100300e0603551d0f0101ff040403020106300d06092a864886f70d010105050003820201000cb7dbfa07f92940dae81f341ee5c7d5b1a5b49b3399d5f4bc4bea0ee60607eacaf9ae1bf5101b0cbf5262b08b6121fa4f6a8a823291ea8cef7f1767bfe7675d70bc6320e877c04f87021d338210930870e23ceab922b472b1abb66e8878620dfb07d3f496d66da89ac6964ae4d996f477ed586fabb590d2b190871747dcc89a8c337848a554309f363d875a8fe4c37e4a0f86350bc3f47751555af75e83c7310dbb23d17bff06900b405c794042115891400585fb60d0de9939d556f5b1ab7c998f2e79b7749b5f9a21e26c845bb5eacfd15e1238193d94e2707d6cc0e12cfc607efe4f668cd4089fdb59365961cf982479b71ff59e84e98e46b368b85d9fbf42ef151e37da25fbcfc7f187531e25499d9025c9dbca99818019af64eafbfd6990ba62c700e2119db6507fa482d3799843f971c13db473752a4647959fad6936e63386a261704137b120578384ce52f068ff00f4c2e91f395cda4fd95ae527fe01a95325b78923e18b5245e070a0c1991f010a54c7c6dbcf0b5ea2502260d1648a3aa75bfed9110011c6edf049994ba6c63525a09d2a16bed8ff04d08e196f257c7dc4ae85542299db8f238c76d6aa16a7d3e9a788bac56ec7146fb8fd443810e59a96b77f3f9eedf4e8c2187c94171eeb708c28b1565049a8509a87401f392adeabf11b148584fe35ecaff93cdbcfc9a4047c7188abf7b78b76fbefeed4c7b3	VirtualBox-7.0.20-163906-Win.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\A2F9C670FAF5B654641E0989AD30165D480B0D4F\Blob = 19000000010000001000000015a6a7f09e2304a29823e91ef5af979d0f00000001000000140000006135597bf3e5090eda793e29a604b1e4995f132d030000000100000014000000a2f9c670faf5b654641e0989ad30165d480b0d4f140000000100000014000000f116993ca2d97cd4756acf02af9febdfe731993e2000000001000000430600003082063f30820427a00302010202141834630ee20ad1c97d81495caf0907822bba0071300d06092a864886f70d010105050030819a310b30090603550406130244453110300e06035504080c0742617661726961310f300d06035504070c064d756e69636831293027060355040a0c204f7261636c6520446575747363686c616e6420422e562e202620436f2e204b47313d303b06035504030c345669727475616c426f7820666f72204c65676163792057696e646f7773204f6e6c792054696d657374616d702043412053484131301e170d3130303130313030303030305a170d3337313233313233353935395a30819a310b30090603550406130244453110300e06035504080c0742617661726961310f300d06035504070c064d756e69636831293027060355040a0c204f7261636c6520446575747363686c616e6420422e562e202620436f2e204b47313d303b06035504030c345669727475616c426f7820666f72204c65676163792057696e646f7773204f6e6c792054696d657374616d70204341205348413130820222300d06092a864886f70d01010105000382020f003082020a0282020100eb2b2b32449d3ac8cd6ea98e9c3e43bd55973e96f546bedb5c770345493699ee661b27fab66c57c106d1cdc4676f6e25629cd9bd04226544c306f068e7b23a0c4dffca31a9b61cf104a11cda08648e29369f704ed3289f728b61e06c842e4edac6b798e1ca28647d3967f9dafc847d0f6ef7192c1973ea4b7b98d01bd8a82876d248e35ac69074932df4f8903d0536c3c8792ba3e7b4cfe34a231f8b06cfd78eeda189cadfcf3788198b12cbf61b90b909f86f8d2975be4795d8481356cd68be81b938f3daa6157fd4c56f0af7559e948351f23eb7edd1b21bf6b56d569db644e918b2bb8b1ca827ebaabbf34a9354dd5b844048295b44955112463eb6dee03fb94ce61e86f17056e2553d5ad743fbe20f5271851b4414a774b4234f1f5ed7f3ae7f0b01ee6dfe87a9b28ec96b1373c4c4c3bf401d0d56d60a5702213506703d6cb8a98e989023072b3a7691a3fceabc3cdb9b4edf2cb95859d0b9b6e7b70f14ee6b791b88a7bae8bde38c8dd7e4d08405c2b687984306e1758cdb4e3d7d7aba8866f5d8ccf79bcc96314473e291946ca0a37324d30d5884e5fd51f782e5b455d4d8554ac19b054e96ee2fc5846c866b6ba7fd06388fa3cf58142ec938f8c6d4cf0d375d9851eedd9c26e39f3e318145800d8f61442b6fff479eb1b9d692d82b3fc76c07bc3fdfbabcba9c7c07e419ffa373383d9ade010a96ec8fcb6731f35f0203010001a37b307930130603551d25040c300a06082b06010505070308301d0603551d0e04160414f116993ca2d97cd4756acf02af9febdfe731993e301f0603551d23041830168014f116993ca2d97cd4756acf02af9febdfe731993e30120603551d130101ff040830060101ff020100300e0603551d0f0101ff040403020106300d06092a864886f70d010105050003820201000cb7dbfa07f92940dae81f341ee5c7d5b1a5b49b3399d5f4bc4bea0ee60607eacaf9ae1bf5101b0cbf5262b08b6121fa4f6a8a823291ea8cef7f1767bfe7675d70bc6320e877c04f87021d338210930870e23ceab922b472b1abb66e8878620dfb07d3f496d66da89ac6964ae4d996f477ed586fabb590d2b190871747dcc89a8c337848a554309f363d875a8fe4c37e4a0f86350bc3f47751555af75e83c7310dbb23d17bff06900b405c794042115891400585fb60d0de9939d556f5b1ab7c998f2e79b7749b5f9a21e26c845bb5eacfd15e1238193d94e2707d6cc0e12cfc607efe4f668cd4089fdb59365961cf982479b71ff59e84e98e46b368b85d9fbf42ef151e37da25fbcfc7f187531e25499d9025c9dbca99818019af64eafbfd6990ba62c700e2119db6507fa482d3799843f971c13db473752a4647959fad6936e63386a261704137b120578384ce52f068ff00f4c2e91f395cda4fd95ae527fe01a95325b78923e18b5245e070a0c1991f010a54c7c6dbcf0b5ea2502260d1648a3aa75bfed9110011c6edf049994ba6c63525a09d2a16bed8ff04d08e196f257c7dc4ae85542299db8f238c76d6aa16a7d3e9a788bac56ec7146fb8fd443810e59a96b77f3f9eedf4e8c2187c94171eeb708c28b1565049a8509a87401f392adeabf11b148584fe35ecaff93cdbcfc9a4047c7188abf7b78b76fbefeed4c7b3	VirtualBox-7.0.20-163906-Win.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43	VirtualBox-7.0.20-163906-Win.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\A2F9C670FAF5B654641E0989AD30165D480B0D4F	VirtualBox-7.0.20-163906-Win.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\A2F9C670FAF5B654641E0989AD30165D480B0D4F\Blob = 140000000100000014000000f116993ca2d97cd4756acf02af9febdfe731993e030000000100000014000000a2f9c670faf5b654641e0989ad30165d480b0d4f0f00000001000000140000006135597bf3e5090eda793e29a604b1e4995f132d2000000001000000430600003082063f30820427a00302010202141834630ee20ad1c97d81495caf0907822bba0071300d06092a864886f70d010105050030819a310b30090603550406130244453110300e06035504080c0742617661726961310f300d06035504070c064d756e69636831293027060355040a0c204f7261636c6520446575747363686c616e6420422e562e202620436f2e204b47313d303b06035504030c345669727475616c426f7820666f72204c65676163792057696e646f7773204f6e6c792054696d657374616d702043412053484131301e170d3130303130313030303030305a170d3337313233313233353935395a30819a310b30090603550406130244453110300e06035504080c0742617661726961310f300d06035504070c064d756e69636831293027060355040a0c204f7261636c6520446575747363686c616e6420422e562e202620436f2e204b47313d303b06035504030c345669727475616c426f7820666f72204c65676163792057696e646f7773204f6e6c792054696d657374616d70204341205348413130820222300d06092a864886f70d01010105000382020f003082020a0282020100eb2b2b32449d3ac8cd6ea98e9c3e43bd55973e96f546bedb5c770345493699ee661b27fab66c57c106d1cdc4676f6e25629cd9bd04226544c306f068e7b23a0c4dffca31a9b61cf104a11cda08648e29369f704ed3289f728b61e06c842e4edac6b798e1ca28647d3967f9dafc847d0f6ef7192c1973ea4b7b98d01bd8a82876d248e35ac69074932df4f8903d0536c3c8792ba3e7b4cfe34a231f8b06cfd78eeda189cadfcf3788198b12cbf61b90b909f86f8d2975be4795d8481356cd68be81b938f3daa6157fd4c56f0af7559e948351f23eb7edd1b21bf6b56d569db644e918b2bb8b1ca827ebaabbf34a9354dd5b844048295b44955112463eb6dee03fb94ce61e86f17056e2553d5ad743fbe20f5271851b4414a774b4234f1f5ed7f3ae7f0b01ee6dfe87a9b28ec96b1373c4c4c3bf401d0d56d60a5702213506703d6cb8a98e989023072b3a7691a3fceabc3cdb9b4edf2cb95859d0b9b6e7b70f14ee6b791b88a7bae8bde38c8dd7e4d08405c2b687984306e1758cdb4e3d7d7aba8866f5d8ccf79bcc96314473e291946ca0a37324d30d5884e5fd51f782e5b455d4d8554ac19b054e96ee2fc5846c866b6ba7fd06388fa3cf58142ec938f8c6d4cf0d375d9851eedd9c26e39f3e318145800d8f61442b6fff479eb1b9d692d82b3fc76c07bc3fdfbabcba9c7c07e419ffa373383d9ade010a96ec8fcb6731f35f0203010001a37b307930130603551d25040c300a06082b06010505070308301d0603551d0e04160414f116993ca2d97cd4756acf02af9febdfe731993e301f0603551d23041830168014f116993ca2d97cd4756acf02af9febdfe731993e30120603551d130101ff040830060101ff020100300e0603551d0f0101ff040403020106300d06092a864886f70d010105050003820201000cb7dbfa07f92940dae81f341ee5c7d5b1a5b49b3399d5f4bc4bea0ee60607eacaf9ae1bf5101b0cbf5262b08b6121fa4f6a8a823291ea8cef7f1767bfe7675d70bc6320e877c04f87021d338210930870e23ceab922b472b1abb66e8878620dfb07d3f496d66da89ac6964ae4d996f477ed586fabb590d2b190871747dcc89a8c337848a554309f363d875a8fe4c37e4a0f86350bc3f47751555af75e83c7310dbb23d17bff06900b405c794042115891400585fb60d0de9939d556f5b1ab7c998f2e79b7749b5f9a21e26c845bb5eacfd15e1238193d94e2707d6cc0e12cfc607efe4f668cd4089fdb59365961cf982479b71ff59e84e98e46b368b85d9fbf42ef151e37da25fbcfc7f187531e25499d9025c9dbca99818019af64eafbfd6990ba62c700e2119db6507fa482d3799843f971c13db473752a4647959fad6936e63386a261704137b120578384ce52f068ff00f4c2e91f395cda4fd95ae527fe01a95325b78923e18b5245e070a0c1991f010a54c7c6dbcf0b5ea2502260d1648a3aa75bfed9110011c6edf049994ba6c63525a09d2a16bed8ff04d08e196f257c7dc4ae85542299db8f238c76d6aa16a7d3e9a788bac56ec7146fb8fd443810e59a96b77f3f9eedf4e8c2187c94171eeb708c28b1565049a8509a87401f392adeabf11b148584fe35ecaff93cdbcfc9a4047c7188abf7b78b76fbefeed4c7b3	VirtualBox-7.0.20-163906-Win.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d43190000000100000010000000749966cecc95c1874194ca7203f9b6202000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	VirtualBox-7.0.20-163906-Win.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
912	msiexec.exe
912	msiexec.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2676	VirtualBox-7.0.20-163906-Win.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
480	Process not Found
480	Process not Found

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2676	VirtualBox-7.0.20-163906-Win.exe
Token: SeIncreaseQuotaPrivilege	2676	VirtualBox-7.0.20-163906-Win.exe
Token: SeRestorePrivilege	912	msiexec.exe
Token: SeTakeOwnershipPrivilege	912	msiexec.exe
Token: SeSecurityPrivilege	912	msiexec.exe
Token: SeCreateTokenPrivilege	2676	VirtualBox-7.0.20-163906-Win.exe
Token: SeAssignPrimaryTokenPrivilege	2676	VirtualBox-7.0.20-163906-Win.exe
Token: SeLockMemoryPrivilege	2676	VirtualBox-7.0.20-163906-Win.exe
Token: SeIncreaseQuotaPrivilege	2676	VirtualBox-7.0.20-163906-Win.exe
Token: SeMachineAccountPrivilege	2676	VirtualBox-7.0.20-163906-Win.exe
Token: SeTcbPrivilege	2676	VirtualBox-7.0.20-163906-Win.exe
Token: SeSecurityPrivilege	2676	VirtualBox-7.0.20-163906-Win.exe
Token: SeTakeOwnershipPrivilege	2676	VirtualBox-7.0.20-163906-Win.exe
Token: SeLoadDriverPrivilege	2676	VirtualBox-7.0.20-163906-Win.exe
Token: SeSystemProfilePrivilege	2676	VirtualBox-7.0.20-163906-Win.exe
Token: SeSystemtimePrivilege	2676	VirtualBox-7.0.20-163906-Win.exe
Token: SeProfSingleProcessPrivilege	2676	VirtualBox-7.0.20-163906-Win.exe
Token: SeIncBasePriorityPrivilege	2676	VirtualBox-7.0.20-163906-Win.exe
Token: SeCreatePagefilePrivilege	2676	VirtualBox-7.0.20-163906-Win.exe
Token: SeCreatePermanentPrivilege	2676	VirtualBox-7.0.20-163906-Win.exe
Token: SeBackupPrivilege	2676	VirtualBox-7.0.20-163906-Win.exe
Token: SeRestorePrivilege	2676	VirtualBox-7.0.20-163906-Win.exe
Token: SeShutdownPrivilege	2676	VirtualBox-7.0.20-163906-Win.exe
Token: SeDebugPrivilege	2676	VirtualBox-7.0.20-163906-Win.exe
Token: SeAuditPrivilege	2676	VirtualBox-7.0.20-163906-Win.exe
Token: SeSystemEnvironmentPrivilege	2676	VirtualBox-7.0.20-163906-Win.exe
Token: SeChangeNotifyPrivilege	2676	VirtualBox-7.0.20-163906-Win.exe
Token: SeRemoteShutdownPrivilege	2676	VirtualBox-7.0.20-163906-Win.exe
Token: SeUndockPrivilege	2676	VirtualBox-7.0.20-163906-Win.exe
Token: SeSyncAgentPrivilege	2676	VirtualBox-7.0.20-163906-Win.exe
Token: SeEnableDelegationPrivilege	2676	VirtualBox-7.0.20-163906-Win.exe
Token: SeManageVolumePrivilege	2676	VirtualBox-7.0.20-163906-Win.exe
Token: SeImpersonatePrivilege	2676	VirtualBox-7.0.20-163906-Win.exe
Token: SeCreateGlobalPrivilege	2676	VirtualBox-7.0.20-163906-Win.exe
Token: SeCreateTokenPrivilege	2676	VirtualBox-7.0.20-163906-Win.exe
Token: SeAssignPrimaryTokenPrivilege	2676	VirtualBox-7.0.20-163906-Win.exe
Token: SeLockMemoryPrivilege	2676	VirtualBox-7.0.20-163906-Win.exe
Token: SeIncreaseQuotaPrivilege	2676	VirtualBox-7.0.20-163906-Win.exe
Token: SeMachineAccountPrivilege	2676	VirtualBox-7.0.20-163906-Win.exe
Token: SeTcbPrivilege	2676	VirtualBox-7.0.20-163906-Win.exe
Token: SeSecurityPrivilege	2676	VirtualBox-7.0.20-163906-Win.exe
Token: SeTakeOwnershipPrivilege	2676	VirtualBox-7.0.20-163906-Win.exe
Token: SeLoadDriverPrivilege	2676	VirtualBox-7.0.20-163906-Win.exe
Token: SeSystemProfilePrivilege	2676	VirtualBox-7.0.20-163906-Win.exe
Token: SeSystemtimePrivilege	2676	VirtualBox-7.0.20-163906-Win.exe
Token: SeProfSingleProcessPrivilege	2676	VirtualBox-7.0.20-163906-Win.exe
Token: SeIncBasePriorityPrivilege	2676	VirtualBox-7.0.20-163906-Win.exe
Token: SeCreatePagefilePrivilege	2676	VirtualBox-7.0.20-163906-Win.exe
Token: SeCreatePermanentPrivilege	2676	VirtualBox-7.0.20-163906-Win.exe
Token: SeBackupPrivilege	2676	VirtualBox-7.0.20-163906-Win.exe
Token: SeRestorePrivilege	2676	VirtualBox-7.0.20-163906-Win.exe
Token: SeShutdownPrivilege	2676	VirtualBox-7.0.20-163906-Win.exe
Token: SeDebugPrivilege	2676	VirtualBox-7.0.20-163906-Win.exe
Token: SeAuditPrivilege	2676	VirtualBox-7.0.20-163906-Win.exe
Token: SeSystemEnvironmentPrivilege	2676	VirtualBox-7.0.20-163906-Win.exe
Token: SeChangeNotifyPrivilege	2676	VirtualBox-7.0.20-163906-Win.exe
Token: SeRemoteShutdownPrivilege	2676	VirtualBox-7.0.20-163906-Win.exe
Token: SeUndockPrivilege	2676	VirtualBox-7.0.20-163906-Win.exe
Token: SeSyncAgentPrivilege	2676	VirtualBox-7.0.20-163906-Win.exe
Token: SeEnableDelegationPrivilege	2676	VirtualBox-7.0.20-163906-Win.exe
Token: SeManageVolumePrivilege	2676	VirtualBox-7.0.20-163906-Win.exe
Token: SeImpersonatePrivilege	2676	VirtualBox-7.0.20-163906-Win.exe
Token: SeCreateGlobalPrivilege	2676	VirtualBox-7.0.20-163906-Win.exe
Token: SeCreateTokenPrivilege	2676	VirtualBox-7.0.20-163906-Win.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2676	VirtualBox-7.0.20-163906-Win.exe

Suspicious use of WriteProcessMemory 25 IoCs

description	pid	Process	procid_target
PID 912 wrote to memory of 1996	912	msiexec.exe	31
PID 912 wrote to memory of 1996	912	msiexec.exe	31
PID 912 wrote to memory of 1996	912	msiexec.exe	31
PID 912 wrote to memory of 1996	912	msiexec.exe	31
PID 912 wrote to memory of 1996	912	msiexec.exe	31
PID 912 wrote to memory of 824	912	msiexec.exe	35
PID 912 wrote to memory of 824	912	msiexec.exe	35
PID 912 wrote to memory of 824	912	msiexec.exe	35
PID 912 wrote to memory of 824	912	msiexec.exe	35
PID 912 wrote to memory of 824	912	msiexec.exe	35
PID 912 wrote to memory of 2456	912	msiexec.exe	36
PID 912 wrote to memory of 2456	912	msiexec.exe	36
PID 912 wrote to memory of 2456	912	msiexec.exe	36
PID 912 wrote to memory of 2456	912	msiexec.exe	36
PID 912 wrote to memory of 2456	912	msiexec.exe	36
PID 912 wrote to memory of 2456	912	msiexec.exe	36
PID 912 wrote to memory of 2456	912	msiexec.exe	36
PID 912 wrote to memory of 2468	912	msiexec.exe	37
PID 912 wrote to memory of 2468	912	msiexec.exe	37
PID 912 wrote to memory of 2468	912	msiexec.exe	37
PID 912 wrote to memory of 2468	912	msiexec.exe	37
PID 912 wrote to memory of 2468	912	msiexec.exe	37
PID 2680 wrote to memory of 1520	2680	DrvInst.exe	39
PID 2680 wrote to memory of 1520	2680	DrvInst.exe	39
PID 2680 wrote to memory of 1520	2680	DrvInst.exe	39

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\VirtualBox-7.0.20-163906-Win.exe
"C:\Users\Admin\AppData\Local\Temp\VirtualBox-7.0.20-163906-Win.exe"
1⤵
- Enumerates connected drives
- System Location Discovery: System Language Discovery
- Modifies system certificate store
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2676

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:912
- C:\Windows\system32\MsiExec.exe
  C:\Windows\system32\MsiExec.exe -Embedding C7A4B7F812CEA13229C65F63B154512E C
  2⤵
  - Loads dropped DLL
  PID:1996
- C:\Windows\system32\MsiExec.exe
  C:\Windows\system32\MsiExec.exe -Embedding 86D98C5ED73324C9F40F8142F50317F3
  2⤵
  - Loads dropped DLL
  PID:824
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding B6DFDFCFDF34A363DCAA59E931332915
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:2456
- C:\Windows\system32\MsiExec.exe
  C:\Windows\system32\MsiExec.exe -Embedding 8571CFB2172C52C125BB91FC760349D0 M Global\MSI0000
  2⤵
  - Drops file in Drivers directory
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Loads dropped DLL
  - Modifies data under HKEY_USERS
  PID:2468

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:2440

C:\Windows\system32\DrvInst.exe
DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "000000000000038C" "00000000000004A4"
1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:1160

C:\Windows\system32\DrvInst.exe
DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{13dc7f9d-4735-7969-2dad-36069a016769}\VBoxUSB.inf" "9" "66237d90b" "00000000000003E8" "WinSta0\Default" "00000000000004A4" "208" "C:\Program Files\Oracle\VirtualBox\drivers\USB\device"
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:2680
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Windows\system32\pnpui.dll,InstallSecurityPromptRunDllW 20 Global\{7261c7a7-d727-2bab-f1a8-e001dce67c73} Global\{7f7967d0-2b84-5d19-6c59-4a21bbd3b97c} C:\Windows\System32\DriverStore\Temp\{4b158d57-1826-1807-79cc-af2227b6c528}\VBoxUSB.inf C:\Windows\System32\DriverStore\Temp\{4b158d57-1826-1807-79cc-af2227b6c528}\VBoxUSB.cat
  2⤵
  - Modifies data under HKEY_USERS
  PID:1520

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~1\Oracle\VIRTUA~1\drivers\USB\device\VBoxUSB.sys

Filesize
184KB

MD5
477569c254917d2c3e92108aee4d84b9

SHA1
49a8714c3e8fddd31c3725e39272c21b892cd681

SHA256
3eaa6ca9447f36c9f6e759244ae0ab64ef070a906809863b1a3d02725dd1c23a

SHA512
cd973c0bbca122da1a117c948969849f53788910a3a113317fc9dc6c27d9e79992117a06bd7d01be6e5faf9ce83942326d72ff3ba205ad19a6f2afdc05c25d75

Download Submit
C:\Program Files\Oracle\VirtualBox\drivers\USB\device\VBoxUSB.cat

Filesize
19KB

MD5
efcd24c4e96c670449494be9bab36d04

SHA1
e0e6f34d3cbfab8e52508764176a9c37305bf453

SHA256
b35a06b5511f3d40765406bcb1de7ed8b9eba89a06a4fcbed983b4c6f6159471

SHA512
7fa3be5099f34a76ca7690467101de04007acb0ecbc2a9ca2ddc112280b29fadae80c04b344222e669cdbe50ffeb89e9aa95481bde1d83cdce1dfefad03885fa

Download Submit
C:\Program Files\Oracle\VirtualBox\drivers\USB\device\VBoxUSB.inf

Filesize
2KB

MD5
3155160d6548ce4433d1611ba4872451

SHA1
46b7099f85af93155de58e5b4e41e8d48937b68b

SHA256
054385912c2f74a171572e750862f2ec75ab93c59f92213b40d007ce9aecc6e6

SHA512
3b2d79b8910b939f605f5c8d7a6ece541b80347602b3dc9f066f943a67fe90ec56607d29f2fe3824ab57b5781554171e800ed8ba549e9d535e16831fd368703a

Download Submit
C:\Program Files\Oracle\VirtualBox\drivers\USB\filter\VBoxUSBMon.cat

Filesize
19KB

MD5
f02290e0e12c2a240842faa0d0b4e8bd

SHA1
99945af90d9c8273571e67cab5a51a23c46aa482

SHA256
7071e601d25284a091c4bf4b44e96073439f02fb18461be622a427fdedbd5235

SHA512
eab09ee7de948eeb0c00912b1d0cce4aebc8f4b8ea56804d1eff2a7278a0503bca049f83f3bcefeca740f167cfedf5d3c66c89f1cde76f8fc8976836fd40f115

Download Submit
C:\Program Files\Oracle\VirtualBox\drivers\USB\filter\VBoxUSBMon.inf

Filesize
3KB

MD5
b0a35c2ca1180c2e4963e5be1235d93d

SHA1
862d17275c5e82430f37813c107f852af954bbdf

SHA256
ba5c69eee5390746fe9cd29a26197853d74d46b4248162c39be8f5212a9bf17d

SHA512
a8a842c3c9c10fb2c4d55589b64dd48d60a6bf5f41fd7092a2965d8f3ab7c3b8dc32822217df3f761ea77981395fa847a67bb9944ce9c718b747340db805c6bd

Download Submit
C:\Program Files\Oracle\VirtualBox\drivers\USB\filter\VBoxUSBMon.sys

Filesize
199KB

MD5
d0a8b437866db80fd1661174886f56dd

SHA1
2166c3f54262cae094073a2bc3b0c86f349ca51b

SHA256
05c99ae7cf556e8e35f22c51f5e52233baf236a6dccbdb15c5611da0e20b805f

SHA512
fa3d23e39bc607ca96af92ab4e382233e2194aeec2de95af8196bb72c5304327b590c230da211521a26405ac0e1042c190f344fd34bc0878bd39ad02b255f72d

Download Submit
C:\Program Files\Oracle\VirtualBox\drivers\vboxsup\VBoxSup.cat

Filesize
19KB

MD5
4e6f0c0c56e0f9432113c49ece3dda62

SHA1
d038a2cbd8fb3f43618a40c3b4be8c01c0cf3b28

SHA256
6d16a05e733476a129cf9e8c1c876671094a1749e67291535a8124d749a0fa94

SHA512
fa378b3d17028713a9d29371253b00945707f179629672932e26f0073ee9ca8d51d820860a2cf9628434bab3f79e01f3b1ac6e1f73977bcf39b33aa1848363f0

Download Submit
C:\Program Files\Oracle\VirtualBox\drivers\vboxsup\VBoxSup.inf

Filesize
3KB

MD5
cdff988430eb1bc5b00282cf72940e73

SHA1
65ea17e6e88cc4feb17031836b501fbb0f1b1d4e

SHA256
4cd64a11a7bdf1f18cc684f3ee6c8eeae8474074bd7fbebd7fe543656bb05b41

SHA512
8e01d8ad58f679ead7b35b5128f49f32535afa52a6844e4a53b714f4df538eb372a6345489e2994921557846460ea990407a811976439f69062f176b5f11a11a

Download Submit
C:\Program Files\Oracle\VirtualBox\drivers\vboxsup\VBoxSup.sys

Filesize
1.0MB

MD5
146ccf9c24cd243b27919caeace73f74

SHA1
7df3bc16502a2dd2420f5d81e1d8acbe05c8fc7a

SHA256
95bf86954288bc187f0b034675a75a9e06ff5dc500c4a317c387c3cf22b5a628

SHA512
8e21fcef6456d27acc7811e624791ac8724d8b3345772578910848ce67c6f13855d5c5af3f057eb0f8c5c20aee4923f25ced5fcc1c309d127ff2a0b6a10a5700

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB

Filesize
471B

MD5
4f4adc1c1ca88ff7e8c36d133a8ecda0

SHA1
72786dcd1d303cd9470a24e45c49c8be0eca64ed

SHA256
df376680485b5fb1b67534fa2d2873d89c6aa73270d1401e2c70eda139cbb13a

SHA512
ee5744f70ae12619dd93fb7463036953a29a34eb5584083c816be789a571a2848ed8ac1320410b0bf1ae7aeac9e3527ca8a27ff314adb1cfa59c6a9cad339024

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EC9B1D0ABBD7F98B401D425828828CE_D2F6556190F7B1A25A117FFB5467EEBD

Filesize
727B

MD5
e7933d7a74b9b710bca5c26102752b74

SHA1
69c0a4d2265ecfe761984194e2171d40583e5648

SHA256
ecad033a416f6870c9fdabeae0e0fd7eca1ed723459ec87731e856b4e2746711

SHA512
bcdcf941d23c4ae822203123b9c5199a6991c79f4e2ca95e780573b0471b30af85084dc5094367195bf29d3483543236aa24147b9b7270732065d4e72086eb7b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141

Filesize
727B

MD5
16aca8f094a2ff8d3583c5ffa6794c13

SHA1
ddc31408896006459d03b4ca884c16f1b5ea75c1

SHA256
18bcf914006e1367c2f1dfe94b5bcc497a0c731f95a546c8a7742df4cf4a99ff

SHA512
42b0f7d4d8e7f2dd54f26945467a73c1bb02a1dbdd6b975d389fc96a263e7c944ca443baca215fd6a1bb1d2b81d3cff8295cdd9bd5050291303a4ed2dff09a75

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB

Filesize
400B

MD5
a9b5dcb72d953fc46c38674109d941e2

SHA1
766cab76bb8c6441e12d43868f4fef0216f7f084

SHA256
06e1dbbc6db647a590322d8108218a56dea065dd1c8d2bc7a6e8883f65e7d1eb

SHA512
0d6186db8ab2ab21d0b6159c6629edf37fc2c64774ba5648da74dd38a9ec5b4b5722034766f4c47a8afa7fbb0d1eb4994f574d76586aa65bbe87567d06507c4a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8EC9B1D0ABBD7F98B401D425828828CE_D2F6556190F7B1A25A117FFB5467EEBD

Filesize
412B

MD5
a36ddda7d7f015f780241b89bc853c11

SHA1
11596e3c8257e8951f4fbcf0882ca9e78225da5d

SHA256
840c369502c6d4bc4a5b2d3403f51ad6da0a97930200d619cbf304d61abe7392

SHA512
006086ac90fe53bc6a15048e7783eee98bc1414dc022b4a9bc807b6830eaa732a0badff34c51e27e279bfc7cf6b44963b6e7c09aefc33fa964fecc90703a0e6d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
67d1a60d018966305605ca2e1a3a2773

SHA1
ec1a0a8eb41bf9b8e0e5f6aa5827840dcb1e9c19

SHA256
f5760a136c3bfe7900e9ec8743d787226c694d3e738736d0b927aaec1834e16a

SHA512
bd5e7e86d30a8d07000e0328b01203b1d438e808b7a37b3d82327d37419ff85fc6fae33678245b7831b81b47d5e6dc8b1592072c73fe234b730eb0192dafb068

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141

Filesize
412B

MD5
41870d5c1dd8cbdffd336ec2251fa25a

SHA1
fca7b3aa4435e3136ee63d792e5cd3f0ff7047a2

SHA256
ddb4d4bd84b582f768868a9cd6b73f4f7d4f259664ea9b413b9226386e67ffc8

SHA512
9bfa4778006887306ebe494490742cee8645f1e909ee111a4603fbd1c8f4ae7c19f5b49bc947e459734f6368937170d6ecadbc1a38b4d9a7c5a43e0b089255ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab4FD7.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabB740.tmp

Filesize
29KB

MD5
d59a6b36c5a94916241a3ead50222b6f

SHA1
e274e9486d318c383bc4b9812844ba56f0cff3c6

SHA256
a38d01d3f024e626d579cf052ac3bd4260bb00c34bc6085977a5f4135ab09b53

SHA512
17012307955fef045e7c13bf0613bd40df27c29778ba6572640b76c18d379e02dc478e855c9276737363d0ad09b9a94f2adaa85da9c77ebb3c2d427aa68e2489

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI52CA.tmp

Filesize
324KB

MD5
0653ce43996240dde250d557ef940bed

SHA1
da125564fadda9bea308bd7325d4664ee14c69a8

SHA256
d2fd21376c4595e60299e37cb55dceb92b531685f1a4545c6bb73681dbcad193

SHA512
27ab2bd553fa390315d360e593ca95e90f8de13d0d60326549fd5e63479143b33a0a7a49c4111e2041cfb05d5f2e9b516eaa7261acae3884094e3842a8309a6c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar5009.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarB743.tmp

Filesize
81KB

MD5
b13f51572f55a2d31ed9f266d581e9ea

SHA1
7eef3111b878e159e520f34410ad87adecf0ca92

SHA256
725980edc240c928bec5a5f743fdabeee1692144da7091cf836dc7d0997cef15

SHA512
f437202723b2817f2fef64b53d4eb67f782bdc61884c0c1890b46deca7ca63313ee2ad093428481f94edfcecd9c77da6e72b604998f7d551af959dbd6915809c

Download Submit
C:\Windows\Installer\MSI91BB.tmp

Filesize
234KB

MD5
8edc1557e9fc7f25f89ad384d01bcec4

SHA1
98e64d7f92b8254fe3f258e3238b9e0f033b5a9c

SHA256
78860e15e474cc2af7ad6e499a8971b6b8197afb8e49a1b9eaaa392e4378f3a5

SHA512
d26c9dce3c3d17583ffb5dbcd3989f93b096a7f64a37a2701a474c1bf4b8c8b1e922c352d33f24e411f1c793e1b4af11a3aec1de489087d481b1b636df2050cd

Download Submit
C:\Windows\Installer\MSI95F2.tmp

Filesize
149KB

MD5
418322f7be2b68e88a93a048ac75a757

SHA1
09739792ff1c30f73dacafbe503630615922b561

SHA256
ea5d4b4c7e7be1ce24a614ae1e31a58bcae6f1694dd8bfb735cf47d35a08d59b

SHA512
253f62f5ce75df3e9ac3c62e2f06f30c7c6de6280fbfc830cdd15bf29cb8ee9ed878212f6df5d0ac6a5c9be0e6259f900eccee472a890f15dd3ff1f84958aeef

Download Submit
C:\Windows\Installer\MSIB680.tmp

Filesize
690KB

MD5
8deb7d2f91c7392925718b3ba0aade22

SHA1
fc8e9b10c83e16eb0af1b6f10128f5c37b389682

SHA256
cb42fac1aebb6e1ac4907a38035b218b5f992d1bcd4dece11b1664a588e876e4

SHA512
37f2c132b632c8e5a336bdc773d953c7f39872b1bae2ba34fbaf7794a477fd0dcb9ff60a3ddb447fe76abd98e557bd5ee544876584adea152b0841b3e313054c

Download Submit