fa3544162eee87b660999bd913f76ccb2e5a706928ef2c2e29811e4ac76fb166

Analysis

max time kernel
38s
max time network
153s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
02/08/2024, 18:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

VirtualBox-7.0.20-163906-Win.exe
Size

105.1MB
MD5

b822835698e76fff193342effc92d286
SHA1

e049adb24caf0153b94e801da9835d485c67e38c
SHA256

fa3544162eee87b660999bd913f76ccb2e5a706928ef2c2e29811e4ac76fb166
SHA512

0381b27478dc25d4b3707fb21a34be66ca42eb18d93ce8ec90be7325015f540a39ebfea58b7992a38cc2c861e6e86d89c67f5b3a84ddb65e339fcca0dc314bed
SSDEEP

3145728:VuwDpzeIGwA7iKVCv8hxxgFYHey3WCfEOiP1e48TetH+H9:VuwDpz9A70Cno1XZBtHC9

Score

8^/10

discovery

Malware Config

Signatures

Drops file in Drivers directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\DRIVERS\SETF190.tmp	MsiExec.exe
File created	C:\Windows\system32\DRIVERS\SETF190.tmp	MsiExec.exe
File opened for modification	C:\Windows\system32\DRIVERS\VBoxSup.sys	MsiExec.exe
File opened for modification	C:\Windows\system32\DRIVERS\SETF5A6.tmp	MsiExec.exe
File created	C:\Windows\system32\DRIVERS\SETF5A6.tmp	MsiExec.exe
File opened for modification	C:\Windows\system32\DRIVERS\VBoxUSBMon.sys	MsiExec.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\U:	VirtualBox-7.0.20-163906-Win.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\X:	VirtualBox-7.0.20-163906-Win.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\V:	VirtualBox-7.0.20-163906-Win.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\I:	VirtualBox-7.0.20-163906-Win.exe
File opened (read-only)	\??\J:	VirtualBox-7.0.20-163906-Win.exe
File opened (read-only)	\??\M:	VirtualBox-7.0.20-163906-Win.exe
File opened (read-only)	\??\N:	VirtualBox-7.0.20-163906-Win.exe
File opened (read-only)	\??\P:	VirtualBox-7.0.20-163906-Win.exe
File opened (read-only)	\??\S:	VirtualBox-7.0.20-163906-Win.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\G:	VirtualBox-7.0.20-163906-Win.exe
File opened (read-only)	\??\L:	VirtualBox-7.0.20-163906-Win.exe
File opened (read-only)	\??\R:	VirtualBox-7.0.20-163906-Win.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\A:	VirtualBox-7.0.20-163906-Win.exe
File opened (read-only)	\??\H:	VirtualBox-7.0.20-163906-Win.exe
File opened (read-only)	\??\O:	VirtualBox-7.0.20-163906-Win.exe
File opened (read-only)	\??\W:	VirtualBox-7.0.20-163906-Win.exe
File opened (read-only)	\??\Y:	VirtualBox-7.0.20-163906-Win.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\B:	VirtualBox-7.0.20-163906-Win.exe
File opened (read-only)	\??\E:	VirtualBox-7.0.20-163906-Win.exe
File opened (read-only)	\??\Q:	VirtualBox-7.0.20-163906-Win.exe
File opened (read-only)	\??\T:	VirtualBox-7.0.20-163906-Win.exe
File opened (read-only)	\??\Z:	VirtualBox-7.0.20-163906-Win.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\K:	VirtualBox-7.0.20-163906-Win.exe
File opened (read-only)	\??\N:	msiexec.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 1 IoCs

Web Service

T1102

flow	ioc
96	discord.com

Drops file in System32 directory 26 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\CatRoot2\dberr.txt	MsiExec.exe
File created	C:\Windows\system32\DRVSTORE\VBoxUSBMon_99945AF90D9C8273571E67CAB5A51A23C46AA482\VBoxUSBMon.sys	MsiExec.exe
File opened for modification	C:\Windows\System32\DriverStore\infpub.dat	DrvInst.exe
File created	C:\Windows\System32\DriverStore\FileRepository\vboxusb.inf_amd64_neutral_a9022bf4ead6c18b\vboxusb.PNF	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{63e841f6-9c6b-66c7-0b43-b71996d4ad71}	DrvInst.exe
File created	C:\Windows\system32\DRVSTORE\VBoxUSBMon_99945AF90D9C8273571E67CAB5A51A23C46AA482\VBoxUSBMon.inf	MsiExec.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{63e841f6-9c6b-66c7-0b43-b71996d4ad71}\VBoxUSB.cat	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{63e841f6-9c6b-66c7-0b43-b71996d4ad71}\SETF77A.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\vboxusb.inf_amd64_neutral_a9022bf4ead6c18b\VBoxUSB.PNF	DrvInst.exe
File created	C:\Windows\system32\DRVSTORE\VBoxSup_D038A2CBD8FB3F43618A40C3B4BE8C01C0CF3B28\VBoxSup.sys	MsiExec.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{63e841f6-9c6b-66c7-0b43-b71996d4ad71}\SETF77B.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{63e841f6-9c6b-66c7-0b43-b71996d4ad71}\SETF77B.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\infstrng.dat	DrvInst.exe
File opened for modification	C:\Windows\system32\DRVSTORE	MsiExec.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{63e841f6-9c6b-66c7-0b43-b71996d4ad71}\VBoxUSB.inf	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{63e841f6-9c6b-66c7-0b43-b71996d4ad71}\SETF77A.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{63e841f6-9c6b-66c7-0b43-b71996d4ad71}\VBoxUSB.sys	DrvInst.exe
File created	C:\Windows\system32\DRVSTORE\VBoxSup_D038A2CBD8FB3F43618A40C3B4BE8C01C0CF3B28\VBoxSup.inf	MsiExec.exe
File created	C:\Windows\system32\DRVSTORE\VBoxUSBMon_99945AF90D9C8273571E67CAB5A51A23C46AA482\VBoxUSBMon.cat	MsiExec.exe
File opened for modification	C:\Windows\System32\DriverStore\infstor.dat	DrvInst.exe
File created	C:\Windows\System32\DriverStore\INFCACHE.0	DrvInst.exe
File created	C:\Windows\system32\DRVSTORE\VBoxSup_D038A2CBD8FB3F43618A40C3B4BE8C01C0CF3B28\VBoxSup.cat	MsiExec.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{63e841f6-9c6b-66c7-0b43-b71996d4ad71}\SETF779.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{63e841f6-9c6b-66c7-0b43-b71996d4ad71}\SETF779.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\vboxusb.inf_amd64_neutral_a9022bf4ead6c18b\vboxusb.PNF	DrvInst.exe
File opened for modification	C:\Windows\system32\DRVSTORE\VBoxSup_D038A2CBD8FB3F43618A40C3B4BE8C01C0CF3B28\VBoxSup.inf	MsiExec.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Oracle\VirtualBox\VBoxDD2.dll	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\VBoxHeadless.dll	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\VBoxManage.exe	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\VBoxSharedFolders.dll	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\UnattendedTemplates\lgw_ks.cfg	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\platforms\qminimal.dll	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\platforms\qoffscreen.dll	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\Qt5HelpVBox.dll	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\nls\VirtualBox_ca.qm	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\nls\VirtualBox_hr_HR.qm	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\UnattendedTemplates\ol8_ks.cfg	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\nls\VirtualBox_zh_CN.qm	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\nls\qt_hr_HR.qm	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\nls\qt_lt.qm	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\Qt5PrintSupportVBox.dll	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\VBoxBugReport.exe	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\VirtualBox.exe	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\nls\VirtualBox_fa.qm	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\nls\VirtualBox_lt.qm	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\drivers\USB\device\VBoxUSB.sys	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\drivers\USB\device\VBoxUSB.cat	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\VBoxWebSrv.exe	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\VBoxRes.dll	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\nls\VirtualBox_hu.qm	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\VBoxAutostartSvc.exe	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\VBoxDragAndDropSvc.dll	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\VBoxGuestAdditions.iso	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\Qt5WidgetsVBox.dll	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\UnattendedTemplates\ol_postinstall.sh	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\UnattendedTemplates\rhel5_ks.cfg	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\VirtualBox_70px.png	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\nls\VirtualBox_it.qm	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\nls\VirtualBox_ka.qm	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\nls\VirtualBox_tr.qm	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\nls\qt_ko.qm	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\x86\VBoxProxyStub-x86.dll	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\sdk\install\vboxapi\VirtualBox_constants.py	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\nls\VirtualBox_pl.qm	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\nls\qt_it.qm	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\sdk\install\vboxapi\__init__.py	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\VBoxDDR0.r0	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\drivers\vboxsup\VBoxSup.sys	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\nls\qt_nl.qm	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\UnattendedTemplates\ol_ks.cfg	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\UnattendedTemplates\rhel4_ks.cfg	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\Qt5OpenGLVBox.dll	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\vbox-img.exe	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\drivers\USB\device\VBoxUSB.inf	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\Qt5CoreVBox.dll	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\nls\qt_de.qm	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\nls\qt_ru.qm	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\VBoxBalloonCtrl.exe	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\nls\qt_sl.qm	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\VBoxC.dll	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\VBoxSupLib.dll	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\VirtualBox_150px.png	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\nls\VirtualBox_el.qm	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\nls\qt_ja.qm	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\VBoxAuth.dll	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\VBoxExtPackHelperApp.exe	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\VBoxSharedClipboard.dll	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\nls\qt_ca.qm	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\x86\VBoxClient-x86.dll	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\UICommon.dll	msiexec.exe

Drops file in Windows directory 27 IoCs

description	ioc	Process
File opened for modification	C:\Windows\INF\setupapi.ev1	DrvInst.exe
File opened for modification	C:\Windows\Installer\MSID7EB.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIDBC7.tmp	msiexec.exe
File created	C:\Windows\INF\oem2.inf	DrvInst.exe
File created	C:\Windows\Installer\f76d346.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSID878.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIDA20.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIE05C.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIF6BD.tmp	msiexec.exe
File created	C:\Windows\Installer\{95DEBF01-7029-4E37-BDB1-94EFEA3B263C}\IconVirtualBox	msiexec.exe
File created	C:\Windows\Installer\f76d347.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIE108.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIF391.tmp	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	MsiExec.exe
File opened for modification	C:\Windows\Installer\f76d346.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIDC35.tmp	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\Installer\{95DEBF01-7029-4E37-BDB1-94EFEA3B263C}\IconVirtualBox	msiexec.exe
File opened for modification	C:\Windows\Installer\MSID78C.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSID8B8.tmp	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.app.log	MsiExec.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\Installer\MSID907.tmp	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.ev3	DrvInst.exe
File opened for modification	C:\Windows\Installer\MSIEC7E.tmp	msiexec.exe
File opened for modification	C:\Windows\INF\oem2.inf	DrvInst.exe

Loads dropped DLL 18 IoCs

pid	Process
1292	MsiExec.exe
1292	MsiExec.exe
1292	MsiExec.exe
1292	MsiExec.exe
1292	MsiExec.exe
1292	MsiExec.exe
1956	MsiExec.exe
1956	MsiExec.exe
1956	MsiExec.exe
1956	MsiExec.exe
2576	MsiExec.exe
1956	MsiExec.exe
1956	MsiExec.exe
2948	MsiExec.exe
2948	MsiExec.exe
2948	MsiExec.exe
2948	MsiExec.exe
2948	MsiExec.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	VirtualBox-7.0.20-163906-Win.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	DrvInst.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	rundll32.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AB5C5600-7E6E-4B06-9197-9ECEF74D31CC} {0C6C4200-C589-11D0-999A-00C04FD655E1} 0xFFFF = 0100000000000000b004c7cf06e5da01	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPublisher\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{08244EE6-92F0-47F2-9FC9-929BAA2E7235} {0C6C4200-C589-11D0-999A-00C04FD655E1} 0xFFFF = 01000000000000007050cacf06e5da01	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPublisher\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	rundll32.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{99FD978C-D287-4F50-827F-B2C658EDA8E7} {0C6C4200-C589-11D0-999A-00C04FD655E1} 0xFFFF = 010000000000000090b6c6cf06e5da01	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	DrvInst.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{00F4A8DC-0002-4B81-0077-1DCB004571BA}\ProxyStubClsid32\ = "{0BB3B78C-1807-4249-5BA5-EA42D66AF0BF}"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{081FC833-C6FA-430E-6020-6A505D086387}\ProxyStubClsid32\ = "{0BB3B78C-1807-4249-5BA5-EA42D66AF0BF}"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\VirtualBox.VirtualBoxClient\CLSID	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3C02F46D-C9D2-4F11-A384-53F0CF917214}\VersionIndependentProgID\ = "VirtualBox.Session"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\VirtualBox.Session\CurVer	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{00391758-00B1-4E9D-0000-11FA00F9D583}\ = "IClipboardFileTransferModeChangedEvent"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{08E25756-08A2-41AF-A05F-D7C661ABAEBE}\NumMethods\ = "30"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DD3FC71D-26C0-4FE1-BF6F-67F633265BBA}	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Wow6432Node\CLSID\{DD3FC71D-26C0-4FE1-BF6F-67F633265BBA}\VersionIndependentProgID	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Wow6432Node\CLSID\{DD3FC71D-26C0-4FE1-BF6F-67F633265BBA}\TypeLib	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Wow6432Node\Interface\{00F4A8DC-0002-4B81-0077-1DCB004571BA}\NumMethods	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{024F00CE-6E0B-492A-A8D0-968472A94DC7}\NumMethods\ = "15"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Wow6432Node\Interface\{08889892-1EC6-4883-801D-77F56CFD0103}\ProxyStubClsid32	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Wow6432Node\Interface\{0CA2ADBA-8F30-401B-A8CD-FE31DBE839C0}\NumMethods	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{0DE887F2-B7DB-4616-AAC6-CFB94D89BA78}\ = "IGuestProcessInputNotifyEvent"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{0F7B8A22-C71F-4A36-8E5F-A77D01D76090}\ = "IGuestMonitorChangedEvent"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{00727A73-000A-4C4A-006D-E7D300351186}\ = "IDnDBase"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{00892186-A4AF-4627-B21F-FC561CE4473C}\ProxyStubClsid32\ = "{0BB3B78C-1807-4249-5BA5-EA42D66AF0BF}"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Wow6432Node\Interface\{024F00CE-6E0B-492A-A8D0-968472A94DC7}\TypeLib	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{081FC833-C6FA-430E-6020-6A505D086387}\ = "IFsObjInfo"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{0CA2ADBA-8F30-401B-A8CD-FE31DBE839C0}\TypeLib\ = "{D7569351-1750-46F0-936E-BD127D5BC264}"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{0CA2ADBA-8F30-401B-A8CD-FE31DBE839C0}\NumMethods\ = "12"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{0DE887F2-B7DB-4616-AAC6-CFB94D89BA78}\ProxyStubClsid32\ = "{0BB3B78C-1807-4249-5BA5-EA42D66AF0BF}"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\VirtualBox.Session.1	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\VirtualBox.VirtualBoxClient\CurVer	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Wow6432Node\CLSID\{3C02F46D-C9D2-4F11-A384-53F0CF917214}\InprocServer32	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{00727A73-000A-4C4A-006D-E7D300351186}\NumMethods\ = "14"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Wow6432Node\Interface\{00F4A8DC-0002-4B81-0077-1DCB004571BA}\ProxyStubClsid32	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Wow6432Node\Interface\{01510F40-C196-4D26-B8DB-4C8C389F1F82}\TypeLib	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{024F00CE-6E0B-492A-A8D0-968472A94DC7}\ProxyStubClsid32\ = "{0BB3B78C-1807-4249-5BA5-EA42D66AF0BF}"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{07541941-8079-447A-A33E-47A69C7980DB}\ProxyStubClsid32\ = "{0BB3B78C-1807-4249-5BA5-EA42D66AF0BF}"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\VirtualBox.VirtualBoxClient\ = "VirtualBoxClient Class"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{0B3CDEB2-808E-11E9-B773-133D9330F849}\TypeLib\ = "{D7569351-1750-46F0-936E-BD127D5BC264}"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{0DE887F2-B7DB-4616-AAC6-CFB94D89BA78}\TypeLib\ = "{D7569351-1750-46F0-936E-BD127D5BC264}"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Wow6432Node\Interface\{081FC833-C6FA-430E-6020-6A505D086387}\ProxyStubClsid32	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Wow6432Node\Interface\{08889892-1EC6-4883-801D-77F56CFD0103}\NumMethods	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{0CA2ADBA-8F30-401B-A8CD-FE31DBE839C0}\ = "IEvent"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{0B3CDEB2-808E-11E9-B773-133D9330F849}\NumMethods\ = "13"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Wow6432Node\Interface\{07541941-8079-447A-A33E-47A69C7980DB}\NumMethods	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3C02F46D-C9D2-4F11-A384-53F0CF917214}\VersionIndependentProgID	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3C02F46D-C9D2-4F11-A384-53F0CF917214}\ProgID\ = "VirtualBox.Session.1"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{819B4D85-9CEE-493C-B6FC-64FFE759B3C9}\ = "VirtualBox Application\n "	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{00727A73-000A-4C4A-006D-E7D300351186}\TypeLib\ = "{D7569351-1750-46F0-936E-BD127D5BC264}"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Wow6432Node\Interface\{00727A73-000A-4C4A-006D-E7D300351186}\NumMethods	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{00892186-A4AF-4627-B21F-FC561CE4473C}\ = "IGuest"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{081FC833-C6FA-430E-6020-6A505D086387}\TypeLib\ = "{D7569351-1750-46F0-936E-BD127D5BC264}"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0BB3B78C-1807-4249-5BA5-EA42D66AF0BF}\InprocServer32\ = "C:\\Program Files\\Oracle\\VirtualBox\\x86\\VBoxProxyStub-x86.dll"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{08E25756-08A2-41AF-A05F-D7C661ABAEBE}\TypeLib\Version = "1.3"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{08889892-1EC6-4883-801D-77F56CFD0103}\NumMethods\ = "13"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Wow6432Node\Interface\{0DE887F2-B7DB-4616-AAC6-CFB94D89BA78}\NumMethods	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\VirtualBox.Session.1\CLSID	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\VirtualBox.Session\CLSID\ = "{3C02F46D-C9D2-4F11-A384-53F0CF917214}"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{00391758-00B1-4E9D-0000-11FA00F9D583}\ProxyStubClsid32\ = "{0BB3B78C-1807-4249-5BA5-EA42D66AF0BF}"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{00727A73-000A-4C4A-006D-E7D300351186}\TypeLib\Version = "1.3"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Wow6432Node\Interface\{024F00CE-6E0B-492A-A8D0-968472A94DC7}\NumMethods	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Wow6432Node\Interface\{08889892-1EC6-4883-801D-77F56CFD0103}\TypeLib	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Wow6432Node\Interface\{0DE887F2-B7DB-4616-AAC6-CFB94D89BA78}\TypeLib	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DD3FC71D-26C0-4FE1-BF6F-67F633265BBA}\ProgID\ = "VirtualBox.VirtualBoxClient.1"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Wow6432Node\Interface\{00391758-00B1-4E9D-0000-11FA00F9D583}\TypeLib	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{01ADB2D6-AEDF-461C-BE2C-99E91BDAD8A1}\TypeLib\ = "{D7569351-1750-46F0-936E-BD127D5BC264}"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Wow6432Node\Interface\{01ADB2D6-AEDF-461C-BE2C-99E91BDAD8A1}\ProxyStubClsid32	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{081FC833-C6FA-430E-6020-6A505D086387}\TypeLib\Version = "1.3"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Wow6432Node\Interface\{08E25756-08A2-41AF-A05F-D7C661ABAEBE}	msiexec.exe

Modifies system certificate store 2 TTPs 9 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\A2F9C670FAF5B654641E0989AD30165D480B0D4F	VirtualBox-7.0.20-163906-Win.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\A2F9C670FAF5B654641E0989AD30165D480B0D4F\Blob = 030000000100000014000000a2f9c670faf5b654641e0989ad30165d480b0d4f2000000001000000430600003082063f30820427a00302010202141834630ee20ad1c97d81495caf0907822bba0071300d06092a864886f70d010105050030819a310b30090603550406130244453110300e06035504080c0742617661726961310f300d06035504070c064d756e69636831293027060355040a0c204f7261636c6520446575747363686c616e6420422e562e202620436f2e204b47313d303b06035504030c345669727475616c426f7820666f72204c65676163792057696e646f7773204f6e6c792054696d657374616d702043412053484131301e170d3130303130313030303030305a170d3337313233313233353935395a30819a310b30090603550406130244453110300e06035504080c0742617661726961310f300d06035504070c064d756e69636831293027060355040a0c204f7261636c6520446575747363686c616e6420422e562e202620436f2e204b47313d303b06035504030c345669727475616c426f7820666f72204c65676163792057696e646f7773204f6e6c792054696d657374616d70204341205348413130820222300d06092a864886f70d01010105000382020f003082020a0282020100eb2b2b32449d3ac8cd6ea98e9c3e43bd55973e96f546bedb5c770345493699ee661b27fab66c57c106d1cdc4676f6e25629cd9bd04226544c306f068e7b23a0c4dffca31a9b61cf104a11cda08648e29369f704ed3289f728b61e06c842e4edac6b798e1ca28647d3967f9dafc847d0f6ef7192c1973ea4b7b98d01bd8a82876d248e35ac69074932df4f8903d0536c3c8792ba3e7b4cfe34a231f8b06cfd78eeda189cadfcf3788198b12cbf61b90b909f86f8d2975be4795d8481356cd68be81b938f3daa6157fd4c56f0af7559e948351f23eb7edd1b21bf6b56d569db644e918b2bb8b1ca827ebaabbf34a9354dd5b844048295b44955112463eb6dee03fb94ce61e86f17056e2553d5ad743fbe20f5271851b4414a774b4234f1f5ed7f3ae7f0b01ee6dfe87a9b28ec96b1373c4c4c3bf401d0d56d60a5702213506703d6cb8a98e989023072b3a7691a3fceabc3cdb9b4edf2cb95859d0b9b6e7b70f14ee6b791b88a7bae8bde38c8dd7e4d08405c2b687984306e1758cdb4e3d7d7aba8866f5d8ccf79bcc96314473e291946ca0a37324d30d5884e5fd51f782e5b455d4d8554ac19b054e96ee2fc5846c866b6ba7fd06388fa3cf58142ec938f8c6d4cf0d375d9851eedd9c26e39f3e318145800d8f61442b6fff479eb1b9d692d82b3fc76c07bc3fdfbabcba9c7c07e419ffa373383d9ade010a96ec8fcb6731f35f0203010001a37b307930130603551d25040c300a06082b06010505070308301d0603551d0e04160414f116993ca2d97cd4756acf02af9febdfe731993e301f0603551d23041830168014f116993ca2d97cd4756acf02af9febdfe731993e30120603551d130101ff040830060101ff020100300e0603551d0f0101ff040403020106300d06092a864886f70d010105050003820201000cb7dbfa07f92940dae81f341ee5c7d5b1a5b49b3399d5f4bc4bea0ee60607eacaf9ae1bf5101b0cbf5262b08b6121fa4f6a8a823291ea8cef7f1767bfe7675d70bc6320e877c04f87021d338210930870e23ceab922b472b1abb66e8878620dfb07d3f496d66da89ac6964ae4d996f477ed586fabb590d2b190871747dcc89a8c337848a554309f363d875a8fe4c37e4a0f86350bc3f47751555af75e83c7310dbb23d17bff06900b405c794042115891400585fb60d0de9939d556f5b1ab7c998f2e79b7749b5f9a21e26c845bb5eacfd15e1238193d94e2707d6cc0e12cfc607efe4f668cd4089fdb59365961cf982479b71ff59e84e98e46b368b85d9fbf42ef151e37da25fbcfc7f187531e25499d9025c9dbca99818019af64eafbfd6990ba62c700e2119db6507fa482d3799843f971c13db473752a4647959fad6936e63386a261704137b120578384ce52f068ff00f4c2e91f395cda4fd95ae527fe01a95325b78923e18b5245e070a0c1991f010a54c7c6dbcf0b5ea2502260d1648a3aa75bfed9110011c6edf049994ba6c63525a09d2a16bed8ff04d08e196f257c7dc4ae85542299db8f238c76d6aa16a7d3e9a788bac56ec7146fb8fd443810e59a96b77f3f9eedf4e8c2187c94171eeb708c28b1565049a8509a87401f392adeabf11b148584fe35ecaff93cdbcfc9a4047c7188abf7b78b76fbefeed4c7b3	VirtualBox-7.0.20-163906-Win.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa62000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	VirtualBox-7.0.20-163906-Win.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\A2F9C670FAF5B654641E0989AD30165D480B0D4F\Blob = 0f00000001000000140000006135597bf3e5090eda793e29a604b1e4995f132d030000000100000014000000a2f9c670faf5b654641e0989ad30165d480b0d4f2000000001000000430600003082063f30820427a00302010202141834630ee20ad1c97d81495caf0907822bba0071300d06092a864886f70d010105050030819a310b30090603550406130244453110300e06035504080c0742617661726961310f300d06035504070c064d756e69636831293027060355040a0c204f7261636c6520446575747363686c616e6420422e562e202620436f2e204b47313d303b06035504030c345669727475616c426f7820666f72204c65676163792057696e646f7773204f6e6c792054696d657374616d702043412053484131301e170d3130303130313030303030305a170d3337313233313233353935395a30819a310b30090603550406130244453110300e06035504080c0742617661726961310f300d06035504070c064d756e69636831293027060355040a0c204f7261636c6520446575747363686c616e6420422e562e202620436f2e204b47313d303b06035504030c345669727475616c426f7820666f72204c65676163792057696e646f7773204f6e6c792054696d657374616d70204341205348413130820222300d06092a864886f70d01010105000382020f003082020a0282020100eb2b2b32449d3ac8cd6ea98e9c3e43bd55973e96f546bedb5c770345493699ee661b27fab66c57c106d1cdc4676f6e25629cd9bd04226544c306f068e7b23a0c4dffca31a9b61cf104a11cda08648e29369f704ed3289f728b61e06c842e4edac6b798e1ca28647d3967f9dafc847d0f6ef7192c1973ea4b7b98d01bd8a82876d248e35ac69074932df4f8903d0536c3c8792ba3e7b4cfe34a231f8b06cfd78eeda189cadfcf3788198b12cbf61b90b909f86f8d2975be4795d8481356cd68be81b938f3daa6157fd4c56f0af7559e948351f23eb7edd1b21bf6b56d569db644e918b2bb8b1ca827ebaabbf34a9354dd5b844048295b44955112463eb6dee03fb94ce61e86f17056e2553d5ad743fbe20f5271851b4414a774b4234f1f5ed7f3ae7f0b01ee6dfe87a9b28ec96b1373c4c4c3bf401d0d56d60a5702213506703d6cb8a98e989023072b3a7691a3fceabc3cdb9b4edf2cb95859d0b9b6e7b70f14ee6b791b88a7bae8bde38c8dd7e4d08405c2b687984306e1758cdb4e3d7d7aba8866f5d8ccf79bcc96314473e291946ca0a37324d30d5884e5fd51f782e5b455d4d8554ac19b054e96ee2fc5846c866b6ba7fd06388fa3cf58142ec938f8c6d4cf0d375d9851eedd9c26e39f3e318145800d8f61442b6fff479eb1b9d692d82b3fc76c07bc3fdfbabcba9c7c07e419ffa373383d9ade010a96ec8fcb6731f35f0203010001a37b307930130603551d25040c300a06082b06010505070308301d0603551d0e04160414f116993ca2d97cd4756acf02af9febdfe731993e301f0603551d23041830168014f116993ca2d97cd4756acf02af9febdfe731993e30120603551d130101ff040830060101ff020100300e0603551d0f0101ff040403020106300d06092a864886f70d010105050003820201000cb7dbfa07f92940dae81f341ee5c7d5b1a5b49b3399d5f4bc4bea0ee60607eacaf9ae1bf5101b0cbf5262b08b6121fa4f6a8a823291ea8cef7f1767bfe7675d70bc6320e877c04f87021d338210930870e23ceab922b472b1abb66e8878620dfb07d3f496d66da89ac6964ae4d996f477ed586fabb590d2b190871747dcc89a8c337848a554309f363d875a8fe4c37e4a0f86350bc3f47751555af75e83c7310dbb23d17bff06900b405c794042115891400585fb60d0de9939d556f5b1ab7c998f2e79b7749b5f9a21e26c845bb5eacfd15e1238193d94e2707d6cc0e12cfc607efe4f668cd4089fdb59365961cf982479b71ff59e84e98e46b368b85d9fbf42ef151e37da25fbcfc7f187531e25499d9025c9dbca99818019af64eafbfd6990ba62c700e2119db6507fa482d3799843f971c13db473752a4647959fad6936e63386a261704137b120578384ce52f068ff00f4c2e91f395cda4fd95ae527fe01a95325b78923e18b5245e070a0c1991f010a54c7c6dbcf0b5ea2502260d1648a3aa75bfed9110011c6edf049994ba6c63525a09d2a16bed8ff04d08e196f257c7dc4ae85542299db8f238c76d6aa16a7d3e9a788bac56ec7146fb8fd443810e59a96b77f3f9eedf4e8c2187c94171eeb708c28b1565049a8509a87401f392adeabf11b148584fe35ecaff93cdbcfc9a4047c7188abf7b78b76fbefeed4c7b3	VirtualBox-7.0.20-163906-Win.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\A2F9C670FAF5B654641E0989AD30165D480B0D4F\Blob = 140000000100000014000000f116993ca2d97cd4756acf02af9febdfe731993e030000000100000014000000a2f9c670faf5b654641e0989ad30165d480b0d4f0f00000001000000140000006135597bf3e5090eda793e29a604b1e4995f132d2000000001000000430600003082063f30820427a00302010202141834630ee20ad1c97d81495caf0907822bba0071300d06092a864886f70d010105050030819a310b30090603550406130244453110300e06035504080c0742617661726961310f300d06035504070c064d756e69636831293027060355040a0c204f7261636c6520446575747363686c616e6420422e562e202620436f2e204b47313d303b06035504030c345669727475616c426f7820666f72204c65676163792057696e646f7773204f6e6c792054696d657374616d702043412053484131301e170d3130303130313030303030305a170d3337313233313233353935395a30819a310b30090603550406130244453110300e06035504080c0742617661726961310f300d06035504070c064d756e69636831293027060355040a0c204f7261636c6520446575747363686c616e6420422e562e202620436f2e204b47313d303b06035504030c345669727475616c426f7820666f72204c65676163792057696e646f7773204f6e6c792054696d657374616d70204341205348413130820222300d06092a864886f70d01010105000382020f003082020a0282020100eb2b2b32449d3ac8cd6ea98e9c3e43bd55973e96f546bedb5c770345493699ee661b27fab66c57c106d1cdc4676f6e25629cd9bd04226544c306f068e7b23a0c4dffca31a9b61cf104a11cda08648e29369f704ed3289f728b61e06c842e4edac6b798e1ca28647d3967f9dafc847d0f6ef7192c1973ea4b7b98d01bd8a82876d248e35ac69074932df4f8903d0536c3c8792ba3e7b4cfe34a231f8b06cfd78eeda189cadfcf3788198b12cbf61b90b909f86f8d2975be4795d8481356cd68be81b938f3daa6157fd4c56f0af7559e948351f23eb7edd1b21bf6b56d569db644e918b2bb8b1ca827ebaabbf34a9354dd5b844048295b44955112463eb6dee03fb94ce61e86f17056e2553d5ad743fbe20f5271851b4414a774b4234f1f5ed7f3ae7f0b01ee6dfe87a9b28ec96b1373c4c4c3bf401d0d56d60a5702213506703d6cb8a98e989023072b3a7691a3fceabc3cdb9b4edf2cb95859d0b9b6e7b70f14ee6b791b88a7bae8bde38c8dd7e4d08405c2b687984306e1758cdb4e3d7d7aba8866f5d8ccf79bcc96314473e291946ca0a37324d30d5884e5fd51f782e5b455d4d8554ac19b054e96ee2fc5846c866b6ba7fd06388fa3cf58142ec938f8c6d4cf0d375d9851eedd9c26e39f3e318145800d8f61442b6fff479eb1b9d692d82b3fc76c07bc3fdfbabcba9c7c07e419ffa373383d9ade010a96ec8fcb6731f35f0203010001a37b307930130603551d25040c300a06082b06010505070308301d0603551d0e04160414f116993ca2d97cd4756acf02af9febdfe731993e301f0603551d23041830168014f116993ca2d97cd4756acf02af9febdfe731993e30120603551d130101ff040830060101ff020100300e0603551d0f0101ff040403020106300d06092a864886f70d010105050003820201000cb7dbfa07f92940dae81f341ee5c7d5b1a5b49b3399d5f4bc4bea0ee60607eacaf9ae1bf5101b0cbf5262b08b6121fa4f6a8a823291ea8cef7f1767bfe7675d70bc6320e877c04f87021d338210930870e23ceab922b472b1abb66e8878620dfb07d3f496d66da89ac6964ae4d996f477ed586fabb590d2b190871747dcc89a8c337848a554309f363d875a8fe4c37e4a0f86350bc3f47751555af75e83c7310dbb23d17bff06900b405c794042115891400585fb60d0de9939d556f5b1ab7c998f2e79b7749b5f9a21e26c845bb5eacfd15e1238193d94e2707d6cc0e12cfc607efe4f668cd4089fdb59365961cf982479b71ff59e84e98e46b368b85d9fbf42ef151e37da25fbcfc7f187531e25499d9025c9dbca99818019af64eafbfd6990ba62c700e2119db6507fa482d3799843f971c13db473752a4647959fad6936e63386a261704137b120578384ce52f068ff00f4c2e91f395cda4fd95ae527fe01a95325b78923e18b5245e070a0c1991f010a54c7c6dbcf0b5ea2502260d1648a3aa75bfed9110011c6edf049994ba6c63525a09d2a16bed8ff04d08e196f257c7dc4ae85542299db8f238c76d6aa16a7d3e9a788bac56ec7146fb8fd443810e59a96b77f3f9eedf4e8c2187c94171eeb708c28b1565049a8509a87401f392adeabf11b148584fe35ecaff93cdbcfc9a4047c7188abf7b78b76fbefeed4c7b3	VirtualBox-7.0.20-163906-Win.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\A2F9C670FAF5B654641E0989AD30165D480B0D4F\Blob = 19000000010000001000000015a6a7f09e2304a29823e91ef5af979d0f00000001000000140000006135597bf3e5090eda793e29a604b1e4995f132d030000000100000014000000a2f9c670faf5b654641e0989ad30165d480b0d4f140000000100000014000000f116993ca2d97cd4756acf02af9febdfe731993e2000000001000000430600003082063f30820427a00302010202141834630ee20ad1c97d81495caf0907822bba0071300d06092a864886f70d010105050030819a310b30090603550406130244453110300e06035504080c0742617661726961310f300d06035504070c064d756e69636831293027060355040a0c204f7261636c6520446575747363686c616e6420422e562e202620436f2e204b47313d303b06035504030c345669727475616c426f7820666f72204c65676163792057696e646f7773204f6e6c792054696d657374616d702043412053484131301e170d3130303130313030303030305a170d3337313233313233353935395a30819a310b30090603550406130244453110300e06035504080c0742617661726961310f300d06035504070c064d756e69636831293027060355040a0c204f7261636c6520446575747363686c616e6420422e562e202620436f2e204b47313d303b06035504030c345669727475616c426f7820666f72204c65676163792057696e646f7773204f6e6c792054696d657374616d70204341205348413130820222300d06092a864886f70d01010105000382020f003082020a0282020100eb2b2b32449d3ac8cd6ea98e9c3e43bd55973e96f546bedb5c770345493699ee661b27fab66c57c106d1cdc4676f6e25629cd9bd04226544c306f068e7b23a0c4dffca31a9b61cf104a11cda08648e29369f704ed3289f728b61e06c842e4edac6b798e1ca28647d3967f9dafc847d0f6ef7192c1973ea4b7b98d01bd8a82876d248e35ac69074932df4f8903d0536c3c8792ba3e7b4cfe34a231f8b06cfd78eeda189cadfcf3788198b12cbf61b90b909f86f8d2975be4795d8481356cd68be81b938f3daa6157fd4c56f0af7559e948351f23eb7edd1b21bf6b56d569db644e918b2bb8b1ca827ebaabbf34a9354dd5b844048295b44955112463eb6dee03fb94ce61e86f17056e2553d5ad743fbe20f5271851b4414a774b4234f1f5ed7f3ae7f0b01ee6dfe87a9b28ec96b1373c4c4c3bf401d0d56d60a5702213506703d6cb8a98e989023072b3a7691a3fceabc3cdb9b4edf2cb95859d0b9b6e7b70f14ee6b791b88a7bae8bde38c8dd7e4d08405c2b687984306e1758cdb4e3d7d7aba8866f5d8ccf79bcc96314473e291946ca0a37324d30d5884e5fd51f782e5b455d4d8554ac19b054e96ee2fc5846c866b6ba7fd06388fa3cf58142ec938f8c6d4cf0d375d9851eedd9c26e39f3e318145800d8f61442b6fff479eb1b9d692d82b3fc76c07bc3fdfbabcba9c7c07e419ffa373383d9ade010a96ec8fcb6731f35f0203010001a37b307930130603551d25040c300a06082b06010505070308301d0603551d0e04160414f116993ca2d97cd4756acf02af9febdfe731993e301f0603551d23041830168014f116993ca2d97cd4756acf02af9febdfe731993e30120603551d130101ff040830060101ff020100300e0603551d0f0101ff040403020106300d06092a864886f70d010105050003820201000cb7dbfa07f92940dae81f341ee5c7d5b1a5b49b3399d5f4bc4bea0ee60607eacaf9ae1bf5101b0cbf5262b08b6121fa4f6a8a823291ea8cef7f1767bfe7675d70bc6320e877c04f87021d338210930870e23ceab922b472b1abb66e8878620dfb07d3f496d66da89ac6964ae4d996f477ed586fabb590d2b190871747dcc89a8c337848a554309f363d875a8fe4c37e4a0f86350bc3f47751555af75e83c7310dbb23d17bff06900b405c794042115891400585fb60d0de9939d556f5b1ab7c998f2e79b7749b5f9a21e26c845bb5eacfd15e1238193d94e2707d6cc0e12cfc607efe4f668cd4089fdb59365961cf982479b71ff59e84e98e46b368b85d9fbf42ef151e37da25fbcfc7f187531e25499d9025c9dbca99818019af64eafbfd6990ba62c700e2119db6507fa482d3799843f971c13db473752a4647959fad6936e63386a261704137b120578384ce52f068ff00f4c2e91f395cda4fd95ae527fe01a95325b78923e18b5245e070a0c1991f010a54c7c6dbcf0b5ea2502260d1648a3aa75bfed9110011c6edf049994ba6c63525a09d2a16bed8ff04d08e196f257c7dc4ae85542299db8f238c76d6aa16a7d3e9a788bac56ec7146fb8fd443810e59a96b77f3f9eedf4e8c2187c94171eeb708c28b1565049a8509a87401f392adeabf11b148584fe35ecaff93cdbcfc9a4047c7188abf7b78b76fbefeed4c7b3	VirtualBox-7.0.20-163906-Win.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43	VirtualBox-7.0.20-163906-Win.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 0f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d432000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	VirtualBox-7.0.20-163906-Win.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d43190000000100000010000000749966cecc95c1874194ca7203f9b6202000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	VirtualBox-7.0.20-163906-Win.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1816	chrome.exe
1816	chrome.exe
2892	msiexec.exe
2892	msiexec.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
472	Process not Found
472	Process not Found

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2564	VirtualBox-7.0.20-163906-Win.exe
Token: SeIncreaseQuotaPrivilege	2564	VirtualBox-7.0.20-163906-Win.exe
Token: SeRestorePrivilege	2892	msiexec.exe
Token: SeTakeOwnershipPrivilege	2892	msiexec.exe
Token: SeSecurityPrivilege	2892	msiexec.exe
Token: SeCreateTokenPrivilege	2564	VirtualBox-7.0.20-163906-Win.exe
Token: SeAssignPrimaryTokenPrivilege	2564	VirtualBox-7.0.20-163906-Win.exe
Token: SeLockMemoryPrivilege	2564	VirtualBox-7.0.20-163906-Win.exe
Token: SeIncreaseQuotaPrivilege	2564	VirtualBox-7.0.20-163906-Win.exe
Token: SeMachineAccountPrivilege	2564	VirtualBox-7.0.20-163906-Win.exe
Token: SeTcbPrivilege	2564	VirtualBox-7.0.20-163906-Win.exe
Token: SeSecurityPrivilege	2564	VirtualBox-7.0.20-163906-Win.exe
Token: SeTakeOwnershipPrivilege	2564	VirtualBox-7.0.20-163906-Win.exe
Token: SeLoadDriverPrivilege	2564	VirtualBox-7.0.20-163906-Win.exe
Token: SeSystemProfilePrivilege	2564	VirtualBox-7.0.20-163906-Win.exe
Token: SeSystemtimePrivilege	2564	VirtualBox-7.0.20-163906-Win.exe
Token: SeProfSingleProcessPrivilege	2564	VirtualBox-7.0.20-163906-Win.exe
Token: SeIncBasePriorityPrivilege	2564	VirtualBox-7.0.20-163906-Win.exe
Token: SeCreatePagefilePrivilege	2564	VirtualBox-7.0.20-163906-Win.exe
Token: SeCreatePermanentPrivilege	2564	VirtualBox-7.0.20-163906-Win.exe
Token: SeBackupPrivilege	2564	VirtualBox-7.0.20-163906-Win.exe
Token: SeRestorePrivilege	2564	VirtualBox-7.0.20-163906-Win.exe
Token: SeShutdownPrivilege	2564	VirtualBox-7.0.20-163906-Win.exe
Token: SeDebugPrivilege	2564	VirtualBox-7.0.20-163906-Win.exe
Token: SeAuditPrivilege	2564	VirtualBox-7.0.20-163906-Win.exe
Token: SeSystemEnvironmentPrivilege	2564	VirtualBox-7.0.20-163906-Win.exe
Token: SeChangeNotifyPrivilege	2564	VirtualBox-7.0.20-163906-Win.exe
Token: SeRemoteShutdownPrivilege	2564	VirtualBox-7.0.20-163906-Win.exe
Token: SeUndockPrivilege	2564	VirtualBox-7.0.20-163906-Win.exe
Token: SeSyncAgentPrivilege	2564	VirtualBox-7.0.20-163906-Win.exe
Token: SeEnableDelegationPrivilege	2564	VirtualBox-7.0.20-163906-Win.exe
Token: SeManageVolumePrivilege	2564	VirtualBox-7.0.20-163906-Win.exe
Token: SeImpersonatePrivilege	2564	VirtualBox-7.0.20-163906-Win.exe
Token: SeCreateGlobalPrivilege	2564	VirtualBox-7.0.20-163906-Win.exe
Token: SeCreateTokenPrivilege	2564	VirtualBox-7.0.20-163906-Win.exe
Token: SeAssignPrimaryTokenPrivilege	2564	VirtualBox-7.0.20-163906-Win.exe
Token: SeLockMemoryPrivilege	2564	VirtualBox-7.0.20-163906-Win.exe
Token: SeIncreaseQuotaPrivilege	2564	VirtualBox-7.0.20-163906-Win.exe
Token: SeMachineAccountPrivilege	2564	VirtualBox-7.0.20-163906-Win.exe
Token: SeTcbPrivilege	2564	VirtualBox-7.0.20-163906-Win.exe
Token: SeSecurityPrivilege	2564	VirtualBox-7.0.20-163906-Win.exe
Token: SeTakeOwnershipPrivilege	2564	VirtualBox-7.0.20-163906-Win.exe
Token: SeLoadDriverPrivilege	2564	VirtualBox-7.0.20-163906-Win.exe
Token: SeSystemProfilePrivilege	2564	VirtualBox-7.0.20-163906-Win.exe
Token: SeSystemtimePrivilege	2564	VirtualBox-7.0.20-163906-Win.exe
Token: SeProfSingleProcessPrivilege	2564	VirtualBox-7.0.20-163906-Win.exe
Token: SeIncBasePriorityPrivilege	2564	VirtualBox-7.0.20-163906-Win.exe
Token: SeCreatePagefilePrivilege	2564	VirtualBox-7.0.20-163906-Win.exe
Token: SeCreatePermanentPrivilege	2564	VirtualBox-7.0.20-163906-Win.exe
Token: SeBackupPrivilege	2564	VirtualBox-7.0.20-163906-Win.exe
Token: SeRestorePrivilege	2564	VirtualBox-7.0.20-163906-Win.exe
Token: SeShutdownPrivilege	2564	VirtualBox-7.0.20-163906-Win.exe
Token: SeDebugPrivilege	2564	VirtualBox-7.0.20-163906-Win.exe
Token: SeAuditPrivilege	2564	VirtualBox-7.0.20-163906-Win.exe
Token: SeSystemEnvironmentPrivilege	2564	VirtualBox-7.0.20-163906-Win.exe
Token: SeChangeNotifyPrivilege	2564	VirtualBox-7.0.20-163906-Win.exe
Token: SeRemoteShutdownPrivilege	2564	VirtualBox-7.0.20-163906-Win.exe
Token: SeUndockPrivilege	2564	VirtualBox-7.0.20-163906-Win.exe
Token: SeSyncAgentPrivilege	2564	VirtualBox-7.0.20-163906-Win.exe
Token: SeEnableDelegationPrivilege	2564	VirtualBox-7.0.20-163906-Win.exe
Token: SeManageVolumePrivilege	2564	VirtualBox-7.0.20-163906-Win.exe
Token: SeImpersonatePrivilege	2564	VirtualBox-7.0.20-163906-Win.exe
Token: SeCreateGlobalPrivilege	2564	VirtualBox-7.0.20-163906-Win.exe
Token: SeCreateTokenPrivilege	2564	VirtualBox-7.0.20-163906-Win.exe

Suspicious use of FindShellTrayWindow 36 IoCs

pid	Process
2564	VirtualBox-7.0.20-163906-Win.exe
2564	VirtualBox-7.0.20-163906-Win.exe
1816	chrome.exe
1816	chrome.exe
1816	chrome.exe
1816	chrome.exe
1816	chrome.exe
1816	chrome.exe
1816	chrome.exe
1816	chrome.exe
1816	chrome.exe
1816	chrome.exe
1816	chrome.exe
1816	chrome.exe
1816	chrome.exe
1816	chrome.exe
1816	chrome.exe
1816	chrome.exe
1816	chrome.exe
1816	chrome.exe
1816	chrome.exe
1816	chrome.exe
1816	chrome.exe
1816	chrome.exe
1816	chrome.exe
1816	chrome.exe
1816	chrome.exe
1816	chrome.exe
1816	chrome.exe
1816	chrome.exe
1816	chrome.exe
1816	chrome.exe
1816	chrome.exe
1816	chrome.exe
1816	chrome.exe
1816	chrome.exe

Suspicious use of SendNotifyMessage 32 IoCs

pid	Process
1816	chrome.exe
1816	chrome.exe
1816	chrome.exe
1816	chrome.exe
1816	chrome.exe
1816	chrome.exe
1816	chrome.exe
1816	chrome.exe
1816	chrome.exe
1816	chrome.exe
1816	chrome.exe
1816	chrome.exe
1816	chrome.exe
1816	chrome.exe
1816	chrome.exe
1816	chrome.exe
1816	chrome.exe
1816	chrome.exe
1816	chrome.exe
1816	chrome.exe
1816	chrome.exe
1816	chrome.exe
1816	chrome.exe
1816	chrome.exe
1816	chrome.exe
1816	chrome.exe
1816	chrome.exe
1816	chrome.exe
1816	chrome.exe
1816	chrome.exe
1816	chrome.exe
1816	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2892 wrote to memory of 1292	2892	msiexec.exe	31
PID 2892 wrote to memory of 1292	2892	msiexec.exe	31
PID 2892 wrote to memory of 1292	2892	msiexec.exe	31
PID 2892 wrote to memory of 1292	2892	msiexec.exe	31
PID 2892 wrote to memory of 1292	2892	msiexec.exe	31
PID 1816 wrote to memory of 1928	1816	chrome.exe	35
PID 1816 wrote to memory of 1928	1816	chrome.exe	35
PID 1816 wrote to memory of 1928	1816	chrome.exe	35
PID 1816 wrote to memory of 2184	1816	chrome.exe	37
PID 1816 wrote to memory of 2184	1816	chrome.exe	37
PID 1816 wrote to memory of 2184	1816	chrome.exe	37
PID 1816 wrote to memory of 2184	1816	chrome.exe	37
PID 1816 wrote to memory of 2184	1816	chrome.exe	37
PID 1816 wrote to memory of 2184	1816	chrome.exe	37
PID 1816 wrote to memory of 2184	1816	chrome.exe	37
PID 1816 wrote to memory of 2184	1816	chrome.exe	37
PID 1816 wrote to memory of 2184	1816	chrome.exe	37
PID 1816 wrote to memory of 2184	1816	chrome.exe	37
PID 1816 wrote to memory of 2184	1816	chrome.exe	37
PID 1816 wrote to memory of 2184	1816	chrome.exe	37
PID 1816 wrote to memory of 2184	1816	chrome.exe	37
PID 1816 wrote to memory of 2184	1816	chrome.exe	37
PID 1816 wrote to memory of 2184	1816	chrome.exe	37
PID 1816 wrote to memory of 2184	1816	chrome.exe	37
PID 1816 wrote to memory of 2184	1816	chrome.exe	37
PID 1816 wrote to memory of 2184	1816	chrome.exe	37
PID 1816 wrote to memory of 2184	1816	chrome.exe	37
PID 1816 wrote to memory of 2184	1816	chrome.exe	37
PID 1816 wrote to memory of 2184	1816	chrome.exe	37
PID 1816 wrote to memory of 2184	1816	chrome.exe	37
PID 1816 wrote to memory of 2184	1816	chrome.exe	37
PID 1816 wrote to memory of 2184	1816	chrome.exe	37
PID 1816 wrote to memory of 2184	1816	chrome.exe	37
PID 1816 wrote to memory of 2184	1816	chrome.exe	37
PID 1816 wrote to memory of 2184	1816	chrome.exe	37
PID 1816 wrote to memory of 2184	1816	chrome.exe	37
PID 1816 wrote to memory of 2184	1816	chrome.exe	37
PID 1816 wrote to memory of 2184	1816	chrome.exe	37
PID 1816 wrote to memory of 2184	1816	chrome.exe	37
PID 1816 wrote to memory of 2184	1816	chrome.exe	37
PID 1816 wrote to memory of 2184	1816	chrome.exe	37
PID 1816 wrote to memory of 2184	1816	chrome.exe	37
PID 1816 wrote to memory of 2184	1816	chrome.exe	37
PID 1816 wrote to memory of 2184	1816	chrome.exe	37
PID 1816 wrote to memory of 2184	1816	chrome.exe	37
PID 1816 wrote to memory of 2184	1816	chrome.exe	37
PID 1816 wrote to memory of 2184	1816	chrome.exe	37
PID 1816 wrote to memory of 2444	1816	chrome.exe	38
PID 1816 wrote to memory of 2444	1816	chrome.exe	38
PID 1816 wrote to memory of 2444	1816	chrome.exe	38
PID 1816 wrote to memory of 2344	1816	chrome.exe	39
PID 1816 wrote to memory of 2344	1816	chrome.exe	39
PID 1816 wrote to memory of 2344	1816	chrome.exe	39
PID 1816 wrote to memory of 2344	1816	chrome.exe	39
PID 1816 wrote to memory of 2344	1816	chrome.exe	39
PID 1816 wrote to memory of 2344	1816	chrome.exe	39
PID 1816 wrote to memory of 2344	1816	chrome.exe	39
PID 1816 wrote to memory of 2344	1816	chrome.exe	39
PID 1816 wrote to memory of 2344	1816	chrome.exe	39
PID 1816 wrote to memory of 2344	1816	chrome.exe	39
PID 1816 wrote to memory of 2344	1816	chrome.exe	39
PID 1816 wrote to memory of 2344	1816	chrome.exe	39
PID 1816 wrote to memory of 2344	1816	chrome.exe	39
PID 1816 wrote to memory of 2344	1816	chrome.exe	39

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\VirtualBox-7.0.20-163906-Win.exe
"C:\Users\Admin\AppData\Local\Temp\VirtualBox-7.0.20-163906-Win.exe"
1⤵
- Enumerates connected drives
- System Location Discovery: System Language Discovery
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2564

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2892
- C:\Windows\system32\MsiExec.exe
  C:\Windows\system32\MsiExec.exe -Embedding A31BBB34A8C2818CD0057D101703DBC4 C
  2⤵
  - Loads dropped DLL
  PID:1292
- C:\Windows\system32\MsiExec.exe
  C:\Windows\system32\MsiExec.exe -Embedding 85C0DF9EAD02473C0EC9C729C13273C3
  2⤵
  - Loads dropped DLL
  PID:1956
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 15D7A7E9125E49FBAA7433E917D0D9DC
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:2576
- C:\Windows\system32\MsiExec.exe
  C:\Windows\system32\MsiExec.exe -Embedding 83C9C26CA5712857513D1C5163DD81B7 M Global\MSI0000
  2⤵
  - Drops file in Drivers directory
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Loads dropped DLL
  - Modifies data under HKEY_USERS
  PID:2948
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 1C679896F4465274A4F16B86D3CE0042 M Global\MSI0000
  2⤵
  PID:2684

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:1980

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1816
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef57f9758,0x7fef57f9768,0x7fef57f9778
  2⤵
  PID:1928
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1064 --field-trial-handle=1360,i,11883655872957283376,12533653286969479429,131072 /prefetch:2
  2⤵
  PID:2184
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1496 --field-trial-handle=1360,i,11883655872957283376,12533653286969479429,131072 /prefetch:8
  2⤵
  PID:2444
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1604 --field-trial-handle=1360,i,11883655872957283376,12533653286969479429,131072 /prefetch:8
  2⤵
  PID:2344
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2188 --field-trial-handle=1360,i,11883655872957283376,12533653286969479429,131072 /prefetch:1
  2⤵
  PID:1388
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2196 --field-trial-handle=1360,i,11883655872957283376,12533653286969479429,131072 /prefetch:1
  2⤵
  PID:336
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1372 --field-trial-handle=1360,i,11883655872957283376,12533653286969479429,131072 /prefetch:2
  2⤵
  PID:2724
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=1252 --field-trial-handle=1360,i,11883655872957283376,12533653286969479429,131072 /prefetch:1
  2⤵
  PID:2396
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4048 --field-trial-handle=1360,i,11883655872957283376,12533653286969479429,131072 /prefetch:8
  2⤵
  PID:1996
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=4000 --field-trial-handle=1360,i,11883655872957283376,12533653286969479429,131072 /prefetch:1
  2⤵
  PID:1356
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=2196 --field-trial-handle=1360,i,11883655872957283376,12533653286969479429,131072 /prefetch:1
  2⤵
  PID:1620
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=1924 --field-trial-handle=1360,i,11883655872957283376,12533653286969479429,131072 /prefetch:1
  2⤵
  PID:772
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=4084 --field-trial-handle=1360,i,11883655872957283376,12533653286969479429,131072 /prefetch:1
  2⤵
  PID:792
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=4056 --field-trial-handle=1360,i,11883655872957283376,12533653286969479429,131072 /prefetch:1
  2⤵
  PID:2820
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=1900 --field-trial-handle=1360,i,11883655872957283376,12533653286969479429,131072 /prefetch:1
  2⤵
  PID:3028
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --mojo-platform-channel-handle=2804 --field-trial-handle=1360,i,11883655872957283376,12533653286969479429,131072 /prefetch:1
  2⤵
  PID:1164
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3700 --field-trial-handle=1360,i,11883655872957283376,12533653286969479429,131072 /prefetch:8
  2⤵
  PID:2508
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=3704 --field-trial-handle=1360,i,11883655872957283376,12533653286969479429,131072 /prefetch:8
  2⤵
  PID:2416

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:2568

C:\Windows\system32\DrvInst.exe
DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000005A4" "00000000000005E4"
1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:2652

C:\Windows\system32\DrvInst.exe
DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{1baa7dba-b516-054f-b63b-854b361d4e6c}\VBoxUSB.inf" "9" "66237d90b" "00000000000005B0" "WinSta0\Default" "00000000000005E0" "208" "C:\Program Files\Oracle\VirtualBox\drivers\USB\device"
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:1664
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Windows\system32\pnpui.dll,InstallSecurityPromptRunDllW 20 Global\{71f38050-284e-3718-6967-9e22f9733c39} Global\{69a292b5-4a94-0b90-28af-d877b6c51408} C:\Windows\System32\DriverStore\Temp\{63e841f6-9c6b-66c7-0b43-b71996d4ad71}\VBoxUSB.inf C:\Windows\System32\DriverStore\Temp\{63e841f6-9c6b-66c7-0b43-b71996d4ad71}\VBoxUSB.cat
  2⤵
  - Modifies data under HKEY_USERS
  PID:1840

C:\Windows\system32\DrvInst.exe
DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{387a7675-52f7-3299-24d0-993512fedd75}\VBoxNetAdp6.inf" "9" "673b17b7b" "00000000000005A4" "WinSta0\Default" "00000000000003C8" "208" "C:\Program Files\Oracle\VirtualBox\drivers\network\netadp6"
1⤵
PID:2128
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Windows\system32\pnpui.dll,InstallSecurityPromptRunDllW 20 Global\{2ec5f7cb-5ddd-2fe2-15a3-d47a8c07dc57} Global\{2ff3443a-a720-720a-d398-5407df778752} C:\Windows\System32\DriverStore\Temp\{10cd0149-4c1d-2b54-4e43-e46030d91668}\VBoxNetAdp6.inf C:\Windows\System32\DriverStore\Temp\{10cd0149-4c1d-2b54-4e43-e46030d91668}\VBoxNetAdp6.cat
  2⤵
  PID:2376

C:\Windows\system32\DrvInst.exe
DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{7f044836-99a6-2b95-fb47-c35821edbc63}\VBoxNetLwf.inf" "9" "631e52bcb" "00000000000003C8" "WinSta0\Default" "0000000000000608" "208" "C:\Program Files\Oracle\VirtualBox\drivers\network\netlwf"
1⤵
PID:2832
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Windows\system32\pnpui.dll,InstallSecurityPromptRunDllW 20 Global\{7a7a5698-4cef-75cd-7923-de2c01d29b69} Global\{6365e902-eb7f-4cfa-929d-d502584c5051} C:\Windows\System32\DriverStore\Temp\{61adff82-657b-2037-8ddb-81723c469f3a}\VBoxNetLwf.inf C:\Windows\System32\DriverStore\Temp\{61adff82-657b-2037-8ddb-81723c469f3a}\VBoxNetLwf.cat
  2⤵
  PID:840

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x60c
1⤵
PID:2948

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\f76d348.rbs

Filesize
2.6MB

MD5
1fe950aa76ad2cc407b0239ff50bcedc

SHA1
d28b94bed8c03af0f5ebb9e3f2948a0e68189699

SHA256
42c41f839ca1cf870fc22aa7d4b6701380148cbb70a0e3e343ad7f599125666f

SHA512
d78266004ca3f3ea0c3d1a642ccb17f8e7209403b585947197b370dce6e7e5bc793abeb55ef87026753bd89161c05246dbacd83d0d2dffc53fab067669d2d16c

Download Submit
C:\PROGRA~1\Oracle\VIRTUA~1\drivers\USB\device\VBoxUSB.sys

Filesize
184KB

MD5
477569c254917d2c3e92108aee4d84b9

SHA1
49a8714c3e8fddd31c3725e39272c21b892cd681

SHA256
3eaa6ca9447f36c9f6e759244ae0ab64ef070a906809863b1a3d02725dd1c23a

SHA512
cd973c0bbca122da1a117c948969849f53788910a3a113317fc9dc6c27d9e79992117a06bd7d01be6e5faf9ce83942326d72ff3ba205ad19a6f2afdc05c25d75

Download Submit
C:\Program Files\Oracle\VirtualBox\VirtualBox.exe

Filesize
2.5MB

MD5
18f815f3791e22dd44efd13353d90e53

SHA1
88ea52f11dd1913a113616c5b8511d300f9370fb

SHA256
47388354db1a6378040e5543e54f28398e78f2fdbfdb202620801a7f4d21c8ed

SHA512
0108d2b1282c5363b024924aa1116d32d68118c9f85e9d6df79bc1561790e437c8826a28caae4268536435dc684db83aed2bcaaadbf6ed180a5c296a2ad718ec

Download Submit
C:\Program Files\Oracle\VirtualBox\drivers\USB\device\VBoxUSB.cat

Filesize
19KB

MD5
efcd24c4e96c670449494be9bab36d04

SHA1
e0e6f34d3cbfab8e52508764176a9c37305bf453

SHA256
b35a06b5511f3d40765406bcb1de7ed8b9eba89a06a4fcbed983b4c6f6159471

SHA512
7fa3be5099f34a76ca7690467101de04007acb0ecbc2a9ca2ddc112280b29fadae80c04b344222e669cdbe50ffeb89e9aa95481bde1d83cdce1dfefad03885fa

Download Submit
C:\Program Files\Oracle\VirtualBox\drivers\USB\device\VBoxUSB.inf

Filesize
2KB

MD5
3155160d6548ce4433d1611ba4872451

SHA1
46b7099f85af93155de58e5b4e41e8d48937b68b

SHA256
054385912c2f74a171572e750862f2ec75ab93c59f92213b40d007ce9aecc6e6

SHA512
3b2d79b8910b939f605f5c8d7a6ece541b80347602b3dc9f066f943a67fe90ec56607d29f2fe3824ab57b5781554171e800ed8ba549e9d535e16831fd368703a

Download Submit
C:\Program Files\Oracle\VirtualBox\drivers\USB\filter\VBoxUSBMon.cat

Filesize
19KB

MD5
f02290e0e12c2a240842faa0d0b4e8bd

SHA1
99945af90d9c8273571e67cab5a51a23c46aa482

SHA256
7071e601d25284a091c4bf4b44e96073439f02fb18461be622a427fdedbd5235

SHA512
eab09ee7de948eeb0c00912b1d0cce4aebc8f4b8ea56804d1eff2a7278a0503bca049f83f3bcefeca740f167cfedf5d3c66c89f1cde76f8fc8976836fd40f115

Download Submit
C:\Program Files\Oracle\VirtualBox\drivers\USB\filter\VBoxUSBMon.inf

Filesize
3KB

MD5
b0a35c2ca1180c2e4963e5be1235d93d

SHA1
862d17275c5e82430f37813c107f852af954bbdf

SHA256
ba5c69eee5390746fe9cd29a26197853d74d46b4248162c39be8f5212a9bf17d

SHA512
a8a842c3c9c10fb2c4d55589b64dd48d60a6bf5f41fd7092a2965d8f3ab7c3b8dc32822217df3f761ea77981395fa847a67bb9944ce9c718b747340db805c6bd

Download Submit
C:\Program Files\Oracle\VirtualBox\drivers\USB\filter\VBoxUSBMon.sys

Filesize
199KB

MD5
d0a8b437866db80fd1661174886f56dd

SHA1
2166c3f54262cae094073a2bc3b0c86f349ca51b

SHA256
05c99ae7cf556e8e35f22c51f5e52233baf236a6dccbdb15c5611da0e20b805f

SHA512
fa3d23e39bc607ca96af92ab4e382233e2194aeec2de95af8196bb72c5304327b590c230da211521a26405ac0e1042c190f344fd34bc0878bd39ad02b255f72d

Download Submit
C:\Program Files\Oracle\VirtualBox\drivers\vboxsup\VBoxSup.cat

Filesize
19KB

MD5
4e6f0c0c56e0f9432113c49ece3dda62

SHA1
d038a2cbd8fb3f43618a40c3b4be8c01c0cf3b28

SHA256
6d16a05e733476a129cf9e8c1c876671094a1749e67291535a8124d749a0fa94

SHA512
fa378b3d17028713a9d29371253b00945707f179629672932e26f0073ee9ca8d51d820860a2cf9628434bab3f79e01f3b1ac6e1f73977bcf39b33aa1848363f0

Download Submit
C:\Program Files\Oracle\VirtualBox\drivers\vboxsup\VBoxSup.inf

Filesize
3KB

MD5
cdff988430eb1bc5b00282cf72940e73

SHA1
65ea17e6e88cc4feb17031836b501fbb0f1b1d4e

SHA256
4cd64a11a7bdf1f18cc684f3ee6c8eeae8474074bd7fbebd7fe543656bb05b41

SHA512
8e01d8ad58f679ead7b35b5128f49f32535afa52a6844e4a53b714f4df538eb372a6345489e2994921557846460ea990407a811976439f69062f176b5f11a11a

Download Submit
C:\Program Files\Oracle\VirtualBox\drivers\vboxsup\VBoxSup.sys

Filesize
1.0MB

MD5
146ccf9c24cd243b27919caeace73f74

SHA1
7df3bc16502a2dd2420f5d81e1d8acbe05c8fc7a

SHA256
95bf86954288bc187f0b034675a75a9e06ff5dc500c4a317c387c3cf22b5a628

SHA512
8e21fcef6456d27acc7811e624791ac8724d8b3345772578910848ce67c6f13855d5c5af3f057eb0f8c5c20aee4923f25ced5fcc1c309d127ff2a0b6a10a5700

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB

Filesize
471B

MD5
2fe44c94e0e9c088ae4e21bcb0856a1c

SHA1
979f3444cffd8911af5eac25a35ae5b02439bd56

SHA256
5884545be81cd89ec21374e05e8387dfc9e66ceee63874c592c3038326d07f08

SHA512
5a0005e6387765ba9997a547bbf9db70ec6be1d67b33ccb99d81f0c87f168f76cadbad6f4eff953b3d12fe36040964bc54d49245bea16158e6f3377e2fc05019

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EC9B1D0ABBD7F98B401D425828828CE_D2F6556190F7B1A25A117FFB5467EEBD

Filesize
727B

MD5
ea4fdb4b4d5660905d17d6372add9bf8

SHA1
4f598a0aa8605338cf1094aa72237a2f1b300493

SHA256
7c14c28d218bd075bc8036e1d55f31dc799c3ef483aa14bf351d4e2d7cbeb415

SHA512
fbe6d9d7c5493d7cff829e3ef93cf802a8e1420c286d0ad3390a7efbb9f721a181070a15be7e5a7319bed025fcb11e3f8dc1d2a5b62ba5b16e79bf0740947358

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141

Filesize
727B

MD5
dd365e25f759f7328480ea16eb5a323d

SHA1
d2f1f1eae2c40b3445a0d58196307228ad7bc34c

SHA256
57799c176863fce4c6e82e041434139f84f7eb3724a210255a6e1f2cf93b9651

SHA512
03e435c1e061495704c486da907edfde779720e127e28f517880c238e537431a166353d4972c5ec32abe6edd575608e8f5514cf6bd0f975e315efa7830d82f79

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB

Filesize
400B

MD5
b918326ff22b09dacd9621fe671f2c47

SHA1
f55f17b54149d40ccf15bea5e2a86fb8963481b5

SHA256
aab2922778ec6a8a94551943d9dc4774eb01d035555de7b55dd98bc326744cdb

SHA512
f82570abcf5800efe5c11e88dc8fdc5116cf57ca2bf314c65abe496a05b65f5cc9f4f2e2c5700dc51bd7af48a40e8deb3ed59abef2d7bb63692102898ed9c7c4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8EC9B1D0ABBD7F98B401D425828828CE_D2F6556190F7B1A25A117FFB5467EEBD

Filesize
412B

MD5
9c104500a670712d890727bcec25bc94

SHA1
0bde34740a3303a47cff50ea48880b5de697673f

SHA256
19fd518aaeba747ae961ae98149494e6b8fad5f555728747747d73d46cca41b1

SHA512
83ded014afd24715fb2bd352f31bb352f2a69885ebdad75e943e233a7142ede0ad0861b65ec20b1c3b446407defd71d41819a6871e8350182642cccbc928efa9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
c47fda823ba5da85aea85963e97e9f04

SHA1
869553c0543ff9d379f4742d402e8a77bf300886

SHA256
53d7c2f443a35461ccfe87da0b4b741b996653abe6988c58c8b6087240695441

SHA512
bdf1dd18727aee35f3a88ef41f8042ec1eaf2e21485a361cf8451c49c7e00a1da69b3149e6da8abbc4f86b10cb15b304476c4f3c8953f020a643f98d012aec1e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
4b30c560df244fc04b3d691d52590b89

SHA1
d8d54d6f70e7bc43c2d979985ce8a4056c1c922b

SHA256
e1156e1dffa025538c61119e92a18a8014d94194ad2928beff27c272602baf01

SHA512
28df0c511c618da308c2ca3bd4e15734ded412f1a0931c8d823edb70cfac21b823041a17fdf64faed12948d87e471a597c0f3dbe753df50558e87cfd7ff93fd0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
68cb5ec0f5abfed6a5bbe5055f1108ac

SHA1
77124aa99235e647afb0d47c22249b1417b4b887

SHA256
5acd859099802e0dfc07d3d8bcd7df6a7d4d4ef55453908cac8faf090e1ae2b7

SHA512
4b4577ca4695c045a9313606758f97443656d8e852378db5a7b295290f99afc01d645265a60400fdc8ed8af049511681d7e2031ec226a532755cf06652e4d716

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141

Filesize
412B

MD5
920a21159bab69c33150221adb6c4246

SHA1
ac88bc2723a5666edbbf42caa59b8199729367f5

SHA256
d180df916c9ccfa28767b10dd8b8bc29ee198abbdbeb3fdcdea2536c49c9b284

SHA512
7365c1dc8c2207d072ff5d1bcb678a12d337ae79df8b481f307c6b5c6a114969e877a6b7f6e4f21ef5d3abb69f28b2eb59286c45377f481d2b6ea83ed27e9501

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
86b48c8964d7d8ffb31775c0616400f8

SHA1
a1d1d4b975f4e0a654f082f811bada0889be4ce8

SHA256
1991f9b854849a7a886a11a11c244012ab4b01c739414fbfebe9fa072f5cdefe

SHA512
a3b84c0e1a44f20850111f129db9d24564b366bdcd9395561150cab68597cdf91ca4537a467c199d7b10bf49b7200f14c871c89823e5caa6b121863d350ee173

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000001

Filesize
209KB

MD5
3e552d017d45f8fd93b94cfc86f842f2

SHA1
dbeebe83854328e2575ff67259e3fb6704b17a47

SHA256
27d9c4613df7a3c04da0b79c13217aa69992b441acb7e44bf2a7578ca87d97d6

SHA512
e616436f2f15615429c7c5c37de3990c3e86c5e1da7d75a0f524fc458b75d44a5be1a3648a628d63e1cf8aa062e08b538f2f2bc9c6a0b42157beb24f82c571d9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000043

Filesize
1024KB

MD5
db6d94096510a63a163dc3a89fb482d1

SHA1
b87304653024b01bc59b2d2f74386bfbe86b1fd3

SHA256
2d6d20583e69370baedeb772d5529554b680daf27322648b1a6d334efd0e24c0

SHA512
b7e7355aa0b928c8270419dd510654b7d476339553536c4da949ec276711e9b78362c0e621a324dd27d7187303d610332286a3179ff691f212d3b3b75c02840a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000044

Filesize
387KB

MD5
c3ef0f63ded91a7cd577c3c9b0b6f596

SHA1
f8c3a99d95280266f0661d674f516b2ac5a1a461

SHA256
8564768aba3a5785c6983090ac750064a18549a67c57f133cbe3a13f7384842d

SHA512
37895a05481d0bc801100dda546edb79dd1936e4ab98682ead751ba3bb836ab0d02a8a3faf09095ae58dec67162f2baf5d95addfa9af537f97fee9f03053c900

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000046

Filesize
1024KB

MD5
7b7fb52fc9471ea920e710cc0fe4b809

SHA1
c73e0b9b56118d928fb22a2b30c0d632037cd557

SHA256
e7ecfe84fbdc838f4305bcdfc6883672d3cf3b83b816f6e423152e00512d1dcf

SHA512
be318c58d355d86c0449c43b33500b54e84e25d47f19875e42bb15055f4c4cff9fea5fb3f0a423100dcf5ef7b0f4852eead38f1e0662d588e439b6d02f44a327

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
168B

MD5
a222db63cabc3775cac5f3fd71064c30

SHA1
1f7912007af42a939f222278ef571a8b57e8d996

SHA256
cff9f147f80106b2c2887761c558dacc7f4c63186bd89c864b0a8638724d8169

SHA512
5608620c1c40f8ad0133d7754babfd0e7b0fd30c70a9a8e4720a48df7da1f07f4ba2f6f93891783f3917100aa62e53823e8e916f585b51c1fe8c923a37497027

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
c7fe4280ecbfb79403fb9631df30ef2e

SHA1
005c710b0a2ab5ecb261fe20083c3698ccbbab72

SHA256
1e4a861bcb7a84eea3d51690e1688bbe7a1e8fac81874e4c8ee5096e93e2baa0

SHA512
c033b3279c2fd846e39224bc606d1777a485e474f576327e9d72c6a6fe00e296e666ec6084f617ea625cc252f6db1a3f8b60f3cca4da0faac19e8f317da6004a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
504B

MD5
bd61d8389441493258303e067f8ec785

SHA1
eda32670f0420b843b84cada082a6ee7df7f5125

SHA256
d04d570a9f6787dee5229bd7dc069c350bf877d7f5b711595c98b1a9e1a63cdd

SHA512
769c400ab98046b0d27b53546df78e00e658e829aef133582db7b36ae3621c970119206efea3a431d81b6911fd53e545ceb8dc1f23fc7474c94b255d0e1cd3ac

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption\000006.dbtmp

Filesize
16B

MD5
aefd77f47fb84fae5ea194496b44c67a

SHA1
dcfbb6a5b8d05662c4858664f81693bb7f803b82

SHA256
4166bf17b2da789b0d0cc5c74203041d98005f5d4ef88c27e8281e00148cd611

SHA512
b733d502138821948267a8b27401d7c0751e590e1298fda1428e663ccd02f55d0d2446ff4bc265bdcdc61f952d13c01524a5341bc86afc3c2cde1d8589b2e1c3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
987B

MD5
69f6fadec971c0f2b783f9f2899ebbc6

SHA1
7dc7474ac4e8f91778112b3001e914ed97b1f784

SHA256
fa11f7bab4da7aa7dc7c6a1c41db0e75e320dbf3a60385e1bce5ac5ccdccd92e

SHA512
ad27e40ad632d755d09a23642018204ec8f4b8c9a4ebafeccdecf89286a789a5d863426bbac721591f31e8b6170667627f315d77244918b5e8add6f181f934fd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
4KB

MD5
a0c55e6313cb290dcd7b791c1baced30

SHA1
dbb1c973318a8a6d70ae816694a46c617aa1ff58

SHA256
62f3f494ae0a8f6a7899b07e44fdc58093c67fb2e7ca05614f9c40026fd0cec1

SHA512
383ff773c6696b111b1814dc021aabab393f73b1b46f63e9f4f9a6bd950743627adf7a8cf6a62251f269490b7c0b9c223a95654e8ac4244366579ddda7761ec5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
363B

MD5
807155b4749ed8052c6d864c90da800d

SHA1
d154a3dd5461db8c1f84a3f44b63f1a9b487fb0b

SHA256
b9c9d611f30ce362e39cd0e13c78ded4392cf820b3518e3e36b1bc4777a68f3e

SHA512
d0a5e67e35acb2d0d33d07b394d1900ea705ff36e2053930774ffeb77fdceb549e43257280e7664c6d39d487241afe7f55ef9a716f85d8d35a8cfa2601269162

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1010B

MD5
d33d7456868f67f556e6555fbb0c41c6

SHA1
5875061e9a2dad33f790d5e847b14ed6cb22a00e

SHA256
b40d67fc444ee60a29001f39c33f0f3d29ad87be3820ea48b05bbbc5047b4b07

SHA512
2f1443764b443d70052cb4909a2e515a427d0fc178680482fafb45dcf7b542c7a550a113805b7e6138634a5c824616e3b2aba56419ecd026a361c86a8226b6b5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
689B

MD5
b6b394f66ac0d4ed0b44a01f9dc5dbdf

SHA1
ee164dfcb3d3c3261b292d161f51339d8bc5913c

SHA256
6902726fc3e1d81a9342193ccd67fc99bafb3204dc68e59840d4fc0b0fbffbf9

SHA512
94b5e1356c14b3636e0fe3434933487d9edfeac8188f64b954ed6c77cec443b37fd1aadb3f28c1861a275f69896a35fa8a11c81d4af9ad9c34f022241bf2eb06

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
2KB

MD5
6d9bb1a82180e314936c81a12588e98e

SHA1
b1c0a84029f13b2a1ddc5eba0ce5885b1a803547

SHA256
122354d10a0433f07a4e121e1b49fb968fbfcd3d3b77a8faa76e2def760b8e70

SHA512
ec21f99345141a09da832da6ff9169cb4267398f13c9075c0c533f1c44ca5eccb3feb6822d7ec93d9ac50df4ff419bdf4a6d0c14a3d6be8d148c38cec5a3981c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
689B

MD5
0cc68788c8d04bfa0d3e73cef7a099db

SHA1
79101e788331b927187627e1bea9424b4529295d

SHA256
5882c72bb9f34ef54e1bbb76214d02d406651d28fe4e9d8dc9aeb0fb5710d26f

SHA512
0c41b8e86dcc4a9dab71c3cd1d0614455b4f6c72a9fc98470ec7cd51c028dea356d5f0aee024dde69c06849290ee986b26162a43d159277485295940e4752d91

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
80b1fd319d979738452aa28193e8bce8

SHA1
1c4b30d51d6112e3250b08f3d017fa193d884f39

SHA256
89ea3fd3134d2f352c9515d4503f031f6619b0a838cc9081a7eaeb3baa240cd9

SHA512
cf947996875bfebc997fb0ae4eddb133e86f4266b399664eab404cbbb081635b49e33cf943f327e5ebb3316b23c3a24665d06b91ddc5eeb6643c3ab9ac6bd1dd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
3d08d8497b081578f08ff5685e9254b8

SHA1
5aee51011fbe1c954be19998d244389d0967f920

SHA256
750c515159ae7288967a560d4f0bd4c6a11ae11a048044fb800b36dd4d38a417

SHA512
6b68126f93bd2a06b0a965c8f45d2104e6e3d66602ade2ab3c59f58dfb9ce370c437f7c805e607a620e8e612409472664197736d9e28f545232462575e9e29bd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
972ecf6ce2757529b606ac85f87b460b

SHA1
35dc62c76e7d408fa3fd5ff0249d26394a819b4b

SHA256
6bb700e15a7f3c17622bb0210cfabfb5c2709d7931b54a83b67f96b7433bbe33

SHA512
5b02f232ca90f06c8a114db07ce14a4dddcbb4c6e391e1c021cdd7df6a1ac43d30874c59a209cbb65e1cfe43ea9840232487288438d8ae64c10826046dd3c441

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
864133d8fa7ecd08f9b04f003a29aac0

SHA1
e6cc1494595e0d59eb63748d83fbd56680611823

SHA256
ad0277eedf6a3efd5c578011fd44ba0d2e9526e7030bb47eb79539cbb5db729c

SHA512
995d9ec70ffbca0360d1ac6ad8c54fe52e9ab6485e4d7e442eaff87658922fd0e372c9b461f7c32a2d4cf804a3cc118c7c01bdacf6a46f0a8bf3ca0982cc9d68

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\Database\CURRENT~RFf77cc15.TMP

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\CURRENT

Filesize
16B

MD5
18e723571b00fb1694a3bad6c78e4054

SHA1
afcc0ef32d46fe59e0483f9a3c891d3034d12f32

SHA256
8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa

SHA512
43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
311KB

MD5
ef4ae84836e0c8cfd85e4dcc9fb9e855

SHA1
b99d15147d8e6853bd808b7bf5085ce5f9181b11

SHA256
1af9f1d378bcc01c7bedda807d25081ce015fec13f3e4c8a4291544eba793ecb

SHA512
cb0bc81f3656253c6becb89c2a3f4758b9e6aea8fd72e534718a039b8fc2c3031ebec1daec0bfe80ac5e1a67f2281606754b1f1f1a97315f81e03c256e2790e6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
311KB

MD5
94bf992fa78b5e08ed82eea897ab0b5b

SHA1
c82513c7b0dcccd857f55fbc2db76417a807010f

SHA256
11b04ec09651ed7bbf311f562b896cfbb121ed40bb3c4af84c9914deea481181

SHA512
3c078ddf7436131945e0a57fd908927ae5b0dafe6345f0b1047b322e7c1d5a9c1032e63950fbf4a1c7199bc93ae609c810575e347429cafd606f624c96e488c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab88E1.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabF0F6.tmp

Filesize
29KB

MD5
d59a6b36c5a94916241a3ead50222b6f

SHA1
e274e9486d318c383bc4b9812844ba56f0cff3c6

SHA256
a38d01d3f024e626d579cf052ac3bd4260bb00c34bc6085977a5f4135ab09b53

SHA512
17012307955fef045e7c13bf0613bd40df27c29778ba6572640b76c18d379e02dc478e855c9276737363d0ad09b9a94f2adaa85da9c77ebb3c2d427aa68e2489

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI92B6.tmp

Filesize
324KB

MD5
0653ce43996240dde250d557ef940bed

SHA1
da125564fadda9bea308bd7325d4664ee14c69a8

SHA256
d2fd21376c4595e60299e37cb55dceb92b531685f1a4545c6bb73681dbcad193

SHA512
27ab2bd553fa390315d360e593ca95e90f8de13d0d60326549fd5e63479143b33a0a7a49c4111e2041cfb05d5f2e9b516eaa7261acae3884094e3842a8309a6c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar88F3.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarF108.tmp

Filesize
81KB

MD5
b13f51572f55a2d31ed9f266d581e9ea

SHA1
7eef3111b878e159e520f34410ad87adecf0ca92

SHA256
725980edc240c928bec5a5f743fdabeee1692144da7091cf836dc7d0997cef15

SHA512
f437202723b2817f2fef64b53d4eb67f782bdc61884c0c1890b46deca7ca63313ee2ad093428481f94edfcecd9c77da6e72b604998f7d551af959dbd6915809c

Download Submit
C:\Windows\Installer\MSID907.tmp

Filesize
234KB

MD5
8edc1557e9fc7f25f89ad384d01bcec4

SHA1
98e64d7f92b8254fe3f258e3238b9e0f033b5a9c

SHA256
78860e15e474cc2af7ad6e499a8971b6b8197afb8e49a1b9eaaa392e4378f3a5

SHA512
d26c9dce3c3d17583ffb5dbcd3989f93b096a7f64a37a2701a474c1bf4b8c8b1e922c352d33f24e411f1c793e1b4af11a3aec1de489087d481b1b636df2050cd

Download Submit
C:\Windows\Installer\MSIDC35.tmp

Filesize
149KB

MD5
418322f7be2b68e88a93a048ac75a757

SHA1
09739792ff1c30f73dacafbe503630615922b561

SHA256
ea5d4b4c7e7be1ce24a614ae1e31a58bcae6f1694dd8bfb735cf47d35a08d59b

SHA512
253f62f5ce75df3e9ac3c62e2f06f30c7c6de6280fbfc830cdd15bf29cb8ee9ed878212f6df5d0ac6a5c9be0e6259f900eccee472a890f15dd3ff1f84958aeef

Download Submit
C:\Windows\Installer\MSIEC7E.tmp

Filesize
690KB

MD5
8deb7d2f91c7392925718b3ba0aade22

SHA1
fc8e9b10c83e16eb0af1b6f10128f5c37b389682

SHA256
cb42fac1aebb6e1ac4907a38035b218b5f992d1bcd4dece11b1664a588e876e4

SHA512
37f2c132b632c8e5a336bdc773d953c7f39872b1bae2ba34fbaf7794a477fd0dcb9ff60a3ddb447fe76abd98e557bd5ee544876584adea152b0841b3e313054c

Download Submit
C:\Windows\System32\DriverStore\Temp\{10cd0149-4c1d-2b54-4e43-e46030d91668}\SET22BD.tmp

Filesize
248KB

MD5
5a42fd4fe07b75cc841af29626e04e1d

SHA1
ca3505352788a21960c8213f91078c0b07e777c7

SHA256
416f1c2ce6467d0d596522b8d155e08aacf210f7c2f37d6c1c0694ae1cef4ae3

SHA512
d9d4a9102b36658dac78b3dbfcff4a1811ad6441c2cec422dae201716ca7630ed918d76417482c79d54d9bf3dcfcaba5e5d4b3a5d3b0c425da2f40b035d09f07

Download Submit
C:\Windows\System32\DriverStore\Temp\{10cd0149-4c1d-2b54-4e43-e46030d91668}\SET22BE.tmp

Filesize
19KB

MD5
674dbb11a28babacfb1dfd615a83456b

SHA1
5f499693f6642edf28a29674d3e1c427674cab61

SHA256
27e8c09f3e3cca47f8417dcdf2a0ea5af1f79d26fb410a166d093a579ff59ed2

SHA512
8bb551db964f3b7fa55247c58090ab028a59bb0020bed0dab4383d70a45dc28dd9a3cd7b93247b6f104de71efd7499c691aa4d06951c2e9207b841fc653df38b

Download Submit
C:\Windows\System32\DriverStore\Temp\{10cd0149-4c1d-2b54-4e43-e46030d91668}\SET22BF.tmp

Filesize
3KB

MD5
6b3fa213490c6f16d205e88f1291d996

SHA1
ec49d2336dccab27b42a53a96f7d2618e4c0101f

SHA256
bfdeea0ff03a48b192de9b9c4dbf59deeddf09b13399d3a860249b06c85615b3

SHA512
e8a9f55aedc46636f39ba892d275b73a959d507ded6890cb29f83479e8785c852812aec44e5f7bb4db6a9e7a70a346233d5690c2350f342250df6f716d4fc254

Download Submit
C:\Windows\System32\DriverStore\Temp\{61adff82-657b-2037-8ddb-81723c469f3a}\SET5773.tmp

Filesize
19KB

MD5
04e74382e94317f3cea5679d61f89e67

SHA1
ec9e880be2829b5ed49a03b2264983d83cc532cf

SHA256
91b88ed4a5662ea8d76eea6a3d69db335c097dcb5c53dc46114745d811893665

SHA512
b11409bffedbf33c8c740253a7cc303b777e48706174717a21e7b7e2189593c4ec32ef7708f781450d290f436efc6adb72fa5eead656a62207a922d766007e2b

Download Submit
C:\Windows\System32\DriverStore\Temp\{61adff82-657b-2037-8ddb-81723c469f3a}\SET5774.tmp

Filesize
4KB

MD5
58aa41a4df0b4d9e77a576d1306bef77

SHA1
ecf3d90629d021e18399728848dd7ccedc54f1e9

SHA256
2d479ead5715faa9b1de5e873a377373add4f151942c9881fc1da607f773f723

SHA512
7624e3d7947c39a872f10d4493780181a24111f9bfe5395fdb3f9cfe13e62c5b46d0d4c24198f392f07cd74e0012b0b19fcf78d787d9192d4f10a5e325c274b8

Download Submit
C:\Windows\System32\DriverStore\Temp\{61adff82-657b-2037-8ddb-81723c469f3a}\SET5775.tmp

Filesize
259KB

MD5
db91352985fdf76c4d8d7bf22d75d323

SHA1
600cc772fca941ec03e83823d2401b7085afc6ac

SHA256
9f9c839e8883ae1f5104a26262374dfa5ecc24590bb57275f0493ad9b226f45f

SHA512
9a0cd545d3018e9d350194e2debcb7ed159b60fc6ca033e607dd1eaacd2e7ee3c4776f4fb7f27af0d1118c8fb8a29a82df16a860abf4105d1f61d8efa8ffb933

Download Submit
C:\Windows\System32\catroot2\dberr.txt

Filesize
191KB

MD5
864db5f482892bb25d1d6cf3c6f9aaeb

SHA1
82c4e59b0eb391f10ade5a2858718582e8d6e1fd

SHA256
57a47f306cc1457219698f3b4e4c1d4af4677232a2a7e583df7497a3c3c6c19b

SHA512
e7ffabc08f4f90faec0378b2ad9b0e3190cd88bd0d84cb625030f59c9ee9304e0f5bffe04004a70260948a8d812da4b0dbb39f006aca1f9974445c5481c25b17

Download Submit
memory/2948-772-0x0000000001E90000-0x0000000001EB6000-memory.dmp

Filesize
152KB

Download