Malware Analysis Report

2025-06-16 07:05

Sample ID 240531-s9rbysda9t
Target VirtualBox-7.0.18-162988-Win.exe
SHA256 4c83894c00aa9f55f7e0f70807210896ba32e1222d4ff1d0b9487af81f328f36
Tags
persistence
score
8/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
8/10

SHA256

4c83894c00aa9f55f7e0f70807210896ba32e1222d4ff1d0b9487af81f328f36

Threat Level: Likely malicious

The file VirtualBox-7.0.18-162988-Win.exe was found to be: Likely malicious.

Malicious Activity Summary

persistence

Drops file in Drivers directory

Enumerates connected drives

Drops file in System32 directory

Drops file in Program Files directory

Loads dropped DLL

Drops file in Windows directory

Executes dropped EXE

Registers COM server for autorun

Checks SCSI registry key(s)

Suspicious behavior: GetForegroundWindowSpam

Modifies registry class

Suspicious use of AdjustPrivilegeToken

Uses Volume Shadow Copy service COM API

Suspicious use of FindShellTrayWindow

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: LoadsDriver

Suspicious behavior: AddClipboardFormatListener

Modifies data under HKEY_USERS

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-31 15:50

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-31 15:49

Reported

2024-05-31 15:52

Platform

win11-20240508-en

Max time kernel

99s

Max time network

111s

Command Line

"C:\Users\Admin\AppData\Local\Temp\VirtualBox-7.0.18-162988-Win.exe"

Signatures

Drops file in Drivers directory

Description Indicator Process Target
File opened for modification C:\Windows\system32\DRIVERS\SETE3D6.tmp C:\Windows\System32\MsiExec.exe N/A
File created C:\Windows\system32\DRIVERS\SETE3D6.tmp C:\Windows\System32\MsiExec.exe N/A
File opened for modification C:\Windows\system32\DRIVERS\SETC87B.tmp C:\Windows\System32\MsiExec.exe N/A
File created C:\Windows\system32\DRIVERS\SETC87B.tmp C:\Windows\System32\MsiExec.exe N/A
File opened for modification C:\Windows\system32\DRIVERS\VBoxSup.sys C:\Windows\System32\MsiExec.exe N/A
File opened for modification C:\Windows\system32\DRIVERS\SETDD2E.tmp C:\Windows\System32\MsiExec.exe N/A
File opened for modification C:\Windows\system32\DRIVERS\VBoxNetAdp6.sys C:\Windows\System32\MsiExec.exe N/A
File opened for modification C:\Windows\system32\DRIVERS\VBoxNetLwf.sys C:\Windows\System32\MsiExec.exe N/A
File opened for modification C:\Windows\system32\DRIVERS\SETC9D4.tmp C:\Windows\System32\MsiExec.exe N/A
File created C:\Windows\system32\DRIVERS\SETC9D4.tmp C:\Windows\System32\MsiExec.exe N/A
File opened for modification C:\Windows\system32\DRIVERS\VBoxUSBMon.sys C:\Windows\System32\MsiExec.exe N/A
File created C:\Windows\system32\DRIVERS\SETDD2E.tmp C:\Windows\System32\MsiExec.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\VirtualBox-7.0.18-162988-Win.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\VirtualBox-7.0.18-162988-Win.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\VirtualBox-7.0.18-162988-Win.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\VirtualBox-7.0.18-162988-Win.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\VirtualBox-7.0.18-162988-Win.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\VirtualBox-7.0.18-162988-Win.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\VirtualBox-7.0.18-162988-Win.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\VirtualBox-7.0.18-162988-Win.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\VirtualBox-7.0.18-162988-Win.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\VirtualBox-7.0.18-162988-Win.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\VirtualBox-7.0.18-162988-Win.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\VirtualBox-7.0.18-162988-Win.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\VirtualBox-7.0.18-162988-Win.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\VirtualBox-7.0.18-162988-Win.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\VirtualBox-7.0.18-162988-Win.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\VirtualBox-7.0.18-162988-Win.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\VirtualBox-7.0.18-162988-Win.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\VirtualBox-7.0.18-162988-Win.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\VirtualBox-7.0.18-162988-Win.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\VirtualBox-7.0.18-162988-Win.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\VirtualBox-7.0.18-162988-Win.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\VirtualBox-7.0.18-162988-Win.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\VirtualBox-7.0.18-162988-Win.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\System32\DriverStore\Temp\{94ecdc25-a53f-e24e-ab5a-c9d5c4b98847}\VBoxUSB.inf C:\Windows\system32\DrvInst.exe N/A
File created C:\Windows\System32\DriverStore\Temp\{94ecdc25-a53f-e24e-ab5a-c9d5c4b98847}\SETCAEE.tmp C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\DriverStore\Temp\{94ecdc25-a53f-e24e-ab5a-c9d5c4b98847} C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\DriverStore\Temp\{c66b785a-b94c-054c-ad4b-cc6d0e3edb46}\SETDBE5.tmp C:\Windows\system32\DrvInst.exe N/A
File created C:\Windows\System32\DriverStore\drvstore.tmp C:\Windows\system32\DrvInst.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\netbrdg.inf_amd64_3debe5e78bab1bca\netbrdg.PNF C:\Windows\System32\MsiExec.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\c_netservice.inf_amd64_bc519c177a90877a\c_netservice.PNF C:\Windows\System32\MsiExec.exe N/A
File created C:\Windows\System32\DriverStore\Temp\{94ecdc25-a53f-e24e-ab5a-c9d5c4b98847}\SETCAED.tmp C:\Windows\system32\DrvInst.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\netpacer.inf_amd64_8074ac14f1ab2957\netpacer.PNF C:\Windows\System32\MsiExec.exe N/A
File opened for modification C:\Windows\System32\CatRoot2\dberr.txt C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\DriverStore\Temp\{16f8d9dc-099f-3b4b-a549-84c88b809843}\SETE1E0.tmp C:\Windows\system32\DrvInst.exe N/A
File created C:\Windows\System32\DriverStore\Temp\{16f8d9dc-099f-3b4b-a549-84c88b809843}\SETE1E0.tmp C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\DriverStore\Temp\{16f8d9dc-099f-3b4b-a549-84c88b809843}\SETE1F1.tmp C:\Windows\system32\DrvInst.exe N/A
File created C:\Windows\System32\DriverStore\Temp\{94ecdc25-a53f-e24e-ab5a-c9d5c4b98847}\SETCAEC.tmp C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\DriverStore\Temp\{94ecdc25-a53f-e24e-ab5a-c9d5c4b98847}\VBoxUSB.sys C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\vboxusb.inf_amd64_c50c384d0cbfb450\VBoxUSB.cat C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\DriverStore\Temp\{16f8d9dc-099f-3b4b-a549-84c88b809843}\VBoxNetLwf.cat C:\Windows\system32\DrvInst.exe N/A
File created C:\Windows\System32\DriverStore\Temp\{16f8d9dc-099f-3b4b-a549-84c88b809843}\SETE1F1.tmp C:\Windows\system32\DrvInst.exe N/A
File created C:\Windows\system32\config\systemprofile\AppData\Roaming\VirtualBox\VBoxSDS.log C:\Program Files\Oracle\VirtualBox\VBoxSDS.exe N/A
File opened for modification C:\Windows\System32\DriverStore\Temp\{94ecdc25-a53f-e24e-ab5a-c9d5c4b98847}\SETCAED.tmp C:\Windows\system32\DrvInst.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\vboxnetlwf.inf_amd64_c7737e90db5729fb\vboxnetlwf.PNF C:\Windows\System32\MsiExec.exe N/A
File opened for modification C:\Windows\system32\DRVSTORE\VBoxSup_C1568B0197F11F03068219F1FC3418496EA5F1E1\VBoxSup.inf C:\Windows\System32\MsiExec.exe N/A
File created C:\Windows\System32\DriverStore\drvstore.tmp C:\Windows\system32\DrvInst.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\netnb.inf_amd64_10acfa4b924dd181\netnb.PNF C:\Windows\System32\MsiExec.exe N/A
File created C:\Windows\System32\DriverStore\Temp\{c66b785a-b94c-054c-ad4b-cc6d0e3edb46}\SETDBE5.tmp C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\DriverStore\Temp\{c66b785a-b94c-054c-ad4b-cc6d0e3edb46} C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\vboxnetlwf.inf_amd64_c7737e90db5729fb\VBoxNetLwf.sys C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\vboxnetlwf.inf_amd64_c7737e90db5729fb\VBoxNetLwf.cat C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\CatRoot2\dberr.txt C:\Windows\system32\DrvInst.exe N/A
File created C:\Windows\system32\DRVSTORE\VBoxUSBMon_76C300885A3BEF8EB122594DD2B3D02A309D39C3\VBoxUSBMon.sys C:\Windows\System32\MsiExec.exe N/A
File created C:\Windows\system32\DRVSTORE\VBoxUSBMon_76C300885A3BEF8EB122594DD2B3D02A309D39C3\VBoxUSBMon.cat C:\Windows\System32\MsiExec.exe N/A
File opened for modification C:\Windows\System32\DriverStore\Temp\{94ecdc25-a53f-e24e-ab5a-c9d5c4b98847}\VBoxUSB.cat C:\Windows\system32\DrvInst.exe N/A
File created C:\Windows\System32\DriverStore\drvstore.tmp C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\CatRoot2\dberr.txt C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\DriverStore\Temp\{c66b785a-b94c-054c-ad4b-cc6d0e3edb46}\SETDBD4.tmp C:\Windows\system32\DrvInst.exe N/A
File created C:\Windows\System32\DriverStore\Temp\{c66b785a-b94c-054c-ad4b-cc6d0e3edb46}\SETDBD4.tmp C:\Windows\system32\DrvInst.exe N/A
File created C:\Windows\System32\DriverStore\Temp\{c66b785a-b94c-054c-ad4b-cc6d0e3edb46}\SETDBF6.tmp C:\Windows\system32\DrvInst.exe N/A
File created C:\Windows\system32\DRVSTORE\VBoxSup_C1568B0197F11F03068219F1FC3418496EA5F1E1\VBoxSup.sys C:\Windows\System32\MsiExec.exe N/A
File opened for modification C:\Windows\System32\DriverStore\Temp\{c66b785a-b94c-054c-ad4b-cc6d0e3edb46}\VBoxNetAdp6.sys C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\DriverStore\Temp\{16f8d9dc-099f-3b4b-a549-84c88b809843}\VBoxNetLwf.inf C:\Windows\system32\DrvInst.exe N/A
File created C:\Windows\system32\DRVSTORE\VBoxSup_C1568B0197F11F03068219F1FC3418496EA5F1E1\VBoxSup.cat C:\Windows\System32\MsiExec.exe N/A
File opened for modification C:\Windows\System32\DriverStore\Temp\{94ecdc25-a53f-e24e-ab5a-c9d5c4b98847}\SETCAEC.tmp C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\DriverStore\Temp\{c66b785a-b94c-054c-ad4b-cc6d0e3edb46}\VBoxNetAdp6.cat C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\system32\DRVSTORE C:\Windows\System32\MsiExec.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\vboxusb.inf_amd64_c50c384d0cbfb450\VBoxUSB.PNF C:\Windows\System32\MsiExec.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\netrass.inf_amd64_72f156a5ee3f59e8\netrass.PNF C:\Windows\System32\MsiExec.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\netnwifi.inf_amd64_0525128a3d54207e\netnwifi.PNF C:\Windows\System32\MsiExec.exe N/A
File created C:\Windows\system32\DRVSTORE\VBoxSup_C1568B0197F11F03068219F1FC3418496EA5F1E1\VBoxSup.inf C:\Windows\System32\MsiExec.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\vboxnetadp6.inf_amd64_108aa80dcbfa6952\VBoxNetAdp6.cat C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\DriverStore\Temp\{16f8d9dc-099f-3b4b-a549-84c88b809843}\VBoxNetLwf.sys C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\vboxnetlwf.inf_amd64_c7737e90db5729fb\VBoxNetLwf.inf C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\DriverStore\Temp\{c66b785a-b94c-054c-ad4b-cc6d0e3edb46}\VBoxNetAdp6.inf C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\DriverStore\Temp\{16f8d9dc-099f-3b4b-a549-84c88b809843} C:\Windows\system32\DrvInst.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\ndiscap.inf_amd64_d34968d7b3e6da21\ndiscap.PNF C:\Windows\System32\MsiExec.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\netserv.inf_amd64_56c163d21e8c2b62\netserv.PNF C:\Windows\System32\MsiExec.exe N/A
File opened for modification C:\Windows\System32\DriverStore\Temp\{16f8d9dc-099f-3b4b-a549-84c88b809843}\SETE1D0.tmp C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\DriverStore\Temp\{c66b785a-b94c-054c-ad4b-cc6d0e3edb46}\SETDBF6.tmp C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\vboxnetadp6.inf_amd64_108aa80dcbfa6952\VBoxNetAdp6.sys C:\Windows\system32\DrvInst.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\netvwififlt.inf_amd64_882899f2b1006416\netvwififlt.PNF C:\Windows\System32\MsiExec.exe N/A
File created C:\Windows\system32\DRVSTORE\VBoxUSBMon_76C300885A3BEF8EB122594DD2B3D02A309D39C3\VBoxUSBMon.inf C:\Windows\System32\MsiExec.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\vboxusb.inf_amd64_c50c384d0cbfb450\VBoxUSB.inf C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\vboxnetadp6.inf_amd64_108aa80dcbfa6952\VBoxNetAdp6.inf C:\Windows\system32\DrvInst.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\wfpcapture.inf_amd64_54cf91ab0e4c9ac2\wfpcapture.PNF C:\Windows\System32\MsiExec.exe N/A
File opened for modification C:\Windows\System32\DriverStore\Temp\{94ecdc25-a53f-e24e-ab5a-c9d5c4b98847}\SETCAEE.tmp C:\Windows\system32\DrvInst.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Oracle\VirtualBox\Qt5WinExtrasVBox.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Oracle\VirtualBox\VBoxGuestAdditions.iso C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Oracle\VirtualBox\VMMR0.r0 C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Oracle\VirtualBox\nls\qt_ca.qm C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Oracle\VirtualBox\UnattendedTemplates\redhat_postinstall.sh C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Oracle\VirtualBox\UnattendedTemplates\rhel5_ks.cfg C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Oracle\VirtualBox\VBoxTestOGL.exe C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Oracle\VirtualBox\nls\qt_ru.qm C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Oracle\VirtualBox\nls\qt_zh_CN.qm C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Oracle\VirtualBox\UnattendedTemplates\rhel4_ks.cfg C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Oracle\VirtualBox\sdk\install\vboxapi\__init__.py C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Oracle\VirtualBox\UserManual.qch C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Oracle\VirtualBox\nls\VirtualBox_pt_BR.qm C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Oracle\VirtualBox\VBoxSVC.exe C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Oracle\VirtualBox\sqldrivers\qsqlite.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Oracle\VirtualBox\VirtualBoxVM.exe C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Oracle\VirtualBox\nls\VirtualBox_pt.qm C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Oracle\VirtualBox\platforms\qminimal.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Oracle\VirtualBox\styles\qwindowsvistastyle.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Oracle\VirtualBox\nls\qt_sk.qm C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Oracle\VirtualBox\nls\VirtualBox_eu.qm C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Oracle\VirtualBox\nls\VirtualBox_fa.qm C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Oracle\VirtualBox\nls\VirtualBox_ko.qm C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Oracle\VirtualBox\nls\VirtualBox_uk.qm C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Oracle\VirtualBox\nls\VirtualBox_zh_CN.qm C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Oracle\VirtualBox\nls\qt_tr.qm C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Oracle\VirtualBox\UnattendedTemplates\ol_postinstall.sh C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Oracle\VirtualBox\License_en_US.rtf C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Oracle\VirtualBox\VBoxDDU.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Oracle\VirtualBox\drivers\USB\device\VBoxUSB.sys C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Oracle\VirtualBox\nls\VirtualBox_el.qm C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Oracle\VirtualBox\nls\VirtualBox_sk.qm C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Oracle\VirtualBox\nls\qt_de.qm C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Oracle\VirtualBox\nls\qt_el.qm C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Oracle\VirtualBox\UnattendedTemplates\ol9_ks.cfg C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Oracle\VirtualBox\UnattendedTemplates\os2_cid_install.cmd C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Oracle\VirtualBox\UnattendedTemplates\debian_preseed.cfg C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Oracle\VirtualBox\platforms\qwindows.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Oracle\VirtualBox\VBoxGuestControlSvc.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Oracle\VirtualBox\nls\qt_fr.qm C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Oracle\VirtualBox\Qt5PrintSupportVBox.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Oracle\VirtualBox\VBoxCAPI.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Oracle\VirtualBox\sdk\install\vboxapi\VirtualBox_constants.py C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Oracle\VirtualBox\nls\qt_eu.qm C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Oracle\VirtualBox\UnattendedTemplates\os2_response_files.rsp C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Oracle\VirtualBox\Qt5CoreVBox.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Oracle\VirtualBox\drivers\network\netadp6\VBoxNetAdp6.inf C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Oracle\VirtualBox\drivers\network\netadp6\VBoxNetAdp6.sys C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Oracle\VirtualBox\VBoxRes.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Oracle\VirtualBox\nls\qt_pt.qm C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Oracle\VirtualBox\VBoxC.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Oracle\VirtualBox\DbgPlugInDiggers.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Oracle\VirtualBox\VBoxAuth.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Oracle\VirtualBox\VBoxDD2.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Oracle\VirtualBox\drivers\vboxsup\VBoxSup.sys C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Oracle\VirtualBox\nls\VirtualBox_zh_TW.qm C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Oracle\VirtualBox\UnattendedTemplates\os2_util.exe C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Oracle\VirtualBox\UnattendedTemplates\fedora_ks.cfg C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Oracle\VirtualBox\VBoxAudioTest.exe C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Oracle\VirtualBox\VirtualBox.VisualElementsManifest.xml C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Oracle\VirtualBox\nls\VirtualBox_lt.qm C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Oracle\VirtualBox\nls\qt_en.qm C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Oracle\VirtualBox\nls\qt_it.qm C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Oracle\VirtualBox\nls\qt_lt.qm C:\Windows\system32\msiexec.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Installer\MSIC980.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\{7431991E-0534-4E1E-89C8-2AF6968C017C}\IconVirtualBox C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIE162.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIE470.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\e58b34d.msi C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\SystemTemp\~DFC68B191DE07D8600.TMP C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIBC8C.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIC7F9.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\INF\oem1.PNF C:\Windows\System32\MsiExec.exe N/A
File opened for modification C:\Windows\Installer\MSIE4DF.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\inprogressinstallinfo.ipi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIC111.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIDB64.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\INF\setupapi.dev.log C:\Windows\system32\DrvInst.exe N/A
File created C:\Windows\Installer\SourceHash{7431991E-0534-4E1E-89C8-2AF6968C017C} C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIE141.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\INF\oem2.PNF C:\Windows\System32\MsiExec.exe N/A
File opened for modification C:\Windows\inf\oem5.inf C:\Windows\system32\DrvInst.exe N/A
File created C:\Windows\INF\oem5.PNF C:\Windows\System32\MsiExec.exe N/A
File opened for modification C:\Windows\Installer\MSIB831.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIB890.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSICA0E.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\e58b34f.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIE4CF.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\inf\oem5.inf C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIC160.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\INF\setupapi.dev.log C:\Windows\System32\MsiExec.exe N/A
File opened for modification C:\Windows\inf\oem3.inf C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\Installer\MSIB716.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIB830.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\SystemTemp\~DF5076B0124C6A168B.TMP C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\INF\oem0.PNF C:\Windows\System32\MsiExec.exe N/A
File opened for modification C:\Windows\INF\setupapi.dev.log C:\Windows\system32\DrvInst.exe N/A
File created C:\Windows\SystemTemp\~DF462F058BE183502F.TMP C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\e58b34d.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\ C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\INF\setupapi.dev.log C:\Windows\system32\DrvInst.exe N/A
File created C:\Windows\Installer\{7431991E-0534-4E1E-89C8-2AF6968C017C}\IconVirtualBox C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\inf\oem3.inf C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\inf\oem4.inf C:\Windows\system32\DrvInst.exe N/A
File created C:\Windows\inf\oem4.inf C:\Windows\system32\DrvInst.exe N/A
File created C:\Windows\INF\oem3.PNF C:\Windows\System32\MsiExec.exe N/A
File opened for modification C:\Windows\Installer\MSIB8B0.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIB92E.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIBBCF.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\INF\setupapi.dev.log C:\Windows\system32\svchost.exe N/A
File created C:\Windows\SystemTemp\~DF341B4D79B59646FE.TMP C:\Windows\system32\msiexec.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\System32\MsiExec.exe N/A
N/A N/A C:\Windows\System32\MsiExec.exe N/A
N/A N/A C:\Windows\System32\MsiExec.exe N/A
N/A N/A C:\Windows\System32\MsiExec.exe N/A
N/A N/A C:\Windows\System32\MsiExec.exe N/A
N/A N/A C:\Windows\System32\MsiExec.exe N/A
N/A N/A C:\Windows\System32\MsiExec.exe N/A
N/A N/A C:\Windows\System32\MsiExec.exe N/A
N/A N/A C:\Windows\System32\MsiExec.exe N/A
N/A N/A C:\Windows\System32\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\System32\MsiExec.exe N/A
N/A N/A C:\Windows\System32\MsiExec.exe N/A
N/A N/A C:\Windows\System32\MsiExec.exe N/A
N/A N/A C:\Windows\System32\MsiExec.exe N/A
N/A N/A C:\Windows\System32\MsiExec.exe N/A
N/A N/A C:\Windows\System32\MsiExec.exe N/A
N/A N/A C:\Windows\System32\MsiExec.exe N/A
N/A N/A C:\Windows\System32\MsiExec.exe N/A
N/A N/A C:\Windows\System32\MsiExec.exe N/A
N/A N/A C:\Windows\System32\MsiExec.exe N/A
N/A N/A C:\Windows\System32\MsiExec.exe N/A
N/A N/A C:\Windows\System32\MsiExec.exe N/A
N/A N/A C:\Windows\System32\MsiExec.exe N/A
N/A N/A C:\Program Files\Oracle\VirtualBox\VirtualBox.exe N/A
N/A N/A C:\Program Files\Oracle\VirtualBox\VirtualBox.exe N/A
N/A N/A C:\Program Files\Oracle\VirtualBox\VirtualBox.exe N/A
N/A N/A C:\Program Files\Oracle\VirtualBox\VirtualBox.exe N/A
N/A N/A C:\Program Files\Oracle\VirtualBox\VirtualBox.exe N/A
N/A N/A C:\Program Files\Oracle\VirtualBox\VirtualBox.exe N/A
N/A N/A C:\Program Files\Oracle\VirtualBox\VirtualBox.exe N/A
N/A N/A C:\Program Files\Oracle\VirtualBox\VirtualBox.exe N/A
N/A N/A C:\Program Files\Oracle\VirtualBox\VirtualBox.exe N/A
N/A N/A C:\Program Files\Oracle\VirtualBox\VirtualBox.exe N/A
N/A N/A C:\Program Files\Oracle\VirtualBox\VirtualBox.exe N/A
N/A N/A C:\Program Files\Oracle\VirtualBox\VirtualBox.exe N/A
N/A N/A C:\Program Files\Oracle\VirtualBox\VBoxSVC.exe N/A
N/A N/A C:\Program Files\Oracle\VirtualBox\VBoxSVC.exe N/A
N/A N/A C:\Program Files\Oracle\VirtualBox\VBoxSDS.exe N/A
N/A N/A C:\Program Files\Oracle\VirtualBox\VBoxSDS.exe N/A
N/A N/A C:\Program Files\Oracle\VirtualBox\VBoxSVC.exe N/A

Registers COM server for autorun

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\Classes\CLSID\{B1A7A4F2-47B9-4A1E-82B2-07CCD5323C3F}\LocalServer32 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{DD3FC71D-26C0-4FE1-BF6F-67F633265BBA}\InprocServer32\ = "C:\\Program Files\\Oracle\\VirtualBox\\VBoxC.dll" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{DD3FC71D-26C0-4FE1-BF6F-67F633265BBA}\InprocServer32\ThreadingModel = "Free" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{DD3FC71D-26C0-4FE1-BF6F-67F633265BBA}\InprocServer32 C:\Program Files\Oracle\VirtualBox\VirtualBox.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0BB3B78C-1807-4249-5BA5-EA42D66AF0BF}\InprocServer32 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B1A7A4F2-47B9-4A1E-82B2-07CCD5323C3F}\LocalServer32\ = "\"C:\\Program Files\\Oracle\\VirtualBox\\VBoxSVC.exe\"" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\CLSID\{3C02F46D-C9D2-4F11-A384-53F0CF917214}\InprocServer32 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\CLSID\{74AB5FFE-8726-4435-AA7E-876D705BCBA5}\LocalServer32 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\CLSID\{0BB3B78C-1807-4249-5BA5-EA42D66AF0BF}\InprocServer32 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3C02F46D-C9D2-4F11-A384-53F0CF917214}\InprocServer32 C:\Program Files\Oracle\VirtualBox\VirtualBox.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{74AB5FFE-8726-4435-AA7E-876D705BCBA5}\LocalServer32 C:\Program Files\Oracle\VirtualBox\VirtualBox.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0BB3B78C-1807-4249-5BA5-EA42D66AF0BF}\InprocServer32 C:\Program Files\Oracle\VirtualBox\VirtualBox.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B1A7A4F2-47B9-4A1E-82B2-07CCD5323C3F}\LocalServer32 C:\Program Files\Oracle\VirtualBox\VirtualBox.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0BB3B78C-1807-4249-5BA5-EA42D66AF0BF}\InprocServer32\ = "C:\\Program Files\\Oracle\\VirtualBox\\VBoxProxyStub.dll" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0BB3B78C-1807-4249-5BA5-EA42D66AF0BF}\InprocServer32\ThreadingModel = "Both" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\CLSID\{DD3FC71D-26C0-4FE1-BF6F-67F633265BBA}\InprocServer32 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3C02F46D-C9D2-4F11-A384-53F0CF917214}\InprocServer32\ = "C:\\Program Files\\Oracle\\VirtualBox\\VBoxC.dll" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3C02F46D-C9D2-4F11-A384-53F0CF917214}\InprocServer32\ThreadingModel = "Free" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{74AB5FFE-8726-4435-AA7E-876D705BCBA5}\LocalServer32\ = "\"C:\\Program Files\\Oracle\\VirtualBox\\VBoxSDS.exe\"" C:\Windows\system32\msiexec.exe N/A

Checks SCSI registry key(s)

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Service C:\Windows\System32\MsiExec.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009 C:\Windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 C:\Windows\System32\MsiExec.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\CompatibleIDs C:\Windows\system32\DrvInst.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID C:\Windows\System32\MsiExec.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Phantom C:\Windows\system32\DrvInst.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001 C:\Windows\System32\MsiExec.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs C:\Windows\System32\MsiExec.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001 C:\Windows\system32\DrvInst.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 C:\Windows\System32\MsiExec.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\LowerFilters C:\Windows\System32\MsiExec.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr C:\Windows\system32\vssvc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002 C:\Windows\system32\DrvInst.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 C:\Windows\system32\DrvInst.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom C:\Windows\System32\MsiExec.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\LowerFilters C:\Windows\System32\MsiExec.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001 C:\Windows\system32\DrvInst.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 C:\Windows\system32\DrvInst.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID C:\Windows\system32\DrvInst.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 C:\Windows\system32\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Phantom C:\Windows\system32\DrvInst.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom C:\Windows\system32\DrvInst.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Phantom C:\Windows\system32\DrvInst.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 C:\Windows\system32\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID C:\Windows\system32\DrvInst.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 C:\Windows\system32\DrvInst.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\CompatibleIDs C:\Windows\system32\DrvInst.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Filters C:\Windows\System32\MsiExec.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 C:\Windows\System32\MsiExec.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags C:\Windows\System32\MsiExec.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 C:\Windows\System32\MsiExec.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs C:\Windows\System32\MsiExec.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\CompatibleIDs C:\Windows\system32\DrvInst.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A\ C:\Windows\System32\MsiExec.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009 C:\Windows\system32\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags C:\Windows\system32\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\UpperFilters C:\Windows\System32\MsiExec.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Service C:\Windows\System32\MsiExec.exe N/A
Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 00000000040000000c993a456edcb2280000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff0000000027010100000800000c993a450000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff0000000007000100006809000c993a45000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1d0c993a45000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000000000000c993a4500000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 C:\Windows\system32\vssvc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002 C:\Windows\system32\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\CompatibleIDs C:\Windows\System32\MsiExec.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs C:\Windows\system32\DrvInst.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID C:\Windows\system32\DrvInst.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009 C:\Windows\system32\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs C:\Windows\system32\DrvInst.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002 C:\Windows\System32\MsiExec.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\CompatibleIDs C:\Windows\System32\MsiExec.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\CompatibleIDs C:\Windows\system32\DrvInst.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom C:\Windows\system32\DrvInst.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs C:\Windows\system32\DrvInst.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A C:\Windows\System32\MsiExec.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom C:\Windows\system32\DrvInst.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID C:\Windows\System32\MsiExec.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 C:\Windows\System32\MsiExec.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001 C:\Windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009 C:\Windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002 C:\Windows\system32\DrvInst.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Phantom C:\Windows\system32\DrvInst.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Service C:\Windows\System32\MsiExec.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\UpperFilters C:\Windows\System32\MsiExec.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID C:\Windows\system32\DrvInst.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters C:\Windows\system32\vssvc.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID C:\Windows\system32\DrvInst.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Service C:\Windows\System32\MsiExec.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\System32\MsiExec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\System32\MsiExec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\System32\MsiExec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\System32\MsiExec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\System32\MsiExec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\System32\MsiExec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\System32\MsiExec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\System32\MsiExec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\System32\MsiExec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\System32\MsiExec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\system32\DrvInst.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\System32\MsiExec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\System32\MsiExec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\System32\MsiExec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Windows\System32\MsiExec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\System32\MsiExec.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9E106366-4521-44CC-DF95-186E4D057C83}\NumMethods C:\Program Files\Oracle\VirtualBox\VirtualBox.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{101AE042-1A29-4A19-92CF-02285773F3B5}\TypeLib C:\Program Files\Oracle\VirtualBox\VirtualBox.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4A773393-7A8C-4D57-B228-9ADE4049A81F}\TypeLib\ = "{D7569351-1750-46F0-936E-BD127D5BC264}" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2A88033D-82DB-4AC2-97B5-E786C839420E}\ = "IUpdateAgentErrorEvent" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\E19913474350E1E4988CA26F69C810C7 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{ADF292B0-92C9-4A77-9D35-E058B39FE0B9}\NumMethods C:\Program Files\Oracle\VirtualBox\VirtualBox.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6AC83D89-6EE7-4E33-8AE6-B257B2E81BE8}\ProxyStubClsid32\ = "{0BB3B78C-1807-4249-5BA5-EA42D66AF0BF}" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{A0A7F210-B857-4468-BE26-C29F36A84345} C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Interface\{392F1DE4-80E1-4A8A-93A1-67C5F92A838A}\ProxyStubClsid32 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6620DB85-44E0-CA69-E9E0-D4907CECCBE5}\ProxyStubClsid32\ = "{0BB3B78C-1807-4249-5BA5-EA42D66AF0BF}" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BC68370C-8A02-45F3-A07D-A67AA72756AA}\ProxyStubClsid32\ = "{0BB3B78C-1807-4249-5BA5-EA42D66AF0BF}" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E19913474350E1E4988CA26F69C810C7\SourceList\PackageName = "dj7mb20gltxh17s9g54ngsac.msi" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{CF11D345-0241-4EA9-AC4C-C69ED3D674E3}\ProxyStubClsid32 C:\Program Files\Oracle\VirtualBox\VirtualBox.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A338ED20-58D9-43AE-8B03-C1FD7088EF15}\ProxyStubClsid32 C:\Program Files\Oracle\VirtualBox\VirtualBox.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D0D93830-70A2-487E-895E-D3FC9679F7B3}\TypeLib\ = "{D7569351-1750-46F0-936E-BD127D5BC264}" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9E106366-4521-44CC-DF95-186E4D057C83}\ProxyStubClsid32\ = "{0BB3B78C-1807-4249-5BA5-EA42D66AF0BF}" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{232E9151-AE84-4B8E-B0F3-5C20C35CAAC9}\TypeLib\ = "{D7569351-1750-46F0-936E-BD127D5BC264}" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{92F21DC0-44DE-1653-B717-2EBF0CA9B664}\TypeLib\Version = "1.3" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Interface\{9B6E1AEE-35F3-4F4D-B5BB-ED0ECEFD8538}\ProxyStubClsid32 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E7932CB8-F6D4-4AB6-9CBF-558EB8959A6A}\NumMethods\ = "14" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F01E8B48-F44D-42CC-8A83-512F6A8552F1}\TypeLib\ = "{D7569351-1750-46F0-936E-BD127D5BC264}" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Interface\{F05D7E60-1BCF-4218-9807-04E036CC70F1} C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{A06FD66A-3188-4C8C-8756-1395E8CB691C}\ProxyStubClsid32 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{243829CB-15B7-42A4-8664-7AA4E34993DA}\ = "IUpdateAgentAvailableEvent" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{53FAC49A-B7F1-4A5A-A4EF-A11DD9C2A458}\TypeLib\Version = "1.3" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{78861431-D545-44AA-8013-181B8C288554}\ProxyStubClsid32 C:\Program Files\Oracle\VirtualBox\VirtualBox.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{B14290AD-CD54-400C-B858-797BCB82570E}\NumMethods C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{B55CF856-1F8B-4692-ABB4-462429FAE5E9}\ProxyStubClsid32 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Interface\{C4B1B5F4-8CDF-4923-9EF6-B92476A84109}\TypeLib C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\progId_VirtualBox.Shell.vbox\shell\open\ = "Open" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\progId_VirtualBox.Shell.ova\ = "Open Virtualization Format Archive" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{31587F93-2D12-4D7C-BA6D-CE51D0D5B265}\TypeLib C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{455F8C45-44A0-A470-BA20-27890B96DBA9}\TypeLib\ = "{D7569351-1750-46F0-936E-BD127D5BC264}" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DFE56449-6989-4002-80CF-3607F377D40C}\ProxyStubClsid32\ = "{0BB3B78C-1807-4249-5BA5-EA42D66AF0BF}" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00892186-A4AF-4627-B21F-FC561CE4473C}\ProxyStubClsid32\ = "{0BB3B78C-1807-4249-5BA5-EA42D66AF0BF}" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Interface\{E062A915-3CF5-4C0A-BC90-9B8D4CC94D89}\NumMethods C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B1A7A4F2-47B9-4A1E-82B2-07CCD5323C3F}\TypeLib C:\Program Files\Oracle\VirtualBox\VirtualBox.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{5045C372-2E8F-4D9E-AD9D-121AB1661146}\NumMethods C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{537707F7-EBF9-4D5C-7AEA-877BFC4256BA}\TypeLib C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{DD3E2654-A161-41F1-B583-4892F4A9D5D5}\NumMethods\ = "13" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{E54F6256-97A7-4947-8A78-10C013DDF4B8}\NumMethods C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{FF5BEFC3-4BA3-7903-2AA4-43988BA11554}\NumMethods C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00F4A8DC-0002-4B81-0077-1DCB004571BA}\ProxyStubClsid32\ = "{0BB3B78C-1807-4249-5BA5-EA42D66AF0BF}" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A54D9CCA-F23F-11EA-9755-EFD0F1F792D9}\TypeLib\Version = "1.3" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{CADEF0A2-A1A9-4AC2-8E80-C049AF69DAC8}\NumMethods\ = "27" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A06FD66A-3188-4C8C-8756-1395E8CB691C}\TypeLib\ = "{D7569351-1750-46F0-936E-BD127D5BC264}" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Interface\{01ADB2D6-AEDF-461C-BE2C-99E91BDAD8A1}\ProxyStubClsid32 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Interface\{A54D9CCA-F23F-11EA-9755-EFD0F1F792D9} C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Interface\{E8F79A21-1207-4179-94CF-CA250036308F} C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Interface\{01ADB2D6-AEDF-461C-BE2C-99E91BDAD8A1} C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Interface\{4DA2DEC7-71B2-4817-9A64-4ED12C17388E}\TypeLib C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Interface\{6F89464F-7773-436A-A4DF-592E4E537FA0}\NumMethods C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{CF11D345-0241-4EA9-AC4C-C69ED3D674E3}\TypeLib\ = "{D7569351-1750-46F0-936E-BD127D5BC264}" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Interface\{AAC6C7CB-A371-4C58-AB51-0616896B2F2C}\NumMethods C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C39EF4D6-7532-45E8-96DA-EB5986AE76E4}\ProxyStubClsid32\ = "{0BB3B78C-1807-4249-5BA5-EA42D66AF0BF}" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C40C2B86-73A5-46CC-8227-93FE57D006A6}\TypeLib\ = "{D7569351-1750-46F0-936E-BD127D5BC264}" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C4B1B5F4-8CDF-4923-9EF6-B92476A84109}\ = "IUpdateAgent" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{2514881B-23D0-430A-A7FF-7ED7F05534BC}\NumMethods C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{758D7EAC-E4B1-486A-8F2E-747AE346C3E9}\ProxyStubClsid32 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8DCC633F-7B03-4F0A-9F40-7A784DD0835A}\ = "IHostAudioDeviceChangedEvent" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Interface\{E8F79A21-1207-4179-94CF-CA250036308F}\ProxyStubClsid32 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F01E8B48-F44D-42CC-8A83-512F6A8552F1}\ = "IRangedInteger64FormValue" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5BFD8965-B81B-469F-8649-F717CE97A5D5}\NumMethods C:\Program Files\Oracle\VirtualBox\VirtualBox.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{89A63ACE-0C65-11EA-AD23-0FF257C71A7F}\ = "ICloudNetworkGatewayInfo" C:\Windows\system32\msiexec.exe N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files\Oracle\VirtualBox\VirtualBox.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\VirtualBox-7.0.18-162988-Win.exe N/A
N/A N/A C:\Program Files\Oracle\VirtualBox\VirtualBox.exe N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\VirtualBox-7.0.18-162988-Win.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\VirtualBox-7.0.18-162988-Win.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\VirtualBox-7.0.18-162988-Win.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\VirtualBox-7.0.18-162988-Win.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\VirtualBox-7.0.18-162988-Win.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\VirtualBox-7.0.18-162988-Win.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Users\Admin\AppData\Local\Temp\VirtualBox-7.0.18-162988-Win.exe N/A
Token: SeTcbPrivilege N/A C:\Users\Admin\AppData\Local\Temp\VirtualBox-7.0.18-162988-Win.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\VirtualBox-7.0.18-162988-Win.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\VirtualBox-7.0.18-162988-Win.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\VirtualBox-7.0.18-162988-Win.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\VirtualBox-7.0.18-162988-Win.exe N/A
Token: SeSystemtimePrivilege N/A C:\Users\Admin\AppData\Local\Temp\VirtualBox-7.0.18-162988-Win.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Local\Temp\VirtualBox-7.0.18-162988-Win.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\VirtualBox-7.0.18-162988-Win.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\VirtualBox-7.0.18-162988-Win.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\VirtualBox-7.0.18-162988-Win.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\VirtualBox-7.0.18-162988-Win.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\VirtualBox-7.0.18-162988-Win.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\VirtualBox-7.0.18-162988-Win.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\VirtualBox-7.0.18-162988-Win.exe N/A
Token: SeAuditPrivilege N/A C:\Users\Admin\AppData\Local\Temp\VirtualBox-7.0.18-162988-Win.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\VirtualBox-7.0.18-162988-Win.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Users\Admin\AppData\Local\Temp\VirtualBox-7.0.18-162988-Win.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\VirtualBox-7.0.18-162988-Win.exe N/A
Token: SeUndockPrivilege N/A C:\Users\Admin\AppData\Local\Temp\VirtualBox-7.0.18-162988-Win.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\VirtualBox-7.0.18-162988-Win.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Users\Admin\AppData\Local\Temp\VirtualBox-7.0.18-162988-Win.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\VirtualBox-7.0.18-162988-Win.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\VirtualBox-7.0.18-162988-Win.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Users\Admin\AppData\Local\Temp\VirtualBox-7.0.18-162988-Win.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\VirtualBox-7.0.18-162988-Win.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\VirtualBox-7.0.18-162988-Win.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\VirtualBox-7.0.18-162988-Win.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\VirtualBox-7.0.18-162988-Win.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Users\Admin\AppData\Local\Temp\VirtualBox-7.0.18-162988-Win.exe N/A
Token: SeTcbPrivilege N/A C:\Users\Admin\AppData\Local\Temp\VirtualBox-7.0.18-162988-Win.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\VirtualBox-7.0.18-162988-Win.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\VirtualBox-7.0.18-162988-Win.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\VirtualBox-7.0.18-162988-Win.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\VirtualBox-7.0.18-162988-Win.exe N/A
Token: SeSystemtimePrivilege N/A C:\Users\Admin\AppData\Local\Temp\VirtualBox-7.0.18-162988-Win.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Local\Temp\VirtualBox-7.0.18-162988-Win.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\VirtualBox-7.0.18-162988-Win.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\VirtualBox-7.0.18-162988-Win.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\VirtualBox-7.0.18-162988-Win.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\VirtualBox-7.0.18-162988-Win.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\VirtualBox-7.0.18-162988-Win.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\VirtualBox-7.0.18-162988-Win.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\VirtualBox-7.0.18-162988-Win.exe N/A
Token: SeAuditPrivilege N/A C:\Users\Admin\AppData\Local\Temp\VirtualBox-7.0.18-162988-Win.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\VirtualBox-7.0.18-162988-Win.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Users\Admin\AppData\Local\Temp\VirtualBox-7.0.18-162988-Win.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\VirtualBox-7.0.18-162988-Win.exe N/A
Token: SeUndockPrivilege N/A C:\Users\Admin\AppData\Local\Temp\VirtualBox-7.0.18-162988-Win.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\VirtualBox-7.0.18-162988-Win.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Users\Admin\AppData\Local\Temp\VirtualBox-7.0.18-162988-Win.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\VirtualBox-7.0.18-162988-Win.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\VirtualBox-7.0.18-162988-Win.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Users\Admin\AppData\Local\Temp\VirtualBox-7.0.18-162988-Win.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\VirtualBox-7.0.18-162988-Win.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\VirtualBox-7.0.18-162988-Win.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\VirtualBox-7.0.18-162988-Win.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\VirtualBox-7.0.18-162988-Win.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files\Oracle\VirtualBox\VirtualBox.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 424 wrote to memory of 4616 N/A C:\Windows\system32\msiexec.exe C:\Windows\System32\MsiExec.exe
PID 424 wrote to memory of 4616 N/A C:\Windows\system32\msiexec.exe C:\Windows\System32\MsiExec.exe
PID 424 wrote to memory of 3184 N/A C:\Windows\system32\msiexec.exe C:\Windows\system32\srtasks.exe
PID 424 wrote to memory of 3184 N/A C:\Windows\system32\msiexec.exe C:\Windows\system32\srtasks.exe
PID 424 wrote to memory of 3344 N/A C:\Windows\system32\msiexec.exe C:\Windows\System32\MsiExec.exe
PID 424 wrote to memory of 3344 N/A C:\Windows\system32\msiexec.exe C:\Windows\System32\MsiExec.exe
PID 424 wrote to memory of 4188 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 424 wrote to memory of 4188 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 424 wrote to memory of 4188 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 424 wrote to memory of 4972 N/A C:\Windows\system32\msiexec.exe C:\Windows\System32\MsiExec.exe
PID 424 wrote to memory of 4972 N/A C:\Windows\system32\msiexec.exe C:\Windows\System32\MsiExec.exe
PID 3552 wrote to memory of 3124 N/A C:\Windows\system32\svchost.exe C:\Windows\system32\DrvInst.exe
PID 3552 wrote to memory of 3124 N/A C:\Windows\system32\svchost.exe C:\Windows\system32\DrvInst.exe
PID 424 wrote to memory of 4804 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 424 wrote to memory of 4804 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 424 wrote to memory of 4804 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 3552 wrote to memory of 4908 N/A C:\Windows\system32\svchost.exe C:\Windows\system32\DrvInst.exe
PID 3552 wrote to memory of 4908 N/A C:\Windows\system32\svchost.exe C:\Windows\system32\DrvInst.exe
PID 3552 wrote to memory of 1012 N/A C:\Windows\system32\svchost.exe C:\Windows\system32\DrvInst.exe
PID 3552 wrote to memory of 1012 N/A C:\Windows\system32\svchost.exe C:\Windows\system32\DrvInst.exe
PID 2528 wrote to memory of 3464 N/A C:\Users\Admin\AppData\Local\Temp\VirtualBox-7.0.18-162988-Win.exe C:\Program Files\Oracle\VirtualBox\VirtualBox.exe
PID 2528 wrote to memory of 3464 N/A C:\Users\Admin\AppData\Local\Temp\VirtualBox-7.0.18-162988-Win.exe C:\Program Files\Oracle\VirtualBox\VirtualBox.exe

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\VirtualBox-7.0.18-162988-Win.exe

"C:\Users\Admin\AppData\Local\Temp\VirtualBox-7.0.18-162988-Win.exe"

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Windows\System32\MsiExec.exe

C:\Windows\System32\MsiExec.exe -Embedding FA6D6A135EC3275B5BAE5803823096BF C

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\srtasks.exe

C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2

C:\Windows\System32\MsiExec.exe

C:\Windows\System32\MsiExec.exe -Embedding 90CB6E367090ED2BEC232FA0AFC06FC1

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding EEEED849BDC03DCAAEDCE23F97CEE6A9

C:\Windows\System32\MsiExec.exe

C:\Windows\System32\MsiExec.exe -Embedding EFBB24C7EF95813B082674AF7683F894 E Global\MSI0000

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k DcomLaunch -p -s DeviceInstall

C:\Windows\system32\DrvInst.exe

DrvInst.exe "4" "1" "C:\Program Files\Oracle\VirtualBox\drivers\USB\device\VBoxUSB.inf" "9" "48f6bcb47" "0000000000000154" "WinSta0\Default" "0000000000000164" "208" "C:\Program Files\Oracle\VirtualBox\drivers\USB\device"

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding 8D6F2CAA08BC00DCC3DC3CF4E9DD20C5 M Global\MSI0000

C:\Windows\system32\DrvInst.exe

DrvInst.exe "4" "1" "C:\Program Files\Oracle\VirtualBox\drivers\network\netadp6\VBoxNetAdp6.inf" "9" "473b17b7b" "000000000000010C" "WinSta0\Default" "0000000000000168" "208" "C:\Program Files\Oracle\VirtualBox\drivers\network\netadp6"

C:\Windows\system32\DrvInst.exe

DrvInst.exe "4" "1" "C:\Program Files\Oracle\VirtualBox\drivers\network\netlwf\VBoxNetLwf.inf" "9" "431e52bcb" "0000000000000168" "WinSta0\Default" "0000000000000178" "208" "C:\Program Files\Oracle\VirtualBox\drivers\network\netlwf"

C:\Program Files\Oracle\VirtualBox\VirtualBox.exe

"C:\Program Files\Oracle\VirtualBox\VirtualBox.exe"

C:\Program Files\Oracle\VirtualBox\VBoxSVC.exe

"C:\Program Files\Oracle\VirtualBox\VBoxSVC.exe" -Embedding

C:\Program Files\Oracle\VirtualBox\VBoxSDS.exe

"C:\Program Files\Oracle\VirtualBox\VBoxSDS.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 b.3.9.0.b.c.5.d.2.0.f.9.8.7.5.d.0.0.0.0.0.0.0.0.0.0.0.0.0.8.e.f.ip6.arpa udp
US 8.8.8.8:53 74.19.199.152.in-addr.arpa udp
N/A 255.255.255.255:67 udp
US 8.8.8.8:53 1.56.168.192.in-addr.arpa udp
US 8.8.8.8:53 255.56.168.192.in-addr.arpa udp
N/A 224.0.0.251:5353 udp

Files

C:\Users\Admin\AppData\Local\Temp\MSI8CDE.tmp

MD5 d045098c42378ebe26f6da17977551ee
SHA1 80a93acee96419dd9c44d0d15d7518aea21f782a
SHA256 92b89b56400e8d01a813513ef8af685fb23adcaba49d7775853e650266b2f63a
SHA512 9e110110c6ec6aa43e64069744901c955ac90253a036b9837d2e0150c5da97cb8f927db4a36e9f289684c3b91724a4d93aa189a3fde9d06d07d62dd4b8c08a35

\??\Volume{453a990c-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{17cb499b-a315-4ce0-b85b-fd6a4d55cfb3}_OnDiskSnapshotProp

MD5 b0fe8f3c958e92f528c78e1fc7624aec
SHA1 8dd4ba9ab61968bb53342a4991d269cea4b6cb57
SHA256 a16771cf7e0c1eb62fe8fc29dbd58eb2969550cea3acca412cf5b197eee42541
SHA512 31f148d36946a50f82a9ec53b7e97f29bd8451b51fcc6bbe48d0acbed89915750ef3f45e4655231a88b2fd86f5a209bea376dcd714a5824f10534029425f40bd

\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

MD5 d87327d0dfd235de9d0483c9d8f0967d
SHA1 9b514f65d447cf1b480a43b82795a608f2e7c0f4
SHA256 84ec19c2f796aa2d55888edab6af1743d05324f2b4ab592b544d5aa0583fffe7
SHA512 12df72e0cd431cab78888bfc0f226b3fcf61dbdc5ff9bdcacd91befabe9a8589cc67ea3fc74c50e08afaa6df61cae17cb30cb4089fef341a0d171e912f827446

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB

MD5 cc51fb79bd21243ac498b54da8e2a21c
SHA1 9d10aab72fcd89cce3f1f1742d053c9ea60cde95
SHA256 d8f234a198f1e7fce24a823b3d0176d228418f0a91d65fb2b1274cded335f848
SHA512 e6e729ded383205f14f6514b3de0400d9c89cd8acdabe71d9cd9a272f607efdf73ee3b0dc89fed7e538f7b67dc1a42d86525c115fde4b139379cf6eeb6c34f35

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB

MD5 872a1f94ee3eec12def97c9e437c4d9f
SHA1 f61fd955c0a533fc5404b19476804ef8e2523206
SHA256 757b2057febaa6ed1a8585525d48e6238711b1fd334091c1385d5d265c44fe20
SHA512 7be41e53df2b9fc06467564dc5d1f63a7bfb4545841223e15186c00bf574d82c81d465ba0a856aa210d8589f6a3039bb1d1735f59bfb61af41719958aa187d33

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141

MD5 7e0ef0efadc88753665392f7f2f0b91a
SHA1 9cd0c8bd9dddd0d579331c54a5da57011c39f522
SHA256 ffb860a5beda6b34accc16e573415225296727964d5d587f52907e8a4f10025d
SHA512 24572e84441d1156a14c43202c5d310df85eaecf8191d251bf94fe3b283899cc7922072b1fcd0e454a6be344ffab1e35c2d40902ad785d1e36386d06320edd51

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141

MD5 d90b241db1039fd2122e2386d692427e
SHA1 eb2e224d6205d90df1101b024c8234369ef24654
SHA256 7c81c821d465fe2e0584934503d4006e8fb18f3f4ae6a6cc46ef418641de85aa
SHA512 dafe924d6e81d03e90a89922ae2e68957f4425483f096192004d52cf0dde217ce56d49c76ceb14bda8bf64b2d5c2039318be6818d00a9a638374ca1434ea2522

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EC9B1D0ABBD7F98B401D425828828CE_D2F6556190F7B1A25A117FFB5467EEBD

MD5 e9630eddcf798c9b9f17d3ab17b7b328
SHA1 0531a5f5e55ed4dd019a33adf0500a2ab6df20a7
SHA256 5a706f02d55d11fb1ae6c99d25241e8399c800d5262e82f0edc837e6c21aa019
SHA512 5f807f19dea1fdcf49fdd5f9b4e78fa1e714f0fa65d46e469a3c4fb9ef74cfb81f6fbd2db606fefb76c125f3ce788cc427fd194954468183c23cc4373c52e07e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8EC9B1D0ABBD7F98B401D425828828CE_D2F6556190F7B1A25A117FFB5467EEBD

MD5 28f06a492e308192a4b781a9a35b4f60
SHA1 c02f78c84c0959ce07227301cb5d75acfa493242
SHA256 dab94e437880b56506b49dfc948bba5a31622ee9520d79570b2e185f543ed2f1
SHA512 122e5305b69658e41b85c8ed369cc27d19dfc77e5b27527e9c6708f4a6b4d9bf5cf7213f70bb29c639297e0bb7941e573e3dcdaaad0bfd4c828168bdb274334e

C:\Windows\Installer\MSIB8B0.tmp

MD5 8edc1557e9fc7f25f89ad384d01bcec4
SHA1 98e64d7f92b8254fe3f258e3238b9e0f033b5a9c
SHA256 78860e15e474cc2af7ad6e499a8971b6b8197afb8e49a1b9eaaa392e4378f3a5
SHA512 d26c9dce3c3d17583ffb5dbcd3989f93b096a7f64a37a2701a474c1bf4b8c8b1e922c352d33f24e411f1c793e1b4af11a3aec1de489087d481b1b636df2050cd

C:\Windows\Installer\MSIBC8C.tmp

MD5 418322f7be2b68e88a93a048ac75a757
SHA1 09739792ff1c30f73dacafbe503630615922b561
SHA256 ea5d4b4c7e7be1ce24a614ae1e31a58bcae6f1694dd8bfb735cf47d35a08d59b
SHA512 253f62f5ce75df3e9ac3c62e2f06f30c7c6de6280fbfc830cdd15bf29cb8ee9ed878212f6df5d0ac6a5c9be0e6259f900eccee472a890f15dd3ff1f84958aeef

C:\Windows\Installer\MSIC7F9.tmp

MD5 8deb7d2f91c7392925718b3ba0aade22
SHA1 fc8e9b10c83e16eb0af1b6f10128f5c37b389682
SHA256 cb42fac1aebb6e1ac4907a38035b218b5f992d1bcd4dece11b1664a588e876e4
SHA512 37f2c132b632c8e5a336bdc773d953c7f39872b1bae2ba34fbaf7794a477fd0dcb9ff60a3ddb447fe76abd98e557bd5ee544876584adea152b0841b3e313054c

C:\Program Files\Oracle\VirtualBox\drivers\vboxsup\VBoxSup.inf

MD5 18344eb15d0a3efb7b72eb6e75b18811
SHA1 9f88f5eac5bb5e9a9b6894d1d78ee0887bd94dd8
SHA256 80e3772271bf6f6c35062e6e163d81392cfc65b837f638f2ca4808429909cd91
SHA512 10458bace0531bba2296bc50fd9e2dba339abb1e04ed8601f958472502552010fb8f5b58b6a351dd51245d056fa2abbf8ea176a21ae051e8e2a4bd3b314add90

C:\Program Files\Oracle\VirtualBox\drivers\vboxsup\VBoxSup.cat

MD5 e881b08efbf1537d69492e92d0053bc4
SHA1 c1568b0197f11f03068219f1fc3418496ea5f1e1
SHA256 5d2b1de4402457fd908ef206bde69a6213dc9d7252a91db83fe3861675479484
SHA512 9e0030a0a92c9fd2e7c120f143b6ce734c521038e3d0ddb30c1c7ae9f2992c48b82c5a6d77cff603b1a459505e3ee3450fb5c175e275ed6986a268990f76b1e3

C:\Program Files\Oracle\VirtualBox\drivers\vboxsup\VBoxSup.sys

MD5 8dc26c500f411c68a1cbd2523fe85dfc
SHA1 c43446b2005130ad83579132c979def6841ff43f
SHA256 5eddb05714b93fcbf3d9dc9210f2e29a7d49d738fecb63f89021a2b17cebc382
SHA512 78974b608dc671eff7f1d7b31435d3bda4bb7897f8dd835b265cbf4d8a5f1367f1f7e09b387d1199046a44797bac5d180f488400a35d2946373b1f9fa576d0a4

C:\Program Files\Oracle\VirtualBox\drivers\USB\filter\VBoxUSBMon.inf

MD5 07bbbda4185e4ee2acc39cbbf3587d39
SHA1 690d99470d0611e5d4341f78d468354e24516b45
SHA256 4ca28bcb2f7a024df37830aa6314d2f6c0fc0ec6b46231a9255abb32a39502ac
SHA512 ed55425344f5158b0e5ad46228a223bfebd246df32ef628c177d514b8e3677c4e12ac4d64f5989329f6283cecf1a5f3a7f5516296ed0dbeec703cb71cc0985e4

C:\Program Files\Oracle\VirtualBox\drivers\USB\filter\VBoxUSBMon.cat

MD5 af2bb27f5dd42782f344a03672ea428c
SHA1 76c300885a3bef8eb122594dd2b3d02a309d39c3
SHA256 34450ab69b7ae1d286c1dc6a7aae1a82647d37c4a18c3222a8a7db975cd99b52
SHA512 c88a10298b6bcbdb43fcb2a974525b715d6b8f14d352298c923988ef57cd6736634a7a9649320bf2a6464a5c89325fb4bb0d8080f6a5c12008dd17a9f50412af

C:\Program Files\Oracle\VirtualBox\drivers\USB\filter\VBoxUSBMon.sys

MD5 6bc9768cdd545c056faeaa153e73c686
SHA1 8dbfeff04cb7a6a32f3f2a09fbbfaff31dd34792
SHA256 2e19d29e7e6b1d1a9093eb7f0bd2e2825ed08785d6042b90e3748f3d087e59c9
SHA512 7b4e293dd8c1e7cb466d71c5a2b98814ebc973d717e46fcf5e63dcde925d9905fd5ec87f729c1feace5baba74eef9a8a769b47e191df6651d1122432fb8e6739

C:\Program Files\Oracle\VirtualBox\drivers\USB\device\VBoxUSB.inf

MD5 35806a0ffff129546450cdcaffafc06b
SHA1 11251df1fbe7ab027059768154077eb985cca790
SHA256 66a137a1a716e2d673666e74074b69b6f68f46072b359b4c17fee5055a3b98f3
SHA512 ac3d4a434b75b22d3334c9e7c6dd2be51e55d5439c78b8e05c83ce84da78016d111a95f3890f950de57431b03cfc136fce7563ef7931b3e1724ada6f19defc4d

C:\PROGRA~1\Oracle\VIRTUA~1\drivers\USB\device\VBoxUSB.cat

MD5 e01c0f59ee96483ee31dd70fb1218795
SHA1 4dc98fcfa6dffdcc9fdb9733b58a0cfbb0957e39
SHA256 775427086b53136855c0d6b65bf32412a06c92155e67351033cc4ff8be565d49
SHA512 2ac8c7363fa40f5c2dc4e1e69905670ec890506b2cac7ba6b8ecfd1ed0b7abb65d252c3c2982c829393e3dea1712b5a2cf2dc728d49c36ebedc431f0eaca1a3d

C:\PROGRA~1\Oracle\VIRTUA~1\drivers\USB\device\VBoxUSB.sys

MD5 1f50fa5bf6487796d2913e78ed8cb8b0
SHA1 8be143b0a7d6963e9ab911cfba9d3e4ec508f368
SHA256 d38854405d1b7e9602bc288e2db9b8492d82f14410b44f655f5505ba9e41aa90
SHA512 bfebbd90662901ea80a2f7eff4446c02bd0549f823b310908fc4e2e11b8cc370fc70a0da6945aa4335de81d61dd95980cd3a7bd58acdd06b015d5b4e163c6a29

C:\Windows\System32\CatRoot2\dberr.txt

MD5 f48b3781fc7ebe97071b5dca008b85bf
SHA1 9fbecc6afd55cf20b3a65c9106122513f74acc87
SHA256 de3edb35bb07f89715ecec15131e3402ad1279e2835826639494ff63e10ac5f4
SHA512 78856df1a80c64ef90266234f36e1998e551f0e381df36fa32cf5bce82f7b3dd92aa6c051a5c806549f3bdedf66225ad436059204d39d9269022ac4d79c226d4

C:\Windows\System32\CatRoot2\dberr.txt

MD5 5a7bffa5bc25ae7038d02653d1740fcf
SHA1 ea1504c9301fb50ad59ae6a45a213d54bcbbe844
SHA256 32f50af16a2a1e610c71c4eb15ff044bb30471cbc44a5e384032cbbccb7fb1dc
SHA512 b6487289a8cef6a638b42f2d7bf480814dc3d9efb65bdd7b1feb0805f536bc6a5742de54adfb3a2b915572de59a9ddd44d8e9c5a3bf4d636d3e7cb84a5f86988

C:\Program Files\Oracle\VirtualBox\VirtualBox.exe

MD5 798dda25ae933ec87d20974df6b998c7
SHA1 28f97c07cb49b679ca71d415067987f339097631
SHA256 6c7420e68eb52e3d998b953b1c004496878bf151a147dc66e2211c8ec29599b5
SHA512 e8ba3d3db8f19be0417057294cbc4526d5af064171c0ffd9fde5b9ab2c81af830101a9753c18a3ead4939daf4c0c91ad2af635d8582c26c276fadb6d36e244f6

C:\Program Files\Oracle\VirtualBox\VBoxProxyStub.dll

MD5 bfd6b0969fa03a7d0559d226cb227a1c
SHA1 b68951fffc275c680577f8389f15bb1031c5a5a8
SHA256 895cd205aa5d3b046203e9c019f1b5bd0a9fd0dd2f2400f2211d79cc38a3f324
SHA512 a95ce7b5e9ea076cfb63af8026013fcb3bab5d6ab72e850c6af383a9ee940073f01bf3225ddc4a4ea28accc742e6ad3b22767c518785e567644fe15490ec4db2

C:\Program Files\Oracle\VirtualBox\x86\VBoxProxyStub-x86.dll

MD5 7234da69902f8d9af9e20a20919a786b
SHA1 dc7f87dca6f3ae2ae56cb519cb7cb7a746ce8a31
SHA256 217e2e07b15ed0a57ce536821292139ce3326cd158892a5eb474157fe6c51918
SHA512 3bdf2a04fe263f4e38a14057cf4ab6887e2b72fd58b23cbb984a914ea13a9a2ffe633e7cb79dcd1072e3aa58e9b5250b542fe01486ed5a5a4350a62eff4a9414

C:\Program Files\Oracle\VirtualBox\drivers\network\netadp6\VBoxNetAdp6.inf

MD5 4dee77e6d95b41afa3cf5582706438d7
SHA1 7e6914f9ca78d2b0022f1ba5db083a72165b3cda
SHA256 81ac95d678978f9f82dccebe5887f52a9660a729f564698af7a4253e29032a88
SHA512 7a3cf6a9d64ab9456206a066eb89968d64f9b459e5e7947c6201c25722e6122bfd8f2d24bdc57338db149a81f3e68cc3b3b9ac085059fe4cff1d9674903f1eb7

C:\Windows\System32\DriverStore\Temp\{c66b785a-b94c-054c-ad4b-cc6d0e3edb46}\VBoxNetAdp6.cat

MD5 d8ca5a996bf2d542fc111586aa122cd7
SHA1 002d5343fb1a35283f231d5d6d5f3537602ff94e
SHA256 d2d1296289411c8c469312a9569549ba24f4b2d3d525047fded6b4cd178154af
SHA512 d0e1617f91ebf93488a949d6f8548f0721b66786ef9788e176d5f2aa4daf84e0aeafaad097c22c8dd0f77f560f7cba2f597c7deef13abb0593d337f1d8652cf7

C:\Windows\System32\DriverStore\Temp\{c66b785a-b94c-054c-ad4b-cc6d0e3edb46}\VBoxNetAdp6.sys

MD5 dd03fbee01f74530584061fe46a3aee5
SHA1 49177c7d906c66b322499eaef9b26a0ba36e060e
SHA256 44f9d678b6018602bf200772ac5588c2003ae9f413a5a5ef53fb73a70f0fe0be
SHA512 4cf701d356a9ae529618e69fc1d9ae518dd20a2d3469f90d5b379f84b748dff4703ddc56e5c9bcc7f44f201bcc422b761b7313e09399f52ec0d2614e5e996dad

C:\Windows\System32\DriverStore\Temp\{16f8d9dc-099f-3b4b-a549-84c88b809843}\VBoxNetLwf.inf

MD5 7cf28d3145d8b0f9cdde7f94a8729e03
SHA1 0cc9adc8322fe07ce03dd1e7e91a276a953fbefe
SHA256 2585f5715d6a5ebf1e0ae04f11408bdded6789f677a6c4cc7111cf418a296c85
SHA512 7b234e92235bf2422020da65cfcf9c05a884057e921befeda5c61cf0116e6bc549a06b53cec641e31b07bd378f711ad9911e74f0dece057d2660689438c138f9

C:\Windows\System32\DriverStore\Temp\{16f8d9dc-099f-3b4b-a549-84c88b809843}\VBoxNetLwf.cat

MD5 60b2f9f910c1458e203a34fbcf0e1915
SHA1 10f1ea3e3ce1fc54d45d1ee2c9fe56e4a2b5dc1f
SHA256 73eb94e2977c6b32799037de23da54adbd0f61d5c585dd1b65368c863e98fa7c
SHA512 5514903acd301a6d865f37a3b8f8ec90d3b4846e5fc28a1372aa3af5e4201ab8011e1eedf1cf9e88809276bfeeac41b8ab33eea6a5c9b56991451105aae207c4

C:\Windows\System32\DriverStore\Temp\{16f8d9dc-099f-3b4b-a549-84c88b809843}\VBoxNetLwf.sys

MD5 98c5be1edffae7850132d9950e8ed658
SHA1 3a04c50447bc8e8cf4f72fa3a21ac66e952dc19f
SHA256 be8c1e532b226bc5882d62eeed88dfb45a230cf6f78dc65a3ae1de3b142cb171
SHA512 7d1d3209fa2bd2123584ec4776ecb5e5e1ff1b239d5d35532cda0c60f26122faa74b0ab3c7e30ed31efc5ebc0d3a134604e2af4d1c8a72068776f6b71376f498

C:\Config.Msi\e58b34e.rbs

MD5 0f17979ccf3c794bfc8a34dafe6bb2aa
SHA1 4469a20717e7477121e4956d2c593b149a31910e
SHA256 6cc0062eedcbf0290924ee2bf48a5670e9904c9eef84e28a61fde8cb9e74f48a
SHA512 81a7a0dfe92d92517b32d8e789ee94122b1522f38fc3d5ba16d4513fe37da015a6ec142d6914b186823b317b26207bc30f6693207e3f1c60b987e2f43caccc91

memory/3464-554-0x00007FFCDE140000-0x00007FFCDE681000-memory.dmp

memory/3464-552-0x00007FF7E3580000-0x00007FF7E3804000-memory.dmp

memory/3464-553-0x00007FFCDF9E0000-0x00007FFCE15BE000-memory.dmp

C:\Users\Admin\.VirtualBox\VirtualBox.xml

MD5 d9d28bd2ef7192fb0efb99607d7a0807
SHA1 7fb6f32f1c0f227118613dd7779e1bf0a6e2ce4a
SHA256 dad710b076d96b3de34a58363a3241935bfe205b7240ce57f9d85bf2058e6dd5
SHA512 e058987d5fd8ea6cd3c3081c7ac45ce1e3719c4a38b46390133b19539fad35a0d8ad699023a3d934d18e3356cb6def62bd197b5a32ad496b620469c55d9efb13