Analysis Overview
SHA256
4c83894c00aa9f55f7e0f70807210896ba32e1222d4ff1d0b9487af81f328f36
Threat Level: Likely malicious
The file VirtualBox-7.0.18-162988-Win.exe was found to be: Likely malicious.
Malicious Activity Summary
Drops file in Drivers directory
Enumerates connected drives
Drops file in System32 directory
Drops file in Program Files directory
Loads dropped DLL
Drops file in Windows directory
Executes dropped EXE
Registers COM server for autorun
Checks SCSI registry key(s)
Suspicious behavior: GetForegroundWindowSpam
Modifies registry class
Suspicious use of AdjustPrivilegeToken
Uses Volume Shadow Copy service COM API
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
Suspicious behavior: AddClipboardFormatListener
Modifies data under HKEY_USERS
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-05-31 15:50
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-31 15:49
Reported
2024-05-31 15:52
Platform
win11-20240508-en
Max time kernel
99s
Max time network
111s
Command Line
Signatures
Drops file in Drivers directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\system32\DRIVERS\SETE3D6.tmp | C:\Windows\System32\MsiExec.exe | N/A |
| File created | C:\Windows\system32\DRIVERS\SETE3D6.tmp | C:\Windows\System32\MsiExec.exe | N/A |
| File opened for modification | C:\Windows\system32\DRIVERS\SETC87B.tmp | C:\Windows\System32\MsiExec.exe | N/A |
| File created | C:\Windows\system32\DRIVERS\SETC87B.tmp | C:\Windows\System32\MsiExec.exe | N/A |
| File opened for modification | C:\Windows\system32\DRIVERS\VBoxSup.sys | C:\Windows\System32\MsiExec.exe | N/A |
| File opened for modification | C:\Windows\system32\DRIVERS\SETDD2E.tmp | C:\Windows\System32\MsiExec.exe | N/A |
| File opened for modification | C:\Windows\system32\DRIVERS\VBoxNetAdp6.sys | C:\Windows\System32\MsiExec.exe | N/A |
| File opened for modification | C:\Windows\system32\DRIVERS\VBoxNetLwf.sys | C:\Windows\System32\MsiExec.exe | N/A |
| File opened for modification | C:\Windows\system32\DRIVERS\SETC9D4.tmp | C:\Windows\System32\MsiExec.exe | N/A |
| File created | C:\Windows\system32\DRIVERS\SETC9D4.tmp | C:\Windows\System32\MsiExec.exe | N/A |
| File opened for modification | C:\Windows\system32\DRIVERS\VBoxUSBMon.sys | C:\Windows\System32\MsiExec.exe | N/A |
| File created | C:\Windows\system32\DRIVERS\SETDD2E.tmp | C:\Windows\System32\MsiExec.exe | N/A |
Enumerates connected drives
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\System32\DriverStore\Temp\{94ecdc25-a53f-e24e-ab5a-c9d5c4b98847}\VBoxUSB.inf | C:\Windows\system32\DrvInst.exe | N/A |
| File created | C:\Windows\System32\DriverStore\Temp\{94ecdc25-a53f-e24e-ab5a-c9d5c4b98847}\SETCAEE.tmp | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\Temp\{94ecdc25-a53f-e24e-ab5a-c9d5c4b98847} | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\Temp\{c66b785a-b94c-054c-ad4b-cc6d0e3edb46}\SETDBE5.tmp | C:\Windows\system32\DrvInst.exe | N/A |
| File created | C:\Windows\System32\DriverStore\drvstore.tmp | C:\Windows\system32\DrvInst.exe | N/A |
| File created | C:\Windows\System32\DriverStore\FileRepository\netbrdg.inf_amd64_3debe5e78bab1bca\netbrdg.PNF | C:\Windows\System32\MsiExec.exe | N/A |
| File created | C:\Windows\System32\DriverStore\FileRepository\c_netservice.inf_amd64_bc519c177a90877a\c_netservice.PNF | C:\Windows\System32\MsiExec.exe | N/A |
| File created | C:\Windows\System32\DriverStore\Temp\{94ecdc25-a53f-e24e-ab5a-c9d5c4b98847}\SETCAED.tmp | C:\Windows\system32\DrvInst.exe | N/A |
| File created | C:\Windows\System32\DriverStore\FileRepository\netpacer.inf_amd64_8074ac14f1ab2957\netpacer.PNF | C:\Windows\System32\MsiExec.exe | N/A |
| File opened for modification | C:\Windows\System32\CatRoot2\dberr.txt | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\Temp\{16f8d9dc-099f-3b4b-a549-84c88b809843}\SETE1E0.tmp | C:\Windows\system32\DrvInst.exe | N/A |
| File created | C:\Windows\System32\DriverStore\Temp\{16f8d9dc-099f-3b4b-a549-84c88b809843}\SETE1E0.tmp | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\Temp\{16f8d9dc-099f-3b4b-a549-84c88b809843}\SETE1F1.tmp | C:\Windows\system32\DrvInst.exe | N/A |
| File created | C:\Windows\System32\DriverStore\Temp\{94ecdc25-a53f-e24e-ab5a-c9d5c4b98847}\SETCAEC.tmp | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\Temp\{94ecdc25-a53f-e24e-ab5a-c9d5c4b98847}\VBoxUSB.sys | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\FileRepository\vboxusb.inf_amd64_c50c384d0cbfb450\VBoxUSB.cat | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\Temp\{16f8d9dc-099f-3b4b-a549-84c88b809843}\VBoxNetLwf.cat | C:\Windows\system32\DrvInst.exe | N/A |
| File created | C:\Windows\System32\DriverStore\Temp\{16f8d9dc-099f-3b4b-a549-84c88b809843}\SETE1F1.tmp | C:\Windows\system32\DrvInst.exe | N/A |
| File created | C:\Windows\system32\config\systemprofile\AppData\Roaming\VirtualBox\VBoxSDS.log | C:\Program Files\Oracle\VirtualBox\VBoxSDS.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\Temp\{94ecdc25-a53f-e24e-ab5a-c9d5c4b98847}\SETCAED.tmp | C:\Windows\system32\DrvInst.exe | N/A |
| File created | C:\Windows\System32\DriverStore\FileRepository\vboxnetlwf.inf_amd64_c7737e90db5729fb\vboxnetlwf.PNF | C:\Windows\System32\MsiExec.exe | N/A |
| File opened for modification | C:\Windows\system32\DRVSTORE\VBoxSup_C1568B0197F11F03068219F1FC3418496EA5F1E1\VBoxSup.inf | C:\Windows\System32\MsiExec.exe | N/A |
| File created | C:\Windows\System32\DriverStore\drvstore.tmp | C:\Windows\system32\DrvInst.exe | N/A |
| File created | C:\Windows\System32\DriverStore\FileRepository\netnb.inf_amd64_10acfa4b924dd181\netnb.PNF | C:\Windows\System32\MsiExec.exe | N/A |
| File created | C:\Windows\System32\DriverStore\Temp\{c66b785a-b94c-054c-ad4b-cc6d0e3edb46}\SETDBE5.tmp | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\Temp\{c66b785a-b94c-054c-ad4b-cc6d0e3edb46} | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\FileRepository\vboxnetlwf.inf_amd64_c7737e90db5729fb\VBoxNetLwf.sys | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\FileRepository\vboxnetlwf.inf_amd64_c7737e90db5729fb\VBoxNetLwf.cat | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\System32\CatRoot2\dberr.txt | C:\Windows\system32\DrvInst.exe | N/A |
| File created | C:\Windows\system32\DRVSTORE\VBoxUSBMon_76C300885A3BEF8EB122594DD2B3D02A309D39C3\VBoxUSBMon.sys | C:\Windows\System32\MsiExec.exe | N/A |
| File created | C:\Windows\system32\DRVSTORE\VBoxUSBMon_76C300885A3BEF8EB122594DD2B3D02A309D39C3\VBoxUSBMon.cat | C:\Windows\System32\MsiExec.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\Temp\{94ecdc25-a53f-e24e-ab5a-c9d5c4b98847}\VBoxUSB.cat | C:\Windows\system32\DrvInst.exe | N/A |
| File created | C:\Windows\System32\DriverStore\drvstore.tmp | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\System32\CatRoot2\dberr.txt | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\Temp\{c66b785a-b94c-054c-ad4b-cc6d0e3edb46}\SETDBD4.tmp | C:\Windows\system32\DrvInst.exe | N/A |
| File created | C:\Windows\System32\DriverStore\Temp\{c66b785a-b94c-054c-ad4b-cc6d0e3edb46}\SETDBD4.tmp | C:\Windows\system32\DrvInst.exe | N/A |
| File created | C:\Windows\System32\DriverStore\Temp\{c66b785a-b94c-054c-ad4b-cc6d0e3edb46}\SETDBF6.tmp | C:\Windows\system32\DrvInst.exe | N/A |
| File created | C:\Windows\system32\DRVSTORE\VBoxSup_C1568B0197F11F03068219F1FC3418496EA5F1E1\VBoxSup.sys | C:\Windows\System32\MsiExec.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\Temp\{c66b785a-b94c-054c-ad4b-cc6d0e3edb46}\VBoxNetAdp6.sys | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\Temp\{16f8d9dc-099f-3b4b-a549-84c88b809843}\VBoxNetLwf.inf | C:\Windows\system32\DrvInst.exe | N/A |
| File created | C:\Windows\system32\DRVSTORE\VBoxSup_C1568B0197F11F03068219F1FC3418496EA5F1E1\VBoxSup.cat | C:\Windows\System32\MsiExec.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\Temp\{94ecdc25-a53f-e24e-ab5a-c9d5c4b98847}\SETCAEC.tmp | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\Temp\{c66b785a-b94c-054c-ad4b-cc6d0e3edb46}\VBoxNetAdp6.cat | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\system32\DRVSTORE | C:\Windows\System32\MsiExec.exe | N/A |
| File created | C:\Windows\System32\DriverStore\FileRepository\vboxusb.inf_amd64_c50c384d0cbfb450\VBoxUSB.PNF | C:\Windows\System32\MsiExec.exe | N/A |
| File created | C:\Windows\System32\DriverStore\FileRepository\netrass.inf_amd64_72f156a5ee3f59e8\netrass.PNF | C:\Windows\System32\MsiExec.exe | N/A |
| File created | C:\Windows\System32\DriverStore\FileRepository\netnwifi.inf_amd64_0525128a3d54207e\netnwifi.PNF | C:\Windows\System32\MsiExec.exe | N/A |
| File created | C:\Windows\system32\DRVSTORE\VBoxSup_C1568B0197F11F03068219F1FC3418496EA5F1E1\VBoxSup.inf | C:\Windows\System32\MsiExec.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\FileRepository\vboxnetadp6.inf_amd64_108aa80dcbfa6952\VBoxNetAdp6.cat | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\Temp\{16f8d9dc-099f-3b4b-a549-84c88b809843}\VBoxNetLwf.sys | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\FileRepository\vboxnetlwf.inf_amd64_c7737e90db5729fb\VBoxNetLwf.inf | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\Temp\{c66b785a-b94c-054c-ad4b-cc6d0e3edb46}\VBoxNetAdp6.inf | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\Temp\{16f8d9dc-099f-3b4b-a549-84c88b809843} | C:\Windows\system32\DrvInst.exe | N/A |
| File created | C:\Windows\System32\DriverStore\FileRepository\ndiscap.inf_amd64_d34968d7b3e6da21\ndiscap.PNF | C:\Windows\System32\MsiExec.exe | N/A |
| File created | C:\Windows\System32\DriverStore\FileRepository\netserv.inf_amd64_56c163d21e8c2b62\netserv.PNF | C:\Windows\System32\MsiExec.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\Temp\{16f8d9dc-099f-3b4b-a549-84c88b809843}\SETE1D0.tmp | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\Temp\{c66b785a-b94c-054c-ad4b-cc6d0e3edb46}\SETDBF6.tmp | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\FileRepository\vboxnetadp6.inf_amd64_108aa80dcbfa6952\VBoxNetAdp6.sys | C:\Windows\system32\DrvInst.exe | N/A |
| File created | C:\Windows\System32\DriverStore\FileRepository\netvwififlt.inf_amd64_882899f2b1006416\netvwififlt.PNF | C:\Windows\System32\MsiExec.exe | N/A |
| File created | C:\Windows\system32\DRVSTORE\VBoxUSBMon_76C300885A3BEF8EB122594DD2B3D02A309D39C3\VBoxUSBMon.inf | C:\Windows\System32\MsiExec.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\FileRepository\vboxusb.inf_amd64_c50c384d0cbfb450\VBoxUSB.inf | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\FileRepository\vboxnetadp6.inf_amd64_108aa80dcbfa6952\VBoxNetAdp6.inf | C:\Windows\system32\DrvInst.exe | N/A |
| File created | C:\Windows\System32\DriverStore\FileRepository\wfpcapture.inf_amd64_54cf91ab0e4c9ac2\wfpcapture.PNF | C:\Windows\System32\MsiExec.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\Temp\{94ecdc25-a53f-e24e-ab5a-c9d5c4b98847}\SETCAEE.tmp | C:\Windows\system32\DrvInst.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files\Oracle\VirtualBox\Qt5WinExtrasVBox.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files\Oracle\VirtualBox\VBoxGuestAdditions.iso | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files\Oracle\VirtualBox\VMMR0.r0 | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files\Oracle\VirtualBox\nls\qt_ca.qm | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files\Oracle\VirtualBox\UnattendedTemplates\redhat_postinstall.sh | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files\Oracle\VirtualBox\UnattendedTemplates\rhel5_ks.cfg | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files\Oracle\VirtualBox\VBoxTestOGL.exe | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files\Oracle\VirtualBox\nls\qt_ru.qm | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files\Oracle\VirtualBox\nls\qt_zh_CN.qm | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files\Oracle\VirtualBox\UnattendedTemplates\rhel4_ks.cfg | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files\Oracle\VirtualBox\sdk\install\vboxapi\__init__.py | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files\Oracle\VirtualBox\UserManual.qch | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files\Oracle\VirtualBox\nls\VirtualBox_pt_BR.qm | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files\Oracle\VirtualBox\VBoxSVC.exe | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files\Oracle\VirtualBox\sqldrivers\qsqlite.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files\Oracle\VirtualBox\VirtualBoxVM.exe | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files\Oracle\VirtualBox\nls\VirtualBox_pt.qm | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files\Oracle\VirtualBox\platforms\qminimal.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files\Oracle\VirtualBox\styles\qwindowsvistastyle.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files\Oracle\VirtualBox\nls\qt_sk.qm | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files\Oracle\VirtualBox\nls\VirtualBox_eu.qm | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files\Oracle\VirtualBox\nls\VirtualBox_fa.qm | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files\Oracle\VirtualBox\nls\VirtualBox_ko.qm | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files\Oracle\VirtualBox\nls\VirtualBox_uk.qm | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files\Oracle\VirtualBox\nls\VirtualBox_zh_CN.qm | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files\Oracle\VirtualBox\nls\qt_tr.qm | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files\Oracle\VirtualBox\UnattendedTemplates\ol_postinstall.sh | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files\Oracle\VirtualBox\License_en_US.rtf | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files\Oracle\VirtualBox\VBoxDDU.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files\Oracle\VirtualBox\drivers\USB\device\VBoxUSB.sys | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files\Oracle\VirtualBox\nls\VirtualBox_el.qm | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files\Oracle\VirtualBox\nls\VirtualBox_sk.qm | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files\Oracle\VirtualBox\nls\qt_de.qm | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files\Oracle\VirtualBox\nls\qt_el.qm | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files\Oracle\VirtualBox\UnattendedTemplates\ol9_ks.cfg | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files\Oracle\VirtualBox\UnattendedTemplates\os2_cid_install.cmd | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files\Oracle\VirtualBox\UnattendedTemplates\debian_preseed.cfg | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files\Oracle\VirtualBox\platforms\qwindows.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files\Oracle\VirtualBox\VBoxGuestControlSvc.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files\Oracle\VirtualBox\nls\qt_fr.qm | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files\Oracle\VirtualBox\Qt5PrintSupportVBox.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files\Oracle\VirtualBox\VBoxCAPI.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files\Oracle\VirtualBox\sdk\install\vboxapi\VirtualBox_constants.py | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files\Oracle\VirtualBox\nls\qt_eu.qm | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files\Oracle\VirtualBox\UnattendedTemplates\os2_response_files.rsp | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files\Oracle\VirtualBox\Qt5CoreVBox.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files\Oracle\VirtualBox\drivers\network\netadp6\VBoxNetAdp6.inf | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files\Oracle\VirtualBox\drivers\network\netadp6\VBoxNetAdp6.sys | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files\Oracle\VirtualBox\VBoxRes.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files\Oracle\VirtualBox\nls\qt_pt.qm | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files\Oracle\VirtualBox\VBoxC.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files\Oracle\VirtualBox\DbgPlugInDiggers.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files\Oracle\VirtualBox\VBoxAuth.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files\Oracle\VirtualBox\VBoxDD2.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files\Oracle\VirtualBox\drivers\vboxsup\VBoxSup.sys | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files\Oracle\VirtualBox\nls\VirtualBox_zh_TW.qm | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files\Oracle\VirtualBox\UnattendedTemplates\os2_util.exe | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files\Oracle\VirtualBox\UnattendedTemplates\fedora_ks.cfg | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files\Oracle\VirtualBox\VBoxAudioTest.exe | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files\Oracle\VirtualBox\VirtualBox.VisualElementsManifest.xml | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files\Oracle\VirtualBox\nls\VirtualBox_lt.qm | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files\Oracle\VirtualBox\nls\qt_en.qm | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files\Oracle\VirtualBox\nls\qt_it.qm | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files\Oracle\VirtualBox\nls\qt_lt.qm | C:\Windows\system32\msiexec.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\Installer\MSIC980.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\{7431991E-0534-4E1E-89C8-2AF6968C017C}\IconVirtualBox | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIE162.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIE470.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\e58b34d.msi | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\SystemTemp\~DFC68B191DE07D8600.TMP | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIBC8C.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIC7F9.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\INF\oem1.PNF | C:\Windows\System32\MsiExec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIE4DF.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\inprogressinstallinfo.ipi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIC111.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIDB64.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\INF\setupapi.dev.log | C:\Windows\system32\DrvInst.exe | N/A |
| File created | C:\Windows\Installer\SourceHash{7431991E-0534-4E1E-89C8-2AF6968C017C} | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIE141.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\INF\oem2.PNF | C:\Windows\System32\MsiExec.exe | N/A |
| File opened for modification | C:\Windows\inf\oem5.inf | C:\Windows\system32\DrvInst.exe | N/A |
| File created | C:\Windows\INF\oem5.PNF | C:\Windows\System32\MsiExec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIB831.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIB890.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSICA0E.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\e58b34f.msi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIE4CF.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\inf\oem5.inf | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIC160.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\INF\setupapi.dev.log | C:\Windows\System32\MsiExec.exe | N/A |
| File opened for modification | C:\Windows\inf\oem3.inf | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIB716.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIB830.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\SystemTemp\~DF5076B0124C6A168B.TMP | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\INF\oem0.PNF | C:\Windows\System32\MsiExec.exe | N/A |
| File opened for modification | C:\Windows\INF\setupapi.dev.log | C:\Windows\system32\DrvInst.exe | N/A |
| File created | C:\Windows\SystemTemp\~DF462F058BE183502F.TMP | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\e58b34d.msi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\ | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\INF\setupapi.dev.log | C:\Windows\system32\DrvInst.exe | N/A |
| File created | C:\Windows\Installer\{7431991E-0534-4E1E-89C8-2AF6968C017C}\IconVirtualBox | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\inf\oem3.inf | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\inf\oem4.inf | C:\Windows\system32\DrvInst.exe | N/A |
| File created | C:\Windows\inf\oem4.inf | C:\Windows\system32\DrvInst.exe | N/A |
| File created | C:\Windows\INF\oem3.PNF | C:\Windows\System32\MsiExec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIB8B0.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIB92E.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIBBCF.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\INF\setupapi.dev.log | C:\Windows\system32\svchost.exe | N/A |
| File created | C:\Windows\SystemTemp\~DF341B4D79B59646FE.TMP | C:\Windows\system32\msiexec.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Oracle\VirtualBox\VirtualBox.exe | N/A |
| N/A | N/A | C:\Program Files\Oracle\VirtualBox\VBoxSVC.exe | N/A |
| N/A | N/A | C:\Program Files\Oracle\VirtualBox\VBoxSDS.exe | N/A |
Loads dropped DLL
Registers COM server for autorun
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\Software\Classes\CLSID\{B1A7A4F2-47B9-4A1E-82B2-07CCD5323C3F}\LocalServer32 | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{DD3FC71D-26C0-4FE1-BF6F-67F633265BBA}\InprocServer32\ = "C:\\Program Files\\Oracle\\VirtualBox\\VBoxC.dll" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{DD3FC71D-26C0-4FE1-BF6F-67F633265BBA}\InprocServer32\ThreadingModel = "Free" | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{DD3FC71D-26C0-4FE1-BF6F-67F633265BBA}\InprocServer32 | C:\Program Files\Oracle\VirtualBox\VirtualBox.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0BB3B78C-1807-4249-5BA5-EA42D66AF0BF}\InprocServer32 | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B1A7A4F2-47B9-4A1E-82B2-07CCD5323C3F}\LocalServer32\ = "\"C:\\Program Files\\Oracle\\VirtualBox\\VBoxSVC.exe\"" | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\CLSID\{3C02F46D-C9D2-4F11-A384-53F0CF917214}\InprocServer32 | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\CLSID\{74AB5FFE-8726-4435-AA7E-876D705BCBA5}\LocalServer32 | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\CLSID\{0BB3B78C-1807-4249-5BA5-EA42D66AF0BF}\InprocServer32 | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3C02F46D-C9D2-4F11-A384-53F0CF917214}\InprocServer32 | C:\Program Files\Oracle\VirtualBox\VirtualBox.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{74AB5FFE-8726-4435-AA7E-876D705BCBA5}\LocalServer32 | C:\Program Files\Oracle\VirtualBox\VirtualBox.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0BB3B78C-1807-4249-5BA5-EA42D66AF0BF}\InprocServer32 | C:\Program Files\Oracle\VirtualBox\VirtualBox.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B1A7A4F2-47B9-4A1E-82B2-07CCD5323C3F}\LocalServer32 | C:\Program Files\Oracle\VirtualBox\VirtualBox.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0BB3B78C-1807-4249-5BA5-EA42D66AF0BF}\InprocServer32\ = "C:\\Program Files\\Oracle\\VirtualBox\\VBoxProxyStub.dll" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0BB3B78C-1807-4249-5BA5-EA42D66AF0BF}\InprocServer32\ThreadingModel = "Both" | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\CLSID\{DD3FC71D-26C0-4FE1-BF6F-67F633265BBA}\InprocServer32 | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3C02F46D-C9D2-4F11-A384-53F0CF917214}\InprocServer32\ = "C:\\Program Files\\Oracle\\VirtualBox\\VBoxC.dll" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3C02F46D-C9D2-4F11-A384-53F0CF917214}\InprocServer32\ThreadingModel = "Free" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{74AB5FFE-8726-4435-AA7E-876D705BCBA5}\LocalServer32\ = "\"C:\\Program Files\\Oracle\\VirtualBox\\VBoxSDS.exe\"" | C:\Windows\system32\msiexec.exe | N/A |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Service | C:\Windows\System32\MsiExec.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009 | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | C:\Windows\System32\MsiExec.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\CompatibleIDs | C:\Windows\system32\DrvInst.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID | C:\Windows\System32\MsiExec.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Phantom | C:\Windows\system32\DrvInst.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001 | C:\Windows\System32\MsiExec.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs | C:\Windows\System32\MsiExec.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001 | C:\Windows\system32\DrvInst.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 | C:\Windows\System32\MsiExec.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\LowerFilters | C:\Windows\System32\MsiExec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr | C:\Windows\system32\vssvc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002 | C:\Windows\system32\DrvInst.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 | C:\Windows\system32\DrvInst.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom | C:\Windows\System32\MsiExec.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\LowerFilters | C:\Windows\System32\MsiExec.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001 | C:\Windows\system32\DrvInst.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 | C:\Windows\system32\DrvInst.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID | C:\Windows\system32\DrvInst.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 | C:\Windows\system32\svchost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Phantom | C:\Windows\system32\DrvInst.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom | C:\Windows\system32\DrvInst.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Phantom | C:\Windows\system32\DrvInst.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 | C:\Windows\system32\svchost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID | C:\Windows\system32\DrvInst.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 | C:\Windows\system32\DrvInst.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\CompatibleIDs | C:\Windows\system32\DrvInst.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Filters | C:\Windows\System32\MsiExec.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 | C:\Windows\System32\MsiExec.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags | C:\Windows\System32\MsiExec.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 | C:\Windows\System32\MsiExec.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs | C:\Windows\System32\MsiExec.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\CompatibleIDs | C:\Windows\system32\DrvInst.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A\ | C:\Windows\System32\MsiExec.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009 | C:\Windows\system32\svchost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags | C:\Windows\system32\svchost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\UpperFilters | C:\Windows\System32\MsiExec.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Service | C:\Windows\System32\MsiExec.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 00000000040000000c993a456edcb2280000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff0000000027010100000800000c993a450000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff0000000007000100006809000c993a45000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1d0c993a45000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000000000000c993a4500000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | C:\Windows\system32\vssvc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002 | C:\Windows\system32\svchost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\CompatibleIDs | C:\Windows\System32\MsiExec.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs | C:\Windows\system32\DrvInst.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID | C:\Windows\system32\DrvInst.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009 | C:\Windows\system32\svchost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs | C:\Windows\system32\DrvInst.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002 | C:\Windows\System32\MsiExec.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\CompatibleIDs | C:\Windows\System32\MsiExec.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\CompatibleIDs | C:\Windows\system32\DrvInst.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom | C:\Windows\system32\DrvInst.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs | C:\Windows\system32\DrvInst.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A | C:\Windows\System32\MsiExec.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom | C:\Windows\system32\DrvInst.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID | C:\Windows\System32\MsiExec.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 | C:\Windows\System32\MsiExec.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001 | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009 | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002 | C:\Windows\system32\DrvInst.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Phantom | C:\Windows\system32\DrvInst.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Service | C:\Windows\System32\MsiExec.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\UpperFilters | C:\Windows\System32\MsiExec.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID | C:\Windows\system32\DrvInst.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters | C:\Windows\system32\vssvc.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID | C:\Windows\system32\DrvInst.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Service | C:\Windows\System32\MsiExec.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs | C:\Windows\System32\MsiExec.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs | C:\Windows\System32\MsiExec.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\System32\MsiExec.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | C:\Windows\System32\MsiExec.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\System32\MsiExec.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\System32\MsiExec.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | C:\Windows\System32\MsiExec.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | C:\Windows\System32\MsiExec.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\System32\MsiExec.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\System32\MsiExec.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key deleted | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\System32\MsiExec.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | C:\Windows\System32\MsiExec.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\System32\MsiExec.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\System32\MsiExec.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\System32\MsiExec.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9E106366-4521-44CC-DF95-186E4D057C83}\NumMethods | C:\Program Files\Oracle\VirtualBox\VirtualBox.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{101AE042-1A29-4A19-92CF-02285773F3B5}\TypeLib | C:\Program Files\Oracle\VirtualBox\VirtualBox.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4A773393-7A8C-4D57-B228-9ADE4049A81F}\TypeLib\ = "{D7569351-1750-46F0-936E-BD127D5BC264}" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2A88033D-82DB-4AC2-97B5-E786C839420E}\ = "IUpdateAgentErrorEvent" | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\E19913474350E1E4988CA26F69C810C7 | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{ADF292B0-92C9-4A77-9D35-E058B39FE0B9}\NumMethods | C:\Program Files\Oracle\VirtualBox\VirtualBox.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6AC83D89-6EE7-4E33-8AE6-B257B2E81BE8}\ProxyStubClsid32\ = "{0BB3B78C-1807-4249-5BA5-EA42D66AF0BF}" | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{A0A7F210-B857-4468-BE26-C29F36A84345} | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\Interface\{392F1DE4-80E1-4A8A-93A1-67C5F92A838A}\ProxyStubClsid32 | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6620DB85-44E0-CA69-E9E0-D4907CECCBE5}\ProxyStubClsid32\ = "{0BB3B78C-1807-4249-5BA5-EA42D66AF0BF}" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BC68370C-8A02-45F3-A07D-A67AA72756AA}\ProxyStubClsid32\ = "{0BB3B78C-1807-4249-5BA5-EA42D66AF0BF}" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E19913474350E1E4988CA26F69C810C7\SourceList\PackageName = "dj7mb20gltxh17s9g54ngsac.msi" | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{CF11D345-0241-4EA9-AC4C-C69ED3D674E3}\ProxyStubClsid32 | C:\Program Files\Oracle\VirtualBox\VirtualBox.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A338ED20-58D9-43AE-8B03-C1FD7088EF15}\ProxyStubClsid32 | C:\Program Files\Oracle\VirtualBox\VirtualBox.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D0D93830-70A2-487E-895E-D3FC9679F7B3}\TypeLib\ = "{D7569351-1750-46F0-936E-BD127D5BC264}" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9E106366-4521-44CC-DF95-186E4D057C83}\ProxyStubClsid32\ = "{0BB3B78C-1807-4249-5BA5-EA42D66AF0BF}" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{232E9151-AE84-4B8E-B0F3-5C20C35CAAC9}\TypeLib\ = "{D7569351-1750-46F0-936E-BD127D5BC264}" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{92F21DC0-44DE-1653-B717-2EBF0CA9B664}\TypeLib\Version = "1.3" | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\Interface\{9B6E1AEE-35F3-4F4D-B5BB-ED0ECEFD8538}\ProxyStubClsid32 | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E7932CB8-F6D4-4AB6-9CBF-558EB8959A6A}\NumMethods\ = "14" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F01E8B48-F44D-42CC-8A83-512F6A8552F1}\TypeLib\ = "{D7569351-1750-46F0-936E-BD127D5BC264}" | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\Interface\{F05D7E60-1BCF-4218-9807-04E036CC70F1} | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{A06FD66A-3188-4C8C-8756-1395E8CB691C}\ProxyStubClsid32 | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{243829CB-15B7-42A4-8664-7AA4E34993DA}\ = "IUpdateAgentAvailableEvent" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{53FAC49A-B7F1-4A5A-A4EF-A11DD9C2A458}\TypeLib\Version = "1.3" | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{78861431-D545-44AA-8013-181B8C288554}\ProxyStubClsid32 | C:\Program Files\Oracle\VirtualBox\VirtualBox.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{B14290AD-CD54-400C-B858-797BCB82570E}\NumMethods | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{B55CF856-1F8B-4692-ABB4-462429FAE5E9}\ProxyStubClsid32 | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\Interface\{C4B1B5F4-8CDF-4923-9EF6-B92476A84109}\TypeLib | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\progId_VirtualBox.Shell.vbox\shell\open\ = "Open" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\progId_VirtualBox.Shell.ova\ = "Open Virtualization Format Archive" | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{31587F93-2D12-4D7C-BA6D-CE51D0D5B265}\TypeLib | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{455F8C45-44A0-A470-BA20-27890B96DBA9}\TypeLib\ = "{D7569351-1750-46F0-936E-BD127D5BC264}" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DFE56449-6989-4002-80CF-3607F377D40C}\ProxyStubClsid32\ = "{0BB3B78C-1807-4249-5BA5-EA42D66AF0BF}" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00892186-A4AF-4627-B21F-FC561CE4473C}\ProxyStubClsid32\ = "{0BB3B78C-1807-4249-5BA5-EA42D66AF0BF}" | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\Interface\{E062A915-3CF5-4C0A-BC90-9B8D4CC94D89}\NumMethods | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B1A7A4F2-47B9-4A1E-82B2-07CCD5323C3F}\TypeLib | C:\Program Files\Oracle\VirtualBox\VirtualBox.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{5045C372-2E8F-4D9E-AD9D-121AB1661146}\NumMethods | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{537707F7-EBF9-4D5C-7AEA-877BFC4256BA}\TypeLib | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{DD3E2654-A161-41F1-B583-4892F4A9D5D5}\NumMethods\ = "13" | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{E54F6256-97A7-4947-8A78-10C013DDF4B8}\NumMethods | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{FF5BEFC3-4BA3-7903-2AA4-43988BA11554}\NumMethods | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00F4A8DC-0002-4B81-0077-1DCB004571BA}\ProxyStubClsid32\ = "{0BB3B78C-1807-4249-5BA5-EA42D66AF0BF}" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A54D9CCA-F23F-11EA-9755-EFD0F1F792D9}\TypeLib\Version = "1.3" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{CADEF0A2-A1A9-4AC2-8E80-C049AF69DAC8}\NumMethods\ = "27" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A06FD66A-3188-4C8C-8756-1395E8CB691C}\TypeLib\ = "{D7569351-1750-46F0-936E-BD127D5BC264}" | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\Interface\{01ADB2D6-AEDF-461C-BE2C-99E91BDAD8A1}\ProxyStubClsid32 | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\Interface\{A54D9CCA-F23F-11EA-9755-EFD0F1F792D9} | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\Interface\{E8F79A21-1207-4179-94CF-CA250036308F} | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\Interface\{01ADB2D6-AEDF-461C-BE2C-99E91BDAD8A1} | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\Interface\{4DA2DEC7-71B2-4817-9A64-4ED12C17388E}\TypeLib | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\Interface\{6F89464F-7773-436A-A4DF-592E4E537FA0}\NumMethods | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{CF11D345-0241-4EA9-AC4C-C69ED3D674E3}\TypeLib\ = "{D7569351-1750-46F0-936E-BD127D5BC264}" | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\Interface\{AAC6C7CB-A371-4C58-AB51-0616896B2F2C}\NumMethods | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C39EF4D6-7532-45E8-96DA-EB5986AE76E4}\ProxyStubClsid32\ = "{0BB3B78C-1807-4249-5BA5-EA42D66AF0BF}" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C40C2B86-73A5-46CC-8227-93FE57D006A6}\TypeLib\ = "{D7569351-1750-46F0-936E-BD127D5BC264}" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C4B1B5F4-8CDF-4923-9EF6-B92476A84109}\ = "IUpdateAgent" | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{2514881B-23D0-430A-A7FF-7ED7F05534BC}\NumMethods | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{758D7EAC-E4B1-486A-8F2E-747AE346C3E9}\ProxyStubClsid32 | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8DCC633F-7B03-4F0A-9F40-7A784DD0835A}\ = "IHostAudioDeviceChangedEvent" | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\Interface\{E8F79A21-1207-4179-94CF-CA250036308F}\ProxyStubClsid32 | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F01E8B48-F44D-42CC-8A83-512F6A8552F1}\ = "IRangedInteger64FormValue" | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5BFD8965-B81B-469F-8649-F717CE97A5D5}\NumMethods | C:\Program Files\Oracle\VirtualBox\VirtualBox.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{89A63ACE-0C65-11EA-AD23-0FF257C71A7F}\ = "ICloudNetworkGatewayInfo" | C:\Windows\system32\msiexec.exe | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Oracle\VirtualBox\VirtualBox.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\VirtualBox-7.0.18-162988-Win.exe | N/A |
| N/A | N/A | C:\Program Files\Oracle\VirtualBox\VirtualBox.exe | N/A |
Suspicious behavior: LoadsDriver
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\VirtualBox-7.0.18-162988-Win.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Oracle\VirtualBox\VirtualBox.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy service COM API
Processes
C:\Users\Admin\AppData\Local\Temp\VirtualBox-7.0.18-162988-Win.exe
"C:\Users\Admin\AppData\Local\Temp\VirtualBox-7.0.18-162988-Win.exe"
C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
C:\Windows\System32\MsiExec.exe
C:\Windows\System32\MsiExec.exe -Embedding FA6D6A135EC3275B5BAE5803823096BF C
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
C:\Windows\system32\srtasks.exe
C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
C:\Windows\System32\MsiExec.exe
C:\Windows\System32\MsiExec.exe -Embedding 90CB6E367090ED2BEC232FA0AFC06FC1
C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding EEEED849BDC03DCAAEDCE23F97CEE6A9
C:\Windows\System32\MsiExec.exe
C:\Windows\System32\MsiExec.exe -Embedding EFBB24C7EF95813B082674AF7683F894 E Global\MSI0000
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s DeviceInstall
C:\Windows\system32\DrvInst.exe
DrvInst.exe "4" "1" "C:\Program Files\Oracle\VirtualBox\drivers\USB\device\VBoxUSB.inf" "9" "48f6bcb47" "0000000000000154" "WinSta0\Default" "0000000000000164" "208" "C:\Program Files\Oracle\VirtualBox\drivers\USB\device"
C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 8D6F2CAA08BC00DCC3DC3CF4E9DD20C5 M Global\MSI0000
C:\Windows\system32\DrvInst.exe
DrvInst.exe "4" "1" "C:\Program Files\Oracle\VirtualBox\drivers\network\netadp6\VBoxNetAdp6.inf" "9" "473b17b7b" "000000000000010C" "WinSta0\Default" "0000000000000168" "208" "C:\Program Files\Oracle\VirtualBox\drivers\network\netadp6"
C:\Windows\system32\DrvInst.exe
DrvInst.exe "4" "1" "C:\Program Files\Oracle\VirtualBox\drivers\network\netlwf\VBoxNetLwf.inf" "9" "431e52bcb" "0000000000000168" "WinSta0\Default" "0000000000000178" "208" "C:\Program Files\Oracle\VirtualBox\drivers\network\netlwf"
C:\Program Files\Oracle\VirtualBox\VirtualBox.exe
"C:\Program Files\Oracle\VirtualBox\VirtualBox.exe"
C:\Program Files\Oracle\VirtualBox\VBoxSVC.exe
"C:\Program Files\Oracle\VirtualBox\VBoxSVC.exe" -Embedding
C:\Program Files\Oracle\VirtualBox\VBoxSDS.exe
"C:\Program Files\Oracle\VirtualBox\VBoxSDS.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| N/A | 224.0.0.251:5353 | udp | |
| US | 8.8.8.8:53 | b.3.9.0.b.c.5.d.2.0.f.9.8.7.5.d.0.0.0.0.0.0.0.0.0.0.0.0.0.8.e.f.ip6.arpa | udp |
| US | 8.8.8.8:53 | 74.19.199.152.in-addr.arpa | udp |
| N/A | 255.255.255.255:67 | udp | |
| US | 8.8.8.8:53 | 1.56.168.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 255.56.168.192.in-addr.arpa | udp |
| N/A | 224.0.0.251:5353 | udp |
Files
C:\Users\Admin\AppData\Local\Temp\MSI8CDE.tmp
| MD5 | d045098c42378ebe26f6da17977551ee |
| SHA1 | 80a93acee96419dd9c44d0d15d7518aea21f782a |
| SHA256 | 92b89b56400e8d01a813513ef8af685fb23adcaba49d7775853e650266b2f63a |
| SHA512 | 9e110110c6ec6aa43e64069744901c955ac90253a036b9837d2e0150c5da97cb8f927db4a36e9f289684c3b91724a4d93aa189a3fde9d06d07d62dd4b8c08a35 |
\??\Volume{453a990c-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{17cb499b-a315-4ce0-b85b-fd6a4d55cfb3}_OnDiskSnapshotProp
| MD5 | b0fe8f3c958e92f528c78e1fc7624aec |
| SHA1 | 8dd4ba9ab61968bb53342a4991d269cea4b6cb57 |
| SHA256 | a16771cf7e0c1eb62fe8fc29dbd58eb2969550cea3acca412cf5b197eee42541 |
| SHA512 | 31f148d36946a50f82a9ec53b7e97f29bd8451b51fcc6bbe48d0acbed89915750ef3f45e4655231a88b2fd86f5a209bea376dcd714a5824f10534029425f40bd |
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2
| MD5 | d87327d0dfd235de9d0483c9d8f0967d |
| SHA1 | 9b514f65d447cf1b480a43b82795a608f2e7c0f4 |
| SHA256 | 84ec19c2f796aa2d55888edab6af1743d05324f2b4ab592b544d5aa0583fffe7 |
| SHA512 | 12df72e0cd431cab78888bfc0f226b3fcf61dbdc5ff9bdcacd91befabe9a8589cc67ea3fc74c50e08afaa6df61cae17cb30cb4089fef341a0d171e912f827446 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB
| MD5 | cc51fb79bd21243ac498b54da8e2a21c |
| SHA1 | 9d10aab72fcd89cce3f1f1742d053c9ea60cde95 |
| SHA256 | d8f234a198f1e7fce24a823b3d0176d228418f0a91d65fb2b1274cded335f848 |
| SHA512 | e6e729ded383205f14f6514b3de0400d9c89cd8acdabe71d9cd9a272f607efdf73ee3b0dc89fed7e538f7b67dc1a42d86525c115fde4b139379cf6eeb6c34f35 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB
| MD5 | 872a1f94ee3eec12def97c9e437c4d9f |
| SHA1 | f61fd955c0a533fc5404b19476804ef8e2523206 |
| SHA256 | 757b2057febaa6ed1a8585525d48e6238711b1fd334091c1385d5d265c44fe20 |
| SHA512 | 7be41e53df2b9fc06467564dc5d1f63a7bfb4545841223e15186c00bf574d82c81d465ba0a856aa210d8589f6a3039bb1d1735f59bfb61af41719958aa187d33 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141
| MD5 | 7e0ef0efadc88753665392f7f2f0b91a |
| SHA1 | 9cd0c8bd9dddd0d579331c54a5da57011c39f522 |
| SHA256 | ffb860a5beda6b34accc16e573415225296727964d5d587f52907e8a4f10025d |
| SHA512 | 24572e84441d1156a14c43202c5d310df85eaecf8191d251bf94fe3b283899cc7922072b1fcd0e454a6be344ffab1e35c2d40902ad785d1e36386d06320edd51 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141
| MD5 | d90b241db1039fd2122e2386d692427e |
| SHA1 | eb2e224d6205d90df1101b024c8234369ef24654 |
| SHA256 | 7c81c821d465fe2e0584934503d4006e8fb18f3f4ae6a6cc46ef418641de85aa |
| SHA512 | dafe924d6e81d03e90a89922ae2e68957f4425483f096192004d52cf0dde217ce56d49c76ceb14bda8bf64b2d5c2039318be6818d00a9a638374ca1434ea2522 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EC9B1D0ABBD7F98B401D425828828CE_D2F6556190F7B1A25A117FFB5467EEBD
| MD5 | e9630eddcf798c9b9f17d3ab17b7b328 |
| SHA1 | 0531a5f5e55ed4dd019a33adf0500a2ab6df20a7 |
| SHA256 | 5a706f02d55d11fb1ae6c99d25241e8399c800d5262e82f0edc837e6c21aa019 |
| SHA512 | 5f807f19dea1fdcf49fdd5f9b4e78fa1e714f0fa65d46e469a3c4fb9ef74cfb81f6fbd2db606fefb76c125f3ce788cc427fd194954468183c23cc4373c52e07e |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8EC9B1D0ABBD7F98B401D425828828CE_D2F6556190F7B1A25A117FFB5467EEBD
| MD5 | 28f06a492e308192a4b781a9a35b4f60 |
| SHA1 | c02f78c84c0959ce07227301cb5d75acfa493242 |
| SHA256 | dab94e437880b56506b49dfc948bba5a31622ee9520d79570b2e185f543ed2f1 |
| SHA512 | 122e5305b69658e41b85c8ed369cc27d19dfc77e5b27527e9c6708f4a6b4d9bf5cf7213f70bb29c639297e0bb7941e573e3dcdaaad0bfd4c828168bdb274334e |
C:\Windows\Installer\MSIB8B0.tmp
| MD5 | 8edc1557e9fc7f25f89ad384d01bcec4 |
| SHA1 | 98e64d7f92b8254fe3f258e3238b9e0f033b5a9c |
| SHA256 | 78860e15e474cc2af7ad6e499a8971b6b8197afb8e49a1b9eaaa392e4378f3a5 |
| SHA512 | d26c9dce3c3d17583ffb5dbcd3989f93b096a7f64a37a2701a474c1bf4b8c8b1e922c352d33f24e411f1c793e1b4af11a3aec1de489087d481b1b636df2050cd |
C:\Windows\Installer\MSIBC8C.tmp
| MD5 | 418322f7be2b68e88a93a048ac75a757 |
| SHA1 | 09739792ff1c30f73dacafbe503630615922b561 |
| SHA256 | ea5d4b4c7e7be1ce24a614ae1e31a58bcae6f1694dd8bfb735cf47d35a08d59b |
| SHA512 | 253f62f5ce75df3e9ac3c62e2f06f30c7c6de6280fbfc830cdd15bf29cb8ee9ed878212f6df5d0ac6a5c9be0e6259f900eccee472a890f15dd3ff1f84958aeef |
C:\Windows\Installer\MSIC7F9.tmp
| MD5 | 8deb7d2f91c7392925718b3ba0aade22 |
| SHA1 | fc8e9b10c83e16eb0af1b6f10128f5c37b389682 |
| SHA256 | cb42fac1aebb6e1ac4907a38035b218b5f992d1bcd4dece11b1664a588e876e4 |
| SHA512 | 37f2c132b632c8e5a336bdc773d953c7f39872b1bae2ba34fbaf7794a477fd0dcb9ff60a3ddb447fe76abd98e557bd5ee544876584adea152b0841b3e313054c |
C:\Program Files\Oracle\VirtualBox\drivers\vboxsup\VBoxSup.inf
| MD5 | 18344eb15d0a3efb7b72eb6e75b18811 |
| SHA1 | 9f88f5eac5bb5e9a9b6894d1d78ee0887bd94dd8 |
| SHA256 | 80e3772271bf6f6c35062e6e163d81392cfc65b837f638f2ca4808429909cd91 |
| SHA512 | 10458bace0531bba2296bc50fd9e2dba339abb1e04ed8601f958472502552010fb8f5b58b6a351dd51245d056fa2abbf8ea176a21ae051e8e2a4bd3b314add90 |
C:\Program Files\Oracle\VirtualBox\drivers\vboxsup\VBoxSup.cat
| MD5 | e881b08efbf1537d69492e92d0053bc4 |
| SHA1 | c1568b0197f11f03068219f1fc3418496ea5f1e1 |
| SHA256 | 5d2b1de4402457fd908ef206bde69a6213dc9d7252a91db83fe3861675479484 |
| SHA512 | 9e0030a0a92c9fd2e7c120f143b6ce734c521038e3d0ddb30c1c7ae9f2992c48b82c5a6d77cff603b1a459505e3ee3450fb5c175e275ed6986a268990f76b1e3 |
C:\Program Files\Oracle\VirtualBox\drivers\vboxsup\VBoxSup.sys
| MD5 | 8dc26c500f411c68a1cbd2523fe85dfc |
| SHA1 | c43446b2005130ad83579132c979def6841ff43f |
| SHA256 | 5eddb05714b93fcbf3d9dc9210f2e29a7d49d738fecb63f89021a2b17cebc382 |
| SHA512 | 78974b608dc671eff7f1d7b31435d3bda4bb7897f8dd835b265cbf4d8a5f1367f1f7e09b387d1199046a44797bac5d180f488400a35d2946373b1f9fa576d0a4 |
C:\Program Files\Oracle\VirtualBox\drivers\USB\filter\VBoxUSBMon.inf
| MD5 | 07bbbda4185e4ee2acc39cbbf3587d39 |
| SHA1 | 690d99470d0611e5d4341f78d468354e24516b45 |
| SHA256 | 4ca28bcb2f7a024df37830aa6314d2f6c0fc0ec6b46231a9255abb32a39502ac |
| SHA512 | ed55425344f5158b0e5ad46228a223bfebd246df32ef628c177d514b8e3677c4e12ac4d64f5989329f6283cecf1a5f3a7f5516296ed0dbeec703cb71cc0985e4 |
C:\Program Files\Oracle\VirtualBox\drivers\USB\filter\VBoxUSBMon.cat
| MD5 | af2bb27f5dd42782f344a03672ea428c |
| SHA1 | 76c300885a3bef8eb122594dd2b3d02a309d39c3 |
| SHA256 | 34450ab69b7ae1d286c1dc6a7aae1a82647d37c4a18c3222a8a7db975cd99b52 |
| SHA512 | c88a10298b6bcbdb43fcb2a974525b715d6b8f14d352298c923988ef57cd6736634a7a9649320bf2a6464a5c89325fb4bb0d8080f6a5c12008dd17a9f50412af |
C:\Program Files\Oracle\VirtualBox\drivers\USB\filter\VBoxUSBMon.sys
| MD5 | 6bc9768cdd545c056faeaa153e73c686 |
| SHA1 | 8dbfeff04cb7a6a32f3f2a09fbbfaff31dd34792 |
| SHA256 | 2e19d29e7e6b1d1a9093eb7f0bd2e2825ed08785d6042b90e3748f3d087e59c9 |
| SHA512 | 7b4e293dd8c1e7cb466d71c5a2b98814ebc973d717e46fcf5e63dcde925d9905fd5ec87f729c1feace5baba74eef9a8a769b47e191df6651d1122432fb8e6739 |
C:\Program Files\Oracle\VirtualBox\drivers\USB\device\VBoxUSB.inf
| MD5 | 35806a0ffff129546450cdcaffafc06b |
| SHA1 | 11251df1fbe7ab027059768154077eb985cca790 |
| SHA256 | 66a137a1a716e2d673666e74074b69b6f68f46072b359b4c17fee5055a3b98f3 |
| SHA512 | ac3d4a434b75b22d3334c9e7c6dd2be51e55d5439c78b8e05c83ce84da78016d111a95f3890f950de57431b03cfc136fce7563ef7931b3e1724ada6f19defc4d |
C:\PROGRA~1\Oracle\VIRTUA~1\drivers\USB\device\VBoxUSB.cat
| MD5 | e01c0f59ee96483ee31dd70fb1218795 |
| SHA1 | 4dc98fcfa6dffdcc9fdb9733b58a0cfbb0957e39 |
| SHA256 | 775427086b53136855c0d6b65bf32412a06c92155e67351033cc4ff8be565d49 |
| SHA512 | 2ac8c7363fa40f5c2dc4e1e69905670ec890506b2cac7ba6b8ecfd1ed0b7abb65d252c3c2982c829393e3dea1712b5a2cf2dc728d49c36ebedc431f0eaca1a3d |
C:\PROGRA~1\Oracle\VIRTUA~1\drivers\USB\device\VBoxUSB.sys
| MD5 | 1f50fa5bf6487796d2913e78ed8cb8b0 |
| SHA1 | 8be143b0a7d6963e9ab911cfba9d3e4ec508f368 |
| SHA256 | d38854405d1b7e9602bc288e2db9b8492d82f14410b44f655f5505ba9e41aa90 |
| SHA512 | bfebbd90662901ea80a2f7eff4446c02bd0549f823b310908fc4e2e11b8cc370fc70a0da6945aa4335de81d61dd95980cd3a7bd58acdd06b015d5b4e163c6a29 |
C:\Windows\System32\CatRoot2\dberr.txt
| MD5 | f48b3781fc7ebe97071b5dca008b85bf |
| SHA1 | 9fbecc6afd55cf20b3a65c9106122513f74acc87 |
| SHA256 | de3edb35bb07f89715ecec15131e3402ad1279e2835826639494ff63e10ac5f4 |
| SHA512 | 78856df1a80c64ef90266234f36e1998e551f0e381df36fa32cf5bce82f7b3dd92aa6c051a5c806549f3bdedf66225ad436059204d39d9269022ac4d79c226d4 |
C:\Windows\System32\CatRoot2\dberr.txt
| MD5 | 5a7bffa5bc25ae7038d02653d1740fcf |
| SHA1 | ea1504c9301fb50ad59ae6a45a213d54bcbbe844 |
| SHA256 | 32f50af16a2a1e610c71c4eb15ff044bb30471cbc44a5e384032cbbccb7fb1dc |
| SHA512 | b6487289a8cef6a638b42f2d7bf480814dc3d9efb65bdd7b1feb0805f536bc6a5742de54adfb3a2b915572de59a9ddd44d8e9c5a3bf4d636d3e7cb84a5f86988 |
C:\Program Files\Oracle\VirtualBox\VirtualBox.exe
| MD5 | 798dda25ae933ec87d20974df6b998c7 |
| SHA1 | 28f97c07cb49b679ca71d415067987f339097631 |
| SHA256 | 6c7420e68eb52e3d998b953b1c004496878bf151a147dc66e2211c8ec29599b5 |
| SHA512 | e8ba3d3db8f19be0417057294cbc4526d5af064171c0ffd9fde5b9ab2c81af830101a9753c18a3ead4939daf4c0c91ad2af635d8582c26c276fadb6d36e244f6 |
C:\Program Files\Oracle\VirtualBox\VBoxProxyStub.dll
| MD5 | bfd6b0969fa03a7d0559d226cb227a1c |
| SHA1 | b68951fffc275c680577f8389f15bb1031c5a5a8 |
| SHA256 | 895cd205aa5d3b046203e9c019f1b5bd0a9fd0dd2f2400f2211d79cc38a3f324 |
| SHA512 | a95ce7b5e9ea076cfb63af8026013fcb3bab5d6ab72e850c6af383a9ee940073f01bf3225ddc4a4ea28accc742e6ad3b22767c518785e567644fe15490ec4db2 |
C:\Program Files\Oracle\VirtualBox\x86\VBoxProxyStub-x86.dll
| MD5 | 7234da69902f8d9af9e20a20919a786b |
| SHA1 | dc7f87dca6f3ae2ae56cb519cb7cb7a746ce8a31 |
| SHA256 | 217e2e07b15ed0a57ce536821292139ce3326cd158892a5eb474157fe6c51918 |
| SHA512 | 3bdf2a04fe263f4e38a14057cf4ab6887e2b72fd58b23cbb984a914ea13a9a2ffe633e7cb79dcd1072e3aa58e9b5250b542fe01486ed5a5a4350a62eff4a9414 |
C:\Program Files\Oracle\VirtualBox\drivers\network\netadp6\VBoxNetAdp6.inf
| MD5 | 4dee77e6d95b41afa3cf5582706438d7 |
| SHA1 | 7e6914f9ca78d2b0022f1ba5db083a72165b3cda |
| SHA256 | 81ac95d678978f9f82dccebe5887f52a9660a729f564698af7a4253e29032a88 |
| SHA512 | 7a3cf6a9d64ab9456206a066eb89968d64f9b459e5e7947c6201c25722e6122bfd8f2d24bdc57338db149a81f3e68cc3b3b9ac085059fe4cff1d9674903f1eb7 |
C:\Windows\System32\DriverStore\Temp\{c66b785a-b94c-054c-ad4b-cc6d0e3edb46}\VBoxNetAdp6.cat
| MD5 | d8ca5a996bf2d542fc111586aa122cd7 |
| SHA1 | 002d5343fb1a35283f231d5d6d5f3537602ff94e |
| SHA256 | d2d1296289411c8c469312a9569549ba24f4b2d3d525047fded6b4cd178154af |
| SHA512 | d0e1617f91ebf93488a949d6f8548f0721b66786ef9788e176d5f2aa4daf84e0aeafaad097c22c8dd0f77f560f7cba2f597c7deef13abb0593d337f1d8652cf7 |
C:\Windows\System32\DriverStore\Temp\{c66b785a-b94c-054c-ad4b-cc6d0e3edb46}\VBoxNetAdp6.sys
| MD5 | dd03fbee01f74530584061fe46a3aee5 |
| SHA1 | 49177c7d906c66b322499eaef9b26a0ba36e060e |
| SHA256 | 44f9d678b6018602bf200772ac5588c2003ae9f413a5a5ef53fb73a70f0fe0be |
| SHA512 | 4cf701d356a9ae529618e69fc1d9ae518dd20a2d3469f90d5b379f84b748dff4703ddc56e5c9bcc7f44f201bcc422b761b7313e09399f52ec0d2614e5e996dad |
C:\Windows\System32\DriverStore\Temp\{16f8d9dc-099f-3b4b-a549-84c88b809843}\VBoxNetLwf.inf
| MD5 | 7cf28d3145d8b0f9cdde7f94a8729e03 |
| SHA1 | 0cc9adc8322fe07ce03dd1e7e91a276a953fbefe |
| SHA256 | 2585f5715d6a5ebf1e0ae04f11408bdded6789f677a6c4cc7111cf418a296c85 |
| SHA512 | 7b234e92235bf2422020da65cfcf9c05a884057e921befeda5c61cf0116e6bc549a06b53cec641e31b07bd378f711ad9911e74f0dece057d2660689438c138f9 |
C:\Windows\System32\DriverStore\Temp\{16f8d9dc-099f-3b4b-a549-84c88b809843}\VBoxNetLwf.cat
| MD5 | 60b2f9f910c1458e203a34fbcf0e1915 |
| SHA1 | 10f1ea3e3ce1fc54d45d1ee2c9fe56e4a2b5dc1f |
| SHA256 | 73eb94e2977c6b32799037de23da54adbd0f61d5c585dd1b65368c863e98fa7c |
| SHA512 | 5514903acd301a6d865f37a3b8f8ec90d3b4846e5fc28a1372aa3af5e4201ab8011e1eedf1cf9e88809276bfeeac41b8ab33eea6a5c9b56991451105aae207c4 |
C:\Windows\System32\DriverStore\Temp\{16f8d9dc-099f-3b4b-a549-84c88b809843}\VBoxNetLwf.sys
| MD5 | 98c5be1edffae7850132d9950e8ed658 |
| SHA1 | 3a04c50447bc8e8cf4f72fa3a21ac66e952dc19f |
| SHA256 | be8c1e532b226bc5882d62eeed88dfb45a230cf6f78dc65a3ae1de3b142cb171 |
| SHA512 | 7d1d3209fa2bd2123584ec4776ecb5e5e1ff1b239d5d35532cda0c60f26122faa74b0ab3c7e30ed31efc5ebc0d3a134604e2af4d1c8a72068776f6b71376f498 |
C:\Config.Msi\e58b34e.rbs
| MD5 | 0f17979ccf3c794bfc8a34dafe6bb2aa |
| SHA1 | 4469a20717e7477121e4956d2c593b149a31910e |
| SHA256 | 6cc0062eedcbf0290924ee2bf48a5670e9904c9eef84e28a61fde8cb9e74f48a |
| SHA512 | 81a7a0dfe92d92517b32d8e789ee94122b1522f38fc3d5ba16d4513fe37da015a6ec142d6914b186823b317b26207bc30f6693207e3f1c60b987e2f43caccc91 |
memory/3464-554-0x00007FFCDE140000-0x00007FFCDE681000-memory.dmp
memory/3464-552-0x00007FF7E3580000-0x00007FF7E3804000-memory.dmp
memory/3464-553-0x00007FFCDF9E0000-0x00007FFCE15BE000-memory.dmp
C:\Users\Admin\.VirtualBox\VirtualBox.xml
| MD5 | d9d28bd2ef7192fb0efb99607d7a0807 |
| SHA1 | 7fb6f32f1c0f227118613dd7779e1bf0a6e2ce4a |
| SHA256 | dad710b076d96b3de34a58363a3241935bfe205b7240ce57f9d85bf2058e6dd5 |
| SHA512 | e058987d5fd8ea6cd3c3081c7ac45ce1e3719c4a38b46390133b19539fad35a0d8ad699023a3d934d18e3356cb6def62bd197b5a32ad496b620469c55d9efb13 |