Malware Analysis Report

2024-11-16 12:48

Sample ID 240811-yrkpcavgrn
Target https://www.virtualbox.org/
Tags
discovery exploit persistence privilege_escalation
score
8/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
8/10

Threat Level: Likely malicious

The submitted target https://www.virtualbox.org/ is a URL, not a file. It was opened in Microsoft Edge (see Command Line under behavioral1), and the behaviour scored here is that of the downloaded installer C:\Users\Admin\Downloads\VirtualBox-7.0.20-163906-Win.exe together with the Windows Installer (msiexec.exe), driver-installation (DrvInst.exe) and VirtualBox processes recorded in the tables below. The verdict is a heuristic score derived from the signature list that follows: driver and System32 drops, loading of dropped DLLs, takeown.exe/icacls.exe execution, COM class registration and an A: to Z: drive-letter sweep are also the normal footprint of an MSI package that installs kernel drivers, so corroborate the score (publisher signature on the downloaded installer and on the dropped .sys/.cat files, download origin) before treating the sample as malicious.

Malicious Activity Summary

discovery exploit persistence privilege_escalation

Drops file in Drivers directory

Downloads MZ/PE file

Possible privilege escalation attempt

Executes dropped EXE

Modifies file permissions

Loads dropped DLL

Event Triggered Execution: Component Object Model Hijacking

Enumerates connected drives

Suspicious use of NtSetInformationThreadHideFromDebugger

Drops file in System32 directory

Drops file in Windows directory

Drops file in Program Files directory

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Browser Information Discovery

Suspicious use of SetWindowsHookEx

Suspicious behavior: AddClipboardFormatListener

Opens file in notepad (likely ransom note)

NTFS ADS

Enumerates system info in registry

Suspicious use of WriteProcessMemory

Checks SCSI registry key(s)

Suspicious behavior: LoadsDriver

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Suspicious use of FindShellTrayWindow

Suspicious use of AdjustPrivilegeToken

Modifies data under HKEY_USERS

Modifies registry class

Uses Volume Shadow Copy service COM API

Suspicious behavior: EnumeratesProcesses

Suspicious use of SendNotifyMessage

Suspicious behavior: GetForegroundWindowSpam

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-08-11 20:01

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-11 20:01

Reported

2024-08-11 20:06

Platform

win10v2004-20240802-en

Max time kernel

277s

Max time network

277s

Command Line

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.virtualbox.org/

Signatures

Downloads MZ/PE file

Drops file in Drivers directory

Description Indicator Process Target
File opened for modification C:\Windows\system32\DRIVERS\VBoxNetLwf.sys C:\Windows\System32\MsiExec.exe N/A
File opened for modification C:\Windows\system32\DRIVERS\VBoxSup.sys C:\Windows\System32\MsiExec.exe N/A
File opened for modification C:\Windows\system32\DRIVERS\VBoxUSBMon.sys C:\Windows\System32\MsiExec.exe N/A
File opened for modification C:\Windows\system32\DRIVERS\SETA62E.tmp C:\Windows\System32\MsiExec.exe N/A
File opened for modification C:\Windows\system32\DRIVERS\SETAB8E.tmp C:\Windows\System32\MsiExec.exe N/A
File created C:\Windows\system32\DRIVERS\SETAB8E.tmp C:\Windows\System32\MsiExec.exe N/A
File opened for modification C:\Windows\system32\DRIVERS\VBoxNetAdp6.sys C:\Windows\System32\MsiExec.exe N/A
File opened for modification C:\Windows\system32\DRIVERS\SET8AD6.tmp C:\Windows\System32\MsiExec.exe N/A
File created C:\Windows\system32\DRIVERS\SET8AD6.tmp C:\Windows\System32\MsiExec.exe N/A
File opened for modification C:\Windows\system32\DRIVERS\SET8C3D.tmp C:\Windows\System32\MsiExec.exe N/A
File created C:\Windows\system32\DRIVERS\SET8C3D.tmp C:\Windows\System32\MsiExec.exe N/A
File created C:\Windows\system32\DRIVERS\SETA62E.tmp C:\Windows\System32\MsiExec.exe N/A

Possible privilege escalation attempt

exploit
Description Indicator Process Target
N/A N/A C:\Windows\system32\takeown.exe N/A
N/A N/A C:\Windows\system32\icacls.exe N/A

Note: this signature matches on the executables alone. No command line is recorded for either process, so the object whose ownership or ACL was changed cannot be determined from this report; the same two executions are listed again under "Modifies file permissions" below.

Event Triggered Execution: Component Object Model Hijacking

persistence privilege_escalation

No indicator rows were recorded for this signature. VirtualBox registers COM classes during installation (VBoxSVC.exe, VBoxSDS.exe and VBoxC.dll are dropped under Program Files, and the overview lists "Modifies registry class"); that registration is the plausible trigger, but no CLSID or registry path is recorded, so the signature can be neither confirmed nor refuted from this page.

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\System32\MsiExec.exe N/A
N/A N/A C:\Windows\System32\MsiExec.exe N/A
N/A N/A C:\Windows\System32\MsiExec.exe N/A
N/A N/A C:\Windows\System32\MsiExec.exe N/A
N/A N/A C:\Windows\System32\MsiExec.exe N/A
N/A N/A C:\Windows\System32\MsiExec.exe N/A
N/A N/A C:\Windows\System32\MsiExec.exe N/A
N/A N/A C:\Windows\System32\MsiExec.exe N/A
N/A N/A C:\Windows\System32\MsiExec.exe N/A
N/A N/A C:\Windows\System32\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\System32\MsiExec.exe N/A
N/A N/A C:\Windows\System32\MsiExec.exe N/A
N/A N/A C:\Windows\System32\MsiExec.exe N/A
N/A N/A C:\Windows\System32\MsiExec.exe N/A
N/A N/A C:\Windows\System32\MsiExec.exe N/A
N/A N/A C:\Windows\System32\MsiExec.exe N/A
N/A N/A C:\Windows\System32\MsiExec.exe N/A
N/A N/A C:\Windows\System32\MsiExec.exe N/A
N/A N/A C:\Windows\System32\MsiExec.exe N/A
N/A N/A C:\Windows\System32\MsiExec.exe N/A
N/A N/A C:\Windows\System32\MsiExec.exe N/A
N/A N/A C:\Windows\System32\MsiExec.exe N/A
N/A N/A C:\Windows\System32\MsiExec.exe N/A
N/A N/A C:\Program Files\Oracle\VirtualBox\VirtualBox.exe N/A
N/A N/A C:\Program Files\Oracle\VirtualBox\VirtualBox.exe N/A
N/A N/A C:\Program Files\Oracle\VirtualBox\VirtualBox.exe N/A
N/A N/A C:\Program Files\Oracle\VirtualBox\VirtualBox.exe N/A
N/A N/A C:\Program Files\Oracle\VirtualBox\VirtualBox.exe N/A
N/A N/A C:\Program Files\Oracle\VirtualBox\VirtualBox.exe N/A
N/A N/A C:\Program Files\Oracle\VirtualBox\VirtualBox.exe N/A
N/A N/A C:\Program Files\Oracle\VirtualBox\VirtualBox.exe N/A
N/A N/A C:\Program Files\Oracle\VirtualBox\VirtualBox.exe N/A
N/A N/A C:\Program Files\Oracle\VirtualBox\VirtualBox.exe N/A
N/A N/A C:\Program Files\Oracle\VirtualBox\VirtualBox.exe N/A
N/A N/A C:\Program Files\Oracle\VirtualBox\VirtualBox.exe N/A
N/A N/A C:\Program Files\Oracle\VirtualBox\VBoxSVC.exe N/A
N/A N/A C:\Program Files\Oracle\VirtualBox\VBoxSVC.exe N/A
N/A N/A C:\Program Files\Oracle\VirtualBox\VBoxSDS.exe N/A
N/A N/A C:\Program Files\Oracle\VirtualBox\VBoxSDS.exe N/A
N/A N/A C:\Program Files\Oracle\VirtualBox\VBoxSVC.exe N/A
N/A N/A C:\Program Files\Oracle\VirtualBox\VirtualBoxVM.exe N/A
N/A N/A C:\Program Files\Oracle\VirtualBox\VirtualBoxVM.exe N/A
N/A N/A C:\Program Files\Oracle\VirtualBox\VirtualBoxVM.exe N/A
N/A N/A C:\Program Files\Oracle\VirtualBox\VirtualBoxVM.exe N/A
N/A N/A C:\Program Files\Oracle\VirtualBox\VirtualBoxVM.exe N/A
N/A N/A C:\Program Files\Oracle\VirtualBox\VirtualBoxVM.exe N/A
N/A N/A C:\Program Files\Oracle\VirtualBox\VirtualBoxVM.exe N/A
N/A N/A C:\Program Files\Oracle\VirtualBox\VirtualBoxVM.exe N/A
N/A N/A C:\Program Files\Oracle\VirtualBox\VirtualBoxVM.exe N/A
N/A N/A C:\Program Files\Oracle\VirtualBox\VirtualBoxVM.exe N/A
N/A N/A C:\Program Files\Oracle\VirtualBox\VirtualBoxVM.exe N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\system32\takeown.exe N/A
N/A N/A C:\Windows\system32\icacls.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\H: C:\Users\Admin\Downloads\VirtualBox-7.0.20-163906-Win.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\Downloads\VirtualBox-7.0.20-163906-Win.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\Downloads\VirtualBox-7.0.20-163906-Win.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\Downloads\VirtualBox-7.0.20-163906-Win.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\Downloads\VirtualBox-7.0.20-163906-Win.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Users\Admin\Downloads\VirtualBox-7.0.20-163906-Win.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\Downloads\VirtualBox-7.0.20-163906-Win.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\Downloads\VirtualBox-7.0.20-163906-Win.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\Downloads\VirtualBox-7.0.20-163906-Win.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\Downloads\VirtualBox-7.0.20-163906-Win.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\Downloads\VirtualBox-7.0.20-163906-Win.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\Downloads\VirtualBox-7.0.20-163906-Win.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\Downloads\VirtualBox-7.0.20-163906-Win.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\Downloads\VirtualBox-7.0.20-163906-Win.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\Downloads\VirtualBox-7.0.20-163906-Win.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\Downloads\VirtualBox-7.0.20-163906-Win.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\Downloads\VirtualBox-7.0.20-163906-Win.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\Downloads\VirtualBox-7.0.20-163906-Win.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\Downloads\VirtualBox-7.0.20-163906-Win.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\Downloads\VirtualBox-7.0.20-163906-Win.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\Downloads\VirtualBox-7.0.20-163906-Win.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\Downloads\VirtualBox-7.0.20-163906-Win.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\Downloads\VirtualBox-7.0.20-163906-Win.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A

Note: between them, the downloaded installer and msiexec.exe open every drive letter from A: to Z: except C:, D: and F:. This is a full drive-letter sweep rather than access to one specific volume.

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\system32\DRVSTORE\VBoxSup_555BF96062BAD5F61973AF420575FECDF748F53D\VBoxSup.inf C:\Windows\System32\MsiExec.exe N/A
File created C:\Windows\System32\DriverStore\Temp\{f37cb4de-08a7-fa4f-887f-97565570a683}\SET8D39.tmp C:\Windows\system32\DrvInst.exe N/A
File created C:\Windows\System32\DriverStore\Temp\{12f8d538-2030-f84f-a11e-292dbd3243ac}\SETA4E6.tmp C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\DriverStore\Temp\{12f8d538-2030-f84f-a11e-292dbd3243ac}\SETA4F7.tmp C:\Windows\system32\DrvInst.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\vboxnetlwf.inf_amd64_eb4066015771f3db\vboxnetlwf.PNF C:\Windows\System32\MsiExec.exe N/A
File opened for modification C:\Windows\System32\DriverStore\Temp\{f37cb4de-08a7-fa4f-887f-97565570a683}\VBoxUSB.cat C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\vboxusb.inf_amd64_a9022bf4ead6c18b\VBoxUSB.inf C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\vboxnetadp6.inf_amd64_7417ee86f5328abf\VBoxNetAdp6.sys C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\DriverStore\Temp\{f37cb4de-08a7-fa4f-887f-97565570a683} C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\vboxnetadp6.inf_amd64_7417ee86f5328abf\VBoxNetAdp6.inf C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\DriverStore\Temp\{0aa98a98-0aa3-8146-a5e9-978be9e4cd9e} C:\Windows\system32\DrvInst.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\netrass.inf_amd64_7f701cb29b5389d3\netrass.PNF C:\Windows\System32\MsiExec.exe N/A
File created C:\Windows\system32\DRVSTORE\VBoxUSBMon_868224FB61115FF0B90F68D1722423187EB14CFE\VBoxUSBMon.cat C:\Windows\System32\MsiExec.exe N/A
File created C:\Windows\system32\DRVSTORE\VBoxUSBMon_868224FB61115FF0B90F68D1722423187EB14CFE\VBoxUSBMon.sys C:\Windows\System32\MsiExec.exe N/A
File created C:\Windows\System32\DriverStore\Temp\{f37cb4de-08a7-fa4f-887f-97565570a683}\SET8D28.tmp C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\vboxusb.inf_amd64_a9022bf4ead6c18b\VBoxUSB.cat C:\Windows\system32\DrvInst.exe N/A
File created C:\Windows\System32\DriverStore\Temp\{12f8d538-2030-f84f-a11e-292dbd3243ac}\SETA4F7.tmp C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\DriverStore\Temp\{0aa98a98-0aa3-8146-a5e9-978be9e4cd9e}\VBoxNetLwf.sys C:\Windows\system32\DrvInst.exe N/A
File created C:\Windows\system32\DRVSTORE\VBoxSup_555BF96062BAD5F61973AF420575FECDF748F53D\VBoxSup.inf C:\Windows\System32\MsiExec.exe N/A
File created C:\Windows\System32\DriverStore\drvstore.tmp C:\Windows\system32\DrvInst.exe N/A
File created C:\Windows\system32\config\systemprofile\AppData\Roaming\VirtualBox\VBoxSDS.log C:\Program Files\Oracle\VirtualBox\VBoxSDS.exe N/A
File created C:\Windows\System32\DriverStore\Temp\{0aa98a98-0aa3-8146-a5e9-978be9e4cd9e}\SETA9C8.tmp C:\Windows\system32\DrvInst.exe N/A
File created C:\Windows\System32\DriverStore\Temp\{0aa98a98-0aa3-8146-a5e9-978be9e4cd9e}\SETA9CA.tmp C:\Windows\system32\DrvInst.exe N/A
File created C:\Windows\system32\DRVSTORE\VBoxSup_555BF96062BAD5F61973AF420575FECDF748F53D\VBoxSup.cat C:\Windows\System32\MsiExec.exe N/A
File created C:\Windows\system32\DRVSTORE\VBoxSup_555BF96062BAD5F61973AF420575FECDF748F53D\VBoxSup.sys C:\Windows\System32\MsiExec.exe N/A
File opened for modification C:\Windows\System32\DriverStore\Temp\{f37cb4de-08a7-fa4f-887f-97565570a683}\SET8D38.tmp C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\CatRoot2\dberr.txt C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\DriverStore\Temp\{12f8d538-2030-f84f-a11e-292dbd3243ac}\VBoxNetAdp6.inf C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\DriverStore\Temp\{0aa98a98-0aa3-8146-a5e9-978be9e4cd9e}\SETA9C8.tmp C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\system32\DRVSTORE C:\Windows\System32\MsiExec.exe N/A
File opened for modification C:\Windows\System32\DriverStore\Temp\{12f8d538-2030-f84f-a11e-292dbd3243ac}\VBoxNetAdp6.cat C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\CatRoot2\dberr.txt C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\DriverStore\Temp\{12f8d538-2030-f84f-a11e-292dbd3243ac}\VBoxNetAdp6.sys C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\DriverStore\Temp\{12f8d538-2030-f84f-a11e-292dbd3243ac} C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\DriverStore\Temp\{f37cb4de-08a7-fa4f-887f-97565570a683}\SET8D39.tmp C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\vboxnetlwf.inf_amd64_eb4066015771f3db\VBoxNetLwf.cat C:\Windows\system32\DrvInst.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\netbrdg.inf_amd64_8a737d38f201aeb1\netbrdg.PNF C:\Windows\System32\MsiExec.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\netserv.inf_amd64_73adce5afe861093\netserv.PNF C:\Windows\System32\MsiExec.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\netnb.inf_amd64_0dc913ad00b14824\netnb.PNF C:\Windows\System32\MsiExec.exe N/A
File created C:\Windows\System32\DriverStore\Temp\{f37cb4de-08a7-fa4f-887f-97565570a683}\SET8D38.tmp C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\vboxnetadp6.inf_amd64_7417ee86f5328abf\VBoxNetAdp6.cat C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\DriverStore\Temp\{0aa98a98-0aa3-8146-a5e9-978be9e4cd9e}\SETA9CA.tmp C:\Windows\system32\DrvInst.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\netnwifi.inf_amd64_a2bfd066656fe297\netnwifi.PNF C:\Windows\System32\MsiExec.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\vboxusb.inf_amd64_a9022bf4ead6c18b\VBoxUSB.sys C:\Windows\system32\DrvInst.exe N/A
File created C:\Windows\System32\DriverStore\drvstore.tmp C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\DriverStore\Temp\{0aa98a98-0aa3-8146-a5e9-978be9e4cd9e}\SETA9C9.tmp C:\Windows\system32\DrvInst.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\wfpcapture.inf_amd64_54cf91ab0e4c9ac2\wfpcapture.PNF C:\Windows\System32\MsiExec.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\netvwififlt.inf_amd64_c5e19aab2305f37f\netvwififlt.PNF C:\Windows\System32\MsiExec.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\netpacer.inf_amd64_7d294c7fa012d315\netpacer.PNF C:\Windows\System32\MsiExec.exe N/A
File opened for modification C:\Windows\System32\DriverStore\Temp\{f37cb4de-08a7-fa4f-887f-97565570a683}\VBoxUSB.inf C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\DriverStore\Temp\{0aa98a98-0aa3-8146-a5e9-978be9e4cd9e}\VBoxNetLwf.cat C:\Windows\system32\DrvInst.exe N/A
File created C:\Windows\System32\DriverStore\Temp\{0aa98a98-0aa3-8146-a5e9-978be9e4cd9e}\SETA9C9.tmp C:\Windows\system32\DrvInst.exe N/A
File created C:\Windows\System32\DriverStore\drvstore.tmp C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\vboxnetlwf.inf_amd64_eb4066015771f3db\VBoxNetLwf.sys C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\vboxnetlwf.inf_amd64_eb4066015771f3db\VBoxNetLwf.inf C:\Windows\system32\DrvInst.exe N/A
File created C:\Windows\System32\DriverStore\Temp\{12f8d538-2030-f84f-a11e-292dbd3243ac}\SETA4E7.tmp C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\CatRoot2\dberr.txt C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\CatRoot2\dberr.txt C:\Windows\System32\MsiExec.exe N/A
File created C:\Windows\system32\DRVSTORE\VBoxUSBMon_868224FB61115FF0B90F68D1722423187EB14CFE\VBoxUSBMon.inf C:\Windows\System32\MsiExec.exe N/A
File opened for modification C:\Windows\System32\DriverStore\Temp\{f37cb4de-08a7-fa4f-887f-97565570a683}\SET8D28.tmp C:\Windows\system32\DrvInst.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\vboxusb.inf_amd64_a9022bf4ead6c18b\VBoxUSB.PNF C:\Windows\System32\MsiExec.exe N/A
File opened for modification C:\Windows\System32\DriverStore\Temp\{12f8d538-2030-f84f-a11e-292dbd3243ac}\SETA4E6.tmp C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\DriverStore\Temp\{12f8d538-2030-f84f-a11e-292dbd3243ac}\SETA4E7.tmp C:\Windows\system32\DrvInst.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\ndiscap.inf_amd64_a009d240f9b4a192\ndiscap.PNF C:\Windows\System32\MsiExec.exe N/A
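A triage helper for the flattened indicator tables on this page (added example; not part of the sandbox report and not VirtualBox code). It parses the "Description Indicator Process Target" rows, lists write operations under driver directories per process, checks whether each staged driver has its .inf/.cat/.sys triple, and summarises the drive-letter probes from the "Enumerates connected drives" table. The sample rows are copied from the Drivers-directory, System32 and connected-drives tables above; the directory list and the 20-letter sweep threshold are the editor's assumptions.

```python
"""Triage helper for the flattened "Description Indicator Process Target" rows
of a sandbox report. Added example: the sample rows are copied from the tables
above; the checks are the editor's heuristics, not the sandbox's own."""
import re
from collections import defaultdict, namedtuple

# Description vocabulary used by the tables above; longer strings come first so
# "File opened for modification" is not mistaken for a bare "File opened".
DESCRIPTIONS = (
    "File opened for modification",
    "File opened (read-only)",
    "File created",
    "Key value queried",
    "Key opened",
)
WRITE_OPS = {"File opened for modification", "File created"}
# Assumed list of directories where a dropped file means a driver package.
DRIVER_DIRS = ("\\system32\\drivers\\", "\\driverstore\\", "\\system32\\drvstore\\")
DRIVE_RE = re.compile(r"^\\\?\?\\([A-Z]):$")       # matches \??\H:

Row = namedtuple("Row", "description indicator process target")


def parse_row(line: str):
    """Split one flattened row; returns None for the header or blank lines."""
    line = line.strip()
    desc = next((d for d in DESCRIPTIONS if line.startswith(d + " ")), None)
    if desc is None:
        return None
    rest = line[len(desc) + 1:]
    rest, _, target = rest.rpartition(" ")        # Target is the last token (N/A)
    # Indicators can contain spaces ("C:\Program Files\..."), so the process
    # column is located as the last absolute path instead of by splitting.
    cut = rest.rfind(" C:\\")
    if cut < 0:
        return None
    return Row(desc, rest[:cut], rest[cut + 1:], target)


def parse_report(text: str):
    return [r for r in map(parse_row, text.splitlines()) if r is not None]


def driver_writes(rows):
    """Sorted (process, path) pairs for write operations under driver dirs."""
    return sorted({(r.process, r.indicator) for r in rows
                   if r.description in WRITE_OPS
                   and any(d in r.indicator.lower() for d in DRIVER_DIRS)})


def driver_packages(rows):
    """Map driver stem -> extensions seen. A signed package is the .inf, the
    .cat that carries the signature and the .sys; an incomplete set is worth a look."""
    pkgs = defaultdict(set)
    for r in rows:
        m = re.search(r"\\([^\\]+)\.(sys|inf|cat)$", r.indicator, re.IGNORECASE)
        if m:
            pkgs[m.group(1).lower()].add(m.group(2).lower())
    return dict(pkgs)


def drive_probes(rows):
    """Drive letters each process opened read-only, as a sorted string."""
    letters = defaultdict(set)
    for r in rows:
        m = DRIVE_RE.match(r.indicator)
        if m and r.description == "File opened (read-only)":
            letters[r.process].add(m.group(1))
    return {p: "".join(sorted(s)) for p, s in letters.items()}


def looks_like_sweep(letters: str, threshold: int = 20) -> bool:
    """Assumed heuristic: touching most of A: to Z: is an enumeration sweep
    (as both installer processes do above), not access to one known volume."""
    return len(set(letters)) >= threshold


# Constructed input: ten rows copied from the tables above, header included.
SAMPLE = """\
Description Indicator Process Target
File opened for modification C:\\Windows\\system32\\DRIVERS\\VBoxSup.sys C:\\Windows\\System32\\MsiExec.exe N/A
File created C:\\Windows\\system32\\DRIVERS\\SETAB8E.tmp C:\\Windows\\System32\\MsiExec.exe N/A
File created C:\\Windows\\system32\\DRVSTORE\\VBoxSup_555BF96062BAD5F61973AF420575FECDF748F53D\\VBoxSup.inf C:\\Windows\\System32\\MsiExec.exe N/A
File created C:\\Windows\\system32\\DRVSTORE\\VBoxSup_555BF96062BAD5F61973AF420575FECDF748F53D\\VBoxSup.cat C:\\Windows\\System32\\MsiExec.exe N/A
File opened for modification C:\\Windows\\System32\\DriverStore\\FileRepository\\vboxusb.inf_amd64_a9022bf4ead6c18b\\VBoxUSB.inf C:\\Windows\\system32\\DrvInst.exe N/A
File created C:\\Windows\\system32\\config\\systemprofile\\AppData\\Roaming\\VirtualBox\\VBoxSDS.log C:\\Program Files\\Oracle\\VirtualBox\\VBoxSDS.exe N/A
File opened (read-only) \\??\\H: C:\\Users\\Admin\\Downloads\\VirtualBox-7.0.20-163906-Win.exe N/A
File opened (read-only) \\??\\A: C:\\Users\\Admin\\Downloads\\VirtualBox-7.0.20-163906-Win.exe N/A
File opened (read-only) \\??\\Y: C:\\Windows\\system32\\msiexec.exe N/A
Key opened \\REGISTRY\\MACHINE\\SYSTEM\\ControlSet001\\Control\\NLS\\Language C:\\Windows\\syswow64\\MsiExec.exe N/A
"""
ROWS = parse_report(SAMPLE)

if __name__ == "__main__":
    for proc, path in driver_writes(ROWS):
        print(f"driver write  {proc} -> {path}")
    for stem, exts in sorted(driver_packages(ROWS).items()):
        status = "complete" if exts >= {"inf", "cat", "sys"} else "incomplete in sample"
        print(f"package {stem}: {sorted(exts)} ({status})")
    for proc, letters in drive_probes(ROWS).items():
        print(f"drives {proc}: {letters} sweep={looks_like_sweep(letters)}")
```

To run it over the whole report rather than the embedded sample, pass the page text to parse_report; on the full tables above, drive_probes yields 23 letters per process and looks_like_sweep reports the sweep, while driver_packages shows complete .inf/.cat/.sys triples for VBoxSup, VBoxUSBMon, VBoxNetLwf, VBoxNetAdp6 and VBoxUSB.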

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Oracle\VirtualBox\VBoxAuth.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Oracle\VirtualBox\VBoxRT.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Oracle\VirtualBox\UnattendedTemplates\lgw_postinstall.sh C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Oracle\VirtualBox\nls\qt_th.qm C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Oracle\VirtualBox\Qt5CoreVBox.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Oracle\VirtualBox\drivers\vboxsup\VBoxSup.inf C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Oracle\VirtualBox\nls\VirtualBox_ko.qm C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Oracle\VirtualBox\nls\VirtualBox_lt.qm C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Oracle\VirtualBox\drivers\network\netadp6\VBoxNetAdp6.cat C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Oracle\VirtualBox\drivers\network\netlwf\VBoxNetLwf.inf C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Oracle\VirtualBox\VirtualBox.exe C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Oracle\VirtualBox\VirtualBox.VisualElementsManifest.xml C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Oracle\VirtualBox\nls\VirtualBox_ca.qm C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Oracle\VirtualBox\nls\VirtualBox_fa.qm C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Oracle\VirtualBox\nls\VirtualBox_hu.qm C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Oracle\VirtualBox\VBoxSDS.exe C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Oracle\VirtualBox\sdk\install\vboxapisetup.py C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Oracle\VirtualBox\drivers\vboxsup\VBoxSup.cat C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Oracle\VirtualBox\VBoxSupLib.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Oracle\VirtualBox\nls\VirtualBox_da.qm C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Oracle\VirtualBox\nls\VirtualBox_pl.qm C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Oracle\VirtualBox\nls\qt_hu.qm C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Oracle\VirtualBox\nls\qt_ka.qm C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Oracle\VirtualBox\UnattendedTemplates\os2_cid_install.cmd C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Oracle\VirtualBox\UnattendedTemplates\redhat67_ks.cfg C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Oracle\VirtualBox\Qt5OpenGLVBox.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Oracle\VirtualBox\VBoxBalloonCtrl.exe C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Oracle\VirtualBox\VBoxBugReport.exe C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Oracle\VirtualBox\drivers\USB\device\VBoxUSB.cat C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Oracle\VirtualBox\UnattendedTemplates\rhel4_ks.cfg C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Oracle\VirtualBox\License_en_US.rtf C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Oracle\VirtualBox\VBoxSharedClipboard.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Oracle\VirtualBox\nls\qt_tr.qm C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Oracle\VirtualBox\UnattendedTemplates\os2_util.exe C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Oracle\VirtualBox\UnattendedTemplates\rhel5_ks.cfg C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Oracle\VirtualBox\drivers\network\netadp6\VBoxNetAdp6.sys C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Oracle\VirtualBox\VBoxNetNAT.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Oracle\VirtualBox\nls\VirtualBox_id.qm C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Oracle\VirtualBox\nls\VirtualBox_zh_CN.qm C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Oracle\VirtualBox\nls\qt_cs.qm C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Oracle\VirtualBox\UnattendedTemplates\redhat_postinstall.sh C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Oracle\VirtualBox\UnattendedTemplates\rhel3_ks.cfg C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Oracle\VirtualBox\VBoxC.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Oracle\VirtualBox\UnattendedTemplates\debian_postinstall.sh C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Oracle\VirtualBox\Qt5HelpVBox.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Oracle\VirtualBox\Qt5WidgetsVBox.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Oracle\VirtualBox\UnattendedTemplates\debian_preseed.cfg C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Oracle\VirtualBox\UnattendedTemplates\fedora_ks.cfg C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Oracle\VirtualBox\Qt5WinExtrasVBox.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Oracle\VirtualBox\styles\qwindowsvistastyle.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Oracle\VirtualBox\VBoxGuestAdditions.iso C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Oracle\VirtualBox\VBoxGuestControlSvc.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Oracle\VirtualBox\drivers\USB\filter\VBoxUSBMon.inf C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Oracle\VirtualBox\nls\VirtualBox_it.qm C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Oracle\VirtualBox\nls\qt_it.qm C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Oracle\VirtualBox\nls\qt_ja.qm C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Oracle\VirtualBox\sdk\install\vboxapi\__init__.py C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Oracle\VirtualBox\VBoxDTrace.exe C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Oracle\VirtualBox\VBoxHostChannel.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Oracle\VirtualBox\nls\qt_eu.qm C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Oracle\VirtualBox\nls\qt_pt_BR.qm C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Oracle\VirtualBox\UICommon.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Oracle\VirtualBox\drivers\USB\device\VBoxUSB.sys C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Oracle\VirtualBox\nls\VirtualBox_th.qm C:\Windows\system32\msiexec.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Installer\{95DEBF01-7029-4E37-BDB1-94EFEA3B263C}\IconVirtualBox C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\{95DEBF01-7029-4E37-BDB1-94EFEA3B263C}\IconVirtualBox C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\inf\oem4.inf C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\Installer\MSIA969.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\INF\oem0.PNF C:\Windows\System32\MsiExec.exe N/A
File opened for modification C:\Windows\Installer\MSIADB1.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI7CF2.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\INF\setupapi.dev.log C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\Installer\MSI7985.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI8A15.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\INF\setupapi.dev.log C:\Windows\System32\MsiExec.exe N/A
File opened for modification C:\Windows\INF\setupapi.dev.log C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI785A.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI8C97.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\e586f32.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIAC68.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\e586f30.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI7889.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\SourceHash{95DEBF01-7029-4E37-BDB1-94EFEA3B263C} C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\inf\oem5.inf C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\Installer\MSIA4C4.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIA949.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\INF\oem1.PNF C:\Windows\System32\MsiExec.exe N/A
File created C:\Windows\INF\oem3.PNF C:\Windows\System32\MsiExec.exe N/A
File created C:\Windows\INF\oem5.PNF C:\Windows\System32\MsiExec.exe N/A
File opened for modification C:\Windows\Installer\MSI8418.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI8BCB.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\inprogressinstallinfo.ipi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI7C55.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI8476.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\inf\oem3.inf C:\Windows\system32\DrvInst.exe N/A
File created C:\Windows\inf\oem4.inf C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\Installer\MSIADC2.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI782A.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI78D9.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\inf\oem5.inf C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\Installer\e586f30.msi C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\INF\oem2.PNF C:\Windows\System32\MsiExec.exe N/A
File opened for modification C:\Windows\INF\setupapi.dev.log C:\Windows\system32\svchost.exe N/A
File created C:\Windows\inf\oem3.inf C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\INF\setupapi.dev.log C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\Installer\MSI77AC.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\ C:\Windows\system32\msiexec.exe N/A

Browser Information Discovery

discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Downloads\VirtualBox-7.0.20-163906-Win.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\syswow64\MsiExec.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\syswow64\MsiExec.exe N/A

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A C:\Windows\System32\MsiExec.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID C:\Windows\System32\MsiExec.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID C:\Windows\system32\DrvInst.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Phantom C:\Windows\system32\DrvInst.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID C:\Windows\system32\DrvInst.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID C:\Windows\system32\DrvInst.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009 C:\Windows\system32\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\CompatibleIDs C:\Windows\system32\DrvInst.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 C:\Windows\system32\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags C:\Windows\System32\MsiExec.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Phantom C:\Windows\system32\DrvInst.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID C:\Windows\system32\DrvInst.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 C:\Windows\System32\MsiExec.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002 C:\Windows\system32\DrvInst.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 C:\Windows\system32\DrvInst.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\LowerFilters C:\Windows\System32\MsiExec.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\LowerFilters C:\Windows\System32\MsiExec.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000 C:\Windows\system32\DrvInst.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A\ C:\Windows\System32\MsiExec.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\CompatibleIDs C:\Windows\system32\DrvInst.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 C:\Windows\System32\MsiExec.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID C:\Windows\System32\MsiExec.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags C:\Windows\System32\MsiExec.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom C:\Windows\system32\DrvInst.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID C:\Windows\system32\DrvInst.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\CompatibleIDs C:\Windows\System32\MsiExec.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\CompatibleIDs C:\Windows\system32\DrvInst.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\LowerFilters C:\Windows\System32\MsiExec.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom C:\Windows\system32\DrvInst.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Phantom C:\Windows\system32\DrvInst.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009 C:\Windows\system32\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom C:\Windows\system32\DrvInst.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID C:\Windows\system32\DrvInst.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009 C:\Windows\system32\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID C:\Windows\system32\DrvInst.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\UpperFilters C:\Windows\System32\MsiExec.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Phantom C:\Windows\system32\DrvInst.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009 C:\Windows\system32\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs C:\Windows\system32\DrvInst.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\UpperFilters C:\Windows\System32\MsiExec.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\CompatibleIDs C:\Windows\system32\DrvInst.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID C:\Windows\System32\MsiExec.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom C:\Windows\system32\DrvInst.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002 C:\Windows\system32\DrvInst.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Service C:\Windows\System32\MsiExec.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000 C:\Windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002 C:\Windows\System32\MsiExec.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters C:\Windows\system32\vssvc.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Phantom C:\Windows\system32\DrvInst.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Filters C:\Windows\System32\MsiExec.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags C:\Windows\system32\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID C:\Windows\system32\DrvInst.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID C:\Windows\system32\DrvInst.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002 C:\Windows\system32\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID C:\Windows\system32\DrvInst.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID C:\Windows\system32\DrvInst.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Filters C:\Windows\System32\MsiExec.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs C:\Windows\system32\DrvInst.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom C:\Windows\System32\MsiExec.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs C:\Windows\system32\DrvInst.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\CompatibleIDs C:\Windows\system32\DrvInst.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID C:\Windows\system32\DrvInst.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001 C:\Windows\System32\MsiExec.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Service C:\Windows\System32\MsiExec.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\System32\MsiExec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\System32\MsiExec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\System32\MsiExec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\System32\MsiExec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\System32\MsiExec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\System32\MsiExec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\System32\MsiExec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\System32\MsiExec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\System32\MsiExec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\System32\MsiExec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\System32\MsiExec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\System32\MsiExec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\System32\MsiExec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\System32\MsiExec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\System32\MsiExec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\System32\MsiExec.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DFE56449-6989-4002-80CF-3607F377D40C}\ProxyStubClsid32\ = "{0BB3B78C-1807-4249-5BA5-EA42D66AF0BF}" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6B2F98F8-9641-4397-854A-040439D0114B}\TypeLib C:\Program Files\Oracle\VirtualBox\VirtualBox.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{392F1DE4-80E1-4A8A-93A1-67C5F92A838A}\ProxyStubClsid32\ = "{0BB3B78C-1807-4249-5BA5-EA42D66AF0BF}" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{70401EEF-C8E9-466B-9660-45CB3E9979E4}\NumMethods C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{92F21DC0-44DE-1653-B717-2EBF0CA9B664}\ProxyStubClsid32\ = "{0BB3B78C-1807-4249-5BA5-EA42D66AF0BF}" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{726EACA9-091E-41B4-BCA6-355EFE864107}\TypeLib\Version = "1.3" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\.ovf C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{83795A4C-FCE1-11EA-8A17-636028AE0BE2} C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9EA9227C-E9BB-49B3-BFC7-C5171E93EF38}\TypeLib\ = "{D7569351-1750-46F0-936E-BD127D5BC264}" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Interface\{5045C372-2E8F-4D9E-AD9D-121AB1661146}\TypeLib C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F4D803B4-9B2D-4377-BFE6-9702E881516B}\TypeLib\Version = "1.3" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{45587218-4289-EF4E-8E6A-E5B07816B631}\ProxyStubClsid32\ = "{0BB3B78C-1807-4249-5BA5-EA42D66AF0BF}" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Interface\{6A5E65BA-EEB9-11EA-AE38-73242BC0F172}\ProxyStubClsid32 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Interface\{A6DCF6E8-416B-4181-8C4A-45EC95177AEF}\NumMethods C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7682D5EB-F00E-44F1-8CA2-99D08B1CD607}\TypeLib C:\Program Files\Oracle\VirtualBox\VirtualBox.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{101AE042-1A29-4A19-92CF-02285773F3B5} C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{ABE94809-2E88-4436-83D7-50F3E64D0503}\ = "IMachineDataChangedEvent" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{EA05E40C-CB31-423B-B3B7-A5B19300F40C}\ProxyStubClsid32 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6620DB85-44E0-CA69-E9E0-D4907CECCBE5}\ProxyStubClsid32\ = "{0BB3B78C-1807-4249-5BA5-EA42D66AF0BF}" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Interface\{6DDEF35E-4737-457B-99FC-BC52C851A44F}\NumMethods C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DDCA7247-BF98-47FB-AB2F-B5177533F493}\ProxyStubClsid32\ = "{0BB3B78C-1807-4249-5BA5-EA42D66AF0BF}" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{67099191-32E7-4F6C-85EE-422304C71B90}\TypeLib\Version = "1.3" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FF5BEFC3-4BA3-7903-2AA4-43988BA11554}\ = "IDnDTarget" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{0CA2ADBA-8F30-401B-A8CD-FE31DBE839C0}\ProxyStubClsid32 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{EA05E40C-CB31-423B-B3B7-A5B19300F40C}\NumMethods C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{F9B9E1CF-CB63-47A1-84FB-02C4894B89A9}\ProxyStubClsid32 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Interface\{455F8C45-44A0-A470-BA20-27890B96DBA9}\TypeLib C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6CC49055-DAD4-4496-85CF-3F76BCB3B5FA}\NumMethods\ = "30" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DD3E2654-A161-41F1-B583-4892F4A9D5D5}\ProxyStubClsid32\ = "{0BB3B78C-1807-4249-5BA5-EA42D66AF0BF}" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Interface\{E54F6256-97A7-4947-8A78-10C013DDF4B8}\NumMethods C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{392F1DE4-80E1-4A8A-93A1-67C5F92A838A}\ = "ICertificate" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{C8ADB7B0-057D-4391-B928-F14B06B710C5} C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F01E8B48-F44D-42CC-8A83-512F6A8552F1}\ProxyStubClsid32\ = "{0BB3B78C-1807-4249-5BA5-EA42D66AF0BF}" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Interface\{883DD18B-0721-4CDE-867C-1A82ABAF914C} C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\VirtualBox.VirtualBoxClient.1\CLSID C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{01ADB2D6-AEDF-461C-BE2C-99E91BDAD8A1}\ProxyStubClsid32\ = "{0BB3B78C-1807-4249-5BA5-EA42D66AF0BF}" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{4A773393-7A8C-4D57-B228-9ADE4049A81F} C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{2A88033D-82DB-4AC2-97B5-E786C839420E}\TypeLib C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{A443DA5B-AA82-4720-BC84-BD097B2B13B8} C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{B14290AD-CD54-400C-B858-797BCB82570E}\TypeLib\Version = "1.3" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Interface\{11BE93C7-A862-4DC9-8C89-BF4BA74A886A}\NumMethods C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C19073DD-CC7B-431B-98B2-951FDA8EAB89}\ProxyStubClsid32 C:\Program Files\Oracle\VirtualBox\VirtualBox.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{101AE042-1A29-4A19-92CF-02285773F3B5}\NumMethods C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{179F8647-319C-4E7E-8150-C5837BD265F6}\ = "IGuestMouseEvent" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{181DFB55-394D-44D3-9EDB-AF2C4472C40A}\NumMethods C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{ABEF51AE-1493-49F4-AA03-EFAF106BF086}\NumMethods C:\Program Files\Oracle\VirtualBox\VirtualBox.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{83795a4c-fce1-11ea-8a17-636028ae0be2} C:\Program Files\Oracle\VirtualBox\VirtualBox.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3DB2AB1A-6CF7-42F1-8BF5-E1C0553E0B30}\ProxyStubClsid32 C:\Program Files\Oracle\VirtualBox\VirtualBox.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Interface\{788B87DF-7708-444B-9EEF-C116CE423D39}\TypeLib C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{179F8647-319C-4E7E-8150-C5837BD265F6}\TypeLib C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{392F1DE4-80E1-4A8A-93A1-67C5F92A838A}\NumMethods\ = "44" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6A5E65BA-EEB9-11EA-AE38-73242BC0F172}\TypeLib\Version = "1.3" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{d7569351-1750-46f0-936e-bd127d5bc264} C:\Program Files\Oracle\VirtualBox\VirtualBox.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C40C2B86-73A5-46CC-8227-93FE57D006A6}\TypeLib C:\Program Files\Oracle\VirtualBox\VirtualBox.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FF58A51D-54A1-411C-93E9-3047EB4DCD21}\NumMethods C:\Program Files\Oracle\VirtualBox\VirtualBox.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{243829CB-15B7-42A4-8664-7AA4E34993DA}\ = "IUpdateAgentAvailableEvent" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{966303D0-36A8-4180-8971-18650B0D1055} C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{24EEF068-C380-4510-BC7C-19314A7352F1}\NumMethods\ = "21" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Interface\{A0A7F210-B857-4468-BE26-C29F36A84345}\ProxyStubClsid32 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Interface\{AAC6C7CB-A371-4C58-AB51-0616896B2F2C}\NumMethods C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D70F7915-DA7C-44C8-A7AC-9F173490446A}\NumMethods\ = "13" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{DFE56449-6989-4002-80CF-3607F377D40C}\TypeLib\ = "{D7569351-1750-46F0-936E-BD127D5BC264}" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{DFE56449-6989-4002-80CF-3607F377D40C}\NumMethods C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Interface\{0FE2DA40-5637-472A-9736-72019EABD7DE}\ProxyStubClsid32 C:\Windows\system32\msiexec.exe N/A
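
The Process column is the quickest way to read the four registry tables above. Every Enum\SCSI read and every key created under \REGISTRY\USER\.DEFAULT\...\SystemCertificates is attributed to DrvInst.exe, MsiExec.exe, svchost.exe or vssvc.exe, which are Windows' own driver-installation, service-host and Volume Shadow Copy processes, and the COM Interface/TypeLib registrations under HKLM\SOFTWARE\Classes are written by msiexec.exe; the downloaded VirtualBox-7.0.20-163906-Win.exe itself appears in these tables only for the NLS\Language read. Two details deserve a note: the Ven_QEMU and Msft Virtual DVD-ROM device instances identify the analysis VM's own hardware rather than anything the sample did, and HKU\.DEFAULT is the profile hive of the LocalSystem account, so CryptoAPI creating empty certificate-store keys there is what happens the first time a SYSTEM-context process opens a certificate store. The script below is an added example (not the sandbox's tooling and not VirtualBox code) that parses rows in the report's own layout and applies those rules; it lower-cases process paths because System32\MsiExec.exe and system32\msiexec.exe in the tables are the same binary. The sample rows are copied from the tables above; CONTRAST_ROW, with its SID, CLSID, DLL and example.exe path, is hypothetical and constructed only to show the user-hive COM write shape that the HKLM registrations in this report are not.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in the report's "Description Indicator Process" layout (the Target
# column is N/A throughout this report and is dropped). Paths are copied from the tables.
SAMPLE_ROWS = [
    ("Key value queried",
     r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID",
     r"C:\Windows\system32\DrvInst.exe"),
    ("Key opened",
     r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000",
     r"C:\Windows\System32\MsiExec.exe"),
    ("Key value queried",
     r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID",
     r"C:\Windows\System32\MsiExec.exe"),
    ("Key value queried",
     r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer",
     r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"),
    ("Key created",
     r"\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates",
     r"C:\Windows\system32\DrvInst.exe"),
    ("Set value (str)",
     r'\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DFE56449-6989-4002-80CF-3607F377D40C}\ProxyStubClsid32\ = "{0BB3B78C-1807-4249-5BA5-EA42D66AF0BF}"',
     r"C:\Windows\system32\msiexec.exe"),
    ("Key opened",
     r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language",
     r"C:\Users\Admin\Downloads\VirtualBox-7.0.20-163906-Win.exe"),
]
# Hypothetical contrast row (NOT from the report): the same COM key shape under a user hive,
# which shadows the HKLM registration for that user and is the classic COM-hijack location.
CONTRAST_ROW = ("Set value (str)",
                r"\REGISTRY\USER\S-1-5-21-1000-2000-3000-1001\Software\Classes\CLSID"
                r'\{00000000-0000-0000-0000-000000000000}\InprocServer32\ = "C:\evil.dll"',
                r"C:\Users\Admin\AppData\Local\Temp\example.exe")

SCSI_RE = re.compile(r"\\Enum\\SCSI\\(?P<cls>[^&\\]+)&Ven_(?P<ven>[^&\\]+)&Prod_(?P<prod>[^\\]+)",
                     re.IGNORECASE)
COM_RE = re.compile(r"^\\REGISTRY\\(?P<hive>MACHINE|USER)\\.*?\\Classes\\(?:WOW6432Node\\)?"
                    r"(?:Interface|CLSID|TypeLib)\\\{[0-9A-F-]{36}\}", re.IGNORECASE)
CERTSTORE_RE = re.compile(r"^\\REGISTRY\\USER\\\.DEFAULT\\Software\\(?:Policies\\)?Microsoft\\SystemCertificates",
                          re.IGNORECASE)
STRONG_VM_VENDORS = ("QEMU", "VBOX", "VMWARE")   # strings only a hypervisor presents
WEAK_VM_MARKERS = ("VIRTUAL",)                   # also seen for a mounted ISO on real hardware
OS_INSTALL_COMPONENTS = {"drvinst.exe", "msiexec.exe", "svchost.exe", "vssvc.exe"}


def classify(path):
    """Map one registry indicator path to a category plus details."""
    m = SCSI_RE.search(path)
    if m:
        ven, prod = m["ven"].upper(), m["prod"].upper()
        if ven in STRONG_VM_VENDORS or any(v in prod for v in STRONG_VM_VENDORS):
            marker = "strong"
        elif any(w in prod for w in WEAK_VM_MARKERS):
            marker = "weak"
        else:
            marker = "none"
        return "scsi_enum", {"device": f"{m['cls']}/{m['ven']}/{m['prod']}", "vm_marker": marker}
    if "\\HARDWARE\\DESCRIPTION\\SYSTEM\\BIOS" in path.upper():
        return "firmware_fingerprint", {"value": path.rsplit("\\", 1)[-1]}
    if CERTSTORE_RE.match(path):
        # HKU\.DEFAULT is the LocalSystem profile; CryptoAPI creates these store keys on first use.
        return "certstore_init", {"profile": ".DEFAULT"}
    m = COM_RE.match(path)
    if m:
        hive = m["hive"].upper()
        # Machine-hive registration is what installers do; the user hive is the hijack location.
        return "com_registration", {"hive": hive, "hijack_candidate": hive == "USER"}
    if path.upper().endswith("\\CONTROL\\NLS\\LANGUAGE"):
        return "locale_check", {}
    return "other", {}


def summarize(rows):
    """Per-process category counts, hypervisor-revealing devices, and user-hive COM writes."""
    per_process = defaultdict(Counter)
    vm_devices = defaultdict(set)
    hijack_candidates = []
    for _op, path, proc in rows:
        proc = proc.lower()          # Windows paths are case-insensitive; the report mixes case
        cat, detail = classify(path)
        per_process[proc][cat] += 1
        if cat == "scsi_enum" and detail["vm_marker"] != "none":
            vm_devices[proc].add((detail["device"], detail["vm_marker"]))
        if cat == "com_registration" and detail["hijack_candidate"]:
            hijack_candidates.append((proc, path))
    return {"per_process": dict(per_process), "vm_devices": dict(vm_devices),
            "com_hijack_candidates": hijack_candidates}


def vm_marker_readers(summary):
    """Split processes that read hypervisor-revealing SCSI keys into Windows' own
    driver-install/VSS components and everything else (the part worth a second look)."""
    os_side, other = set(), set()
    for proc in summary["vm_devices"]:
        (os_side if proc.rsplit("\\", 1)[-1] in OS_INSTALL_COMPONENTS else other).add(proc)
    return os_side, other


if __name__ == "__main__":
    s = summarize(SAMPLE_ROWS)
    for proc, cats in s["per_process"].items():
        print(proc, dict(cats))
    print("hypervisor markers read by (os components, others):", vm_marker_readers(s))
    print("user-hive COM writes in contrast row:", summarize([CONTRAST_ROW])["com_hijack_candidates"])
```

Run against the rows above, every hypervisor-revealing read lands on the OS-component side and the COM-hijack list stays empty; only the constructed CONTRAST_ROW produces a hijack candidate.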

NTFS ADS

Description Indicator Process Target
File opened for modification C:\Users\Admin\Downloads\Unconfirmed 802994.crdownload:SmartScreen C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Opens file in notepad (likely ransom note)

ransomware

Description Indicator Process Target
N/A N/A C:\Windows\System32\NOTEPAD.EXE N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files\Oracle\VirtualBox\VirtualBox.exe N/A
N/A N/A C:\Program Files\Oracle\VirtualBox\VirtualBoxVM.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files\Oracle\VirtualBox\VirtualBox.exe N/A
N/A N/A C:\Program Files\Oracle\VirtualBox\VirtualBoxVM.exe N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken
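
Two things stand out in the rows that follow: the same privilege is listed several times for VirtualBox-7.0.20-163906-Win.exe (SeIncreaseQuotaPrivilege, SeShutdownPrivilege, SeCreateTokenPrivilege and others recur), and the distinct names cover most of the privilege set Windows defines. That is the "enable everything the token holds" pattern, and it comes with one caveat: AdjustTokenPrivileges can only enable privileges already present in the caller's token, it cannot add any, so these rows record what the process asked for, not what it obtained, and whether any call came back ERROR_NOT_ALL_ASSIGNED is not something this report shows. The script below is an added example, not part of the report or of VirtualBox, that deduplicates rows in the report's "Token: <name> N/A <process> N/A" layout, maps the abbreviated spellings this table uses (SeIncBasePriorityPrivilege, SeProfSingleProcessPrivilege) onto the winnt.h names, and separates the high-impact privileges from the rest. The sample rows are constructed from the distinct privilege names in the table, with two of its duplicates repeated; the 20-privilege threshold for flagging a blanket request is a heuristic of this example, not a Windows or sandbox constant.

```python
import re
from collections import defaultdict

# Privilege names as defined in winnt.h (the SE_*_NAME constants).
KNOWN = {
    "SeAssignPrimaryTokenPrivilege", "SeAuditPrivilege", "SeBackupPrivilege",
    "SeChangeNotifyPrivilege", "SeCreateGlobalPrivilege", "SeCreatePagefilePrivilege",
    "SeCreatePermanentPrivilege", "SeCreateSymbolicLinkPrivilege", "SeCreateTokenPrivilege",
    "SeDebugPrivilege", "SeDelegateSessionUserImpersonatePrivilege", "SeEnableDelegationPrivilege",
    "SeImpersonatePrivilege", "SeIncreaseBasePriorityPrivilege", "SeIncreaseQuotaPrivilege",
    "SeIncreaseWorkingSetPrivilege", "SeLoadDriverPrivilege", "SeLockMemoryPrivilege",
    "SeMachineAccountPrivilege", "SeManageVolumePrivilege", "SeProfileSingleProcessPrivilege",
    "SeRelabelPrivilege", "SeRemoteShutdownPrivilege", "SeRestorePrivilege", "SeSecurityPrivilege",
    "SeShutdownPrivilege", "SeSyncAgentPrivilege", "SeSystemEnvironmentPrivilege",
    "SeSystemProfilePrivilege", "SeSystemtimePrivilege", "SeTakeOwnershipPrivilege", "SeTcbPrivilege",
    "SeTimeZonePrivilege", "SeTrustedCredManAccessPrivilege", "SeUndockPrivilege",
    "SeUnsolicitedInputPrivilege",
}
# Abbreviated spellings that appear in the table above, mapped to the winnt.h names.
ALIASES = {
    "SeIncBasePriorityPrivilege": "SeIncreaseBasePriorityPrivilege",
    "SeProfSingleProcessPrivilege": "SeProfileSingleProcessPrivilege",
}
# Privileges that are escalation primitives on their own (debug, token forging, driver load,
# ownership/backup/restore bypass of ACLs, impersonation).
HIGH_IMPACT = {
    "SeDebugPrivilege", "SeTcbPrivilege", "SeLoadDriverPrivilege", "SeCreateTokenPrivilege",
    "SeAssignPrimaryTokenPrivilege", "SeTakeOwnershipPrivilege", "SeRestorePrivilege",
    "SeBackupPrivilege", "SeImpersonatePrivilege", "SeRelabelPrivilege",
    "SeTrustedCredManAccessPrivilege",
}

# Constructed sample: the distinct names the table lists for the installer, in the report's
# row layout, plus two of the duplicates the table shows and the single msiexec.exe row.
VB = r"C:\Users\Admin\Downloads\VirtualBox-7.0.20-163906-Win.exe"
MSI = r"C:\Windows\system32\msiexec.exe"
VB_PRIVS = (
    "SeShutdownPrivilege SeIncreaseQuotaPrivilege SeCreateTokenPrivilege SeAssignPrimaryTokenPrivilege "
    "SeLockMemoryPrivilege SeMachineAccountPrivilege SeTcbPrivilege SeSecurityPrivilege "
    "SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeSystemProfilePrivilege SeSystemtimePrivilege "
    "SeProfSingleProcessPrivilege SeIncBasePriorityPrivilege SeCreatePagefilePrivilege "
    "SeCreatePermanentPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege "
    "SeSystemEnvironmentPrivilege SeChangeNotifyPrivilege SeRemoteShutdownPrivilege SeUndockPrivilege "
    "SeSyncAgentPrivilege SeEnableDelegationPrivilege SeManageVolumePrivilege SeImpersonatePrivilege "
    "SeCreateGlobalPrivilege"
).split()
SAMPLE_ROWS = "\n".join(
    [f"Token: {p} N/A {VB} N/A" for p in VB_PRIVS + ["SeShutdownPrivilege", "SeIncreaseQuotaPrivilege"]]
    + [f"Token: SeSecurityPrivilege N/A {MSI} N/A"])

ROW_RE = re.compile(r"^Token:\s+(?P<priv>\S+)\s+N/A\s+(?P<proc>.+?)\s+N/A\s*$")


def parse_rows(text):
    """Yield (privilege, process) from rows in the 'Token: <name> N/A <process> N/A' layout."""
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            yield m["priv"], m["proc"]


def analyze(text, blanket_min=20):
    """Per process: distinct privileges requested, the high-impact subset, names not in
    winnt.h, and whether the request looks like 'enable everything the token holds'."""
    requested = defaultdict(set)
    unknown = defaultdict(set)
    for priv, proc in parse_rows(text):
        name = ALIASES.get(priv, priv)
        if name not in KNOWN:
            unknown[proc].add(priv)
        requested[proc].add(name)
    report = {}
    for proc, privs in requested.items():
        report[proc] = {
            "distinct": len(privs),
            "high_impact": sorted(privs & HIGH_IMPACT),
            "unknown": sorted(unknown.get(proc, ())),
            # Dozens of privileges at once is the blanket pattern. AdjustTokenPrivileges cannot
            # grant privileges the token lacks, so this records intent, not a successful escalation.
            "blanket_enable": len(privs) >= blanket_min,
        }
    return report


if __name__ == "__main__":
    for proc, info in analyze(SAMPLE_ROWS).items():
        print(proc, info)
```

The installer row set collapses to 29 distinct privileges, nine of them high-impact, and is flagged as a blanket request; msiexec.exe's single SeSecurityPrivilege row is not. Whether any of those privileges were actually held (and therefore enabled) has to come from the token itself, for example from the process's integrity level and group membership in the process listing, not from this table.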

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Users\Admin\Downloads\VirtualBox-7.0.20-163906-Win.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\Downloads\VirtualBox-7.0.20-163906-Win.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Users\Admin\Downloads\VirtualBox-7.0.20-163906-Win.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\Downloads\VirtualBox-7.0.20-163906-Win.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\Downloads\VirtualBox-7.0.20-163906-Win.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\Downloads\VirtualBox-7.0.20-163906-Win.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Users\Admin\Downloads\VirtualBox-7.0.20-163906-Win.exe N/A
Token: SeTcbPrivilege N/A C:\Users\Admin\Downloads\VirtualBox-7.0.20-163906-Win.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\Downloads\VirtualBox-7.0.20-163906-Win.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\Downloads\VirtualBox-7.0.20-163906-Win.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\Downloads\VirtualBox-7.0.20-163906-Win.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\Downloads\VirtualBox-7.0.20-163906-Win.exe N/A
Token: SeSystemtimePrivilege N/A C:\Users\Admin\Downloads\VirtualBox-7.0.20-163906-Win.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\Downloads\VirtualBox-7.0.20-163906-Win.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\Downloads\VirtualBox-7.0.20-163906-Win.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\Downloads\VirtualBox-7.0.20-163906-Win.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Users\Admin\Downloads\VirtualBox-7.0.20-163906-Win.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\Downloads\VirtualBox-7.0.20-163906-Win.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\Downloads\VirtualBox-7.0.20-163906-Win.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\Downloads\VirtualBox-7.0.20-163906-Win.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Downloads\VirtualBox-7.0.20-163906-Win.exe N/A
Token: SeAuditPrivilege N/A C:\Users\Admin\Downloads\VirtualBox-7.0.20-163906-Win.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Users\Admin\Downloads\VirtualBox-7.0.20-163906-Win.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Users\Admin\Downloads\VirtualBox-7.0.20-163906-Win.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Users\Admin\Downloads\VirtualBox-7.0.20-163906-Win.exe N/A
Token: SeUndockPrivilege N/A C:\Users\Admin\Downloads\VirtualBox-7.0.20-163906-Win.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Users\Admin\Downloads\VirtualBox-7.0.20-163906-Win.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Users\Admin\Downloads\VirtualBox-7.0.20-163906-Win.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\Downloads\VirtualBox-7.0.20-163906-Win.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\Downloads\VirtualBox-7.0.20-163906-Win.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Users\Admin\Downloads\VirtualBox-7.0.20-163906-Win.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A (50 identical rows)
N/A N/A C:\Users\Admin\Downloads\VirtualBox-7.0.20-163906-Win.exe N/A (3 identical rows)
N/A N/A C:\Program Files\Oracle\VirtualBox\VirtualBox.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A (24 identical rows)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2924 wrote to memory of 4208 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (2 identical rows)
PID 2924 wrote to memory of 4256 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (40 identical rows)
PID 2924 wrote to memory of 2412 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (2 identical rows)
PID 2924 wrote to memory of 3540 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (20 identical rows)

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.virtualbox.org/

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x100,0x104,0x108,0xd8,0x10c,0x7ffe15eb46f8,0x7ffe15eb4708,0x7ffe15eb4718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2280,13022630326957514509,130922203101988055,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2288 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2280,13022630326957514509,130922203101988055,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2328 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2280,13022630326957514509,130922203101988055,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2708 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2280,13022630326957514509,130922203101988055,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3364 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2280,13022630326957514509,130922203101988055,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3380 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2280,13022630326957514509,130922203101988055,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5016 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2280,13022630326957514509,130922203101988055,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4172 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2280,13022630326957514509,130922203101988055,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4172 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2280,13022630326957514509,130922203101988055,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5340 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2280,13022630326957514509,130922203101988055,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5348 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2280,13022630326957514509,130922203101988055,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5324 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2280,13022630326957514509,130922203101988055,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5700 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2280,13022630326957514509,130922203101988055,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5544 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2280,13022630326957514509,130922203101988055,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5788 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2280,13022630326957514509,130922203101988055,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6052 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2280,13022630326957514509,130922203101988055,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4708 /prefetch:8

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Users\Admin\Downloads\VirtualBox-7.0.20-163906-Win.exe

"C:\Users\Admin\Downloads\VirtualBox-7.0.20-163906-Win.exe"

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Windows\System32\MsiExec.exe

C:\Windows\System32\MsiExec.exe -Embedding CD59B933DED30352A07FDB0DE7F72D71 C

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\srtasks.exe

C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2

C:\Windows\System32\MsiExec.exe

C:\Windows\System32\MsiExec.exe -Embedding 5F945B9833E0974782E96BB2C96A2AD0

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding 70F675AC64983FC3AAEE3DB4D2F18E65

C:\Windows\System32\MsiExec.exe

C:\Windows\System32\MsiExec.exe -Embedding 6B3F98EA9A0F34936FEB75C751B51515 E Global\MSI0000

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k DcomLaunch -p -s DeviceInstall

C:\Windows\system32\DrvInst.exe

DrvInst.exe "4" "1" "C:\Program Files\Oracle\VirtualBox\drivers\USB\device\VBoxUSB.inf" "9" "48f6bcb47" "000000000000014C" "WinSta0\Default" "000000000000015C" "208" "C:\Program Files\Oracle\VirtualBox\drivers\USB\device"

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding 0919EAE87A69C7FC546BD69D818B9FD4 M Global\MSI0000

C:\Windows\system32\DrvInst.exe

DrvInst.exe "4" "1" "C:\Program Files\Oracle\VirtualBox\drivers\network\netadp6\VBoxNetAdp6.inf" "9" "473b17b7b" "000000000000015C" "WinSta0\Default" "0000000000000100" "208" "C:\Program Files\Oracle\VirtualBox\drivers\network\netadp6"

C:\Windows\system32\DrvInst.exe

DrvInst.exe "4" "1" "C:\Program Files\Oracle\VirtualBox\drivers\network\netlwf\VBoxNetLwf.inf" "9" "431e52bcb" "0000000000000100" "WinSta0\Default" "0000000000000160" "208" "C:\Program Files\Oracle\VirtualBox\drivers\network\netlwf"

C:\Program Files\Oracle\VirtualBox\VirtualBox.exe

"C:\Program Files\Oracle\VirtualBox\VirtualBox.exe"

C:\Program Files\Oracle\VirtualBox\VBoxSVC.exe

"C:\Program Files\Oracle\VirtualBox\VBoxSVC.exe" -Embedding

C:\Program Files\Oracle\VirtualBox\VBoxSDS.exe

"C:\Program Files\Oracle\VirtualBox\VBoxSDS.exe"

C:\Program Files\Oracle\VirtualBox\VirtualBoxVM.exe

"C:\Program Files\Oracle\VirtualBox\VirtualBoxVM.exe" --comment bebe --startvm 698f7c73-bee8-4528-b36a-2cc89e1c9f25 --no-startvm-errormsgbox "--sup-hardening-log=C:\Users\Admin\VirtualBox VMs\bebe\Logs\VBoxHardening.log"

C:\Program Files\Oracle\VirtualBox\VirtualBoxVM.exe

60eaff78-4bdd-042d-2e72-669728efd737-suplib-2ndchild --comment bebe --startvm 698f7c73-bee8-4528-b36a-2cc89e1c9f25 --no-startvm-errormsgbox "--sup-hardening-log=C:\Users\Admin\VirtualBox VMs\bebe\Logs\VBoxHardening.log"

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x49c 0x464

C:\Program Files\Oracle\VirtualBox\VBoxHeadless.exe

"C:\Program Files\Oracle\VirtualBox\VBoxHeadless.exe" --comment bebe --startvm 698f7c73-bee8-4528-b36a-2cc89e1c9f25 --vrde config "--sup-hardening-log=C:\Users\Admin\VirtualBox VMs\bebe\Logs\VBoxHardening.log"

C:\Program Files\Oracle\VirtualBox\VBoxHeadless.exe

60eaff78-4bdd-042d-2e72-669728efd737-suplib-2ndchild --comment bebe --startvm 698f7c73-bee8-4528-b36a-2cc89e1c9f25 --vrde config "--sup-hardening-log=C:\Users\Admin\VirtualBox VMs\bebe\Logs\VBoxHardening.log"

C:\Windows\System32\NOTEPAD.EXE

"C:\Windows\System32\NOTEPAD.EXE" C:\Users\Admin\Desktop\crash.bat

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\Desktop\crash.bat"

C:\Windows\system32\takeown.exe

takeown /f c:\windows\system32\drivers\*

C:\Windows\system32\icacls.exe

icacls c:\windows\system32\drivers\* /grant everyone:(f)
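
The two crash.bat children above, takeown on c:\windows\system32\drivers\* followed by icacls granting Everyone full control, are a pattern worth catching as a pair rather than as two unrelated admin tools. The Python below is an added example written for this page, not code from the sandbox vendor, from the report or from Oracle: it parses takeown and icacls command lines out of process-creation records, raises a finding when a protected directory is seized or opened to a broad principal (including the *S-1-1-0 spelling of Everyone, which a plain string match on the word "everyone" misses), and then correlates the two halves under their common parent. The ProcEvent record shape, the PIDs and the three benign/evasion rows are constructed for illustration; only the two crash.bat command lines and their cmd.exe parent come from the report.

```python
"""Detect the 'seize ownership, then open the ACL' pair shown above:
takeown /f c:\\windows\\system32\\drivers\\*  then
icacls c:\\windows\\system32\\drivers\\* /grant everyone:(f).
Added example for this page, not code from the sandbox or from Oracle.
Records mimic parsed Sysmon EID 1 / Security 4688 events; PIDs and the
rows not taken from the report are constructed."""
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    pid: int
    image: str            # full path of the created process
    cmdline: str
    parent_cmdline: str


# Directories whose ACLs should not be widened by an interactive script.
PROTECTED_PREFIXES = (r"c:\windows\system32", r"c:\windows\syswow64",
                      r"c:\windows\winsxs", r"c:\program files")
# "Everyone-ish" principals by name and by well-known SID: icacls accepts
# *S-1-1-0 for Everyone, which slips past a naive match on the name.
BROAD_PRINCIPALS = {"everyone", "users", "authenticated users", "builtin\\users",
                    "*s-1-1-0", "*s-1-5-32-545", "*s-1-5-11"}
DANGEROUS_RIGHTS = {"f", "m", "w", "d", "wdac", "wo"}   # write/ownership control
INHERITANCE_FLAGS = {"oi", "ci", "io", "np", "i"}


def split_cmdline(cmdline):
    """Split on whitespace but keep quoted runs together, so both
    "C:\\Program Files\\X" and "Authenticated Users":(OI)(CI)RX stay one token."""
    return [t.replace('"', "") for t in re.findall(r'(?:"[^"]*"|\S)+', cmdline)]


def is_protected(path):
    p = path.lower().replace("/", "\\")
    return any(p.startswith(prefix) for prefix in PROTECTED_PREFIXES)


def icacls_grants(tokens):
    """Return [(principal, rights)] for every /grant or /grant:r argument list."""
    grants, i = [], 0
    while i < len(tokens):
        if tokens[i].lower() in ("/grant", "/grant:r"):
            i += 1
            while i < len(tokens) and not tokens[i].startswith("/"):
                principal, _, rights = tokens[i].partition(":")
                letters = {x.lower() for x in re.findall(r"[a-z]+", rights, re.I)}
                grants.append((principal.lower(), letters - INHERITANCE_FLAGS))
                i += 1
        else:
            i += 1
    return grants


def detect(events):
    """One finding per event that seizes ownership of, or grants a broad principal
    write-level rights on, a protected directory (ATT&CK T1222.001)."""
    findings = []
    for ev in events:
        tokens = split_cmdline(ev.cmdline)
        image = ev.image.lower().rsplit("\\", 1)[-1]
        base = {"pid": ev.pid, "parent": ev.parent_cmdline, "technique": "T1222.001"}
        if image == "takeown.exe":
            for j, t in enumerate(tokens[:-1]):          # takeown /f <path> [/f <path> ...]
                if t.lower() == "/f" and is_protected(tokens[j + 1]):
                    findings.append({**base, "rule": "ownership_seizure", "path": tokens[j + 1]})
        elif image == "icacls.exe" and len(tokens) > 1 and is_protected(tokens[1]):
            for principal, rights in icacls_grants(tokens):
                if principal in BROAD_PRINCIPALS and rights & DANGEROUS_RIGHTS:
                    findings.append({**base, "rule": "broad_grant", "path": tokens[1],
                                     "principal": principal, "rights": sorted(rights)})
    return findings


def chains(findings):
    """Parents under which both halves fired: ownership seized, then opened up."""
    by_parent = {}
    for f in findings:
        by_parent.setdefault(f["parent"], set()).add(f["rule"])
    return [p for p, rules in by_parent.items()
            if {"ownership_seizure", "broad_grant"} <= rules]


CRASH_BAT = r'"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\Desktop\crash.bat"'

# Constructed sample: the two report lines plus three invented rows.
SAMPLE_EVENTS = [
    ProcEvent(5272, r"C:\Windows\system32\takeown.exe",
              r"takeown /f c:\windows\system32\drivers\*", CRASH_BAT),
    ProcEvent(5288, r"C:\Windows\system32\icacls.exe",
              r"icacls c:\windows\system32\drivers\* /grant everyone:(f)", CRASH_BAT),
    # benign: a user widening a folder inside their own profile
    ProcEvent(6010, r"C:\Windows\system32\icacls.exe",
              r'icacls "C:\Users\Admin\Documents\share" /grant "Authenticated Users":(OI)(CI)RX',
              r'"C:\Windows\System32\cmd.exe"'),
    # benign: Administrators is not a broad principal, even under Program Files
    ProcEvent(6022, r"C:\Windows\system32\icacls.exe",
              r'icacls "C:\Program Files\Oracle\VirtualBox" /grant Administrators:(F) /T',
              r'"C:\Windows\System32\cmd.exe"'),
    # evasion: same intent as crash.bat, spelled with the SID and /grant:r
    ProcEvent(6040, r"C:\Windows\system32\icacls.exe",
              r"icacls C:\Windows\System32\drivers /grant:r *S-1-1-0:(OI)(CI)F /T /C",
              r"powershell.exe -nop -w hidden"),
]

if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(finding)
    print("chains:", chains(detect(SAMPLE_EVENTS)))
```

Run it directly to print the findings. An icacls hit on its own is ambiguous (installers legitimately adjust ACLs under Program Files, as the Administrators:(F) row shows), which is why the rule keys on broad principals with write-level rights and why chains() only fires when takeown and icacls both land under the same parent; tune PROTECTED_PREFIXES and BROAD_PRINCIPALS to the environment.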

Network

Country Destination (IP:port) Domain Proto
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 www.virtualbox.org udp
GB 104.103.255.213:443 www.virtualbox.org tcp
US 8.8.8.8:53 213.255.103.104.in-addr.arpa udp
US 8.8.8.8:53 69.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 227.66.18.2.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
N/A 224.0.0.251:5353 - udp
US 8.8.8.8:53 download.virtualbox.org udp
GB 95.100.244.78:443 download.virtualbox.org tcp
GB 95.100.244.78:443 download.virtualbox.org tcp
US 8.8.8.8:53 78.244.100.95.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 192.142.123.92.in-addr.arpa udp
US 8.8.8.8:53 57.110.18.2.in-addr.arpa udp
US 8.8.8.8:53 81.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 74.19.199.152.in-addr.arpa udp
US 8.8.8.8:53 3.c.d.b.9.4.0.c.1.1.7.2.e.6.9.4.0.0.0.0.0.0.0.0.0.0.0.0.0.8.e.f.ip6.arpa udp
N/A 255.255.255.255:67 - udp
N/A 224.0.0.251:5353 - udp
US 8.8.8.8:53 1.56.168.192.in-addr.arpa udp
US 8.8.8.8:53 255.56.168.192.in-addr.arpa udp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
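
Most rows in the Network table are PTR queries sent to 8.8.8.8, shown in their reversed in-addr.arpa / ip6.arpa form. Decoding them tells you which of the contacted addresses Windows resolved in reverse and which reverse lookups have no matching connection in the capture. The Python below is an added example for this page, not part of the report: ptr_to_ip() turns the labels back into an address (including the 32-nibble ip6.arpa form), and summarize() splits the rows into forward lookups, reverse lookups confirmed by a direct connection, reverse lookups for addresses never seen contacted, and reverse lookups for private or link-local addresses. SAMPLE_ROWS is a subset of the rows from the table above; the parser accepts rows whose Domain column is absent as well as rows carrying a "-" placeholder there.

```python
"""Decode reverse-lookup names from the sandbox's Network table and cross-check
them against the destinations it recorded.  Added example for this page, not
part of the report."""
import ipaddress


def ptr_to_ip(name):
    """Map a PTR query name (in-addr.arpa / ip6.arpa) back to the address it
    asks about.  Returns None for forward names such as www.virtualbox.org."""
    labels = name.lower().rstrip(".").split(".")
    if labels[-2:] == ["in-addr", "arpa"] and len(labels) == 6:
        return ipaddress.ip_address(".".join(labels[3::-1]))      # octets are reversed
    if labels[-2:] == ["ip6", "arpa"] and len(labels) == 34:
        nibbles = "".join(labels[31::-1])                          # 32 nibbles, reversed
        return ipaddress.ip_address(":".join(nibbles[i:i + 4] for i in range(0, 32, 4)))
    return None


def parse_row(line):
    """Row layout is 'Country Destination Domain Proto'.  Domain is missing (or '-')
    on the broadcast/multicast rows, so a row has either three or four fields."""
    parts = line.split()
    domain = parts[2] if len(parts) == 4 and parts[2] != "-" else None
    ip, _, port = parts[1].rpartition(":")
    return {"country": parts[0], "ip": ip, "port": int(port),
            "domain": domain, "proto": parts[-1]}


def summarize(lines):
    rows = [parse_row(l) for l in lines if l.strip()]
    reverse, forward = {}, set()              # PTR name -> address ; plain names
    for r in rows:
        if not r["domain"]:
            continue
        ip = ptr_to_ip(r["domain"])
        if ip is None:
            forward.add(r["domain"])
        else:
            reverse[r["domain"]] = ip
    contacted = {}                            # destination ip -> label, resolver excluded
    for r in rows:
        if r["port"] != 53:
            contacted.setdefault(r["ip"], r["domain"])

    def ordered(ips):
        return [str(ip) for ip in sorted(ips, key=lambda ip: (ip.version, ip))]

    local = [ip for ip in reverse.values() if ip.is_private or ip.is_link_local]
    public = [ip for ip in reverse.values() if ip not in local]
    return {
        "forward_lookups": sorted(forward),
        "reverse_confirmed": ordered(ip for ip in public if str(ip) in contacted),
        "reverse_unseen": ordered(ip for ip in public if str(ip) not in contacted),
        "reverse_local": ordered(local),
        "contacted": contacted,
    }


# Rows taken from the Network table above (subset).
SAMPLE_ROWS = """
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 www.virtualbox.org udp
GB 104.103.255.213:443 www.virtualbox.org tcp
US 8.8.8.8:53 213.255.103.104.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 download.virtualbox.org udp
GB 95.100.244.78:443 download.virtualbox.org tcp
US 8.8.8.8:53 78.244.100.95.in-addr.arpa udp
US 8.8.8.8:53 3.c.d.b.9.4.0.c.1.1.7.2.e.6.9.4.0.0.0.0.0.0.0.0.0.0.0.0.0.8.e.f.ip6.arpa udp
N/A 255.255.255.255:67 udp
US 8.8.8.8:53 1.56.168.192.in-addr.arpa udp
US 8.8.8.8:53 255.56.168.192.in-addr.arpa udp
""".strip().splitlines()

if __name__ == "__main__":
    for key, value in summarize(SAMPLE_ROWS).items():
        print(f"{key}: {value}")
```

On this sample the 1.56.168.192 and 255.56.168.192 lookups decode to 192.168.56.1 and 192.168.56.255, the host and broadcast addresses of VirtualBox's default host-only network (192.168.56.0/24), and the ip6.arpa name decodes to a link-local fe80:: address, so none of those three is external traffic. The 213.255.103.104, 237.197.79.204 and 78.244.100.95 names decode to the three TLS destinations in the table, while 52.191.219.104 is reverse-resolved but never contacted directly in the rows shown.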

Files

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 e765f3d75e6b0e4a7119c8b14d47d8da
SHA1 cc9f7c7826c2e1a129e7d98884926076c3714fc0
SHA256 986443556d3878258b710d9d9efbf4f25f0d764c3f83dc54217f2b12a6eccd89
SHA512 a1872a849f27da78ebe9adb9beb260cb49ed5f4ca2d403f23379112bdfcd2482446a6708188100496e45db1517cdb43aba8bb93a75e605713c3f97cd716b1079

\??\pipe\LOCAL\crashpad_2924_ASRJXYPKBKAYTQGN

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 53bc70ecb115bdbabe67620c416fe9b3
SHA1 af66ec51a13a59639eaf54d62ff3b4f092bb2fc1
SHA256 b36cad5c1f7bc7d07c7eaa2f3cad2959ddb5447d4d3adcb46eb6a99808e22771
SHA512 cad44933b94e17908c0eb8ac5feeb53d03a7720d97e7ccc8724a1ed3021a5bece09e1f9f3cec56ce0739176ebbbeb20729e650f8bca04e5060c986b75d8e4921

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 659c9c13ed2578da56be732f0b69ae83
SHA1 3f2266a857cebbe4d36e930f879ebe6ffe132167
SHA256 04ec9f27dc8fc416d334a839e435b7008422e971b96561b504c462b6884c15c7
SHA512 7515c2e4e0469ba92ba47bf07bf1b30027d7bed511f695933c3459a2b6efa51db9f355aa2a85182dda065d331ff693de933e3138ecf8281afe457f3515936e55

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 6752a1d65b201c13b62ea44016eb221f
SHA1 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA256 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA512 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 4004490630685337fbbb536f55005d52
SHA1 c8aee252fecc985225ad907da6dd832fb894a739
SHA256 a1fdcf8d527b01eaa7e2becf303c3e65152729d64990de5273e8ef95f7550952
SHA512 af1a2f5ee7e5e0277a7f0b78c7c72b67779cc484cce1d2fe6f26b7c557eab6cc24f4041548c92a61e5d85078668b5169b71836a7ec606261730af4ac30e1261e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 f66453fc4cce3015dbfc12ba99cce7cc
SHA1 47bb9d0a231f7d1bdc34eae7b2abebedace92ef4
SHA256 55477f67700ceaa4fb375fdc5eca1409bff3f2b32596a24168b7f7cf00fb4b40
SHA512 d46bb2c81f167a4b398265bf4118f4e79c4e24a0ec636ffbdaef5296ce6c367390f1eb53fdb51e1c117ea9218548f229888ef907c4468f61eb10db21df685985

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

MD5 8a58ba87ffa87ecded129e7d11562348
SHA1 1566e17630dcfb5d8c03c9007ddcb6348f94ffe3
SHA256 6f305c2f2b0d7956097063b71a210e5a210c7f5dbb61bfd0a84a6f96ba77a73a
SHA512 3638b586a92a37747d7cac129bf8cf1125174b52c70623fa8e49f8dca730df76b5e6d197b37e2f9d6edd4483c1604d8d0a234e61f3bbeaa95f8a41dc06f67ab5

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 04b0f5d65fe2adc9039d324076b53eb7
SHA1 0e6e99bf49ada4d332e5fb898febabcaf7b83c40
SHA256 534cb271d4e8b6c3c54cab25f336ed6dde04e714f8d31b39891e8fed46fc8f16
SHA512 dd380a83da211c1841fc1d29d7e27b497b33700cfce25300fa72dcf8823166d7466d75b42c8465eab87996ebf463865bd9b8b5f529c13f0d43e1d4c996d996d1

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EC9B1D0ABBD7F98B401D425828828CE_D2F6556190F7B1A25A117FFB5467EEBD

MD5 cc3569d60afaf07c47153531d11bb050
SHA1 0fa4ee1688ed4a426f281acad01333904b8f56e2
SHA256 f20c9a37f5f401c454b2a0bee7476edb0c3c1bede1bcb21a8cba509ed78d6adb
SHA512 c490752cb35fead6d30a8fc5d096a8f3b4588ff13e841e2d5b2f0d7daa277c4fffc0216faafee42826ba19324082157fca4e9aaabc6e11bc987ca6402f19088e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8EC9B1D0ABBD7F98B401D425828828CE_D2F6556190F7B1A25A117FFB5467EEBD

MD5 337196701865cfa4852f3c1d390b400d
SHA1 96629080c8d31f29e0e41f0c44740a3842556f8f
SHA256 869d30337690c657aca1daaacfc29f21ae943c05bc7cd10b0018d814d59aef6e
SHA512 e1715622f2d212755d10060487ab56de38c7ff08d3f0aface8d5413b6cf3264c303c7ffd840bea2751dfac4b88910a8d813e9eeaeb0cd4c1cd209949a5b3433a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141

MD5 469e41b26c0f1dca03a634af2e3eb946
SHA1 2814ef6d86e030973c0011548086e7e091668e79
SHA256 ffd999584e4afd9bdfc38e8773bae76e37b01899fdc956d96d2328b5f3907b24
SHA512 ddfb571b7a56b6d692215121686249261d80437142d647aabbaa67b179eec11f4a73e5e992099592cd7d92b52309bafe1e75d735e2a7a5145703a3862486278c

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141

MD5 a2ecb4ffcb5984256e37fcc7a454e2ed
SHA1 5b5cee63a26a8f93c79001d792cd1404cea6286f
SHA256 5e3d3cb8d2b905e4cb25af5f9d5d5b2d58f60a7bfb7614f06aff8b39428f8e8b
SHA512 5448fa14e83d43a1401c8e1112fd94e21ccc2949099d00417392c245fd70b662fd18f496f60e2e51d8b7352adccf5e4dc18318c316e63526453be1ec2cfcdd16

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB

MD5 8358092757b62f879cf39dc9274894ca
SHA1 e7068d70468359feb00884ba5e860b057762903e
SHA256 d72b634cd47262cf36febd296ba48f3f984f972da03116c3c0c16e94b7f5738e
SHA512 b46b91602490518f7c1e2517fc133c3a25408a635a06861753d89428c4e155ed48a216353af132e2989e4bfe6c79538cc17d669eee11cb2acd9dc6a01dc5e833

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB

MD5 ffbb1a96f1fbca223de9ad0ea0aab675
SHA1 db62eaf68b65c4f30ab85561d762ac6a906cf141
SHA256 d59922502abb4b950b979b07a4715ae819a2b0626e3c0e14ddc28642a734a8c1
SHA512 42142584b839682a5bc90b32dfdfc7576a6ab973dfea28775be969afcca6f9a93985245624b4d5ffa0b84cd8aa2be13ce5512c75374ece7e7d2f5bfc430ba066

C:\Users\Admin\AppData\Local\Temp\MSI1141.tmp

MD5 0653ce43996240dde250d557ef940bed
SHA1 da125564fadda9bea308bd7325d4664ee14c69a8
SHA256 d2fd21376c4595e60299e37cb55dceb92b531685f1a4545c6bb73681dbcad193
SHA512 27ab2bd553fa390315d360e593ca95e90f8de13d0d60326549fd5e63479143b33a0a7a49c4111e2041cfb05d5f2e9b516eaa7261acae3884094e3842a8309a6c

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 70b6634bcfb850adb391a7b655f84a38
SHA1 dbaabd600ee4d472fdedfdb920f0ef3a88553231
SHA256 98e6dbe25d792e20e312f8d04645a86e68a020f95b3ba232cb40495f1b51bb9f
SHA512 4022eba50adcc1165488ff2de21f382df0dada5be3eaabd8ec2a7b2af628578fbe5d6b15041b58a0f775e46c1b4b292a539bfb20b308c8b25e8f001ecb714a5f

C:\Windows\Installer\MSI78D9.tmp

MD5 8edc1557e9fc7f25f89ad384d01bcec4
SHA1 98e64d7f92b8254fe3f258e3238b9e0f033b5a9c
SHA256 78860e15e474cc2af7ad6e499a8971b6b8197afb8e49a1b9eaaa392e4378f3a5
SHA512 d26c9dce3c3d17583ffb5dbcd3989f93b096a7f64a37a2701a474c1bf4b8c8b1e922c352d33f24e411f1c793e1b4af11a3aec1de489087d481b1b636df2050cd

C:\Windows\Installer\MSI7CF2.tmp

MD5 418322f7be2b68e88a93a048ac75a757
SHA1 09739792ff1c30f73dacafbe503630615922b561
SHA256 ea5d4b4c7e7be1ce24a614ae1e31a58bcae6f1694dd8bfb735cf47d35a08d59b
SHA512 253f62f5ce75df3e9ac3c62e2f06f30c7c6de6280fbfc830cdd15bf29cb8ee9ed878212f6df5d0ac6a5c9be0e6259f900eccee472a890f15dd3ff1f84958aeef

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 4c3b8c568001d46e7232a4ed064e8afa
SHA1 324a8cfeae11cef564c26c3ef4dd3141206b019a
SHA256 a789be95585e639f04d6a1da5de7bb630cef326ba6001809e71536cfee3c0399
SHA512 b090860bc3e2f2ba5472cbb1442b810219eb5dc29fe6e852c2d842ad73b646256ef6c6fb36d5934b7ca49533a491945a135c0e4ba65ef7ac55a2c3ea19ca722a

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 5fcc9a7287c2181cac9c107ed9447509
SHA1 c8eca4b95b691372b5744a12eb37725128290f8b
SHA256 a8e5502beefa8657f6ccd27836420c941f18409e2be81d874bb651d5c87ea5bb
SHA512 857496dd2ce16f9255c0c7475b3a2a79ae480b90b87fdfa2d294cd3422d83eeb66d846366d2dea3405b4aec731f1cfb311a1fc7767f9434ae7b416d87b6b19a5

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 9c7c1e4359798fb65aeb96176a3428a4
SHA1 332d6ccb7ddb5918eac8822f2ecb3311df6cea86
SHA256 731fd9782abd70f3c7e4bf776ddf08fd6e664487d0a940591f70a395f3f75cd9
SHA512 dd449c1fd012b68cdd331a205c2eac40dc94ac7f8aa647c4464b65564c23912a524bc31dd064f932cd5f4101cb1246d275efd8290446a750366ad424b2db456f

C:\Windows\Installer\MSI8A15.tmp

MD5 8deb7d2f91c7392925718b3ba0aade22
SHA1 fc8e9b10c83e16eb0af1b6f10128f5c37b389682
SHA256 cb42fac1aebb6e1ac4907a38035b218b5f992d1bcd4dece11b1664a588e876e4
SHA512 37f2c132b632c8e5a336bdc773d953c7f39872b1bae2ba34fbaf7794a477fd0dcb9ff60a3ddb447fe76abd98e557bd5ee544876584adea152b0841b3e313054c

C:\Program Files\Oracle\VirtualBox\drivers\vboxsup\VBoxSup.inf

MD5 cdff988430eb1bc5b00282cf72940e73
SHA1 65ea17e6e88cc4feb17031836b501fbb0f1b1d4e
SHA256 4cd64a11a7bdf1f18cc684f3ee6c8eeae8474074bd7fbebd7fe543656bb05b41
SHA512 8e01d8ad58f679ead7b35b5128f49f32535afa52a6844e4a53b714f4df538eb372a6345489e2994921557846460ea990407a811976439f69062f176b5f11a11a

C:\Program Files\Oracle\VirtualBox\drivers\vboxsup\VBoxSup.cat

MD5 814ba3a3470df3bc9ea4db4425962dc6
SHA1 555bf96062bad5f61973af420575fecdf748f53d
SHA256 d617ca9c42fed44b6c6b3db16ace04b2545afaa2ad9cc3e4be2761da94327e12
SHA512 8ca5201a5c4645d67fbf1a6b1f8de8cb64ccb5282afdb35155f4c2bc9ec8daea2862e77b552f732800edf5538410d4611a98a6b323994c459cda77a4575eb7e7

C:\Program Files\Oracle\VirtualBox\drivers\vboxsup\VBoxSup.sys

MD5 146ccf9c24cd243b27919caeace73f74
SHA1 7df3bc16502a2dd2420f5d81e1d8acbe05c8fc7a
SHA256 95bf86954288bc187f0b034675a75a9e06ff5dc500c4a317c387c3cf22b5a628
SHA512 8e21fcef6456d27acc7811e624791ac8724d8b3345772578910848ce67c6f13855d5c5af3f057eb0f8c5c20aee4923f25ced5fcc1c309d127ff2a0b6a10a5700

C:\Program Files\Oracle\VirtualBox\drivers\USB\filter\VBoxUSBMon.inf

MD5 b0a35c2ca1180c2e4963e5be1235d93d
SHA1 862d17275c5e82430f37813c107f852af954bbdf
SHA256 ba5c69eee5390746fe9cd29a26197853d74d46b4248162c39be8f5212a9bf17d
SHA512 a8a842c3c9c10fb2c4d55589b64dd48d60a6bf5f41fd7092a2965d8f3ab7c3b8dc32822217df3f761ea77981395fa847a67bb9944ce9c718b747340db805c6bd

C:\Program Files\Oracle\VirtualBox\drivers\USB\filter\VBoxUSBMon.cat

MD5 f5cfc4cae166b9e81c89192f5e1a4d94
SHA1 868224fb61115ff0b90f68d1722423187eb14cfe
SHA256 0feed3207fb9853dd77b60bf611f26a65e3a932720d93f64bdd70082f1be955f
SHA512 712add1230397fe658b11f8f95b74a257348704315e96cb070d3f7a4e8dbe70c8d37d8add7cc151c050efe27fdc081bc6714438638d3d147605a54cb4d60fbc7

C:\Program Files\Oracle\VirtualBox\drivers\USB\filter\VBoxUSBMon.sys

MD5 d0a8b437866db80fd1661174886f56dd
SHA1 2166c3f54262cae094073a2bc3b0c86f349ca51b
SHA256 05c99ae7cf556e8e35f22c51f5e52233baf236a6dccbdb15c5611da0e20b805f
SHA512 fa3d23e39bc607ca96af92ab4e382233e2194aeec2de95af8196bb72c5304327b590c230da211521a26405ac0e1042c190f344fd34bc0878bd39ad02b255f72d

C:\Windows\System32\DriverStore\Temp\{f37cb4de-08a7-fa4f-887f-97565570a683}\VBoxUSB.cat

MD5 709158bcc41950578c9a1e36b1ba8162
SHA1 34decc49a892356ca9c81a269f23588f5075f6c0
SHA256 875a40b2b5260ce866ab9a8b09c6286310d3a3725b0d94dc6ee473b8c7d435da
SHA512 6be3d2c2d20aa58c5192183c49a0f46e04e455d3b56fd7c4f4c3c66fd960fac54885c5284d7fe27aaa8cc95931ffb02e81f4995e6199aa5010c4263fbdf97d8f

C:\Windows\System32\DriverStore\Temp\{f37cb4de-08a7-fa4f-887f-97565570a683}\VBoxUSB.inf

MD5 3155160d6548ce4433d1611ba4872451
SHA1 46b7099f85af93155de58e5b4e41e8d48937b68b
SHA256 054385912c2f74a171572e750862f2ec75ab93c59f92213b40d007ce9aecc6e6
SHA512 3b2d79b8910b939f605f5c8d7a6ece541b80347602b3dc9f066f943a67fe90ec56607d29f2fe3824ab57b5781554171e800ed8ba549e9d535e16831fd368703a

C:\Windows\System32\DriverStore\Temp\{f37cb4de-08a7-fa4f-887f-97565570a683}\VBoxUSB.sys

MD5 477569c254917d2c3e92108aee4d84b9
SHA1 49a8714c3e8fddd31c3725e39272c21b892cd681
SHA256 3eaa6ca9447f36c9f6e759244ae0ab64ef070a906809863b1a3d02725dd1c23a
SHA512 cd973c0bbca122da1a117c948969849f53788910a3a113317fc9dc6c27d9e79992117a06bd7d01be6e5faf9ce83942326d72ff3ba205ad19a6f2afdc05c25d75

C:\Program Files\Oracle\VirtualBox\VirtualBox.exe

MD5 18f815f3791e22dd44efd13353d90e53
SHA1 88ea52f11dd1913a113616c5b8511d300f9370fb
SHA256 47388354db1a6378040e5543e54f28398e78f2fdbfdb202620801a7f4d21c8ed
SHA512 0108d2b1282c5363b024924aa1116d32d68118c9f85e9d6df79bc1561790e437c8826a28caae4268536435dc684db83aed2bcaaadbf6ed180a5c296a2ad718ec

C:\Windows\System32\DriverStore\Temp\{12f8d538-2030-f84f-a11e-292dbd3243ac}\VBoxNetAdp6.inf

MD5 6b3fa213490c6f16d205e88f1291d996
SHA1 ec49d2336dccab27b42a53a96f7d2618e4c0101f
SHA256 bfdeea0ff03a48b192de9b9c4dbf59deeddf09b13399d3a860249b06c85615b3
SHA512 e8a9f55aedc46636f39ba892d275b73a959d507ded6890cb29f83479e8785c852812aec44e5f7bb4db6a9e7a70a346233d5690c2350f342250df6f716d4fc254

C:\Windows\System32\DriverStore\Temp\{12f8d538-2030-f84f-a11e-292dbd3243ac}\VBoxNetAdp6.cat

MD5 ec7d0a49c44f4a60efb1a1c1dbda8636
SHA1 c93ca5789141bd7063ac9db0df4ce22e737f4648
SHA256 d1d1a377777a0b6cf6bed09b235b45e2bd5ea1d5c86efdf25843aae5ed4a1d84
SHA512 d92babbf0f3bc0fbc08acfa6de38b28124f7bb74d718b711eb160100f4636fae37d27c2d0ae69b8313e40795ae36c73c3f662ef65b7f4a7bb0ff9d70f8540171

C:\Windows\System32\DriverStore\Temp\{12f8d538-2030-f84f-a11e-292dbd3243ac}\VBoxNetAdp6.sys

MD5 5a42fd4fe07b75cc841af29626e04e1d
SHA1 ca3505352788a21960c8213f91078c0b07e777c7
SHA256 416f1c2ce6467d0d596522b8d155e08aacf210f7c2f37d6c1c0694ae1cef4ae3
SHA512 d9d4a9102b36658dac78b3dbfcff4a1811ad6441c2cec422dae201716ca7630ed918d76417482c79d54d9bf3dcfcaba5e5d4b3a5d3b0c425da2f40b035d09f07

C:\Windows\System32\catroot2\dberr.txt

MD5 f24f52000426eed01c155c363483020b
SHA1 8d72338b44bd20ab5aa476c23c9d8236e3261a65
SHA256 700e75d9c8d6666507147ffe63b4aa94e684189c606ed6ede1117244b9416184
SHA512 b4bf1d64ac64fd22d64ececa9f66bfffd382be8d20ef4adf44e89603977bb9b22584bb4f5da9d725209c1e939402c8e2901602c60293bc3cd6714a4de6f39fc4

C:\Windows\System32\DriverStore\Temp\{0aa98a98-0aa3-8146-a5e9-978be9e4cd9e}\VBoxNetLwf.cat

MD5 8efe8e5827cd8c5c9b07be9df8b6eb91
SHA1 0f682438473d6e87b7661e8cfb1a1b2980806f05
SHA256 aa7d8309c69f26d33ec92e4c2b68ffc7baf2a9d4009267346abe591027f4bec5
SHA512 6e4741ea43e9e6e2ba526d7883867d63e06705bb37cb889b9670d43485a3a92b28a15a795e9af01d8799ff28390f795a401ba621de819a0f40d215cfb4e44f40

C:\Windows\System32\DriverStore\Temp\{0aa98a98-0aa3-8146-a5e9-978be9e4cd9e}\VBoxNetLwf.inf

MD5 58aa41a4df0b4d9e77a576d1306bef77
SHA1 ecf3d90629d021e18399728848dd7ccedc54f1e9
SHA256 2d479ead5715faa9b1de5e873a377373add4f151942c9881fc1da607f773f723
SHA512 7624e3d7947c39a872f10d4493780181a24111f9bfe5395fdb3f9cfe13e62c5b46d0d4c24198f392f07cd74e0012b0b19fcf78d787d9192d4f10a5e325c274b8

C:\Windows\System32\DriverStore\Temp\{0aa98a98-0aa3-8146-a5e9-978be9e4cd9e}\VBoxNetLwf.sys

MD5 db91352985fdf76c4d8d7bf22d75d323
SHA1 600cc772fca941ec03e83823d2401b7085afc6ac
SHA256 9f9c839e8883ae1f5104a26262374dfa5ecc24590bb57275f0493ad9b226f45f
SHA512 9a0cd545d3018e9d350194e2debcb7ed159b60fc6ca033e607dd1eaacd2e7ee3c4776f4fb7f27af0d1118c8fb8a29a82df16a860abf4105d1f61d8efa8ffb933

C:\Config.Msi\e586f31.rbs

MD5 4250a4ddd2b0658654d9d1f42283e50c
SHA1 4c5d20286cca4bb7b706bbc063f32bc97ebe02da
SHA256 2d7b919077bc3e08f1d3c2f6638e7889fcf91f2fcb9b59106153bae7ab25762e
SHA512 ea5fc3074141c3fbb2e29df92687dec7fd2203baff75fe5873d6ca13780ee33b7d5ba1c731ed4a4da9b65ede04f73b6f4bcdfa6a706026328aa8fbb2d3acc186

memory/2900-784-0x00007FF7D9280000-0x00007FF7D9504000-memory.dmp

memory/2900-783-0x00007FFE04190000-0x00007FFE046D1000-memory.dmp

memory/2900-786-0x00007FF7D9280000-0x00007FF7D9504000-memory.dmp

memory/2900-782-0x00007FFDF9900000-0x00007FFDFB4DE000-memory.dmp

memory/2900-785-0x00007FFDF9900000-0x00007FFDFB4DE000-memory.dmp

C:\Users\Admin\.VirtualBox\VirtualBox.xml

MD5 d9d28bd2ef7192fb0efb99607d7a0807
SHA1 7fb6f32f1c0f227118613dd7779e1bf0a6e2ce4a
SHA256 dad710b076d96b3de34a58363a3241935bfe205b7240ce57f9d85bf2058e6dd5
SHA512 e058987d5fd8ea6cd3c3081c7ac45ce1e3719c4a38b46390133b19539fad35a0d8ad699023a3d934d18e3356cb6def62bd197b5a32ad496b620469c55d9efb13

memory/6092-837-0x00007FF6B5FC0000-0x00007FF6B60D4000-memory.dmp

memory/5784-838-0x00007FF6B5FC0000-0x00007FF6B60D4000-memory.dmp

memory/5784-839-0x00007FF6B5FC0000-0x00007FF6B60D4000-memory.dmp

memory/6092-841-0x00007FFE067D0000-0x00007FFE06917000-memory.dmp

memory/6092-840-0x00007FFE04190000-0x00007FFE046D1000-memory.dmp

memory/6092-842-0x00007FFDF9900000-0x00007FFDFB4DE000-memory.dmp

memory/6092-844-0x00007FFE067D0000-0x00007FFE06917000-memory.dmp

memory/6092-843-0x00007FFDF9900000-0x00007FFDFB4DE000-memory.dmp

memory/6092-847-0x00007FF6B5FC0000-0x00007FF6B60D4000-memory.dmp

memory/5012-848-0x00007FF6286E0000-0x00007FF6287F4000-memory.dmp

memory/2212-849-0x00007FF6286E0000-0x00007FF6287F4000-memory.dmp

memory/2212-850-0x00007FF6286E0000-0x00007FF6287F4000-memory.dmp

memory/5012-851-0x00007FF6286E0000-0x00007FF6287F4000-memory.dmp