Malware Analysis Report

2025-05-06 00:30

Sample ID 241109-z84zzsvqbr
Target VirtualBox-7.1.4-165100-Win.exe
SHA256 f970e275f59eeeb129aab88a78dae80784370742b5051650a7926c9ea64afeac
Tags
discovery persistence privilege_escalation
score
8/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
8/10

SHA256

f970e275f59eeeb129aab88a78dae80784370742b5051650a7926c9ea64afeac

Threat Level: Likely malicious

The file VirtualBox-7.1.4-165100-Win.exe was found to be: Likely malicious.

Malicious Activity Summary

discovery persistence privilege_escalation

Drops file in Drivers directory

Enumerates connected drives

Drops file in System32 directory

Event Triggered Execution: Component Object Model Hijacking

Drops file in Program Files directory

Loads dropped DLL

Executes dropped EXE

Drops file in Windows directory

System Location Discovery: System Language Discovery

Suspicious behavior: GetForegroundWindowSpam

Uses Volume Shadow Copy service COM API

Suspicious use of FindShellTrayWindow

Checks SCSI registry key(s)

Modifies data under HKEY_USERS

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious behavior: AddClipboardFormatListener

Modifies registry class

Suspicious behavior: LoadsDriver

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-09 21:24

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-09 21:24

Reported

2024-11-09 21:25

Platform

win11-20241007-en

Max time kernel

49s

Max time network

56s

Command Line

"C:\Users\Admin\AppData\Local\Temp\VirtualBox-7.1.4-165100-Win.exe"

Signatures

Drops file in Drivers directory

Description Indicator Process Target
File opened for modification C:\Windows\system32\DRIVERS\VBoxSup.sys C:\Windows\System32\MsiExec.exe N/A
File created C:\Windows\system32\DRIVERS\SET128A.tmp C:\Windows\System32\MsiExec.exe N/A
File opened for modification C:\Windows\system32\DRIVERS\VBoxUSBMon.sys C:\Windows\System32\MsiExec.exe N/A
File opened for modification C:\Windows\system32\DRIVERS\SET2596.tmp C:\Windows\System32\MsiExec.exe N/A
File opened for modification C:\Windows\system32\DRIVERS\SET26C0.tmp C:\Windows\System32\MsiExec.exe N/A
File opened for modification C:\Windows\system32\DRIVERS\VBoxNetAdp6.sys C:\Windows\System32\MsiExec.exe N/A
File opened for modification C:\Windows\system32\DRIVERS\SET11AE.tmp C:\Windows\System32\MsiExec.exe N/A
File created C:\Windows\system32\DRIVERS\SET11AE.tmp C:\Windows\System32\MsiExec.exe N/A
File opened for modification C:\Windows\system32\DRIVERS\VBoxNetLwf.sys C:\Windows\System32\MsiExec.exe N/A
File created C:\Windows\system32\DRIVERS\SET26C0.tmp C:\Windows\System32\MsiExec.exe N/A
File opened for modification C:\Windows\system32\DRIVERS\SET128A.tmp C:\Windows\System32\MsiExec.exe N/A
File created C:\Windows\system32\DRIVERS\SET2596.tmp C:\Windows\System32\MsiExec.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\VirtualBox-7.1.4-165100-Win.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\VirtualBox-7.1.4-165100-Win.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\VirtualBox-7.1.4-165100-Win.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\VirtualBox-7.1.4-165100-Win.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\VirtualBox-7.1.4-165100-Win.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\VirtualBox-7.1.4-165100-Win.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\VirtualBox-7.1.4-165100-Win.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\VirtualBox-7.1.4-165100-Win.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\VirtualBox-7.1.4-165100-Win.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\VirtualBox-7.1.4-165100-Win.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\VirtualBox-7.1.4-165100-Win.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\VirtualBox-7.1.4-165100-Win.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\VirtualBox-7.1.4-165100-Win.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\VirtualBox-7.1.4-165100-Win.exe N/A
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\VirtualBox-7.1.4-165100-Win.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\VirtualBox-7.1.4-165100-Win.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\VirtualBox-7.1.4-165100-Win.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\VirtualBox-7.1.4-165100-Win.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\VirtualBox-7.1.4-165100-Win.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\VirtualBox-7.1.4-165100-Win.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\VirtualBox-7.1.4-165100-Win.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\VirtualBox-7.1.4-165100-Win.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\VirtualBox-7.1.4-165100-Win.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\System32\CatRoot2\dberr.txt C:\Windows\system32\DrvInst.exe N/A
File created C:\Windows\System32\DriverStore\Temp\{6dbcbf9e-a2cb-e449-bcf8-fa044ff177b1}\SET2363.tmp C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\DriverStore\Temp\{6dbcbf9e-a2cb-e449-bcf8-fa044ff177b1}\SET2364.tmp C:\Windows\system32\DrvInst.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\netrass.inf_amd64_72f156a5ee3f59e8\netrass.PNF C:\Windows\System32\MsiExec.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\vboxnetlwf.inf_amd64_f7173b8d2ae4b6e5\vboxnetlwf.PNF C:\Windows\System32\MsiExec.exe N/A
File created C:\Windows\system32\DRVSTORE\VBoxSup_D519A98E5BCE10A4DEC8F29865E90007390D666E\VBoxSup.sys C:\Windows\System32\MsiExec.exe N/A
File created C:\Windows\System32\DriverStore\Temp\{6dbcbf9e-a2cb-e449-bcf8-fa044ff177b1}\SET2362.tmp C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\DriverStore\Temp\{432df94d-5e32-4740-b8e0-0c66a306f9c8}\SET2640.tmp C:\Windows\system32\DrvInst.exe N/A
File created C:\Windows\system32\DRVSTORE\VBoxSup_D519A98E5BCE10A4DEC8F29865E90007390D666E\VBoxSup.inf C:\Windows\System32\MsiExec.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\netnwifi.inf_amd64_0525128a3d54207e\netnwifi.PNF C:\Windows\System32\MsiExec.exe N/A
File opened for modification C:\Windows\System32\DriverStore\Temp\{432df94d-5e32-4740-b8e0-0c66a306f9c8}\SET2642.tmp C:\Windows\system32\DrvInst.exe N/A
File created C:\Windows\system32\config\systemprofile\AppData\Roaming\VirtualBox\VBoxSDS.log C:\Program Files\Oracle\VirtualBox\VBoxSDS.exe N/A
File opened for modification C:\Windows\system32\DRVSTORE C:\Windows\System32\MsiExec.exe N/A
File opened for modification C:\Windows\System32\DriverStore\Temp\{7f6cf4f2-d3fa-664b-84ec-56ac71742c3a}\VBoxUSB.inf C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\DriverStore\Temp\{7f6cf4f2-d3fa-664b-84ec-56ac71742c3a}\SET1375.tmp C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\DriverStore\Temp\{6dbcbf9e-a2cb-e449-bcf8-fa044ff177b1}\VBoxNetLwf.sys C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\vboxnetlwf.inf_amd64_f7173b8d2ae4b6e5\VBoxNetLwf.cat C:\Windows\system32\DrvInst.exe N/A
File created C:\Windows\System32\DriverStore\Temp\{432df94d-5e32-4740-b8e0-0c66a306f9c8}\SET2641.tmp C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\system32\DRVSTORE\VBoxSup_D519A98E5BCE10A4DEC8F29865E90007390D666E\VBoxSup.inf C:\Windows\System32\MsiExec.exe N/A
File created C:\Windows\System32\DriverStore\Temp\{7f6cf4f2-d3fa-664b-84ec-56ac71742c3a}\SET1364.tmp C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\vboxnetlwf.inf_amd64_f7173b8d2ae4b6e5\VBoxNetLwf.sys C:\Windows\system32\DrvInst.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\ndiscap.inf_amd64_d34968d7b3e6da21\ndiscap.PNF C:\Windows\System32\MsiExec.exe N/A
File created C:\Windows\System32\DriverStore\Temp\{432df94d-5e32-4740-b8e0-0c66a306f9c8}\SET2642.tmp C:\Windows\system32\DrvInst.exe N/A
File created C:\Windows\system32\DRVSTORE\VBoxSup_D519A98E5BCE10A4DEC8F29865E90007390D666E\VBoxSup.cat C:\Windows\System32\MsiExec.exe N/A
File opened for modification C:\Windows\System32\DriverStore\Temp\{6dbcbf9e-a2cb-e449-bcf8-fa044ff177b1}\VBoxNetLwf.inf C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\DriverStore\Temp\{7f6cf4f2-d3fa-664b-84ec-56ac71742c3a}\SET1364.tmp C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\DriverStore\Temp\{432df94d-5e32-4740-b8e0-0c66a306f9c8}\VBoxNetAdp6.cat C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\DriverStore\Temp\{6dbcbf9e-a2cb-e449-bcf8-fa044ff177b1}\SET2362.tmp C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\vboxnetlwf.inf_amd64_f7173b8d2ae4b6e5\VBoxNetLwf.inf C:\Windows\system32\DrvInst.exe N/A
File created C:\Windows\System32\DriverStore\Temp\{432df94d-5e32-4740-b8e0-0c66a306f9c8}\SET2640.tmp C:\Windows\system32\DrvInst.exe N/A
File created C:\Windows\system32\DRVSTORE\VBoxUSBMon_FDFEDCBA20DA40D999DC2639739FEF88B396CA38\VBoxUSBMon.inf C:\Windows\System32\MsiExec.exe N/A
File created C:\Windows\system32\DRVSTORE\VBoxUSBMon_FDFEDCBA20DA40D999DC2639739FEF88B396CA38\VBoxUSBMon.sys C:\Windows\System32\MsiExec.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\netvwififlt.inf_amd64_882899f2b1006416\netvwififlt.PNF C:\Windows\System32\MsiExec.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\c_netservice.inf_amd64_bc519c177a90877a\c_netservice.PNF C:\Windows\System32\MsiExec.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\netnb.inf_amd64_10acfa4b924dd181\netnb.PNF C:\Windows\System32\MsiExec.exe N/A
File opened for modification C:\Windows\System32\DriverStore\Temp\{432df94d-5e32-4740-b8e0-0c66a306f9c8}\SET2641.tmp C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\DriverStore\Temp\{7f6cf4f2-d3fa-664b-84ec-56ac71742c3a} C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\DriverStore\Temp\{6dbcbf9e-a2cb-e449-bcf8-fa044ff177b1}\SET2363.tmp C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\DriverStore\Temp\{432df94d-5e32-4740-b8e0-0c66a306f9c8}\VBoxNetAdp6.sys C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\vboxnetadp6.inf_amd64_e4681b06b50d140c\VBoxNetAdp6.inf C:\Windows\system32\DrvInst.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\netserv.inf_amd64_56c163d21e8c2b62\netserv.PNF C:\Windows\System32\MsiExec.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\wfpcapture.inf_amd64_54cf91ab0e4c9ac2\wfpcapture.PNF C:\Windows\System32\MsiExec.exe N/A
File created C:\Windows\System32\DriverStore\drvstore.tmp C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\CatRoot2\dberr.txt C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\DriverStore\Temp\{432df94d-5e32-4740-b8e0-0c66a306f9c8} C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\CatRoot2\dberr.txt C:\Windows\system32\DrvInst.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\vboxusb.inf_amd64_05244e62af87a9ac\VBoxUSB.PNF C:\Windows\System32\MsiExec.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\vboxusb.inf_amd64_05244e62af87a9ac\VBoxUSB.sys C:\Windows\system32\DrvInst.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\netpacer.inf_amd64_8074ac14f1ab2957\netpacer.PNF C:\Windows\System32\MsiExec.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\vboxnetadp6.inf_amd64_e4681b06b50d140c\VBoxNetAdp6.sys C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\DriverStore\Temp\{7f6cf4f2-d3fa-664b-84ec-56ac71742c3a}\SET1374.tmp C:\Windows\system32\DrvInst.exe N/A
File created C:\Windows\System32\DriverStore\Temp\{7f6cf4f2-d3fa-664b-84ec-56ac71742c3a}\SET1375.tmp C:\Windows\system32\DrvInst.exe N/A
File created C:\Windows\System32\DriverStore\Temp\{7f6cf4f2-d3fa-664b-84ec-56ac71742c3a}\SET1374.tmp C:\Windows\system32\DrvInst.exe N/A
File created C:\Windows\System32\DriverStore\drvstore.tmp C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\DriverStore\Temp\{6dbcbf9e-a2cb-e449-bcf8-fa044ff177b1} C:\Windows\system32\DrvInst.exe N/A
File created C:\Windows\system32\DRVSTORE\VBoxUSBMon_FDFEDCBA20DA40D999DC2639739FEF88B396CA38\VBoxUSBMon.cat C:\Windows\System32\MsiExec.exe N/A
File opened for modification C:\Windows\System32\DriverStore\Temp\{7f6cf4f2-d3fa-664b-84ec-56ac71742c3a}\VBoxUSB.cat C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\vboxusb.inf_amd64_05244e62af87a9ac\VBoxUSB.inf C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\vboxusb.inf_amd64_05244e62af87a9ac\VBoxUSB.cat C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\vboxnetadp6.inf_amd64_e4681b06b50d140c\VBoxNetAdp6.cat C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\CatRoot2\dberr.txt C:\Windows\System32\MsiExec.exe N/A
File opened for modification C:\Windows\System32\DriverStore\Temp\{7f6cf4f2-d3fa-664b-84ec-56ac71742c3a}\VBoxUSB.sys C:\Windows\system32\DrvInst.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\netbrdg.inf_amd64_3debe5e78bab1bca\netbrdg.PNF C:\Windows\System32\MsiExec.exe N/A
File opened for modification C:\Windows\System32\DriverStore\Temp\{432df94d-5e32-4740-b8e0-0c66a306f9c8}\VBoxNetAdp6.inf C:\Windows\system32\DrvInst.exe N/A

Event Triggered Execution: Component Object Model Hijacking

persistence privilege_escalation

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Oracle\VirtualBox\VirtualBox_150px.png C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Oracle\VirtualBox\drivers\vboxsup\VBoxSup.cat C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Oracle\VirtualBox\nls\VirtualBox_hu.qm C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Oracle\VirtualBox\UnattendedTemplates\ol8_ks.cfg C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Oracle\VirtualBox\nls\qt_ru.qm C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Oracle\VirtualBox\UnattendedTemplates\redhat67_ks.cfg C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Oracle\VirtualBox\VBoxHeadless.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Oracle\VirtualBox\VBoxNetDHCP.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Oracle\VirtualBox\drivers\vboxsup\VBoxSup.inf C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Oracle\VirtualBox\nls\qt_fr.qm C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Oracle\VirtualBox\nls\VirtualBox_es.qm C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Oracle\VirtualBox\nls\VirtualBox_sk.qm C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Oracle\VirtualBox\nls\qt_tr.qm C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Oracle\VirtualBox\UnattendedTemplates\redhat_postinstall.sh C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Oracle\VirtualBox\nls\qt_lt.qm C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Oracle\VirtualBox\drivers\USB\device\VBoxUSB.cat C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Oracle\VirtualBox\VBoxSVC.exe C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Oracle\VirtualBox\nls\VirtualBox_id.qm C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Oracle\VirtualBox\nls\VirtualBox_sl.qm C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Oracle\VirtualBox\nls\qt_ko.qm C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Oracle\VirtualBox\sdk\installer\python\vboxapisetup.py C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Oracle\VirtualBox\VBoxCAPI.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Oracle\VirtualBox\VBoxDD2.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Oracle\VirtualBox\VBoxNetNAT.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Oracle\VirtualBox\UnattendedTemplates\win_nt5_unattended.sif C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Oracle\VirtualBox\drivers\network\netlwf\VBoxNetLwf.cat C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Oracle\VirtualBox\DbgPlugInDiggers.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Oracle\VirtualBox\drivers\vboxsup\VBoxSup.sys C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Oracle\VirtualBox\nls\qt_cs.qm C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Oracle\VirtualBox\UnattendedTemplates\ol9_ks.cfg C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Oracle\VirtualBox\Qt6SqlVBox.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Oracle\VirtualBox\VBoxSharedFolders.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Oracle\VirtualBox\VirtualBox.exe C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Oracle\VirtualBox\nls\qt_de.qm C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Oracle\VirtualBox\VBoxProxyStub.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Oracle\VirtualBox\VBoxRT.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Oracle\VirtualBox\sqldrivers\qsqliteVBox.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Oracle\VirtualBox\drivers\USB\filter\VBoxUSBMon.inf C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Oracle\VirtualBox\VBoxNetDHCP.exe C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Oracle\VirtualBox\nls\VirtualBox_ca.qm C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Oracle\VirtualBox\nls\VirtualBox_lt.qm C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Oracle\VirtualBox\nls\qt_en.qm C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Oracle\VirtualBox\x86\VBoxCAPI-x86.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Oracle\VirtualBox\Qt6StateMachineVBox.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Oracle\VirtualBox\VBoxBugReport.exe C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Oracle\VirtualBox\VBoxVMM.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Oracle\VirtualBox\nls\VirtualBox_bg.qm C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Oracle\VirtualBox\drivers\network\netadp6\VBoxNetAdp6.sys C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Oracle\VirtualBox\UserManual.qch C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Oracle\VirtualBox\VBoxAuthSimple.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Oracle\VirtualBox\VBoxGuestControlSvc.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Oracle\VirtualBox\nls\VirtualBox_en.qm C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Oracle\VirtualBox\VBoxDDR0.r0 C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Oracle\VirtualBox\VirtualBoxVM.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Oracle\VirtualBox\UnattendedTemplates\rhel3_ks.cfg C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Oracle\VirtualBox\UserManual.qhc C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Oracle\VirtualBox\VBoxWebSrv.exe C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Oracle\VirtualBox\VBoxSharedClipboard.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Oracle\VirtualBox\nls\VirtualBox_eu.qm C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Oracle\VirtualBox\UnattendedTemplates\lgw_ks.cfg C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Oracle\VirtualBox\drivers\network\netlwf\VBoxNetLwf.sys C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Oracle\VirtualBox\nls\qt_da.qm C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Oracle\VirtualBox\nls\qt_fa.qm C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Oracle\VirtualBox\UnattendedTemplates\lgw_postinstall.sh C:\Windows\system32\msiexec.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\inf\oem5.inf C:\Windows\system32\DrvInst.exe N/A
File created C:\Windows\inf\oem5.inf C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\Installer\MSI2AD4.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\inf\oem3.inf C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\Installer\MSI2208.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\INF\oem2.PNF C:\Windows\System32\MsiExec.exe N/A
File opened for modification C:\Windows\Installer\MSI263F.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI5FC.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI66B.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI1275.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\INF\setupapi.dev.log C:\Windows\System32\MsiExec.exe N/A
File opened for modification C:\Windows\Installer\MSI2AE5.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\SystemTemp\~DFAEC6D5C52D1CDC46.TMP C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI3D5.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI3E7.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIB00.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\inf\oem4.inf C:\Windows\system32\DrvInst.exe N/A
File created C:\Windows\inf\oem4.inf C:\Windows\system32\DrvInst.exe N/A
File created C:\Windows\Installer\{B7EE9AB2-4188-4B5F-8499-43114E7AD7DA}\IconVirtualBox C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\e5800e7.msi C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\INF\oem1.PNF C:\Windows\System32\MsiExec.exe N/A
File opened for modification C:\Windows\Installer\{B7EE9AB2-4188-4B5F-8499-43114E7AD7DA}\IconVirtualBox C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\INF\setupapi.dev.log C:\Windows\system32\DrvInst.exe N/A
File created C:\Windows\Installer\e5800e5.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\e5800e5.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI3D6.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\SourceHash{B7EE9AB2-4188-4B5F-8499-43114E7AD7DA} C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI111C.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\inf\oem3.inf C:\Windows\system32\DrvInst.exe N/A
File created C:\Windows\INF\oem3.PNF C:\Windows\System32\MsiExec.exe N/A
File opened for modification C:\Windows\INF\setupapi.dev.log C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\Installer\MSI385.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI3C5.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\ C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\SystemTemp\~DFDE5B0D0C5388DF9E.TMP C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\INF\setupapi.dev.log C:\Windows\system32\DrvInst.exe N/A
File created C:\Windows\Installer\inprogressinstallinfo.ipi C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\SystemTemp\~DFC86CC7CE32703A3C.TMP C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIB2F.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\INF\oem0.PNF C:\Windows\System32\MsiExec.exe N/A
File created C:\Windows\SystemTemp\~DFB45172B67C19A507.TMP C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI436.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI12D4.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\INF\setupapi.dev.log C:\Windows\system32\svchost.exe N/A
File opened for modification C:\Windows\Installer\MSI21C9.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\INF\oem4.PNF C:\Windows\System32\MsiExec.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\System32\MsiExec.exe N/A
N/A N/A C:\Windows\System32\MsiExec.exe N/A
N/A N/A C:\Windows\System32\MsiExec.exe N/A
N/A N/A C:\Windows\System32\MsiExec.exe N/A
N/A N/A C:\Windows\System32\MsiExec.exe N/A
N/A N/A C:\Windows\System32\MsiExec.exe N/A
N/A N/A C:\Windows\System32\MsiExec.exe N/A
N/A N/A C:\Windows\System32\MsiExec.exe N/A
N/A N/A C:\Windows\System32\MsiExec.exe N/A
N/A N/A C:\Windows\System32\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\System32\MsiExec.exe N/A
N/A N/A C:\Windows\System32\MsiExec.exe N/A
N/A N/A C:\Windows\System32\MsiExec.exe N/A
N/A N/A C:\Windows\System32\MsiExec.exe N/A
N/A N/A C:\Windows\System32\MsiExec.exe N/A
N/A N/A C:\Windows\System32\MsiExec.exe N/A
N/A N/A C:\Windows\System32\MsiExec.exe N/A
N/A N/A C:\Windows\System32\MsiExec.exe N/A
N/A N/A C:\Windows\System32\MsiExec.exe N/A
N/A N/A C:\Windows\System32\MsiExec.exe N/A
N/A N/A C:\Windows\System32\MsiExec.exe N/A
N/A N/A C:\Windows\System32\MsiExec.exe N/A
N/A N/A C:\Program Files\Oracle\VirtualBox\VirtualBox.exe N/A
N/A N/A C:\Program Files\Oracle\VirtualBox\VirtualBox.exe N/A
N/A N/A C:\Program Files\Oracle\VirtualBox\VirtualBox.exe N/A
N/A N/A C:\Program Files\Oracle\VirtualBox\VirtualBox.exe N/A
N/A N/A C:\Program Files\Oracle\VirtualBox\VirtualBox.exe N/A
N/A N/A C:\Program Files\Oracle\VirtualBox\VirtualBox.exe N/A
N/A N/A C:\Program Files\Oracle\VirtualBox\VirtualBox.exe N/A
N/A N/A C:\Program Files\Oracle\VirtualBox\VirtualBox.exe N/A
N/A N/A C:\Program Files\Oracle\VirtualBox\VirtualBox.exe N/A
N/A N/A C:\Program Files\Oracle\VirtualBox\VirtualBox.exe N/A
N/A N/A C:\Program Files\Oracle\VirtualBox\VirtualBox.exe N/A
N/A N/A C:\Program Files\Oracle\VirtualBox\VirtualBox.exe N/A
N/A N/A C:\Program Files\Oracle\VirtualBox\VirtualBox.exe N/A
N/A N/A C:\Program Files\Oracle\VirtualBox\VBoxSVC.exe N/A
N/A N/A C:\Program Files\Oracle\VirtualBox\VBoxSVC.exe N/A
N/A N/A C:\Program Files\Oracle\VirtualBox\VBoxSDS.exe N/A
N/A N/A C:\Program Files\Oracle\VirtualBox\VBoxSDS.exe N/A
N/A N/A C:\Program Files\Oracle\VirtualBox\VBoxSVC.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\VirtualBox-7.1.4-165100-Win.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\syswow64\MsiExec.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\syswow64\MsiExec.exe N/A

Checks SCSI registry key(s)

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\CompatibleIDs C:\Windows\system32\DrvInst.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Filters C:\Windows\System32\MsiExec.exe N/A
Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 000000000400000097e32746e391c5270000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff00000000270101000008000097e327460000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff00000000070001000068090097e32746000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1d97e32746000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff00000000000000000000000097e3274600000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 C:\Windows\system32\vssvc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 C:\Windows\System32\MsiExec.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\UpperFilters C:\Windows\System32\MsiExec.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr C:\Windows\system32\vssvc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009 C:\Windows\system32\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID C:\Windows\System32\MsiExec.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID C:\Windows\system32\DrvInst.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs C:\Windows\system32\DrvInst.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters C:\Windows\system32\vssvc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001 C:\Windows\system32\DrvInst.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 C:\Windows\system32\DrvInst.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\CompatibleIDs C:\Windows\system32\DrvInst.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 C:\Windows\System32\MsiExec.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID C:\Windows\system32\DrvInst.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\LowerFilters C:\Windows\System32\MsiExec.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Filters C:\Windows\System32\MsiExec.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom C:\Windows\system32\DrvInst.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002 C:\Windows\system32\DrvInst.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom C:\Windows\System32\MsiExec.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 C:\Windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001 C:\Windows\system32\DrvInst.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags C:\Windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A C:\Windows\System32\MsiExec.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000 C:\Windows\system32\DrvInst.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Phantom C:\Windows\system32\DrvInst.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID C:\Windows\system32\DrvInst.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags C:\Windows\System32\MsiExec.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\CompatibleIDs C:\Windows\system32\DrvInst.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009 C:\Windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002 C:\Windows\system32\DrvInst.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\LowerFilters C:\Windows\System32\MsiExec.exe N/A
Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 C:\Windows\system32\vssvc.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID C:\Windows\System32\MsiExec.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID C:\Windows\system32\DrvInst.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID C:\Windows\system32\DrvInst.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\CompatibleIDs C:\Windows\system32\DrvInst.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001 C:\Windows\system32\DrvInst.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009 C:\Windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000 C:\Windows\system32\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Phantom C:\Windows\system32\DrvInst.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A\ C:\Windows\System32\MsiExec.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A\ C:\Windows\System32\MsiExec.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom C:\Windows\System32\MsiExec.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A\ C:\Windows\System32\MsiExec.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom C:\Windows\system32\DrvInst.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags C:\Windows\System32\MsiExec.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Phantom C:\Windows\system32\DrvInst.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A C:\Windows\System32\MsiExec.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Filters C:\Windows\System32\MsiExec.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001 C:\Windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009 C:\Windows\system32\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\CompatibleIDs C:\Windows\system32\DrvInst.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Phantom C:\Windows\system32\DrvInst.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\CompatibleIDs C:\Windows\system32\DrvInst.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000 C:\Windows\system32\DrvInst.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001 C:\Windows\System32\MsiExec.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID C:\Windows\System32\MsiExec.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\CompatibleIDs C:\Windows\system32\DrvInst.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 C:\Windows\system32\DrvInst.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\LowerFilters C:\Windows\System32\MsiExec.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags C:\Windows\system32\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID C:\Windows\system32\DrvInst.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\System32\MsiExec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\System32\MsiExec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Windows\System32\MsiExec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\System32\MsiExec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\System32\MsiExec.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10" C:\Windows\system32\LogonUI.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM C:\Windows\system32\LogonUI.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\system32\DrvInst.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365268" C:\Windows\system32\LogonUI.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\System32\MsiExec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\System32\MsiExec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\system32\DrvInst.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4290799360" C:\Windows\system32\LogonUI.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\System32\MsiExec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\System32\MsiExec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\System32\MsiExec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\System32\MsiExec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\System32\MsiExec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent C:\Windows\system32\LogonUI.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\System32\MsiExec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\System32\MsiExec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\system32\DrvInst.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1" C:\Windows\system32\LogonUI.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\System32\MsiExec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\System32\MsiExec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\System32\MsiExec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\system32\DrvInst.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D5ABC823-04D0-4DB6-8D66-DC2F033120E1}\NumMethods\ = "13" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Interface\{00727A73-000A-4C4A-006D-E7D300351186}\ProxyStubClsid32 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Interface\{21637B0E-34B8-42D3-ACFB-7E96DAF77C22}\ProxyStubClsid32 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Interface\{726EACA9-091E-41B4-BCA6-355EFE864107}\NumMethods C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Interface\{F9B9E1CF-CB63-47A1-84FB-02C4894B89A9}\NumMethods C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0B3CDEB2-808E-11E9-B773-133D9330F849}\ = "IGuestMonitorInfoChangedEvent" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6AC83D89-6EE7-4E33-8AE6-B257B2E81BE8}\ = "IConsole" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4A773393-7A8C-4D57-B228-9ADE4049A81F}\ = "IMouseCapabilityChangedEvent" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5BFD8965-B81B-469F-8649-F717CE97A5D5}\ProxyStubClsid32\ = "{0BB3B78C-1807-4249-5BA5-EA42D66AF0BF}" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BEA3EF5C-DE2F-4B74-AA3A-15D6249371A0}\ProxyStubClsid32\ = "{0BB3B78C-1807-4249-5BA5-EA42D66AF0BF}" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FA43579A-2272-47C4-A443-9713F19A902F}\TypeLib\Version = "1.3" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{01ADB2D6-AEDF-461C-BE2C-99E91BDAD8A1}\NumMethods\ = "47" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{392F1DE4-80E1-4A8A-93A1-67C5F92A838A}\TypeLib\ = "{D7569351-1750-46F0-936E-BD127D5BC264}" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9709DB9B-3346-49D6-8F1C-41B0C4784FF2}\TypeLib\ = "{D7569351-1750-46F0-936E-BD127D5BC264}" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Interface\{F9B9E1CF-CB63-47A1-84FB-02C4894B89A9} C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0DE887F2-B7DB-4616-AAC6-CFB94D89BA78}\NumMethods C:\Program Files\Oracle\VirtualBox\VirtualBox.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E7932CB8-F6D4-4AB6-9CBF-558EB8959A6A}\ProxyStubClsid32 C:\Program Files\Oracle\VirtualBox\VirtualBox.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{ADF292B0-92C9-4A77-9D35-E058B39FE0B9} C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Interface\{788B87DF-7708-444B-9EEF-C116CE423D39}\TypeLib C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D70F7915-DA7C-44C8-A7AC-9F173490446A}\NumMethods\ = "13" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{DD3FC71D-26C0-4FE1-BF6F-67F633265BBA}\ = "VirtualBoxClient Class" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Interface\{01ADB2D6-AEDF-461C-BE2C-99E91BDAD8A1}\TypeLib C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{101AE042-1A29-4A19-92CF-02285773F3B5}\ = "INATNetworkChangedEvent" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Interface\{C40C2B86-73A5-46CC-8227-93FE57D006A6}\TypeLib C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D5DCECE0-B202-4416-A138-03502784CC07}\TypeLib\ = "{D7569351-1750-46F0-936E-BD127D5BC264}" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8D984A7E-B855-40B8-AB0C-44D3515B4528}\ProxyStubClsid32 C:\Program Files\Oracle\VirtualBox\VirtualBox.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{50CE4B51-0FF7-46B7-A138-3C6E5AC946B4}\ProxyStubClsid32 C:\Program Files\Oracle\VirtualBox\VirtualBox.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{86A98347-7619-41AA-AECE-B21AC5C1A7E6} C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{B14290AD-CD54-400C-B858-797BCB82570E}\ProxyStubClsid32\ = "{0BB3B78C-1807-4249-5BA5-EA42D66AF0BF}" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{92ED7B1A-0D96-40ED-AE46-A564D484325E}\TypeLib C:\Program Files\Oracle\VirtualBox\VirtualBox.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{41304F1B-7E72-4F34-B8F6-682785620C57}\ProxyStubClsid32 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{5748F794-48DF-438D-85EB-98FFD70D18C9}\TypeLib\Version = "1.3" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{00727A73-000A-4C4A-006D-E7D300351186}\NumMethods\ = "14" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{0F7B8A22-C71F-4A36-8E5F-A77D01D76090} C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{755E6BDF-1640-41F9-BD74-3EF5FD653250} C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A338ED20-58D9-43AE-8B03-C1FD7088EF15}\ = "IDataStream" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{C354A762-3FF2-4F2E-8F09-07382EE25088} C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{DDCA7247-BF98-47FB-AB2F-B5177533F493}\ProxyStubClsid32\ = "{0BB3B78C-1807-4249-5BA5-EA42D66AF0BF}" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Interface\{78861431-D545-44AA-8013-181B8C288554}\ProxyStubClsid32 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6620DB85-44E0-CA69-E9E0-D4907CECCBE5}\ProxyStubClsid32 C:\Program Files\Oracle\VirtualBox\VirtualBox.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{02B69798-7CC2-4005-AC57-1AD7FF7A0997}\ = "IGuestDirectoryEvent" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{5587D0F6-A227-4F23-8278-2F675EEA1BB2}\NumMethods C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{24eef068-c380-4510-bc7c-19314a7352f1} C:\Program Files\Oracle\VirtualBox\VirtualBox.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D7B98D2B-30E8-447E-99CB-E31BECAE6AE4}\NumMethods C:\Program Files\Oracle\VirtualBox\VirtualBox.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\progId_VirtualBox.Shell.vhd C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{CB6F0F2C-8384-11E9-921D-8B984E28A686}\TypeLib C:\Program Files\Oracle\VirtualBox\VirtualBox.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Interface\{C19073DD-CC7B-431B-98B2-951FDA8EAB89}\TypeLib C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D782DBA7-CD4F-4ACE-951A-58321C23E258}\TypeLib\ = "{D7569351-1750-46F0-936E-BD127D5BC264}" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Interface\{147816C8-17E0-11EB-81FA-87CEA6263E1A}\TypeLib C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D78374E9-486E-472F-481B-969746AF2480}\ProxyStubClsid32 C:\Program Files\Oracle\VirtualBox\VirtualBox.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{101ae042-1a29-4a19-92cf-02285773f3b5} C:\Program Files\Oracle\VirtualBox\VirtualBox.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{269D8F6B-FA1E-4CEE-91C7-6D8496BEA3C1}\ = "INATNetworkStartStopEvent" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3DB2AB1A-6CF7-42F1-8BF5-E1C0553E0B30}\TypeLib\Version = "1.3" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{890ED3DC-CC19-43FA-8EBF-BAECB6B9EC87}\TypeLib\Version = "1.3" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Interface\{5094F67A-8084-11E9-B185-DBE296E54799}\NumMethods C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{d5dcece0-b202-4416-a138-03502784cc07} C:\Program Files\Oracle\VirtualBox\VirtualBox.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A670A023-E172-452C-B731-14EF855F4DA6}\TypeLib\ = "{D7569351-1750-46F0-936E-BD127D5BC264}" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{EB000A0E-2079-4F47-BBCC-C6B28A4E50DF}\NumMethods\ = "14" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{ABE94809-2E88-4436-83D7-50F3E64D0503}\ProxyStubClsid32\ = "{0BB3B78C-1807-4249-5BA5-EA42D66AF0BF}" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{B7FDA727-7A08-46EE-8DD8-F8D7308B519C}\NumMethods\ = "22" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{D23A9CA3-42DA-C94B-8AEC-21968E08355D} C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E8F79A21-1207-4179-94CF-CA250036308F}\ProxyStubClsid32\ = "{0BB3B78C-1807-4249-5BA5-EA42D66AF0BF}" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Interface\{739160A6-53EA-465B-BB6B-5326C20A3C0C} C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{883dd18b-0721-4cde-867c-1a82abaf914c} C:\Program Files\Oracle\VirtualBox\VirtualBox.exe N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files\Oracle\VirtualBox\VirtualBox.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files\Oracle\VirtualBox\VirtualBox.exe N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\VirtualBox-7.1.4-165100-Win.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\VirtualBox-7.1.4-165100-Win.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\VirtualBox-7.1.4-165100-Win.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\VirtualBox-7.1.4-165100-Win.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\VirtualBox-7.1.4-165100-Win.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\VirtualBox-7.1.4-165100-Win.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Users\Admin\AppData\Local\Temp\VirtualBox-7.1.4-165100-Win.exe N/A
Token: SeTcbPrivilege N/A C:\Users\Admin\AppData\Local\Temp\VirtualBox-7.1.4-165100-Win.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\VirtualBox-7.1.4-165100-Win.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\VirtualBox-7.1.4-165100-Win.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\VirtualBox-7.1.4-165100-Win.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\VirtualBox-7.1.4-165100-Win.exe N/A
Token: SeSystemtimePrivilege N/A C:\Users\Admin\AppData\Local\Temp\VirtualBox-7.1.4-165100-Win.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Local\Temp\VirtualBox-7.1.4-165100-Win.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\VirtualBox-7.1.4-165100-Win.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\VirtualBox-7.1.4-165100-Win.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\VirtualBox-7.1.4-165100-Win.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\VirtualBox-7.1.4-165100-Win.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\VirtualBox-7.1.4-165100-Win.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\VirtualBox-7.1.4-165100-Win.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\VirtualBox-7.1.4-165100-Win.exe N/A
Token: SeAuditPrivilege N/A C:\Users\Admin\AppData\Local\Temp\VirtualBox-7.1.4-165100-Win.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\VirtualBox-7.1.4-165100-Win.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Users\Admin\AppData\Local\Temp\VirtualBox-7.1.4-165100-Win.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\VirtualBox-7.1.4-165100-Win.exe N/A
Token: SeUndockPrivilege N/A C:\Users\Admin\AppData\Local\Temp\VirtualBox-7.1.4-165100-Win.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\VirtualBox-7.1.4-165100-Win.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Users\Admin\AppData\Local\Temp\VirtualBox-7.1.4-165100-Win.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\VirtualBox-7.1.4-165100-Win.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\VirtualBox-7.1.4-165100-Win.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Users\Admin\AppData\Local\Temp\VirtualBox-7.1.4-165100-Win.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\VirtualBox-7.1.4-165100-Win.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\VirtualBox-7.1.4-165100-Win.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\VirtualBox-7.1.4-165100-Win.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\VirtualBox-7.1.4-165100-Win.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Users\Admin\AppData\Local\Temp\VirtualBox-7.1.4-165100-Win.exe N/A
Token: SeTcbPrivilege N/A C:\Users\Admin\AppData\Local\Temp\VirtualBox-7.1.4-165100-Win.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\VirtualBox-7.1.4-165100-Win.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\VirtualBox-7.1.4-165100-Win.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\VirtualBox-7.1.4-165100-Win.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\VirtualBox-7.1.4-165100-Win.exe N/A
Token: SeSystemtimePrivilege N/A C:\Users\Admin\AppData\Local\Temp\VirtualBox-7.1.4-165100-Win.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Local\Temp\VirtualBox-7.1.4-165100-Win.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\VirtualBox-7.1.4-165100-Win.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\VirtualBox-7.1.4-165100-Win.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\VirtualBox-7.1.4-165100-Win.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\VirtualBox-7.1.4-165100-Win.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\VirtualBox-7.1.4-165100-Win.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\VirtualBox-7.1.4-165100-Win.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\VirtualBox-7.1.4-165100-Win.exe N/A
Token: SeAuditPrivilege N/A C:\Users\Admin\AppData\Local\Temp\VirtualBox-7.1.4-165100-Win.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\VirtualBox-7.1.4-165100-Win.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Users\Admin\AppData\Local\Temp\VirtualBox-7.1.4-165100-Win.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\VirtualBox-7.1.4-165100-Win.exe N/A
Token: SeUndockPrivilege N/A C:\Users\Admin\AppData\Local\Temp\VirtualBox-7.1.4-165100-Win.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\VirtualBox-7.1.4-165100-Win.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Users\Admin\AppData\Local\Temp\VirtualBox-7.1.4-165100-Win.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\VirtualBox-7.1.4-165100-Win.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\VirtualBox-7.1.4-165100-Win.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Users\Admin\AppData\Local\Temp\VirtualBox-7.1.4-165100-Win.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\VirtualBox-7.1.4-165100-Win.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\VirtualBox-7.1.4-165100-Win.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\VirtualBox-7.1.4-165100-Win.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\LogonUI.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1540 wrote to memory of 3684 N/A C:\Windows\system32\msiexec.exe C:\Windows\System32\MsiExec.exe
PID 1540 wrote to memory of 3684 N/A C:\Windows\system32\msiexec.exe C:\Windows\System32\MsiExec.exe
PID 1540 wrote to memory of 1224 N/A C:\Windows\system32\msiexec.exe C:\Windows\system32\srtasks.exe
PID 1540 wrote to memory of 1224 N/A C:\Windows\system32\msiexec.exe C:\Windows\system32\srtasks.exe
PID 1540 wrote to memory of 2612 N/A C:\Windows\system32\msiexec.exe C:\Windows\System32\MsiExec.exe
PID 1540 wrote to memory of 2612 N/A C:\Windows\system32\msiexec.exe C:\Windows\System32\MsiExec.exe
PID 1540 wrote to memory of 2932 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 1540 wrote to memory of 2932 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 1540 wrote to memory of 2932 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 1540 wrote to memory of 4960 N/A C:\Windows\system32\msiexec.exe C:\Windows\System32\MsiExec.exe
PID 1540 wrote to memory of 4960 N/A C:\Windows\system32\msiexec.exe C:\Windows\System32\MsiExec.exe
PID 2264 wrote to memory of 5100 N/A C:\Windows\system32\svchost.exe C:\Windows\system32\DrvInst.exe
PID 2264 wrote to memory of 5100 N/A C:\Windows\system32\svchost.exe C:\Windows\system32\DrvInst.exe
PID 1540 wrote to memory of 4348 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 1540 wrote to memory of 4348 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 1540 wrote to memory of 4348 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2264 wrote to memory of 2348 N/A C:\Windows\system32\svchost.exe C:\Windows\system32\DrvInst.exe
PID 2264 wrote to memory of 2348 N/A C:\Windows\system32\svchost.exe C:\Windows\system32\DrvInst.exe
PID 2264 wrote to memory of 1252 N/A C:\Windows\system32\svchost.exe C:\Windows\system32\DrvInst.exe
PID 2264 wrote to memory of 1252 N/A C:\Windows\system32\svchost.exe C:\Windows\system32\DrvInst.exe
PID 1112 wrote to memory of 3748 N/A C:\Users\Admin\AppData\Local\Temp\VirtualBox-7.1.4-165100-Win.exe C:\Program Files\Oracle\VirtualBox\VirtualBox.exe
PID 1112 wrote to memory of 3748 N/A C:\Users\Admin\AppData\Local\Temp\VirtualBox-7.1.4-165100-Win.exe C:\Program Files\Oracle\VirtualBox\VirtualBox.exe

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\VirtualBox-7.1.4-165100-Win.exe

"C:\Users\Admin\AppData\Local\Temp\VirtualBox-7.1.4-165100-Win.exe"

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Windows\System32\MsiExec.exe

C:\Windows\System32\MsiExec.exe -Embedding 681D4CDDC02BF24C3B201F02262B994F C

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\srtasks.exe

C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2

C:\Windows\System32\MsiExec.exe

C:\Windows\System32\MsiExec.exe -Embedding EA17B10AD8B5C54D3F1D95EAAF5761BA

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding E2C3F61558E84C01457E79B2B2FBF7D4

C:\Windows\System32\MsiExec.exe

C:\Windows\System32\MsiExec.exe -Embedding 16327EE46E5A20ACB5DC184CB2232656 E Global\MSI0000

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k DcomLaunch -p -s DeviceInstall

C:\Windows\system32\DrvInst.exe

DrvInst.exe "4" "1" "C:\Program Files\Oracle\VirtualBox\drivers\USB\device\VBoxUSB.inf" "9" "48f6bcb47" "0000000000000150" "WinSta0\Default" "0000000000000160" "208" "C:\Program Files\Oracle\VirtualBox\drivers\USB\device"

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding 7E58CF94CFD58FBB2416682ACEE6B8BF M Global\MSI0000

C:\Windows\system32\DrvInst.exe

DrvInst.exe "4" "1" "C:\Program Files\Oracle\VirtualBox\drivers\network\netlwf\VBoxNetLwf.inf" "9" "431e52bcb" "0000000000000184" "WinSta0\Default" "0000000000000160" "208" "C:\Program Files\Oracle\VirtualBox\drivers\network\netlwf"

C:\Windows\system32\DrvInst.exe

DrvInst.exe "4" "1" "C:\Program Files\Oracle\VirtualBox\drivers\network\netadp6\VBoxNetAdp6.inf" "9" "473b17b7b" "0000000000000164" "WinSta0\Default" "000000000000015C" "208" "C:\Program Files\Oracle\VirtualBox\drivers\network\netadp6"

C:\Program Files\Oracle\VirtualBox\VirtualBox.exe

"C:\Program Files\Oracle\VirtualBox\VirtualBox.exe"

C:\Program Files\Oracle\VirtualBox\VBoxSVC.exe

"C:\Program Files\Oracle\VirtualBox\VBoxSVC.exe" -Embedding

C:\Program Files\Oracle\VirtualBox\VBoxSDS.exe

"C:\Program Files\Oracle\VirtualBox\VBoxSDS.exe"

C:\Windows\system32\LogonUI.exe

"LogonUI.exe" /flags:0x4 /state0:0xa39e0055 /state1:0x41c64e6d

Network

Country Destination Domain Proto
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 9.8.6.6.d.c.a.c.b.8.6.3.1.5.c.5.0.0.0.0.0.0.0.0.0.0.0.0.0.8.e.f.ip6.arpa udp
N/A 255.255.255.255:67 udp
US 8.8.8.8:53 1.56.168.192.in-addr.arpa udp
N/A 224.0.0.251:5353 udp

Files

C:\Users\Admin\AppData\Local\Temp\MSIA6FE.tmp

MD5 170b0049505e4312e410dcf1e683f0a7
SHA1 be2c41ff3c49a2ad7027df74d1107327b145e8d4
SHA256 67a1517109bbbdd924511a7896bdc1c245a939ec6fbe926e9077837b93848450
SHA512 dc5493b399e6781dd7bb28981e8835c4c004be9479b47b92cdc7300c1228bde4ee172f14be40155d5da7b71782b5f1a940a80d7aced8b610571c062873da3994

\??\Volume{4627e397-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{29647298-cdd3-4f3d-80fc-380652cc15b5}_OnDiskSnapshotProp

MD5 47a974bc551163b6a3dc036f6f83212d
SHA1 0fc57684c9799d222b30114b8c17696efeb8ba21
SHA256 8151ab8f03dd662c759a06a851730bd44d34988430a376327329088880f9440a
SHA512 cea98a8fdb3da65ffecbc2353167abb47d043d738486f8c51991348bff60a3335ee8f4eee55985d6455a8c95f6ff1d73fff664f5ac0212459e01079cd6a9ad47

\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

MD5 733b842913fb6b20c5b2b86c61a7d666
SHA1 a00c089e9efaf4c744e91e8aecbfb4dd277fd913
SHA256 dd4db30762240a01ddccf7c8777afabef5f61fa564fca48b2742686285fd2da7
SHA512 55c091d79f8751fdbeb75dee592f620abe6f0c5b5719b318946ccdda89b79bf70cf23dda7057246cf751a301516d3d8e461b13bd306e6921309be7c5343555d6

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EC9B1D0ABBD7F98B401D425828828CE_D2F6556190F7B1A25A117FFB5467EEBD

MD5 d82d323ac43cb5f0ad3322b946d8b010
SHA1 3c37a23d9241f1b291421adeb7e3bfecedca134e
SHA256 443ca2a35f9045f48b38fb7b1b6c088fdea068afe3f72516d2b3f180ac3e2668
SHA512 cfb237a211bd1d89d96ea8f3d71f7b01d43a8036d63506fd34f5127cffa3d5fff83b971d850eff02ea2ddb9cbb46895aaa6acb6fe702c214c95e7b7ec7136010

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8EC9B1D0ABBD7F98B401D425828828CE_D2F6556190F7B1A25A117FFB5467EEBD

MD5 a898ad52198fee59ed78967b3a041485
SHA1 7b78da243b27e65b90488c6b0df05ee9e0543e75
SHA256 35c8b319f0173d445b7b2ef57af4cf8b90e778f14787233a98dfeac9dbb372e5
SHA512 63530213637518236941183f68895e1f428d76bd8330ca729e4f8ab6f6f1f2b457b64e3118c3a2e86720e7870cd57eedf2117c3d058a1c61f47c142cf6bdb0a0

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141

MD5 1425aae2b6e15ba77c0c4a8304422e63
SHA1 3c301b32c8d4193684f452a9c921d9135d085b6b
SHA256 4e948a3e1b38aa343e468510884a96f9def3270519b53f2e8734f1698fd954a9
SHA512 a9ecd4864f1139c8aa5aa5534a3cfb136b5e91121eb9d654a4b1dbb6149e5732d10bd5cbaf95b574848d06403c9cf1e096c5c7cb06bb6f41c3d116af69fe2262

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141

MD5 93e288e54b96ac7856737a99440638d1
SHA1 392376d98057e0203356f894dff500e9fb78fd70
SHA256 a84a10a712123ea6e021a8a6fcb02db610c62bc36df189e3b00c14fe7ec8fb10
SHA512 5b56c96d19b9bbe90059eb4d15324e6f6aa2b01b3c6092287e709275befcf9784dc22f76231ba9f1b9210b5bdf37c48df98fcb59825595c5f55b868b31207ae4

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB

MD5 766cf5cd1ccee5f31bf4332b8c8629be
SHA1 b2937666b4f615601081a7e1bdaee0326b820e38
SHA256 1e929742ccc963109fe468e0efed37be626873b4d70006928d1ce413c4019c69
SHA512 242343410a5d8ebe6e9d8d0b2fe833e9320068ae163ef02eab7cbb784afd66eb5a9e210cbc12ca419f559e3366d790ccd541e9027efc244ead30035abef6c538

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB

MD5 a2bfa80e4367f432bc4c783432732b8c
SHA1 d3666ac976bc6462e2566059f269d58270ecb7b1
SHA256 3e8f45e6a6a93fd03c91d103a7be7b02a25fc70ba9598191c9fe01237b2f6eb0
SHA512 488da70f39ed2ea9e53504665b715b9d424771b865afedbbd01acbcbb0acb5802ba57adc1150eebb26e8e1a25b2952a6c867ccbfc40555dce85b615282db0708

C:\Windows\Installer\MSI3E7.tmp

MD5 ac831c25bc16a05ee60aea5d79517434
SHA1 4946133e7fac34315a0ccaa30ca8ad383d5f0140
SHA256 947f8fd98efb1986df32a9c179eccf720376721798cc15d4cf9e31cdb8324869
SHA512 72f625386a7af35b58bdb70f35b8a29cd06c091f04e4cc2f9c7ec1c1ec194e4fb120b5528b55ed589c9daa890c1bdf8762dce1e17dd69a77ec7a002d2685ba5b

C:\Windows\Installer\MSI66B.tmp

MD5 418322f7be2b68e88a93a048ac75a757
SHA1 09739792ff1c30f73dacafbe503630615922b561
SHA256 ea5d4b4c7e7be1ce24a614ae1e31a58bcae6f1694dd8bfb735cf47d35a08d59b
SHA512 253f62f5ce75df3e9ac3c62e2f06f30c7c6de6280fbfc830cdd15bf29cb8ee9ed878212f6df5d0ac6a5c9be0e6259f900eccee472a890f15dd3ff1f84958aeef

C:\Windows\Installer\MSI111C.tmp

MD5 8deb7d2f91c7392925718b3ba0aade22
SHA1 fc8e9b10c83e16eb0af1b6f10128f5c37b389682
SHA256 cb42fac1aebb6e1ac4907a38035b218b5f992d1bcd4dece11b1664a588e876e4
SHA512 37f2c132b632c8e5a336bdc773d953c7f39872b1bae2ba34fbaf7794a477fd0dcb9ff60a3ddb447fe76abd98e557bd5ee544876584adea152b0841b3e313054c

C:\Program Files\Oracle\VirtualBox\drivers\vboxsup\VBoxSup.inf

MD5 d76b6215058c8d581bc7ed476794ea05
SHA1 e9aac803d1ea08560064ea01d63214ef42e39931
SHA256 f657dd259d84dd60da119e8ffc0d0b70aae6655875af4d72674d072543ca259e
SHA512 eb25843f06078c1fc8a84a3312d22e2bea544f521a501b92f55df234068bcf309266b0ee18ad8c0858602de721d56073ad13a074d7343dd706dffb9e5a85c6d2

C:\Program Files\Oracle\VirtualBox\drivers\vboxsup\VBoxSup.cat

MD5 4a9b8ed2a7923c2f51b816bdabf265f2
SHA1 d519a98e5bce10a4dec8f29865e90007390d666e
SHA256 14bf761cf13d3caf19810350024747687f64fc2d05cb6b78393f42df93024bcc
SHA512 8491bf1d71aa90f114166088cc94046564ba0386175f382ba737320443baff654ea8584c0d314539df0da2b4ad9d4cc02ad3abee0d102b0ac1d56c02cd83f9c9

C:\Program Files\Oracle\VirtualBox\drivers\vboxsup\VBoxSup.sys

MD5 0809df0b4b50b73e67b73ce9754fb482
SHA1 5bbf156438c6f53b426d451800ad31c18113d30e
SHA256 70c9a26893e09801ef872a8d93555454b520f60867a99df501607346a60f1352
SHA512 da9dec78d03ba2db5db957dd45e926e17fd4656c3e9823f1e0582968a2f9f4d97d4cc9d9e3587056c74e6384260476617310ce13259b72b1cc5c0a6c175501c1

C:\Program Files\Oracle\VirtualBox\drivers\USB\filter\VBoxUSBMon.sys

MD5 bd852ea819ac44f17b4beebbd568f212
SHA1 e2f549d235e5d2c6824c7dc50bb09c6c083dd304
SHA256 1c317b5c535efe02446d8793c6a473e3ed51f06881b310906344e9e3bc5792b9
SHA512 e162dacdba163feebf91acd43792aa2669cd4e7f13f0fdaedc1554492e8135ae104aad06c651959f20581d9bb2b49f3d6a559bbabc43ea8ab6ed06d850931f01

C:\Program Files\Oracle\VirtualBox\drivers\USB\filter\VBoxUSBMon.cat

MD5 d9d4bb36efe7f7d20cbdf7475810dafc
SHA1 fdfedcba20da40d999dc2639739fef88b396ca38
SHA256 cfa38c85e7414dd6b4f13558c2ddde8e5ff1f5c4cfab2bc7b7827e0ab92a4d1e
SHA512 d73308307a723a401e5b2a89466314c9fe9955f47510a38e326dabdae85423756fc992fd1f8536200a72f1962f1d3091324f1040cbbd7e17f81d93bcf0fe29a7

C:\Program Files\Oracle\VirtualBox\drivers\USB\filter\VBoxUSBMon.inf

MD5 f07b83bffa21b5820da5f2b1b3878c6e
SHA1 b182ec163b2a13692c5d496ee0a442d3e23e4f00
SHA256 898e05b1935264736eb69f9b0be36f2815ee7ec7135cfc8db38c6490ec10b944
SHA512 d9477953f8a2c53a213a4b9b8d8c09b030c3a265869d676d06566dfe95072c51f77f8eb6aa01f86f88485d7e856ef1581c33930d7469095d29bb1a295855fdf6

C:\Program Files\Oracle\VirtualBox\drivers\USB\device\VBoxUSB.inf

MD5 81785d890d8115416554e545e3963651
SHA1 470cea23f5c8a0c64c84aceb35a0b8288d70400c
SHA256 c88c2da48932b247196ec915eb7e72403063376b4d8d35b582c236fdfd912bcb
SHA512 3a39f0d368eb15e73c69008b19f0b9561a56cc4ebdebe7d8cd2a57fa975d954a7660d2de2b74fe769dd0d78dd836d3033624109483f2e7784dbb470d38418ee1

C:\PROGRA~1\Oracle\VIRTUA~1\drivers\USB\device\VBoxUSB.cat

MD5 ef3a8a5be39b7310aa1cae4f4e589208
SHA1 bce823d3ff3b7a4a5a7cc8efd693d3b36ace3e78
SHA256 b7a5d4285826327851a864698a938478bfc3a983a4386f7f70cabad9f7e7c6c9
SHA512 751c7cb03bcd6ce52d6171552ae3678a99076f0d5d216d3a95374b97b4cabcc338d155be9b8f84459ad755de875cfa0badd5018a85837e73e9a6815ac031f944

C:\PROGRA~1\Oracle\VIRTUA~1\drivers\USB\device\VBoxUSB.sys

MD5 696b58e28b09b0ebaf4f27901a52e0e1
SHA1 eb1b5166c42bb96983889c873f45a1ef7ee62295
SHA256 1ff96c3462cf14e27da3c82b3c890972d48b2b9ecc168608ef631b2ade2bb95d
SHA512 f57171a2b8236daca57d152d8c6b5cfd3e45f2037465c14410c44b510f07ae18bf777b7599c9f63293f9ac1e7322fd473db0f2a69172860d44046d43fb5bc39c

C:\Windows\System32\CatRoot2\dberr.txt

MD5 3eff05398c8ce17428812667f97ba2c9
SHA1 ffc5e4ead3dd13c9230183cf702666e9c7cacbc8
SHA256 5b028183644b3b44fa860a4378521e012ef976f8bbae96c2d43aeda01b9e57f8
SHA512 8899e16aa3f5c06db070cbc40511afcd6862ebc15cc74f73e4a2083452fe38bc5b36742f8d6a8d6471211769af6ce3c42ea00ea3bd9d56427b178092ac5770dc

C:\Windows\System32\CatRoot2\dberr.txt

MD5 94337eb634b6569ccc3aa521c9e4708f
SHA1 7bae5e098f7a5ff82370bf5be0291a7bdf7aac23
SHA256 3ca9645459356cc4d58c50589df454d5998630116cf3a144036bbb04009b00fe
SHA512 b6c5b0764cbbbb2ea2b6de0034e0daa422da5a45bc705c033792f2ed896f381e7aa47b072d1d85e08704e5565a9b54e2112c0f55991dbe7a175814e855e26620

C:\Program Files\Oracle\VirtualBox\VirtualBox.exe

MD5 8c2f0cb4fe0669d72b6fbeace9e375a6
SHA1 3ed426c730b7eab2068ced89f6aa1d8bdc4ac75c
SHA256 8672723927495625c1dd5fe5eefefc00cdeb2905db982522758ae2c5734137bf
SHA512 ceed87c3c8d418b8db827a52f995449ed114396a2b445528ee7e25343c01085d17308aab46a29d45d254b38c6ff0cf85e6ab31db34eb9ce20be60a0f2bd52873

C:\Program Files\Oracle\VirtualBox\VBoxProxyStub.dll

MD5 10f9b5bef3ae0d638915fbdc37e2c61e
SHA1 4b59849453ea99f415072c754d2073d863c8062f
SHA256 c1c89578869eba00f8e2dbdbc1f2683d8f1daced92b0ab23430ac0a982c24648
SHA512 e010231ce513438a449f2977c90ac91b56804940cc0e35f702b6d6a8aa78c8d9636cade7b5bfd2a7f2a0bbf2fa686738ebf168d40f3b54c98e2cd34853210fe7

C:\Program Files\Oracle\VirtualBox\x86\VBoxProxyStub-x86.dll

MD5 3612c59246d7a36c607f6904dc3ac1b7
SHA1 0d2a4d6c9acf84b7aa168a2e62f55f58166f568c
SHA256 dc4f8bf8ab2d4a593c398c8f4747c3b67aeda838aa4f28c4e4d6217d91aafab9
SHA512 143ca0192bec78796c6e9220d3d77854f67187a914f18acaa6cce9a5e879e619dee3601aae3cbdd563400e526bddfd3e8edecd0336922aaa8c71cfb65d0b0159

C:\Windows\System32\DriverStore\Temp\{6dbcbf9e-a2cb-e449-bcf8-fa044ff177b1}\VBoxNetLwf.inf

MD5 351856254220eb250d62f4547e9aeb96
SHA1 c7a72d9f7b783ba54b5d8839279dfcba689a7c11
SHA256 c62c8264b3add792c706a4e76b643fe969b69ec902651b5d31974c42a026e619
SHA512 4e6bc35063cb16c602dc4c6080c8ca8b48dedce63d01db7efe7576e24a82127ddfd4ae00f052a81e4779d517045e8477ec61a7cf71c378fbe491aec54504c2e6

C:\Windows\System32\DriverStore\Temp\{6dbcbf9e-a2cb-e449-bcf8-fa044ff177b1}\VBoxNetLwf.cat

MD5 c0261377e9c8115d9e67db2dcfe1143c
SHA1 115916d3fd1ca02bd1fbb5db9c846f0a9ac9f3d5
SHA256 c47acf6981dfc65fb25166e3df07fdcfc55c4eeddb79e3b8d1a066ed2596334a
SHA512 348d638710b14fdf509009d6e8bd7e0576bf3ce9144dbfd07b95c773653860284a0c2e1b8d5ffdacf097bf4328082a79fa457e1eeb65c4752b840ab17346236f

C:\Windows\System32\DriverStore\Temp\{6dbcbf9e-a2cb-e449-bcf8-fa044ff177b1}\VBoxNetLwf.sys

MD5 68c5f8884313e9c5ad1d54fd7181f140
SHA1 40e747ce98f899fb8beb31dacc2cb261092ad6cc
SHA256 de4a67670417fe97e0207d40f38317104548d4ee77bbbf50f269dfc8ef655a9c
SHA512 6433586185dd5d07ab9cf7141d64a55a33fea3872e6b2616ae0dd8e75820fd0eac7593cff39fd6262dc0b1c779c8c3a8a7bdbdde2b95e9e1aa74d3613419ee7b

C:\Windows\System32\catroot2\dberr.txt

MD5 318b7c48d02a11054264f9d017c22ca3
SHA1 369495c45bffbc205a795cf6c7e86bf42c604524
SHA256 8e26a598819568c146546a15d463cbfe3e78afaccb1cc1f66610ea9335143199
SHA512 8a92c992f5bf2c2c402002306386c86a4411d4e3c32a04e6b6bcedc14026e9f4ace18aef7183df758f70f0a1ebe425869d0e52698b415cf582c7b282677ab733

C:\Windows\System32\DriverStore\Temp\{432df94d-5e32-4740-b8e0-0c66a306f9c8}\VBoxNetAdp6.sys

MD5 83e6380b648c6fa9659094bce716d9ba
SHA1 a8a97d3dcba0792644c29f04b832ddd4ffb0e35a
SHA256 7786fa5fde0234b77fd4fbc131857fac471b1dafd42ccf6f38b3012da3b8098d
SHA512 251613f93fb624da3c6daa30ca3b1ff80351c421639b3ee034898bcfa8dfc32c04af1370d0e470aa11c20dc64eaa8ea142bc31e544fbb358272efd2316ff73f6

C:\Windows\System32\DriverStore\Temp\{432df94d-5e32-4740-b8e0-0c66a306f9c8}\VBoxNetAdp6.cat

MD5 5d3b6f1bf4205e0f41aa7ab4f0d1e954
SHA1 c5343a49ba2c8496de6a10c1ef13c4f45bc5aa7f
SHA256 6573b7f11080594cee694c545edbecaf2f577ddd996c3d1d6f5304847bd45a6d
SHA512 47190629218759c840e37f6b283bba8154c8fab6e8bee16b1f088848038cbe42dcb23fde6615d5e2d8b5e27a0c1f75377e76fd1b8147624f6293c8cb7a5f9acf

C:\Windows\System32\DriverStore\Temp\{432df94d-5e32-4740-b8e0-0c66a306f9c8}\VBoxNetAdp6.inf

MD5 39d54baf75931606454607628b8cfd56
SHA1 0c0af5bcb13fa4f9303adcaa5e1bd863850d696b
SHA256 c96d4504e9fa5a7cbafbe01b3a436848b7ea8c95690a533ac7d4453b5ebd17db
SHA512 3dac9f6f911e2a1daf1b04ff6ea2f1e23cc78fa53e67d4fdd26e641e290921f5da9bf9c4f6442eaf418bdcd4d3a9f1dc5fe558c4b3d34db7773ae451ece3b66b

C:\Config.Msi\e5800e6.rbs

MD5 1469e0ca56a45c4b2c6feacaa2a0cd56
SHA1 622789397dda43f1d8b7e0372f27859556a4186e
SHA256 8928dd187efc067744f869ea9a2f9695ece4f1d2cd3fd9afd05fd0a90c7175ef
SHA512 70721836cecd668e1068fe402e0b989bfda7f392c1bd5daac1017d25f7ac2201895838147bd676f270be75ba164757acb6c0b5bfbb1e14ce24960f095824f507

memory/3748-562-0x00007FFE99180000-0x00007FFE99741000-memory.dmp

memory/3748-560-0x00007FF7FCD70000-0x00007FF7FD029000-memory.dmp

memory/3748-561-0x00007FFE9AB60000-0x00007FFE9C6A0000-memory.dmp

C:\Users\Admin\.VirtualBox\VirtualBox.xml

MD5 d9d28bd2ef7192fb0efb99607d7a0807
SHA1 7fb6f32f1c0f227118613dd7779e1bf0a6e2ce4a
SHA256 dad710b076d96b3de34a58363a3241935bfe205b7240ce57f9d85bf2058e6dd5
SHA512 e058987d5fd8ea6cd3c3081c7ac45ce1e3719c4a38b46390133b19539fad35a0d8ad699023a3d934d18e3356cb6def62bd197b5a32ad496b620469c55d9efb13