Analysis Overview
SHA256
f970e275f59eeeb129aab88a78dae80784370742b5051650a7926c9ea64afeac
Threat Level: Likely malicious
The file VirtualBox-7.1.4-165100-Win.exe was found to be: Likely malicious.
Malicious Activity Summary
Drops file in Drivers directory
Enumerates connected drives
Drops file in System32 directory
Event Triggered Execution: Component Object Model Hijacking
Drops file in Program Files directory
Loads dropped DLL
Executes dropped EXE
Drops file in Windows directory
System Location Discovery: System Language Discovery
Suspicious behavior: GetForegroundWindowSpam
Uses Volume Shadow Copy service COM API
Suspicious use of FindShellTrayWindow
Checks SCSI registry key(s)
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious behavior: AddClipboardFormatListener
Modifies registry class
Suspicious behavior: LoadsDriver
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-09 21:24
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-09 21:24
Reported
2024-11-09 21:25
Platform
win11-20241007-en
Max time kernel
49s
Max time network
56s
Command Line
Signatures
Drops file in Drivers directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for modification | C:\Windows\system32\DRIVERS\VBoxSup.sys | C:\Windows\System32\MsiExec.exe | N/A |
| File created | C:\Windows\system32\DRIVERS\SET128A.tmp | C:\Windows\System32\MsiExec.exe | N/A |
| File opened for modification | C:\Windows\system32\DRIVERS\VBoxUSBMon.sys | C:\Windows\System32\MsiExec.exe | N/A |
| File opened for modification | C:\Windows\system32\DRIVERS\SET2596.tmp | C:\Windows\System32\MsiExec.exe | N/A |
| File opened for modification | C:\Windows\system32\DRIVERS\SET26C0.tmp | C:\Windows\System32\MsiExec.exe | N/A |
| File opened for modification | C:\Windows\system32\DRIVERS\VBoxNetAdp6.sys | C:\Windows\System32\MsiExec.exe | N/A |
| File opened for modification | C:\Windows\system32\DRIVERS\SET11AE.tmp | C:\Windows\System32\MsiExec.exe | N/A |
| File created | C:\Windows\system32\DRIVERS\SET11AE.tmp | C:\Windows\System32\MsiExec.exe | N/A |
| File opened for modification | C:\Windows\system32\DRIVERS\VBoxNetLwf.sys | C:\Windows\System32\MsiExec.exe | N/A |
| File created | C:\Windows\system32\DRIVERS\SET26C0.tmp | C:\Windows\System32\MsiExec.exe | N/A |
| File opened for modification | C:\Windows\system32\DRIVERS\SET128A.tmp | C:\Windows\System32\MsiExec.exe | N/A |
| File created | C:\Windows\system32\DRIVERS\SET2596.tmp | C:\Windows\System32\MsiExec.exe | N/A |
Enumerates connected drives
Drops file in System32 directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for modification | C:\Windows\System32\CatRoot2\dberr.txt | C:\Windows\system32\DrvInst.exe | N/A |
| File created | C:\Windows\System32\DriverStore\Temp\{6dbcbf9e-a2cb-e449-bcf8-fa044ff177b1}\SET2363.tmp | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\Temp\{6dbcbf9e-a2cb-e449-bcf8-fa044ff177b1}\SET2364.tmp | C:\Windows\system32\DrvInst.exe | N/A |
| File created | C:\Windows\System32\DriverStore\FileRepository\netrass.inf_amd64_72f156a5ee3f59e8\netrass.PNF | C:\Windows\System32\MsiExec.exe | N/A |
| File created | C:\Windows\System32\DriverStore\FileRepository\vboxnetlwf.inf_amd64_f7173b8d2ae4b6e5\vboxnetlwf.PNF | C:\Windows\System32\MsiExec.exe | N/A |
| File created | C:\Windows\system32\DRVSTORE\VBoxSup_D519A98E5BCE10A4DEC8F29865E90007390D666E\VBoxSup.sys | C:\Windows\System32\MsiExec.exe | N/A |
| File created | C:\Windows\System32\DriverStore\Temp\{6dbcbf9e-a2cb-e449-bcf8-fa044ff177b1}\SET2362.tmp | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\Temp\{432df94d-5e32-4740-b8e0-0c66a306f9c8}\SET2640.tmp | C:\Windows\system32\DrvInst.exe | N/A |
| File created | C:\Windows\system32\DRVSTORE\VBoxSup_D519A98E5BCE10A4DEC8F29865E90007390D666E\VBoxSup.inf | C:\Windows\System32\MsiExec.exe | N/A |
| File created | C:\Windows\System32\DriverStore\FileRepository\netnwifi.inf_amd64_0525128a3d54207e\netnwifi.PNF | C:\Windows\System32\MsiExec.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\Temp\{432df94d-5e32-4740-b8e0-0c66a306f9c8}\SET2642.tmp | C:\Windows\system32\DrvInst.exe | N/A |
| File created | C:\Windows\system32\config\systemprofile\AppData\Roaming\VirtualBox\VBoxSDS.log | C:\Program Files\Oracle\VirtualBox\VBoxSDS.exe | N/A |
| File opened for modification | C:\Windows\system32\DRVSTORE | C:\Windows\System32\MsiExec.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\Temp\{7f6cf4f2-d3fa-664b-84ec-56ac71742c3a}\VBoxUSB.inf | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\Temp\{7f6cf4f2-d3fa-664b-84ec-56ac71742c3a}\SET1375.tmp | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\Temp\{6dbcbf9e-a2cb-e449-bcf8-fa044ff177b1}\VBoxNetLwf.sys | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\FileRepository\vboxnetlwf.inf_amd64_f7173b8d2ae4b6e5\VBoxNetLwf.cat | C:\Windows\system32\DrvInst.exe | N/A |
| File created | C:\Windows\System32\DriverStore\Temp\{432df94d-5e32-4740-b8e0-0c66a306f9c8}\SET2641.tmp | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\system32\DRVSTORE\VBoxSup_D519A98E5BCE10A4DEC8F29865E90007390D666E\VBoxSup.inf | C:\Windows\System32\MsiExec.exe | N/A |
| File created | C:\Windows\System32\DriverStore\Temp\{7f6cf4f2-d3fa-664b-84ec-56ac71742c3a}\SET1364.tmp | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\FileRepository\vboxnetlwf.inf_amd64_f7173b8d2ae4b6e5\VBoxNetLwf.sys | C:\Windows\system32\DrvInst.exe | N/A |
| File created | C:\Windows\System32\DriverStore\FileRepository\ndiscap.inf_amd64_d34968d7b3e6da21\ndiscap.PNF | C:\Windows\System32\MsiExec.exe | N/A |
| File created | C:\Windows\System32\DriverStore\Temp\{432df94d-5e32-4740-b8e0-0c66a306f9c8}\SET2642.tmp | C:\Windows\system32\DrvInst.exe | N/A |
| File created | C:\Windows\system32\DRVSTORE\VBoxSup_D519A98E5BCE10A4DEC8F29865E90007390D666E\VBoxSup.cat | C:\Windows\System32\MsiExec.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\Temp\{6dbcbf9e-a2cb-e449-bcf8-fa044ff177b1}\VBoxNetLwf.inf | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\Temp\{7f6cf4f2-d3fa-664b-84ec-56ac71742c3a}\SET1364.tmp | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\Temp\{432df94d-5e32-4740-b8e0-0c66a306f9c8}\VBoxNetAdp6.cat | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\Temp\{6dbcbf9e-a2cb-e449-bcf8-fa044ff177b1}\SET2362.tmp | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\FileRepository\vboxnetlwf.inf_amd64_f7173b8d2ae4b6e5\VBoxNetLwf.inf | C:\Windows\system32\DrvInst.exe | N/A |
| File created | C:\Windows\System32\DriverStore\Temp\{432df94d-5e32-4740-b8e0-0c66a306f9c8}\SET2640.tmp | C:\Windows\system32\DrvInst.exe | N/A |
| File created | C:\Windows\system32\DRVSTORE\VBoxUSBMon_FDFEDCBA20DA40D999DC2639739FEF88B396CA38\VBoxUSBMon.inf | C:\Windows\System32\MsiExec.exe | N/A |
| File created | C:\Windows\system32\DRVSTORE\VBoxUSBMon_FDFEDCBA20DA40D999DC2639739FEF88B396CA38\VBoxUSBMon.sys | C:\Windows\System32\MsiExec.exe | N/A |
| File created | C:\Windows\System32\DriverStore\FileRepository\netvwififlt.inf_amd64_882899f2b1006416\netvwififlt.PNF | C:\Windows\System32\MsiExec.exe | N/A |
| File created | C:\Windows\System32\DriverStore\FileRepository\c_netservice.inf_amd64_bc519c177a90877a\c_netservice.PNF | C:\Windows\System32\MsiExec.exe | N/A |
| File created | C:\Windows\System32\DriverStore\FileRepository\netnb.inf_amd64_10acfa4b924dd181\netnb.PNF | C:\Windows\System32\MsiExec.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\Temp\{432df94d-5e32-4740-b8e0-0c66a306f9c8}\SET2641.tmp | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\Temp\{7f6cf4f2-d3fa-664b-84ec-56ac71742c3a} | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\Temp\{6dbcbf9e-a2cb-e449-bcf8-fa044ff177b1}\SET2363.tmp | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\Temp\{432df94d-5e32-4740-b8e0-0c66a306f9c8}\VBoxNetAdp6.sys | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\FileRepository\vboxnetadp6.inf_amd64_e4681b06b50d140c\VBoxNetAdp6.inf | C:\Windows\system32\DrvInst.exe | N/A |
| File created | C:\Windows\System32\DriverStore\FileRepository\netserv.inf_amd64_56c163d21e8c2b62\netserv.PNF | C:\Windows\System32\MsiExec.exe | N/A |
| File created | C:\Windows\System32\DriverStore\FileRepository\wfpcapture.inf_amd64_54cf91ab0e4c9ac2\wfpcapture.PNF | C:\Windows\System32\MsiExec.exe | N/A |
| File created | C:\Windows\System32\DriverStore\drvstore.tmp | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\System32\CatRoot2\dberr.txt | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\Temp\{432df94d-5e32-4740-b8e0-0c66a306f9c8} | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\System32\CatRoot2\dberr.txt | C:\Windows\system32\DrvInst.exe | N/A |
| File created | C:\Windows\System32\DriverStore\FileRepository\vboxusb.inf_amd64_05244e62af87a9ac\VBoxUSB.PNF | C:\Windows\System32\MsiExec.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\FileRepository\vboxusb.inf_amd64_05244e62af87a9ac\VBoxUSB.sys | C:\Windows\system32\DrvInst.exe | N/A |
| File created | C:\Windows\System32\DriverStore\FileRepository\netpacer.inf_amd64_8074ac14f1ab2957\netpacer.PNF | C:\Windows\System32\MsiExec.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\FileRepository\vboxnetadp6.inf_amd64_e4681b06b50d140c\VBoxNetAdp6.sys | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\Temp\{7f6cf4f2-d3fa-664b-84ec-56ac71742c3a}\SET1374.tmp | C:\Windows\system32\DrvInst.exe | N/A |
| File created | C:\Windows\System32\DriverStore\Temp\{7f6cf4f2-d3fa-664b-84ec-56ac71742c3a}\SET1375.tmp | C:\Windows\system32\DrvInst.exe | N/A |
| File created | C:\Windows\System32\DriverStore\Temp\{7f6cf4f2-d3fa-664b-84ec-56ac71742c3a}\SET1374.tmp | C:\Windows\system32\DrvInst.exe | N/A |
| File created | C:\Windows\System32\DriverStore\drvstore.tmp | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\Temp\{6dbcbf9e-a2cb-e449-bcf8-fa044ff177b1} | C:\Windows\system32\DrvInst.exe | N/A |
| File created | C:\Windows\system32\DRVSTORE\VBoxUSBMon_FDFEDCBA20DA40D999DC2639739FEF88B396CA38\VBoxUSBMon.cat | C:\Windows\System32\MsiExec.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\Temp\{7f6cf4f2-d3fa-664b-84ec-56ac71742c3a}\VBoxUSB.cat | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\FileRepository\vboxusb.inf_amd64_05244e62af87a9ac\VBoxUSB.inf | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\FileRepository\vboxusb.inf_amd64_05244e62af87a9ac\VBoxUSB.cat | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\FileRepository\vboxnetadp6.inf_amd64_e4681b06b50d140c\VBoxNetAdp6.cat | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\System32\CatRoot2\dberr.txt | C:\Windows\System32\MsiExec.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\Temp\{7f6cf4f2-d3fa-664b-84ec-56ac71742c3a}\VBoxUSB.sys | C:\Windows\system32\DrvInst.exe | N/A |
| File created | C:\Windows\System32\DriverStore\FileRepository\netbrdg.inf_amd64_3debe5e78bab1bca\netbrdg.PNF | C:\Windows\System32\MsiExec.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\Temp\{432df94d-5e32-4740-b8e0-0c66a306f9c8}\VBoxNetAdp6.inf | C:\Windows\system32\DrvInst.exe | N/A |
Event Triggered Execution: Component Object Model Hijacking
Drops file in Program Files directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Program Files\Oracle\VirtualBox\VirtualBox_150px.png | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files\Oracle\VirtualBox\drivers\vboxsup\VBoxSup.cat | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files\Oracle\VirtualBox\nls\VirtualBox_hu.qm | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files\Oracle\VirtualBox\UnattendedTemplates\ol8_ks.cfg | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files\Oracle\VirtualBox\nls\qt_ru.qm | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files\Oracle\VirtualBox\UnattendedTemplates\redhat67_ks.cfg | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files\Oracle\VirtualBox\VBoxHeadless.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files\Oracle\VirtualBox\VBoxNetDHCP.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files\Oracle\VirtualBox\drivers\vboxsup\VBoxSup.inf | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files\Oracle\VirtualBox\nls\qt_fr.qm | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files\Oracle\VirtualBox\nls\VirtualBox_es.qm | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files\Oracle\VirtualBox\nls\VirtualBox_sk.qm | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files\Oracle\VirtualBox\nls\qt_tr.qm | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files\Oracle\VirtualBox\UnattendedTemplates\redhat_postinstall.sh | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files\Oracle\VirtualBox\nls\qt_lt.qm | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files\Oracle\VirtualBox\drivers\USB\device\VBoxUSB.cat | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files\Oracle\VirtualBox\VBoxSVC.exe | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files\Oracle\VirtualBox\nls\VirtualBox_id.qm | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files\Oracle\VirtualBox\nls\VirtualBox_sl.qm | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files\Oracle\VirtualBox\nls\qt_ko.qm | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files\Oracle\VirtualBox\sdk\installer\python\vboxapisetup.py | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files\Oracle\VirtualBox\VBoxCAPI.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files\Oracle\VirtualBox\VBoxDD2.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files\Oracle\VirtualBox\VBoxNetNAT.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files\Oracle\VirtualBox\UnattendedTemplates\win_nt5_unattended.sif | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files\Oracle\VirtualBox\drivers\network\netlwf\VBoxNetLwf.cat | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files\Oracle\VirtualBox\DbgPlugInDiggers.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files\Oracle\VirtualBox\drivers\vboxsup\VBoxSup.sys | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files\Oracle\VirtualBox\nls\qt_cs.qm | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files\Oracle\VirtualBox\UnattendedTemplates\ol9_ks.cfg | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files\Oracle\VirtualBox\Qt6SqlVBox.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files\Oracle\VirtualBox\VBoxSharedFolders.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files\Oracle\VirtualBox\VirtualBox.exe | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files\Oracle\VirtualBox\nls\qt_de.qm | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files\Oracle\VirtualBox\VBoxProxyStub.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files\Oracle\VirtualBox\VBoxRT.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files\Oracle\VirtualBox\sqldrivers\qsqliteVBox.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files\Oracle\VirtualBox\drivers\USB\filter\VBoxUSBMon.inf | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files\Oracle\VirtualBox\VBoxNetDHCP.exe | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files\Oracle\VirtualBox\nls\VirtualBox_ca.qm | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files\Oracle\VirtualBox\nls\VirtualBox_lt.qm | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files\Oracle\VirtualBox\nls\qt_en.qm | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files\Oracle\VirtualBox\x86\VBoxCAPI-x86.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files\Oracle\VirtualBox\Qt6StateMachineVBox.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files\Oracle\VirtualBox\VBoxBugReport.exe | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files\Oracle\VirtualBox\VBoxVMM.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files\Oracle\VirtualBox\nls\VirtualBox_bg.qm | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files\Oracle\VirtualBox\drivers\network\netadp6\VBoxNetAdp6.sys | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files\Oracle\VirtualBox\UserManual.qch | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files\Oracle\VirtualBox\VBoxAuthSimple.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files\Oracle\VirtualBox\VBoxGuestControlSvc.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files\Oracle\VirtualBox\nls\VirtualBox_en.qm | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files\Oracle\VirtualBox\VBoxDDR0.r0 | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files\Oracle\VirtualBox\VirtualBoxVM.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files\Oracle\VirtualBox\UnattendedTemplates\rhel3_ks.cfg | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files\Oracle\VirtualBox\UserManual.qhc | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files\Oracle\VirtualBox\VBoxWebSrv.exe | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files\Oracle\VirtualBox\VBoxSharedClipboard.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files\Oracle\VirtualBox\nls\VirtualBox_eu.qm | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files\Oracle\VirtualBox\UnattendedTemplates\lgw_ks.cfg | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files\Oracle\VirtualBox\drivers\network\netlwf\VBoxNetLwf.sys | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files\Oracle\VirtualBox\nls\qt_da.qm | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files\Oracle\VirtualBox\nls\qt_fa.qm | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files\Oracle\VirtualBox\UnattendedTemplates\lgw_postinstall.sh | C:\Windows\system32\msiexec.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for modification | C:\Windows\inf\oem5.inf | C:\Windows\system32\DrvInst.exe | N/A |
| File created | C:\Windows\inf\oem5.inf | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI2AD4.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\inf\oem3.inf | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI2208.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\INF\oem2.PNF | C:\Windows\System32\MsiExec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI263F.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI5FC.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI66B.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI1275.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\INF\setupapi.dev.log | C:\Windows\System32\MsiExec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI2AE5.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\SystemTemp\~DFAEC6D5C52D1CDC46.TMP | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI3D5.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI3E7.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIB00.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\inf\oem4.inf | C:\Windows\system32\DrvInst.exe | N/A |
| File created | C:\Windows\inf\oem4.inf | C:\Windows\system32\DrvInst.exe | N/A |
| File created | C:\Windows\Installer\{B7EE9AB2-4188-4B5F-8499-43114E7AD7DA}\IconVirtualBox | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\e5800e7.msi | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\INF\oem1.PNF | C:\Windows\System32\MsiExec.exe | N/A |
| File opened for modification | C:\Windows\Installer\{B7EE9AB2-4188-4B5F-8499-43114E7AD7DA}\IconVirtualBox | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\INF\setupapi.dev.log | C:\Windows\system32\DrvInst.exe | N/A |
| File created | C:\Windows\Installer\e5800e5.msi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\e5800e5.msi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI3D6.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\SourceHash{B7EE9AB2-4188-4B5F-8499-43114E7AD7DA} | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI111C.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\inf\oem3.inf | C:\Windows\system32\DrvInst.exe | N/A |
| File created | C:\Windows\INF\oem3.PNF | C:\Windows\System32\MsiExec.exe | N/A |
| File opened for modification | C:\Windows\INF\setupapi.dev.log | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI385.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI3C5.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\ | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\SystemTemp\~DFDE5B0D0C5388DF9E.TMP | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\INF\setupapi.dev.log | C:\Windows\system32\DrvInst.exe | N/A |
| File created | C:\Windows\Installer\inprogressinstallinfo.ipi | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\SystemTemp\~DFC86CC7CE32703A3C.TMP | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIB2F.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\INF\oem0.PNF | C:\Windows\System32\MsiExec.exe | N/A |
| File created | C:\Windows\SystemTemp\~DFB45172B67C19A507.TMP | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI436.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI12D4.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\INF\setupapi.dev.log | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI21C9.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\INF\oem4.PNF | C:\Windows\System32\MsiExec.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Program Files\Oracle\VirtualBox\VirtualBox.exe | N/A |
| N/A | N/A | C:\Program Files\Oracle\VirtualBox\VBoxSVC.exe | N/A |
| N/A | N/A | C:\Program Files\Oracle\VirtualBox\VBoxSDS.exe | N/A |
Loads dropped DLL
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\VirtualBox-7.1.4-165100-Win.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\syswow64\MsiExec.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\syswow64\MsiExec.exe | N/A |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\CompatibleIDs | C:\Windows\system32\DrvInst.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Filters | C:\Windows\System32\MsiExec.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = [value not present in the report] | C:\Windows\system32\vssvc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 | C:\Windows\System32\MsiExec.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\UpperFilters | C:\Windows\System32\MsiExec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr | C:\Windows\system32\vssvc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009 | C:\Windows\system32\svchost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID | C:\Windows\System32\MsiExec.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID | C:\Windows\system32\DrvInst.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs | C:\Windows\system32\DrvInst.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters | C:\Windows\system32\vssvc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001 | C:\Windows\system32\DrvInst.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 | C:\Windows\system32\DrvInst.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\CompatibleIDs | C:\Windows\system32\DrvInst.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 | C:\Windows\System32\MsiExec.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID | C:\Windows\system32\DrvInst.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\LowerFilters | C:\Windows\System32\MsiExec.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Filters | C:\Windows\System32\MsiExec.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom | C:\Windows\system32\DrvInst.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002 | C:\Windows\system32\DrvInst.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom | C:\Windows\System32\MsiExec.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001 | C:\Windows\system32\DrvInst.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A | C:\Windows\System32\MsiExec.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000 | C:\Windows\system32\DrvInst.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Phantom | C:\Windows\system32\DrvInst.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID | C:\Windows\system32\DrvInst.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags | C:\Windows\System32\MsiExec.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\CompatibleIDs | C:\Windows\system32\DrvInst.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009 | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002 | C:\Windows\system32\DrvInst.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\LowerFilters | C:\Windows\System32\MsiExec.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | C:\Windows\system32\vssvc.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID | C:\Windows\System32\MsiExec.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID | C:\Windows\system32\DrvInst.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID | C:\Windows\system32\DrvInst.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\CompatibleIDs | C:\Windows\system32\DrvInst.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001 | C:\Windows\system32\DrvInst.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009 | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000 | C:\Windows\system32\svchost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Phantom | C:\Windows\system32\DrvInst.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A\ | C:\Windows\System32\MsiExec.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A\ | C:\Windows\System32\MsiExec.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom | C:\Windows\System32\MsiExec.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A\ | C:\Windows\System32\MsiExec.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom | C:\Windows\system32\DrvInst.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags | C:\Windows\System32\MsiExec.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Phantom | C:\Windows\system32\DrvInst.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A | C:\Windows\System32\MsiExec.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Filters | C:\Windows\System32\MsiExec.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001 | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009 | C:\Windows\system32\svchost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\CompatibleIDs | C:\Windows\system32\DrvInst.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Phantom | C:\Windows\system32\DrvInst.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\CompatibleIDs | C:\Windows\system32\DrvInst.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000 | C:\Windows\system32\DrvInst.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001 | C:\Windows\System32\MsiExec.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID | C:\Windows\System32\MsiExec.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\CompatibleIDs | C:\Windows\system32\DrvInst.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 | C:\Windows\system32\DrvInst.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\LowerFilters | C:\Windows\System32\MsiExec.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags | C:\Windows\system32\svchost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID | C:\Windows\system32\DrvInst.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\System32\MsiExec.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\System32\MsiExec.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\System32\MsiExec.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\System32\MsiExec.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | C:\Windows\System32\MsiExec.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10" | C:\Windows\system32\LogonUI.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM | C:\Windows\system32\LogonUI.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | C:\Windows\system32\DrvInst.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365268" | C:\Windows\system32\LogonUI.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\System32\MsiExec.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\System32\MsiExec.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4290799360" | C:\Windows\system32\LogonUI.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | C:\Windows\System32\MsiExec.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\System32\MsiExec.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | C:\Windows\System32\MsiExec.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\System32\MsiExec.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27 | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | C:\Windows\System32\MsiExec.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent | C:\Windows\system32\LogonUI.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | C:\Windows\System32\MsiExec.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\System32\MsiExec.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | C:\Windows\system32\DrvInst.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1" | C:\Windows\system32\LogonUI.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\System32\MsiExec.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | C:\Windows\System32\MsiExec.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\System32\MsiExec.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D5ABC823-04D0-4DB6-8D66-DC2F033120E1}\NumMethods\ = "13" | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\Interface\{00727A73-000A-4C4A-006D-E7D300351186}\ProxyStubClsid32 | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\Interface\{21637B0E-34B8-42D3-ACFB-7E96DAF77C22}\ProxyStubClsid32 | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\Interface\{726EACA9-091E-41B4-BCA6-355EFE864107}\NumMethods | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\Interface\{F9B9E1CF-CB63-47A1-84FB-02C4894B89A9}\NumMethods | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0B3CDEB2-808E-11E9-B773-133D9330F849}\ = "IGuestMonitorInfoChangedEvent" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6AC83D89-6EE7-4E33-8AE6-B257B2E81BE8}\ = "IConsole" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4A773393-7A8C-4D57-B228-9ADE4049A81F}\ = "IMouseCapabilityChangedEvent" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5BFD8965-B81B-469F-8649-F717CE97A5D5}\ProxyStubClsid32\ = "{0BB3B78C-1807-4249-5BA5-EA42D66AF0BF}" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BEA3EF5C-DE2F-4B74-AA3A-15D6249371A0}\ProxyStubClsid32\ = "{0BB3B78C-1807-4249-5BA5-EA42D66AF0BF}" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FA43579A-2272-47C4-A443-9713F19A902F}\TypeLib\Version = "1.3" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{01ADB2D6-AEDF-461C-BE2C-99E91BDAD8A1}\NumMethods\ = "47" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{392F1DE4-80E1-4A8A-93A1-67C5F92A838A}\TypeLib\ = "{D7569351-1750-46F0-936E-BD127D5BC264}" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9709DB9B-3346-49D6-8F1C-41B0C4784FF2}\TypeLib\ = "{D7569351-1750-46F0-936E-BD127D5BC264}" | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\Interface\{F9B9E1CF-CB63-47A1-84FB-02C4894B89A9} | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0DE887F2-B7DB-4616-AAC6-CFB94D89BA78}\NumMethods | C:\Program Files\Oracle\VirtualBox\VirtualBox.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E7932CB8-F6D4-4AB6-9CBF-558EB8959A6A}\ProxyStubClsid32 | C:\Program Files\Oracle\VirtualBox\VirtualBox.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{ADF292B0-92C9-4A77-9D35-E058B39FE0B9} | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\Interface\{788B87DF-7708-444B-9EEF-C116CE423D39}\TypeLib | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D70F7915-DA7C-44C8-A7AC-9F173490446A}\NumMethods\ = "13" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{DD3FC71D-26C0-4FE1-BF6F-67F633265BBA}\ = "VirtualBoxClient Class" | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\Interface\{01ADB2D6-AEDF-461C-BE2C-99E91BDAD8A1}\TypeLib | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{101AE042-1A29-4A19-92CF-02285773F3B5}\ = "INATNetworkChangedEvent" | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\Interface\{C40C2B86-73A5-46CC-8227-93FE57D006A6}\TypeLib | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D5DCECE0-B202-4416-A138-03502784CC07}\TypeLib\ = "{D7569351-1750-46F0-936E-BD127D5BC264}" | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8D984A7E-B855-40B8-AB0C-44D3515B4528}\ProxyStubClsid32 | C:\Program Files\Oracle\VirtualBox\VirtualBox.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{50CE4B51-0FF7-46B7-A138-3C6E5AC946B4}\ProxyStubClsid32 | C:\Program Files\Oracle\VirtualBox\VirtualBox.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{86A98347-7619-41AA-AECE-B21AC5C1A7E6} | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{B14290AD-CD54-400C-B858-797BCB82570E}\ProxyStubClsid32\ = "{0BB3B78C-1807-4249-5BA5-EA42D66AF0BF}" | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{92ED7B1A-0D96-40ED-AE46-A564D484325E}\TypeLib | C:\Program Files\Oracle\VirtualBox\VirtualBox.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{41304F1B-7E72-4F34-B8F6-682785620C57}\ProxyStubClsid32 | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{5748F794-48DF-438D-85EB-98FFD70D18C9}\TypeLib\Version = "1.3" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{00727A73-000A-4C4A-006D-E7D300351186}\NumMethods\ = "14" | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{0F7B8A22-C71F-4A36-8E5F-A77D01D76090} | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{755E6BDF-1640-41F9-BD74-3EF5FD653250} | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A338ED20-58D9-43AE-8B03-C1FD7088EF15}\ = "IDataStream" | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{C354A762-3FF2-4F2E-8F09-07382EE25088} | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{DDCA7247-BF98-47FB-AB2F-B5177533F493}\ProxyStubClsid32\ = "{0BB3B78C-1807-4249-5BA5-EA42D66AF0BF}" | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\Interface\{78861431-D545-44AA-8013-181B8C288554}\ProxyStubClsid32 | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6620DB85-44E0-CA69-E9E0-D4907CECCBE5}\ProxyStubClsid32 | C:\Program Files\Oracle\VirtualBox\VirtualBox.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{02B69798-7CC2-4005-AC57-1AD7FF7A0997}\ = "IGuestDirectoryEvent" | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{5587D0F6-A227-4F23-8278-2F675EEA1BB2}\NumMethods | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{24eef068-c380-4510-bc7c-19314a7352f1} | C:\Program Files\Oracle\VirtualBox\VirtualBox.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D7B98D2B-30E8-447E-99CB-E31BECAE6AE4}\NumMethods | C:\Program Files\Oracle\VirtualBox\VirtualBox.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\progId_VirtualBox.Shell.vhd | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{CB6F0F2C-8384-11E9-921D-8B984E28A686}\TypeLib | C:\Program Files\Oracle\VirtualBox\VirtualBox.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\Interface\{C19073DD-CC7B-431B-98B2-951FDA8EAB89}\TypeLib | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D782DBA7-CD4F-4ACE-951A-58321C23E258}\TypeLib\ = "{D7569351-1750-46F0-936E-BD127D5BC264}" | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\Interface\{147816C8-17E0-11EB-81FA-87CEA6263E1A}\TypeLib | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D78374E9-486E-472F-481B-969746AF2480}\ProxyStubClsid32 | C:\Program Files\Oracle\VirtualBox\VirtualBox.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{101ae042-1a29-4a19-92cf-02285773f3b5} | C:\Program Files\Oracle\VirtualBox\VirtualBox.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{269D8F6B-FA1E-4CEE-91C7-6D8496BEA3C1}\ = "INATNetworkStartStopEvent" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3DB2AB1A-6CF7-42F1-8BF5-E1C0553E0B30}\TypeLib\Version = "1.3" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{890ED3DC-CC19-43FA-8EBF-BAECB6B9EC87}\TypeLib\Version = "1.3" | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\Interface\{5094F67A-8084-11E9-B185-DBE296E54799}\NumMethods | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{d5dcece0-b202-4416-a138-03502784cc07} | C:\Program Files\Oracle\VirtualBox\VirtualBox.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A670A023-E172-452C-B731-14EF855F4DA6}\TypeLib\ = "{D7569351-1750-46F0-936E-BD127D5BC264}" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{EB000A0E-2079-4F47-BBCC-C6B28A4E50DF}\NumMethods\ = "14" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{ABE94809-2E88-4436-83D7-50F3E64D0503}\ProxyStubClsid32\ = "{0BB3B78C-1807-4249-5BA5-EA42D66AF0BF}" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{B7FDA727-7A08-46EE-8DD8-F8D7308B519C}\NumMethods\ = "22" | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{D23A9CA3-42DA-C94B-8AEC-21968E08355D} | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E8F79A21-1207-4179-94CF-CA250036308F}\ProxyStubClsid32\ = "{0BB3B78C-1807-4249-5BA5-EA42D66AF0BF}" | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\Interface\{739160A6-53EA-465B-BB6B-5326C20A3C0C} | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{883dd18b-0721-4cde-867c-1a82abaf914c} | C:\Program Files\Oracle\VirtualBox\VirtualBox.exe | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Oracle\VirtualBox\VirtualBox.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Oracle\VirtualBox\VirtualBox.exe | N/A |
Suspicious behavior: LoadsDriver
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\VirtualBox-7.1.4-165100-Win.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\VirtualBox-7.1.4-165100-Win.exe | N/A |
| N/A | N/A | C:\Program Files\Oracle\VirtualBox\VirtualBox.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\LogonUI.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy service COM API
Processes
C:\Users\Admin\AppData\Local\Temp\VirtualBox-7.1.4-165100-Win.exe
"C:\Users\Admin\AppData\Local\Temp\VirtualBox-7.1.4-165100-Win.exe"
C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
C:\Windows\System32\MsiExec.exe
C:\Windows\System32\MsiExec.exe -Embedding 681D4CDDC02BF24C3B201F02262B994F C
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
C:\Windows\system32\srtasks.exe
C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
C:\Windows\System32\MsiExec.exe
C:\Windows\System32\MsiExec.exe -Embedding EA17B10AD8B5C54D3F1D95EAAF5761BA
C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding E2C3F61558E84C01457E79B2B2FBF7D4
C:\Windows\System32\MsiExec.exe
C:\Windows\System32\MsiExec.exe -Embedding 16327EE46E5A20ACB5DC184CB2232656 E Global\MSI0000
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s DeviceInstall
C:\Windows\system32\DrvInst.exe
DrvInst.exe "4" "1" "C:\Program Files\Oracle\VirtualBox\drivers\USB\device\VBoxUSB.inf" "9" "48f6bcb47" "0000000000000150" "WinSta0\Default" "0000000000000160" "208" "C:\Program Files\Oracle\VirtualBox\drivers\USB\device"
C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 7E58CF94CFD58FBB2416682ACEE6B8BF M Global\MSI0000
C:\Windows\system32\DrvInst.exe
DrvInst.exe "4" "1" "C:\Program Files\Oracle\VirtualBox\drivers\network\netlwf\VBoxNetLwf.inf" "9" "431e52bcb" "0000000000000184" "WinSta0\Default" "0000000000000160" "208" "C:\Program Files\Oracle\VirtualBox\drivers\network\netlwf"
C:\Windows\system32\DrvInst.exe
DrvInst.exe "4" "1" "C:\Program Files\Oracle\VirtualBox\drivers\network\netadp6\VBoxNetAdp6.inf" "9" "473b17b7b" "0000000000000164" "WinSta0\Default" "000000000000015C" "208" "C:\Program Files\Oracle\VirtualBox\drivers\network\netadp6"
C:\Program Files\Oracle\VirtualBox\VirtualBox.exe
"C:\Program Files\Oracle\VirtualBox\VirtualBox.exe"
C:\Program Files\Oracle\VirtualBox\VBoxSVC.exe
"C:\Program Files\Oracle\VirtualBox\VBoxSVC.exe" -Embedding
C:\Program Files\Oracle\VirtualBox\VBoxSDS.exe
"C:\Program Files\Oracle\VirtualBox\VBoxSDS.exe"
C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa39e0055 /state1:0x41c64e6d
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| N/A | 224.0.0.251:5353 | N/A | udp |
| US | 8.8.8.8:53 | 9.8.6.6.d.c.a.c.b.8.6.3.1.5.c.5.0.0.0.0.0.0.0.0.0.0.0.0.0.8.e.f.ip6.arpa | udp |
| N/A | 255.255.255.255:67 | N/A | udp |
| US | 8.8.8.8:53 | 1.56.168.192.in-addr.arpa | udp |
| N/A | 224.0.0.251:5353 | N/A | udp |
Files
C:\Users\Admin\AppData\Local\Temp\MSIA6FE.tmp
| MD5 | 170b0049505e4312e410dcf1e683f0a7 |
| SHA1 | be2c41ff3c49a2ad7027df74d1107327b145e8d4 |
| SHA256 | 67a1517109bbbdd924511a7896bdc1c245a939ec6fbe926e9077837b93848450 |
| SHA512 | dc5493b399e6781dd7bb28981e8835c4c004be9479b47b92cdc7300c1228bde4ee172f14be40155d5da7b71782b5f1a940a80d7aced8b610571c062873da3994 |
\??\Volume{4627e397-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{29647298-cdd3-4f3d-80fc-380652cc15b5}_OnDiskSnapshotProp
| MD5 | 47a974bc551163b6a3dc036f6f83212d |
| SHA1 | 0fc57684c9799d222b30114b8c17696efeb8ba21 |
| SHA256 | 8151ab8f03dd662c759a06a851730bd44d34988430a376327329088880f9440a |
| SHA512 | cea98a8fdb3da65ffecbc2353167abb47d043d738486f8c51991348bff60a3335ee8f4eee55985d6455a8c95f6ff1d73fff664f5ac0212459e01079cd6a9ad47 |
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2
| MD5 | 733b842913fb6b20c5b2b86c61a7d666 |
| SHA1 | a00c089e9efaf4c744e91e8aecbfb4dd277fd913 |
| SHA256 | dd4db30762240a01ddccf7c8777afabef5f61fa564fca48b2742686285fd2da7 |
| SHA512 | 55c091d79f8751fdbeb75dee592f620abe6f0c5b5719b318946ccdda89b79bf70cf23dda7057246cf751a301516d3d8e461b13bd306e6921309be7c5343555d6 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EC9B1D0ABBD7F98B401D425828828CE_D2F6556190F7B1A25A117FFB5467EEBD
| MD5 | d82d323ac43cb5f0ad3322b946d8b010 |
| SHA1 | 3c37a23d9241f1b291421adeb7e3bfecedca134e |
| SHA256 | 443ca2a35f9045f48b38fb7b1b6c088fdea068afe3f72516d2b3f180ac3e2668 |
| SHA512 | cfb237a211bd1d89d96ea8f3d71f7b01d43a8036d63506fd34f5127cffa3d5fff83b971d850eff02ea2ddb9cbb46895aaa6acb6fe702c214c95e7b7ec7136010 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8EC9B1D0ABBD7F98B401D425828828CE_D2F6556190F7B1A25A117FFB5467EEBD
| MD5 | a898ad52198fee59ed78967b3a041485 |
| SHA1 | 7b78da243b27e65b90488c6b0df05ee9e0543e75 |
| SHA256 | 35c8b319f0173d445b7b2ef57af4cf8b90e778f14787233a98dfeac9dbb372e5 |
| SHA512 | 63530213637518236941183f68895e1f428d76bd8330ca729e4f8ab6f6f1f2b457b64e3118c3a2e86720e7870cd57eedf2117c3d058a1c61f47c142cf6bdb0a0 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141
| MD5 | 1425aae2b6e15ba77c0c4a8304422e63 |
| SHA1 | 3c301b32c8d4193684f452a9c921d9135d085b6b |
| SHA256 | 4e948a3e1b38aa343e468510884a96f9def3270519b53f2e8734f1698fd954a9 |
| SHA512 | a9ecd4864f1139c8aa5aa5534a3cfb136b5e91121eb9d654a4b1dbb6149e5732d10bd5cbaf95b574848d06403c9cf1e096c5c7cb06bb6f41c3d116af69fe2262 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141
| MD5 | 93e288e54b96ac7856737a99440638d1 |
| SHA1 | 392376d98057e0203356f894dff500e9fb78fd70 |
| SHA256 | a84a10a712123ea6e021a8a6fcb02db610c62bc36df189e3b00c14fe7ec8fb10 |
| SHA512 | 5b56c96d19b9bbe90059eb4d15324e6f6aa2b01b3c6092287e709275befcf9784dc22f76231ba9f1b9210b5bdf37c48df98fcb59825595c5f55b868b31207ae4 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB
| MD5 | 766cf5cd1ccee5f31bf4332b8c8629be |
| SHA1 | b2937666b4f615601081a7e1bdaee0326b820e38 |
| SHA256 | 1e929742ccc963109fe468e0efed37be626873b4d70006928d1ce413c4019c69 |
| SHA512 | 242343410a5d8ebe6e9d8d0b2fe833e9320068ae163ef02eab7cbb784afd66eb5a9e210cbc12ca419f559e3366d790ccd541e9027efc244ead30035abef6c538 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB
| MD5 | a2bfa80e4367f432bc4c783432732b8c |
| SHA1 | d3666ac976bc6462e2566059f269d58270ecb7b1 |
| SHA256 | 3e8f45e6a6a93fd03c91d103a7be7b02a25fc70ba9598191c9fe01237b2f6eb0 |
| SHA512 | 488da70f39ed2ea9e53504665b715b9d424771b865afedbbd01acbcbb0acb5802ba57adc1150eebb26e8e1a25b2952a6c867ccbfc40555dce85b615282db0708 |
C:\Windows\Installer\MSI3E7.tmp
| MD5 | ac831c25bc16a05ee60aea5d79517434 |
| SHA1 | 4946133e7fac34315a0ccaa30ca8ad383d5f0140 |
| SHA256 | 947f8fd98efb1986df32a9c179eccf720376721798cc15d4cf9e31cdb8324869 |
| SHA512 | 72f625386a7af35b58bdb70f35b8a29cd06c091f04e4cc2f9c7ec1c1ec194e4fb120b5528b55ed589c9daa890c1bdf8762dce1e17dd69a77ec7a002d2685ba5b |
C:\Windows\Installer\MSI66B.tmp
| MD5 | 418322f7be2b68e88a93a048ac75a757 |
| SHA1 | 09739792ff1c30f73dacafbe503630615922b561 |
| SHA256 | ea5d4b4c7e7be1ce24a614ae1e31a58bcae6f1694dd8bfb735cf47d35a08d59b |
| SHA512 | 253f62f5ce75df3e9ac3c62e2f06f30c7c6de6280fbfc830cdd15bf29cb8ee9ed878212f6df5d0ac6a5c9be0e6259f900eccee472a890f15dd3ff1f84958aeef |
C:\Windows\Installer\MSI111C.tmp
| MD5 | 8deb7d2f91c7392925718b3ba0aade22 |
| SHA1 | fc8e9b10c83e16eb0af1b6f10128f5c37b389682 |
| SHA256 | cb42fac1aebb6e1ac4907a38035b218b5f992d1bcd4dece11b1664a588e876e4 |
| SHA512 | 37f2c132b632c8e5a336bdc773d953c7f39872b1bae2ba34fbaf7794a477fd0dcb9ff60a3ddb447fe76abd98e557bd5ee544876584adea152b0841b3e313054c |
C:\Program Files\Oracle\VirtualBox\drivers\vboxsup\VBoxSup.inf
| MD5 | d76b6215058c8d581bc7ed476794ea05 |
| SHA1 | e9aac803d1ea08560064ea01d63214ef42e39931 |
| SHA256 | f657dd259d84dd60da119e8ffc0d0b70aae6655875af4d72674d072543ca259e |
| SHA512 | eb25843f06078c1fc8a84a3312d22e2bea544f521a501b92f55df234068bcf309266b0ee18ad8c0858602de721d56073ad13a074d7343dd706dffb9e5a85c6d2 |
C:\Program Files\Oracle\VirtualBox\drivers\vboxsup\VBoxSup.cat
| MD5 | 4a9b8ed2a7923c2f51b816bdabf265f2 |
| SHA1 | d519a98e5bce10a4dec8f29865e90007390d666e |
| SHA256 | 14bf761cf13d3caf19810350024747687f64fc2d05cb6b78393f42df93024bcc |
| SHA512 | 8491bf1d71aa90f114166088cc94046564ba0386175f382ba737320443baff654ea8584c0d314539df0da2b4ad9d4cc02ad3abee0d102b0ac1d56c02cd83f9c9 |
C:\Program Files\Oracle\VirtualBox\drivers\vboxsup\VBoxSup.sys
| MD5 | 0809df0b4b50b73e67b73ce9754fb482 |
| SHA1 | 5bbf156438c6f53b426d451800ad31c18113d30e |
| SHA256 | 70c9a26893e09801ef872a8d93555454b520f60867a99df501607346a60f1352 |
| SHA512 | da9dec78d03ba2db5db957dd45e926e17fd4656c3e9823f1e0582968a2f9f4d97d4cc9d9e3587056c74e6384260476617310ce13259b72b1cc5c0a6c175501c1 |
C:\Program Files\Oracle\VirtualBox\drivers\USB\filter\VBoxUSBMon.sys
| MD5 | bd852ea819ac44f17b4beebbd568f212 |
| SHA1 | e2f549d235e5d2c6824c7dc50bb09c6c083dd304 |
| SHA256 | 1c317b5c535efe02446d8793c6a473e3ed51f06881b310906344e9e3bc5792b9 |
| SHA512 | e162dacdba163feebf91acd43792aa2669cd4e7f13f0fdaedc1554492e8135ae104aad06c651959f20581d9bb2b49f3d6a559bbabc43ea8ab6ed06d850931f01 |
C:\Program Files\Oracle\VirtualBox\drivers\USB\filter\VBoxUSBMon.cat
| MD5 | d9d4bb36efe7f7d20cbdf7475810dafc |
| SHA1 | fdfedcba20da40d999dc2639739fef88b396ca38 |
| SHA256 | cfa38c85e7414dd6b4f13558c2ddde8e5ff1f5c4cfab2bc7b7827e0ab92a4d1e |
| SHA512 | d73308307a723a401e5b2a89466314c9fe9955f47510a38e326dabdae85423756fc992fd1f8536200a72f1962f1d3091324f1040cbbd7e17f81d93bcf0fe29a7 |
C:\Program Files\Oracle\VirtualBox\drivers\USB\filter\VBoxUSBMon.inf
| MD5 | f07b83bffa21b5820da5f2b1b3878c6e |
| SHA1 | b182ec163b2a13692c5d496ee0a442d3e23e4f00 |
| SHA256 | 898e05b1935264736eb69f9b0be36f2815ee7ec7135cfc8db38c6490ec10b944 |
| SHA512 | d9477953f8a2c53a213a4b9b8d8c09b030c3a265869d676d06566dfe95072c51f77f8eb6aa01f86f88485d7e856ef1581c33930d7469095d29bb1a295855fdf6 |
C:\Program Files\Oracle\VirtualBox\drivers\USB\device\VBoxUSB.inf
| MD5 | 81785d890d8115416554e545e3963651 |
| SHA1 | 470cea23f5c8a0c64c84aceb35a0b8288d70400c |
| SHA256 | c88c2da48932b247196ec915eb7e72403063376b4d8d35b582c236fdfd912bcb |
| SHA512 | 3a39f0d368eb15e73c69008b19f0b9561a56cc4ebdebe7d8cd2a57fa975d954a7660d2de2b74fe769dd0d78dd836d3033624109483f2e7784dbb470d38418ee1 |
C:\PROGRA~1\Oracle\VIRTUA~1\drivers\USB\device\VBoxUSB.cat
| MD5 | ef3a8a5be39b7310aa1cae4f4e589208 |
| SHA1 | bce823d3ff3b7a4a5a7cc8efd693d3b36ace3e78 |
| SHA256 | b7a5d4285826327851a864698a938478bfc3a983a4386f7f70cabad9f7e7c6c9 |
| SHA512 | 751c7cb03bcd6ce52d6171552ae3678a99076f0d5d216d3a95374b97b4cabcc338d155be9b8f84459ad755de875cfa0badd5018a85837e73e9a6815ac031f944 |
C:\PROGRA~1\Oracle\VIRTUA~1\drivers\USB\device\VBoxUSB.sys
| MD5 | 696b58e28b09b0ebaf4f27901a52e0e1 |
| SHA1 | eb1b5166c42bb96983889c873f45a1ef7ee62295 |
| SHA256 | 1ff96c3462cf14e27da3c82b3c890972d48b2b9ecc168608ef631b2ade2bb95d |
| SHA512 | f57171a2b8236daca57d152d8c6b5cfd3e45f2037465c14410c44b510f07ae18bf777b7599c9f63293f9ac1e7322fd473db0f2a69172860d44046d43fb5bc39c |
C:\Windows\System32\CatRoot2\dberr.txt
| MD5 | 3eff05398c8ce17428812667f97ba2c9 |
| SHA1 | ffc5e4ead3dd13c9230183cf702666e9c7cacbc8 |
| SHA256 | 5b028183644b3b44fa860a4378521e012ef976f8bbae96c2d43aeda01b9e57f8 |
| SHA512 | 8899e16aa3f5c06db070cbc40511afcd6862ebc15cc74f73e4a2083452fe38bc5b36742f8d6a8d6471211769af6ce3c42ea00ea3bd9d56427b178092ac5770dc |
C:\Windows\System32\CatRoot2\dberr.txt
| MD5 | 94337eb634b6569ccc3aa521c9e4708f |
| SHA1 | 7bae5e098f7a5ff82370bf5be0291a7bdf7aac23 |
| SHA256 | 3ca9645459356cc4d58c50589df454d5998630116cf3a144036bbb04009b00fe |
| SHA512 | b6c5b0764cbbbb2ea2b6de0034e0daa422da5a45bc705c033792f2ed896f381e7aa47b072d1d85e08704e5565a9b54e2112c0f55991dbe7a175814e855e26620 |
C:\Program Files\Oracle\VirtualBox\VirtualBox.exe
| MD5 | 8c2f0cb4fe0669d72b6fbeace9e375a6 |
| SHA1 | 3ed426c730b7eab2068ced89f6aa1d8bdc4ac75c |
| SHA256 | 8672723927495625c1dd5fe5eefefc00cdeb2905db982522758ae2c5734137bf |
| SHA512 | ceed87c3c8d418b8db827a52f995449ed114396a2b445528ee7e25343c01085d17308aab46a29d45d254b38c6ff0cf85e6ab31db34eb9ce20be60a0f2bd52873 |
C:\Program Files\Oracle\VirtualBox\VBoxProxyStub.dll
| MD5 | 10f9b5bef3ae0d638915fbdc37e2c61e |
| SHA1 | 4b59849453ea99f415072c754d2073d863c8062f |
| SHA256 | c1c89578869eba00f8e2dbdbc1f2683d8f1daced92b0ab23430ac0a982c24648 |
| SHA512 | e010231ce513438a449f2977c90ac91b56804940cc0e35f702b6d6a8aa78c8d9636cade7b5bfd2a7f2a0bbf2fa686738ebf168d40f3b54c98e2cd34853210fe7 |
C:\Program Files\Oracle\VirtualBox\x86\VBoxProxyStub-x86.dll
| MD5 | 3612c59246d7a36c607f6904dc3ac1b7 |
| SHA1 | 0d2a4d6c9acf84b7aa168a2e62f55f58166f568c |
| SHA256 | dc4f8bf8ab2d4a593c398c8f4747c3b67aeda838aa4f28c4e4d6217d91aafab9 |
| SHA512 | 143ca0192bec78796c6e9220d3d77854f67187a914f18acaa6cce9a5e879e619dee3601aae3cbdd563400e526bddfd3e8edecd0336922aaa8c71cfb65d0b0159 |
C:\Windows\System32\DriverStore\Temp\{6dbcbf9e-a2cb-e449-bcf8-fa044ff177b1}\VBoxNetLwf.inf
| MD5 | 351856254220eb250d62f4547e9aeb96 |
| SHA1 | c7a72d9f7b783ba54b5d8839279dfcba689a7c11 |
| SHA256 | c62c8264b3add792c706a4e76b643fe969b69ec902651b5d31974c42a026e619 |
| SHA512 | 4e6bc35063cb16c602dc4c6080c8ca8b48dedce63d01db7efe7576e24a82127ddfd4ae00f052a81e4779d517045e8477ec61a7cf71c378fbe491aec54504c2e6 |
C:\Windows\System32\DriverStore\Temp\{6dbcbf9e-a2cb-e449-bcf8-fa044ff177b1}\VBoxNetLwf.cat
| MD5 | c0261377e9c8115d9e67db2dcfe1143c |
| SHA1 | 115916d3fd1ca02bd1fbb5db9c846f0a9ac9f3d5 |
| SHA256 | c47acf6981dfc65fb25166e3df07fdcfc55c4eeddb79e3b8d1a066ed2596334a |
| SHA512 | 348d638710b14fdf509009d6e8bd7e0576bf3ce9144dbfd07b95c773653860284a0c2e1b8d5ffdacf097bf4328082a79fa457e1eeb65c4752b840ab17346236f |
C:\Windows\System32\DriverStore\Temp\{6dbcbf9e-a2cb-e449-bcf8-fa044ff177b1}\VBoxNetLwf.sys
| MD5 | 68c5f8884313e9c5ad1d54fd7181f140 |
| SHA1 | 40e747ce98f899fb8beb31dacc2cb261092ad6cc |
| SHA256 | de4a67670417fe97e0207d40f38317104548d4ee77bbbf50f269dfc8ef655a9c |
| SHA512 | 6433586185dd5d07ab9cf7141d64a55a33fea3872e6b2616ae0dd8e75820fd0eac7593cff39fd6262dc0b1c779c8c3a8a7bdbdde2b95e9e1aa74d3613419ee7b |
C:\Windows\System32\catroot2\dberr.txt
| MD5 | 318b7c48d02a11054264f9d017c22ca3 |
| SHA1 | 369495c45bffbc205a795cf6c7e86bf42c604524 |
| SHA256 | 8e26a598819568c146546a15d463cbfe3e78afaccb1cc1f66610ea9335143199 |
| SHA512 | 8a92c992f5bf2c2c402002306386c86a4411d4e3c32a04e6b6bcedc14026e9f4ace18aef7183df758f70f0a1ebe425869d0e52698b415cf582c7b282677ab733 |
C:\Windows\System32\DriverStore\Temp\{432df94d-5e32-4740-b8e0-0c66a306f9c8}\VBoxNetAdp6.sys
| MD5 | 83e6380b648c6fa9659094bce716d9ba |
| SHA1 | a8a97d3dcba0792644c29f04b832ddd4ffb0e35a |
| SHA256 | 7786fa5fde0234b77fd4fbc131857fac471b1dafd42ccf6f38b3012da3b8098d |
| SHA512 | 251613f93fb624da3c6daa30ca3b1ff80351c421639b3ee034898bcfa8dfc32c04af1370d0e470aa11c20dc64eaa8ea142bc31e544fbb358272efd2316ff73f6 |
C:\Windows\System32\DriverStore\Temp\{432df94d-5e32-4740-b8e0-0c66a306f9c8}\VBoxNetAdp6.cat
| MD5 | 5d3b6f1bf4205e0f41aa7ab4f0d1e954 |
| SHA1 | c5343a49ba2c8496de6a10c1ef13c4f45bc5aa7f |
| SHA256 | 6573b7f11080594cee694c545edbecaf2f577ddd996c3d1d6f5304847bd45a6d |
| SHA512 | 47190629218759c840e37f6b283bba8154c8fab6e8bee16b1f088848038cbe42dcb23fde6615d5e2d8b5e27a0c1f75377e76fd1b8147624f6293c8cb7a5f9acf |
C:\Windows\System32\DriverStore\Temp\{432df94d-5e32-4740-b8e0-0c66a306f9c8}\VBoxNetAdp6.inf
| MD5 | 39d54baf75931606454607628b8cfd56 |
| SHA1 | 0c0af5bcb13fa4f9303adcaa5e1bd863850d696b |
| SHA256 | c96d4504e9fa5a7cbafbe01b3a436848b7ea8c95690a533ac7d4453b5ebd17db |
| SHA512 | 3dac9f6f911e2a1daf1b04ff6ea2f1e23cc78fa53e67d4fdd26e641e290921f5da9bf9c4f6442eaf418bdcd4d3a9f1dc5fe558c4b3d34db7773ae451ece3b66b |
C:\Config.Msi\e5800e6.rbs
| MD5 | 1469e0ca56a45c4b2c6feacaa2a0cd56 |
| SHA1 | 622789397dda43f1d8b7e0372f27859556a4186e |
| SHA256 | 8928dd187efc067744f869ea9a2f9695ece4f1d2cd3fd9afd05fd0a90c7175ef |
| SHA512 | 70721836cecd668e1068fe402e0b989bfda7f392c1bd5daac1017d25f7ac2201895838147bd676f270be75ba164757acb6c0b5bfbb1e14ce24960f095824f507 |
memory/3748-562-0x00007FFE99180000-0x00007FFE99741000-memory.dmp
memory/3748-560-0x00007FF7FCD70000-0x00007FF7FD029000-memory.dmp
memory/3748-561-0x00007FFE9AB60000-0x00007FFE9C6A0000-memory.dmp
C:\Users\Admin\.VirtualBox\VirtualBox.xml
| MD5 | d9d28bd2ef7192fb0efb99607d7a0807 |
| SHA1 | 7fb6f32f1c0f227118613dd7779e1bf0a6e2ce4a |
| SHA256 | dad710b076d96b3de34a58363a3241935bfe205b7240ce57f9d85bf2058e6dd5 |
| SHA512 | e058987d5fd8ea6cd3c3081c7ac45ce1e3719c4a38b46390133b19539fad35a0d8ad699023a3d934d18e3356cb6def62bd197b5a32ad496b620469c55d9efb13 |