Malware Analysis Report

2024-12-07 11:34

Sample ID 241114-qgz3aatkfk
Target VirtualBox-7.0.14-161095-Win.exe
SHA256 4719b38e7a276b43099ce4d6349e6bfc80edf644ee59d9dafd264bc7ed7691f4
Tags
discovery persistence privilege_escalation
score
8/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
8/10

SHA256

4719b38e7a276b43099ce4d6349e6bfc80edf644ee59d9dafd264bc7ed7691f4

Threat Level: Likely malicious

The file VirtualBox-7.0.14-161095-Win.exe was found to be: Likely malicious.

Malicious Activity Summary

discovery persistence privilege_escalation

Drops file in Drivers directory

Enumerates connected drives

Drops file in System32 directory

Event Triggered Execution: Component Object Model Hijacking

Drops file in Program Files directory

Loads dropped DLL

Drops file in Windows directory

System Location Discovery: System Language Discovery

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Uses Volume Shadow Copy service COM API

Suspicious behavior: EnumeratesProcesses

Modifies registry class

Suspicious use of FindShellTrayWindow

Suspicious use of SetWindowsHookEx

Suspicious behavior: LoadsDriver

Checks SCSI registry key(s)

Modifies data under HKEY_USERS

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-14 13:14

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-14 13:14

Reported

2024-11-14 13:32

Platform

win11-20241007-en

Max time kernel

76s

Max time network

81s

Command Line

"C:\Users\Admin\AppData\Local\Temp\VirtualBox-7.0.14-161095-Win.exe"

Signatures

Drops file in Drivers directory

Description Indicator Process Target
File created C:\Windows\system32\DRIVERS\SET8847.tmp C:\Windows\System32\MsiExec.exe N/A
File opened for modification C:\Windows\system32\DRIVERS\VBoxUSBMon.sys C:\Windows\System32\MsiExec.exe N/A
File created C:\Windows\system32\DRIVERS\SET97A9.tmp C:\Windows\System32\MsiExec.exe N/A
File created C:\Windows\system32\DRIVERS\SET9F1C.tmp C:\Windows\System32\MsiExec.exe N/A
File opened for modification C:\Windows\system32\DRIVERS\VBoxNetLwf.sys C:\Windows\System32\MsiExec.exe N/A
File opened for modification C:\Windows\system32\DRIVERS\SET871D.tmp C:\Windows\System32\MsiExec.exe N/A
File created C:\Windows\system32\DRIVERS\SET871D.tmp C:\Windows\System32\MsiExec.exe N/A
File opened for modification C:\Windows\system32\DRIVERS\SET8847.tmp C:\Windows\System32\MsiExec.exe N/A
File opened for modification C:\Windows\system32\DRIVERS\SET9F1C.tmp C:\Windows\System32\MsiExec.exe N/A
File opened for modification C:\Windows\system32\DRIVERS\VBoxSup.sys C:\Windows\System32\MsiExec.exe N/A
File opened for modification C:\Windows\system32\DRIVERS\SET97A9.tmp C:\Windows\System32\MsiExec.exe N/A
File opened for modification C:\Windows\system32\DRIVERS\VBoxNetAdp6.sys C:\Windows\System32\MsiExec.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\VirtualBox-7.0.14-161095-Win.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\VirtualBox-7.0.14-161095-Win.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\VirtualBox-7.0.14-161095-Win.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\VirtualBox-7.0.14-161095-Win.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\VirtualBox-7.0.14-161095-Win.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\VirtualBox-7.0.14-161095-Win.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\VirtualBox-7.0.14-161095-Win.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\VirtualBox-7.0.14-161095-Win.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\VirtualBox-7.0.14-161095-Win.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\VirtualBox-7.0.14-161095-Win.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\VirtualBox-7.0.14-161095-Win.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\VirtualBox-7.0.14-161095-Win.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\VirtualBox-7.0.14-161095-Win.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\VirtualBox-7.0.14-161095-Win.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\VirtualBox-7.0.14-161095-Win.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\VirtualBox-7.0.14-161095-Win.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\VirtualBox-7.0.14-161095-Win.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\VirtualBox-7.0.14-161095-Win.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\VirtualBox-7.0.14-161095-Win.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\VirtualBox-7.0.14-161095-Win.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\VirtualBox-7.0.14-161095-Win.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\VirtualBox-7.0.14-161095-Win.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\VirtualBox-7.0.14-161095-Win.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\System32\DriverStore\Temp\{15e6ab1f-08ba-a343-8d6a-99a439e0041c}\SET96BE.tmp C:\Windows\system32\DrvInst.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\netrass.inf_amd64_72f156a5ee3f59e8\netrass.PNF C:\Windows\System32\MsiExec.exe N/A
File opened for modification C:\Windows\System32\DriverStore\Temp\{c520c231-88a5-724c-a548-77456a68a272}\VBoxUSB.sys C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\DriverStore\Temp\{c520c231-88a5-724c-a548-77456a68a272}\SET897F.tmp C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\DriverStore\Temp\{c520c231-88a5-724c-a548-77456a68a272}\VBoxUSB.inf C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\vboxnetadp6.inf_amd64_ee187df79249cd72\VBoxNetAdp6.inf C:\Windows\system32\DrvInst.exe N/A
File created C:\Windows\System32\DriverStore\Temp\{0e10fb9e-bda2-594e-bae9-2015d41967f8}\SET9D74.tmp C:\Windows\system32\DrvInst.exe N/A
File created C:\Windows\System32\DriverStore\Temp\{0e10fb9e-bda2-594e-bae9-2015d41967f8}\SET9D84.tmp C:\Windows\system32\DrvInst.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\vboxnetlwf.inf_amd64_c5e1a8904c87a072\vboxnetlwf.PNF C:\Windows\System32\MsiExec.exe N/A
File created C:\Windows\system32\DRVSTORE\VBoxUSBMon_4DC22822E5ED15CFAF42864CC0F1E63EBC74D076\VBoxUSBMon.cat C:\Windows\System32\MsiExec.exe N/A
File created C:\Windows\System32\DriverStore\Temp\{15e6ab1f-08ba-a343-8d6a-99a439e0041c}\SET96BF.tmp C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\DriverStore\Temp\{15e6ab1f-08ba-a343-8d6a-99a439e0041c}\VBoxNetAdp6.inf C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\DriverStore\Temp\{0e10fb9e-bda2-594e-bae9-2015d41967f8}\VBoxNetLwf.cat C:\Windows\system32\DrvInst.exe N/A
File created C:\Windows\System32\DriverStore\Temp\{c520c231-88a5-724c-a548-77456a68a272}\SET897E.tmp C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\DriverStore\Temp\{c520c231-88a5-724c-a548-77456a68a272}\SET897E.tmp C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\DriverStore\Temp\{c520c231-88a5-724c-a548-77456a68a272}\SET8980.tmp C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\DriverStore\Temp\{15e6ab1f-08ba-a343-8d6a-99a439e0041c}\VBoxNetAdp6.sys C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\DriverStore\Temp\{15e6ab1f-08ba-a343-8d6a-99a439e0041c}\VBoxNetAdp6.cat C:\Windows\system32\DrvInst.exe N/A
File created C:\Windows\System32\DriverStore\drvstore.tmp C:\Windows\system32\DrvInst.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\wfpcapture.inf_amd64_54cf91ab0e4c9ac2\wfpcapture.PNF C:\Windows\System32\MsiExec.exe N/A
File created C:\Windows\system32\DRVSTORE\VBoxSup_5018924056E84EABA285BB0DE5B18677DC64C518\VBoxSup.inf C:\Windows\System32\MsiExec.exe N/A
File created C:\Windows\System32\DriverStore\Temp\{15e6ab1f-08ba-a343-8d6a-99a439e0041c}\SET96AD.tmp C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\CatRoot2\dberr.txt C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\vboxusb.inf_amd64_6389ef9a2a816fc1\VBoxUSB.sys C:\Windows\system32\DrvInst.exe N/A
File created C:\Windows\system32\DRVSTORE\VBoxSup_5018924056E84EABA285BB0DE5B18677DC64C518\VBoxSup.sys C:\Windows\System32\MsiExec.exe N/A
File opened for modification C:\Windows\System32\CatRoot2\dberr.txt C:\Windows\System32\MsiExec.exe N/A
File created C:\Windows\system32\DRVSTORE\VBoxUSBMon_4DC22822E5ED15CFAF42864CC0F1E63EBC74D076\VBoxUSBMon.sys C:\Windows\System32\MsiExec.exe N/A
File opened for modification C:\Windows\System32\CatRoot2\dberr.txt C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\DriverStore\Temp\{15e6ab1f-08ba-a343-8d6a-99a439e0041c} C:\Windows\system32\DrvInst.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\netvwififlt.inf_amd64_882899f2b1006416\netvwififlt.PNF C:\Windows\System32\MsiExec.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\netnwifi.inf_amd64_0525128a3d54207e\netnwifi.PNF C:\Windows\System32\MsiExec.exe N/A
File opened for modification C:\Windows\system32\DRVSTORE\VBoxSup_5018924056E84EABA285BB0DE5B18677DC64C518\VBoxSup.inf C:\Windows\System32\MsiExec.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\vboxnetlwf.inf_amd64_c5e1a8904c87a072\VBoxNetLwf.inf C:\Windows\system32\DrvInst.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\netserv.inf_amd64_56c163d21e8c2b62\netserv.PNF C:\Windows\System32\MsiExec.exe N/A
File created C:\Windows\System32\DriverStore\drvstore.tmp C:\Windows\system32\DrvInst.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\vboxusb.inf_amd64_6389ef9a2a816fc1\VBoxUSB.PNF C:\Windows\System32\MsiExec.exe N/A
File created C:\Windows\System32\DriverStore\Temp\{15e6ab1f-08ba-a343-8d6a-99a439e0041c}\SET96BE.tmp C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\DriverStore\Temp\{0e10fb9e-bda2-594e-bae9-2015d41967f8} C:\Windows\system32\DrvInst.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\ndiscap.inf_amd64_d34968d7b3e6da21\ndiscap.PNF C:\Windows\System32\MsiExec.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\c_netservice.inf_amd64_bc519c177a90877a\c_netservice.PNF C:\Windows\System32\MsiExec.exe N/A
File created C:\Windows\System32\DriverStore\Temp\{c520c231-88a5-724c-a548-77456a68a272}\SET8980.tmp C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\DriverStore\Temp\{15e6ab1f-08ba-a343-8d6a-99a439e0041c}\SET96AD.tmp C:\Windows\system32\DrvInst.exe N/A
File created C:\Windows\System32\DriverStore\Temp\{0e10fb9e-bda2-594e-bae9-2015d41967f8}\SET9D95.tmp C:\Windows\system32\DrvInst.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\netpacer.inf_amd64_8074ac14f1ab2957\netpacer.PNF C:\Windows\System32\MsiExec.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\netnb.inf_amd64_10acfa4b924dd181\netnb.PNF C:\Windows\System32\MsiExec.exe N/A
File opened for modification C:\Windows\system32\DRVSTORE C:\Windows\System32\MsiExec.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\vboxnetadp6.inf_amd64_ee187df79249cd72\VBoxNetAdp6.cat C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\DriverStore\Temp\{0e10fb9e-bda2-594e-bae9-2015d41967f8}\VBoxNetLwf.sys C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\vboxnetlwf.inf_amd64_c5e1a8904c87a072\VBoxNetLwf.cat C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\DriverStore\Temp\{c520c231-88a5-724c-a548-77456a68a272}\VBoxUSB.cat C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\DriverStore\Temp\{15e6ab1f-08ba-a343-8d6a-99a439e0041c}\SET96BF.tmp C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\DriverStore\Temp\{0e10fb9e-bda2-594e-bae9-2015d41967f8}\SET9D74.tmp C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\DriverStore\Temp\{0e10fb9e-bda2-594e-bae9-2015d41967f8}\VBoxNetLwf.inf C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\DriverStore\Temp\{0e10fb9e-bda2-594e-bae9-2015d41967f8}\SET9D95.tmp C:\Windows\system32\DrvInst.exe N/A
File created C:\Windows\System32\DriverStore\drvstore.tmp C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\vboxusb.inf_amd64_6389ef9a2a816fc1\VBoxUSB.inf C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\vboxusb.inf_amd64_6389ef9a2a816fc1\VBoxUSB.cat C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\DriverStore\Temp\{c520c231-88a5-724c-a548-77456a68a272} C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\CatRoot2\dberr.txt C:\Windows\system32\DrvInst.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\netbrdg.inf_amd64_3debe5e78bab1bca\netbrdg.PNF C:\Windows\System32\MsiExec.exe N/A
File created C:\Windows\system32\DRVSTORE\VBoxUSBMon_4DC22822E5ED15CFAF42864CC0F1E63EBC74D076\VBoxUSBMon.inf C:\Windows\System32\MsiExec.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\vboxnetlwf.inf_amd64_c5e1a8904c87a072\VBoxNetLwf.sys C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\vboxnetadp6.inf_amd64_ee187df79249cd72\VBoxNetAdp6.sys C:\Windows\system32\DrvInst.exe N/A
File created C:\Windows\System32\DriverStore\Temp\{c520c231-88a5-724c-a548-77456a68a272}\SET897F.tmp C:\Windows\system32\DrvInst.exe N/A

Event Triggered Execution: Component Object Model Hijacking

persistence privilege_escalation

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Oracle\VirtualBox\Qt5PrintSupportVBox.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Oracle\VirtualBox\VBoxAuth.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Oracle\VirtualBox\drivers\USB\device\VBoxUSB.sys C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Oracle\VirtualBox\nls\VirtualBox_pl.qm C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Oracle\VirtualBox\nls\qt_sk.qm C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Oracle\VirtualBox\UnattendedTemplates\fedora_ks.cfg C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Oracle\VirtualBox\Qt5SqlVBox.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Oracle\VirtualBox\VBoxBalloonCtrl.exe C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Oracle\VirtualBox\x86\VBoxRT-x86.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Oracle\VirtualBox\VBoxVMM.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Oracle\VirtualBox\nls\VirtualBox_it.qm C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Oracle\VirtualBox\UnattendedTemplates\rhel3_ks.cfg C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Oracle\VirtualBox\Qt5OpenGLVBox.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Oracle\VirtualBox\VBoxRT.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Oracle\VirtualBox\nls\qt_lt.qm C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Oracle\VirtualBox\UnattendedTemplates\ubuntu_preseed.cfg C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Oracle\VirtualBox\styles\qwindowsvistastyle.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Oracle\VirtualBox\UserManual.qch C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Oracle\VirtualBox\VBoxDbg.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Oracle\VirtualBox\VBoxNetNAT.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Oracle\VirtualBox\VBoxNetNAT.exe C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Oracle\VirtualBox\drivers\vboxsup\VBoxSup.sys C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Oracle\VirtualBox\doc\UserManual.pdf C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Oracle\VirtualBox\sdk\install\vboxapisetup.py C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Oracle\VirtualBox\VBoxDragAndDropSvc.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Oracle\VirtualBox\VirtualBox.VisualElementsManifest.xml C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Oracle\VirtualBox\nls\VirtualBox_fa.qm C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Oracle\VirtualBox\UnattendedTemplates\rhel4_ks.cfg C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Oracle\VirtualBox\platforms\qoffscreen.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Oracle\VirtualBox\VBoxHostChannel.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Oracle\VirtualBox\drivers\USB\device\VBoxUSB.cat C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Oracle\VirtualBox\nls\qt_ca.qm C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Oracle\VirtualBox\nls\qt_es.qm C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Oracle\VirtualBox\nls\qt_pt.qm C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Oracle\VirtualBox\drivers\USB\device\VBoxUSB.inf C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Oracle\VirtualBox\nls\VirtualBox_hr_HR.qm C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Oracle\VirtualBox\nls\VirtualBox_ru.qm C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Oracle\VirtualBox\nls\qt_en.qm C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Oracle\VirtualBox\UserManual.qhc C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Oracle\VirtualBox\VBoxCAPI.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Oracle\VirtualBox\VBoxDDR0.r0 C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Oracle\VirtualBox\VBoxDTrace.exe C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Oracle\VirtualBox\drivers\network\netadp6\VBoxNetAdp6.sys C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Oracle\VirtualBox\drivers\network\netadp6\VBoxNetAdp6.cat C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Oracle\VirtualBox\VBoxDD2.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Oracle\VirtualBox\VBoxManage.exe C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Oracle\VirtualBox\VBoxSupLib.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Oracle\VirtualBox\sdk\install\vboxapi\VirtualBox_constants.py C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Oracle\VirtualBox\nls\VirtualBox_uk.qm C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Oracle\VirtualBox\UnattendedTemplates\debian_postinstall.sh C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Oracle\VirtualBox\VBoxAutostartSvc.exe C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Oracle\VirtualBox\nls\qt_da.qm C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Oracle\VirtualBox\nls\VirtualBox_el.qm C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Oracle\VirtualBox\nls\VirtualBox_th.qm C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Oracle\VirtualBox\nls\qt_de.qm C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Oracle\VirtualBox\UnattendedTemplates\os2_util.exe C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Oracle\VirtualBox\nls\VirtualBox_zh_TW.qm C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Oracle\VirtualBox\nls\qt_pl.qm C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Oracle\VirtualBox\platforms\qwindows.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Oracle\VirtualBox\VBoxAudioTest.exe C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Oracle\VirtualBox\VBoxBugReport.exe C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Oracle\VirtualBox\VBoxNetDHCP.exe C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Oracle\VirtualBox\nls\VirtualBox_de.qm C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Oracle\VirtualBox\nls\VirtualBox_ko.qm C:\Windows\system32\msiexec.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\INF\oem3.PNF C:\Windows\System32\MsiExec.exe N/A
File opened for modification C:\Windows\Installer\MSI7673.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\INF\oem2.PNF C:\Windows\System32\MsiExec.exe N/A
File opened for modification C:\Windows\inf\oem3.inf C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\Installer\{8DDF4B7A-DE1A-4619-B426-959B44E40A87}\IconVirtualBox C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\SystemTemp\~DFB43136107F3A7F2A.TMP C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI77EE.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI889F.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\INF\setupapi.dev.log C:\Windows\System32\MsiExec.exe N/A
File created C:\Windows\inf\oem3.inf C:\Windows\system32\DrvInst.exe N/A
File created C:\Windows\INF\oem5.PNF C:\Windows\System32\MsiExec.exe N/A
File created C:\Windows\Installer\e587412.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI7B3C.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\{8DDF4B7A-DE1A-4619-B426-959B44E40A87}\IconVirtualBox C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\inf\oem4.inf C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\Installer\MSI7711.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI7A8F.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\ C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\SystemTemp\~DF2BB254C32C608942.TMP C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\INF\setupapi.dev.log C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\INF\setupapi.dev.log C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\Installer\MSI9D33.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\inf\oem5.inf C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI77AF.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI86B8.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI8802.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\INF\setupapi.dev.log C:\Windows\system32\svchost.exe N/A
File created C:\Windows\Installer\inprogressinstallinfo.ipi C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\SystemTemp\~DF9BBB5FB9032946A6.TMP C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI7FF0.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI803F.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\inf\oem4.inf C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\Installer\MSI9D23.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\inf\oem5.inf C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\Installer\MSI9FB5.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\e587412.msi C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\SourceHash{8DDF4B7A-DE1A-4619-B426-959B44E40A87} C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\SystemTemp\~DF4499D61A3D9FF46C.TMP C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI966B.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\INF\oem0.PNF C:\Windows\System32\MsiExec.exe N/A
File created C:\Windows\INF\oem1.PNF C:\Windows\System32\MsiExec.exe N/A
File opened for modification C:\Windows\INF\setupapi.dev.log C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\Installer\MSIA072.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI76E2.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\e587414.msi C:\Windows\system32\msiexec.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\VirtualBox-7.0.14-161095-Win.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\syswow64\MsiExec.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\syswow64\MsiExec.exe N/A

Checks SCSI registry key(s)

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID C:\Windows\system32\DrvInst.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Filters C:\Windows\System32\MsiExec.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs C:\Windows\System32\MsiExec.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom C:\Windows\system32\DrvInst.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags C:\Windows\system32\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom C:\Windows\system32\DrvInst.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001 C:\Windows\system32\DrvInst.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID C:\Windows\system32\DrvInst.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID C:\Windows\system32\DrvInst.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID C:\Windows\system32\DrvInst.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\CompatibleIDs C:\Windows\system32\DrvInst.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\CompatibleIDs C:\Windows\system32\DrvInst.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 C:\Windows\system32\DrvInst.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Service C:\Windows\System32\MsiExec.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Phantom C:\Windows\system32\DrvInst.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 C:\Windows\System32\MsiExec.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs C:\Windows\system32\DrvInst.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Phantom C:\Windows\system32\DrvInst.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 C:\Windows\System32\MsiExec.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID C:\Windows\system32\DrvInst.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters C:\Windows\system32\vssvc.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\CompatibleIDs C:\Windows\system32\DrvInst.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009 C:\Windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002 C:\Windows\system32\DrvInst.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A\ C:\Windows\System32\MsiExec.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID C:\Windows\system32\DrvInst.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 C:\Windows\System32\MsiExec.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\UpperFilters C:\Windows\System32\MsiExec.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID C:\Windows\system32\DrvInst.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags C:\Windows\System32\MsiExec.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom C:\Windows\system32\DrvInst.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\CompatibleIDs C:\Windows\system32\DrvInst.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID C:\Windows\system32\DrvInst.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\CompatibleIDs C:\Windows\system32\DrvInst.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A C:\Windows\System32\MsiExec.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002 C:\Windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000 C:\Windows\system32\DrvInst.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID C:\Windows\system32\DrvInst.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A C:\Windows\System32\MsiExec.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID C:\Windows\system32\DrvInst.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID C:\Windows\system32\DrvInst.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Phantom C:\Windows\system32\DrvInst.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A\ C:\Windows\System32\MsiExec.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr C:\Windows\system32\vssvc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 C:\Windows\system32\DrvInst.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom C:\Windows\system32\DrvInst.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\CompatibleIDs C:\Windows\system32\DrvInst.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\LowerFilters C:\Windows\System32\MsiExec.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A C:\Windows\System32\MsiExec.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002 C:\Windows\System32\MsiExec.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID C:\Windows\System32\MsiExec.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID C:\Windows\System32\MsiExec.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A\ C:\Windows\System32\MsiExec.exe N/A
Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 000000000400000089ac4f3df1c89d300000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff00000000270101000008000089ac4f3d0000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff00000000070001000068090089ac4f3d000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1d89ac4f3d000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff00000000000000000000000089ac4f3d00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 C:\Windows\system32\vssvc.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Phantom C:\Windows\system32\DrvInst.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\CompatibleIDs C:\Windows\System32\MsiExec.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 C:\Windows\system32\DrvInst.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\LowerFilters C:\Windows\System32\MsiExec.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\CompatibleIDs C:\Windows\system32\DrvInst.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000 C:\Windows\System32\MsiExec.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\UpperFilters C:\Windows\System32\MsiExec.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\UpperFilters C:\Windows\System32\MsiExec.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters C:\Windows\system32\vssvc.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom C:\Windows\System32\MsiExec.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292114432" C:\Windows\system32\LogonUI.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\System32\MsiExec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\System32\MsiExec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\System32\MsiExec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\System32\MsiExec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\system32\DrvInst.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\System32\MsiExec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\System32\MsiExec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\System32\MsiExec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\System32\MsiExec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\System32\MsiExec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\System32\MsiExec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\System32\MsiExec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\System32\MsiExec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\System32\MsiExec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\System32\MsiExec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent C:\Windows\system32\LogonUI.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\System32\MsiExec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\system32\DrvInst.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4290799360" C:\Windows\system32\LogonUI.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5BFD8965-B81B-469F-8649-F717CE97A5D5}\ = "INvramStore" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Interface\{92F21DC0-44DE-1653-B717-2EBF0CA9B664}\TypeLib C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0F7B8A22-C71F-4A36-8E5F-A77D01D76090}\ = "IGuestMonitorChangedEvent" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{890ED3DC-CC19-43FA-8EBF-BAECB6B9EC87} C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DD3FC71D-26C0-4FE1-BF6F-67F633265BBA}\InprocServer32\ThreadingModel = "Free" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8D095CB0-0126-43E0-B05D-326E74ABB356}\ProxyStubClsid32\ = "{0BB3B78C-1807-4249-5BA5-EA42D66AF0BF}" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Interface\{C354A762-3FF2-4F2E-8F09-07382EE25088}\NumMethods C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Interface\{FA43579A-2272-47C4-A443-9713F19A902F}\ProxyStubClsid32 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\progId_VirtualBox.Shell.vbox\shell\open C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{00F4A8DC-0002-4B81-0077-1DCB004571BA}\TypeLib\Version = "1.3" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B9ACD33F-647D-45AC-8FE9-F49B3183BA37}\ = "IGuestSessionEvent" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F01F1066-F231-11EA-8EEE-33BB2AFB0B6E}\ProxyStubClsid32\ = "{0BB3B78C-1807-4249-5BA5-EA42D66AF0BF}" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Interface\{243829CB-15B7-42A4-8664-7AA4E34993DA}\NumMethods C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Interface\{AAC6C7CB-A371-4C58-AB51-0616896B2F2C} C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{CAC21692-7997-4595-A731-3A509DB604E5}\TypeLib C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D05C91E2-3E8A-11E9-8082-DB8AE479EF87}\ = "IForm" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Interface\{A5BBDB7D-8CE7-469F-A4C2-6476F581FF72}\NumMethods C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{21637B0E-34B8-42D3-ACFB-7E96DAF77C22}\NumMethods\ = "14" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Interface\{243829CB-15B7-42A4-8664-7AA4E34993DA}\TypeLib C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Interface\{334DF94A-7556-4CBC-8C04-043096B02D82}\NumMethods C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DD3FC71D-26C0-4FE1-BF6F-67F633265BBA}\AppID = "{819B4D85-9CEE-493C-B6FC-64FFE759B3C9}" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20479EAF-D8ED-44CF-85AC-C83A26C95A4D}\TypeLib\ = "{D7569351-1750-46F0-936E-BD127D5BC264}" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4DA2DEC7-71B2-4817-9A64-4ED12C17388E}\ProxyStubClsid32\ = "{0BB3B78C-1807-4249-5BA5-EA42D66AF0BF}" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{726EACA9-091E-41B4-BCA6-355EFE864107}\ProxyStubClsid32\ = "{0BB3B78C-1807-4249-5BA5-EA42D66AF0BF}" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{B5DDB370-08A7-4C8F-910D-47AABD67253A}\ = "IRecordingChangedEvent" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{B7FDA727-7A08-46EE-8DD8-F8D7308B519C}\TypeLib\ = "{D7569351-1750-46F0-936E-BD127D5BC264}" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Interface\{4680B2DE-8690-11E9-B83D-5719E53CF1DE}\NumMethods C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A5BBDB7D-8CE7-469F-A4C2-6476F581FF72}\TypeLib\Version = "1.3" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DAAF9016-1F04-4191-AA2F-1FAC9646AE4C}\NumMethods\ = "13" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DFA7E4F5-B4A4-44CE-85A8-127AC5EB59DC}\ = "ICPUExecutionCapChangedEvent" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{890ED3DC-CC19-43FA-8EBF-BAECB6B9EC87}\ = "IVirtualBoxSDS" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\A7B4FDD8A1ED91644B6259B9444EA078\SourceList\Media\1 = ";" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Interface\{C39EF4D6-7532-45E8-96DA-EB5986AE76E4}\ProxyStubClsid32 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{179F8647-319C-4E7E-8150-C5837BD265F6}\TypeLib\ = "{D7569351-1750-46F0-936E-BD127D5BC264}" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{CAC21692-7997-4595-A731-3A509DB604E5}\ProxyStubClsid32\ = "{0BB3B78C-1807-4249-5BA5-EA42D66AF0BF}" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4F4ADCF6-3E87-11E9-8AF2-576E84223953}\ = "IBooleanFormValue" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6BB335CC-1C58-440C-BB7B-3A1397284C7B}\ = "IStorageControllerChangedEvent" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{A06FD66A-3188-4C8C-8756-1395E8CB691C} C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{C48F3401-4A9E-43F4-B7A7-54BD285E22F4}\NumMethods C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\VirtualBox.VirtualBox C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3BA329DC-659C-488B-835C-4ECA7AE71C6C}\ProxyStubClsid32\ = "{0BB3B78C-1807-4249-5BA5-EA42D66AF0BF}" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D78374E9-486E-472F-481B-969746AF2480}\ = "IGuestFileSizeChangedEvent" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DFE56449-6989-4002-80CF-3607F377D40C}\NumMethods\ = "21" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4A773393-7A8C-4D57-B228-9ADE4049A81F}\NumMethods\ = "17" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{DFE56449-6989-4002-80CF-3607F377D40C}\NumMethods\ = "21" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Interface\{A06253A7-DCD2-44E3-8689-9C9C4B6B6234}\TypeLib C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{5CA9E537-5A1D-43F1-6F27-6A0DB298A9A8}\NumMethods\ = "20" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BC68370C-8A02-45F3-A07D-A67AA72756AA}\TypeLib\ = "{D7569351-1750-46F0-936E-BD127D5BC264}" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.ova\Content Type = "application/x-virtualbox-ova" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{4EE3CBCB-486F-40DB-9150-DEEE3FD24189}\TypeLib C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4EE3CBCB-486F-40DB-9150-DEEE3FD24189}\ProxyStubClsid32\ = "{0BB3B78C-1807-4249-5BA5-EA42D66AF0BF}" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A54D9CCA-F23F-11EA-9755-EFD0F1F792D9}\NumMethods\ = "13" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BC68370C-8A02-45F3-A07D-A67AA72756AA}\TypeLib\Version = "1.3" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{C2DB178A-7485-11EC-AEC4-2FBF90681A84}\TypeLib C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D134C6B6-4479-430D-BB73-68A452BA3E67}\ProxyStubClsid32\ = "{0BB3B78C-1807-4249-5BA5-EA42D66AF0BF}" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3DB2AB1A-6CF7-42F1-8BF5-E1C0553E0B30}\ = "IFsInfo" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{455F8C45-44A0-A470-BA20-27890B96DBA9}\ProxyStubClsid32\ = "{0BB3B78C-1807-4249-5BA5-EA42D66AF0BF}" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1E775EA3-9070-4F9C-B0D5-53054496DBE0}\NumMethods\ = "18" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{2A88033D-82DB-4AC2-97B5-E786C839420E} C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3890B2C8-604D-11E9-92D3-53CB473DB9FB}\TypeLib\ = "{D7569351-1750-46F0-936E-BD127D5BC264}" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{E8C25D4D-AC97-4C16-B3E2-81BD8A57CC27} C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Interface\{6CC49055-DAD4-4496-85CF-3F76BCB3B5FA}\TypeLib C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Interface\{966303D0-36A8-4180-8971-18650B0D1055}\ProxyStubClsid32 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{97C78FCD-D4FC-485F-8613-5AF88BFCFCDC}\ = "IVBoxSVCAvailabilityChangedEvent" C:\Windows\system32\msiexec.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\VirtualBox-7.0.14-161095-Win.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\VirtualBox-7.0.14-161095-Win.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\VirtualBox-7.0.14-161095-Win.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\VirtualBox-7.0.14-161095-Win.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\VirtualBox-7.0.14-161095-Win.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\VirtualBox-7.0.14-161095-Win.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Users\Admin\AppData\Local\Temp\VirtualBox-7.0.14-161095-Win.exe N/A
Token: SeTcbPrivilege N/A C:\Users\Admin\AppData\Local\Temp\VirtualBox-7.0.14-161095-Win.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\VirtualBox-7.0.14-161095-Win.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\VirtualBox-7.0.14-161095-Win.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\VirtualBox-7.0.14-161095-Win.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\VirtualBox-7.0.14-161095-Win.exe N/A
Token: SeSystemtimePrivilege N/A C:\Users\Admin\AppData\Local\Temp\VirtualBox-7.0.14-161095-Win.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Local\Temp\VirtualBox-7.0.14-161095-Win.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\VirtualBox-7.0.14-161095-Win.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\VirtualBox-7.0.14-161095-Win.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\VirtualBox-7.0.14-161095-Win.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\VirtualBox-7.0.14-161095-Win.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\VirtualBox-7.0.14-161095-Win.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\VirtualBox-7.0.14-161095-Win.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\VirtualBox-7.0.14-161095-Win.exe N/A
Token: SeAuditPrivilege N/A C:\Users\Admin\AppData\Local\Temp\VirtualBox-7.0.14-161095-Win.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\VirtualBox-7.0.14-161095-Win.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Users\Admin\AppData\Local\Temp\VirtualBox-7.0.14-161095-Win.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\VirtualBox-7.0.14-161095-Win.exe N/A
Token: SeUndockPrivilege N/A C:\Users\Admin\AppData\Local\Temp\VirtualBox-7.0.14-161095-Win.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\VirtualBox-7.0.14-161095-Win.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Users\Admin\AppData\Local\Temp\VirtualBox-7.0.14-161095-Win.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\VirtualBox-7.0.14-161095-Win.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\VirtualBox-7.0.14-161095-Win.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Users\Admin\AppData\Local\Temp\VirtualBox-7.0.14-161095-Win.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\VirtualBox-7.0.14-161095-Win.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\VirtualBox-7.0.14-161095-Win.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\VirtualBox-7.0.14-161095-Win.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\VirtualBox-7.0.14-161095-Win.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Users\Admin\AppData\Local\Temp\VirtualBox-7.0.14-161095-Win.exe N/A
Token: SeTcbPrivilege N/A C:\Users\Admin\AppData\Local\Temp\VirtualBox-7.0.14-161095-Win.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\VirtualBox-7.0.14-161095-Win.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\VirtualBox-7.0.14-161095-Win.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\VirtualBox-7.0.14-161095-Win.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\VirtualBox-7.0.14-161095-Win.exe N/A
Token: SeSystemtimePrivilege N/A C:\Users\Admin\AppData\Local\Temp\VirtualBox-7.0.14-161095-Win.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Local\Temp\VirtualBox-7.0.14-161095-Win.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\VirtualBox-7.0.14-161095-Win.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\VirtualBox-7.0.14-161095-Win.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\VirtualBox-7.0.14-161095-Win.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\VirtualBox-7.0.14-161095-Win.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\VirtualBox-7.0.14-161095-Win.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\VirtualBox-7.0.14-161095-Win.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\VirtualBox-7.0.14-161095-Win.exe N/A
Token: SeAuditPrivilege N/A C:\Users\Admin\AppData\Local\Temp\VirtualBox-7.0.14-161095-Win.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\VirtualBox-7.0.14-161095-Win.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Users\Admin\AppData\Local\Temp\VirtualBox-7.0.14-161095-Win.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\VirtualBox-7.0.14-161095-Win.exe N/A
Token: SeUndockPrivilege N/A C:\Users\Admin\AppData\Local\Temp\VirtualBox-7.0.14-161095-Win.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\VirtualBox-7.0.14-161095-Win.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Users\Admin\AppData\Local\Temp\VirtualBox-7.0.14-161095-Win.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\VirtualBox-7.0.14-161095-Win.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\VirtualBox-7.0.14-161095-Win.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Users\Admin\AppData\Local\Temp\VirtualBox-7.0.14-161095-Win.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\VirtualBox-7.0.14-161095-Win.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\VirtualBox-7.0.14-161095-Win.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\VirtualBox-7.0.14-161095-Win.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\VirtualBox-7.0.14-161095-Win.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\VirtualBox-7.0.14-161095-Win.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\LogonUI.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2308 wrote to memory of 3712 N/A C:\Windows\system32\msiexec.exe C:\Windows\System32\MsiExec.exe
PID 2308 wrote to memory of 3712 N/A C:\Windows\system32\msiexec.exe C:\Windows\System32\MsiExec.exe
PID 2308 wrote to memory of 1088 N/A C:\Windows\system32\msiexec.exe C:\Windows\system32\srtasks.exe
PID 2308 wrote to memory of 1088 N/A C:\Windows\system32\msiexec.exe C:\Windows\system32\srtasks.exe
PID 2308 wrote to memory of 2668 N/A C:\Windows\system32\msiexec.exe C:\Windows\System32\MsiExec.exe
PID 2308 wrote to memory of 2668 N/A C:\Windows\system32\msiexec.exe C:\Windows\System32\MsiExec.exe
PID 2308 wrote to memory of 3808 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2308 wrote to memory of 3808 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2308 wrote to memory of 3808 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2308 wrote to memory of 4896 N/A C:\Windows\system32\msiexec.exe C:\Windows\System32\MsiExec.exe
PID 2308 wrote to memory of 4896 N/A C:\Windows\system32\msiexec.exe C:\Windows\System32\MsiExec.exe
PID 436 wrote to memory of 4916 N/A C:\Windows\system32\svchost.exe C:\Windows\system32\DrvInst.exe
PID 436 wrote to memory of 4916 N/A C:\Windows\system32\svchost.exe C:\Windows\system32\DrvInst.exe
PID 2308 wrote to memory of 5092 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2308 wrote to memory of 5092 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2308 wrote to memory of 5092 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 436 wrote to memory of 2872 N/A C:\Windows\system32\svchost.exe C:\Windows\system32\DrvInst.exe
PID 436 wrote to memory of 2872 N/A C:\Windows\system32\svchost.exe C:\Windows\system32\DrvInst.exe
PID 436 wrote to memory of 3848 N/A C:\Windows\system32\svchost.exe C:\Windows\system32\DrvInst.exe
PID 436 wrote to memory of 3848 N/A C:\Windows\system32\svchost.exe C:\Windows\system32\DrvInst.exe

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\VirtualBox-7.0.14-161095-Win.exe

"C:\Users\Admin\AppData\Local\Temp\VirtualBox-7.0.14-161095-Win.exe"

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Windows\System32\MsiExec.exe

C:\Windows\System32\MsiExec.exe -Embedding 43B99A12DC119EDE1D118709C102C5F7 C

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\srtasks.exe

C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2

C:\Windows\System32\MsiExec.exe

C:\Windows\System32\MsiExec.exe -Embedding D9216B4A5620C4337ECDF44C71E2D69E

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding F610A3F0E4C1F8A97B273F46E8E6F622

C:\Windows\System32\MsiExec.exe

C:\Windows\System32\MsiExec.exe -Embedding E179F65A585C88F9E3FBE4B80A742F27 E Global\MSI0000

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k DcomLaunch -p -s DeviceInstall

C:\Windows\system32\DrvInst.exe

DrvInst.exe "4" "1" "C:\Program Files\Oracle\VirtualBox\drivers\USB\device\VBoxUSB.inf" "9" "48f6bcb47" "0000000000000158" "WinSta0\Default" "0000000000000168" "208" "C:\Program Files\Oracle\VirtualBox\drivers\USB\device"

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding C90AC32DFA2719CF7FEA2D5383D8DBF6 M Global\MSI0000

C:\Windows\system32\DrvInst.exe

DrvInst.exe "4" "1" "C:\Program Files\Oracle\VirtualBox\drivers\network\netadp6\VBoxNetAdp6.inf" "9" "473b17b7b" "0000000000000168" "WinSta0\Default" "000000000000013C" "208" "C:\Program Files\Oracle\VirtualBox\drivers\network\netadp6"

C:\Windows\system32\DrvInst.exe

DrvInst.exe "4" "1" "C:\Program Files\Oracle\VirtualBox\drivers\network\netlwf\VBoxNetLwf.inf" "9" "431e52bcb" "0000000000000180" "WinSta0\Default" "000000000000013C" "208" "C:\Program Files\Oracle\VirtualBox\drivers\network\netlwf"

C:\Windows\system32\LogonUI.exe

"LogonUI.exe" /flags:0x4 /state0:0xa3a25055 /state1:0x41c64e6d

Network

Country Destination Domain Proto
US 8.8.8.8:53 134.130.81.91.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
SE 192.229.221.95:80 csc3-2010-crl.verisign.com tcp
SE 192.229.221.95:80 csc3-2010-crl.verisign.com tcp
US 8.8.8.8:53 74.19.199.152.in-addr.arpa udp
N/A 224.0.0.251:5353 udp
N/A 255.255.255.255:67 udp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 1.56.168.192.in-addr.arpa udp
US 8.8.8.8:53 255.56.168.192.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\MSIC033.tmp

MD5 3e96d4bbea9f87cccdb9f1ba6d14309e
SHA1 1de6ef91b7d961ea5cbd4e23ca14174dc966b4e3
SHA256 b5cc30d5a2678bf4a8d1889e1db385bccac012156562551e6c508e0801e912ff
SHA512 e25fcca4699aaeae4f0953c69b65b2ea150c0049c5cf5e4370e279617d6553461f7ce2729fce049d4118ff66c2cd3f7eb537e0fcd8249fad32ce17373cf4b9b2

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\66AE3BFDF94A732B262342AD2154B86E_683B8EA584E734D2258F215F97D5554B

MD5 003ac8a88e59a77b9f5a05c3d03b01d3
SHA1 ec3a1bcba6de2121cb5ebb5c21b2733d37ca51c2
SHA256 91d1334b3f553edc9da85ad4d241215de09484ec933dd2269a21ab86057f374d
SHA512 fa8a181049ea45e15e05af472e5bcea2c1424f1b60bafe92ba0f310342c0495dee3809c6cd434fab49b3775ca997274ae0be425efd3e0f90031b6f91bade1db2

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\42B9A473B4DAF01285A36B4D3C7B1662_178C086B699FD6C56B804AF3EF759CB5

MD5 762f1cf4815715b6589cc0836b86e2fb
SHA1 1900b68eb067ed73adc803c6dff487d9f3989ebe
SHA256 5f25cc39d65660dafae0c878e4f403a36c659b1b28e1611324efe7b64d0d4a52
SHA512 bb05445ee3de7dc52ba18e37739674604704834a74b1aca629baeffe1d7077884a6f94c62b805c68729006510856dbe5aef4d607195584ca0e55fb775ec108a3

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\66AE3BFDF94A732B262342AD2154B86E_683B8EA584E734D2258F215F97D5554B

MD5 5c37e151d502924317d3027d790b3494
SHA1 63757861e09d29dfa1869a0f19bbc8eba1c44a3e
SHA256 2f92172447770bfa8b2bcbb6bffc98c72f3b10d3726b5fd05a148fddca86af30
SHA512 e0924e146a6b88686431898d1665f6cf05c9eae023102647ef02858094677e84f2097392f6050241d65accc2701ee55e7550c2f0f564a3bc718159f4500f064a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\42B9A473B4DAF01285A36B4D3C7B1662_178C086B699FD6C56B804AF3EF759CB5

MD5 5db620292aeb2fbd25c8529ec2eb6b4c
SHA1 c4400780b1d4ddcdc7fefe20bf707bc5fbbf2bea
SHA256 ccca05c8bf30a3e49a786237750116c943e12a4f5355838e0bee53065f19e114
SHA512 d8da21180801c86369b3e17af147765ddde2dbd02acfa0bb962c3ee0fa7513161b334c9c22178580e06adc27e6003d906a76f5865d26b7cc55456e03be408231

\??\Volume{3d4fac89-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{5d0728f8-5ec2-4b46-a740-a435d4c01dcd}_OnDiskSnapshotProp

MD5 0a458bab2664abe00474c5aca465b21e
SHA1 30d717f6fb129d50d9c5d2efea64967a122ee626
SHA256 ac0d6cc55ebd162d83786fd2167b107745440f1a232a7a5bcfab535c1122d54c
SHA512 3fad016b555a4f5a55fe3443c8c28ba20c20d32fdb9561690a764c7c635a1071e974018f35ce4aabfe01eabd9324eaec47348771dd1fa294f81857ce2dbd8288

\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

MD5 41e9f479f2cf52a54edb645ec191d37f
SHA1 86f710b78cc378dcf4ab9eba4b9a9403f37d0ca0
SHA256 c103067d4bbbd5e4ed46382d2040e841886fc9917e36cd79bed876e3319214c4
SHA512 a9d6729c9b6f725a8f0bbd82c598848bee16c34c8f5f15b5e7205f206277b41b46df2912262e259cf87d940eebe9e7e3771cbcd978f480d2fbd69afb42b317e3

C:\Windows\Installer\MSI77AF.tmp

MD5 a3ae5d86ecf38db9427359ea37a5f646
SHA1 eb4cb5ff520717038adadcc5e1ef8f7c24b27a90
SHA256 c8d190d5be1efd2d52f72a72ae9dfa3940ab3faceb626405959349654fe18b74
SHA512 96ecb3bc00848eeb2836e289ef7b7b2607d30790ffd1ae0e0acfc2e14f26a991c6e728b8dc67280426e478c70231f9e13f514e52c8ce7d956c1fad0e322d98e0

C:\Windows\Installer\MSI7B3C.tmp

MD5 418322f7be2b68e88a93a048ac75a757
SHA1 09739792ff1c30f73dacafbe503630615922b561
SHA256 ea5d4b4c7e7be1ce24a614ae1e31a58bcae6f1694dd8bfb735cf47d35a08d59b
SHA512 253f62f5ce75df3e9ac3c62e2f06f30c7c6de6280fbfc830cdd15bf29cb8ee9ed878212f6df5d0ac6a5c9be0e6259f900eccee472a890f15dd3ff1f84958aeef

C:\Windows\Installer\MSI86B8.tmp

MD5 8deb7d2f91c7392925718b3ba0aade22
SHA1 fc8e9b10c83e16eb0af1b6f10128f5c37b389682
SHA256 cb42fac1aebb6e1ac4907a38035b218b5f992d1bcd4dece11b1664a588e876e4
SHA512 37f2c132b632c8e5a336bdc773d953c7f39872b1bae2ba34fbaf7794a477fd0dcb9ff60a3ddb447fe76abd98e557bd5ee544876584adea152b0841b3e313054c

C:\Program Files\Oracle\VirtualBox\drivers\vboxsup\VBoxSup.inf

MD5 73baef81f0ea58b6dd1b8e38e199e567
SHA1 66e89f5fee1ebfa980160984940bd5fa910b7180
SHA256 b24d35b010526a896ddd4108f10e235054593d79f5939a2d484da12517d351a0
SHA512 978a94895e7a9d88eff50f4b552ba7ebdf73b4654d48590afda8b09cddd3d188d11d4bfcad3cac374348237b69d249467ccf04159c88da9fb783fb65d49f14aa

C:\Program Files\Oracle\VirtualBox\drivers\vboxsup\VBoxSup.sys

MD5 6276906d6a4ee29b29ca50b4825d4098
SHA1 b542ea87c12b788c87ed693d549fcffd562c354f
SHA256 73fa8b463ee9a95930d98da3f9dd0637e63f06e8cd510bcaa285d91e4dcae2c7
SHA512 bab6e0947bcc54b95e504e24d5305dbfb7d6c1e60795655a5c308c0a9fd2433bf4449b838f8cbb021479dcf6383f853445f719c8347a7e13f1e05b622b09207a

C:\Program Files\Oracle\VirtualBox\drivers\vboxsup\VBoxSup.cat

MD5 0b017252806546852e7808267d223e93
SHA1 5018924056e84eaba285bb0de5b18677dc64c518
SHA256 dd54bdd004785dc8e0b0824f49b6ec0665ac0d4623162c3d9dd636ec11dd3a25
SHA512 155c330306ca91a4991ee9a5107a2339630e9cd34696206c7ae1526cd2b9fd092753f52cba2ff8bb0da6bb69fdb19fc6f9aaaef6473b5f5765aacd201573dff7

C:\Program Files\Oracle\VirtualBox\drivers\USB\filter\VBoxUSBMon.inf

MD5 16ea0763f8e734401a17973aa0aa366c
SHA1 f206e753616e3ffda643a2f9c657df591020ee93
SHA256 23cfad6bdfdac3f08ac6f9d7b79292affe78c834d19939a3a554c2844f54f452
SHA512 0d7504e67cdab21733f95188776f1238c2f532d7aeb372963c221c33f2d971e0745ddc86862935c15ab8ed812a0cd77818cffefab221d5f4cac6ac8d8cf43563

C:\Program Files\Oracle\VirtualBox\drivers\USB\filter\VBoxUSBMon.cat

MD5 421e43a41fac5422bead785c7dafece6
SHA1 4dc22822e5ed15cfaf42864cc0f1e63ebc74d076
SHA256 0d80dc9215057156589b2345f793df8884b6d684e83b1ac725c4e47debd6759e
SHA512 2d3af370d66e54b260c4ee27c01dd6f97111949593b05fdddd9d1b4a58f882982a96a3ae1628a3ddc7dc7a6e2729842723c1fcd62a180700390c6214b1d751c1

C:\Program Files\Oracle\VirtualBox\drivers\USB\filter\VBoxUSBMon.sys

MD5 ea4f74bf86589c6e8f0fb2866b3820aa
SHA1 17a542351d8cefbc25ba2a184f80a6897566ac7b
SHA256 ade2e8d684cb59bfea99ad09e55bc5f2a808d824c2905ded1366b7d32e906529
SHA512 397a2129d9df502636776d49c62ce2887999f3e24f975905f108bf7c2a7196e0227f20f7644cceba9513384781f2988c6e1ce8047f705c872fb3970ce15466cb

C:\Program Files\Oracle\VirtualBox\drivers\USB\device\VBoxUSB.inf

MD5 9cbb45c10d1d5920e4d9320e8dde36d4
SHA1 3efb47a5381654a7f996c4049ffcb7ad671f2c3f
SHA256 b97746731c3f8ceb709020ef1be969721b004f001ea2e55f61a0c395d611b109
SHA512 e72d534560789d15a6bdaa481d022fb5111b75e8321f0e1947e653c598e7cb8ed1ca25dcc01a4c341cc7bb0fca133f6c92bbb7f3cfb188fdafa0babc7d558ee1

C:\PROGRA~1\Oracle\VIRTUA~1\drivers\USB\device\VBoxUSB.cat

MD5 351ea41c61b4b84fbc0a461b1768e104
SHA1 e9fb74d027a25e4298eb751e2ae156c8806428c6
SHA256 36b73da2bc1b809022fa8c8072a52d082a869243dd78b08dfcf75f1146255a31
SHA512 d0b2f30bcce8e324856f6184f50f7bc24ecf220b575c14166a81ebad7acaa3b14250aefce10e095bb90ea0565be85c7638a03ea289f61c46921b800d3b5a5b5f

C:\PROGRA~1\Oracle\VIRTUA~1\drivers\USB\device\VBoxUSB.sys

MD5 4669d1db0f07515d41f21f308b4b390d
SHA1 3400d9f8ce5541e5fd59f546a7a44d98ca7eb331
SHA256 a6c70813d6afd3c9e191de5127c219d912a11db1a6fda80fd6793a97e5a9e692
SHA512 3b285fa9b2fc63cd8f7b756dfcba56022b67aa4ddf5d40fd4611037af92a31502df43b0c2ffe8f28faf5ae97e69497d540cc4028be1abf42b34cc6433eb307a3

C:\Windows\System32\CatRoot2\dberr.txt

MD5 7343dde4de14d26d6a5a4f807a1541c5
SHA1 b0e5fce7dd2ae61485eb96b02a8747b53560b546
SHA256 7d4192f5e104ce1b3e4a012df963da6be75a9d8389a62b58dcd96ed8759f6a08
SHA512 9c9045e0ab82258a62eff28d183152ac5317a48ba824e4d4bcc5964197e3f639c0e5d177ae35ce6e1c7fe8211753bd8aba954ae670a1329d180b040e2423a267

C:\Windows\System32\CatRoot2\dberr.txt

MD5 97a153ce0035f4761e219b2e481b3835
SHA1 832de3f400dc765d6dfd4f3c98b1b94f27d1191a
SHA256 242a7052523f0b8496f0c44d278dbe6fce838b413a8192c567bfaf8b5ffe0e7c
SHA512 5767132de02d4458841a4d12216270a402b3fe3674f447ae6fb262362f560b24909d9d057767778678d6e9b6c4f7f6dd793ef6aa5186cfb2d0bcee04d05e1824

C:\Program Files\Oracle\VirtualBox\VirtualBox.exe

MD5 be3cbab296ab1c9fbbe7dc8e97b06e07
SHA1 1f6a242ff2039606ac558c56e4237cc9a9fe28fd
SHA256 f640902d85cbeed89f1f2237297b2eba3240cb4431c64131f2253331e0b67f6d
SHA512 2742b09e99d45201d2f70df76d9d69369eb666194c39b99627c0d8a06da4de19f3bdc5b83fee7e7f84e7a26db123b5463060b748f4b27eeb3a27049a8589e28a

C:\Program Files\Oracle\VirtualBox\VBoxProxyStub.dll

MD5 166f9409ec301bd79860933cbb8b6708
SHA1 aa51281832ad1767b8480ae48760d0e8e1088710
SHA256 74dbea34d5b2c424281719df754bd1e4a28cc3c03759cc1d38e23b8fc120a7fd
SHA512 13f9953e5da10c778c39228e1b379e24647cecad07e8621220569e8869f84db4ce9c0f82faeccb0ec1935e9a161e052fc446e6dc83868554b8a9631a9627e356

C:\Program Files\Oracle\VirtualBox\x86\VBoxProxyStub-x86.dll

MD5 6d3c7d2e108cbb7b5389f51ff68bcb9a
SHA1 e47006dbd81b0ad005dfe95339bb54ac59b20f47
SHA256 53ed3512437fbeb4277c24790ce67db048f81b60c3669765541495ef88056b88
SHA512 0b69c294c32beff25e91ccfc5fd3b26ff76e8a92b81b3f69fc0065ae6c8d8a676039303cc5195bff1d71735a1af97f920ed1a9911bcbcd27a7532f7539605fdf

C:\Program Files\Oracle\VirtualBox\drivers\network\netadp6\VBoxNetAdp6.inf

MD5 6016637d32182738bfc71e7e86bfa1a3
SHA1 ee76c95ba76286743ab9d3420c58c41e0f1793eb
SHA256 68fca318c6f63b1d46f3a75ad62aedf1977d135411d82e850f09a6e6e7e8765d
SHA512 dc1c2584c8f25b527df9aaebba3ff7cb5ea9427825b1af9f72005f6789aa8502bfe2a16ce1c2229d1ee62b3d553b7792ff943807d753fb5dd50f084cc1815ddc

C:\PROGRA~1\Oracle\VIRTUA~1\drivers\network\netadp6\VBoxNetAdp6.sys

MD5 2ac0caba931fd7736866c3867f8ca6eb
SHA1 610700909bb66d0842706dbdeb6540bc843a5d89
SHA256 4e619bb6370f4bc4be52f43d6c43f3a86e3e2ce7bb04baadff17d3b731f18f3f
SHA512 cfb1dbd3227941e3f04f366ae661ebe3503ef789e70bc0a438569fbbdc2a2bd89e8d3b978db44e5182f81a0b98b01cc5d70690ebc8d0b5b24a00bba48c3eb866

C:\PROGRA~1\Oracle\VIRTUA~1\drivers\network\netadp6\VBoxNetAdp6.cat

MD5 75eb3dc02a8ee04f1f3c96bd80e253a2
SHA1 ace2f9f1eac41cf6bd3dbb2d69530c6f044afefb
SHA256 a27ffe3f719b5f87c694b273af7e5796cf93a495cd195aff25e44e24fecf8e1b
SHA512 3d451852408ac7045c1558fb97a21a61d99bae207e3e28050109170999fcaf7f091108d3a15596946aed55497611110040726bccb939850744c5b628db369a75

C:\Windows\System32\catroot2\dberr.txt

MD5 9145730c67b5cb0140017cd369f8fa20
SHA1 ce14a60883c46be41caa63f7466e52d6d9806798
SHA256 5138d577b7a8e8fdb00ec104be31efffa4fa148ae0e0752dfa73d53f684df685
SHA512 e30b0eacc985aff4d39254016044535745a00567b9961569a2463e08ae8880242d9fa9fa1139f4fa731f646de84e3cc23aca4bf60410dc449e7bcf450e823a55

C:\Program Files\Oracle\VirtualBox\drivers\network\netlwf\VBoxNetLwf.inf

MD5 4b79c4041164c4d8b24a4f51f25b026a
SHA1 e877f526967674a90108da7be7cf38744e5969c9
SHA256 dbcc2c6f3dc2a68eabc698d2d7d94837e9f79711dd13b414299e20c00c016779
SHA512 8c7ab281df799538f0dd1a2b353c072cb1cada3b57e6aceba5e7f228cecfe5634e26ff05b927d46a6fe0f9e6cdabb4c266cfc1e1a425f04f0f2be9a179bd4a30

C:\Windows\System32\DriverStore\Temp\{0e10fb9e-bda2-594e-bae9-2015d41967f8}\VBoxNetLwf.cat

MD5 6d9d62401ebc8d8b48e6724c2e162d2e
SHA1 7d64d6c2b98e6545382a5c3ec31bc71e2d6b3035
SHA256 e308cfc6edf3b6e969a115eeb111d0fefe0be93e00856ab1280459dd83a9f93f
SHA512 46244a02f61d6048630312a0827f0141b8e99501d367a6feeaa5d9ae5c157f98969dc50642ad4d03b5863b196456d8d903241b1077809d280b860bd6aba6bee4

C:\Windows\System32\DriverStore\Temp\{0e10fb9e-bda2-594e-bae9-2015d41967f8}\VBoxNetLwf.sys

MD5 96a60dbff3c4c7217741e0007d0f4abb
SHA1 1651f89d9ab8455dd4458f605bee3a4ce429e42c
SHA256 cd3af3b853c27626fcfc85997feead0a48e56d618e2129f62fe1b96a203a44c7
SHA512 bb7de376b7fbb8e8dcf2a49f9c4e195510ae5895d0f612dd9f80fa56197b55b81cd31151bdcacafc616c7998513cca81192460e09b9a433f9b688d706ebf3d48

C:\Config.Msi\e587413.rbs

MD5 8cb82c47c14d713296d4084b932a3b7b
SHA1 044675b7a3de1ad444b065560db2c9a4309861ea
SHA256 fbd8563462eee5098db1828c8045ff7a389f65adf1a9e475cdce6e978a8be018
SHA512 cb08def6f19a2c31ff431a59cdb5c5400fabb3379c3c0d4b533d2c91394ce06ff5cdcb8c652b4080dc3a876897a2c7f4d44b935f367b2994a7180265d3231a25