Some files are created by Virtualbox and VMware on the system.

Malware can check the different folders to find Virtualbox artifacts like VBoxMouse.sys.

Malware can check the different folders to find VMware artifacts like vmmouse.sys, vmhgfs.sys.

Some Files Example

Below is a list of files that can be detected on virtual machines:

• "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\agent.pyw",
• "C:\WINDOWS\system32\drivers\vmmouse.sys",
• "C:\WINDOWS\system32\drivers\vmhgfs.sys",
• "C:\WINDOWS\system32\drivers\VBoxMouse.sys",
• "C:\WINDOWS\system32\drivers\VBoxGuest.sys",
• "C:\WINDOWS\system32\drivers\VBoxSF.sys",
• "C:\WINDOWS\system32\drivers\VBoxVideo.sys", …