758f7211d631b2b5b52df7214485fe2082661e5ba18054c8d91be0d7e27dbb2f

Analysis

max time kernel
152s
max time network
177s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
02/06/2024, 12:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

VMware-workstation-full-16.2.4-20089737.exe
Size

615.6MB
MD5

d60f20003600b70defb72215417aadee
SHA1

b89035349ad4894e1837b81e3e826ca4572f4f88
SHA256

758f7211d631b2b5b52df7214485fe2082661e5ba18054c8d91be0d7e27dbb2f
SHA512

e9be925c8d3fe9fe81383398709fa4a992ccf2a50b833421ff54d629b1088cb8a773af64c87bed3c513f03a6a84f8eb5001f8cf52f895808c6f002c49d44abfe
SSDEEP

12582912:HsiQc7JR+tkXSznRL4KY0XxCDhc/jVPil7pbuhbKDe0uDe07:MiQc7JR+tMSznJY0XxCD6/jVPil7pbDi

Score

8^/10

discovery evasion

Malware Config

Signatures

Looks for VMWare Tools registry key 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\VMware, Inc.\VMware Tools	VMware-workstation-full-16.2.4-20089737.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\O:	VMware-workstation-full-16.2.4-20089737.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\H:	VMware-workstation-full-16.2.4-20089737.exe
File opened (read-only)	\??\J:	VMware-workstation-full-16.2.4-20089737.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\K:	VMware-workstation-full-16.2.4-20089737.exe
File opened (read-only)	\??\W:	VMware-workstation-full-16.2.4-20089737.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\L:	VMware-workstation-full-16.2.4-20089737.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\G:	VMware-workstation-full-16.2.4-20089737.exe
File opened (read-only)	\??\M:	VMware-workstation-full-16.2.4-20089737.exe
File opened (read-only)	\??\N:	VMware-workstation-full-16.2.4-20089737.exe
File opened (read-only)	\??\P:	VMware-workstation-full-16.2.4-20089737.exe
File opened (read-only)	\??\V:	VMware-workstation-full-16.2.4-20089737.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\B:	VMware-workstation-full-16.2.4-20089737.exe
File opened (read-only)	\??\I:	VMware-workstation-full-16.2.4-20089737.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Q:	VMware-workstation-full-16.2.4-20089737.exe
File opened (read-only)	\??\Z:	VMware-workstation-full-16.2.4-20089737.exe
File opened (read-only)	\??\Y:	VMware-workstation-full-16.2.4-20089737.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\T:	VMware-workstation-full-16.2.4-20089737.exe
File opened (read-only)	\??\X:	VMware-workstation-full-16.2.4-20089737.exe
File opened (read-only)	\??\R:	VMware-workstation-full-16.2.4-20089737.exe
File opened (read-only)	\??\S:	VMware-workstation-full-16.2.4-20089737.exe
File opened (read-only)	\??\U:	VMware-workstation-full-16.2.4-20089737.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\A:	VMware-workstation-full-16.2.4-20089737.exe
File opened (read-only)	\??\E:	VMware-workstation-full-16.2.4-20089737.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Common Files\VMware\InstallerCache\{927A213D-406C-4CE6-9C80-7EFDB4FBE97A}.msi	VMware-workstation-full-16.2.4-20089737.exe
File opened for modification	C:\Program Files (x86)\Common Files\VMware\InstallerCache\{927A213D-406C-4CE6-9C80-7EFDB4FBE97A}.msi	VMware-workstation-full-16.2.4-20089737.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\rescache\_merged\1601268389\715946058.pri	taskmgr.exe
File created	C:\Windows\rescache\_merged\2717123927\1590785016.pri	taskmgr.exe
File created	C:\Windows\rescache\_merged\4183903823\2290032291.pri	taskmgr.exe

Executes dropped EXE 4 IoCs

pid	Process
2368	vcredist_x86.exe
3808	vcredist_x86.exe
4024	vcredist_x64.exe
4196	vcredist_x64.exe

Loads dropped DLL 6 IoCs

pid	Process
3808	vcredist_x86.exe
4196	vcredist_x64.exe
4796	MsiExec.exe
4796	MsiExec.exe
4796	MsiExec.exe
200	MsiExec.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1624	4796	WerFault.exe	81

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	taskmgr.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133618046853103354"	chrome.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4796	MsiExec.exe
4796	MsiExec.exe
4796	MsiExec.exe
4796	MsiExec.exe
4796	MsiExec.exe
4796	MsiExec.exe
4796	MsiExec.exe
4796	MsiExec.exe
4796	MsiExec.exe
4796	MsiExec.exe
4796	MsiExec.exe
4796	MsiExec.exe
4796	MsiExec.exe
4796	MsiExec.exe
4796	MsiExec.exe
4796	MsiExec.exe
4796	MsiExec.exe
4796	MsiExec.exe
4796	MsiExec.exe
4796	MsiExec.exe
2120	taskmgr.exe
2120	taskmgr.exe
2120	taskmgr.exe
2120	taskmgr.exe
2120	taskmgr.exe
2120	taskmgr.exe
2120	taskmgr.exe
2120	taskmgr.exe
2120	taskmgr.exe
2120	taskmgr.exe
2120	taskmgr.exe
2120	taskmgr.exe
2120	taskmgr.exe
2120	taskmgr.exe
2120	taskmgr.exe
2120	taskmgr.exe
2120	taskmgr.exe
2120	taskmgr.exe
2120	taskmgr.exe
2120	taskmgr.exe
2120	taskmgr.exe
2120	taskmgr.exe
2120	taskmgr.exe
2120	taskmgr.exe
2120	taskmgr.exe
2120	taskmgr.exe
2120	taskmgr.exe
2120	taskmgr.exe
2120	taskmgr.exe
2120	taskmgr.exe
2120	taskmgr.exe
2120	taskmgr.exe
2120	taskmgr.exe
2120	taskmgr.exe
2120	taskmgr.exe
2120	taskmgr.exe
2120	taskmgr.exe
2120	taskmgr.exe
2120	taskmgr.exe
2120	taskmgr.exe
2120	taskmgr.exe
2120	taskmgr.exe
2120	taskmgr.exe
2120	taskmgr.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 5 IoCs

pid	Process
3236	chrome.exe
3236	chrome.exe
3236	chrome.exe
3236	chrome.exe
3236	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3024	VMware-workstation-full-16.2.4-20089737.exe
Token: SeIncreaseQuotaPrivilege	3024	VMware-workstation-full-16.2.4-20089737.exe
Token: SeSecurityPrivilege	3444	msiexec.exe
Token: SeCreateTokenPrivilege	3024	VMware-workstation-full-16.2.4-20089737.exe
Token: SeAssignPrimaryTokenPrivilege	3024	VMware-workstation-full-16.2.4-20089737.exe
Token: SeLockMemoryPrivilege	3024	VMware-workstation-full-16.2.4-20089737.exe
Token: SeIncreaseQuotaPrivilege	3024	VMware-workstation-full-16.2.4-20089737.exe
Token: SeMachineAccountPrivilege	3024	VMware-workstation-full-16.2.4-20089737.exe
Token: SeTcbPrivilege	3024	VMware-workstation-full-16.2.4-20089737.exe
Token: SeSecurityPrivilege	3024	VMware-workstation-full-16.2.4-20089737.exe
Token: SeTakeOwnershipPrivilege	3024	VMware-workstation-full-16.2.4-20089737.exe
Token: SeLoadDriverPrivilege	3024	VMware-workstation-full-16.2.4-20089737.exe
Token: SeSystemProfilePrivilege	3024	VMware-workstation-full-16.2.4-20089737.exe
Token: SeSystemtimePrivilege	3024	VMware-workstation-full-16.2.4-20089737.exe
Token: SeProfSingleProcessPrivilege	3024	VMware-workstation-full-16.2.4-20089737.exe
Token: SeIncBasePriorityPrivilege	3024	VMware-workstation-full-16.2.4-20089737.exe
Token: SeCreatePagefilePrivilege	3024	VMware-workstation-full-16.2.4-20089737.exe
Token: SeCreatePermanentPrivilege	3024	VMware-workstation-full-16.2.4-20089737.exe
Token: SeBackupPrivilege	3024	VMware-workstation-full-16.2.4-20089737.exe
Token: SeRestorePrivilege	3024	VMware-workstation-full-16.2.4-20089737.exe
Token: SeShutdownPrivilege	3024	VMware-workstation-full-16.2.4-20089737.exe
Token: SeDebugPrivilege	3024	VMware-workstation-full-16.2.4-20089737.exe
Token: SeAuditPrivilege	3024	VMware-workstation-full-16.2.4-20089737.exe
Token: SeSystemEnvironmentPrivilege	3024	VMware-workstation-full-16.2.4-20089737.exe
Token: SeChangeNotifyPrivilege	3024	VMware-workstation-full-16.2.4-20089737.exe
Token: SeRemoteShutdownPrivilege	3024	VMware-workstation-full-16.2.4-20089737.exe
Token: SeUndockPrivilege	3024	VMware-workstation-full-16.2.4-20089737.exe
Token: SeSyncAgentPrivilege	3024	VMware-workstation-full-16.2.4-20089737.exe
Token: SeEnableDelegationPrivilege	3024	VMware-workstation-full-16.2.4-20089737.exe
Token: SeManageVolumePrivilege	3024	VMware-workstation-full-16.2.4-20089737.exe
Token: SeImpersonatePrivilege	3024	VMware-workstation-full-16.2.4-20089737.exe
Token: SeCreateGlobalPrivilege	3024	VMware-workstation-full-16.2.4-20089737.exe
Token: SeCreateTokenPrivilege	3024	VMware-workstation-full-16.2.4-20089737.exe
Token: SeAssignPrimaryTokenPrivilege	3024	VMware-workstation-full-16.2.4-20089737.exe
Token: SeLockMemoryPrivilege	3024	VMware-workstation-full-16.2.4-20089737.exe
Token: SeIncreaseQuotaPrivilege	3024	VMware-workstation-full-16.2.4-20089737.exe
Token: SeMachineAccountPrivilege	3024	VMware-workstation-full-16.2.4-20089737.exe
Token: SeTcbPrivilege	3024	VMware-workstation-full-16.2.4-20089737.exe
Token: SeSecurityPrivilege	3024	VMware-workstation-full-16.2.4-20089737.exe
Token: SeTakeOwnershipPrivilege	3024	VMware-workstation-full-16.2.4-20089737.exe
Token: SeLoadDriverPrivilege	3024	VMware-workstation-full-16.2.4-20089737.exe
Token: SeSystemProfilePrivilege	3024	VMware-workstation-full-16.2.4-20089737.exe
Token: SeSystemtimePrivilege	3024	VMware-workstation-full-16.2.4-20089737.exe
Token: SeProfSingleProcessPrivilege	3024	VMware-workstation-full-16.2.4-20089737.exe
Token: SeIncBasePriorityPrivilege	3024	VMware-workstation-full-16.2.4-20089737.exe
Token: SeCreatePagefilePrivilege	3024	VMware-workstation-full-16.2.4-20089737.exe
Token: SeCreatePermanentPrivilege	3024	VMware-workstation-full-16.2.4-20089737.exe
Token: SeBackupPrivilege	3024	VMware-workstation-full-16.2.4-20089737.exe
Token: SeRestorePrivilege	3024	VMware-workstation-full-16.2.4-20089737.exe
Token: SeShutdownPrivilege	3024	VMware-workstation-full-16.2.4-20089737.exe
Token: SeDebugPrivilege	3024	VMware-workstation-full-16.2.4-20089737.exe
Token: SeAuditPrivilege	3024	VMware-workstation-full-16.2.4-20089737.exe
Token: SeSystemEnvironmentPrivilege	3024	VMware-workstation-full-16.2.4-20089737.exe
Token: SeChangeNotifyPrivilege	3024	VMware-workstation-full-16.2.4-20089737.exe
Token: SeRemoteShutdownPrivilege	3024	VMware-workstation-full-16.2.4-20089737.exe
Token: SeUndockPrivilege	3024	VMware-workstation-full-16.2.4-20089737.exe
Token: SeSyncAgentPrivilege	3024	VMware-workstation-full-16.2.4-20089737.exe
Token: SeEnableDelegationPrivilege	3024	VMware-workstation-full-16.2.4-20089737.exe
Token: SeManageVolumePrivilege	3024	VMware-workstation-full-16.2.4-20089737.exe
Token: SeImpersonatePrivilege	3024	VMware-workstation-full-16.2.4-20089737.exe
Token: SeCreateGlobalPrivilege	3024	VMware-workstation-full-16.2.4-20089737.exe
Token: SeCreateTokenPrivilege	3024	VMware-workstation-full-16.2.4-20089737.exe
Token: SeAssignPrimaryTokenPrivilege	3024	VMware-workstation-full-16.2.4-20089737.exe
Token: SeLockMemoryPrivilege	3024	VMware-workstation-full-16.2.4-20089737.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
3024	VMware-workstation-full-16.2.4-20089737.exe
2120	taskmgr.exe
2120	taskmgr.exe
2120	taskmgr.exe
2120	taskmgr.exe
2120	taskmgr.exe
2120	taskmgr.exe
2120	taskmgr.exe
2120	taskmgr.exe
2120	taskmgr.exe
2120	taskmgr.exe
2120	taskmgr.exe
2120	taskmgr.exe
2120	taskmgr.exe
2120	taskmgr.exe
2120	taskmgr.exe
2120	taskmgr.exe
2120	taskmgr.exe
2120	taskmgr.exe
2120	taskmgr.exe
2120	taskmgr.exe
2120	taskmgr.exe
2120	taskmgr.exe
2120	taskmgr.exe
2120	taskmgr.exe
2120	taskmgr.exe
2120	taskmgr.exe
2120	taskmgr.exe
2120	taskmgr.exe
2120	taskmgr.exe
2120	taskmgr.exe
2120	taskmgr.exe
2120	taskmgr.exe
2120	taskmgr.exe
2120	taskmgr.exe
2120	taskmgr.exe
2120	taskmgr.exe
2120	taskmgr.exe
2120	taskmgr.exe
2120	taskmgr.exe
2120	taskmgr.exe
2120	taskmgr.exe
2120	taskmgr.exe
2120	taskmgr.exe
2120	taskmgr.exe
2120	taskmgr.exe
2120	taskmgr.exe
2120	taskmgr.exe
2120	taskmgr.exe
2120	taskmgr.exe
2120	taskmgr.exe
2120	taskmgr.exe
2120	taskmgr.exe
2120	taskmgr.exe
2120	taskmgr.exe
2120	taskmgr.exe
2120	taskmgr.exe
2120	taskmgr.exe
2120	taskmgr.exe
2120	taskmgr.exe
2120	taskmgr.exe
2120	taskmgr.exe
2120	taskmgr.exe
2120	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
2120	taskmgr.exe
2120	taskmgr.exe
2120	taskmgr.exe
2120	taskmgr.exe
2120	taskmgr.exe
2120	taskmgr.exe
2120	taskmgr.exe
2120	taskmgr.exe
2120	taskmgr.exe
2120	taskmgr.exe
2120	taskmgr.exe
2120	taskmgr.exe
2120	taskmgr.exe
2120	taskmgr.exe
2120	taskmgr.exe
2120	taskmgr.exe
2120	taskmgr.exe
2120	taskmgr.exe
2120	taskmgr.exe
2120	taskmgr.exe
2120	taskmgr.exe
2120	taskmgr.exe
2120	taskmgr.exe
2120	taskmgr.exe
2120	taskmgr.exe
2120	taskmgr.exe
2120	taskmgr.exe
2120	taskmgr.exe
2120	taskmgr.exe
2120	taskmgr.exe
2120	taskmgr.exe
2120	taskmgr.exe
2120	taskmgr.exe
2120	taskmgr.exe
2120	taskmgr.exe
2120	taskmgr.exe
2120	taskmgr.exe
2120	taskmgr.exe
2120	taskmgr.exe
2120	taskmgr.exe
2120	taskmgr.exe
2120	taskmgr.exe
2120	taskmgr.exe
2120	taskmgr.exe
2120	taskmgr.exe
2120	taskmgr.exe
2120	taskmgr.exe
2120	taskmgr.exe
2120	taskmgr.exe
2120	taskmgr.exe
2120	taskmgr.exe
2120	taskmgr.exe
2120	taskmgr.exe
2120	taskmgr.exe
2120	taskmgr.exe
2120	taskmgr.exe
2120	taskmgr.exe
2120	taskmgr.exe
2120	taskmgr.exe
2120	taskmgr.exe
2120	taskmgr.exe
2120	taskmgr.exe
2120	taskmgr.exe
2120	taskmgr.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3024 wrote to memory of 2368	3024	VMware-workstation-full-16.2.4-20089737.exe	73
PID 3024 wrote to memory of 2368	3024	VMware-workstation-full-16.2.4-20089737.exe	73
PID 3024 wrote to memory of 2368	3024	VMware-workstation-full-16.2.4-20089737.exe	73
PID 2368 wrote to memory of 3808	2368	vcredist_x86.exe	74
PID 2368 wrote to memory of 3808	2368	vcredist_x86.exe	74
PID 2368 wrote to memory of 3808	2368	vcredist_x86.exe	74
PID 3024 wrote to memory of 4024	3024	VMware-workstation-full-16.2.4-20089737.exe	75
PID 3024 wrote to memory of 4024	3024	VMware-workstation-full-16.2.4-20089737.exe	75
PID 3024 wrote to memory of 4024	3024	VMware-workstation-full-16.2.4-20089737.exe	75
PID 4024 wrote to memory of 4196	4024	vcredist_x64.exe	76
PID 4024 wrote to memory of 4196	4024	vcredist_x64.exe	76
PID 4024 wrote to memory of 4196	4024	vcredist_x64.exe	76
PID 3444 wrote to memory of 4796	3444	msiexec.exe	81
PID 3444 wrote to memory of 4796	3444	msiexec.exe	81
PID 3444 wrote to memory of 4796	3444	msiexec.exe	81
PID 3444 wrote to memory of 200	3444	msiexec.exe	84
PID 3444 wrote to memory of 200	3444	msiexec.exe	84
PID 3236 wrote to memory of 4468	3236	chrome.exe	94
PID 3236 wrote to memory of 4468	3236	chrome.exe	94
PID 3236 wrote to memory of 3048	3236	chrome.exe	96
PID 3236 wrote to memory of 3048	3236	chrome.exe	96
PID 3236 wrote to memory of 3048	3236	chrome.exe	96
PID 3236 wrote to memory of 3048	3236	chrome.exe	96
PID 3236 wrote to memory of 3048	3236	chrome.exe	96
PID 3236 wrote to memory of 3048	3236	chrome.exe	96
PID 3236 wrote to memory of 3048	3236	chrome.exe	96
PID 3236 wrote to memory of 3048	3236	chrome.exe	96
PID 3236 wrote to memory of 3048	3236	chrome.exe	96
PID 3236 wrote to memory of 3048	3236	chrome.exe	96
PID 3236 wrote to memory of 3048	3236	chrome.exe	96
PID 3236 wrote to memory of 3048	3236	chrome.exe	96
PID 3236 wrote to memory of 3048	3236	chrome.exe	96
PID 3236 wrote to memory of 3048	3236	chrome.exe	96
PID 3236 wrote to memory of 3048	3236	chrome.exe	96
PID 3236 wrote to memory of 3048	3236	chrome.exe	96
PID 3236 wrote to memory of 3048	3236	chrome.exe	96
PID 3236 wrote to memory of 3048	3236	chrome.exe	96
PID 3236 wrote to memory of 3048	3236	chrome.exe	96
PID 3236 wrote to memory of 3048	3236	chrome.exe	96
PID 3236 wrote to memory of 3048	3236	chrome.exe	96
PID 3236 wrote to memory of 3048	3236	chrome.exe	96
PID 3236 wrote to memory of 3048	3236	chrome.exe	96
PID 3236 wrote to memory of 3048	3236	chrome.exe	96
PID 3236 wrote to memory of 3048	3236	chrome.exe	96
PID 3236 wrote to memory of 3048	3236	chrome.exe	96
PID 3236 wrote to memory of 3048	3236	chrome.exe	96
PID 3236 wrote to memory of 3048	3236	chrome.exe	96
PID 3236 wrote to memory of 3048	3236	chrome.exe	96
PID 3236 wrote to memory of 3048	3236	chrome.exe	96
PID 3236 wrote to memory of 3048	3236	chrome.exe	96
PID 3236 wrote to memory of 3048	3236	chrome.exe	96
PID 3236 wrote to memory of 3048	3236	chrome.exe	96
PID 3236 wrote to memory of 3048	3236	chrome.exe	96
PID 3236 wrote to memory of 3048	3236	chrome.exe	96
PID 3236 wrote to memory of 3048	3236	chrome.exe	96
PID 3236 wrote to memory of 3048	3236	chrome.exe	96
PID 3236 wrote to memory of 3048	3236	chrome.exe	96
PID 3236 wrote to memory of 1640	3236	chrome.exe	97
PID 3236 wrote to memory of 1640	3236	chrome.exe	97
PID 3236 wrote to memory of 4208	3236	chrome.exe	98
PID 3236 wrote to memory of 4208	3236	chrome.exe	98
PID 3236 wrote to memory of 4208	3236	chrome.exe	98
PID 3236 wrote to memory of 4208	3236	chrome.exe	98
PID 3236 wrote to memory of 4208	3236	chrome.exe	98

C:\Users\Admin\AppData\Local\Temp\VMware-workstation-full-16.2.4-20089737.exe
"C:\Users\Admin\AppData\Local\Temp\VMware-workstation-full-16.2.4-20089737.exe"
1⤵
- Looks for VMWare Tools registry key
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:3024
- C:\Users\Admin\AppData\Local\Temp\{927A213D-406C-4CE6-9C80-7EFDB4FBE97A}~setup\vcredist_x86.exe
  "C:\Users\Admin\AppData\Local\Temp\{927A213D-406C-4CE6-9C80-7EFDB4FBE97A}~setup\vcredist_x86.exe" /Q /norestart
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2368
- - C:\Windows\Temp\{1F3D43BF-0EE7-4E9A-A5BC-6793ADAAC665}\.cr\vcredist_x86.exe
    "C:\Windows\Temp\{1F3D43BF-0EE7-4E9A-A5BC-6793ADAAC665}\.cr\vcredist_x86.exe" -burn.clean.room="C:\Users\Admin\AppData\Local\Temp\{927A213D-406C-4CE6-9C80-7EFDB4FBE97A}~setup\vcredist_x86.exe" -burn.filehandle.attached=512 -burn.filehandle.self=532 /Q /norestart
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:3808
- C:\Users\Admin\AppData\Local\Temp\{927A213D-406C-4CE6-9C80-7EFDB4FBE97A}~setup\vcredist_x64.exe
  "C:\Users\Admin\AppData\Local\Temp\{927A213D-406C-4CE6-9C80-7EFDB4FBE97A}~setup\vcredist_x64.exe" /Q /norestart
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4024
- - C:\Windows\Temp\{8AEF3CA8-A1BE-44E8-9D96-70BFDEE23C00}\.cr\vcredist_x64.exe
    "C:\Windows\Temp\{8AEF3CA8-A1BE-44E8-9D96-70BFDEE23C00}\.cr\vcredist_x64.exe" -burn.clean.room="C:\Users\Admin\AppData\Local\Temp\{927A213D-406C-4CE6-9C80-7EFDB4FBE97A}~setup\vcredist_x64.exe" -burn.filehandle.attached=512 -burn.filehandle.self=532 /Q /norestart
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:4196

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3444
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 1E48E30002975C2CDF0E5E01E7CEBDEB C
  2⤵
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  PID:4796
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4796 -s 908
    3⤵
    - Program crash
    PID:1624
- C:\Windows\System32\MsiExec.exe
  C:\Windows\System32\MsiExec.exe -Embedding 86528DA053B1D68735B18AFE08600E3A C
  2⤵
  - Loads dropped DLL
  PID:200

C:\Windows\system32\notepad.exe
"C:\Windows\system32\notepad.exe"
1⤵
PID:3648

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2120

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of WriteProcessMemory
PID:3236
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ffe240d9758,0x7ffe240d9768,0x7ffe240d9778
  2⤵
  PID:4468
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1648 --field-trial-handle=1740,i,14294275870971194396,693789411154644157,131072 /prefetch:2
  2⤵
  PID:3048
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2032 --field-trial-handle=1740,i,14294275870971194396,693789411154644157,131072 /prefetch:8
  2⤵
  PID:1640
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2064 --field-trial-handle=1740,i,14294275870971194396,693789411154644157,131072 /prefetch:8
  2⤵
  PID:4208
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3000 --field-trial-handle=1740,i,14294275870971194396,693789411154644157,131072 /prefetch:1
  2⤵
  PID:3932
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3040 --field-trial-handle=1740,i,14294275870971194396,693789411154644157,131072 /prefetch:1
  2⤵
  PID:3140
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4468 --field-trial-handle=1740,i,14294275870971194396,693789411154644157,131072 /prefetch:1
  2⤵
  PID:4008
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4640 --field-trial-handle=1740,i,14294275870971194396,693789411154644157,131072 /prefetch:8
  2⤵
  PID:4836
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4752 --field-trial-handle=1740,i,14294275870971194396,693789411154644157,131072 /prefetch:8
  2⤵
  PID:4556
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4724 --field-trial-handle=1740,i,14294275870971194396,693789411154644157,131072 /prefetch:8
  2⤵
  PID:4648
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4972 --field-trial-handle=1740,i,14294275870971194396,693789411154644157,131072 /prefetch:8
  2⤵
  PID:584
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5076 --field-trial-handle=1740,i,14294275870971194396,693789411154644157,131072 /prefetch:8
  2⤵
  PID:1824
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=5144 --field-trial-handle=1740,i,14294275870971194396,693789411154644157,131072 /prefetch:1
  2⤵
  PID:3764
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=3796 --field-trial-handle=1740,i,14294275870971194396,693789411154644157,131072 /prefetch:1
  2⤵
  PID:3648
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=3140 --field-trial-handle=1740,i,14294275870971194396,693789411154644157,131072 /prefetch:8
  2⤵
  PID:752
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5016 --field-trial-handle=1740,i,14294275870971194396,693789411154644157,131072 /prefetch:8
  2⤵
  PID:3080
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5272 --field-trial-handle=1740,i,14294275870971194396,693789411154644157,131072 /prefetch:8
  2⤵
  PID:4816

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:2208

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x33c
1⤵
PID:4380

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
371B

MD5
7b34837c49b8f7b15f8beb19b2b14586

SHA1
9fbfce5d21656e67a9e28b97565b96ae1b0ce366

SHA256
d1d95a03908aefe8abd7c6b91324cd7539ff27cb4a6591ffc52f217540ca9690

SHA512
2307a90f68a452f31448023aeec8dab017869a9c3baf63319f97a75b8fcbb9429ed005237298cabc4098a86c7ad702b3929b961efa133e9bbd76883bfb266fc3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
874B

MD5
92cbcb14774e0df0ff3ab2644d3c54db

SHA1
d8217e7e8d33fdea57bf87993c9bc6f9ad67eedc

SHA256
38d83dcb3765db349bbaa16de126a2660a0538ab1c7dde7856f9e621bc49297a

SHA512
8b19e5ed922edbd84715f4340fec17e45e0968f9a3190ab65831e2e1ceab452f9ee848e7602d0571d079092210e485ca09c3f3e4bfb7d5eb121b621aab53b92f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
9ddeeff698e4b91302d6e1c788456008

SHA1
7b8eff42551cb60b9a7aa31b1c6abf5766d92896

SHA256
09723aedc2a30ec08a8da6091b85cdd31c67a3b4d85c01df3c50064a97f546f1

SHA512
9a3dcc9b8c678cbe5443c21af9aadbaba8a75d3cbdcbd273714734659e4d370d0517ee73b702866430cbb63d17acc77b10e2e00f2ec27fad146efd184e21acd3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
1836bd68e569ae0c07f7ea1876fa5a7a

SHA1
a06121798a921ecacbadec5be9fa299ca757a6d2

SHA256
a44327df210e99f3ef5cf428dd30e53c96844c95ceb37085b48ce061f4c555d2

SHA512
41aa434d953829705c8e1c2b24f765fe1780ae976f90bbb23894dc4089ca15b22daf83869ba668458d99654c6f0769aa510c8999efd85c6859391edb52b518c1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
12KB

MD5
15e08d8d60fb7b5c4c4b6ec73d39539e

SHA1
e57138e230acfb7fdc035a082261a928eba429cf

SHA256
f4e2a59f932ebd3c159ad1c0a7ba6c9f3204ce0b2d8ce98b6a63a251e041743f

SHA512
f415fd5192645d4c736b8bfb9e48e80d5d463926912c24b576cf76364bb6b26b4ce7b7ae86b8e89dda13831402feee18c9ff4fdaf42441786eefac8eb74a433a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
185B

MD5
507f0ed072a512e037fbba69f45c7e9e

SHA1
8cc7a2a69928eaa0fec7eb595580dc6331df9ccd

SHA256
350bd2865abf4dc7a8bea55889c8e27e78422df70614f17ed602c22f457c6d41

SHA512
d9ca18119ddd1ef30828f9c08d1da2d49d9e527b8a4a31309d38c4f3512facd9109e73c9efee7241a49a3c8a1e4add4b2898ee703e8aaae2f9be81ae02af3b2e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
176B

MD5
7e8e231687f057cfd4960c28c15766db

SHA1
d5a3c001f79030bc9a1209b3a96535351b009a30

SHA256
0bf9aed2bd9602240ca45f2fc2665438f8aa5fa723c6d32209506943672cdfd7

SHA512
63df6ad3e7aa99fc0016e3ca42b8faf2cdb966e2e07f47d04afdb2e6a09409350439e22e0ae2fdf2c5b6915a34d4bcdf02b4e3cae1e8e776c2093add04807f4d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
112B

MD5
9647d959caa476ed82e288c112c38ac4

SHA1
9f9ef4920a0b95a89a39a8603666212809baf797

SHA256
647ba93717f23eeeb8bf6bf29f8b9c2c333e175c1942532d5f714706835cf8fb

SHA512
8b40e6b53612d86208e6c818c2c89de00cb6c924972fda4caacdded181c2ebc7b8637b4e135d9f6366cb04deccae3c186e0fbe05032c47b5a3d5e9dbea84ae9b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt~RFe59f60e.TMP

Filesize
119B

MD5
77e6c783d2bfaf4eb4e72fedacc31c04

SHA1
f79cde151cbc01d89c5877889601d795ad38d226

SHA256
b4c7bd75af146bab0a0cbb7faf5f370b1562fecbfec51f67405d2daf02359eff

SHA512
d75dd91894cff1b8a6b3ed069ba8305dc1076fa1c95c9045b6df597fb0082a08b5cb07c43488836272f79a4aec552714ad3a651268783c5b33e740b3ae74270d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\Database\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Temp\scoped_dir3236_1315529803\Icons Monochrome\16.png

Filesize
216B

MD5
a4fd4f5953721f7f3a5b4bfd58922efe

SHA1
f3abed41d764efbd26bacf84c42bd8098a14c5cb

SHA256
c659d57841bb33d63f7b1334200548f207340d95e8e2ae25aac7a798a08071a3

SHA512
7fcc1ca4d6d97335e76faa65b7cfb381fb722210041bdcd3b31b0f94e15dc226eec4639547af86ae71f311f52a956dc83294c2d23f345e63b5e45e25956b2691

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
278KB

MD5
9ad29bb13bb5fedbae087bbac59dba27

SHA1
4be6354c1aec400a7d2d48cf4ca7f59952913b8d

SHA256
ad089dfb6652dc160ac5274568142e014d5e7a3bdfd1c0ca92bc62940b7f0a80

SHA512
436b5b828b44d942e65cb3f292d2f7e586bfda179f3103580c9936f2d75a9e8058f9016391cc60fc4ea8082b5f446b266e4f8f832327d5ba1d4be9cd20387428

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI149C.tmp

Filesize
2.7MB

MD5
828b8828a7600b984e212dec961d4c3f

SHA1
cb74a27bf2d09e90fe26cd058f72a663be9effb7

SHA256
ff3ffc884bfaf4717d60d0a07afd970479c24c560a25b625c21aaa231b1a3969

SHA512
c49a29e9981a6034f6049daae441e03a8e46690c6052eae84b83e05bfb915d4803140242bc7e5ece61c33f11ed22a4bb7dbfcebf0b6d16f24478224070dcf4c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI1662.tmp

Filesize
202KB

MD5
d773d9bd091e712df7560f576da53de8

SHA1
165cfbdce1811883360112441f7237b287cf0691

SHA256
e0db1804cf53ed4819ed70cb35c67680ce1a77573efded86e6dac81010ce55e7

SHA512
15a956090f8756a6bfdbe191fda36739b1107eada62c6cd3058218beb417bdbd2ea82be9b055f7f6eb8017394b330daff2e9824dbc9c4f137bead8e2ac0574cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI3F1A.tmp

Filesize
2.8MB

MD5
41c9826c5a28d6320e2ba68b7c07e527

SHA1
56d24a0962ba5aeaf542487bfcf9050dd7796111

SHA256
b5d30f659a38a7396ce5749a968295bdd2b1aaac872f7fff0bc97cfc0a5f6d76

SHA512
18fa82b8fc3549c7751abad4d82ab25b4b109f7912650d56326da14048c9aaf0eacb315fa23ddfa7c191cc308bd161ea06d2e0a66f67f6790f57f6891bfdf95e

Download Submit
C:\Users\Admin\AppData\Local\Temp\vminst.log

Filesize
34KB

MD5
8104ad496f71471edb39239faaf89d4a

SHA1
8970149af3154d02e3fefd546d5e797e83b80c93

SHA256
e8e0cacf3909ff101af924f7b51ea1804bc307eb65384ef5846e279f6bfe31ab

SHA512
a96141a8db82f2becb1d1b925c1f0b879e008285eb775bade2da5a30d17a9def0affd66b145c0436d86119263e06e9f31c191fe6a1796b671f1b46facf81805d

Download Submit
C:\Users\Admin\AppData\Local\Temp\vminst.log

Filesize
40KB

MD5
161a8c7f3bf17de14a5d305f94e263bd

SHA1
07c2e83c1ff5f21db35f32a8b492749e2a7da013

SHA256
e1fd4b855a0b921ee8dd7033d5ced43e074c6d29e0d12e23bc3292f271b9d406

SHA512
fdccf8e01655b6cbf9d9e1ae2c58cadf95d553982f11fa3efed04b062190726982f32a1572049f7baa5af84a6abd6ecd02704ca75326a1963f5090bff5703321

Download Submit
C:\Users\Admin\AppData\Local\Temp\vminst.log

Filesize
41KB

MD5
adadba80d3c257115e9242eb999524af

SHA1
3dc83bb058869915042a01117ef45a3045fc0290

SHA256
0301006a83888f6d2bfe0df34c1a0380ccfb22f53c0fd72e92a11a77d7084a9e

SHA512
924dd9ea8284797f6615411dba7c4fd777c9d0c3c41a355c5b0443be487b32d141de96abd4f9b09c1f8a0ee9a04ef2935efec23def42fdf48b70094f2e1ebb49

Download Submit
C:\Users\Admin\AppData\Local\Temp\{927A213D-406C-4CE6-9C80-7EFDB4FBE97A}~setup\vcredist_x64.exe

Filesize
14.2MB

MD5
a56672c4522a1b9bb767c8b6cfbe0ba4

SHA1
18a31b3f7fed28870b882909d91dfa8ec5bc87a6

SHA256
015edd4e5d36e053b23a01adb77a2b12444d3fb6eccefe23e3a8cd6388616a16

SHA512
5170b3fd4a0fc637184044c9dbe7ab3f8ca115fbac5ec851802c290139a3d99aacfd458fe2e925eb3282612c9b18d4c857f8c39284efbf3da49317a1fecc16ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\{927A213D-406C-4CE6-9C80-7EFDB4FBE97A}~setup\vcredist_x86.exe

Filesize
13.7MB

MD5
b347c30bd3394b01039b1bf0c3efde53

SHA1
d7a91e4225d0b52310fdfec2331b15ad39f3391f

SHA256
e830c313aa99656748f9d2ed582c28101eaaf75f5377e3fb104c761bf3f808b2

SHA512
a5c33e0f588e11b228caf7da0d64ee1456601680703ed35769bd7bc56a891e182fd35d5501598e344ca46f2bcc83fc388f27489f7512c81d27bff4a61d1fdbda

Download Submit
C:\Windows\Temp\{1F3D43BF-0EE7-4E9A-A5BC-6793ADAAC665}\.cr\vcredist_x86.exe

Filesize
632KB

MD5
4d6b31d542ec3fd96bcf8a0cfae9f8ea

SHA1
b5be29ab2f0d30825c763df5a3cb071d1a708e05

SHA256
55d27902ffebfc7e5ab55962c0c3e6f9c901729a40abe5e564ee8e436a07ba17

SHA512
bbbb13c0aca849ebd5369a07e2b089d298f7d1f0ccb4dfaaf23c6d7deb9bda885f6c12d62f921dbdac2a473d0ffd23b60f04bc387210bf3e9ab33ee60e3f2c20

Download Submit
C:\Windows\Temp\{8AEF3CA8-A1BE-44E8-9D96-70BFDEE23C00}\.cr\vcredist_x64.exe

Filesize
632KB

MD5
cd3e6f264b47b68097363494b9a389ad

SHA1
a9af64b7608e66338e90709e7d1fd3aed8a3b83e

SHA256
63debb4675d2875d5787e7bae52e73bddc040939ea9235df897c3fd7818de9d3

SHA512
171e42561f3e9a2dcec37ead64bed9b754e52f8bcd45a4ad157e2ca1cc85cac94547cda5ade8d34b64029d14e4545cea7508d9ca9bb3e2b914dc953f7de332f4

Download Submit
C:\Windows\Temp\{BCFC1D6E-258A-4A12-84C3-2E2A7E09107B}\.ba\logo.png

Filesize
1KB

MD5
d6bd210f227442b3362493d046cea233

SHA1
ff286ac8370fc655aea0ef35e9cf0bfcb6d698de

SHA256
335a256d4779ec5dcf283d007fb56fd8211bbcaf47dcd70fe60ded6a112744ef

SHA512
464aaab9e08de610ad34b97d4076e92dc04c2cdc6669f60bfc50f0f9ce5d71c31b8943bd84cee1a04fb9ab5bbed3442bd41d9cb21a0dd170ea97c463e1ce2b5b

Download Submit
\Windows\Temp\{BCFC1D6E-258A-4A12-84C3-2E2A7E09107B}\.ba\wixstdba.dll

Filesize
191KB

MD5
eab9caf4277829abdf6223ec1efa0edd

SHA1
74862ecf349a9bedd32699f2a7a4e00b4727543d

SHA256
a4efbdb2ce55788ffe92a244cb775efd475526ef5b61ad78de2bcdfaddac7041

SHA512
45b15ade68e0a90ea7300aeb6dca9bc9e347a63dba5ce72a635957564d1bdf0b1584a5e34191916498850fc7b3b7ecfbcbfcb246b39dbf59d47f66bc825c6fd2

Download Submit