Analysis

  • max time kernel
    184s
  • max time network
    193s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    11-06-2024 16:48

General

  • Target

    VMware-player-17.5.2-23775571.exe

  • Size

    229.6MB

  • MD5

    eb01e99d908fa2742fe4e0c60635c68f

  • SHA1

    f2a8a6c3021d5a9fb5d228958145915fb802f477

  • SHA256

    85b3f341d654847fba6523dbdf4e30f1721870d194ec53f1065291e8ccbd3474

  • SHA512

    21693b7c8222afc6bbab7e81f7893c860b06e257a09571e9973930b946a2789bbb3051295d09ac4e781f5bb02aba0182c32ebaa3a8a7eb2863a2ff054e4d1cfb

  • SSDEEP

    6291456:vIAo5MRcHji9p+c5mod6xbo5GF1yrDe02ER/0W5UX:VoWqjUPmY6xbo5GCrDe05/0W5UX

Malware Config

Signatures

  • Drops file in Drivers directory 27 IoCs
  • Looks for VMWare Tools registry key 2 TTPs 1 IoCs
  • Looks for VMWare drivers on disk 2 TTPs 1 IoCs
  • Looks for VMWare services registry key. 1 TTPs 12 IoCs
  • Sets service image path in registry 2 TTPs 1 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops file in System32 directory 64 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 64 IoCs
  • Executes dropped EXE 38 IoCs
  • Loads dropped DLL 64 IoCs
  • Registers COM server for autorun 1 TTPs 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks SCSI registry key(s) 3 TTPs 64 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 10 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 6 IoCs
  • Modifies Internet Explorer settings 1 TTPs 6 IoCs
  • Modifies data under HKEY_USERS 64 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 56 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: LoadsDriver 12 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 48 IoCs
  • Suspicious use of SendNotifyMessage 41 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\VMware-player-17.5.2-23775571.exe
    "C:\Users\Admin\AppData\Local\Temp\VMware-player-17.5.2-23775571.exe"
    1⤵
    • Looks for VMWare Tools registry key
    • Enumerates connected drives
    • Drops file in Program Files directory
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of WriteProcessMemory
    PID:2400
    • C:\Users\Admin\AppData\Local\Temp\{F47C8797-293D-4702-A238-F1EF11F8A1B0}~setup\vcredist_x86.exe
      "C:\Users\Admin\AppData\Local\Temp\{F47C8797-293D-4702-A238-F1EF11F8A1B0}~setup\vcredist_x86.exe" /Q /norestart
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:3996
      • C:\Windows\Temp\{52B97F84-1588-4D19-BE38-1998F9E2175C}\.cr\vcredist_x86.exe
        "C:\Windows\Temp\{52B97F84-1588-4D19-BE38-1998F9E2175C}\.cr\vcredist_x86.exe" -burn.clean.room="C:\Users\Admin\AppData\Local\Temp\{F47C8797-293D-4702-A238-F1EF11F8A1B0}~setup\vcredist_x86.exe" -burn.filehandle.attached=540 -burn.filehandle.self=548 /Q /norestart
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:2648
        • C:\Windows\Temp\{040980F8-08CD-4BA2-8388-C5A4988B2D55}\.be\VC_redist.x86.exe
          "C:\Windows\Temp\{040980F8-08CD-4BA2-8388-C5A4988B2D55}\.be\VC_redist.x86.exe" -q -burn.elevated BurnPipe.{9A5C5173-A80D-4FFA-942A-4B8396384C00} {6C20D074-B59B-4663-B85B-CC347CC09B32} 2648
          4⤵
          • Adds Run key to start application
          • Executes dropped EXE
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1420
          • C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe
            "C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe" -uninstall -quiet -burn.related.upgrade -burn.ancestors={410c0ee1-00bb-41b6-9772-e12c2828b02f} -burn.filehandle.self=1144 -burn.embedded BurnPipe.{1D2B9CD1-5948-4009-A0B0-CFDE18C5A0CC} {19BEC786-A9AE-4360-8942-ADCC37EF6C9C} 1420
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:2152
            • C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe
              "C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe" -burn.clean.room="C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe" -burn.filehandle.attached=516 -burn.filehandle.self=536 -uninstall -quiet -burn.related.upgrade -burn.ancestors={410c0ee1-00bb-41b6-9772-e12c2828b02f} -burn.filehandle.self=1144 -burn.embedded BurnPipe.{1D2B9CD1-5948-4009-A0B0-CFDE18C5A0CC} {19BEC786-A9AE-4360-8942-ADCC37EF6C9C} 1420
              6⤵
              • Loads dropped DLL
              • Suspicious use of WriteProcessMemory
              PID:1884
              • C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe
                "C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe" -q -burn.elevated BurnPipe.{D4355F92-730D-4F16-A428-6844A762B34B} {FF6AC24F-56AD-4628-8E79-10159F2675F3} 1884
                7⤵
                  PID:4012
      • C:\Users\Admin\AppData\Local\Temp\{F47C8797-293D-4702-A238-F1EF11F8A1B0}~setup\vcredist_x64.exe
        "C:\Users\Admin\AppData\Local\Temp\{F47C8797-293D-4702-A238-F1EF11F8A1B0}~setup\vcredist_x64.exe" /Q /norestart
        2⤵
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:3988
        • C:\Windows\Temp\{A4D93C42-2F99-4C21-A0C5-89E2B351CAE3}\.cr\vcredist_x64.exe
          "C:\Windows\Temp\{A4D93C42-2F99-4C21-A0C5-89E2B351CAE3}\.cr\vcredist_x64.exe" -burn.clean.room="C:\Users\Admin\AppData\Local\Temp\{F47C8797-293D-4702-A238-F1EF11F8A1B0}~setup\vcredist_x64.exe" -burn.filehandle.attached=544 -burn.filehandle.self=556 /Q /norestart
          3⤵
          • Checks computer location settings
          • Executes dropped EXE
          • Loads dropped DLL
          • Suspicious use of WriteProcessMemory
          PID:1856
          • C:\Windows\Temp\{E8D00CD8-A320-4CCB-94EE-495D94D999EF}\.be\VC_redist.x64.exe
            "C:\Windows\Temp\{E8D00CD8-A320-4CCB-94EE-495D94D999EF}\.be\VC_redist.x64.exe" -q -burn.elevated BurnPipe.{0CE161D1-B851-41E9-BBB1-A938848A9774} {03A0AF37-8F23-4574-A273-74A9AA806AFD} 1856
            4⤵
            • Adds Run key to start application
            • Executes dropped EXE
            • Modifies registry class
            • Suspicious use of WriteProcessMemory
            PID:5028
            • C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe
              "C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe" -uninstall -quiet -burn.related.upgrade -burn.ancestors={8bdfe669-9705-4184-9368-db9ce581e0e7} -burn.filehandle.self=1128 -burn.embedded BurnPipe.{DE87A203-4DDA-4C6D-A93C-9E374FDE6681} {7F076D1C-CFB7-49C1-9040-82CC596AC296} 5028
              5⤵
              • Suspicious use of WriteProcessMemory
              PID:1572
              • C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe
                "C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe" -burn.clean.room="C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe" -burn.filehandle.attached=516 -burn.filehandle.self=536 -uninstall -quiet -burn.related.upgrade -burn.ancestors={8bdfe669-9705-4184-9368-db9ce581e0e7} -burn.filehandle.self=1128 -burn.embedded BurnPipe.{DE87A203-4DDA-4C6D-A93C-9E374FDE6681} {7F076D1C-CFB7-49C1-9040-82CC596AC296} 5028
                6⤵
                • Loads dropped DLL
                • Suspicious use of WriteProcessMemory
                PID:3292
                • C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe
                  "C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe" -q -burn.elevated BurnPipe.{9B454164-A3E2-48F1-9BF2-52DFC0B34441} {4C66DC50-81B4-4996-BF3A-1DFB9D7FFBD6} 3292
                  7⤵
                  • Modifies registry class
                  PID:4964
    • C:\Windows\system32\vssvc.exe
      C:\Windows\system32\vssvc.exe
      1⤵
      • Checks SCSI registry key(s)
      • Suspicious use of AdjustPrivilegeToken
      PID:2004
    • C:\Windows\system32\srtasks.exe
      C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
      1⤵
        PID:2784
      • C:\Windows\system32\msiexec.exe
        C:\Windows\system32\msiexec.exe /V
        1⤵
        • Looks for VMWare services registry key.
        • Enumerates connected drives
        • Drops file in System32 directory
        • Drops file in Program Files directory
        • Drops file in Windows directory
        • Modifies Internet Explorer settings
        • Modifies data under HKEY_USERS
        • Modifies registry class
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:4000
        • C:\Windows\syswow64\MsiExec.exe
          C:\Windows\syswow64\MsiExec.exe -Embedding 5E5643F0707694DDD35E1A8CD0EC198D C
          2⤵
          • Loads dropped DLL
          • Suspicious behavior: EnumeratesProcesses
          PID:4624
        • C:\Windows\System32\MsiExec.exe
          C:\Windows\System32\MsiExec.exe -Embedding 788F6EB4D6EA30599FE0B212D689D8FA C
          2⤵
          • Loads dropped DLL
          PID:112
        • C:\Windows\syswow64\MsiExec.exe
          C:\Windows\syswow64\MsiExec.exe -Embedding 8605B1E84BF1FB5E7B0FF1031604CF18
          2⤵
          • Looks for VMWare services registry key.
          • Drops file in System32 directory
          • Drops file in Windows directory
          • Loads dropped DLL
          • Modifies registry class
          PID:1572
        • C:\Windows\System32\MsiExec.exe
          C:\Windows\System32\MsiExec.exe -Embedding B99A1964BBF8D7559CBA8DA3C6D82971
          2⤵
          • Loads dropped DLL
          PID:2912
        • C:\Windows\syswow64\MsiExec.exe
          C:\Windows\syswow64\MsiExec.exe -Embedding 8DC5AB95264739AFAEFE181381D0FE16 E Global\MSI0000
          2⤵
          • Drops file in System32 directory
          • Drops file in Windows directory
          • Loads dropped DLL
          • Suspicious use of WriteProcessMemory
          PID:3984
          • C:\Program Files (x86)\Common Files\VMware\USB\DriverCache\vnetlib64.exe
            "C:\Program Files (x86)\Common Files\VMware\USB\DriverCache\vnetlib64.exe" -- uninstall usb
            3⤵
            • Drops file in Windows directory
            • Executes dropped EXE
            PID:1900
          • C:\Program Files (x86)\Common Files\VMware\USB\DriverCache\vnetlib64.exe
            "C:\Program Files (x86)\Common Files\VMware\USB\DriverCache\vnetlib64.exe" -- install vmusb Win8
            3⤵
            • Executes dropped EXE
            PID:1420
          • C:\Program Files (x86)\Common Files\VMware\USB\vnetlib64.exe
            "C:\Program Files (x86)\Common Files\VMware\USB\vnetlib64.exe" -- install hcmoninf 5;Win7
            3⤵
            • Drops file in Drivers directory
            • Drops file in System32 directory
            • Executes dropped EXE
            • Loads dropped DLL
            • Modifies data under HKEY_USERS
            PID:4196
          • C:\Program Files (x86)\VMware\VMware Player\vnetlib64.exe
            "C:\Program Files (x86)\VMware\VMware Player\vnetlib64.exe" -- remove adapter vmnet0
            3⤵
            • Executes dropped EXE
            PID:3304
          • C:\Program Files (x86)\VMware\VMware Player\vnetlib64.exe
            "C:\Program Files (x86)\VMware\VMware Player\vnetlib64.exe" -- remove adapter vmnet1
            3⤵
            • Executes dropped EXE
            PID:3272
          • C:\Program Files (x86)\VMware\VMware Player\vnetlib64.exe
            "C:\Program Files (x86)\VMware\VMware Player\vnetlib64.exe" -- remove adapter vmnet2
            3⤵
            • Executes dropped EXE
            PID:4480
          • C:\Program Files (x86)\VMware\VMware Player\vnetlib64.exe
            "C:\Program Files (x86)\VMware\VMware Player\vnetlib64.exe" -- remove adapter vmnet3
            3⤵
            • Executes dropped EXE
            PID:1088
          • C:\Program Files (x86)\VMware\VMware Player\vnetlib64.exe
            "C:\Program Files (x86)\VMware\VMware Player\vnetlib64.exe" -- remove adapter vmnet4
            3⤵
            • Executes dropped EXE
            PID:3876
          • C:\Program Files (x86)\VMware\VMware Player\vnetlib64.exe
            "C:\Program Files (x86)\VMware\VMware Player\vnetlib64.exe" -- remove adapter vmnet5
            3⤵
            • Executes dropped EXE
            PID:4364
          • C:\Program Files (x86)\VMware\VMware Player\vnetlib64.exe
            "C:\Program Files (x86)\VMware\VMware Player\vnetlib64.exe" -- remove adapter vmnet6
            3⤵
            • Executes dropped EXE
            PID:1436
          • C:\Program Files (x86)\VMware\VMware Player\vnetlib64.exe
            "C:\Program Files (x86)\VMware\VMware Player\vnetlib64.exe" -- remove adapter vmnet7
            3⤵
            • Executes dropped EXE
            PID:2916
          • C:\Program Files (x86)\VMware\VMware Player\vnetlib64.exe
            "C:\Program Files (x86)\VMware\VMware Player\vnetlib64.exe" -- remove adapter vmnet8
            3⤵
            • Executes dropped EXE
            PID:1624
          • C:\Program Files (x86)\VMware\VMware Player\vnetlib64.exe
            "C:\Program Files (x86)\VMware\VMware Player\vnetlib64.exe" -- remove adapter vmnet9
            3⤵
            • Executes dropped EXE
            PID:3736
          • C:\Program Files (x86)\VMware\VMware Player\vnetlib64.exe
            "C:\Program Files (x86)\VMware\VMware Player\vnetlib64.exe" -- remove adapter vmnet10
            3⤵
            • Executes dropped EXE
            PID:3624
          • C:\Program Files (x86)\VMware\VMware Player\vnetlib64.exe
            "C:\Program Files (x86)\VMware\VMware Player\vnetlib64.exe" -- remove adapter vmnet11
            3⤵
            • Executes dropped EXE
            PID:1696
          • C:\Program Files (x86)\VMware\VMware Player\vnetlib64.exe
            "C:\Program Files (x86)\VMware\VMware Player\vnetlib64.exe" -- remove adapter vmnet12
            3⤵
            • Executes dropped EXE
            PID:2196
          • C:\Program Files (x86)\VMware\VMware Player\vnetlib64.exe
            "C:\Program Files (x86)\VMware\VMware Player\vnetlib64.exe" -- remove adapter vmnet13
            3⤵
            • Executes dropped EXE
            PID:772
          • C:\Program Files (x86)\VMware\VMware Player\vnetlib64.exe
            "C:\Program Files (x86)\VMware\VMware Player\vnetlib64.exe" -- remove adapter vmnet14
            3⤵
            • Executes dropped EXE
            PID:4896
          • C:\Program Files (x86)\VMware\VMware Player\vnetlib64.exe
            "C:\Program Files (x86)\VMware\VMware Player\vnetlib64.exe" -- remove adapter vmnet15
            3⤵
            • Executes dropped EXE
            PID:744
          • C:\Program Files (x86)\VMware\VMware Player\vnetlib64.exe
            "C:\Program Files (x86)\VMware\VMware Player\vnetlib64.exe" -- remove adapter vmnet16
            3⤵
            • Executes dropped EXE
            PID:3464
          • C:\Program Files (x86)\VMware\VMware Player\vnetlib64.exe
            "C:\Program Files (x86)\VMware\VMware Player\vnetlib64.exe" -- remove adapter vmnet17
            3⤵
            • Executes dropped EXE
            PID:1504
          • C:\Program Files (x86)\VMware\VMware Player\vnetlib64.exe
            "C:\Program Files (x86)\VMware\VMware Player\vnetlib64.exe" -- remove adapter vmnet18
            3⤵
            • Executes dropped EXE
            PID:4808
          • C:\Program Files (x86)\VMware\VMware Player\vnetlib64.exe
            "C:\Program Files (x86)\VMware\VMware Player\vnetlib64.exe" -- remove adapter vmnet19
            3⤵
            • Executes dropped EXE
            PID:2748
          • C:\Program Files (x86)\VMware\VMware Player\vnetlib64.exe
            "C:\Program Files (x86)\VMware\VMware Player\vnetlib64.exe" -- uninstall bridge
            3⤵
            • Executes dropped EXE
            PID:2272
          • C:\Program Files (x86)\VMware\VMware Player\vnetlib64.exe
            "C:\Program Files (x86)\VMware\VMware Player\vnetlib64.exe" -- uninstall userif 5;None
            3⤵
            • Executes dropped EXE
            • Loads dropped DLL
            PID:924
          • C:\Program Files (x86)\VMware\VMware Player\vnetlib64.exe
            "C:\Program Files (x86)\VMware\VMware Player\vnetlib64.exe" -- install bridge
            3⤵
            • Drops file in Drivers directory
            • Drops file in System32 directory
            • Executes dropped EXE
            • Loads dropped DLL
            • Registers COM server for autorun
            • Checks SCSI registry key(s)
            • Modifies registry class
            PID:4556
          • C:\Program Files (x86)\VMware\VMware Player\vnetlib64.exe
            "C:\Program Files (x86)\VMware\VMware Player\vnetlib64.exe" -- install userif 5;None
            3⤵
            • Drops file in Drivers directory
            • Drops file in System32 directory
            • Executes dropped EXE
            • Loads dropped DLL
            • Modifies data under HKEY_USERS
            PID:2544
          • C:\Program Files (x86)\VMware\VMware Player\vnetlib64.exe
            "C:\Program Files (x86)\VMware\VMware Player\vnetlib64.exe" -- add adapter vmnet1
            3⤵
            • Drops file in System32 directory
            • Drops file in Windows directory
            • Executes dropped EXE
            • Checks SCSI registry key(s)
            PID:4480
          • C:\Program Files (x86)\VMware\VMware Player\vnetlib64.exe
            "C:\Program Files (x86)\VMware\VMware Player\vnetlib64.exe" -- add adapter vmnet8
            3⤵
            • Drops file in Windows directory
            • Executes dropped EXE
            • Checks SCSI registry key(s)
            PID:3252
          • C:\Program Files (x86)\VMware\VMware Player\vnetlib64.exe
            "C:\Program Files (x86)\VMware\VMware Player\vnetlib64.exe" -- install vmx86inf 5;Win8
            3⤵
            • Drops file in Drivers directory
            • Looks for VMWare services registry key.
            • Executes dropped EXE
            • Modifies data under HKEY_USERS
            PID:2628
        • C:\Windows\System32\MsiExec.exe
          C:\Windows\System32\MsiExec.exe -Embedding B7ECE69D9FF99AE2CBEB112607DDC7E8 E Global\MSI0000
          2⤵
          • Drops file in Drivers directory
          • Looks for VMWare services registry key.
          • Sets service image path in registry
          • Drops file in System32 directory
          • Drops file in Windows directory
          • Loads dropped DLL
          • Checks SCSI registry key(s)
          • Modifies data under HKEY_USERS
          • Suspicious behavior: LoadsDriver
          PID:2028
      • C:\Windows\system32\taskmgr.exe
        "C:\Windows\system32\taskmgr.exe" /4
        1⤵
        • Checks SCSI registry key(s)
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:2264
      • C:\Windows\system32\svchost.exe
        C:\Windows\system32\svchost.exe -k DcomLaunch -p -s DeviceInstall
        1⤵
        • Drops file in Windows directory
        • Checks SCSI registry key(s)
        • Suspicious use of WriteProcessMemory
        PID:3708
        • C:\Windows\system32\DrvInst.exe
          DrvInst.exe "4" "1" "C:\Program Files\Common Files\VMware\Drivers\vmusb\Win8\vmusb.inf" "9" "454492f13" "0000000000000148" "WinSta0\Default" "0000000000000158" "208" "C:\Program Files\Common Files\VMware\Drivers\vmusb\Win8"
          2⤵
          • Drops file in System32 directory
          • Drops file in Windows directory
          • Checks SCSI registry key(s)
          • Modifies data under HKEY_USERS
          PID:3020
        • C:\Windows\system32\DrvInst.exe
          DrvInst.exe "4" "1" "C:\Program Files (x86)\VMware\VMware Player\netbridge.inf" "9" "4f3176507" "0000000000000148" "WinSta0\Default" "0000000000000144" "208" "C:\Program Files (x86)\VMware\VMware Player"
          2⤵
          • Drops file in System32 directory
          • Drops file in Windows directory
          • Checks SCSI registry key(s)
          • Modifies data under HKEY_USERS
          PID:4156
        • C:\Windows\system32\DrvInst.exe
          DrvInst.exe "4" "1" "C:\Program Files (x86)\VMware\VMware Player\netadapter.inf" "9" "4a5017fd3" "000000000000017C" "WinSta0\Default" "0000000000000180" "208" "C:\Program Files (x86)\VMware\VMware Player"
          2⤵
          • Drops file in System32 directory
          • Drops file in Windows directory
          • Checks SCSI registry key(s)
          • Modifies data under HKEY_USERS
          PID:4620
        • C:\Windows\system32\DrvInst.exe
          DrvInst.exe "2" "211" "ROOT\VMWARE\0000" "C:\Windows\INF\oem5.inf" "oem5.inf:fc9f1aa2477c2bb3:VMnetAdapter1.Install:14.0.0.8:*vmnetadapter1," "4cbdd083b" "000000000000017C"
          2⤵
          • Drops file in Drivers directory
          • Loads dropped DLL
          • Checks SCSI registry key(s)
          • Modifies data under HKEY_USERS
          PID:2492
        • C:\Windows\system32\DrvInst.exe
          DrvInst.exe "2" "211" "ROOT\VMWARE\0001" "C:\Windows\INF\oem5.inf" "oem5.inf:fc9f1aa2df34f6ba:VMnetAdapter8.Install:14.0.0.8:*vmnetadapter8," "47eb20b4f" "000000000000017C"
          2⤵
          • Modifies data under HKEY_USERS
          PID:2748
        • C:\Windows\system32\DrvInst.exe
          DrvInst.exe "4" "1" "C:\Program Files\Common Files\VMware\Drivers\vmci\device\Win8\vmci.inf" "9" "4d941d7e3" "000000000000017C" "WinSta0\Default" "0000000000000144" "208" "C:\Program Files\Common Files\VMware\Drivers\vmci\device\Win8"
          2⤵
          • Drops file in Windows directory
          • Checks SCSI registry key(s)
          • Modifies data under HKEY_USERS
          PID:4808
        • C:\Windows\system32\DrvInst.exe
          DrvInst.exe "2" "211" "ROOT\VMWVMCIHOSTDEV\0000" "C:\Windows\INF\oem6.inf" "oem6.inf:9c00c72d390d9e8f:vmci.install.x64:9.8.18.0:root\vmwvmcihostdev," "42936a687" "000000000000017C"
          2⤵
          • Drops file in Drivers directory
          • Looks for VMWare drivers on disk
          • Looks for VMWare services registry key.
          • Drops file in Windows directory
          • Checks SCSI registry key(s)
          PID:4444
      • \??\c:\windows\system32\NetCfgNotifyObjectHost.exe
        c:\windows\system32\NetCfgNotifyObjectHost.exe {DD85BC8D-7FB6-4F72-A691-5B1A121EC2A4} 536
        1⤵
        PID:3376
      • C:\Windows\System32\svchost.exe
        C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s Netman
        1⤵
        PID:2976
      • \??\c:\windows\system32\NetCfgNotifyObjectHost.exe
        c:\windows\system32\NetCfgNotifyObjectHost.exe {02162219-0FF9-421B-B6BD-AD499D9AF3DA} 504
        1⤵
        PID:2216
      • \??\c:\windows\system32\NetCfgNotifyObjectHost.exe
        c:\windows\system32\NetCfgNotifyObjectHost.exe {EC402F51-EC3D-4F48-B7DA-9198B5861FCC} 464
        1⤵
        PID:2972
      • \??\c:\windows\system32\NetCfgNotifyObjectHost.exe
        c:\windows\system32\NetCfgNotifyObjectHost.exe {38E743A8-3B20-4C9A-B93A-2EE59FCAE462} 644
        1⤵
        PID:2176
      • C:\Program Files (x86)\Common Files\VMware\USB\vmware-usbarbitrator64.exe
        "C:\Program Files (x86)\Common Files\VMware\USB\vmware-usbarbitrator64.exe"
        1⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        PID:1256
      • C:\Program Files (x86)\VMware\VMware Player\vmplayer.exe
        "C:\Program Files (x86)\VMware\VMware Player\vmplayer.exe"
        1⤵
        • Enumerates connected drives
        • Writes to the Master Boot Record (MBR)
        • Executes dropped EXE
        • Checks processor information in registry
        • Enumerates system info in registry
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        PID:2948
      • C:\Windows\SysWOW64\DllHost.exe
        C:\Windows\SysWOW64\DllHost.exe /Processid:{13B6B196-AD7B-4C7F-9BDC-B1CB2EE86552}
        1⤵
        PID:3624

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Config.Msi\e582626.rbs

    Filesize

    16KB

  • C:\Config.Msi\e58262b.rbs

    Filesize

    18KB

  • C:\Config.Msi\e582638.rbs

    Filesize

    20KB

  • C:\Config.Msi\e582647.rbs

    Filesize

    19KB

  • C:\Config.Msi\e58264e.rbs

    Filesize

    19KB

  • C:\Config.Msi\e58265a.rbs

    Filesize

    19KB

  • C:\Config.Msi\e582661.rbs

    Filesize

    21KB

  • C:\Config.Msi\e582670.rbs

    Filesize

    21KB

  • C:\Config.Msi\e582673.rbs

    Filesize

    13.0MB

  • C:\Program Files (x86)\VMware\VMware Player\OVFTool\env\ovftool-hw9-config-option.xml

    Filesize

    861KB

                  • C:\Program Files (x86)\VMware\VMware Player\vmplayer.exe

                    Filesize

                    1.8MB

                  • C:\Program Files (x86)\VMware\VMware Player\vmwarebase.dll

                    Filesize

                    6.7MB

                  • C:\Program Files (x86)\VMware\VMware Player\x64\icudt44l.dat

                    Filesize

                    9.2MB

                  • C:\ProgramData\Microsoft\Windows\Start Menu\Programs\VMware\VMware Workstation 17 Player.lnk

                    Filesize

                    1KB

                  • C:\ProgramData\Microsoft\Windows\Start Menu\Programs\VMware\VMware Workstation 17 Player.lnk~RFe594c61.TMP

                    Filesize

                    1KB

                  • C:\ProgramData\Package Cache\{410c0ee1-00bb-41b6-9772-e12c2828b02f}\state.rsm

                    Filesize

                    1KB

                  • C:\Users\Admin\AppData\Local\Temp\FKL36E5.tmp.dir\DIFXAPI.dll

                    Filesize

                    386KB

                  • C:\Users\Admin\AppData\Local\Temp\MSIA301.tmp

                    Filesize

                    2.6MB

                  • C:\Users\Admin\AppData\Local\Temp\MSIBC09.tmp

                    Filesize

                    2.9MB

                  • C:\Users\Admin\AppData\Local\Temp\dd_vcredist_amd64_20240611165009_000_vcRuntimeMinimum_x64.log

                    Filesize

                    2KB

                  • C:\Users\Admin\AppData\Local\Temp\dd_vcredist_amd64_20240611165009_001_vcRuntimeAdditional_x64.log

                    Filesize

                    2KB

                  • C:\Users\Admin\AppData\Local\Temp\dd_vcredist_x86_20240611164952_000_vcRuntimeMinimum_x86.log

                    Filesize

                    2KB

                  • C:\Users\Admin\AppData\Local\Temp\dd_vcredist_x86_20240611164952_001_vcRuntimeAdditional_x86.log

                    Filesize

                    2KB

                  • C:\Users\Admin\AppData\Local\Temp\vminst.log

                    Filesize

                    28KB

                  • C:\Users\Admin\AppData\Local\Temp\vminst.log

                    Filesize

                    33KB

                  • C:\Users\Admin\AppData\Local\Temp\vminst.log

                    Filesize

                    52KB

                  • C:\Users\Admin\AppData\Local\Temp\vminst.log

                    Filesize

                    52KB

                  • C:\Users\Admin\AppData\Local\Temp\vminst.log

                    Filesize

                    54KB

                  • C:\Users\Admin\AppData\Local\Temp\vmmsi.log

                    Filesize

                    177KB

                  • C:\Users\Admin\AppData\Local\Temp\vmmsi.log_20240611_165144.log

                    Filesize

                    1.4MB

                  • C:\Users\Admin\AppData\Local\Temp\{F47C8797-293D-4702-A238-F1EF11F8A1B0}~setup\vcredist_x64.exe

                    Filesize

                    24.2MB

                  • C:\Users\Admin\AppData\Local\Temp\{F47C8797-293D-4702-A238-F1EF11F8A1B0}~setup\vcredist_x86.exe

                    Filesize

                    13.2MB

                  • C:\Users\Admin\AppData\Roaming\VMware\preferences.ini

                    Filesize

                    173B

                  • C:\Users\Admin\AppData\Roaming\VMware\preferences.ini

                    Filesize

                    213B

                  • C:\Users\Public\Desktop\VMware Workstation 17 Player.lnk

                    Filesize

                    1KB

                  • C:\Users\Public\Desktop\VMware Workstation 17 Player.lnk~RFe594c32.TMP

                    Filesize

                    1KB

                  • C:\Windows\INF\oem3.PNF

                    Filesize

                    7KB

                  • C:\Windows\Installer\MSI3683.tmp

                    Filesize

                    518KB

                  • C:\Windows\Installer\MSI36B3.tmp

                    Filesize

                    1.6MB

                  • C:\Windows\Installer\MSI37AE.tmp

                    Filesize

                    118KB

                  • C:\Windows\System32\DRVSTORE\hcmon_AE2641AF84DF5670FA8422233CEAC89B307A0500\hcmon.sys

                    Filesize

                    70KB

                  • C:\Windows\System32\DRVSTORE\netuserif_58711DA5F5777EBD18942543251CD2F96A4E1EE5\vmnetuserif.sys

                    Filesize

                    29KB

                  • C:\Windows\System32\DRVSTORE\netuserif_58711DA5F5777EBD18942543251CD2F96A4E1EE5\vnetinst.dll

                    Filesize

                    115KB

                  • C:\Windows\System32\DRVSTORE\vmx86_0EB6D425AF13AF7EF7CCBE7DA93B4388751906C3\vmx86.sys

                    Filesize

                    98KB

                  • C:\Windows\System32\DRVSTORE\vsock_91D4AA923191C17024EC2122FC89C72E5812E906\vsock.sys

                    Filesize

                    86KB

                  • C:\Windows\System32\DRVSTORE\vsock_91D4AA923191C17024EC2122FC89C72E5812E906\vsocklib_x64.dll

                    Filesize

                    30KB

                  • C:\Windows\System32\DRVSTORE\vsock_91D4AA923191C17024EC2122FC89C72E5812E906\vsocklib_x86.dll

                    Filesize

                    25KB

                  • C:\Windows\System32\DriverStore\Temp\{193dbe67-77cd-154c-8238-c823f971a0c7}\vmusb.cat

                    Filesize

                    11KB

                  • C:\Windows\System32\DriverStore\Temp\{193dbe67-77cd-154c-8238-c823f971a0c7}\vmusb.inf

                    Filesize

                    3KB

                  • C:\Windows\System32\DriverStore\Temp\{193dbe67-77cd-154c-8238-c823f971a0c7}\vmusb.sys

                    Filesize

                    66KB

                  • C:\Windows\System32\DriverStore\Temp\{8a4c40ad-f23c-1c48-928f-830428895a13}\netbridge.inf

                    Filesize

                    4KB

                  • C:\Windows\System32\DriverStore\Temp\{8a4c40ad-f23c-1c48-928f-830428895a13}\vmnet.sys

                    Filesize

                    30KB

                  • C:\Windows\System32\DriverStore\Temp\{8a4c40ad-f23c-1c48-928f-830428895a13}\vmnetbridge.cat

                    Filesize

                    12KB

                  • C:\Windows\System32\DriverStore\Temp\{8a4c40ad-f23c-1c48-928f-830428895a13}\vmnetbridge.dll

                    Filesize

                    79KB

                  • C:\Windows\System32\DriverStore\Temp\{8a4c40ad-f23c-1c48-928f-830428895a13}\vmnetbridge.sys

                    Filesize

                    52KB

                  • C:\Windows\System32\DriverStore\Temp\{902b461e-d928-cc47-8447-304a4efcd1ff}\vmci.cat

                    Filesize

                    11KB

                  • C:\Windows\System32\DriverStore\Temp\{902b461e-d928-cc47-8447-304a4efcd1ff}\vmci.inf

                    Filesize

                    3KB

                  • C:\Windows\System32\DriverStore\Temp\{902b461e-d928-cc47-8447-304a4efcd1ff}\vmci.sys

                    Filesize

                    102KB

                  • C:\Windows\System32\DriverStore\Temp\{bf937a44-1478-6e49-a4fc-0bbfb7f3e3b2}\netadapter.inf

                    Filesize

                    28KB

                  • C:\Windows\System32\DriverStore\Temp\{bf937a44-1478-6e49-a4fc-0bbfb7f3e3b2}\vmnetadapter.cat

                    Filesize

                    13KB

                  • C:\Windows\System32\DriverStore\Temp\{bf937a44-1478-6e49-a4fc-0bbfb7f3e3b2}\vmnetadapter.sys

                    Filesize

                    30KB

                  • C:\Windows\System32\catroot2\dberr.txt

                    Filesize

                    19KB

                  • C:\Windows\Temp\vminst.log

                    Filesize

                    14KB

                  • C:\Windows\Temp\{040980F8-08CD-4BA2-8388-C5A4988B2D55}\.ba\logo.png

                    Filesize

                    1KB

                  • C:\Windows\Temp\{040980F8-08CD-4BA2-8388-C5A4988B2D55}\.ba\wixstdba.dll

                    Filesize

                    191KB

                  • C:\Windows\Temp\{040980F8-08CD-4BA2-8388-C5A4988B2D55}\cab54A5CABBE7274D8A22EB58060AAB7623

                    Filesize

                    800KB

                  • C:\Windows\Temp\{040980F8-08CD-4BA2-8388-C5A4988B2D55}\cabB3E1576D1FEFBB979E13B1A5379E0B16

                    Filesize

                    4.9MB

                  • C:\Windows\Temp\{040980F8-08CD-4BA2-8388-C5A4988B2D55}\vcRuntimeAdditional_x86

                    Filesize

                    180KB

                  • C:\Windows\Temp\{040980F8-08CD-4BA2-8388-C5A4988B2D55}\vcRuntimeMinimum_x86

                    Filesize

                    180KB

                  • C:\Windows\Temp\{52B97F84-1588-4D19-BE38-1998F9E2175C}\.cr\vcredist_x86.exe

                    Filesize

                    634KB

                  • C:\Windows\Temp\{A4D93C42-2F99-4C21-A0C5-89E2B351CAE3}\.cr\vcredist_x64.exe

                    Filesize

                    635KB

                  • C:\Windows\Temp\{E8D00CD8-A320-4CCB-94EE-495D94D999EF}\.ba\license.rtf

                    Filesize

                    9KB

                  • C:\Windows\Temp\{E8D00CD8-A320-4CCB-94EE-495D94D999EF}\.ba\thm.wxl

                    Filesize

                    2KB

                  • C:\Windows\Temp\{E8D00CD8-A320-4CCB-94EE-495D94D999EF}\.ba\thm.xml

                    Filesize

                    8KB

                  • C:\Windows\Temp\{E8D00CD8-A320-4CCB-94EE-495D94D999EF}\cab2C04DDC374BD96EB5C8EB8208F2C7C92

                    Filesize

                    5.4MB

                  • C:\Windows\Temp\{E8D00CD8-A320-4CCB-94EE-495D94D999EF}\cab5046A8AB272BF37297BB7928664C9503

                    Filesize

                    935KB

                  • C:\Windows\Temp\{E8D00CD8-A320-4CCB-94EE-495D94D999EF}\vcRuntimeAdditional_x64

                    Filesize

                    188KB

                  • C:\Windows\Temp\{E8D00CD8-A320-4CCB-94EE-495D94D999EF}\vcRuntimeMinimum_x64

                    Filesize

                    188KB
