Analysis
max time kernel: 184s
max time network: 193s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 11-06-2024 16:48

Static task: static1

Behavioral task: behavioral1
Sample: VMware-player-17.5.2-23775571.exe
Resource: win7-20240221-en

Behavioral task: behavioral2
Sample: VMware-player-17.5.2-23775571.exe
Resource: win10v2004-20240508-en

General
Target: VMware-player-17.5.2-23775571.exe
Size: 229.6MB
MD5: eb01e99d908fa2742fe4e0c60635c68f
SHA1: f2a8a6c3021d5a9fb5d228958145915fb802f477
SHA256: 85b3f341d654847fba6523dbdf4e30f1721870d194ec53f1065291e8ccbd3474
SHA512: 21693b7c8222afc6bbab7e81f7893c860b06e257a09571e9973930b946a2789bbb3051295d09ac4e781f5bb02aba0182c32ebaa3a8a7eb2863a2ff054e4d1cfb
SSDEEP: 6291456:vIAo5MRcHji9p+c5mod6xbo5GF1yrDe02ER/0W5UX:VoWqjUPmY6xbo5GCrDe05/0W5UX
Malware Config
Signatures
Drops file in Drivers directory 27 IoCs
Looks for VMWare Tools registry key 2 TTPs 1 IoCs
Processes: VMware-player-17.5.2-23775571.exe
Key opened: \REGISTRY\MACHINE\SOFTWARE\VMware, Inc.\VMware Tools (process: VMware-player-17.5.2-23775571.exe)
Looks for VMWare drivers on disk 2 TTPs 1 IoCs
Processes: DrvInst.exe
File opened (read-only): C:\Windows\System32\drivers\vmci.sys (process: DrvInst.exe)
Looks for VMWare services registry key. 1 TTPs 12 IoCs
Sets service image path in registry 2 TTPs 1 IoCs
Processes: MsiExec.exe
Set value (str): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\vsock\ImagePath = "system32\\DRIVERS\\vsock.sys" (process: MsiExec.exe)
Adds Run key to start application 2 TTPs 2 IoCs
Processes: VC_redist.x86.exe, VC_redist.x64.exe
Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\{410c0ee1-00bb-41b6-9772-e12c2828b02f} = "\"C:\\ProgramData\\Package Cache\\{410c0ee1-00bb-41b6-9772-e12c2828b02f}\\VC_redist.x86.exe\" /burn.runonce" (process: VC_redist.x86.exe)
Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\{8bdfe669-9705-4184-9368-db9ce581e0e7} = "\"C:\\ProgramData\\Package Cache\\{8bdfe669-9705-4184-9368-db9ce581e0e7}\\VC_redist.x64.exe\" /burn.runonce" (process: VC_redist.x64.exe)
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
Processes: vmplayer.exe
File opened for modification: \??\PhysicalDrive0 (process: vmplayer.exe)
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
Processes: vcredist_x86.exe, vcredist_x64.exe
Key value queried: \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation (process: vcredist_x86.exe)
Key value queried: \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation (process: vcredist_x64.exe)
Drops file in System32 directory 64 IoCs
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
Drops file in Program Files directory 64 IoCs
Drops file in Windows directory 64 IoCs
Executes dropped EXE 38 IoCs
Loads dropped DLL 64 IoCs
Registers COM server for autorun 1 TTPs 3 IoCs
Processes: vnetlib64.exe
Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3d09c1ca-2bcc-40b7-b9bb-3f3ec143a87b}\InProcServer32 (process: vnetlib64.exe)
Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3d09c1ca-2bcc-40b7-b9bb-3f3ec143a87b}\InProcServer32\ = "C:\\Program Files (x86)\\VMware\\VMware Player\\vmnetbridge.dll" (process: vnetlib64.exe)
Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3d09c1ca-2bcc-40b7-b9bb-3f3ec143a87b}\InProcServer32\ThreadingModel = "Both" (process: vnetlib64.exe)
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Checks SCSI registry key(s) 3 TTPs 64 IoCs
SCSI information is often read in order to detect sandboxing environments.
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001 vnetlib64.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID vnetlib64.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\UpperFilters DrvInst.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002 vnetlib64.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001 DrvInst.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 DrvInst.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID DrvInst.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 DrvInst.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID DrvInst.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom vnetlib64.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs vnetlib64.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001 MsiExec.exe Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters vssvc.exe Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 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 vssvc.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A taskmgr.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID vnetlib64.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001 vnetlib64.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID DrvInst.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs DrvInst.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Phantom DrvInst.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs vnetlib64.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom vnetlib64.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 DrvInst.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\UpperFilters DrvInst.exe -
Checks processor information in registry 2 TTPs 10 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
vmplayer.exe
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | vmplayer.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 | vmplayer.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString | vmplayer.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\6 | vmplayer.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | vmplayer.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\2 | vmplayer.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\3 | vmplayer.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\4 | vmplayer.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\5 | vmplayer.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\7 | vmplayer.exe
-
Enumerates system info in registry 2 TTPs 6 IoCs
Processes:
vmplayer.exe
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter | vmplayer.exe
Key enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter | vmplayer.exe
Key queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter | vmplayer.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\SerialController | vmplayer.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1\SerialController | vmplayer.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2\SerialController | vmplayer.exe
-
Processes:
msiexec.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{BC1F4B6F-13AB-4239-8C79-D6DCADC52BAA} | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{BC1F4B6F-13AB-4239-8C79-D6DCADC52BAA}\Compatibility Flags = "1024" | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{DFC76A6B-4873-458C-AB00-40B1FC028001} | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{DFC76A6B-4873-458C-AB00-40B1FC028001}\Compatibility Flags = "1024" | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{420F0000-71EB-4757-B979-418F039FC1F9} | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{420F0000-71EB-4757-B979-418F039FC1F9}\Compatibility Flags = "1024" | msiexec.exe
-
Modifies data under HKEY_USERS 64 IoCs
-
Modifies registry class 64 IoCs
-
Suspicious behavior: EnumeratesProcesses 56 IoCs
Processes:
msiexec.exe, taskmgr.exe, MsiExec.exe, vmware-usbarbitrator64.exe, vmplayer.exe
pid | process
4000 | msiexec.exe
2264 | taskmgr.exe
4624 | MsiExec.exe
1256 | vmware-usbarbitrator64.exe
2948 | vmplayer.exe
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
vmplayer.exe
pid | process
2948 | vmplayer.exe
-
Suspicious behavior: LoadsDriver 12 IoCs
Processes:
MsiExec.exe
pid | process
664
2028 | MsiExec.exe
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
vssvc.exe, VC_redist.x86.exe, msiexec.exe
description | pid | process
Token: SeBackupPrivilege | 2004 | vssvc.exe
Token: SeRestorePrivilege | 2004 | vssvc.exe
Token: SeAuditPrivilege | 2004 | vssvc.exe
Token: SeShutdownPrivilege | 1420 | VC_redist.x86.exe
Token: SeIncreaseQuotaPrivilege | 1420 | VC_redist.x86.exe
Token: SeSecurityPrivilege | 4000 | msiexec.exe
Token: SeCreateTokenPrivilege | 1420 | VC_redist.x86.exe
Token: SeAssignPrimaryTokenPrivilege | 1420 | VC_redist.x86.exe
Token: SeLockMemoryPrivilege | 1420 | VC_redist.x86.exe
Token: SeMachineAccountPrivilege | 1420 | VC_redist.x86.exe
Token: SeTcbPrivilege | 1420 | VC_redist.x86.exe
Token: SeSecurityPrivilege | 1420 | VC_redist.x86.exe
Token: SeTakeOwnershipPrivilege | 1420 | VC_redist.x86.exe
Token: SeLoadDriverPrivilege | 1420 | VC_redist.x86.exe
Token: SeSystemProfilePrivilege | 1420 | VC_redist.x86.exe
Token: SeSystemtimePrivilege | 1420 | VC_redist.x86.exe
Token: SeProfSingleProcessPrivilege | 1420 | VC_redist.x86.exe
Token: SeIncBasePriorityPrivilege | 1420 | VC_redist.x86.exe
Token: SeCreatePagefilePrivilege | 1420 | VC_redist.x86.exe
Token: SeCreatePermanentPrivilege | 1420 | VC_redist.x86.exe
Token: SeBackupPrivilege | 1420 | VC_redist.x86.exe
Token: SeRestorePrivilege | 1420 | VC_redist.x86.exe
Token: SeDebugPrivilege | 1420 | VC_redist.x86.exe
Token: SeAuditPrivilege | 1420 | VC_redist.x86.exe
Token: SeSystemEnvironmentPrivilege | 1420 | VC_redist.x86.exe
Token: SeChangeNotifyPrivilege | 1420 | VC_redist.x86.exe
Token: SeRemoteShutdownPrivilege | 1420 | VC_redist.x86.exe
Token: SeUndockPrivilege | 1420 | VC_redist.x86.exe
Token: SeSyncAgentPrivilege | 1420 | VC_redist.x86.exe
Token: SeEnableDelegationPrivilege | 1420 | VC_redist.x86.exe
Token: SeManageVolumePrivilege | 1420 | VC_redist.x86.exe
Token: SeImpersonatePrivilege | 1420 | VC_redist.x86.exe
Token: SeCreateGlobalPrivilege | 1420 | VC_redist.x86.exe
Token: SeRestorePrivilege | 4000 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 4000 | msiexec.exe
-
Suspicious use of FindShellTrayWindow 48 IoCs
Processes:
VMware-player-17.5.2-23775571.exe, taskmgr.exe, vmplayer.exe
pid | process
2400 | VMware-player-17.5.2-23775571.exe
2264 | taskmgr.exe
2948 | vmplayer.exe
-
Suspicious use of SendNotifyMessage 41 IoCs
Processes:
taskmgr.exe
pid | process
2264 | taskmgr.exe
-
Suspicious use of SetWindowsHookEx 2 IoCs
Processes: vmplayer.exe
pid | process
2948 | vmplayer.exe
Suspicious use of WriteProcessMemory 64 IoCs
Processes: VMware-player-17.5.2-23775571.exe, vcredist_x86.exe, VC_redist.x86.exe, vcredist_x64.exe, VC_redist.x64.exe, msiexec.exe, MsiExec.exe, svchost.exe
description | pid | process | target process
PID 2400 wrote to memory of 3996 | 2400 | VMware-player-17.5.2-23775571.exe | vcredist_x86.exe
PID 3996 wrote to memory of 2648 | 3996 | vcredist_x86.exe | vcredist_x86.exe
PID 2648 wrote to memory of 1420 | 2648 | vcredist_x86.exe | VC_redist.x86.exe
PID 1420 wrote to memory of 2152 | 1420 | VC_redist.x86.exe | VC_redist.x86.exe
PID 2152 wrote to memory of 1884 | 2152 | VC_redist.x86.exe | VC_redist.x86.exe
PID 1884 wrote to memory of 4012 | 1884 | VC_redist.x86.exe | VC_redist.x86.exe
PID 2400 wrote to memory of 3988 | 2400 | VMware-player-17.5.2-23775571.exe | vcredist_x64.exe
PID 3988 wrote to memory of 1856 | 3988 | vcredist_x64.exe | vcredist_x64.exe
PID 1856 wrote to memory of 5028 | 1856 | vcredist_x64.exe | VC_redist.x64.exe
PID 5028 wrote to memory of 1572 | 5028 | VC_redist.x64.exe | VC_redist.x64.exe
PID 1572 wrote to memory of 3292 | 1572 | VC_redist.x64.exe | VC_redist.x64.exe
PID 3292 wrote to memory of 4964 | 3292 | VC_redist.x64.exe | VC_redist.x64.exe
PID 4000 wrote to memory of 4624 | 4000 | msiexec.exe | MsiExec.exe
PID 4000 wrote to memory of 112 | 4000 | msiexec.exe | MsiExec.exe
PID 4000 wrote to memory of 1572 | 4000 | msiexec.exe | MsiExec.exe
PID 4000 wrote to memory of 2912 | 4000 | msiexec.exe | MsiExec.exe
PID 4000 wrote to memory of 3984 | 4000 | msiexec.exe | MsiExec.exe
PID 4000 wrote to memory of 2028 | 4000 | msiexec.exe | MsiExec.exe
PID 3984 wrote to memory of 1900 | 3984 | MsiExec.exe | vnetlib64.exe
PID 3984 wrote to memory of 1420 | 3984 | MsiExec.exe | vnetlib64.exe
PID 3708 wrote to memory of 3020 | 3708 | svchost.exe | DrvInst.exe
PID 3984 wrote to memory of 4196 | 3984 | MsiExec.exe | vnetlib64.exe
PID 3984 wrote to memory of 3304 | 3984 | MsiExec.exe | vnetlib64.exe
PID 3984 wrote to memory of 3272 | 3984 | MsiExec.exe | vnetlib64.exe
PID 3984 wrote to memory of 4480 | 3984 | MsiExec.exe | vnetlib64.exe
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\VMware-player-17.5.2-23775571.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\VMware-player-17.5.2-23775571.exe"
  - Looks for VMWare Tools registry key
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID: 2400
    C:\Users\Admin\AppData\Local\Temp\{F47C8797-293D-4702-A238-F1EF11F8A1B0}~setup\vcredist_x86.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\{F47C8797-293D-4702-A238-F1EF11F8A1B0}~setup\vcredist_x86.exe" /Q /norestart
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory
      PID: 3996
        C:\Windows\Temp\{52B97F84-1588-4D19-BE38-1998F9E2175C}\.cr\vcredist_x86.exe
          Command line: "C:\Windows\Temp\{52B97F84-1588-4D19-BE38-1998F9E2175C}\.cr\vcredist_x86.exe" -burn.clean.room="C:\Users\Admin\AppData\Local\Temp\{F47C8797-293D-4702-A238-F1EF11F8A1B0}~setup\vcredist_x86.exe" -burn.filehandle.attached=540 -burn.filehandle.self=548 /Q /norestart
          - Checks computer location settings
          - Executes dropped EXE
          - Loads dropped DLL
          - Suspicious use of WriteProcessMemory
          PID: 2648
            C:\Windows\Temp\{040980F8-08CD-4BA2-8388-C5A4988B2D55}\.be\VC_redist.x86.exe
              Command line: "C:\Windows\Temp\{040980F8-08CD-4BA2-8388-C5A4988B2D55}\.be\VC_redist.x86.exe" -q -burn.elevated BurnPipe.{9A5C5173-A80D-4FFA-942A-4B8396384C00} {6C20D074-B59B-4663-B85B-CC347CC09B32} 2648
              - Adds Run key to start application
              - Executes dropped EXE
              - Suspicious use of AdjustPrivilegeToken
              - Suspicious use of WriteProcessMemory
              PID: 1420
                C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe
                  Command line: "C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe" -uninstall -quiet -burn.related.upgrade -burn.ancestors={410c0ee1-00bb-41b6-9772-e12c2828b02f} -burn.filehandle.self=1144 -burn.embedded BurnPipe.{1D2B9CD1-5948-4009-A0B0-CFDE18C5A0CC} {19BEC786-A9AE-4360-8942-ADCC37EF6C9C} 1420
                  - Suspicious use of WriteProcessMemory
                  PID: 2152
                    C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe
                      Command line: "C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe" -burn.clean.room="C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe" -burn.filehandle.attached=516 -burn.filehandle.self=536 -uninstall -quiet -burn.related.upgrade -burn.ancestors={410c0ee1-00bb-41b6-9772-e12c2828b02f} -burn.filehandle.self=1144 -burn.embedded BurnPipe.{1D2B9CD1-5948-4009-A0B0-CFDE18C5A0CC} {19BEC786-A9AE-4360-8942-ADCC37EF6C9C} 1420
                      - Loads dropped DLL
                      - Suspicious use of WriteProcessMemory
                      PID: 1884
                        C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe
                          Command line: "C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe" -q -burn.elevated BurnPipe.{D4355F92-730D-4F16-A428-6844A762B34B} {FF6AC24F-56AD-4628-8E79-10159F2675F3} 1884
                          PID: 4012
    C:\Users\Admin\AppData\Local\Temp\{F47C8797-293D-4702-A238-F1EF11F8A1B0}~setup\vcredist_x64.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\{F47C8797-293D-4702-A238-F1EF11F8A1B0}~setup\vcredist_x64.exe" /Q /norestart
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory
      PID: 3988
        C:\Windows\Temp\{A4D93C42-2F99-4C21-A0C5-89E2B351CAE3}\.cr\vcredist_x64.exe
          Command line: "C:\Windows\Temp\{A4D93C42-2F99-4C21-A0C5-89E2B351CAE3}\.cr\vcredist_x64.exe" -burn.clean.room="C:\Users\Admin\AppData\Local\Temp\{F47C8797-293D-4702-A238-F1EF11F8A1B0}~setup\vcredist_x64.exe" -burn.filehandle.attached=544 -burn.filehandle.self=556 /Q /norestart
          - Checks computer location settings
          - Executes dropped EXE
          - Loads dropped DLL
          - Suspicious use of WriteProcessMemory
          PID: 1856
            C:\Windows\Temp\{E8D00CD8-A320-4CCB-94EE-495D94D999EF}\.be\VC_redist.x64.exe
              Command line: "C:\Windows\Temp\{E8D00CD8-A320-4CCB-94EE-495D94D999EF}\.be\VC_redist.x64.exe" -q -burn.elevated BurnPipe.{0CE161D1-B851-41E9-BBB1-A938848A9774} {03A0AF37-8F23-4574-A273-74A9AA806AFD} 1856
              - Adds Run key to start application
              - Executes dropped EXE
              - Modifies registry class
              - Suspicious use of WriteProcessMemory
              PID: 5028
                C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe
                  Command line: "C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe" -uninstall -quiet -burn.related.upgrade -burn.ancestors={8bdfe669-9705-4184-9368-db9ce581e0e7} -burn.filehandle.self=1128 -burn.embedded BurnPipe.{DE87A203-4DDA-4C6D-A93C-9E374FDE6681} {7F076D1C-CFB7-49C1-9040-82CC596AC296} 5028
                  - Suspicious use of WriteProcessMemory
                  PID: 1572
                    C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe
                      Command line: "C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe" -burn.clean.room="C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe" -burn.filehandle.attached=516 -burn.filehandle.self=536 -uninstall -quiet -burn.related.upgrade -burn.ancestors={8bdfe669-9705-4184-9368-db9ce581e0e7} -burn.filehandle.self=1128 -burn.embedded BurnPipe.{DE87A203-4DDA-4C6D-A93C-9E374FDE6681} {7F076D1C-CFB7-49C1-9040-82CC596AC296} 5028
                      - Loads dropped DLL
                      - Suspicious use of WriteProcessMemory
                      PID: 3292
                        C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe
                          Command line: "C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe" -q -burn.elevated BurnPipe.{9B454164-A3E2-48F1-9BF2-52DFC0B34441} {4C66DC50-81B4-4996-BF3A-1DFB9D7FFBD6} 3292
                          - Modifies registry class
                          PID: 4964
-
C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  - Checks SCSI registry key(s)
  - Suspicious use of AdjustPrivilegeToken
  PID: 2004
-
C:\Windows\system32\srtasks.exe
  Command line: C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  PID: 2784
-
C:\Windows\system32\msiexec.exe
  Command line: C:\Windows\system32\msiexec.exe /V
  - Looks for VMWare services registry key.
  - Enumerates connected drives
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Modifies Internet Explorer settings
  - Modifies data under HKEY_USERS
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 4000
    C:\Windows\syswow64\MsiExec.exe
      Command line: C:\Windows\syswow64\MsiExec.exe -Embedding 5E5643F0707694DDD35E1A8CD0EC198D C
      - Loads dropped DLL
      - Suspicious behavior: EnumeratesProcesses
      PID: 4624
    C:\Windows\System32\MsiExec.exe
      Command line: C:\Windows\System32\MsiExec.exe -Embedding 788F6EB4D6EA30599FE0B212D689D8FA C
      - Loads dropped DLL
      PID: 112
    C:\Windows\syswow64\MsiExec.exe
      Command line: C:\Windows\syswow64\MsiExec.exe -Embedding 8605B1E84BF1FB5E7B0FF1031604CF18
      - Looks for VMWare services registry key.
      - Drops file in System32 directory
      - Drops file in Windows directory
      - Loads dropped DLL
      - Modifies registry class
      PID: 1572
    C:\Windows\System32\MsiExec.exe
      Command line: C:\Windows\System32\MsiExec.exe -Embedding B99A1964BBF8D7559CBA8DA3C6D82971
      - Loads dropped DLL
      PID: 2912
    C:\Windows\syswow64\MsiExec.exe
      Command line: C:\Windows\syswow64\MsiExec.exe -Embedding 8DC5AB95264739AFAEFE181381D0FE16 E Global\MSI0000
      - Drops file in System32 directory
      - Drops file in Windows directory
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory
      PID: 3984
        C:\Program Files (x86)\Common Files\VMware\USB\DriverCache\vnetlib64.exe
          Command line: "C:\Program Files (x86)\Common Files\VMware\USB\DriverCache\vnetlib64.exe" -- uninstall usb
          - Drops file in Windows directory
          - Executes dropped EXE
          PID: 1900
        C:\Program Files (x86)\Common Files\VMware\USB\DriverCache\vnetlib64.exe
          Command line: "C:\Program Files (x86)\Common Files\VMware\USB\DriverCache\vnetlib64.exe" -- install vmusb Win8
          - Executes dropped EXE
          PID: 1420
        C:\Program Files (x86)\Common Files\VMware\USB\vnetlib64.exe
          Command line: "C:\Program Files (x86)\Common Files\VMware\USB\vnetlib64.exe" -- install hcmoninf 5;Win7
          - Drops file in Drivers directory
          - Drops file in System32 directory
          - Executes dropped EXE
          - Loads dropped DLL
          - Modifies data under HKEY_USERS
          PID: 4196
        C:\Program Files (x86)\VMware\VMware Player\vnetlib64.exe
          Command line: "C:\Program Files (x86)\VMware\VMware Player\vnetlib64.exe" -- remove adapter vmnet0
          - Executes dropped EXE
          PID: 3304
        C:\Program Files (x86)\VMware\VMware Player\vnetlib64.exe
          Command line: "C:\Program Files (x86)\VMware\VMware Player\vnetlib64.exe" -- remove adapter vmnet1
          - Executes dropped EXE
          PID: 3272
        C:\Program Files (x86)\VMware\VMware Player\vnetlib64.exe
          Command line: "C:\Program Files (x86)\VMware\VMware Player\vnetlib64.exe" -- remove adapter vmnet2
          - Executes dropped EXE
          PID: 4480
        C:\Program Files (x86)\VMware\VMware Player\vnetlib64.exe
          Command line: "C:\Program Files (x86)\VMware\VMware Player\vnetlib64.exe" -- remove adapter vmnet3
          - Executes dropped EXE
          PID: 1088
        C:\Program Files (x86)\VMware\VMware Player\vnetlib64.exe
          Command line: "C:\Program Files (x86)\VMware\VMware Player\vnetlib64.exe" -- remove adapter vmnet4
          - Executes dropped EXE
          PID: 3876
        C:\Program Files (x86)\VMware\VMware Player\vnetlib64.exe
          Command line: "C:\Program Files (x86)\VMware\VMware Player\vnetlib64.exe" -- remove adapter vmnet5
          - Executes dropped EXE
          PID: 4364
        C:\Program Files (x86)\VMware\VMware Player\vnetlib64.exe
          Command line: "C:\Program Files (x86)\VMware\VMware Player\vnetlib64.exe" -- remove adapter vmnet6
          - Executes dropped EXE
          PID: 1436
        C:\Program Files (x86)\VMware\VMware Player\vnetlib64.exe
          Command line: "C:\Program Files (x86)\VMware\VMware Player\vnetlib64.exe" -- remove adapter vmnet7
          - Executes dropped EXE
          PID: 2916
        C:\Program Files (x86)\VMware\VMware Player\vnetlib64.exe
          Command line: "C:\Program Files (x86)\VMware\VMware Player\vnetlib64.exe" -- remove adapter vmnet8
          - Executes dropped EXE
          PID: 1624
        C:\Program Files (x86)\VMware\VMware Player\vnetlib64.exe
          Command line: "C:\Program Files (x86)\VMware\VMware Player\vnetlib64.exe" -- remove adapter vmnet9
          - Executes dropped EXE
          PID: 3736
        C:\Program Files (x86)\VMware\VMware Player\vnetlib64.exe
          Command line: "C:\Program Files (x86)\VMware\VMware Player\vnetlib64.exe" -- remove adapter vmnet10
          - Executes dropped EXE
          PID: 3624
        C:\Program Files (x86)\VMware\VMware Player\vnetlib64.exe
          Command line: "C:\Program Files (x86)\VMware\VMware Player\vnetlib64.exe" -- remove adapter vmnet11
          - Executes dropped EXE
          PID: 1696
        C:\Program Files (x86)\VMware\VMware Player\vnetlib64.exe
          Command line: "C:\Program Files (x86)\VMware\VMware Player\vnetlib64.exe" -- remove adapter vmnet12
          - Executes dropped EXE
          PID: 2196
        C:\Program Files (x86)\VMware\VMware Player\vnetlib64.exe
          Command line: "C:\Program Files (x86)\VMware\VMware Player\vnetlib64.exe" -- remove adapter vmnet13
          - Executes dropped EXE
          PID: 772
        C:\Program Files (x86)\VMware\VMware Player\vnetlib64.exe
          Command line: "C:\Program Files (x86)\VMware\VMware Player\vnetlib64.exe" -- remove adapter vmnet14
          - Executes dropped EXE
          PID: 4896
        C:\Program Files (x86)\VMware\VMware Player\vnetlib64.exe
          Command line: "C:\Program Files (x86)\VMware\VMware Player\vnetlib64.exe" -- remove adapter vmnet15
          - Executes dropped EXE
          PID: 744
        C:\Program Files (x86)\VMware\VMware Player\vnetlib64.exe
          Command line: "C:\Program Files (x86)\VMware\VMware Player\vnetlib64.exe" -- remove adapter vmnet16
          - Executes dropped EXE
          PID: 3464
        C:\Program Files (x86)\VMware\VMware Player\vnetlib64.exe
          Command line: "C:\Program Files (x86)\VMware\VMware Player\vnetlib64.exe" -- remove adapter vmnet17
          - Executes dropped EXE
          PID: 1504
        C:\Program Files (x86)\VMware\VMware Player\vnetlib64.exe
          Command line: "C:\Program Files (x86)\VMware\VMware Player\vnetlib64.exe" -- remove adapter vmnet18
          - Executes dropped EXE
          PID: 4808
        C:\Program Files (x86)\VMware\VMware Player\vnetlib64.exe
          Command line: "C:\Program Files (x86)\VMware\VMware Player\vnetlib64.exe" -- remove adapter vmnet19
          - Executes dropped EXE
          PID: 2748
        C:\Program Files (x86)\VMware\VMware Player\vnetlib64.exe
          Command line: "C:\Program Files (x86)\VMware\VMware Player\vnetlib64.exe" -- uninstall bridge
          - Executes dropped EXE
          PID: 2272
        C:\Program Files (x86)\VMware\VMware Player\vnetlib64.exe
          Command line: "C:\Program Files (x86)\VMware\VMware Player\vnetlib64.exe" -- uninstall userif 5;None
          - Executes dropped EXE
          - Loads dropped DLL
          PID: 924
        C:\Program Files (x86)\VMware\VMware Player\vnetlib64.exe
          Command line: "C:\Program Files (x86)\VMware\VMware Player\vnetlib64.exe" -- install bridge
          - Drops file in Drivers directory
          - Drops file in System32 directory
          - Executes dropped EXE
          - Loads dropped DLL
          - Registers COM server for autorun
          - Checks SCSI registry key(s)
          - Modifies registry class
          PID: 4556
        C:\Program Files (x86)\VMware\VMware Player\vnetlib64.exe
          Command line: "C:\Program Files (x86)\VMware\VMware Player\vnetlib64.exe" -- install userif 5;None
          - Drops file in Drivers directory
          - Drops file in System32 directory
          - Executes dropped EXE
          - Loads dropped DLL
          - Modifies data under HKEY_USERS
          PID: 2544
        C:\Program Files (x86)\VMware\VMware Player\vnetlib64.exe
          Command line: "C:\Program Files (x86)\VMware\VMware Player\vnetlib64.exe" -- add adapter vmnet1
          - Drops file in System32 directory
          - Drops file in Windows directory
          - Executes dropped EXE
          - Checks SCSI registry key(s)
          PID: 4480
        C:\Program Files (x86)\VMware\VMware Player\vnetlib64.exe
          Command line: "C:\Program Files (x86)\VMware\VMware Player\vnetlib64.exe" -- add adapter vmnet8
          - Drops file in Windows directory
          - Executes dropped EXE
          - Checks SCSI registry key(s)
          PID: 3252
        C:\Program Files (x86)\VMware\VMware Player\vnetlib64.exe
          Command line: "C:\Program Files (x86)\VMware\VMware Player\vnetlib64.exe" -- install vmx86inf 5;Win8
          - Drops file in Drivers directory
          - Looks for VMWare services registry key.
          - Executes dropped EXE
          - Modifies data under HKEY_USERS
          PID: 2628
    C:\Windows\System32\MsiExec.exe
      Command line: C:\Windows\System32\MsiExec.exe -Embedding B7ECE69D9FF99AE2CBEB112607DDC7E8 E Global\MSI0000
      - Drops file in Drivers directory
      - Looks for VMWare services registry key.
      - Sets service image path in registry
      - Drops file in System32 directory
      - Drops file in Windows directory
      - Loads dropped DLL
      - Checks SCSI registry key(s)
      - Modifies data under HKEY_USERS
      - Suspicious behavior: LoadsDriver
      PID: 2028
-
C:\Windows\system32\taskmgr.exe
  Command line: "C:\Windows\system32\taskmgr.exe" /4
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID: 2264
-
C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k DcomLaunch -p -s DeviceInstall
  - Drops file in Windows directory
  - Checks SCSI registry key(s)
  - Suspicious use of WriteProcessMemory
  PID: 3708
    C:\Windows\system32\DrvInst.exe
      Command line: DrvInst.exe "4" "1" "C:\Program Files\Common Files\VMware\Drivers\vmusb\Win8\vmusb.inf" "9" "454492f13" "0000000000000148" "WinSta0\Default" "0000000000000158" "208" "C:\Program Files\Common Files\VMware\Drivers\vmusb\Win8"
      - Drops file in System32 directory
      - Drops file in Windows directory
      - Checks SCSI registry key(s)
      - Modifies data under HKEY_USERS
      PID: 3020
    C:\Windows\system32\DrvInst.exe
      Command line: DrvInst.exe "4" "1" "C:\Program Files (x86)\VMware\VMware Player\netbridge.inf" "9" "4f3176507" "0000000000000148" "WinSta0\Default" "0000000000000144" "208" "C:\Program Files (x86)\VMware\VMware Player"
      - Drops file in System32 directory
      - Drops file in Windows directory
      - Checks SCSI registry key(s)
      - Modifies data under HKEY_USERS
      PID: 4156
    C:\Windows\system32\DrvInst.exe
      Command line: DrvInst.exe "4" "1" "C:\Program Files (x86)\VMware\VMware Player\netadapter.inf" "9" "4a5017fd3" "000000000000017C" "WinSta0\Default" "0000000000000180" "208" "C:\Program Files (x86)\VMware\VMware Player"
      - Drops file in System32 directory
      - Drops file in Windows directory
      - Checks SCSI registry key(s)
      - Modifies data under HKEY_USERS
      PID: 4620
    C:\Windows\system32\DrvInst.exe
      Command line: DrvInst.exe "2" "211" "ROOT\VMWARE\0000" "C:\Windows\INF\oem5.inf" "oem5.inf:fc9f1aa2477c2bb3:VMnetAdapter1.Install:14.0.0.8:*vmnetadapter1," "4cbdd083b" "000000000000017C"
      - Drops file in Drivers directory
      - Loads dropped DLL
      - Checks SCSI registry key(s)
      - Modifies data under HKEY_USERS
      PID: 2492
    C:\Windows\system32\DrvInst.exe
      Command line: DrvInst.exe "2" "211" "ROOT\VMWARE\0001" "C:\Windows\INF\oem5.inf" "oem5.inf:fc9f1aa2df34f6ba:VMnetAdapter8.Install:14.0.0.8:*vmnetadapter8," "47eb20b4f" "000000000000017C"
      - Modifies data under HKEY_USERS
      PID: 2748
    C:\Windows\system32\DrvInst.exe
      Command line: DrvInst.exe "4" "1" "C:\Program Files\Common Files\VMware\Drivers\vmci\device\Win8\vmci.inf" "9" "4d941d7e3" "000000000000017C" "WinSta0\Default" "0000000000000144" "208" "C:\Program Files\Common Files\VMware\Drivers\vmci\device\Win8"
      - Drops file in Windows directory
      - Checks SCSI registry key(s)
      - Modifies data under HKEY_USERS
      PID: 4808
    C:\Windows\system32\DrvInst.exe
      Command line: DrvInst.exe "2" "211" "ROOT\VMWVMCIHOSTDEV\0000" "C:\Windows\INF\oem6.inf" "oem6.inf:9c00c72d390d9e8f:vmci.install.x64:9.8.18.0:root\vmwvmcihostdev," "42936a687" "000000000000017C"
      - Drops file in Drivers directory
      - Looks for VMWare drivers on disk
      - Looks for VMWare services registry key.
      - Drops file in Windows directory
      - Checks SCSI registry key(s)
      PID: 4444
-
\??\c:\windows\system32\NetCfgNotifyObjectHost.exe
  Command line: c:\windows\system32\NetCfgNotifyObjectHost.exe {DD85BC8D-7FB6-4F72-A691-5B1A121EC2A4} 536
  PID: 3376
-
C:\Windows\System32\svchost.exe
  Command line: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s Netman
  PID: 2976
-
\??\c:\windows\system32\NetCfgNotifyObjectHost.exe
  Command line: c:\windows\system32\NetCfgNotifyObjectHost.exe {02162219-0FF9-421B-B6BD-AD499D9AF3DA} 504
  PID: 2216
-
\??\c:\windows\system32\NetCfgNotifyObjectHost.exe
  Command line: c:\windows\system32\NetCfgNotifyObjectHost.exe {EC402F51-EC3D-4F48-B7DA-9198B5861FCC} 464
  PID: 2972
-
\??\c:\windows\system32\NetCfgNotifyObjectHost.exe
  Command line: c:\windows\system32\NetCfgNotifyObjectHost.exe {38E743A8-3B20-4C9A-B93A-2EE59FCAE462} 644
  PID: 2176
-
C:\Program Files (x86)\Common Files\VMware\USB\vmware-usbarbitrator64.exe
  Command line: "C:\Program Files (x86)\Common Files\VMware\USB\vmware-usbarbitrator64.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID: 1256
-
C:\Program Files (x86)\VMware\VMware Player\vmplayer.exe
  Command line: "C:\Program Files (x86)\VMware\VMware Player\vmplayer.exe"
  - Enumerates connected drives
  - Writes to the Master Boot Record (MBR)
  - Executes dropped EXE
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  PID: 2948
-
C:\Windows\SysWOW64\DllHost.exe
  Command line: C:\Windows\SysWOW64\DllHost.exe /Processid:{13B6B196-AD7B-4C7F-9BDC-B1CB2EE86552}
  PID: 3624
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution: 3
  - Registry Run Keys / Startup Folder: 3
- Pre-OS Boot: 1
  - Bootkit: 1
Privilege Escalation
- Boot or Logon Autostart Execution: 3
  - Registry Run Keys / Startup Folder: 3
Defense Evasion
- Modify Registry: 3
- Pre-OS Boot: 1
  - Bootkit: 1
- Virtualization/Sandbox Evasion: 3
Downloads
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\VMware\VMware Workstation 17 Player.lnk~RFe594c61.TMP
Filesize: 1KB
-
Filesize
1KB
MD570baabbbda4e606d45fa3ccd651d3329
SHA1a81f178ccfa337a445c04bb0cf431b485bce7313
SHA2561273e3eb81e8fb6176df29ffc7f4a027549420ec7692d99eab7f9d64eb100545
SHA5125967d7486df1b4aec16de03c23b9626f8cfb693c6d1a44bfdc6e7784955b09f48bd42cebb1778c81e03e5aa578bc158815205b102e6d0662315a5ce7fac17e9c
-
Filesize
1KB
MD5444704c16f663f3d7f756622d706d91e
SHA1dd0f696474664b4b2f1b4c63cd0bfa6f65d7c8e2
SHA256e3f739d4a3d4d993a6f0ffb3a4b5de53502311b053b3c65c8aa404170d0c975e
SHA512c389e4b57900110d7c2e3c4345a04245837564991b4bc9fec5419ade6ef3477a7f2670ff987b883af730781c8be9d47642ab49a8eea1d7a4e7458fee4b1c1a3e
-
Filesize
7KB
MD5eee517ae504ba11b520cfa3ff71e6c74
SHA180904fdaf3b2244a07173e3902b648b12dca0f43
SHA256a895b3424c5b14cb33ec83b2b7620047f07e6030ed600c8e5084bc92ab8f7cad
SHA512c258a02495f3f1e8035e2e383f945a4796d76c1455afd1d7b7008341ee4d7e73a4a01319f5205882fdf37d2acb2fbd46061bd20379c70e4368b5e49534be2b40
-
Filesize
518KB
MD54aa882a8a87d248e6b2d4144f47bd568
SHA16a949550f3c7fac710ea7d7801fd809f397c2d91
SHA2566081f9d9040dd70c74c1f5ae51db1320ba3b3e9e6a5cdfda22a6f5e72ef38d4a
SHA5129a91daf5c128e09912ffb6e8673d0088825ba13b0151cf23b17d531b855fb1271637ddd3c92e63c704fc135ce3b703d05dd3d1cddfe452b8844af78cdd2ba6f1
-
Filesize
1.6MB
MD52ebde9d1a578ed1c78a79b2279be5f1b
SHA1f55b8c2511d82032e4e8d503b4874396b91fff07
SHA256fe793fc1b303f85837fc6a990caed01289c02e24f3ca497566108198fe6af5de
SHA512f92709052fefc3fc89ba07562a093d7a22dbd62e0a38d3178a93275b9050984430bb4ef5908871d29f591bca75b2a19f9202794a07deecaa1a8df86d0ca94f20
-
Filesize
118KB
MD5ba3165ec14e657e6235d6d789e9e25ca
SHA1f626fcc0e7e7f26a092da6a995f5936a45c4f71a
SHA256bf93de4755822425f3fd3928b52d2a6e6c91ab069213aaaa95695ed3e17e72e9
SHA5126d83dd60b1f8e8d93ddbda657b1c75f86c1f5f6eac899123f6ce498f5dd1a5abf05e29776144044c6a848e8fdd2b9a6a5367c4b249b879a310a260fb6b55b6da
-
Filesize
70KB
MD50f300657289a1a2d168b8b80e900055a
SHA1c5f93e3ef6c8227009736ac8b5d314ff21f48c51
SHA25694938835f53b968665eda2a7a082788dac0a13ee486e3186387c0ff7ececfe8a
SHA512035d0e1430ec7206cd7995f912f11310089367a452f10924f79dc2edbb958bf080e86c4501e3b7096ec07e7f4b503ec4751b475f60927a333edd9458b41f36d9
-
Filesize
29KB
MD5502d7759a8ea951315b74ee12a629f3d
SHA10f045b7a26a8ec4e5647be4c423c7cb4327fc213
SHA25626b2cd990adeb32ef7e4c00c0e447c64c9a7811de2f398d6a227ccf26e33da72
SHA51233b270a48413e0478432ea3d1e1fec8d71d876deef63f106905dc57bbabf6aeea74f01ef539a2c17d583e4e10d9262187a6bd9531220c8278ab4a44191aa9c52
-
Filesize
115KB
MD5f2338bf0d8f10fdc55b712e9c5240937
SHA1f6e0b2151d08d2316b685aa1a8fda38af9c888fc
SHA25611e605295b184468b69d444edf35707567615d16fe5b9ba924edcb76527f9002
SHA512d15c92ef1e438fa4313332cc57d39a9ef19584cde8c02d328983215544d823ad838d68b975b825afaff2a6549eb06331d7fa0833fdbf2fcf43d5fedaeab2434b
-
Filesize
98KB
MD573ebcf23e0e1ee82dedc376c1d312803
SHA1aa6ee9d5798254b715ba1ac254ee11cbd70df864
SHA256e8de7c03018755a37a2993b2688c5258b46919b15c5e55a85590d8ae3abf1eb3
SHA51203863edc55d819378ed9aaab1771a7be6acc627b3512bf7555111135b486b5bdf709bee5e32f717112397e5db4579ff496fcbd6c92e96ed8d5c7321e1315f86a
-
Filesize
86KB
MD564ba085bb02e9ecf3b21f0377199289f
SHA1bf00ebb018e9b0fe63ef3af971ab395fc0ecb7f1
SHA256dfdb2166d3010a1e7ccfdc38f0b1524fdc4b79b17b06093b7f9820b637d28343
SHA512b2d3e43f291cfc0215c1e1df1d61b94c7e7d7780bdfa8d627edcb58b1298fcc96beb8eaff7567629e2ae1c7ae1b0ef60af6abd6fd9ec0b380c5e20ebb0a8a8f1
-
Filesize
30KB
MD5abe700a6459d2d6fc9774e0277350ecf
SHA1cefe9bb79520b3cadf6d1bbf44fdd771487b3d7e
SHA256952603279b8851c3739d562247f3f0a373b5fd0eb5a9c3baf1e6b1e608ebc6c8
SHA512c6fa33ff10523d408be2e5653100fb3aabf1cecaa810916a0cbcd32c5bc2da76ebfb73256719843700ee4d05a7adf7b18c9130dab1127b7bd8b1d089b8219349
-
Filesize
25KB
MD5f7d359d175826bf28056ae1cbe1a02d9
SHA119409b176561fa710d37e04c664c837f5bf80bff
SHA256af1df28834936aef92e142c14b1439ca64d070840b2c07b87351174ec0f71d8a
SHA512e2d78cb2d6f1b2f3c410ccd5272d0b3e34f3cdf25c41605b12e9a1f408308084c28c4b427c915ed87e28f21d662846529711fa07f4357a7f7f727b96a5d0e7f7
-
Filesize
11KB
MD5c969983ba8f120def2953afe08b2f164
SHA12aff93389846c5b107d67ec0886a342ea18eea76
SHA256ea696506747d3ab4a9c8b8d486b4a886ba4cba7b65eceb1d89c6ce54be6c9c20
SHA51230f69f57ff3eb07cc0f787a22aa42245246d9b6e657b656c82335d6fa78b3f8534027c4ca28998d72872cbed099ed45b8ac59bd3c7e69ffcc133510a37632ad6
-
Filesize
3KB
MD58d997d8d1105556cea9726b2aa38949e
SHA157f9c467fa48ad4585f58f40120778080d4003ef
SHA2569cbf08670ee83cb7956473072d7d51a709da49522a1109ea582425d86d88d8f4
SHA512d52e6ae4e66d33f3632e349fba6e13eda805764cc4d87920048af779148ac87a7918fcfa4f307a9fb19ae9b5c58b94247ac09433ba61afc0515a5bec3a5ae314
-
Filesize
66KB
MD5092cdfca61db22f6ec3ac01255bad56e
SHA1565788f4cdaf423078006d4bf480eb4b022bfe72
SHA256965c2e680140329f56f253f9a5bce8745a9664fc56aedb58bdb57e126b0aa1c5
SHA5127d5e98e33a60d259f5bceb9431c1d9630bf43f479631b9ede5ba8f8d4e761f9c67971ed5347fb7d3c1234f15a75e252b4e93aa002a5d85fed751ca0b64a5e24c
-
Filesize
4KB
MD576e07de9fe56a25f27a695691c9bdade
SHA153fef434d80383dfa266c632e6d374611c38319e
SHA256a3bbff5810e7d94a7490e06d5b420f734ec02f4fce66274930e024761e01049b
SHA512813eb5cefc1075357dd70285e05e765ba911fbf65cf11975b1b241d2ae3bdb8520f07de9daaf29b28f979c97ef59bd079f63c297b8218072d0f405986fe4364e
-
Filesize
30KB
MD5acc036a64af0be34d7925e24f5bbce36
SHA18b9b372250219c3d08b153f630b36dfdd2823084
SHA2567e3af2553ce93dca2a7b2c42e1c839573ba37e393e9e7a5e200dcc2df4f7fda7
SHA512e2190fd5e3644acd73ca86485e8d8bc1886a5ce767dfc452cc8178fb6f24ede82baecbc9e1693982307efa442ee39c19911dbe8dd19eb291595ec671979f63f6
-
Filesize
12KB
MD524236822ba4e710e9fbd3401c78131db
SHA183ffc5830cfcb98b6957f7802e4e7fd7816dc1ff
SHA256a58b885df4777c61b577af7569eaa5ac0202ea50f55fe141e9be0ffc77743a50
SHA512714f005f882ad0551fbcb74ca4fe4a0ab6f3bd998879dc51ab2911190919080a55727f4590ddb96f866a02f6ff9cfa0cab9a48a543edd35e684f28b3391171e9
-
Filesize
79KB
MD570d6c2e1940824e5c9deac0a2467603d
SHA15dd4a84bfed0eb199a228abfd1804c142e3fcbfa
SHA2560e8d73db78847ff2956c471c009088c1754640a06f877e9dea061bf9b6c287fd
SHA5126bc3dba5d026896f64bc2131d37f155b3dab6a3c8bac758433b8776255aabb10e24b8553c05131ee13de31b323620b4d844c141e267eabfaa9c0d62084ca8417
-
Filesize
52KB
MD511e92a49a113d80fc43219ce21468bcd
SHA17401c5adec3f548195c1cf3fa85c266e476f1283
SHA2569237ac240f3bef26001bc33a670245d368b727fc43e031b6a48fbf698fdc1def
SHA512bd7dbe2b786a7b0de0377abfc3a7a97667750e842ab5d0e42ef898151cc8a81e615a70536753e243f5a61b727acf3a837536534e65c110a26799c9a2e3b7a7c4
-
Filesize
11KB
MD5c888f61b9b09bda1f1fc1506123753d4
SHA1bc2be72275b899d848737bfac8e0ba1ea72af63e
SHA256b69004749d69e2d826a4341d2ac409711fb984fe2ebb4afa2b3dbc03368493cd
SHA5129a90df4b4e4eefb48e81853d02e3f2f9b6280636322436b717f0763bf7feca79660fc860f8142b915fc475a20de4d876c1a29687061468609e9cedcb725b88d4
-
Filesize
3KB
MD5fdb3c5882438a6e996d13a7ab48cf467
SHA17257251e1b43912d15defbdf01056aef80d043a2
SHA2561e71d0b7aa6a8835986a2d603c7218e792886fec4ea889f13200cf0fdc78a73b
SHA512551678e245c37c61433bb06f5bbc1075b76c1b86b06907b0a8d4c1e240b62d13922a0465919f361a6584388d80333201b5b6202b3fa1c6ff7771a58ba9ea8716
-
Filesize
102KB
MD5339e79b21cd73fe1174b56d6032e40d2
SHA1d85e6a6a585fe4eba6f2601ae97a9db171f2b5b1
SHA25691e68a9891339a8db757c9eceb65371db83822fa56305d61330e50194dc97131
SHA51210d5783d92bcdcd536abbb3650321f150f4f8a0850e99a974dc3e445dd6421b41fd9ce0da951efcc553b5bb00719e11c4c22c01f2c0882e35380a15de0076484
-
Filesize
28KB
MD5513ea5ad5d0192b4fab604bebaeba1ca
SHA137cadf97b3de820bb8a9cc82da50f969bd9ee742
SHA2568d3180911c7397eda186969813dd6aa6447b2e247d1dddf8cf15c82f8c187c7b
SHA5128459e0f67773be7ec6d3ef08c3c9018e78719797292e92471b7b8ba210cb5fe3946e3f99d23930d5454a223907bddf40e3d7c8cad8aa6063c1c26ae7f1744b33
-
Filesize
13KB
MD5f705d1b2884dd89de05b5be1b5f091cc
SHA115fda464b0e6152f20be66478e5637bac6738a44
SHA2562fed201cfaabf39aa9d32531759ffb01b93e890ab28137983ac0a0f1b76cf4f6
SHA512740331cb30d323bcd5ae0789ffbb0620baa7a485241b6c2e4064265397f40e8510fc6de9758b5f5cfd41888b29ed95392b73b3b0812a1e207e46d72e6d521eb4
-
Filesize
30KB
MD583b9f3a1bd3afd531c19b5314525eaef
SHA1f857b40f1d837ee9bbd0e33cf4795d4e8f20b1b9
SHA256a75125186847fb0e6d4cd755ccd68431df3a64c8786125b6110589054f9c2389
SHA512b48f3b039d8d11e25b9978eb9b38b7282793a264878258ceac12a243cbd344dbfcb9d5e071a422209a83f5330b7388caa8344cb6c11598e1fce1bc43f649384e
-
Filesize
19KB
MD52d3597c2ae694e0f8b44b2a23db9a094
SHA1a43b8a2ee87cc7e045e9efae08d352c5abafff93
SHA2568fb8829cd5b6fb48b2311e41326fa2c9745bbb502c2006fa4b1694ea12ad4d6a
SHA512df3d70b0037cf0973a24322949bc116431f1db3a9f312dea632a96418c9fba412a94f88be4cf13336bae0299f6d64365bfab9b554d6d9333bfbb219036f05191
-
Filesize
14KB
MD5422e22f07522df4987026df70486b949
SHA115b7bdebd354846be987c78c7128173e22a9a6aa
SHA256acd8758047ba9ff667fbdaf07c0dca1b729f38a46c0ee41f58239657f27c98be
SHA512ef50a945c50cd18322a1d8c5eda0361ecc14e84bc595b84ad1f1fef46f4b2201c6be7691246f8c7f2e7fd25c8eb518ea7786dc22c83c93021bb64361856022e7
-
Filesize
1KB
MD5d6bd210f227442b3362493d046cea233
SHA1ff286ac8370fc655aea0ef35e9cf0bfcb6d698de
SHA256335a256d4779ec5dcf283d007fb56fd8211bbcaf47dcd70fe60ded6a112744ef
SHA512464aaab9e08de610ad34b97d4076e92dc04c2cdc6669f60bfc50f0f9ce5d71c31b8943bd84cee1a04fb9ab5bbed3442bd41d9cb21a0dd170ea97c463e1ce2b5b
-
Filesize
191KB
MD5eab9caf4277829abdf6223ec1efa0edd
SHA174862ecf349a9bedd32699f2a7a4e00b4727543d
SHA256a4efbdb2ce55788ffe92a244cb775efd475526ef5b61ad78de2bcdfaddac7041
SHA51245b15ade68e0a90ea7300aeb6dca9bc9e347a63dba5ce72a635957564d1bdf0b1584a5e34191916498850fc7b3b7ecfbcbfcb246b39dbf59d47f66bc825c6fd2
-
Filesize
800KB
MD5f706d550cf905648ccb55b47e1364022
SHA13c382bfe0c4c14c1ed6cbe88d6a69ad6be28a08f
SHA2567be2d324f0cb063be8335982096f17ed4f08a7592130e04459ae818824016589
SHA5123c946d88447504c94227fec259bbeed7ef458a0740c12345e425821644f8e0d9358b68582a1f6e1b74597b5dfd2976f328b706a72df30e3c76c899cd435a349a
-
Filesize
4.9MB
MD5d141d64b6a3287548847abf5b4c1bc7e
SHA1a161b984bb24d135353701e445a6a0babc5d25b3
SHA256e38280421473e79ebaaa8398d86974fc7100cc8ec1c3273fb9bfe4f672c918a6
SHA512282f64d928e19cf107b19ad39da1150045b60efb9ad599d827f9dde5f20a5bb499ea5996464a1f2ac79c21ec9af9307a363072f172f92c6669ea00c0ec48753f
-
Filesize
180KB
MD5df1b1ee46deb824a89f18e228f8a4a41
SHA1001d86480ce0a9e1b2fed8c48296bb3384dad793
SHA256ff8884498c3174b7d2bd35bd1a43d75d3538dca2c0821ca5876fa45eb2c8a47f
SHA5126587452fa6ebef2eac6634cd3c6d8629cdcd9f214a5a13cfbebfd232318a3a5d3cd5d3c9baa721270f5283d3127d36475d40071132ba063bdda49bc48cc21fab
-
Filesize
180KB
MD57c87329a66d4c22f03acea4e817971f9
SHA112a2134fa09fd7df026ffc20bfe58a7d30d6ae73
SHA256c78bc45113d0270c2154930761c3b74db714987a16c0fbe5e7a05fa3a853d0c8
SHA51273f11aa3f9b3dbfba157a0d47dc61ff2a22509b61339882a9c2cee53ee335b18820700d7a413b81b426e71c83443f0d99bea8b3638b8b87ee9a42f01f404f955
-
Filesize
634KB
MD5415e8d504ea08ee2d8515fe87b820910
SHA1e90f591c730bd39b8343ca3689b2c0ee85aaea5f
SHA256e0e642106c94fd585782b75d1f942872d2bf99d870bed4216e5001e4ba3374c0
SHA512e51f185c0e9d3eb4950a4c615285c6610a4977a696ed9f3297a551835097b2122566122231437002c82e2c5cf72a7a8f67362bff16b24c0abe05fe35dddbf6a1
-
Filesize
635KB
MD535e545dac78234e4040a99cbb53000ac
SHA1ae674cc167601bd94e12d7ae190156e2c8913dc5
SHA2569a6c005e1a71e11617f87ede695af32baac8a2056f11031941df18b23c4eeba6
SHA512bd984c20f59674d1c54ca19785f54f937f89661014573c5966e5f196f776ae38f1fc9a7f3b68c5bc9bf0784adc5c381f8083f2aecdef620965aeda9ecba504f3
-
Filesize
9KB
MD504b33f0a9081c10e85d0e495a1294f83
SHA11efe2fb2d014a731b752672745f9ffecdd716412
SHA2568099dc3cf9502c335da829e5c755948a12e3e6de490eb492a99deb673d883d8b
SHA512d1dbed00df921169dd61501e2a3e95e6d7807348b188be9dd8fc63423501e4d848ece19ac466c3cacfccc6084e0eb2f457dc957990f6f511df10fd426e432685
-
Filesize
2KB
MD5fbfcbc4dacc566a3c426f43ce10907b6
SHA163c45f9a771161740e100faf710f30eed017d723
SHA25670400f181d00e1769774ff36bcd8b1ab5fbc431418067d31b876d18cc04ef4ce
SHA512063fb6685ee8d2fa57863a74d66a83c819fe848ba3072b6e7d1b4fe397a9b24a1037183bb2fda776033c0936be83888a6456aae947e240521e2ab75d984ee35e
-
Filesize
8KB
MD5f62729c6d2540015e072514226c121c7
SHA1c1e189d693f41ac2eafcc363f7890fc0fea6979c
SHA256f13bae0ec08c91b4a315bb2d86ee48fade597e7a5440dce6f751f98a3a4d6916
SHA512cbbfbfa7e013a2b85b78d71d32fdf65323534816978e7544ca6cea5286a0f6e8e7e5ffc4c538200211f11b94373d5658732d5d8aa1d01f9ccfdbf20f154f1471
-
Filesize
5.4MB
MD546efc5476e6d948067b9ba2e822fd300
SHA1d17c2bf232f308e53544b2a773e646d4b35e3171
SHA2562de285c0fc328d30501cad8aa66a0ca9556ad5e30d03b198ebdbc422347db138
SHA51258c9b43b0f93da00166f53fda324fcf78fb1696411e3c453b66e72143e774f68d377a0368b586fb3f3133db7775eb9ab7e109f89bb3c5e21ddd0b13eaa7bd64c
-
Filesize
935KB
MD5c2df6cb9082ac285f6acfe56e3a4430a
SHA1591e03bf436d448296798a4d80f6a39a00502595
SHA256b8b4732a600b741e824ab749321e029a07390aa730ec59401964b38105d5fa11
SHA5129f21b621fc871dd72de0c518174d1cbe41c8c93527269c3765b65edee870a8945ecc2700d49f5da8f6fab0aa3e4c2db422b505ffcbcb2c5a1ddf4b9cec0e8e13
-
Filesize
188KB
MD5dd070483eda0af71a2e52b65867d7f5d
SHA12b182fc81d19ae8808e5b37d8e19c4dafeec8106
SHA2561c450cacdbf38527c27eb2107a674cd9da30aaf93a36be3c5729293f6f586e07
SHA51269e16ee172d923173e874b12037629201017698997e8ae7a6696aab1ad3222ae2359f90dea73a7487ca9ff6b7c01dc6c4c98b0153b6f1ada8b59d2cec029ec1a
-
Filesize
188KB
MD5a4075b745d8e506c48581c4a99ec78aa
SHA1389e8b1dbeebdff749834b63ae06644c30feac84
SHA256ee130110a29393dcbc7be1f26106d68b629afd2544b91e6caf3a50069a979b93
SHA5120b980f397972bfc55e30c06e6e98e07b474e963832b76cdb48717e6772d0348f99c79d91ea0b4944fe0181ad5d6701d9527e2ee62c14123f1f232c1da977cada