Malware Analysis Report

2024-10-18 22:07

Sample ID 240611-va6zgatgpj
Target VMware-player-17.5.2-23775571.exe
SHA256 85b3f341d654847fba6523dbdf4e30f1721870d194ec53f1065291e8ccbd3474
Tags
bootkit discovery evasion persistence
score
8/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
8/10

SHA256

85b3f341d654847fba6523dbdf4e30f1721870d194ec53f1065291e8ccbd3474

Threat Level: Likely malicious

The file VMware-player-17.5.2-23775571.exe was found to be: Likely malicious.

Malicious Activity Summary

bootkit discovery evasion persistence

Looks for VMWare Tools registry key

Looks for VMWare services registry key.

Sets service image path in registry

Drops file in Drivers directory

Looks for VMWare drivers on disk

Enumerates connected drives

Writes to the Master Boot Record (MBR)

Adds Run key to start application

Checks computer location settings

Drops file in System32 directory

Drops file in Program Files directory

Checks installed software on the system

Loads dropped DLL

Executes dropped EXE

Drops file in Windows directory

Registers COM server for autorun

Enumerates physical storage devices

Suspicious use of FindShellTrayWindow

Suspicious use of AdjustPrivilegeToken

Modifies Internet Explorer settings

Suspicious behavior: GetForegroundWindowSpam

Modifies registry class

Modifies data under HKEY_USERS

Enumerates system info in registry

Checks SCSI registry key(s)

Suspicious use of SendNotifyMessage

Suspicious behavior: LoadsDriver

Uses Volume Shadow Copy service COM API

Suspicious use of SetWindowsHookEx

Checks processor information in registry

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-11 16:49

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-11 16:48

Reported

2024-06-11 16:53

Platform

win7-20240221-en

Max time kernel

117s

Max time network

144s

Command Line

"C:\Users\Admin\AppData\Local\Temp\VMware-player-17.5.2-23775571.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\VMware-player-17.5.2-23775571.exe

"C:\Users\Admin\AppData\Local\Temp\VMware-player-17.5.2-23775571.exe"

Network

N/A

Files

memory/2212-0-0x00000000001A0000-0x00000000001A1000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-11 16:48

Reported

2024-06-11 16:52

Platform

win10v2004-20240508-en

Max time kernel

184s

Max time network

193s

Command Line

"C:\Users\Admin\AppData\Local\Temp\VMware-player-17.5.2-23775571.exe"

Signatures

Drops file in Drivers directory

Description Indicator Process Target
File opened for modification C:\Windows\system32\DRIVERS\SET54CD.tmp C:\Program Files (x86)\Common Files\VMware\USB\vnetlib64.exe N/A
File opened for modification C:\Windows\system32\DRIVERS\SET64DA.tmp C:\Program Files (x86)\VMware\VMware Player\vnetlib64.exe N/A
File opened for modification C:\Windows\system32\DRIVERS\vmnet.sys C:\Program Files (x86)\VMware\VMware Player\vnetlib64.exe N/A
File opened for modification C:\Windows\system32\DRIVERS\SET64EB.tmp C:\Program Files (x86)\VMware\VMware Player\vnetlib64.exe N/A
File opened for modification C:\Windows\system32\DRIVERS\vmnetuserif.sys C:\Program Files (x86)\VMware\VMware Player\vnetlib64.exe N/A
File opened for modification C:\Windows\system32\DRIVERS\SET80CF.tmp C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\system32\DRIVERS\vmx86.sys C:\Program Files (x86)\VMware\VMware Player\vnetlib64.exe N/A
File created C:\Windows\system32\DRIVERS\SET8C87.tmp C:\Windows\System32\MsiExec.exe N/A
File opened for modification C:\Windows\system32\DRIVERS\vmnet.sys C:\Program Files (x86)\VMware\VMware Player\vnetlib64.exe N/A
File created C:\Windows\System32\drivers\SET8C48.tmp C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\system32\DRIVERS\vsock.sys C:\Windows\System32\MsiExec.exe N/A
File opened for modification C:\Windows\system32\DRIVERS\hcmon.sys C:\Program Files (x86)\Common Files\VMware\USB\vnetlib64.exe N/A
File created C:\Windows\system32\DRIVERS\SET64DA.tmp C:\Program Files (x86)\VMware\VMware Player\vnetlib64.exe N/A
File opened for modification C:\Windows\system32\DRIVERS\vmnetbridge.sys C:\Program Files (x86)\VMware\VMware Player\vnetlib64.exe N/A
File created C:\Windows\system32\DRIVERS\SET8A45.tmp C:\Program Files (x86)\VMware\VMware Player\vnetlib64.exe N/A
File opened for modification C:\Windows\system32\DRIVERS\SET8C87.tmp C:\Windows\System32\MsiExec.exe N/A
File created C:\Windows\system32\DRIVERS\SET62E8.tmp C:\Program Files (x86)\VMware\VMware Player\vnetlib64.exe N/A
File created C:\Windows\system32\DRIVERS\SET64EB.tmp C:\Program Files (x86)\VMware\VMware Player\vnetlib64.exe N/A
File opened for modification C:\Windows\system32\DRIVERS\SET8A45.tmp C:\Program Files (x86)\VMware\VMware Player\vnetlib64.exe N/A
File opened for modification C:\Windows\System32\drivers\vmci.sys C:\Windows\system32\DrvInst.exe N/A
File created C:\Windows\system32\DRIVERS\SET54CD.tmp C:\Program Files (x86)\Common Files\VMware\USB\vnetlib64.exe N/A
File created C:\Windows\system32\DRIVERS\SET62E7.tmp C:\Program Files (x86)\VMware\VMware Player\vnetlib64.exe N/A
File opened for modification C:\Windows\system32\DRIVERS\SET62E8.tmp C:\Program Files (x86)\VMware\VMware Player\vnetlib64.exe N/A
File opened for modification C:\Windows\system32\DRIVERS\vmnetadapter.sys C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\drivers\SET8C48.tmp C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\system32\DRIVERS\SET62E7.tmp C:\Program Files (x86)\VMware\VMware Player\vnetlib64.exe N/A
File created C:\Windows\system32\DRIVERS\SET80CF.tmp C:\Windows\system32\DrvInst.exe N/A
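The rows in this and the following tables are flattened: four columns (Description, Indicator, Process, Target) joined by single spaces, and both the Indicator column (registry paths, quoted command lines) and the Process column ("C:\Program Files (x86)\...") contain spaces of their own. The Process column is what makes the report readable. The "Looks for VMWare services registry key" rows below, for example, are largely "Key created" writes by vnetlib64.exe and MsiExec.exe, which reads as the installer registering its own drivers rather than the sample probing for a sandbox. The Python below is an added helper, not part of the sandbox's report or of VMware's code; it recovers the columns (the Process column is taken to start at the last drive-letter path on the line that is preceded by whitespace) and pivots the rows by process image. The sample rows are copied from the tables in this section.

```python
"""Pivot the flattened signature rows of a sandbox report by process.

Each row is one whitespace-joined line of four columns:
    <Description> <Indicator> <Process> <Target>
Both Indicator and Process contain spaces, so str.split() cannot recover the
columns. The Process column is instead taken to begin at the LAST
"<drive>:\\" token on the line that is preceded by whitespace.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

# Description prefixes used in this report, longest first so that e.g.
# "Key value queried" is tried before "Key queried".
DESCRIPTIONS = sorted(
    [
        "File opened for modification", "File opened (read-only)", "File created",
        "Key opened", "Key queried", "Key security queried", "Key created",
        "Key value queried", "Set value (str)",
    ],
    key=len, reverse=True,
)

_PROC_START = re.compile(r"\s([A-Za-z]:\\)")


@dataclass(frozen=True)
class Row:
    description: str
    indicator: str
    process: str
    target: str


def parse_row(line: str) -> Row:
    """Split one report row into its four columns."""
    line = line.strip()
    if line.endswith(" N/A"):
        target, line = "N/A", line[:-4].rstrip()
    else:
        line, _, target = line.rpartition(" ")
    starts = list(_PROC_START.finditer(line))
    if not starts:
        raise ValueError(f"no process path in row: {line!r}")
    m = starts[-1]
    process, head = line[m.start(1):], line[: m.start()].rstrip()
    for desc in DESCRIPTIONS:
        if head.startswith(desc + " "):
            return Row(desc, head[len(desc):].strip(), process, target)
    raise ValueError(f"unknown description in row: {line!r}")


def pivot_by_process(lines) -> dict:
    """Map process image name (lower-case) -> sorted (description, indicator) pairs."""
    by_proc = defaultdict(set)
    for line in lines:
        if line.strip():
            r = parse_row(line)
            image = r.process.rsplit("\\", 1)[-1].lower()
            by_proc[image].add((r.description, r.indicator))
    return {k: sorted(v) for k, v in by_proc.items()}


# Rows copied verbatim from the behavioral2 tables of this report.
SAMPLE_ROWS = r"""
File opened for modification \??\PhysicalDrive0 C:\Program Files (x86)\VMware\VMware Player\vmplayer.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\vmx86 C:\Program Files (x86)\VMware\VMware Player\vnetlib64.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\VMware, Inc.\VMware Tools C:\Users\Admin\AppData\Local\Temp\VMware-player-17.5.2-23775571.exe N/A
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\vsock\ImagePath = "system32\\DRIVERS\\vsock.sys" C:\Windows\System32\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\{410c0ee1-00bb-41b6-9772-e12c2828b02f} = "\"C:\\ProgramData\\Package Cache\\{410c0ee1-00bb-41b6-9772-e12c2828b02f}\\VC_redist.x86.exe\" /burn.runonce" C:\Windows\Temp\{040980F8-08CD-4BA2-8388-C5A4988B2D55}\.be\VC_redist.x86.exe N/A
File opened (read-only) \??\K: C:\Program Files (x86)\VMware\VMware Player\vmplayer.exe N/A
"""

if __name__ == "__main__":
    for image, events in pivot_by_process(SAMPLE_ROWS.splitlines()).items():
        print(image)
        for desc, ind in events:
            print(f"    {desc:<30} {ind}")
```

Feeding every table of the report through pivot_by_process gives one block per image, which is the view needed to separate what the original sample did from what msiexec.exe, DrvInst.exe and the installed VMware binaries did afterwards.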

Looks for VMWare Tools registry key

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SOFTWARE\VMware, Inc.\VMware Tools C:\Users\Admin\AppData\Local\Temp\VMware-player-17.5.2-23775571.exe N/A

Looks for VMWare drivers on disk

evasion
Description Indicator Process Target
File opened (read-only) C:\Windows\System32\drivers\vmci.sys C:\Windows\system32\DrvInst.exe N/A

Looks for VMWare services registry key.

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VMware C:\Windows\system32\msiexec.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VMware C:\Windows\system32\msiexec.exe N/A
Key security queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VMware C:\Windows\system32\msiexec.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VMware C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\vmx86 C:\Program Files (x86)\VMware\VMware Player\vnetlib64.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\vmci C:\Windows\System32\MsiExec.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VMware C:\Windows\system32\msiexec.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VMware C:\Windows\syswow64\MsiExec.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\vmx86 C:\Program Files (x86)\VMware\VMware Player\vnetlib64.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\vmci C:\Windows\System32\MsiExec.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\vmci C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\vmci C:\Windows\system32\DrvInst.exe N/A

Sets service image path in registry

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\vsock\ImagePath = "system32\\DRIVERS\\vsock.sys" C:\Windows\System32\MsiExec.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\{410c0ee1-00bb-41b6-9772-e12c2828b02f} = "\"C:\\ProgramData\\Package Cache\\{410c0ee1-00bb-41b6-9772-e12c2828b02f}\\VC_redist.x86.exe\" /burn.runonce" C:\Windows\Temp\{040980F8-08CD-4BA2-8388-C5A4988B2D55}\.be\VC_redist.x86.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\{8bdfe669-9705-4184-9368-db9ce581e0e7} = "\"C:\\ProgramData\\Package Cache\\{8bdfe669-9705-4184-9368-db9ce581e0e7}\\VC_redist.x64.exe\" /burn.runonce" C:\Windows\Temp\{E8D00CD8-A320-4CCB-94EE-495D94D999EF}\.be\VC_redist.x64.exe N/A
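Both the ImagePath written for the vsock driver above and the two RunOnce values are stored in shapes that have to be normalised before the referenced file can be located, hashed and signature-checked: the driver path is relative to %SystemRoot%, the RunOnce values are quoted command lines followed by arguments, and this report prints each value JSON-escaped (doubled backslashes, \" for embedded quotes). The Python below is an added example, not code from the report, the sandbox or VMware. It decodes the displayed value, separates the executable from its arguments (a quoted path is unambiguous; for an unquoted path containing spaces it takes the shortest prefix that ends in an executable extension, which is exactly where the unquoted-service-path weakness lives), and expands the %SystemRoot%-relative, \SystemRoot\ and \??\ prefixes. The SystemRoot location and the report's escaping format are assumptions.

```python
r"""Resolve service ImagePath and Run/RunOnce values to the file that will load.

The registry stores these in several shapes, all of which must be normalised
before the file can be located, hashed and signature-checked:
    system32\DRIVERS\vsock.sys                 relative to %SystemRoot%
    \SystemRoot\System32\drivers\x.sys         NT SystemRoot prefix
    \??\C:\Windows\System32\drivers\x.sys      NT object-manager path
    "C:\Program Files\V\x.exe" /arg            quoted Win32 command line
    C:\Program Files\V\x.exe /arg              unquoted command line (ambiguous)
"""
import json
import re

SYSTEM_ROOT = r"C:\Windows"  # assumed; on a live host read %SystemRoot% instead
EXE_EXTS = (".exe", ".sys", ".dll", ".com", ".bat", ".cmd", ".scr")
_DRIVE = re.compile(r"^[A-Za-z]:\\")


def decode_reported(value: str) -> str:
    r"""Undo the report's display escaping.

    Assumption: the report prints registry strings as JSON-style literals
    (wrapping quotes, \\ for a backslash, \" for an embedded quote). Values
    that do not decode as JSON are returned with only the wrapping quotes removed.
    """
    value = value.strip()
    if value.startswith('"') and value.endswith('"'):
        try:
            return json.loads(value)
        except json.JSONDecodeError:
            return value[1:-1]
    return value


def split_command(cmd: str):
    """Return (executable, arguments) for a registry command line."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        if end == -1:
            raise ValueError(f"unterminated quote in command line: {cmd!r}")
        return cmd[1:end], cmd[end + 1:].strip()
    tokens = cmd.split()
    if not tokens:
        raise ValueError("empty command line")
    # Unquoted path: CreateProcess tries "C:\Program", then "C:\Program Files\V\x.exe",
    # and so on, running the first file that exists (the unquoted-service-path
    # weakness). Statically, take the shortest prefix with an executable extension.
    for i in range(1, len(tokens) + 1):
        candidate = " ".join(tokens[:i])
        if candidate.lower().endswith(EXE_EXTS):
            return candidate, " ".join(tokens[i:])
    return tokens[0], " ".join(tokens[1:])


def expand_image_path(path: str, system_root: str = SYSTEM_ROOT) -> str:
    """Turn any of the ImagePath shapes into an absolute Win32 path."""
    p = path.strip().strip('"')
    low = p.lower()
    if low.startswith("\\??\\"):
        return p[4:]
    for prefix in ("\\systemroot\\", "%systemroot%\\"):
        if low.startswith(prefix):
            return system_root + "\\" + p[len(prefix):]
    if _DRIVE.match(p):
        return p
    return system_root + "\\" + p.lstrip("\\")  # bare path such as system32\DRIVERS\x.sys


def resolve_persistence_entry(reported_value: str, system_root: str = SYSTEM_ROOT):
    """Report-escaped registry value -> (absolute image path, argument string)."""
    exe, args = split_command(decode_reported(reported_value))
    return expand_image_path(exe, system_root), args


# Values exactly as printed in this report's "Set value (str)" rows.
IMAGEPATH_VSOCK = r'"system32\\DRIVERS\\vsock.sys"'
RUNONCE_VC_X86 = (r'"\"C:\\ProgramData\\Package Cache\\{410c0ee1-00bb-41b6-9772-e12c2828b02f}'
                  r'\\VC_redist.x86.exe\" /burn.runonce"')

if __name__ == "__main__":
    for v in (IMAGEPATH_VSOCK, RUNONCE_VC_X86):
        path, args = resolve_persistence_entry(v)
        print(f"{path}  args={args!r}")
```

The resolved path is what goes into Get-FileHash or a signature check; for the driver entry in particular, the ImagePath alone says nothing about whether the file at that location is the one the installer shipped.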

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\K: C:\Program Files (x86)\VMware\VMware Player\vmplayer.exe N/A
File opened (read-only) \??\W: C:\Program Files (x86)\VMware\VMware Player\vmplayer.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\VMware-player-17.5.2-23775571.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\VMware-player-17.5.2-23775571.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Program Files (x86)\VMware\VMware Player\vmplayer.exe N/A
File opened (read-only) \??\J: C:\Program Files (x86)\VMware\VMware Player\vmplayer.exe N/A
File opened (read-only) \??\O: C:\Program Files (x86)\VMware\VMware Player\vmplayer.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\VMware-player-17.5.2-23775571.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\VMware-player-17.5.2-23775571.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\VMware-player-17.5.2-23775571.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\VMware-player-17.5.2-23775571.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Program Files (x86)\VMware\VMware Player\vmplayer.exe N/A
File opened (read-only) \??\Y: C:\Program Files (x86)\VMware\VMware Player\vmplayer.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\VMware-player-17.5.2-23775571.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Program Files (x86)\VMware\VMware Player\vmplayer.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\VMware-player-17.5.2-23775571.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Program Files (x86)\VMware\VMware Player\vmplayer.exe N/A
File opened (read-only) \??\I: C:\Program Files (x86)\VMware\VMware Player\vmplayer.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\VMware-player-17.5.2-23775571.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\VMware-player-17.5.2-23775571.exe N/A
File opened (read-only) \??\A: C:\Program Files (x86)\VMware\VMware Player\vmplayer.exe N/A
File opened (read-only) \??\E: C:\Program Files (x86)\VMware\VMware Player\vmplayer.exe N/A
File opened (read-only) \??\Z: C:\Program Files (x86)\VMware\VMware Player\vmplayer.exe N/A
File opened (read-only) \??\B: C:\Program Files (x86)\VMware\VMware Player\vmplayer.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\VMware-player-17.5.2-23775571.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\VMware-player-17.5.2-23775571.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\VMware-player-17.5.2-23775571.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\VMware-player-17.5.2-23775571.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\VMware-player-17.5.2-23775571.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Program Files (x86)\VMware\VMware Player\vmplayer.exe N/A
File opened (read-only) \??\S: C:\Program Files (x86)\VMware\VMware Player\vmplayer.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\VMware-player-17.5.2-23775571.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\VMware-player-17.5.2-23775571.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\VMware-player-17.5.2-23775571.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\VMware-player-17.5.2-23775571.exe N/A
File opened (read-only) \??\V: C:\Program Files (x86)\VMware\VMware Player\vmplayer.exe N/A
File opened (read-only) \??\M: C:\Program Files (x86)\VMware\VMware Player\vmplayer.exe N/A
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\VMware-player-17.5.2-23775571.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\VMware-player-17.5.2-23775571.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Program Files (x86)\VMware\VMware Player\vmplayer.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Program Files (x86)\VMware\VMware Player\vmplayer.exe N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PhysicalDrive0 C:\Program Files (x86)\VMware\VMware Player\vmplayer.exe N/A
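The row above records only that vmplayer.exe opened \??\PhysicalDrive0 with write access; it does not show whether any sector was written, and opening the raw disk device is also how software enumerates physical disks or reads the partition table. The practical check is to capture the first 512 bytes of the disk before and after the install and compare the regions a bootkit would have to change. The Python below is an added example, not code from the report or from VMware: it parses an MBR (boot code, disk signature, four partition entries, 0x55AA boot signature), hashes the boot code separately from the disk signature so that a legitimate re-signature of the disk is not mistaken for a boot-code overwrite, and reports which regions differ. The sectors it uses are constructed in the code; on a live Windows host the baseline comes from reading 512 bytes of \\.\PhysicalDrive0 as administrator.

```python
"""Parse a 512-byte MBR and report which regions changed between two captures.

Sector layout (little-endian):
    0x000..0x1B7  bootstrap code (440 bytes)
    0x1B8..0x1BB  disk signature
    0x1BC..0x1BD  usually zero
    0x1BE..0x1FD  four 16-byte partition entries
    0x1FE..0x1FF  0x55 0xAA boot signature
"""
import hashlib
import struct
from dataclasses import dataclass

SECTOR = 512
BOOT_SIG = b"\x55\xaa"
DISK_SIG_OFF = 0x1B8
PART_TABLE_OFF = 0x1BE
PART_FMT = "<B3xB3xII"  # status, CHS start (skipped), type, CHS end (skipped), LBA, count


@dataclass(frozen=True)
class Partition:
    bootable: bool
    type_id: int
    lba_start: int
    sectors: int


@dataclass(frozen=True)
class Mbr:
    bootcode_sha256: str
    disk_signature: int
    partitions: tuple


def parse_mbr(sector: bytes) -> Mbr:
    """Validate the boot signature and decode the MBR regions."""
    if len(sector) != SECTOR:
        raise ValueError(f"expected {SECTOR} bytes, got {len(sector)}")
    if sector[0x1FE:0x200] != BOOT_SIG:
        raise ValueError("missing 0x55AA boot signature: not a valid MBR")
    parts = []
    for i in range(4):
        status, type_id, lba, count = struct.unpack_from(PART_FMT, sector, PART_TABLE_OFF + 16 * i)
        if type_id == 0:
            continue  # empty slot
        parts.append(Partition(status == 0x80, type_id, lba, count))
    (disk_sig,) = struct.unpack_from("<I", sector, DISK_SIG_OFF)
    # Hash the boot code only; the disk signature is excluded deliberately.
    return Mbr(hashlib.sha256(sector[:DISK_SIG_OFF]).hexdigest(), disk_sig, tuple(parts))


def diff_mbr(before: bytes, after: bytes) -> list:
    """Names of the regions that differ between two captured sectors."""
    a, b = parse_mbr(before), parse_mbr(after)
    changed = []
    if a.bootcode_sha256 != b.bootcode_sha256:
        changed.append("bootcode")
    if a.disk_signature != b.disk_signature:
        changed.append("disk_signature")
    if a.partitions != b.partitions:
        changed.append("partition_table")
    return changed


def build_sample_mbr(bootcode: bytes, disk_sig: int, partitions) -> bytes:
    """Assemble a constructed test sector (not captured from the analysed host)."""
    if len(bootcode) > DISK_SIG_OFF:
        raise ValueError("boot code overlaps the disk signature")
    buf = bytearray(SECTOR)
    buf[:len(bootcode)] = bootcode
    struct.pack_into("<I", buf, DISK_SIG_OFF, disk_sig)
    for i, p in enumerate(partitions):
        struct.pack_into(PART_FMT, buf, PART_TABLE_OFF + 16 * i,
                         0x80 if p.bootable else 0x00, p.type_id, p.lba_start, p.sectors)
    buf[0x1FE:0x200] = BOOT_SIG
    return bytes(buf)


# Constructed baseline: a few plausible real-mode opcodes, one active NTFS partition.
SAMPLE_BOOTCODE = b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c\xfb" + b"\x00" * (DISK_SIG_OFF - 9)
SAMPLE_PARTS = (Partition(True, 0x07, 2048, 204800),)
BASELINE = build_sample_mbr(SAMPLE_BOOTCODE, 0x1234ABCD, SAMPLE_PARTS)
# Constructed "after" sector whose first instruction was replaced by a jump.
TAMPERED = build_sample_mbr(b"\xe9\x00\x7e" + SAMPLE_BOOTCODE[3:], 0x1234ABCD, SAMPLE_PARTS)

if __name__ == "__main__":
    print("changed regions:", diff_mbr(BASELINE, TAMPERED))
```

This covers the legacy-BIOS boot path only. On a GPT-partitioned, UEFI-booted machine the first sector is a protective MBR and the boot chain runs through the EFI system partition, so the bootloader files there need their own before-and-after hashes.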

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation C:\Windows\Temp\{52B97F84-1588-4D19-BE38-1998F9E2175C}\.cr\vcredist_x86.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation C:\Windows\Temp\{A4D93C42-2F99-4C21-A0C5-89E2B351CAE3}\.cr\vcredist_x64.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\system32\msvcp140.dll C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\SysWOW64\SET8C89.tmp C:\Windows\System32\MsiExec.exe N/A
File created C:\Windows\SysWOW64\vmsrchTemp.txt C:\Windows\syswow64\MsiExec.exe N/A
File opened for modification C:\Windows\SysWOW64\mfc140u.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\system32\mfc140u.dll C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\system32\vnetlib64.dll C:\Program Files (x86)\VMware\VMware Player\vnetlib64.exe N/A
File opened for modification C:\Windows\System32\DriverStore\Temp\{bf937a44-1478-6e49-a4fc-0bbfb7f3e3b2}\vmnetadapter.sys C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\SysWOW64\mfc140cht.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\SysWOW64\mfc140enu.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\System32\DriverStore\Temp\{8a4c40ad-f23c-1c48-928f-830428895a13}\SET6152.tmp C:\Windows\system32\DrvInst.exe N/A
File created C:\Windows\SysWOW64\mfc140fra.dll C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\system32\mfc140u.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\system32\perfh010.dat C:\Windows\syswow64\MsiExec.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\netnb.inf_amd64_0dc913ad00b14824\netnb.PNF C:\Program Files (x86)\VMware\VMware Player\vnetlib64.exe N/A
File opened for modification C:\Windows\system32\DRVSTORE\vsock_91D4AA923191C17024EC2122FC89C72E5812E906\vsock.inf C:\Windows\System32\MsiExec.exe N/A
File created C:\Windows\system32\DRVSTORE\vsock_91D4AA923191C17024EC2122FC89C72E5812E906\vsock.inf C:\Windows\System32\MsiExec.exe N/A
File created C:\Windows\system32\SET8C88.tmp C:\Windows\System32\MsiExec.exe N/A
File created C:\Windows\SysWOW64\SET8C89.tmp C:\Windows\System32\MsiExec.exe N/A
File opened for modification C:\Windows\SysWOW64\vcomp140.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\system32\DRVSTORE\hcmon_AE2641AF84DF5670FA8422233CEAC89B307A0500\hcmon.sys C:\Program Files (x86)\Common Files\VMware\USB\vnetlib64.exe N/A
File opened for modification C:\Windows\SysWOW64\msvcp140_codecvt_ids.dll C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\vmusb.inf_amd64_bb336ccced75363c\vmusb.inf C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\SysWOW64\msvcp140_atomic_wait.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\SysWOW64\msvcp140_codecvt_ids.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\System32\DriverStore\Temp\{193dbe67-77cd-154c-8238-c823f971a0c7}\SET52F9.tmp C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\DriverStore\Temp\{bf937a44-1478-6e49-a4fc-0bbfb7f3e3b2}\vnetinst.dll C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\system32\mfc140chs.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\System32\DriverStore\Temp\{8a4c40ad-f23c-1c48-928f-830428895a13}\SET6151.tmp C:\Windows\system32\DrvInst.exe N/A
File created C:\Windows\SysWOW64\mfc140kor.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\system32\perfh00C.dat C:\Windows\syswow64\MsiExec.exe N/A
File created C:\Windows\system32\DRVSTORE\netuserif_58711DA5F5777EBD18942543251CD2F96A4E1EE5\vmnetuserif.sys C:\Program Files (x86)\VMware\VMware Player\vnetlib64.exe N/A
File opened for modification C:\Windows\System32\DriverStore\Temp\{bf937a44-1478-6e49-a4fc-0bbfb7f3e3b2}\vmnetadapter.cat C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\DriverStore\Temp\{bf937a44-1478-6e49-a4fc-0bbfb7f3e3b2}\SET7F49.tmp C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\SysWOW64\mfc140jpn.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\system32\msvcp140_atomic_wait.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\system32\mfc140cht.dll C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\SysWOW64\mfcm140u.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\system32\mfcm140u.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\netadapter.inf_amd64_1b7e5f451712307a\netadapter.PNF C:\Program Files (x86)\VMware\VMware Player\vnetlib64.exe N/A
File created C:\Windows\system32\perfc00A.dat C:\Windows\syswow64\MsiExec.exe N/A
File opened for modification C:\Windows\system32\DRVSTORE\hcmon_AE2641AF84DF5670FA8422233CEAC89B307A0500\hcmon.inf C:\Program Files (x86)\Common Files\VMware\USB\vnetlib64.exe N/A
File opened for modification C:\Windows\SysWOW64\mfc140esn.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\SysWOW64\PerfStringBackup.TMP C:\Windows\syswow64\MsiExec.exe N/A
File created C:\Windows\System32\DriverStore\Temp\{8a4c40ad-f23c-1c48-928f-830428895a13}\SET6153.tmp C:\Windows\system32\DrvInst.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\netnwifi.inf_amd64_a2bfd066656fe297\netnwifi.PNF C:\Program Files (x86)\VMware\VMware Player\vnetlib64.exe N/A
File created C:\Windows\SysWOW64\vcruntime140.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\SysWOW64\mfc140rus.dll C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\System32\CatRoot2\dberr.txt C:\Program Files (x86)\Common Files\VMware\USB\vnetlib64.exe N/A
File opened for modification C:\Windows\system32\DRVSTORE\netuserif_58711DA5F5777EBD18942543251CD2F96A4E1EE5\netuserif.inf C:\Program Files (x86)\VMware\VMware Player\vnetlib64.exe N/A
File opened for modification C:\Windows\System32\DriverStore\Temp\{bf937a44-1478-6e49-a4fc-0bbfb7f3e3b2}\SET7F7B.tmp C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\system32\msvcp140_codecvt_ids.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\system32\perfc011.dat C:\Windows\syswow64\MsiExec.exe N/A
File opened for modification C:\Windows\System32\DriverStore\Temp\{193dbe67-77cd-154c-8238-c823f971a0c7}\vmusb.cat C:\Windows\system32\DrvInst.exe N/A
File created C:\Windows\System32\DriverStore\Temp\{193dbe67-77cd-154c-8238-c823f971a0c7}\SET52FA.tmp C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\DriverStore\Temp\{8a4c40ad-f23c-1c48-928f-830428895a13}\SET6153.tmp C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\DriverStore\Temp\{8a4c40ad-f23c-1c48-928f-830428895a13}\vmnet.sys C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\netbridge.inf_amd64_795340d0273da4f7\vmnetbridge.sys C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\DriverStore\Temp\{8a4c40ad-f23c-1c48-928f-830428895a13} C:\Windows\system32\DrvInst.exe N/A
File created C:\Windows\system32\DRVSTORE\netuserif_58711DA5F5777EBD18942543251CD2F96A4E1EE5\vmnet.sys C:\Program Files (x86)\VMware\VMware Player\vnetlib64.exe N/A
File created C:\Windows\system32\SET64EC.tmp C:\Program Files (x86)\VMware\VMware Player\vnetlib64.exe N/A
File opened for modification C:\Windows\system32\DRVSTORE C:\Program Files (x86)\Common Files\VMware\USB\vnetlib64.exe N/A
File opened for modification C:\Windows\system32\vnetinst.dll C:\Program Files (x86)\VMware\VMware Player\vnetlib64.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\vmci.inf_amd64_68ed49469341f563\vmci.PNF C:\Windows\System32\MsiExec.exe N/A
File created C:\Windows\SysWOW64\vccorlib140.dll C:\Windows\system32\msiexec.exe N/A

Checks installed software on the system

discovery

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\VMware\VMware Player\vmappsdk.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Common Files\VMware\USB\vnetlib64.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\VMware\VMware Player\OVFTool\env\ovftool-hw19-config-option.xml C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\VMware\VMware Player\iconv.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\VMware\VMware Player\x64\SCSI.ROM C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\VMware\VMware Player\OVFTool\env\ovftool-hw20-config-option.xml C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\VMware\VMware Player\x64\BIOS.440.ROM C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\VMware\VMware Player\vmnetBridge.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Common Files\VMware\Drivers\vmci\sockets\Win8\vsocklib_x86.dll C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\VMware\InstallerCache\{F47C8797-293D-4702-A238-F1EF11F8A1B0}.msi C:\Users\Admin\AppData\Local\Temp\VMware-player-17.5.2-23775571.exe N/A
File created C:\Program Files (x86)\VMware\VMware Player\vmauthd.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\VMware\VMware Player\OVFTool\env\iso2psx.vlcl C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\VMware\VMware Player\ico\import.ico C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\VMware\VMware Player\x64\zlib1.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\VMware\VMware Player\x64\mksSandbox.exe C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Common Files\VMware\USB\vmware-usbarbitrator64.exe C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Common Files\VMware\USB\DriverCache\vnetlib.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\VMware\VMware Player\OVFTool\libexpat.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\VMware\VMware Player\7za.exe C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\VMware\VMware Player\glibmm-2.4.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\VMware\VMware Player\OVFTool\schemas\DMTF\CIM_VirtualSystemSettingData.xsd C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\VMware\VMware Player\OVFTool\zlib1.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\VMware\VMware Player\x64\PXE-VMXNET3.ROM C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\VMware\VMware Player\ico\vd.ico C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\VMware\VMware Player\OVFTool\open_source_licenses.txt C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\VMware\VMware Player\OVFTool\env\ovftool-hw15-config-option.xml C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Common Files\VMware\Drivers\vmci\device\Win8\vmci.inf C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\VMware\VMware Player\vkd\lib-initrd C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\VMware\VMware Player\libcds.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\VMware\VMware Player\x64\PVSCSI.ROM C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\VMware\VMware Player\OVFTool\env\en\locmsg.vmsg C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\VMware\VMware Player\OVFTool\env\en\stask.vmsg C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\VMware\VMware Player\vkd\crx-podvm-initrd C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\VMware\VMware Player\vmapputil.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\VMware\VMware Player\vmPerfmon.ini C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\VMware\VMware Player\messages\zh_CN\vmui-zh_CN.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\VMware\VMware Player\ovftool_open_source_licenses.txt C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\VMware\VMware Player\vmPerfmon.h C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\VMware\VMware Player\OVFTool\vmacore.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\VMware\VMware Player\vkd\vkd-initrd C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\VMware\VMware Player\x64\PXE-VMXNET.ROM C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\VMware\VMware Player\ico\suspend.ico C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\VMware\VMware Player\gthread-2.0.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Common Files\VMware\Drivers\hcmon\Win7\hcmonver.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\VMware\VMware Player\vkd\coredns-initrd C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\VMware\VMware Player\libcurl.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\VMware\VMware Player\tools-upgraders\VMwareToolsUpgrader9x.exe C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Common Files\VMware\Drivers\hcmon\Win7\hcmon.sys C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\VMware\VMware Player\OVFTool\env\en\auth.vmsg C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\VMware\VMware Player\OVFTool\vmware.eula C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Common Files\VMware\Drivers\vmci\sockets\Win8\vsock.cat C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\VMware\VMware Player\x64\PXE-E1000.ROM C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\VMware\VMware Player\vmnetuserif.cat C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\VMware\VMware Player\ico\snapshot.ico C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\VMware\VMware Player\OVFTool\env\ovftool-hw10-config-option.xml C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\VMware\VMware Player\icudt44l.dat C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\VMware\VMware Player\libexpat.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\VMware\VMware Player\x64\vmware-vmx-debug.exe C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\VMware\VMware Player\vnetlib.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\VMware\VMware Player\OVFTool\icuuc60.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\VMware\VMware Player\OVFTool\env\iso2win.vlcl C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\VMware\VMware Player\OVFTool\env\ovftool-hw13-config-option.xml C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\VMware\VMware Player\vmnet.sys C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\VMware\VMware Player\vmnetadapter.cat C:\Windows\system32\msiexec.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Installer\MSI9216.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\e582672.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\inf\VMware\vmPerfmon.h C:\Windows\syswow64\MsiExec.exe N/A
File opened for modification C:\Windows\inf\VMware\vmPerfmon.ini C:\Windows\syswow64\MsiExec.exe N/A
File opened for modification C:\Windows\INF\setupapi.dev.log C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI31FC.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\e582621.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI4EFA.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI4FD8.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI8E04.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\inf\oem6.inf C:\Windows\system32\DrvInst.exe N/A
File created C:\Windows\Installer\inprogressinstallinfo.ipi C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\e582633.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI36B3.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI37AE.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI3D44.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\INF\oem1.PNF C:\Program Files (x86)\Common Files\VMware\USB\DriverCache\vnetlib64.exe N/A
File opened for modification C:\Windows\Installer\e582633.msi C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\{F47C8797-293D-4702-A238-F1EF11F8A1B0}\_generic.ico C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI4F3A.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI8AD6.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\e582676.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\e582672.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI545E.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI8F26.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\e58265c.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI39E5.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI3B2F.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\inf\oem5.inf C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\INF\setupapi.dev.log C:\Windows\System32\MsiExec.exe N/A
File opened for modification C:\Windows\Installer\MSI8F05.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\INF\setupapi.dev.log C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\Installer\MSI2A0A.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\SourceHash{0025DD72-A959-45B5-A0A3-7EFEB15A8050} C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI3625.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI4E0F.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI551C.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\INF\setupapi.dev.log C:\Program Files (x86)\VMware\VMware Player\vnetlib64.exe N/A
File created C:\Windows\inf\oem6.inf C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\Installer\MSI3927.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\inf\oem3.inf C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\Installer\MSI315F.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI4FE7.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\INF\oem3.PNF C:\Windows\syswow64\MsiExec.exe N/A
File opened for modification C:\Windows\Installer\MSI8E34.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\INF\oem2.PNF C:\Program Files (x86)\Common Files\VMware\USB\DriverCache\vnetlib64.exe N/A
File opened for modification C:\Windows\INF\setupapi.dev.log C:\Windows\system32\DrvInst.exe N/A
File created C:\Windows\inf\oem4.inf C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\Installer\MSI8F94.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\SourceHash{73F77E4E-5A17-46E5-A5FC-8A061047725F} C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI2EED.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI4FE9.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI6105.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\INF\setupapi.dev.log C:\Program Files (x86)\VMware\VMware Player\vnetlib64.exe N/A
File opened for modification C:\Windows\Installer\MSI8D86.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI4FA8.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\INF\oem0.PNF C:\Program Files (x86)\Common Files\VMware\USB\DriverCache\vnetlib64.exe N/A
File created C:\Windows\Installer\SourceHash{D5D19E2F-7189-42FE-8103-92CD1FA457C2} C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\INF\setupapi.dev.log C:\Windows\system32\svchost.exe N/A
File opened for modification C:\Windows\Installer\MSI89DB.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\e582649.msi C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\SourceHash{F47C8797-293D-4702-A238-F1EF11F8A1B0} C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\inf\VMware\vmPerfmon.ini C:\Windows\syswow64\MsiExec.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\{F47C8797-293D-4702-A238-F1EF11F8A1B0}~setup\vcredist_x86.exe N/A
N/A N/A C:\Windows\Temp\{52B97F84-1588-4D19-BE38-1998F9E2175C}\.cr\vcredist_x86.exe N/A
N/A N/A C:\Windows\Temp\{040980F8-08CD-4BA2-8388-C5A4988B2D55}\.be\VC_redist.x86.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\{F47C8797-293D-4702-A238-F1EF11F8A1B0}~setup\vcredist_x64.exe N/A
N/A N/A C:\Windows\Temp\{A4D93C42-2F99-4C21-A0C5-89E2B351CAE3}\.cr\vcredist_x64.exe N/A
N/A N/A C:\Windows\Temp\{E8D00CD8-A320-4CCB-94EE-495D94D999EF}\.be\VC_redist.x64.exe N/A
N/A N/A C:\Program Files (x86)\Common Files\VMware\USB\DriverCache\vnetlib64.exe N/A
N/A N/A C:\Program Files (x86)\Common Files\VMware\USB\DriverCache\vnetlib64.exe N/A
N/A N/A C:\Program Files (x86)\Common Files\VMware\USB\vnetlib64.exe N/A
N/A N/A C:\Program Files (x86)\VMware\VMware Player\vnetlib64.exe N/A
N/A N/A C:\Program Files (x86)\VMware\VMware Player\vnetlib64.exe N/A
N/A N/A C:\Program Files (x86)\VMware\VMware Player\vnetlib64.exe N/A
N/A N/A C:\Program Files (x86)\VMware\VMware Player\vnetlib64.exe N/A
N/A N/A C:\Program Files (x86)\VMware\VMware Player\vnetlib64.exe N/A
N/A N/A C:\Program Files (x86)\VMware\VMware Player\vnetlib64.exe N/A
N/A N/A C:\Program Files (x86)\VMware\VMware Player\vnetlib64.exe N/A
N/A N/A C:\Program Files (x86)\VMware\VMware Player\vnetlib64.exe N/A
N/A N/A C:\Program Files (x86)\VMware\VMware Player\vnetlib64.exe N/A
N/A N/A C:\Program Files (x86)\VMware\VMware Player\vnetlib64.exe N/A
N/A N/A C:\Program Files (x86)\VMware\VMware Player\vnetlib64.exe N/A
N/A N/A C:\Program Files (x86)\VMware\VMware Player\vnetlib64.exe N/A
N/A N/A C:\Program Files (x86)\VMware\VMware Player\vnetlib64.exe N/A
N/A N/A C:\Program Files (x86)\VMware\VMware Player\vnetlib64.exe N/A
N/A N/A C:\Program Files (x86)\VMware\VMware Player\vnetlib64.exe N/A
N/A N/A C:\Program Files (x86)\VMware\VMware Player\vnetlib64.exe N/A
N/A N/A C:\Program Files (x86)\VMware\VMware Player\vnetlib64.exe N/A
N/A N/A C:\Program Files (x86)\VMware\VMware Player\vnetlib64.exe N/A
N/A N/A C:\Program Files (x86)\VMware\VMware Player\vnetlib64.exe N/A
N/A N/A C:\Program Files (x86)\VMware\VMware Player\vnetlib64.exe N/A
N/A N/A C:\Program Files (x86)\VMware\VMware Player\vnetlib64.exe N/A
N/A N/A C:\Program Files (x86)\VMware\VMware Player\vnetlib64.exe N/A
N/A N/A C:\Program Files (x86)\VMware\VMware Player\vnetlib64.exe N/A
N/A N/A C:\Program Files (x86)\VMware\VMware Player\vnetlib64.exe N/A
N/A N/A C:\Program Files (x86)\VMware\VMware Player\vnetlib64.exe N/A
N/A N/A C:\Program Files (x86)\VMware\VMware Player\vnetlib64.exe N/A
N/A N/A C:\Program Files (x86)\VMware\VMware Player\vnetlib64.exe N/A
N/A N/A C:\Program Files (x86)\Common Files\VMware\USB\vmware-usbarbitrator64.exe N/A
N/A N/A C:\Program Files (x86)\VMware\VMware Player\vmplayer.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\Temp\{52B97F84-1588-4D19-BE38-1998F9E2175C}\.cr\vcredist_x86.exe N/A
N/A N/A C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe N/A
N/A N/A C:\Windows\Temp\{A4D93C42-2F99-4C21-A0C5-89E2B351CAE3}\.cr\vcredist_x64.exe N/A
N/A N/A C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\System32\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\System32\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\System32\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\System32\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Program Files (x86)\Common Files\VMware\USB\vnetlib64.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Program Files (x86)\VMware\VMware Player\vnetlib64.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Program Files (x86)\VMware\VMware Player\vnetlib64.exe N/A
N/A N/A C:\Program Files (x86)\VMware\VMware Player\vnetlib64.exe N/A
N/A N/A C:\Program Files (x86)\VMware\VMware Player\vnetlib64.exe N/A
N/A N/A C:\Program Files (x86)\VMware\VMware Player\vnetlib64.exe N/A
N/A N/A C:\Program Files (x86)\VMware\VMware Player\vnetlib64.exe N/A
N/A N/A C:\Program Files (x86)\VMware\VMware Player\vnetlib64.exe N/A
N/A N/A C:\Program Files (x86)\VMware\VMware Player\vnetlib64.exe N/A
N/A N/A C:\Program Files (x86)\VMware\VMware Player\vnetlib64.exe N/A
N/A N/A C:\Program Files (x86)\VMware\VMware Player\vnetlib64.exe N/A
N/A N/A C:\Program Files (x86)\VMware\VMware Player\vnetlib64.exe N/A
N/A N/A C:\Program Files (x86)\VMware\VMware Player\vnetlib64.exe N/A
N/A N/A C:\Windows\system32\DrvInst.exe N/A

Registers COM server for autorun

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3d09c1ca-2bcc-40b7-b9bb-3f3ec143a87b}\InProcServer32 C:\Program Files (x86)\VMware\VMware Player\vnetlib64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3d09c1ca-2bcc-40b7-b9bb-3f3ec143a87b}\InProcServer32\ = "C:\\Program Files (x86)\\VMware\\VMware Player\\vmnetbridge.dll" C:\Program Files (x86)\VMware\VMware Player\vnetlib64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3d09c1ca-2bcc-40b7-b9bb-3f3ec143a87b}\InProcServer32\ThreadingModel = "Both" C:\Program Files (x86)\VMware\VMware Player\vnetlib64.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A\ C:\Program Files (x86)\VMware\VMware Player\vnetlib64.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags C:\Program Files (x86)\VMware\VMware Player\vnetlib64.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Service C:\Windows\system32\DrvInst.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID C:\Windows\system32\DrvInst.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom C:\Windows\system32\DrvInst.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001 C:\Windows\system32\DrvInst.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A C:\Program Files (x86)\VMware\VMware Player\vnetlib64.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\LowerFilters C:\Windows\system32\DrvInst.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\CompatibleIDs C:\Windows\system32\DrvInst.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\CompatibleIDs C:\Windows\System32\MsiExec.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\UpperFilters C:\Windows\system32\DrvInst.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\LowerFilters C:\Windows\system32\DrvInst.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Filters C:\Windows\system32\DrvInst.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 C:\Program Files (x86)\VMware\VMware Player\vnetlib64.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\UpperFilters C:\Windows\system32\DrvInst.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags C:\Program Files (x86)\VMware\VMware Player\vnetlib64.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Service C:\Windows\system32\DrvInst.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Service C:\Windows\system32\DrvInst.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 C:\Program Files (x86)\VMware\VMware Player\vnetlib64.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr C:\Windows\system32\vssvc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 C:\Program Files (x86)\VMware\VMware Player\vnetlib64.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A C:\Program Files (x86)\VMware\VMware Player\vnetlib64.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 C:\Windows\system32\DrvInst.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID C:\Program Files (x86)\VMware\VMware Player\vnetlib64.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\LowerFilters C:\Windows\system32\DrvInst.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs C:\Program Files (x86)\VMware\VMware Player\vnetlib64.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 C:\Program Files (x86)\VMware\VMware Player\vnetlib64.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009 C:\Windows\system32\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID C:\Windows\system32\DrvInst.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 C:\Program Files (x86)\VMware\VMware Player\vnetlib64.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags C:\Program Files (x86)\VMware\VMware Player\vnetlib64.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 C:\Windows\system32\DrvInst.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\LowerFilters C:\Windows\system32\DrvInst.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 C:\Windows\system32\DrvInst.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 C:\Windows\System32\MsiExec.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Phantom C:\Windows\system32\DrvInst.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags C:\Windows\system32\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs C:\Windows\system32\DrvInst.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom C:\Windows\system32\DrvInst.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 C:\Windows\system32\taskmgr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001 C:\Program Files (x86)\VMware\VMware Player\vnetlib64.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID C:\Program Files (x86)\VMware\VMware Player\vnetlib64.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\UpperFilters C:\Windows\system32\DrvInst.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002 C:\Program Files (x86)\VMware\VMware Player\vnetlib64.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001 C:\Windows\system32\DrvInst.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 C:\Windows\system32\DrvInst.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID C:\Windows\system32\DrvInst.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 C:\Windows\system32\DrvInst.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID C:\Windows\system32\DrvInst.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom C:\Program Files (x86)\VMware\VMware Player\vnetlib64.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs C:\Program Files (x86)\VMware\VMware Player\vnetlib64.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001 C:\Windows\System32\MsiExec.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters C:\Windows\system32\vssvc.exe N/A
Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = [value omitted] C:\Windows\system32\vssvc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\system32\taskmgr.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID C:\Program Files (x86)\VMware\VMware Player\vnetlib64.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001 C:\Program Files (x86)\VMware\VMware Player\vnetlib64.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID C:\Windows\system32\DrvInst.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs C:\Windows\system32\DrvInst.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Phantom C:\Windows\system32\DrvInst.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs C:\Program Files (x86)\VMware\VMware Player\vnetlib64.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom C:\Program Files (x86)\VMware\VMware Player\vnetlib64.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 C:\Windows\system32\DrvInst.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\UpperFilters C:\Windows\system32\DrvInst.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files (x86)\VMware\VMware Player\vmplayer.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 C:\Program Files (x86)\VMware\VMware Player\vmplayer.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString C:\Program Files (x86)\VMware\VMware Player\vmplayer.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\6 C:\Program Files (x86)\VMware\VMware Player\vmplayer.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files (x86)\VMware\VMware Player\vmplayer.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\2 C:\Program Files (x86)\VMware\VMware Player\vmplayer.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\3 C:\Program Files (x86)\VMware\VMware Player\vmplayer.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\4 C:\Program Files (x86)\VMware\VMware Player\vmplayer.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\5 C:\Program Files (x86)\VMware\VMware Player\vmplayer.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\7 C:\Program Files (x86)\VMware\VMware Player\vmplayer.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter C:\Program Files (x86)\VMware\VMware Player\vmplayer.exe N/A
Key enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter C:\Program Files (x86)\VMware\VMware Player\vmplayer.exe N/A
Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter C:\Program Files (x86)\VMware\VMware Player\vmplayer.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\SerialController C:\Program Files (x86)\VMware\VMware Player\vmplayer.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1\SerialController C:\Program Files (x86)\VMware\VMware Player\vmplayer.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2\SerialController C:\Program Files (x86)\VMware\VMware Player\vmplayer.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{BC1F4B6F-13AB-4239-8C79-D6DCADC52BAA} C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{BC1F4B6F-13AB-4239-8C79-D6DCADC52BAA}\Compatibility Flags = "1024" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{DFC76A6B-4873-458C-AB00-40B1FC028001} C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{DFC76A6B-4873-458C-AB00-40B1FC028001}\Compatibility Flags = "1024" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{420F0000-71EB-4757-B979-418F039FC1F9} C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{420F0000-71EB-4757-B979-418F039FC1F9}\Compatibility Flags = "1024" C:\Windows\system32\msiexec.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\System32\MsiExec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Program Files (x86)\VMware\VMware Player\vnetlib64.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Program Files (x86)\VMware\VMware Player\vnetlib64.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\System32\MsiExec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Program Files (x86)\Common Files\VMware\USB\vnetlib64.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Program Files (x86)\VMware\VMware Player\vnetlib64.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\System32\MsiExec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Windows\System32\MsiExec.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\2F C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\30 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Program Files (x86)\Common Files\VMware\USB\vnetlib64.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Program Files (x86)\Common Files\VMware\USB\vnetlib64.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\System32\MsiExec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\System32\MsiExec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Program Files (x86)\Common Files\VMware\USB\vnetlib64.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Program Files (x86)\VMware\VMware Player\vnetlib64.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\System32\MsiExec.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\2D C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Program Files (x86)\Common Files\VMware\USB\vnetlib64.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Program Files (x86)\Common Files\VMware\USB\vnetlib64.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Program Files (x86)\VMware\VMware Player\vnetlib64.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Program Files (x86)\Common Files\VMware\USB\vnetlib64.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Program Files (x86)\VMware\VMware Player\vnetlib64.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\system32\DrvInst.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{35FCE01E-8917-496E-A509-497C5F2FA365} C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeMinimumVSU_amd64,v14 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VMware.SuspendState\DefaultIcon\ = "C:\\Program Files (x86)\\VMware\\VMware Player\\ico\\suspend.ico,0" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{420F0000-71EB-4757-B979-418F039FC1F9}\ProgID\ = "Elevated.ElevMgr.1" C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{724E960E-F6FC-43F5-AF3F-98319A1306EF}\ProxyStubClsid32 C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Elevated.VMXCreator\CLSID\ = "{DFC76A6B-4873-458C-AB00-40B1FC028001}" C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D0F223F1-7DB1-44CA-BED8-3406303FE26F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{CA7F48B7-D5BF-4F7D-8C12-8EEDF60AB7F4}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{CA7F48B7-D5BF-4F7D-8C12-8EEDF60AB7F4} C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C20C19CE-FBF7-42CD-973A-6ACB5BBEFB9C}\TypeLib C:\Windows\syswow64\MsiExec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\BAC95C2C6678DBA48AFE11153AC6145E\AuthorizedLUAApp = "0" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F2E91D5D9817EF24183029DCF14A752C C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\vmware-rvm\shell\open\command C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.ovf C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeAdditionalVSU_amd64,v14\ = "{0025DD72-A959-45B5-A0A3-7EFEB15A8050}" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\27DD5200959A5B540A3AE7EF1BA50805\PackageCode = "1BE5B2DDE80EDC54D874D240756DB43A" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\27DD5200959A5B540A3AE7EF1BA50805\SourceList\PackageName = "vc_runtimeAdditional_x64.msi" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F9A6DAE7-CF0E-4D39-A914-B054FC37C99F}\TypeLib C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\BAC95C2C6678DBA48AFE11153AC6145E\SourceList\Media C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VMware.OVAPackage\shell C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2E121724-EB62-476B-B55C-B14FCE7EACF5} C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{68C57A6A-2F94-4D7A-A1F9-3433C46E6D0F}\1.0\0\win32 C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E459BB84-7D3A-4FDD-B1E5-969E88F61DB6} C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeMinimumVSU_x86,v14 C:\Windows\system32\msiexec.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\CLASSES\INSTALLER\DEPENDENCIES\VC,REDIST.X64,AMD64,14.30,BUNDLE\DEPENDENTS\{57A73DF6-4BA9-4C1D-BBBB-517289FF6C13} C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\vmrc\DefaultIcon C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3d09c1ca-2bcc-40b7-b9bb-3f3ec143a87b}\InProcServer32 C:\Program Files (x86)\VMware\VMware Player\vnetlib64.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F2E91D5D9817EF24183029DCF14A752C\Assignment = "1" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\.vmss C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4548A7B2-5C17-400E-8D62-84DB4D79221F}\TypeLib C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeAdditionalVSU_amd64,v14 C:\Windows\Temp\{E8D00CD8-A320-4CCB-94EE-495D94D999EF}\.be\VC_redist.x64.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BC1F4B6F-13AB-4239-8C79-D6DCADC52BAA}\Programmable C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{724E960E-F6FC-43F5-AF3F-98319A1306EF}\ = "IHostDeviceInfos" C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2E121723-EB62-476B-B55C-B14FCE7EACF5}\TypeLib\Version = "1.0" C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E459BB84-7D3A-4FDD-B1E5-969E88F61DB6}\ = "ILicenseLib" C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\BAC95C2C6678DBA48AFE11153AC6145E\SourceList\Net\1 = "C:\\ProgramData\\Package Cache\\{C2C59CAB-8766-4ABD-A8EF-1151A36C41E5}v14.36.32532\\packages\\vcRuntimeAdditional_x86\\" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2E121724-EB62-476B-B55C-B14FCE7EACF5}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{35FCE01E-8917-496E-A509-497C5F2FA365}\ProxyStubClsid32 C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{35FCE01E-8917-496E-A509-497C5F2FA365} C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.vmsn\VMware.Snapshot C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{420F0000-71EB-4757-B979-418F039FC1F9}\Programmable C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{44D04155-1876-4BC0-AA9D-A8616F36C601}\ = "IDiskLib" C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{44D04155-1876-4BC0-AA9D-A8616F36C601} C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\27DD5200959A5B540A3AE7EF1BA50805 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\7978C74FD39220742A831FFE118F1A0B\Networking C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D0F223F1-7DB1-44CA-BED8-3406303FE26F}\TypeLib\Version = "1.0" C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D0F223F1-7DB1-44CA-BED8-3406303FE26F}\ProxyStubClsid32 C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7978C74FD39220742A831FFE118F1A0B\SourceList\Media\10 = ";" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{420F0000-71EB-4757-B979-418F039FC1F9}\ = "ElevMgr Class" C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4548A7B2-5C17-400E-8D62-84DB4D79221F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\60DB5E5629367203C8625813703DFCA1 C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F2E91D5D9817EF24183029DCF14A752C\AdvertiseFlags = "388" C:\Windows\system32\msiexec.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8A567BD6FA501A947AD1F646E53EEC14 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VMware.OVAPackage\shell\Open\command\ = "\"C:\\Program Files (x86)\\VMware\\VMware Player\\vmplayer.exe\" \"%1\"" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\.vmdk C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{724E960E-F6FC-43F5-AF3F-98319A1306EF}\ProxyStubClsid32 C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F9A6DAE7-CF0E-4D39-A914-B054FC37C99F}\TypeLib\ = "{68C57A6A-2F94-4D7A-A1F9-3433C46E6D0F}" C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2E121724-EB62-476B-B55C-B14FCE7EACF5}\TypeLib\Version = "1.0" C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{44D04155-1876-4BC0-AA9D-A8616F36C601}\TypeLib C:\Windows\syswow64\MsiExec.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8A567BD6FA501A947AD1F646E53EEC14\SourceList C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeAdditionalVSU_amd64,v14\Dependents\{8bdfe669-9705-4184-9368-db9ce581e0e7} C:\Windows\Temp\{E8D00CD8-A320-4CCB-94EE-495D94D999EF}\.be\VC_redist.x64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\7978C74FD39220742A831FFE118F1A0B\ParPort = "\x06" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{68C57A6A-2F94-4D7A-A1F9-3433C46E6D0F}\1.0\FLAGS C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Elevated.VMXCreator.1\ = "VMXCreator Class" C:\Windows\syswow64\MsiExec.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Program Files (x86)\Common Files\VMware\USB\vmware-usbarbitrator64.exe N/A
N/A N/A C:\Program Files (x86)\Common Files\VMware\USB\vmware-usbarbitrator64.exe N/A
N/A N/A C:\Program Files (x86)\VMware\VMware Player\vmplayer.exe N/A
N/A N/A C:\Program Files (x86)\VMware\VMware Player\vmplayer.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\VMware\VMware Player\vmplayer.exe N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\System32\MsiExec.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Temp\{040980F8-08CD-4BA2-8388-C5A4988B2D55}\.be\VC_redist.x86.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\Temp\{040980F8-08CD-4BA2-8388-C5A4988B2D55}\.be\VC_redist.x86.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Windows\Temp\{040980F8-08CD-4BA2-8388-C5A4988B2D55}\.be\VC_redist.x86.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\Temp\{040980F8-08CD-4BA2-8388-C5A4988B2D55}\.be\VC_redist.x86.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\Temp\{040980F8-08CD-4BA2-8388-C5A4988B2D55}\.be\VC_redist.x86.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\Temp\{040980F8-08CD-4BA2-8388-C5A4988B2D55}\.be\VC_redist.x86.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Windows\Temp\{040980F8-08CD-4BA2-8388-C5A4988B2D55}\.be\VC_redist.x86.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\Temp\{040980F8-08CD-4BA2-8388-C5A4988B2D55}\.be\VC_redist.x86.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\Temp\{040980F8-08CD-4BA2-8388-C5A4988B2D55}\.be\VC_redist.x86.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\Temp\{040980F8-08CD-4BA2-8388-C5A4988B2D55}\.be\VC_redist.x86.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\Temp\{040980F8-08CD-4BA2-8388-C5A4988B2D55}\.be\VC_redist.x86.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\Temp\{040980F8-08CD-4BA2-8388-C5A4988B2D55}\.be\VC_redist.x86.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\Temp\{040980F8-08CD-4BA2-8388-C5A4988B2D55}\.be\VC_redist.x86.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\Temp\{040980F8-08CD-4BA2-8388-C5A4988B2D55}\.be\VC_redist.x86.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\Temp\{040980F8-08CD-4BA2-8388-C5A4988B2D55}\.be\VC_redist.x86.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Temp\{040980F8-08CD-4BA2-8388-C5A4988B2D55}\.be\VC_redist.x86.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Windows\Temp\{040980F8-08CD-4BA2-8388-C5A4988B2D55}\.be\VC_redist.x86.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\Temp\{040980F8-08CD-4BA2-8388-C5A4988B2D55}\.be\VC_redist.x86.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\Temp\{040980F8-08CD-4BA2-8388-C5A4988B2D55}\.be\VC_redist.x86.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Temp\{040980F8-08CD-4BA2-8388-C5A4988B2D55}\.be\VC_redist.x86.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Temp\{040980F8-08CD-4BA2-8388-C5A4988B2D55}\.be\VC_redist.x86.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\Temp\{040980F8-08CD-4BA2-8388-C5A4988B2D55}\.be\VC_redist.x86.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\Temp\{040980F8-08CD-4BA2-8388-C5A4988B2D55}\.be\VC_redist.x86.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Windows\Temp\{040980F8-08CD-4BA2-8388-C5A4988B2D55}\.be\VC_redist.x86.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\Temp\{040980F8-08CD-4BA2-8388-C5A4988B2D55}\.be\VC_redist.x86.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\Temp\{040980F8-08CD-4BA2-8388-C5A4988B2D55}\.be\VC_redist.x86.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Windows\Temp\{040980F8-08CD-4BA2-8388-C5A4988B2D55}\.be\VC_redist.x86.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Windows\Temp\{040980F8-08CD-4BA2-8388-C5A4988B2D55}\.be\VC_redist.x86.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\Temp\{040980F8-08CD-4BA2-8388-C5A4988B2D55}\.be\VC_redist.x86.exe N/A
Token: SeImpersonatePrivilege N/A C:\Windows\Temp\{040980F8-08CD-4BA2-8388-C5A4988B2D55}\.be\VC_redist.x86.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\Temp\{040980F8-08CD-4BA2-8388-C5A4988B2D55}\.be\VC_redist.x86.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\VMware-player-17.5.2-23775571.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\VMware-player-17.5.2-23775571.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\VMware-player-17.5.2-23775571.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\VMware-player-17.5.2-23775571.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\VMware-player-17.5.2-23775571.exe N/A
N/A N/A C:\Program Files (x86)\VMware\VMware Player\vmplayer.exe N/A
N/A N/A C:\Program Files (x86)\VMware\VMware Player\vmplayer.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\VMware\VMware Player\vmplayer.exe N/A
N/A N/A C:\Program Files (x86)\VMware\VMware Player\vmplayer.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2400 wrote to memory of 3996 N/A C:\Users\Admin\AppData\Local\Temp\VMware-player-17.5.2-23775571.exe C:\Users\Admin\AppData\Local\Temp\{F47C8797-293D-4702-A238-F1EF11F8A1B0}~setup\vcredist_x86.exe
PID 2400 wrote to memory of 3996 N/A C:\Users\Admin\AppData\Local\Temp\VMware-player-17.5.2-23775571.exe C:\Users\Admin\AppData\Local\Temp\{F47C8797-293D-4702-A238-F1EF11F8A1B0}~setup\vcredist_x86.exe
PID 2400 wrote to memory of 3996 N/A C:\Users\Admin\AppData\Local\Temp\VMware-player-17.5.2-23775571.exe C:\Users\Admin\AppData\Local\Temp\{F47C8797-293D-4702-A238-F1EF11F8A1B0}~setup\vcredist_x86.exe
PID 3996 wrote to memory of 2648 N/A C:\Users\Admin\AppData\Local\Temp\{F47C8797-293D-4702-A238-F1EF11F8A1B0}~setup\vcredist_x86.exe C:\Windows\Temp\{52B97F84-1588-4D19-BE38-1998F9E2175C}\.cr\vcredist_x86.exe
PID 3996 wrote to memory of 2648 N/A C:\Users\Admin\AppData\Local\Temp\{F47C8797-293D-4702-A238-F1EF11F8A1B0}~setup\vcredist_x86.exe C:\Windows\Temp\{52B97F84-1588-4D19-BE38-1998F9E2175C}\.cr\vcredist_x86.exe
PID 3996 wrote to memory of 2648 N/A C:\Users\Admin\AppData\Local\Temp\{F47C8797-293D-4702-A238-F1EF11F8A1B0}~setup\vcredist_x86.exe C:\Windows\Temp\{52B97F84-1588-4D19-BE38-1998F9E2175C}\.cr\vcredist_x86.exe
PID 2648 wrote to memory of 1420 N/A C:\Windows\Temp\{52B97F84-1588-4D19-BE38-1998F9E2175C}\.cr\vcredist_x86.exe C:\Windows\Temp\{040980F8-08CD-4BA2-8388-C5A4988B2D55}\.be\VC_redist.x86.exe
PID 2648 wrote to memory of 1420 N/A C:\Windows\Temp\{52B97F84-1588-4D19-BE38-1998F9E2175C}\.cr\vcredist_x86.exe C:\Windows\Temp\{040980F8-08CD-4BA2-8388-C5A4988B2D55}\.be\VC_redist.x86.exe
PID 2648 wrote to memory of 1420 N/A C:\Windows\Temp\{52B97F84-1588-4D19-BE38-1998F9E2175C}\.cr\vcredist_x86.exe C:\Windows\Temp\{040980F8-08CD-4BA2-8388-C5A4988B2D55}\.be\VC_redist.x86.exe
PID 1420 wrote to memory of 2152 N/A C:\Windows\Temp\{040980F8-08CD-4BA2-8388-C5A4988B2D55}\.be\VC_redist.x86.exe C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe
PID 1420 wrote to memory of 2152 N/A C:\Windows\Temp\{040980F8-08CD-4BA2-8388-C5A4988B2D55}\.be\VC_redist.x86.exe C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe
PID 1420 wrote to memory of 2152 N/A C:\Windows\Temp\{040980F8-08CD-4BA2-8388-C5A4988B2D55}\.be\VC_redist.x86.exe C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe
PID 2152 wrote to memory of 1884 N/A C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe
PID 2152 wrote to memory of 1884 N/A C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe
PID 2152 wrote to memory of 1884 N/A C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe
PID 1884 wrote to memory of 4012 N/A C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe
PID 1884 wrote to memory of 4012 N/A C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe
PID 1884 wrote to memory of 4012 N/A C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe
PID 2400 wrote to memory of 3988 N/A C:\Users\Admin\AppData\Local\Temp\VMware-player-17.5.2-23775571.exe C:\Users\Admin\AppData\Local\Temp\{F47C8797-293D-4702-A238-F1EF11F8A1B0}~setup\vcredist_x64.exe
PID 2400 wrote to memory of 3988 N/A C:\Users\Admin\AppData\Local\Temp\VMware-player-17.5.2-23775571.exe C:\Users\Admin\AppData\Local\Temp\{F47C8797-293D-4702-A238-F1EF11F8A1B0}~setup\vcredist_x64.exe
PID 2400 wrote to memory of 3988 N/A C:\Users\Admin\AppData\Local\Temp\VMware-player-17.5.2-23775571.exe C:\Users\Admin\AppData\Local\Temp\{F47C8797-293D-4702-A238-F1EF11F8A1B0}~setup\vcredist_x64.exe
PID 3988 wrote to memory of 1856 N/A C:\Users\Admin\AppData\Local\Temp\{F47C8797-293D-4702-A238-F1EF11F8A1B0}~setup\vcredist_x64.exe C:\Windows\Temp\{A4D93C42-2F99-4C21-A0C5-89E2B351CAE3}\.cr\vcredist_x64.exe
PID 3988 wrote to memory of 1856 N/A C:\Users\Admin\AppData\Local\Temp\{F47C8797-293D-4702-A238-F1EF11F8A1B0}~setup\vcredist_x64.exe C:\Windows\Temp\{A4D93C42-2F99-4C21-A0C5-89E2B351CAE3}\.cr\vcredist_x64.exe
PID 3988 wrote to memory of 1856 N/A C:\Users\Admin\AppData\Local\Temp\{F47C8797-293D-4702-A238-F1EF11F8A1B0}~setup\vcredist_x64.exe C:\Windows\Temp\{A4D93C42-2F99-4C21-A0C5-89E2B351CAE3}\.cr\vcredist_x64.exe
PID 1856 wrote to memory of 5028 N/A C:\Windows\Temp\{A4D93C42-2F99-4C21-A0C5-89E2B351CAE3}\.cr\vcredist_x64.exe C:\Windows\Temp\{E8D00CD8-A320-4CCB-94EE-495D94D999EF}\.be\VC_redist.x64.exe
PID 1856 wrote to memory of 5028 N/A C:\Windows\Temp\{A4D93C42-2F99-4C21-A0C5-89E2B351CAE3}\.cr\vcredist_x64.exe C:\Windows\Temp\{E8D00CD8-A320-4CCB-94EE-495D94D999EF}\.be\VC_redist.x64.exe
PID 1856 wrote to memory of 5028 N/A C:\Windows\Temp\{A4D93C42-2F99-4C21-A0C5-89E2B351CAE3}\.cr\vcredist_x64.exe C:\Windows\Temp\{E8D00CD8-A320-4CCB-94EE-495D94D999EF}\.be\VC_redist.x64.exe
PID 5028 wrote to memory of 1572 N/A C:\Windows\Temp\{E8D00CD8-A320-4CCB-94EE-495D94D999EF}\.be\VC_redist.x64.exe C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe
PID 5028 wrote to memory of 1572 N/A C:\Windows\Temp\{E8D00CD8-A320-4CCB-94EE-495D94D999EF}\.be\VC_redist.x64.exe C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe
PID 5028 wrote to memory of 1572 N/A C:\Windows\Temp\{E8D00CD8-A320-4CCB-94EE-495D94D999EF}\.be\VC_redist.x64.exe C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe
PID 1572 wrote to memory of 3292 N/A C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe
PID 1572 wrote to memory of 3292 N/A C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe
PID 1572 wrote to memory of 3292 N/A C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe
PID 3292 wrote to memory of 4964 N/A C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe
PID 3292 wrote to memory of 4964 N/A C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe
PID 3292 wrote to memory of 4964 N/A C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe
PID 4000 wrote to memory of 4624 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 4000 wrote to memory of 4624 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 4000 wrote to memory of 4624 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 4000 wrote to memory of 112 N/A C:\Windows\system32\msiexec.exe C:\Windows\System32\MsiExec.exe
PID 4000 wrote to memory of 112 N/A C:\Windows\system32\msiexec.exe C:\Windows\System32\MsiExec.exe
PID 4000 wrote to memory of 1572 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 4000 wrote to memory of 1572 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 4000 wrote to memory of 1572 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 4000 wrote to memory of 2912 N/A C:\Windows\system32\msiexec.exe C:\Windows\System32\MsiExec.exe
PID 4000 wrote to memory of 2912 N/A C:\Windows\system32\msiexec.exe C:\Windows\System32\MsiExec.exe
PID 4000 wrote to memory of 3984 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 4000 wrote to memory of 3984 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 4000 wrote to memory of 3984 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 4000 wrote to memory of 2028 N/A C:\Windows\system32\msiexec.exe C:\Windows\System32\MsiExec.exe
PID 4000 wrote to memory of 2028 N/A C:\Windows\system32\msiexec.exe C:\Windows\System32\MsiExec.exe
PID 3984 wrote to memory of 1900 N/A C:\Windows\syswow64\MsiExec.exe C:\Program Files (x86)\Common Files\VMware\USB\DriverCache\vnetlib64.exe
PID 3984 wrote to memory of 1900 N/A C:\Windows\syswow64\MsiExec.exe C:\Program Files (x86)\Common Files\VMware\USB\DriverCache\vnetlib64.exe
PID 3984 wrote to memory of 1420 N/A C:\Windows\syswow64\MsiExec.exe C:\Program Files (x86)\Common Files\VMware\USB\DriverCache\vnetlib64.exe
PID 3984 wrote to memory of 1420 N/A C:\Windows\syswow64\MsiExec.exe C:\Program Files (x86)\Common Files\VMware\USB\DriverCache\vnetlib64.exe
PID 3708 wrote to memory of 3020 N/A C:\Windows\system32\svchost.exe C:\Windows\system32\DrvInst.exe
PID 3708 wrote to memory of 3020 N/A C:\Windows\system32\svchost.exe C:\Windows\system32\DrvInst.exe
PID 3984 wrote to memory of 4196 N/A C:\Windows\syswow64\MsiExec.exe C:\Program Files (x86)\Common Files\VMware\USB\vnetlib64.exe
PID 3984 wrote to memory of 4196 N/A C:\Windows\syswow64\MsiExec.exe C:\Program Files (x86)\Common Files\VMware\USB\vnetlib64.exe
PID 3984 wrote to memory of 3304 N/A C:\Windows\syswow64\MsiExec.exe C:\Program Files (x86)\VMware\VMware Player\vnetlib64.exe
PID 3984 wrote to memory of 3304 N/A C:\Windows\syswow64\MsiExec.exe C:\Program Files (x86)\VMware\VMware Player\vnetlib64.exe
PID 3984 wrote to memory of 3272 N/A C:\Windows\syswow64\MsiExec.exe C:\Program Files (x86)\VMware\VMware Player\vnetlib64.exe
PID 3984 wrote to memory of 3272 N/A C:\Windows\syswow64\MsiExec.exe C:\Program Files (x86)\VMware\VMware Player\vnetlib64.exe
PID 3984 wrote to memory of 4480 N/A C:\Windows\syswow64\MsiExec.exe C:\Program Files (x86)\VMware\VMware Player\vnetlib64.exe
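The list of "wrote to memory of" records above is long because the sandbox logs every write a parent makes into a newly created child, and the WiX Burn bootstrapper used by the VC redistributables relaunches itself several times (clean room, elevated, Package Cache copy). The following is an added example, not part of the sandbox report or of any VMware or WiX tooling: a Python parser that turns such records into a de-duplicated process graph, walks the chain back to the original sample, and separates same-binary relaunches from writes into a different executable, which are the ones a triage analyst should look at first. The SAMPLE string is a constructed subset of the records above; the third field ("N/A") is assumed to be an unrecorded value and is parsed but ignored.

```python
import ntpath
import re
from collections import Counter

# Constructed sample: a subset of the WriteProcessMemory records from the
# report above, copied verbatim (the full list has several dozen lines).
SAMPLE = r"""
PID 2400 wrote to memory of 3988 N/A C:\Users\Admin\AppData\Local\Temp\VMware-player-17.5.2-23775571.exe C:\Users\Admin\AppData\Local\Temp\{F47C8797-293D-4702-A238-F1EF11F8A1B0}~setup\vcredist_x64.exe
PID 3988 wrote to memory of 1856 N/A C:\Users\Admin\AppData\Local\Temp\{F47C8797-293D-4702-A238-F1EF11F8A1B0}~setup\vcredist_x64.exe C:\Windows\Temp\{A4D93C42-2F99-4C21-A0C5-89E2B351CAE3}\.cr\vcredist_x64.exe
PID 1572 wrote to memory of 3292 N/A C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe
PID 1572 wrote to memory of 3292 N/A C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe
PID 4000 wrote to memory of 4624 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 3984 wrote to memory of 1900 N/A C:\Windows\syswow64\MsiExec.exe C:\Program Files (x86)\Common Files\VMware\USB\DriverCache\vnetlib64.exe
PID 3708 wrote to memory of 3020 N/A C:\Windows\system32\svchost.exe C:\Windows\system32\DrvInst.exe
"""

# Record shape: "PID <src> wrote to memory of <dst> <field> <src image> <dst image>".
# The third field is "N/A" in every record on this page (assumed to be an
# unrecorded value); it is matched by \S+ and otherwise ignored.
RECORD = re.compile(r"^PID (\d+) wrote to memory of (\d+) \S+ (.+)$")
# Both images are absolute Windows paths that may contain spaces
# ("Program Files (x86)", "Package Cache"), so the remainder is split at the
# first whitespace that is followed by a drive letter, not at any space.
PATH_BOUNDARY = re.compile(r"\s(?=[A-Za-z]:\\)")


def parse_records(text):
    """Return a list of (src_pid, dst_pid, src_image, dst_image) tuples."""
    records = []
    for line in text.splitlines():
        m = RECORD.match(line.strip())
        if not m:
            continue
        parts = PATH_BOUNDARY.split(m.group(3), maxsplit=1)
        if len(parts) != 2:
            continue  # malformed line: second path not found
        records.append((int(m.group(1)), int(m.group(2)), parts[0], parts[1]))
    return records


def edge_counts(records):
    """Collapse repeated records into one (src_pid, dst_pid) edge with a write count."""
    return Counter((src, dst) for src, dst, _, _ in records)


def lineage(records, pid):
    """Follow writer -> target links back from pid to its earliest known ancestor."""
    parent = {dst: src for src, dst, _, _ in records}
    chain = [pid]
    while chain[-1] in parent and parent[chain[-1]] not in chain:
        chain.append(parent[chain[-1]])
    return chain[::-1]


def cross_image_edges(records):
    """Edges where writer and target are different binaries (by file name).

    Same-name pairs (Burn's clean-room / elevated relaunch, msiexec spawning
    its WoW64 custom-action server) are dropped; what remains is one process
    handing control to a different executable, which is where to look first.
    """
    flagged = {}
    for src, dst, src_img, dst_img in records:
        src_name, dst_name = ntpath.basename(src_img), ntpath.basename(dst_img)
        if src_name.lower() != dst_name.lower():
            flagged[(src, dst)] = (src_name, dst_name)
    return flagged


if __name__ == "__main__":
    recs = parse_records(SAMPLE)
    for (src, dst), n in sorted(edge_counts(recs).items()):
        print(f"{src} -> {dst}  x{n}")
    print("chain to 1856:", lineage(recs, 1856))
    for (src, dst), (a, b) in cross_image_edges(recs).items():
        print(f"cross-image: {src} {a} -> {dst} {b}")
```

On the full list this reduces the records to a handful of distinct edges: the sample spawning each vcredist bootstrapper, the bootstrappers relaunching themselves, msiexec handing off to vnetlib64.exe, and the DeviceInstall svchost starting DrvInst.exe for the INF installs. None of those is an injection into an unrelated process, which is consistent with an installer rather than a loader; the same script applied to a report where the target image is a browser or an LSASS-style system process would surface that immediately.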

Uses Volume Shadow Copy service COM API

ransomware

In this detonation the VSS activity is vssvc.exe being started alongside srtasks.exe ExecuteScopeRestorePoint (see the process list below), which is Windows Installer creating a System Restore point before the MSI runs; that is standard installer behaviour. The "ransomware" tag comes from the signature because the same COM interfaces can enumerate and delete shadow copies, but no shadow copy deletion appears anywhere in this report.

Processes

C:\Users\Admin\AppData\Local\Temp\VMware-player-17.5.2-23775571.exe

"C:\Users\Admin\AppData\Local\Temp\VMware-player-17.5.2-23775571.exe"

C:\Users\Admin\AppData\Local\Temp\{F47C8797-293D-4702-A238-F1EF11F8A1B0}~setup\vcredist_x86.exe

"C:\Users\Admin\AppData\Local\Temp\{F47C8797-293D-4702-A238-F1EF11F8A1B0}~setup\vcredist_x86.exe" /Q /norestart

C:\Windows\Temp\{52B97F84-1588-4D19-BE38-1998F9E2175C}\.cr\vcredist_x86.exe

"C:\Windows\Temp\{52B97F84-1588-4D19-BE38-1998F9E2175C}\.cr\vcredist_x86.exe" -burn.clean.room="C:\Users\Admin\AppData\Local\Temp\{F47C8797-293D-4702-A238-F1EF11F8A1B0}~setup\vcredist_x86.exe" -burn.filehandle.attached=540 -burn.filehandle.self=548 /Q /norestart

C:\Windows\Temp\{040980F8-08CD-4BA2-8388-C5A4988B2D55}\.be\VC_redist.x86.exe

"C:\Windows\Temp\{040980F8-08CD-4BA2-8388-C5A4988B2D55}\.be\VC_redist.x86.exe" -q -burn.elevated BurnPipe.{9A5C5173-A80D-4FFA-942A-4B8396384C00} {6C20D074-B59B-4663-B85B-CC347CC09B32} 2648

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\srtasks.exe

C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe

"C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe" -uninstall -quiet -burn.related.upgrade -burn.ancestors={410c0ee1-00bb-41b6-9772-e12c2828b02f} -burn.filehandle.self=1144 -burn.embedded BurnPipe.{1D2B9CD1-5948-4009-A0B0-CFDE18C5A0CC} {19BEC786-A9AE-4360-8942-ADCC37EF6C9C} 1420

C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe

"C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe" -burn.clean.room="C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe" -burn.filehandle.attached=516 -burn.filehandle.self=536 -uninstall -quiet -burn.related.upgrade -burn.ancestors={410c0ee1-00bb-41b6-9772-e12c2828b02f} -burn.filehandle.self=1144 -burn.embedded BurnPipe.{1D2B9CD1-5948-4009-A0B0-CFDE18C5A0CC} {19BEC786-A9AE-4360-8942-ADCC37EF6C9C} 1420

C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe

"C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe" -q -burn.elevated BurnPipe.{D4355F92-730D-4F16-A428-6844A762B34B} {FF6AC24F-56AD-4628-8E79-10159F2675F3} 1884

C:\Users\Admin\AppData\Local\Temp\{F47C8797-293D-4702-A238-F1EF11F8A1B0}~setup\vcredist_x64.exe

"C:\Users\Admin\AppData\Local\Temp\{F47C8797-293D-4702-A238-F1EF11F8A1B0}~setup\vcredist_x64.exe" /Q /norestart

C:\Windows\Temp\{A4D93C42-2F99-4C21-A0C5-89E2B351CAE3}\.cr\vcredist_x64.exe

"C:\Windows\Temp\{A4D93C42-2F99-4C21-A0C5-89E2B351CAE3}\.cr\vcredist_x64.exe" -burn.clean.room="C:\Users\Admin\AppData\Local\Temp\{F47C8797-293D-4702-A238-F1EF11F8A1B0}~setup\vcredist_x64.exe" -burn.filehandle.attached=544 -burn.filehandle.self=556 /Q /norestart

C:\Windows\Temp\{E8D00CD8-A320-4CCB-94EE-495D94D999EF}\.be\VC_redist.x64.exe

"C:\Windows\Temp\{E8D00CD8-A320-4CCB-94EE-495D94D999EF}\.be\VC_redist.x64.exe" -q -burn.elevated BurnPipe.{0CE161D1-B851-41E9-BBB1-A938848A9774} {03A0AF37-8F23-4574-A273-74A9AA806AFD} 1856

C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe

"C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe" -uninstall -quiet -burn.related.upgrade -burn.ancestors={8bdfe669-9705-4184-9368-db9ce581e0e7} -burn.filehandle.self=1128 -burn.embedded BurnPipe.{DE87A203-4DDA-4C6D-A93C-9E374FDE6681} {7F076D1C-CFB7-49C1-9040-82CC596AC296} 5028

C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe

"C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe" -burn.clean.room="C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe" -burn.filehandle.attached=516 -burn.filehandle.self=536 -uninstall -quiet -burn.related.upgrade -burn.ancestors={8bdfe669-9705-4184-9368-db9ce581e0e7} -burn.filehandle.self=1128 -burn.embedded BurnPipe.{DE87A203-4DDA-4C6D-A93C-9E374FDE6681} {7F076D1C-CFB7-49C1-9040-82CC596AC296} 5028

C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe

"C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe" -q -burn.elevated BurnPipe.{9B454164-A3E2-48F1-9BF2-52DFC0B34441} {4C66DC50-81B4-4996-BF3A-1DFB9D7FFBD6} 3292

C:\Windows\system32\taskmgr.exe

"C:\Windows\system32\taskmgr.exe" /4

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding 5E5643F0707694DDD35E1A8CD0EC198D C

C:\Windows\System32\MsiExec.exe

C:\Windows\System32\MsiExec.exe -Embedding 788F6EB4D6EA30599FE0B212D689D8FA C

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding 8605B1E84BF1FB5E7B0FF1031604CF18

C:\Windows\System32\MsiExec.exe

C:\Windows\System32\MsiExec.exe -Embedding B99A1964BBF8D7559CBA8DA3C6D82971

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding 8DC5AB95264739AFAEFE181381D0FE16 E Global\MSI0000

C:\Windows\System32\MsiExec.exe

C:\Windows\System32\MsiExec.exe -Embedding B7ECE69D9FF99AE2CBEB112607DDC7E8 E Global\MSI0000

C:\Program Files (x86)\Common Files\VMware\USB\DriverCache\vnetlib64.exe

"C:\Program Files (x86)\Common Files\VMware\USB\DriverCache\vnetlib64.exe" -- uninstall usb

C:\Program Files (x86)\Common Files\VMware\USB\DriverCache\vnetlib64.exe

"C:\Program Files (x86)\Common Files\VMware\USB\DriverCache\vnetlib64.exe" -- install vmusb Win8

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k DcomLaunch -p -s DeviceInstall

C:\Windows\system32\DrvInst.exe

DrvInst.exe "4" "1" "C:\Program Files\Common Files\VMware\Drivers\vmusb\Win8\vmusb.inf" "9" "454492f13" "0000000000000148" "WinSta0\Default" "0000000000000158" "208" "C:\Program Files\Common Files\VMware\Drivers\vmusb\Win8"

C:\Program Files (x86)\Common Files\VMware\USB\vnetlib64.exe

"C:\Program Files (x86)\Common Files\VMware\USB\vnetlib64.exe" -- install hcmoninf 5;Win7

C:\Program Files (x86)\VMware\VMware Player\vnetlib64.exe

"C:\Program Files (x86)\VMware\VMware Player\vnetlib64.exe" -- remove adapter vmnet0

C:\Program Files (x86)\VMware\VMware Player\vnetlib64.exe

"C:\Program Files (x86)\VMware\VMware Player\vnetlib64.exe" -- remove adapter vmnet1

C:\Program Files (x86)\VMware\VMware Player\vnetlib64.exe

"C:\Program Files (x86)\VMware\VMware Player\vnetlib64.exe" -- remove adapter vmnet2

C:\Program Files (x86)\VMware\VMware Player\vnetlib64.exe

"C:\Program Files (x86)\VMware\VMware Player\vnetlib64.exe" -- remove adapter vmnet3

C:\Program Files (x86)\VMware\VMware Player\vnetlib64.exe

"C:\Program Files (x86)\VMware\VMware Player\vnetlib64.exe" -- remove adapter vmnet4

C:\Program Files (x86)\VMware\VMware Player\vnetlib64.exe

"C:\Program Files (x86)\VMware\VMware Player\vnetlib64.exe" -- remove adapter vmnet5

C:\Program Files (x86)\VMware\VMware Player\vnetlib64.exe

"C:\Program Files (x86)\VMware\VMware Player\vnetlib64.exe" -- remove adapter vmnet6

C:\Program Files (x86)\VMware\VMware Player\vnetlib64.exe

"C:\Program Files (x86)\VMware\VMware Player\vnetlib64.exe" -- remove adapter vmnet7

C:\Program Files (x86)\VMware\VMware Player\vnetlib64.exe

"C:\Program Files (x86)\VMware\VMware Player\vnetlib64.exe" -- remove adapter vmnet8

C:\Program Files (x86)\VMware\VMware Player\vnetlib64.exe

"C:\Program Files (x86)\VMware\VMware Player\vnetlib64.exe" -- remove adapter vmnet9

C:\Program Files (x86)\VMware\VMware Player\vnetlib64.exe

"C:\Program Files (x86)\VMware\VMware Player\vnetlib64.exe" -- remove adapter vmnet10

C:\Program Files (x86)\VMware\VMware Player\vnetlib64.exe

"C:\Program Files (x86)\VMware\VMware Player\vnetlib64.exe" -- remove adapter vmnet11

C:\Program Files (x86)\VMware\VMware Player\vnetlib64.exe

"C:\Program Files (x86)\VMware\VMware Player\vnetlib64.exe" -- remove adapter vmnet12

C:\Program Files (x86)\VMware\VMware Player\vnetlib64.exe

"C:\Program Files (x86)\VMware\VMware Player\vnetlib64.exe" -- remove adapter vmnet13

C:\Program Files (x86)\VMware\VMware Player\vnetlib64.exe

"C:\Program Files (x86)\VMware\VMware Player\vnetlib64.exe" -- remove adapter vmnet14

C:\Program Files (x86)\VMware\VMware Player\vnetlib64.exe

"C:\Program Files (x86)\VMware\VMware Player\vnetlib64.exe" -- remove adapter vmnet15

C:\Program Files (x86)\VMware\VMware Player\vnetlib64.exe

"C:\Program Files (x86)\VMware\VMware Player\vnetlib64.exe" -- remove adapter vmnet16

C:\Program Files (x86)\VMware\VMware Player\vnetlib64.exe

"C:\Program Files (x86)\VMware\VMware Player\vnetlib64.exe" -- remove adapter vmnet17

C:\Program Files (x86)\VMware\VMware Player\vnetlib64.exe

"C:\Program Files (x86)\VMware\VMware Player\vnetlib64.exe" -- remove adapter vmnet18

C:\Program Files (x86)\VMware\VMware Player\vnetlib64.exe

"C:\Program Files (x86)\VMware\VMware Player\vnetlib64.exe" -- remove adapter vmnet19

C:\Program Files (x86)\VMware\VMware Player\vnetlib64.exe

"C:\Program Files (x86)\VMware\VMware Player\vnetlib64.exe" -- uninstall bridge

C:\Program Files (x86)\VMware\VMware Player\vnetlib64.exe

"C:\Program Files (x86)\VMware\VMware Player\vnetlib64.exe" -- uninstall userif 5;None

C:\Program Files (x86)\VMware\VMware Player\vnetlib64.exe

"C:\Program Files (x86)\VMware\VMware Player\vnetlib64.exe" -- install bridge

C:\Windows\system32\DrvInst.exe

DrvInst.exe "4" "1" "C:\Program Files (x86)\VMware\VMware Player\netbridge.inf" "9" "4f3176507" "0000000000000148" "WinSta0\Default" "0000000000000144" "208" "C:\Program Files (x86)\VMware\VMware Player"

C:\Program Files (x86)\VMware\VMware Player\vnetlib64.exe

"C:\Program Files (x86)\VMware\VMware Player\vnetlib64.exe" -- install userif 5;None

C:\Program Files (x86)\VMware\VMware Player\vnetlib64.exe

"C:\Program Files (x86)\VMware\VMware Player\vnetlib64.exe" -- add adapter vmnet1

C:\Windows\system32\DrvInst.exe

DrvInst.exe "4" "1" "C:\Program Files (x86)\VMware\VMware Player\netadapter.inf" "9" "4a5017fd3" "000000000000017C" "WinSta0\Default" "0000000000000180" "208" "C:\Program Files (x86)\VMware\VMware Player"

C:\Windows\system32\DrvInst.exe

DrvInst.exe "2" "211" "ROOT\VMWARE\0000" "C:\Windows\INF\oem5.inf" "oem5.inf:fc9f1aa2477c2bb3:VMnetAdapter1.Install:14.0.0.8:*vmnetadapter1," "4cbdd083b" "000000000000017C"

\??\c:\windows\system32\NetCfgNotifyObjectHost.exe

c:\windows\system32\NetCfgNotifyObjectHost.exe {DD85BC8D-7FB6-4F72-A691-5B1A121EC2A4} 536

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s Netman

\??\c:\windows\system32\NetCfgNotifyObjectHost.exe

c:\windows\system32\NetCfgNotifyObjectHost.exe {02162219-0FF9-421B-B6BD-AD499D9AF3DA} 504

C:\Program Files (x86)\VMware\VMware Player\vnetlib64.exe

"C:\Program Files (x86)\VMware\VMware Player\vnetlib64.exe" -- add adapter vmnet8

C:\Windows\system32\DrvInst.exe

DrvInst.exe "2" "211" "ROOT\VMWARE\0001" "C:\Windows\INF\oem5.inf" "oem5.inf:fc9f1aa2df34f6ba:VMnetAdapter8.Install:14.0.0.8:*vmnetadapter8," "47eb20b4f" "000000000000017C"

\??\c:\windows\system32\NetCfgNotifyObjectHost.exe

c:\windows\system32\NetCfgNotifyObjectHost.exe {EC402F51-EC3D-4F48-B7DA-9198B5861FCC} 464

\??\c:\windows\system32\NetCfgNotifyObjectHost.exe

c:\windows\system32\NetCfgNotifyObjectHost.exe {38E743A8-3B20-4C9A-B93A-2EE59FCAE462} 644

C:\Program Files (x86)\VMware\VMware Player\vnetlib64.exe

"C:\Program Files (x86)\VMware\VMware Player\vnetlib64.exe" -- install vmx86inf 5;Win8

C:\Windows\system32\DrvInst.exe

DrvInst.exe "4" "1" "C:\Program Files\Common Files\VMware\Drivers\vmci\device\Win8\vmci.inf" "9" "4d941d7e3" "000000000000017C" "WinSta0\Default" "0000000000000144" "208" "C:\Program Files\Common Files\VMware\Drivers\vmci\device\Win8"

C:\Windows\system32\DrvInst.exe

DrvInst.exe "2" "211" "ROOT\VMWVMCIHOSTDEV\0000" "C:\Windows\INF\oem6.inf" "oem6.inf:9c00c72d390d9e8f:vmci.install.x64:9.8.18.0:root\vmwvmcihostdev," "42936a687" "000000000000017C"

C:\Program Files (x86)\Common Files\VMware\USB\vmware-usbarbitrator64.exe

"C:\Program Files (x86)\Common Files\VMware\USB\vmware-usbarbitrator64.exe"

C:\Program Files (x86)\VMware\VMware Player\vmplayer.exe

"C:\Program Files (x86)\VMware\VMware Player\vmplayer.exe"

C:\Windows\SysWOW64\DllHost.exe

C:\Windows\SysWOW64\DllHost.exe /Processid:{13B6B196-AD7B-4C7F-9BDC-B1CB2EE86552}

Network

Country Destination Domain Proto
US 52.111.229.48:443 tcp
N/A 192.168.137.1:0 icmp
US 8.8.8.8:53 cxcs.microsoft.net udp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 9.6.5.3.8.a.f.b.7.2.7.7.1.f.c.8.0.0.0.0.0.0.0.0.0.0.0.0.0.8.e.f.ip6.arpa udp
N/A 192.168.159.1:0 icmp
US 8.8.8.8:53 f.6.c.2.7.9.f.5.1.e.a.0.2.e.d.4.0.0.0.0.0.0.0.0.0.0.0.0.0.8.e.f.ip6.arpa udp
N/A 255.255.255.255:67 udp
US 8.8.8.8:53 105.53.254.169.in-addr.arpa udp
US 8.8.8.8:53 255.255.254.169.in-addr.arpa udp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 111.44.254.169.in-addr.arpa udp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 softwareupdate.vmware.com udp
N/A 127.0.0.1:64657 tcp
N/A 127.0.0.1:64678 tcp
US 8.8.8.8:53 vcsa.vmware.com udp

Files

C:\Users\Admin\AppData\Local\Temp\{F47C8797-293D-4702-A238-F1EF11F8A1B0}~setup\vcredist_x86.exe

MD5 ae427c1329c3b211a6d09f8d9506eb74
SHA1 c9b5b7969e499a4fd9e580ef4187322778e1936a
SHA256 5365a927487945ecb040e143ea770adbb296074ece4021b1d14213bde538c490
SHA512 ec70786704ead0494fab8f7a9f46554feaca45c79b831c5963ecc20243fa0f31053b6e0ceb450f86c16e67e739c4be53ad202c2397c8541365b7252904169b41

C:\Windows\Temp\{52B97F84-1588-4D19-BE38-1998F9E2175C}\.cr\vcredist_x86.exe

MD5 415e8d504ea08ee2d8515fe87b820910
SHA1 e90f591c730bd39b8343ca3689b2c0ee85aaea5f
SHA256 e0e642106c94fd585782b75d1f942872d2bf99d870bed4216e5001e4ba3374c0
SHA512 e51f185c0e9d3eb4950a4c615285c6610a4977a696ed9f3297a551835097b2122566122231437002c82e2c5cf72a7a8f67362bff16b24c0abe05fe35dddbf6a1

C:\Windows\Temp\{040980F8-08CD-4BA2-8388-C5A4988B2D55}\.ba\wixstdba.dll

MD5 eab9caf4277829abdf6223ec1efa0edd
SHA1 74862ecf349a9bedd32699f2a7a4e00b4727543d
SHA256 a4efbdb2ce55788ffe92a244cb775efd475526ef5b61ad78de2bcdfaddac7041
SHA512 45b15ade68e0a90ea7300aeb6dca9bc9e347a63dba5ce72a635957564d1bdf0b1584a5e34191916498850fc7b3b7ecfbcbfcb246b39dbf59d47f66bc825c6fd2

C:\Windows\Temp\{040980F8-08CD-4BA2-8388-C5A4988B2D55}\.ba\logo.png

MD5 d6bd210f227442b3362493d046cea233
SHA1 ff286ac8370fc655aea0ef35e9cf0bfcb6d698de
SHA256 335a256d4779ec5dcf283d007fb56fd8211bbcaf47dcd70fe60ded6a112744ef
SHA512 464aaab9e08de610ad34b97d4076e92dc04c2cdc6669f60bfc50f0f9ce5d71c31b8943bd84cee1a04fb9ab5bbed3442bd41d9cb21a0dd170ea97c463e1ce2b5b

C:\Windows\Temp\{040980F8-08CD-4BA2-8388-C5A4988B2D55}\vcRuntimeMinimum_x86

MD5 7c87329a66d4c22f03acea4e817971f9
SHA1 12a2134fa09fd7df026ffc20bfe58a7d30d6ae73
SHA256 c78bc45113d0270c2154930761c3b74db714987a16c0fbe5e7a05fa3a853d0c8
SHA512 73f11aa3f9b3dbfba157a0d47dc61ff2a22509b61339882a9c2cee53ee335b18820700d7a413b81b426e71c83443f0d99bea8b3638b8b87ee9a42f01f404f955

C:\Windows\Temp\{040980F8-08CD-4BA2-8388-C5A4988B2D55}\cab54A5CABBE7274D8A22EB58060AAB7623

MD5 f706d550cf905648ccb55b47e1364022
SHA1 3c382bfe0c4c14c1ed6cbe88d6a69ad6be28a08f
SHA256 7be2d324f0cb063be8335982096f17ed4f08a7592130e04459ae818824016589
SHA512 3c946d88447504c94227fec259bbeed7ef458a0740c12345e425821644f8e0d9358b68582a1f6e1b74597b5dfd2976f328b706a72df30e3c76c899cd435a349a

C:\Windows\Temp\{040980F8-08CD-4BA2-8388-C5A4988B2D55}\vcRuntimeAdditional_x86

MD5 df1b1ee46deb824a89f18e228f8a4a41
SHA1 001d86480ce0a9e1b2fed8c48296bb3384dad793
SHA256 ff8884498c3174b7d2bd35bd1a43d75d3538dca2c0821ca5876fa45eb2c8a47f
SHA512 6587452fa6ebef2eac6634cd3c6d8629cdcd9f214a5a13cfbebfd232318a3a5d3cd5d3c9baa721270f5283d3127d36475d40071132ba063bdda49bc48cc21fab

C:\Windows\Temp\{040980F8-08CD-4BA2-8388-C5A4988B2D55}\cabB3E1576D1FEFBB979E13B1A5379E0B16

MD5 d141d64b6a3287548847abf5b4c1bc7e
SHA1 a161b984bb24d135353701e445a6a0babc5d25b3
SHA256 e38280421473e79ebaaa8398d86974fc7100cc8ec1c3273fb9bfe4f672c918a6
SHA512 282f64d928e19cf107b19ad39da1150045b60efb9ad599d827f9dde5f20a5bb499ea5996464a1f2ac79c21ec9af9307a363072f172f92c6669ea00c0ec48753f

C:\Users\Admin\AppData\Local\Temp\dd_vcredist_x86_20240611164952_000_vcRuntimeMinimum_x86.log

MD5 2ae81ef4f4d5973203ec75b9249e617f
SHA1 36d7dbafd220ec1d8bbbf86cacd542384af8eeac
SHA256 d51db041e8972de007934d91fcc8fd0d78b3a8b4c968339a7011846ba2278fcc
SHA512 64bd28235d9e5bd094e6ae2e1de32cf64d2225a2789277fbb9dd5ef06a31685a3f637fd5d8a51c323ddc6fe962d937f1bc11f171e7d1c7d2b94033b6d94b7714

C:\Config.Msi\e582626.rbs

MD5 1677e97d624fea6ac1797490445333b8
SHA1 87d05483db1fbc66f52cbea8a9beb6e12334b83e
SHA256 990cd90c3fa5eac22add530eadd16bf3bc3fc48ee5f38b446a31b17390721e3d
SHA512 92c02a6f15c10632fbfaa2c81f9ce924de2ca695814871932473819c073a9fec77dcd4af8b306354758905cf3c51daba0d17e56394a8ee8e26fd1291080dcc1d

C:\Config.Msi\e58262b.rbs

MD5 28fdf15e8c81872e816ad21d087f76f2
SHA1 dcb1ce2a1f18c20afb07d981f94813e1e0ca5d65
SHA256 d84ed1beb3297fd5e2dee5f6d888998d96c8354ade0d571918c66ad3932647d0
SHA512 2865c986f99218762462b257e758d3b8edb6d2c7761b85fcafe0877e7bda606592e60d5c944ba860f77c7659396ea39c2d4819b318c59429757ba9e6409365c3

C:\Users\Admin\AppData\Local\Temp\dd_vcredist_x86_20240611164952_001_vcRuntimeAdditional_x86.log

MD5 fe4648f5f83f7f905498dec97e34fb72
SHA1 daed5e7a56d9d111f4afd21df0fbbc9513e19cf8
SHA256 37bde36672df59e9fe876bbe9da2b639adecc65b8fb6cd7e5d3d6851de9df66b
SHA512 05df13988f7838f8579239028f0b326f0e5dd645972e506c9189adf1ed20ee25408c87b1b2ffcfe30faf8c1599a567f8751cc8284df04605717a90f09d68d294

C:\Config.Msi\e582638.rbs

MD5 5eb2d156efe848dcaeb7ad05d6c70216
SHA1 a6d3a2aae83f68724eab5af0f9711ab943f54385
SHA256 8cb1d74b780a8e269c5f5f53b8423cd163ac8f23f38cda5154af8d19d0673099
SHA512 f8e39949f7e644a030fbdf6bc020d83feb99cab0130f7c318fb1b8e7ea3bf7410561be0604707f046df1736464231ba7a7a6451e7b2b2bfc38d8a438d5d42f57

C:\Config.Msi\e582647.rbs

MD5 df2d58b313b430c810f30b97e3b37df3
SHA1 b3a7e48890fae556c39edb08d33913116ffe5f47
SHA256 80dde3320860797d4c390083500056af1df521b17fcd5b6febbc7b819dc87f07
SHA512 3ec0ba154338d5983da741c1477a1e67925726619eaf7f1e4c7161069081d6bcc149a4e0b9b8c977bad309ed46cb5634ec3204d8b917b427aaaacdfe9fd9f3fe

memory/4012-203-0x0000000000070000-0x00000000000E7000-memory.dmp

memory/1884-240-0x0000000000070000-0x00000000000E7000-memory.dmp

memory/2152-241-0x0000000000070000-0x00000000000E7000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\{F47C8797-293D-4702-A238-F1EF11F8A1B0}~setup\vcredist_x64.exe

MD5 077f0abdc2a3881d5c6c774af821f787
SHA1 c483f66c48ba83e99c764d957729789317b09c6b
SHA256 917c37d816488545b70affd77d6e486e4dd27e2ece63f6bbaaf486b178b2b888
SHA512 70a888d5891efd2a48d33c22f35e9178bd113032162dc5a170e7c56f2d592e3c59a08904b9f1b54450c80f8863bda746e431b396e4c1624b91ff15dd701bd939

C:\Windows\Temp\{A4D93C42-2F99-4C21-A0C5-89E2B351CAE3}\.cr\vcredist_x64.exe

MD5 35e545dac78234e4040a99cbb53000ac
SHA1 ae674cc167601bd94e12d7ae190156e2c8913dc5
SHA256 9a6c005e1a71e11617f87ede695af32baac8a2056f11031941df18b23c4eeba6
SHA512 bd984c20f59674d1c54ca19785f54f937f89661014573c5966e5f196f776ae38f1fc9a7f3b68c5bc9bf0784adc5c381f8083f2aecdef620965aeda9ecba504f3

C:\Windows\Temp\{E8D00CD8-A320-4CCB-94EE-495D94D999EF}\.ba\license.rtf

MD5 04b33f0a9081c10e85d0e495a1294f83
SHA1 1efe2fb2d014a731b752672745f9ffecdd716412
SHA256 8099dc3cf9502c335da829e5c755948a12e3e6de490eb492a99deb673d883d8b
SHA512 d1dbed00df921169dd61501e2a3e95e6d7807348b188be9dd8fc63423501e4d848ece19ac466c3cacfccc6084e0eb2f457dc957990f6f511df10fd426e432685

C:\Windows\Temp\{E8D00CD8-A320-4CCB-94EE-495D94D999EF}\.ba\thm.wxl

MD5 fbfcbc4dacc566a3c426f43ce10907b6
SHA1 63c45f9a771161740e100faf710f30eed017d723
SHA256 70400f181d00e1769774ff36bcd8b1ab5fbc431418067d31b876d18cc04ef4ce
SHA512 063fb6685ee8d2fa57863a74d66a83c819fe848ba3072b6e7d1b4fe397a9b24a1037183bb2fda776033c0936be83888a6456aae947e240521e2ab75d984ee35e

C:\Windows\Temp\{E8D00CD8-A320-4CCB-94EE-495D94D999EF}\.ba\thm.xml

MD5 f62729c6d2540015e072514226c121c7
SHA1 c1e189d693f41ac2eafcc363f7890fc0fea6979c
SHA256 f13bae0ec08c91b4a315bb2d86ee48fade597e7a5440dce6f751f98a3a4d6916
SHA512 cbbfbfa7e013a2b85b78d71d32fdf65323534816978e7544ca6cea5286a0f6e8e7e5ffc4c538200211f11b94373d5658732d5d8aa1d01f9ccfdbf20f154f1471

C:\ProgramData\Package Cache\{410c0ee1-00bb-41b6-9772-e12c2828b02f}\state.rsm

MD5 bda9df9362133b54074006bb0d7453e1
SHA1 9abc42c49ae0c13737c7cc335a72830113664988
SHA256 49d4fff53192a6fb860753da047fbb8fdca227c2e061c46de8a0c8fa22102226
SHA512 40f89e2b6fa0b4b38e1a7164eb57350d08bc94e7f2ca00c74441f98957155d1cf40a3ef1d9f6ad6380196247f1fb62da3f1d3f7beac767f5c72e03e0a0df8512

C:\Windows\Temp\{E8D00CD8-A320-4CCB-94EE-495D94D999EF}\vcRuntimeMinimum_x64

MD5 a4075b745d8e506c48581c4a99ec78aa
SHA1 389e8b1dbeebdff749834b63ae06644c30feac84
SHA256 ee130110a29393dcbc7be1f26106d68b629afd2544b91e6caf3a50069a979b93
SHA512 0b980f397972bfc55e30c06e6e98e07b474e963832b76cdb48717e6772d0348f99c79d91ea0b4944fe0181ad5d6701d9527e2ee62c14123f1f232c1da977cada

C:\Windows\Temp\{E8D00CD8-A320-4CCB-94EE-495D94D999EF}\cab5046A8AB272BF37297BB7928664C9503

MD5 c2df6cb9082ac285f6acfe56e3a4430a
SHA1 591e03bf436d448296798a4d80f6a39a00502595
SHA256 b8b4732a600b741e824ab749321e029a07390aa730ec59401964b38105d5fa11
SHA512 9f21b621fc871dd72de0c518174d1cbe41c8c93527269c3765b65edee870a8945ecc2700d49f5da8f6fab0aa3e4c2db422b505ffcbcb2c5a1ddf4b9cec0e8e13

C:\Windows\Temp\{E8D00CD8-A320-4CCB-94EE-495D94D999EF}\vcRuntimeAdditional_x64

MD5 dd070483eda0af71a2e52b65867d7f5d
SHA1 2b182fc81d19ae8808e5b37d8e19c4dafeec8106
SHA256 1c450cacdbf38527c27eb2107a674cd9da30aaf93a36be3c5729293f6f586e07
SHA512 69e16ee172d923173e874b12037629201017698997e8ae7a6696aab1ad3222ae2359f90dea73a7487ca9ff6b7c01dc6c4c98b0153b6f1ada8b59d2cec029ec1a

C:\Windows\Temp\{E8D00CD8-A320-4CCB-94EE-495D94D999EF}\cab2C04DDC374BD96EB5C8EB8208F2C7C92

MD5 46efc5476e6d948067b9ba2e822fd300
SHA1 d17c2bf232f308e53544b2a773e646d4b35e3171
SHA256 2de285c0fc328d30501cad8aa66a0ca9556ad5e30d03b198ebdbc422347db138
SHA512 58c9b43b0f93da00166f53fda324fcf78fb1696411e3c453b66e72143e774f68d377a0368b586fb3f3133db7775eb9ab7e109f89bb3c5e21ddd0b13eaa7bd64c

C:\Users\Admin\AppData\Local\Temp\dd_vcredist_amd64_20240611165009_000_vcRuntimeMinimum_x64.log

MD5 7ade859c521eab0c8f9c0ee382e3ba9f
SHA1 db3e153dc634f5e8d077dee888e48fc08864311b
SHA256 4a4faced3eb64b034a69f50a1491c24224468e2360bd866fbbe44a6fda6aedc9
SHA512 13d43dee5fffeb70a11216e207bb70ba1bb1b4680ccfdd16c40ba5a785e74abb38731f266975ce9af7d4dda9050ff4d05710eeffc026fe238a945b7ee76b58ae

C:\Config.Msi\e58264e.rbs

MD5 5aa505447df5f3180d9712b32e339733
SHA1 e64c9882d7185d3fb4329532fa24c01d6e17a9ba
SHA256 83b3a3238b6a8b4462bb3c7f45d61937e3329db0852f35cb3960ab89f804351e
SHA512 83bda356c606d8cbec4a685d9ac1eb9bcbc3287e5ccdcc6279cb416d839f8470e2848520d98b14ae8c6d88129c11dbcb7f8c9af4a8b5068b0a1a86c0742a2e67

C:\Config.Msi\e58265a.rbs

MD5 399169331c1ea2884c54177c60041ae9
SHA1 6bced54a0143a4affa3d11a0787a70b6d1387e1d
SHA256 35129f5723378dfc00fcff8805737dd24e3e325d3834656f2c0c29ead05e370b
SHA512 565cf674bc6e9296fabbbb3917843fb6f6ea620bfd0f7bc333936a7b76a60c54f9e8efb44d7017a3e197d1278f0f47982efce0bdb282c753b629c6c997778def

C:\Users\Admin\AppData\Local\Temp\dd_vcredist_amd64_20240611165009_001_vcRuntimeAdditional_x64.log

MD5 5e6f9e70dfee75f00822cd76e56a1d2e
SHA1 9067c14db5cec2331b5a439f3fc95704b076f506
SHA256 e659b363a00a132494ac76a28d5520ee4def26bde6798486fe9279232c03bf7e
SHA512 982e705ede3eb8a797ccba9450b34b8835647023f51780fd81d26f58c0f14933377e86ec6541c066cc2ff1cd3f35c8d789780b9d85fb57a1324684c412d107fd

C:\Config.Msi\e582661.rbs

MD5 875e28f8a8f8516f275e564959665c43
SHA1 bfb356464841106bfbea8f30d085c8b0ac165ac6
SHA256 0456cac6043f2b27aa17def424398720f4bdb86333f85ef1fc35c9e5f2a93b6a
SHA512 fdf48c92f3e36606470a81c35058bb345723b527924daae75c1ab5ddcae799d272d68c4b2ea61f88444238ddfcd70db79aeeebf10f18ecba52ba1b4fdc285a26

C:\Config.Msi\e582670.rbs

MD5 74edd615e2097c3576251c86aff51221
SHA1 ccd2078ce781ac2dd3fe73efe0768937ca746c34
SHA256 aaffa11e4bd8571189b162095eb92d94a83e61a36983d9ac1fbe88af9a9cb34f
SHA512 2c8e668572a89cbe0550b4a2a1dd77712322b863b1f420a8991d872b07d45f06a57a7e62f70efcf8dbc6c52677443609d59d7ba551ca216b11554c644f277b4c

memory/4964-482-0x00000000006D0000-0x0000000000747000-memory.dmp

memory/3292-519-0x00000000006D0000-0x0000000000747000-memory.dmp

memory/1572-520-0x00000000006D0000-0x0000000000747000-memory.dmp

memory/2264-564-0x0000021394620000-0x0000021394621000-memory.dmp

memory/2264-563-0x0000021394620000-0x0000021394621000-memory.dmp

memory/2264-562-0x0000021394620000-0x0000021394621000-memory.dmp

memory/2264-574-0x0000021394620000-0x0000021394621000-memory.dmp

memory/2264-573-0x0000021394620000-0x0000021394621000-memory.dmp

memory/2264-572-0x0000021394620000-0x0000021394621000-memory.dmp

memory/2264-571-0x0000021394620000-0x0000021394621000-memory.dmp

memory/2264-570-0x0000021394620000-0x0000021394621000-memory.dmp

memory/2264-569-0x0000021394620000-0x0000021394621000-memory.dmp

memory/2264-568-0x0000021394620000-0x0000021394621000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\MSIA301.tmp

MD5 9e57e7ac2f0df06640c04936b787fa98
SHA1 9bb72b1fec9892a1e8027ad0f3009557a986d416
SHA256 5da4d187effdb2b88ec677b4f7620fd3be9ca0959dd5c37a641d18f19f908d58
SHA512 e39314dc2c3c39c18e58874a321ad4980a012be11a80e44bd76a2f7c2017b1f03b4e5d893a842c1c64cae74ec18d459fdc983b457e67e550813b7cd544db4cf8

C:\Users\Admin\AppData\Local\Temp\vminst.log

MD5 2474d3c409d60a137cd8b964d0bb70f9
SHA1 45f08256e823e9bc9c3448406f40981bf0410875
SHA256 45e672a7ea25003fbee702915f9000cee415e2f3a785c1678093d8c727e65ef4
SHA512 5a59dbb3cf4974945db036192af8b0f42fbea1a139de5fb911329bd046b98ca4cc7753e15a89dc716d47923d2fc1b652b2ee806d0e3dbd4e3552ad355b110e88

C:\Users\Admin\AppData\Local\Temp\MSIBC09.tmp

MD5 fe69218ffef65a7c15aa4b59b295d6df
SHA1 6bb8d7fd4d9437e13635c7abd88d92d53797f7df
SHA256 8a421e5813d2afa810727cb54000e5bb5edac793310c4a90ab5146d56911b445
SHA512 da5747cc949aa4ce776af94d959452b8ea892b70624baa55de0d1410879dfc5153655cd6a82aaf7423f0ebd8ddcbabda58f480cdebeb1befc54db5d9110c95c1

C:\Users\Admin\AppData\Local\Temp\vminst.log

MD5 b4e6da491b947f031c674e43822f4d92
SHA1 1c35e1ec9d688ff55b47aac4b3feee5a8df8e223
SHA256 daad78bbe41c37eadbc94f2ac132ed40e7515a529941e793906dfb1ec1078255
SHA512 ec91f539322fbc6b580639a7c37450b08bbc8dd82c1390e66ac088ba16e8b94d85dc285f149373a9e67697c6537c2bb239469519e435de6748f95777a41d0f22

C:\Users\Admin\AppData\Local\Temp\vminst.log

MD5 1e0b07e33eda5ea58dcbb06ab4ecfc81
SHA1 8ee27ce1dbd8fdf9482ceeb8dab505bc851d245c
SHA256 448d28e73e74c30773b0c60439c167a3f90fb3802c213a394afa4440a0bf5b87
SHA512 672ffe70136f5713d26090b56649e8fb3f097bec5bc32dec352ad9f7ccfac4027ea5b3295ecf7c6a90311686a26ef59ad1b53f361a97e3607a9e1084a3a0e800

C:\Users\Admin\AppData\Local\Temp\vmmsi.log

MD5 56cc696614b836c6e0e6453c74b727e4
SHA1 0e3d9b2b2db607301dcbff0698566e853e05fe04
SHA256 5e0bdc2cd9e070072db31cee92625c34f57866eb0db5ea27ecf02aedc8927531
SHA512 7d4a9b1866617df153925c7c0c7c7aeefaf997244eb83b2241c16b06a2d9f5e0b2ad871c539814d4107728636c579ecaa39ef5d35a1e2784cbf4dbc8082f0d5a

C:\Users\Admin\AppData\Local\Temp\vminst.log

MD5 61fdb8f8121fd8b2eef446f1b76c9d3a
SHA1 b38a0e43b5eeb849e1c765e27cc71396fe825249
SHA256 8ff790aa95917c573f29b916abccd4a02473edd44dff6be38c87741f20cf381b
SHA512 dccaf55a6c8f8e71450b94dab0b151da05cd7c65f3fa2a71f689d95574bb1dc57bcafc98b73c78568e43ff3a44a42dc6b82aba2e41648394bbd6d4bb80ae3b98

C:\Windows\Installer\MSI3683.tmp

MD5 4aa882a8a87d248e6b2d4144f47bd568
SHA1 6a949550f3c7fac710ea7d7801fd809f397c2d91
SHA256 6081f9d9040dd70c74c1f5ae51db1320ba3b3e9e6a5cdfda22a6f5e72ef38d4a
SHA512 9a91daf5c128e09912ffb6e8673d0088825ba13b0151cf23b17d531b855fb1271637ddd3c92e63c704fc135ce3b703d05dd3d1cddfe452b8844af78cdd2ba6f1

C:\Windows\Installer\MSI36B3.tmp

MD5 2ebde9d1a578ed1c78a79b2279be5f1b
SHA1 f55b8c2511d82032e4e8d503b4874396b91fff07
SHA256 fe793fc1b303f85837fc6a990caed01289c02e24f3ca497566108198fe6af5de
SHA512 f92709052fefc3fc89ba07562a093d7a22dbd62e0a38d3178a93275b9050984430bb4ef5908871d29f591bca75b2a19f9202794a07deecaa1a8df86d0ca94f20

C:\Users\Admin\AppData\Local\Temp\vminst.log

MD5 6eeed8583a7f9be8ec543cc605f24c5a
SHA1 4bf15287ab054b8b91c77c456dbc7b31c7ec5a0c
SHA256 1dba73e6861659624e187bc64cd13192faf6990ed3b640c6b8bf34c4b112cd3c
SHA512 33d1f7400aa0f1807201783ca2969fe301a71d3361dbfded962a133abcfd5733eb7a494323dea4ae8098eb5274001d5cd0769a0d83f7b5b723b9f8682384b3b5

C:\Windows\Installer\MSI37AE.tmp

MD5 ba3165ec14e657e6235d6d789e9e25ca
SHA1 f626fcc0e7e7f26a092da6a995f5936a45c4f71a
SHA256 bf93de4755822425f3fd3928b52d2a6e6c91ab069213aaaa95695ed3e17e72e9
SHA512 6d83dd60b1f8e8d93ddbda657b1c75f86c1f5f6eac899123f6ce498f5dd1a5abf05e29776144044c6a848e8fdd2b9a6a5367c4b249b879a310a260fb6b55b6da

C:\Program Files (x86)\VMware\VMware Player\vmwarebase.dll

MD5 f4d324028e750df5cef16598c6bf0cdb
SHA1 fa4e9004389bf2862d896529f766c75ec05f5e6d
SHA256 4bbd232ebbf2bdd929c667bce4476317fd6eaacf328dfb24a18e11994e1bc11d
SHA512 7256b842a4b45502e4288661d798f42319173e4e00bd233db044b92c5bf71b245a33442c920a91513d33d471232c2140b30874b72a32268a5e4e497dbe583965

C:\Program Files (x86)\VMware\VMware Player\OVFTool\env\ovftool-hw9-config-option.xml

MD5 cdae15f623a66d694d299f1390fff656
SHA1 fbfc1a118aec4ad7558b82fb5378fca06a12fa9f
SHA256 6a846f6e1e5112a3efd76dc23d97b9c36abb7bf62f9bc202c1f840a3f8dc182e
SHA512 a79ca6d4399b2c65090f45d0de1016806396ad05184d02ed54a55e6f8af1a2833220c1efaaebaca4fb777d224e409f5291d340df783a3db0963f8b01c39f76e2

C:\Program Files (x86)\VMware\VMware Player\x64\icudt44l.dat

MD5 58cccfc4824ce98be253981d1087740e
SHA1 69ff1822448fc25f56298890eeea62e974f44da9
SHA256 7e1fc96fcc98cb8f0cb44cfa94b40549a40bd0f9968c3c1141631aa0af95a1fe
SHA512 eff1ca414672758fa1bcfc3ff2d69bcf0bdbb4bb8e94442c1e9108d5b11203b355409de9af3f6ce943a693e7198329afebde2b0862959fd48ac674c341e49429

C:\Users\Public\Desktop\VMware Workstation 17 Player.lnk~RFe594c32.TMP

MD5 444704c16f663f3d7f756622d706d91e
SHA1 dd0f696474664b4b2f1b4c63cd0bfa6f65d7c8e2
SHA256 e3f739d4a3d4d993a6f0ffb3a4b5de53502311b053b3c65c8aa404170d0c975e
SHA512 c389e4b57900110d7c2e3c4345a04245837564991b4bc9fec5419ade6ef3477a7f2670ff987b883af730781c8be9d47642ab49a8eea1d7a4e7458fee4b1c1a3e

C:\Users\Public\Desktop\VMware Workstation 17 Player.lnk

MD5 70baabbbda4e606d45fa3ccd651d3329
SHA1 a81f178ccfa337a445c04bb0cf431b485bce7313
SHA256 1273e3eb81e8fb6176df29ffc7f4a027549420ec7692d99eab7f9d64eb100545
SHA512 5967d7486df1b4aec16de03c23b9626f8cfb693c6d1a44bfdc6e7784955b09f48bd42cebb1778c81e03e5aa578bc158815205b102e6d0662315a5ce7fac17e9c

C:\Program Files (x86)\VMware\VMware Player\vmplayer.exe

MD5 1e8bcddbae1683d57ead466043a57d05
SHA1 0a4d2041b83e6b14805e3843fa73f877bd4a2445
SHA256 bf480d9a362caf6a7de4e51bc441d2df30c9ffcfedd6ec1ee0a40344c20b591d
SHA512 0c8e9568910931515c8db5223ca24444f75da159136d09db0d52f800880293f60a40dc13bd36e029aad3ec0cbeec2214b8520d67b6a75852982d0e54be516f63

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\VMware\VMware Workstation 17 Player.lnk~RFe594c61.TMP

MD5 1eb4cd7a814d12f703b48d767cb26f8b
SHA1 4e478ff84ed09d7561d828a5a24d218f79b1d3a1
SHA256 ae1fcf6cb540f0264b2896c87624478e4a66b1d074b1f4387a20498ab20be0a9
SHA512 ba4bf9bf6a0ea8d8add1b7c57a60f4fc18e6a8a91b5879ad2fcc03a5b26a4c88aa064a0cadb0b6c764aa67b83feb03e48b102292f6258d47068123a751271dac

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\VMware\VMware Workstation 17 Player.lnk

MD5 17989d533547186dd73e225a93b1c12c
SHA1 a812d846a0380f5ccb76704844dcb21d6b5e6de8
SHA256 76ab9f14a5cdaca62ea1aefb3c4ecc81266e2ec5e36a992d9801cd85ecf78460
SHA512 eb86f2735c2d1bc833214a084b825c24410de0c7a9029128adaabf48a890e3bab255f57ca8ea230883581939076b9fb699a24fd2fba80e97466b6bb5006db577

C:\Windows\System32\DriverStore\Temp\{193dbe67-77cd-154c-8238-c823f971a0c7}\vmusb.inf

MD5 8d997d8d1105556cea9726b2aa38949e
SHA1 57f9c467fa48ad4585f58f40120778080d4003ef
SHA256 9cbf08670ee83cb7956473072d7d51a709da49522a1109ea582425d86d88d8f4
SHA512 d52e6ae4e66d33f3632e349fba6e13eda805764cc4d87920048af779148ac87a7918fcfa4f307a9fb19ae9b5c58b94247ac09433ba61afc0515a5bec3a5ae314

C:\Windows\System32\DriverStore\Temp\{193dbe67-77cd-154c-8238-c823f971a0c7}\vmusb.cat

MD5 c969983ba8f120def2953afe08b2f164
SHA1 2aff93389846c5b107d67ec0886a342ea18eea76
SHA256 ea696506747d3ab4a9c8b8d486b4a886ba4cba7b65eceb1d89c6ce54be6c9c20
SHA512 30f69f57ff3eb07cc0f787a22aa42245246d9b6e657b656c82335d6fa78b3f8534027c4ca28998d72872cbed099ed45b8ac59bd3c7e69ffcc133510a37632ad6

C:\Windows\System32\DriverStore\Temp\{193dbe67-77cd-154c-8238-c823f971a0c7}\vmusb.sys

MD5 092cdfca61db22f6ec3ac01255bad56e
SHA1 565788f4cdaf423078006d4bf480eb4b022bfe72
SHA256 965c2e680140329f56f253f9a5bce8745a9664fc56aedb58bdb57e126b0aa1c5
SHA512 7d5e98e33a60d259f5bceb9431c1d9630bf43f479631b9ede5ba8f8d4e761f9c67971ed5347fb7d3c1234f15a75e252b4e93aa002a5d85fed751ca0b64a5e24c

C:\Windows\System32\DRVSTORE\hcmon_AE2641AF84DF5670FA8422233CEAC89B307A0500\hcmon.sys

MD5 0f300657289a1a2d168b8b80e900055a
SHA1 c5f93e3ef6c8227009736ac8b5d314ff21f48c51
SHA256 94938835f53b968665eda2a7a082788dac0a13ee486e3186387c0ff7ececfe8a
SHA512 035d0e1430ec7206cd7995f912f11310089367a452f10924f79dc2edbb958bf080e86c4501e3b7096ec07e7f4b503ec4751b475f60927a333edd9458b41f36d9

C:\Windows\INF\oem3.PNF

MD5 eee517ae504ba11b520cfa3ff71e6c74
SHA1 80904fdaf3b2244a07173e3902b648b12dca0f43
SHA256 a895b3424c5b14cb33ec83b2b7620047f07e6030ed600c8e5084bc92ab8f7cad
SHA512 c258a02495f3f1e8035e2e383f945a4796d76c1455afd1d7b7008341ee4d7e73a4a01319f5205882fdf37d2acb2fbd46061bd20379c70e4368b5e49534be2b40

C:\Windows\System32\DriverStore\Temp\{8a4c40ad-f23c-1c48-928f-830428895a13}\vmnetbridge.cat

MD5 24236822ba4e710e9fbd3401c78131db
SHA1 83ffc5830cfcb98b6957f7802e4e7fd7816dc1ff
SHA256 a58b885df4777c61b577af7569eaa5ac0202ea50f55fe141e9be0ffc77743a50
SHA512 714f005f882ad0551fbcb74ca4fe4a0ab6f3bd998879dc51ab2911190919080a55727f4590ddb96f866a02f6ff9cfa0cab9a48a543edd35e684f28b3391171e9

C:\Windows\System32\DriverStore\Temp\{8a4c40ad-f23c-1c48-928f-830428895a13}\netbridge.inf

MD5 76e07de9fe56a25f27a695691c9bdade
SHA1 53fef434d80383dfa266c632e6d374611c38319e
SHA256 a3bbff5810e7d94a7490e06d5b420f734ec02f4fce66274930e024761e01049b
SHA512 813eb5cefc1075357dd70285e05e765ba911fbf65cf11975b1b241d2ae3bdb8520f07de9daaf29b28f979c97ef59bd079f63c297b8218072d0f405986fe4364e

C:\Windows\System32\DriverStore\Temp\{8a4c40ad-f23c-1c48-928f-830428895a13}\vmnetbridge.dll

MD5 70d6c2e1940824e5c9deac0a2467603d
SHA1 5dd4a84bfed0eb199a228abfd1804c142e3fcbfa
SHA256 0e8d73db78847ff2956c471c009088c1754640a06f877e9dea061bf9b6c287fd
SHA512 6bc3dba5d026896f64bc2131d37f155b3dab6a3c8bac758433b8776255aabb10e24b8553c05131ee13de31b323620b4d844c141e267eabfaa9c0d62084ca8417

C:\Windows\System32\DriverStore\Temp\{8a4c40ad-f23c-1c48-928f-830428895a13}\vmnet.sys

MD5 acc036a64af0be34d7925e24f5bbce36
SHA1 8b9b372250219c3d08b153f630b36dfdd2823084
SHA256 7e3af2553ce93dca2a7b2c42e1c839573ba37e393e9e7a5e200dcc2df4f7fda7
SHA512 e2190fd5e3644acd73ca86485e8d8bc1886a5ce767dfc452cc8178fb6f24ede82baecbc9e1693982307efa442ee39c19911dbe8dd19eb291595ec671979f63f6

C:\Windows\System32\DriverStore\Temp\{8a4c40ad-f23c-1c48-928f-830428895a13}\vmnetbridge.sys

MD5 11e92a49a113d80fc43219ce21468bcd
SHA1 7401c5adec3f548195c1cf3fa85c266e476f1283
SHA256 9237ac240f3bef26001bc33a670245d368b727fc43e031b6a48fbf698fdc1def
SHA512 bd7dbe2b786a7b0de0377abfc3a7a97667750e842ab5d0e42ef898151cc8a81e615a70536753e243f5a61b727acf3a837536534e65c110a26799c9a2e3b7a7c4

C:\Windows\System32\DRVSTORE\netuserif_58711DA5F5777EBD18942543251CD2F96A4E1EE5\vmnetuserif.sys

MD5 502d7759a8ea951315b74ee12a629f3d
SHA1 0f045b7a26a8ec4e5647be4c423c7cb4327fc213
SHA256 26b2cd990adeb32ef7e4c00c0e447c64c9a7811de2f398d6a227ccf26e33da72
SHA512 33b270a48413e0478432ea3d1e1fec8d71d876deef63f106905dc57bbabf6aeea74f01ef539a2c17d583e4e10d9262187a6bd9531220c8278ab4a44191aa9c52

C:\Windows\System32\DRVSTORE\netuserif_58711DA5F5777EBD18942543251CD2F96A4E1EE5\vnetinst.dll

MD5 f2338bf0d8f10fdc55b712e9c5240937
SHA1 f6e0b2151d08d2316b685aa1a8fda38af9c888fc
SHA256 11e605295b184468b69d444edf35707567615d16fe5b9ba924edcb76527f9002
SHA512 d15c92ef1e438fa4313332cc57d39a9ef19584cde8c02d328983215544d823ad838d68b975b825afaff2a6549eb06331d7fa0833fdbf2fcf43d5fedaeab2434b

C:\Windows\System32\DriverStore\Temp\{bf937a44-1478-6e49-a4fc-0bbfb7f3e3b2}\netadapter.inf

MD5 513ea5ad5d0192b4fab604bebaeba1ca
SHA1 37cadf97b3de820bb8a9cc82da50f969bd9ee742
SHA256 8d3180911c7397eda186969813dd6aa6447b2e247d1dddf8cf15c82f8c187c7b
SHA512 8459e0f67773be7ec6d3ef08c3c9018e78719797292e92471b7b8ba210cb5fe3946e3f99d23930d5454a223907bddf40e3d7c8cad8aa6063c1c26ae7f1744b33

C:\Windows\System32\DriverStore\Temp\{bf937a44-1478-6e49-a4fc-0bbfb7f3e3b2}\vmnetadapter.cat

MD5 f705d1b2884dd89de05b5be1b5f091cc
SHA1 15fda464b0e6152f20be66478e5637bac6738a44
SHA256 2fed201cfaabf39aa9d32531759ffb01b93e890ab28137983ac0a0f1b76cf4f6
SHA512 740331cb30d323bcd5ae0789ffbb0620baa7a485241b6c2e4064265397f40e8510fc6de9758b5f5cfd41888b29ed95392b73b3b0812a1e207e46d72e6d521eb4

C:\Windows\System32\DriverStore\Temp\{bf937a44-1478-6e49-a4fc-0bbfb7f3e3b2}\vmnetadapter.sys

MD5 83b9f3a1bd3afd531c19b5314525eaef
SHA1 f857b40f1d837ee9bbd0e33cf4795d4e8f20b1b9
SHA256 a75125186847fb0e6d4cd755ccd68431df3a64c8786125b6110589054f9c2389
SHA512 b48f3b039d8d11e25b9978eb9b38b7282793a264878258ceac12a243cbd344dbfcb9d5e071a422209a83f5330b7388caa8344cb6c11598e1fce1bc43f649384e

C:\Windows\System32\catroot2\dberr.txt

MD5 2d3597c2ae694e0f8b44b2a23db9a094
SHA1 a43b8a2ee87cc7e045e9efae08d352c5abafff93
SHA256 8fb8829cd5b6fb48b2311e41326fa2c9745bbb502c2006fa4b1694ea12ad4d6a
SHA512 df3d70b0037cf0973a24322949bc116431f1db3a9f312dea632a96418c9fba412a94f88be4cf13336bae0299f6d64365bfab9b554d6d9333bfbb219036f05191

C:\Windows\Temp\vminst.log

MD5 422e22f07522df4987026df70486b949
SHA1 15b7bdebd354846be987c78c7128173e22a9a6aa
SHA256 acd8758047ba9ff667fbdaf07c0dca1b729f38a46c0ee41f58239657f27c98be
SHA512 ef50a945c50cd18322a1d8c5eda0361ecc14e84bc595b84ad1f1fef46f4b2201c6be7691246f8c7f2e7fd25c8eb518ea7786dc22c83c93021bb64361856022e7

C:\Windows\System32\DRVSTORE\vmx86_0EB6D425AF13AF7EF7CCBE7DA93B4388751906C3\vmx86.sys

MD5 73ebcf23e0e1ee82dedc376c1d312803
SHA1 aa6ee9d5798254b715ba1ac254ee11cbd70df864
SHA256 e8de7c03018755a37a2993b2688c5258b46919b15c5e55a85590d8ae3abf1eb3
SHA512 03863edc55d819378ed9aaab1771a7be6acc627b3512bf7555111135b486b5bdf709bee5e32f717112397e5db4579ff496fcbd6c92e96ed8d5c7321e1315f86a

C:\Users\Admin\AppData\Local\Temp\FKL36E5.tmp.dir\DIFXAPI.dll

MD5 116eaa5c9bb2cce346a42eafde2dc152
SHA1 13c433306ebdafcd983410482fd42685bebadeb9
SHA256 57afba202253a7736e7296ca9ad606b9640ad6f5e9c231ee291f511dd469c783
SHA512 57d2ce75bd4a645eda5a9a77a6e92789cc527412722b2fcdcbb271c0d6eb8014b596d16e9ed0e72c9e1153e60549d13be2241fbd13223779dd9596e52ee8f944

C:\Windows\System32\DriverStore\Temp\{902b461e-d928-cc47-8447-304a4efcd1ff}\vmci.sys

MD5 339e79b21cd73fe1174b56d6032e40d2
SHA1 d85e6a6a585fe4eba6f2601ae97a9db171f2b5b1
SHA256 91e68a9891339a8db757c9eceb65371db83822fa56305d61330e50194dc97131
SHA512 10d5783d92bcdcd536abbb3650321f150f4f8a0850e99a974dc3e445dd6421b41fd9ce0da951efcc553b5bb00719e11c4c22c01f2c0882e35380a15de0076484

C:\Windows\System32\DriverStore\Temp\{902b461e-d928-cc47-8447-304a4efcd1ff}\vmci.inf

MD5 fdb3c5882438a6e996d13a7ab48cf467
SHA1 7257251e1b43912d15defbdf01056aef80d043a2
SHA256 1e71d0b7aa6a8835986a2d603c7218e792886fec4ea889f13200cf0fdc78a73b
SHA512 551678e245c37c61433bb06f5bbc1075b76c1b86b06907b0a8d4c1e240b62d13922a0465919f361a6584388d80333201b5b6202b3fa1c6ff7771a58ba9ea8716

C:\Windows\System32\DriverStore\Temp\{902b461e-d928-cc47-8447-304a4efcd1ff}\vmci.cat

MD5 c888f61b9b09bda1f1fc1506123753d4
SHA1 bc2be72275b899d848737bfac8e0ba1ea72af63e
SHA256 b69004749d69e2d826a4341d2ac409711fb984fe2ebb4afa2b3dbc03368493cd
SHA512 9a90df4b4e4eefb48e81853d02e3f2f9b6280636322436b717f0763bf7feca79660fc860f8142b915fc475a20de4d876c1a29687061468609e9cedcb725b88d4

C:\Windows\System32\DRVSTORE\vsock_91D4AA923191C17024EC2122FC89C72E5812E906\vsocklib_x86.dll

MD5 f7d359d175826bf28056ae1cbe1a02d9
SHA1 19409b176561fa710d37e04c664c837f5bf80bff
SHA256 af1df28834936aef92e142c14b1439ca64d070840b2c07b87351174ec0f71d8a
SHA512 e2d78cb2d6f1b2f3c410ccd5272d0b3e34f3cdf25c41605b12e9a1f408308084c28c4b427c915ed87e28f21d662846529711fa07f4357a7f7f727b96a5d0e7f7

C:\Windows\System32\DRVSTORE\vsock_91D4AA923191C17024EC2122FC89C72E5812E906\vsocklib_x64.dll

MD5 abe700a6459d2d6fc9774e0277350ecf
SHA1 cefe9bb79520b3cadf6d1bbf44fdd771487b3d7e
SHA256 952603279b8851c3739d562247f3f0a373b5fd0eb5a9c3baf1e6b1e608ebc6c8
SHA512 c6fa33ff10523d408be2e5653100fb3aabf1cecaa810916a0cbcd32c5bc2da76ebfb73256719843700ee4d05a7adf7b18c9130dab1127b7bd8b1d089b8219349

C:\Windows\System32\DRVSTORE\vsock_91D4AA923191C17024EC2122FC89C72E5812E906\vsock.sys

MD5 64ba085bb02e9ecf3b21f0377199289f
SHA1 bf00ebb018e9b0fe63ef3af971ab395fc0ecb7f1
SHA256 dfdb2166d3010a1e7ccfdc38f0b1524fdc4b79b17b06093b7f9820b637d28343
SHA512 b2d3e43f291cfc0215c1e1df1d61b94c7e7d7780bdfa8d627edcb58b1298fcc96beb8eaff7567629e2ae1c7ae1b0ef60af6abd6fd9ec0b380c5e20ebb0a8a8f1

C:\Config.Msi\e582673.rbs

MD5 e7c8f1ef18136ec5882d4d3d02e71a25
SHA1 a1036ad48c737e7ac462cf141b96cbae2dae5267
SHA256 8a00e80341738624c5c8d6c9d4829d8ca07757a82f2d00e4844f07fe6858f105
SHA512 9ccacfac1952f484026633f2aab0f7d3a8c9fbe7591cea60d958e94bb010a04fda3c20c409bee331814a5ff6df1bc3ff2d60f294b0bc25a1828dff61df9c4630

C:\Users\Admin\AppData\Local\Temp\vmmsi.log_20240611_165144.log

MD5 7b041470f992818a9de7c7f244d1aaed
SHA1 6a5f2475556d5b5df3a28528787dbf7cb05132bd
SHA256 2c04dab2cd293ac318844ba198539e58f5bf84eb22dcb0c9a67f9087688a73f4
SHA512 3a05a0da162a5e26e8c4486b2c9e9933512970d0d2defbece329a1bddf37e234154d9e77ba3272792d5211c3f390e3f9807bc52ac6ae2e1ca7e335d5a05d4e3a

C:\Users\Admin\AppData\Roaming\VMware\preferences.ini

MD5 0ef7698b8e892b0283e1f49e20913d2e
SHA1 6545e20fe34446d867173e5b17f24b7ad14aaec7
SHA256 932b6fdc14bab4c1ae994e2a9d9bdbd9b80634f8319bd21d0ea2eaeb4a48f5e0
SHA512 16b8370f032c629f1a862ab2757524a347ffe2f1197178afef25769cb1d9884760c23695c4eb9b813ff6ca1d71aae9503263ab741574510c67666414b13716ed

C:\Users\Admin\AppData\Roaming\VMware\preferences.ini

MD5 6c6decaa3c88ec9ad103bac9b8a689dd
SHA1 454635a54c324ecd914cd563c602cac7b87d5c67
SHA256 8eabfea2dd1733a2e84e09f3f7478cdfb7b9c704d15795c9da69826765965689
SHA512 da78a399ee9646851c4f409b9effee2f360b2826d0624558267506da6cdab89bd866ebf1a53da21ac71b005385de8e7dd72b026a516e39dcab05adb5a516e145
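The listing above is raw sandbox output. As an added example (not part of the report, and not the sandbox's own tooling), the following Python parses the path-and-hash blocks into records and pulls out the two things a reviewer of this report checks first: the dropped kernel drivers behind the "Suspicious behavior: LoadsDriver" and "Drops file in Drivers directory" signatures, and paths that were written more than once with different content. The SAMPLE excerpt is copied verbatim from the listing above; the record type and function names are this example's own.

```python
"""Triage helper for a sandbox report's dropped-files listing.

Added example, not part of the report or of any sandbox tool. It parses the
'path / blank / MD5 SHA1 SHA256 SHA512' blocks into records and answers:
which drops are kernel drivers, and which paths were written more than once.
"""
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Excerpt copied from the report's listing (a memory-dump entry, the installer
# log captured twice, and two kernel drivers). Raw string: backslashes are literal.
SAMPLE = r"""
memory/2264-563-0x0000021394620000-0x0000021394621000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\vminst.log

MD5 2474d3c409d60a137cd8b964d0bb70f9
SHA1 45f08256e823e9bc9c3448406f40981bf0410875
SHA256 45e672a7ea25003fbee702915f9000cee415e2f3a785c1678093d8c727e65ef4
SHA512 5a59dbb3cf4974945db036192af8b0f42fbea1a139de5fb911329bd046b98ca4cc7753e15a89dc716d47923d2fc1b652b2ee806d0e3dbd4e3552ad355b110e88

C:\Users\Admin\AppData\Local\Temp\vminst.log

MD5 b4e6da491b947f031c674e43822f4d92
SHA1 1c35e1ec9d688ff55b47aac4b3feee5a8df8e223
SHA256 daad78bbe41c37eadbc94f2ac132ed40e7515a529941e793906dfb1ec1078255
SHA512 ec91f539322fbc6b580639a7c37450b08dc5bdd82c1390e66ac088ba16e8b94d85dc285f149373a9e67697c6537c2bb239469519e435de6748f95777a41d0f22

C:\Windows\System32\DriverStore\Temp\{193dbe67-77cd-154c-8238-c823f971a0c7}\vmusb.sys

MD5 092cdfca61db22f6ec3ac01255bad56e
SHA1 565788f4cdaf423078006d4bf480eb4b022bfe72
SHA256 965c2e680140329f56f253f9a5bce8745a9664fc56aedb58bdb57e126b0aa1c5
SHA512 7d5e98e33a60d259f5bceb9431c1d9630bf43f479631b9ede5ba8f8d4e761f9c67971ed5347fb7d3c1234f15a75e252b4e93aa002a5d85fed751ca0b64a5e24c

C:\Windows\System32\DRVSTORE\hcmon_AE2641AF84DF5670FA8422233CEAC89B307A0500\hcmon.sys

MD5 0f300657289a1a2d168b8b80e900055a
SHA1 c5f93e3ef6c8227009736ac8b5d314ff21f48c51
SHA256 94938835f53b968665eda2a7a082788dac0a13ee486e3186387c0ff7ececfe8a
SHA512 035d0e1430ec7206cd7995f912f11310089367a452f10924f79dc2edbb958bf080e86c4501e3b7096ec07e7f4b503ec4751b475f60927a333edd9458b41f36d9
"""

HASH_LINE = re.compile(r"^(MD5|SHA1|SHA256|SHA512) ([0-9a-fA-F]+)$")
HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}


@dataclass
class Drop:
    path: str
    hashes: dict = field(default_factory=dict)  # algorithm -> lowercase hex


def parse_listing(text):
    """A non-blank, non-hash line starts a record; hash lines attach to the
    latest one. A digest of the wrong length raises: truncated IOCs are useless."""
    drops = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = HASH_LINE.match(line)
        if m is None:
            drops.append(Drop(path=line))
            continue
        if not drops:
            raise ValueError("hash line before any path: " + line)
        algo, digest = m.group(1), m.group(2).lower()
        if len(digest) != HASH_LEN[algo]:
            raise ValueError(f"{algo} digest of length {len(digest)} for {drops[-1].path}")
        drops[-1].hashes[algo] = digest
    return drops


def kernel_drivers(drops):
    """(path, sha256) for every dropped .sys: the files behind the LoadsDriver
    signature, and the digests to pivot on when checking each against a
    known-good signed vendor build."""
    return [(d.path, d.hashes.get("SHA256")) for d in drops
            if d.path.lower().endswith(".sys")]


def rewritten_paths(drops):
    """path -> distinct SHA256 list for paths listed more than once with
    different content (here the installer log, re-written as the install
    progresses). Several hashes for one path is the same file at different
    moments, not an error in the report."""
    seen = defaultdict(list)
    for d in drops:
        sha = d.hashes.get("SHA256")
        if sha and sha not in seen[d.path]:
            seen[d.path].append(sha)
    return {p: h for p, h in seen.items() if len(h) > 1}


if __name__ == "__main__":
    records = parse_listing(SAMPLE)
    for path, sha in kernel_drivers(records):
        print("driver   ", sha, path)
    for path, shas in rewritten_paths(records).items():
        print("rewritten", len(shas), "versions of", path)
```

Running it over the full listing rather than the excerpt just means pasting the rest of the blocks into SAMPLE; the format is the same throughout. For a legitimate installer the expected outcome is that every dropped .sys digest corresponds to a vendor-signed driver; confirming that (an Authenticode check on the file itself, or a lookup of the SHA256 against a trusted source) is an out-of-band step that this parser only prepares by collecting the digests.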