Analysis Overview
SHA256: 85b3f341d654847fba6523dbdf4e30f1721870d194ec53f1065291e8ccbd3474
Threat Level: Likely malicious
The file VMware-player-17.5.2-23775571.exe was found to be: Likely malicious.
Malicious Activity Summary
Looks for VMWare Tools registry key
Looks for VMWare services registry key.
Sets service image path in registry
Drops file in Drivers directory
Looks for VMWare drivers on disk
Enumerates connected drives
Writes to the Master Boot Record (MBR)
Adds Run key to start application
Checks computer location settings
Drops file in System32 directory
Drops file in Program Files directory
Checks installed software on the system
Loads dropped DLL
Executes dropped EXE
Drops file in Windows directory
Registers COM server for autorun
Enumerates physical storage devices
Suspicious use of FindShellTrayWindow
Suspicious use of AdjustPrivilegeToken
Modifies Internet Explorer settings
Suspicious behavior: GetForegroundWindowSpam
Modifies registry class
Modifies data under HKEY_USERS
Enumerates system info in registry
Checks SCSI registry key(s)
Suspicious use of SendNotifyMessage
Suspicious behavior: LoadsDriver
Uses Volume Shadow Copy service COM API
Suspicious use of SetWindowsHookEx
Checks processor information in registry
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported: 2024-06-11 16:49
Signatures
Analysis: behavioral1
Detonation Overview
Submitted: 2024-06-11 16:48
Reported: 2024-06-11 16:53
Platform: win7-20240221-en
Max time kernel: 117s
Max time network: 144s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\VMware-player-17.5.2-23775571.exe
"C:\Users\Admin\AppData\Local\Temp\VMware-player-17.5.2-23775571.exe"
Network
Files
memory/2212-0-0x00000000001A0000-0x00000000001A1000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted: 2024-06-11 16:48
Reported: 2024-06-11 16:52
Platform: win10v2004-20240508-en
Max time kernel: 184s
Max time network: 193s
Command Line
Signatures
Drops file in Drivers directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | C:\Windows\system32\DRIVERS\SET54CD.tmp | C:\Program Files (x86)\Common Files\VMware\USB\vnetlib64.exe | N/A |
| File opened for modification | C:\Windows\system32\DRIVERS\SET64DA.tmp | C:\Program Files (x86)\VMware\VMware Player\vnetlib64.exe | N/A |
| File opened for modification | C:\Windows\system32\DRIVERS\vmnet.sys | C:\Program Files (x86)\VMware\VMware Player\vnetlib64.exe | N/A |
| File opened for modification | C:\Windows\system32\DRIVERS\SET64EB.tmp | C:\Program Files (x86)\VMware\VMware Player\vnetlib64.exe | N/A |
| File opened for modification | C:\Windows\system32\DRIVERS\vmnetuserif.sys | C:\Program Files (x86)\VMware\VMware Player\vnetlib64.exe | N/A |
| File opened for modification | C:\Windows\system32\DRIVERS\SET80CF.tmp | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\system32\DRIVERS\vmx86.sys | C:\Program Files (x86)\VMware\VMware Player\vnetlib64.exe | N/A |
| File created | C:\Windows\system32\DRIVERS\SET8C87.tmp | C:\Windows\System32\MsiExec.exe | N/A |
| File opened for modification | C:\Windows\system32\DRIVERS\vmnet.sys | C:\Program Files (x86)\VMware\VMware Player\vnetlib64.exe | N/A |
| File created | C:\Windows\System32\drivers\SET8C48.tmp | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\system32\DRIVERS\vsock.sys | C:\Windows\System32\MsiExec.exe | N/A |
| File opened for modification | C:\Windows\system32\DRIVERS\hcmon.sys | C:\Program Files (x86)\Common Files\VMware\USB\vnetlib64.exe | N/A |
| File created | C:\Windows\system32\DRIVERS\SET64DA.tmp | C:\Program Files (x86)\VMware\VMware Player\vnetlib64.exe | N/A |
| File opened for modification | C:\Windows\system32\DRIVERS\vmnetbridge.sys | C:\Program Files (x86)\VMware\VMware Player\vnetlib64.exe | N/A |
| File created | C:\Windows\system32\DRIVERS\SET8A45.tmp | C:\Program Files (x86)\VMware\VMware Player\vnetlib64.exe | N/A |
| File opened for modification | C:\Windows\system32\DRIVERS\SET8C87.tmp | C:\Windows\System32\MsiExec.exe | N/A |
| File created | C:\Windows\system32\DRIVERS\SET62E8.tmp | C:\Program Files (x86)\VMware\VMware Player\vnetlib64.exe | N/A |
| File created | C:\Windows\system32\DRIVERS\SET64EB.tmp | C:\Program Files (x86)\VMware\VMware Player\vnetlib64.exe | N/A |
| File opened for modification | C:\Windows\system32\DRIVERS\SET8A45.tmp | C:\Program Files (x86)\VMware\VMware Player\vnetlib64.exe | N/A |
| File opened for modification | C:\Windows\System32\drivers\vmci.sys | C:\Windows\system32\DrvInst.exe | N/A |
| File created | C:\Windows\system32\DRIVERS\SET54CD.tmp | C:\Program Files (x86)\Common Files\VMware\USB\vnetlib64.exe | N/A |
| File created | C:\Windows\system32\DRIVERS\SET62E7.tmp | C:\Program Files (x86)\VMware\VMware Player\vnetlib64.exe | N/A |
| File opened for modification | C:\Windows\system32\DRIVERS\SET62E8.tmp | C:\Program Files (x86)\VMware\VMware Player\vnetlib64.exe | N/A |
| File opened for modification | C:\Windows\system32\DRIVERS\vmnetadapter.sys | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\System32\drivers\SET8C48.tmp | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\system32\DRIVERS\SET62E7.tmp | C:\Program Files (x86)\VMware\VMware Player\vnetlib64.exe | N/A |
| File created | C:\Windows\system32\DRIVERS\SET80CF.tmp | C:\Windows\system32\DrvInst.exe | N/A |
Looks for VMWare Tools registry key
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\VMware, Inc.\VMware Tools | C:\Users\Admin\AppData\Local\Temp\VMware-player-17.5.2-23775571.exe | N/A |
Looks for VMWare drivers on disk
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened (read-only) | C:\Windows\System32\drivers\vmci.sys | C:\Windows\system32\DrvInst.exe | N/A |
Looks for VMWare services registry key.
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VMware | C:\Windows\system32\msiexec.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VMware | C:\Windows\system32\msiexec.exe | N/A |
| Key security queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VMware | C:\Windows\system32\msiexec.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VMware | C:\Windows\syswow64\MsiExec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\vmx86 | C:\Program Files (x86)\VMware\VMware Player\vnetlib64.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\vmci | C:\Windows\System32\MsiExec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VMware | C:\Windows\system32\msiexec.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VMware | C:\Windows\syswow64\MsiExec.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\vmx86 | C:\Program Files (x86)\VMware\VMware Player\vnetlib64.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\vmci | C:\Windows\System32\MsiExec.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\vmci | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\vmci | C:\Windows\system32\DrvInst.exe | N/A |
Sets service image path in registry
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\vsock\ImagePath = "system32\\DRIVERS\\vsock.sys" | C:\Windows\System32\MsiExec.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\{410c0ee1-00bb-41b6-9772-e12c2828b02f} = "\"C:\\ProgramData\\Package Cache\\{410c0ee1-00bb-41b6-9772-e12c2828b02f}\\VC_redist.x86.exe\" /burn.runonce" | C:\Windows\Temp\{040980F8-08CD-4BA2-8388-C5A4988B2D55}\.be\VC_redist.x86.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\{8bdfe669-9705-4184-9368-db9ce581e0e7} = "\"C:\\ProgramData\\Package Cache\\{8bdfe669-9705-4184-9368-db9ce581e0e7}\\VC_redist.x64.exe\" /burn.runonce" | C:\Windows\Temp\{E8D00CD8-A320-4CCB-94EE-495D94D999EF}\.be\VC_redist.x64.exe | N/A |
Enumerates connected drives
Writes to the Master Boot Record (MBR)
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | \??\PhysicalDrive0 | C:\Program Files (x86)\VMware\VMware Player\vmplayer.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation | C:\Windows\Temp\{52B97F84-1588-4D19-BE38-1998F9E2175C}\.cr\vcredist_x86.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation | C:\Windows\Temp\{A4D93C42-2F99-4C21-A0C5-89E2B351CAE3}\.cr\vcredist_x64.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | C:\Windows\system32\msvcp140.dll | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\SET8C89.tmp | C:\Windows\System32\MsiExec.exe | N/A |
| File created | C:\Windows\SysWOW64\vmsrchTemp.txt | C:\Windows\syswow64\MsiExec.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\mfc140u.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\system32\mfc140u.dll | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\system32\vnetlib64.dll | C:\Program Files (x86)\VMware\VMware Player\vnetlib64.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\Temp\{bf937a44-1478-6e49-a4fc-0bbfb7f3e3b2}\vmnetadapter.sys | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\mfc140cht.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\SysWOW64\mfc140enu.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\System32\DriverStore\Temp\{8a4c40ad-f23c-1c48-928f-830428895a13}\SET6152.tmp | C:\Windows\system32\DrvInst.exe | N/A |
| File created | C:\Windows\SysWOW64\mfc140fra.dll | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\system32\mfc140u.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\system32\perfh010.dat | C:\Windows\syswow64\MsiExec.exe | N/A |
| File created | C:\Windows\System32\DriverStore\FileRepository\netnb.inf_amd64_0dc913ad00b14824\netnb.PNF | C:\Program Files (x86)\VMware\VMware Player\vnetlib64.exe | N/A |
| File opened for modification | C:\Windows\system32\DRVSTORE\vsock_91D4AA923191C17024EC2122FC89C72E5812E906\vsock.inf | C:\Windows\System32\MsiExec.exe | N/A |
| File created | C:\Windows\system32\DRVSTORE\vsock_91D4AA923191C17024EC2122FC89C72E5812E906\vsock.inf | C:\Windows\System32\MsiExec.exe | N/A |
| File created | C:\Windows\system32\SET8C88.tmp | C:\Windows\System32\MsiExec.exe | N/A |
| File created | C:\Windows\SysWOW64\SET8C89.tmp | C:\Windows\System32\MsiExec.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\vcomp140.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\system32\DRVSTORE\hcmon_AE2641AF84DF5670FA8422233CEAC89B307A0500\hcmon.sys | C:\Program Files (x86)\Common Files\VMware\USB\vnetlib64.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\msvcp140_codecvt_ids.dll | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\FileRepository\vmusb.inf_amd64_bb336ccced75363c\vmusb.inf | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\msvcp140_atomic_wait.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\SysWOW64\msvcp140_codecvt_ids.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\System32\DriverStore\Temp\{193dbe67-77cd-154c-8238-c823f971a0c7}\SET52F9.tmp | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\Temp\{bf937a44-1478-6e49-a4fc-0bbfb7f3e3b2}\vnetinst.dll | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\system32\mfc140chs.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\System32\DriverStore\Temp\{8a4c40ad-f23c-1c48-928f-830428895a13}\SET6151.tmp | C:\Windows\system32\DrvInst.exe | N/A |
| File created | C:\Windows\SysWOW64\mfc140kor.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\system32\perfh00C.dat | C:\Windows\syswow64\MsiExec.exe | N/A |
| File created | C:\Windows\system32\DRVSTORE\netuserif_58711DA5F5777EBD18942543251CD2F96A4E1EE5\vmnetuserif.sys | C:\Program Files (x86)\VMware\VMware Player\vnetlib64.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\Temp\{bf937a44-1478-6e49-a4fc-0bbfb7f3e3b2}\vmnetadapter.cat | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\Temp\{bf937a44-1478-6e49-a4fc-0bbfb7f3e3b2}\SET7F49.tmp | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\mfc140jpn.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\system32\msvcp140_atomic_wait.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\system32\mfc140cht.dll | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\mfcm140u.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\system32\mfcm140u.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\System32\DriverStore\FileRepository\netadapter.inf_amd64_1b7e5f451712307a\netadapter.PNF | C:\Program Files (x86)\VMware\VMware Player\vnetlib64.exe | N/A |
| File created | C:\Windows\system32\perfc00A.dat | C:\Windows\syswow64\MsiExec.exe | N/A |
| File opened for modification | C:\Windows\system32\DRVSTORE\hcmon_AE2641AF84DF5670FA8422233CEAC89B307A0500\hcmon.inf | C:\Program Files (x86)\Common Files\VMware\USB\vnetlib64.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\mfc140esn.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\SysWOW64\PerfStringBackup.TMP | C:\Windows\syswow64\MsiExec.exe | N/A |
| File created | C:\Windows\System32\DriverStore\Temp\{8a4c40ad-f23c-1c48-928f-830428895a13}\SET6153.tmp | C:\Windows\system32\DrvInst.exe | N/A |
| File created | C:\Windows\System32\DriverStore\FileRepository\netnwifi.inf_amd64_a2bfd066656fe297\netnwifi.PNF | C:\Program Files (x86)\VMware\VMware Player\vnetlib64.exe | N/A |
| File created | C:\Windows\SysWOW64\vcruntime140.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\SysWOW64\mfc140rus.dll | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\System32\CatRoot2\dberr.txt | C:\Program Files (x86)\Common Files\VMware\USB\vnetlib64.exe | N/A |
| File opened for modification | C:\Windows\system32\DRVSTORE\netuserif_58711DA5F5777EBD18942543251CD2F96A4E1EE5\netuserif.inf | C:\Program Files (x86)\VMware\VMware Player\vnetlib64.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\Temp\{bf937a44-1478-6e49-a4fc-0bbfb7f3e3b2}\SET7F7B.tmp | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\system32\msvcp140_codecvt_ids.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\system32\perfc011.dat | C:\Windows\syswow64\MsiExec.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\Temp\{193dbe67-77cd-154c-8238-c823f971a0c7}\vmusb.cat | C:\Windows\system32\DrvInst.exe | N/A |
| File created | C:\Windows\System32\DriverStore\Temp\{193dbe67-77cd-154c-8238-c823f971a0c7}\SET52FA.tmp | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\Temp\{8a4c40ad-f23c-1c48-928f-830428895a13}\SET6153.tmp | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\Temp\{8a4c40ad-f23c-1c48-928f-830428895a13}\vmnet.sys | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\FileRepository\netbridge.inf_amd64_795340d0273da4f7\vmnetbridge.sys | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\Temp\{8a4c40ad-f23c-1c48-928f-830428895a13} | C:\Windows\system32\DrvInst.exe | N/A |
| File created | C:\Windows\system32\DRVSTORE\netuserif_58711DA5F5777EBD18942543251CD2F96A4E1EE5\vmnet.sys | C:\Program Files (x86)\VMware\VMware Player\vnetlib64.exe | N/A |
| File created | C:\Windows\system32\SET64EC.tmp | C:\Program Files (x86)\VMware\VMware Player\vnetlib64.exe | N/A |
| File opened for modification | C:\Windows\system32\DRVSTORE | C:\Program Files (x86)\Common Files\VMware\USB\vnetlib64.exe | N/A |
| File opened for modification | C:\Windows\system32\vnetinst.dll | C:\Program Files (x86)\VMware\VMware Player\vnetlib64.exe | N/A |
| File created | C:\Windows\System32\DriverStore\FileRepository\vmci.inf_amd64_68ed49469341f563\vmci.PNF | C:\Windows\System32\MsiExec.exe | N/A |
| File created | C:\Windows\SysWOW64\vccorlib140.dll | C:\Windows\system32\msiexec.exe | N/A |
Checks installed software on the system
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Program Files (x86)\VMware\VMware Player\vmappsdk.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Common Files\VMware\USB\vnetlib64.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\VMware\VMware Player\OVFTool\env\ovftool-hw19-config-option.xml | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\VMware\VMware Player\iconv.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\VMware\VMware Player\x64\SCSI.ROM | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\VMware\VMware Player\OVFTool\env\ovftool-hw20-config-option.xml | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\VMware\VMware Player\x64\BIOS.440.ROM | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\VMware\VMware Player\vmnetBridge.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files\Common Files\VMware\Drivers\vmci\sockets\Win8\vsocklib_x86.dll | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\VMware\InstallerCache\{F47C8797-293D-4702-A238-F1EF11F8A1B0}.msi | C:\Users\Admin\AppData\Local\Temp\VMware-player-17.5.2-23775571.exe | N/A |
| File created | C:\Program Files (x86)\VMware\VMware Player\vmauthd.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\VMware\VMware Player\OVFTool\env\iso2psx.vlcl | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\VMware\VMware Player\ico\import.ico | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\VMware\VMware Player\x64\zlib1.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\VMware\VMware Player\x64\mksSandbox.exe | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Common Files\VMware\USB\vmware-usbarbitrator64.exe | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Common Files\VMware\USB\DriverCache\vnetlib.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\VMware\VMware Player\OVFTool\libexpat.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\VMware\VMware Player\7za.exe | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\VMware\VMware Player\glibmm-2.4.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\VMware\VMware Player\OVFTool\schemas\DMTF\CIM_VirtualSystemSettingData.xsd | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\VMware\VMware Player\OVFTool\zlib1.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\VMware\VMware Player\x64\PXE-VMXNET3.ROM | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\VMware\VMware Player\ico\vd.ico | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\VMware\VMware Player\OVFTool\open_source_licenses.txt | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\VMware\VMware Player\OVFTool\env\ovftool-hw15-config-option.xml | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files\Common Files\VMware\Drivers\vmci\device\Win8\vmci.inf | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\VMware\VMware Player\vkd\lib-initrd | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\VMware\VMware Player\libcds.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\VMware\VMware Player\x64\PVSCSI.ROM | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\VMware\VMware Player\OVFTool\env\en\locmsg.vmsg | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\VMware\VMware Player\OVFTool\env\en\stask.vmsg | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\VMware\VMware Player\vkd\crx-podvm-initrd | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\VMware\VMware Player\vmapputil.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\VMware\VMware Player\vmPerfmon.ini | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\VMware\VMware Player\messages\zh_CN\vmui-zh_CN.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\VMware\VMware Player\ovftool_open_source_licenses.txt | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\VMware\VMware Player\vmPerfmon.h | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\VMware\VMware Player\OVFTool\vmacore.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\VMware\VMware Player\vkd\vkd-initrd | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\VMware\VMware Player\x64\PXE-VMXNET.ROM | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\VMware\VMware Player\ico\suspend.ico | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\VMware\VMware Player\gthread-2.0.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files\Common Files\VMware\Drivers\hcmon\Win7\hcmonver.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\VMware\VMware Player\vkd\coredns-initrd | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\VMware\VMware Player\libcurl.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\VMware\VMware Player\tools-upgraders\VMwareToolsUpgrader9x.exe | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files\Common Files\VMware\Drivers\hcmon\Win7\hcmon.sys | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\VMware\VMware Player\OVFTool\env\en\auth.vmsg | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\VMware\VMware Player\OVFTool\vmware.eula | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files\Common Files\VMware\Drivers\vmci\sockets\Win8\vsock.cat | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\VMware\VMware Player\x64\PXE-E1000.ROM | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\VMware\VMware Player\vmnetuserif.cat | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\VMware\VMware Player\ico\snapshot.ico | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\VMware\VMware Player\OVFTool\env\ovftool-hw10-config-option.xml | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\VMware\VMware Player\icudt44l.dat | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\VMware\VMware Player\libexpat.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\VMware\VMware Player\x64\vmware-vmx-debug.exe | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\VMware\VMware Player\vnetlib.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\VMware\VMware Player\OVFTool\icuuc60.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\VMware\VMware Player\OVFTool\env\iso2win.vlcl | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\VMware\VMware Player\OVFTool\env\ovftool-hw13-config-option.xml | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\VMware\VMware Player\vmnet.sys | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\VMware\VMware Player\vmnetadapter.cat | C:\Windows\system32\msiexec.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | C:\Windows\Installer\MSI9216.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\e582672.msi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\inf\VMware\vmPerfmon.h | C:\Windows\syswow64\MsiExec.exe | N/A |
| File opened for modification | C:\Windows\inf\VMware\vmPerfmon.ini | C:\Windows\syswow64\MsiExec.exe | N/A |
| File opened for modification | C:\Windows\INF\setupapi.dev.log | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI31FC.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\e582621.msi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI4EFA.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI4FD8.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI8E04.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\inf\oem6.inf | C:\Windows\system32\DrvInst.exe | N/A |
| File created | C:\Windows\Installer\inprogressinstallinfo.ipi | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\e582633.msi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI36B3.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI37AE.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI3D44.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\INF\oem1.PNF | C:\Program Files (x86)\Common Files\VMware\USB\DriverCache\vnetlib64.exe | N/A |
| File opened for modification | C:\Windows\Installer\e582633.msi | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\{F47C8797-293D-4702-A238-F1EF11F8A1B0}\_generic.ico | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI4F3A.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI8AD6.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\e582676.msi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\e582672.msi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI545E.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI8F26.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\e58265c.msi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI39E5.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI3B2F.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\inf\oem5.inf | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\INF\setupapi.dev.log | C:\Windows\System32\MsiExec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI8F05.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\INF\setupapi.dev.log | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI2A0A.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\SourceHash{0025DD72-A959-45B5-A0A3-7EFEB15A8050} | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI3625.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI4E0F.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI551C.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\INF\setupapi.dev.log | C:\Program Files (x86)\VMware\VMware Player\vnetlib64.exe | N/A |
| File created | C:\Windows\inf\oem6.inf | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI3927.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\inf\oem3.inf | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI315F.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI4FE7.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\INF\oem3.PNF | C:\Windows\syswow64\MsiExec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI8E34.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\INF\oem2.PNF | C:\Program Files (x86)\Common Files\VMware\USB\DriverCache\vnetlib64.exe | N/A |
| File opened for modification | C:\Windows\INF\setupapi.dev.log | C:\Windows\system32\DrvInst.exe | N/A |
| File created | C:\Windows\inf\oem4.inf | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI8F94.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\SourceHash{73F77E4E-5A17-46E5-A5FC-8A061047725F} | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI2EED.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI4FE9.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI6105.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\INF\setupapi.dev.log | C:\Program Files (x86)\VMware\VMware Player\vnetlib64.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI8D86.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI4FA8.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\INF\oem0.PNF | C:\Program Files (x86)\Common Files\VMware\USB\DriverCache\vnetlib64.exe | N/A |
| File created | C:\Windows\Installer\SourceHash{D5D19E2F-7189-42FE-8103-92CD1FA457C2} | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\INF\setupapi.dev.log | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI89DB.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\e582649.msi | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\SourceHash{F47C8797-293D-4702-A238-F1EF11F8A1B0} | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\inf\VMware\vmPerfmon.ini | C:\Windows\syswow64\MsiExec.exe | N/A |
Executes dropped EXE
Loads dropped DLL
Registers COM server for autorun
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3d09c1ca-2bcc-40b7-b9bb-3f3ec143a87b}\InProcServer32 | C:\Program Files (x86)\VMware\VMware Player\vnetlib64.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3d09c1ca-2bcc-40b7-b9bb-3f3ec143a87b}\InProcServer32\ = "C:\\Program Files (x86)\\VMware\\VMware Player\\vmnetbridge.dll" | C:\Program Files (x86)\VMware\VMware Player\vnetlib64.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3d09c1ca-2bcc-40b7-b9bb-3f3ec143a87b}\InProcServer32\ThreadingModel = "Both" | C:\Program Files (x86)\VMware\VMware Player\vnetlib64.exe | N/A |
Enumerates physical storage devices
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A\ | C:\Program Files (x86)\VMware\VMware Player\vnetlib64.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags | C:\Program Files (x86)\VMware\VMware Player\vnetlib64.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Service | C:\Windows\system32\DrvInst.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID | C:\Windows\system32\DrvInst.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom | C:\Windows\system32\DrvInst.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001 | C:\Windows\system32\DrvInst.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A | C:\Program Files (x86)\VMware\VMware Player\vnetlib64.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\LowerFilters | C:\Windows\system32\DrvInst.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\CompatibleIDs | C:\Windows\system32\DrvInst.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\CompatibleIDs | C:\Windows\System32\MsiExec.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\UpperFilters | C:\Windows\system32\DrvInst.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\LowerFilters | C:\Windows\system32\DrvInst.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Filters | C:\Windows\system32\DrvInst.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 | C:\Program Files (x86)\VMware\VMware Player\vnetlib64.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\UpperFilters | C:\Windows\system32\DrvInst.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags | C:\Program Files (x86)\VMware\VMware Player\vnetlib64.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Service | C:\Windows\system32\DrvInst.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Service | C:\Windows\system32\DrvInst.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 | C:\Program Files (x86)\VMware\VMware Player\vnetlib64.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr | C:\Windows\system32\vssvc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | C:\Program Files (x86)\VMware\VMware Player\vnetlib64.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A | C:\Program Files (x86)\VMware\VMware Player\vnetlib64.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 | C:\Windows\system32\DrvInst.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID | C:\Program Files (x86)\VMware\VMware Player\vnetlib64.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\LowerFilters | C:\Windows\system32\DrvInst.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs | C:\Program Files (x86)\VMware\VMware Player\vnetlib64.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 | C:\Program Files (x86)\VMware\VMware Player\vnetlib64.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009 | C:\Windows\system32\svchost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID | C:\Windows\system32\DrvInst.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | C:\Program Files (x86)\VMware\VMware Player\vnetlib64.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags | C:\Program Files (x86)\VMware\VMware Player\vnetlib64.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 | C:\Windows\system32\DrvInst.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\LowerFilters | C:\Windows\system32\DrvInst.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 | C:\Windows\system32\DrvInst.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 | C:\Windows\System32\MsiExec.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Phantom | C:\Windows\system32\DrvInst.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags | C:\Windows\system32\svchost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs | C:\Windows\system32\DrvInst.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom | C:\Windows\system32\DrvInst.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | C:\Windows\system32\taskmgr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001 | C:\Program Files (x86)\VMware\VMware Player\vnetlib64.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID | C:\Program Files (x86)\VMware\VMware Player\vnetlib64.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\UpperFilters | C:\Windows\system32\DrvInst.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002 | C:\Program Files (x86)\VMware\VMware Player\vnetlib64.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001 | C:\Windows\system32\DrvInst.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 | C:\Windows\system32\DrvInst.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID | C:\Windows\system32\DrvInst.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 | C:\Windows\system32\DrvInst.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID | C:\Windows\system32\DrvInst.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom | C:\Program Files (x86)\VMware\VMware Player\vnetlib64.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs | C:\Program Files (x86)\VMware\VMware Player\vnetlib64.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001 | C:\Windows\System32\MsiExec.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters | C:\Windows\system32\vssvc.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = [binary data omitted from report] | C:\Windows\system32\vssvc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\system32\taskmgr.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID | C:\Program Files (x86)\VMware\VMware Player\vnetlib64.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001 | C:\Program Files (x86)\VMware\VMware Player\vnetlib64.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID | C:\Windows\system32\DrvInst.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs | C:\Windows\system32\DrvInst.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Phantom | C:\Windows\system32\DrvInst.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs | C:\Program Files (x86)\VMware\VMware Player\vnetlib64.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom | C:\Program Files (x86)\VMware\VMware Player\vnetlib64.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | C:\Windows\system32\DrvInst.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\UpperFilters | C:\Windows\system32\DrvInst.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files (x86)\VMware\VMware Player\vmplayer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 | C:\Program Files (x86)\VMware\VMware Player\vmplayer.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString | C:\Program Files (x86)\VMware\VMware Player\vmplayer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\6 | C:\Program Files (x86)\VMware\VMware Player\vmplayer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files (x86)\VMware\VMware Player\vmplayer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\2 | C:\Program Files (x86)\VMware\VMware Player\vmplayer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\3 | C:\Program Files (x86)\VMware\VMware Player\vmplayer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\4 | C:\Program Files (x86)\VMware\VMware Player\vmplayer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\5 | C:\Program Files (x86)\VMware\VMware Player\vmplayer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\7 | C:\Program Files (x86)\VMware\VMware Player\vmplayer.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter | C:\Program Files (x86)\VMware\VMware Player\vmplayer.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter | C:\Program Files (x86)\VMware\VMware Player\vmplayer.exe | N/A |
| Key queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter | C:\Program Files (x86)\VMware\VMware Player\vmplayer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\SerialController | C:\Program Files (x86)\VMware\VMware Player\vmplayer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1\SerialController | C:\Program Files (x86)\VMware\VMware Player\vmplayer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2\SerialController | C:\Program Files (x86)\VMware\VMware Player\vmplayer.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{BC1F4B6F-13AB-4239-8C79-D6DCADC52BAA} | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{BC1F4B6F-13AB-4239-8C79-D6DCADC52BAA}\Compatibility Flags = "1024" | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{DFC76A6B-4873-458C-AB00-40B1FC028001} | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{DFC76A6B-4873-458C-AB00-40B1FC028001}\Compatibility Flags = "1024" | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{420F0000-71EB-4757-B979-418F039FC1F9} | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{420F0000-71EB-4757-B979-418F039FC1F9}\Compatibility Flags = "1024" | C:\Windows\system32\msiexec.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | C:\Windows\System32\MsiExec.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | C:\Program Files (x86)\VMware\VMware Player\vnetlib64.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | C:\Program Files (x86)\VMware\VMware Player\vnetlib64.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | C:\Windows\System32\MsiExec.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs | C:\Program Files (x86)\Common Files\VMware\USB\vnetlib64.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates | C:\Program Files (x86)\VMware\VMware Player\vnetlib64.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\System32\MsiExec.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\System32\MsiExec.exe | N/A |
| Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\2F | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\30 | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Program Files (x86)\Common Files\VMware\USB\vnetlib64.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Program Files (x86)\Common Files\VMware\USB\vnetlib64.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\System32\MsiExec.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\System32\MsiExec.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Program Files (x86)\Common Files\VMware\USB\vnetlib64.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Program Files (x86)\VMware\VMware Player\vnetlib64.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | C:\Windows\System32\MsiExec.exe | N/A |
| Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\2D | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | C:\Program Files (x86)\Common Files\VMware\USB\vnetlib64.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | C:\Program Files (x86)\Common Files\VMware\USB\vnetlib64.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | C:\Program Files (x86)\VMware\VMware Player\vnetlib64.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs | C:\Program Files (x86)\Common Files\VMware\USB\vnetlib64.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Program Files (x86)\VMware\VMware Player\vnetlib64.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{35FCE01E-8917-496E-A509-497C5F2FA365} | C:\Windows\syswow64\MsiExec.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeMinimumVSU_amd64,v14 | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\VMware.SuspendState\DefaultIcon\ = "C:\\Program Files (x86)\\VMware\\VMware Player\\ico\\suspend.ico,0" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{420F0000-71EB-4757-B979-418F039FC1F9}\ProgID\ = "Elevated.ElevMgr.1" | C:\Windows\syswow64\MsiExec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{724E960E-F6FC-43F5-AF3F-98319A1306EF}\ProxyStubClsid32 | C:\Windows\syswow64\MsiExec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Elevated.VMXCreator\CLSID\ = "{DFC76A6B-4873-458C-AB00-40B1FC028001}" | C:\Windows\syswow64\MsiExec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D0F223F1-7DB1-44CA-BED8-3406303FE26F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Windows\syswow64\MsiExec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{CA7F48B7-D5BF-4F7D-8C12-8EEDF60AB7F4}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Windows\syswow64\MsiExec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{CA7F48B7-D5BF-4F7D-8C12-8EEDF60AB7F4} | C:\Windows\syswow64\MsiExec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C20C19CE-FBF7-42CD-973A-6ACB5BBEFB9C}\TypeLib | C:\Windows\syswow64\MsiExec.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\BAC95C2C6678DBA48AFE11153AC6145E\AuthorizedLUAApp = "0" | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F2E91D5D9817EF24183029DCF14A752C | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\vmware-rvm\shell\open\command | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.ovf | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeAdditionalVSU_amd64,v14\ = "{0025DD72-A959-45B5-A0A3-7EFEB15A8050}" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\27DD5200959A5B540A3AE7EF1BA50805\PackageCode = "1BE5B2DDE80EDC54D874D240756DB43A" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\27DD5200959A5B540A3AE7EF1BA50805\SourceList\PackageName = "vc_runtimeAdditional_x64.msi" | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F9A6DAE7-CF0E-4D39-A914-B054FC37C99F}\TypeLib | C:\Windows\syswow64\MsiExec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\BAC95C2C6678DBA48AFE11153AC6145E\SourceList\Media | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\VMware.OVAPackage\shell | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2E121724-EB62-476B-B55C-B14FCE7EACF5} | C:\Windows\syswow64\MsiExec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{68C57A6A-2F94-4D7A-A1F9-3433C46E6D0F}\1.0\0\win32 | C:\Windows\syswow64\MsiExec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E459BB84-7D3A-4FDD-B1E5-969E88F61DB6} | C:\Windows\syswow64\MsiExec.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeMinimumVSU_x86,v14 | C:\Windows\system32\msiexec.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\CLASSES\INSTALLER\DEPENDENCIES\VC,REDIST.X64,AMD64,14.30,BUNDLE\DEPENDENTS\{57A73DF6-4BA9-4C1D-BBBB-517289FF6C13} | C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\vmrc\DefaultIcon | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3d09c1ca-2bcc-40b7-b9bb-3f3ec143a87b}\InProcServer32 | C:\Program Files (x86)\VMware\VMware Player\vnetlib64.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F2E91D5D9817EF24183029DCF14A752C\Assignment = "1" | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\.vmss | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4548A7B2-5C17-400E-8D62-84DB4D79221F}\TypeLib | C:\Windows\syswow64\MsiExec.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeAdditionalVSU_amd64,v14 | C:\Windows\Temp\{E8D00CD8-A320-4CCB-94EE-495D94D999EF}\.be\VC_redist.x64.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BC1F4B6F-13AB-4239-8C79-D6DCADC52BAA}\Programmable | C:\Windows\syswow64\MsiExec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{724E960E-F6FC-43F5-AF3F-98319A1306EF}\ = "IHostDeviceInfos" | C:\Windows\syswow64\MsiExec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2E121723-EB62-476B-B55C-B14FCE7EACF5}\TypeLib\Version = "1.0" | C:\Windows\syswow64\MsiExec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E459BB84-7D3A-4FDD-B1E5-969E88F61DB6}\ = "ILicenseLib" | C:\Windows\syswow64\MsiExec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\BAC95C2C6678DBA48AFE11153AC6145E\SourceList\Net\1 = "C:\\ProgramData\\Package Cache\\{C2C59CAB-8766-4ABD-A8EF-1151A36C41E5}v14.36.32532\\packages\\vcRuntimeAdditional_x86\\" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2E121724-EB62-476B-B55C-B14FCE7EACF5}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Windows\syswow64\MsiExec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{35FCE01E-8917-496E-A509-497C5F2FA365}\ProxyStubClsid32 | C:\Windows\syswow64\MsiExec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{35FCE01E-8917-496E-A509-497C5F2FA365} | C:\Windows\syswow64\MsiExec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.vmsn\VMware.Snapshot | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{420F0000-71EB-4757-B979-418F039FC1F9}\Programmable | C:\Windows\syswow64\MsiExec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{44D04155-1876-4BC0-AA9D-A8616F36C601}\ = "IDiskLib" | C:\Windows\syswow64\MsiExec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{44D04155-1876-4BC0-AA9D-A8616F36C601} | C:\Windows\syswow64\MsiExec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\27DD5200959A5B540A3AE7EF1BA50805 | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\7978C74FD39220742A831FFE118F1A0B\Networking | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D0F223F1-7DB1-44CA-BED8-3406303FE26F}\TypeLib\Version = "1.0" | C:\Windows\syswow64\MsiExec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D0F223F1-7DB1-44CA-BED8-3406303FE26F}\ProxyStubClsid32 | C:\Windows\syswow64\MsiExec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7978C74FD39220742A831FFE118F1A0B\SourceList\Media\10 = ";" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{420F0000-71EB-4757-B979-418F039FC1F9}\ = "ElevMgr Class" | C:\Windows\syswow64\MsiExec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4548A7B2-5C17-400E-8D62-84DB4D79221F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Windows\syswow64\MsiExec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\60DB5E5629367203C8625813703DFCA1 | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F2E91D5D9817EF24183029DCF14A752C\AdvertiseFlags = "388" | C:\Windows\system32\msiexec.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8A567BD6FA501A947AD1F646E53EEC14 | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\VMware.OVAPackage\shell\Open\command\ = "\"C:\\Program Files (x86)\\VMware\\VMware Player\\vmplayer.exe\" \"%1\"" | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\.vmdk | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{724E960E-F6FC-43F5-AF3F-98319A1306EF}\ProxyStubClsid32 | C:\Windows\syswow64\MsiExec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F9A6DAE7-CF0E-4D39-A914-B054FC37C99F}\TypeLib\ = "{68C57A6A-2F94-4D7A-A1F9-3433C46E6D0F}" | C:\Windows\syswow64\MsiExec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2E121724-EB62-476B-B55C-B14FCE7EACF5}\TypeLib\Version = "1.0" | C:\Windows\syswow64\MsiExec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{44D04155-1876-4BC0-AA9D-A8616F36C601}\TypeLib | C:\Windows\syswow64\MsiExec.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8A567BD6FA501A947AD1F646E53EEC14\SourceList | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeAdditionalVSU_amd64,v14\Dependents\{8bdfe669-9705-4184-9368-db9ce581e0e7} | C:\Windows\Temp\{E8D00CD8-A320-4CCB-94EE-495D94D999EF}\.be\VC_redist.x64.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\7978C74FD39220742A831FFE118F1A0B\ParPort = "\x06" | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{68C57A6A-2F94-4D7A-A1F9-3433C46E6D0F}\1.0\FLAGS | C:\Windows\syswow64\MsiExec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Elevated.VMXCreator.1\ = "VMXCreator Class" | C:\Windows\syswow64\MsiExec.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\VMware\VMware Player\vmplayer.exe | N/A |
Suspicious behavior: LoadsDriver
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | C:\Windows\System32\MsiExec.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\VMware\VMware Player\vmplayer.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\VMware\VMware Player\vmplayer.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy service COM API
Processes
C:\Users\Admin\AppData\Local\Temp\VMware-player-17.5.2-23775571.exe
"C:\Users\Admin\AppData\Local\Temp\VMware-player-17.5.2-23775571.exe"
C:\Users\Admin\AppData\Local\Temp\{F47C8797-293D-4702-A238-F1EF11F8A1B0}~setup\vcredist_x86.exe
"C:\Users\Admin\AppData\Local\Temp\{F47C8797-293D-4702-A238-F1EF11F8A1B0}~setup\vcredist_x86.exe" /Q /norestart
C:\Windows\Temp\{52B97F84-1588-4D19-BE38-1998F9E2175C}\.cr\vcredist_x86.exe
"C:\Windows\Temp\{52B97F84-1588-4D19-BE38-1998F9E2175C}\.cr\vcredist_x86.exe" -burn.clean.room="C:\Users\Admin\AppData\Local\Temp\{F47C8797-293D-4702-A238-F1EF11F8A1B0}~setup\vcredist_x86.exe" -burn.filehandle.attached=540 -burn.filehandle.self=548 /Q /norestart
C:\Windows\Temp\{040980F8-08CD-4BA2-8388-C5A4988B2D55}\.be\VC_redist.x86.exe
"C:\Windows\Temp\{040980F8-08CD-4BA2-8388-C5A4988B2D55}\.be\VC_redist.x86.exe" -q -burn.elevated BurnPipe.{9A5C5173-A80D-4FFA-942A-4B8396384C00} {6C20D074-B59B-4663-B85B-CC347CC09B32} 2648
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
C:\Windows\system32\srtasks.exe
C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe
"C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe" -uninstall -quiet -burn.related.upgrade -burn.ancestors={410c0ee1-00bb-41b6-9772-e12c2828b02f} -burn.filehandle.self=1144 -burn.embedded BurnPipe.{1D2B9CD1-5948-4009-A0B0-CFDE18C5A0CC} {19BEC786-A9AE-4360-8942-ADCC37EF6C9C} 1420
C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe
"C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe" -burn.clean.room="C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe" -burn.filehandle.attached=516 -burn.filehandle.self=536 -uninstall -quiet -burn.related.upgrade -burn.ancestors={410c0ee1-00bb-41b6-9772-e12c2828b02f} -burn.filehandle.self=1144 -burn.embedded BurnPipe.{1D2B9CD1-5948-4009-A0B0-CFDE18C5A0CC} {19BEC786-A9AE-4360-8942-ADCC37EF6C9C} 1420
C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe
"C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe" -q -burn.elevated BurnPipe.{D4355F92-730D-4F16-A428-6844A762B34B} {FF6AC24F-56AD-4628-8E79-10159F2675F3} 1884
C:\Users\Admin\AppData\Local\Temp\{F47C8797-293D-4702-A238-F1EF11F8A1B0}~setup\vcredist_x64.exe
"C:\Users\Admin\AppData\Local\Temp\{F47C8797-293D-4702-A238-F1EF11F8A1B0}~setup\vcredist_x64.exe" /Q /norestart
C:\Windows\Temp\{A4D93C42-2F99-4C21-A0C5-89E2B351CAE3}\.cr\vcredist_x64.exe
"C:\Windows\Temp\{A4D93C42-2F99-4C21-A0C5-89E2B351CAE3}\.cr\vcredist_x64.exe" -burn.clean.room="C:\Users\Admin\AppData\Local\Temp\{F47C8797-293D-4702-A238-F1EF11F8A1B0}~setup\vcredist_x64.exe" -burn.filehandle.attached=544 -burn.filehandle.self=556 /Q /norestart
C:\Windows\Temp\{E8D00CD8-A320-4CCB-94EE-495D94D999EF}\.be\VC_redist.x64.exe
"C:\Windows\Temp\{E8D00CD8-A320-4CCB-94EE-495D94D999EF}\.be\VC_redist.x64.exe" -q -burn.elevated BurnPipe.{0CE161D1-B851-41E9-BBB1-A938848A9774} {03A0AF37-8F23-4574-A273-74A9AA806AFD} 1856
C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe
"C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe" -uninstall -quiet -burn.related.upgrade -burn.ancestors={8bdfe669-9705-4184-9368-db9ce581e0e7} -burn.filehandle.self=1128 -burn.embedded BurnPipe.{DE87A203-4DDA-4C6D-A93C-9E374FDE6681} {7F076D1C-CFB7-49C1-9040-82CC596AC296} 5028
C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe
"C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe" -burn.clean.room="C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe" -burn.filehandle.attached=516 -burn.filehandle.self=536 -uninstall -quiet -burn.related.upgrade -burn.ancestors={8bdfe669-9705-4184-9368-db9ce581e0e7} -burn.filehandle.self=1128 -burn.embedded BurnPipe.{DE87A203-4DDA-4C6D-A93C-9E374FDE6681} {7F076D1C-CFB7-49C1-9040-82CC596AC296} 5028
C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe
"C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe" -q -burn.elevated BurnPipe.{9B454164-A3E2-48F1-9BF2-52DFC0B34441} {4C66DC50-81B4-4996-BF3A-1DFB9D7FFBD6} 3292
C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 5E5643F0707694DDD35E1A8CD0EC198D C
C:\Windows\System32\MsiExec.exe
C:\Windows\System32\MsiExec.exe -Embedding 788F6EB4D6EA30599FE0B212D689D8FA C
C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 8605B1E84BF1FB5E7B0FF1031604CF18
C:\Windows\System32\MsiExec.exe
C:\Windows\System32\MsiExec.exe -Embedding B99A1964BBF8D7559CBA8DA3C6D82971
C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 8DC5AB95264739AFAEFE181381D0FE16 E Global\MSI0000
C:\Windows\System32\MsiExec.exe
C:\Windows\System32\MsiExec.exe -Embedding B7ECE69D9FF99AE2CBEB112607DDC7E8 E Global\MSI0000
C:\Program Files (x86)\Common Files\VMware\USB\DriverCache\vnetlib64.exe
"C:\Program Files (x86)\Common Files\VMware\USB\DriverCache\vnetlib64.exe" -- uninstall usb
C:\Program Files (x86)\Common Files\VMware\USB\DriverCache\vnetlib64.exe
"C:\Program Files (x86)\Common Files\VMware\USB\DriverCache\vnetlib64.exe" -- install vmusb Win8
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s DeviceInstall
C:\Windows\system32\DrvInst.exe
DrvInst.exe "4" "1" "C:\Program Files\Common Files\VMware\Drivers\vmusb\Win8\vmusb.inf" "9" "454492f13" "0000000000000148" "WinSta0\Default" "0000000000000158" "208" "C:\Program Files\Common Files\VMware\Drivers\vmusb\Win8"
C:\Program Files (x86)\Common Files\VMware\USB\vnetlib64.exe
"C:\Program Files (x86)\Common Files\VMware\USB\vnetlib64.exe" -- install hcmoninf 5;Win7
C:\Program Files (x86)\VMware\VMware Player\vnetlib64.exe
"C:\Program Files (x86)\VMware\VMware Player\vnetlib64.exe" -- remove adapter vmnet0
C:\Program Files (x86)\VMware\VMware Player\vnetlib64.exe
"C:\Program Files (x86)\VMware\VMware Player\vnetlib64.exe" -- remove adapter vmnet1
C:\Program Files (x86)\VMware\VMware Player\vnetlib64.exe
"C:\Program Files (x86)\VMware\VMware Player\vnetlib64.exe" -- remove adapter vmnet2
C:\Program Files (x86)\VMware\VMware Player\vnetlib64.exe
"C:\Program Files (x86)\VMware\VMware Player\vnetlib64.exe" -- remove adapter vmnet3
C:\Program Files (x86)\VMware\VMware Player\vnetlib64.exe
"C:\Program Files (x86)\VMware\VMware Player\vnetlib64.exe" -- remove adapter vmnet4
C:\Program Files (x86)\VMware\VMware Player\vnetlib64.exe
"C:\Program Files (x86)\VMware\VMware Player\vnetlib64.exe" -- remove adapter vmnet5
C:\Program Files (x86)\VMware\VMware Player\vnetlib64.exe
"C:\Program Files (x86)\VMware\VMware Player\vnetlib64.exe" -- remove adapter vmnet6
C:\Program Files (x86)\VMware\VMware Player\vnetlib64.exe
"C:\Program Files (x86)\VMware\VMware Player\vnetlib64.exe" -- remove adapter vmnet7
C:\Program Files (x86)\VMware\VMware Player\vnetlib64.exe
"C:\Program Files (x86)\VMware\VMware Player\vnetlib64.exe" -- remove adapter vmnet8
C:\Program Files (x86)\VMware\VMware Player\vnetlib64.exe
"C:\Program Files (x86)\VMware\VMware Player\vnetlib64.exe" -- remove adapter vmnet9
C:\Program Files (x86)\VMware\VMware Player\vnetlib64.exe
"C:\Program Files (x86)\VMware\VMware Player\vnetlib64.exe" -- remove adapter vmnet10
C:\Program Files (x86)\VMware\VMware Player\vnetlib64.exe
"C:\Program Files (x86)\VMware\VMware Player\vnetlib64.exe" -- remove adapter vmnet11
C:\Program Files (x86)\VMware\VMware Player\vnetlib64.exe
"C:\Program Files (x86)\VMware\VMware Player\vnetlib64.exe" -- remove adapter vmnet12
C:\Program Files (x86)\VMware\VMware Player\vnetlib64.exe
"C:\Program Files (x86)\VMware\VMware Player\vnetlib64.exe" -- remove adapter vmnet13
C:\Program Files (x86)\VMware\VMware Player\vnetlib64.exe
"C:\Program Files (x86)\VMware\VMware Player\vnetlib64.exe" -- remove adapter vmnet14
C:\Program Files (x86)\VMware\VMware Player\vnetlib64.exe
"C:\Program Files (x86)\VMware\VMware Player\vnetlib64.exe" -- remove adapter vmnet15
C:\Program Files (x86)\VMware\VMware Player\vnetlib64.exe
"C:\Program Files (x86)\VMware\VMware Player\vnetlib64.exe" -- remove adapter vmnet16
C:\Program Files (x86)\VMware\VMware Player\vnetlib64.exe
"C:\Program Files (x86)\VMware\VMware Player\vnetlib64.exe" -- remove adapter vmnet17
C:\Program Files (x86)\VMware\VMware Player\vnetlib64.exe
"C:\Program Files (x86)\VMware\VMware Player\vnetlib64.exe" -- remove adapter vmnet18
C:\Program Files (x86)\VMware\VMware Player\vnetlib64.exe
"C:\Program Files (x86)\VMware\VMware Player\vnetlib64.exe" -- remove adapter vmnet19
C:\Program Files (x86)\VMware\VMware Player\vnetlib64.exe
"C:\Program Files (x86)\VMware\VMware Player\vnetlib64.exe" -- uninstall bridge
C:\Program Files (x86)\VMware\VMware Player\vnetlib64.exe
"C:\Program Files (x86)\VMware\VMware Player\vnetlib64.exe" -- uninstall userif 5;None
C:\Program Files (x86)\VMware\VMware Player\vnetlib64.exe
"C:\Program Files (x86)\VMware\VMware Player\vnetlib64.exe" -- install bridge
C:\Windows\system32\DrvInst.exe
DrvInst.exe "4" "1" "C:\Program Files (x86)\VMware\VMware Player\netbridge.inf" "9" "4f3176507" "0000000000000148" "WinSta0\Default" "0000000000000144" "208" "C:\Program Files (x86)\VMware\VMware Player"
C:\Program Files (x86)\VMware\VMware Player\vnetlib64.exe
"C:\Program Files (x86)\VMware\VMware Player\vnetlib64.exe" -- install userif 5;None
C:\Program Files (x86)\VMware\VMware Player\vnetlib64.exe
"C:\Program Files (x86)\VMware\VMware Player\vnetlib64.exe" -- add adapter vmnet1
C:\Windows\system32\DrvInst.exe
DrvInst.exe "4" "1" "C:\Program Files (x86)\VMware\VMware Player\netadapter.inf" "9" "4a5017fd3" "000000000000017C" "WinSta0\Default" "0000000000000180" "208" "C:\Program Files (x86)\VMware\VMware Player"
C:\Windows\system32\DrvInst.exe
DrvInst.exe "2" "211" "ROOT\VMWARE\0000" "C:\Windows\INF\oem5.inf" "oem5.inf:fc9f1aa2477c2bb3:VMnetAdapter1.Install:14.0.0.8:*vmnetadapter1," "4cbdd083b" "000000000000017C"
\??\c:\windows\system32\NetCfgNotifyObjectHost.exe
c:\windows\system32\NetCfgNotifyObjectHost.exe {DD85BC8D-7FB6-4F72-A691-5B1A121EC2A4} 536
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s Netman
\??\c:\windows\system32\NetCfgNotifyObjectHost.exe
c:\windows\system32\NetCfgNotifyObjectHost.exe {02162219-0FF9-421B-B6BD-AD499D9AF3DA} 504
C:\Program Files (x86)\VMware\VMware Player\vnetlib64.exe
"C:\Program Files (x86)\VMware\VMware Player\vnetlib64.exe" -- add adapter vmnet8
C:\Windows\system32\DrvInst.exe
DrvInst.exe "2" "211" "ROOT\VMWARE\0001" "C:\Windows\INF\oem5.inf" "oem5.inf:fc9f1aa2df34f6ba:VMnetAdapter8.Install:14.0.0.8:*vmnetadapter8," "47eb20b4f" "000000000000017C"
\??\c:\windows\system32\NetCfgNotifyObjectHost.exe
c:\windows\system32\NetCfgNotifyObjectHost.exe {EC402F51-EC3D-4F48-B7DA-9198B5861FCC} 464
\??\c:\windows\system32\NetCfgNotifyObjectHost.exe
c:\windows\system32\NetCfgNotifyObjectHost.exe {38E743A8-3B20-4C9A-B93A-2EE59FCAE462} 644
C:\Program Files (x86)\VMware\VMware Player\vnetlib64.exe
"C:\Program Files (x86)\VMware\VMware Player\vnetlib64.exe" -- install vmx86inf 5;Win8
C:\Windows\system32\DrvInst.exe
DrvInst.exe "4" "1" "C:\Program Files\Common Files\VMware\Drivers\vmci\device\Win8\vmci.inf" "9" "4d941d7e3" "000000000000017C" "WinSta0\Default" "0000000000000144" "208" "C:\Program Files\Common Files\VMware\Drivers\vmci\device\Win8"
C:\Windows\system32\DrvInst.exe
DrvInst.exe "2" "211" "ROOT\VMWVMCIHOSTDEV\0000" "C:\Windows\INF\oem6.inf" "oem6.inf:9c00c72d390d9e8f:vmci.install.x64:9.8.18.0:root\vmwvmcihostdev," "42936a687" "000000000000017C"
C:\Program Files (x86)\Common Files\VMware\USB\vmware-usbarbitrator64.exe
"C:\Program Files (x86)\Common Files\VMware\USB\vmware-usbarbitrator64.exe"
C:\Program Files (x86)\VMware\VMware Player\vmplayer.exe
"C:\Program Files (x86)\VMware\VMware Player\vmplayer.exe"
C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{13B6B196-AD7B-4C7F-9BDC-B1CB2EE86552}
Network
| Country | Destination | Domain | Proto |
| US | 52.111.229.48:443 | | tcp |
| N/A | 192.168.137.1:0 | | icmp |
| US | 8.8.8.8:53 | cxcs.microsoft.net | udp |
| N/A | 224.0.0.251:5353 | | udp |
| US | 8.8.8.8:53 | 9.6.5.3.8.a.f.b.7.2.7.7.1.f.c.8.0.0.0.0.0.0.0.0.0.0.0.0.0.8.e.f.ip6.arpa | udp |
| N/A | 192.168.159.1:0 | | icmp |
| US | 8.8.8.8:53 | f.6.c.2.7.9.f.5.1.e.a.0.2.e.d.4.0.0.0.0.0.0.0.0.0.0.0.0.0.8.e.f.ip6.arpa | udp |
| N/A | 255.255.255.255:67 | | udp |
| US | 8.8.8.8:53 | 105.53.254.169.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 255.255.254.169.in-addr.arpa | udp |
| N/A | 224.0.0.251:5353 | | udp |
| US | 8.8.8.8:53 | 111.44.254.169.in-addr.arpa | udp |
| N/A | 224.0.0.251:5353 | | udp |
| US | 8.8.8.8:53 | softwareupdate.vmware.com | udp |
| N/A | 127.0.0.1:64657 | | tcp |
| N/A | 127.0.0.1:64678 | | tcp |
| US | 8.8.8.8:53 | vcsa.vmware.com | udp |
Files
C:\Users\Admin\AppData\Local\Temp\{F47C8797-293D-4702-A238-F1EF11F8A1B0}~setup\vcredist_x86.exe
C:\Windows\Temp\{52B97F84-1588-4D19-BE38-1998F9E2175C}\.cr\vcredist_x86.exe
C:\Windows\Temp\{040980F8-08CD-4BA2-8388-C5A4988B2D55}\.ba\wixstdba.dll
C:\Windows\Temp\{040980F8-08CD-4BA2-8388-C5A4988B2D55}\.ba\logo.png
C:\Windows\Temp\{040980F8-08CD-4BA2-8388-C5A4988B2D55}\vcRuntimeMinimum_x86
C:\Windows\Temp\{040980F8-08CD-4BA2-8388-C5A4988B2D55}\cab54A5CABBE7274D8A22EB58060AAB7623
C:\Windows\Temp\{040980F8-08CD-4BA2-8388-C5A4988B2D55}\vcRuntimeAdditional_x86
C:\Windows\Temp\{040980F8-08CD-4BA2-8388-C5A4988B2D55}\cabB3E1576D1FEFBB979E13B1A5379E0B16
C:\Users\Admin\AppData\Local\Temp\dd_vcredist_x86_20240611164952_000_vcRuntimeMinimum_x86.log
C:\Config.Msi\e582626.rbs
C:\Config.Msi\e58262b.rbs
C:\Users\Admin\AppData\Local\Temp\dd_vcredist_x86_20240611164952_001_vcRuntimeAdditional_x86.log
C:\Config.Msi\e582638.rbs
C:\Config.Msi\e582647.rbs
memory/4012-203-0x0000000000070000-0x00000000000E7000-memory.dmp
memory/1884-240-0x0000000000070000-0x00000000000E7000-memory.dmp
memory/2152-241-0x0000000000070000-0x00000000000E7000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\{F47C8797-293D-4702-A238-F1EF11F8A1B0}~setup\vcredist_x64.exe
C:\Windows\Temp\{A4D93C42-2F99-4C21-A0C5-89E2B351CAE3}\.cr\vcredist_x64.exe
C:\Windows\Temp\{E8D00CD8-A320-4CCB-94EE-495D94D999EF}\.ba\license.rtf
C:\Windows\Temp\{E8D00CD8-A320-4CCB-94EE-495D94D999EF}\.ba\thm.wxl
C:\Windows\Temp\{E8D00CD8-A320-4CCB-94EE-495D94D999EF}\.ba\thm.xml
C:\ProgramData\Package Cache\{410c0ee1-00bb-41b6-9772-e12c2828b02f}\state.rsm
C:\Windows\Temp\{E8D00CD8-A320-4CCB-94EE-495D94D999EF}\vcRuntimeMinimum_x64
C:\Windows\Temp\{E8D00CD8-A320-4CCB-94EE-495D94D999EF}\cab5046A8AB272BF37297BB7928664C9503
C:\Windows\Temp\{E8D00CD8-A320-4CCB-94EE-495D94D999EF}\vcRuntimeAdditional_x64
C:\Windows\Temp\{E8D00CD8-A320-4CCB-94EE-495D94D999EF}\cab2C04DDC374BD96EB5C8EB8208F2C7C92
C:\Users\Admin\AppData\Local\Temp\dd_vcredist_amd64_20240611165009_000_vcRuntimeMinimum_x64.log
C:\Config.Msi\e58264e.rbs
C:\Config.Msi\e58265a.rbs
C:\Users\Admin\AppData\Local\Temp\dd_vcredist_amd64_20240611165009_001_vcRuntimeAdditional_x64.log
C:\Config.Msi\e582661.rbs
C:\Config.Msi\e582670.rbs
memory/4964-482-0x00000000006D0000-0x0000000000747000-memory.dmp
memory/3292-519-0x00000000006D0000-0x0000000000747000-memory.dmp
memory/1572-520-0x00000000006D0000-0x0000000000747000-memory.dmp
memory/2264-564-0x0000021394620000-0x0000021394621000-memory.dmp
memory/2264-563-0x0000021394620000-0x0000021394621000-memory.dmp
memory/2264-562-0x0000021394620000-0x0000021394621000-memory.dmp
memory/2264-574-0x0000021394620000-0x0000021394621000-memory.dmp
memory/2264-573-0x0000021394620000-0x0000021394621000-memory.dmp
memory/2264-572-0x0000021394620000-0x0000021394621000-memory.dmp
memory/2264-571-0x0000021394620000-0x0000021394621000-memory.dmp
memory/2264-570-0x0000021394620000-0x0000021394621000-memory.dmp
memory/2264-569-0x0000021394620000-0x0000021394621000-memory.dmp
memory/2264-568-0x0000021394620000-0x0000021394621000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\MSIA301.tmp
| MD5 | 9e57e7ac2f0df06640c04936b787fa98 |
| SHA1 | 9bb72b1fec9892a1e8027ad0f3009557a986d416 |
| SHA256 | 5da4d187effdb2b88ec677b4f7620fd3be9ca0959dd5c37a641d18f19f908d58 |
| SHA512 | e39314dc2c3c39c18e58874a321ad4980a012be11a80e44bd76a2f7c2017b1f03b4e5d893a842c1c64cae74ec18d459fdc983b457e67e550813b7cd544db4cf8 |
C:\Users\Admin\AppData\Local\Temp\vminst.log
| MD5 | 2474d3c409d60a137cd8b964d0bb70f9 |
| SHA1 | 45f08256e823e9bc9c3448406f40981bf0410875 |
| SHA256 | 45e672a7ea25003fbee702915f9000cee415e2f3a785c1678093d8c727e65ef4 |
| SHA512 | 5a59dbb3cf4974945db036192af8b0f42fbea1a139de5fb911329bd046b98ca4cc7753e15a89dc716d47923d2fc1b652b2ee806d0e3dbd4e3552ad355b110e88 |
C:\Users\Admin\AppData\Local\Temp\MSIBC09.tmp
| MD5 | fe69218ffef65a7c15aa4b59b295d6df |
| SHA1 | 6bb8d7fd4d9437e13635c7abd88d92d53797f7df |
| SHA256 | 8a421e5813d2afa810727cb54000e5bb5edac793310c4a90ab5146d56911b445 |
| SHA512 | da5747cc949aa4ce776af94d959452b8ea892b70624baa55de0d1410879dfc5153655cd6a82aaf7423f0ebd8ddcbabda58f480cdebeb1befc54db5d9110c95c1 |
C:\Users\Admin\AppData\Local\Temp\vminst.log
| MD5 | b4e6da491b947f031c674e43822f4d92 |
| SHA1 | 1c35e1ec9d688ff55b47aac4b3feee5a8df8e223 |
| SHA256 | daad78bbe41c37eadbc94f2ac132ed40e7515a529941e793906dfb1ec1078255 |
| SHA512 | ec91f539322fbc6b580639a7c37450b08bbc8dd82c1390e66ac088ba16e8b94d85dc285f149373a9e67697c6537c2bb239469519e435de6748f95777a41d0f22 |
C:\Users\Admin\AppData\Local\Temp\vminst.log
| MD5 | 1e0b07e33eda5ea58dcbb06ab4ecfc81 |
| SHA1 | 8ee27ce1dbd8fdf9482ceeb8dab505bc851d245c |
| SHA256 | 448d28e73e74c30773b0c60439c167a3f90fb3802c213a394afa4440a0bf5b87 |
| SHA512 | 672ffe70136f5713d26090b56649e8fb3f097bec5bc32dec352ad9f7ccfac4027ea5b3295ecf7c6a90311686a26ef59ad1b53f361a97e3607a9e1084a3a0e800 |
C:\Users\Admin\AppData\Local\Temp\vmmsi.log
| MD5 | 56cc696614b836c6e0e6453c74b727e4 |
| SHA1 | 0e3d9b2b2db607301dcbff0698566e853e05fe04 |
| SHA256 | 5e0bdc2cd9e070072db31cee92625c34f57866eb0db5ea27ecf02aedc8927531 |
| SHA512 | 7d4a9b1866617df153925c7c0c7c7aeefaf997244eb83b2241c16b06a2d9f5e0b2ad871c539814d4107728636c579ecaa39ef5d35a1e2784cbf4dbc8082f0d5a |
C:\Users\Admin\AppData\Local\Temp\vminst.log
| MD5 | 61fdb8f8121fd8b2eef446f1b76c9d3a |
| SHA1 | b38a0e43b5eeb849e1c765e27cc71396fe825249 |
| SHA256 | 8ff790aa95917c573f29b916abccd4a02473edd44dff6be38c87741f20cf381b |
| SHA512 | dccaf55a6c8f8e71450b94dab0b151da05cd7c65f3fa2a71f689d95574bb1dc57bcafc98b73c78568e43ff3a44a42dc6b82aba2e41648394bbd6d4bb80ae3b98 |
C:\Windows\Installer\MSI3683.tmp
| MD5 | 4aa882a8a87d248e6b2d4144f47bd568 |
| SHA1 | 6a949550f3c7fac710ea7d7801fd809f397c2d91 |
| SHA256 | 6081f9d9040dd70c74c1f5ae51db1320ba3b3e9e6a5cdfda22a6f5e72ef38d4a |
| SHA512 | 9a91daf5c128e09912ffb6e8673d0088825ba13b0151cf23b17d531b855fb1271637ddd3c92e63c704fc135ce3b703d05dd3d1cddfe452b8844af78cdd2ba6f1 |
C:\Windows\Installer\MSI36B3.tmp
| MD5 | 2ebde9d1a578ed1c78a79b2279be5f1b |
| SHA1 | f55b8c2511d82032e4e8d503b4874396b91fff07 |
| SHA256 | fe793fc1b303f85837fc6a990caed01289c02e24f3ca497566108198fe6af5de |
| SHA512 | f92709052fefc3fc89ba07562a093d7a22dbd62e0a38d3178a93275b9050984430bb4ef5908871d29f591bca75b2a19f9202794a07deecaa1a8df86d0ca94f20 |
C:\Users\Admin\AppData\Local\Temp\vminst.log
| MD5 | 6eeed8583a7f9be8ec543cc605f24c5a |
| SHA1 | 4bf15287ab054b8b91c77c456dbc7b31c7ec5a0c |
| SHA256 | 1dba73e6861659624e187bc64cd13192faf6990ed3b640c6b8bf34c4b112cd3c |
| SHA512 | 33d1f7400aa0f1807201783ca2969fe301a71d3361dbfded962a133abcfd5733eb7a494323dea4ae8098eb5274001d5cd0769a0d83f7b5b723b9f8682384b3b5 |
C:\Windows\Installer\MSI37AE.tmp
| MD5 | ba3165ec14e657e6235d6d789e9e25ca |
| SHA1 | f626fcc0e7e7f26a092da6a995f5936a45c4f71a |
| SHA256 | bf93de4755822425f3fd3928b52d2a6e6c91ab069213aaaa95695ed3e17e72e9 |
| SHA512 | 6d83dd60b1f8e8d93ddbda657b1c75f86c1f5f6eac899123f6ce498f5dd1a5abf05e29776144044c6a848e8fdd2b9a6a5367c4b249b879a310a260fb6b55b6da |
C:\Program Files (x86)\VMware\VMware Player\vmwarebase.dll
| MD5 | f4d324028e750df5cef16598c6bf0cdb |
| SHA1 | fa4e9004389bf2862d896529f766c75ec05f5e6d |
| SHA256 | 4bbd232ebbf2bdd929c667bce4476317fd6eaacf328dfb24a18e11994e1bc11d |
| SHA512 | 7256b842a4b45502e4288661d798f42319173e4e00bd233db044b92c5bf71b245a33442c920a91513d33d471232c2140b30874b72a32268a5e4e497dbe583965 |
C:\Program Files (x86)\VMware\VMware Player\OVFTool\env\ovftool-hw9-config-option.xml
| MD5 | cdae15f623a66d694d299f1390fff656 |
| SHA1 | fbfc1a118aec4ad7558b82fb5378fca06a12fa9f |
| SHA256 | 6a846f6e1e5112a3efd76dc23d97b9c36abb7bf62f9bc202c1f840a3f8dc182e |
| SHA512 | a79ca6d4399b2c65090f45d0de1016806396ad05184d02ed54a55e6f8af1a2833220c1efaaebaca4fb777d224e409f5291d340df783a3db0963f8b01c39f76e2 |
C:\Program Files (x86)\VMware\VMware Player\x64\icudt44l.dat
| MD5 | 58cccfc4824ce98be253981d1087740e |
| SHA1 | 69ff1822448fc25f56298890eeea62e974f44da9 |
| SHA256 | 7e1fc96fcc98cb8f0cb44cfa94b40549a40bd0f9968c3c1141631aa0af95a1fe |
| SHA512 | eff1ca414672758fa1bcfc3ff2d69bcf0bdbb4bb8e94442c1e9108d5b11203b355409de9af3f6ce943a693e7198329afebde2b0862959fd48ac674c341e49429 |
C:\Users\Public\Desktop\VMware Workstation 17 Player.lnk~RFe594c32.TMP
| MD5 | 444704c16f663f3d7f756622d706d91e |
| SHA1 | dd0f696474664b4b2f1b4c63cd0bfa6f65d7c8e2 |
| SHA256 | e3f739d4a3d4d993a6f0ffb3a4b5de53502311b053b3c65c8aa404170d0c975e |
| SHA512 | c389e4b57900110d7c2e3c4345a04245837564991b4bc9fec5419ade6ef3477a7f2670ff987b883af730781c8be9d47642ab49a8eea1d7a4e7458fee4b1c1a3e |
C:\Users\Public\Desktop\VMware Workstation 17 Player.lnk
| MD5 | 70baabbbda4e606d45fa3ccd651d3329 |
| SHA1 | a81f178ccfa337a445c04bb0cf431b485bce7313 |
| SHA256 | 1273e3eb81e8fb6176df29ffc7f4a027549420ec7692d99eab7f9d64eb100545 |
| SHA512 | 5967d7486df1b4aec16de03c23b9626f8cfb693c6d1a44bfdc6e7784955b09f48bd42cebb1778c81e03e5aa578bc158815205b102e6d0662315a5ce7fac17e9c |
C:\Program Files (x86)\VMware\VMware Player\vmplayer.exe
| MD5 | 1e8bcddbae1683d57ead466043a57d05 |
| SHA1 | 0a4d2041b83e6b14805e3843fa73f877bd4a2445 |
| SHA256 | bf480d9a362caf6a7de4e51bc441d2df30c9ffcfedd6ec1ee0a40344c20b591d |
| SHA512 | 0c8e9568910931515c8db5223ca24444f75da159136d09db0d52f800880293f60a40dc13bd36e029aad3ec0cbeec2214b8520d67b6a75852982d0e54be516f63 |
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\VMware\VMware Workstation 17 Player.lnk~RFe594c61.TMP
| MD5 | 1eb4cd7a814d12f703b48d767cb26f8b |
| SHA1 | 4e478ff84ed09d7561d828a5a24d218f79b1d3a1 |
| SHA256 | ae1fcf6cb540f0264b2896c87624478e4a66b1d074b1f4387a20498ab20be0a9 |
| SHA512 | ba4bf9bf6a0ea8d8add1b7c57a60f4fc18e6a8a91b5879ad2fcc03a5b26a4c88aa064a0cadb0b6c764aa67b83feb03e48b102292f6258d47068123a751271dac |
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\VMware\VMware Workstation 17 Player.lnk
| MD5 | 17989d533547186dd73e225a93b1c12c |
| SHA1 | a812d846a0380f5ccb76704844dcb21d6b5e6de8 |
| SHA256 | 76ab9f14a5cdaca62ea1aefb3c4ecc81266e2ec5e36a992d9801cd85ecf78460 |
| SHA512 | eb86f2735c2d1bc833214a084b825c24410de0c7a9029128adaabf48a890e3bab255f57ca8ea230883581939076b9fb699a24fd2fba80e97466b6bb5006db577 |
C:\Windows\System32\DriverStore\Temp\{193dbe67-77cd-154c-8238-c823f971a0c7}\vmusb.inf
| MD5 | 8d997d8d1105556cea9726b2aa38949e |
| SHA1 | 57f9c467fa48ad4585f58f40120778080d4003ef |
| SHA256 | 9cbf08670ee83cb7956473072d7d51a709da49522a1109ea582425d86d88d8f4 |
| SHA512 | d52e6ae4e66d33f3632e349fba6e13eda805764cc4d87920048af779148ac87a7918fcfa4f307a9fb19ae9b5c58b94247ac09433ba61afc0515a5bec3a5ae314 |
C:\Windows\System32\DriverStore\Temp\{193dbe67-77cd-154c-8238-c823f971a0c7}\vmusb.cat
| MD5 | c969983ba8f120def2953afe08b2f164 |
| SHA1 | 2aff93389846c5b107d67ec0886a342ea18eea76 |
| SHA256 | ea696506747d3ab4a9c8b8d486b4a886ba4cba7b65eceb1d89c6ce54be6c9c20 |
| SHA512 | 30f69f57ff3eb07cc0f787a22aa42245246d9b6e657b656c82335d6fa78b3f8534027c4ca28998d72872cbed099ed45b8ac59bd3c7e69ffcc133510a37632ad6 |
C:\Windows\System32\DriverStore\Temp\{193dbe67-77cd-154c-8238-c823f971a0c7}\vmusb.sys
| MD5 | 092cdfca61db22f6ec3ac01255bad56e |
| SHA1 | 565788f4cdaf423078006d4bf480eb4b022bfe72 |
| SHA256 | 965c2e680140329f56f253f9a5bce8745a9664fc56aedb58bdb57e126b0aa1c5 |
| SHA512 | 7d5e98e33a60d259f5bceb9431c1d9630bf43f479631b9ede5ba8f8d4e761f9c67971ed5347fb7d3c1234f15a75e252b4e93aa002a5d85fed751ca0b64a5e24c |
C:\Windows\System32\DRVSTORE\hcmon_AE2641AF84DF5670FA8422233CEAC89B307A0500\hcmon.sys
| MD5 | 0f300657289a1a2d168b8b80e900055a |
| SHA1 | c5f93e3ef6c8227009736ac8b5d314ff21f48c51 |
| SHA256 | 94938835f53b968665eda2a7a082788dac0a13ee486e3186387c0ff7ececfe8a |
| SHA512 | 035d0e1430ec7206cd7995f912f11310089367a452f10924f79dc2edbb958bf080e86c4501e3b7096ec07e7f4b503ec4751b475f60927a333edd9458b41f36d9 |
C:\Windows\INF\oem3.PNF
| MD5 | eee517ae504ba11b520cfa3ff71e6c74 |
| SHA1 | 80904fdaf3b2244a07173e3902b648b12dca0f43 |
| SHA256 | a895b3424c5b14cb33ec83b2b7620047f07e6030ed600c8e5084bc92ab8f7cad |
| SHA512 | c258a02495f3f1e8035e2e383f945a4796d76c1455afd1d7b7008341ee4d7e73a4a01319f5205882fdf37d2acb2fbd46061bd20379c70e4368b5e49534be2b40 |
C:\Windows\System32\DriverStore\Temp\{8a4c40ad-f23c-1c48-928f-830428895a13}\vmnetbridge.cat
| MD5 | 24236822ba4e710e9fbd3401c78131db |
| SHA1 | 83ffc5830cfcb98b6957f7802e4e7fd7816dc1ff |
| SHA256 | a58b885df4777c61b577af7569eaa5ac0202ea50f55fe141e9be0ffc77743a50 |
| SHA512 | 714f005f882ad0551fbcb74ca4fe4a0ab6f3bd998879dc51ab2911190919080a55727f4590ddb96f866a02f6ff9cfa0cab9a48a543edd35e684f28b3391171e9 |
C:\Windows\System32\DriverStore\Temp\{8a4c40ad-f23c-1c48-928f-830428895a13}\netbridge.inf
| MD5 | 76e07de9fe56a25f27a695691c9bdade |
| SHA1 | 53fef434d80383dfa266c632e6d374611c38319e |
| SHA256 | a3bbff5810e7d94a7490e06d5b420f734ec02f4fce66274930e024761e01049b |
| SHA512 | 813eb5cefc1075357dd70285e05e765ba911fbf65cf11975b1b241d2ae3bdb8520f07de9daaf29b28f979c97ef59bd079f63c297b8218072d0f405986fe4364e |
C:\Windows\System32\DriverStore\Temp\{8a4c40ad-f23c-1c48-928f-830428895a13}\vmnetbridge.dll
| MD5 | 70d6c2e1940824e5c9deac0a2467603d |
| SHA1 | 5dd4a84bfed0eb199a228abfd1804c142e3fcbfa |
| SHA256 | 0e8d73db78847ff2956c471c009088c1754640a06f877e9dea061bf9b6c287fd |
| SHA512 | 6bc3dba5d026896f64bc2131d37f155b3dab6a3c8bac758433b8776255aabb10e24b8553c05131ee13de31b323620b4d844c141e267eabfaa9c0d62084ca8417 |
C:\Windows\System32\DriverStore\Temp\{8a4c40ad-f23c-1c48-928f-830428895a13}\vmnet.sys
| MD5 | acc036a64af0be34d7925e24f5bbce36 |
| SHA1 | 8b9b372250219c3d08b153f630b36dfdd2823084 |
| SHA256 | 7e3af2553ce93dca2a7b2c42e1c839573ba37e393e9e7a5e200dcc2df4f7fda7 |
| SHA512 | e2190fd5e3644acd73ca86485e8d8bc1886a5ce767dfc452cc8178fb6f24ede82baecbc9e1693982307efa442ee39c19911dbe8dd19eb291595ec671979f63f6 |
C:\Windows\System32\DriverStore\Temp\{8a4c40ad-f23c-1c48-928f-830428895a13}\vmnetbridge.sys
| MD5 | 11e92a49a113d80fc43219ce21468bcd |
| SHA1 | 7401c5adec3f548195c1cf3fa85c266e476f1283 |
| SHA256 | 9237ac240f3bef26001bc33a670245d368b727fc43e031b6a48fbf698fdc1def |
| SHA512 | bd7dbe2b786a7b0de0377abfc3a7a97667750e842ab5d0e42ef898151cc8a81e615a70536753e243f5a61b727acf3a837536534e65c110a26799c9a2e3b7a7c4 |
C:\Windows\System32\DRVSTORE\netuserif_58711DA5F5777EBD18942543251CD2F96A4E1EE5\vmnetuserif.sys
| MD5 | 502d7759a8ea951315b74ee12a629f3d |
| SHA1 | 0f045b7a26a8ec4e5647be4c423c7cb4327fc213 |
| SHA256 | 26b2cd990adeb32ef7e4c00c0e447c64c9a7811de2f398d6a227ccf26e33da72 |
| SHA512 | 33b270a48413e0478432ea3d1e1fec8d71d876deef63f106905dc57bbabf6aeea74f01ef539a2c17d583e4e10d9262187a6bd9531220c8278ab4a44191aa9c52 |
C:\Windows\System32\DRVSTORE\netuserif_58711DA5F5777EBD18942543251CD2F96A4E1EE5\vnetinst.dll
| MD5 | f2338bf0d8f10fdc55b712e9c5240937 |
| SHA1 | f6e0b2151d08d2316b685aa1a8fda38af9c888fc |
| SHA256 | 11e605295b184468b69d444edf35707567615d16fe5b9ba924edcb76527f9002 |
| SHA512 | d15c92ef1e438fa4313332cc57d39a9ef19584cde8c02d328983215544d823ad838d68b975b825afaff2a6549eb06331d7fa0833fdbf2fcf43d5fedaeab2434b |
C:\Windows\System32\DriverStore\Temp\{bf937a44-1478-6e49-a4fc-0bbfb7f3e3b2}\netadapter.inf
| MD5 | 513ea5ad5d0192b4fab604bebaeba1ca |
| SHA1 | 37cadf97b3de820bb8a9cc82da50f969bd9ee742 |
| SHA256 | 8d3180911c7397eda186969813dd6aa6447b2e247d1dddf8cf15c82f8c187c7b |
| SHA512 | 8459e0f67773be7ec6d3ef08c3c9018e78719797292e92471b7b8ba210cb5fe3946e3f99d23930d5454a223907bddf40e3d7c8cad8aa6063c1c26ae7f1744b33 |
C:\Windows\System32\DriverStore\Temp\{bf937a44-1478-6e49-a4fc-0bbfb7f3e3b2}\vmnetadapter.cat
| MD5 | f705d1b2884dd89de05b5be1b5f091cc |
| SHA1 | 15fda464b0e6152f20be66478e5637bac6738a44 |
| SHA256 | 2fed201cfaabf39aa9d32531759ffb01b93e890ab28137983ac0a0f1b76cf4f6 |
| SHA512 | 740331cb30d323bcd5ae0789ffbb0620baa7a485241b6c2e4064265397f40e8510fc6de9758b5f5cfd41888b29ed95392b73b3b0812a1e207e46d72e6d521eb4 |
C:\Windows\System32\DriverStore\Temp\{bf937a44-1478-6e49-a4fc-0bbfb7f3e3b2}\vmnetadapter.sys
| MD5 | 83b9f3a1bd3afd531c19b5314525eaef |
| SHA1 | f857b40f1d837ee9bbd0e33cf4795d4e8f20b1b9 |
| SHA256 | a75125186847fb0e6d4cd755ccd68431df3a64c8786125b6110589054f9c2389 |
| SHA512 | b48f3b039d8d11e25b9978eb9b38b7282793a264878258ceac12a243cbd344dbfcb9d5e071a422209a83f5330b7388caa8344cb6c11598e1fce1bc43f649384e |
C:\Windows\System32\catroot2\dberr.txt
| MD5 | 2d3597c2ae694e0f8b44b2a23db9a094 |
| SHA1 | a43b8a2ee87cc7e045e9efae08d352c5abafff93 |
| SHA256 | 8fb8829cd5b6fb48b2311e41326fa2c9745bbb502c2006fa4b1694ea12ad4d6a |
| SHA512 | df3d70b0037cf0973a24322949bc116431f1db3a9f312dea632a96418c9fba412a94f88be4cf13336bae0299f6d64365bfab9b554d6d9333bfbb219036f05191 |
C:\Windows\Temp\vminst.log
| MD5 | 422e22f07522df4987026df70486b949 |
| SHA1 | 15b7bdebd354846be987c78c7128173e22a9a6aa |
| SHA256 | acd8758047ba9ff667fbdaf07c0dca1b729f38a46c0ee41f58239657f27c98be |
| SHA512 | ef50a945c50cd18322a1d8c5eda0361ecc14e84bc595b84ad1f1fef46f4b2201c6be7691246f8c7f2e7fd25c8eb518ea7786dc22c83c93021bb64361856022e7 |
C:\Windows\System32\DRVSTORE\vmx86_0EB6D425AF13AF7EF7CCBE7DA93B4388751906C3\vmx86.sys
| MD5 | 73ebcf23e0e1ee82dedc376c1d312803 |
| SHA1 | aa6ee9d5798254b715ba1ac254ee11cbd70df864 |
| SHA256 | e8de7c03018755a37a2993b2688c5258b46919b15c5e55a85590d8ae3abf1eb3 |
| SHA512 | 03863edc55d819378ed9aaab1771a7be6acc627b3512bf7555111135b486b5bdf709bee5e32f717112397e5db4579ff496fcbd6c92e96ed8d5c7321e1315f86a |
C:\Users\Admin\AppData\Local\Temp\FKL36E5.tmp.dir\DIFXAPI.dll
| MD5 | 116eaa5c9bb2cce346a42eafde2dc152 |
| SHA1 | 13c433306ebdafcd983410482fd42685bebadeb9 |
| SHA256 | 57afba202253a7736e7296ca9ad606b9640ad6f5e9c231ee291f511dd469c783 |
| SHA512 | 57d2ce75bd4a645eda5a9a77a6e92789cc527412722b2fcdcbb271c0d6eb8014b596d16e9ed0e72c9e1153e60549d13be2241fbd13223779dd9596e52ee8f944 |
C:\Windows\System32\DriverStore\Temp\{902b461e-d928-cc47-8447-304a4efcd1ff}\vmci.sys
| MD5 | 339e79b21cd73fe1174b56d6032e40d2 |
| SHA1 | d85e6a6a585fe4eba6f2601ae97a9db171f2b5b1 |
| SHA256 | 91e68a9891339a8db757c9eceb65371db83822fa56305d61330e50194dc97131 |
| SHA512 | 10d5783d92bcdcd536abbb3650321f150f4f8a0850e99a974dc3e445dd6421b41fd9ce0da951efcc553b5bb00719e11c4c22c01f2c0882e35380a15de0076484 |
C:\Windows\System32\DriverStore\Temp\{902b461e-d928-cc47-8447-304a4efcd1ff}\vmci.inf
| MD5 | fdb3c5882438a6e996d13a7ab48cf467 |
| SHA1 | 7257251e1b43912d15defbdf01056aef80d043a2 |
| SHA256 | 1e71d0b7aa6a8835986a2d603c7218e792886fec4ea889f13200cf0fdc78a73b |
| SHA512 | 551678e245c37c61433bb06f5bbc1075b76c1b86b06907b0a8d4c1e240b62d13922a0465919f361a6584388d80333201b5b6202b3fa1c6ff7771a58ba9ea8716 |
C:\Windows\System32\DriverStore\Temp\{902b461e-d928-cc47-8447-304a4efcd1ff}\vmci.cat
| MD5 | c888f61b9b09bda1f1fc1506123753d4 |
| SHA1 | bc2be72275b899d848737bfac8e0ba1ea72af63e |
| SHA256 | b69004749d69e2d826a4341d2ac409711fb984fe2ebb4afa2b3dbc03368493cd |
| SHA512 | 9a90df4b4e4eefb48e81853d02e3f2f9b6280636322436b717f0763bf7feca79660fc860f8142b915fc475a20de4d876c1a29687061468609e9cedcb725b88d4 |
C:\Windows\System32\DRVSTORE\vsock_91D4AA923191C17024EC2122FC89C72E5812E906\vsocklib_x86.dll
| MD5 | f7d359d175826bf28056ae1cbe1a02d9 |
| SHA1 | 19409b176561fa710d37e04c664c837f5bf80bff |
| SHA256 | af1df28834936aef92e142c14b1439ca64d070840b2c07b87351174ec0f71d8a |
| SHA512 | e2d78cb2d6f1b2f3c410ccd5272d0b3e34f3cdf25c41605b12e9a1f408308084c28c4b427c915ed87e28f21d662846529711fa07f4357a7f7f727b96a5d0e7f7 |
C:\Windows\System32\DRVSTORE\vsock_91D4AA923191C17024EC2122FC89C72E5812E906\vsocklib_x64.dll
| MD5 | abe700a6459d2d6fc9774e0277350ecf |
| SHA1 | cefe9bb79520b3cadf6d1bbf44fdd771487b3d7e |
| SHA256 | 952603279b8851c3739d562247f3f0a373b5fd0eb5a9c3baf1e6b1e608ebc6c8 |
| SHA512 | c6fa33ff10523d408be2e5653100fb3aabf1cecaa810916a0cbcd32c5bc2da76ebfb73256719843700ee4d05a7adf7b18c9130dab1127b7bd8b1d089b8219349 |
C:\Windows\System32\DRVSTORE\vsock_91D4AA923191C17024EC2122FC89C72E5812E906\vsock.sys
| MD5 | 64ba085bb02e9ecf3b21f0377199289f |
| SHA1 | bf00ebb018e9b0fe63ef3af971ab395fc0ecb7f1 |
| SHA256 | dfdb2166d3010a1e7ccfdc38f0b1524fdc4b79b17b06093b7f9820b637d28343 |
| SHA512 | b2d3e43f291cfc0215c1e1df1d61b94c7e7d7780bdfa8d627edcb58b1298fcc96beb8eaff7567629e2ae1c7ae1b0ef60af6abd6fd9ec0b380c5e20ebb0a8a8f1 |
C:\Config.Msi\e582673.rbs
| MD5 | e7c8f1ef18136ec5882d4d3d02e71a25 |
| SHA1 | a1036ad48c737e7ac462cf141b96cbae2dae5267 |
| SHA256 | 8a00e80341738624c5c8d6c9d4829d8ca07757a82f2d00e4844f07fe6858f105 |
| SHA512 | 9ccacfac1952f484026633f2aab0f7d3a8c9fbe7591cea60d958e94bb010a04fda3c20c409bee331814a5ff6df1bc3ff2d60f294b0bc25a1828dff61df9c4630 |
C:\Users\Admin\AppData\Local\Temp\vmmsi.log_20240611_165144.log
| MD5 | 7b041470f992818a9de7c7f244d1aaed |
| SHA1 | 6a5f2475556d5b5df3a28528787dbf7cb05132bd |
| SHA256 | 2c04dab2cd293ac318844ba198539e58f5bf84eb22dcb0c9a67f9087688a73f4 |
| SHA512 | 3a05a0da162a5e26e8c4486b2c9e9933512970d0d2defbece329a1bddf37e234154d9e77ba3272792d5211c3f390e3f9807bc52ac6ae2e1ca7e335d5a05d4e3a |
C:\Users\Admin\AppData\Roaming\VMware\preferences.ini
| MD5 | 0ef7698b8e892b0283e1f49e20913d2e |
| SHA1 | 6545e20fe34446d867173e5b17f24b7ad14aaec7 |
| SHA256 | 932b6fdc14bab4c1ae994e2a9d9bdbd9b80634f8319bd21d0ea2eaeb4a48f5e0 |
| SHA512 | 16b8370f032c629f1a862ab2757524a347ffe2f1197178afef25769cb1d9884760c23695c4eb9b813ff6ca1d71aae9503263ab741574510c67666414b13716ed |
C:\Users\Admin\AppData\Roaming\VMware\preferences.ini
| MD5 | 6c6decaa3c88ec9ad103bac9b8a689dd |
| SHA1 | 454635a54c324ecd914cd563c602cac7b87d5c67 |
| SHA256 | 8eabfea2dd1733a2e84e09f3f7478cdfb7b9c704d15795c9da69826765965689 |
| SHA512 | da78a399ee9646851c4f409b9effee2f360b2826d0624558267506da6cdab89bd866ebf1a53da21ac71b005385de8e7dd72b026a516e39dcab05adb5a516e145 |
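Two things in the listing above are easy to miss when reading it by hand. The same path recurs with different digests (C:\Users\Admin\AppData\Local\Temp\vminst.log is listed five times: the sandbox captured each rewrite of the installer log), and the kernel drivers (vmusb.sys, vmnet.sys, vmnetadapter.sys, vmci.sys, vmnetbridge.sys) are staged under DriverStore\Temp beside their .inf and .cat files, the layout of a catalog-signed driver package, while the DRVSTORE entries (hcmon.sys, vmx86.sys, vsock.sys, vmnetuserif.sys) are listed without a .cat or .inf. The next check a practitioner would run is a signature verification of those .sys and .cat files on the detonation host; the report itself only records hashes. The following parser is an added example, not part of the sandbox report or of any VMware tooling: it turns the flat "path line followed by hash rows" format into records, rejects digests of the wrong length, flags repeatedly written paths, groups driver-package files by staging directory, and lets you match a hash taken from a live host against the report. The sample input is a handful of entries copied verbatim from the listing above, abbreviated for length.

```python
"""Parse a sandbox report's dropped-file listing into per-artifact IOC records."""
import hashlib
import re
from collections import Counter, defaultdict
from pathlib import PureWindowsPath

# Expected hex-digest lengths; a row whose digest has another length is malformed.
DIGEST_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
HASH_ROW = re.compile(r"^\|\s*(MD5|SHA1|SHA256|SHA512)\s*\|\s*([0-9a-fA-F]+)\s*\|\s*$")

# Constructed sample: seven entries copied from the report above (SHA512 rows
# omitted except for the first one, to keep the sample short).
SAMPLE_REPORT = r"""
C:\Users\Admin\AppData\Local\Temp\vminst.log
| MD5 | 2474d3c409d60a137cd8b964d0bb70f9 |
| SHA1 | 45f08256e823e9bc9c3448406f40981bf0410875 |
| SHA256 | 45e672a7ea25003fbee702915f9000cee415e2f3a785c1678093d8c727e65ef4 |
| SHA512 | 5a59dbb3cf4974945db036192af8b0f42fbea1a139de5fb911329bd046b98ca4cc7753e15a89dc716d47923d2fc1b652b2ee806d0e3dbd4e3552ad355b110e88 |
C:\Users\Admin\AppData\Local\Temp\vminst.log
| MD5 | b4e6da491b947f031c674e43822f4d92 |
| SHA1 | 1c35e1ec9d688ff55b47aac4b3feee5a8df8e223 |
| SHA256 | daad78bbe41c37eadbc94f2ac132ed40e7515a529941e793906dfb1ec1078255 |
memory/2264-564-0x0000021394620000-0x0000021394621000-memory.dmp
C:\Windows\System32\DriverStore\Temp\{193dbe67-77cd-154c-8238-c823f971a0c7}\vmusb.inf
| MD5 | 8d997d8d1105556cea9726b2aa38949e |
| SHA1 | 57f9c467fa48ad4585f58f40120778080d4003ef |
| SHA256 | 9cbf08670ee83cb7956473072d7d51a709da49522a1109ea582425d86d88d8f4 |
C:\Windows\System32\DriverStore\Temp\{193dbe67-77cd-154c-8238-c823f971a0c7}\vmusb.cat
| MD5 | c969983ba8f120def2953afe08b2f164 |
| SHA1 | 2aff93389846c5b107d67ec0886a342ea18eea76 |
| SHA256 | ea696506747d3ab4a9c8b8d486b4a886ba4cba7b65eceb1d89c6ce54be6c9c20 |
C:\Windows\System32\DriverStore\Temp\{193dbe67-77cd-154c-8238-c823f971a0c7}\vmusb.sys
| MD5 | 092cdfca61db22f6ec3ac01255bad56e |
| SHA1 | 565788f4cdaf423078006d4bf480eb4b022bfe72 |
| SHA256 | 965c2e680140329f56f253f9a5bce8745a9664fc56aedb58bdb57e126b0aa1c5 |
C:\Windows\System32\DRVSTORE\hcmon_AE2641AF84DF5670FA8422233CEAC89B307A0500\hcmon.sys
| MD5 | 0f300657289a1a2d168b8b80e900055a |
| SHA1 | c5f93e3ef6c8227009736ac8b5d314ff21f48c51 |
| SHA256 | 94938835f53b968665eda2a7a082788dac0a13ee486e3186387c0ff7ececfe8a |
"""


def parse_report(text):
    """Return a list of {"path", "hashes"} records in report order.

    Any non-blank line that is not a hash row starts a new artifact; the hash
    rows that follow belong to it. Memory dumps (memory/...) carry no hashes.
    """
    records = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HASH_ROW.match(line)
        if m is None:
            records.append({"path": line, "hashes": {}})
            continue
        if not records:
            raise ValueError("hash row before any artifact path: %r" % line)
        algo, digest = m.group(1), m.group(2).lower()
        if len(digest) != DIGEST_LEN[algo]:
            raise ValueError("%s digest of wrong length on %s" % (algo, records[-1]["path"]))
        records[-1]["hashes"][algo] = digest
    return records


def rewritten_paths(records):
    """Paths listed more than once: the sandbox saw the file written repeatedly."""
    counts = Counter(r["path"] for r in records)
    return {p: n for p, n in counts.items() if n > 1}


def driver_packages(records):
    """Group .sys/.inf/.cat artifacts by staging directory.

    A catalog-signed driver package stages all three together; a .sys whose
    directory shows no .cat in the report is the one to signature-check first.
    """
    pkgs = defaultdict(set)
    for r in records:
        p = PureWindowsPath(r["path"])
        if p.suffix.lower() in {".sys", ".inf", ".cat"}:
            pkgs[str(p.parent)].add(p.suffix.lower())
    return dict(pkgs)


def find_matches(digest, records):
    """Report paths whose recorded digest (any algorithm) equals `digest`."""
    d = digest.lower()
    return [r["path"] for r in records if d in r["hashes"].values()]


def hash_file(local_path, algo="sha256"):
    """Digest of a file on a host, for comparison against the report via find_matches."""
    h = hashlib.new(algo)
    with open(local_path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


if __name__ == "__main__":
    recs = parse_report(SAMPLE_REPORT)
    print(len(recs), "artifacts parsed")
    print("written more than once:", rewritten_paths(recs))
    for staging_dir, exts in driver_packages(recs).items():
        print(staging_dir, sorted(exts))
```

Feed the full listing from this page to `parse_report` and `driver_packages` to get every staging directory; pass `hash_file(path)` for a file taken from an installed system to `find_matches` to see whether the report recorded that exact build. Hashes only establish identity with the detonated sample; whether the drivers carry a valid vendor signature is a separate check the report does not answer.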