CVE-2019-5516
An exploitable denial-of-service vulnerability exists in VMware Workstation 15. A specially crafted vertex shader can cause denial-of-service issues. An attacker can provide a specially crafted shader file to trigger this vulnerability. The vulnerability can be triggered from a VMware guest and affects the VMware host: it crashes the host's vmware-vmx.exe process.
VMware Workstation 15 (15.0.2 build-10952284) with Windows 10 x64 as the guest VM
6.5 - CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H
CWE-125: Out-of-bounds Read
This vulnerability is triggered by supplying a malformed vertex shader from inside a VMware guest operating system. An attacker can do this from guest user mode to cause a denial of service (through an out-of-bounds read) in the vmware-vmx.exe process on the host or, theoretically, through WebGL content served by a remote website to a browser running in the guest.
Example of a vertex shader (the original, unmodified shader as logged by the svga component of vmware-vmx.exe):
2018-12-31T22:34:07.137+01:00| svga| W115+ vs_4_0
2018-12-31T22:34:07.137+01:00| svga| W115+ DCL_CONSTANT_BUFFER CONSTANT_BUFFER[2][1].xyzw, IMMEDIATE_INDEXED
2018-12-31T22:34:07.137+01:00| svga| W115+ DCL_INPUT_SGV INPUT[0].x, VERTEX_ID
2018-12-31T22:34:07.137+01:00| svga| W115+ DCL_OUTPUT_SIV OUTPUT[0].xyzw, POSITION
2018-12-31T22:34:07.137+01:00| svga| W115+ DCL_OUTPUT OUTPUT[1].xy
2018-12-31T22:34:07.137+01:00| svga| W115+ DCL_OUTPUT OUTPUT[1].zw
2018-12-31T22:34:07.137+01:00| svga| W115+ DCL_TEMPS 1
2018-12-31T22:34:07.137+01:00| svga| W115+ AND TEMP[0].x, INPUT[0].x, 1
2018-12-31T22:34:07.137+01:00| svga| W115+ UTOF TEMP[0].x, TEMP[0].x
2018-12-31T22:34:07.137+01:00| svga| W115+ MAD OUTPUT[0].y, TEMP[0].x, 2, -1
2018-12-31T22:34:07.137+01:00| svga| W115+ ADD TEMP[0].y, -TEMP[0].x, 1
2018-12-31T22:34:07.137+01:00| svga| W115+ MOV OUTPUT[0].zw, {0, 0, 1056964608, 1065353216}
2018-12-31T22:34:07.137+01:00| svga| W115+ USHR TEMP[0].z, INPUT[0].x, 1
2018-12-31T22:34:07.137+01:00| svga| W115+ UTOF TEMP[0].x, TEMP[0].z
2018-12-31T22:34:07.137+01:00| svga| W115+ MAD OUTPUT[0].x, TEMP[0].x, 2, -1
2018-12-31T22:34:07.137+01:00| svga| W115+ ITOF TEMP[0].zw, CONSTANT_BUFFER[2][0].xxxy
2018-12-31T22:34:07.137+01:00| svga| W115+ MUL OUTPUT[1].zw, TEMP[0].xxxy, TEMP[0].zzzw
2018-12-31T22:34:07.137+01:00| svga| W115+ MOV OUTPUT[1].xy, TEMP[0].xyxx
2018-12-31T22:34:07.137+01:00| svga| W115+ RET
By changing the destination operand of the “MAD OUTPUT[0].y, TEMP[0].x, 2, -1” instruction to “OUTPUT[X]”, where X is an output register the shader never declared (for example X=11, while only OUTPUT[0] and OUTPUT[1] are declared above), it is possible to trigger a read access violation in the vmware-vmx.exe process, because an invalid pointer is dereferenced.
The vulnerable code is:
.text:000000000037BADF call sub_379490 ; call entry rdx = index (X)
.text:000000000037BAE4 mov r9d, [rsi] ; out rax (based on index)
.text:000000000037BAE7 lea r8, [r14+4A5F4h]
.text:000000000037BAEE mov eax, eax
.text:000000000037BAF0 xor edx, edx
.text:000000000037BAF2 imul rcx, rax, 1240h ; calculating 1 (rcx = rax * 0x1240)
.text:000000000037BAF9 shr r9d, 5
.text:000000000037BAFD add r8, rcx ; final calculation
.text:000000000037BB00
.text:000000000037BB00 loc_37BB00: ; CODE XREF: sub_37B870+2A8↑j
.text:000000000037BB00 mov edi, [r8] ; r8 points to invalid memory
The address used for the read is computed by the code above (mainly by the instructions at 0x37BAF2 and 0x37BAFD). The critical value is RAX, the multiplicand of the IMUL, which is produced by the function sub_379490. In short, that function computes its result partly from the attacker-supplied index X, which it uses as an index into a memory array. For X=11 (an output register the shader never declared), sub_379490 returns 0xFFFFFFFF, i.e. -1 as a 32-bit value. The caller never checks for this: “mov eax, eax” zero-extends the value to 64 bits, so the IMUL yields rcx = 0xFFFFFFFF * 0x1240 = 0x123FFFFFEDC0 (the rcx value visible in both crash dumps below), and adding it to r14+0x4A5F4 leaves r8 pointing nearly 0x124000000000 bytes (about 18 TiB) past the table, in unmapped memory. The read at 0x37BB00 then faults and the vmware-vmx.exe process is terminated, which is the denial of service.
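The following C program is an added example, not VMware's code and not part of the original advisory. It models the index arithmetic from the disassembly above (the constants 0x1240 and 0x4A5F4 and the register values are taken from this page; the names slot_lookup, SLOT_STRIDE, TABLE_OFFSET and DECLARED_OUTPUTS are this example's own, and slot_lookup is a hypothetical stand-in for sub_379490 that returns -1 for an undeclared output register). It shows the vulnerable pattern (a 32-bit -1 zero-extended and used as an index), the check that would reject it, and a small parser that pulls r14 and badAddr out of a vmware-vmx crash report so you can confirm that the unchecked -1 index explains the faulting address in a real log.

```c
/*
 * Added example (not VMware code): models the unchecked index arithmetic
 * behind the CVE-2019-5516 crash and the check that would prevent it.
 *
 * From the disassembly on this page:
 *   call sub_379490        ; eax = slot index derived from the shader's OUTPUT[X]
 *   mov  eax, eax          ; zero-extend to 64 bits
 *   imul rcx, rax, 1240h   ; rcx = eax * 0x1240 (per-slot stride)
 *   lea  r8, [r14+4A5F4h]
 *   add  r8, rcx           ; r8 = r14 + 0x4A5F4 + eax*0x1240
 *   mov  edi, [r8]         ; the faulting read
 */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SLOT_STRIDE      0x1240u     /* imul rcx, rax, 1240h */
#define TABLE_OFFSET     0x4A5F4u    /* lea r8, [r14+4A5F4h] */
#define LOOKUP_FAILED    0xFFFFFFFFu /* what sub_379490 returned for OUTPUT[11] */
#define DECLARED_OUTPUTS 2           /* OUTPUT[0] and OUTPUT[1] in the shader above */

/* Two lines copied from the crash report on this page (constructed sample input). */
static const char SAMPLE_LOG[] =
    "2019-01-02T11:51:26.182+01:00| svga| W115: rwFlags 0 badAddr 0x12400eb4fcc4\n"
    "2019-01-02T11:51:26.182+01:00| svga| W115: r14 0xeb06910 r15 0x2\n";

/* Hypothetical stand-in for sub_379490: maps a shader output register to a
   slot index, or LOOKUP_FAILED (-1 as uint32_t) if it was never declared. */
static uint32_t slot_lookup(uint32_t output_reg)
{
    return output_reg < DECLARED_OUTPUTS ? output_reg : LOOKUP_FAILED;
}

/* Vulnerable pattern: the 32-bit result is zero-extended (mov eax, eax) and
   used as an index with no check, exactly as the disassembly does. With -1 the
   offset is not "one slot back" but 0xFFFFFFFF * 0x1240, far outside any mapping. */
static uint64_t vulnerable_slot_addr(uint64_t r14, uint32_t output_reg)
{
    uint64_t rax = slot_lookup(output_reg);   /* zero-extended, never checked */
    uint64_t rcx = rax * SLOT_STRIDE;         /* imul rcx, rax, 1240h */
    return r14 + TABLE_OFFSET + rcx;          /* lea / add -> r8 */
}

/* Hardened version: reject the sentinel and anything past the declared
   outputs before it becomes a pointer. Returns 0 when the index is rejected. */
static uint64_t safe_slot_addr(uint64_t r14, uint32_t output_reg)
{
    uint32_t idx = slot_lookup(output_reg);
    if (idx == LOOKUP_FAILED || idx >= DECLARED_OUTPUTS)
        return 0;
    return r14 + TABLE_OFFSET + (uint64_t)idx * SLOT_STRIDE;
}

/* Pull "r14 0x..." and "badAddr 0x..." out of a vmware-vmx crash report.
   Returns false if either field is missing. */
static bool parse_crash_report(const char *log, uint64_t *r14, uint64_t *bad_addr)
{
    const char *p;
    unsigned long long v;
    bool have_r14 = false, have_bad = false;

    if ((p = strstr(log, "badAddr 0x")) != NULL && sscanf(p, "badAddr 0x%llx", &v) == 1) {
        *bad_addr = v;
        have_bad = true;
    }
    if ((p = strstr(log, "r14 0x")) != NULL && sscanf(p, "r14 0x%llx", &v) == 1) {
        *r14 = v;
        have_r14 = true;
    }
    return have_r14 && have_bad;
}

/* Does the unchecked-index model with OUTPUT[11] (index -1) reproduce the
   faulting address recorded in the log? */
static bool crash_matches_model(const char *log)
{
    uint64_t r14 = 0, bad = 0;
    if (!parse_crash_report(log, &r14, &bad))
        return false;
    return vulnerable_slot_addr(r14, 11) == bad;
}

int main(void)
{
    uint64_t r14 = 0, bad = 0;
    if (parse_crash_report(SAMPLE_LOG, &r14, &bad))
        printf("log: r14=0x%llx badAddr=0x%llx model=0x%llx match=%d\n",
               (unsigned long long)r14, (unsigned long long)bad,
               (unsigned long long)vulnerable_slot_addr(r14, 11),
               crash_matches_model(SAMPLE_LOG));
    printf("hardened lookup for OUTPUT[11]: 0x%llx (0 = rejected)\n",
           (unsigned long long)safe_slot_addr(r14, 11));
    return 0;
}
```

Run against the r14 values from the two dumps on this page (0xebf6910 from WinDbg, 0xeb06910 from the log), the model yields 0x12400ec3fcc4 and 0x12400eb4fcc4, the r8/badAddr values each dump records, so the crash address is fully explained by the -1 index alone. The hardened path would have caught it at the sentinel check before any dereference; the practical takeaway is that a "not found" return of -1 from a lookup must never flow into zero-extending pointer arithmetic unchecked.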
vmware-vmx.exe crash dump fragment (release build, so WinDbg has no symbols for it):
0:012> .ecxr
rax=00000000ffffffff rbx=000000000ebf5a40 rcx=0000123fffffedc0
rdx=0000000000000000 rsi=000000000ebf67f4 rdi=000000000ebf6910
rip=00007ff7eb96ba60 rsp=000000000ebf5720 rbp=000000000ebf5820
r8=000012400ec3fcc4 r9=0000000000000182 r10=0000000000000006
r11=000000000ebf5804 r12=000000000ebf67e8 r13=00000000130e6a00
r14=000000000ebf6910 r15=0000000000000002
iopl=0 nv up ei pl nz na pe nc
cs=0033 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010202
Unable to load image C:\Program Files (x86)\VMware\VMware Workstation\x64\vmware-vmx.exe, Win32 error 0n2
*** WARNING: Unable to verify timestamp for vmware-vmx.exe
*** ERROR: Module load completed but symbols could not be loaded for vmware-vmx.exe
vmware_vmx+0x36ba60:
00007ff7`eb96ba60 418b38 mov edi,dword ptr [r8] ds:00001240`0ec3fcc4=????????
From the log written by vmware-vmx.exe itself at the time of the crash (this is not a WinDbg crash dump; the addresses differ from the dump above because this is a separate run, but the faulting instruction is the same one, module base 0x7ff7c1f20000 + 0x36ba60 = ExceptionAddress 0x7ff7c228ba60):
2019-01-02T11:51:26.182+01:00| svga| W115: ExceptionAddress 0x7ff7c228ba60 eflags 0x00010202
2019-01-02T11:51:26.182+01:00| svga| W115: rwFlags 0 badAddr 0x12400eb4fcc4
2019-01-02T11:51:26.182+01:00| svga| W115: rax 0xffffffff rbx 0xeb05a40 rcx 0x123fffffedc0
2019-01-02T11:51:26.182+01:00| svga| W115: rdx 0xffffffff rsi 0xeb067f4 rdi 0xeb06910
2019-01-02T11:51:26.182+01:00| svga| W115: r8 0x12400eb4fcc4 r9 0x2c2 r10 0x6
2019-01-02T11:51:26.182+01:00| svga| W115: r11 0xeb05804 r12 0xeb067e8 r13 0x1228ca00
2019-01-02T11:51:26.182+01:00| svga| W115: r14 0xeb06910 r15 0x2
2019-01-02T11:51:26.182+01:00| svga| W115: rip 0x7ff7c228ba60 rsp 0xeb05720 rbp 0xeb05820
2019-01-02T11:51:26.182+01:00| svga| W115: LastBranchToRip 0 LastBranchFromRip 0
2019-01-02T11:51:26.182+01:00| svga| W115: LastExceptionToRip 0 LastExceptionFromRip 0
2019-01-02T11:51:26.182+01:00| svga| W115: The following data was delivered with the exception:
2019-01-02T11:51:26.182+01:00| svga| W115: -- 0
2019-01-02T11:51:26.182+01:00| svga| W115: -- 0x12400eb4fcc4
2019-01-02T11:51:26.183+01:00| svga| I125: CoreDump: Minidump file J:\vm\Nowy folder\vmware-vmx.dmp exists. Rotating ...
2019-01-02T11:51:26.184+01:00| svga| W115: CoreDump: Writing minidump to J:\vm\Nowy folder\vmware-vmx.dmp
2019-01-02T11:51:26.535+01:00| svga| I125: CoreDump: including module base 0x0x7ff7c1f20000 size 0x0x0124d000
2019-01-02T11:51:26.535+01:00| svga| I125: checksum 0x00f5b2da timestamp 0x5bf5251a
2019-01-02T11:51:26.535+01:00| svga| I125: image file C:\Program Files (x86)\VMware\VMware Workstation\x64\vmware-vmx.exe
2019-01-02T11:51:26.535+01:00| svga| I125: file version 15.0.2.40550
2019-01-02T11:51:26.535+01:00| svga| I125: CoreDump: including module base 0x0x7ff90a130000 size 0x0x001ed000
2019-01-02T11:51:26.535+01:00| svga| I125: checksum 0x001f20d1 timestamp 0xe8b54827
2019-01-02T11:51:26.535+01:00| svga| I125: image file C:\Windows\System32\ntdll.dll
2019-01-02T11:51:26.535+01:00| svga| I125: file version 10.0.17763.194
2019-01-02T11:51:26.535+01:00| svga| I125: CoreDump: including module base 0x0x7ff907f20000 size 0x0x000b3000
2019-01-02T11:51:26.535+01:00| svga| I125: checksum 0x000b9393 timestamp 0x65614da1
2019-01-02T11:51:26.535+01:00| svga| I125: image file C:\Windows\System32\kernel32.dll
2019-01-02T11:51:26.535+01:00| svga| I125: file version 10.0.17763.1
2019-01-02T11:51:26.535+01:00| svga| I125: CoreDump: including module base 0x0x7ff906250000 size 0x0x00293000
2019-01-02T11:51:26.535+01:00| svga| I125: checksum 0x002a2815 timestamp 0x1659a33b
2019-01-02T11:51:26.535+01:00| svga| I125: image file C:\Windows\System32\KERNELBASE.dll
2019-01-02T11:51:26.535+01:00| svga| I125: file version 10.0.17763.134
2019-01-02T11:51:26.535+01:00| svga| I125: CoreDump: including module base 0x0x7ff906540000 size 0x0x000fc000
2019-01-02T11:51:26.535+01:00| svga| I125: checksum 0x0010222e timestamp 0x309241e0
2019-01-02T11:51:26.535+01:00| svga| I125: image file C:\Windows\System32\ucrtbase.dll
2019-01-02T11:51:26.535+01:00| svga| I125: file version 10.0.17763.1
2019-01-02T11:51:26.535+01:00| svga| I125: CoreDump: including module base 0x0x7ff907d80000 size 0x0x00197000
2019-01-02T11:51:26.535+01:00| svga| I125: checksum 0x0019e334 timestamp 0x5960d576
2019-01-02T11:51:26.535+01:00| svga| I125: image file C:\Windows\System32\user32.dll
2019-01-02T11:51:26.535+01:00| svga| I125: file version 10.0.17763.168
2019-01-02T11:51:26.535+01:00| svga| I125: CoreDump: including module base 0x0x7ff907340000 size 0x0x00020000
2019-01-02T11:51:26.535+01:00| svga| I125: checksum 0x000230fc timestamp 0xff141dbb
2019-01-02T11:51:26.535+01:00| svga| I125: image file C:\Windows\System32\win32u.dll
2019-01-02T11:51:26.535+01:00| svga| I125: file version 10.0.17763.1
2019-01-02T11:51:26.535+01:00| svga| I125: CoreDump: including module base 0x0x7ff909ca0000 size 0x0x00029000
2019-01-02T11:51:26.535+01:00| svga| I125: checksum 0x000274e8 timestamp 0xaa866dfc
2019-01-02T11:51:26.535+01:00| svga| I125: image file C:\Windows\System32\gdi32.dll
2019-01-02T11:51:26.535+01:00| svga| I125: file version 10.0.17763.1
2019-01-02T11:51:26.535+01:00| svga| I125: CoreDump: including module base 0x0x7ff8f6ad0000 size 0x0x00016000
2019-01-02T11:51:26.535+01:00| svga| I125: checksum 0x0001b2e2 timestamp 0x5b3efc77
2019-01-02T11:51:26.535+01:00| svga| I125: image file C:\Windows\System32\VCRUNTIME140.dll
2019-01-02T11:51:26.535+01:00| svga| I125: file version 14.15.26706.0
2019-01-02T11:51:26.535+01:00| svga| I125: CoreDump: including module base 0x0x7ff9071a0000 size 0x0x0019a000
2019-01-02T11:51:26.535+01:00| svga| I125: checksum 0x001a04b3 timestamp 0x3513b275
2019-01-02T11:51:26.535+01:00| svga| I125: image file C:\Windows\System32\gdi32full.dll
2019-01-02T11:51:26.535+01:00| svga| I125: file version 10.0.17763.194
2019-01-02T11:51:26.535+01:00| svga| I125: CoreDump: including module base 0x0x7ff906ea0000 size 0x0x000a0000
2019-01-02T11:51:26.535+01:00| svga| I125: checksum 0x000aa062 timestamp 0x64bc25b9
2019-01-02T11:51:26.535+01:00| svga| I125: image file C:\Windows\System32\msvcp_win.dll
2019-01-02T11:51:26.535+01:00| svga| I125: file version 10.0.17763.1
2019-01-02T11:51:26.535+01:00| svga| I125: CoreDump: including module base 0x0x7ff907b90000 size 0x0x00155000
2019-01-02T11:51:26.535+01:00| svga| I125: checksum 0x001617b3 timestamp 0x47d4d9b6
2019-01-02T11:51:26.535+01:00| svga| I125: image file C:\Windows\System32\ole32.dll
2019-01-02T11:51:26.535+01:00| svga| I125: file version 10.0.17763.134
2019-01-02T11:51:26.535+01:00| svga| I125: CoreDump: including module base 0x0x7ff909770000 size 0x0x0032d000
2019-01-02T11:51:26.535+01:00| svga| I125: checksum 0x00332a84 timestamp 0x5f712695
2019-01-02T11:51:26.535+01:00| svga| I125: image file C:\Windows\System32\combase.dll
2019-01-02T11:51:26.535+01:00| svga| I125: file version 10.0.17763.134
2019-01-02T11:51:26.535+01:00| svga| I125: CoreDump: including module base 0x0x7ff908090000 size 0x0x00122000
2019-01-02T11:51:26.535+01:00| svga| I125: checksum 0x0012b25f timestamp 0x38cc3507
2019-01-02T11:51:26.535+01:00| svga| I125: image file C:\Windows\System32\rpcrt4.dll
2019-01-02T11:51:26.535+01:00| svga| I125: file version 10.0.17763.194
2019-01-02T11:51:26.535+01:00| svga| I125: CoreDump: including module base 0x0x7ff907120000 size 0x0x0007e000
2019-01-02T11:51:26.535+01:00| svga| I125: checksum 0x000897e0 timestamp 0xe29631ca
2019-01-02T11:51:26.535+01:00| svga| I125: image file C:\Windows\System32\bcryptPrimitives.dll
2019-01-02T11:51:26.535+01:00| svga| I125: file version 10.0.17763.1
2019-01-02T11:51:26.535+01:00| svga| I125: CoreDump: including module base 0x0x7ff9096b0000 size 0x0x000a3000
2019-01-02T11:51:26.535+01:00| svga| I125: checksum 0x000a4051 timestamp 0xb12069f9
2019-01-02T11:51:26.535+01:00| svga| I125: image file C:\Windows\System32\advapi32.dll
2019-01-02T11:51:26.535+01:00| svga| I125: file version 10.0.17763.1
2019-01-02T11:51:26.535+01:00| svga| I125: CoreDump: including module base 0x0x7ff907920000 size 0x0x0009e000
2019-01-02T11:51:26.535+01:00| svga| I125: checksum 0x000a6576 timestamp 0x05c26c69
2019-01-02T11:51:26.535+01:00| svga| I125: image file C:\Windows\System32\msvcrt.dll
2019-01-02T11:51:26.535+01:00| svga| I125: file version 7.0.17763.1
2019-01-02T11:51:26.535+01:00| svga| I125: CoreDump: including module base 0x0x7ff909f90000 size 0x0x0009e000
2019-01-02T11:51:26.535+01:00| svga| I125: checksum 0x000a9176 timestamp 0x7d59184a
2019-01-02T11:51:26.535+01:00| svga| I125: image file C:\Windows\System32\sechost.dll
2019-01-02T11:51:26.535+01:00| svga| I125: file version 10.0.17763.1
2019-01-02T11:51:26.535+01:00| svga| I125: CoreDump: including module base 0x0x7ff9081c0000 size 0x0x014ef000
2019-01-02T11:51:26.535+01:00| svga| I125: checksum 0x0151e360 timestamp 0xcaf2f2df
2019-01-02T11:51:26.535+01:00| svga| I125: image file C:\Windows\System32\shell32.dll
2019-01-02T11:51:26.535+01:00| svga| I125: file version 10.0.17763.168
2019-01-02T11:51:26.535+01:00| svga| I125: CoreDump: including module base 0x0x7ff906200000 size 0x0x0004a000
2019-01-02T11:51:26.535+01:00| svga| I125: checksum 0x0004f3eb timestamp 0xca7e64ca
2019-01-02T11:51:26.535+01:00| svga| I125: image file C:\Windows\System32\cfgmgr32.dll
2019-01-02T11:51:26.535+01:00| svga| I125: file version 10.0.17763.1
2019-01-02T11:51:26.535+01:00| svga| I125: CoreDump: including module base 0x0x7ff907390000 size 0x0x000a8000
2019-01-02T11:51:26.535+01:00| svga| I125: checksum 0x000a6bc1 timestamp 0x9a0e77eb
2019-01-02T11:51:26.535+01:00| svga| I125: image file C:\Windows\System32\SHCore.dll
2019-01-02T11:51:26.535+01:00| svga| I125: file version 10.0.17763.1
2019-01-02T11:51:26.535+01:00| svga| I125: CoreDump: including module base 0x0x7ff9066f0000 size 0x0x0074a000
2019-01-02T11:51:26.535+01:00| svga| I125: checksum 0x0075dd54 timestamp 0x275f01a7
2019-01-02T11:51:26.535+01:00| svga| I125: image file C:\Windows\System32\windows.storage.dll
2019-01-02T11:51:26.535+01:00| svga| I125: file version 10.0.17763.168
2019-01-02T11:51:26.535+01:00| svga| I125: CoreDump: including module base 0x0x7ff9061d0000 size 0x0x00024000
2019-01-02T11:51:26.535+01:00| svga| I125: checksum 0x0002ec08 timestamp 0x36191177
2019-01-02T11:51:26.535+01:00| svga| I125: image file C:\Windows\System32\profapi.dll
2019-01-02T11:51:26.535+01:00| svga| I125: file version 10.0.17763.1
2019-01-02T11:51:26.535+01:00| svga| I125: CoreDump: including module base 0x0x7ff906150000 size 0x0x0005d000
2019-01-02T11:51:26.535+01:00| svga| I125: checksum 0x0006167d timestamp 0x8941f3e3
2019-01-02T11:51:26.535+01:00| svga| I125: image file C:\Windows\System32\powrprof.dll
2019-01-02T11:51:26.535+01:00| svga| I125: file version 10.0.17763.1
2019-01-02T11:51:26.535+01:00| svga| I125: CoreDump: including module base 0x0x7ff909dc0000 size 0x0x00052000
2019-01-02T11:51:26.535+01:00| svga| I125: checksum 0x0005be0c timestamp 0x4392c932
2019-01-02T11:51:26.535+01:00| svga| I125: image file C:\Windows\System32\shlwapi.dll
2019-01-02T11:51:26.535+01:00| svga| I125: file version 10.0.17763.1
2019-01-02T11:51:26.535+01:00| svga| I125: CoreDump: including module base 0x0x7ff906130000 size 0x0x00011000
2019-01-02T11:51:26.535+01:00| svga| I125: checksum 0x0001c039 timestamp 0xbe88784d
2019-01-02T11:51:26.535+01:00| svga| I125: image file C:\Windows\System32\kernel.appcore.dll
2019-01-02T11:51:26.535+01:00| svga| I125: file version 10.0.17763.1
2019-01-02T11:51:26.535+01:00| svga| I125: CoreDump: including module base 0x0x7ff906520000 size 0x0x00017000
2019-01-02T11:51:26.535+01:00| svga| I125: checksum 0x0001f088 timestamp 0xfe800ac7
2019-01-02T11:51:26.535+01:00| svga| I125: image file C:\Windows\System32\cryptsp.dll
2019-01-02T11:51:26.535+01:00| svga| I125: file version 10.0.17763.1
2019-01-02T11:51:26.535+01:00| svga| I125: CoreDump: including module base 0x0x7ff907440000 size 0x0x00475000
2019-01-02T11:51:26.535+01:00| svga| I125: checksum 0x0048004f timestamp 0x8cfdc7f2
2019-01-02T11:51:26.535+01:00| svga| I125: image file C:\Windows\System32\setupapi.dll
2019-01-02T11:51:26.535+01:00| svga| I125: file version 10.0.17763.1
2019-01-02T11:51:26.535+01:00| svga| I125: CoreDump: including module base 0x0x7ff9064f0000 size 0x0x00026000
2019-01-02T11:51:26.535+01:00| svga| I125: checksum 0x0002f670 timestamp 0x4d019572
2019-01-02T11:51:26.535+01:00| svga| I125: image file C:\Windows\System32\bcrypt.dll
2019-01-02T11:51:26.535+01:00| svga| I125: file version 10.0.17763.1
2019-01-02T11:51:26.535+01:00| svga| I125: CoreDump: including module base 0x0x7ff909b00000 size 0x0x0006d000
2019-01-02T11:51:26.535+01:00| svga| I125: checksum 0x0006d338 timestamp 0x4ee4fbbf
2019-01-02T11:51:26.535+01:00| svga| I125: image file C:\Windows\System32\ws2_32.dll
2019-01-02T11:51:26.535+01:00| svga| I125: file version 10.0.17763.1
2019-01-02T11:51:26.535+01:00| svga| I125: CoreDump: including module base 0x0x7ff90a030000 size 0x0x000cb000
2019-01-02T11:51:26.535+01:00| svga| I125: checksum 0x000d5ce4 timestamp 0xd0922571
2019-01-02T11:51:26.535+01:00| svga| I125: image file C:\Windows\System32\oleaut32.dll
2019-01-02T11:51:26.535+01:00| svga| I125: file version 10.0.17763.1
2019-01-02T11:51:26.535+01:00| svga| I125: CoreDump: including module base 0x0x7ff906f40000 size 0x0x001db000
2019-01-02T11:51:26.536+01:00| svga| I125: checksum 0x001de80e timestamp 0xb2fbbe58
2019-01-02T11:51:26.536+01:00| svga| I125: image file C:\Windows\System32\crypt32.dll
2019-01-02T11:51:26.536+01:00| svga| I125: file version 10.0.17763.1
2019-01-02T11:51:26.536+01:00| svga| I125: CoreDump: including module base 0x0x7ff9061b0000 size 0x0x00012000
2019-01-02T11:51:26.536+01:00| svga| I125: checksum 0x0001b8e7 timestamp 0xac91a4b2
2019-01-02T11:51:26.536+01:00| svga| I125: image file C:\Windows\System32\msasn1.dll
2019-01-02T11:51:26.536+01:00| svga| I125: file version 10.0.17763.1
2019-01-02T11:51:26.536+01:00| svga| I125: CoreDump: including module base 0x0x7ff8d9990000 size 0x0x00096000
2019-01-02T11:51:26.536+01:00| svga| I125: checksum 0x0009cb61 timestamp 0xd6d52567
2019-01-02T11:51:26.536+01:00| svga| I125: image file C:\Windows\System32\dsound.dll
2019-01-02T11:51:26.536+01:00| svga| I125: file version 10.0.17763.1
2019-01-02T11:51:26.536+01:00| svga| I125: CoreDump: including module base 0x0x7ff904360000 size 0x0x00024000
2019-01-02T11:51:26.536+01:00| svga| I125: checksum 0x00029b8b timestamp 0x01dd0441
2019-01-02T11:51:26.536+01:00| svga| I125: image file C:\Windows\System32\winmm.dll
2019-01-02T11:51:26.536+01:00| svga| I125: file version 10.0.17763.1
2019-01-02T11:51:26.536+01:00| svga| I125: CoreDump: including module base 0x0x7ff8ff290000 size 0x0x00041000
2019-01-02T11:51:26.536+01:00| svga| I125: checksum 0x00040f64 timestamp 0xc2c19daa
2019-01-02T11:51:26.536+01:00| svga| I125: image file C:\Windows\System32\WinSCard.dll
2019-01-02T11:51:26.536+01:00| svga| I125: file version 10.0.17763.1
2019-01-02T11:51:26.536+01:00| svga| I125: CoreDump: including module base 0x0x7ff901010000 size 0x0x000f1000
2019-01-02T11:51:26.536+01:00| svga| I125: checksum 0x000f51d4 timestamp 0xa550ecc2
2019-01-02T11:51:26.536+01:00| svga| I125: image file C:\Windows\System32\winhttp.dll
2019-01-02T11:51:26.536+01:00| svga| I125: file version 10.0.17763.1
2019-01-02T11:51:26.536+01:00| svga| I125: CoreDump: including module base 0x0x53b00000 size 0x0x0001a000
2019-01-02T11:51:26.536+01:00| svga| I125: checksum 0x00020f59 timestamp 0x5b281fdf
2019-01-02T11:51:26.536+01:00| svga| I125: image file C:\Program Files (x86)\VMware\VMware Workstation\x64\zlib1.dll
2019-01-02T11:51:26.536+01:00| svga| I125: file version 1.2.11.0
2019-01-02T11:51:26.536+01:00| svga| I125: CoreDump: including module base 0x0x7ff902a60000 size 0x0x00013000
2019-01-02T11:51:26.536+01:00| svga| I125: checksum 0x000141f8 timestamp 0x645d63a8
2019-01-02T11:51:26.536+01:00| svga| I125: image file C:\Windows\System32\wtsapi32.dll
2019-01-02T11:51:26.536+01:00| svga| I125: file version 10.0.17763.1
2019-01-02T11:51:26.536+01:00| svga| I125: CoreDump: including module base 0x0x7ff905f40000 size 0x0x00029000
2019-01-02T11:51:26.536+01:00| svga| I125: checksum 0x00035933 timestamp 0x38fddd55
2019-01-02T11:51:26.536+01:00| svga| I125: image file C:\Windows\System32\devobj.dll
2019-01-02T11:51:26.536+01:00| svga| I125: file version 10.0.17763.1
2019-01-02T11:51:26.536+01:00| svga| I125: CoreDump: including module base 0x0x7ff9042c0000 size 0x0x0002d000
2019-01-02T11:51:26.536+01:00| svga| I125: checksum 0x000313bc timestamp 0x61c36296
2019-01-02T11:51:26.536+01:00| svga| I125: image file C:\Windows\System32\winmmbase.dll
2019-01-02T11:51:26.536+01:00| svga| I125: file version 10.0.17763.1
2019-01-02T11:51:26.536+01:00| svga| I125: CoreDump: including module base 0x0x7ff907360000 size 0x0x0002e000
2019-01-02T11:51:26.536+01:00| svga| I125: checksum 0x000306da timestamp 0x6b207046
2019-01-02T11:51:26.536+01:00| svga| I125: image file C:\Windows\System32\imm32.dll
2019-01-02T11:51:26.536+01:00| svga| I125: file version 10.0.17763.1
2019-01-02T11:51:26.536+01:00| svga| I125: CoreDump: including module base 0x0x7ff904760000 size 0x0x0009c000
2019-01-02T11:51:26.536+01:00| svga| I125: checksum 0x00098b0d timestamp 0x4b037c22
2019-01-02T11:51:26.536+01:00| svga| I125: image file C:\Windows\System32\uxtheme.dll
2019-01-02T11:51:26.536+01:00| svga| I125: file version 10.0.17763.1
2019-01-02T11:51:26.536+01:00| svga| I125: CoreDump: including module base 0x0x7ff905200000 size 0x0x00031000
2019-01-02T11:51:26.536+01:00| svga| I125: checksum 0x000360d6 timestamp 0x376a9861
2019-01-02T11:51:26.536+01:00| svga| I125: image file C:\Windows\System32\ntmarta.dll
2019-01-02T11:51:26.536+01:00| svga| I125: file version 10.0.17763.1
2019-01-02T11:51:26.536+01:00| svga| I125: CoreDump: including module base 0x0x538a0000 size 0x0x00255000
2019-01-02T11:51:26.536+01:00| svga| I125: checksum 0x002510d2 timestamp 0x5bb436c9
2019-01-02T11:51:26.536+01:00| svga| I125: image file C:\Program Files (x86)\VMware\VMware Workstation\x64\libeay32.dll
2019-01-02T11:51:26.536+01:00| svga| I125: file version 1.0.2.16
2019-01-02T11:51:26.536+01:00| svga| I125: CoreDump: including module base 0x0x7ff8feba0000 size 0x0x0005f000
2019-01-02T11:51:26.536+01:00| svga| I125: checksum 0x000604e7 timestamp 0x5bb436d9
2019-01-02T11:51:26.536+01:00| svga| I125: image file C:\Program Files (x86)\VMware\VMware Workstation\x64\ssleay32.dll
2019-01-02T11:51:26.536+01:00| svga| I125: file version 1.0.2.16
2019-01-02T11:51:26.536+01:00| svga| I125: CoreDump: including module base 0x0x7ff905520000 size 0x0x00033000
2019-01-02T11:51:26.536+01:00| svga| I125: checksum 0x00039b84 timestamp 0xeb037b86
2019-01-02T11:51:26.536+01:00| svga| I125: image file C:\Windows\System32\rsaenh.dll
2019-01-02T11:51:26.536+01:00| svga| I125: file version 10.0.17763.1
2019-01-02T11:51:26.536+01:00| svga| I125: CoreDump: including module base 0x0x7ff905b30000 size 0x0x0000c000
2019-01-02T11:51:26.536+01:00| svga| I125: checksum 0x0000d582 timestamp 0x210d2d73
2019-01-02T11:51:26.536+01:00| svga| I125: image file C:\Windows\System32\CRYPTBASE.dll
2019-01-02T11:51:26.536+01:00| svga| I125: file version 10.0.17763.1
2019-01-02T11:51:26.536+01:00| svga| I125: CoreDump: including module base 0x0x7ff906030000 size 0x0x0002f000
2019-01-02T11:51:26.536+01:00| svga| I125: checksum 0x000339df timestamp 0xebd3b7f6
2019-01-02T11:51:26.536+01:00| svga| I125: image file C:\Windows\System32\sspicli.dll
2019-01-02T11:51:26.536+01:00| svga| I125: file version 10.0.17763.1
2019-01-02T11:51:26.536+01:00| svga| I125: CoreDump: including module base 0x0x7ff905960000 size 0x0x00067000
2019-01-02T11:51:26.536+01:00| svga| I125: checksum 0x0006cb14 timestamp 0x714e4053
2019-01-02T11:51:26.536+01:00| svga| I125: image file C:\Windows\System32\mswsock.dll
2019-01-02T11:51:26.536+01:00| svga| I125: file version 10.0.17763.1
2019-01-02T11:51:26.536+01:00| svga| I125: CoreDump: including module base 0x0x7ff905700000 size 0x0x000c6000
2019-01-02T11:51:26.536+01:00| svga| I125: checksum 0x000cc0a9 timestamp 0xa1206fe7
2019-01-02T11:51:26.537+01:00| svga| I125: image file C:\Windows\System32\dnsapi.dll
2019-01-02T11:51:26.537+01:00| svga| I125: file version 10.0.17763.1
2019-01-02T11:51:26.537+01:00| svga| I125: CoreDump: including module base 0x0x7ff909db0000 size 0x0x00008000
2019-01-02T11:51:26.537+01:00| svga| I125: checksum 0x0000c1ee timestamp 0x7ace72dc
2019-01-02T11:51:26.537+01:00| svga| I125: image file C:\Windows\System32\nsi.dll
2019-01-02T11:51:26.537+01:00| svga| I125: file version 10.0.17763.1
2019-01-02T11:51:26.537+01:00| svga| I125: CoreDump: including module base 0x0x7ff9056c0000 size 0x0x0003d000
2019-01-02T11:51:26.537+01:00| svga| I125: checksum 0x0003b254 timestamp 0x55458551
2019-01-02T11:51:26.537+01:00| svga| I125: image file C:\Windows\System32\IPHLPAPI.DLL
2019-01-02T11:51:26.537+01:00| svga| I125: file version 10.0.17763.1
2019-01-02T11:51:26.537+01:00| svga| I125: CoreDump: including module base 0x0x7ff8fcf40000 size 0x0x0000a000
2019-01-02T11:51:26.537+01:00| svga| I125: checksum 0x0000ec91 timestamp 0x389781ac
2019-01-02T11:51:26.537+01:00| svga| I125: image file C:\Windows\System32\rasadhlp.dll
2019-01-02T11:51:26.537+01:00| svga| I125: file version 10.0.17763.1
2019-01-02T11:51:26.537+01:00| svga| I125: CoreDump: including module base 0x0x7ff907fe0000 size 0x0x000a2000
2019-01-02T11:51:26.537+01:00| svga| I125: checksum 0x000a9f48 timestamp 0xaaba4fa9
2019-01-02T11:51:26.537+01:00| svga| I125: image file C:\Windows\System32\clbcatq.dll
2019-01-02T11:51:26.537+01:00| svga| I125: file version 2001.12.10941.16384
2019-01-02T11:51:26.537+01:00| svga| I125: CoreDump: including module base 0x0x7ff8f49c0000 size 0x0x00011000
2019-01-02T11:51:26.537+01:00| svga| I125: checksum 0x0000bb8c timestamp 0x80ed95b9
2019-01-02T11:51:26.537+01:00| svga| I125: image file C:\Windows\System32\wbem\wbemprox.dll
2019-01-02T11:51:26.537+01:00| svga| I125: file version 10.0.17763.1
2019-01-02T11:51:26.537+01:00| svga| I125: CoreDump: including module base 0x0x7ff8f6660000 size 0x0x00085000
2019-01-02T11:51:26.537+01:00| svga| I125: checksum 0x000821c7 timestamp 0x264de62a
2019-01-02T11:51:26.537+01:00| svga| I125: image file C:\Windows\System32\wbemcomn.dll
2019-01-02T11:51:26.537+01:00| svga| I125: file version 10.0.17763.1
2019-01-02T11:51:26.537+01:00| svga| I125: CoreDump: including module base 0x0x7ff8f3a10000 size 0x0x00014000
2019-01-02T11:51:26.537+01:00| svga| I125: checksum 0x00015c08 timestamp 0x42167f4e
2019-01-02T11:51:26.537+01:00| svga| I125: image file C:\Windows\System32\wbem\wbemsvc.dll
2019-01-02T11:51:26.537+01:00| svga| I125: file version 10.0.17763.1
2019-01-02T11:51:26.537+01:00| svga| I125: CoreDump: including module base 0x0x7ff8f4350000 size 0x0x000f1000
2019-01-02T11:51:26.537+01:00| svga| I125: checksum 0x000f6195 timestamp 0xc27bfeee
2019-01-02T11:51:26.537+01:00| svga| I125: image file C:\Windows\System32\wbem\fastprox.dll
2019-01-02T11:51:26.537+01:00| svga| I125: file version 10.0.17763.1
2019-01-02T11:51:26.537+01:00| svga| I125: CoreDump: including module base 0x0x7ff907d70000 size 0x0x00008000
2019-01-02T11:51:26.537+01:00| svga| I125: checksum 0x00009082 timestamp 0x43f78f9f
2019-01-02T11:51:26.537+01:00| svga| I125: image file C:\Windows\System32\psapi.dll
2019-01-02T11:51:26.537+01:00| svga| I125: file version 10.0.17763.1
2019-01-02T11:51:26.537+01:00| svga| I125: CoreDump: including module base 0x0x7ff8f6af0000 size 0x0x001ed000
2019-01-02T11:51:26.537+01:00| svga| I125: checksum 0x001d72c0 timestamp 0x05f0e9a4
2019-01-02T11:51:26.537+01:00| svga| I125: image file C:\Windows\System32\dbghelp.dll
2019-01-02T11:51:26.537+01:00| svga| I125: file version 10.0.17763.1
2019-01-02T11:51:26.537+01:00| svga| I125: CoreDump: including module base 0x0x7ff909e20000 size 0x0x0016a000
2019-01-02T11:51:26.537+01:00| svga| I125: checksum 0x001780ac timestamp 0x6c634a1d
2019-01-02T11:51:26.537+01:00| svga| I125: image file C:\Windows\System32\msctf.dll
2019-01-02T11:51:26.537+01:00| svga| I125: file version 10.0.17763.1
2019-01-02T11:51:26.537+01:00| svga| I125: CoreDump: including module base 0x0x7ff905c20000 size 0x0x00058000
2019-01-02T11:51:26.537+01:00| svga| I125: checksum 0x0005f200 timestamp 0xd1e21847
2019-01-02T11:51:26.537+01:00| svga| I125: image file C:\Windows\System32\winsta.dll
2019-01-02T11:51:26.537+01:00| svga| I125: file version 10.0.17763.1
2019-01-02T11:51:26.537+01:00| svga| I125: CoreDump: including module base 0x0x7ff8dc060000 size 0x0x00066000
2019-01-02T11:51:26.537+01:00| svga| I125: checksum 0x00061b53 timestamp 0x9ff9e1ff
2019-01-02T11:51:26.537+01:00| svga| I125: image file C:\Windows\System32\SensorsApi.dll
2019-01-02T11:51:26.537+01:00| svga| I125: file version 10.0.17763.168
2019-01-02T11:51:26.537+01:00| svga| I125: CoreDump: including module base 0x0x7ff902150000 size 0x0x0001e000
2019-01-02T11:51:26.537+01:00| svga| I125: checksum 0x00021e5c timestamp 0xbbb5f881
2019-01-02T11:51:26.537+01:00| svga| I125: image file C:\Windows\System32\SensorsUtilsV2.dll
2019-01-02T11:51:26.537+01:00| svga| I125: file version 10.0.17763.1
2019-01-02T11:51:26.537+01:00| svga| I125: CoreDump: including module base 0x0x7ff8e7c50000 size 0x0x00024000
2019-01-02T11:51:26.537+01:00| svga| I125: checksum 0x00023855 timestamp 0xabdcae8a
2019-01-02T11:51:26.537+01:00| svga| I125: image file C:\Windows\System32\SensorsNativeApi.V2.dll
2019-01-02T11:51:26.537+01:00| svga| I125: file version 10.0.17763.1
2019-01-02T11:51:26.537+01:00| svga| I125: CoreDump: including module base 0x0x7ff9026e0000 size 0x0x001a8000
2019-01-02T11:51:26.537+01:00| svga| I125: checksum 0x001acb40 timestamp 0x8ccb846c
2019-01-02T11:51:26.537+01:00| svga| I125: image file C:\Windows\System32\propsys.dll
2019-01-02T11:51:26.537+01:00| svga| I125: file version 7.0.17763.1
2019-01-02T11:51:26.537+01:00| svga| I125: CoreDump: including module base 0x0x7ff8dd340000 size 0x0x00030000
2019-01-02T11:51:26.537+01:00| svga| I125: checksum 0x00032b59 timestamp 0x91d63955
2019-01-02T11:51:26.537+01:00| svga| I125: image file C:\Windows\System32\PortableDeviceTypes.dll
2019-01-02T11:51:26.537+01:00| svga| I125: file version 10.0.17763.1
2019-01-02T11:51:26.537+01:00| svga| I125: CoreDump: including module base 0x0x7ff8e7c00000 size 0x0x00036000
2019-01-29 - Vendor Disclosure
2019-04-12 - Public Release
Discovered by Piotr Bania of Cisco Talos.