ploutus | fdd43450dd4fbb4401851aa82f46b392e2e6d721a456db2eedafe566de6d7c7f

Analysis

max time kernel
294s
max time network
301s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
14-02-2024 04:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

TS Setup.msi
Size

119.6MB
MD5

762693a76e48c511441139a32e1b0afe
SHA1

3d8bac6a67b71d52f4a2bf547e7140297fa61dc9
SHA256

fdd43450dd4fbb4401851aa82f46b392e2e6d721a456db2eedafe566de6d7c7f
SHA512

48d4a6c039392534f021d45e6fdca287270599ef985555add06a8b3e12cd6279d9a01b33355e87bf794561741dca585302ef70fa5ebca0a9cdfbf2bb76ada4a4
SSDEEP

3145728:n57bFe0N9sOVo+N+/k++ODv87wtE1ODuaoIZ4DwiuJou:n15yOVoiyk9Qv8MtIQuaL4Dwz

Score

10^/10

ploutus atm backdoor

Malware Config

Signatures

Detected Ploutus loader 1 IoCs

Processes:

resource	yara_rule
C:\Program Files (x86)\VAULT\Transaction Server Service\TransactionServerService.exe	family_ploutus

Ploutus
Ploutus is an ATM malware written in C#.
backdoor atm ploutus

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exemsiexec.exe

description	ioc	process
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe

Drops file in System32 directory 21 IoCs

Processes:

msiexec.exe

description	ioc	process
File created	C:\Windows\SysWOW64\FPLib.dll	msiexec.exe
File created	C:\Windows\SysWOW64\comms.dll	msiexec.exe
File created	C:\Windows\SysWOW64\GeneralFaceQA.pdf	msiexec.exe
File created	C:\Windows\SysWOW64\zkemkeeper.dll	msiexec.exe
File created	C:\Windows\SysWOW64\WSEngine.dll	msiexec.exe
File created	C:\Windows\SysWOW64\WiegandTool.exe	msiexec.exe
File created	C:\Windows\SysWOW64\UCSAPICOM.dll	msiexec.exe
File created	C:\Windows\SysWOW64\Interop.UCBioBSPCOMLib.dll	msiexec.exe
File created	C:\Windows\SysWOW64\FalcoNetworkLib.dll	msiexec.exe
File created	C:\Windows\SysWOW64\zkemsdk.dll	msiexec.exe
File created	C:\Windows\SysWOW64\rscagent.dll	msiexec.exe
File created	C:\Windows\SysWOW64\rscomm.dll	msiexec.exe
File created	C:\Windows\SysWOW64\VHMLib.dll	msiexec.exe
File created	C:\Windows\SysWOW64\UCBioBSP.dll	msiexec.exe
File created	C:\Windows\SysWOW64\commpro.dll	msiexec.exe
File created	C:\Windows\SysWOW64\Interop.UCSAPICOMLib.dll	msiexec.exe
File created	C:\Windows\SysWOW64\UCSAPI40.dll	msiexec.exe
File created	C:\Windows\SysWOW64\FalcoNetworkLibProxy.dll	msiexec.exe
File created	C:\Windows\SysWOW64\UCBioBSPCOM.dll	msiexec.exe
File created	C:\Windows\SysWOW64\usbcomm.dll	msiexec.exe
File created	C:\Windows\SysWOW64\tcpcomm.dll	msiexec.exe

Drops file in Program Files directory 64 IoCs

Processes:

msiexec.exe

description	ioc	process
File created	C:\Program Files (x86)\VAULT\Transaction Server Service\DevExpress.RichEdit.v13.1.Core.dll	msiexec.exe
File created	C:\Program Files (x86)\VAULT\Transaction Server Service\HCNetSDKCom\HCPlayBack.dll	msiexec.exe
File created	C:\Program Files (x86)\VAULT\Transaction Server Service\VideoOS.Utilities.dll	msiexec.exe
File created	C:\Program Files (x86)\VAULT\Transaction Server Service\Microsoft.Synchronization.Data.dll	msiexec.exe
File created	C:\Program Files (x86)\VAULT\Transaction Server Service\DevExpress.Sparkline.v19.1.Core.dll	msiexec.exe
File created	C:\Program Files (x86)\VAULT\Transaction Server Service\HCNetSDKCom\AudioIntercom.dll	msiexec.exe
File created	C:\Program Files (x86)\VAULT\Transaction Server Service\falconetworkLib.dll	msiexec.exe
File created	C:\Program Files (x86)\VAULT\Transaction Server Service\HCNetSDKCom\HCGeneralCfgMgr.dll	msiexec.exe
File created	C:\Program Files (x86)\VAULT\Transaction Server Service\HXVA.dll	msiexec.exe
File created	C:\Program Files (x86)\VAULT\Transaction Server Service\Microsoft.SqlServer.DTSPipelineWrap.dll	msiexec.exe
File created	C:\Program Files (x86)\VAULT\Transaction Server Service\TransactionServer.exe.config	msiexec.exe
File created	C:\Program Files (x86)\VAULT\Transaction Server Service\System.Web.WebPages.Razor.dll	msiexec.exe
File created	C:\Program Files (x86)\VAULT\Transaction Server Service\System.Web.WebPages.dll	msiexec.exe
File created	C:\Program Files (x86)\VAULT\Transaction Server Service\DevExpress.Data.v13.1.dll	msiexec.exe
File created	C:\Program Files (x86)\VAULT\Transaction Server Service\CardDatafileformat.csv	msiexec.exe
File created	C:\Program Files (x86)\VAULT\Transaction Server Service\Microsoft.SqlServer.ManagedConnections.dll	msiexec.exe
File created	C:\Program Files (x86)\VAULT\Transaction Server Service\HCNetSDK.lib	msiexec.exe
File created	C:\Program Files (x86)\VAULT\Transaction Server Service\Newtonsoft.Json.dll	msiexec.exe
File created	C:\Program Files (x86)\VAULT\Transaction Server Service\MNN.lib	msiexec.exe
File created	C:\Program Files (x86)\VAULT\Transaction Server Service\Microsoft.Synchronization.dll	msiexec.exe
File created	C:\Program Files (x86)\VAULT\Transaction Server Service\Microsoft.SqlServer.Management.Sdk.Sfc.dll	msiexec.exe
File created	C:\Program Files (x86)\VAULT\Transaction Server Service\DevExpress.RichEdit.v19.1.Core.dll	msiexec.exe
File created	C:\Program Files (x86)\VAULT\Transaction Server Service\AudioPlayerActiveXDotNet_V1.0.0.0_interop.dll	msiexec.exe
File created	C:\Program Files (x86)\VAULT\Transaction Server Service\System.Web.Mvc.dll	msiexec.exe
File created	C:\Program Files (x86)\VAULT\Transaction Server Service\HCNetSDKCom\HCDisplay.dll	msiexec.exe
File created	C:\Program Files (x86)\VAULT\Transaction Server Service\DevExpress.XtraBars.v19.1.dll	msiexec.exe
File created	C:\Program Files (x86)\VAULT\Transaction Server Service\DataMasterTable.xml	msiexec.exe
File created	C:\Program Files (x86)\VAULT\Transaction Server Service\MQTTnet.dll	msiexec.exe
File created	C:\Program Files (x86)\VAULT\Transaction Server Service\zkemkeeper.dll	msiexec.exe
File created	C:\Program Files (x86)\VAULT\Transaction Server Service\Setting.ini	msiexec.exe
File created	C:\Program Files (x86)\VAULT\Transaction Server Service\D3DCompiler_43.dll	msiexec.exe
File created	C:\Program Files (x86)\VAULT\Transaction Server Service\ssleay32.dll	msiexec.exe
File created	C:\Program Files (x86)\VAULT\Transaction Server Service\DevExpress.Data.v19.1.dll	msiexec.exe
File created	C:\Program Files (x86)\VAULT\Transaction Server Service\AppAPI.dll	msiexec.exe
File created	C:\Program Files (x86)\VAULT\Transaction Server Service\HCNetSDKCom\AnalyzeData.dll	msiexec.exe
File created	C:\Program Files (x86)\VAULT\Transaction Server Service\System.Web.Razor.dll	msiexec.exe
File created	C:\Program Files (x86)\VAULT\Transaction Server Service\NLog.config	msiexec.exe
File created	C:\Program Files (x86)\VAULT\Transaction Server Service\HCNetSDKCom\HCGeneralCfgMgr.lib	msiexec.exe
File created	C:\Program Files (x86)\VAULT\Transaction Server Service\Microsoft.Synchronization.Data.SqlServer.dll	msiexec.exe
File created	C:\Program Files (x86)\VAULT\Transaction Server Service\HCNetSDKCom\SystemTransform.dll	msiexec.exe
File created	C:\Program Files (x86)\VAULT\Transaction Server Service\Microsoft.SqlServer.ManagedDTS.dll	msiexec.exe
File created	C:\Program Files (x86)\VAULT\Transaction Server Service\DevExpress.XtraEditors.v19.1.dll	msiexec.exe
File created	C:\Program Files (x86)\VAULT\Transaction Server Service\Microsoft.VisualBasic.PowerPacks.Vs.dll	msiexec.exe
File created	C:\Program Files (x86)\VAULT\Transaction Server Service\DataTableWithSiteCode.xml	msiexec.exe
File created	C:\Program Files (x86)\VAULT\Transaction Server Service\ImageViewerDotNet_V1.3.0.0_axinterop.dll	msiexec.exe
File created	C:\Program Files (x86)\VAULT\Transaction Server Service\HCNetSDKCom\OpenAL32.dll	msiexec.exe
File created	C:\Program Files (x86)\VAULT\Transaction Server Service\libcurl.dll	msiexec.exe
File created	C:\Program Files (x86)\VAULT\Transaction Server Service\Microsoft.SqlServer.ServiceBrokerEnum.dll	msiexec.exe
File created	C:\Program Files (x86)\VAULT\Transaction Server Service\HCNetSDKCom\HCPreview.dll	msiexec.exe
File created	C:\Program Files (x86)\VAULT\Transaction Server Service\SuperRender.dll	msiexec.exe
File created	C:\Program Files (x86)\VAULT\Transaction Server Service\zlibwapi.dll	msiexec.exe
File created	C:\Program Files (x86)\VAULT\Transaction Server Service\Interop.FalcoNetworkLib.dll	msiexec.exe
File created	C:\Program Files (x86)\VAULT\Transaction Server Service\office.dll	msiexec.exe
File created	C:\Program Files (x86)\VAULT\Transaction Server Service\Senparc.Weixin.QY.dll	msiexec.exe
File created	C:\Program Files (x86)\VAULT\Transaction Server Service\swscale-2.dll	msiexec.exe
File created	C:\Program Files (x86)\VAULT\Transaction Server Service\System.Web.WebPages.Deployment.dll	msiexec.exe
File created	C:\Program Files (x86)\VAULT\Transaction Server Service\AudioPlayerActiveXDotNet_V1.0.0.0_axinterop.dll	msiexec.exe
File created	C:\Program Files (x86)\VAULT\Transaction Server Service\SQLDMO.DLL	msiexec.exe
File created	C:\Program Files (x86)\VAULT\Transaction Server Service\Microsoft.SqlServer.Dmf.Common.dll	msiexec.exe
File created	C:\Program Files (x86)\VAULT\Transaction Server Service\NPQos.dll	msiexec.exe
File created	C:\Program Files (x86)\VAULT\Transaction Server Service\DevExpress.XtraGrid.v19.1.dll	msiexec.exe
File created	C:\Program Files (x86)\VAULT\Transaction Server Service\DevExpress.Utils.v19.1.dll	msiexec.exe
File created	C:\Program Files (x86)\VAULT\Transaction Server Service\HCNetSDKCom\HCIndustry.dll	msiexec.exe
File created	C:\Program Files (x86)\VAULT\Transaction Server Service\DevExpress.Web.v13.1.dll	msiexec.exe

Drops file in Windows directory 22 IoCs

Processes:

msiexec.exe

description	ioc	process
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\B1691AD7959547847B8E96FA50229024\5.17.5\_B6B215012A0E41469BF2BD1540D8DD16	msiexec.exe
File created	C:\Windows\Installer\e5ae1f7.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e5ae1f5.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIE64C.tmp	msiexec.exe
File created	C:\Windows\Installer\{7DA1961B-5959-4874-B7E8-69AF05220942}\_7395C138669E306F5F5985.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\{7DA1961B-5959-4874-B7E8-69AF05220942}\_7395C138669E306F5F5985.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIF811.tmp	msiexec.exe
File created	C:\Windows\Installer\e5ae1f5.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIE272.tmp	msiexec.exe
File created	C:\Windows\Installer\SourceHash{7DA1961B-5959-4874-B7E8-69AF05220942}	msiexec.exe
File created	C:\Windows\Installer\{7DA1961B-5959-4874-B7E8-69AF05220942}\_9B964CE24FEA621E0C73DE.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\{7DA1961B-5959-4874-B7E8-69AF05220942}\_9B964CE24FEA621E0C73DE.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIF12B.tmp	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\B1691AD7959547847B8E96FA50229024	msiexec.exe
File opened for modification	C:\Windows\Installer\{7DA1961B-5959-4874-B7E8-69AF05220942}\_36587E275F85BB667C7FC4.exe	msiexec.exe
File created	C:\Windows\Installer\{7DA1961B-5959-4874-B7E8-69AF05220942}\_36587E275F85BB667C7FC4.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIE38C.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\B1691AD7959547847B8E96FA50229024\5.17.5	msiexec.exe
File created	C:\Windows\Installer\$PatchCache$\Managed\B1691AD7959547847B8E96FA50229024\5.17.5\_B6B215012A0E41469BF2BD1540D8DD16	msiexec.exe

Loads dropped DLL 12 IoCs

Processes:

MsiExec.exeMsiExec.exeMsiExec.exe

pid	process
2296	MsiExec.exe
2296	MsiExec.exe
4476	MsiExec.exe
4476	MsiExec.exe
3464	MsiExec.exe
3464	MsiExec.exe
3464	MsiExec.exe
3464	MsiExec.exe
3464	MsiExec.exe
3464	MsiExec.exe
3464	MsiExec.exe
3464	MsiExec.exe

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

vssvc.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 0000000004000000b201ae15c8733f580000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff000000002701010000080000b201ae150000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff000000000700010000680900b201ae15000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1db201ae15000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000b201ae1500000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe

Modifies data under HKEY_USERS 8 IoCs

Processes:

MsiExec.exemsiexec.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	MsiExec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	MsiExec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	MsiExec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\22\52C64B7E	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\23	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	MsiExec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	MsiExec.exe

Modifies registry class 64 IoCs

Processes:

msiexec.exeMsiExec.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B1691AD7959547847B8E96FA50229024\SourceList\Net	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C900D106-142B-4A64-90F9-43A0E603834B}\TypeLib\Version = "1.0"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D4E001BB-9144-4543-906A-16F941DE6E11}\ProgID	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{892D329D-07E4-41C5-98C9-36DB42EAF1CF}\ = "IFalcoTransactionsClient"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{859B6C25-EAB1-4623-8F08-A3B29DC0FE9A}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FE9C6076-2623-4400-9D65-84C0923EE6E3}\TypeLib\Version = "1.0"	MsiExec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{56A919DC-E000-4776-A500-4A5B039D1D83}	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:\|Program Files (x86)\|VAULT\|Transaction Server Service\|RestSharp.dll	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:\|Program Files (x86)\|VAULT\|Transaction Server Service\|Microsoft.SqlServer.ManagedConnections.dll\Microsoft.SqlServer.ManagedConnections,Version="14.0.0.0",Culture="neutral",PublicKeyToken="89845DCD8 = 4e007a002b004800500042002100480040003f00330037002c0048006100450070002400370039003e00210044002800320049007000530053003700400058002c005a003800430056003f0067006400780000000000	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{316C2FAE-B067-4B93-B53A-30D353BC69F8}\TypeLib\Version = "1.0"	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\zkemkeeper.ZKEM\CLSID\ = "{00853A19-BD51-419B-9269-2DABE57EB61F}"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{859B6C25-EAB1-4623-8F08-A3B29DC0FE9A}\TypeLib\ = "{950238B9-9C9B-455E-923E-814B98A0761D}"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A319D037-E2F7-404E-AD33-CC8B1CC2DE1E}\ = "FalcoTransactionsServer Object"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{56A919DC-E000-4776-A500-4A5B039D1D83}\TypeLib	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\Component Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4}	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D4E001BB-9144-4543-906A-16F941DE6E11}\Version\ = "1.0"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:\|Program Files (x86)\|VAULT\|Transaction Server Service\|DevExpress.XtraEditors.v19.1.dll	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{43C5187D-A23E-4BA0-B5BF-6316EB4195F1}\1.0\ = "FalcoNetworkLib Library"	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:\|Program Files (x86)\|VAULT\|Transaction Server Service\|TransactionServerService.exe	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{DDAE8E90-C19A-4163-84AA-F019448EB15D}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{102F4206-E43D-4FC9-BAB0-331CFFE4D25B}\ = "IZKEM"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00853A19-BD51-419B-9269-2DABE57EB61F}\InprocServer32\ThreadingModel = "both"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{44BFEE57-75E3-4300-86A6-B29BFB60D849}\ = "IAccessLogData"	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C317ACA1-620D-36F9-B64A-9F0152282669}\TypeLib\ = "{722784FC-83DC-4143-B8A9-54FE819E2759}"	MsiExec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{76A80718-A0CB-4D30-9795-92A0712E0629}\TypeLib	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID\{EF7D8320-7B0E-4807-8868-114BE7C3EA6F}\Version	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:\|Program Files (x86)\|VAULT\|Transaction Server Service\|n3kAdrtC.dll	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{C9CC81F8-5771-4B78-8BDD-7F314E6696B1}\ProxyStubClsid32	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C9CC81F8-5771-4B78-8BDD-7F314E6696B1}\ProxyStubClsid32	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{102F4206-E43D-4FC9-BAB0-331CFFE4D25B}	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:\|Program Files (x86)\|VAULT\|Transaction Server Service\|Senparc.Weixin.MP.dll	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D8C41F7C-5A15-451C-9313-A75AB8D4B7C9}\ = "IServerAuthentication"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID\{7BB8A242-8662-40d0-A0E0-D796BF2162E7}\Programmable	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:\|Program Files (x86)\|VAULT\|Transaction Server Service\|AudioPlayerActiveXDotNet_V1.0.0.0_interop.dll\AudioPlayerActiveXDotNet_V1.0.0.0_interop,Version="1.0.0.0",Culture="neutral",PublicKeyToken="BC60 = 4e007a002b004800500042002100480040003f00330037002c0048006100450070002400370039003e004f0063002c00350070004f0027005a004a005e00380025003900380037007a0051007b004d00320000000000	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EF7D8320-7B0E-4807-8868-114BE7C3EA6F}\InprocServer32\ = "C:\\Windows\\SysWOW64\\FalcoNetworkLib.dll"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID\{77896119-EEE5-4c4b-A280-E39406E3A8A9}\Control	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{20E4176F-7756-4630-86AA-AB0ECD841BC3}\1.0\HELPDIR	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A5985CB8-15A0-449A-9EC5-E45FFD1A94A5}\ProxyStubClsid32	MsiExec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{87450463-7204-4B26-90B4-5A90E38C6FE4}	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID\{7BB8A242-8662-40d0-A0E0-D796BF2162E7}\Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4}	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{87450463-7204-4B26-90B4-5A90E38C6FE4}\TypeLib\Version = "1.0"	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{866DB752-6741-4620-847B-A7628B8D14AC}\TypeLib\Version = "1.0"	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EF7D8320-7B0E-4807-8868-114BE7C3EA6F}\ProgID	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{7EB1F1A7-7294-4882-B615-133D4FADFEDC}	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C317ACA1-620D-36F9-B64A-9F0152282669}\ProxyStubClsid32	MsiExec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:\|Program Files (x86)\|VAULT\|Transaction Server Service\|NetFalcoLibrary.dll\NetFalcoLibrary,Version="2.1.0.0",Culture="neutral",ProcessorArchitecture="x86" = 4e007a002b004800500042002100480040003f00330037002c0048006100450070002400370039003e0061004a0045004700570077004900570047005500400064004d0038002b002d005e0058005d00430000000000	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B1691AD7959547847B8E96FA50229024\Version = "85000197"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\zkemkeeper.ZKEM.1\CLSID\ = "{00853A19-BD51-419B-9269-2DABE57EB61F}"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{77896119-EEE5-4C4B-A280-E39406E3A8A9}\TypeLib\ = "{950238B9-9C9B-455e-923E-814B98A0761D}"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{950238B9-9C9B-455E-923E-814B98A0761D}\1.0\0\win32	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:\|Program Files (x86)\|VAULT\|Transaction Server Service\|DevExpress.RichEdit.v19.1.Core.dll	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{77896119-EEE5-4C4B-A280-E39406E3A8A9}	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C9CC81F8-5771-4B78-8BDD-7F314E6696B1}\TypeLib\ = "{20E4176F-7756-4630-86AA-AB0ECD841BC3}"	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{46B6E82D-6010-4456-B06A-743C49B390F5}\ProxyStubClsid32	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{43C5187D-A23E-4BA0-B5BF-6316EB4195F1}\1.0\0	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C900D106-142B-4A64-90F9-43A0E603834B}\TypeLib\ = "{43C5187D-A23E-4BA0-B5BF-6316EB4195F1}"	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:\|Program Files (x86)\|VAULT\|Transaction Server Service\|DevExpress.XtraBars.v19.1.dll	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:\|Program Files (x86)\|VAULT\|Transaction Server Service\|DevExpress.XtraBars.v19.1.dll\DevExpress.XtraBars.v19.1,Version="19.1.4.0",Culture="neutral",PublicKeyToken="B88D1754D700E49A",ProcessorArchitec = 4e007a002b004800500042002100480040003f00330037002c0048006100450070002400370039003e00600036007d005f00330067006700690073007800680067004a002b0039006400550042006600530000000000	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{37755E72-BDEF-4789-8ABF-09E0A8F8AE57}\ = "IUCSAPIEvents"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{A5985CB8-15A0-449A-9EC5-E45FFD1A94A5}\ProxyStubClsid32	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{76A80718-A0CB-4D30-9795-92A0712E0629}\TypeLib	MsiExec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:\|Program Files (x86)\|VAULT\|Transaction Server Service\|DevExpress.Utils.v19.1.dll\DevExpress.Utils.v19.1,Version="19.1.4.0",Culture="neutral",PublicKeyToken="B88D1754D700E49A",ProcessorArchitecture=" = 4e007a002b004800500042002100480040003f00330037002c0048006100450070002400370039003e0046004b004200740048002d005200520056006c00400056006c004b00690037006e006b003200310000000000	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7BB8A242-8662-40D0-A0E0-D796BF2162E7}\InprocServer32\ = "C:\\Windows\\SysWOW64\\UCBioBSPCOM.dll"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\FalcoNetworkLib.FalcoCommandClient	msiexec.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

msiexec.exe

pid process

2888 msiexec.exe
2888 msiexec.exe

pid	process
2888	msiexec.exe
2888	msiexec.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

msiexec.exemsiexec.exe

description	pid	process
Token: SeShutdownPrivilege	1540	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1540	msiexec.exe
Token: SeSecurityPrivilege	2888	msiexec.exe
Token: SeCreateTokenPrivilege	1540	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	1540	msiexec.exe
Token: SeLockMemoryPrivilege	1540	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1540	msiexec.exe
Token: SeMachineAccountPrivilege	1540	msiexec.exe
Token: SeTcbPrivilege	1540	msiexec.exe
Token: SeSecurityPrivilege	1540	msiexec.exe
Token: SeTakeOwnershipPrivilege	1540	msiexec.exe
Token: SeLoadDriverPrivilege	1540	msiexec.exe
Token: SeSystemProfilePrivilege	1540	msiexec.exe
Token: SeSystemtimePrivilege	1540	msiexec.exe
Token: SeProfSingleProcessPrivilege	1540	msiexec.exe
Token: SeIncBasePriorityPrivilege	1540	msiexec.exe
Token: SeCreatePagefilePrivilege	1540	msiexec.exe
Token: SeCreatePermanentPrivilege	1540	msiexec.exe
Token: SeBackupPrivilege	1540	msiexec.exe
Token: SeRestorePrivilege	1540	msiexec.exe
Token: SeShutdownPrivilege	1540	msiexec.exe
Token: SeDebugPrivilege	1540	msiexec.exe
Token: SeAuditPrivilege	1540	msiexec.exe
Token: SeSystemEnvironmentPrivilege	1540	msiexec.exe
Token: SeChangeNotifyPrivilege	1540	msiexec.exe
Token: SeRemoteShutdownPrivilege	1540	msiexec.exe
Token: SeUndockPrivilege	1540	msiexec.exe
Token: SeSyncAgentPrivilege	1540	msiexec.exe
Token: SeEnableDelegationPrivilege	1540	msiexec.exe
Token: SeManageVolumePrivilege	1540	msiexec.exe
Token: SeImpersonatePrivilege	1540	msiexec.exe
Token: SeCreateGlobalPrivilege	1540	msiexec.exe
Token: SeCreateTokenPrivilege	1540	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	1540	msiexec.exe
Token: SeLockMemoryPrivilege	1540	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1540	msiexec.exe
Token: SeMachineAccountPrivilege	1540	msiexec.exe
Token: SeTcbPrivilege	1540	msiexec.exe
Token: SeSecurityPrivilege	1540	msiexec.exe
Token: SeTakeOwnershipPrivilege	1540	msiexec.exe
Token: SeLoadDriverPrivilege	1540	msiexec.exe
Token: SeSystemProfilePrivilege	1540	msiexec.exe
Token: SeSystemtimePrivilege	1540	msiexec.exe
Token: SeProfSingleProcessPrivilege	1540	msiexec.exe
Token: SeIncBasePriorityPrivilege	1540	msiexec.exe
Token: SeCreatePagefilePrivilege	1540	msiexec.exe
Token: SeCreatePermanentPrivilege	1540	msiexec.exe
Token: SeBackupPrivilege	1540	msiexec.exe
Token: SeRestorePrivilege	1540	msiexec.exe
Token: SeShutdownPrivilege	1540	msiexec.exe
Token: SeDebugPrivilege	1540	msiexec.exe
Token: SeAuditPrivilege	1540	msiexec.exe
Token: SeSystemEnvironmentPrivilege	1540	msiexec.exe
Token: SeChangeNotifyPrivilege	1540	msiexec.exe
Token: SeRemoteShutdownPrivilege	1540	msiexec.exe
Token: SeUndockPrivilege	1540	msiexec.exe
Token: SeSyncAgentPrivilege	1540	msiexec.exe
Token: SeEnableDelegationPrivilege	1540	msiexec.exe
Token: SeManageVolumePrivilege	1540	msiexec.exe
Token: SeImpersonatePrivilege	1540	msiexec.exe
Token: SeCreateGlobalPrivilege	1540	msiexec.exe
Token: SeCreateTokenPrivilege	1540	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	1540	msiexec.exe
Token: SeLockMemoryPrivilege	1540	msiexec.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

msiexec.exe

pid process

1540 msiexec.exe

pid	process
1540	msiexec.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

msiexec.exe

description	pid	process	target process
PID 2888 wrote to memory of 2296	2888	msiexec.exe	MsiExec.exe
PID 2888 wrote to memory of 2296	2888	msiexec.exe	MsiExec.exe
PID 2888 wrote to memory of 2296	2888	msiexec.exe	MsiExec.exe
PID 2888 wrote to memory of 4100	2888	msiexec.exe	srtasks.exe
PID 2888 wrote to memory of 4100	2888	msiexec.exe	srtasks.exe
PID 2888 wrote to memory of 4476	2888	msiexec.exe	MsiExec.exe
PID 2888 wrote to memory of 4476	2888	msiexec.exe	MsiExec.exe
PID 2888 wrote to memory of 4476	2888	msiexec.exe	MsiExec.exe
PID 2888 wrote to memory of 3756	2888	msiexec.exe	MsiExec.exe
PID 2888 wrote to memory of 3756	2888	msiexec.exe	MsiExec.exe
PID 2888 wrote to memory of 3756	2888	msiexec.exe	MsiExec.exe
PID 2888 wrote to memory of 3464	2888	msiexec.exe	MsiExec.exe
PID 2888 wrote to memory of 3464	2888	msiexec.exe	MsiExec.exe
PID 2888 wrote to memory of 3464	2888	msiexec.exe	MsiExec.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\msiexec.exe
msiexec.exe /I "C:\Users\Admin\AppData\Local\Temp\TS Setup.msi"
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1540

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2888

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 121EAA8BF1997999B8E536DDCE139F56 C
2⤵
- Loads dropped DLL
PID:2296

C:\Windows\system32\srtasks.exe
C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
2⤵
PID:4100

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 04ACEA365E03CDAED8FB3B26A78B3410
2⤵
- Loads dropped DLL
PID:4476

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding DC5D33CB39648BB0417B5BE44C9ACAD6 M Global\MSI0000
2⤵
- Modifies registry class
PID:3756

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 3A3E397899217018779B5EA2DA754846 E Global\MSI0000
2⤵
- Loads dropped DLL
- Modifies data under HKEY_USERS
PID:3464

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
PID:4656

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e5ae1f6.rbs
Filesize
251KB

MD5
e8c4a1f4b466406d174f2526ff77dc34

SHA1
b4a0d8f966d1c7da1f757675ec9a7d7a15b5dbc6

SHA256
04ff7d1099c3fe6eeb96bd4c9c18ce08690755d4d15c983b215006bb03601259

SHA512
9c8372b66fd1c0243734ee2e63f9d09a962312656da087d183325ada3505edaa98c63c8d2ef3359fbe96c32850b33ccc55cec94899e66abfeaaec9ed0d799e70

Download Submit
C:\Program Files (x86)\VAULT\Transaction Server Service\NetFalcoLibrary.tlb
Filesize
57KB

MD5
b35ba590b82e846d05717f0beb0f2f0d

SHA1
d6d0b09a255f8445ecfbcdc6e1c48180a851543b

SHA256
13e234fb8e3d0013463184216826fd7a3be0cf277fbaf350068a4d94cd2f6105

SHA512
357216cdff0c463f69f5fceb517bbc00769557f874ac226ed00fa567c95e8dbe55332758900d9af4a236061b95bc15d7db1f0be8c073a8f932e4c4890ca1715d

Download Submit
C:\Program Files (x86)\VAULT\Transaction Server Service\RestSharp.dll
Filesize
186KB

MD5
d294a1a08de13d8f8a8be2d6cc4261ea

SHA1
8c1f67c96ebbf6f8ffe996c3df37b3cde8e790d7

SHA256
654e7245aadd65be246efe8ca8f9a85986922eb1babac10a0daa7261d60a603b

SHA512
ef56f3be6f54134d68c8ef6b88a9be221c962b33984be25e4dcebb1d7c85f316151ab109d1336697ca3382df8e839b59e9c390f52e199a32f0eb806957f40894

Download Submit
C:\Program Files (x86)\VAULT\Transaction Server Service\TransactionServerService.exe
Filesize
597KB

MD5
1d56620eef7fdd2235528a48c1645f06

SHA1
bc0f99d76bd99518e2d0af083b43c357cd252c6c

SHA256
81e9b5fba6b1a38b703e160e6a2da29d9fa4a9dc189d9e0c43e7b64d71af1635

SHA512
802442e0afbd1c48aa6ac0534da422c448a68f6e2807a7bffa25cd42425894356e5aa4ff3984d116ab5a9645aba69d989d5119fea8d3beb7de34f28b98f9f48e

Download Submit
C:\Program Files (x86)\VAULT\Transaction Server Service\VaultRemote.dll
Filesize
14KB

MD5
abdc75bcc5e89665e2d86c89423090e8

SHA1
011992c4d1a2dab7754db0b05368f4acffc4d61a

SHA256
59682ed0d1d60cecb2d21f9cf72a92350b616770c0aeb76557b7b4a1977ebcdf

SHA512
2b5dc60393311da4d73aacdc31308dd91bf45f4ca70ab9d818397e3de042d1eaaf82f598b2597dbddfe353998fd3d6e0c1157a49640ca13b4fe484ff9a445fa3

Download Submit
C:\Users\Admin\AppData\Local\Temp\CFGE37C.tmp
Filesize
152B

MD5
ccb860553902094f48b6d91dbae56fdd

SHA1
0a9909816f156632c0c8718725853f48a81fa0bc

SHA256
7d10aea89090852f80436f2c5eb025df6be018d8c7e27caf46131446e6abdccd

SHA512
be344e0e9567e469fcd46e5166310779e69b092cd6b55256cfc4525287f2a0f6e52463967c58c5609d81fbaec27422264f1c1c62e7327dd31ff7dd9920a3339c

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI4BED.tmp
Filesize
325KB

MD5
f048cf239cc583f8433634acf23cae55

SHA1
7d3a296a05267855cc637c5bf95fe687b7a765a2

SHA256
4d6efad25f62f4c34998385819e46569869b09de4d8b3f1e22dc9e8f032ed3bb

SHA512
a021d559150338ef823b8749d95ac262ec13d9c9ed80d2d0d67e0d7690ae61713219a5edf88d83832ad673f0d7a1d306b49af4f07020c98bac2cfb006bcf0c53

Download Submit
C:\Windows\Installer\MSIF12B.tmp
Filesize
66KB

MD5
b1463eaa0f849e4dd49e88c8594dd985

SHA1
c65251d8e7e0855769967238084cb282b14f7d48

SHA256
18e517c567db5a8ccbfd5db698cc5179862d002039f461656a9468dce51d1448

SHA512
ba6ed16f13246617abf8f75d3506da629e8370f2faa77caecfed1444c25d6bc2e85803b84c1214a4a4803b4cea2166043fe2819a42ac8ca28e22f04d0e1d0e23

Download Submit
C:\Windows\Installer\e5ae1f7.msi
Filesize
119.5MB

MD5
3f29169e326ae7f6dfa3163c1be89e38

SHA1
90d0b4853c72ed23a194fd4bc869c02c29cb400b

SHA256
daa3e2397b01ce09d67604a8cbf3a5e84dab41b21acc2c129497c0d99089bd2b

SHA512
7b6781db69b81b3030fe37f6b95ad0fb4fa70150e5388c93baa867ecc3f117eb9f54d46a8d6a91476b37f6481d4b5f336c8bade7f64efae546646eebb0103d1d

Download Submit
C:\Windows\SysWOW64\FalcoNetworkLib.dll
Filesize
707KB

MD5
6ac75e242be9c30da26ef13711e270f2

SHA1
ab1426e82d1cd248cb407ca0f8b2ed1f94123461

SHA256
4d46f595246b0aa9763c1b6e1a9f52bf573b632b330f940837e0677c4c8425ed

SHA512
5116245732ab80b53309f53e796ee65d30e57e9bf898f38f0629ae98a6a251aaf6ade98965db54677578bf943ae10a1b4e28fd4c211256c05dd2e4f31184bfbe

Download Submit
C:\Windows\SysWOW64\UCBioBSPCOM.dll
Filesize
230KB

MD5
df344e433d3806fcbd255d0238efcab7

SHA1
270435d936fdd2c490a0524aae6618f600f3b842

SHA256
fe9ead1e4a8911be6814d166dc82a5caa6ad6e59ef63211e07f75cf8403498c9

SHA512
004142d8abb20f683b5067cc47cd189f1b4866b7b83ce1655cf36edf1dba885d45e4b9bff10d6f38acdcdc9b7f804fe54283c6d1bc31723dd13aceda95d54fa5

Download Submit
C:\Windows\SysWOW64\UCSAPICOM.dll
Filesize
1.8MB

MD5
69a8770a7d428716d7c29a9ded61fda7

SHA1
8b99fce55dbb69950d32cc819ea1e19037d41ad2

SHA256
c857bb8cb780ad8990bb9bc86ec240d8dbec5b9567715809a4f22a72e6e3d0d8

SHA512
7bf00460b16f4c03595fce3d75df329d9dfdd41b330affc3e13323a81b520645781518e00a8adda773a5ec456acd396df960d72c5caef0aff2363c6b0d558d94

Download Submit
C:\Windows\SysWOW64\zkemkeeper.dll
Filesize
436KB

MD5
105bc87c8f0dfceb04fac8c44dfc08c0

SHA1
2edd013ae9385cd7f3dbdcd90c96de886d8c6229

SHA256
c54c9c36080537893ab7e1a58e5996c306fe4cdbaffb6096e1139941a4673551

SHA512
5f3d13dcb340a0ceeb418e19de6368a922cfde5f2a3bcfe4c254627a41d2dba52226cd0c2e7ab716dd63de7a1960ac2aecace47daefb53ba9d129478e58471ba

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2
Filesize
23.0MB

MD5
0a9a05b35e05113c7617e696e480c2f1

SHA1
891b840f43cbd035310cf6b60ce42ebfb1bb0526

SHA256
4c126c7c5971697f7925f1a74b313cc54b493439e84d8b7bc012f54a924b2728

SHA512
bab4b3f464d0b1a45a40fdedc890cef106e4b4fa43f040cdc1fc073850c05f9cf9254062eb3ecf7924a26b5d0bd63fedb1bf2552f3f0940b7aa45a598d1a10a2

Download Submit
\??\Volume{15ae01b2-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{569927f7-0e71-4d79-a03b-9c5cbc22535d}_OnDiskSnapshotProp
Filesize
6KB

MD5
e22559855390b60cfc824411f5352058

SHA1
51b6bf25800100feec8d156ccfdd18e1935efbd0

SHA256
b66a46a586d8f818fc294def8bfbc2989d3e8f080a603d01c34f89fef7aeedbe

SHA512
8b41d5c35e736eae2602fc1f9892b8126cc12d54bddedeb7c45a03d6f427ca99107ae542163a966883c44b5c5fbb27f863a531c00c908569935529c5cb71f190

Download Submit
memory/3464-249-0x00000000052D0000-0x00000000052F2000-memory.dmp

Filesize
136KB

Download
memory/3464-257-0x0000000005790000-0x00000000057A2000-memory.dmp

Filesize
72KB

Download
memory/3464-247-0x00000000050E0000-0x0000000005114000-memory.dmp

Filesize
208KB

Download
memory/3464-253-0x0000000005330000-0x000000000533C000-memory.dmp

Filesize
48KB

Download
memory/3464-254-0x0000000005340000-0x0000000005694000-memory.dmp

Filesize
3.3MB

Download
memory/3464-255-0x00000000064C0000-0x0000000006A64000-memory.dmp

Filesize
5.6MB

Download
memory/3464-256-0x00000000057F0000-0x0000000005882000-memory.dmp

Filesize
584KB

Download
memory/3464-248-0x00000000058F0000-0x0000000005F08000-memory.dmp

Filesize
6.1MB

Download
memory/3464-258-0x0000000005890000-0x00000000058CC000-memory.dmp

Filesize
240KB

Download
memory/3464-243-0x0000000005230000-0x00000000052CC000-memory.dmp

Filesize
624KB

Download
memory/3464-242-0x0000000005140000-0x00000000051DC000-memory.dmp

Filesize
624KB

Download
memory/3464-278-0x0000000073CF0000-0x00000000744A0000-memory.dmp

Filesize
7.7MB

Download
memory/3464-238-0x0000000073CF0000-0x00000000744A0000-memory.dmp

Filesize
7.7MB

Download
memory/3464-237-0x0000000002EB0000-0x0000000002ECA000-memory.dmp

Filesize
104KB

Download