Analysis
- max time kernel: 294s
- max time network: 301s
- platform: windows10-2004_x64
- resource: win10v2004-20231222-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231222-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 14-02-2024 04:04
- Static task: static1
General
- Target: TS Setup.msi
- Size: 119.6MB
- MD5: 762693a76e48c511441139a32e1b0afe
- SHA1: 3d8bac6a67b71d52f4a2bf547e7140297fa61dc9
- SHA256: fdd43450dd4fbb4401851aa82f46b392e2e6d721a456db2eedafe566de6d7c7f
- SHA512: 48d4a6c039392534f021d45e6fdca287270599ef985555add06a8b3e12cd6279d9a01b33355e87bf794561741dca585302ef70fa5ebca0a9cdfbf2bb76ada4a4
- SSDEEP: 3145728:n57bFe0N9sOVo+N+/k++ODv87wtE1ODuaoIZ4DwiuJou:n15yOVoiyk9Qv8MtIQuaL4Dwz
Malware Config
Signatures
- Detected Ploutus loader (1 IoC)
  Rows (resource, yara_rule):
  - C:\Program Files (x86)\VAULT\Transaction Server Service\TransactionServerService.exe family_ploutus
- Enumerates connected drives (3 TTPs, 46 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  Processes: msiexec.exe, msiexec.exe
  Rows (description, ioc, process):
  - File opened (read-only) \??\V: msiexec.exe
  - File opened (read-only) \??\X: msiexec.exe
  - File opened (read-only) \??\O: msiexec.exe
  - File opened (read-only) \??\R: msiexec.exe
  - File opened (read-only) \??\B: msiexec.exe
  - File opened (read-only) \??\G: msiexec.exe
  - File opened (read-only) \??\M: msiexec.exe
  - File opened (read-only) \??\N: msiexec.exe
  - File opened (read-only) \??\V: msiexec.exe
  - File opened (read-only) \??\J: msiexec.exe
  - File opened (read-only) \??\K: msiexec.exe
  - File opened (read-only) \??\K: msiexec.exe
  - File opened (read-only) \??\T: msiexec.exe
  - File opened (read-only) \??\G: msiexec.exe
  - File opened (read-only) \??\S: msiexec.exe
  - File opened (read-only) \??\W: msiexec.exe
  - File opened (read-only) \??\I: msiexec.exe
  - File opened (read-only) \??\W: msiexec.exe
  - File opened (read-only) \??\Z: msiexec.exe
  - File opened (read-only) \??\A: msiexec.exe
  - File opened (read-only) \??\Q: msiexec.exe
  - File opened (read-only) \??\E: msiexec.exe
  - File opened (read-only) \??\Z: msiexec.exe
  - File opened (read-only) \??\B: msiexec.exe
  - File opened (read-only) \??\H: msiexec.exe
  - File opened (read-only) \??\X: msiexec.exe
  - File opened (read-only) \??\A: msiexec.exe
  - File opened (read-only) \??\H: msiexec.exe
  - File opened (read-only) \??\O: msiexec.exe
  - File opened (read-only) \??\P: msiexec.exe
  - File opened (read-only) \??\Q: msiexec.exe
  - File opened (read-only) \??\Y: msiexec.exe
  - File opened (read-only) \??\Y: msiexec.exe
  - File opened (read-only) \??\J: msiexec.exe
  - File opened (read-only) \??\M: msiexec.exe
  - File opened (read-only) \??\P: msiexec.exe
  - File opened (read-only) \??\I: msiexec.exe
  - File opened (read-only) \??\L: msiexec.exe
  - File opened (read-only) \??\U: msiexec.exe
  - File opened (read-only) \??\L: msiexec.exe
  - File opened (read-only) \??\R: msiexec.exe
  - File opened (read-only) \??\S: msiexec.exe
  - File opened (read-only) \??\T: msiexec.exe
  - File opened (read-only) \??\E: msiexec.exe
  - File opened (read-only) \??\U: msiexec.exe
  - File opened (read-only) \??\N: msiexec.exe
- Drops file in System32 directory (21 IoCs)
  Processes: msiexec.exe
  Rows (description, ioc, process):
  - File created C:\Windows\SysWOW64\FPLib.dll msiexec.exe
  - File created C:\Windows\SysWOW64\comms.dll msiexec.exe
  - File created C:\Windows\SysWOW64\GeneralFaceQA.pdf msiexec.exe
  - File created C:\Windows\SysWOW64\zkemkeeper.dll msiexec.exe
  - File created C:\Windows\SysWOW64\WSEngine.dll msiexec.exe
  - File created C:\Windows\SysWOW64\WiegandTool.exe msiexec.exe
  - File created C:\Windows\SysWOW64\UCSAPICOM.dll msiexec.exe
  - File created C:\Windows\SysWOW64\Interop.UCBioBSPCOMLib.dll msiexec.exe
  - File created C:\Windows\SysWOW64\FalcoNetworkLib.dll msiexec.exe
  - File created C:\Windows\SysWOW64\zkemsdk.dll msiexec.exe
  - File created C:\Windows\SysWOW64\rscagent.dll msiexec.exe
  - File created C:\Windows\SysWOW64\rscomm.dll msiexec.exe
  - File created C:\Windows\SysWOW64\VHMLib.dll msiexec.exe
  - File created C:\Windows\SysWOW64\UCBioBSP.dll msiexec.exe
  - File created C:\Windows\SysWOW64\commpro.dll msiexec.exe
  - File created C:\Windows\SysWOW64\Interop.UCSAPICOMLib.dll msiexec.exe
  - File created C:\Windows\SysWOW64\UCSAPI40.dll msiexec.exe
  - File created C:\Windows\SysWOW64\FalcoNetworkLibProxy.dll msiexec.exe
  - File created C:\Windows\SysWOW64\UCBioBSPCOM.dll msiexec.exe
  - File created C:\Windows\SysWOW64\usbcomm.dll msiexec.exe
  - File created C:\Windows\SysWOW64\tcpcomm.dll msiexec.exe
- Drops file in Program Files directory (64 IoCs)
  Processes: msiexec.exe
  Rows (description, ioc, process):
  - File created C:\Program Files (x86)\VAULT\Transaction Server Service\DevExpress.RichEdit.v13.1.Core.dll msiexec.exe
  - File created C:\Program Files (x86)\VAULT\Transaction Server Service\HCNetSDKCom\HCPlayBack.dll msiexec.exe
  - File created C:\Program Files (x86)\VAULT\Transaction Server Service\VideoOS.Utilities.dll msiexec.exe
  - File created C:\Program Files (x86)\VAULT\Transaction Server Service\Microsoft.Synchronization.Data.dll msiexec.exe
  - File created C:\Program Files (x86)\VAULT\Transaction Server Service\DevExpress.Sparkline.v19.1.Core.dll msiexec.exe
  - File created C:\Program Files (x86)\VAULT\Transaction Server Service\HCNetSDKCom\AudioIntercom.dll msiexec.exe
  - File created C:\Program Files (x86)\VAULT\Transaction Server Service\falconetworkLib.dll msiexec.exe
  - File created C:\Program Files (x86)\VAULT\Transaction Server Service\HCNetSDKCom\HCGeneralCfgMgr.dll msiexec.exe
  - File created C:\Program Files (x86)\VAULT\Transaction Server Service\HXVA.dll msiexec.exe
  - File created C:\Program Files (x86)\VAULT\Transaction Server Service\Microsoft.SqlServer.DTSPipelineWrap.dll msiexec.exe
  - File created C:\Program Files (x86)\VAULT\Transaction Server Service\TransactionServer.exe.config msiexec.exe
  - File created C:\Program Files (x86)\VAULT\Transaction Server Service\System.Web.WebPages.Razor.dll msiexec.exe
  - File created C:\Program Files (x86)\VAULT\Transaction Server Service\System.Web.WebPages.dll msiexec.exe
  - File created C:\Program Files (x86)\VAULT\Transaction Server Service\DevExpress.Data.v13.1.dll msiexec.exe
  - File created C:\Program Files (x86)\VAULT\Transaction Server Service\CardDatafileformat.csv msiexec.exe
  - File created C:\Program Files (x86)\VAULT\Transaction Server Service\Microsoft.SqlServer.ManagedConnections.dll msiexec.exe
  - File created C:\Program Files (x86)\VAULT\Transaction Server Service\HCNetSDK.lib msiexec.exe
  - File created C:\Program Files (x86)\VAULT\Transaction Server Service\Newtonsoft.Json.dll msiexec.exe
  - File created C:\Program Files (x86)\VAULT\Transaction Server Service\MNN.lib msiexec.exe
  - File created C:\Program Files (x86)\VAULT\Transaction Server Service\Microsoft.Synchronization.dll msiexec.exe
  - File created C:\Program Files (x86)\VAULT\Transaction Server Service\Microsoft.SqlServer.Management.Sdk.Sfc.dll msiexec.exe
  - File created C:\Program Files (x86)\VAULT\Transaction Server Service\DevExpress.RichEdit.v19.1.Core.dll msiexec.exe
  - File created C:\Program Files (x86)\VAULT\Transaction Server Service\AudioPlayerActiveXDotNet_V1.0.0.0_interop.dll msiexec.exe
  - File created C:\Program Files (x86)\VAULT\Transaction Server Service\System.Web.Mvc.dll msiexec.exe
  - File created C:\Program Files (x86)\VAULT\Transaction Server Service\HCNetSDKCom\HCDisplay.dll msiexec.exe
  - File created C:\Program Files (x86)\VAULT\Transaction Server Service\DevExpress.XtraBars.v19.1.dll msiexec.exe
  - File created C:\Program Files (x86)\VAULT\Transaction Server Service\DataMasterTable.xml msiexec.exe
  - File created C:\Program Files (x86)\VAULT\Transaction Server Service\MQTTnet.dll msiexec.exe
  - File created C:\Program Files (x86)\VAULT\Transaction Server Service\zkemkeeper.dll msiexec.exe
  - File created C:\Program Files (x86)\VAULT\Transaction Server Service\Setting.ini msiexec.exe
  - File created C:\Program Files (x86)\VAULT\Transaction Server Service\D3DCompiler_43.dll msiexec.exe
  - File created C:\Program Files (x86)\VAULT\Transaction Server Service\ssleay32.dll msiexec.exe
  - File created C:\Program Files (x86)\VAULT\Transaction Server Service\DevExpress.Data.v19.1.dll msiexec.exe
  - File created C:\Program Files (x86)\VAULT\Transaction Server Service\AppAPI.dll msiexec.exe
  - File created C:\Program Files (x86)\VAULT\Transaction Server Service\HCNetSDKCom\AnalyzeData.dll msiexec.exe
  - File created C:\Program Files (x86)\VAULT\Transaction Server Service\System.Web.Razor.dll msiexec.exe
  - File created C:\Program Files (x86)\VAULT\Transaction Server Service\NLog.config msiexec.exe
  - File created C:\Program Files (x86)\VAULT\Transaction Server Service\HCNetSDKCom\HCGeneralCfgMgr.lib msiexec.exe
  - File created C:\Program Files (x86)\VAULT\Transaction Server Service\Microsoft.Synchronization.Data.SqlServer.dll msiexec.exe
  - File created C:\Program Files (x86)\VAULT\Transaction Server Service\HCNetSDKCom\SystemTransform.dll msiexec.exe
  - File created C:\Program Files (x86)\VAULT\Transaction Server Service\Microsoft.SqlServer.ManagedDTS.dll msiexec.exe
  - File created C:\Program Files (x86)\VAULT\Transaction Server Service\DevExpress.XtraEditors.v19.1.dll msiexec.exe
  - File created C:\Program Files (x86)\VAULT\Transaction Server Service\Microsoft.VisualBasic.PowerPacks.Vs.dll msiexec.exe
  - File created C:\Program Files (x86)\VAULT\Transaction Server Service\DataTableWithSiteCode.xml msiexec.exe
  - File created C:\Program Files (x86)\VAULT\Transaction Server Service\ImageViewerDotNet_V1.3.0.0_axinterop.dll msiexec.exe
  - File created C:\Program Files (x86)\VAULT\Transaction Server Service\HCNetSDKCom\OpenAL32.dll msiexec.exe
  - File created C:\Program Files (x86)\VAULT\Transaction Server Service\libcurl.dll msiexec.exe
  - File created C:\Program Files (x86)\VAULT\Transaction Server Service\Microsoft.SqlServer.ServiceBrokerEnum.dll msiexec.exe
  - File created C:\Program Files (x86)\VAULT\Transaction Server Service\HCNetSDKCom\HCPreview.dll msiexec.exe
  - File created C:\Program Files (x86)\VAULT\Transaction Server Service\SuperRender.dll msiexec.exe
  - File created C:\Program Files (x86)\VAULT\Transaction Server Service\zlibwapi.dll msiexec.exe
  - File created C:\Program Files (x86)\VAULT\Transaction Server Service\Interop.FalcoNetworkLib.dll msiexec.exe
  - File created C:\Program Files (x86)\VAULT\Transaction Server Service\office.dll msiexec.exe
  - File created C:\Program Files (x86)\VAULT\Transaction Server Service\Senparc.Weixin.QY.dll msiexec.exe
  - File created C:\Program Files (x86)\VAULT\Transaction Server Service\swscale-2.dll msiexec.exe
  - File created C:\Program Files (x86)\VAULT\Transaction Server Service\System.Web.WebPages.Deployment.dll msiexec.exe
  - File created C:\Program Files (x86)\VAULT\Transaction Server Service\AudioPlayerActiveXDotNet_V1.0.0.0_axinterop.dll msiexec.exe
  - File created C:\Program Files (x86)\VAULT\Transaction Server Service\SQLDMO.DLL msiexec.exe
  - File created C:\Program Files (x86)\VAULT\Transaction Server Service\Microsoft.SqlServer.Dmf.Common.dll msiexec.exe
  - File created C:\Program Files (x86)\VAULT\Transaction Server Service\NPQos.dll msiexec.exe
  - File created C:\Program Files (x86)\VAULT\Transaction Server Service\DevExpress.XtraGrid.v19.1.dll msiexec.exe
  - File created C:\Program Files (x86)\VAULT\Transaction Server Service\DevExpress.Utils.v19.1.dll msiexec.exe
  - File created C:\Program Files (x86)\VAULT\Transaction Server Service\HCNetSDKCom\HCIndustry.dll msiexec.exe
  - File created C:\Program Files (x86)\VAULT\Transaction Server Service\DevExpress.Web.v13.1.dll msiexec.exe
- Drops file in Windows directory (22 IoCs)
  Processes: msiexec.exe
  Rows (description, ioc, process):
  - File opened for modification C:\Windows\Installer\$PatchCache$\Managed\B1691AD7959547847B8E96FA50229024\5.17.5\_B6B215012A0E41469BF2BD1540D8DD16 msiexec.exe
  - File created C:\Windows\Installer\e5ae1f7.msi msiexec.exe
  - File opened for modification C:\Windows\Installer\e5ae1f5.msi msiexec.exe
  - File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log msiexec.exe
  - File opened for modification C:\Windows\Installer\ msiexec.exe
  - File opened for modification C:\Windows\Installer\MSIE64C.tmp msiexec.exe
  - File created C:\Windows\Installer\{7DA1961B-5959-4874-B7E8-69AF05220942}\_7395C138669E306F5F5985.exe msiexec.exe
  - File opened for modification C:\Windows\Installer\{7DA1961B-5959-4874-B7E8-69AF05220942}\_7395C138669E306F5F5985.exe msiexec.exe
  - File opened for modification C:\Windows\Installer\MSIF811.tmp msiexec.exe
  - File created C:\Windows\Installer\e5ae1f5.msi msiexec.exe
  - File opened for modification C:\Windows\Installer\MSIE272.tmp msiexec.exe
  - File created C:\Windows\Installer\SourceHash{7DA1961B-5959-4874-B7E8-69AF05220942} msiexec.exe
  - File created C:\Windows\Installer\{7DA1961B-5959-4874-B7E8-69AF05220942}\_9B964CE24FEA621E0C73DE.exe msiexec.exe
  - File opened for modification C:\Windows\Installer\{7DA1961B-5959-4874-B7E8-69AF05220942}\_9B964CE24FEA621E0C73DE.exe msiexec.exe
  - File opened for modification C:\Windows\Installer\MSIF12B.tmp msiexec.exe
  - File created C:\Windows\Installer\inprogressinstallinfo.ipi msiexec.exe
  - File opened for modification C:\Windows\Installer\$PatchCache$\Managed\B1691AD7959547847B8E96FA50229024 msiexec.exe
  - File opened for modification C:\Windows\Installer\{7DA1961B-5959-4874-B7E8-69AF05220942}\_36587E275F85BB667C7FC4.exe msiexec.exe
  - File created C:\Windows\Installer\{7DA1961B-5959-4874-B7E8-69AF05220942}\_36587E275F85BB667C7FC4.exe msiexec.exe
  - File opened for modification C:\Windows\Installer\MSIE38C.tmp msiexec.exe
  - File opened for modification C:\Windows\Installer\$PatchCache$\Managed\B1691AD7959547847B8E96FA50229024\5.17.5 msiexec.exe
  - File created C:\Windows\Installer\$PatchCache$\Managed\B1691AD7959547847B8E96FA50229024\5.17.5\_B6B215012A0E41469BF2BD1540D8DD16 msiexec.exe
- Loads dropped DLL (12 IoCs)
  Processes: MsiExec.exe, MsiExec.exe, MsiExec.exe
  Rows (pid, process):
  - 2296 MsiExec.exe
  - 2296 MsiExec.exe
  - 4476 MsiExec.exe
  - 4476 MsiExec.exe
  - 3464 MsiExec.exe
  - 3464 MsiExec.exe
  - 3464 MsiExec.exe
  - 3464 MsiExec.exe
  - 3464 MsiExec.exe
  - 3464 MsiExec.exe
  - 3464 MsiExec.exe
  - 3464 MsiExec.exe
- Checks SCSI registry key(s) (3 TTPs, 5 IoCs)
  SCSI information is often read in order to detect sandboxing environments.
  Processes: vssvc.exe
  Rows (description, ioc, process):
  - Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = (value not present on the page) vssvc.exe
  - Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 vssvc.exe
  - Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters vssvc.exe
  - Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters vssvc.exe
  - Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr vssvc.exe
- Modifies data under HKEY_USERS (8 IoCs)
  Processes: MsiExec.exe, msiexec.exe
  Rows (description, ioc, process):
  - Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" MsiExec.exe
  - Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" MsiExec.exe
  - Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" MsiExec.exe
  - Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\22\52C64B7E msiexec.exe
  - Key deleted \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22 msiexec.exe
  - Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\23 msiexec.exe
  - Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ MsiExec.exe
  - Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" MsiExec.exe
- Modifies registry class (64 IoCs)
  Processes: msiexec.exe, MsiExec.exe
  Rows (description, ioc, process):
  - Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B1691AD7959547847B8E96FA50229024\SourceList\Net msiexec.exe
  - Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C900D106-142B-4A64-90F9-43A0E603834B}\TypeLib\Version = "1.0" msiexec.exe
  - Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D4E001BB-9144-4543-906A-16F941DE6E11}\ProgID msiexec.exe
  - Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{892D329D-07E4-41C5-98C9-36DB42EAF1CF}\ = "IFalcoTransactionsClient" msiexec.exe
  - Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{859B6C25-EAB1-4623-8F08-A3B29DC0FE9A}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" MsiExec.exe
  - Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FE9C6076-2623-4400-9D65-84C0923EE6E3}\TypeLib\Version = "1.0" MsiExec.exe
  - Key created \REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{56A919DC-E000-4776-A500-4A5B039D1D83} msiexec.exe
  - Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:|Program Files (x86)|VAULT|Transaction Server Service|RestSharp.dll msiexec.exe
  - Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:|Program Files (x86)|VAULT|Transaction Server Service|Microsoft.SqlServer.ManagedConnections.dll\Microsoft.SqlServer.ManagedConnections,Version="14.0.0.0",Culture="neutral",PublicKeyToken="89845DCD8 = 4e007a002b004800500042002100480040003f00330037002c0048006100450070002400370039003e00210044002800320049007000530053003700400058002c005a003800430056003f0067006400780000000000 msiexec.exe
  - Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{316C2FAE-B067-4B93-B53A-30D353BC69F8}\TypeLib\Version = "1.0" MsiExec.exe
  - Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\zkemkeeper.ZKEM\CLSID\ = "{00853A19-BD51-419B-9269-2DABE57EB61F}" msiexec.exe
  - Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{859B6C25-EAB1-4623-8F08-A3B29DC0FE9A}\TypeLib\ = "{950238B9-9C9B-455E-923E-814B98A0761D}" msiexec.exe
  - Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A319D037-E2F7-404E-AD33-CC8B1CC2DE1E}\ = "FalcoTransactionsServer Object" msiexec.exe
  - Key created \REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{56A919DC-E000-4776-A500-4A5B039D1D83}\TypeLib msiexec.exe
  - Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\Component Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4} msiexec.exe
  - Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D4E001BB-9144-4543-906A-16F941DE6E11}\Version\ = "1.0" msiexec.exe
  - Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:|Program Files (x86)|VAULT|Transaction Server Service|DevExpress.XtraEditors.v19.1.dll msiexec.exe
  - Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{43C5187D-A23E-4BA0-B5BF-6316EB4195F1}\1.0\ = "FalcoNetworkLib Library" MsiExec.exe
  - Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:|Program Files (x86)|VAULT|Transaction Server Service|TransactionServerService.exe msiexec.exe
  - Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{DDAE8E90-C19A-4163-84AA-F019448EB15D}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" msiexec.exe
  - Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{102F4206-E43D-4FC9-BAB0-331CFFE4D25B}\ = "IZKEM" msiexec.exe
  - Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00853A19-BD51-419B-9269-2DABE57EB61F}\InprocServer32\ThreadingModel = "both" msiexec.exe
  - Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{44BFEE57-75E3-4300-86A6-B29BFB60D849}\ = "IAccessLogData" MsiExec.exe
  - Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C317ACA1-620D-36F9-B64A-9F0152282669}\TypeLib\ = "{722784FC-83DC-4143-B8A9-54FE819E2759}" MsiExec.exe
  - Key created \REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{76A80718-A0CB-4D30-9795-92A0712E0629}\TypeLib msiexec.exe
  - Key created \REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID\{EF7D8320-7B0E-4807-8868-114BE7C3EA6F}\Version msiexec.exe
  - Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:|Program Files (x86)|VAULT|Transaction Server Service|n3kAdrtC.dll msiexec.exe
  - Key created \REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{C9CC81F8-5771-4B78-8BDD-7F314E6696B1}\ProxyStubClsid32 msiexec.exe
  - Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C9CC81F8-5771-4B78-8BDD-7F314E6696B1}\ProxyStubClsid32 MsiExec.exe
  - Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{102F4206-E43D-4FC9-BAB0-331CFFE4D25B} MsiExec.exe
  - Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:|Program Files (x86)|VAULT|Transaction Server Service|Senparc.Weixin.MP.dll msiexec.exe
  - Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D8C41F7C-5A15-451C-9313-A75AB8D4B7C9}\ = "IServerAuthentication" msiexec.exe
  - Key created \REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID\{7BB8A242-8662-40d0-A0E0-D796BF2162E7}\Programmable msiexec.exe
  - Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:|Program Files (x86)|VAULT|Transaction Server Service|AudioPlayerActiveXDotNet_V1.0.0.0_interop.dll\AudioPlayerActiveXDotNet_V1.0.0.0_interop,Version="1.0.0.0",Culture="neutral",PublicKeyToken="BC60 = 4e007a002b004800500042002100480040003f00330037002c0048006100450070002400370039003e004f0063002c00350070004f0027005a004a005e00380025003900380037007a0051007b004d00320000000000 msiexec.exe
  - Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EF7D8320-7B0E-4807-8868-114BE7C3EA6F}\InprocServer32\ = "C:\\Windows\\SysWOW64\\FalcoNetworkLib.dll" msiexec.exe
  - Key created \REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID\{77896119-EEE5-4c4b-A280-E39406E3A8A9}\Control msiexec.exe
  - Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{20E4176F-7756-4630-86AA-AB0ECD841BC3}\1.0\HELPDIR MsiExec.exe
  - Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A5985CB8-15A0-449A-9EC5-E45FFD1A94A5}\ProxyStubClsid32 MsiExec.exe
  - Key created \REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{87450463-7204-4B26-90B4-5A90E38C6FE4} msiexec.exe
  - Key created \REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID\{7BB8A242-8662-40d0-A0E0-D796BF2162E7}\Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4} msiexec.exe
  - Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{87450463-7204-4B26-90B4-5A90E38C6FE4}\TypeLib\Version = "1.0" MsiExec.exe
  - Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{866DB752-6741-4620-847B-A7628B8D14AC}\TypeLib\Version = "1.0" MsiExec.exe
  - Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EF7D8320-7B0E-4807-8868-114BE7C3EA6F}\ProgID msiexec.exe
  - Key created \REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{7EB1F1A7-7294-4882-B615-133D4FADFEDC} msiexec.exe
  - Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C317ACA1-620D-36F9-B64A-9F0152282669}\ProxyStubClsid32 MsiExec.exe
  - Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:|Program Files (x86)|VAULT|Transaction Server Service|NetFalcoLibrary.dll\NetFalcoLibrary,Version="2.1.0.0",Culture="neutral",ProcessorArchitecture="x86" = 4e007a002b004800500042002100480040003f00330037002c0048006100450070002400370039003e0061004a0045004700570077004900570047005500400064004d0038002b002d005e0058005d00430000000000 msiexec.exe
  - Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B1691AD7959547847B8E96FA50229024\Version = "85000197" msiexec.exe
  - Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\zkemkeeper.ZKEM.1\CLSID\ = "{00853A19-BD51-419B-9269-2DABE57EB61F}" msiexec.exe
  - Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{77896119-EEE5-4C4B-A280-E39406E3A8A9}\TypeLib\ = "{950238B9-9C9B-455e-923E-814B98A0761D}" msiexec.exe
  - Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{950238B9-9C9B-455E-923E-814B98A0761D}\1.0\0\win32 MsiExec.exe
  - Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:|Program Files (x86)|VAULT|Transaction Server Service|DevExpress.RichEdit.v19.1.Core.dll msiexec.exe
  - Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{77896119-EEE5-4C4B-A280-E39406E3A8A9} msiexec.exe
  - Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C9CC81F8-5771-4B78-8BDD-7F314E6696B1}\TypeLib\ = "{20E4176F-7756-4630-86AA-AB0ECD841BC3}" MsiExec.exe
  - Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{46B6E82D-6010-4456-B06A-743C49B390F5}\ProxyStubClsid32 MsiExec.exe
  - Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{43C5187D-A23E-4BA0-B5BF-6316EB4195F1}\1.0\0 MsiExec.exe
  - Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C900D106-142B-4A64-90F9-43A0E603834B}\TypeLib\ = "{43C5187D-A23E-4BA0-B5BF-6316EB4195F1}" MsiExec.exe
  - Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:|Program Files (x86)|VAULT|Transaction Server Service|DevExpress.XtraBars.v19.1.dll msiexec.exe
  - Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:|Program Files (x86)|VAULT|Transaction Server Service|DevExpress.XtraBars.v19.1.dll\DevExpress.XtraBars.v19.1,Version="19.1.4.0",Culture="neutral",PublicKeyToken="B88D1754D700E49A",ProcessorArchitec = 4e007a002b004800500042002100480040003f00330037002c0048006100450070002400370039003e00600036007d005f00330067006700690073007800680067004a002b0039006400550042006600530000000000 msiexec.exe
  - Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{37755E72-BDEF-4789-8ABF-09E0A8F8AE57}\ = "IUCSAPIEvents" msiexec.exe
  - Key created \REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{A5985CB8-15A0-449A-9EC5-E45FFD1A94A5}\ProxyStubClsid32 msiexec.exe
  - Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{76A80718-A0CB-4D30-9795-92A0712E0629}\TypeLib MsiExec.exe
  - Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:|Program Files (x86)|VAULT|Transaction Server Service|DevExpress.Utils.v19.1.dll\DevExpress.Utils.v19.1,Version="19.1.4.0",Culture="neutral",PublicKeyToken="B88D1754D700E49A",ProcessorArchitecture=" = 4e007a002b004800500042002100480040003f00330037002c0048006100450070002400370039003e0046004b004200740048002d005200520056006c00400056006c004b00690037006e006b003200310000000000 msiexec.exe
  - Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7BB8A242-8662-40D0-A0E0-D796BF2162E7}\InprocServer32\ = "C:\\Windows\\SysWOW64\\UCBioBSPCOM.dll" msiexec.exe
  - Key created \REGISTRY\MACHINE\SOFTWARE\Classes\FalcoNetworkLib.FalcoCommandClient msiexec.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes: msiexec.exe
  Rows (pid, process):
  - 2888 msiexec.exe
  - 2888 msiexec.exe
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Processes: msiexec.exe, msiexec.exe
  Rows (description, pid, process):
  - Token: SeShutdownPrivilege 1540 msiexec.exe
  - Token: SeIncreaseQuotaPrivilege 1540 msiexec.exe
  - Token: SeSecurityPrivilege 2888 msiexec.exe
  - Token: SeCreateTokenPrivilege 1540 msiexec.exe
  - Token: SeAssignPrimaryTokenPrivilege 1540 msiexec.exe
  - Token: SeLockMemoryPrivilege 1540 msiexec.exe
  - Token: SeIncreaseQuotaPrivilege 1540 msiexec.exe
  - Token: SeMachineAccountPrivilege 1540 msiexec.exe
  - Token: SeTcbPrivilege 1540 msiexec.exe
  - Token: SeSecurityPrivilege 1540 msiexec.exe
  - Token: SeTakeOwnershipPrivilege 1540 msiexec.exe
  - Token: SeLoadDriverPrivilege 1540 msiexec.exe
  - Token: SeSystemProfilePrivilege 1540 msiexec.exe
  - Token: SeSystemtimePrivilege 1540 msiexec.exe
  - Token: SeProfSingleProcessPrivilege 1540 msiexec.exe
  - Token: SeIncBasePriorityPrivilege 1540 msiexec.exe
  - Token: SeCreatePagefilePrivilege 1540 msiexec.exe
  - Token: SeCreatePermanentPrivilege 1540 msiexec.exe
  - Token: SeBackupPrivilege 1540 msiexec.exe
  - Token: SeRestorePrivilege 1540 msiexec.exe
  - Token: SeShutdownPrivilege 1540 msiexec.exe
  - Token: SeDebugPrivilege 1540 msiexec.exe
  - Token: SeAuditPrivilege 1540 msiexec.exe
  - Token: SeSystemEnvironmentPrivilege 1540 msiexec.exe
  - Token: SeChangeNotifyPrivilege 1540 msiexec.exe
  - Token: SeRemoteShutdownPrivilege 1540 msiexec.exe
  - Token: SeUndockPrivilege 1540 msiexec.exe
  - Token: SeSyncAgentPrivilege 1540 msiexec.exe
  - Token: SeEnableDelegationPrivilege 1540 msiexec.exe
  - Token: SeManageVolumePrivilege 1540 msiexec.exe
  - Token: SeImpersonatePrivilege 1540 msiexec.exe
  - Token: SeCreateGlobalPrivilege 1540 msiexec.exe
  - Token: SeCreateTokenPrivilege 1540 msiexec.exe
  - Token: SeAssignPrimaryTokenPrivilege 1540 msiexec.exe
  - Token: SeLockMemoryPrivilege 1540 msiexec.exe
  - Token: SeIncreaseQuotaPrivilege 1540 msiexec.exe
  - Token: SeMachineAccountPrivilege 1540 msiexec.exe
  - Token: SeTcbPrivilege 1540 msiexec.exe
  - Token: SeSecurityPrivilege 1540 msiexec.exe
  - Token: SeTakeOwnershipPrivilege 1540 msiexec.exe
  - Token: SeLoadDriverPrivilege 1540 msiexec.exe
  - Token: SeSystemProfilePrivilege 1540 msiexec.exe
  - Token: SeSystemtimePrivilege 1540 msiexec.exe
  - Token: SeProfSingleProcessPrivilege 1540 msiexec.exe
  - Token: SeIncBasePriorityPrivilege 1540 msiexec.exe
  - Token: SeCreatePagefilePrivilege 1540 msiexec.exe
  - Token: SeCreatePermanentPrivilege 1540 msiexec.exe
  - Token: SeBackupPrivilege 1540 msiexec.exe
  - Token: SeRestorePrivilege 1540 msiexec.exe
  - Token: SeShutdownPrivilege 1540 msiexec.exe
  - Token: SeDebugPrivilege 1540 msiexec.exe
  - Token: SeAuditPrivilege 1540 msiexec.exe
  - Token: SeSystemEnvironmentPrivilege 1540 msiexec.exe
  - Token: SeChangeNotifyPrivilege 1540 msiexec.exe
  - Token: SeRemoteShutdownPrivilege 1540 msiexec.exe
  - Token: SeUndockPrivilege 1540 msiexec.exe
  - Token: SeSyncAgentPrivilege 1540 msiexec.exe
  - Token: SeEnableDelegationPrivilege 1540 msiexec.exe
  - Token: SeManageVolumePrivilege 1540 msiexec.exe
  - Token: SeImpersonatePrivilege 1540 msiexec.exe
  - Token: SeCreateGlobalPrivilege 1540 msiexec.exe
  - Token: SeCreateTokenPrivilege 1540 msiexec.exe
  - Token: SeAssignPrimaryTokenPrivilege 1540 msiexec.exe
  - Token: SeLockMemoryPrivilege 1540 msiexec.exe
- Suspicious use of FindShellTrayWindow (1 IoC)
  Processes: msiexec.exe
  Rows (pid, process):
  - 1540 msiexec.exe
- Suspicious use of WriteProcessMemory (14 IoCs)
  Processes: msiexec.exe
  Rows (description, pid, process, target process):
  - PID 2888 wrote to memory of 2296 2888 msiexec.exe MsiExec.exe
  - PID 2888 wrote to memory of 2296 2888 msiexec.exe MsiExec.exe
  - PID 2888 wrote to memory of 2296 2888 msiexec.exe MsiExec.exe
  - PID 2888 wrote to memory of 4100 2888 msiexec.exe srtasks.exe
  - PID 2888 wrote to memory of 4100 2888 msiexec.exe srtasks.exe
  - PID 2888 wrote to memory of 4476 2888 msiexec.exe MsiExec.exe
  - PID 2888 wrote to memory of 4476 2888 msiexec.exe MsiExec.exe
  - PID 2888 wrote to memory of 4476 2888 msiexec.exe MsiExec.exe
  - PID 2888 wrote to memory of 3756 2888 msiexec.exe MsiExec.exe
  - PID 2888 wrote to memory of 3756 2888 msiexec.exe MsiExec.exe
  - PID 2888 wrote to memory of 3756 2888 msiexec.exe MsiExec.exe
  - PID 2888 wrote to memory of 3464 2888 msiexec.exe MsiExec.exe
  - PID 2888 wrote to memory of 3464 2888 msiexec.exe MsiExec.exe
  - PID 2888 wrote to memory of 3464 2888 msiexec.exe MsiExec.exe
- Uses Volume Shadow Copy service COM API
  The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
- C:\Windows\system32\msiexec.exe (depth 1)
  Command line: msiexec.exe /I "C:\Users\Admin\AppData\Local\Temp\TS Setup.msi"
  Signatures:
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
- C:\Windows\system32\msiexec.exe (depth 1)
  Command line: C:\Windows\system32\msiexec.exe /V
  Signatures:
  - Enumerates connected drives
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\syswow64\MsiExec.exe (depth 2)
    Command line: C:\Windows\syswow64\MsiExec.exe -Embedding 121EAA8BF1997999B8E536DDCE139F56 C
    Signatures:
    - Loads dropped DLL
  - C:\Windows\system32\srtasks.exe (depth 2)
    Command line: C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  - C:\Windows\syswow64\MsiExec.exe (depth 2)
    Command line: C:\Windows\syswow64\MsiExec.exe -Embedding 04ACEA365E03CDAED8FB3B26A78B3410
    Signatures:
    - Loads dropped DLL
  - C:\Windows\syswow64\MsiExec.exe (depth 2)
    Command line: C:\Windows\syswow64\MsiExec.exe -Embedding DC5D33CB39648BB0417B5BE44C9ACAD6 M Global\MSI0000
    Signatures:
    - Modifies registry class
  - C:\Windows\syswow64\MsiExec.exe (depth 2)
    Command line: C:\Windows\syswow64\MsiExec.exe -Embedding 3A3E397899217018779B5EA2DA754846 E Global\MSI0000
    Signatures:
    - Loads dropped DLL
    - Modifies data under HKEY_USERS
- C:\Windows\system32\vssvc.exe (depth 1)
  Command line: C:\Windows\system32\vssvc.exe
  Signatures:
  - Checks SCSI registry key(s)
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
-
C:\Config.Msi\e5ae1f6.rbs (251KB)
C:\Program Files (x86)\VAULT\Transaction Server Service\NetFalcoLibrary.tlb (57KB)
C:\Program Files (x86)\VAULT\Transaction Server Service\RestSharp.dll (186KB)
C:\Program Files (x86)\VAULT\Transaction Server Service\TransactionServerService.exe (597KB)
C:\Program Files (x86)\VAULT\Transaction Server Service\VaultRemote.dll (14KB)
C:\Users\Admin\AppData\Local\Temp\CFGE37C.tmp (152B)
C:\Users\Admin\AppData\Local\Temp\MSI4BED.tmp (325KB)
C:\Windows\Installer\MSIF12B.tmp (66KB)
C:\Windows\Installer\e5ae1f7.msi (119.5MB)
C:\Windows\SysWOW64\FalcoNetworkLib.dll (707KB)
C:\Windows\SysWOW64\UCBioBSPCOM.dll (230KB)
C:\Windows\SysWOW64\UCSAPICOM.dll (1.8MB)
C:\Windows\SysWOW64\zkemkeeper.dll (436KB)
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2 (23.0MB)
\??\Volume{15ae01b2-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{569927f7-0e71-4d79-a03b-9c5cbc22535d}_OnDiskSnapshotProp (6KB)
-
memory/3464-249-0x00000000052D0000-0x00000000052F2000-memory.dmp (136KB)
memory/3464-257-0x0000000005790000-0x00000000057A2000-memory.dmp (72KB)
memory/3464-247-0x00000000050E0000-0x0000000005114000-memory.dmp (208KB)
memory/3464-253-0x0000000005330000-0x000000000533C000-memory.dmp (48KB)
memory/3464-254-0x0000000005340000-0x0000000005694000-memory.dmp (3.3MB)
memory/3464-255-0x00000000064C0000-0x0000000006A64000-memory.dmp (5.6MB)
memory/3464-256-0x00000000057F0000-0x0000000005882000-memory.dmp (584KB)
memory/3464-248-0x00000000058F0000-0x0000000005F08000-memory.dmp (6.1MB)
memory/3464-258-0x0000000005890000-0x00000000058CC000-memory.dmp (240KB)
memory/3464-243-0x0000000005230000-0x00000000052CC000-memory.dmp (624KB)
memory/3464-242-0x0000000005140000-0x00000000051DC000-memory.dmp (624KB)
memory/3464-278-0x0000000073CF0000-0x00000000744A0000-memory.dmp (7.7MB)
memory/3464-238-0x0000000073CF0000-0x00000000744A0000-memory.dmp (7.7MB)
memory/3464-237-0x0000000002EB0000-0x0000000002ECA000-memory.dmp (104KB)