Overview
Analysis
- max time kernel: 235s
- max time network: 213s
- platform: windows11-21h2_x64
- resource: win11-20250313-en
- resource tags: arch:x64, arch:x86, image:win11-20250313-en, locale:en-us, os:windows11-21h2-x64, system
- submitted: 28/03/2025, 13:52
Behavioral tasks (task: sample, resource)
- behavioral1: SuperViewer Installer/Volume/bin/p15/niauth.msi, win11-20250313-en
- behavioral2: SuperViewer Installer/Volume/bin/p15/niauth64.msi, win11-20250313-en
- behavioral3: SuperViewer Installer/Volume/bin/p16/nicurl.msi, win11-20250313-en
- behavioral4: SuperViewer Installer/Volume/bin/p16/nicurl64.msi, win11-20250313-en
- behavioral5: SuperViewer Installer/Volume/bin/p17/LabVI00/NIWebServer_LVRTE.msi, win11-20250313-en
- behavioral6: SuperViewer Installer/Volume/bin/p18/LogosXT.msi, win11-20250313-en
- behavioral7: SuperViewer Installer/Volume/bin/p18/LogosXT64.msi, win11-20250313-en
- behavioral8: SuperViewer Installer/Volume/bin/p19/ni_error/ni_error_report.msi, win11-20250313-en
- behavioral9: SuperViewer Installer/Volume/bin/p2/SystemRequirementsError.exe, win11-20250313-en
- behavioral10: SuperViewer Installer/Volume/bin/p2/VC2015-32Wrapper.msi, win11-20250313-en
- behavioral11: SuperViewer Installer/Volume/bin/p2/VC2015-64Wrapper.msi, win11-20250313-en
- behavioral12: SuperViewer Installer/Volume/bin/p2/VC2015Core.msi, win11-20250313-en
- behavioral13: SuperViewer Installer/Volume/bin/p2/VCRunTimeInstaller.exe, win11-20250314-en
- behavioral14: SuperViewer Installer/Volume/bin/p2/vc_redist.x64.exe, win11-20250313-en
- behavioral15: SuperViewer Installer/Volume/bin/p2/vc_redist.x86.exe, win11-20250313-en
- behavioral16: SuperViewer Installer/Volume/bin/p20/activex.msi, win11-20250313-en
- behavioral17: SuperViewer Installer/Volume/bin/p20/activex64.msi, win11-20250313-en
- behavioral18: SuperViewer Installer/Volume/bin/p25/mkl.msi, win11-20250313-en
- behavioral19: SuperViewer Installer/Volume/bin/p25/mkl64.msi, win11-20250313-en
- behavioral20: SuperViewer Installer/Volume/bin/p26/logos.msi, win11-20250313-en
- behavioral21: SuperViewer Installer/Volume/bin/p26/logos64.msi, win11-20250314-en
- behavioral22: SuperViewer Installer/Volume/bin/p27/lvrteres/LV2019rteres.msi, win11-20250313-en
- behavioral23: SuperViewer Installer/Volume/bin/p28/LV2019rtdnet.msi, win11-20250313-en
- behavioral24: SuperViewer Installer/Volume/bin/p28/LV2019runtime.msi, win11-20250313-en
- behavioral25: SuperViewer Installer/Volume/bin/p29/MStudioCW3DGraph.msi, win11-20250313-en
- behavioral26: SuperViewer Installer/Volume/bin/p3/NISys00/NISysLogUtils.msi, win11-20250313-en
- behavioral27: SuperViewer Installer/Volume/bin/p4/sslLVRTE/ssl_LVRTEsupp.msi, win11-20250313-en
- behavioral28: SuperViewer Installer/Volume/bin/p5/NI_De00/dep_framework.msi, win11-20250313-en
- behavioral29: SuperViewer Installer/Volume/bin/p6/KillBit.msi, win11-20250313-en
- behavioral30: SuperViewer Installer/Volume/bin/p6/KillBit64.msi, win11-20250313-en
- behavioral31: SuperViewer Installer/Volume/bin/p7/NITraceEngine.msi, win11-20250314-en
- behavioral32: SuperViewer Installer/Volume/bin/p7/NITraceEngine64.msi, win11-20250314-en
General
- Target: SuperViewer Installer/Volume/bin/p15/niauth.msi
- Size: 1.1MB
- MD5: 303a2220c01a1cf108a1111770ae4a93
- SHA1: 6f3550e87be0d90b67f9e6e8aff12cd4ee2e7f7c
- SHA256: 6f51f1ba08404a55d034194739c91a82392a51283740529b22051fd16c7146de
- SHA512: 242fc98cfeddd30e12faf9ad45130f48f74d81ca55d5c90277e4fb0771e9dcf9612a289e3286c3cc97ac2cbdf55edd65e376ae51f35819988ea7c578616c9437
- SSDEEP: 24576:WFZtHo/3Gfm+k+TQNxshTK+63S3ZgTqGgeSZUf/:WFZtVzC2PJg6Uf
Malware Config
Signatures
-
- Enumerates connected drives (3 TTPs, 46 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
- Drops file in Program Files directory (7 IoCs)
  Files created by msiexec.exe:
  - C:\Program Files (x86)\National Instruments\Shared\MDF\Manifests\NI Authentication 2019 {E28CF12C-112B-4023-BBA3-C5D30CE583DC}.xml
  - C:\Program Files (x86)\National Instruments\Shared\WinMIF\ni-auth_19.0.0.49152-0+f0_windows_all {E28CF12C-112B-4023-BBA3-C5D30CE583DC}.control
  - C:\Program Files (x86)\National Instruments\Shared\WinMIF\ni-auth_19.0.0.49152-0+f0_windows_all {E28CF12C-112B-4023-BBA3-C5D30CE583DC}.instructions
  - C:\Program Files (x86)\National Instruments\Shared\niauth\niauth.dll
  - C:\Program Files (x86)\National Instruments\Shared\niauth\niauth_daemon.exe
  - C:\Program Files (x86)\National Instruments\Shared\niauth\niPortableRegistry.dll
  - C:\Program Files (x86)\National Instruments\_Legal Information\NI Authentication 2019 19.00.49152 {E28CF12C-112B-4023-BBA3-C5D30CE583DC}\notice.txt
- Drops file in Windows directory (19 IoCs)
- Loads dropped DLL (11 IoCs)
  pid/process: 4296 MsiExec.exe (4 entries), 5104 MsiExec.exe (7 entries)
- System Location Discovery: System Language Discovery (1 TTPs, 2 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  - Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (MsiExec.exe)
  - Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (MsiExec.exe)
- Checks SCSI registry key(s) (3 TTPs, 5 IoCs)
  SCSI information is often read in order to detect sandboxing environments.
  Process: vssvc.exe
  - Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
  - Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters
  - Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters
  - Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr
  - Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 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
- Modifies data under HKEY_USERS (3 IoCs)
  - Key deleted \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27 (msiexec.exe)
  - Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\28 (msiexec.exe)
  - Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\27\52C64B7E (msiexec.exe)
- Modifies registry class (25 IoCs)
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
- Suspicious use of FindShellTrayWindow (2 IoCs)
  pid/process: 5776 msiexec.exe (2 entries)
- Suspicious use of WriteProcessMemory (8 IoCs)
  (description, pid, process, procid_target)
  - PID 4892 wrote to memory of 4296, 4892, msiexec.exe, 81
  - PID 4892 wrote to memory of 4296, 4892, msiexec.exe, 81
  - PID 4892 wrote to memory of 4296, 4892, msiexec.exe, 81
  - PID 4892 wrote to memory of 5268, 4892, msiexec.exe, 85
  - PID 4892 wrote to memory of 5268, 4892, msiexec.exe, 85
  - PID 4892 wrote to memory of 5104, 4892, msiexec.exe, 87
  - PID 4892 wrote to memory of 5104, 4892, msiexec.exe, 87
  - PID 4892 wrote to memory of 5104, 4892, msiexec.exe, 87
- Uses Volume Shadow Copy service COM API
  The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
- C:\Windows\system32\msiexec.exe (PID 5776)
  Command line: msiexec.exe /I "C:\Users\Admin\AppData\Local\Temp\SuperViewer Installer\Volume\bin\p15\niauth.msi"
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
- C:\Windows\system32\msiexec.exe (PID 4892)
  Command line: C:\Windows\system32\msiexec.exe /V
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Windows\syswow64\MsiExec.exe (PID 4296)
    Command line: C:\Windows\syswow64\MsiExec.exe -Embedding 822EDF332C380166259A964DFC3E210A C
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
  - C:\Windows\system32\srtasks.exe (PID 5268)
    Command line: C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  - C:\Windows\syswow64\MsiExec.exe (PID 5104)
    Command line: C:\Windows\syswow64\MsiExec.exe -Embedding BE96A3BE7C34A193F4D1F75C9301DF11
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
- C:\Windows\system32\vssvc.exe (PID 4352)
  Command line: C:\Windows\system32\vssvc.exe
  - Checks SCSI registry key(s)
Downloads