Analysis (score 6)
- max time kernel: 200s
- max time network: 212s
- platform: windows11-21h2_x64
- resource: win11-20250313-en
- resource tags: arch:x64, arch:x86, image:win11-20250313-en, locale:en-us, os:windows11-21h2-x64, system
- submitted: 28/03/2025, 13:52
Behavioral tasks (sample, resource)
- behavioral1: SuperViewer Installer/Volume/bin/p15/niauth.msi (win11-20250313-en)
- behavioral2: SuperViewer Installer/Volume/bin/p15/niauth64.msi (win11-20250313-en)
- behavioral3: SuperViewer Installer/Volume/bin/p16/nicurl.msi (win11-20250313-en)
- behavioral4: SuperViewer Installer/Volume/bin/p16/nicurl64.msi (win11-20250313-en)
- behavioral5: SuperViewer Installer/Volume/bin/p17/LabVI00/NIWebServer_LVRTE.msi (win11-20250313-en)
- behavioral6: SuperViewer Installer/Volume/bin/p18/LogosXT.msi (win11-20250313-en)
- behavioral7: SuperViewer Installer/Volume/bin/p18/LogosXT64.msi (win11-20250313-en)
- behavioral8: SuperViewer Installer/Volume/bin/p19/ni_error/ni_error_report.msi (win11-20250313-en)
- behavioral9: SuperViewer Installer/Volume/bin/p2/SystemRequirementsError.exe (win11-20250313-en)
- behavioral10: SuperViewer Installer/Volume/bin/p2/VC2015-32Wrapper.msi (win11-20250313-en)
- behavioral11: SuperViewer Installer/Volume/bin/p2/VC2015-64Wrapper.msi (win11-20250313-en)
- behavioral12: SuperViewer Installer/Volume/bin/p2/VC2015Core.msi (win11-20250313-en)
- behavioral13: SuperViewer Installer/Volume/bin/p2/VCRunTimeInstaller.exe (win11-20250314-en)
- behavioral14: SuperViewer Installer/Volume/bin/p2/vc_redist.x64.exe (win11-20250313-en)
- behavioral15: SuperViewer Installer/Volume/bin/p2/vc_redist.x86.exe (win11-20250313-en)
- behavioral16: SuperViewer Installer/Volume/bin/p20/activex.msi (win11-20250313-en)
- behavioral17: SuperViewer Installer/Volume/bin/p20/activex64.msi (win11-20250313-en)
- behavioral18: SuperViewer Installer/Volume/bin/p25/mkl.msi (win11-20250313-en)
- behavioral19: SuperViewer Installer/Volume/bin/p25/mkl64.msi (win11-20250313-en)
- behavioral20: SuperViewer Installer/Volume/bin/p26/logos.msi (win11-20250313-en)
- behavioral21: SuperViewer Installer/Volume/bin/p26/logos64.msi (win11-20250314-en)
- behavioral22: SuperViewer Installer/Volume/bin/p27/lvrteres/LV2019rteres.msi (win11-20250313-en)
- behavioral23: SuperViewer Installer/Volume/bin/p28/LV2019rtdnet.msi (win11-20250313-en)
- behavioral24: SuperViewer Installer/Volume/bin/p28/LV2019runtime.msi (win11-20250313-en)
- behavioral25: SuperViewer Installer/Volume/bin/p29/MStudioCW3DGraph.msi (win11-20250313-en)
- behavioral26: SuperViewer Installer/Volume/bin/p3/NISys00/NISysLogUtils.msi (win11-20250313-en)
- behavioral27: SuperViewer Installer/Volume/bin/p4/sslLVRTE/ssl_LVRTEsupp.msi (win11-20250313-en)
- behavioral28: SuperViewer Installer/Volume/bin/p5/NI_De00/dep_framework.msi (win11-20250313-en)
- behavioral29: SuperViewer Installer/Volume/bin/p6/KillBit.msi (win11-20250313-en)
- behavioral30: SuperViewer Installer/Volume/bin/p6/KillBit64.msi (win11-20250313-en)
- behavioral31: SuperViewer Installer/Volume/bin/p7/NITraceEngine.msi (win11-20250314-en)
- behavioral32: SuperViewer Installer/Volume/bin/p7/NITraceEngine64.msi (win11-20250314-en)
General
- Target: SuperViewer Installer/Volume/bin/p2/VC2015Core.msi
- Size: 1.1MB
- MD5: c5040d0c0052fc3afe894c738f278cd9
- SHA1: 2babd1f36bb856067600fb4da7ca0b0e132ee114
- SHA256: bed7a3ff0dd7760a2fd5c9127bb5e7a302ff1438563164a0dcb5b2bc04ca8d53
- SHA512: e3c71271cca693f61631494d312e8ffc4087e1d06f59ac7a8c732cdf9ed6436f51bb7a1e813f5017ee5d88204c6fe05bb2be220e14314bdc3b253b9fe55835b2
- SSDEEP: 24576:ejZ0Xo/3G5y+TQNxshTK+63S3ZgTqGgeSZUf/:ejCf7C2PJg6Uf
Malware Config
Signatures
- Enumerates connected drives (3 TTPs, 46 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  File opened (read-only) by msiexec.exe: \??\A:, \??\B:, \??\E:, \??\G:, \??\H:, \??\I:, \??\J:, \??\K:, \??\L:, \??\M:, \??\N:, \??\O:, \??\P:, \??\Q:, \??\R:, \??\S:, \??\T:, \??\U:, \??\V:, \??\W:, \??\X:, \??\Y:, \??\Z: (every drive letter except C:, D: and F:, each opened twice; 46 events in total)
- Drops file in Program Files directory (4 IoCs)
  File created by msiexec.exe:
  - C:\Program Files (x86)\National Instruments\_Legal Information\NI Microsoft Visual C++ 2015 Run-Time 14.15.49152 {AFC999BB-F270-46EF-B748-AE755EC75322}\notice.txt
  - C:\Program Files (x86)\National Instruments\Shared\MDF\Manifests\NI VC2015 Runtime {AFC999BB-F270-46EF-B748-AE755EC75322}.xml
  - C:\Program Files (x86)\National Instruments\Shared\WinMIF\ni-msvcrt-2015_14.1.5.49152-0+f0_windows_all {AFC999BB-F270-46EF-B748-AE755EC75322}.control
  - C:\Program Files (x86)\National Instruments\Shared\WinMIF\ni-msvcrt-2015_14.1.5.49152-0+f0_windows_all {AFC999BB-F270-46EF-B748-AE755EC75322}.instructions
- Drops file in Windows directory (19 IoCs), all by msiexec.exe
  - File created: C:\Windows\SystemTemp\~DFBF9BB6DE0884D154.TMP
  - File opened for modification: C:\Windows\Installer\MSIF4C6.tmp
  - File created: C:\Windows\Installer\e57f1e4.msi
  - File opened for modification: C:\Windows\Installer\e57f1e2.msi
  - File opened for modification: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log
  - File opened for modification: C:\Windows\Installer\MSIF220.tmp
  - File opened for modification: C:\Windows\Installer\MSIF465.tmp
  - File opened for modification: C:\Windows\Installer\MSIF476.tmp
  - File created: C:\Windows\Installer\SourceHash{AFC999BB-F270-46EF-B748-AE755EC75322}
  - File created: C:\Windows\SystemTemp\~DFCC1B9D8308E903D6.TMP
  - File opened for modification: C:\Windows\Installer\MSIF407.tmp
  - File created: C:\Windows\SystemTemp\~DFC718E114E1766CB6.TMP
  - File created: C:\Windows\Installer\e57f1e2.msi
  - File opened for modification: C:\Windows\Installer\MSIF3C7.tmp
  - File opened for modification: C:\Windows\Installer\MSIF487.tmp
  - File created: C:\Windows\Installer\inprogressinstallinfo.ipi
  - File created: C:\Windows\SystemTemp\~DF2AE9A002DCA34964.TMP
  - File opened for modification: C:\Windows\Installer\MSIF534.tmp
  - File opened for modification: C:\Windows\Installer\
- Loads dropped DLL (11 IoCs)
  - pid 2708 MsiExec.exe (4 events)
  - pid 704 MsiExec.exe (7 events)
- System Location Discovery: System Language Discovery (1 TTPs, 2 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by MsiExec.exe (2 events)
- Checks SCSI registry key(s) (3 TTPs, 5 IoCs), all by vssvc.exe
  SCSI information is often read in order to detect sandboxing environments.
  - Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr
  - Set value (data): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = [value omitted]
  - Set value (data): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters
  - Key queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters
- Modifies data under HKEY_USERS (3 IoCs), all by msiexec.exe
  - Key deleted: \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\27\52C64B7E
  - Key deleted: \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27
  - Key created: \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\28
- Modifies registry class (25 IoCs), all by msiexec.exe
  - Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\BB999CFA072FFE647B84EA57E57C3522
  - Set value (int): \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\BB999CFA072FFE647B84EA57E57C3522\Version = "235913216"
  - Set value (int): \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\BB999CFA072FFE647B84EA57E57C3522\AuthorizedLUAApp = "0"
  - Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\BB999CFA072FFE647B84EA57E57C3522\SourceList
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\BB999CFA072FFE647B84EA57E57C3522\SourceList\PackageName = "VC2015Core.msi"
  - Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\BB999CFA072FFE647B84EA57E57C3522\SourceList\Media
  - Set value (data): \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\BB999CFA072FFE647B84EA57E57C3522\Clients = 3a0000000000
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\BB999CFA072FFE647B84EA57E57C3522\NI_VC2015_Core.MIFVC2015CORE
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\BB999CFA072FFE647B84EA57E57C3522\NIMUFeature
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\BB999CFA072FFE647B84EA57E57C3522\PackageCode = "1C14691E9012A9342AF18A67281574F9"
  - Set value (int): \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\BB999CFA072FFE647B84EA57E57C3522\Assignment = "1"
  - Set value (int): \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\BB999CFA072FFE647B84EA57E57C3522\AdvertiseFlags = "388"
  - Set value (int): \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\BB999CFA072FFE647B84EA57E57C3522\DeploymentFlags = "3"
  - Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\EAB7E24D985607546B3AE3828839297E
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\BB999CFA072FFE647B84EA57E57C3522\SourceList\Media\DiskPrompt = "[1]"
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\BB999CFA072FFE647B84EA57E57C3522\ProductName = "NI Microsoft Visual C++ 2015 Run-Time"
  - Set value (int): \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\BB999CFA072FFE647B84EA57E57C3522\InstanceType = "0"
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\BB999CFA072FFE647B84EA57E57C3522\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\SuperViewer Installer\\Volume\\bin\\p2\\"
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\BB999CFA072FFE647B84EA57E57C3522\SourceList\Media\1 = ";"
  - Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\BB999CFA072FFE647B84EA57E57C3522
  - Set value (int): \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\BB999CFA072FFE647B84EA57E57C3522\Language = "9"
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\EAB7E24D985607546B3AE3828839297E\BB999CFA072FFE647B84EA57E57C3522
  - Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\BB999CFA072FFE647B84EA57E57C3522\SourceList\Net
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\BB999CFA072FFE647B84EA57E57C3522\SourceList\Media\2 = ";"
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\BB999CFA072FFE647B84EA57E57C3522\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\SuperViewer Installer\\Volume\\bin\\p2\\"
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  - pid 4248 msiexec.exe: Token: SeShutdownPrivilege, SeIncreaseQuotaPrivilege
  - pid 5840 msiexec.exe: Token: SeSecurityPrivilege
  - pid 4248 msiexec.exe then adjusts the following 29 privileges in this order, the full sequence twice and the first three a third time (61 events): SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeIncreaseQuotaPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
- Suspicious use of FindShellTrayWindow (2 IoCs)
  - pid 4248 msiexec.exe (2 events)
- Suspicious use of WriteProcessMemory (8 IoCs)
  - PID 5840 (msiexec.exe) wrote to memory of 2708, procid_target 81 (3 events)
  - PID 5840 (msiexec.exe) wrote to memory of 3860, procid_target 85 (2 events)
  - PID 5840 (msiexec.exe) wrote to memory of 704, procid_target 87 (3 events)
- Uses Volume Shadow Copy service COM API
  The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
- C:\Windows\system32\msiexec.exe (PID 4248)
  Command line: msiexec.exe /I "C:\Users\Admin\AppData\Local\Temp\SuperViewer Installer\Volume\bin\p2\VC2015Core.msi"
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
- C:\Windows\system32\msiexec.exe (PID 5840)
  Command line: C:\Windows\system32\msiexec.exe /V
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Windows\syswow64\MsiExec.exe (PID 2708)
    Command line: C:\Windows\syswow64\MsiExec.exe -Embedding 8FC04822B8400510534FD985C1998111 C
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
  - C:\Windows\system32\srtasks.exe (PID 3860)
    Command line: C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  - C:\Windows\syswow64\MsiExec.exe (PID 704)
    Command line: C:\Windows\syswow64\MsiExec.exe -Embedding 75A73D791776CC6A4870FD2290E2F031
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
- C:\Windows\system32\vssvc.exe (PID 6080)
  Command line: C:\Windows\system32\vssvc.exe
  - Checks SCSI registry key(s)
Network
MITRE ATT&CK Enterprise v15
Downloads
- Dropped file (path not recorded)
  - Filesize: 14KB
  - MD5: eff936a9672efe8d7259039505b28fec
  - SHA1: ab79f61c4f31e5bd7121bb84d05bf738c54fe4e5
  - SHA256: 8b50808f66301125f6ca76fc8d21e83eb508a1d159ccfac03ca2d73cd4617de6
  - SHA512: ecf37cac4d40cc6b7d18bc1dd6e824258988636f1036c73def0ed2a0e0d3e98e00185aa43f5005bb504c863912aacca9b3b80ca60abf67026fcbd4edd7c2dfc7
- Dropped file (path not recorded)
  - Filesize: 639KB
  - MD5: c6417930af8969f9f2cb431acd76ec89
  - SHA1: d2f2dc9b44f5f79348f7f36091b26a5465ad4f2b
  - SHA256: 1b89704532113150fc7a8a06b5367ee26937c346635a860e93662e1fbb5cd79b
  - SHA512: f30d7a5b51f5d866ccabf3e15a45d3b4013e28a9bdaaf2176e8b121fbd4ab41a8e67c059b2ece8db5bc7a0ce043e76bbc4e3f6400fb9cd2886e1ffcd9e65d79b
- Dropped file (path not recorded; hashes match the analysed VC2015Core.msi target)
  - Filesize: 1.1MB
  - MD5: c5040d0c0052fc3afe894c738f278cd9
  - SHA1: 2babd1f36bb856067600fb4da7ca0b0e132ee114
  - SHA256: bed7a3ff0dd7760a2fd5c9127bb5e7a302ff1438563164a0dcb5b2bc04ca8d53
  - SHA512: e3c71271cca693f61631494d312e8ffc4087e1d06f59ac7a8c732cdf9ed6436f51bb7a1e813f5017ee5d88204c6fe05bb2be220e14314bdc3b253b9fe55835b2
- Dropped file (path not recorded)
  - Filesize: 24.6MB
  - MD5: f18d0f235afed7d5b94763c28b9cd42b
  - SHA1: 4450ca310a2884d975484449bc334176385cd942
  - SHA256: db2dc1c80f534ba2d462c994d4a81dbcd37147d14204ed4449267aad1ad8881e
  - SHA512: f3349f99683355028d03f716802990f8eef40a2976db56e83e7fd7da78a7611c7ac158be34d3daaaebf8573ecf5eb64b4d8054858637af25f1dd683183c78144
- \??\Volume{4eac8ed7-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{cb742c55-adb3-40c6-ba3c-b180692f142c}_OnDiskSnapshotProp
  - Filesize: 6KB
  - MD5: 115a26f00b7ab9af70cc75dd24d3bffb
  - SHA1: 9794fb848c94594029f46176e6e5a4eae95f7176
  - SHA256: 3c45600fca8a650c35cdad068a55f02547c951aeffb6e8a1cd07f97787f2b4c8
  - SHA512: 263e7d6a08bc25dfb71f9495bbfbf5fe7896cad8a41cd564bb41392e6dfc3547f0285286b6b77d4dcfbc47799a3057097edd0797ad624249a8129ba24d8efd3d