9acec82250082db98a156292e9aebc2ba22ae177f8003fe29d7e59b220e14ebc

Analysis

max time kernel
220s
max time network
201s
platform
windows11-21h2_x64
resource
win11-20250313-en
resource tags

arch:x64arch:x86image:win11-20250313-enlocale:en-usos:windows11-21h2-x64system
submitted
28/03/2025, 13:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SuperViewer Installer/Volume/bin/p25/mkl.msi
Size

1.1MB
MD5

fb9f33ec0782257bc7a3db6c1c79dd2e
SHA1

8db2e3e98514d702e2abf1c26f52f9df99c8aace
SHA256

2581e85c1a7accaf85babf7f4c8092856289a6fb90308966c7f29d94dab14a1a
SHA512

5ee439b61bf8e79199e16fce549fefc896a54c67822c302afae706a31ce0b48623ae7defc8b7450b8ac08f5557cc7c9aaf3c9fdc45d419edb2d0d604a3613ced
SSDEEP

24576:BFMt9Ro/3GNP42Is+TQNxshTK+63S3ZgTqGgeSZUf/:BFMt9VP42IlC2PJg6Uf

Score

6^/10

discovery

Malware Config

Signatures

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\National Instruments\Shared\WinMIF\ni-mkl-2017_17.0.1.49152-0+f0_windows_all {6A8A28A0-4568-4718-A3E7-F951C191602B}.control	msiexec.exe
File created	C:\Program Files (x86)\National Instruments\Shared\MKL\LV170000_BLASLAPACK\LV170000_BLASLAPACK.dll	msiexec.exe
File created	C:\Program Files (x86)\National Instruments\_Legal Information\Math Kernel Libraries 17.01.49152 {6A8A28A0-4568-4718-A3E7-F951C191602B}\notice.txt	msiexec.exe
File created	C:\Program Files (x86)\National Instruments\Shared\MDF\Manifests\Math Kernel Libraries {6A8A28A0-4568-4718-A3E7-F951C191602B}.xml	msiexec.exe

Drops file in Windows directory 19 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\MSI31E8.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI349D.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI354A.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI35D7.tmp	msiexec.exe
File created	C:\Windows\SystemTemp\~DFC5CD98E9F20156C5.TMP	msiexec.exe
File created	C:\Windows\Installer\e58317b.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI345C.tmp	msiexec.exe
File created	C:\Windows\Installer\SourceHash{6A8A28A0-4568-4718-A3E7-F951C191602B}	msiexec.exe
File created	C:\Windows\SystemTemp\~DFF4960C89B54F19F0.TMP	msiexec.exe
File opened for modification	C:\Windows\Installer\e58317b.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI346D.tmp	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File created	C:\Windows\SystemTemp\~DFA8CFDD80B5799A0E.TMP	msiexec.exe
File created	C:\Windows\Installer\e58317d.msi	msiexec.exe
File created	C:\Windows\SystemTemp\~DF0B3F1E21417A6EA5.TMP	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI3360.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI33FE.tmp	msiexec.exe

Loads dropped DLL 11 IoCs

pid	Process
880	MsiExec.exe
880	MsiExec.exe
880	MsiExec.exe
880	MsiExec.exe
572	MsiExec.exe
572	MsiExec.exe
572	MsiExec.exe
572	MsiExec.exe
572	MsiExec.exe
572	MsiExec.exe
572	MsiExec.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 000000000400000016c72ef864aebe750000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff00000000270101000008000016c72ef80000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff00000000070001000068090016c72ef8000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1d16c72ef8000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff00000000000000000000000016c72ef800000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe

Modifies data under HKEY_USERS 3 IoCs

description	ioc	Process
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\27\52C64B7E	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\28	msiexec.exe

Modifies registry class 25 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0A82A8A6865481743A7E9F151C1906B2\SourceList	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0A82A8A6865481743A7E9F151C1906B2\SourceList\Media	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0A82A8A6865481743A7E9F151C1906B2\SourceList\Media\1 = ";"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\0A82A8A6865481743A7E9F151C1906B2\MKL.LV.MKL2017	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0A82A8A6865481743A7E9F151C1906B2\Version = "285327360"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0A82A8A6865481743A7E9F151C1906B2\AdvertiseFlags = "388"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0A82A8A6865481743A7E9F151C1906B2\SourceList\PackageName = "mkl.msi"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0A82A8A6865481743A7E9F151C1906B2\SourceList\Net	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0A82A8A6865481743A7E9F151C1906B2\SourceList\Media\2 = ";"	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0A82A8A6865481743A7E9F151C1906B2\Clients = 3a0000000000	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0A82A8A6865481743A7E9F151C1906B2\Assignment = "1"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0A82A8A6865481743A7E9F151C1906B2\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\SuperViewer Installer\\Volume\\bin\\p25\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0A82A8A6865481743A7E9F151C1906B2\SourceList\Media\DiskPrompt = "[1]"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\0A82A8A6865481743A7E9F151C1906B2	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\0A82A8A6865481743A7E9F151C1906B2\NIMUFeature	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0A82A8A6865481743A7E9F151C1906B2\ProductName = "Math Kernel Libraries"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0A82A8A6865481743A7E9F151C1906B2\InstanceType = "0"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0A82A8A6865481743A7E9F151C1906B2\DeploymentFlags = "3"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\5CA1C9962FC2547469471B5963BE8A3A\0A82A8A6865481743A7E9F151C1906B2	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0A82A8A6865481743A7E9F151C1906B2\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\SuperViewer Installer\\Volume\\bin\\p25\\"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0A82A8A6865481743A7E9F151C1906B2	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0A82A8A6865481743A7E9F151C1906B2\PackageCode = "42E7193790FFFC84BA4CC4462B55023E"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0A82A8A6865481743A7E9F151C1906B2\Language = "0"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0A82A8A6865481743A7E9F151C1906B2\AuthorizedLUAApp = "0"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\5CA1C9962FC2547469471B5963BE8A3A	msiexec.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4516	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4516	msiexec.exe
Token: SeSecurityPrivilege	4088	msiexec.exe
Token: SeCreateTokenPrivilege	4516	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	4516	msiexec.exe
Token: SeLockMemoryPrivilege	4516	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4516	msiexec.exe
Token: SeMachineAccountPrivilege	4516	msiexec.exe
Token: SeTcbPrivilege	4516	msiexec.exe
Token: SeSecurityPrivilege	4516	msiexec.exe
Token: SeTakeOwnershipPrivilege	4516	msiexec.exe
Token: SeLoadDriverPrivilege	4516	msiexec.exe
Token: SeSystemProfilePrivilege	4516	msiexec.exe
Token: SeSystemtimePrivilege	4516	msiexec.exe
Token: SeProfSingleProcessPrivilege	4516	msiexec.exe
Token: SeIncBasePriorityPrivilege	4516	msiexec.exe
Token: SeCreatePagefilePrivilege	4516	msiexec.exe
Token: SeCreatePermanentPrivilege	4516	msiexec.exe
Token: SeBackupPrivilege	4516	msiexec.exe
Token: SeRestorePrivilege	4516	msiexec.exe
Token: SeShutdownPrivilege	4516	msiexec.exe
Token: SeDebugPrivilege	4516	msiexec.exe
Token: SeAuditPrivilege	4516	msiexec.exe
Token: SeSystemEnvironmentPrivilege	4516	msiexec.exe
Token: SeChangeNotifyPrivilege	4516	msiexec.exe
Token: SeRemoteShutdownPrivilege	4516	msiexec.exe
Token: SeUndockPrivilege	4516	msiexec.exe
Token: SeSyncAgentPrivilege	4516	msiexec.exe
Token: SeEnableDelegationPrivilege	4516	msiexec.exe
Token: SeManageVolumePrivilege	4516	msiexec.exe
Token: SeImpersonatePrivilege	4516	msiexec.exe
Token: SeCreateGlobalPrivilege	4516	msiexec.exe
Token: SeCreateTokenPrivilege	4516	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	4516	msiexec.exe
Token: SeLockMemoryPrivilege	4516	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4516	msiexec.exe
Token: SeMachineAccountPrivilege	4516	msiexec.exe
Token: SeTcbPrivilege	4516	msiexec.exe
Token: SeSecurityPrivilege	4516	msiexec.exe
Token: SeTakeOwnershipPrivilege	4516	msiexec.exe
Token: SeLoadDriverPrivilege	4516	msiexec.exe
Token: SeSystemProfilePrivilege	4516	msiexec.exe
Token: SeSystemtimePrivilege	4516	msiexec.exe
Token: SeProfSingleProcessPrivilege	4516	msiexec.exe
Token: SeIncBasePriorityPrivilege	4516	msiexec.exe
Token: SeCreatePagefilePrivilege	4516	msiexec.exe
Token: SeCreatePermanentPrivilege	4516	msiexec.exe
Token: SeBackupPrivilege	4516	msiexec.exe
Token: SeRestorePrivilege	4516	msiexec.exe
Token: SeShutdownPrivilege	4516	msiexec.exe
Token: SeDebugPrivilege	4516	msiexec.exe
Token: SeAuditPrivilege	4516	msiexec.exe
Token: SeSystemEnvironmentPrivilege	4516	msiexec.exe
Token: SeChangeNotifyPrivilege	4516	msiexec.exe
Token: SeRemoteShutdownPrivilege	4516	msiexec.exe
Token: SeUndockPrivilege	4516	msiexec.exe
Token: SeSyncAgentPrivilege	4516	msiexec.exe
Token: SeEnableDelegationPrivilege	4516	msiexec.exe
Token: SeManageVolumePrivilege	4516	msiexec.exe
Token: SeImpersonatePrivilege	4516	msiexec.exe
Token: SeCreateGlobalPrivilege	4516	msiexec.exe
Token: SeCreateTokenPrivilege	4516	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	4516	msiexec.exe
Token: SeLockMemoryPrivilege	4516	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
4516	msiexec.exe
4516	msiexec.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 4088 wrote to memory of 880	4088	msiexec.exe	84
PID 4088 wrote to memory of 880	4088	msiexec.exe	84
PID 4088 wrote to memory of 880	4088	msiexec.exe	84
PID 4088 wrote to memory of 2524	4088	msiexec.exe	88
PID 4088 wrote to memory of 2524	4088	msiexec.exe	88
PID 4088 wrote to memory of 572	4088	msiexec.exe	90
PID 4088 wrote to memory of 572	4088	msiexec.exe	90
PID 4088 wrote to memory of 572	4088	msiexec.exe	90

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\msiexec.exe
msiexec.exe /I "C:\Users\Admin\AppData\Local\Temp\SuperViewer Installer\Volume\bin\p25\mkl.msi"
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4516

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4088
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 1DF31A56811B768A73E64C01984FE765 C
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:880
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  PID:2524
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 649373F8E67A0055A0F24A10667BFD82
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:572

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
PID:4360

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e58317c.rbs

Filesize
13KB

MD5
8259dea6ca62158610fa06590f7a82fd

SHA1
a3ef62dc0dc126a6637defd277cc3d486b0808b4

SHA256
066aaef2e0c220ed58b4145900132bb62721507855a6a2bb995f9b0bd94a6109

SHA512
4a29801488eb33eda12a80402b4d09dc0693d9754a93baecfcc9b0c7e81fbce2745589c6fdf9cb5f5ad2ac9c49ed5e865eeb2899f28e4fdbfbc62e79cb3da574

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI97DB.tmp

Filesize
639KB

MD5
c6417930af8969f9f2cb431acd76ec89

SHA1
d2f2dc9b44f5f79348f7f36091b26a5465ad4f2b

SHA256
1b89704532113150fc7a8a06b5367ee26937c346635a860e93662e1fbb5cd79b

SHA512
f30d7a5b51f5d866ccabf3e15a45d3b4013e28a9bdaaf2176e8b121fbd4ab41a8e67c059b2ece8db5bc7a0ce043e76bbc4e3f6400fb9cd2886e1ffcd9e65d79b

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

Filesize
24.6MB

MD5
121ed336f4cadca398eabf48e1ab7b86

SHA1
e773656cfc900709e640b8eb230b9cb5a26637e2

SHA256
450b5368bdd275fe2e0b8e9cada9ce853d0049df590567aefe136098c7786079

SHA512
545df2921158a280d2da7df4fb12d2d6889575fee658b2c405ed7ebe7483720757b1033aba65bf4e19654e849cc1bed77843214a657c771d3d8ac884b0ab390f

Download Submit
\??\Volume{f82ec716-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{b3973f3f-3c6e-4b93-920d-5ee80b1b15bc}_OnDiskSnapshotProp

Filesize
6KB

MD5
c48ecceb18103e9ff44d8310986cba51

SHA1
78834945f0e61de7c40b69ac4ca22d2f89181cca

SHA256
51b0caa48f74988ad4d4d428eae8098bffc9cfee43c69280ea52440af404b9f5

SHA512
7b2c0c833f70f1e139e6ae64a1cd8517499750842e19d961ed83415e41af7168552f6844c2ad87caab0ea6926ea669c36f8a193c42f21433df515238b51b58cc

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads