Analysis
- max time kernel: 219s
- max time network: 289s
- platform: windows11-21h2_x64
- resource: win11-20250313-en
- resource tags: arch:x64, arch:x86, image:win11-20250313-en, locale:en-us, os:windows11-21h2-x64, system
- submitted: 28/03/2025, 13:52
Behavioral tasks (sample, resource)
- behavioral1: SuperViewer Installer/Volume/bin/p15/niauth.msi (win11-20250313-en)
- behavioral2: SuperViewer Installer/Volume/bin/p15/niauth64.msi (win11-20250313-en)
- behavioral3: SuperViewer Installer/Volume/bin/p16/nicurl.msi (win11-20250313-en)
- behavioral4: SuperViewer Installer/Volume/bin/p16/nicurl64.msi (win11-20250313-en)
- behavioral5: SuperViewer Installer/Volume/bin/p17/LabVI00/NIWebServer_LVRTE.msi (win11-20250313-en)
- behavioral6: SuperViewer Installer/Volume/bin/p18/LogosXT.msi (win11-20250313-en)
- behavioral7: SuperViewer Installer/Volume/bin/p18/LogosXT64.msi (win11-20250313-en)
- behavioral8: SuperViewer Installer/Volume/bin/p19/ni_error/ni_error_report.msi (win11-20250313-en)
- behavioral9: SuperViewer Installer/Volume/bin/p2/SystemRequirementsError.exe (win11-20250313-en)
- behavioral10: SuperViewer Installer/Volume/bin/p2/VC2015-32Wrapper.msi (win11-20250313-en)
- behavioral11: SuperViewer Installer/Volume/bin/p2/VC2015-64Wrapper.msi (win11-20250313-en)
- behavioral12: SuperViewer Installer/Volume/bin/p2/VC2015Core.msi (win11-20250313-en)
- behavioral13: SuperViewer Installer/Volume/bin/p2/VCRunTimeInstaller.exe (win11-20250314-en)
- behavioral14: SuperViewer Installer/Volume/bin/p2/vc_redist.x64.exe (win11-20250313-en)
- behavioral15: SuperViewer Installer/Volume/bin/p2/vc_redist.x86.exe (win11-20250313-en)
- behavioral16: SuperViewer Installer/Volume/bin/p20/activex.msi (win11-20250313-en)
- behavioral17: SuperViewer Installer/Volume/bin/p20/activex64.msi (win11-20250313-en)
- behavioral18: SuperViewer Installer/Volume/bin/p25/mkl.msi (win11-20250313-en)
- behavioral19: SuperViewer Installer/Volume/bin/p25/mkl64.msi (win11-20250313-en)
- behavioral20: SuperViewer Installer/Volume/bin/p26/logos.msi (win11-20250313-en)
- behavioral21: SuperViewer Installer/Volume/bin/p26/logos64.msi (win11-20250314-en)
- behavioral22: SuperViewer Installer/Volume/bin/p27/lvrteres/LV2019rteres.msi (win11-20250313-en)
- behavioral23: SuperViewer Installer/Volume/bin/p28/LV2019rtdnet.msi (win11-20250313-en)
- behavioral24: SuperViewer Installer/Volume/bin/p28/LV2019runtime.msi (win11-20250313-en)
- behavioral25: SuperViewer Installer/Volume/bin/p29/MStudioCW3DGraph.msi (win11-20250313-en)
- behavioral26: SuperViewer Installer/Volume/bin/p3/NISys00/NISysLogUtils.msi (win11-20250313-en)
- behavioral27: SuperViewer Installer/Volume/bin/p4/sslLVRTE/ssl_LVRTEsupp.msi (win11-20250313-en)
- behavioral28: SuperViewer Installer/Volume/bin/p5/NI_De00/dep_framework.msi (win11-20250313-en)
- behavioral29: SuperViewer Installer/Volume/bin/p6/KillBit.msi (win11-20250313-en)
- behavioral30: SuperViewer Installer/Volume/bin/p6/KillBit64.msi (win11-20250313-en)
- behavioral31: SuperViewer Installer/Volume/bin/p7/NITraceEngine.msi (win11-20250314-en)
- behavioral32: SuperViewer Installer/Volume/bin/p7/NITraceEngine64.msi (win11-20250314-en)
General
- Target: SuperViewer Installer/Volume/bin/p29/MStudioCW3DGraph.msi
- Size: 1.2MB
- MD5: cd230033c44fdbce4ccad5b92768d72a
- SHA1: 9a203100103225d442b871eb8636f5fcd340d1aa
- SHA256: d9b5a374295169de75dc574fa10be3214d074d8344ff1b9a5a7d9efa05a2142c
- SHA512: 9bbd32c4f964f3df83e223cb4d9a9ea5737f2e17c5f6d9924f852ac151f4ea0b29adc35bdd8f5bdaf601044cf3a9bbf0b40920faa48fa2940d4c05f9144ea84d
- SSDEEP: 24576:cao/3f1v+TQNxshTK+63S3ZgTqGgeSZUf/q:c5mC2PJg6Uf
Malware Config
Signatures
Enumerates connected drives 3 TTPs 46 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\R: | msiexec.exe
File opened (read-only) | \??\T: | msiexec.exe
File opened (read-only) | \??\Z: | msiexec.exe
File opened (read-only) | \??\A: | msiexec.exe
File opened (read-only) | \??\O: | msiexec.exe
File opened (read-only) | \??\S: | msiexec.exe
File opened (read-only) | \??\U: | msiexec.exe
File opened (read-only) | \??\V: | msiexec.exe
File opened (read-only) | \??\Y: | msiexec.exe
File opened (read-only) | \??\P: | msiexec.exe
File opened (read-only) | \??\B: | msiexec.exe
File opened (read-only) | \??\H: | msiexec.exe
File opened (read-only) | \??\X: | msiexec.exe
File opened (read-only) | \??\Z: | msiexec.exe
File opened (read-only) | \??\Q: | msiexec.exe
File opened (read-only) | \??\G: | msiexec.exe
File opened (read-only) | \??\P: | msiexec.exe
File opened (read-only) | \??\Q: | msiexec.exe
File opened (read-only) | \??\H: | msiexec.exe
File opened (read-only) | \??\A: | msiexec.exe
File opened (read-only) | \??\O: | msiexec.exe
File opened (read-only) | \??\S: | msiexec.exe
File opened (read-only) | \??\Y: | msiexec.exe
File opened (read-only) | \??\I: | msiexec.exe
File opened (read-only) | \??\K: | msiexec.exe
File opened (read-only) | \??\L: | msiexec.exe
File opened (read-only) | \??\G: | msiexec.exe
File opened (read-only) | \??\K: | msiexec.exe
File opened (read-only) | \??\V: | msiexec.exe
File opened (read-only) | \??\X: | msiexec.exe
File opened (read-only) | \??\B: | msiexec.exe
File opened (read-only) | \??\E: | msiexec.exe
File opened (read-only) | \??\M: | msiexec.exe
File opened (read-only) | \??\N: | msiexec.exe
File opened (read-only) | \??\E: | msiexec.exe
File opened (read-only) | \??\J: | msiexec.exe
File opened (read-only) | \??\T: | msiexec.exe
File opened (read-only) | \??\W: | msiexec.exe
File opened (read-only) | \??\I: | msiexec.exe
File opened (read-only) | \??\N: | msiexec.exe
File opened (read-only) | \??\U: | msiexec.exe
File opened (read-only) | \??\L: | msiexec.exe
File opened (read-only) | \??\M: | msiexec.exe
File opened (read-only) | \??\R: | msiexec.exe
File opened (read-only) | \??\W: | msiexec.exe
File opened (read-only) | \??\J: | msiexec.exe
Drops file in System32 directory 2 IoCs
description | ioc | Process
File created | C:\Windows\SysWOW64\cw3dgrph.dep | msiexec.exe
File created | C:\Windows\SysWOW64\cw3dgrph.ocx | msiexec.exe
Drops file in Program Files directory 15 IoCs
description | ioc | Process
File created | C:\Program Files (x86)\Common Files\Merge Modules\cw3dgrph.ver | msiexec.exe
File created | C:\Program Files (x86)\National Instruments\Shared\MeasurementStudio\Help\cw3dgrph.ver | msiexec.exe
File created | C:\Program Files (x86)\National Instruments\Shared\MeasurementStudio\Help\current.ver | msiexec.exe
File created | C:\Program Files (x86)\National Instruments\Shared\MeasurementStudio\cw3dgrphSaveAs.ver | msiexec.exe
File created | C:\Program Files (x86)\National Instruments\_Legal Information\NI Measurement Studio ComponentWorks 3D Graph 8.75.49152 {A9B6FC03-1277-40DF-A475-32389FD27883}\notice.txt | msiexec.exe
File created | C:\Program Files (x86)\National Instruments\Shared\MeasurementStudio\Help\cw3dgrph.chm | msiexec.exe
File created | C:\Program Files (x86)\National Instruments\Shared\MeasurementStudio\Help\MStudioActiveX.chm | msiexec.exe
File created | C:\Program Files (x86)\Common Files\Merge Modules\niMetaUtils_x64.msm | msiexec.exe
File created | C:\Program Files (x86)\National Instruments\Shared\MeasurementStudio\Help\NIVC3dgraph.chm | msiexec.exe
File created | C:\Program Files (x86)\National Instruments\Shared\MDF\Manifests\NI Measurement Studio ActiveX 3D Graph Control {A9B6FC03-1277-40DF-A475-32389FD27883}.xml | msiexec.exe
File created | C:\Program Files (x86)\Common Files\Merge Modules\CW3DGraph_OCX.msm | msiexec.exe
File created | C:\Program Files (x86)\National Instruments\Shared\MeasurementStudio\Help\cw3dgrph.hlp | msiexec.exe
File created | C:\Program Files (x86)\Common Files\Merge Modules\metautil.ver | msiexec.exe
File created | C:\Program Files (x86)\Common Files\Merge Modules\niMetaUtils.msm | msiexec.exe
File created | C:\Program Files (x86)\National Instruments\Shared\WinMIF\ni-mstudio-cw3dgraph_8.7.5.49152-0+f0_windows_all {A9B6FC03-1277-40DF-A475-32389FD27883}.control | msiexec.exe
Drops file in Windows directory 20 IoCs
description | ioc | Process
File opened for modification | C:\Windows\Installer\MSIA8.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\ | msiexec.exe
File opened for modification | C:\Windows\Installer\MSICC5.tmp | msiexec.exe
File created | C:\Windows\SystemTemp\~DF309C5DFB7A2CA7A8.TMP | msiexec.exe
File opened for modification | C:\Windows\Installer\MSIFF6E.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI619.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI648.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI669.tmp | msiexec.exe
File created | C:\Windows\Installer\inprogressinstallinfo.ipi | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI6A9.tmp | msiexec.exe
File created | C:\Windows\Installer\e57ff30.msi | msiexec.exe
File opened for modification | C:\Windows\Installer\e57ff30.msi | msiexec.exe
File opened for modification | C:\Windows\Installer\MSIB9.tmp | msiexec.exe
File created | C:\Windows\Installer\SourceHash{A9B6FC03-1277-40DF-A475-32389FD27883} | msiexec.exe
File created | C:\Windows\Installer\e57ff32.msi | msiexec.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI679.tmp | msiexec.exe
File created | C:\Windows\SystemTemp\~DF6A69F1A178442E3C.TMP | msiexec.exe
File created | C:\Windows\SystemTemp\~DF668882A5D6D58B07.TMP | msiexec.exe
File created | C:\Windows\SystemTemp\~DF8CD18FB04FA258B4.TMP | msiexec.exe
Loads dropped DLL 12 IoCs
pid | Process
3260 | MsiExec.exe
3260 | MsiExec.exe
3260 | MsiExec.exe
3260 | MsiExec.exe
4664 | MsiExec.exe
4664 | MsiExec.exe
4664 | MsiExec.exe
4664 | MsiExec.exe
4664 | MsiExec.exe
4664 | MsiExec.exe
4664 | MsiExec.exe
4664 | MsiExec.exe
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | MsiExec.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | MsiExec.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | MsiExec.exe
Checks SCSI registry key(s) 3 TTPs 5 IoCs
SCSI information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters | vssvc.exe
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters | vssvc.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr | vssvc.exe
Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = ... | vssvc.exe
Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | vssvc.exe
Modifies Internet Explorer settings 3 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{2AFA9F10-0B6A-11D2-A250-00A024D8324D} | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{2AFA9F10-0B6A-11D2-A250-00A024D8324D}\AlternateCLSID = "{819DA5E3-4623-498A-BB34-EFDB04F68713}" | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{2AFA9F10-0B6A-11D2-A250-00A024D8324D}\Compatibility Flags = "8388608" | msiexec.exe
Modifies data under HKEY_USERS 3 IoCs
description | ioc | Process
Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\27\52C64B7E | msiexec.exe
Key deleted | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27 | msiexec.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\28 | msiexec.exe
Modifies registry class 64 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{5958ED07-23F0-4D45-BB5B-E91C8953219E}\TypeLib | MsiExec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{911DB943-346B-40FD-8CAC-ADEF64D70475}\ = "CWLights_CI" | MsiExec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{46E1F5FB-D0EA-4F7E-8E51-B345043AA885}\ProxyStubClsid32 | MsiExec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\30CF6B9A7721FD044A572383F92D8738\SourceList\PackageName = "MStudioCW3DGraph.msi" | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{FD641000-322D-11D2-A3A3-00A024D8325C} | MsiExec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\30CF6B9A7721FD044A572383F92D8738\SourceList\Media | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C02A7541-5364-11D2-9373-00A02411EBE6}\1.6\0 | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6810EEF1-232D-11D2-BEC7-00A024585300}\ProxyStubClsid32 | MsiExec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{FD640FD0-322D-11D2-A3A3-00A024D8325C}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}" | MsiExec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D76C5891-2ABD-4A91-AE60-EAD3E6DAB1D5} | MsiExec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{911DB943-346B-40FD-8CAC-ADEF64D70475} | MsiExec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8A877ABC-3F1F-4575-9DDA-6457248B2ABA}\TypeLib\ = "{C02A7541-5364-11D2-9373-00A02411EBE6}" | MsiExec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Graph3DCtrl.Graph3DCtrlProxy | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6810EEF1-232D-11D2-BEC7-00A024585300} | MsiExec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{FD640FD0-322D-11D2-A3A3-00A024D8325C}\ = "CWPlots3D" | MsiExec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{B1AABB61-15B1-11D2-A253-00A024D8324D} | MsiExec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3D17EA62-6CA6-478C-AAB8-E45B8394D9C6}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | MsiExec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C90E4E92-D0F3-49B1-8A9B-678EE9E3A94F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | MsiExec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C02A7541-5364-11D2-9373-00A02411EBE6}\1.6\FLAGS\ = "2" | MsiExec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1707911E-094A-47DC-98DF-E83BC5AF3FF0}\TypeLib\ = "{C02A7541-5364-11D2-9373-00A02411EBE6}" | MsiExec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EA446722-595A-11D2-A3AA-00A024D8325C}\InprocServer32 | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6050ED05-78AE-4C21-8723-96F6F713B431}\InprocServer32\ThreadingModel = "Apartment" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{74362B99-2D80-4283-8BA9-AFC0DC182FCA}\ = "CWValuePairs_CI" | MsiExec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1707911E-094A-47DC-98DF-E83BC5AF3FF0}\TypeLib | MsiExec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\30CF6B9A7721FD044A572383F92D8738\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\SuperViewer Installer\\Volume\\bin\\p29\\" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E168E231-C75C-11CE-A890-0020AF6845F6}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}" | MsiExec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{5958ED07-23F0-4D45-BB5B-E91C8953219E} | MsiExec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2AFA9F11-0B6A-11D2-A250-00A024D8324D}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}" | MsiExec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6810EEF1-232D-11D2-BEC7-00A024585300}\ = "CWTicks3D" | MsiExec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2FB97641-230A-11D2-A253-00A024D8324D}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}" | MsiExec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{02613902-E39B-4FF8-AA0F-65DA263E286A}\TypeLib\Version = "1.6" | MsiExec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{46E1F5FB-D0EA-4F7E-8E51-B345043AA885}\ = "CWCursor3D_CI" | MsiExec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EA446722-595A-11D2-A3AA-00A024D8325C}\InprocServer32\ = "C:\\Windows\\SysWOW64\\cw3dgrph.ocx" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7ADE1830-2583-11D2-A39E-00A024D8325C}\InprocServer32\ = "C:\\Windows\\SysWOW64\\cw3dgrph.ocx" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CW3DGraphLib.CWGraph3D.1\CLSID\ = "{819DA5E3-4623-498A-BB34-EFDB04F68713}" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9B41D330-36CF-11D2-A3A3-00A024D8325C}\TypeLib\Version = "1.6" | MsiExec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9B41D330-36CF-11D2-A3A3-00A024D8325C}\TypeLib\ = "{C02A7541-5364-11D2-9373-00A02411EBE6}" | MsiExec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E4B1BF00-36CF-11D2-A3A3-00A024D8325C}\ProxyStubClsid32 | MsiExec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8C7EDD7A-46A6-4CA9-B820-C52D3AB2251F}\TypeLib | MsiExec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E4FE33CC-DFB0-4C19-9D1B-90098653CC73} | MsiExec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2AFA9F10-0B6A-11D2-A250-00A024D8324D}\Implemented Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4} | msiexec.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C02A7541-5364-11D2-9373-00A02411EBE6}\1.6\0 | MsiExec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C02A7541-5364-11D2-9373-00A02411EBE6} | MsiExec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3D17EA62-6CA6-478C-AAB8-E45B8394D9C6} | MsiExec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{02613902-E39B-4FF8-AA0F-65DA263E286A}\ProxyStubClsid32 | MsiExec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{911DB943-346B-40FD-8CAC-ADEF64D70475}\ProxyStubClsid32 | MsiExec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2FB97641-230A-11D2-A253-00A024D8324D} | MsiExec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E4B1BF00-36CF-11D2-A3A3-00A024D8325C}\ProxyStubClsid32 | MsiExec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3D17EA62-6CA6-478C-AAB8-E45B8394D9C6}\ = "CWAxis3D_CI" | MsiExec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2AFA9F12-0B6A-11D2-A250-00A024D8324D}\TypeLib\ = "{C02A7541-5364-11D2-9373-00A02411EBE6}" | MsiExec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EA446721-595A-11D2-A3AA-00A024D8325C}\InprocServer32\ = "C:\\Windows\\SysWOW64\\cw3dgrph.ocx" | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9B41D330-36CF-11D2-A3A3-00A024D8325C}\TypeLib | MsiExec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F32E05B0-15B6-11D2-A253-00A024D8324D}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}" | MsiExec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FD640FD0-322D-11D2-A3A3-00A024D8325C}\TypeLib\ = "{C02A7541-5364-11D2-9373-00A02411EBE6}" | MsiExec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F32E05B0-15B6-11D2-A253-00A024D8324D}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}" | MsiExec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{74362B99-2D80-4283-8BA9-AFC0DC182FCA} | MsiExec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\30CF6B9A7721FD044A572383F92D8738\Assignment = "1" | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6050ED05-78AE-4C21-8723-96F6F713B431}\InProcServer32 | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FD641000-322D-11D2-A3A3-00A024D8325C}\TypeLib | MsiExec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E4B1BF00-36CF-11D2-A3A3-00A024D8325C} | MsiExec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FD641010-322D-11D2-A3A3-00A024D8325C}\TypeLib\Version = "1.6" | MsiExec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{FD641011-322D-11D2-A3A3-00A024D8325C}\TypeLib | MsiExec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8A877ABC-3F1F-4575-9DDA-6457248B2ABA}\TypeLib\Version = "1.6" | MsiExec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\30CF6B9A7721FD044A572383F92D8738\DeploymentFlags = "3" | msiexec.exe
Suspicious use of AdjustPrivilegeToken 64 IoCs
description | pid | Process
Token: SeShutdownPrivilege | 4808 | msiexec.exe
Token: SeIncreaseQuotaPrivilege | 4808 | msiexec.exe
Token: SeSecurityPrivilege | 2480 | msiexec.exe
Token: SeCreateTokenPrivilege | 4808 | msiexec.exe
Token: SeAssignPrimaryTokenPrivilege | 4808 | msiexec.exe
Token: SeLockMemoryPrivilege | 4808 | msiexec.exe
Token: SeIncreaseQuotaPrivilege | 4808 | msiexec.exe
Token: SeMachineAccountPrivilege | 4808 | msiexec.exe
Token: SeTcbPrivilege | 4808 | msiexec.exe
Token: SeSecurityPrivilege | 4808 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 4808 | msiexec.exe
Token: SeLoadDriverPrivilege | 4808 | msiexec.exe
Token: SeSystemProfilePrivilege | 4808 | msiexec.exe
Token: SeSystemtimePrivilege | 4808 | msiexec.exe
Token: SeProfSingleProcessPrivilege | 4808 | msiexec.exe
Token: SeIncBasePriorityPrivilege | 4808 | msiexec.exe
Token: SeCreatePagefilePrivilege | 4808 | msiexec.exe
Token: SeCreatePermanentPrivilege | 4808 | msiexec.exe
Token: SeBackupPrivilege | 4808 | msiexec.exe
Token: SeRestorePrivilege | 4808 | msiexec.exe
Token: SeShutdownPrivilege | 4808 | msiexec.exe
Token: SeDebugPrivilege | 4808 | msiexec.exe
Token: SeAuditPrivilege | 4808 | msiexec.exe
Token: SeSystemEnvironmentPrivilege | 4808 | msiexec.exe
Token: SeChangeNotifyPrivilege | 4808 | msiexec.exe
Token: SeRemoteShutdownPrivilege | 4808 | msiexec.exe
Token: SeUndockPrivilege | 4808 | msiexec.exe
Token: SeSyncAgentPrivilege | 4808 | msiexec.exe
Token: SeEnableDelegationPrivilege | 4808 | msiexec.exe
Token: SeManageVolumePrivilege | 4808 | msiexec.exe
Token: SeImpersonatePrivilege | 4808 | msiexec.exe
Token: SeCreateGlobalPrivilege | 4808 | msiexec.exe
Token: SeCreateTokenPrivilege | 4808 | msiexec.exe
Token: SeAssignPrimaryTokenPrivilege | 4808 | msiexec.exe
Token: SeLockMemoryPrivilege | 4808 | msiexec.exe
Token: SeIncreaseQuotaPrivilege | 4808 | msiexec.exe
Token: SeMachineAccountPrivilege | 4808 | msiexec.exe
Token: SeTcbPrivilege | 4808 | msiexec.exe
Token: SeSecurityPrivilege | 4808 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 4808 | msiexec.exe
Token: SeLoadDriverPrivilege | 4808 | msiexec.exe
Token: SeSystemProfilePrivilege | 4808 | msiexec.exe
Token: SeSystemtimePrivilege | 4808 | msiexec.exe
Token: SeProfSingleProcessPrivilege | 4808 | msiexec.exe
Token: SeIncBasePriorityPrivilege | 4808 | msiexec.exe
Token: SeCreatePagefilePrivilege | 4808 | msiexec.exe
Token: SeCreatePermanentPrivilege | 4808 | msiexec.exe
Token: SeBackupPrivilege | 4808 | msiexec.exe
Token: SeRestorePrivilege | 4808 | msiexec.exe
Token: SeShutdownPrivilege | 4808 | msiexec.exe
Token: SeDebugPrivilege | 4808 | msiexec.exe
Token: SeAuditPrivilege | 4808 | msiexec.exe
Token: SeSystemEnvironmentPrivilege | 4808 | msiexec.exe
Token: SeChangeNotifyPrivilege | 4808 | msiexec.exe
Token: SeRemoteShutdownPrivilege | 4808 | msiexec.exe
Token: SeUndockPrivilege | 4808 | msiexec.exe
Token: SeSyncAgentPrivilege | 4808 | msiexec.exe
Token: SeEnableDelegationPrivilege | 4808 | msiexec.exe
Token: SeManageVolumePrivilege | 4808 | msiexec.exe
Token: SeImpersonatePrivilege | 4808 | msiexec.exe
Token: SeCreateGlobalPrivilege | 4808 | msiexec.exe
Token: SeCreateTokenPrivilege | 4808 | msiexec.exe
Token: SeAssignPrimaryTokenPrivilege | 4808 | msiexec.exe
Token: SeLockMemoryPrivilege | 4808 | msiexec.exe
Suspicious use of FindShellTrayWindow 2 IoCs
pid | Process
4808 | msiexec.exe
4808 | msiexec.exe
Suspicious use of WriteProcessMemory 11 IoCs
description | pid | Process | procid_target
PID 2480 wrote to memory of 3260 | 2480 | msiexec.exe | 85
PID 2480 wrote to memory of 3260 | 2480 | msiexec.exe | 85
PID 2480 wrote to memory of 3260 | 2480 | msiexec.exe | 85
PID 2480 wrote to memory of 4920 | 2480 | msiexec.exe | 89
PID 2480 wrote to memory of 4920 | 2480 | msiexec.exe | 89
PID 2480 wrote to memory of 4664 | 2480 | msiexec.exe | 91
PID 2480 wrote to memory of 4664 | 2480 | msiexec.exe | 91
PID 2480 wrote to memory of 4664 | 2480 | msiexec.exe | 91
PID 2480 wrote to memory of 2816 | 2480 | msiexec.exe | 92
PID 2480 wrote to memory of 2816 | 2480 | msiexec.exe | 92
PID 2480 wrote to memory of 2816 | 2480 | msiexec.exe | 92
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
- C:\Windows\system32\msiexec.exe (PID 4808)
  Command line: msiexec.exe /I "C:\Users\Admin\AppData\Local\Temp\SuperViewer Installer\Volume\bin\p29\MStudioCW3DGraph.msi"
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
- C:\Windows\system32\msiexec.exe (PID 2480)
  Command line: C:\Windows\system32\msiexec.exe /V
  - Enumerates connected drives
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Modifies Internet Explorer settings
  - Modifies data under HKEY_USERS
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Windows\syswow64\MsiExec.exe (PID 3260)
    Command line: C:\Windows\syswow64\MsiExec.exe -Embedding 54BB6992951574BC6C76CF34D582C5A9 C
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
  - C:\Windows\system32\srtasks.exe (PID 4920)
    Command line: C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  - C:\Windows\syswow64\MsiExec.exe (PID 4664)
    Command line: C:\Windows\syswow64\MsiExec.exe -Embedding 1D1481DBB4C3241BB30782619249826F
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
  - C:\Windows\syswow64\MsiExec.exe (PID 2816)
    Command line: C:\Windows\syswow64\MsiExec.exe -Embedding 60070CCEF490038FEA1D17D341B0C313 M Global\MSI0000
    - System Location Discovery: System Language Discovery
    - Modifies registry class
- C:\Windows\system32\vssvc.exe (PID 4652)
  Command line: C:\Windows\system32\vssvc.exe
  - Checks SCSI registry key(s)
Network
MITRE ATT&CK Enterprise v15
Downloads