9acec82250082db98a156292e9aebc2ba22ae177f8003fe29d7e59b220e14ebc

Analysis

max time kernel
227s
max time network
214s
platform
windows11-21h2_x64
resource
win11-20250313-en
resource tags

arch:x64arch:x86image:win11-20250313-enlocale:en-usos:windows11-21h2-x64system
submitted
28/03/2025, 13:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SuperViewer Installer/Volume/bin/p3/NISys00/NISysLogUtils.msi
Size

1.1MB
MD5

9784a2727ad04a441611a39ab72cc86e
SHA1

44ade989d1e1bab933117686369d03b22a8ec84d
SHA256

83813e524b98672d4e7ace0d29068748aed5694dd1ee5389e908ce4f1c51d1ca
SHA512

bc10351d36528ed579c4d11a427d13bbc968f60bfeb8678d1eb84c6a3c4234d62797431f36bad245bb715dee29f868c7612c42179e3698dc9529ae0bc9f90ad6
SSDEEP

24576:dFGtbRo/3GfBDO+TQNxshTK+63S3ZgTqGgeSZUf/:dFGtbXBrC2PJg6Uf

Score

6^/10

discovery

Malware Config

Signatures

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe

Drops file in Program Files directory 5 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\National Instruments\Shared\SystemLoggingUtilities\systemLoggingMessages.dll	msiexec.exe
File created	C:\Program Files (x86)\National Instruments\_Legal Information\NI System Logging Utilities 19.00.49152 {A8EA269D-0DB9-4EF3-A55C-D1A1698510B8}\notice.txt	msiexec.exe
File created	C:\Program Files (x86)\National Instruments\Shared\MDF\Manifests\NI System Logging Utilities {A8EA269D-0DB9-4EF3-A55C-D1A1698510B8}.xml	msiexec.exe
File created	C:\Program Files (x86)\National Instruments\Shared\WinMIF\ni-systemlogging-utils_19.0.0.49152-0+f0_windows_a {A8EA269D-0DB9-4EF3-A55C-D1A1698510B8}.control	msiexec.exe
File created	C:\Program Files (x86)\National Instruments\Shared\WinMIF\ni-systemlogging-utils_19.0.0.49152-0+f0_windows_a {A8EA269D-0DB9-4EF3-A55C-D1A1698510B8}.instructions	msiexec.exe

Drops file in Windows directory 19 IoCs

description	ioc	Process
File created	C:\Windows\Installer\e582a47.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI2C5C.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI2CCC.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI2CDC.tmp	msiexec.exe
File created	C:\Windows\Installer\e582a49.msi	msiexec.exe
File created	C:\Windows\SystemTemp\~DF355D04AAAC66D545.TMP	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI2BCF.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI2CAC.tmp	msiexec.exe
File created	C:\Windows\SystemTemp\~DF86B30F25D17C7470.TMP	msiexec.exe
File created	C:\Windows\SystemTemp\~DF42A3BFA10155D9EF.TMP	msiexec.exe
File created	C:\Windows\Installer\SourceHash{A8EA269D-0DB9-4EF3-A55C-D1A1698510B8}	msiexec.exe
File opened for modification	C:\Windows\Installer\e582a47.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI2AA5.tmp	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI2D0C.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\SystemTemp\~DF74E802E6C0FC9D2C.TMP	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI2DC9.tmp	msiexec.exe

Loads dropped DLL 11 IoCs

pid	Process
5792	MsiExec.exe
5792	MsiExec.exe
5792	MsiExec.exe
5792	MsiExec.exe
2992	MsiExec.exe
2992	MsiExec.exe
2992	MsiExec.exe
2992	MsiExec.exe
2992	MsiExec.exe
2992	MsiExec.exe
2992	MsiExec.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 00000000040000006ff5154e0b80d71f0000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff0000000027010100000800006ff5154e0000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff0000000007000100006809006ff5154e000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1d6ff5154e000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000000000006ff5154e00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe

Modifies data under HKEY_USERS 3 IoCs

description	ioc	Process
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\28	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\27\52C64B7E	msiexec.exe

Modifies registry class 25 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D962AE8A9BD03FE45AC51D1A9658018B\SourceList	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D962AE8A9BD03FE45AC51D1A9658018B\SourceList\Media\2 = ";"	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D962AE8A9BD03FE45AC51D1A9658018B\Clients = 3a0000000000	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\D962AE8A9BD03FE45AC51D1A9658018B\NISysLogUtils.NI.SYSLOGUTILS	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\D962AE8A9BD03FE45AC51D1A9658018B\NIMUFeature	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D962AE8A9BD03FE45AC51D1A9658018B	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D962AE8A9BD03FE45AC51D1A9658018B\InstanceType = "0"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D962AE8A9BD03FE45AC51D1A9658018B\SourceList\Media\DiskPrompt = "[1]"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D962AE8A9BD03FE45AC51D1A9658018B\SourceList\Media\1 = ";"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\D962AE8A9BD03FE45AC51D1A9658018B	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D962AE8A9BD03FE45AC51D1A9658018B\Assignment = "1"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D962AE8A9BD03FE45AC51D1A9658018B\AuthorizedLUAApp = "0"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\09991ADF527AA6C428C64A2F8419C7A7\D962AE8A9BD03FE45AC51D1A9658018B	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D962AE8A9BD03FE45AC51D1A9658018B\SourceList\Net	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D962AE8A9BD03FE45AC51D1A9658018B\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\SuperViewer Installer\\Volume\\bin\\p3\\NISys00\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D962AE8A9BD03FE45AC51D1A9658018B\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\SuperViewer Installer\\Volume\\bin\\p3\\NISys00\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D962AE8A9BD03FE45AC51D1A9658018B\PackageCode = "DE9D0AC7FEEC836478CB9A5EAAF24E6C"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D962AE8A9BD03FE45AC51D1A9658018B\Version = "318816256"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D962AE8A9BD03FE45AC51D1A9658018B\AdvertiseFlags = "388"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D962AE8A9BD03FE45AC51D1A9658018B\DeploymentFlags = "3"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\09991ADF527AA6C428C64A2F8419C7A7	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D962AE8A9BD03FE45AC51D1A9658018B\SourceList\PackageName = "NISysLogUtils.msi"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D962AE8A9BD03FE45AC51D1A9658018B\SourceList\Media	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D962AE8A9BD03FE45AC51D1A9658018B\ProductName = "NI System Logging Utilities"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D962AE8A9BD03FE45AC51D1A9658018B\Language = "9"	msiexec.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1472	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1472	msiexec.exe
Token: SeSecurityPrivilege	4648	msiexec.exe
Token: SeCreateTokenPrivilege	1472	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	1472	msiexec.exe
Token: SeLockMemoryPrivilege	1472	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1472	msiexec.exe
Token: SeMachineAccountPrivilege	1472	msiexec.exe
Token: SeTcbPrivilege	1472	msiexec.exe
Token: SeSecurityPrivilege	1472	msiexec.exe
Token: SeTakeOwnershipPrivilege	1472	msiexec.exe
Token: SeLoadDriverPrivilege	1472	msiexec.exe
Token: SeSystemProfilePrivilege	1472	msiexec.exe
Token: SeSystemtimePrivilege	1472	msiexec.exe
Token: SeProfSingleProcessPrivilege	1472	msiexec.exe
Token: SeIncBasePriorityPrivilege	1472	msiexec.exe
Token: SeCreatePagefilePrivilege	1472	msiexec.exe
Token: SeCreatePermanentPrivilege	1472	msiexec.exe
Token: SeBackupPrivilege	1472	msiexec.exe
Token: SeRestorePrivilege	1472	msiexec.exe
Token: SeShutdownPrivilege	1472	msiexec.exe
Token: SeDebugPrivilege	1472	msiexec.exe
Token: SeAuditPrivilege	1472	msiexec.exe
Token: SeSystemEnvironmentPrivilege	1472	msiexec.exe
Token: SeChangeNotifyPrivilege	1472	msiexec.exe
Token: SeRemoteShutdownPrivilege	1472	msiexec.exe
Token: SeUndockPrivilege	1472	msiexec.exe
Token: SeSyncAgentPrivilege	1472	msiexec.exe
Token: SeEnableDelegationPrivilege	1472	msiexec.exe
Token: SeManageVolumePrivilege	1472	msiexec.exe
Token: SeImpersonatePrivilege	1472	msiexec.exe
Token: SeCreateGlobalPrivilege	1472	msiexec.exe
Token: SeCreateTokenPrivilege	1472	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	1472	msiexec.exe
Token: SeLockMemoryPrivilege	1472	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1472	msiexec.exe
Token: SeMachineAccountPrivilege	1472	msiexec.exe
Token: SeTcbPrivilege	1472	msiexec.exe
Token: SeSecurityPrivilege	1472	msiexec.exe
Token: SeTakeOwnershipPrivilege	1472	msiexec.exe
Token: SeLoadDriverPrivilege	1472	msiexec.exe
Token: SeSystemProfilePrivilege	1472	msiexec.exe
Token: SeSystemtimePrivilege	1472	msiexec.exe
Token: SeProfSingleProcessPrivilege	1472	msiexec.exe
Token: SeIncBasePriorityPrivilege	1472	msiexec.exe
Token: SeCreatePagefilePrivilege	1472	msiexec.exe
Token: SeCreatePermanentPrivilege	1472	msiexec.exe
Token: SeBackupPrivilege	1472	msiexec.exe
Token: SeRestorePrivilege	1472	msiexec.exe
Token: SeShutdownPrivilege	1472	msiexec.exe
Token: SeDebugPrivilege	1472	msiexec.exe
Token: SeAuditPrivilege	1472	msiexec.exe
Token: SeSystemEnvironmentPrivilege	1472	msiexec.exe
Token: SeChangeNotifyPrivilege	1472	msiexec.exe
Token: SeRemoteShutdownPrivilege	1472	msiexec.exe
Token: SeUndockPrivilege	1472	msiexec.exe
Token: SeSyncAgentPrivilege	1472	msiexec.exe
Token: SeEnableDelegationPrivilege	1472	msiexec.exe
Token: SeManageVolumePrivilege	1472	msiexec.exe
Token: SeImpersonatePrivilege	1472	msiexec.exe
Token: SeCreateGlobalPrivilege	1472	msiexec.exe
Token: SeCreateTokenPrivilege	1472	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	1472	msiexec.exe
Token: SeLockMemoryPrivilege	1472	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1472	msiexec.exe
1472	msiexec.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 4648 wrote to memory of 5792	4648	msiexec.exe	81
PID 4648 wrote to memory of 5792	4648	msiexec.exe	81
PID 4648 wrote to memory of 5792	4648	msiexec.exe	81
PID 4648 wrote to memory of 1048	4648	msiexec.exe	85
PID 4648 wrote to memory of 1048	4648	msiexec.exe	85
PID 4648 wrote to memory of 2992	4648	msiexec.exe	87
PID 4648 wrote to memory of 2992	4648	msiexec.exe	87
PID 4648 wrote to memory of 2992	4648	msiexec.exe	87

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\msiexec.exe
msiexec.exe /I "C:\Users\Admin\AppData\Local\Temp\SuperViewer Installer\Volume\bin\p3\NISys00\NISysLogUtils.msi"
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1472

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4648
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 58FB7CE2509AE3A3808959C5B6A0A572 C
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:5792
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  PID:1048
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding D7FBFE8D3D6D1C2F08C056A07B835789
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:2992

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
PID:5104

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e582a48.rbs

Filesize
14KB

MD5
e71ecd4f5d35895acaff11b050047a6b

SHA1
29ee17771bb0ed37b62043d8d773fdc278ef6027

SHA256
20786a7101c87f108c0a32e0f63364adbaec1b99cf4ed2d80663ca546a282a7c

SHA512
3296c642bd99a2ef62750e1b02db2aa013ad21b06533bc7a36e98d8db1840a292c09ea297d5d1e0b0498cd790e1872f2d8ba146f99453f1b25156c5d0623a320

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI75CC.tmp

Filesize
639KB

MD5
c6417930af8969f9f2cb431acd76ec89

SHA1
d2f2dc9b44f5f79348f7f36091b26a5465ad4f2b

SHA256
1b89704532113150fc7a8a06b5367ee26937c346635a860e93662e1fbb5cd79b

SHA512
f30d7a5b51f5d866ccabf3e15a45d3b4013e28a9bdaaf2176e8b121fbd4ab41a8e67c059b2ece8db5bc7a0ce043e76bbc4e3f6400fb9cd2886e1ffcd9e65d79b

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

Filesize
24.6MB

MD5
3fc828307ee6678d0c75b2b5923c03c9

SHA1
cd1a11546fbaa51fa36269cb099e755b4077d71d

SHA256
970b71a7fcdae3ad1e551813fbcf87a24637b72fd587a1b9d25a9599f234e982

SHA512
2580604939f78c257137b7a19c12d9e7da8b283ba67ba425374c3c0072209684fb5cfe9551868cddd28263c8d8b54bf924206851057f5327236630a1154acee5

Download Submit
\??\Volume{4e15f56f-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{a99f6060-c999-4105-bc3f-1949b2d2bbd4}_OnDiskSnapshotProp

Filesize
6KB

MD5
ba161c30a6d58aab15f764de0386f0c9

SHA1
165843116b0e69fe5fd0bf2beb5c49567beedf97

SHA256
53415ebd1212d8c773938d84321f3e705cda09eae713bb873ba2822e3d769038

SHA512
5ca0529974415bc8309654d3049d9789370f1402e7754a2f59981a7f1ccdc347a9d05e798399a13b47f724fedac33c6c0572d4d6474b33fd384599fd8cb9daff

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads