9acec82250082db98a156292e9aebc2ba22ae177f8003fe29d7e59b220e14ebc

Analysis

max time kernel
217s
max time network
290s
platform
windows11-21h2_x64
resource
win11-20250314-en
resource tags

arch:x64arch:x86image:win11-20250314-enlocale:en-usos:windows11-21h2-x64system
submitted
28/03/2025, 13:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SuperViewer Installer/Volume/bin/p7/NITraceEngine.msi
Size

1.1MB
MD5

6efea41a2c169b0290b8f96b10813d08
SHA1

1348304fcc2269afb8915e99e8828005e0c904ee
SHA256

b1c030dd1ee1e706fea8e16e0124fe69b5384259177da45ad5da03a65301fd77
SHA512

6ede8f8cf279483947da49e511d7faead42efd725f744f97056bd0ca5c49a311ebf48992a73ea97a84c74447145265882404b4d7681a3457c850079305a54744
SSDEEP

24576:AFQtgpo/3Gff+TQNxshTK+63S3ZgTqGgeSZUf/:AFQtg/WC2PJg6Uf

Score

6^/10

discovery

Malware Config

Signatures

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe

Drops file in Program Files directory 5 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\National Instruments\Shared\MDF\Manifests\NI Trace Engine {5156FF00-C463-4A1F-9063-F7012042E7F0}.xml	msiexec.exe
File created	C:\Program Files (x86)\National Instruments\Shared\WinMIF\ni-traceengine_19.0.0.49152-0+f0_windows_all {5156FF00-C463-4A1F-9063-F7012042E7F0}.control	msiexec.exe
File created	C:\Program Files (x86)\National Instruments\Shared\WinMIF\ni-traceengine_19.0.0.49152-0+f0_windows_all {5156FF00-C463-4A1F-9063-F7012042E7F0}.instructions	msiexec.exe
File created	C:\Program Files (x86)\National Instruments\Shared\TraceEngine\ni_traceengine.dll	msiexec.exe
File created	C:\Program Files (x86)\National Instruments\_Legal Information\NI Trace Engine 19.00.49152 {5156FF00-C463-4A1F-9063-F7012042E7F0}\notice.txt	msiexec.exe

Drops file in Windows directory 19 IoCs

description	ioc	Process
File created	C:\Windows\SystemTemp\~DFA0E86733CA046C5A.TMP	msiexec.exe
File opened for modification	C:\Windows\Installer\MSID5B6.tmp	msiexec.exe
File created	C:\Windows\SystemTemp\~DFBAE8466DC90625E2.TMP	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\MSID1A8.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSID4E9.tmp	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File created	C:\Windows\SystemTemp\~DF1CB62B714CE6609E.TMP	msiexec.exe
File opened for modification	C:\Windows\Installer\MSID33F.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSID4C8.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSID4D8.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\MSID519.tmp	msiexec.exe
File created	C:\Windows\Installer\e57d14a.msi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{5156FF00-C463-4A1F-9063-F7012042E7F0}	msiexec.exe
File created	C:\Windows\SystemTemp\~DF265AE62BE89A6A18.TMP	msiexec.exe
File created	C:\Windows\Installer\e57d14c.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e57d14a.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSID39E.tmp	msiexec.exe

Loads dropped DLL 11 IoCs

pid	Process
5536	MsiExec.exe
5536	MsiExec.exe
5536	MsiExec.exe
5536	MsiExec.exe
3676	MsiExec.exe
3676	MsiExec.exe
3676	MsiExec.exe
3676	MsiExec.exe
3676	MsiExec.exe
3676	MsiExec.exe
3676	MsiExec.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 0000000004000000c5692628b50bc7450000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff000000002701010000080000c56926280000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff000000000700010000680900c5692628000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1dc5692628000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000c569262800000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe

Modifies data under HKEY_USERS 3 IoCs

description	ioc	Process
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\27\52C64B7E	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\28	msiexec.exe

Modifies registry class 25 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\00FF6515364CF1A409367F1002247E0F\SourceList\Media	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\00FF6515364CF1A409367F1002247E0F\SourceList\Media\2 = ";"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\00FF6515364CF1A409367F1002247E0F\TraceEngine.LV.TRCENG.2019	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\00FF6515364CF1A409367F1002247E0F\NIMUFeature	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\00FF6515364CF1A409367F1002247E0F\Language = "9"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\00FF6515364CF1A409367F1002247E0F\AuthorizedLUAApp = "0"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\00FF6515364CF1A409367F1002247E0F\SourceList\Media\DiskPrompt = "[1]"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\00FF6515364CF1A409367F1002247E0F\SourceList\Media\1 = ";"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\00FF6515364CF1A409367F1002247E0F\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\SuperViewer Installer\\Volume\\bin\\p7\\"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\00FF6515364CF1A409367F1002247E0F\DeploymentFlags = "3"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\00FF6515364CF1A409367F1002247E0F\SourceList	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\00FF6515364CF1A409367F1002247E0F\SourceList\PackageName = "NITraceEngine.msi"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\00FF6515364CF1A409367F1002247E0F\SourceList\Net	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\00FF6515364CF1A409367F1002247E0F	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\00FF6515364CF1A409367F1002247E0F\PackageCode = "883B26B02DA77234EB958C0C546B5C79"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\00FF6515364CF1A409367F1002247E0F\AdvertiseFlags = "388"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\00FF6515364CF1A409367F1002247E0F\InstanceType = "0"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\081B99BF3F8602D43A7BACFBDEBAF795\00FF6515364CF1A409367F1002247E0F	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\00FF6515364CF1A409367F1002247E0F\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\SuperViewer Installer\\Volume\\bin\\p7\\"	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\00FF6515364CF1A409367F1002247E0F\Clients = 3a0000000000	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\00FF6515364CF1A409367F1002247E0F	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\00FF6515364CF1A409367F1002247E0F\ProductName = "NI Trace Engine"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\00FF6515364CF1A409367F1002247E0F\Version = "318816256"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\00FF6515364CF1A409367F1002247E0F\Assignment = "1"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\081B99BF3F8602D43A7BACFBDEBAF795	msiexec.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4720	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4720	msiexec.exe
Token: SeSecurityPrivilege	1636	msiexec.exe
Token: SeCreateTokenPrivilege	4720	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	4720	msiexec.exe
Token: SeLockMemoryPrivilege	4720	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4720	msiexec.exe
Token: SeMachineAccountPrivilege	4720	msiexec.exe
Token: SeTcbPrivilege	4720	msiexec.exe
Token: SeSecurityPrivilege	4720	msiexec.exe
Token: SeTakeOwnershipPrivilege	4720	msiexec.exe
Token: SeLoadDriverPrivilege	4720	msiexec.exe
Token: SeSystemProfilePrivilege	4720	msiexec.exe
Token: SeSystemtimePrivilege	4720	msiexec.exe
Token: SeProfSingleProcessPrivilege	4720	msiexec.exe
Token: SeIncBasePriorityPrivilege	4720	msiexec.exe
Token: SeCreatePagefilePrivilege	4720	msiexec.exe
Token: SeCreatePermanentPrivilege	4720	msiexec.exe
Token: SeBackupPrivilege	4720	msiexec.exe
Token: SeRestorePrivilege	4720	msiexec.exe
Token: SeShutdownPrivilege	4720	msiexec.exe
Token: SeDebugPrivilege	4720	msiexec.exe
Token: SeAuditPrivilege	4720	msiexec.exe
Token: SeSystemEnvironmentPrivilege	4720	msiexec.exe
Token: SeChangeNotifyPrivilege	4720	msiexec.exe
Token: SeRemoteShutdownPrivilege	4720	msiexec.exe
Token: SeUndockPrivilege	4720	msiexec.exe
Token: SeSyncAgentPrivilege	4720	msiexec.exe
Token: SeEnableDelegationPrivilege	4720	msiexec.exe
Token: SeManageVolumePrivilege	4720	msiexec.exe
Token: SeImpersonatePrivilege	4720	msiexec.exe
Token: SeCreateGlobalPrivilege	4720	msiexec.exe
Token: SeCreateTokenPrivilege	4720	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	4720	msiexec.exe
Token: SeLockMemoryPrivilege	4720	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4720	msiexec.exe
Token: SeMachineAccountPrivilege	4720	msiexec.exe
Token: SeTcbPrivilege	4720	msiexec.exe
Token: SeSecurityPrivilege	4720	msiexec.exe
Token: SeTakeOwnershipPrivilege	4720	msiexec.exe
Token: SeLoadDriverPrivilege	4720	msiexec.exe
Token: SeSystemProfilePrivilege	4720	msiexec.exe
Token: SeSystemtimePrivilege	4720	msiexec.exe
Token: SeProfSingleProcessPrivilege	4720	msiexec.exe
Token: SeIncBasePriorityPrivilege	4720	msiexec.exe
Token: SeCreatePagefilePrivilege	4720	msiexec.exe
Token: SeCreatePermanentPrivilege	4720	msiexec.exe
Token: SeBackupPrivilege	4720	msiexec.exe
Token: SeRestorePrivilege	4720	msiexec.exe
Token: SeShutdownPrivilege	4720	msiexec.exe
Token: SeDebugPrivilege	4720	msiexec.exe
Token: SeAuditPrivilege	4720	msiexec.exe
Token: SeSystemEnvironmentPrivilege	4720	msiexec.exe
Token: SeChangeNotifyPrivilege	4720	msiexec.exe
Token: SeRemoteShutdownPrivilege	4720	msiexec.exe
Token: SeUndockPrivilege	4720	msiexec.exe
Token: SeSyncAgentPrivilege	4720	msiexec.exe
Token: SeEnableDelegationPrivilege	4720	msiexec.exe
Token: SeManageVolumePrivilege	4720	msiexec.exe
Token: SeImpersonatePrivilege	4720	msiexec.exe
Token: SeCreateGlobalPrivilege	4720	msiexec.exe
Token: SeCreateTokenPrivilege	4720	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	4720	msiexec.exe
Token: SeLockMemoryPrivilege	4720	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
4720	msiexec.exe
4720	msiexec.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1636 wrote to memory of 5536	1636	msiexec.exe	81
PID 1636 wrote to memory of 5536	1636	msiexec.exe	81
PID 1636 wrote to memory of 5536	1636	msiexec.exe	81
PID 1636 wrote to memory of 3408	1636	msiexec.exe	85
PID 1636 wrote to memory of 3408	1636	msiexec.exe	85
PID 1636 wrote to memory of 3676	1636	msiexec.exe	87
PID 1636 wrote to memory of 3676	1636	msiexec.exe	87
PID 1636 wrote to memory of 3676	1636	msiexec.exe	87

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\msiexec.exe
msiexec.exe /I "C:\Users\Admin\AppData\Local\Temp\SuperViewer Installer\Volume\bin\p7\NITraceEngine.msi"
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4720

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1636
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 1C94C4D518C2D66BEE6BD89236B22FEF C
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:5536
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  PID:3408
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 783730E6B595DEC267F411649D5581D9
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:3676

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
PID:1036

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e57d14b.rbs

Filesize
14KB

MD5
762c7f67635e7cf6e34f24acf57719fa

SHA1
c16eda276281436308cb03ed17c7fb72c6cf54c0

SHA256
c71e37d5f2e8181ad19160c54a9b3d445b944fd4678233e4c1a94ee8220e1b2b

SHA512
ebe1b1a444f844c4a95a4492ee02f4ee9fd92391c545d3e2120b2cd966cfb7be973ec3aea8100b3c24c23ac9486856a576cec3bf86e0ea8903573b2c37ea0b32

Download Submit
C:\ProgramData\National Instruments\Trace Logs\traceengine.ini

Filesize
453B

MD5
3a6fda6210e0b4f5fd17a9d2948515bd

SHA1
9275e51c08940794667c1e0fc3608fad32768b5e

SHA256
f83976a41473986d6d6b1ddc8385fa698a300698690650d9c0eabab024c1be08

SHA512
32aa28944a0741ed597b493b6ef5c7bd2f095a678fc2839169e0466b9ff06f5e3b658c9b675a92cef6badd8d5c99281e9715e8635e70a0ece7be7caeb0f51954

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI6B6C.tmp

Filesize
639KB

MD5
c6417930af8969f9f2cb431acd76ec89

SHA1
d2f2dc9b44f5f79348f7f36091b26a5465ad4f2b

SHA256
1b89704532113150fc7a8a06b5367ee26937c346635a860e93662e1fbb5cd79b

SHA512
f30d7a5b51f5d866ccabf3e15a45d3b4013e28a9bdaaf2176e8b121fbd4ab41a8e67c059b2ece8db5bc7a0ce043e76bbc4e3f6400fb9cd2886e1ffcd9e65d79b

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

Filesize
24.6MB

MD5
37b21e7207068b312e3e4fc057e173b7

SHA1
01e1ec3a287a06287a198b9fb149ce36fc8035f5

SHA256
44a4aa5728e82bab7a71f36a3f90b2a05da45c80ed6a95a3aff08b8e19e10e31

SHA512
780390b3f9ecd322221ee028bddeb67592ed160d8be5ff3d8529caefed5d89b34117054b24bcc4394b940d6eab22cc7b568c9ab2569f0a821327076efc20ebc4

Download Submit
\??\Volume{282669c5-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{d39c58bb-fea9-467a-858b-d1d954b5912b}_OnDiskSnapshotProp

Filesize
6KB

MD5
41cbf621b678b940148beecc6a2dc71c

SHA1
fe4faa4ce38125280ba8dd7000d8c48d9e46521e

SHA256
3e003d95904cac1d807123d782df0456d50f43010f301b6d5921080d74919580

SHA512
b7a56064c8925d905fff4451dfd527f9ed3457a741842a67c8e4da02884e6a2db54620359df54d1e3d57533983b0128634d0d24b782865a9d59a9e5c65d39dae

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads