9acec82250082db98a156292e9aebc2ba22ae177f8003fe29d7e59b220e14ebc

Analysis

max time kernel
229s
max time network
214s
platform
windows11-21h2_x64
resource
win11-20250313-en
resource tags

arch:x64arch:x86image:win11-20250313-enlocale:en-usos:windows11-21h2-x64system
submitted
28/03/2025, 13:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SuperViewer Installer/Volume/bin/p18/LogosXT.msi
Size

1.1MB
MD5

aa4cf7bc17effff4b156d4b8baa13026
SHA1

1c0fafa4cf953dc64db810a3075bc9ee765984a8
SHA256

b2e39f59e44da061a09222d63cd52ea8de602c978f28b8b392b5b1a5d3017586
SHA512

e9420867ac9037caf5d40619c35b778c67ab0cf27b51959245dd28e855c35e93d40ef67bacc0ee6a4ff9b9064d062ea8fbd9510c9ae79cf625be537a652d553f
SSDEEP

24576:iRFTHptwzo/3Gf3+TQNxshTK+63S3ZgTqGgeSZUf/:6FLptwJOC2PJg6Uf

Score

6^/10

discovery

Malware Config

Signatures

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe

Drops file in Program Files directory 7 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\National Instruments\_Legal Information\NI Logos XT Support 19.00.49152 {52981014-740C-430E-A83A-711186DF565B}\notice.txt	msiexec.exe
File created	C:\Program Files (x86)\National Instruments\Shared\MDF\Manifests\NI Logos XT Support {52981014-740C-430E-A83A-711186DF565B}.xml	msiexec.exe
File created	C:\Program Files (x86)\National Instruments\Shared\WinMIF\ni-logos-xt_19.0.0.49152-0+f0_windows_all {52981014-740C-430E-A83A-711186DF565B}.control	msiexec.exe
File created	C:\Program Files (x86)\National Instruments\Shared\LogosXT\nilxtcor.dll	msiexec.exe
File created	C:\Program Files (x86)\Common Files\Merge Modules\logosxt.msm	msiexec.exe
File created	C:\Program Files (x86)\National Instruments\Shared\LogosXT\nipspxts.dll	msiexec.exe
File created	C:\Program Files (x86)\Common Files\Merge Modules\logosxt64.msm	msiexec.exe

Drops file in Windows directory 19 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File created	C:\Windows\SystemTemp\~DFEFFF1087C390E671.TMP	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI7CF.tmp	msiexec.exe
File created	C:\Windows\SystemTemp\~DFF939D278E1770462.TMP	msiexec.exe
File created	C:\Windows\Installer\e58055c.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI978.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI5A8.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI6F1.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI702.tmp	msiexec.exe
File created	C:\Windows\SystemTemp\~DFFC8B0B636DF0F22B.TMP	msiexec.exe
File created	C:\Windows\Installer\e58055a.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File created	C:\Windows\Installer\SourceHash{52981014-740C-430E-A83A-711186DF565B}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI85E.tmp	msiexec.exe
File created	C:\Windows\SystemTemp\~DFC6C2AC7447F841CA.TMP	msiexec.exe
File opened for modification	C:\Windows\Installer\e58055a.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI7BE.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI7E0.tmp	msiexec.exe

Loads dropped DLL 11 IoCs

pid	Process
4404	MsiExec.exe
4404	MsiExec.exe
4404	MsiExec.exe
4404	MsiExec.exe
4768	MsiExec.exe
4768	MsiExec.exe
4768	MsiExec.exe
4768	MsiExec.exe
4768	MsiExec.exe
4768	MsiExec.exe
4768	MsiExec.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 0000000004000000863705d3f43de89a0000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff000000002701010000080000863705d30000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff000000000700010000680900863705d3000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1d863705d3000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000863705d300000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe

Modifies data under HKEY_USERS 3 IoCs

description	ioc	Process
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\28	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\27\52C64B7E	msiexec.exe

Modifies registry class 26 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\41018925C047E0348AA3171168FD65B5\AuthorizedLUAApp = "0"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\41018925C047E0348AA3171168FD65B5\DeploymentFlags = "3"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\41018925C047E0348AA3171168FD65B5\SourceList\Media	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\41018925C047E0348AA3171168FD65B5\SourceList\Media\2 = ";"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\41018925C047E0348AA3171168FD65B5\LOGOS_XT.LOGOSXT.1900	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\41018925C047E0348AA3171168FD65B5\NIMUFeature	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\41018925C047E0348AA3171168FD65B5\ProductName = "NI Logos XT Support"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\41018925C047E0348AA3171168FD65B5\Language = "9"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\41018925C047E0348AA3171168FD65B5\Assignment = "1"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\41018925C047E0348AA3171168FD65B5\SourceList	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\41018925C047E0348AA3171168FD65B5\SourceList\PackageName = "LogosXT.msi"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\41018925C047E0348AA3171168FD65B5\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\SuperViewer Installer\\Volume\\bin\\p18\\"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\41018925C047E0348AA3171168FD65B5\Version = "318816256"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\41018925C047E0348AA3171168FD65B5\AdvertiseFlags = "388"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\41018925C047E0348AA3171168FD65B5\InstanceType = "0"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\364DE77130E0A4F47A52F5D52F7CE874\41018925C047E0348AA3171168FD65B5	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\41018925C047E0348AA3171168FD65B5\SourceList\Net	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\41018925C047E0348AA3171168FD65B5\SourceList\Media\1 = ";"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\41018925C047E0348AA3171168FD65B5	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\364DE77130E0A4F47A52F5D52F7CE874	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\41018925C047E0348AA3171168FD65B5\SourceList\Media\DiskPrompt = "[1]"	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\41018925C047E0348AA3171168FD65B5\Clients = 3a0000000000	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\41018925C047E0348AA3171168FD65B5\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\SuperViewer Installer\\Volume\\bin\\p18\\"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\41018925C047E0348AA3171168FD65B5	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\41018925C047E0348AA3171168FD65B5\LogosXTMSM.LOGOSXT.1900 = "LOGOS_XT.LOGOSXT.1900"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\41018925C047E0348AA3171168FD65B5\PackageCode = "580FABE27C59207419C405B3EE94242C"	msiexec.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2944	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2944	msiexec.exe
Token: SeSecurityPrivilege	352	msiexec.exe
Token: SeCreateTokenPrivilege	2944	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2944	msiexec.exe
Token: SeLockMemoryPrivilege	2944	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2944	msiexec.exe
Token: SeMachineAccountPrivilege	2944	msiexec.exe
Token: SeTcbPrivilege	2944	msiexec.exe
Token: SeSecurityPrivilege	2944	msiexec.exe
Token: SeTakeOwnershipPrivilege	2944	msiexec.exe
Token: SeLoadDriverPrivilege	2944	msiexec.exe
Token: SeSystemProfilePrivilege	2944	msiexec.exe
Token: SeSystemtimePrivilege	2944	msiexec.exe
Token: SeProfSingleProcessPrivilege	2944	msiexec.exe
Token: SeIncBasePriorityPrivilege	2944	msiexec.exe
Token: SeCreatePagefilePrivilege	2944	msiexec.exe
Token: SeCreatePermanentPrivilege	2944	msiexec.exe
Token: SeBackupPrivilege	2944	msiexec.exe
Token: SeRestorePrivilege	2944	msiexec.exe
Token: SeShutdownPrivilege	2944	msiexec.exe
Token: SeDebugPrivilege	2944	msiexec.exe
Token: SeAuditPrivilege	2944	msiexec.exe
Token: SeSystemEnvironmentPrivilege	2944	msiexec.exe
Token: SeChangeNotifyPrivilege	2944	msiexec.exe
Token: SeRemoteShutdownPrivilege	2944	msiexec.exe
Token: SeUndockPrivilege	2944	msiexec.exe
Token: SeSyncAgentPrivilege	2944	msiexec.exe
Token: SeEnableDelegationPrivilege	2944	msiexec.exe
Token: SeManageVolumePrivilege	2944	msiexec.exe
Token: SeImpersonatePrivilege	2944	msiexec.exe
Token: SeCreateGlobalPrivilege	2944	msiexec.exe
Token: SeCreateTokenPrivilege	2944	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2944	msiexec.exe
Token: SeLockMemoryPrivilege	2944	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2944	msiexec.exe
Token: SeMachineAccountPrivilege	2944	msiexec.exe
Token: SeTcbPrivilege	2944	msiexec.exe
Token: SeSecurityPrivilege	2944	msiexec.exe
Token: SeTakeOwnershipPrivilege	2944	msiexec.exe
Token: SeLoadDriverPrivilege	2944	msiexec.exe
Token: SeSystemProfilePrivilege	2944	msiexec.exe
Token: SeSystemtimePrivilege	2944	msiexec.exe
Token: SeProfSingleProcessPrivilege	2944	msiexec.exe
Token: SeIncBasePriorityPrivilege	2944	msiexec.exe
Token: SeCreatePagefilePrivilege	2944	msiexec.exe
Token: SeCreatePermanentPrivilege	2944	msiexec.exe
Token: SeBackupPrivilege	2944	msiexec.exe
Token: SeRestorePrivilege	2944	msiexec.exe
Token: SeShutdownPrivilege	2944	msiexec.exe
Token: SeDebugPrivilege	2944	msiexec.exe
Token: SeAuditPrivilege	2944	msiexec.exe
Token: SeSystemEnvironmentPrivilege	2944	msiexec.exe
Token: SeChangeNotifyPrivilege	2944	msiexec.exe
Token: SeRemoteShutdownPrivilege	2944	msiexec.exe
Token: SeUndockPrivilege	2944	msiexec.exe
Token: SeSyncAgentPrivilege	2944	msiexec.exe
Token: SeEnableDelegationPrivilege	2944	msiexec.exe
Token: SeManageVolumePrivilege	2944	msiexec.exe
Token: SeImpersonatePrivilege	2944	msiexec.exe
Token: SeCreateGlobalPrivilege	2944	msiexec.exe
Token: SeCreateTokenPrivilege	2944	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2944	msiexec.exe
Token: SeLockMemoryPrivilege	2944	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2944	msiexec.exe
2944	msiexec.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 352 wrote to memory of 4404	352	msiexec.exe	86
PID 352 wrote to memory of 4404	352	msiexec.exe	86
PID 352 wrote to memory of 4404	352	msiexec.exe	86
PID 352 wrote to memory of 5320	352	msiexec.exe	90
PID 352 wrote to memory of 5320	352	msiexec.exe	90
PID 352 wrote to memory of 4768	352	msiexec.exe	92
PID 352 wrote to memory of 4768	352	msiexec.exe	92
PID 352 wrote to memory of 4768	352	msiexec.exe	92

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\msiexec.exe
msiexec.exe /I "C:\Users\Admin\AppData\Local\Temp\SuperViewer Installer\Volume\bin\p18\LogosXT.msi"
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2944

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:352
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding F23736252AE33375735482529D0188AB C
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:4404
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  PID:5320
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 38AD242A75571B40CCA4FA7048E1DAB5
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:4768

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
PID:4120

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e58055b.rbs

Filesize
14KB

MD5
cb8656798bad53c75c8957f8f4e37dde

SHA1
6bb882afa65b4e86a61287aa44a694b92d28e66e

SHA256
47175fba4c0a6c381a57ea463a1c7319814a1488b8ce6ac5d10839b346d1b189

SHA512
01bd00df72b9a36a63b5dc3092bfdb1f94017cd253202aee0f8c838d959e247680e3792f67733badacee5cbbbe4825c7c23bb1dbed398a41eada5f3f44e9f138

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI6E79.tmp

Filesize
639KB

MD5
c6417930af8969f9f2cb431acd76ec89

SHA1
d2f2dc9b44f5f79348f7f36091b26a5465ad4f2b

SHA256
1b89704532113150fc7a8a06b5367ee26937c346635a860e93662e1fbb5cd79b

SHA512
f30d7a5b51f5d866ccabf3e15a45d3b4013e28a9bdaaf2176e8b121fbd4ab41a8e67c059b2ece8db5bc7a0ce043e76bbc4e3f6400fb9cd2886e1ffcd9e65d79b

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

Filesize
24.6MB

MD5
d2b5af33bf7e45be6d7da6b51a3a66f7

SHA1
e8491fcbe2842de219d9b51b4612a81c13406eac

SHA256
bb84397e4ddfa1a7ce92079217ceb0ae0a877b4b0d23e7be3c43fa62dc4a35a8

SHA512
dabcecd433eb170ecac246eccd017912cb26d16412e0fc10b94d035f0912b2ba162d96c71e9836012cffa7c3098b0265a12a569976bf6829b337af0e018c3eb0

Download Submit
\??\Volume{d3053786-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{d693fc45-acb8-4c8f-887a-214bffb12648}_OnDiskSnapshotProp

Filesize
6KB

MD5
58ab0313fbc2d3212b1a32d6cd1d49cb

SHA1
8de10e90b4bf73e55b3aba19a012ad4e7d49b31e

SHA256
2749973c0d109b35f3084ef9d23ff57df40fb3047f08923cd1375fffb8413177

SHA512
f7909d5cad179e21113de53eeb7672c587480a9a962bc97f158c3544596f4cd5bea7de2e78c85290306e85440f37931d8e412d24ea0b0161d748c2b74e5905a4

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads