bumblebee | d99b63e1740aa4f779b91d22f508a4792f237f09413d24b51144e0694af5d34f

Analysis

max time kernel
147s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20230221-en
resource tags

arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system
submitted
02/03/2023, 12:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e4a5383ac32d5642eaf2c7406a0f1c0f.msi
Size

4.2MB
MD5

e4a5383ac32d5642eaf2c7406a0f1c0f
SHA1

3e5637d253c40aefdb0465df15bc057ed5c26186
SHA256

d99b63e1740aa4f779b91d22f508a4792f237f09413d24b51144e0694af5d34f
SHA512

ed7ae40e2475ca2bdeefbfb3f15df6e93c8c7d7781b31c2b0c5cab99ff8fec0487f7975b406eebb8117aca2038a11a658d129c32d4147275fd7770c1bfa28da8
SSDEEP

98304:lPKnw39kiUnMUYeg8F1HWMUKFln1RiZmSZ9J1zYfWwG:4wNJUnMUYetUKFZnpSf1w

Score

10^/10

bumblebee cisc117 trojan

Malware Config

Extracted

Family

bumblebee

rc4.plain

Extracted

Family

bumblebee

Botnet

cisc117

172.93.193.3:443

23.81.246.22:443

95.168.191.134:443

104.168.175.78:443

172.93.193.46:443

157.254.194.104:443

37.28.157.29:443

23.106.124.23:443

194.135.33.182:443

54.38.139.94:443

192.119.65.175:443

107.189.8.58:443

205.185.114.241:443

104.168.171.159:443

103.144.139.159:443

91.206.178.204:443

198.98.58.184:443

172.241.27.120:443

23.106.223.197:443

23.108.57.83:443

rc4.plain

Signatures

BumbleBee
BumbleBee is a webshell malware written in C++.
trojan bumblebee

Blocklisted process makes network request 5 IoCs

flow	pid	Process
50	5064	powershell.exe
73	5064	powershell.exe
74	5064	powershell.exe
75	5064	powershell.exe
76	5064	powershell.exe

Executes dropped EXE 1 IoCs

pid	Process
1092	CiscoSetup.exe

Loads dropped DLL 3 IoCs

pid	Process
1092	CiscoSetup.exe
3340	MsiExec.exe
3340	MsiExec.exe

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe

Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

pid	Process
5064	powershell.exe

Drops file in Windows directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\e56e266.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{DD475EBC-D960-4AF4-BB8A-BE91FA942756}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIE360.tmp	msiexec.exe
File created	C:\Windows\Installer\e56e268.msi	msiexec.exe
File created	C:\Windows\Installer\e56e266.msi	msiexec.exe

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 00000000040000008ccb747e6bc781e30000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff0000000027010100000800008ccb747e0000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3f000000ffffffff0000000007000100006809008ccb747e000000000000d0120000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000000000008ccb747e00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000000000008ccb747e00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
4652	msiexec.exe
4652	msiexec.exe
5064	powershell.exe
5064	powershell.exe
5064	powershell.exe
5064	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1352	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1352	msiexec.exe
Token: SeSecurityPrivilege	4652	msiexec.exe
Token: SeCreateTokenPrivilege	1352	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	1352	msiexec.exe
Token: SeLockMemoryPrivilege	1352	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1352	msiexec.exe
Token: SeMachineAccountPrivilege	1352	msiexec.exe
Token: SeTcbPrivilege	1352	msiexec.exe
Token: SeSecurityPrivilege	1352	msiexec.exe
Token: SeTakeOwnershipPrivilege	1352	msiexec.exe
Token: SeLoadDriverPrivilege	1352	msiexec.exe
Token: SeSystemProfilePrivilege	1352	msiexec.exe
Token: SeSystemtimePrivilege	1352	msiexec.exe
Token: SeProfSingleProcessPrivilege	1352	msiexec.exe
Token: SeIncBasePriorityPrivilege	1352	msiexec.exe
Token: SeCreatePagefilePrivilege	1352	msiexec.exe
Token: SeCreatePermanentPrivilege	1352	msiexec.exe
Token: SeBackupPrivilege	1352	msiexec.exe
Token: SeRestorePrivilege	1352	msiexec.exe
Token: SeShutdownPrivilege	1352	msiexec.exe
Token: SeDebugPrivilege	1352	msiexec.exe
Token: SeAuditPrivilege	1352	msiexec.exe
Token: SeSystemEnvironmentPrivilege	1352	msiexec.exe
Token: SeChangeNotifyPrivilege	1352	msiexec.exe
Token: SeRemoteShutdownPrivilege	1352	msiexec.exe
Token: SeUndockPrivilege	1352	msiexec.exe
Token: SeSyncAgentPrivilege	1352	msiexec.exe
Token: SeEnableDelegationPrivilege	1352	msiexec.exe
Token: SeManageVolumePrivilege	1352	msiexec.exe
Token: SeImpersonatePrivilege	1352	msiexec.exe
Token: SeCreateGlobalPrivilege	1352	msiexec.exe
Token: SeBackupPrivilege	1512	vssvc.exe
Token: SeRestorePrivilege	1512	vssvc.exe
Token: SeAuditPrivilege	1512	vssvc.exe
Token: SeBackupPrivilege	4652	msiexec.exe
Token: SeRestorePrivilege	4652	msiexec.exe
Token: SeRestorePrivilege	4652	msiexec.exe
Token: SeTakeOwnershipPrivilege	4652	msiexec.exe
Token: SeRestorePrivilege	4652	msiexec.exe
Token: SeTakeOwnershipPrivilege	4652	msiexec.exe
Token: SeRestorePrivilege	4652	msiexec.exe
Token: SeTakeOwnershipPrivilege	4652	msiexec.exe
Token: SeRestorePrivilege	4652	msiexec.exe
Token: SeTakeOwnershipPrivilege	4652	msiexec.exe
Token: SeRestorePrivilege	4652	msiexec.exe
Token: SeTakeOwnershipPrivilege	4652	msiexec.exe
Token: SeRestorePrivilege	4652	msiexec.exe
Token: SeTakeOwnershipPrivilege	4652	msiexec.exe
Token: SeRestorePrivilege	4652	msiexec.exe
Token: SeTakeOwnershipPrivilege	4652	msiexec.exe
Token: SeRestorePrivilege	4652	msiexec.exe
Token: SeTakeOwnershipPrivilege	4652	msiexec.exe
Token: SeRestorePrivilege	4652	msiexec.exe
Token: SeTakeOwnershipPrivilege	4652	msiexec.exe
Token: SeRestorePrivilege	4652	msiexec.exe
Token: SeTakeOwnershipPrivilege	4652	msiexec.exe
Token: SeRestorePrivilege	4652	msiexec.exe
Token: SeTakeOwnershipPrivilege	4652	msiexec.exe
Token: SeRestorePrivilege	4652	msiexec.exe
Token: SeTakeOwnershipPrivilege	4652	msiexec.exe
Token: SeRestorePrivilege	4652	msiexec.exe
Token: SeTakeOwnershipPrivilege	4652	msiexec.exe
Token: SeRestorePrivilege	4652	msiexec.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
1352	msiexec.exe
1352	msiexec.exe
4932	msiexec.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 4652 wrote to memory of 4136	4652	msiexec.exe	96
PID 4652 wrote to memory of 4136	4652	msiexec.exe	96
PID 4652 wrote to memory of 5064	4652	msiexec.exe	98
PID 4652 wrote to memory of 5064	4652	msiexec.exe	98
PID 4652 wrote to memory of 1092	4652	msiexec.exe	100
PID 4652 wrote to memory of 1092	4652	msiexec.exe	100
PID 4652 wrote to memory of 1092	4652	msiexec.exe	100
PID 5064 wrote to memory of 4436	5064	powershell.exe	101
PID 5064 wrote to memory of 4436	5064	powershell.exe	101
PID 1092 wrote to memory of 4932	1092	CiscoSetup.exe	102
PID 1092 wrote to memory of 4932	1092	CiscoSetup.exe	102
PID 4436 wrote to memory of 3112	4436	csc.exe	103
PID 4436 wrote to memory of 3112	4436	csc.exe	103
PID 4652 wrote to memory of 3340	4652	msiexec.exe	104
PID 4652 wrote to memory of 3340	4652	msiexec.exe	104
PID 4652 wrote to memory of 3340	4652	msiexec.exe	104
PID 5064 wrote to memory of 1520	5064	powershell.exe	106
PID 5064 wrote to memory of 1520	5064	powershell.exe	106
PID 1520 wrote to memory of 1420	1520	csc.exe	107
PID 1520 wrote to memory of 1420	1520	csc.exe	107

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\e4a5383ac32d5642eaf2c7406a0f1c0f.msi
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1352

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4652
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  PID:4136
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep bypass -file "C:\Users\Admin\AppData\Local\Temp\Package Installation Dir\cisco2.ps1"
  2⤵
  - Blocklisted process makes network request
  - Suspicious use of NtCreateThreadExHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:5064
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\okcgcmyq\okcgcmyq.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4436
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESEA16.tmp" "c:\Users\Admin\AppData\Local\Temp\okcgcmyq\CSC4A085BD47ABB481E85B5A1C452DEB4A.TMP"
      4⤵
      PID:3112
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\wlzn4ntv\wlzn4ntv.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1520
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF794.tmp" "c:\Users\Admin\AppData\Local\Temp\wlzn4ntv\CSCBB7DA8E4E7194EFC957B84757938B455.TMP"
      4⤵
      PID:1420
- C:\Users\Admin\AppData\Local\Temp\Package Installation Dir\CiscoSetup.exe
  "C:\Users\Admin\AppData\Local\Temp\Package Installation Dir\CiscoSetup.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1092
- - C:\Windows\system32\msiexec.exe
    /i "C:\Users\Admin\AppData\Local\Temp\install\7CD12F2\WinSetup-Release-web-deploy.msi" AI_SETUPEXEPATH="C:\Users\Admin\AppData\Local\Temp\Package Installation Dir\CiscoSetup.exe" SETUPEXEDIR="C:\Users\Admin\AppData\Local\Temp\Package Installation Dir\"
    3⤵
    - Enumerates connected drives
    - Suspicious use of FindShellTrayWindow
    PID:4932
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 1D961358287D0F0FC5E78E37C625003F C
  2⤵
  - Loads dropped DLL
  PID:3340

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:1512

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e56e267.rbs

Filesize
7KB

MD5
eff3757ef5064fb07b45d6479147ebd9

SHA1
8632ff184d47004e697b8e37506129223e4b6a3d

SHA256
e83abb8725f7495fa6af13388f5fbc304b4d04cf256479e86bd461ac7cce66bd

SHA512
ef5dd01a7e7d731723e599e46e14eadafe795b4597c87ab1c328e7adf781b3ba052f5af628b7a55ffa40ef6715b53df3d18c45635cc78a8c15da5d43699b4ed0

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIEA65.tmp

Filesize
43KB

MD5
b759a21d153a42060a53a89a26b9931c

SHA1
6260cecd55db44d75121b1f88506a4a9978c1b0f

SHA256
6adcc31d2e3746c81f47041e9c6cc576cfe303fc1ed6dadd002c54f98c20cbcd

SHA512
78bf70af5b91bd4dd3ed75e0f25957f8f7cb540872e7c2ead0c429ec1d493058a603a37c64236270b31602e226ac928983f6143d4df52b4058eed9c9be2259f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIEA65.tmp

Filesize
43KB

MD5
b759a21d153a42060a53a89a26b9931c

SHA1
6260cecd55db44d75121b1f88506a4a9978c1b0f

SHA256
6adcc31d2e3746c81f47041e9c6cc576cfe303fc1ed6dadd002c54f98c20cbcd

SHA512
78bf70af5b91bd4dd3ed75e0f25957f8f7cb540872e7c2ead0c429ec1d493058a603a37c64236270b31602e226ac928983f6143d4df52b4058eed9c9be2259f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIEC4A.tmp

Filesize
43KB

MD5
b759a21d153a42060a53a89a26b9931c

SHA1
6260cecd55db44d75121b1f88506a4a9978c1b0f

SHA256
6adcc31d2e3746c81f47041e9c6cc576cfe303fc1ed6dadd002c54f98c20cbcd

SHA512
78bf70af5b91bd4dd3ed75e0f25957f8f7cb540872e7c2ead0c429ec1d493058a603a37c64236270b31602e226ac928983f6143d4df52b4058eed9c9be2259f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIEC4A.tmp

Filesize
43KB

MD5
b759a21d153a42060a53a89a26b9931c

SHA1
6260cecd55db44d75121b1f88506a4a9978c1b0f

SHA256
6adcc31d2e3746c81f47041e9c6cc576cfe303fc1ed6dadd002c54f98c20cbcd

SHA512
78bf70af5b91bd4dd3ed75e0f25957f8f7cb540872e7c2ead0c429ec1d493058a603a37c64236270b31602e226ac928983f6143d4df52b4058eed9c9be2259f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Package Installation Dir\CiscoSetup.exe

Filesize
3.3MB

MD5
f58f1216150ab62f270d322930401d51

SHA1
30878587ace8ccfb0e054433fddf1d88f1e2ee90

SHA256
713c13abdc4ec1047ba2e2081c7a31f64ceac5fc6d7c6e21c56a16cd219e946c

SHA512
9aeccab1e95376d481f41faed0b19b5dce8ce993ee11b0a9e563bf10925b91ec7a0e8e2843df9cffc7409420bb62c0cf19d0596eaa9fefe1104ce3b7d9d8c9e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Package Installation Dir\CiscoSetup.exe

Filesize
3.3MB

MD5
f58f1216150ab62f270d322930401d51

SHA1
30878587ace8ccfb0e054433fddf1d88f1e2ee90

SHA256
713c13abdc4ec1047ba2e2081c7a31f64ceac5fc6d7c6e21c56a16cd219e946c

SHA512
9aeccab1e95376d481f41faed0b19b5dce8ce993ee11b0a9e563bf10925b91ec7a0e8e2843df9cffc7409420bb62c0cf19d0596eaa9fefe1104ce3b7d9d8c9e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Package Installation Dir\cisco2.ps1

Filesize
2.2MB

MD5
7708f4d0a27fcb9a315e0e2b9fa24248

SHA1
498ac3d0ddf4b19f6f7d3dacf03c4e2fbf8f993b

SHA256
0afe02415b9523c9f840be11d9561d1c07b41ac1f7b803b7112608ae8db29950

SHA512
af6b285e63c9c3db98d35492ff03ec08196c859f508834fc39d6b76283447f493bc721dfa15a2ad777c6e8547ade639f9379ac1cefa54e226096fb0aa4956f54

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESEA16.tmp

Filesize
1KB

MD5
34ee152480d6f1698f504711953dd027

SHA1
a3b8573d8e350297642b4663d46b5fcceaf2b826

SHA256
deb4e1b595523f5344309841e39d331ea97defe9e15efa370a1168b28c8ed66f

SHA512
54fa56c77bdf664cac86778a701cafae26dc81697b25a69a9ba2c1f75f3eb4499d550c38f52005ad9a2291305a5a4c6cbc719962548c1c4ea4f776bc16995685

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESF794.tmp

Filesize
1KB

MD5
56fb01e3dc211b76198a17ecdd44c289

SHA1
9d246d5990dc40d33be39bfc6863ecfafc4f2014

SHA256
2183a0dbb4346d33753e22a0a129e6e1751b33ef7bb6e895a2f2d79fb649fa58

SHA512
085c7296f228cc3bedb6fe2240b67b4c1bdcfb54802b5780fad405d1b8e0c1f97e736a3d0a65103d43b3293be2b2901a4211d42c1769015c10236df0b1e84ae3

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_z5z41mwj.zhn.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\install\7CD12F2\WinSetup-Release-web-deploy.msi

Filesize
347KB

MD5
9e81383d5c5694835ebe9c853546b856

SHA1
a115c76e85960ae9c6dc505dad92ebb4e206567e

SHA256
8058c37115d53b13d0bdccfc5b1360364e2d1476873906f924deff84c3c73e00

SHA512
0566890e88a7e70c0d3dde84acfb9e5e24023af68acb9dc00884f3dc061613afc1d6b669c48fa4d600aa2fb5f92534c117d301159e416b7ac46391d419e554a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\install\decoder.dll

Filesize
105KB

MD5
143da6747fff236a473bdf6007629490

SHA1
aed2e6ecbd53ce1e281cee958b3c867f14c8262d

SHA256
75f59cfba8c75d7646a697609a9baefb3388b1b6e66db37c50924e3fcba68893

SHA512
d52393c33b647ad82adfa1c66f7adb3f8d148d71675fca7df62c974ef9c1d0b25092164fe9603184370f8ecdb5d00d1dd61dd626ec7655b94e03509aaf9fddd1

Download Submit
C:\Users\Admin\AppData\Local\Temp\okcgcmyq\okcgcmyq.dll

Filesize
3KB

MD5
6f148cb45963bc936279853de0ee7246

SHA1
804415b0beb200ac6c71f4f3e5b13b3ccdd308f5

SHA256
fb3f3d722525e4878c13c997a6c943b56f04fa031ce2b9b2d3177093eb041166

SHA512
bd0faf6f093dd1bef9afdf15ec0ec4fe8db971c4506e2909c00ff41b10f03d241c548ac4e7bf4afe950eec15e19b55ab6ba06a101c6b2a1b827aae34b4fb09d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\wlzn4ntv\wlzn4ntv.dll

Filesize
3KB

MD5
3d012921b801e54e5299ebd93bb92818

SHA1
461b12be925095fd0320ce40a804c6e4d534c5ad

SHA256
2df43ba159f19f7d434f7ae69eb91ca27f04dcf731f1ec55dc2a354a3c308e69

SHA512
3f58b125e9d51e1bceaa0b7955d5956d50740468c9194c66172343d75176cd48e65fb4f4ff8cbf4595d098fbc212251a968a4e4987f726f2faf43a800236858a

Download Submit
C:\Windows\Installer\e56e266.msi

Filesize
4.2MB

MD5
e4a5383ac32d5642eaf2c7406a0f1c0f

SHA1
3e5637d253c40aefdb0465df15bc057ed5c26186

SHA256
d99b63e1740aa4f779b91d22f508a4792f237f09413d24b51144e0694af5d34f

SHA512
ed7ae40e2475ca2bdeefbfb3f15df6e93c8c7d7781b31c2b0c5cab99ff8fec0487f7975b406eebb8117aca2038a11a658d129c32d4147275fd7770c1bfa28da8

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

Filesize
23.0MB

MD5
9cf3c345b6c5b5e0c3aa7d65a1866146

SHA1
355f1a9b276a0e26e2e6c037b814b1140536774b

SHA256
e6d78c7990b816bc4c0bc2c3172f08e0641b3a316203984bcb167d6dd96c5440

SHA512
852460780684456f302d9b0934bfc5345ca9f2617fc0597e9f4b4af2108cc3f83c002869929a6bdf1907b29478664cf5be3166e2a9963dfcfef2b513df2c05be

Download Submit
\??\Volume{7e74cb8c-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{5cf76612-0596-4811-8de6-dd02c3d730d4}_OnDiskSnapshotProp

Filesize
5KB

MD5
e8ad7c2926c65d3d1f710a783f5736d7

SHA1
0fd6426623f13f85063961a6efbb00fb2194ae5f

SHA256
4c05d25230099369a68e74f16bcb1782d904332a9c0882e7ec72255f3c4ad513

SHA512
12c69f2089612121e6c1219d6e1034b01e428615515ac308b6adb14b0c0c90dbf6e63753c9664f251efb71d7503a4fb83a35adb3fb80011a4f2ca8134719cef3

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\okcgcmyq\CSC4A085BD47ABB481E85B5A1C452DEB4A.TMP

Filesize
652B

MD5
21ae9bdd177d7d81b2afc17f55b4b74e

SHA1
d372c1ad686894d70e26a3d882b105e6e8c955f3

SHA256
5ff9ae87ba33e01d722a2cbc208e868baf54a43a857641a790b99810f4cae4e5

SHA512
5b6247d50705c1365790921585f4601b8293f05749999e885a814da631e8c93b77e462afe8fdb18853a754dbfb7d00e03b67c0f97e6c5f113fb4433f27ffbedf

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\okcgcmyq\okcgcmyq.0.cs

Filesize
203B

MD5
b611be9282deb44eed731f72bcbb2b82

SHA1
cc1d606d853bbabd5fef87255356a0d54381c289

SHA256
ee09fdd61a05266e4e09f418fc6a452f1205d9f29afba6b8a1579333dc3ff3b6

SHA512
63b5ad7b65fd4866fb8841e4eee567e4f1e7888bb9fda8dd5c8dca3461d084d3f80ce920ae321609e4ff32ba13a55b7320282ce7201bb74a793d4700240360a4

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\okcgcmyq\okcgcmyq.cmdline

Filesize
369B

MD5
7ebef4b6dc71b74dbfa88ed2512c8405

SHA1
df07683fea848862e673b93bf238dca4c0b37d9d

SHA256
fa6a6ad8c5d2ed92b1a1dedd5372a78eaf211a95e6ef2f19916f669a094b4e73

SHA512
d7630e7027070995fbf046e77115c10b2a97c865b6908a8ad1013d120ff4559905506f67a992dac58c89b530644f4e1e674f9bbef21d41cf3b39a6989011571a

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\wlzn4ntv\CSCBB7DA8E4E7194EFC957B84757938B455.TMP

Filesize
652B

MD5
5a41ed709abdc87cbb6e673edb219661

SHA1
8bf71f2eba8e477fea1978931e5e8c870e8742b5

SHA256
3c54a0493d02fa0559fc7e6dd4b39a2146d8282034a626994c0967af0ac191ef

SHA512
16c8ce5e68cfcfb6cca34a5846ab1770c05fabf1bbd12ad547814a4b8879d1ecd079520e13b2416c4352b46332a690611ccf42fc8e60ad8fec2f87beae64bb0c

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\wlzn4ntv\wlzn4ntv.0.cs

Filesize
582B

MD5
2bb8d0ee93aeae61a09adf4db6f29c1c

SHA1
8da3034bb8f84ea2522e276b492b2797b5db30ca

SHA256
68d44e3c373d2aec9dacf51326cbfebcba76c1c1a56545e5e1cbf58b44a9f817

SHA512
b3ec6841a9541e96a671a7d81378293567972541d9cdfc3137b478d9b4d3cccd4b5f536d0f059ee9c12fe9ba86bca62b795139a5215843465cb751e0ade95677

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\wlzn4ntv\wlzn4ntv.cmdline

Filesize
369B

MD5
dbe7c4030147ff5c6ce7afab268b84fd

SHA1
939f6810f55ab104830830be7cf2f730c189d369

SHA256
69e70c6df15aacad8f63c9943758becaa93b5cda09be473fcb1e51ed0dea8596

SHA512
49eb07d484a06c17cbe5311dfeff86cdc3e44a90681790729ea369bbdae4ca2243fb046b06dd86b236161310225774d3f2cd3b82b97496144ade55cd05c63c4a

Download Submit
memory/5064-169-0x000001BDAA6E0000-0x000001BDAA6F0000-memory.dmp

Filesize
64KB

Download
memory/5064-317-0x00007FFD58730000-0x00007FFD58731000-memory.dmp

Filesize
4KB

Download
memory/5064-307-0x000001BDAAAB0000-0x000001BDAAC24000-memory.dmp

Filesize
1.5MB

Download
memory/5064-313-0x000001BDAA6E0000-0x000001BDAA6F0000-memory.dmp

Filesize
64KB

Download
memory/5064-314-0x000001BDAAC30000-0x000001BDAADA4000-memory.dmp

Filesize
1.5MB

Download
memory/5064-315-0x000001BDAAC30000-0x000001BDAADA4000-memory.dmp

Filesize
1.5MB

Download
memory/5064-316-0x000001BDAAC30000-0x000001BDAADA4000-memory.dmp

Filesize
1.5MB

Download
memory/5064-168-0x000001BDAA6A0000-0x000001BDAA6C2000-memory.dmp

Filesize
136KB

Download
memory/5064-319-0x000001BDAAC30000-0x000001BDAACEE000-memory.dmp

Filesize
760KB

Download
memory/5064-321-0x000001BDAA6E0000-0x000001BDAA6F0000-memory.dmp

Filesize
64KB

Download
memory/5064-322-0x000001BDAA6E0000-0x000001BDAA6F0000-memory.dmp

Filesize
64KB

Download
memory/5064-323-0x000001BDAA6E0000-0x000001BDAA6F0000-memory.dmp

Filesize
64KB

Download
memory/5064-175-0x000001BDAA6E0000-0x000001BDAA6F0000-memory.dmp

Filesize
64KB

Download
memory/5064-176-0x000001BDAA6E0000-0x000001BDAA6F0000-memory.dmp

Filesize
64KB

Download
memory/5064-326-0x000001BDAA6E0000-0x000001BDAA6F0000-memory.dmp

Filesize
64KB

Download