b1bae0bca6cef482524586746abfda822829edad434a164cf764eb34c15736a6

Analysis

max time kernel
61s
max time network
33s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
17-03-2023 04:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

r4.msi
Size

4.2MB
MD5

72f7a880209c875d48c153b5b8db71f9
SHA1

f861232236ddcd2df75dfe77c7ba5342b84bf777
SHA256

b1bae0bca6cef482524586746abfda822829edad434a164cf764eb34c15736a6
SHA512

fe9c4f18ac24f89aac02dcc372a65c9d611c3d4755fdd060ae50d79228192b788fca61aef6776b0aa4576d5f124de77ec2b7a790bd2d87099ac357e165ddaac9
SSDEEP

98304:PPKnw39kiUnMUYeg8F1HWMUKFln1EJCl1ZPYzrkFE:6wNJUnMUYetUKFZ+CFPY0F

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1452	CiscoSetup.exe

Loads dropped DLL 3 IoCs

pid	Process
1452	CiscoSetup.exe
812	MsiExec.exe
812	MsiExec.exe

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe

Drops file in Windows directory 10 IoCs

description	ioc	Process
File created	C:\Windows\Installer\6c7216.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI73BA.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\6c7216.ipi	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.ev1	DrvInst.exe
File created	C:\Windows\Installer\6c7215.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\6c7215.msi	msiexec.exe
File created	C:\Windows\Installer\6c7218.msi	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.ev3	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe

Modifies data under HKEY_USERS 43 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	DrvInst.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
524	msiexec.exe
524	msiexec.exe
1072	powershell.exe
1072	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	308	msiexec.exe
Token: SeIncreaseQuotaPrivilege	308	msiexec.exe
Token: SeRestorePrivilege	524	msiexec.exe
Token: SeTakeOwnershipPrivilege	524	msiexec.exe
Token: SeSecurityPrivilege	524	msiexec.exe
Token: SeCreateTokenPrivilege	308	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	308	msiexec.exe
Token: SeLockMemoryPrivilege	308	msiexec.exe
Token: SeIncreaseQuotaPrivilege	308	msiexec.exe
Token: SeMachineAccountPrivilege	308	msiexec.exe
Token: SeTcbPrivilege	308	msiexec.exe
Token: SeSecurityPrivilege	308	msiexec.exe
Token: SeTakeOwnershipPrivilege	308	msiexec.exe
Token: SeLoadDriverPrivilege	308	msiexec.exe
Token: SeSystemProfilePrivilege	308	msiexec.exe
Token: SeSystemtimePrivilege	308	msiexec.exe
Token: SeProfSingleProcessPrivilege	308	msiexec.exe
Token: SeIncBasePriorityPrivilege	308	msiexec.exe
Token: SeCreatePagefilePrivilege	308	msiexec.exe
Token: SeCreatePermanentPrivilege	308	msiexec.exe
Token: SeBackupPrivilege	308	msiexec.exe
Token: SeRestorePrivilege	308	msiexec.exe
Token: SeShutdownPrivilege	308	msiexec.exe
Token: SeDebugPrivilege	308	msiexec.exe
Token: SeAuditPrivilege	308	msiexec.exe
Token: SeSystemEnvironmentPrivilege	308	msiexec.exe
Token: SeChangeNotifyPrivilege	308	msiexec.exe
Token: SeRemoteShutdownPrivilege	308	msiexec.exe
Token: SeUndockPrivilege	308	msiexec.exe
Token: SeSyncAgentPrivilege	308	msiexec.exe
Token: SeEnableDelegationPrivilege	308	msiexec.exe
Token: SeManageVolumePrivilege	308	msiexec.exe
Token: SeImpersonatePrivilege	308	msiexec.exe
Token: SeCreateGlobalPrivilege	308	msiexec.exe
Token: SeBackupPrivilege	984	vssvc.exe
Token: SeRestorePrivilege	984	vssvc.exe
Token: SeAuditPrivilege	984	vssvc.exe
Token: SeBackupPrivilege	524	msiexec.exe
Token: SeRestorePrivilege	524	msiexec.exe
Token: SeRestorePrivilege	1704	DrvInst.exe
Token: SeRestorePrivilege	1704	DrvInst.exe
Token: SeRestorePrivilege	1704	DrvInst.exe
Token: SeRestorePrivilege	1704	DrvInst.exe
Token: SeRestorePrivilege	1704	DrvInst.exe
Token: SeRestorePrivilege	1704	DrvInst.exe
Token: SeRestorePrivilege	1704	DrvInst.exe
Token: SeLoadDriverPrivilege	1704	DrvInst.exe
Token: SeLoadDriverPrivilege	1704	DrvInst.exe
Token: SeLoadDriverPrivilege	1704	DrvInst.exe
Token: SeRestorePrivilege	524	msiexec.exe
Token: SeTakeOwnershipPrivilege	524	msiexec.exe
Token: SeRestorePrivilege	524	msiexec.exe
Token: SeTakeOwnershipPrivilege	524	msiexec.exe
Token: SeRestorePrivilege	524	msiexec.exe
Token: SeTakeOwnershipPrivilege	524	msiexec.exe
Token: SeRestorePrivilege	524	msiexec.exe
Token: SeTakeOwnershipPrivilege	524	msiexec.exe
Token: SeRestorePrivilege	524	msiexec.exe
Token: SeTakeOwnershipPrivilege	524	msiexec.exe
Token: SeRestorePrivilege	524	msiexec.exe
Token: SeTakeOwnershipPrivilege	524	msiexec.exe
Token: SeRestorePrivilege	524	msiexec.exe
Token: SeTakeOwnershipPrivilege	524	msiexec.exe
Token: SeRestorePrivilege	524	msiexec.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
308	msiexec.exe
308	msiexec.exe
1820	msiexec.exe

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 524 wrote to memory of 1072	524	msiexec.exe	31
PID 524 wrote to memory of 1072	524	msiexec.exe	31
PID 524 wrote to memory of 1072	524	msiexec.exe	31
PID 524 wrote to memory of 1452	524	msiexec.exe	33
PID 524 wrote to memory of 1452	524	msiexec.exe	33
PID 524 wrote to memory of 1452	524	msiexec.exe	33
PID 524 wrote to memory of 1452	524	msiexec.exe	33
PID 524 wrote to memory of 1452	524	msiexec.exe	33
PID 524 wrote to memory of 1452	524	msiexec.exe	33
PID 524 wrote to memory of 1452	524	msiexec.exe	33
PID 1452 wrote to memory of 1820	1452	CiscoSetup.exe	34
PID 1452 wrote to memory of 1820	1452	CiscoSetup.exe	34
PID 1452 wrote to memory of 1820	1452	CiscoSetup.exe	34
PID 1452 wrote to memory of 1820	1452	CiscoSetup.exe	34
PID 1452 wrote to memory of 1820	1452	CiscoSetup.exe	34
PID 1452 wrote to memory of 1820	1452	CiscoSetup.exe	34
PID 1452 wrote to memory of 1820	1452	CiscoSetup.exe	34
PID 524 wrote to memory of 812	524	msiexec.exe	35
PID 524 wrote to memory of 812	524	msiexec.exe	35
PID 524 wrote to memory of 812	524	msiexec.exe	35
PID 524 wrote to memory of 812	524	msiexec.exe	35
PID 524 wrote to memory of 812	524	msiexec.exe	35
PID 524 wrote to memory of 812	524	msiexec.exe	35
PID 524 wrote to memory of 812	524	msiexec.exe	35
PID 1072 wrote to memory of 820	1072	powershell.exe	36
PID 1072 wrote to memory of 820	1072	powershell.exe	36
PID 1072 wrote to memory of 820	1072	powershell.exe	36
PID 820 wrote to memory of 1256	820	csc.exe	37
PID 820 wrote to memory of 1256	820	csc.exe	37
PID 820 wrote to memory of 1256	820	csc.exe	37

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\r4.msi
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:308

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:524
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep bypass -file "C:\Users\Admin\AppData\Local\Temp\Package Installation Dir\ciscoinstall.ps1"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1072
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
    "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\hnastdsg.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:820
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES823C.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC823B.tmp"
      4⤵
      PID:1256
- C:\Users\Admin\AppData\Local\Temp\Package Installation Dir\CiscoSetup.exe
  "C:\Users\Admin\AppData\Local\Temp\Package Installation Dir\CiscoSetup.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1452
- - C:\Windows\system32\msiexec.exe
    /i "C:\Users\Admin\AppData\Local\Temp\install\7CD12F2\WinSetup-Release-web-deploy.msi" AI_SETUPEXEPATH="C:\Users\Admin\AppData\Local\Temp\Package Installation Dir\CiscoSetup.exe" SETUPEXEDIR="C:\Users\Admin\AppData\Local\Temp\Package Installation Dir\"
    3⤵
    - Enumerates connected drives
    - Suspicious use of FindShellTrayWindow
    PID:1820
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 5FA73C4929B2B20E597DD92E4DC48C56 C
  2⤵
  - Loads dropped DLL
  PID:812

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:984

C:\Windows\system32\DrvInst.exe
DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000003A0" "00000000000005B4"
1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1704

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\6c7217.rbs

Filesize
7KB

MD5
cba1ec5b55051540c2aaf1f50fa5e21a

SHA1
ecaf835a9ea4103f8446e9f5547dbe1b997b65cd

SHA256
c647e98258ab16481f1c5c205763963af548ca8b1bbfd12c5505ee0971aaaa5f

SHA512
4d5ccc42654b571e7748405eba457257a2381dafcc51b9f196b8607fc56b21407d2213f6553980bc6a60e6c2fd006bcc34d6c1d0113836d056d1440b77aa3f77

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI7B68.tmp

Filesize
43KB

MD5
b759a21d153a42060a53a89a26b9931c

SHA1
6260cecd55db44d75121b1f88506a4a9978c1b0f

SHA256
6adcc31d2e3746c81f47041e9c6cc576cfe303fc1ed6dadd002c54f98c20cbcd

SHA512
78bf70af5b91bd4dd3ed75e0f25957f8f7cb540872e7c2ead0c429ec1d493058a603a37c64236270b31602e226ac928983f6143d4df52b4058eed9c9be2259f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI81A0.tmp

Filesize
43KB

MD5
b759a21d153a42060a53a89a26b9931c

SHA1
6260cecd55db44d75121b1f88506a4a9978c1b0f

SHA256
6adcc31d2e3746c81f47041e9c6cc576cfe303fc1ed6dadd002c54f98c20cbcd

SHA512
78bf70af5b91bd4dd3ed75e0f25957f8f7cb540872e7c2ead0c429ec1d493058a603a37c64236270b31602e226ac928983f6143d4df52b4058eed9c9be2259f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Package Installation Dir\CiscoSetup.exe

Filesize
3.3MB

MD5
f58f1216150ab62f270d322930401d51

SHA1
30878587ace8ccfb0e054433fddf1d88f1e2ee90

SHA256
713c13abdc4ec1047ba2e2081c7a31f64ceac5fc6d7c6e21c56a16cd219e946c

SHA512
9aeccab1e95376d481f41faed0b19b5dce8ce993ee11b0a9e563bf10925b91ec7a0e8e2843df9cffc7409420bb62c0cf19d0596eaa9fefe1104ce3b7d9d8c9e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Package Installation Dir\CiscoSetup.exe

Filesize
3.3MB

MD5
f58f1216150ab62f270d322930401d51

SHA1
30878587ace8ccfb0e054433fddf1d88f1e2ee90

SHA256
713c13abdc4ec1047ba2e2081c7a31f64ceac5fc6d7c6e21c56a16cd219e946c

SHA512
9aeccab1e95376d481f41faed0b19b5dce8ce993ee11b0a9e563bf10925b91ec7a0e8e2843df9cffc7409420bb62c0cf19d0596eaa9fefe1104ce3b7d9d8c9e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Package Installation Dir\ciscoinstall.ps1

Filesize
2.2MB

MD5
962cc61dc68b2a4a30b1b71c5e775a58

SHA1
a4f8be8adef32440dc2c4ec0139033cc080ed67a

SHA256
c45c37b7925da4793ef5b8c203fb6dd5fa31f248f0d30d1263f22559624d555d

SHA512
969c34cfa053a0db89c13840e7f56237fccb21ff1a7aed78ba10d1439f3b13c47b0083eaa4b91f6563bc4bd4080546a85f091c991f7de457e1ce7d53ca9b35f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES823C.tmp

Filesize
1KB

MD5
14427791210929947bfd7ae9895d6d1f

SHA1
e307bf2078b6be8a429f8c2124c3d5ccbbe76562

SHA256
1675c505562d9542082f3d9230689b6968aa51352413c154dca3296f949beb9b

SHA512
f0e4e7ef715cbdc1315802138e346b7f354a5ab913ecfbc5c5e665ea3d8df2401ceee1c95e7696c1804ca19682db5f06be56c8d447f9da5c8f94a069e147f87b

Download Submit
C:\Users\Admin\AppData\Local\Temp\hnastdsg.dll

Filesize
3KB

MD5
f469e5dd03ff01879ce4d4248a255c0d

SHA1
f24221f27813a6d6bd331795d45a927e24af6b8f

SHA256
5d613a5fc4cbb5277d0ea1bc1296bcfbe4528924ee38f2eabe495991aa24c745

SHA512
56675024e8ab918d1adbdf82c580305bcf8f1e252e0c4fa1d0180ef3d8589d018b297de561572a50bd429781f0e19c0cf9e572eba07b50ca20125ae2517f8271

Download Submit
C:\Users\Admin\AppData\Local\Temp\hnastdsg.pdb

Filesize
7KB

MD5
d982648bc5d338c51c932a2d1145130f

SHA1
f8669b04d5bcc9b5158a2faf87173aef0731c4a8

SHA256
360a331b9872dc71bf2e519c85c1a8882327d8ae6eec0e6e8568afad560e12a5

SHA512
c27d9d537b0bdbb4306a9a9dd49c615d7a7913b64b1969bc5274ddfba2e4595b3252a0b73f414708315578a87bbf64c253c4ff9ce83d932919fb11b714dcbd3f

Download Submit
C:\Users\Admin\AppData\Local\Temp\install\7CD12F2\WinSetup-Release-web-deploy.msi

Filesize
347KB

MD5
9e81383d5c5694835ebe9c853546b856

SHA1
a115c76e85960ae9c6dc505dad92ebb4e206567e

SHA256
8058c37115d53b13d0bdccfc5b1360364e2d1476873906f924deff84c3c73e00

SHA512
0566890e88a7e70c0d3dde84acfb9e5e24023af68acb9dc00884f3dc061613afc1d6b669c48fa4d600aa2fb5f92534c117d301159e416b7ac46391d419e554a2

Download Submit
C:\Windows\Installer\6c7215.msi

Filesize
4.2MB

MD5
72f7a880209c875d48c153b5b8db71f9

SHA1
f861232236ddcd2df75dfe77c7ba5342b84bf777

SHA256
b1bae0bca6cef482524586746abfda822829edad434a164cf764eb34c15736a6

SHA512
fe9c4f18ac24f89aac02dcc372a65c9d611c3d4755fdd060ae50d79228192b788fca61aef6776b0aa4576d5f124de77ec2b7a790bd2d87099ac357e165ddaac9

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC823B.tmp

Filesize
652B

MD5
513365c0da90ab4f7311d3bd500bfcef

SHA1
3b201370cde718730ece637f8f796df6242d4ad1

SHA256
ae1dcbfe514526c819da51e5ed33478e594a156503fa4547f01ed343edfa86cd

SHA512
f9cc3cac83724e46cbf33f1c05680b9f241ec193d735665c991e2e4fa82ea229161cd0d8ea441a4212e4b740b04033ce5d850a2c0697c98a3c77070ad8cde0d6

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\hnastdsg.0.cs

Filesize
203B

MD5
b611be9282deb44eed731f72bcbb2b82

SHA1
cc1d606d853bbabd5fef87255356a0d54381c289

SHA256
ee09fdd61a05266e4e09f418fc6a452f1205d9f29afba6b8a1579333dc3ff3b6

SHA512
63b5ad7b65fd4866fb8841e4eee567e4f1e7888bb9fda8dd5c8dca3461d084d3f80ce920ae321609e4ff32ba13a55b7320282ce7201bb74a793d4700240360a4

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\hnastdsg.cmdline

Filesize
309B

MD5
0c27ef6d84f04718f832d7c4daab1458

SHA1
6f62abf11767967a394650c5e56d4d19eeb7fdd4

SHA256
c9ec631848a7bae1afc8701d171d0f643a63e79ce916d58c7550c7c3e0b3a5ab

SHA512
a70416c6ef43ab3c2905c953713d8badf55d37a7d69cd149d69deab28a38cae105386823ba834709fc509aa79776751a00f4eb92bce6caff61e2198579a96cc7

Download Submit
\Users\Admin\AppData\Local\Temp\MSI7B68.tmp

Filesize
43KB

MD5
b759a21d153a42060a53a89a26b9931c

SHA1
6260cecd55db44d75121b1f88506a4a9978c1b0f

SHA256
6adcc31d2e3746c81f47041e9c6cc576cfe303fc1ed6dadd002c54f98c20cbcd

SHA512
78bf70af5b91bd4dd3ed75e0f25957f8f7cb540872e7c2ead0c429ec1d493058a603a37c64236270b31602e226ac928983f6143d4df52b4058eed9c9be2259f0

Download Submit
\Users\Admin\AppData\Local\Temp\MSI81A0.tmp

Filesize
43KB

MD5
b759a21d153a42060a53a89a26b9931c

SHA1
6260cecd55db44d75121b1f88506a4a9978c1b0f

SHA256
6adcc31d2e3746c81f47041e9c6cc576cfe303fc1ed6dadd002c54f98c20cbcd

SHA512
78bf70af5b91bd4dd3ed75e0f25957f8f7cb540872e7c2ead0c429ec1d493058a603a37c64236270b31602e226ac928983f6143d4df52b4058eed9c9be2259f0

Download Submit
\Users\Admin\AppData\Local\Temp\install\decoder.dll

Filesize
105KB

MD5
143da6747fff236a473bdf6007629490

SHA1
aed2e6ecbd53ce1e281cee958b3c867f14c8262d

SHA256
75f59cfba8c75d7646a697609a9baefb3388b1b6e66db37c50924e3fcba68893

SHA512
d52393c33b647ad82adfa1c66f7adb3f8d148d71675fca7df62c974ef9c1d0b25092164fe9603184370f8ecdb5d00d1dd61dd626ec7655b94e03509aaf9fddd1

Download Submit
memory/820-207-0x0000000002190000-0x0000000002210000-memory.dmp

Filesize
512KB

Download
memory/1072-190-0x0000000002670000-0x00000000026F0000-memory.dmp

Filesize
512KB

Download
memory/1072-189-0x0000000002670000-0x00000000026F0000-memory.dmp

Filesize
512KB

Download
memory/1072-188-0x0000000002670000-0x00000000026F0000-memory.dmp

Filesize
512KB

Download
memory/1072-156-0x0000000002390000-0x0000000002398000-memory.dmp

Filesize
32KB

Download
memory/1072-152-0x000000001B180000-0x000000001B462000-memory.dmp

Filesize
2.9MB

Download
memory/1072-211-0x0000000002830000-0x0000000002838000-memory.dmp

Filesize
32KB

Download