bumblebee | b1bae0bca6cef482524586746abfda822829edad434a164cf764eb34c15736a6

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
17/03/2023, 04:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

r4.msi
Size

4.2MB
MD5

72f7a880209c875d48c153b5b8db71f9
SHA1

f861232236ddcd2df75dfe77c7ba5342b84bf777
SHA256

b1bae0bca6cef482524586746abfda822829edad434a164cf764eb34c15736a6
SHA512

fe9c4f18ac24f89aac02dcc372a65c9d611c3d4755fdd060ae50d79228192b788fca61aef6776b0aa4576d5f124de77ec2b7a790bd2d87099ac357e165ddaac9
SSDEEP

98304:PPKnw39kiUnMUYeg8F1HWMUKFln1EJCl1ZPYzrkFE:6wNJUnMUYetUKFZ+CFPY0F

Score

10^/10

bumblebee cis21503 trojan

Malware Config

Extracted

Family

bumblebee

rc4.plain

Extracted

Family

bumblebee

Botnet

cis21503

194.135.33.90:443

45.66.248.64:443

107.189.1.219:443

rc4.plain

Signatures

BumbleBee
BumbleBee is a webshell malware written in C++.
trojan bumblebee

Blocklisted process makes network request 7 IoCs

flow	pid	Process
44	4548	powershell.exe
49	4548	powershell.exe
67	4548	powershell.exe
68	4548	powershell.exe
73	4548	powershell.exe
74	4548	powershell.exe
75	4548	powershell.exe

Executes dropped EXE 1 IoCs

pid	Process
3868	CiscoSetup.exe

Loads dropped DLL 3 IoCs

pid	Process
3868	CiscoSetup.exe
3756	MsiExec.exe
3756	MsiExec.exe

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe

Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

pid	Process
4548	powershell.exe

Drops file in Windows directory 8 IoCs

description	ioc	Process
File created	C:\Windows\Installer\e56f2a2.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e56f2a2.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{DD475EBC-D960-4AF4-BB8A-BE91FA942756}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIF3FA.tmp	msiexec.exe
File created	C:\Windows\Installer\e56f2a4.msi	msiexec.exe

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 0000000004000000a577c74c521b2f150000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff000000002701010000080000a577c74c0000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3f000000ffffffff000000000700010000680900a577c74c000000000000d0120000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000a577c74c00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000a577c74c00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
4740	msiexec.exe
4740	msiexec.exe
4548	powershell.exe
4548	powershell.exe
4548	powershell.exe
4548	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2396	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2396	msiexec.exe
Token: SeSecurityPrivilege	4740	msiexec.exe
Token: SeCreateTokenPrivilege	2396	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2396	msiexec.exe
Token: SeLockMemoryPrivilege	2396	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2396	msiexec.exe
Token: SeMachineAccountPrivilege	2396	msiexec.exe
Token: SeTcbPrivilege	2396	msiexec.exe
Token: SeSecurityPrivilege	2396	msiexec.exe
Token: SeTakeOwnershipPrivilege	2396	msiexec.exe
Token: SeLoadDriverPrivilege	2396	msiexec.exe
Token: SeSystemProfilePrivilege	2396	msiexec.exe
Token: SeSystemtimePrivilege	2396	msiexec.exe
Token: SeProfSingleProcessPrivilege	2396	msiexec.exe
Token: SeIncBasePriorityPrivilege	2396	msiexec.exe
Token: SeCreatePagefilePrivilege	2396	msiexec.exe
Token: SeCreatePermanentPrivilege	2396	msiexec.exe
Token: SeBackupPrivilege	2396	msiexec.exe
Token: SeRestorePrivilege	2396	msiexec.exe
Token: SeShutdownPrivilege	2396	msiexec.exe
Token: SeDebugPrivilege	2396	msiexec.exe
Token: SeAuditPrivilege	2396	msiexec.exe
Token: SeSystemEnvironmentPrivilege	2396	msiexec.exe
Token: SeChangeNotifyPrivilege	2396	msiexec.exe
Token: SeRemoteShutdownPrivilege	2396	msiexec.exe
Token: SeUndockPrivilege	2396	msiexec.exe
Token: SeSyncAgentPrivilege	2396	msiexec.exe
Token: SeEnableDelegationPrivilege	2396	msiexec.exe
Token: SeManageVolumePrivilege	2396	msiexec.exe
Token: SeImpersonatePrivilege	2396	msiexec.exe
Token: SeCreateGlobalPrivilege	2396	msiexec.exe
Token: SeBackupPrivilege	4948	vssvc.exe
Token: SeRestorePrivilege	4948	vssvc.exe
Token: SeAuditPrivilege	4948	vssvc.exe
Token: SeBackupPrivilege	4740	msiexec.exe
Token: SeRestorePrivilege	4740	msiexec.exe
Token: SeRestorePrivilege	4740	msiexec.exe
Token: SeTakeOwnershipPrivilege	4740	msiexec.exe
Token: SeRestorePrivilege	4740	msiexec.exe
Token: SeTakeOwnershipPrivilege	4740	msiexec.exe
Token: SeRestorePrivilege	4740	msiexec.exe
Token: SeTakeOwnershipPrivilege	4740	msiexec.exe
Token: SeRestorePrivilege	4740	msiexec.exe
Token: SeTakeOwnershipPrivilege	4740	msiexec.exe
Token: SeRestorePrivilege	4740	msiexec.exe
Token: SeTakeOwnershipPrivilege	4740	msiexec.exe
Token: SeRestorePrivilege	4740	msiexec.exe
Token: SeTakeOwnershipPrivilege	4740	msiexec.exe
Token: SeRestorePrivilege	4740	msiexec.exe
Token: SeTakeOwnershipPrivilege	4740	msiexec.exe
Token: SeRestorePrivilege	4740	msiexec.exe
Token: SeTakeOwnershipPrivilege	4740	msiexec.exe
Token: SeRestorePrivilege	4740	msiexec.exe
Token: SeTakeOwnershipPrivilege	4740	msiexec.exe
Token: SeRestorePrivilege	4740	msiexec.exe
Token: SeTakeOwnershipPrivilege	4740	msiexec.exe
Token: SeRestorePrivilege	4740	msiexec.exe
Token: SeTakeOwnershipPrivilege	4740	msiexec.exe
Token: SeRestorePrivilege	4740	msiexec.exe
Token: SeTakeOwnershipPrivilege	4740	msiexec.exe
Token: SeRestorePrivilege	4740	msiexec.exe
Token: SeTakeOwnershipPrivilege	4740	msiexec.exe
Token: SeRestorePrivilege	4740	msiexec.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
2396	msiexec.exe
2396	msiexec.exe
1528	msiexec.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 4740 wrote to memory of 4952	4740	msiexec.exe	94
PID 4740 wrote to memory of 4952	4740	msiexec.exe	94
PID 4740 wrote to memory of 4548	4740	msiexec.exe	96
PID 4740 wrote to memory of 4548	4740	msiexec.exe	96
PID 4740 wrote to memory of 3868	4740	msiexec.exe	97
PID 4740 wrote to memory of 3868	4740	msiexec.exe	97
PID 4740 wrote to memory of 3868	4740	msiexec.exe	97
PID 3868 wrote to memory of 1528	3868	CiscoSetup.exe	100
PID 3868 wrote to memory of 1528	3868	CiscoSetup.exe	100
PID 4548 wrote to memory of 1080	4548	powershell.exe	99
PID 4548 wrote to memory of 1080	4548	powershell.exe	99
PID 4740 wrote to memory of 3756	4740	msiexec.exe	102
PID 4740 wrote to memory of 3756	4740	msiexec.exe	102
PID 4740 wrote to memory of 3756	4740	msiexec.exe	102
PID 1080 wrote to memory of 2220	1080	csc.exe	103
PID 1080 wrote to memory of 2220	1080	csc.exe	103
PID 4548 wrote to memory of 2072	4548	powershell.exe	104
PID 4548 wrote to memory of 2072	4548	powershell.exe	104
PID 2072 wrote to memory of 1876	2072	csc.exe	105
PID 2072 wrote to memory of 1876	2072	csc.exe	105

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\r4.msi
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2396

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4740
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  PID:4952
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep bypass -file "C:\Users\Admin\AppData\Local\Temp\Package Installation Dir\ciscoinstall.ps1"
  2⤵
  - Blocklisted process makes network request
  - Suspicious use of NtCreateThreadExHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4548
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\gtzo3tww\gtzo3tww.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1080
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFB5C.tmp" "c:\Users\Admin\AppData\Local\Temp\gtzo3tww\CSCF1745F4E42044FC99C99FE7475E2862.TMP"
      4⤵
      PID:2220
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\2ihlkkkq\2ihlkkkq.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2072
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC93.tmp" "c:\Users\Admin\AppData\Local\Temp\2ihlkkkq\CSCAC568E094FC24E41BFE53F4433B7D3.TMP"
      4⤵
      PID:1876
- C:\Users\Admin\AppData\Local\Temp\Package Installation Dir\CiscoSetup.exe
  "C:\Users\Admin\AppData\Local\Temp\Package Installation Dir\CiscoSetup.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:3868
- - C:\Windows\system32\msiexec.exe
    /i "C:\Users\Admin\AppData\Local\Temp\install\7CD12F2\WinSetup-Release-web-deploy.msi" AI_SETUPEXEPATH="C:\Users\Admin\AppData\Local\Temp\Package Installation Dir\CiscoSetup.exe" SETUPEXEDIR="C:\Users\Admin\AppData\Local\Temp\Package Installation Dir\"
    3⤵
    - Enumerates connected drives
    - Suspicious use of FindShellTrayWindow
    PID:1528
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 2D7970B1C184D81D415BADC52AFDAE57 C
  2⤵
  - Loads dropped DLL
  PID:3756

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:4948

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e56f2a3.rbs

Filesize
7KB

MD5
730ea1e860cb57a20d2a8f758e9bc885

SHA1
703eb6ad01669d83ac6744da5c7a931ecd1485db

SHA256
595982496bdce999e8325a9f7e04bbdcf2a1bac74ea9db85ee24cc175f26a9be

SHA512
6f0d35b22f2ae0e95911d087cb4c36d9707c28003d2b5572b1a6a76226fbc59c51b21e3dd1a0a284e798922783a3d5b6d7ffd9dc3f538cb14779fc7a3eaa3422

Download Submit
C:\Users\Admin\AppData\Local\Temp\2ihlkkkq\2ihlkkkq.dll

Filesize
3KB

MD5
76efacf28a7bab8e481e0e2f16fcf707

SHA1
66bb77ec321c5ade4479536d65f5e2139e7adb6b

SHA256
35d0fbb1d30f536be46ddec5b220683a53f187bf24f339bcf241ae58336e9e39

SHA512
6dcf5cf322340fca3ef4a8acd0d7c4bfdd37178910ed6978411fbbbf9774bbb28d858f6eb99d79607ce453d0593c88839ec15712df750884c0e3ac293c5b6c7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIFAFF.tmp

Filesize
43KB

MD5
b759a21d153a42060a53a89a26b9931c

SHA1
6260cecd55db44d75121b1f88506a4a9978c1b0f

SHA256
6adcc31d2e3746c81f47041e9c6cc576cfe303fc1ed6dadd002c54f98c20cbcd

SHA512
78bf70af5b91bd4dd3ed75e0f25957f8f7cb540872e7c2ead0c429ec1d493058a603a37c64236270b31602e226ac928983f6143d4df52b4058eed9c9be2259f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIFAFF.tmp

Filesize
43KB

MD5
b759a21d153a42060a53a89a26b9931c

SHA1
6260cecd55db44d75121b1f88506a4a9978c1b0f

SHA256
6adcc31d2e3746c81f47041e9c6cc576cfe303fc1ed6dadd002c54f98c20cbcd

SHA512
78bf70af5b91bd4dd3ed75e0f25957f8f7cb540872e7c2ead0c429ec1d493058a603a37c64236270b31602e226ac928983f6143d4df52b4058eed9c9be2259f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIFCD4.tmp

Filesize
43KB

MD5
b759a21d153a42060a53a89a26b9931c

SHA1
6260cecd55db44d75121b1f88506a4a9978c1b0f

SHA256
6adcc31d2e3746c81f47041e9c6cc576cfe303fc1ed6dadd002c54f98c20cbcd

SHA512
78bf70af5b91bd4dd3ed75e0f25957f8f7cb540872e7c2ead0c429ec1d493058a603a37c64236270b31602e226ac928983f6143d4df52b4058eed9c9be2259f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIFCD4.tmp

Filesize
43KB

MD5
b759a21d153a42060a53a89a26b9931c

SHA1
6260cecd55db44d75121b1f88506a4a9978c1b0f

SHA256
6adcc31d2e3746c81f47041e9c6cc576cfe303fc1ed6dadd002c54f98c20cbcd

SHA512
78bf70af5b91bd4dd3ed75e0f25957f8f7cb540872e7c2ead0c429ec1d493058a603a37c64236270b31602e226ac928983f6143d4df52b4058eed9c9be2259f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Package Installation Dir\CiscoSetup.exe

Filesize
3.3MB

MD5
f58f1216150ab62f270d322930401d51

SHA1
30878587ace8ccfb0e054433fddf1d88f1e2ee90

SHA256
713c13abdc4ec1047ba2e2081c7a31f64ceac5fc6d7c6e21c56a16cd219e946c

SHA512
9aeccab1e95376d481f41faed0b19b5dce8ce993ee11b0a9e563bf10925b91ec7a0e8e2843df9cffc7409420bb62c0cf19d0596eaa9fefe1104ce3b7d9d8c9e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Package Installation Dir\CiscoSetup.exe

Filesize
3.3MB

MD5
f58f1216150ab62f270d322930401d51

SHA1
30878587ace8ccfb0e054433fddf1d88f1e2ee90

SHA256
713c13abdc4ec1047ba2e2081c7a31f64ceac5fc6d7c6e21c56a16cd219e946c

SHA512
9aeccab1e95376d481f41faed0b19b5dce8ce993ee11b0a9e563bf10925b91ec7a0e8e2843df9cffc7409420bb62c0cf19d0596eaa9fefe1104ce3b7d9d8c9e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Package Installation Dir\ciscoinstall.ps1

Filesize
2.2MB

MD5
962cc61dc68b2a4a30b1b71c5e775a58

SHA1
a4f8be8adef32440dc2c4ec0139033cc080ed67a

SHA256
c45c37b7925da4793ef5b8c203fb6dd5fa31f248f0d30d1263f22559624d555d

SHA512
969c34cfa053a0db89c13840e7f56237fccb21ff1a7aed78ba10d1439f3b13c47b0083eaa4b91f6563bc4bd4080546a85f091c991f7de457e1ce7d53ca9b35f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESC93.tmp

Filesize
1KB

MD5
151f7aaa7f02af48232b7680ccc29118

SHA1
746138f2095aaea4d0a9025ec6a3f26f2085277f

SHA256
c74ee43f75b6421b8d44c694e52d5053d13cafc0687e591b722644b5fa4d4574

SHA512
8d205581585f3b9fd302cbc14f19dc8d53fa26cae4e25a8a27ec6e37ed2d76e678def8103743c7e13ac1af1a5fa60408a6d3b8b99280f0bd5c792ec2bc76d7a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESFB5C.tmp

Filesize
1KB

MD5
7170a5b281f825981f8366babb291cbe

SHA1
06820026927c2af7b5dd83303acf25553e34ebc9

SHA256
54b55c7711b788eac2a496438d8490716e6e4241ce3e605cd0be2df2377612d7

SHA512
2bfd09e0320ae25774689b916016732e69a4428bef3239d9a76b1188fb9d259895378988383cda7ef1f10d896d304321748b8b49080edfd704224cfbce8d156a

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_tgb1mtcl.oxj.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\gtzo3tww\gtzo3tww.dll

Filesize
3KB

MD5
4bba1d6bf03d32156d4d59fd27d5cb28

SHA1
7fbb5022f32d649a15d907e40fcb23590c106e10

SHA256
0d2a1a68dc153a2c839ff0e273ea7a1dc882ef91d352876ecfec7baf3846ef83

SHA512
45160e7e7362d378711a4e0f53aaabef3eef30f498a034006b818bcc232537bc8aae2dc79aefeebde724ea48143f9e99d3be3e67957040af674e83516c115cf7

Download Submit
C:\Users\Admin\AppData\Local\Temp\install\7CD12F2\WinSetup-Release-web-deploy.msi

Filesize
347KB

MD5
9e81383d5c5694835ebe9c853546b856

SHA1
a115c76e85960ae9c6dc505dad92ebb4e206567e

SHA256
8058c37115d53b13d0bdccfc5b1360364e2d1476873906f924deff84c3c73e00

SHA512
0566890e88a7e70c0d3dde84acfb9e5e24023af68acb9dc00884f3dc061613afc1d6b669c48fa4d600aa2fb5f92534c117d301159e416b7ac46391d419e554a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\install\decoder.dll

Filesize
105KB

MD5
143da6747fff236a473bdf6007629490

SHA1
aed2e6ecbd53ce1e281cee958b3c867f14c8262d

SHA256
75f59cfba8c75d7646a697609a9baefb3388b1b6e66db37c50924e3fcba68893

SHA512
d52393c33b647ad82adfa1c66f7adb3f8d148d71675fca7df62c974ef9c1d0b25092164fe9603184370f8ecdb5d00d1dd61dd626ec7655b94e03509aaf9fddd1

Download Submit
C:\Windows\Installer\e56f2a2.msi

Filesize
4.2MB

MD5
72f7a880209c875d48c153b5b8db71f9

SHA1
f861232236ddcd2df75dfe77c7ba5342b84bf777

SHA256
b1bae0bca6cef482524586746abfda822829edad434a164cf764eb34c15736a6

SHA512
fe9c4f18ac24f89aac02dcc372a65c9d611c3d4755fdd060ae50d79228192b788fca61aef6776b0aa4576d5f124de77ec2b7a790bd2d87099ac357e165ddaac9

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

Filesize
23.0MB

MD5
bd8c5d70b9173875691c0f5b0ffbe75f

SHA1
6765bac9505a7e8ae274e604bc3710266f1aabd8

SHA256
9cf9cec40fd6c61b40a3333617b133440f084515402357c9ac6152d58c43b525

SHA512
675cb555c35c69c61fc79a87893654f93d161c51cee3b516b4928ec9fc67d349f981996d8095e8afdda4a28666073f09d77ddb4b5d6da1a8411f821fc67d527c

Download Submit
\??\Volume{4cc777a5-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{1bd01df5-e9c0-4be5-a4c0-365e8f3df796}_OnDiskSnapshotProp

Filesize
5KB

MD5
f5d203351e178850aa29147704c1cf37

SHA1
909e829930133632fe594043d638069709e6280d

SHA256
f7a1b8df1a0b9471c67f6e74bcdb61b907ecb3268a6b2626b21507602e9f9de8

SHA512
d80cf5b331e750188120e5e463ee1e7b53707c6d7ccce1ae4c522d354493e3c0d7a604961f034c3a73e1b8c8d57bb21838071ab3b66d5a0e81c3706221b37fab

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\2ihlkkkq\2ihlkkkq.0.cs

Filesize
582B

MD5
2bb8d0ee93aeae61a09adf4db6f29c1c

SHA1
8da3034bb8f84ea2522e276b492b2797b5db30ca

SHA256
68d44e3c373d2aec9dacf51326cbfebcba76c1c1a56545e5e1cbf58b44a9f817

SHA512
b3ec6841a9541e96a671a7d81378293567972541d9cdfc3137b478d9b4d3cccd4b5f536d0f059ee9c12fe9ba86bca62b795139a5215843465cb751e0ade95677

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\2ihlkkkq\2ihlkkkq.cmdline

Filesize
369B

MD5
0ecb13ff9f1782303c3e544186f7e296

SHA1
253017bbe2bbd2694e428770c243083de2c9b19a

SHA256
902f4cafe7f64ca895c6df9d88a803ea91de3214de344e4b7cad3584c8517755

SHA512
f6c3e77a8ed377d9aa67bea56c3b70c47712a4390ec6211afcd643114b10550c94b8c1253279c0d3f70dca0fc3181a357ad3401d97622f146d93fc3d14a842bb

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\2ihlkkkq\CSCAC568E094FC24E41BFE53F4433B7D3.TMP

Filesize
652B

MD5
350625b8406600b524dcc00d348dc2fd

SHA1
64b8955471a33e1e2da44698c627558fe8d3508f

SHA256
02fef1f73ca0805ff026b6eb1fa7e48d3a081c08de7415675acaddba30ae2fb1

SHA512
7d749ea5a071ff1c7bd7d100d7fdffb1292e2f791a8b6b2db1424d68d75f9a70140c7533bd1d1264552b894116a5ffb4ca59cc4cd0e8d857fff491ddd6abe971

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\gtzo3tww\CSCF1745F4E42044FC99C99FE7475E2862.TMP

Filesize
652B

MD5
d0026eaf5adc7e84cfbea61772fe86ec

SHA1
44361b14efa40ec4b09d9bb8207ff2f47bad6063

SHA256
533358912ab05e25d38484c0b25110c00ad6cf7b4027c4ad4da1c8f1bc20763a

SHA512
410a881247c428b9b1b5998ce22dd234622cc3df9029dcba2c6a75a63030825c41e84209f74d1c101a53f6b176886b95b381d4cd5d6b5797ca227e793cccf52b

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\gtzo3tww\gtzo3tww.0.cs

Filesize
203B

MD5
b611be9282deb44eed731f72bcbb2b82

SHA1
cc1d606d853bbabd5fef87255356a0d54381c289

SHA256
ee09fdd61a05266e4e09f418fc6a452f1205d9f29afba6b8a1579333dc3ff3b6

SHA512
63b5ad7b65fd4866fb8841e4eee567e4f1e7888bb9fda8dd5c8dca3461d084d3f80ce920ae321609e4ff32ba13a55b7320282ce7201bb74a793d4700240360a4

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\gtzo3tww\gtzo3tww.cmdline

Filesize
369B

MD5
81ea921a03c90109666356ef410ede29

SHA1
3419f97d924c27d1f0444de1f244bb151063864b

SHA256
90d50e38def27a26c244873422afb3915e49d16fbb05da2605a1082fde8dfdd8

SHA512
666c8476a7f53174395a6068433e45ddfe6b5aef04b076ad152d460f0d5c1a7e42736b9c409c14562c3f9e342dee8c30cf960d28c505426cbb30cbe2d5c7f52a

Download Submit
memory/4548-176-0x0000022FB9F90000-0x0000022FB9FA0000-memory.dmp

Filesize
64KB

Download
memory/4548-177-0x0000022FB9F90000-0x0000022FB9FA0000-memory.dmp

Filesize
64KB

Download
memory/4548-307-0x0000022FB9F90000-0x0000022FB9FA0000-memory.dmp

Filesize
64KB

Download
memory/4548-308-0x0000022FBB910000-0x0000022FBBA84000-memory.dmp

Filesize
1.5MB

Download
memory/4548-314-0x0000022FBBA90000-0x0000022FBBC04000-memory.dmp

Filesize
1.5MB

Download
memory/4548-315-0x0000022FBBA90000-0x0000022FBBC04000-memory.dmp

Filesize
1.5MB

Download
memory/4548-316-0x0000022FBBA90000-0x0000022FBBC04000-memory.dmp

Filesize
1.5MB

Download
memory/4548-317-0x00007FFBC9AB0000-0x00007FFBC9AB1000-memory.dmp

Filesize
4KB

Download
memory/4548-175-0x0000022FB9F90000-0x0000022FB9FA0000-memory.dmp

Filesize
64KB

Download
memory/4548-160-0x0000022FBB500000-0x0000022FBB522000-memory.dmp

Filesize
136KB

Download
memory/4548-321-0x0000022FBBA90000-0x0000022FBBB4E000-memory.dmp

Filesize
760KB

Download
memory/4548-323-0x0000022FB9F90000-0x0000022FB9FA0000-memory.dmp

Filesize
64KB

Download
memory/4548-324-0x0000022FB9F90000-0x0000022FB9FA0000-memory.dmp

Filesize
64KB

Download
memory/4548-325-0x0000022FB9F90000-0x0000022FB9FA0000-memory.dmp

Filesize
64KB

Download
memory/4548-326-0x0000022FB9F90000-0x0000022FB9FA0000-memory.dmp

Filesize
64KB

Download