bumblebee | 460898029f3c7d848bdbb8d591823c5d9d3fdae7e167d8cb29b0e69eda0f7ce9

Analysis

max time kernel
142s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
18-04-2023 10:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3b553b9166004e78799c5096daa412f4a01563e3b02c44d93e35b2ce63bf922c.msi
Size

4.1MB
MD5

060f773f5b91ea96cfd5a21678d2a1ba
SHA1

4de99e61485d8ddfd1dae963e17da24aa6312b86
SHA256

3b553b9166004e78799c5096daa412f4a01563e3b02c44d93e35b2ce63bf922c
SHA512

5a41f716d4ef24651e439068e57e7fe0b6ad079610bf582b53ce06c79d168350d730a059dc21fd40bc7a2ba4b0cdf71067ee7611b9681453e791debd6269e4f7
SSDEEP

98304:4PKnw39kiUnMUYeg8F1HWMUKFln1hoDCQDnMpIgqCf:FwNJUnMUYetUKFZjoDCQDnMigqCf

Score

10^/10

bumblebee cis21704 trojan

Malware Config

Extracted

Family

bumblebee

Botnet

cis21704

149.3.170.185:443

192.254.79.106:443

103.175.16.149:443

23.108.57.117:443

209.141.58.129:443

21.253.40.63:443

199.195.249.67:443

rc4.plain

Signatures

BumbleBee
BumbleBee is a webshell malware written in C++.
trojan bumblebee

Blocklisted process makes network request 5 IoCs

flow	pid	Process
40	5040	powershell.exe
49	5040	powershell.exe
51	5040	powershell.exe
54	5040	powershell.exe
55	5040	powershell.exe

Executes dropped EXE 1 IoCs

pid	Process
852	CiscoSetup.exe

Loads dropped DLL 3 IoCs

pid	Process
852	CiscoSetup.exe
3044	MsiExec.exe
3044	MsiExec.exe

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe

Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

pid	Process
5040	powershell.exe

Drops file in Windows directory 8 IoCs

description	ioc	Process
File created	C:\Windows\Installer\SourceHash{DD475EBC-D960-4AF4-BB8A-BE91FA942756}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIEC97.tmp	msiexec.exe
File created	C:\Windows\Installer\e56eac4.msi	msiexec.exe
File created	C:\Windows\Installer\e56eac2.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e56eac2.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 0000000004000000a8dca56a4fb650f70000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff000000002701010000080000a8dca56a0000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3f000000ffffffff000000000700010000680900a8dca56a000000000000d0120000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000a8dca56a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000a8dca56a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
4888	msiexec.exe
4888	msiexec.exe
5040	powershell.exe
5040	powershell.exe
5040	powershell.exe
5040	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	452	msiexec.exe
Token: SeIncreaseQuotaPrivilege	452	msiexec.exe
Token: SeSecurityPrivilege	4888	msiexec.exe
Token: SeCreateTokenPrivilege	452	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	452	msiexec.exe
Token: SeLockMemoryPrivilege	452	msiexec.exe
Token: SeIncreaseQuotaPrivilege	452	msiexec.exe
Token: SeMachineAccountPrivilege	452	msiexec.exe
Token: SeTcbPrivilege	452	msiexec.exe
Token: SeSecurityPrivilege	452	msiexec.exe
Token: SeTakeOwnershipPrivilege	452	msiexec.exe
Token: SeLoadDriverPrivilege	452	msiexec.exe
Token: SeSystemProfilePrivilege	452	msiexec.exe
Token: SeSystemtimePrivilege	452	msiexec.exe
Token: SeProfSingleProcessPrivilege	452	msiexec.exe
Token: SeIncBasePriorityPrivilege	452	msiexec.exe
Token: SeCreatePagefilePrivilege	452	msiexec.exe
Token: SeCreatePermanentPrivilege	452	msiexec.exe
Token: SeBackupPrivilege	452	msiexec.exe
Token: SeRestorePrivilege	452	msiexec.exe
Token: SeShutdownPrivilege	452	msiexec.exe
Token: SeDebugPrivilege	452	msiexec.exe
Token: SeAuditPrivilege	452	msiexec.exe
Token: SeSystemEnvironmentPrivilege	452	msiexec.exe
Token: SeChangeNotifyPrivilege	452	msiexec.exe
Token: SeRemoteShutdownPrivilege	452	msiexec.exe
Token: SeUndockPrivilege	452	msiexec.exe
Token: SeSyncAgentPrivilege	452	msiexec.exe
Token: SeEnableDelegationPrivilege	452	msiexec.exe
Token: SeManageVolumePrivilege	452	msiexec.exe
Token: SeImpersonatePrivilege	452	msiexec.exe
Token: SeCreateGlobalPrivilege	452	msiexec.exe
Token: SeBackupPrivilege	2120	vssvc.exe
Token: SeRestorePrivilege	2120	vssvc.exe
Token: SeAuditPrivilege	2120	vssvc.exe
Token: SeBackupPrivilege	4888	msiexec.exe
Token: SeRestorePrivilege	4888	msiexec.exe
Token: SeRestorePrivilege	4888	msiexec.exe
Token: SeTakeOwnershipPrivilege	4888	msiexec.exe
Token: SeRestorePrivilege	4888	msiexec.exe
Token: SeTakeOwnershipPrivilege	4888	msiexec.exe
Token: SeRestorePrivilege	4888	msiexec.exe
Token: SeTakeOwnershipPrivilege	4888	msiexec.exe
Token: SeRestorePrivilege	4888	msiexec.exe
Token: SeTakeOwnershipPrivilege	4888	msiexec.exe
Token: SeRestorePrivilege	4888	msiexec.exe
Token: SeTakeOwnershipPrivilege	4888	msiexec.exe
Token: SeRestorePrivilege	4888	msiexec.exe
Token: SeTakeOwnershipPrivilege	4888	msiexec.exe
Token: SeRestorePrivilege	4888	msiexec.exe
Token: SeTakeOwnershipPrivilege	4888	msiexec.exe
Token: SeRestorePrivilege	4888	msiexec.exe
Token: SeTakeOwnershipPrivilege	4888	msiexec.exe
Token: SeRestorePrivilege	4888	msiexec.exe
Token: SeTakeOwnershipPrivilege	4888	msiexec.exe
Token: SeRestorePrivilege	4888	msiexec.exe
Token: SeTakeOwnershipPrivilege	4888	msiexec.exe
Token: SeRestorePrivilege	4888	msiexec.exe
Token: SeTakeOwnershipPrivilege	4888	msiexec.exe
Token: SeRestorePrivilege	4888	msiexec.exe
Token: SeTakeOwnershipPrivilege	4888	msiexec.exe
Token: SeRestorePrivilege	4888	msiexec.exe
Token: SeTakeOwnershipPrivilege	4888	msiexec.exe
Token: SeRestorePrivilege	4888	msiexec.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
452	msiexec.exe
452	msiexec.exe
5104	msiexec.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 4888 wrote to memory of 1228	4888	msiexec.exe	94
PID 4888 wrote to memory of 1228	4888	msiexec.exe	94
PID 4888 wrote to memory of 5040	4888	msiexec.exe	97
PID 4888 wrote to memory of 5040	4888	msiexec.exe	97
PID 4888 wrote to memory of 852	4888	msiexec.exe	96
PID 4888 wrote to memory of 852	4888	msiexec.exe	96
PID 4888 wrote to memory of 852	4888	msiexec.exe	96
PID 852 wrote to memory of 5104	852	CiscoSetup.exe	99
PID 852 wrote to memory of 5104	852	CiscoSetup.exe	99
PID 5040 wrote to memory of 3404	5040	powershell.exe	100
PID 5040 wrote to memory of 3404	5040	powershell.exe	100
PID 4888 wrote to memory of 3044	4888	msiexec.exe	101
PID 4888 wrote to memory of 3044	4888	msiexec.exe	101
PID 4888 wrote to memory of 3044	4888	msiexec.exe	101
PID 3404 wrote to memory of 4196	3404	csc.exe	102
PID 3404 wrote to memory of 4196	3404	csc.exe	102
PID 5040 wrote to memory of 3944	5040	powershell.exe	103
PID 5040 wrote to memory of 3944	5040	powershell.exe	103
PID 3944 wrote to memory of 4608	3944	csc.exe	104
PID 3944 wrote to memory of 4608	3944	csc.exe	104

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\3b553b9166004e78799c5096daa412f4a01563e3b02c44d93e35b2ce63bf922c.msi
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:452

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4888
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  PID:1228
- C:\Users\Admin\AppData\Local\Temp\Package Installation Dir\CiscoSetup.exe
  "C:\Users\Admin\AppData\Local\Temp\Package Installation Dir\CiscoSetup.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:852
- - C:\Windows\system32\msiexec.exe
    /i "C:\Users\Admin\AppData\Local\Temp\install\7CD12F2\WinSetup-Release-web-deploy.msi" AI_SETUPEXEPATH="C:\Users\Admin\AppData\Local\Temp\Package Installation Dir\CiscoSetup.exe" SETUPEXEDIR="C:\Users\Admin\AppData\Local\Temp\Package Installation Dir\"
    3⤵
    - Enumerates connected drives
    - Suspicious use of FindShellTrayWindow
    PID:5104
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep bypass -file "C:\Users\Admin\AppData\Local\Temp\Package Installation Dir\cisapp.ps1"
  2⤵
  - Blocklisted process makes network request
  - Suspicious use of NtCreateThreadExHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:5040
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\f5d2gvpg\f5d2gvpg.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3404
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF988.tmp" "c:\Users\Admin\AppData\Local\Temp\f5d2gvpg\CSC8D4FD6A2E22A4CEC9721D7E16E44E0.TMP"
      4⤵
      PID:4196
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\tj2rwo1c\tj2rwo1c.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3944
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCB2.tmp" "c:\Users\Admin\AppData\Local\Temp\tj2rwo1c\CSC27584C9C51874818AECCE7AFA7E0169E.TMP"
      4⤵
      PID:4608
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 41FDB2CE3122A11E4D504DC65309A323 C
  2⤵
  - Loads dropped DLL
  PID:3044

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:2120

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e56eac3.rbs

Filesize
8KB

MD5
7794e9022dd8fb2df7e80ab7670073a9

SHA1
c5bff0463e38801100fe1ba9bdee435f965cea74

SHA256
262165fc571153fdabdf9e51c17c88db84e4fb3aca16d3d23109a701d87b323c

SHA512
6728fe6e599d8e94d90281ba6874eb4ab4f319be528a396817d23b857e9c6ec81b097d3e02835ab5011904e5b8c2c3da40ec63552179f85cd595bf3f947f0b5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIF8FB.tmp

Filesize
43KB

MD5
b759a21d153a42060a53a89a26b9931c

SHA1
6260cecd55db44d75121b1f88506a4a9978c1b0f

SHA256
6adcc31d2e3746c81f47041e9c6cc576cfe303fc1ed6dadd002c54f98c20cbcd

SHA512
78bf70af5b91bd4dd3ed75e0f25957f8f7cb540872e7c2ead0c429ec1d493058a603a37c64236270b31602e226ac928983f6143d4df52b4058eed9c9be2259f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIF8FB.tmp

Filesize
43KB

MD5
b759a21d153a42060a53a89a26b9931c

SHA1
6260cecd55db44d75121b1f88506a4a9978c1b0f

SHA256
6adcc31d2e3746c81f47041e9c6cc576cfe303fc1ed6dadd002c54f98c20cbcd

SHA512
78bf70af5b91bd4dd3ed75e0f25957f8f7cb540872e7c2ead0c429ec1d493058a603a37c64236270b31602e226ac928983f6143d4df52b4058eed9c9be2259f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIFBDA.tmp

Filesize
43KB

MD5
b759a21d153a42060a53a89a26b9931c

SHA1
6260cecd55db44d75121b1f88506a4a9978c1b0f

SHA256
6adcc31d2e3746c81f47041e9c6cc576cfe303fc1ed6dadd002c54f98c20cbcd

SHA512
78bf70af5b91bd4dd3ed75e0f25957f8f7cb540872e7c2ead0c429ec1d493058a603a37c64236270b31602e226ac928983f6143d4df52b4058eed9c9be2259f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIFBDA.tmp

Filesize
43KB

MD5
b759a21d153a42060a53a89a26b9931c

SHA1
6260cecd55db44d75121b1f88506a4a9978c1b0f

SHA256
6adcc31d2e3746c81f47041e9c6cc576cfe303fc1ed6dadd002c54f98c20cbcd

SHA512
78bf70af5b91bd4dd3ed75e0f25957f8f7cb540872e7c2ead0c429ec1d493058a603a37c64236270b31602e226ac928983f6143d4df52b4058eed9c9be2259f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Package Installation Dir\CiscoSetup.exe

Filesize
3.3MB

MD5
f58f1216150ab62f270d322930401d51

SHA1
30878587ace8ccfb0e054433fddf1d88f1e2ee90

SHA256
713c13abdc4ec1047ba2e2081c7a31f64ceac5fc6d7c6e21c56a16cd219e946c

SHA512
9aeccab1e95376d481f41faed0b19b5dce8ce993ee11b0a9e563bf10925b91ec7a0e8e2843df9cffc7409420bb62c0cf19d0596eaa9fefe1104ce3b7d9d8c9e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Package Installation Dir\CiscoSetup.exe

Filesize
3.3MB

MD5
f58f1216150ab62f270d322930401d51

SHA1
30878587ace8ccfb0e054433fddf1d88f1e2ee90

SHA256
713c13abdc4ec1047ba2e2081c7a31f64ceac5fc6d7c6e21c56a16cd219e946c

SHA512
9aeccab1e95376d481f41faed0b19b5dce8ce993ee11b0a9e563bf10925b91ec7a0e8e2843df9cffc7409420bb62c0cf19d0596eaa9fefe1104ce3b7d9d8c9e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Package Installation Dir\cisapp.ps1

Filesize
2.2MB

MD5
303ae282275206fde8818b3af6f1389d

SHA1
7df83cc687289effb4cf10fadb301c0e3ffea7e3

SHA256
f55f5c52da9b9518414577ec3767056090efae8b3fbbea2490eeffc6a455d024

SHA512
656328ee28c6588bed90b87a1844766671525294d3b3157183a670485b954db5faee338758690908ec47a52f7d19d40bc26c90943f7b81ef9b206464580a2ac3

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESCB2.tmp

Filesize
1KB

MD5
c8b2197672b7f51c709fa1ef54ebfd33

SHA1
7f9cc94f62def060708656cba6f403f0b3eaf5ef

SHA256
ca0e9cee14fc32b93b764ef8ef5767b4a84076c7eb359a2b282f07f1484a1d43

SHA512
6d2822eb38419cfdfad7e92a7d40da006b577dea20b3bbc8c26e6a1d7c3be97bf1e63af0bf68e4b69903f223b7d1336241d6b460f0f5af3466827e91162c457c

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESF988.tmp

Filesize
1KB

MD5
73e5d8afa638b6e3f0fb931d308dc9e4

SHA1
086736f4380af9d5ae718d9853a67171f4b5bc9e

SHA256
416319204b2d11ce8a6eb6587e908493ba82eb8fb7f8f4df21280cc78c158f04

SHA512
3bdafe1cb13ad557d0b61cfbcc138b26c999348e7583856721cd395b8d27b60f7bc23a08a3e7fa405a406a82f788a49ff445458661428f5db7bec3fb1c677102

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_4q1kafqp.zmn.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\f5d2gvpg\f5d2gvpg.dll

Filesize
3KB

MD5
f67ddb871206d27fccca0399bd78f149

SHA1
8c1cefd0d415c3185df0c8a476b2892357a65a5d

SHA256
9a88011cf5ee85b30db3b70aa7998835bd9045ec409ae22369f225f7ea778dcf

SHA512
7963611466d10cd049c148c2b7788151c31792469dc625099b7bb45a6f028df749f38b36d39753e95527dcf85c489b1a6279338e9bbcaa99aafc8e674b42e584

Download Submit
C:\Users\Admin\AppData\Local\Temp\install\7CD12F2\WinSetup-Release-web-deploy.msi

Filesize
347KB

MD5
9e81383d5c5694835ebe9c853546b856

SHA1
a115c76e85960ae9c6dc505dad92ebb4e206567e

SHA256
8058c37115d53b13d0bdccfc5b1360364e2d1476873906f924deff84c3c73e00

SHA512
0566890e88a7e70c0d3dde84acfb9e5e24023af68acb9dc00884f3dc061613afc1d6b669c48fa4d600aa2fb5f92534c117d301159e416b7ac46391d419e554a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\install\decoder.dll

Filesize
105KB

MD5
143da6747fff236a473bdf6007629490

SHA1
aed2e6ecbd53ce1e281cee958b3c867f14c8262d

SHA256
75f59cfba8c75d7646a697609a9baefb3388b1b6e66db37c50924e3fcba68893

SHA512
d52393c33b647ad82adfa1c66f7adb3f8d148d71675fca7df62c974ef9c1d0b25092164fe9603184370f8ecdb5d00d1dd61dd626ec7655b94e03509aaf9fddd1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tj2rwo1c\tj2rwo1c.dll

Filesize
3KB

MD5
9615bb9e73523877beab382c166558d2

SHA1
9d09ca660d64e3c49fbd0a13bca6f48e8435aba9

SHA256
38ba5011a0e185057c904318f36dbc092069f45d0b932de5a4ca00276172760c

SHA512
cdd5b52c8a49076b554a376985f6f7393f81cdb2575a4737b4743328c5f37578531f691bc04f0e52a4d86828fd1d06a7fda9cca7e6690a6b880cfc095872121d

Download Submit
C:\Windows\Installer\e56eac2.msi

Filesize
4.1MB

MD5
060f773f5b91ea96cfd5a21678d2a1ba

SHA1
4de99e61485d8ddfd1dae963e17da24aa6312b86

SHA256
3b553b9166004e78799c5096daa412f4a01563e3b02c44d93e35b2ce63bf922c

SHA512
5a41f716d4ef24651e439068e57e7fe0b6ad079610bf582b53ce06c79d168350d730a059dc21fd40bc7a2ba4b0cdf71067ee7611b9681453e791debd6269e4f7

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

Filesize
11.8MB

MD5
08919cd28314c06e7decaa081d1b4524

SHA1
c64bb5cbed85a46db237b3e4ea4995335f0bd6a2

SHA256
6efc2f7314c467455f4a5e78c3f5c6b634ac560a9952e06432b52553069dccc5

SHA512
6b81aa78811101649d8e86f87e536c26b0ca7bac2111068be9dce1c2d3f059f5a613fce87e4610f9d8eb3834da942518473544a7fd02198ba1faff6b5356165b

Download Submit
\??\Volume{6aa5dca8-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{cde647e1-cd09-44cb-a27a-8567c749b6c2}_OnDiskSnapshotProp

Filesize
5KB

MD5
b69dff646b34e429e9b55d47ab7a3307

SHA1
b7564b17b5de06403fae912be8a4cc87a6216537

SHA256
c86d794e2a48243138eb26946e3593239c06f4e227aaaebd6f035bd199f524e2

SHA512
b186e1d71f021f0d985e1a975e97274ea57c5907f4f44395e437e377f4bf6c5ef884cc00f4d5b1111ee95431cc9b1fa1f82b2d717900a67d285c9ff1b60387df

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\f5d2gvpg\CSC8D4FD6A2E22A4CEC9721D7E16E44E0.TMP

Filesize
652B

MD5
0bd21e406fc50f8f768c0de2d56f5446

SHA1
979336756d9becfedcf446c4ba1ebdb0be0a40c5

SHA256
3df1553088f47e53102bc57cea39656383511eecb39562bae3afb194a83a32a8

SHA512
9e383ab59f7aa41b3d66b71185e5d3736b8e9c41dda69feedae8e0ad4a2f5c18d7c3df908da06fb6056ff313093bab1579c0a88062629ca9519f46c8e3033b76

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\f5d2gvpg\f5d2gvpg.0.cs

Filesize
203B

MD5
b611be9282deb44eed731f72bcbb2b82

SHA1
cc1d606d853bbabd5fef87255356a0d54381c289

SHA256
ee09fdd61a05266e4e09f418fc6a452f1205d9f29afba6b8a1579333dc3ff3b6

SHA512
63b5ad7b65fd4866fb8841e4eee567e4f1e7888bb9fda8dd5c8dca3461d084d3f80ce920ae321609e4ff32ba13a55b7320282ce7201bb74a793d4700240360a4

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\f5d2gvpg\f5d2gvpg.cmdline

Filesize
369B

MD5
57020fd1d3c8abed16929b9fe7f25a9f

SHA1
74537537c472b9da0d2ce15bf19550211417e06c

SHA256
11f5cfb594f089a8b3efa148a6961ce1c429182d913d85f1e04498ca63bc539f

SHA512
84a913d63b3f19a815854238280bff205acc553cfc326ec1238621ce2c92cddd4b9e961dfa23f7e5f704fc17343b1e059b90db649234bfb9947060c554f4240c

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\tj2rwo1c\CSC27584C9C51874818AECCE7AFA7E0169E.TMP

Filesize
652B

MD5
4ac97e11ad7224d95868f7a9fd33082a

SHA1
4041a387cc3f34d5b3f1455f00f225fbf5ad8c73

SHA256
e9f130ff8fbfe8bc8f5ae2e07e52d820ff200f5137e6c84eb3ef0a873d02d123

SHA512
b4df7c1da6df40d22bc321d92f22efa4aacd89be9a47b26909291ec83061749b64ba163982000bf143a47e4b3daa17f2bc8db6a6122fd84c00d7290a9802c55a

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\tj2rwo1c\tj2rwo1c.0.cs

Filesize
582B

MD5
2bb8d0ee93aeae61a09adf4db6f29c1c

SHA1
8da3034bb8f84ea2522e276b492b2797b5db30ca

SHA256
68d44e3c373d2aec9dacf51326cbfebcba76c1c1a56545e5e1cbf58b44a9f817

SHA512
b3ec6841a9541e96a671a7d81378293567972541d9cdfc3137b478d9b4d3cccd4b5f536d0f059ee9c12fe9ba86bca62b795139a5215843465cb751e0ade95677

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\tj2rwo1c\tj2rwo1c.cmdline

Filesize
369B

MD5
f3373a9ef666db4df0f2e7a174a73675

SHA1
0a5ba11162805d23fafd03f63a6c235d795d8ec8

SHA256
cff6505b154ba5dee1e9f0bd66366bea7f5e83721470bd76f69b4a2951ce59c4

SHA512
d7bea64cd33c76cb55b5e4f944c0f008bc3937fc68408d46528338b5a3632f87eaf851816f9cd5945740ff3938daed90a0038ad88fe4b7e6c1fbf408df29f0ef

Download Submit
memory/5040-166-0x000002887F3F0000-0x000002887F412000-memory.dmp

Filesize
136KB

Download
memory/5040-317-0x00000288198D0000-0x00000288198E0000-memory.dmp

Filesize
64KB

Download
memory/5040-157-0x00000288198D0000-0x00000288198E0000-memory.dmp

Filesize
64KB

Download
memory/5040-178-0x00000288198D0000-0x00000288198E0000-memory.dmp

Filesize
64KB

Download
memory/5040-309-0x00000288198D0000-0x00000288198E0000-memory.dmp

Filesize
64KB

Download
memory/5040-310-0x000002881AAF0000-0x000002881AC5A000-memory.dmp

Filesize
1.4MB

Download
memory/5040-316-0x000002881AC60000-0x000002881ADCA000-memory.dmp

Filesize
1.4MB

Download
memory/5040-160-0x00000288198D0000-0x00000288198E0000-memory.dmp

Filesize
64KB

Download
memory/5040-318-0x00000288198D0000-0x00000288198E0000-memory.dmp

Filesize
64KB

Download
memory/5040-319-0x00007FFDA9010000-0x00007FFDA9011000-memory.dmp

Filesize
4KB

Download
memory/5040-320-0x000002881AC60000-0x000002881ADCA000-memory.dmp

Filesize
1.4MB

Download
memory/5040-321-0x000002881AC60000-0x000002881ADCA000-memory.dmp

Filesize
1.4MB

Download
memory/5040-322-0x00000288198D0000-0x00000288198E0000-memory.dmp

Filesize
64KB

Download
memory/5040-326-0x00000288198D0000-0x00000288198E0000-memory.dmp

Filesize
64KB

Download