bumblebee | 830975b4d460d9579f3f93a9e3cd1f98991b4a6829c6b4bc3901273c408d009b

Analysis

max time kernel
148s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20230221-en
resource tags

arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system
submitted
28-04-2023 09:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d99b63e1740aa4f779b91d22f508a4792f237f09413d24b51144e0694af5d34f.msi
Size

4.2MB
MD5

e4a5383ac32d5642eaf2c7406a0f1c0f
SHA1

3e5637d253c40aefdb0465df15bc057ed5c26186
SHA256

d99b63e1740aa4f779b91d22f508a4792f237f09413d24b51144e0694af5d34f
SHA512

ed7ae40e2475ca2bdeefbfb3f15df6e93c8c7d7781b31c2b0c5cab99ff8fec0487f7975b406eebb8117aca2038a11a658d129c32d4147275fd7770c1bfa28da8
SSDEEP

98304:lPKnw39kiUnMUYeg8F1HWMUKFln1RiZmSZ9J1zYfWwG:4wNJUnMUYetUKFZnpSf1w

Score

10^/10

bumblebee cisc117 trojan

Malware Config

Extracted

Family

bumblebee

rc4.plain

Extracted

Family

bumblebee

Botnet

cisc117

172.93.193.3:443

23.81.246.22:443

95.168.191.134:443

104.168.175.78:443

172.93.193.46:443

157.254.194.104:443

37.28.157.29:443

23.106.124.23:443

194.135.33.182:443

54.38.139.94:443

192.119.65.175:443

107.189.8.58:443

205.185.114.241:443

104.168.171.159:443

103.144.139.159:443

91.206.178.204:443

198.98.58.184:443

172.241.27.120:443

23.106.223.197:443

23.108.57.83:443

rc4.plain

Signatures

BumbleBee
BumbleBee is a webshell malware written in C++.
trojan bumblebee

Blocklisted process makes network request 6 IoCs

flow	pid	Process
36	2672	powershell.exe
42	2672	powershell.exe
45	2672	powershell.exe
47	2672	powershell.exe
49	2672	powershell.exe
50	2672	powershell.exe

Executes dropped EXE 1 IoCs

pid	Process
1280	CiscoSetup.exe

Loads dropped DLL 3 IoCs

pid	Process
1280	CiscoSetup.exe
2280	MsiExec.exe
2280	MsiExec.exe

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe

Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

pid	Process
2672	powershell.exe

Drops file in Windows directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{DD475EBC-D960-4AF4-BB8A-BE91FA942756}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI20A7.tmp	msiexec.exe
File created	C:\Windows\Installer\e571f13.msi	msiexec.exe
File created	C:\Windows\Installer\e571f11.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e571f11.msi	msiexec.exe

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 00000000040000008ccb747e6bc781e30000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff0000000027010100000800008ccb747e0000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3f000000ffffffff0000000007000100006809008ccb747e000000000000d0120000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000000000008ccb747e00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000000000008ccb747e00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2112	msiexec.exe
2112	msiexec.exe
2672	powershell.exe
2672	powershell.exe
2672	powershell.exe
2672	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	868	msiexec.exe
Token: SeIncreaseQuotaPrivilege	868	msiexec.exe
Token: SeSecurityPrivilege	2112	msiexec.exe
Token: SeCreateTokenPrivilege	868	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	868	msiexec.exe
Token: SeLockMemoryPrivilege	868	msiexec.exe
Token: SeIncreaseQuotaPrivilege	868	msiexec.exe
Token: SeMachineAccountPrivilege	868	msiexec.exe
Token: SeTcbPrivilege	868	msiexec.exe
Token: SeSecurityPrivilege	868	msiexec.exe
Token: SeTakeOwnershipPrivilege	868	msiexec.exe
Token: SeLoadDriverPrivilege	868	msiexec.exe
Token: SeSystemProfilePrivilege	868	msiexec.exe
Token: SeSystemtimePrivilege	868	msiexec.exe
Token: SeProfSingleProcessPrivilege	868	msiexec.exe
Token: SeIncBasePriorityPrivilege	868	msiexec.exe
Token: SeCreatePagefilePrivilege	868	msiexec.exe
Token: SeCreatePermanentPrivilege	868	msiexec.exe
Token: SeBackupPrivilege	868	msiexec.exe
Token: SeRestorePrivilege	868	msiexec.exe
Token: SeShutdownPrivilege	868	msiexec.exe
Token: SeDebugPrivilege	868	msiexec.exe
Token: SeAuditPrivilege	868	msiexec.exe
Token: SeSystemEnvironmentPrivilege	868	msiexec.exe
Token: SeChangeNotifyPrivilege	868	msiexec.exe
Token: SeRemoteShutdownPrivilege	868	msiexec.exe
Token: SeUndockPrivilege	868	msiexec.exe
Token: SeSyncAgentPrivilege	868	msiexec.exe
Token: SeEnableDelegationPrivilege	868	msiexec.exe
Token: SeManageVolumePrivilege	868	msiexec.exe
Token: SeImpersonatePrivilege	868	msiexec.exe
Token: SeCreateGlobalPrivilege	868	msiexec.exe
Token: SeBackupPrivilege	4380	vssvc.exe
Token: SeRestorePrivilege	4380	vssvc.exe
Token: SeAuditPrivilege	4380	vssvc.exe
Token: SeBackupPrivilege	2112	msiexec.exe
Token: SeRestorePrivilege	2112	msiexec.exe
Token: SeRestorePrivilege	2112	msiexec.exe
Token: SeTakeOwnershipPrivilege	2112	msiexec.exe
Token: SeRestorePrivilege	2112	msiexec.exe
Token: SeTakeOwnershipPrivilege	2112	msiexec.exe
Token: SeRestorePrivilege	2112	msiexec.exe
Token: SeTakeOwnershipPrivilege	2112	msiexec.exe
Token: SeRestorePrivilege	2112	msiexec.exe
Token: SeTakeOwnershipPrivilege	2112	msiexec.exe
Token: SeRestorePrivilege	2112	msiexec.exe
Token: SeTakeOwnershipPrivilege	2112	msiexec.exe
Token: SeRestorePrivilege	2112	msiexec.exe
Token: SeTakeOwnershipPrivilege	2112	msiexec.exe
Token: SeRestorePrivilege	2112	msiexec.exe
Token: SeTakeOwnershipPrivilege	2112	msiexec.exe
Token: SeRestorePrivilege	2112	msiexec.exe
Token: SeTakeOwnershipPrivilege	2112	msiexec.exe
Token: SeRestorePrivilege	2112	msiexec.exe
Token: SeTakeOwnershipPrivilege	2112	msiexec.exe
Token: SeRestorePrivilege	2112	msiexec.exe
Token: SeTakeOwnershipPrivilege	2112	msiexec.exe
Token: SeRestorePrivilege	2112	msiexec.exe
Token: SeTakeOwnershipPrivilege	2112	msiexec.exe
Token: SeRestorePrivilege	2112	msiexec.exe
Token: SeTakeOwnershipPrivilege	2112	msiexec.exe
Token: SeRestorePrivilege	2112	msiexec.exe
Token: SeTakeOwnershipPrivilege	2112	msiexec.exe
Token: SeRestorePrivilege	2112	msiexec.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
868	msiexec.exe
868	msiexec.exe
1252	msiexec.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 2112 wrote to memory of 2356	2112	msiexec.exe	93
PID 2112 wrote to memory of 2356	2112	msiexec.exe	93
PID 2112 wrote to memory of 2672	2112	msiexec.exe	95
PID 2112 wrote to memory of 2672	2112	msiexec.exe	95
PID 2112 wrote to memory of 1280	2112	msiexec.exe	97
PID 2112 wrote to memory of 1280	2112	msiexec.exe	97
PID 2112 wrote to memory of 1280	2112	msiexec.exe	97
PID 2672 wrote to memory of 1724	2672	powershell.exe	98
PID 2672 wrote to memory of 1724	2672	powershell.exe	98
PID 1280 wrote to memory of 1252	1280	CiscoSetup.exe	99
PID 1280 wrote to memory of 1252	1280	CiscoSetup.exe	99
PID 1724 wrote to memory of 3044	1724	csc.exe	100
PID 1724 wrote to memory of 3044	1724	csc.exe	100
PID 2112 wrote to memory of 2280	2112	msiexec.exe	101
PID 2112 wrote to memory of 2280	2112	msiexec.exe	101
PID 2112 wrote to memory of 2280	2112	msiexec.exe	101
PID 2672 wrote to memory of 4788	2672	powershell.exe	102
PID 2672 wrote to memory of 4788	2672	powershell.exe	102
PID 4788 wrote to memory of 2708	4788	csc.exe	103
PID 4788 wrote to memory of 2708	4788	csc.exe	103

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\d99b63e1740aa4f779b91d22f508a4792f237f09413d24b51144e0694af5d34f.msi
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:868

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2112
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  PID:2356
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep bypass -file "C:\Users\Admin\AppData\Local\Temp\Package Installation Dir\cisco2.ps1"
  2⤵
  - Blocklisted process makes network request
  - Suspicious use of NtCreateThreadExHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2672
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\hznl3kms\hznl3kms.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1724
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2858.tmp" "c:\Users\Admin\AppData\Local\Temp\hznl3kms\CSC6927C41095184872BE46A038A0726FBD.TMP"
      4⤵
      PID:3044
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\lcrq233f\lcrq233f.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4788
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES38F2.tmp" "c:\Users\Admin\AppData\Local\Temp\lcrq233f\CSC993AED64A9EB40A7A16C665D1C5FD646.TMP"
      4⤵
      PID:2708
- C:\Users\Admin\AppData\Local\Temp\Package Installation Dir\CiscoSetup.exe
  "C:\Users\Admin\AppData\Local\Temp\Package Installation Dir\CiscoSetup.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1280
- - C:\Windows\system32\msiexec.exe
    /i "C:\Users\Admin\AppData\Local\Temp\install\7CD12F2\WinSetup-Release-web-deploy.msi" AI_SETUPEXEPATH="C:\Users\Admin\AppData\Local\Temp\Package Installation Dir\CiscoSetup.exe" SETUPEXEDIR="C:\Users\Admin\AppData\Local\Temp\Package Installation Dir\"
    3⤵
    - Enumerates connected drives
    - Suspicious use of FindShellTrayWindow
    PID:1252
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding C8AA13B892AF23B094B3CA42D0D95CD4 C
  2⤵
  - Loads dropped DLL
  PID:2280

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:4380

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e571f12.rbs

Filesize
8KB

MD5
97580c85c6b3276588def333122afb7d

SHA1
ded4a3bf6c8ca089fe95a8879246b400d6bd69bc

SHA256
d5183c3f731a519a59973295d1baea995cabf7cec4ed626abf5b1853416982c0

SHA512
0ab47bb17448fde4db2148bd9e67086fa5cf56f9f01f5f0938a402f21be9dce1737148e63e1783a4e46c87c51943d88ff2b90fa727ad03d8f9ab9dd96a9e743c

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI2904.tmp

Filesize
43KB

MD5
b759a21d153a42060a53a89a26b9931c

SHA1
6260cecd55db44d75121b1f88506a4a9978c1b0f

SHA256
6adcc31d2e3746c81f47041e9c6cc576cfe303fc1ed6dadd002c54f98c20cbcd

SHA512
78bf70af5b91bd4dd3ed75e0f25957f8f7cb540872e7c2ead0c429ec1d493058a603a37c64236270b31602e226ac928983f6143d4df52b4058eed9c9be2259f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI2904.tmp

Filesize
43KB

MD5
b759a21d153a42060a53a89a26b9931c

SHA1
6260cecd55db44d75121b1f88506a4a9978c1b0f

SHA256
6adcc31d2e3746c81f47041e9c6cc576cfe303fc1ed6dadd002c54f98c20cbcd

SHA512
78bf70af5b91bd4dd3ed75e0f25957f8f7cb540872e7c2ead0c429ec1d493058a603a37c64236270b31602e226ac928983f6143d4df52b4058eed9c9be2259f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI2B57.tmp

Filesize
43KB

MD5
b759a21d153a42060a53a89a26b9931c

SHA1
6260cecd55db44d75121b1f88506a4a9978c1b0f

SHA256
6adcc31d2e3746c81f47041e9c6cc576cfe303fc1ed6dadd002c54f98c20cbcd

SHA512
78bf70af5b91bd4dd3ed75e0f25957f8f7cb540872e7c2ead0c429ec1d493058a603a37c64236270b31602e226ac928983f6143d4df52b4058eed9c9be2259f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI2B57.tmp

Filesize
43KB

MD5
b759a21d153a42060a53a89a26b9931c

SHA1
6260cecd55db44d75121b1f88506a4a9978c1b0f

SHA256
6adcc31d2e3746c81f47041e9c6cc576cfe303fc1ed6dadd002c54f98c20cbcd

SHA512
78bf70af5b91bd4dd3ed75e0f25957f8f7cb540872e7c2ead0c429ec1d493058a603a37c64236270b31602e226ac928983f6143d4df52b4058eed9c9be2259f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Package Installation Dir\CiscoSetup.exe

Filesize
3.3MB

MD5
f58f1216150ab62f270d322930401d51

SHA1
30878587ace8ccfb0e054433fddf1d88f1e2ee90

SHA256
713c13abdc4ec1047ba2e2081c7a31f64ceac5fc6d7c6e21c56a16cd219e946c

SHA512
9aeccab1e95376d481f41faed0b19b5dce8ce993ee11b0a9e563bf10925b91ec7a0e8e2843df9cffc7409420bb62c0cf19d0596eaa9fefe1104ce3b7d9d8c9e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Package Installation Dir\CiscoSetup.exe

Filesize
3.3MB

MD5
f58f1216150ab62f270d322930401d51

SHA1
30878587ace8ccfb0e054433fddf1d88f1e2ee90

SHA256
713c13abdc4ec1047ba2e2081c7a31f64ceac5fc6d7c6e21c56a16cd219e946c

SHA512
9aeccab1e95376d481f41faed0b19b5dce8ce993ee11b0a9e563bf10925b91ec7a0e8e2843df9cffc7409420bb62c0cf19d0596eaa9fefe1104ce3b7d9d8c9e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Package Installation Dir\cisco2.ps1

Filesize
2.2MB

MD5
7708f4d0a27fcb9a315e0e2b9fa24248

SHA1
498ac3d0ddf4b19f6f7d3dacf03c4e2fbf8f993b

SHA256
0afe02415b9523c9f840be11d9561d1c07b41ac1f7b803b7112608ae8db29950

SHA512
af6b285e63c9c3db98d35492ff03ec08196c859f508834fc39d6b76283447f493bc721dfa15a2ad777c6e8547ade639f9379ac1cefa54e226096fb0aa4956f54

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES2858.tmp

Filesize
1KB

MD5
31b03862ad2f94a8c4abd9502e7f431d

SHA1
d2623e5ee82638c8b8a962133e195644f21c66da

SHA256
e6b12db666b2cde504c0a483c9123930c60e9a6845d46bb7b385fe4c95fae58f

SHA512
df9ff4fa230a42a6683a48122c7fd94fbf184f6894a9061281f32599ca962b9dec5660eaac234f9efb406020d9222aa8d837bdd7a5a02414ccdf6d22fe69c772

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES38F2.tmp

Filesize
1KB

MD5
504b77989a29dd476762c8af7049ccde

SHA1
f3e85a7a6422c45c6a7cba332ad8b3928cd6f10f

SHA256
9b673c17e0747955698b99e618364d797059c529df533851f725e2e0ded1ec58

SHA512
4bbfb9a651560743e79605c4da9c84641dad77e55c1656ef62b8ddd77daa1306289f4327621c34f335d6b8da9074ab9429d5b966f2840f0e7f09d08d87eda6b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_1vrfxgfk.2k3.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\hznl3kms\hznl3kms.dll

Filesize
3KB

MD5
c274e980521a1c3f297832701e3614ee

SHA1
58ed59af592373ea17d968853267fbb232b92d04

SHA256
9a80a4aac9394588d9a18501a17c45d6eb227cc7ef2db0362c017c47a7da9cc5

SHA512
713932e5fa163e86135d18759dcad5d4074196d34e3ca377fc896558c484cda57e96aae7e08e6556fdc1c64f62eb41ab3fadacd1cc03dc8524577c3bf273542c

Download Submit
C:\Users\Admin\AppData\Local\Temp\install\7CD12F2\WinSetup-Release-web-deploy.msi

Filesize
347KB

MD5
9e81383d5c5694835ebe9c853546b856

SHA1
a115c76e85960ae9c6dc505dad92ebb4e206567e

SHA256
8058c37115d53b13d0bdccfc5b1360364e2d1476873906f924deff84c3c73e00

SHA512
0566890e88a7e70c0d3dde84acfb9e5e24023af68acb9dc00884f3dc061613afc1d6b669c48fa4d600aa2fb5f92534c117d301159e416b7ac46391d419e554a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\install\decoder.dll

Filesize
105KB

MD5
143da6747fff236a473bdf6007629490

SHA1
aed2e6ecbd53ce1e281cee958b3c867f14c8262d

SHA256
75f59cfba8c75d7646a697609a9baefb3388b1b6e66db37c50924e3fcba68893

SHA512
d52393c33b647ad82adfa1c66f7adb3f8d148d71675fca7df62c974ef9c1d0b25092164fe9603184370f8ecdb5d00d1dd61dd626ec7655b94e03509aaf9fddd1

Download Submit
C:\Users\Admin\AppData\Local\Temp\lcrq233f\lcrq233f.dll

Filesize
3KB

MD5
ab488756ce1b63dc7e76c90b75b79d0b

SHA1
68e003df9c9ab07b263b0486da876fcb9db6289b

SHA256
53967d6fd309d130d6a8b6d7c766d02f774499b07d39958b8caa5d147146f295

SHA512
0d7bc80e562d9b27fb413c4e841c242d63909fadfc96b3a02e4e6777fb16e4017af99d992999f6d2262c9e2b655141192c15a33292c6fca6268413fc15875446

Download Submit
C:\Windows\Installer\e571f11.msi

Filesize
4.2MB

MD5
e4a5383ac32d5642eaf2c7406a0f1c0f

SHA1
3e5637d253c40aefdb0465df15bc057ed5c26186

SHA256
d99b63e1740aa4f779b91d22f508a4792f237f09413d24b51144e0694af5d34f

SHA512
ed7ae40e2475ca2bdeefbfb3f15df6e93c8c7d7781b31c2b0c5cab99ff8fec0487f7975b406eebb8117aca2038a11a658d129c32d4147275fd7770c1bfa28da8

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

Filesize
23.0MB

MD5
46ed15511d2960bad005b4e5a35dde35

SHA1
2c8a68663603db373d389846ca66ad054ef5de2c

SHA256
1ceba151c772a31b9ec1728cccf1b6b3cd025e45092abbbbf62419d235ff148e

SHA512
7fd1ec1fb2cf94b5b78c269e234e93b18d0d55c5a2671039b9256dabdade4a112f44953701927521343532a99d6ee664b339af764a9ccc242e7f9bde699a640c

Download Submit
\??\Volume{7e74cb8c-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{c7df3016-632e-4cc7-840e-4617b8927999}_OnDiskSnapshotProp

Filesize
5KB

MD5
a3feebf89f5d32dda75c57e2c567c646

SHA1
7b8db8fbd596c52e1fd661a2f8f7a67fb9372be3

SHA256
0d6f322daef852e752209c9cce74dae572e74b8fe961b52d1ecdb739fe105986

SHA512
36d02b2033bc384c9ae3fab97351a77173f9735fb1ae5ed881e9affba5b2e7f5ceb610949c8f2fb77ed2d841f064f5e269c8284486d5b54b72db983951b53ffc

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\hznl3kms\CSC6927C41095184872BE46A038A0726FBD.TMP

Filesize
652B

MD5
18ba660200411a5f462fc13f93758950

SHA1
0d06bfa1ebe8560e3c9895bdcb423abf8438f20e

SHA256
23a8dd6895d8fbf2bd150ce3f2d836244903e7856c9a85a4cf91a8368e54a023

SHA512
a58370397670d8be28f69fafad93ad21452e3e8ae9ab76b50e310fd424ffd33e1368f88198a3b114463cd43a06a83331b20d148941e5dabc8e476e9150ba3219

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\hznl3kms\hznl3kms.0.cs

Filesize
203B

MD5
b611be9282deb44eed731f72bcbb2b82

SHA1
cc1d606d853bbabd5fef87255356a0d54381c289

SHA256
ee09fdd61a05266e4e09f418fc6a452f1205d9f29afba6b8a1579333dc3ff3b6

SHA512
63b5ad7b65fd4866fb8841e4eee567e4f1e7888bb9fda8dd5c8dca3461d084d3f80ce920ae321609e4ff32ba13a55b7320282ce7201bb74a793d4700240360a4

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\hznl3kms\hznl3kms.cmdline

Filesize
369B

MD5
0c9c1207213c9f95ab52b498d9c55b7a

SHA1
1f14a7e6700f39fe1926be2115a58caefaf76b99

SHA256
7054d4a1a70825a192416231a7de112fcf30ffe8d6db23b91530095dcbdbb43d

SHA512
e09a0477e4e1745163d369ec9cbefe7bd67c2e21f2d9f9478099bb349577c8d6e1e3740403ba29c1ad77bc2df7ed54ba46410b72c6373b2264bc152409588bfb

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\lcrq233f\CSC993AED64A9EB40A7A16C665D1C5FD646.TMP

Filesize
652B

MD5
46421f2f57550773804e300c0a706b7b

SHA1
17f19a82ee76afaa6ddfd6709cbb9ba943e59c84

SHA256
1a131681772f38a51b9bf57730706500b9c12d71080ebdec1512885c31ef1960

SHA512
624d5503c5a9001197b9c584317544e6d4f7b2d8f05c1a18d7caa11548f922963c2019d6b24afc34bf5ed265858eea5db954b1dd12aa261f1244bebdaad50fe6

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\lcrq233f\lcrq233f.0.cs

Filesize
582B

MD5
2bb8d0ee93aeae61a09adf4db6f29c1c

SHA1
8da3034bb8f84ea2522e276b492b2797b5db30ca

SHA256
68d44e3c373d2aec9dacf51326cbfebcba76c1c1a56545e5e1cbf58b44a9f817

SHA512
b3ec6841a9541e96a671a7d81378293567972541d9cdfc3137b478d9b4d3cccd4b5f536d0f059ee9c12fe9ba86bca62b795139a5215843465cb751e0ade95677

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\lcrq233f\lcrq233f.cmdline

Filesize
369B

MD5
33ec47ada6b6b815cd2566fc1bb4573f

SHA1
5f0aaa13f9dabe69f32a5d85234ee23f7d9f6d36

SHA256
3b5f992d88d6767b3291faaacb5d5a36ef7d491821b3d974ecd7e5844427de8c

SHA512
9b5a8e206065b4dc70d7a1e098e446343e2dacd490c3a3dde3a237944fabcd9c4fa9e3d9c591e619d503be2f126f05fe4d86981a8bb7cbfdbf20bce8c5181a42

Download Submit
memory/2672-168-0x0000024A37770000-0x0000024A37792000-memory.dmp

Filesize
136KB

Download
memory/2672-317-0x00007FFB7F0B0000-0x00007FFB7F0B1000-memory.dmp

Filesize
4KB

Download
memory/2672-307-0x0000024A37E10000-0x0000024A37F84000-memory.dmp

Filesize
1.5MB

Download
memory/2672-313-0x0000024A377B0000-0x0000024A377C0000-memory.dmp

Filesize
64KB

Download
memory/2672-314-0x0000024A37F90000-0x0000024A38104000-memory.dmp

Filesize
1.5MB

Download
memory/2672-315-0x0000024A37F90000-0x0000024A38104000-memory.dmp

Filesize
1.5MB

Download
memory/2672-316-0x0000024A37F90000-0x0000024A38104000-memory.dmp

Filesize
1.5MB

Download
memory/2672-169-0x0000024A377B0000-0x0000024A377C0000-memory.dmp

Filesize
64KB

Download
memory/2672-171-0x0000024A377B0000-0x0000024A377C0000-memory.dmp

Filesize
64KB

Download
memory/2672-170-0x0000024A377B0000-0x0000024A377C0000-memory.dmp

Filesize
64KB

Download
memory/2672-321-0x0000024A37F90000-0x0000024A3804E000-memory.dmp

Filesize
760KB

Download
memory/2672-323-0x0000024A377B0000-0x0000024A377C0000-memory.dmp

Filesize
64KB

Download
memory/2672-325-0x0000024A377B0000-0x0000024A377C0000-memory.dmp

Filesize
64KB

Download
memory/2672-324-0x0000024A377B0000-0x0000024A377C0000-memory.dmp

Filesize
64KB

Download