11fd50497d65182202764cf5cc13a6bcbbdb77ae0cc103b98e5f43ff87c41812

Analysis

max time kernel
148s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
26/07/2024, 00:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

11fd50497d65182202764cf5cc13a6bcbbdb77ae0cc103b98e5f43ff87c41812.exe
Size

1.4MB
MD5

1cc74844307cf6107573ba85de10527d
SHA1

ed45d720ecb10dc22c0ae7471742f427d5760651
SHA256

11fd50497d65182202764cf5cc13a6bcbbdb77ae0cc103b98e5f43ff87c41812
SHA512

4bd56f7fe21ec565006e666e3145bbc3fe33d034122d654dc39904c33f8584e57a20fa41819b63ee47bcda89820d3a5089a8955867e643ee0362e71c5a828951
SSDEEP

24576:UAzhR80qqyFKk6VLVy0pWnUatmKfPx/Y1vxIqb+YIwQd74Z9Ruvywr0:BU161Vy0pIjtRZY1vxTaYIwlbRuvX0

Score

7^/10

discovery persistence upx

Malware Config

Signatures

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	CiscoCollabHost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	11fd50497d65182202764cf5cc13a6bcbbdb77ae0cc103b98e5f43ff87c41812.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation	11fd50497d65182202764cf5cc13a6bcbbdb77ae0cc103b98e5f43ff87c41812.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation	CiscoCollabHost.exe

Executes dropped EXE 2 IoCs

pid	Process
1548	CiscoCollabHost.exe
1196	CiscoCollabHost.exe

Loads dropped DLL 64 IoCs

pid	Process
4144	MsiExec.exe
4144	MsiExec.exe
1548	CiscoCollabHost.exe
1196	CiscoCollabHost.exe
1196	CiscoCollabHost.exe
1196	CiscoCollabHost.exe
1196	CiscoCollabHost.exe
1196	CiscoCollabHost.exe
1196	CiscoCollabHost.exe
1196	CiscoCollabHost.exe
1196	CiscoCollabHost.exe
1196	CiscoCollabHost.exe
1196	CiscoCollabHost.exe
1196	CiscoCollabHost.exe
1196	CiscoCollabHost.exe
1196	CiscoCollabHost.exe
1196	CiscoCollabHost.exe
1196	CiscoCollabHost.exe
1196	CiscoCollabHost.exe
1196	CiscoCollabHost.exe
1196	CiscoCollabHost.exe
1196	CiscoCollabHost.exe
1196	CiscoCollabHost.exe
1196	CiscoCollabHost.exe
1196	CiscoCollabHost.exe
1196	CiscoCollabHost.exe
1196	CiscoCollabHost.exe
1196	CiscoCollabHost.exe
1196	CiscoCollabHost.exe
1196	CiscoCollabHost.exe
1196	CiscoCollabHost.exe
1196	CiscoCollabHost.exe
1196	CiscoCollabHost.exe
1196	CiscoCollabHost.exe
1196	CiscoCollabHost.exe
1196	CiscoCollabHost.exe
1196	CiscoCollabHost.exe
1196	CiscoCollabHost.exe
1196	CiscoCollabHost.exe
1196	CiscoCollabHost.exe
1196	CiscoCollabHost.exe
1196	CiscoCollabHost.exe
1196	CiscoCollabHost.exe
1196	CiscoCollabHost.exe
1196	CiscoCollabHost.exe
1196	CiscoCollabHost.exe
1196	CiscoCollabHost.exe
1196	CiscoCollabHost.exe
1196	CiscoCollabHost.exe
1196	CiscoCollabHost.exe
1196	CiscoCollabHost.exe
1196	CiscoCollabHost.exe
1196	CiscoCollabHost.exe
1196	CiscoCollabHost.exe
1196	CiscoCollabHost.exe
1196	CiscoCollabHost.exe
1196	CiscoCollabHost.exe
1196	CiscoCollabHost.exe
1196	CiscoCollabHost.exe
1196	CiscoCollabHost.exe
1196	CiscoCollabHost.exe
1196	CiscoCollabHost.exe
1196	CiscoCollabHost.exe
1196	CiscoCollabHost.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3388-0-0x00000000007F0000-0x0000000000BDC000-memory.dmp	upx
behavioral2/memory/3388-48-0x00000000007F0000-0x0000000000BDC000-memory.dmp	upx
behavioral2/memory/3388-575-0x00000000007F0000-0x0000000000BDC000-memory.dmp	upx
behavioral2/memory/3388-785-0x00000000007F0000-0x0000000000BDC000-memory.dmp	upx
behavioral2/memory/3388-967-0x00000000007F0000-0x0000000000BDC000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CiscoSpark = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Webex\\Webex.lnk /minimized /autostartedWithWindows=true"	msiexec.exe

Blocklisted process makes network request 3 IoCs

flow	pid	Process
23	1160	msiexec.exe
24	1160	msiexec.exe
27	1160	msiexec.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe

Drops file in Windows directory 10 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\MSI9ED1.tmp	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIA0E5.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI9E72.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\e579af8.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\SourceHash{3F9B1AB5-2521-521E-8703-87D71A454DD7}	msiexec.exe
File created	C:\Windows\Installer\e579afc.msi	msiexec.exe
File created	C:\Windows\Installer\e579af8.msi	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	11fd50497d65182202764cf5cc13a6bcbbdb77ae0cc103b98e5f43ff87c41812.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msiexec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe

Enumerates system info in registry 2 TTPs 8 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	CiscoCollabHost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion	CiscoCollabHost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	11fd50497d65182202764cf5cc13a6bcbbdb77ae0cc103b98e5f43ff87c41812.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	11fd50497d65182202764cf5cc13a6bcbbdb77ae0cc103b98e5f43ff87c41812.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	11fd50497d65182202764cf5cc13a6bcbbdb77ae0cc103b98e5f43ff87c41812.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion	11fd50497d65182202764cf5cc13a6bcbbdb77ae0cc103b98e5f43ff87c41812.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	CiscoCollabHost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	CiscoCollabHost.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
3672	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 11 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{ED55221F-CF41-4829-9DED-8312B04F88DE}	11fd50497d65182202764cf5cc13a6bcbbdb77ae0cc103b98e5f43ff87c41812.exe
Key created	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights	11fd50497d65182202764cf5cc13a6bcbbdb77ae0cc103b98e5f43ff87c41812.exe
Key created	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy	11fd50497d65182202764cf5cc13a6bcbbdb77ae0cc103b98e5f43ff87c41812.exe
Key created	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\SOFTWARE\Microsoft\Internet Explorer\ProtocolExecute\webex	msiexec.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\SOFTWARE\Microsoft\Internet Explorer\ProtocolExecute\webex\WarnOnOpen = "0"	msiexec.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\SOFTWARE\Microsoft\Internet Explorer\ProtocolExecute\webex\WarnOnOpen = "0"	11fd50497d65182202764cf5cc13a6bcbbdb77ae0cc103b98e5f43ff87c41812.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{ED55221F-CF41-4829-9DED-8312B04F88DE}\AppPath = "C:\\Users\\Admin\\AppData\\Local\\Programs\\Cisco Spark\\"	11fd50497d65182202764cf5cc13a6bcbbdb77ae0cc103b98e5f43ff87c41812.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{ED55221F-CF41-4829-9DED-8312B04F88DE}\Policy = "3"	11fd50497d65182202764cf5cc13a6bcbbdb77ae0cc103b98e5f43ff87c41812.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\SOFTWARE\Microsoft\Internet Explorer\ProtocolExecute\webex\	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\SOFTWARE\Microsoft\Internet Explorer\ProtocolExecute\webex	11fd50497d65182202764cf5cc13a6bcbbdb77ae0cc103b98e5f43ff87c41812.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{ED55221F-CF41-4829-9DED-8312B04F88DE}\AppName = "CiscoCollabHost.exe"	11fd50497d65182202764cf5cc13a6bcbbdb77ae0cc103b98e5f43ff87c41812.exe

Modifies registry class 32 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000_Classes\webex\URL Protocol	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000_Classes\webex\shell\open	msiexec.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000_Classes\webex\shell\open\command	11fd50497d65182202764cf5cc13a6bcbbdb77ae0cc103b98e5f43ff87c41812.exe
Key created	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000_Classes\CiscoWebexTeamsProtocol\shell\open\command	11fd50497d65182202764cf5cc13a6bcbbdb77ae0cc103b98e5f43ff87c41812.exe
Key created	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000_Classes\Local Settings	11fd50497d65182202764cf5cc13a6bcbbdb77ae0cc103b98e5f43ff87c41812.exe
Key created	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000_Classes\webex\shell	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000_Classes\webex	11fd50497d65182202764cf5cc13a6bcbbdb77ae0cc103b98e5f43ff87c41812.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000_Classes\webex\URL Protocol	11fd50497d65182202764cf5cc13a6bcbbdb77ae0cc103b98e5f43ff87c41812.exe
Key created	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000_Classes\.webex	11fd50497d65182202764cf5cc13a6bcbbdb77ae0cc103b98e5f43ff87c41812.exe
Key created	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000_Classes\CiscoWebexTeamsProtocol\shell	11fd50497d65182202764cf5cc13a6bcbbdb77ae0cc103b98e5f43ff87c41812.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000_Classes\CiscoWebexTeamsProtocol\UseOriginalUrlEncoding = "1"	11fd50497d65182202764cf5cc13a6bcbbdb77ae0cc103b98e5f43ff87c41812.exe
Key created	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000_Classes\webex	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000_Classes\webex\shell\open\command	msiexec.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000_Classes\webex\shell	11fd50497d65182202764cf5cc13a6bcbbdb77ae0cc103b98e5f43ff87c41812.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000_Classes\webex\ = "C:\\Users\\Admin\\AppData\\Local\\Programs\\Cisco Spark\\CiscoCollabHost.exe"	11fd50497d65182202764cf5cc13a6bcbbdb77ae0cc103b98e5f43ff87c41812.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000_Classes\.webex\ = "webex"	11fd50497d65182202764cf5cc13a6bcbbdb77ae0cc103b98e5f43ff87c41812.exe
Key created	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000_Classes\webex\shell\open\command	11fd50497d65182202764cf5cc13a6bcbbdb77ae0cc103b98e5f43ff87c41812.exe
Key created	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000_Classes\webex\shell	11fd50497d65182202764cf5cc13a6bcbbdb77ae0cc103b98e5f43ff87c41812.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000_Classes\webex\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Programs\\Cisco Spark\\CiscoCollabHost.exe /protocolUri=\"%1\""	11fd50497d65182202764cf5cc13a6bcbbdb77ae0cc103b98e5f43ff87c41812.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000_Classes\CiscoWebexTeamsProtocol\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Programs\\Cisco Spark\\CiscoCollabHost.exe /protocolUri=\"%1\""	11fd50497d65182202764cf5cc13a6bcbbdb77ae0cc103b98e5f43ff87c41812.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000_Classes\webex\UseOriginalUrlEncoding = "1"	11fd50497d65182202764cf5cc13a6bcbbdb77ae0cc103b98e5f43ff87c41812.exe
Key created	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000_Classes\MIME\Database\Content Type\application/webex	11fd50497d65182202764cf5cc13a6bcbbdb77ae0cc103b98e5f43ff87c41812.exe
Key created	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000_Classes\CiscoWebexTeamsProtocol\shell\open	11fd50497d65182202764cf5cc13a6bcbbdb77ae0cc103b98e5f43ff87c41812.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000_Classes\webex\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Programs\\Cisco Spark\\CiscoCollabHost.exe /protocolUri=\"%1\""	msiexec.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000_Classes\webex\shell\open	11fd50497d65182202764cf5cc13a6bcbbdb77ae0cc103b98e5f43ff87c41812.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000_Classes\webex	11fd50497d65182202764cf5cc13a6bcbbdb77ae0cc103b98e5f43ff87c41812.exe
Key created	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000_Classes\webex\shell\open	11fd50497d65182202764cf5cc13a6bcbbdb77ae0cc103b98e5f43ff87c41812.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000_Classes\webex\ = "C:\\Users\\Admin\\AppData\\Local\\Programs\\Cisco Spark\\CiscoCollabHost.exe"	msiexec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000_Classes\webex\ = "URL: webex protocol"	11fd50497d65182202764cf5cc13a6bcbbdb77ae0cc103b98e5f43ff87c41812.exe
Key created	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000_Classes\CiscoWebexTeamsProtocol	11fd50497d65182202764cf5cc13a6bcbbdb77ae0cc103b98e5f43ff87c41812.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000_Classes\webex\UseOriginalUrlEncoding = "1"	msiexec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000_Classes\MIME\Database\Content Type\application/webex\Extension = ".webex"	11fd50497d65182202764cf5cc13a6bcbbdb77ae0cc103b98e5f43ff87c41812.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
1196	CiscoCollabHost.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
1160	msiexec.exe
1160	msiexec.exe
1196	CiscoCollabHost.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3324	msiexec.exe
Token: SeIncreaseQuotaPrivilege	3324	msiexec.exe
Token: SeSecurityPrivilege	1160	msiexec.exe
Token: SeCreateTokenPrivilege	3324	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	3324	msiexec.exe
Token: SeLockMemoryPrivilege	3324	msiexec.exe
Token: SeIncreaseQuotaPrivilege	3324	msiexec.exe
Token: SeMachineAccountPrivilege	3324	msiexec.exe
Token: SeTcbPrivilege	3324	msiexec.exe
Token: SeSecurityPrivilege	3324	msiexec.exe
Token: SeTakeOwnershipPrivilege	3324	msiexec.exe
Token: SeLoadDriverPrivilege	3324	msiexec.exe
Token: SeSystemProfilePrivilege	3324	msiexec.exe
Token: SeSystemtimePrivilege	3324	msiexec.exe
Token: SeProfSingleProcessPrivilege	3324	msiexec.exe
Token: SeIncBasePriorityPrivilege	3324	msiexec.exe
Token: SeCreatePagefilePrivilege	3324	msiexec.exe
Token: SeCreatePermanentPrivilege	3324	msiexec.exe
Token: SeBackupPrivilege	3324	msiexec.exe
Token: SeRestorePrivilege	3324	msiexec.exe
Token: SeShutdownPrivilege	3324	msiexec.exe
Token: SeDebugPrivilege	3324	msiexec.exe
Token: SeAuditPrivilege	3324	msiexec.exe
Token: SeSystemEnvironmentPrivilege	3324	msiexec.exe
Token: SeChangeNotifyPrivilege	3324	msiexec.exe
Token: SeRemoteShutdownPrivilege	3324	msiexec.exe
Token: SeUndockPrivilege	3324	msiexec.exe
Token: SeSyncAgentPrivilege	3324	msiexec.exe
Token: SeEnableDelegationPrivilege	3324	msiexec.exe
Token: SeManageVolumePrivilege	3324	msiexec.exe
Token: SeImpersonatePrivilege	3324	msiexec.exe
Token: SeCreateGlobalPrivilege	3324	msiexec.exe
Token: SeRestorePrivilege	1160	msiexec.exe
Token: SeTakeOwnershipPrivilege	1160	msiexec.exe
Token: SeRestorePrivilege	1160	msiexec.exe
Token: SeTakeOwnershipPrivilege	1160	msiexec.exe
Token: SeRestorePrivilege	1160	msiexec.exe
Token: SeTakeOwnershipPrivilege	1160	msiexec.exe
Token: SeDebugPrivilege	3672	taskkill.exe
Token: SeRestorePrivilege	1160	msiexec.exe
Token: SeTakeOwnershipPrivilege	1160	msiexec.exe
Token: SeRestorePrivilege	1160	msiexec.exe
Token: SeTakeOwnershipPrivilege	1160	msiexec.exe
Token: SeRestorePrivilege	1160	msiexec.exe
Token: SeTakeOwnershipPrivilege	1160	msiexec.exe
Token: SeRestorePrivilege	1160	msiexec.exe
Token: SeTakeOwnershipPrivilege	1160	msiexec.exe
Token: SeRestorePrivilege	1160	msiexec.exe
Token: SeTakeOwnershipPrivilege	1160	msiexec.exe
Token: SeRestorePrivilege	1160	msiexec.exe
Token: SeTakeOwnershipPrivilege	1160	msiexec.exe
Token: SeRestorePrivilege	1160	msiexec.exe
Token: SeTakeOwnershipPrivilege	1160	msiexec.exe
Token: SeRestorePrivilege	1160	msiexec.exe
Token: SeTakeOwnershipPrivilege	1160	msiexec.exe
Token: SeRestorePrivilege	1160	msiexec.exe
Token: SeTakeOwnershipPrivilege	1160	msiexec.exe
Token: SeRestorePrivilege	1160	msiexec.exe
Token: SeTakeOwnershipPrivilege	1160	msiexec.exe
Token: SeRestorePrivilege	1160	msiexec.exe
Token: SeTakeOwnershipPrivilege	1160	msiexec.exe
Token: SeRestorePrivilege	1160	msiexec.exe
Token: SeTakeOwnershipPrivilege	1160	msiexec.exe
Token: SeRestorePrivilege	1160	msiexec.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1196	CiscoCollabHost.exe
1196	CiscoCollabHost.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 3388 wrote to memory of 3324	3388	11fd50497d65182202764cf5cc13a6bcbbdb77ae0cc103b98e5f43ff87c41812.exe	87
PID 3388 wrote to memory of 3324	3388	11fd50497d65182202764cf5cc13a6bcbbdb77ae0cc103b98e5f43ff87c41812.exe	87
PID 3388 wrote to memory of 3324	3388	11fd50497d65182202764cf5cc13a6bcbbdb77ae0cc103b98e5f43ff87c41812.exe	87
PID 1160 wrote to memory of 4144	1160	msiexec.exe	90
PID 1160 wrote to memory of 4144	1160	msiexec.exe	90
PID 1160 wrote to memory of 4144	1160	msiexec.exe	90
PID 4144 wrote to memory of 3672	4144	MsiExec.exe	91
PID 4144 wrote to memory of 3672	4144	MsiExec.exe	91
PID 4144 wrote to memory of 3672	4144	MsiExec.exe	91
PID 1160 wrote to memory of 1520	1160	msiexec.exe	96
PID 1160 wrote to memory of 1520	1160	msiexec.exe	96
PID 3388 wrote to memory of 1548	3388	11fd50497d65182202764cf5cc13a6bcbbdb77ae0cc103b98e5f43ff87c41812.exe	103
PID 3388 wrote to memory of 1548	3388	11fd50497d65182202764cf5cc13a6bcbbdb77ae0cc103b98e5f43ff87c41812.exe	103
PID 1548 wrote to memory of 1196	1548	CiscoCollabHost.exe	104
PID 1548 wrote to memory of 1196	1548	CiscoCollabHost.exe	104

C:\Users\Admin\AppData\Local\Temp\11fd50497d65182202764cf5cc13a6bcbbdb77ae0cc103b98e5f43ff87c41812.exe
"C:\Users\Admin\AppData\Local\Temp\11fd50497d65182202764cf5cc13a6bcbbdb77ae0cc103b98e5f43ff87c41812.exe"
1⤵
- Checks BIOS information in registry
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3388
- C:\Windows\SysWOW64\msiexec.exe
  msiexec.exe /i "C:\Users\Admin\AppData\Local\Temp\7d0d5de1-e0c4-453e-9287-89553318312c.msi" /quiet /norestart
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:3324
- C:\Users\Admin\AppData\Local\Programs\Cisco Spark\CiscoCollabHost.exe
  "C:\Users\Admin\AppData\Local\Programs\Cisco Spark\CiscoCollabHost.exe" /protocolUri="webex:///"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1548
- - C:\Users\Admin\AppData\Local\CiscoSparkLauncher\CiscoCollabHost.exe
    "C:\Users\Admin\AppData\Local\CiscoSparkLauncher\CiscoCollabHost.exe" "C:\Users\Admin\AppData\Local\CiscoSparkLauncher\44.7.0.30285_e46710d9-7d78-4765-9a97-0a5bad42223f" spark-windows-app.dll /Hosted=true "C:\Users\Admin\AppData\Local\Programs\Cisco Spark\CiscoCollabHost.exe" /protocolUri="webex:///"
    3⤵
    - Checks BIOS information in registry
    - Checks computer location settings
    - Executes dropped EXE
    - Loads dropped DLL
    - Enumerates system info in registry
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1196

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Adds Run key to start application
- Blocklisted process makes network request
- Enumerates connected drives
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1160
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 19E762DB5FCBB40144F8F65D679205BE
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4144
- - C:\Windows\SysWOW64\taskkill.exe
    "C:\Windows\system32\\taskkill.exe" /F /IM CiscoCollabHost.exe /T
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3672
- C:\Windows\System32\MsiExec.exe
  C:\Windows\System32\MsiExec.exe -Embedding F063626456BE6E9B961ABCD4CBC8E9BB
  2⤵
  PID:1520

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e579afb.rbs

Filesize
24KB

MD5
a65ecc71e733502893c9eed81f21f6ff

SHA1
0737fa24b796117a321921640999d1e3a460fc52

SHA256
d97d58a98ff892c81832fdab3ee31ea109aa3f549272c41591ce77cd277dead6

SHA512
1cc0f702c011b4fc84c2064d128808f72f01ea628aee6c61b1e55757b70387f76a0e0d3be2b569ad864513f03b2d708a0f54a29877db707eacc1bdbad1eedca5

Download Submit
C:\Users\Admin\AppData\Local\CiscoSparkLauncher\44.7.0.30285_e46710d9-7d78-4765-9a97-0a5bad42223f\dependencies\EventBus.dll

Filesize
64KB

MD5
24185b5f403243698b02498f18f07005

SHA1
02457e0a97585acac9f67c2e41b3d9b5a8d9855e

SHA256
b2bd87c8c4129c033b9d6aa717a93325da9be6ab61de54eac8fe5c78f533428f

SHA512
35544ec6358e422b39762504d89c527a68f3c1c362b23901ee78155447c59e39cf4e11d6e59c3f3d7ccffef8428e3dfccf33c45d1768a86e6a260a89de3d8ecd

Download Submit
C:\Users\Admin\AppData\Local\CiscoSparkLauncher\44.7.0.30285_e46710d9-7d78-4765-9a97-0a5bad42223f\dependencies\KF5SyntaxHighlighting.dll

Filesize
1.7MB

MD5
d8bfdec029ea1c2b9648da25b7dd3cb8

SHA1
8cfaa6aabb6a0e66221fd2461257c94844274f07

SHA256
aa9c37ed2f324f32925edfd7adf83fdb99cc0c05c2bf6239514f2ab5cb12fbf2

SHA512
5204b00003aeebcfc3982eedeadc983702de8ec12770ee9cd677729a141e77d560730137251a33d876fb10b12a72b097504e6b5ecef0a181c009dc791ed2a2d2

Download Submit
C:\Users\Admin\AppData\Local\CiscoSparkLauncher\44.7.0.30285_e46710d9-7d78-4765-9a97-0a5bad42223f\dependencies\LambdaThreadSwitcher.dll

Filesize
27KB

MD5
6f51161a064257cff0d5a0459b9e83d8

SHA1
e34df9c34fda0facefe2f0efacc4519532477f91

SHA256
30700ca073e64599e4725294b175fce95dd1a78599c6121f699c76bdf533421d

SHA512
646815dcb407098f565b2740805b252e756ae10dae8786f046cad56871114fb13a5085de2df18a7b2f9b02e8409a0527d134430c2af8a9b7eea1d4aa73fd19af

Download Submit
C:\Users\Admin\AppData\Local\CiscoSparkLauncher\44.7.0.30285_e46710d9-7d78-4765-9a97-0a5bad42223f\dependencies\MeetingContainerActivityStreamType.dll

Filesize
18KB

MD5
c1c6521f49f8e13710948639b44f0c47

SHA1
4c04506b92096e9b0a99f7eb439848b240ce176b

SHA256
9c5eb977efd4cc062b54b6f218fc52c6ca153ada4f2a3d4e8ddf03e6f927e144

SHA512
1b83288d92e7b0276a649739b0b41b5e3abc0d114611377158ea7b5cf90b848a2796e6b2ffd181e48f66ec8e41eaabf73fcc18a12a4710818c48d0a75c6ec3b0

Download Submit
C:\Users\Admin\AppData\Local\CiscoSparkLauncher\44.7.0.30285_e46710d9-7d78-4765-9a97-0a5bad42223f\dependencies\QmlBase.dll

Filesize
106KB

MD5
769543a42b3dd011100471cf127e28c5

SHA1
dbab9b025f57ea09eaf2b952aa22b25c07b72cec

SHA256
e0ddf69bafb162ac758abf4ecafae7586c77cd4e268fca0d8df0d05ba3203dd6

SHA512
8c1db502176f0cef82c708fbb1999749e7781282472ce81a83c267453f602d2488f15d47e00c7b0149bbe639eace82687f971a42adaa3a38666ce81536817cb0

Download Submit
C:\Users\Admin\AppData\Local\CiscoSparkLauncher\44.7.0.30285_e46710d9-7d78-4765-9a97-0a5bad42223f\dependencies\Qt5Core.dll

Filesize
6.2MB

MD5
a82c139b1bf661bcb71357ca088fcf11

SHA1
c798afa943f98168310333e1abf575801d962650

SHA256
60fba4ea4d8ece7291891c83cea5d55cead8d593a12fd23d1e6e0c45e602ee29

SHA512
66f448435ed9813ad95e70b81d1ea509c42c021530c45b4aa22d8a8aaa07834ea3248130573479fbff4a99482ce9293291172d74ee5ee21bb8a53a257ea3dd81

Download Submit
C:\Users\Admin\AppData\Local\CiscoSparkLauncher\44.7.0.30285_e46710d9-7d78-4765-9a97-0a5bad42223f\dependencies\Qt5Gui.dll

Filesize
6.9MB

MD5
a8e9e3f4703304fd54f0f57c1e3d5d77

SHA1
a4c974ea3288fc9fea9da3bf8c9bc02684b1280f

SHA256
60b216541d8071d29de57cc427646b365ce15720537d83687d918276e30f7ad9

SHA512
892726e4340c75150e91af11378d8f5517c9d3ad1e6a7e9c9f79e53a5931f68eef3fc35f67f8f3247d1f75c01d81eaf795340aec81e21140715857caf956bcf1

Download Submit
C:\Users\Admin\AppData\Local\CiscoSparkLauncher\44.7.0.30285_e46710d9-7d78-4765-9a97-0a5bad42223f\dependencies\Qt5Network.dll

Filesize
1.1MB

MD5
0826fd88c73466ff6b8cf47dab13e4b9

SHA1
b6b21643da59be03ffbb4e736077e185c39de6bb

SHA256
758beefcc5d4cbb4e5e25924458b46d6c786425ab2367b0da0f4dbd86cad459e

SHA512
9d281fa82099d778e7b1440d4adc32cb9edb97ccecd5f4a810349babd5f4c8ffd2b4c2cbe38e24ebc362f394d222b785767a0838f9ce6df92b916a2ad5d5f13a

Download Submit
C:\Users\Admin\AppData\Local\CiscoSparkLauncher\44.7.0.30285_e46710d9-7d78-4765-9a97-0a5bad42223f\dependencies\Qt5Qml.dll

Filesize
3.5MB

MD5
4249e751e664faaa5e2da17c11a59f53

SHA1
90aaead901872b99402d2fdef638da7c58c9c31d

SHA256
08684bebfc18c402001f091a55ba984c1e24dababf139caa8144bc117a441d0f

SHA512
05c33756154c92f3368ab3c4b41e7b30847c9e76e8c2135ac1eaf4ad1b93f9c245b64797dfab55cc44d717a6fe2eadd9596c52f6f15595305c1c1ee5e3ddce51

Download Submit
C:\Users\Admin\AppData\Local\CiscoSparkLauncher\44.7.0.30285_e46710d9-7d78-4765-9a97-0a5bad42223f\dependencies\Qt5Quick.dll

Filesize
4.1MB

MD5
1ddbb41900edfa17646ca30ac7d21500

SHA1
b8c602b04337b515e7bc5b6e05a908ea58930d73

SHA256
9d15671c3578ddd9664fbf1fadd4306478d92c83a8f2d2b5a30d1c6c52acf6af

SHA512
e378614c1805b63b99d7d6c1bdfd8baefddcb6edd5400d5e1e6ea6aae528dd9b9e6a5f9e1131dd3f0b56decd990977ba145b5b50f3e251233bbd2702bf94050e

Download Submit
C:\Users\Admin\AppData\Local\CiscoSparkLauncher\44.7.0.30285_e46710d9-7d78-4765-9a97-0a5bad42223f\dependencies\Qt5QuickWidgets.dll

Filesize
91KB

MD5
ce80619faddffc43b7b8beaa1603e89d

SHA1
7fe85a899dfe64466315d12ec8ea1679931115b1

SHA256
d46d1af4d1988300863bfe09ab1d5a8754298a11d6b95b33552126eca54fef8c

SHA512
103e0035a655e1683339fb7efa2de4173f3c2d276c58da4c6b66050fd467947864aaa0cb072b5a92d2dbd5aff592dd79ba1d2d3d689914f105003001d3350625

Download Submit
C:\Users\Admin\AppData\Local\CiscoSparkLauncher\44.7.0.30285_e46710d9-7d78-4765-9a97-0a5bad42223f\dependencies\Qt5Svg.dll

Filesize
332KB

MD5
25f49f9d2ccd5d93c8f7879b5f936bfb

SHA1
3492ec44bf0ec35645bd45a5a0e9b55defb1b822

SHA256
31c6dca1fdc9767149516ec7790aa24d93931cdf1d1f7065dba19cbd3e1e5fd1

SHA512
5aa3c0a8db7b3a46da13bed183a88b9e6cbee5f505e51ba8c5c4b33007fcaf474cdd6e51453e534ea5f6d24997fc6709589629fa8e214a42a5485dcb93540e73

Download Submit
C:\Users\Admin\AppData\Local\CiscoSparkLauncher\44.7.0.30285_e46710d9-7d78-4765-9a97-0a5bad42223f\dependencies\Qt5Widgets.dll

Filesize
5.5MB

MD5
806ad42e12d8a725fc88e761668ffc1a

SHA1
276cee74217cd21357682310689216d9025195a1

SHA256
8b27f35a4528c45761e05c40ae428088774855ecb09218834e367dd0affea191

SHA512
97e9d0893b534d61adc4a74d847d14e2b13418fedd8396e950db3e5fd2ef1325683e9f8c8bded20f2f9f95a63cf4e2251993259fbeb0a6aa193c77e941784dd7

Download Submit
C:\Users\Admin\AppData\Local\CiscoSparkLauncher\44.7.0.30285_e46710d9-7d78-4765-9a97-0a5bad42223f\dependencies\ServicesSignalEmitters.dll

Filesize
399KB

MD5
c5145e202cfe83ff491433f85b3f95e1

SHA1
5d77a74ed8fd9f6b41e1a248b2d399edb03c5310

SHA256
77603b0be9ada7b42dfe87e9e9e27a1970b8a3685ce82e1d15e15a30656504e2

SHA512
b082470398121c90eec2f524b4d9391257babb1eb0b0d4364e9beb8a23275bb714c32817333d9759dca494245eaa4490f723dbbd479b5af5f6bacfeb66e654b4

Download Submit
C:\Users\Admin\AppData\Local\CiscoSparkLauncher\44.7.0.30285_e46710d9-7d78-4765-9a97-0a5bad42223f\dependencies\SparkPrtDll.dll

Filesize
1.3MB

MD5
390abd93f694837cf99d123e67117c5b

SHA1
14f2d46de934380a905b78bca6d682f2071a39cc

SHA256
62c5765c1b4245b5b95683110b1445017f5ed8ef35cdbb3c783f5278f6d39797

SHA512
9fffef25c0db7959f1ac756a689f817ddfd9c77d9aa3047d29c1baa764ecefe7f668871a39e69b5ba77fb0090d8da6b1118aceadf0e2682b647497e88559433f

Download Submit
C:\Users\Admin\AppData\Local\CiscoSparkLauncher\44.7.0.30285_e46710d9-7d78-4765-9a97-0a5bad42223f\dependencies\UIToolkit.dll

Filesize
730KB

MD5
6e97791bc1c656ab064d7c3e86006d7b

SHA1
b3e991a772058a71444aba4d2a96f92fa861433f

SHA256
c7175d8c719a8c95bad91f26eb22e90b3f3e0deb27f6366591038ee0de190995

SHA512
0eeb51c06ba644ea1b23b179e645b3a08092fcc3fae0734f2b6fbc9aa83f0a503f75124bb5f7ed2ef5e94e5dcb1a9eee16c40ec1dc3d7ae7b5176d498d8759d2

Download Submit
C:\Users\Admin\AppData\Local\CiscoSparkLauncher\44.7.0.30285_e46710d9-7d78-4765-9a97-0a5bad42223f\dependencies\VCRUNTIME140.dll

Filesize
96KB

MD5
9fbacc6830481b1105cb7228ed7fad69

SHA1
6c198c255d23771c164659185a4b072608385286

SHA256
1c6e3876bc85cb229bbcbf508971db218c77d3b582c7ad1ae69dc2cec13c4f6d

SHA512
e20f189554cf185603d25aef2eb4ac94e72c82e52336ae83fc4c208eaeb9decf5d1e1a49c1d8d7a3c9d1a64a6880775cc9c33eacf2793e668e20ba92d4092652

Download Submit
C:\Users\Admin\AppData\Local\CiscoSparkLauncher\44.7.0.30285_e46710d9-7d78-4765-9a97-0a5bad42223f\dependencies\d3dcompiler_47.dll

Filesize
4.7MB

MD5
2191e768cc2e19009dad20dc999135a3

SHA1
f49a46ba0e954e657aaed1c9019a53d194272b6a

SHA256
7353f25dc5cf84d09894e3e0461cef0e56799adbc617fce37620ca67240b547d

SHA512
5adcb00162f284c16ec78016d301fc11559dd0a781ffbeff822db22efbed168b11d7e5586ea82388e9503b0c7d3740cf2a08e243877f5319202491c8a641c970

Download Submit
C:\Users\Admin\AppData\Local\CiscoSparkLauncher\44.7.0.30285_e46710d9-7d78-4765-9a97-0a5bad42223f\dependencies\hunspell.dll

Filesize
416KB

MD5
159b3e31cb2b3f90dd5e9fa85ab69581

SHA1
f758d5fd252bb32a8acdc75a237f4e5e60ee74e2

SHA256
239ee3315fc85ce00323b811cb1da9b081c86fe7853f3cc3276853f0188cb3ea

SHA512
dce5ae7bb7c4ee019da663deec01dd41cd7ef25815aa80baf72ed749f2a74354c47e1d749fb024543c1e832f0f8829667de7338b189ec746e861a05199a2e8c6

Download Submit
C:\Users\Admin\AppData\Local\CiscoSparkLauncher\44.7.0.30285_e46710d9-7d78-4765-9a97-0a5bad42223f\dependencies\libcrypto-1_1-x64.dll

Filesize
3.2MB

MD5
b5509d214ff178724ebb59712064f50e

SHA1
b215a837dec5ecbae21b0412122726af7c7d951f

SHA256
fece37f66d93f62b3550a1328322f342545404ab6b60655cd7082ea98c775cf3

SHA512
e674fda8bfbac252975489088de7a4a62c12410f90b65ca226b1a74873a6130c781a69ae2bb6aa9e89d3c78caac8a214efbcbe6d74533df469b61730258a0171

Download Submit
C:\Users\Admin\AppData\Local\CiscoSparkLauncher\44.7.0.30285_e46710d9-7d78-4765-9a97-0a5bad42223f\dependencies\libcurl.dll

Filesize
804KB

MD5
68b222d16935e748741daceff2cf1d88

SHA1
5508d8e94a541f81d796f31aec1c081bbd340e19

SHA256
255a9bad11ae0773c54017070142e6dc84f5f4597b1dc5645fbccfa383c5fc23

SHA512
7e60919b7227211f4de28e2d9a27018e9c7ea24bcd49cddb30c8ece661d60a309ad299ff03919ba0fd701a4bd09457d294a3db122d1550e925d764ffe43cb11f

Download Submit
C:\Users\Admin\AppData\Local\CiscoSparkLauncher\44.7.0.30285_e46710d9-7d78-4765-9a97-0a5bad42223f\dependencies\libssl-1_1-x64.dll

Filesize
670KB

MD5
b9cabd441d0e5bc8155e818a064fe7a7

SHA1
af24ec2327f5d306508ae15a6b8a7f536364846d

SHA256
bb59ea96f75d91873ca4364d9bfdd909bceec04d5d1fc7d26a1fd45edfb1c419

SHA512
5d818a7f27965141d090cb43ce200d77373b783d4bc497394de655bb1688f66417e8f7899c7c48384d0cb4421d697bbd9b732a15c055fe307023a215d8719193

Download Submit
C:\Users\Admin\AppData\Local\CiscoSparkLauncher\44.7.0.30285_e46710d9-7d78-4765-9a97-0a5bad42223f\dependencies\spark-windows-app-impl.dll

Filesize
20KB

MD5
2b25d3b4670f3d01bce00f03f6955deb

SHA1
2b6d32febd30eba3c1d383918620449cb023fd61

SHA256
f7077b57d5adf49648d647886a1ae21375d166af91157eca71d88c1078168991

SHA512
ae62ba1a73d898176256fcde8bcf5667e139d771536740f1589e8140401dc7224a91d86c4651b2134bd4170bb6f3830d4009d3b6527b2b5e5c23c46acb55e38b

Download Submit
C:\Users\Admin\AppData\Local\CiscoSparkLauncher\44.7.0.30285_e46710d9-7d78-4765-9a97-0a5bad42223f\dependencies\spark-windows-desktop-ui-rcc.dll

Filesize
21.0MB

MD5
f47d6fd47f50f0c02fb191dd6f1f2c78

SHA1
1414e747408617f2ea1d4ee25f354159a50d4aec

SHA256
a7e44684e96955187730319805d6ea49f6af1638a3f76eb27f15b2704abf13da

SHA512
ba44628e3e7a70e64565fbf36653dc6a7f7fa000766c0fa0a87c9c1914e83b3bc123145ebb26fa6e91efeb0bbce9d803c20177b10df2acbc72f6656e8c51bb68

Download Submit
C:\Users\Admin\AppData\Local\CiscoSparkLauncher\44.7.0.30285_e46710d9-7d78-4765-9a97-0a5bad42223f\dependencies\windows-os-integrations.dll

Filesize
486KB

MD5
8c775486f56d7db063cdcfbb24af6d10

SHA1
f55b74ae07472e87da5168db54025054a283ddce

SHA256
de7a2c314444f7a165a4356f22e092cdbd3066eb519d9d842190c16ae6dfdd53

SHA512
89909f3a406b50a098520438ed3294ef9d246eb90ee53f1b9c88f03fcb6bc57ea1e9c2c30aa0c4d84f715a8c20da1351d348f7a2332921372c324106db12895e

Download Submit
C:\Users\Admin\AppData\Local\CiscoSparkLauncher\44.7.0.30285_e46710d9-7d78-4765-9a97-0a5bad42223f\spark-windows-app.dll

Filesize
23KB

MD5
fd76faaf7bfa561eb684e135c67bf8ed

SHA1
a3c505bb060e0e4a9b1f56ac89eb3cd6c1dbde92

SHA256
f8ec5e433a9d633920c05d67f0ebe8fba734449101292148ac60729fb5bd481b

SHA512
31826c372cdd5563dda744c35b284c2c6ba656a134bac149dacaf8509374cf37b11de559890455901604efdeb9ba9b9d1ac457427221b64fb64cb8512f339b68

Download Submit
C:\Users\Admin\AppData\Local\CiscoSparkLauncher\CiscoSparkLauncher.dll

Filesize
2.6MB

MD5
6169a4ef41c5e7d278e2e9622926fa7c

SHA1
bd3694365c7abbf227c91f0006ba1401cbf187fa

SHA256
d9f15478b12042103e8ecf26660b1d53c6522b113e6ac0a0b69475d787378cfd

SHA512
c1d50fe592246941bc630b68d0567f09f8e990f7275d4c20af4fb68657493db42c25597831144437e827991de66175c9571edfb1612f5ad7d64a950270ba9886

Download Submit
C:\Users\Admin\AppData\Local\Programs\Cisco Spark\CiscoCollabHost.exe

Filesize
119KB

MD5
f14ee7958d8796967f877f7560ab0330

SHA1
8c9139752d3668c858ef192c8f4405e1c7230e73

SHA256
d18a3a04f3381d718b3ba3d106aa1db14009b00071f378ab42707a9f173d629a

SHA512
c963c934e8d3126139fccb8aaa6d76efb0dae6826734ed62d12fd1f49b38a8fb9dcde3e8c00a4de80e18eda104ed9f620e921438f9b60c870a0061958d5df412

Download Submit
C:\Users\Admin\AppData\Local\Temp\7d0d5de1-e0c4-453e-9287-89553318312c.msi

Filesize
1.0MB

MD5
f525cfc72cd1cc55c9c69d11cef27613

SHA1
7d9163ca81e89a69f9e8bbea05bc5d8c602a93f0

SHA256
ad8f04a096035a676448a6182915e9e0d147e05f3fac3f69899c0ef4736e2c55

SHA512
55323e17d2542e421d2de40b5d48ee8a93abea1ca78730c6c8a304a0690b53fc2a0fedfe8e0d9cea773c0580d35d48d87184ee62fc81a51e9dd7308687fbf303

Download Submit
C:\Windows\Installer\MSI9E72.tmp

Filesize
211KB

MD5
a3ae5d86ecf38db9427359ea37a5f646

SHA1
eb4cb5ff520717038adadcc5e1ef8f7c24b27a90

SHA256
c8d190d5be1efd2d52f72a72ae9dfa3940ab3faceb626405959349654fe18b74

SHA512
96ecb3bc00848eeb2836e289ef7b7b2607d30790ffd1ae0e0acfc2e14f26a991c6e728b8dc67280426e478c70231f9e13f514e52c8ce7d956c1fad0e322d98e0

Download Submit
memory/1196-944-0x00007FFA233A0000-0x00007FFA243A0000-memory.dmp

Filesize
16.0MB

Download
memory/1196-942-0x00007FFA3D810000-0x00007FFA3DC2B000-memory.dmp

Filesize
4.1MB

Download
memory/1196-943-0x00007FFA3FE80000-0x00007FFA40405000-memory.dmp

Filesize
5.5MB

Download
memory/3388-0-0x00000000007F0000-0x0000000000BDC000-memory.dmp

Filesize
3.9MB

Download
memory/3388-785-0x00000000007F0000-0x0000000000BDC000-memory.dmp

Filesize
3.9MB

Download
memory/3388-575-0x00000000007F0000-0x0000000000BDC000-memory.dmp

Filesize
3.9MB

Download
memory/3388-48-0x00000000007F0000-0x0000000000BDC000-memory.dmp

Filesize
3.9MB

Download
memory/3388-967-0x00000000007F0000-0x0000000000BDC000-memory.dmp

Filesize
3.9MB

Download