bumblebee | 9982330ae990386cd74625f0eaa26ae697574694eb2ec330c2acac5e0149fdc0

Analysis

max time kernel
149s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
15-03-2023 09:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

r3.msi
Size

6.4MB
MD5

6f7e07b84897cccab30594305416d36f
SHA1

6d1d531c921a17b36e792e2843311e27b9aa77a4
SHA256

9982330ae990386cd74625f0eaa26ae697574694eb2ec330c2acac5e0149fdc0
SHA512

689ba6b48065a9098ef62bc8ed0650fa0b66f403af9dc315a456d514ea61afda7cf67c3786760e4ac49adc8a60f489199e6aae08a59aa4ef8e57e064bce9e892
SSDEEP

196608:+kyJofCBPu0rDMQFVOiNRUm0TcrdJgRueb3IR6s8:DymfCBPoYOiPTacBeue7xs8

Score

10^/10

bumblebee pgchat trojan

Malware Config

Extracted

Family

bumblebee

rc4.plain

Extracted

Family

bumblebee

Botnet

pgchat

45.61.187.225:443

91.206.178.68:443

193.109.120.252:443

rc4.plain

Signatures

BumbleBee
BumbleBee is a webshell malware written in C++.
trojan bumblebee

Blocklisted process makes network request 9 IoCs

flow	pid	Process
4	392	msiexec.exe
7	392	msiexec.exe
9	392	msiexec.exe
60	2884	powershell.exe
62	2884	powershell.exe
85	2884	powershell.exe
87	2884	powershell.exe
90	2884	powershell.exe
91	2884	powershell.exe

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe

Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

pid	Process
2884	powershell.exe

Drops file in Windows directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\MSIE004.tmp	msiexec.exe
File created	C:\Windows\Installer\e56de22.msi	msiexec.exe
File created	C:\Windows\Installer\e56de20.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e56de20.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{DD475EBC-D960-4AF4-BB8A-BE91FA942756}	msiexec.exe

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 000000000400000027c70fafd0cbe6b20000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff00000000270101000008000027c70faf0000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3f000000ffffffff00000000070001000068090027c70faf000000000000d0120000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff00000000000000000000000027c70faf00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff00000000000000000000000027c70faf00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
644	msiexec.exe
644	msiexec.exe
2884	powershell.exe
2884	powershell.exe
2884	powershell.exe
2884	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	392	msiexec.exe
Token: SeIncreaseQuotaPrivilege	392	msiexec.exe
Token: SeSecurityPrivilege	644	msiexec.exe
Token: SeCreateTokenPrivilege	392	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	392	msiexec.exe
Token: SeLockMemoryPrivilege	392	msiexec.exe
Token: SeIncreaseQuotaPrivilege	392	msiexec.exe
Token: SeMachineAccountPrivilege	392	msiexec.exe
Token: SeTcbPrivilege	392	msiexec.exe
Token: SeSecurityPrivilege	392	msiexec.exe
Token: SeTakeOwnershipPrivilege	392	msiexec.exe
Token: SeLoadDriverPrivilege	392	msiexec.exe
Token: SeSystemProfilePrivilege	392	msiexec.exe
Token: SeSystemtimePrivilege	392	msiexec.exe
Token: SeProfSingleProcessPrivilege	392	msiexec.exe
Token: SeIncBasePriorityPrivilege	392	msiexec.exe
Token: SeCreatePagefilePrivilege	392	msiexec.exe
Token: SeCreatePermanentPrivilege	392	msiexec.exe
Token: SeBackupPrivilege	392	msiexec.exe
Token: SeRestorePrivilege	392	msiexec.exe
Token: SeShutdownPrivilege	392	msiexec.exe
Token: SeDebugPrivilege	392	msiexec.exe
Token: SeAuditPrivilege	392	msiexec.exe
Token: SeSystemEnvironmentPrivilege	392	msiexec.exe
Token: SeChangeNotifyPrivilege	392	msiexec.exe
Token: SeRemoteShutdownPrivilege	392	msiexec.exe
Token: SeUndockPrivilege	392	msiexec.exe
Token: SeSyncAgentPrivilege	392	msiexec.exe
Token: SeEnableDelegationPrivilege	392	msiexec.exe
Token: SeManageVolumePrivilege	392	msiexec.exe
Token: SeImpersonatePrivilege	392	msiexec.exe
Token: SeCreateGlobalPrivilege	392	msiexec.exe
Token: SeBackupPrivilege	220	vssvc.exe
Token: SeRestorePrivilege	220	vssvc.exe
Token: SeAuditPrivilege	220	vssvc.exe
Token: SeBackupPrivilege	644	msiexec.exe
Token: SeRestorePrivilege	644	msiexec.exe
Token: SeRestorePrivilege	644	msiexec.exe
Token: SeTakeOwnershipPrivilege	644	msiexec.exe
Token: SeRestorePrivilege	644	msiexec.exe
Token: SeTakeOwnershipPrivilege	644	msiexec.exe
Token: SeRestorePrivilege	644	msiexec.exe
Token: SeTakeOwnershipPrivilege	644	msiexec.exe
Token: SeRestorePrivilege	644	msiexec.exe
Token: SeTakeOwnershipPrivilege	644	msiexec.exe
Token: SeRestorePrivilege	644	msiexec.exe
Token: SeTakeOwnershipPrivilege	644	msiexec.exe
Token: SeRestorePrivilege	644	msiexec.exe
Token: SeTakeOwnershipPrivilege	644	msiexec.exe
Token: SeRestorePrivilege	644	msiexec.exe
Token: SeTakeOwnershipPrivilege	644	msiexec.exe
Token: SeRestorePrivilege	644	msiexec.exe
Token: SeTakeOwnershipPrivilege	644	msiexec.exe
Token: SeRestorePrivilege	644	msiexec.exe
Token: SeTakeOwnershipPrivilege	644	msiexec.exe
Token: SeRestorePrivilege	644	msiexec.exe
Token: SeTakeOwnershipPrivilege	644	msiexec.exe
Token: SeRestorePrivilege	644	msiexec.exe
Token: SeTakeOwnershipPrivilege	644	msiexec.exe
Token: SeRestorePrivilege	644	msiexec.exe
Token: SeTakeOwnershipPrivilege	644	msiexec.exe
Token: SeRestorePrivilege	644	msiexec.exe
Token: SeTakeOwnershipPrivilege	644	msiexec.exe
Token: SeRestorePrivilege	644	msiexec.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
392	msiexec.exe
1928	msiexec.exe
392	msiexec.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 644 wrote to memory of 1556	644	msiexec.exe	95
PID 644 wrote to memory of 1556	644	msiexec.exe	95
PID 644 wrote to memory of 1928	644	msiexec.exe	99
PID 644 wrote to memory of 1928	644	msiexec.exe	99
PID 644 wrote to memory of 2884	644	msiexec.exe	98
PID 644 wrote to memory of 2884	644	msiexec.exe	98
PID 2884 wrote to memory of 732	2884	powershell.exe	102
PID 2884 wrote to memory of 732	2884	powershell.exe	102
PID 732 wrote to memory of 5096	732	csc.exe	103
PID 732 wrote to memory of 5096	732	csc.exe	103
PID 2884 wrote to memory of 2024	2884	powershell.exe	104
PID 2884 wrote to memory of 2024	2884	powershell.exe	104
PID 2024 wrote to memory of 4684	2024	csc.exe	105
PID 2024 wrote to memory of 4684	2024	csc.exe	105

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\r3.msi
1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:392

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:644
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  PID:1556
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep bypass -file "C:\Users\Admin\AppData\Local\Temp\Package Installation Dir\chch.ps1"
  2⤵
  - Blocklisted process makes network request
  - Suspicious use of NtCreateThreadExHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2884
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\habyylvp\habyylvp.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:732
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE98A.tmp" "c:\Users\Admin\AppData\Local\Temp\habyylvp\CSC26AF461FCC1457F98A111FE4F55945.TMP"
      4⤵
      PID:5096
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\04r1tiyw\04r1tiyw.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2024
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFCD3.tmp" "c:\Users\Admin\AppData\Local\Temp\04r1tiyw\CSCA9E156AF517D410592CD6916F8A7F234.TMP"
      4⤵
      PID:4684
- C:\Windows\system32\msiexec.exe
  msiexec /i "C:\Users\Admin\AppData\Local\Temp\Package Installation Dir\ChatGPT.msi"
  2⤵
  - Enumerates connected drives
  - Suspicious use of FindShellTrayWindow
  PID:1928

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:220

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e56de21.rbs

Filesize
7KB

MD5
97b34bb503b8169aff6f8e997e53a272

SHA1
e513e7c5b01679991f6266fd09f57eec86ed615d

SHA256
d4f517067a7f8d65d95aff35c60ccbc186e91fb07fd25a419f416b86f3e0a8d6

SHA512
dbcf14d14ea3d7b356a0d450d6afea550e0296e957c47a5eee477aef8b4b22dabc65ad7372fda329c877d68db80779b873232e74a2bb5249228c11032d342750

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\18E6B4A57A6BC7EC9B861CDF2D6D0D02_C3B142D2C5374581DC2FDFFDEDBDEDDB

Filesize
765B

MD5
80363f00b74e4d31ae90d11373f1ca03

SHA1
8b2a11b7f2cdb4605c32166d94bfaa2a3559f73a

SHA256
e5a87252918a448a50ddacbce3306d3f0ca0e101cb660bf258ce0bf12e158c0a

SHA512
25cb5bf44289d5eaba6cf015eba0f2f7a168c406e13e64bc3dbda02eb55b8b0270c5a833ddd0bb65f7cb1f3f82de629a2fbb866e7136cb5a5a9450a0f53cf5d7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\AEACCDA8653DD8D7B2EA32F21D15D44F_378BA46A07A0483C428E7FC44C59C2CB

Filesize
638B

MD5
526a94f21c7058bcb9519f95ddf2a5d6

SHA1
9f34a3227493ffea8ed6a8cfb9d0449f3d8db0ba

SHA256
bdd0ddb7f6154c3bf6e81af11c6ee93594acf337d51359c42f56c48136e103d4

SHA512
4c6464cc6b483c0034d1e54da53235f311e749b69771bd433240f480b479a6a2812a8e5d612ada2c0e042cfa669cc89d549430800d18d16ef68c76812d41a1f9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_93702E680A5530C052C8D2BA33A2225F

Filesize
1KB

MD5
08e04e2d6efad82e66c7e8a19bd0edcd

SHA1
f1849aff2e6c1c617656cf8255dcc0efa8621bd8

SHA256
7a663c3906f654c09b46dc935d105efa191391bbff176ebde316363efa63656c

SHA512
eb3b0faa526e2321ede9f3b65bdc6b21346397d335349c17a98298e2e1f1755616e679d0c7225697eccd04929b2b815cfbdede165efc2e3272dbe1bce8a4d2c3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\18E6B4A57A6BC7EC9B861CDF2D6D0D02_C3B142D2C5374581DC2FDFFDEDBDEDDB

Filesize
484B

MD5
19055a55445de8271d76fbf59746c7dd

SHA1
784c8669b1a57ffa0ceb7660110a0293112aedff

SHA256
37b5e8ecc01f85e0a3c49382e637bf03633ff7f857a96ab5fa173a6b77ee60bc

SHA512
3e28661b78617b36cfeb69b3cacf8d20142c13850dd89d04178ecec9a2920edeace0c22badc37bea8b84d11425f7b4094f930857fe3b556403242e65d55a6193

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\AEACCDA8653DD8D7B2EA32F21D15D44F_378BA46A07A0483C428E7FC44C59C2CB

Filesize
484B

MD5
8e55dddf575ae08a0b709b4c7e0f76a3

SHA1
c352071d45f58e9e8f94b02c5f55751b6e837ad1

SHA256
4b5ab9b1fa39fa5c110d703a34fb842287f36e12784af0d26c9f2620340af811

SHA512
c00ffb32dae6796bef34ff09a446a539b74c7c4a80948e58257771cdef2532b4e77e67641feff79c373e3d70fd8178b54848b3f297b13e4c045363bd220cbe3c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_93702E680A5530C052C8D2BA33A2225F

Filesize
482B

MD5
22ec7dcf2c86283c475fd46fe44a0bbb

SHA1
20ae74707c7cf0dc57bbda245095c1b543c2a275

SHA256
6c6c6edbd7fe11f85ed944b61fa1ca3e518be2aa33569fd867c31d14ec21554b

SHA512
341384f964f5f4d56daf870299b0c24f16c1bf8ac1012f3d75a18defe673b6c134963f47098f40074ad3c2eb24605b74cfdabe1dd5c0981e0171f4899ea8396a

Download Submit
C:\Users\Admin\AppData\Local\Temp\04r1tiyw\04r1tiyw.dll

Filesize
3KB

MD5
546fedb2d1ed0f1c630276f6d77257fc

SHA1
49009174b3faf406bb465e588d5267fed4612b65

SHA256
a246d9238fbf430492f3b4b246139666c86400ede80769000ccabb96a489ad3a

SHA512
63400fb4879dbf6bab2407942dd339e474ec24978fb6c640a41cc774f6eaf2755222d47b33375fa3bcba30a9949544d47091ab7c54d40eac550e8b1deb406fad

Download Submit
C:\Users\Admin\AppData\Local\Temp\Package Installation Dir\ChatGPT.msi

Filesize
5.7MB

MD5
41c305f5555c83b876ad9055d8f6d6a8

SHA1
e3d2af686f2b4b1a03bf3853790697640c94ba22

SHA256
29eef3d0b07ebf231546fdd0719b0102008310916ceda253fadb4037f484e753

SHA512
956d2004ab0a69f4bf3fea667ba64a72d70a9ac4d699b5b9cda38417f3db1fe8f8e066b46dc2bf0fbb5afc4eb08ed004c0dbd1805b71f805253ab227be26dfa5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Package Installation Dir\chch.ps1

Filesize
2.3MB

MD5
b4153c305f599325177fc402c696c4f9

SHA1
2832c07119d99a03cff018a56088f1e4861cd42a

SHA256
6271fd1865bed9afbc9e92f36714e97495f5b327f8cda1e02b569e9e1b9daef5

SHA512
86068967708635fc21a7702fa2ce8a32cc80b687ba80e217908e81fa5bdd3aca00400759948ed67c93f6807aa156943fc876817ccfb963a0890c1f2fa3d116b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESE98A.tmp

Filesize
1KB

MD5
a26cca7d37d6ba741dc9d7a669c7c8ae

SHA1
c59aa6266a9b3c4e8505318aaf88353410d9c118

SHA256
823b0dff4b44d003c3d100bbd7c1f0fda6cff82fcf6b19e7d7c719d3b1c2609f

SHA512
a599711dd560527e0be6f45bebcf2fe3010e1157963b17c39556a8da1156b0e8379c44b1fb366e7c0dbfecbfa706631942d1e25a38e9d5035a6fe9814d5d4aa6

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESFCD3.tmp

Filesize
1KB

MD5
88e06687bc013877421c499cf913eac4

SHA1
383c1680b0203b620ac99c60aa7461de402f8a2e

SHA256
fc7564db97d0aaa9ea8d9357bc1f323a13c0da8192b26007a7e25cb8e438f499

SHA512
791de4212aa8522eebf58e5fbef0f07d06663e60f619d6f6a02bbbf73b055ad53b75745dedaa1d6f9b8e4d1350992b5ed9449bb8d8871ca9bfa62e06b266d457

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_c0vfeimu.v2s.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\habyylvp\habyylvp.dll

Filesize
3KB

MD5
bb0eb3fe67008cb6bdc77b782f3bba4c

SHA1
a782de755278b14f1858c74b4a3d7ee3cfd779b7

SHA256
df59716a18fac4a88f886c51bd097dfbbe3ca5517696ed0c7d92fdee3e0aaec9

SHA512
b33f98a7544498adb0336cf5dbe45d70e8a0cb78bc3854235b05f52e9ae7803c259b178aa98517dbf76eb02843803e9000e315f24dc4e72fbd7b58490488496e

Download Submit
C:\Windows\Installer\e56de20.msi

Filesize
6.4MB

MD5
6f7e07b84897cccab30594305416d36f

SHA1
6d1d531c921a17b36e792e2843311e27b9aa77a4

SHA256
9982330ae990386cd74625f0eaa26ae697574694eb2ec330c2acac5e0149fdc0

SHA512
689ba6b48065a9098ef62bc8ed0650fa0b66f403af9dc315a456d514ea61afda7cf67c3786760e4ac49adc8a60f489199e6aae08a59aa4ef8e57e064bce9e892

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

Filesize
23.0MB

MD5
293b122f2a4237e49a818e329b822895

SHA1
8d1ed03f5c2f4faf22eea68c94a2df9a48c590a4

SHA256
024433c92e1ad46f70b9e7fd4b3416687b314b0225cd464bd082f61e1c3eba68

SHA512
b0949fc5947fb3b08e1394897931260d35b382d5df98a603fd900197d5e0119bd6fc647bb287973162c40c89b4cfe991c970413a2dc404af509c65e4ac64e3b1

Download Submit
\??\Volume{af0fc727-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{dd0296b0-8fcc-4c2d-8176-c008617566ad}_OnDiskSnapshotProp

Filesize
5KB

MD5
bc52f9a32c1034b2ff1b0fbae290afb0

SHA1
e4de03e5fbf6d18f5181f1e0d1c27558f3f2e434

SHA256
6131931071bf9825f2b5f345fd98aa076715a48a9e74ca4dcf321063e1c59072

SHA512
46161220b980718bacf9c5f5d1fbe6cd7da0edb070d70a923e7587652e20006b0a004545343aa17eab12b01e7012bb5c1e7823548ffa8561896476c670282781

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\04r1tiyw\04r1tiyw.0.cs

Filesize
582B

MD5
2bb8d0ee93aeae61a09adf4db6f29c1c

SHA1
8da3034bb8f84ea2522e276b492b2797b5db30ca

SHA256
68d44e3c373d2aec9dacf51326cbfebcba76c1c1a56545e5e1cbf58b44a9f817

SHA512
b3ec6841a9541e96a671a7d81378293567972541d9cdfc3137b478d9b4d3cccd4b5f536d0f059ee9c12fe9ba86bca62b795139a5215843465cb751e0ade95677

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\04r1tiyw\04r1tiyw.cmdline

Filesize
369B

MD5
e64eeaecae6cfe27e1c67999067a2370

SHA1
64cdb814b00f22426ba50063fb52b604c4f6bd8b

SHA256
8171498a0a6cd59c09770ea42656d0571f1ca50ca6f3e255a7b9ed005bed38f8

SHA512
52a4daf968c1b2a43dbc59892ace65dc2092d9497035387feaca8765c541e5eb713986dc5179d718476dcdeab5289360497d866b0d1452d0960d4574be4dd7ad

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\04r1tiyw\CSCA9E156AF517D410592CD6916F8A7F234.TMP

Filesize
652B

MD5
03383f4df62e0ca8ef319aec796a5498

SHA1
33c8d7d14841229c410d7ea3154226b258ff47fd

SHA256
da677218b6653da969f6d086dd0e7ac1d657c38df2645671e0eae3326d21caa5

SHA512
9e00d92bfb9e91b8c03718f9074407606cd008bcfac4da05085bd1fe4741678251601cec6ae9777d486ccd2f167363f6af0d0a1828872b01ac94aefff2895120

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\habyylvp\CSC26AF461FCC1457F98A111FE4F55945.TMP

Filesize
652B

MD5
d32058c4be2c04c2dd46d271449ff76e

SHA1
13ef09b2e0f2786883330057fa95a5b03e3d41dc

SHA256
288185dfcfe166aa5d493b4e12ad8354cf97b6ec1e6471fc6f6bf8dab4fdb5d5

SHA512
2e41acccbb5398fe2d91a5927ba226eaeab9d72007210c603132cc12dd754a7a287e695a893de0a71934fc8369e982d4571d42298e35500f2af28e3a0e2767ea

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\habyylvp\habyylvp.0.cs

Filesize
203B

MD5
b611be9282deb44eed731f72bcbb2b82

SHA1
cc1d606d853bbabd5fef87255356a0d54381c289

SHA256
ee09fdd61a05266e4e09f418fc6a452f1205d9f29afba6b8a1579333dc3ff3b6

SHA512
63b5ad7b65fd4866fb8841e4eee567e4f1e7888bb9fda8dd5c8dca3461d084d3f80ce920ae321609e4ff32ba13a55b7320282ce7201bb74a793d4700240360a4

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\habyylvp\habyylvp.cmdline

Filesize
369B

MD5
2dba59ac21f4cc56f6cf1650cc5e0f87

SHA1
71574e7950d2abb6e169521a0d076e9df1f2ae0a

SHA256
de59210081cce3583c3d7035d7c4609cc9a60cff8516801ede6d9a5390ccb850

SHA512
6f521db6400846f3a656417b8ea7a988e53f62e4dbf709000e5cf82ec6e07ae8f1923450a4de26feda8031d3c0c871a57c33f1162653df2cfca2b0eb5cc4144e

Download Submit
memory/644-204-0x0000018936D90000-0x0000018937851000-memory.dmp

Filesize
10.8MB

Download
memory/732-203-0x000001AA01750000-0x000001AA02211000-memory.dmp

Filesize
10.8MB

Download
memory/2024-218-0x000001E387160000-0x000001E387C21000-memory.dmp

Filesize
10.8MB

Download
memory/2884-229-0x000002C737B10000-0x000002C737B20000-memory.dmp

Filesize
64KB

Download
memory/2884-191-0x000002C737B10000-0x000002C737B20000-memory.dmp

Filesize
64KB

Download
memory/2884-231-0x000002C7380C0000-0x000002C738234000-memory.dmp

Filesize
1.5MB

Download
memory/2884-232-0x000002C71ECA0000-0x000002C71F761000-memory.dmp

Filesize
10.8MB

Download
memory/2884-221-0x000002C737F40000-0x000002C7380B4000-memory.dmp

Filesize
1.5MB

Download
memory/2884-227-0x000002C7380C0000-0x000002C738234000-memory.dmp

Filesize
1.5MB

Download
memory/2884-228-0x000002C7380C0000-0x000002C738234000-memory.dmp

Filesize
1.5MB

Download
memory/2884-230-0x00007FFE5C930000-0x00007FFE5C931000-memory.dmp

Filesize
4KB

Download
memory/2884-254-0x000002C71ECA0000-0x000002C71F761000-memory.dmp

Filesize
10.8MB

Download
memory/2884-176-0x000002C737B20000-0x000002C737B42000-memory.dmp

Filesize
136KB

Download
memory/2884-192-0x000002C737B10000-0x000002C737B20000-memory.dmp

Filesize
64KB

Download
memory/2884-234-0x000002C7380C0000-0x000002C73817E000-memory.dmp

Filesize
760KB

Download
memory/2884-237-0x000002C737B10000-0x000002C737B20000-memory.dmp

Filesize
64KB

Download
memory/2884-238-0x000002C737B10000-0x000002C737B20000-memory.dmp

Filesize
64KB

Download
memory/2884-239-0x000002C737B10000-0x000002C737B20000-memory.dmp

Filesize
64KB

Download
memory/2884-240-0x000002C737B10000-0x000002C737B20000-memory.dmp

Filesize
64KB

Download
memory/2884-241-0x000002C71ECA0000-0x000002C71F761000-memory.dmp

Filesize
10.8MB

Download
memory/2884-194-0x000002C737B10000-0x000002C737B20000-memory.dmp

Filesize
64KB

Download