bumblebee | 9890ae69f0a31a5656dbebce11384a70820ac49cabe9b244dfb8a5ed22617ff5

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20230221-en
resource tags

arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system
submitted
25/04/2023, 15:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AdobePDFReader.msi
Size

2.2MB
MD5

fadc9824c68402143239f764c99bb82d
SHA1

7eb72321c2c1e25b11c9d44229af22a179e27ce8
SHA256

9890ae69f0a31a5656dbebce11384a70820ac49cabe9b244dfb8a5ed22617ff5
SHA512

916b9b9836d5003193cf4f52c501a90ba16f18ca13a05325f9e11a6ee9d05b927013c09524757f33efd153c0e1d25648233e79f9a8eaa81fd69ed79282268ef6
SSDEEP

49152:NMU9FgsN+TXYr+LrUcdEL9MklhGUWhe8u/g1PQNPEUI:6gFPgYrordG9t0lepg1P2XI

Score

10^/10

bumblebee ad2404 trojan

Malware Config

Extracted

Family

bumblebee

Botnet

ad2404

149.3.170.185:443

23.108.57.117:443

199.195.249.67:443

103.175.16.149:443

209.141.58.129:443

192.254.79.106:443

rc4.plain

Signatures

BumbleBee
BumbleBee is a webshell malware written in C++.
trojan bumblebee

Blocklisted process makes network request 5 IoCs

flow	pid	Process
63	1964	powershell.exe
70	1964	powershell.exe
75	1964	powershell.exe
76	1964	powershell.exe
78	1964	powershell.exe

Executes dropped EXE 1 IoCs

pid	Process
2796	readerdc64.exe

Enumerates connected drives 3 TTPs 48 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe

Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

pid	Process
1964	powershell.exe

Drops file in Windows directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{DD475EBC-D960-4AF4-BB8A-BE91FA942756}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIB1C.tmp	msiexec.exe
File created	C:\Windows\Installer\e5707a3.msi	msiexec.exe
File created	C:\Windows\Installer\e5707a1.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e5707a1.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 00000000040000008ccb747e6bc781e30000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff0000000027010100000800008ccb747e0000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3f000000ffffffff0000000007000100006809008ccb747e000000000000d0120000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000000000008ccb747e00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000000000008ccb747e00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
4400	msiexec.exe
4400	msiexec.exe
1964	powershell.exe
1964	powershell.exe
1964	powershell.exe
2796	readerdc64.exe
2796	readerdc64.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4508	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4508	msiexec.exe
Token: SeSecurityPrivilege	4400	msiexec.exe
Token: SeCreateTokenPrivilege	4508	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	4508	msiexec.exe
Token: SeLockMemoryPrivilege	4508	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4508	msiexec.exe
Token: SeMachineAccountPrivilege	4508	msiexec.exe
Token: SeTcbPrivilege	4508	msiexec.exe
Token: SeSecurityPrivilege	4508	msiexec.exe
Token: SeTakeOwnershipPrivilege	4508	msiexec.exe
Token: SeLoadDriverPrivilege	4508	msiexec.exe
Token: SeSystemProfilePrivilege	4508	msiexec.exe
Token: SeSystemtimePrivilege	4508	msiexec.exe
Token: SeProfSingleProcessPrivilege	4508	msiexec.exe
Token: SeIncBasePriorityPrivilege	4508	msiexec.exe
Token: SeCreatePagefilePrivilege	4508	msiexec.exe
Token: SeCreatePermanentPrivilege	4508	msiexec.exe
Token: SeBackupPrivilege	4508	msiexec.exe
Token: SeRestorePrivilege	4508	msiexec.exe
Token: SeShutdownPrivilege	4508	msiexec.exe
Token: SeDebugPrivilege	4508	msiexec.exe
Token: SeAuditPrivilege	4508	msiexec.exe
Token: SeSystemEnvironmentPrivilege	4508	msiexec.exe
Token: SeChangeNotifyPrivilege	4508	msiexec.exe
Token: SeRemoteShutdownPrivilege	4508	msiexec.exe
Token: SeUndockPrivilege	4508	msiexec.exe
Token: SeSyncAgentPrivilege	4508	msiexec.exe
Token: SeEnableDelegationPrivilege	4508	msiexec.exe
Token: SeManageVolumePrivilege	4508	msiexec.exe
Token: SeImpersonatePrivilege	4508	msiexec.exe
Token: SeCreateGlobalPrivilege	4508	msiexec.exe
Token: SeBackupPrivilege	3096	vssvc.exe
Token: SeRestorePrivilege	3096	vssvc.exe
Token: SeAuditPrivilege	3096	vssvc.exe
Token: SeBackupPrivilege	4400	msiexec.exe
Token: SeRestorePrivilege	4400	msiexec.exe
Token: SeRestorePrivilege	4400	msiexec.exe
Token: SeTakeOwnershipPrivilege	4400	msiexec.exe
Token: SeRestorePrivilege	4400	msiexec.exe
Token: SeTakeOwnershipPrivilege	4400	msiexec.exe
Token: SeRestorePrivilege	4400	msiexec.exe
Token: SeTakeOwnershipPrivilege	4400	msiexec.exe
Token: SeRestorePrivilege	4400	msiexec.exe
Token: SeTakeOwnershipPrivilege	4400	msiexec.exe
Token: SeRestorePrivilege	4400	msiexec.exe
Token: SeTakeOwnershipPrivilege	4400	msiexec.exe
Token: SeRestorePrivilege	4400	msiexec.exe
Token: SeTakeOwnershipPrivilege	4400	msiexec.exe
Token: SeRestorePrivilege	4400	msiexec.exe
Token: SeTakeOwnershipPrivilege	4400	msiexec.exe
Token: SeRestorePrivilege	4400	msiexec.exe
Token: SeTakeOwnershipPrivilege	4400	msiexec.exe
Token: SeRestorePrivilege	4400	msiexec.exe
Token: SeTakeOwnershipPrivilege	4400	msiexec.exe
Token: SeRestorePrivilege	4400	msiexec.exe
Token: SeTakeOwnershipPrivilege	4400	msiexec.exe
Token: SeRestorePrivilege	4400	msiexec.exe
Token: SeTakeOwnershipPrivilege	4400	msiexec.exe
Token: SeRestorePrivilege	4400	msiexec.exe
Token: SeTakeOwnershipPrivilege	4400	msiexec.exe
Token: SeRestorePrivilege	4400	msiexec.exe
Token: SeTakeOwnershipPrivilege	4400	msiexec.exe
Token: SeRestorePrivilege	4400	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
4508	msiexec.exe
4508	msiexec.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2796	readerdc64.exe
2796	readerdc64.exe
2796	readerdc64.exe
2796	readerdc64.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 4400 wrote to memory of 1836	4400	msiexec.exe	90
PID 4400 wrote to memory of 1836	4400	msiexec.exe	90
PID 4400 wrote to memory of 1964	4400	msiexec.exe	92
PID 4400 wrote to memory of 1964	4400	msiexec.exe	92
PID 4400 wrote to memory of 2796	4400	msiexec.exe	94
PID 4400 wrote to memory of 2796	4400	msiexec.exe	94
PID 4400 wrote to memory of 2796	4400	msiexec.exe	94
PID 1964 wrote to memory of 1272	1964	powershell.exe	95
PID 1964 wrote to memory of 1272	1964	powershell.exe	95
PID 1272 wrote to memory of 4856	1272	csc.exe	96
PID 1272 wrote to memory of 4856	1272	csc.exe	96
PID 1964 wrote to memory of 1956	1964	powershell.exe	97
PID 1964 wrote to memory of 1956	1964	powershell.exe	97
PID 1956 wrote to memory of 1608	1956	csc.exe	98
PID 1956 wrote to memory of 1608	1956	csc.exe	98

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\AdobePDFReader.msi
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4508

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4400
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  PID:1836
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep bypass -file "C:\Users\Admin\AppData\Local\Temp\Package Installation Dir\ad.ps1"
  2⤵
  - Blocklisted process makes network request
  - Suspicious use of NtCreateThreadExHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1964
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\gh4wz0sy\gh4wz0sy.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1272
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES11D2.tmp" "c:\Users\Admin\AppData\Local\Temp\gh4wz0sy\CSCC5379730A1484853B3CD8BED7A2B3E7.TMP"
      4⤵
      PID:4856
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\gyq4d03o\gyq4d03o.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1956
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES26E1.tmp" "c:\Users\Admin\AppData\Local\Temp\gyq4d03o\CSC97AE1CA391AF4B5BABBC4FC6F053725D.TMP"
      4⤵
      PID:1608
- C:\Users\Admin\AppData\Local\Temp\Package Installation Dir\readerdc64.exe
  "C:\Users\Admin\AppData\Local\Temp\Package Installation Dir\readerdc64.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:2796

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:3096

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e5707a2.rbs

Filesize
7KB

MD5
b261f0a9a07a01e7e65a04b85bb4e196

SHA1
d43a2e0e3eb5bb7bca72a94fc2e8f6821e61410d

SHA256
d02ae52d814bac11967e2f6b671013b7fa8ab04eb2b9bdf680e16acb1d0826f9

SHA512
26d77304f68d90d557b092a5b8e0e24157e52b060bf7ce552ad8b590a5d25aaa940c29cb09b6eecfdeba0897e1ae21402c45d69b99652329f822f0d5ba5a0fbc

Download Submit
C:\Users\Admin\AppData\Local\Adobe\7A75D9E7-92A4-4A35-A587-1725BDB6F4B0\progressbar_blue_active_100.png

Filesize
14KB

MD5
bb94a177f10bf764d11f94d24a5db5aa

SHA1
6864b58952b19248f4c5ea5c8764c52e207268a7

SHA256
caafea31074ba909ec57c9dcdd1b1c0256e5626939cc768b8a041fe42762e230

SHA512
d2875eb5ad9ff76ff233ada04fa77aecdbb0c9a80bcd85b0c50087786b47e97feec189d18164e15784cd96850849ee4e1920d7d98157ca7ad317ba03e8c66111

Download Submit
C:\Users\Admin\AppData\Local\Temp\Package Installation Dir\ad.ps1

Filesize
2.2MB

MD5
4e0e85a590f4972732f1f0de81aa5507

SHA1
8e1bcab1ac25c59c1203d808f04b53b1db5fd7eb

SHA256
bde15453821fff0d2ed08a8c10885c9ab4ec1ccc6b4b23a41e9e324e4e80a195

SHA512
2b874cf59cdc7298b7fcf6712db3ec4013fcd87b7c7bb44400a789821b35bc57e3ff4e98ccfe93bc4cb420d25b2d3e6967eab2e98abf43bb16543f454cef8953

Download Submit
C:\Users\Admin\AppData\Local\Temp\Package Installation Dir\readerdc64.exe

Filesize
1.2MB

MD5
eb17c8572700a9b7bbfb6c1142ad443e

SHA1
74022bd63cf919ac44af0dcbe0e4c14756c34b2e

SHA256
302b598ae57ca91ba4b4b59e926f2e07a073ab9afcb98eccde02f5e84cdfef52

SHA512
e7660219d815bc40741fd6737c092c8f442ebbec4f18981fbf261a269c4e2e162dc0349f76eb7b03a78529021fdab9b84322de7683685ab5d512ac7b4a5a63b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Package Installation Dir\readerdc64.exe

Filesize
1.2MB

MD5
eb17c8572700a9b7bbfb6c1142ad443e

SHA1
74022bd63cf919ac44af0dcbe0e4c14756c34b2e

SHA256
302b598ae57ca91ba4b4b59e926f2e07a073ab9afcb98eccde02f5e84cdfef52

SHA512
e7660219d815bc40741fd6737c092c8f442ebbec4f18981fbf261a269c4e2e162dc0349f76eb7b03a78529021fdab9b84322de7683685ab5d512ac7b4a5a63b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES11D2.tmp

Filesize
1KB

MD5
37ac2cd3d81276e467854cd7d8f2d3d1

SHA1
e00b75ed4e372610806453b1d906ddef962d3f47

SHA256
c94749a1ee0ac95eaebeb7820e73f0d1048c55a51504579f96af23aa60f0bc2b

SHA512
05ebe1ca6c52ce837bd1db59bdf9d210b286a91fd17cadab1cef8c7f3a86bef8aee1a7489e83814abe1cb3ca166cb9801e14888e38ffa5e6ca7b3123094b60bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES26E1.tmp

Filesize
1KB

MD5
1b1d9b569fbc56b1fbe0b60a6c8695aa

SHA1
288216ecb87628b3dbf71d16c2b133286a505427

SHA256
59d4adf0a1fa649aaa25dba7dfcb9894d6941ef1354f84797bc1d766db0b3769

SHA512
684e36143d779fc25c8df019b66f9bfdb644cd83ff3dd8dddcaa47e7e549469729c04e92757781735b7a2ba7a744ec9695cfdd685ec113fbcc4447c9f9f647a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_lt20mclk.ycl.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\gh4wz0sy\gh4wz0sy.dll

Filesize
3KB

MD5
6f51823f74012d4367d472bb7fe8f5d8

SHA1
40931ee2eb49e6f6ac8a8661e1803e3399a22ffe

SHA256
608add48114b3cbbafd9538ca1feb6e2a7baeec3361496453ed9dcf053ba529e

SHA512
d6dd009aad1cf8c45dbe27474633fd8131a72f8f7148d6367b1d46e5a8345c794e7776bf80646f28d65ab12b8eae62c8fcfe7398d39dfad37ffa6caabe6a9ed2

Download Submit
C:\Users\Admin\AppData\Local\Temp\gyq4d03o\gyq4d03o.dll

Filesize
3KB

MD5
edfcbe3d3a3116b1c590033f9d6f9838

SHA1
9add3bb38b7134117b3ab3db20a226b60414c9b0

SHA256
9cb30f568e3e668015c98288106a4d87c69db9ee97a4ffa08009f7f61ed7abfc

SHA512
4719fa591b7ed6ab35774549b7db4caffc25e2d4d728bc1a4e1a70d20d3dee331ab1d90d6960a7c7947f5022593876a4ae17b81079ba0b63b98a9fdf8e98dee7

Download Submit
C:\Windows\Installer\e5707a1.msi

Filesize
2.2MB

MD5
fadc9824c68402143239f764c99bb82d

SHA1
7eb72321c2c1e25b11c9d44229af22a179e27ce8

SHA256
9890ae69f0a31a5656dbebce11384a70820ac49cabe9b244dfb8a5ed22617ff5

SHA512
916b9b9836d5003193cf4f52c501a90ba16f18ca13a05325f9e11a6ee9d05b927013c09524757f33efd153c0e1d25648233e79f9a8eaa81fd69ed79282268ef6

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

Filesize
23.0MB

MD5
7893e27474cccbc7a7c1e488ab063f89

SHA1
cad12819cb4d0af46e7011aa5b457bb80875c3e0

SHA256
fe25413f0670edb49f5c1f1986836ddfe6ffd79a85addb4703b5d7b7cf8a3fd6

SHA512
13748e442d9490094441b89401ddfc40635cd432ad2f4b09d3522f3c1bfa7780b6cd9bda72c88563e590cbc0bab7c50a5f611e905f2a40fe367734b1abb92eba

Download Submit
\??\Volume{7e74cb8c-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{bbdf41f6-e83a-439a-9335-1894c8786bdd}_OnDiskSnapshotProp

Filesize
5KB

MD5
6cb5da89dd42a372224c69e2b3da87c9

SHA1
d7f6db6892be11efd65ee3647767fe2e341aa5ff

SHA256
2a9b76cf8a143f8f31fc4c57d8d6ec628726e02d9030444e773c659f67dd06db

SHA512
215aa043b7e4f285d0cfe6f7975bb41792cefc257718001844262db7628d96c72bbf7ca636ff92075bad3c29a26db7c86484813e4acdadd2c0e669782d81ae49

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\gh4wz0sy\CSCC5379730A1484853B3CD8BED7A2B3E7.TMP

Filesize
652B

MD5
eab460680d39ef684afa21d1b6438292

SHA1
993db43cafe406718fadbead75e7e7a8ca75c80a

SHA256
a76dbe1ec26130834d70e08569f0404eb03c4a0739a220a283d3e078888cd0b9

SHA512
bda0ea3d9c126a65ec91cbb9b2b0e85772866b878bc689712c5789a690c723208d01fb9776a0d50aa028e285d9df031e181f2714c396ee5371a957b207f5c27a

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\gh4wz0sy\gh4wz0sy.0.cs

Filesize
203B

MD5
b611be9282deb44eed731f72bcbb2b82

SHA1
cc1d606d853bbabd5fef87255356a0d54381c289

SHA256
ee09fdd61a05266e4e09f418fc6a452f1205d9f29afba6b8a1579333dc3ff3b6

SHA512
63b5ad7b65fd4866fb8841e4eee567e4f1e7888bb9fda8dd5c8dca3461d084d3f80ce920ae321609e4ff32ba13a55b7320282ce7201bb74a793d4700240360a4

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\gh4wz0sy\gh4wz0sy.cmdline

Filesize
369B

MD5
926bb65e1b34d1f5528a7b9715bc4b98

SHA1
0ffbad88cba45091d5d827681d38ef0e875d943c

SHA256
cf894f38ddfb0657c1d909ffe125b43da042a3f5ac3e1ccc5eb8a2c188ae83ba

SHA512
aaf3b3fde78ddc0441da52a3a4d9d5caa816613e2297c8005f541ab76de6d02b2904de66d6893e6630d8b7b962b69c1e4e4abc9e4878ff1297c3e89e704ba7fa

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\gyq4d03o\CSC97AE1CA391AF4B5BABBC4FC6F053725D.TMP

Filesize
652B

MD5
33a0d5977a6790edfceb2e92e23a6349

SHA1
3ed870dc69d23f32a2b567a76e09fec180f876b5

SHA256
9fddfd4d9a1aa42749ca00b41a95556150081f636583884b5e5ee6a19edd57f5

SHA512
851320c38b6d13e7140f4da5e02ad4294c189e2e50954f1854dd5010a9d47f7a2d7bdc181a035fc393b9b5cf8f46c1a12962d06126de6411df7d036ed9693969

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\gyq4d03o\gyq4d03o.0.cs

Filesize
582B

MD5
2bb8d0ee93aeae61a09adf4db6f29c1c

SHA1
8da3034bb8f84ea2522e276b492b2797b5db30ca

SHA256
68d44e3c373d2aec9dacf51326cbfebcba76c1c1a56545e5e1cbf58b44a9f817

SHA512
b3ec6841a9541e96a671a7d81378293567972541d9cdfc3137b478d9b4d3cccd4b5f536d0f059ee9c12fe9ba86bca62b795139a5215843465cb751e0ade95677

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\gyq4d03o\gyq4d03o.cmdline

Filesize
369B

MD5
8b0ba3dab36dffb8bd78c0715d4f3c75

SHA1
e0e0a4be5ed315aeb2aef2af89b0ed6133816feb

SHA256
37292ba349bb8f2bae61f5362786771a3094f79e39cf792f56c52de9815e6435

SHA512
6c7fefc435545e69e9958f100f5aa9cce029820497f88a1259713b3b29086dc4875603e9ffe2be27ddd3fb9342da710c66d9e536a02121a4fd51981be62499bc

Download Submit
memory/1964-168-0x00000272FCFD0000-0x00000272FCFF2000-memory.dmp

Filesize
136KB

Download
memory/1964-285-0x00000272E1C80000-0x00000272E1C90000-memory.dmp

Filesize
64KB

Download
memory/1964-177-0x00000272E1C80000-0x00000272E1C90000-memory.dmp

Filesize
64KB

Download
memory/1964-175-0x00000272E1C80000-0x00000272E1C90000-memory.dmp

Filesize
64KB

Download
memory/1964-266-0x00000272E1C80000-0x00000272E1C90000-memory.dmp

Filesize
64KB

Download
memory/1964-267-0x00000272FD240000-0x00000272FD3AA000-memory.dmp

Filesize
1.4MB

Download
memory/1964-273-0x00000272FD3B0000-0x00000272FD51A000-memory.dmp

Filesize
1.4MB

Download
memory/1964-274-0x00000272FD3B0000-0x00000272FD51A000-memory.dmp

Filesize
1.4MB

Download
memory/1964-275-0x00000272FD3B0000-0x00000272FD51A000-memory.dmp

Filesize
1.4MB

Download
memory/1964-280-0x00000272FD3B0000-0x00000272FD46E000-memory.dmp

Filesize
760KB

Download
memory/1964-178-0x00000272E1C80000-0x00000272E1C90000-memory.dmp

Filesize
64KB

Download
memory/1964-286-0x00000272E1C80000-0x00000272E1C90000-memory.dmp

Filesize
64KB

Download
memory/1964-276-0x00007FFBCFC10000-0x00007FFBCFC11000-memory.dmp

Filesize
4KB

Download
memory/1964-284-0x00000272E1C80000-0x00000272E1C90000-memory.dmp

Filesize
64KB

Download
memory/1964-283-0x00000272E1C80000-0x00000272E1C90000-memory.dmp

Filesize
64KB

Download
memory/2796-282-0x0000000000CC0000-0x00000000010F9000-memory.dmp

Filesize
4.2MB

Download
memory/2796-179-0x0000000000CA0000-0x0000000000CA3000-memory.dmp

Filesize
12KB

Download
memory/2796-156-0x0000000000CC0000-0x00000000010F9000-memory.dmp

Filesize
4.2MB

Download
memory/2796-297-0x0000000000CC0000-0x00000000010F9000-memory.dmp

Filesize
4.2MB

Download
memory/2796-301-0x0000000000CC0000-0x00000000010F9000-memory.dmp

Filesize
4.2MB

Download
memory/2796-305-0x0000000000CC0000-0x00000000010F9000-memory.dmp

Filesize
4.2MB

Download
memory/2796-330-0x0000000000CC0000-0x00000000010F9000-memory.dmp

Filesize
4.2MB

Download