bumblebee | 9890ae69f0a31a5656dbebce11384a70820ac49cabe9b244dfb8a5ed22617ff5

Analysis

max time kernel
142s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
25/04/2023, 18:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AdobePDFReader.msi
Size

2.2MB
MD5

fadc9824c68402143239f764c99bb82d
SHA1

7eb72321c2c1e25b11c9d44229af22a179e27ce8
SHA256

9890ae69f0a31a5656dbebce11384a70820ac49cabe9b244dfb8a5ed22617ff5
SHA512

916b9b9836d5003193cf4f52c501a90ba16f18ca13a05325f9e11a6ee9d05b927013c09524757f33efd153c0e1d25648233e79f9a8eaa81fd69ed79282268ef6
SSDEEP

49152:NMU9FgsN+TXYr+LrUcdEL9MklhGUWhe8u/g1PQNPEUI:6gFPgYrordG9t0lepg1P2XI

Score

10^/10

bumblebee ad2404 trojan

Malware Config

Extracted

Family

bumblebee

Botnet

ad2404

149.3.170.185:443

23.108.57.117:443

199.195.249.67:443

103.175.16.149:443

209.141.58.129:443

192.254.79.106:443

rc4.plain

Signatures

BumbleBee
BumbleBee is a webshell malware written in C++.
trojan bumblebee

Blocklisted process makes network request 5 IoCs

flow	pid	Process
58	1984	powershell.exe
73	1984	powershell.exe
80	1984	powershell.exe
82	1984	powershell.exe
85	1984	powershell.exe

Executes dropped EXE 1 IoCs

pid	Process
3088	readerdc64.exe

Enumerates connected drives 3 TTPs 48 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe

Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

pid	Process
1984	powershell.exe

Drops file in Windows directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\MSIF939.tmp	msiexec.exe
File created	C:\Windows\Installer\e56f813.msi	msiexec.exe
File created	C:\Windows\Installer\e56f811.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e56f811.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{DD475EBC-D960-4AF4-BB8A-BE91FA942756}	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 0000000004000000a577c74c521b2f150000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff000000002701010000080000a577c74c0000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3f000000ffffffff000000000700010000680900a577c74c000000000000d0120000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000a577c74c00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000a577c74c00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
228	msiexec.exe
228	msiexec.exe
1984	powershell.exe
1984	powershell.exe
1984	powershell.exe
1984	powershell.exe
3088	readerdc64.exe
3088	readerdc64.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2084	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2084	msiexec.exe
Token: SeSecurityPrivilege	228	msiexec.exe
Token: SeCreateTokenPrivilege	2084	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2084	msiexec.exe
Token: SeLockMemoryPrivilege	2084	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2084	msiexec.exe
Token: SeMachineAccountPrivilege	2084	msiexec.exe
Token: SeTcbPrivilege	2084	msiexec.exe
Token: SeSecurityPrivilege	2084	msiexec.exe
Token: SeTakeOwnershipPrivilege	2084	msiexec.exe
Token: SeLoadDriverPrivilege	2084	msiexec.exe
Token: SeSystemProfilePrivilege	2084	msiexec.exe
Token: SeSystemtimePrivilege	2084	msiexec.exe
Token: SeProfSingleProcessPrivilege	2084	msiexec.exe
Token: SeIncBasePriorityPrivilege	2084	msiexec.exe
Token: SeCreatePagefilePrivilege	2084	msiexec.exe
Token: SeCreatePermanentPrivilege	2084	msiexec.exe
Token: SeBackupPrivilege	2084	msiexec.exe
Token: SeRestorePrivilege	2084	msiexec.exe
Token: SeShutdownPrivilege	2084	msiexec.exe
Token: SeDebugPrivilege	2084	msiexec.exe
Token: SeAuditPrivilege	2084	msiexec.exe
Token: SeSystemEnvironmentPrivilege	2084	msiexec.exe
Token: SeChangeNotifyPrivilege	2084	msiexec.exe
Token: SeRemoteShutdownPrivilege	2084	msiexec.exe
Token: SeUndockPrivilege	2084	msiexec.exe
Token: SeSyncAgentPrivilege	2084	msiexec.exe
Token: SeEnableDelegationPrivilege	2084	msiexec.exe
Token: SeManageVolumePrivilege	2084	msiexec.exe
Token: SeImpersonatePrivilege	2084	msiexec.exe
Token: SeCreateGlobalPrivilege	2084	msiexec.exe
Token: SeBackupPrivilege	4028	vssvc.exe
Token: SeRestorePrivilege	4028	vssvc.exe
Token: SeAuditPrivilege	4028	vssvc.exe
Token: SeBackupPrivilege	228	msiexec.exe
Token: SeRestorePrivilege	228	msiexec.exe
Token: SeRestorePrivilege	228	msiexec.exe
Token: SeTakeOwnershipPrivilege	228	msiexec.exe
Token: SeRestorePrivilege	228	msiexec.exe
Token: SeTakeOwnershipPrivilege	228	msiexec.exe
Token: SeRestorePrivilege	228	msiexec.exe
Token: SeTakeOwnershipPrivilege	228	msiexec.exe
Token: SeRestorePrivilege	228	msiexec.exe
Token: SeTakeOwnershipPrivilege	228	msiexec.exe
Token: SeRestorePrivilege	228	msiexec.exe
Token: SeTakeOwnershipPrivilege	228	msiexec.exe
Token: SeRestorePrivilege	228	msiexec.exe
Token: SeTakeOwnershipPrivilege	228	msiexec.exe
Token: SeRestorePrivilege	228	msiexec.exe
Token: SeTakeOwnershipPrivilege	228	msiexec.exe
Token: SeRestorePrivilege	228	msiexec.exe
Token: SeTakeOwnershipPrivilege	228	msiexec.exe
Token: SeRestorePrivilege	228	msiexec.exe
Token: SeTakeOwnershipPrivilege	228	msiexec.exe
Token: SeRestorePrivilege	228	msiexec.exe
Token: SeTakeOwnershipPrivilege	228	msiexec.exe
Token: SeRestorePrivilege	228	msiexec.exe
Token: SeTakeOwnershipPrivilege	228	msiexec.exe
Token: SeRestorePrivilege	228	msiexec.exe
Token: SeTakeOwnershipPrivilege	228	msiexec.exe
Token: SeRestorePrivilege	228	msiexec.exe
Token: SeTakeOwnershipPrivilege	228	msiexec.exe
Token: SeRestorePrivilege	228	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2084	msiexec.exe
2084	msiexec.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
3088	readerdc64.exe
3088	readerdc64.exe
3088	readerdc64.exe
3088	readerdc64.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 228 wrote to memory of 1256	228	msiexec.exe	96
PID 228 wrote to memory of 1256	228	msiexec.exe	96
PID 228 wrote to memory of 1984	228	msiexec.exe	98
PID 228 wrote to memory of 1984	228	msiexec.exe	98
PID 228 wrote to memory of 3088	228	msiexec.exe	100
PID 228 wrote to memory of 3088	228	msiexec.exe	100
PID 228 wrote to memory of 3088	228	msiexec.exe	100
PID 1984 wrote to memory of 1532	1984	powershell.exe	101
PID 1984 wrote to memory of 1532	1984	powershell.exe	101
PID 1532 wrote to memory of 1480	1532	csc.exe	102
PID 1532 wrote to memory of 1480	1532	csc.exe	102
PID 1984 wrote to memory of 2772	1984	powershell.exe	103
PID 1984 wrote to memory of 2772	1984	powershell.exe	103
PID 2772 wrote to memory of 4192	2772	csc.exe	104
PID 2772 wrote to memory of 4192	2772	csc.exe	104

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\AdobePDFReader.msi
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2084

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:228
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  PID:1256
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep bypass -file "C:\Users\Admin\AppData\Local\Temp\Package Installation Dir\ad.ps1"
  2⤵
  - Blocklisted process makes network request
  - Suspicious use of NtCreateThreadExHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1984
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\jqdhnzcb\jqdhnzcb.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1532
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES31D.tmp" "c:\Users\Admin\AppData\Local\Temp\jqdhnzcb\CSC20112B9A356B4C7DB0B5F1895DB328DD.TMP"
      4⤵
      PID:1480
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\0hdbuuag\0hdbuuag.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2772
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1CB0.tmp" "c:\Users\Admin\AppData\Local\Temp\0hdbuuag\CSCF1618DFBF663466A8CC33313EC95BE72.TMP"
      4⤵
      PID:4192
- C:\Users\Admin\AppData\Local\Temp\Package Installation Dir\readerdc64.exe
  "C:\Users\Admin\AppData\Local\Temp\Package Installation Dir\readerdc64.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:3088

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:4028

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e56f812.rbs

Filesize
7KB

MD5
23d1b9a3e0ed73d9382c9c784ab261c3

SHA1
8f26cdbbfb8c25de80d60b510a6e2f88b3da11b6

SHA256
681e3feb43c78c5add35fb6b07eaea508385119e079406d30dfdb76868952e7a

SHA512
fab13aade5e46cdc3b8cdf492562b62912153f23f5a178e0f2c5e4973ca010334bef050886a3e1038941431cab1e5f22e9e58295bd03ab69059f02883461043b

Download Submit
C:\Users\Admin\AppData\Local\Adobe\1831629B-D041-44CC-8CC5-2C956CC97E1C\progressbar_blue_active_100.png

Filesize
14KB

MD5
bb94a177f10bf764d11f94d24a5db5aa

SHA1
6864b58952b19248f4c5ea5c8764c52e207268a7

SHA256
caafea31074ba909ec57c9dcdd1b1c0256e5626939cc768b8a041fe42762e230

SHA512
d2875eb5ad9ff76ff233ada04fa77aecdbb0c9a80bcd85b0c50087786b47e97feec189d18164e15784cd96850849ee4e1920d7d98157ca7ad317ba03e8c66111

Download Submit
C:\Users\Admin\AppData\Local\Temp\0hdbuuag\0hdbuuag.dll

Filesize
3KB

MD5
c8c08544e52b79883b9c152a2b11a11a

SHA1
317c4cf1f4ae6a26462e9759b105391018f563c6

SHA256
03de86586913e16b14a28b06ede22a57771b7a598ccbb77d9dbc973dee48774c

SHA512
dd775687672fec58063eb260975418eb636bb014dd18526e2c24ba8cfb2210b2a2d54cc3d0c2ab77802eb4c934129571a91a774be0f581e0e0824f0d8049f62e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Package Installation Dir\ad.ps1

Filesize
2.2MB

MD5
4e0e85a590f4972732f1f0de81aa5507

SHA1
8e1bcab1ac25c59c1203d808f04b53b1db5fd7eb

SHA256
bde15453821fff0d2ed08a8c10885c9ab4ec1ccc6b4b23a41e9e324e4e80a195

SHA512
2b874cf59cdc7298b7fcf6712db3ec4013fcd87b7c7bb44400a789821b35bc57e3ff4e98ccfe93bc4cb420d25b2d3e6967eab2e98abf43bb16543f454cef8953

Download Submit
C:\Users\Admin\AppData\Local\Temp\Package Installation Dir\readerdc64.exe

Filesize
1.2MB

MD5
eb17c8572700a9b7bbfb6c1142ad443e

SHA1
74022bd63cf919ac44af0dcbe0e4c14756c34b2e

SHA256
302b598ae57ca91ba4b4b59e926f2e07a073ab9afcb98eccde02f5e84cdfef52

SHA512
e7660219d815bc40741fd6737c092c8f442ebbec4f18981fbf261a269c4e2e162dc0349f76eb7b03a78529021fdab9b84322de7683685ab5d512ac7b4a5a63b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Package Installation Dir\readerdc64.exe

Filesize
1.2MB

MD5
eb17c8572700a9b7bbfb6c1142ad443e

SHA1
74022bd63cf919ac44af0dcbe0e4c14756c34b2e

SHA256
302b598ae57ca91ba4b4b59e926f2e07a073ab9afcb98eccde02f5e84cdfef52

SHA512
e7660219d815bc40741fd6737c092c8f442ebbec4f18981fbf261a269c4e2e162dc0349f76eb7b03a78529021fdab9b84322de7683685ab5d512ac7b4a5a63b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES1CB0.tmp

Filesize
1KB

MD5
1d13b72292f60ceb2e7857f218b223ef

SHA1
1e06c3c087263fc2737881e73f225fb23d52237f

SHA256
408b1a88b3eeea487b6b13514acc94db69aeb78f0b9986fbf27a086f9f906033

SHA512
af48d18a340d66994ab43df75753dc9d3d46cbe157eee32bc089b40adc7266f28b215d02b5489157f8b763d6a148e1a68c07542f6d59d9c9cbf982ac2953cefb

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES31D.tmp

Filesize
1KB

MD5
8765688b2fe457c58a9498ba19f33031

SHA1
aa28f38313f01b29b603e955db03be1fad5d7a62

SHA256
8efcf78d61493f91f84830b277d0ccf99fb3be49b4358a979ceb08fa37d040b1

SHA512
d4d0159fd5e37cb2d747d57c1e6fd343049587a6aa256ccc9b8007273a42c869e3c3466edf24e445630696903c54c72256792ee560fea939e7240678129badba

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_s54eb32s.yd3.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\jqdhnzcb\jqdhnzcb.dll

Filesize
3KB

MD5
2a79d45dbdb3f9642cc863fa4da36d8d

SHA1
fc0263ed1894a9ae1b1d79d4560560e5efedde8c

SHA256
4a7025a49411209a7bbb29200b49f339e2f2be57fcc184e6e8b498b97af97271

SHA512
26771846eb445dbfc7f0a470eee05fb3ae6fc81bb96358e998af25493b9be576c243b194717f478d47d64c28d970fa76c66c4533f41c023dbb214366cc47786a

Download Submit
C:\Windows\Installer\e56f811.msi

Filesize
2.2MB

MD5
fadc9824c68402143239f764c99bb82d

SHA1
7eb72321c2c1e25b11c9d44229af22a179e27ce8

SHA256
9890ae69f0a31a5656dbebce11384a70820ac49cabe9b244dfb8a5ed22617ff5

SHA512
916b9b9836d5003193cf4f52c501a90ba16f18ca13a05325f9e11a6ee9d05b927013c09524757f33efd153c0e1d25648233e79f9a8eaa81fd69ed79282268ef6

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

Filesize
23.0MB

MD5
d2efed7d817e54ee04fbdf08f41b8f27

SHA1
62446727f72ce0eb77e324f3f8b0d75a17bf7a41

SHA256
aa83b5d47aa44f93a9f62e89755c907786fda957bc66c9f95df76dd4ebfeddd5

SHA512
c8d5645ae2abc1095483d96a33fa71b6997e8dc3072fabe34e62a6398538a57e2536cb1be5c2af068e5120402377b7bdb6f786225e77773434d371c6766ad734

Download Submit
\??\Volume{4cc777a5-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{39192898-c958-4ea2-991b-f49616652b29}_OnDiskSnapshotProp

Filesize
5KB

MD5
8f9797bbe783c54f93cf6485592ba9ec

SHA1
ea94a21c40f1a9c5519d0c46fa8deb09cbb0285e

SHA256
ffd6b401004ff1f95deb7345d7a02a8b174eaf4b76d8b6248b21267e8e8a0a9a

SHA512
d0bc3f2021a47a8eb8ece0c5a2e33863401eef2179c93253eab5cdea9aa2cf05c60479651424989a0439d1b473917aa034d7e8285dab339d9a7daf982a37c3f8

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\0hdbuuag\0hdbuuag.0.cs

Filesize
582B

MD5
2bb8d0ee93aeae61a09adf4db6f29c1c

SHA1
8da3034bb8f84ea2522e276b492b2797b5db30ca

SHA256
68d44e3c373d2aec9dacf51326cbfebcba76c1c1a56545e5e1cbf58b44a9f817

SHA512
b3ec6841a9541e96a671a7d81378293567972541d9cdfc3137b478d9b4d3cccd4b5f536d0f059ee9c12fe9ba86bca62b795139a5215843465cb751e0ade95677

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\0hdbuuag\0hdbuuag.cmdline

Filesize
369B

MD5
ddbb914fcaad3d451a13632e4748c5b0

SHA1
d7a7c813914882883d6a36f87d7a330580e5ed4f

SHA256
e5bcf1ec35fc1dd1a51854501faa5ededc1080bc2c86b0de3fa5f4e615ae42dc

SHA512
bb22ea74e68ef44dcd831ca8dba1bc8b60b57128f34b953a5064018a792bee7fde8c004bc17f2888415199cfdeca038c7a2fdd7bc055701c375d77e6dc530519

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\0hdbuuag\CSCF1618DFBF663466A8CC33313EC95BE72.TMP

Filesize
652B

MD5
e87c96728630e140476c63ab72263f37

SHA1
a23877d5c5804c63918dd571123ed52b7cec4753

SHA256
6572c1116600276d5eed421f02e03b904aeff8c91b22bd490711d7e66af75933

SHA512
5e6e43f22b446a1a7a8d3e2cee9f3eb3e7a52d41cfcafe760fab9cbf926e7483bb69a10dd96b403cc541078bea349cbe27a86d5f56ef32c23dbff16cfef7efe7

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\jqdhnzcb\CSC20112B9A356B4C7DB0B5F1895DB328DD.TMP

Filesize
652B

MD5
a9450ca93d56463990a61e7923048cf5

SHA1
2eb72a1f69cd81eefff61d26f33df388b9dc060e

SHA256
9df7692b7900a3ad21bedcaada49c642958f39e59476cda9fae04ae8de9e14c2

SHA512
bb4a55e7e6f86bff1ffa060836edb75924e3972ee22a569a2b47992356785214519a46ebd72ba544e690bb85392eeea492d596260ca6119a6b2e3fc0e190ae36

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\jqdhnzcb\jqdhnzcb.0.cs

Filesize
203B

MD5
b611be9282deb44eed731f72bcbb2b82

SHA1
cc1d606d853bbabd5fef87255356a0d54381c289

SHA256
ee09fdd61a05266e4e09f418fc6a452f1205d9f29afba6b8a1579333dc3ff3b6

SHA512
63b5ad7b65fd4866fb8841e4eee567e4f1e7888bb9fda8dd5c8dca3461d084d3f80ce920ae321609e4ff32ba13a55b7320282ce7201bb74a793d4700240360a4

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\jqdhnzcb\jqdhnzcb.cmdline

Filesize
369B

MD5
124547b1be2d7dbb539a34fbf8bdcd8b

SHA1
efe81a79a6e34f47916df8f530c8780e4c85d81b

SHA256
fea3890ccfe7721c13da3b3199030f3901f780ab1c7dba0aa96f98c9d1e53850

SHA512
8ed35095a548b23004a15276411514b7e63e956dd2acbd2489a986cb92056daf8744334bc63014caae8a4d3c2c20770a95df5d08462ada01ac1bca28b8350689

Download Submit
memory/228-172-0x000001C6F66A0000-0x000001C6F7161000-memory.dmp

Filesize
10.8MB

Download
memory/1532-191-0x0000025603B90000-0x0000025604651000-memory.dmp

Filesize
10.8MB

Download
memory/1984-176-0x00000179BFE40000-0x00000179BFE50000-memory.dmp

Filesize
64KB

Download
memory/1984-275-0x00000179BFE40000-0x00000179BFE50000-memory.dmp

Filesize
64KB

Download
memory/1984-177-0x00000179BFE40000-0x00000179BFE50000-memory.dmp

Filesize
64KB

Download
memory/1984-287-0x00000179C0490000-0x00000179C05FA000-memory.dmp

Filesize
1.4MB

Download
memory/1984-304-0x00000179A6F60000-0x00000179A7A21000-memory.dmp

Filesize
10.8MB

Download
memory/1984-270-0x00000179A6F60000-0x00000179A7A21000-memory.dmp

Filesize
10.8MB

Download
memory/1984-294-0x00000179BFE40000-0x00000179BFE50000-memory.dmp

Filesize
64KB

Download
memory/1984-180-0x00000179BFE40000-0x00000179BFE50000-memory.dmp

Filesize
64KB

Download
memory/1984-163-0x00000179BFE00000-0x00000179BFE22000-memory.dmp

Filesize
136KB

Download
memory/1984-289-0x00000179A6F60000-0x00000179A7A21000-memory.dmp

Filesize
10.8MB

Download
memory/1984-276-0x00000179BFE40000-0x00000179BFE50000-memory.dmp

Filesize
64KB

Download
memory/1984-274-0x00000179BFE40000-0x00000179BFE50000-memory.dmp

Filesize
64KB

Download
memory/1984-277-0x00000179BFE40000-0x00000179BFE50000-memory.dmp

Filesize
64KB

Download
memory/1984-278-0x00000179C0320000-0x00000179C048A000-memory.dmp

Filesize
1.4MB

Download
memory/1984-284-0x00000179C0490000-0x00000179C05FA000-memory.dmp

Filesize
1.4MB

Download
memory/1984-285-0x00007FFE512D0000-0x00007FFE512D1000-memory.dmp

Filesize
4KB

Download
memory/1984-286-0x00000179C0490000-0x00000179C05FA000-memory.dmp

Filesize
1.4MB

Download
memory/2772-266-0x00000151F0100000-0x00000151F0BC1000-memory.dmp

Filesize
10.8MB

Download
memory/3088-174-0x0000000000910000-0x0000000000D49000-memory.dmp

Filesize
4.2MB

Download
memory/3088-293-0x0000000000910000-0x0000000000D49000-memory.dmp

Filesize
4.2MB

Download
memory/3088-271-0x0000000000910000-0x0000000000D49000-memory.dmp

Filesize
4.2MB

Download
memory/3088-302-0x0000000000910000-0x0000000000D49000-memory.dmp

Filesize
4.2MB

Download
memory/3088-175-0x00000000013E0000-0x00000000013E3000-memory.dmp

Filesize
12KB

Download
memory/3088-308-0x0000000000910000-0x0000000000D49000-memory.dmp

Filesize
4.2MB

Download
memory/3088-335-0x0000000000910000-0x0000000000D49000-memory.dmp

Filesize
4.2MB

Download