bumblebee | 9890ae69f0a31a5656dbebce11384a70820ac49cabe9b244dfb8a5ed22617ff5

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
26-04-2023 21:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AdobePDFReader.msi
Size

2.2MB
MD5

fadc9824c68402143239f764c99bb82d
SHA1

7eb72321c2c1e25b11c9d44229af22a179e27ce8
SHA256

9890ae69f0a31a5656dbebce11384a70820ac49cabe9b244dfb8a5ed22617ff5
SHA512

916b9b9836d5003193cf4f52c501a90ba16f18ca13a05325f9e11a6ee9d05b927013c09524757f33efd153c0e1d25648233e79f9a8eaa81fd69ed79282268ef6
SSDEEP

49152:NMU9FgsN+TXYr+LrUcdEL9MklhGUWhe8u/g1PQNPEUI:6gFPgYrordG9t0lepg1P2XI

Score

10^/10

bumblebee ad2404 trojan

Malware Config

Extracted

Family

bumblebee

Botnet

ad2404

149.3.170.185:443

23.108.57.117:443

199.195.249.67:443

103.175.16.149:443

209.141.58.129:443

192.254.79.106:443

rc4.plain

Signatures

BumbleBee
BumbleBee is a webshell malware written in C++.
trojan bumblebee

Blocklisted process makes network request 5 IoCs

flow	pid	Process
64	3588	powershell.exe
91	3588	powershell.exe
201	3588	powershell.exe
252	3588	powershell.exe
281	3588	powershell.exe

Executes dropped EXE 1 IoCs

pid	Process
2064	readerdc64.exe

Enumerates connected drives 3 TTPs 48 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe

Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

pid	Process
3588	powershell.exe

Drops file in Windows directory 8 IoCs

description	ioc	Process
File created	C:\Windows\Installer\SourceHash{DD475EBC-D960-4AF4-BB8A-BE91FA942756}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIA8F.tmp	msiexec.exe
File created	C:\Windows\Installer\e57092a.msi	msiexec.exe
File created	C:\Windows\Installer\e570928.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e570928.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 0000000004000000a577c74c521b2f150000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff000000002701010000080000a577c74c0000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3f000000ffffffff000000000700010000680900a577c74c000000000000d0120000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000a577c74c00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000a577c74c00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
4440	msiexec.exe
4440	msiexec.exe
3588	powershell.exe
3588	powershell.exe
3588	powershell.exe
3588	powershell.exe
2064	readerdc64.exe
2064	readerdc64.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3148	msiexec.exe
Token: SeIncreaseQuotaPrivilege	3148	msiexec.exe
Token: SeSecurityPrivilege	4440	msiexec.exe
Token: SeCreateTokenPrivilege	3148	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	3148	msiexec.exe
Token: SeLockMemoryPrivilege	3148	msiexec.exe
Token: SeIncreaseQuotaPrivilege	3148	msiexec.exe
Token: SeMachineAccountPrivilege	3148	msiexec.exe
Token: SeTcbPrivilege	3148	msiexec.exe
Token: SeSecurityPrivilege	3148	msiexec.exe
Token: SeTakeOwnershipPrivilege	3148	msiexec.exe
Token: SeLoadDriverPrivilege	3148	msiexec.exe
Token: SeSystemProfilePrivilege	3148	msiexec.exe
Token: SeSystemtimePrivilege	3148	msiexec.exe
Token: SeProfSingleProcessPrivilege	3148	msiexec.exe
Token: SeIncBasePriorityPrivilege	3148	msiexec.exe
Token: SeCreatePagefilePrivilege	3148	msiexec.exe
Token: SeCreatePermanentPrivilege	3148	msiexec.exe
Token: SeBackupPrivilege	3148	msiexec.exe
Token: SeRestorePrivilege	3148	msiexec.exe
Token: SeShutdownPrivilege	3148	msiexec.exe
Token: SeDebugPrivilege	3148	msiexec.exe
Token: SeAuditPrivilege	3148	msiexec.exe
Token: SeSystemEnvironmentPrivilege	3148	msiexec.exe
Token: SeChangeNotifyPrivilege	3148	msiexec.exe
Token: SeRemoteShutdownPrivilege	3148	msiexec.exe
Token: SeUndockPrivilege	3148	msiexec.exe
Token: SeSyncAgentPrivilege	3148	msiexec.exe
Token: SeEnableDelegationPrivilege	3148	msiexec.exe
Token: SeManageVolumePrivilege	3148	msiexec.exe
Token: SeImpersonatePrivilege	3148	msiexec.exe
Token: SeCreateGlobalPrivilege	3148	msiexec.exe
Token: SeBackupPrivilege	2400	vssvc.exe
Token: SeRestorePrivilege	2400	vssvc.exe
Token: SeAuditPrivilege	2400	vssvc.exe
Token: SeBackupPrivilege	4440	msiexec.exe
Token: SeRestorePrivilege	4440	msiexec.exe
Token: SeRestorePrivilege	4440	msiexec.exe
Token: SeTakeOwnershipPrivilege	4440	msiexec.exe
Token: SeRestorePrivilege	4440	msiexec.exe
Token: SeTakeOwnershipPrivilege	4440	msiexec.exe
Token: SeRestorePrivilege	4440	msiexec.exe
Token: SeTakeOwnershipPrivilege	4440	msiexec.exe
Token: SeRestorePrivilege	4440	msiexec.exe
Token: SeTakeOwnershipPrivilege	4440	msiexec.exe
Token: SeRestorePrivilege	4440	msiexec.exe
Token: SeTakeOwnershipPrivilege	4440	msiexec.exe
Token: SeRestorePrivilege	4440	msiexec.exe
Token: SeTakeOwnershipPrivilege	4440	msiexec.exe
Token: SeRestorePrivilege	4440	msiexec.exe
Token: SeTakeOwnershipPrivilege	4440	msiexec.exe
Token: SeRestorePrivilege	4440	msiexec.exe
Token: SeTakeOwnershipPrivilege	4440	msiexec.exe
Token: SeRestorePrivilege	4440	msiexec.exe
Token: SeTakeOwnershipPrivilege	4440	msiexec.exe
Token: SeRestorePrivilege	4440	msiexec.exe
Token: SeTakeOwnershipPrivilege	4440	msiexec.exe
Token: SeRestorePrivilege	4440	msiexec.exe
Token: SeTakeOwnershipPrivilege	4440	msiexec.exe
Token: SeRestorePrivilege	4440	msiexec.exe
Token: SeTakeOwnershipPrivilege	4440	msiexec.exe
Token: SeRestorePrivilege	4440	msiexec.exe
Token: SeTakeOwnershipPrivilege	4440	msiexec.exe
Token: SeRestorePrivilege	4440	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
3148	msiexec.exe
3148	msiexec.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2064	readerdc64.exe
2064	readerdc64.exe
2064	readerdc64.exe
2064	readerdc64.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 4440 wrote to memory of 3632	4440	msiexec.exe	94
PID 4440 wrote to memory of 3632	4440	msiexec.exe	94
PID 4440 wrote to memory of 3588	4440	msiexec.exe	96
PID 4440 wrote to memory of 3588	4440	msiexec.exe	96
PID 4440 wrote to memory of 2064	4440	msiexec.exe	97
PID 4440 wrote to memory of 2064	4440	msiexec.exe	97
PID 4440 wrote to memory of 2064	4440	msiexec.exe	97
PID 3588 wrote to memory of 720	3588	powershell.exe	100
PID 3588 wrote to memory of 720	3588	powershell.exe	100
PID 720 wrote to memory of 3856	720	csc.exe	101
PID 720 wrote to memory of 3856	720	csc.exe	101
PID 3588 wrote to memory of 2176	3588	powershell.exe	102
PID 3588 wrote to memory of 2176	3588	powershell.exe	102
PID 2176 wrote to memory of 3132	2176	csc.exe	103
PID 2176 wrote to memory of 3132	2176	csc.exe	103

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\AdobePDFReader.msi
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3148

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4440
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  PID:3632
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep bypass -file "C:\Users\Admin\AppData\Local\Temp\Package Installation Dir\ad.ps1"
  2⤵
  - Blocklisted process makes network request
  - Suspicious use of NtCreateThreadExHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:3588
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\vuxs5z44\vuxs5z44.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:720
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES11E2.tmp" "c:\Users\Admin\AppData\Local\Temp\vuxs5z44\CSC5125F2D786CF4D84873DF09FE6C654CB.TMP"
      4⤵
      PID:3856
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\gbm525by\gbm525by.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2176
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES23B4.tmp" "c:\Users\Admin\AppData\Local\Temp\gbm525by\CSCF7E131B1113A4946B8F28A38FCADD27.TMP"
      4⤵
      PID:3132
- C:\Users\Admin\AppData\Local\Temp\Package Installation Dir\readerdc64.exe
  "C:\Users\Admin\AppData\Local\Temp\Package Installation Dir\readerdc64.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:2064

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:2400

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e570929.rbs

Filesize
7KB

MD5
489a2971d82d10253d17d39fae52ba38

SHA1
8c476d4f2b7ddf16b337b70108e481614d1c9373

SHA256
86ac08673e8feaff49efd2abebee6f1e80ae9611daa04deb822f914773aeb4dd

SHA512
eff17235648e7ba91734cbc22701920968ff437d4a90f1c818df5515e43f2b5be59a043213a006d81d3e91f8afbf892f641cbd498d50e67ddee4c11f0b7968ea

Download Submit
C:\Users\Admin\AppData\Local\Adobe\F77592F6-7CE4-451B-B7CE-70506D338F8A\progressbar_blue_active_100.png

Filesize
14KB

MD5
bb94a177f10bf764d11f94d24a5db5aa

SHA1
6864b58952b19248f4c5ea5c8764c52e207268a7

SHA256
caafea31074ba909ec57c9dcdd1b1c0256e5626939cc768b8a041fe42762e230

SHA512
d2875eb5ad9ff76ff233ada04fa77aecdbb0c9a80bcd85b0c50087786b47e97feec189d18164e15784cd96850849ee4e1920d7d98157ca7ad317ba03e8c66111

Download Submit
C:\Users\Admin\AppData\Local\Adobe\F77592F6-7CE4-451B-B7CE-70506D338F8A\status_icon_caution_100.png

Filesize
15KB

MD5
784abea138d9f1e5a1026162af5bf2cd

SHA1
111f835763a39ec7b8f697b1d90b22bfd3666a57

SHA256
5c7b6b5456caabc9d5a928ac892d9903836693960517c4e534a5de1acd6ae428

SHA512
01be96b4a05768641113679e96778b44a2ea22ee127349deac80a90bf5540518ff352054884ac51a3719a882be1676c85515efc66d8641f3f0e82336366cb612

Download Submit
C:\Users\Admin\AppData\Local\Adobe\F77592F6-7CE4-451B-B7CE-70506D338F8A\status_icon_x_100.png

Filesize
1KB

MD5
bd94c635b00cc2ea4872591ae3dac517

SHA1
bee4e084c00b4366d950d6411836fdfbe8429940

SHA256
aaca1b27a5186df31e60ab0bcfe35d411e03fd7cd069fafb92314947fd92f256

SHA512
dccffff2ec7f6a42da6d8366a7b3021df114e66d00183fcbd1db0ebd99dcf0605f10ba5733d2e449dda0d6395931bcac0febae27c2fc2f9c1089f1f941d2e89c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Package Installation Dir\ad.ps1

Filesize
2.2MB

MD5
4e0e85a590f4972732f1f0de81aa5507

SHA1
8e1bcab1ac25c59c1203d808f04b53b1db5fd7eb

SHA256
bde15453821fff0d2ed08a8c10885c9ab4ec1ccc6b4b23a41e9e324e4e80a195

SHA512
2b874cf59cdc7298b7fcf6712db3ec4013fcd87b7c7bb44400a789821b35bc57e3ff4e98ccfe93bc4cb420d25b2d3e6967eab2e98abf43bb16543f454cef8953

Download Submit
C:\Users\Admin\AppData\Local\Temp\Package Installation Dir\readerdc64.exe

Filesize
1.2MB

MD5
eb17c8572700a9b7bbfb6c1142ad443e

SHA1
74022bd63cf919ac44af0dcbe0e4c14756c34b2e

SHA256
302b598ae57ca91ba4b4b59e926f2e07a073ab9afcb98eccde02f5e84cdfef52

SHA512
e7660219d815bc40741fd6737c092c8f442ebbec4f18981fbf261a269c4e2e162dc0349f76eb7b03a78529021fdab9b84322de7683685ab5d512ac7b4a5a63b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Package Installation Dir\readerdc64.exe

Filesize
1.2MB

MD5
eb17c8572700a9b7bbfb6c1142ad443e

SHA1
74022bd63cf919ac44af0dcbe0e4c14756c34b2e

SHA256
302b598ae57ca91ba4b4b59e926f2e07a073ab9afcb98eccde02f5e84cdfef52

SHA512
e7660219d815bc40741fd6737c092c8f442ebbec4f18981fbf261a269c4e2e162dc0349f76eb7b03a78529021fdab9b84322de7683685ab5d512ac7b4a5a63b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES11E2.tmp

Filesize
1KB

MD5
2d070f19d632419140df58caf38838fe

SHA1
4e619c9495fe795e8241557132f454891761650f

SHA256
b00b0331a7d302f29ca027bbc2b038bca562f656897e979a398d0fb14439f5a2

SHA512
a6ebd01582e7be86ae3488d2bae8f3d60224bc8a76841e5588660e47ecfc8c2914ccbe96c6b4ab875fe1c66df830facb295f07eab046ebb71c61ecb9381b7604

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES23B4.tmp

Filesize
1KB

MD5
37e047836a0f3b7d0ab3063bea64d634

SHA1
1a89fc78448beb357baff0f561468c390cac88c0

SHA256
d5e111712e63c0091103e1a4c76ac40d764df993591e13a1cd96b44b8f4e83e8

SHA512
80fd98eee13215b2805c358283453f3d048c99d380985a6e453f974dcf02b6b5f972ecf756857a1c2fa291ce45085f183510949177a60340cf038175c1d667b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_5mo1arfx.2de.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\gbm525by\gbm525by.dll

Filesize
3KB

MD5
d18adbd6bee865bdd493fc69a0915ba3

SHA1
6d6fbc679c003bdf3b43e765059cef67e63e7183

SHA256
0f78a1d8687cb38330aa18a78f1528a1b25a41ad339ce0a9f2b8215c3b53c118

SHA512
0bac0970c09b119c26caaa6386ead8426980135fa55ef667552faee768419b24ad6cf410bc743e74fb293e9d8394aa8b94ae3d2916da40d97def908220463103

Download Submit
C:\Users\Admin\AppData\Local\Temp\vuxs5z44\vuxs5z44.dll

Filesize
3KB

MD5
4752f65be0b18839dafbacda8b8711a3

SHA1
4a6394db284ec7b30c031d6ff72b804ab717978e

SHA256
77317674aa90b55c424106cb9d9347e2fe24970c0fd5cad3cfccb99aa01de24a

SHA512
42fc4257c1357f032c6f1f5ccd5b21cae974a779c0048ee9fa649c010c89d3bbd3f4608b987fd8cf668fec04199b548c681d004790c4f7a6156b07b4dc545463

Download Submit
C:\Windows\Installer\e570928.msi

Filesize
2.2MB

MD5
fadc9824c68402143239f764c99bb82d

SHA1
7eb72321c2c1e25b11c9d44229af22a179e27ce8

SHA256
9890ae69f0a31a5656dbebce11384a70820ac49cabe9b244dfb8a5ed22617ff5

SHA512
916b9b9836d5003193cf4f52c501a90ba16f18ca13a05325f9e11a6ee9d05b927013c09524757f33efd153c0e1d25648233e79f9a8eaa81fd69ed79282268ef6

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

Filesize
23.0MB

MD5
a33c36e63c18d297458fc7deea431f44

SHA1
39e738f3bd1649969dfb91e658025fe6beb5adf8

SHA256
160ea6fb15ac9e219686099347b3d5e518253eceeabc1f8d39416c8225240ec2

SHA512
1cc306b4724542827ce51e70722899df7b638dfdbee2d2c5a50f836521ea32747384984ab788ccd2a068da088d512adc9cdf5819ce2066870d656fa2d421d9dc

Download Submit
\??\Volume{4cc777a5-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{ddb6bde0-576b-44f5-834a-869f60168fd8}_OnDiskSnapshotProp

Filesize
5KB

MD5
36b08f540fe3c15ba7d7e4e4989a6e20

SHA1
20af1966e33b89d552e0c7bf677f18944a72024a

SHA256
f76f9437fa1e48823b7b6a09148b088a5418314f9cc938c64629ffc6314ec071

SHA512
58d4673c4715ff240c19af0a5e03193d8e2b798c4bbd6d03907e590a3e55950547d498e4577d0a08e6859f23627d65df4e3b5284fc1a437983369a2d66a570e2

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\gbm525by\CSCF7E131B1113A4946B8F28A38FCADD27.TMP

Filesize
652B

MD5
68ee02725acab456ba3437cca28954c5

SHA1
1995dab16bd984c0969d2998dceb1f2c138373e0

SHA256
d48bf0785587013d59f720164ed6d84b971a6657b0cc5354e63d527f8e2b4779

SHA512
304d84a3afd41c4eea3f408121d29c575c0088491e4a021ab00ca3a2d0c68ddff66697bf04000f7dff8a3c63d8d28f83dbed1f6c0d6d18995bf81a30965a5386

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\gbm525by\gbm525by.0.cs

Filesize
582B

MD5
2bb8d0ee93aeae61a09adf4db6f29c1c

SHA1
8da3034bb8f84ea2522e276b492b2797b5db30ca

SHA256
68d44e3c373d2aec9dacf51326cbfebcba76c1c1a56545e5e1cbf58b44a9f817

SHA512
b3ec6841a9541e96a671a7d81378293567972541d9cdfc3137b478d9b4d3cccd4b5f536d0f059ee9c12fe9ba86bca62b795139a5215843465cb751e0ade95677

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\gbm525by\gbm525by.cmdline

Filesize
369B

MD5
271494934d62faffd489f388f78cf1dd

SHA1
f0fed84bc8ac0e286d60de0a0b62280a53ec8235

SHA256
7e9075899c3a90b18f280075c8f64a5c779f34a05610e5a35b8edc17d187e945

SHA512
3a33de790bf8bbb400ee5055694a5e0519acdeda3af959d8f1e88f25feed7b35b6f693101ba2f4a64369a236288ea21fa1f66d4a2a956a3f845a04e1f44935c8

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\vuxs5z44\CSC5125F2D786CF4D84873DF09FE6C654CB.TMP

Filesize
652B

MD5
e909da08aa260b1cfd1e58f19e6d5187

SHA1
777f0b797f2e4f393e2e4f760dea4d02976cb024

SHA256
0a7a72cce2653c1b79c294bcad711e41e9e00e677a3e495a86969aa3a197104c

SHA512
5667779b6649206b9482bddcd04a3acfc6f40ad1f071502aac0db4619f87ba68c265658ecfca4ddfb261179ebcf0c1909180a422a4a2647803cb163419dd399f

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\vuxs5z44\vuxs5z44.0.cs

Filesize
203B

MD5
b611be9282deb44eed731f72bcbb2b82

SHA1
cc1d606d853bbabd5fef87255356a0d54381c289

SHA256
ee09fdd61a05266e4e09f418fc6a452f1205d9f29afba6b8a1579333dc3ff3b6

SHA512
63b5ad7b65fd4866fb8841e4eee567e4f1e7888bb9fda8dd5c8dca3461d084d3f80ce920ae321609e4ff32ba13a55b7320282ce7201bb74a793d4700240360a4

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\vuxs5z44\vuxs5z44.cmdline

Filesize
369B

MD5
61d64b0b3f7796290e389ce8a85c7101

SHA1
0ebd4df62f152ed4b12948f557fffcfe4f465b17

SHA256
735408498b862d02806ec87e107eadfd2f2f4140630d0d29022cf63a9deffc8c

SHA512
ae4d986c3604b7195bb0e09d169d1533704e138de717e6838f387255cb37e1d79d9d0e2546c6394f1f2731e295b43623e3186d841ceac86673d69a09ec0d7c33

Download Submit
memory/2064-334-0x0000000000CA0000-0x00000000010D9000-memory.dmp

Filesize
4.2MB

Download
memory/2064-330-0x0000000000CA0000-0x00000000010D9000-memory.dmp

Filesize
4.2MB

Download
memory/2064-296-0x0000000000CA0000-0x00000000010D9000-memory.dmp

Filesize
4.2MB

Download
memory/2064-169-0x0000000000CA0000-0x00000000010D9000-memory.dmp

Filesize
4.2MB

Download
memory/2064-174-0x00000000011F0000-0x00000000011F3000-memory.dmp

Filesize
12KB

Download
memory/2064-279-0x0000000000CA0000-0x00000000010D9000-memory.dmp

Filesize
4.2MB

Download
memory/3588-275-0x000001FC54A30000-0x000001FC54B9A000-memory.dmp

Filesize
1.4MB

Download
memory/3588-284-0x000001FC54460000-0x000001FC54470000-memory.dmp

Filesize
64KB

Download
memory/3588-273-0x000001FC54A30000-0x000001FC54B9A000-memory.dmp

Filesize
1.4MB

Download
memory/3588-274-0x00007FF9D11F0000-0x00007FF9D11F1000-memory.dmp

Filesize
4KB

Download
memory/3588-272-0x000001FC54A30000-0x000001FC54B9A000-memory.dmp

Filesize
1.4MB

Download
memory/3588-282-0x000001FC54460000-0x000001FC54470000-memory.dmp

Filesize
64KB

Download
memory/3588-283-0x000001FC54460000-0x000001FC54470000-memory.dmp

Filesize
64KB

Download
memory/3588-277-0x000001FC54A30000-0x000001FC54AEE000-memory.dmp

Filesize
760KB

Download
memory/3588-170-0x000001FC54460000-0x000001FC54470000-memory.dmp

Filesize
64KB

Download
memory/3588-292-0x000001FC54460000-0x000001FC54470000-memory.dmp

Filesize
64KB

Download
memory/3588-271-0x000001FC54460000-0x000001FC54470000-memory.dmp

Filesize
64KB

Download
memory/3588-160-0x000001FC543E0000-0x000001FC54402000-memory.dmp

Filesize
136KB

Download
memory/3588-265-0x000001FC548C0000-0x000001FC54A2A000-memory.dmp

Filesize
1.4MB

Download
memory/3588-175-0x000001FC54460000-0x000001FC54470000-memory.dmp

Filesize
64KB

Download