bumblebee | 9890ae69f0a31a5656dbebce11384a70820ac49cabe9b244dfb8a5ed22617ff5

Analysis

max time kernel
146s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
26-04-2023 10:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AdobePDFReader (10).msi
Size

2.2MB
MD5

fadc9824c68402143239f764c99bb82d
SHA1

7eb72321c2c1e25b11c9d44229af22a179e27ce8
SHA256

9890ae69f0a31a5656dbebce11384a70820ac49cabe9b244dfb8a5ed22617ff5
SHA512

916b9b9836d5003193cf4f52c501a90ba16f18ca13a05325f9e11a6ee9d05b927013c09524757f33efd153c0e1d25648233e79f9a8eaa81fd69ed79282268ef6
SSDEEP

49152:NMU9FgsN+TXYr+LrUcdEL9MklhGUWhe8u/g1PQNPEUI:6gFPgYrordG9t0lepg1P2XI

Score

10^/10

bumblebee ad2404 trojan

Malware Config

Extracted

Family

bumblebee

Botnet

ad2404

149.3.170.185:443

23.108.57.117:443

199.195.249.67:443

103.175.16.149:443

209.141.58.129:443

192.254.79.106:443

rc4.plain

Signatures

BumbleBee
BumbleBee is a webshell malware written in C++.
trojan bumblebee

Blocklisted process makes network request 5 IoCs

flow	pid	Process
50	4020	powershell.exe
67	4020	powershell.exe
69	4020	powershell.exe
70	4020	powershell.exe
72	4020	powershell.exe

Executes dropped EXE 1 IoCs

pid	Process
4640	readerdc64.exe

Enumerates connected drives 3 TTPs 48 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe

Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

pid	Process
4020	powershell.exe

Drops file in Windows directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{DD475EBC-D960-4AF4-BB8A-BE91FA942756}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIDFD5.tmp	msiexec.exe
File created	C:\Windows\Installer\e56debe.msi	msiexec.exe
File created	C:\Windows\Installer\e56debc.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e56debc.msi	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 000000000400000027c70fafd0cbe6b20000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff00000000270101000008000027c70faf0000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3f000000ffffffff00000000070001000068090027c70faf000000000000d0120000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff00000000000000000000000027c70faf00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff00000000000000000000000027c70faf00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
4100	msiexec.exe
4100	msiexec.exe
4020	powershell.exe
4020	powershell.exe
4020	powershell.exe
4020	powershell.exe
4640	readerdc64.exe
4640	readerdc64.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3116	msiexec.exe
Token: SeIncreaseQuotaPrivilege	3116	msiexec.exe
Token: SeSecurityPrivilege	4100	msiexec.exe
Token: SeCreateTokenPrivilege	3116	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	3116	msiexec.exe
Token: SeLockMemoryPrivilege	3116	msiexec.exe
Token: SeIncreaseQuotaPrivilege	3116	msiexec.exe
Token: SeMachineAccountPrivilege	3116	msiexec.exe
Token: SeTcbPrivilege	3116	msiexec.exe
Token: SeSecurityPrivilege	3116	msiexec.exe
Token: SeTakeOwnershipPrivilege	3116	msiexec.exe
Token: SeLoadDriverPrivilege	3116	msiexec.exe
Token: SeSystemProfilePrivilege	3116	msiexec.exe
Token: SeSystemtimePrivilege	3116	msiexec.exe
Token: SeProfSingleProcessPrivilege	3116	msiexec.exe
Token: SeIncBasePriorityPrivilege	3116	msiexec.exe
Token: SeCreatePagefilePrivilege	3116	msiexec.exe
Token: SeCreatePermanentPrivilege	3116	msiexec.exe
Token: SeBackupPrivilege	3116	msiexec.exe
Token: SeRestorePrivilege	3116	msiexec.exe
Token: SeShutdownPrivilege	3116	msiexec.exe
Token: SeDebugPrivilege	3116	msiexec.exe
Token: SeAuditPrivilege	3116	msiexec.exe
Token: SeSystemEnvironmentPrivilege	3116	msiexec.exe
Token: SeChangeNotifyPrivilege	3116	msiexec.exe
Token: SeRemoteShutdownPrivilege	3116	msiexec.exe
Token: SeUndockPrivilege	3116	msiexec.exe
Token: SeSyncAgentPrivilege	3116	msiexec.exe
Token: SeEnableDelegationPrivilege	3116	msiexec.exe
Token: SeManageVolumePrivilege	3116	msiexec.exe
Token: SeImpersonatePrivilege	3116	msiexec.exe
Token: SeCreateGlobalPrivilege	3116	msiexec.exe
Token: SeBackupPrivilege	816	vssvc.exe
Token: SeRestorePrivilege	816	vssvc.exe
Token: SeAuditPrivilege	816	vssvc.exe
Token: SeBackupPrivilege	4100	msiexec.exe
Token: SeRestorePrivilege	4100	msiexec.exe
Token: SeRestorePrivilege	4100	msiexec.exe
Token: SeTakeOwnershipPrivilege	4100	msiexec.exe
Token: SeRestorePrivilege	4100	msiexec.exe
Token: SeTakeOwnershipPrivilege	4100	msiexec.exe
Token: SeRestorePrivilege	4100	msiexec.exe
Token: SeTakeOwnershipPrivilege	4100	msiexec.exe
Token: SeRestorePrivilege	4100	msiexec.exe
Token: SeTakeOwnershipPrivilege	4100	msiexec.exe
Token: SeRestorePrivilege	4100	msiexec.exe
Token: SeTakeOwnershipPrivilege	4100	msiexec.exe
Token: SeRestorePrivilege	4100	msiexec.exe
Token: SeTakeOwnershipPrivilege	4100	msiexec.exe
Token: SeRestorePrivilege	4100	msiexec.exe
Token: SeTakeOwnershipPrivilege	4100	msiexec.exe
Token: SeRestorePrivilege	4100	msiexec.exe
Token: SeTakeOwnershipPrivilege	4100	msiexec.exe
Token: SeRestorePrivilege	4100	msiexec.exe
Token: SeTakeOwnershipPrivilege	4100	msiexec.exe
Token: SeRestorePrivilege	4100	msiexec.exe
Token: SeTakeOwnershipPrivilege	4100	msiexec.exe
Token: SeRestorePrivilege	4100	msiexec.exe
Token: SeTakeOwnershipPrivilege	4100	msiexec.exe
Token: SeRestorePrivilege	4100	msiexec.exe
Token: SeTakeOwnershipPrivilege	4100	msiexec.exe
Token: SeRestorePrivilege	4100	msiexec.exe
Token: SeTakeOwnershipPrivilege	4100	msiexec.exe
Token: SeRestorePrivilege	4100	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
3116	msiexec.exe
3116	msiexec.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
4640	readerdc64.exe
4640	readerdc64.exe
4640	readerdc64.exe
4640	readerdc64.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 4100 wrote to memory of 2028	4100	msiexec.exe	95
PID 4100 wrote to memory of 2028	4100	msiexec.exe	95
PID 4100 wrote to memory of 4020	4100	msiexec.exe	98
PID 4100 wrote to memory of 4020	4100	msiexec.exe	98
PID 4100 wrote to memory of 4640	4100	msiexec.exe	100
PID 4100 wrote to memory of 4640	4100	msiexec.exe	100
PID 4100 wrote to memory of 4640	4100	msiexec.exe	100
PID 4020 wrote to memory of 2452	4020	powershell.exe	101
PID 4020 wrote to memory of 2452	4020	powershell.exe	101
PID 2452 wrote to memory of 4132	2452	csc.exe	102
PID 2452 wrote to memory of 4132	2452	csc.exe	102
PID 4020 wrote to memory of 748	4020	powershell.exe	103
PID 4020 wrote to memory of 748	4020	powershell.exe	103
PID 748 wrote to memory of 4432	748	csc.exe	104
PID 748 wrote to memory of 4432	748	csc.exe	104

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\msiexec.exe
msiexec.exe /I "C:\Users\Admin\AppData\Local\Temp\AdobePDFReader (10).msi"
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3116

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4100
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  PID:2028
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep bypass -file "C:\Users\Admin\AppData\Local\Temp\Package Installation Dir\ad.ps1"
  2⤵
  - Blocklisted process makes network request
  - Suspicious use of NtCreateThreadExHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4020
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\e3zpl5yj\e3zpl5yj.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2452
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE8FD.tmp" "c:\Users\Admin\AppData\Local\Temp\e3zpl5yj\CSC49737C59AC9E47488D49DAA3DC805039.TMP"
      4⤵
      PID:4132
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\xz2fpkwn\xz2fpkwn.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:748
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFDCD.tmp" "c:\Users\Admin\AppData\Local\Temp\xz2fpkwn\CSC71BDE75F7FF94D499DD293D03CACB64E.TMP"
      4⤵
      PID:4432
- C:\Users\Admin\AppData\Local\Temp\Package Installation Dir\readerdc64.exe
  "C:\Users\Admin\AppData\Local\Temp\Package Installation Dir\readerdc64.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:4640

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:816

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e56debd.rbs

Filesize
7KB

MD5
c74eedf784588acd0b746f0a856fcdba

SHA1
129ee078af107b3e4085dd7d566c97737392a51c

SHA256
f85bab69ff11bdc190141d5566132a88b084286ec2a70607501999445a8ab322

SHA512
4d78f5b251763df1c97bf24c87b50139821472b1e106d4b8b5e4fd1fb74fb882256782c4d74e3737580c6ad5a9c24d62ebdccbbf270728a8a74e3df5befa1fa3

Download Submit
C:\Users\Admin\AppData\Local\Adobe\942E5FED-684A-4DB2-A84B-1D0942B29B93\progressbar_blue_active_100.png

Filesize
14KB

MD5
bb94a177f10bf764d11f94d24a5db5aa

SHA1
6864b58952b19248f4c5ea5c8764c52e207268a7

SHA256
caafea31074ba909ec57c9dcdd1b1c0256e5626939cc768b8a041fe42762e230

SHA512
d2875eb5ad9ff76ff233ada04fa77aecdbb0c9a80bcd85b0c50087786b47e97feec189d18164e15784cd96850849ee4e1920d7d98157ca7ad317ba03e8c66111

Download Submit
C:\Users\Admin\AppData\Local\Temp\Package Installation Dir\ad.ps1

Filesize
2.2MB

MD5
4e0e85a590f4972732f1f0de81aa5507

SHA1
8e1bcab1ac25c59c1203d808f04b53b1db5fd7eb

SHA256
bde15453821fff0d2ed08a8c10885c9ab4ec1ccc6b4b23a41e9e324e4e80a195

SHA512
2b874cf59cdc7298b7fcf6712db3ec4013fcd87b7c7bb44400a789821b35bc57e3ff4e98ccfe93bc4cb420d25b2d3e6967eab2e98abf43bb16543f454cef8953

Download Submit
C:\Users\Admin\AppData\Local\Temp\Package Installation Dir\readerdc64.exe

Filesize
1.2MB

MD5
eb17c8572700a9b7bbfb6c1142ad443e

SHA1
74022bd63cf919ac44af0dcbe0e4c14756c34b2e

SHA256
302b598ae57ca91ba4b4b59e926f2e07a073ab9afcb98eccde02f5e84cdfef52

SHA512
e7660219d815bc40741fd6737c092c8f442ebbec4f18981fbf261a269c4e2e162dc0349f76eb7b03a78529021fdab9b84322de7683685ab5d512ac7b4a5a63b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Package Installation Dir\readerdc64.exe

Filesize
1.2MB

MD5
eb17c8572700a9b7bbfb6c1142ad443e

SHA1
74022bd63cf919ac44af0dcbe0e4c14756c34b2e

SHA256
302b598ae57ca91ba4b4b59e926f2e07a073ab9afcb98eccde02f5e84cdfef52

SHA512
e7660219d815bc40741fd6737c092c8f442ebbec4f18981fbf261a269c4e2e162dc0349f76eb7b03a78529021fdab9b84322de7683685ab5d512ac7b4a5a63b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESE8FD.tmp

Filesize
1KB

MD5
7a8caf816f1a2ffbd8c58bfd4745eda9

SHA1
9a8ff607cbb957a0db446f94e28cce32023c2a81

SHA256
4b6d41500e278a701864f0c284dc0428147a5c15ce4a896f79af9f0e5a5a6407

SHA512
37680a03bd44e818bb18c179a1207b0235e789b79860edb31434a89f2890553cda6b0a5100a46bbb6ecc97d0d6075320b2384f401163c045eb79be59bbb38c9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESFDCD.tmp

Filesize
1KB

MD5
180486921bca31f736c9f7f9097cfe8b

SHA1
7310c097373beb37b96fc1abea4c1c4aeb087d4d

SHA256
06afdb64d5eab34749ac93e87e2ea3a643253d737fdd862f1ad1ad5d6370f50a

SHA512
9b856627db2ee40b12016897a09267c2adbb861b7afc20e42be5237c30730e35c2ae5c979ef7b2b972568642107126dab7ce14a71e87847354b68b68535156cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_0mpof03h.owu.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\e3zpl5yj\e3zpl5yj.dll

Filesize
3KB

MD5
34a07cb6f6612b85811c22e9aa1d46e0

SHA1
31bae9c3e224647f51f8b9de7a95854de3dbdef4

SHA256
af732eb522cb265b53577f5b0b2c3166ea8d430b28061457fbb28780dc03a4aa

SHA512
c8dbd60e0fab80bb9b0f35da2345b32804427ee696b839af73cd56d40b9c99136a4eb4845c5423df7bda13d4edf235a3620a447c7d98fb2d046703e45cb457bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\xz2fpkwn\xz2fpkwn.dll

Filesize
3KB

MD5
b3d0bdfae0011ceca68684fd49865a51

SHA1
99e8085799712edfd87973fc609c319bc4e171b6

SHA256
82b72e68da0c64e3e9cab62d93e7fc8c1f209108380def14ea22576cbc7fc65f

SHA512
8146b804dfba2b34721ce85528ce6529af093cbdbabba56c1e7421f142ebd0c448e55e717aff844630d18758fc3d7f9cbd62b8dbea58caee5e02a28a60585c65

Download Submit
C:\Windows\Installer\e56debc.msi

Filesize
2.2MB

MD5
fadc9824c68402143239f764c99bb82d

SHA1
7eb72321c2c1e25b11c9d44229af22a179e27ce8

SHA256
9890ae69f0a31a5656dbebce11384a70820ac49cabe9b244dfb8a5ed22617ff5

SHA512
916b9b9836d5003193cf4f52c501a90ba16f18ca13a05325f9e11a6ee9d05b927013c09524757f33efd153c0e1d25648233e79f9a8eaa81fd69ed79282268ef6

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

Filesize
23.0MB

MD5
946dc6f45da4a5d735f4b48ef4dc6d90

SHA1
d6a41c65b8a50b3f6bb76dc68ae65c730003c907

SHA256
9cf8bd78471a5aa40f62b1fc80b332d2c07146c24f4bdd8eb8e208e836260953

SHA512
6fe59dee70103b95367841e0272ec6fde64f6667c38906f554d198a23b5a4148708613f01ce8f13f7225725f4085ec6f2b621963fc5cf40115a0741879cb599f

Download Submit
\??\Volume{af0fc727-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{c469f506-355b-486e-b70a-27b24ac31851}_OnDiskSnapshotProp

Filesize
5KB

MD5
1b3c9a849ad6726a89fe54fd397b6501

SHA1
e19eb4ac33eab3514bce2ee35bdd13b3288a697b

SHA256
e830fcf1f49306e50e3ea02185650d05283a7aa265a6607ed554bdb28b68648c

SHA512
87a9b2ebe823bedc31587d72b8eb9003f83c82b79c43d26ed5266951fc7c74b3ffdf9146e7dddbb24658d41a4688d925ce88d5f75113eef2a21ea30eb39325a4

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\e3zpl5yj\CSC49737C59AC9E47488D49DAA3DC805039.TMP

Filesize
652B

MD5
cfc775f3b5caeb2518e79f04557f1140

SHA1
db37593009427fbc6cc241c2702be74ed980d180

SHA256
39629978fcda227eb89373964458c871558fbf7d58915bea722957c153ec5b31

SHA512
6a126fb6361b829f3144a80c33bc889354a5226f5ab33eb29568db3aa34c4e7793910adab3baea846430f0c005f1b63119b6587e98763e3b14e35ceef2be7d25

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\e3zpl5yj\e3zpl5yj.0.cs

Filesize
203B

MD5
b611be9282deb44eed731f72bcbb2b82

SHA1
cc1d606d853bbabd5fef87255356a0d54381c289

SHA256
ee09fdd61a05266e4e09f418fc6a452f1205d9f29afba6b8a1579333dc3ff3b6

SHA512
63b5ad7b65fd4866fb8841e4eee567e4f1e7888bb9fda8dd5c8dca3461d084d3f80ce920ae321609e4ff32ba13a55b7320282ce7201bb74a793d4700240360a4

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\e3zpl5yj\e3zpl5yj.cmdline

Filesize
369B

MD5
0dd62cf14ca4a5a077d5f62093e1c4e8

SHA1
70a77d9945b872fbfe6cc33f44e6964f9dde763e

SHA256
0d831abeed310b097e751b5067a42385a93f8c394c14526bcc21dc7a1d2eef75

SHA512
9032450893167116af8aa673d1dd2cc9c35b7d23f604f16923c44fe5aae630b4f100747e1f084b630fd8ffad9cea26d9881a08acf03a20e4fdd1f40c36c75e44

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\xz2fpkwn\CSC71BDE75F7FF94D499DD293D03CACB64E.TMP

Filesize
652B

MD5
451648ebdabda1618e7213881f2d839c

SHA1
95a625f854bab90c875117dcabb7e54d160e778e

SHA256
917cc98959236d4558f11627919d030e3fa48f423941600d639b5762eafaf919

SHA512
c467ff4bfa97f79e3652e47eb1ce89c435d6041dd2749c975f4bcdf3fee1ea2c5dcf20aaff81653d089b4c549d1a4faa8c2d65c19f111dbaba997bf1f3765345

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\xz2fpkwn\xz2fpkwn.0.cs

Filesize
582B

MD5
2bb8d0ee93aeae61a09adf4db6f29c1c

SHA1
8da3034bb8f84ea2522e276b492b2797b5db30ca

SHA256
68d44e3c373d2aec9dacf51326cbfebcba76c1c1a56545e5e1cbf58b44a9f817

SHA512
b3ec6841a9541e96a671a7d81378293567972541d9cdfc3137b478d9b4d3cccd4b5f536d0f059ee9c12fe9ba86bca62b795139a5215843465cb751e0ade95677

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\xz2fpkwn\xz2fpkwn.cmdline

Filesize
369B

MD5
d93bbdafa2469b2d70538358a324c2dc

SHA1
082c5ba2d1fd632e1ffe4ab5d4b84a79c6689923

SHA256
37dba4873a96f51dc79500a486d62d6237136576bad4d143a6f525758419c921

SHA512
bb07b461a4c6ff29ed72c7be8297f6506879d795ebd28e2c91b8819b35cb95db0093f80fc0a137e3c64f3425d2a80edbf679739aadcba5209ebcbefe02a4401b

Download Submit
memory/4020-284-0x00007FFB2AC10000-0x00007FFB2AC11000-memory.dmp

Filesize
4KB

Download
memory/4020-159-0x0000023C56FE0000-0x0000023C56FF0000-memory.dmp

Filesize
64KB

Download
memory/4020-279-0x0000023C57690000-0x0000023C5774E000-memory.dmp

Filesize
760KB

Download
memory/4020-158-0x0000023C56FE0000-0x0000023C56FF0000-memory.dmp

Filesize
64KB

Download
memory/4020-277-0x0000023C57690000-0x0000023C577FA000-memory.dmp

Filesize
1.4MB

Download
memory/4020-290-0x0000023C56FE0000-0x0000023C56FF0000-memory.dmp

Filesize
64KB

Download
memory/4020-268-0x0000023C57520000-0x0000023C5768A000-memory.dmp

Filesize
1.4MB

Download
memory/4020-272-0x0000023C56FE0000-0x0000023C56FF0000-memory.dmp

Filesize
64KB

Download
memory/4020-285-0x0000023C56FE0000-0x0000023C56FF0000-memory.dmp

Filesize
64KB

Download
memory/4020-276-0x0000023C57690000-0x0000023C577FA000-memory.dmp

Filesize
1.4MB

Download
memory/4020-179-0x0000023C56FE0000-0x0000023C56FF0000-memory.dmp

Filesize
64KB

Download
memory/4020-171-0x0000023C56F60000-0x0000023C56F82000-memory.dmp

Filesize
136KB

Download
memory/4020-275-0x0000023C57690000-0x0000023C577FA000-memory.dmp

Filesize
1.4MB

Download
memory/4020-282-0x0000023C56FE0000-0x0000023C56FF0000-memory.dmp

Filesize
64KB

Download
memory/4020-283-0x0000023C56FE0000-0x0000023C56FF0000-memory.dmp

Filesize
64KB

Download
memory/4640-330-0x0000000000D30000-0x0000000001169000-memory.dmp

Filesize
4.2MB

Download
memory/4640-281-0x0000000000D30000-0x0000000001169000-memory.dmp

Filesize
4.2MB

Download
memory/4640-289-0x0000000000D30000-0x0000000001169000-memory.dmp

Filesize
4.2MB

Download
memory/4640-156-0x0000000000D30000-0x0000000001169000-memory.dmp

Filesize
4.2MB

Download
memory/4640-296-0x0000000000D30000-0x0000000001169000-memory.dmp

Filesize
4.2MB

Download
memory/4640-305-0x0000000000D30000-0x0000000001169000-memory.dmp

Filesize
4.2MB

Download
memory/4640-157-0x0000000000C90000-0x0000000000C93000-memory.dmp

Filesize
12KB

Download