bumblebee | 9890ae69f0a31a5656dbebce11384a70820ac49cabe9b244dfb8a5ed22617ff5

Analysis

max time kernel
149s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
26-04-2023 09:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AdobePDFReader (7).msi
Size

2.2MB
MD5

fadc9824c68402143239f764c99bb82d
SHA1

7eb72321c2c1e25b11c9d44229af22a179e27ce8
SHA256

9890ae69f0a31a5656dbebce11384a70820ac49cabe9b244dfb8a5ed22617ff5
SHA512

916b9b9836d5003193cf4f52c501a90ba16f18ca13a05325f9e11a6ee9d05b927013c09524757f33efd153c0e1d25648233e79f9a8eaa81fd69ed79282268ef6
SSDEEP

49152:NMU9FgsN+TXYr+LrUcdEL9MklhGUWhe8u/g1PQNPEUI:6gFPgYrordG9t0lepg1P2XI

Score

10^/10

bumblebee ad2404 trojan

Malware Config

Extracted

Family

bumblebee

Botnet

ad2404

149.3.170.185:443

23.108.57.117:443

199.195.249.67:443

103.175.16.149:443

209.141.58.129:443

192.254.79.106:443

rc4.plain

Signatures

BumbleBee
BumbleBee is a webshell malware written in C++.
trojan bumblebee

Blocklisted process makes network request 5 IoCs

flow	pid	Process
51	4740	powershell.exe
56	4740	powershell.exe
57	4740	powershell.exe
62	4740	powershell.exe
64	4740	powershell.exe

Executes dropped EXE 1 IoCs

pid	Process
2216	readerdc64.exe

Enumerates connected drives 3 TTPs 48 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe

Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

pid	Process
4740	powershell.exe

Drops file in Windows directory 8 IoCs

description	ioc	Process
File created	C:\Windows\Installer\SourceHash{DD475EBC-D960-4AF4-BB8A-BE91FA942756}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSID064.tmp	msiexec.exe
File created	C:\Windows\Installer\e56cf3d.msi	msiexec.exe
File created	C:\Windows\Installer\e56cf3b.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e56cf3b.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 000000000400000027c70fafd0cbe6b20000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff00000000270101000008000027c70faf0000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3f000000ffffffff00000000070001000068090027c70faf000000000000d0120000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff00000000000000000000000027c70faf00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff00000000000000000000000027c70faf00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
3096	msiexec.exe
3096	msiexec.exe
4740	powershell.exe
4740	powershell.exe
4740	powershell.exe
2216	readerdc64.exe
2216	readerdc64.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1224	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1224	msiexec.exe
Token: SeSecurityPrivilege	3096	msiexec.exe
Token: SeCreateTokenPrivilege	1224	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	1224	msiexec.exe
Token: SeLockMemoryPrivilege	1224	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1224	msiexec.exe
Token: SeMachineAccountPrivilege	1224	msiexec.exe
Token: SeTcbPrivilege	1224	msiexec.exe
Token: SeSecurityPrivilege	1224	msiexec.exe
Token: SeTakeOwnershipPrivilege	1224	msiexec.exe
Token: SeLoadDriverPrivilege	1224	msiexec.exe
Token: SeSystemProfilePrivilege	1224	msiexec.exe
Token: SeSystemtimePrivilege	1224	msiexec.exe
Token: SeProfSingleProcessPrivilege	1224	msiexec.exe
Token: SeIncBasePriorityPrivilege	1224	msiexec.exe
Token: SeCreatePagefilePrivilege	1224	msiexec.exe
Token: SeCreatePermanentPrivilege	1224	msiexec.exe
Token: SeBackupPrivilege	1224	msiexec.exe
Token: SeRestorePrivilege	1224	msiexec.exe
Token: SeShutdownPrivilege	1224	msiexec.exe
Token: SeDebugPrivilege	1224	msiexec.exe
Token: SeAuditPrivilege	1224	msiexec.exe
Token: SeSystemEnvironmentPrivilege	1224	msiexec.exe
Token: SeChangeNotifyPrivilege	1224	msiexec.exe
Token: SeRemoteShutdownPrivilege	1224	msiexec.exe
Token: SeUndockPrivilege	1224	msiexec.exe
Token: SeSyncAgentPrivilege	1224	msiexec.exe
Token: SeEnableDelegationPrivilege	1224	msiexec.exe
Token: SeManageVolumePrivilege	1224	msiexec.exe
Token: SeImpersonatePrivilege	1224	msiexec.exe
Token: SeCreateGlobalPrivilege	1224	msiexec.exe
Token: SeBackupPrivilege	4704	vssvc.exe
Token: SeRestorePrivilege	4704	vssvc.exe
Token: SeAuditPrivilege	4704	vssvc.exe
Token: SeBackupPrivilege	3096	msiexec.exe
Token: SeRestorePrivilege	3096	msiexec.exe
Token: SeRestorePrivilege	3096	msiexec.exe
Token: SeTakeOwnershipPrivilege	3096	msiexec.exe
Token: SeRestorePrivilege	3096	msiexec.exe
Token: SeTakeOwnershipPrivilege	3096	msiexec.exe
Token: SeRestorePrivilege	3096	msiexec.exe
Token: SeTakeOwnershipPrivilege	3096	msiexec.exe
Token: SeRestorePrivilege	3096	msiexec.exe
Token: SeTakeOwnershipPrivilege	3096	msiexec.exe
Token: SeRestorePrivilege	3096	msiexec.exe
Token: SeTakeOwnershipPrivilege	3096	msiexec.exe
Token: SeRestorePrivilege	3096	msiexec.exe
Token: SeTakeOwnershipPrivilege	3096	msiexec.exe
Token: SeRestorePrivilege	3096	msiexec.exe
Token: SeTakeOwnershipPrivilege	3096	msiexec.exe
Token: SeRestorePrivilege	3096	msiexec.exe
Token: SeTakeOwnershipPrivilege	3096	msiexec.exe
Token: SeRestorePrivilege	3096	msiexec.exe
Token: SeTakeOwnershipPrivilege	3096	msiexec.exe
Token: SeRestorePrivilege	3096	msiexec.exe
Token: SeTakeOwnershipPrivilege	3096	msiexec.exe
Token: SeRestorePrivilege	3096	msiexec.exe
Token: SeTakeOwnershipPrivilege	3096	msiexec.exe
Token: SeRestorePrivilege	3096	msiexec.exe
Token: SeTakeOwnershipPrivilege	3096	msiexec.exe
Token: SeRestorePrivilege	3096	msiexec.exe
Token: SeTakeOwnershipPrivilege	3096	msiexec.exe
Token: SeRestorePrivilege	3096	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1224	msiexec.exe
1224	msiexec.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2216	readerdc64.exe
2216	readerdc64.exe
2216	readerdc64.exe
2216	readerdc64.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 3096 wrote to memory of 1172	3096	msiexec.exe	89
PID 3096 wrote to memory of 1172	3096	msiexec.exe	89
PID 3096 wrote to memory of 4740	3096	msiexec.exe	91
PID 3096 wrote to memory of 4740	3096	msiexec.exe	91
PID 3096 wrote to memory of 2216	3096	msiexec.exe	92
PID 3096 wrote to memory of 2216	3096	msiexec.exe	92
PID 3096 wrote to memory of 2216	3096	msiexec.exe	92
PID 4740 wrote to memory of 4080	4740	powershell.exe	94
PID 4740 wrote to memory of 4080	4740	powershell.exe	94
PID 4080 wrote to memory of 4468	4080	csc.exe	95
PID 4080 wrote to memory of 4468	4080	csc.exe	95
PID 4740 wrote to memory of 4044	4740	powershell.exe	96
PID 4740 wrote to memory of 4044	4740	powershell.exe	96
PID 4044 wrote to memory of 312	4044	csc.exe	97
PID 4044 wrote to memory of 312	4044	csc.exe	97

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\msiexec.exe
msiexec.exe /I "C:\Users\Admin\AppData\Local\Temp\AdobePDFReader (7).msi"
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1224

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3096
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  PID:1172
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep bypass -file "C:\Users\Admin\AppData\Local\Temp\Package Installation Dir\ad.ps1"
  2⤵
  - Blocklisted process makes network request
  - Suspicious use of NtCreateThreadExHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4740
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\nn1wb4g2\nn1wb4g2.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4080
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD798.tmp" "c:\Users\Admin\AppData\Local\Temp\nn1wb4g2\CSC25F39642BCC45ECBAB43A2E20A0A2E3.TMP"
      4⤵
      PID:4468
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\oegjiten\oegjiten.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4044
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESEC0A.tmp" "c:\Users\Admin\AppData\Local\Temp\oegjiten\CSC45BB3A2EF93F4B30A616B2C15F4BAD85.TMP"
      4⤵
      PID:312
- C:\Users\Admin\AppData\Local\Temp\Package Installation Dir\readerdc64.exe
  "C:\Users\Admin\AppData\Local\Temp\Package Installation Dir\readerdc64.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:2216

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:4704

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e56cf3c.rbs

Filesize
7KB

MD5
e7f3747579ad603b120c76703be329b2

SHA1
f6f64b29d84db332571af8355cca83d0a3c5ed6a

SHA256
ada46c071c2fa1684dee9b89fdef0e6a50ac75bc4209c83d9bc88f2b95ceddca

SHA512
6e840ee6e030f790eff5225bef2799ef9241081efa991d42692f30d6351dda5a078cb186777546bc7a243e80f3afa2145acf1eb3d4fe76f1fcac02dcc7b16ce2

Download Submit
C:\Users\Admin\AppData\Local\Adobe\622EA505-3CD3-4E2C-BD9B-D8D0C562419D\progressbar_blue_active_100.png

Filesize
14KB

MD5
bb94a177f10bf764d11f94d24a5db5aa

SHA1
6864b58952b19248f4c5ea5c8764c52e207268a7

SHA256
caafea31074ba909ec57c9dcdd1b1c0256e5626939cc768b8a041fe42762e230

SHA512
d2875eb5ad9ff76ff233ada04fa77aecdbb0c9a80bcd85b0c50087786b47e97feec189d18164e15784cd96850849ee4e1920d7d98157ca7ad317ba03e8c66111

Download Submit
C:\Users\Admin\AppData\Local\Temp\Package Installation Dir\ad.ps1

Filesize
2.2MB

MD5
4e0e85a590f4972732f1f0de81aa5507

SHA1
8e1bcab1ac25c59c1203d808f04b53b1db5fd7eb

SHA256
bde15453821fff0d2ed08a8c10885c9ab4ec1ccc6b4b23a41e9e324e4e80a195

SHA512
2b874cf59cdc7298b7fcf6712db3ec4013fcd87b7c7bb44400a789821b35bc57e3ff4e98ccfe93bc4cb420d25b2d3e6967eab2e98abf43bb16543f454cef8953

Download Submit
C:\Users\Admin\AppData\Local\Temp\Package Installation Dir\readerdc64.exe

Filesize
1.2MB

MD5
eb17c8572700a9b7bbfb6c1142ad443e

SHA1
74022bd63cf919ac44af0dcbe0e4c14756c34b2e

SHA256
302b598ae57ca91ba4b4b59e926f2e07a073ab9afcb98eccde02f5e84cdfef52

SHA512
e7660219d815bc40741fd6737c092c8f442ebbec4f18981fbf261a269c4e2e162dc0349f76eb7b03a78529021fdab9b84322de7683685ab5d512ac7b4a5a63b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Package Installation Dir\readerdc64.exe

Filesize
1.2MB

MD5
eb17c8572700a9b7bbfb6c1142ad443e

SHA1
74022bd63cf919ac44af0dcbe0e4c14756c34b2e

SHA256
302b598ae57ca91ba4b4b59e926f2e07a073ab9afcb98eccde02f5e84cdfef52

SHA512
e7660219d815bc40741fd6737c092c8f442ebbec4f18981fbf261a269c4e2e162dc0349f76eb7b03a78529021fdab9b84322de7683685ab5d512ac7b4a5a63b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESD798.tmp

Filesize
1KB

MD5
96ae5716d8497539d19400cf4996ae75

SHA1
419103c0b1bed15791dddd4ab7e35a3293162a0b

SHA256
09dce0a1937369745c2a81d15c43e21646a965e3c2ed437cd96ad49fbf3af3cf

SHA512
5d34848e14d3a86430241cdf04146e0ee6d5e5315f077e11bfbf1867cc9ae7e42237e9adc1e0b63da6b32c20fb512d4657b2f50081e02e79ca92330708e587e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESEC0A.tmp

Filesize
1KB

MD5
8bd62b4d66a692eed87c32c583b61681

SHA1
d126f7973e21ee146ea8d89469ba2ac21364f897

SHA256
56a4bc35abacebfacc3f49150d01fc983deed4f75139121f9114618d0778396f

SHA512
6a84fcbeebdf985cea32c8eda56ed025aed236248329e8d5753d000782ba7093e37bb5ebd49919ff8f0016f0d4ee7555b0202afc26059167c1d673cf85d74769

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_e0402tql.mup.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\nn1wb4g2\nn1wb4g2.dll

Filesize
3KB

MD5
0f1b7418f6fc5cac95e0a912e29bebc9

SHA1
407eb7711ddb0de759b8f1c5708ca66d828ff1fa

SHA256
4ac3a2e70c3cfb850cb8b5cd04d2037e36b21fb65baeec73718ce449251b7380

SHA512
5af8466673f871fe95966926dc7518c73c9fe35cbc4dce796a1fec2684c3cc804d4a542a89e1a0e173043cabf77269e9943cafb1e705cd041666941179570b54

Download Submit
C:\Users\Admin\AppData\Local\Temp\oegjiten\oegjiten.dll

Filesize
3KB

MD5
cf754ac27ab66b06c07f29968504b866

SHA1
7b16462d8439585af8eaa62e98720173a724683b

SHA256
dc32842d1a1f115b94f4bf7bffb9757a733a1e7a8d812269be91ca0fa1f581f9

SHA512
3682dfc30e0c0eb160e542e6e83db70631164ae7028cb0375ce740a63ceb6218ed3668745297518e13760e0d78b9db820922f254e797d7e5599a68b760b173fa

Download Submit
C:\Windows\Installer\e56cf3b.msi

Filesize
2.2MB

MD5
fadc9824c68402143239f764c99bb82d

SHA1
7eb72321c2c1e25b11c9d44229af22a179e27ce8

SHA256
9890ae69f0a31a5656dbebce11384a70820ac49cabe9b244dfb8a5ed22617ff5

SHA512
916b9b9836d5003193cf4f52c501a90ba16f18ca13a05325f9e11a6ee9d05b927013c09524757f33efd153c0e1d25648233e79f9a8eaa81fd69ed79282268ef6

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

Filesize
23.0MB

MD5
1c99cf62bf8b80aabdcb20622a4a8f36

SHA1
56be57b15581400f0d936ef63d80de6779eea644

SHA256
e0846957b67c1f90deea119085ca04ae60d257e74e901c1da8237bc3b375fd0c

SHA512
2fd664e7a1aedcded475b5ae3eb20c59fc495be6729bafcc00282bb2a4f72f6b554ae5cef90314579bde8db08c481a7295806aca5bc74830efa3937f553dd4b8

Download Submit
\??\Volume{af0fc727-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{f07b0dc1-bb1f-43a3-bd24-1fb92f9be2b4}_OnDiskSnapshotProp

Filesize
5KB

MD5
6e63601d52e2a81b9ef8584ed8b58943

SHA1
f8ea51aafabee2e9c261684265fe2f699fceb1c5

SHA256
0a04e411e7f65b0f4566bf78d3160923ab998020debf69e02d0206f52d7ee983

SHA512
3282cf37b4a62c04cb9ab7169a9cc3dd5eae46a552355b3bca05b1dbe6e010d2286c8c7671a2d239da61a2229b6f2b31f19c9d75af2e217d3c61fd52728fa141

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\nn1wb4g2\CSC25F39642BCC45ECBAB43A2E20A0A2E3.TMP

Filesize
652B

MD5
87b09284f3c298c906b35a5dcfe754b6

SHA1
9aa8f35dad78f193bcedfe64cb70620ca69f7a73

SHA256
91dc07a2cb7c18a5578d02dfb9558f2e7f6c9e2fbbed5bee302c390458c921ea

SHA512
7bee10b4293427e8db9008650dc26a2e78bb567f62592dcc4041eddab6a0284e1f2a4512a5756f8e18b865df29a34cc0c18a90aa62cb44c59295ff2cfa18dc54

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\nn1wb4g2\nn1wb4g2.0.cs

Filesize
203B

MD5
b611be9282deb44eed731f72bcbb2b82

SHA1
cc1d606d853bbabd5fef87255356a0d54381c289

SHA256
ee09fdd61a05266e4e09f418fc6a452f1205d9f29afba6b8a1579333dc3ff3b6

SHA512
63b5ad7b65fd4866fb8841e4eee567e4f1e7888bb9fda8dd5c8dca3461d084d3f80ce920ae321609e4ff32ba13a55b7320282ce7201bb74a793d4700240360a4

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\nn1wb4g2\nn1wb4g2.cmdline

Filesize
369B

MD5
ebff5b4a44567b70d1c29e15a8e159e1

SHA1
3bfca44314e149585ff7f6de2eeec9bc178b9696

SHA256
dbc3530592b059843aa7d64e46a1bc6a4043992c2d2fd3d882630f86563dcd59

SHA512
7128b4543ec55cfd3c13b63d4c7eef8be9f82a0f581e7074f555983f79a1372543987fcd37b22f8ee039a3da2b68935bc1392f4b8fea27b172156f4d4f073356

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\oegjiten\CSC45BB3A2EF93F4B30A616B2C15F4BAD85.TMP

Filesize
652B

MD5
e78e890a6ca3302b551bcaae9538d76b

SHA1
2e03675d7bab2c19e62bf3a0d1b4b0fe0fc2efa8

SHA256
ffb7d7f2684315585a8176dcbcd81b4a8b7eb1e568ffa933a836197467d80acc

SHA512
f15a5c7d24638e7bb254704d5d8827369f1de728242939aa82d8f150a2f96507f10e896bf8eb4c1bc422fa593f4fca10a8eb62f65dae96d2dc72490460e593ef

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\oegjiten\oegjiten.0.cs

Filesize
582B

MD5
2bb8d0ee93aeae61a09adf4db6f29c1c

SHA1
8da3034bb8f84ea2522e276b492b2797b5db30ca

SHA256
68d44e3c373d2aec9dacf51326cbfebcba76c1c1a56545e5e1cbf58b44a9f817

SHA512
b3ec6841a9541e96a671a7d81378293567972541d9cdfc3137b478d9b4d3cccd4b5f536d0f059ee9c12fe9ba86bca62b795139a5215843465cb751e0ade95677

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\oegjiten\oegjiten.cmdline

Filesize
369B

MD5
c914fac1b619c3c21bca8f57e08c33f8

SHA1
38657462981721b6a44bb0a0302e1e342e712587

SHA256
a177f2f087910f5423bce1b1031cfbd78d805da85cadf96ac94a4a69242a94cc

SHA512
3edbc36c9eb2ed1ddfcaa355b1d8d8904c405ac33d96e1045a1cd0210bd1215b5f95c144e38ace83047ec395a5bac5725e8b7fbe1d1e09ff5243f2793a76b450

Download Submit
memory/2216-283-0x00000000006F0000-0x0000000000B29000-memory.dmp

Filesize
4.2MB

Download
memory/2216-176-0x0000000001040000-0x0000000001043000-memory.dmp

Filesize
12KB

Download
memory/2216-336-0x00000000006F0000-0x0000000000B29000-memory.dmp

Filesize
4.2MB

Download
memory/2216-169-0x00000000006F0000-0x0000000000B29000-memory.dmp

Filesize
4.2MB

Download
memory/2216-311-0x00000000006F0000-0x0000000000B29000-memory.dmp

Filesize
4.2MB

Download
memory/2216-303-0x00000000006F0000-0x0000000000B29000-memory.dmp

Filesize
4.2MB

Download
memory/4740-170-0x0000025D83C20000-0x0000025D83C30000-memory.dmp

Filesize
64KB

Download
memory/4740-281-0x0000025D9EC70000-0x0000025D9ED2E000-memory.dmp

Filesize
760KB

Download
memory/4740-275-0x0000025D9EC70000-0x0000025D9EDDA000-memory.dmp

Filesize
1.4MB

Download
memory/4740-276-0x0000025D9EC70000-0x0000025D9EDDA000-memory.dmp

Filesize
1.4MB

Download
memory/4740-175-0x0000025D83C20000-0x0000025D83C30000-memory.dmp

Filesize
64KB

Download
memory/4740-159-0x0000025D84100000-0x0000025D84122000-memory.dmp

Filesize
136KB

Download
memory/4740-279-0x0000025D9E560000-0x0000025D9E77C000-memory.dmp

Filesize
2.1MB

Download
memory/4740-274-0x00007FF9E8910000-0x00007FF9E8911000-memory.dmp

Filesize
4KB

Download
memory/4740-273-0x0000025D83C20000-0x0000025D83C30000-memory.dmp

Filesize
64KB

Download
memory/4740-284-0x0000025D83C20000-0x0000025D83C30000-memory.dmp

Filesize
64KB

Download
memory/4740-285-0x0000025D83C20000-0x0000025D83C30000-memory.dmp

Filesize
64KB

Download
memory/4740-286-0x0000025D83C20000-0x0000025D83C30000-memory.dmp

Filesize
64KB

Download
memory/4740-292-0x0000025D83C20000-0x0000025D83C30000-memory.dmp

Filesize
64KB

Download
memory/4740-272-0x0000025D9EC70000-0x0000025D9EDDA000-memory.dmp

Filesize
1.4MB

Download
memory/4740-266-0x0000025D9E8B0000-0x0000025D9EA1A000-memory.dmp

Filesize
1.4MB

Download
memory/4740-171-0x0000025D83C20000-0x0000025D83C30000-memory.dmp

Filesize
64KB

Download