bumblebee | 9890ae69f0a31a5656dbebce11384a70820ac49cabe9b244dfb8a5ed22617ff5

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20230221-en
resource tags

arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system
submitted
28/04/2023, 02:14

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

fadc9824c68402143239f764c99bb82d.msi
Size

2.2MB
MD5

fadc9824c68402143239f764c99bb82d
SHA1

7eb72321c2c1e25b11c9d44229af22a179e27ce8
SHA256

9890ae69f0a31a5656dbebce11384a70820ac49cabe9b244dfb8a5ed22617ff5
SHA512

916b9b9836d5003193cf4f52c501a90ba16f18ca13a05325f9e11a6ee9d05b927013c09524757f33efd153c0e1d25648233e79f9a8eaa81fd69ed79282268ef6
SSDEEP

49152:NMU9FgsN+TXYr+LrUcdEL9MklhGUWhe8u/g1PQNPEUI:6gFPgYrordG9t0lepg1P2XI

Score

10^/10

bumblebee ad2404 trojan

Malware Config

Extracted

Family

bumblebee

Botnet

ad2404

149.3.170.185:443

23.108.57.117:443

199.195.249.67:443

103.175.16.149:443

209.141.58.129:443

192.254.79.106:443

rc4.plain

Signatures

BumbleBee
BumbleBee is a webshell malware written in C++.
trojan bumblebee

Blocklisted process makes network request 5 IoCs

flow	pid	Process
71	3304	powershell.exe
76	3304	powershell.exe
82	3304	powershell.exe
84	3304	powershell.exe
86	3304	powershell.exe

Executes dropped EXE 1 IoCs

pid	Process
1968	readerdc64.exe

Enumerates connected drives 3 TTPs 48 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe

Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

pid	Process
3304	powershell.exe

Drops file in Windows directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{DD475EBC-D960-4AF4-BB8A-BE91FA942756}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIFA53.tmp	msiexec.exe
File created	C:\Windows\Installer\e56f94b.msi	msiexec.exe
File created	C:\Windows\Installer\e56f949.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e56f949.msi	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 00000000040000008ccb747e6bc781e30000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff0000000027010100000800008ccb747e0000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3f000000ffffffff0000000007000100006809008ccb747e000000000000d0120000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000000000008ccb747e00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000000000008ccb747e00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
1456	msiexec.exe
1456	msiexec.exe
3304	powershell.exe
3304	powershell.exe
3304	powershell.exe
3304	powershell.exe
1968	readerdc64.exe
1968	readerdc64.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3444	msiexec.exe
Token: SeIncreaseQuotaPrivilege	3444	msiexec.exe
Token: SeSecurityPrivilege	1456	msiexec.exe
Token: SeCreateTokenPrivilege	3444	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	3444	msiexec.exe
Token: SeLockMemoryPrivilege	3444	msiexec.exe
Token: SeIncreaseQuotaPrivilege	3444	msiexec.exe
Token: SeMachineAccountPrivilege	3444	msiexec.exe
Token: SeTcbPrivilege	3444	msiexec.exe
Token: SeSecurityPrivilege	3444	msiexec.exe
Token: SeTakeOwnershipPrivilege	3444	msiexec.exe
Token: SeLoadDriverPrivilege	3444	msiexec.exe
Token: SeSystemProfilePrivilege	3444	msiexec.exe
Token: SeSystemtimePrivilege	3444	msiexec.exe
Token: SeProfSingleProcessPrivilege	3444	msiexec.exe
Token: SeIncBasePriorityPrivilege	3444	msiexec.exe
Token: SeCreatePagefilePrivilege	3444	msiexec.exe
Token: SeCreatePermanentPrivilege	3444	msiexec.exe
Token: SeBackupPrivilege	3444	msiexec.exe
Token: SeRestorePrivilege	3444	msiexec.exe
Token: SeShutdownPrivilege	3444	msiexec.exe
Token: SeDebugPrivilege	3444	msiexec.exe
Token: SeAuditPrivilege	3444	msiexec.exe
Token: SeSystemEnvironmentPrivilege	3444	msiexec.exe
Token: SeChangeNotifyPrivilege	3444	msiexec.exe
Token: SeRemoteShutdownPrivilege	3444	msiexec.exe
Token: SeUndockPrivilege	3444	msiexec.exe
Token: SeSyncAgentPrivilege	3444	msiexec.exe
Token: SeEnableDelegationPrivilege	3444	msiexec.exe
Token: SeManageVolumePrivilege	3444	msiexec.exe
Token: SeImpersonatePrivilege	3444	msiexec.exe
Token: SeCreateGlobalPrivilege	3444	msiexec.exe
Token: SeBackupPrivilege	4064	vssvc.exe
Token: SeRestorePrivilege	4064	vssvc.exe
Token: SeAuditPrivilege	4064	vssvc.exe
Token: SeBackupPrivilege	1456	msiexec.exe
Token: SeRestorePrivilege	1456	msiexec.exe
Token: SeRestorePrivilege	1456	msiexec.exe
Token: SeTakeOwnershipPrivilege	1456	msiexec.exe
Token: SeRestorePrivilege	1456	msiexec.exe
Token: SeTakeOwnershipPrivilege	1456	msiexec.exe
Token: SeRestorePrivilege	1456	msiexec.exe
Token: SeTakeOwnershipPrivilege	1456	msiexec.exe
Token: SeRestorePrivilege	1456	msiexec.exe
Token: SeTakeOwnershipPrivilege	1456	msiexec.exe
Token: SeRestorePrivilege	1456	msiexec.exe
Token: SeTakeOwnershipPrivilege	1456	msiexec.exe
Token: SeRestorePrivilege	1456	msiexec.exe
Token: SeTakeOwnershipPrivilege	1456	msiexec.exe
Token: SeRestorePrivilege	1456	msiexec.exe
Token: SeTakeOwnershipPrivilege	1456	msiexec.exe
Token: SeRestorePrivilege	1456	msiexec.exe
Token: SeTakeOwnershipPrivilege	1456	msiexec.exe
Token: SeRestorePrivilege	1456	msiexec.exe
Token: SeTakeOwnershipPrivilege	1456	msiexec.exe
Token: SeRestorePrivilege	1456	msiexec.exe
Token: SeTakeOwnershipPrivilege	1456	msiexec.exe
Token: SeRestorePrivilege	1456	msiexec.exe
Token: SeTakeOwnershipPrivilege	1456	msiexec.exe
Token: SeRestorePrivilege	1456	msiexec.exe
Token: SeTakeOwnershipPrivilege	1456	msiexec.exe
Token: SeRestorePrivilege	1456	msiexec.exe
Token: SeTakeOwnershipPrivilege	1456	msiexec.exe
Token: SeRestorePrivilege	1456	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
3444	msiexec.exe
3444	msiexec.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
1968	readerdc64.exe
1968	readerdc64.exe
1968	readerdc64.exe
1968	readerdc64.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 1456 wrote to memory of 5048	1456	msiexec.exe	97
PID 1456 wrote to memory of 5048	1456	msiexec.exe	97
PID 1456 wrote to memory of 3304	1456	msiexec.exe	99
PID 1456 wrote to memory of 3304	1456	msiexec.exe	99
PID 1456 wrote to memory of 1968	1456	msiexec.exe	101
PID 1456 wrote to memory of 1968	1456	msiexec.exe	101
PID 1456 wrote to memory of 1968	1456	msiexec.exe	101
PID 3304 wrote to memory of 4896	3304	powershell.exe	102
PID 3304 wrote to memory of 4896	3304	powershell.exe	102
PID 4896 wrote to memory of 3832	4896	csc.exe	103
PID 4896 wrote to memory of 3832	4896	csc.exe	103
PID 3304 wrote to memory of 4180	3304	powershell.exe	104
PID 3304 wrote to memory of 4180	3304	powershell.exe	104
PID 4180 wrote to memory of 5072	4180	csc.exe	105
PID 4180 wrote to memory of 5072	4180	csc.exe	105

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\fadc9824c68402143239f764c99bb82d.msi
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3444

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1456
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  PID:5048
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep bypass -file "C:\Users\Admin\AppData\Local\Temp\Package Installation Dir\ad.ps1"
  2⤵
  - Blocklisted process makes network request
  - Suspicious use of NtCreateThreadExHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:3304
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\yv2bj1wl\yv2bj1wl.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4896
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESDB.tmp" "c:\Users\Admin\AppData\Local\Temp\yv2bj1wl\CSC95312053DD85424087407F6611333B43.TMP"
      4⤵
      PID:3832
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\yxigenyw\yxigenyw.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4180
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1359.tmp" "c:\Users\Admin\AppData\Local\Temp\yxigenyw\CSC6D64A8C2FEE74E9BB2856DB9F8FF2F4.TMP"
      4⤵
      PID:5072
- C:\Users\Admin\AppData\Local\Temp\Package Installation Dir\readerdc64.exe
  "C:\Users\Admin\AppData\Local\Temp\Package Installation Dir\readerdc64.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:1968

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:4064

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e56f94a.rbs

Filesize
7KB

MD5
e5b4a9f35f123d9be33b8d07bc99006c

SHA1
af047ce3c5a5cd42b8af323213b1d13f59a68431

SHA256
54e21143e88f53bd4f5a052391f70cdf3d89aebae54caa69d0361e57d7db0de5

SHA512
0e043d5567b9b693086286b7a6719646cf34e68070c364e6518ca469d4687a093ba903db83abfc1961e46c452f4a78726b09bb59f48a106603fc805136257d60

Download Submit
C:\Users\Admin\AppData\Local\Adobe\0D57F598-FFB1-4D70-86D3-51E3A2E0B354\progressbar_blue_active_100.png

Filesize
14KB

MD5
bb94a177f10bf764d11f94d24a5db5aa

SHA1
6864b58952b19248f4c5ea5c8764c52e207268a7

SHA256
caafea31074ba909ec57c9dcdd1b1c0256e5626939cc768b8a041fe42762e230

SHA512
d2875eb5ad9ff76ff233ada04fa77aecdbb0c9a80bcd85b0c50087786b47e97feec189d18164e15784cd96850849ee4e1920d7d98157ca7ad317ba03e8c66111

Download Submit
C:\Users\Admin\AppData\Local\Temp\Package Installation Dir\ad.ps1

Filesize
2.2MB

MD5
4e0e85a590f4972732f1f0de81aa5507

SHA1
8e1bcab1ac25c59c1203d808f04b53b1db5fd7eb

SHA256
bde15453821fff0d2ed08a8c10885c9ab4ec1ccc6b4b23a41e9e324e4e80a195

SHA512
2b874cf59cdc7298b7fcf6712db3ec4013fcd87b7c7bb44400a789821b35bc57e3ff4e98ccfe93bc4cb420d25b2d3e6967eab2e98abf43bb16543f454cef8953

Download Submit
C:\Users\Admin\AppData\Local\Temp\Package Installation Dir\readerdc64.exe

Filesize
1.2MB

MD5
eb17c8572700a9b7bbfb6c1142ad443e

SHA1
74022bd63cf919ac44af0dcbe0e4c14756c34b2e

SHA256
302b598ae57ca91ba4b4b59e926f2e07a073ab9afcb98eccde02f5e84cdfef52

SHA512
e7660219d815bc40741fd6737c092c8f442ebbec4f18981fbf261a269c4e2e162dc0349f76eb7b03a78529021fdab9b84322de7683685ab5d512ac7b4a5a63b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Package Installation Dir\readerdc64.exe

Filesize
1.2MB

MD5
eb17c8572700a9b7bbfb6c1142ad443e

SHA1
74022bd63cf919ac44af0dcbe0e4c14756c34b2e

SHA256
302b598ae57ca91ba4b4b59e926f2e07a073ab9afcb98eccde02f5e84cdfef52

SHA512
e7660219d815bc40741fd6737c092c8f442ebbec4f18981fbf261a269c4e2e162dc0349f76eb7b03a78529021fdab9b84322de7683685ab5d512ac7b4a5a63b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES1359.tmp

Filesize
1KB

MD5
0cc03b37003186f5f074afd694ab2352

SHA1
c2fc4e7062d8613272aa512509bf64a5fee9b589

SHA256
50c0549880bf53f5e3ea8f852cd7204448fb2e6ce991837eae72dd331f1f59c7

SHA512
e651a2442f10dc85b50b3b78a3eaa7c6d0fd7a75bfd8262c18be49e280e59240d8524f5979a571066e5015a21927cb594bb664aa1eb092b948c05eb5fd997fc6

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESDB.tmp

Filesize
1KB

MD5
8505a23f619102ab45a56c148cd906b7

SHA1
70feadc178b38481e954c61ac54fa5705a703194

SHA256
6251713b8580eeacf5f9ce14de6ed9cbc49c8bf0eb7b053919561bb515ed8aa3

SHA512
32862fcf02d195006bee54bc5182f238734824770febf9998f4894cba8ce8f464b794974ade5e96ea2dc76a3e29da69f0df01d80ddcd50ed44a472f92717f316

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_lujeeud4.zvv.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\yv2bj1wl\yv2bj1wl.dll

Filesize
3KB

MD5
c2997586615aa20df3808dc38c22ce3a

SHA1
015ced9d4a705e28159d972e5146842afd5a4381

SHA256
fd81456dd1d41769f49918be1487c3b3c729833bb402849bdc96c813c8bcbd45

SHA512
c13e0366e2a8ff1c4697dc9de7840d41acfbe52059ce998dc8610dd1c2dcafffaab203840c095ad36a1844118d9e36b566a2e05b78ad4de9b49693b1336f8e85

Download Submit
C:\Users\Admin\AppData\Local\Temp\yxigenyw\yxigenyw.dll

Filesize
3KB

MD5
aa8e9a576ab5dd1ebbd895061cc405fe

SHA1
13de7f52ff786b003a433dbfbac68e3afda9709e

SHA256
4b3526f5e4b8e1e58e4f3cf87c6419e588973d19f18acf7aa57381b840cfde8a

SHA512
81b9fac06c08903caee7ce02d83a2e52ec35f35d39a4ea7501eeb8dffaf3445153f550eb9c467fafb131d4d50ff87d02e8705a7f6046589bfa71fa61a4bbc562

Download Submit
C:\Windows\Installer\e56f949.msi

Filesize
2.2MB

MD5
fadc9824c68402143239f764c99bb82d

SHA1
7eb72321c2c1e25b11c9d44229af22a179e27ce8

SHA256
9890ae69f0a31a5656dbebce11384a70820ac49cabe9b244dfb8a5ed22617ff5

SHA512
916b9b9836d5003193cf4f52c501a90ba16f18ca13a05325f9e11a6ee9d05b927013c09524757f33efd153c0e1d25648233e79f9a8eaa81fd69ed79282268ef6

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

Filesize
23.0MB

MD5
8f6ca66834d2ab30c6a84e1e1a87d330

SHA1
50d353d7ddd89475b71dd4b32699853c68019892

SHA256
1891720c7296070aef4888e8b6c59ea9d7d81112be6ed069781967a5f4a6da4f

SHA512
58e0e7b46460632ac2d69de33cc9aa97a101ddf6538b38d2ed449709a2f60c654fdd0574aeb6f8bea83ad30f0fd9234ad5ded5395b20f5a52bab57d9f99d73fb

Download Submit
\??\Volume{7e74cb8c-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{64912de0-e1c4-481b-8173-09c77c81948c}_OnDiskSnapshotProp

Filesize
5KB

MD5
f59dab303d1227ec6f814d40cfecd86e

SHA1
89369c19d66ac665c7a9ac53292bd8f71e5c7f35

SHA256
7354f871aa16b008092117bec3514996ff9b1947bdd256892ff69f21ab8496d5

SHA512
1335d8c86ae1987c360c54c05ea6b096a49d922703a68dec0a4f667d4577770fd8f7a2fe4dc9872877f409ba7af7b8169a3f9f1e7e2b766ab79f781227b14183

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\yv2bj1wl\CSC95312053DD85424087407F6611333B43.TMP

Filesize
652B

MD5
2ddfe25c39a12268e31769616b90b5e9

SHA1
b43d39ca205c4627afbaa030a12eb3cc66d925e9

SHA256
6e7463847a36aeb0ebb76019b3f770fc56112c0cabc49c3668e86816a0ecab2c

SHA512
6d127f083c1af546b294751a579885474d61a82cd7372781bc087d9462a5cd234aa131ae8e68f0765374d301be2fa71f17203fc761bd4fd736205bccbbd56eda

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\yv2bj1wl\yv2bj1wl.0.cs

Filesize
203B

MD5
b611be9282deb44eed731f72bcbb2b82

SHA1
cc1d606d853bbabd5fef87255356a0d54381c289

SHA256
ee09fdd61a05266e4e09f418fc6a452f1205d9f29afba6b8a1579333dc3ff3b6

SHA512
63b5ad7b65fd4866fb8841e4eee567e4f1e7888bb9fda8dd5c8dca3461d084d3f80ce920ae321609e4ff32ba13a55b7320282ce7201bb74a793d4700240360a4

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\yv2bj1wl\yv2bj1wl.cmdline

Filesize
369B

MD5
60154bfe16e06f962b31c7fbaae93d2f

SHA1
c403e97079fe4b4936df49671aaca4e780139246

SHA256
98af3ba6187f3ee83ff57c83019349d9539bb51915c02fd8a2831b53725ef315

SHA512
2c016fcd0caa9a8b6628da8ccd0f827cd782af38b8aba20ffe2ecb229c74190d44611b86be7e27c7d4d636d0bc79aa2b5467217ecb35aecf92cd6fd6ae21a09c

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\yxigenyw\CSC6D64A8C2FEE74E9BB2856DB9F8FF2F4.TMP

Filesize
652B

MD5
b8e50e8c1dd1920b96dd2a629e85b6e8

SHA1
2abcde07251abe92eeb15e0516261a48372bb2d8

SHA256
86d8ba7a5946de59f96e77f002f4e47e1dabf4b9cfef3d0dc3a6bd2792ac723c

SHA512
280078874f2909c7aa63fff2f5fbd46b181ef3b2defc454e4e930ec491770f9f11792141ff7e757c44b60fed5fadb21e9118ea3fa3daaf974a30090fefe3c1c6

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\yxigenyw\yxigenyw.0.cs

Filesize
582B

MD5
2bb8d0ee93aeae61a09adf4db6f29c1c

SHA1
8da3034bb8f84ea2522e276b492b2797b5db30ca

SHA256
68d44e3c373d2aec9dacf51326cbfebcba76c1c1a56545e5e1cbf58b44a9f817

SHA512
b3ec6841a9541e96a671a7d81378293567972541d9cdfc3137b478d9b4d3cccd4b5f536d0f059ee9c12fe9ba86bca62b795139a5215843465cb751e0ade95677

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\yxigenyw\yxigenyw.cmdline

Filesize
369B

MD5
532bb8a9ec6d9c1fd7d959366bb49377

SHA1
3524dc7899d889ef1d5c9c66509977cba81edbce

SHA256
bfb0bc8521f05999ad2be906b6d7592ea82c0801c99001d18f2262523bb51d91

SHA512
1c2db17dc63bd5f24a3c83eac52a5c8947c12c46925d21b08795182348437113eefbd8266fe1bd38540157eaee1f7cd570d795e4e4b2c7fb8c00ac1c8efcdb28

Download Submit
memory/1968-280-0x00000000004A0000-0x00000000008D9000-memory.dmp

Filesize
4.2MB

Download
memory/1968-183-0x0000000000DE0000-0x0000000000DE3000-memory.dmp

Filesize
12KB

Download
memory/1968-320-0x00000000004A0000-0x00000000008D9000-memory.dmp

Filesize
4.2MB

Download
memory/1968-307-0x00000000004A0000-0x00000000008D9000-memory.dmp

Filesize
4.2MB

Download
memory/1968-303-0x00000000004A0000-0x00000000008D9000-memory.dmp

Filesize
4.2MB

Download
memory/1968-299-0x00000000004A0000-0x00000000008D9000-memory.dmp

Filesize
4.2MB

Download
memory/1968-288-0x00000000004A0000-0x00000000008D9000-memory.dmp

Filesize
4.2MB

Download
memory/1968-165-0x00000000004A0000-0x00000000008D9000-memory.dmp

Filesize
4.2MB

Download
memory/3304-275-0x0000015DCEC10000-0x0000015DCED7A000-memory.dmp

Filesize
1.4MB

Download
memory/3304-276-0x0000015DCEC10000-0x0000015DCED7A000-memory.dmp

Filesize
1.4MB

Download
memory/3304-278-0x0000015DCEC10000-0x0000015DCECCE000-memory.dmp

Filesize
760KB

Download
memory/3304-186-0x0000015DCE600000-0x0000015DCE610000-memory.dmp

Filesize
64KB

Download
memory/3304-281-0x0000015DCE600000-0x0000015DCE610000-memory.dmp

Filesize
64KB

Download
memory/3304-167-0x0000015DCE600000-0x0000015DCE610000-memory.dmp

Filesize
64KB

Download
memory/3304-274-0x00007FFD43210000-0x00007FFD43211000-memory.dmp

Filesize
4KB

Download
memory/3304-284-0x0000015DCE600000-0x0000015DCE610000-memory.dmp

Filesize
64KB

Download
memory/3304-273-0x0000015DCE600000-0x0000015DCE610000-memory.dmp

Filesize
64KB

Download
memory/3304-272-0x0000015DCEC10000-0x0000015DCED7A000-memory.dmp

Filesize
1.4MB

Download
memory/3304-266-0x0000015DCEAA0000-0x0000015DCEC0A000-memory.dmp

Filesize
1.4MB

Download
memory/3304-166-0x0000015DCE600000-0x0000015DCE610000-memory.dmp

Filesize
64KB

Download
memory/3304-168-0x0000015DCE710000-0x0000015DCE732000-memory.dmp

Filesize
136KB

Download