bumblebee | 9890ae69f0a31a5656dbebce11384a70820ac49cabe9b244dfb8a5ed22617ff5

Analysis

max time kernel
151s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
07/05/2023, 05:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AdobePDFReader7.msi
Size

2.2MB
MD5

fadc9824c68402143239f764c99bb82d
SHA1

7eb72321c2c1e25b11c9d44229af22a179e27ce8
SHA256

9890ae69f0a31a5656dbebce11384a70820ac49cabe9b244dfb8a5ed22617ff5
SHA512

916b9b9836d5003193cf4f52c501a90ba16f18ca13a05325f9e11a6ee9d05b927013c09524757f33efd153c0e1d25648233e79f9a8eaa81fd69ed79282268ef6
SSDEEP

49152:NMU9FgsN+TXYr+LrUcdEL9MklhGUWhe8u/g1PQNPEUI:6gFPgYrordG9t0lepg1P2XI

Score

10^/10

bumblebee ad2404 trojan

Malware Config

Extracted

Family

bumblebee

Botnet

ad2404

149.3.170.185:443

23.108.57.117:443

199.195.249.67:443

103.175.16.149:443

209.141.58.129:443

192.254.79.106:443

rc4.plain

Signatures

BumbleBee
BumbleBee is a webshell malware written in C++.
trojan bumblebee

Blocklisted process makes network request 5 IoCs

flow	pid	Process
53	492	powershell.exe
61	492	powershell.exe
66	492	powershell.exe
70	492	powershell.exe
73	492	powershell.exe

Executes dropped EXE 1 IoCs

pid	Process
4812	readerdc64.exe

Enumerates connected drives 3 TTPs 48 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe

Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

pid	Process
492	powershell.exe

Drops file in Windows directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{DD475EBC-D960-4AF4-BB8A-BE91FA942756}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI6A62.tmp	msiexec.exe
File created	C:\Windows\Installer\e5768be.msi	msiexec.exe
File created	C:\Windows\Installer\e5768bc.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e5768bc.msi	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 0000000004000000a8dca56a4fb650f70000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff000000002701010000080000a8dca56a0000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3f000000ffffffff000000000700010000680900a8dca56a000000000000d0120000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000a8dca56a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000a8dca56a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
2248	msiexec.exe
2248	msiexec.exe
492	powershell.exe
492	powershell.exe
492	powershell.exe
492	powershell.exe
4812	readerdc64.exe
4812	readerdc64.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2820	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2820	msiexec.exe
Token: SeSecurityPrivilege	2248	msiexec.exe
Token: SeCreateTokenPrivilege	2820	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2820	msiexec.exe
Token: SeLockMemoryPrivilege	2820	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2820	msiexec.exe
Token: SeMachineAccountPrivilege	2820	msiexec.exe
Token: SeTcbPrivilege	2820	msiexec.exe
Token: SeSecurityPrivilege	2820	msiexec.exe
Token: SeTakeOwnershipPrivilege	2820	msiexec.exe
Token: SeLoadDriverPrivilege	2820	msiexec.exe
Token: SeSystemProfilePrivilege	2820	msiexec.exe
Token: SeSystemtimePrivilege	2820	msiexec.exe
Token: SeProfSingleProcessPrivilege	2820	msiexec.exe
Token: SeIncBasePriorityPrivilege	2820	msiexec.exe
Token: SeCreatePagefilePrivilege	2820	msiexec.exe
Token: SeCreatePermanentPrivilege	2820	msiexec.exe
Token: SeBackupPrivilege	2820	msiexec.exe
Token: SeRestorePrivilege	2820	msiexec.exe
Token: SeShutdownPrivilege	2820	msiexec.exe
Token: SeDebugPrivilege	2820	msiexec.exe
Token: SeAuditPrivilege	2820	msiexec.exe
Token: SeSystemEnvironmentPrivilege	2820	msiexec.exe
Token: SeChangeNotifyPrivilege	2820	msiexec.exe
Token: SeRemoteShutdownPrivilege	2820	msiexec.exe
Token: SeUndockPrivilege	2820	msiexec.exe
Token: SeSyncAgentPrivilege	2820	msiexec.exe
Token: SeEnableDelegationPrivilege	2820	msiexec.exe
Token: SeManageVolumePrivilege	2820	msiexec.exe
Token: SeImpersonatePrivilege	2820	msiexec.exe
Token: SeCreateGlobalPrivilege	2820	msiexec.exe
Token: SeBackupPrivilege	2156	vssvc.exe
Token: SeRestorePrivilege	2156	vssvc.exe
Token: SeAuditPrivilege	2156	vssvc.exe
Token: SeBackupPrivilege	2248	msiexec.exe
Token: SeRestorePrivilege	2248	msiexec.exe
Token: SeRestorePrivilege	2248	msiexec.exe
Token: SeTakeOwnershipPrivilege	2248	msiexec.exe
Token: SeRestorePrivilege	2248	msiexec.exe
Token: SeTakeOwnershipPrivilege	2248	msiexec.exe
Token: SeRestorePrivilege	2248	msiexec.exe
Token: SeTakeOwnershipPrivilege	2248	msiexec.exe
Token: SeRestorePrivilege	2248	msiexec.exe
Token: SeTakeOwnershipPrivilege	2248	msiexec.exe
Token: SeRestorePrivilege	2248	msiexec.exe
Token: SeTakeOwnershipPrivilege	2248	msiexec.exe
Token: SeRestorePrivilege	2248	msiexec.exe
Token: SeTakeOwnershipPrivilege	2248	msiexec.exe
Token: SeRestorePrivilege	2248	msiexec.exe
Token: SeTakeOwnershipPrivilege	2248	msiexec.exe
Token: SeRestorePrivilege	2248	msiexec.exe
Token: SeTakeOwnershipPrivilege	2248	msiexec.exe
Token: SeRestorePrivilege	2248	msiexec.exe
Token: SeTakeOwnershipPrivilege	2248	msiexec.exe
Token: SeRestorePrivilege	2248	msiexec.exe
Token: SeTakeOwnershipPrivilege	2248	msiexec.exe
Token: SeRestorePrivilege	2248	msiexec.exe
Token: SeTakeOwnershipPrivilege	2248	msiexec.exe
Token: SeRestorePrivilege	2248	msiexec.exe
Token: SeTakeOwnershipPrivilege	2248	msiexec.exe
Token: SeRestorePrivilege	2248	msiexec.exe
Token: SeTakeOwnershipPrivilege	2248	msiexec.exe
Token: SeRestorePrivilege	2248	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2820	msiexec.exe
2820	msiexec.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
4812	readerdc64.exe
4812	readerdc64.exe
4812	readerdc64.exe
4812	readerdc64.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 2248 wrote to memory of 1312	2248	msiexec.exe	97
PID 2248 wrote to memory of 1312	2248	msiexec.exe	97
PID 2248 wrote to memory of 492	2248	msiexec.exe	99
PID 2248 wrote to memory of 492	2248	msiexec.exe	99
PID 2248 wrote to memory of 4812	2248	msiexec.exe	100
PID 2248 wrote to memory of 4812	2248	msiexec.exe	100
PID 2248 wrote to memory of 4812	2248	msiexec.exe	100
PID 492 wrote to memory of 4828	492	powershell.exe	102
PID 492 wrote to memory of 4828	492	powershell.exe	102
PID 4828 wrote to memory of 2784	4828	csc.exe	103
PID 4828 wrote to memory of 2784	4828	csc.exe	103
PID 492 wrote to memory of 236	492	powershell.exe	104
PID 492 wrote to memory of 236	492	powershell.exe	104
PID 236 wrote to memory of 4156	236	csc.exe	105
PID 236 wrote to memory of 4156	236	csc.exe	105

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\AdobePDFReader7.msi
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2820

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2248
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  PID:1312
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep bypass -file "C:\Users\Admin\AppData\Local\Temp\Package Installation Dir\ad.ps1"
  2⤵
  - Blocklisted process makes network request
  - Suspicious use of NtCreateThreadExHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:492
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\kb1khfxy\kb1khfxy.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4828
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES731D.tmp" "c:\Users\Admin\AppData\Local\Temp\kb1khfxy\CSC411E999C4F724E81AC21CBF177638D2.TMP"
      4⤵
      PID:2784
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\txe4joz1\txe4joz1.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:236
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES88B8.tmp" "c:\Users\Admin\AppData\Local\Temp\txe4joz1\CSC4D385894DA8C4A09BE134CC82A7D857D.TMP"
      4⤵
      PID:4156
- C:\Users\Admin\AppData\Local\Temp\Package Installation Dir\readerdc64.exe
  "C:\Users\Admin\AppData\Local\Temp\Package Installation Dir\readerdc64.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:4812

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:2156

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e5768bd.rbs

Filesize
7KB

MD5
55b1634fc9b815376331b226708d1f63

SHA1
4e974cea22e208eec7e85e63534ba17a43bdf509

SHA256
8637db2999f0df297846693258efba7706d1200423b4937e477186596e5bf045

SHA512
7a3b2289f4d9656a6576983ea52258805e7aa5607dc7c15001d0188e6035775d3ae1a7af8e0ff7004ad4c7dca2bb55749336b1a5d0203b573d33d885ecf40ffa

Download Submit
C:\Users\Admin\AppData\Local\Adobe\873CF2C9-CE76-400C-BF7E-89E81417168A\progressbar_blue_active_100.png

Filesize
14KB

MD5
bb94a177f10bf764d11f94d24a5db5aa

SHA1
6864b58952b19248f4c5ea5c8764c52e207268a7

SHA256
caafea31074ba909ec57c9dcdd1b1c0256e5626939cc768b8a041fe42762e230

SHA512
d2875eb5ad9ff76ff233ada04fa77aecdbb0c9a80bcd85b0c50087786b47e97feec189d18164e15784cd96850849ee4e1920d7d98157ca7ad317ba03e8c66111

Download Submit
C:\Users\Admin\AppData\Local\Temp\Package Installation Dir\ad.ps1

Filesize
2.2MB

MD5
4e0e85a590f4972732f1f0de81aa5507

SHA1
8e1bcab1ac25c59c1203d808f04b53b1db5fd7eb

SHA256
bde15453821fff0d2ed08a8c10885c9ab4ec1ccc6b4b23a41e9e324e4e80a195

SHA512
2b874cf59cdc7298b7fcf6712db3ec4013fcd87b7c7bb44400a789821b35bc57e3ff4e98ccfe93bc4cb420d25b2d3e6967eab2e98abf43bb16543f454cef8953

Download Submit
C:\Users\Admin\AppData\Local\Temp\Package Installation Dir\readerdc64.exe

Filesize
1.2MB

MD5
eb17c8572700a9b7bbfb6c1142ad443e

SHA1
74022bd63cf919ac44af0dcbe0e4c14756c34b2e

SHA256
302b598ae57ca91ba4b4b59e926f2e07a073ab9afcb98eccde02f5e84cdfef52

SHA512
e7660219d815bc40741fd6737c092c8f442ebbec4f18981fbf261a269c4e2e162dc0349f76eb7b03a78529021fdab9b84322de7683685ab5d512ac7b4a5a63b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Package Installation Dir\readerdc64.exe

Filesize
1.2MB

MD5
eb17c8572700a9b7bbfb6c1142ad443e

SHA1
74022bd63cf919ac44af0dcbe0e4c14756c34b2e

SHA256
302b598ae57ca91ba4b4b59e926f2e07a073ab9afcb98eccde02f5e84cdfef52

SHA512
e7660219d815bc40741fd6737c092c8f442ebbec4f18981fbf261a269c4e2e162dc0349f76eb7b03a78529021fdab9b84322de7683685ab5d512ac7b4a5a63b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES731D.tmp

Filesize
1KB

MD5
14e2b99cda1794e29c49cb15ad8b7510

SHA1
ef119c8faba8bfc6b1a2660d0206e9fcbee7ba3c

SHA256
319523c19fa193dc8481caaa4446386f99b0e1822abe62081be77d2bfc6f80c4

SHA512
70c0e77c9ac069efd3208fe349328be0e7b77a8cd666aa049707769cf4b77e504ac863869cb016eeba057a793bd486653b770c5268cf19abfb2fd417cc631d9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES88B8.tmp

Filesize
1KB

MD5
52598811fde8bc9c92b26f323dafe9a1

SHA1
b312283cc23c5b452cdbb29bc65c6804b9873071

SHA256
3d04456e49e3e6fb1919aab8c4b4c70a7f2d425c205ca7533b537ec5ed863eb6

SHA512
3c66dfec0d551531e3169cfdc2af42a5ff4223f82bee0cc85f623d608a0c4a17bbd9ec188ae777b7860f8e27beb498119bfc59724db28626ae616bc38846853d

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_015zkusc.yml.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\kb1khfxy\kb1khfxy.dll

Filesize
3KB

MD5
79a42a9a5919582bc335b147bb7122c4

SHA1
6dd523c7db7bbc16a4cce88fb749f37b0071f16e

SHA256
d7161a8a262aea17846f3e3c3c25d2b2f0038520ccb066fdeb54fd5bb225eb78

SHA512
def55a1711595b2f94444130c879e14a872dc3727d91fc846f1c257a5affe7101429089e53a0b1c51d403967359b3a92a8f7b0290ebb7f40421f6c251ac443c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\txe4joz1\txe4joz1.dll

Filesize
3KB

MD5
aa836e1ca0e2731d4f930a7784acded7

SHA1
8df2a4a61c8f4334b45e58db87312e9ff1e91730

SHA256
cbd3fd8b7e18a96a922b247d42f473088ae8d07d8a3115e6b1f4de29da309472

SHA512
c03fff761db778a9f8bb72a6980d79c00aa5284d69ec1fddafa1eaa72e1113a66fdc2d828e4a6f11e47bdee2aa2dedad088e144d1b91e20cff41422a39a73b9c

Download Submit
C:\Windows\Installer\e5768bc.msi

Filesize
2.2MB

MD5
fadc9824c68402143239f764c99bb82d

SHA1
7eb72321c2c1e25b11c9d44229af22a179e27ce8

SHA256
9890ae69f0a31a5656dbebce11384a70820ac49cabe9b244dfb8a5ed22617ff5

SHA512
916b9b9836d5003193cf4f52c501a90ba16f18ca13a05325f9e11a6ee9d05b927013c09524757f33efd153c0e1d25648233e79f9a8eaa81fd69ed79282268ef6

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

Filesize
11.8MB

MD5
a87672996bae60a3841de4fd6cd736ef

SHA1
75d4839cfd24a58463a9d85573a0d5c5e3377e75

SHA256
491d758fd49544d6da2c0dbdb89380b2cc170fe69287fe872672fe4d60439e74

SHA512
c780b86183d4be2202afde12fd0f4c27190d1ca119efe8ff75680dd404d401dd0c7968c0899fb85b17e64cec1ae9e4a0bc92b186c09d4c17140047c35991688a

Download Submit
\??\Volume{6aa5dca8-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{2e6eefc3-8d3a-4de7-b4a9-7c2f8dd8c66a}_OnDiskSnapshotProp

Filesize
5KB

MD5
43e00a23b0edeae8280573be7b8d936e

SHA1
2f5582b67a2a5c6577855f2cc4c50b1011c06124

SHA256
d4907153e304bfef93509245252a2fceec250c169fea200fa63be21265652a10

SHA512
857609fc2d5c98a0c7188a0ba68822e78b6081d7306a2569b2c5df6a41dbcc4bb88b9330289fe2a344a88636a96167616682b09c66e818bf655ad73d04466cd6

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\kb1khfxy\CSC411E999C4F724E81AC21CBF177638D2.TMP

Filesize
652B

MD5
d235e820fbd53f4f585aaa02b878e8eb

SHA1
6c0008081064978406c3167d70aae74b80d7293a

SHA256
0abdaae4de60e691bc61ce41479b490440e2a4b831f5ceac845b4ebe3853cc15

SHA512
a0fabc19f636ae094b5fa828d4621e7e087b5cc5ac774988f257f06fd181c1c695602c78722a57e228a4b8dbf4fe1de8d6409ac1e1564596798625b8607f839c

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\kb1khfxy\kb1khfxy.0.cs

Filesize
203B

MD5
b611be9282deb44eed731f72bcbb2b82

SHA1
cc1d606d853bbabd5fef87255356a0d54381c289

SHA256
ee09fdd61a05266e4e09f418fc6a452f1205d9f29afba6b8a1579333dc3ff3b6

SHA512
63b5ad7b65fd4866fb8841e4eee567e4f1e7888bb9fda8dd5c8dca3461d084d3f80ce920ae321609e4ff32ba13a55b7320282ce7201bb74a793d4700240360a4

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\kb1khfxy\kb1khfxy.cmdline

Filesize
369B

MD5
165086c43073ce9bddec2fcfb7e500bd

SHA1
d479f8c26f6b91c33a2d4be8bac872621c3b8a6d

SHA256
08af771c4258c83d2555d1b4d9b9d59626cc95a1af51da5ac6befce4b6ad56c4

SHA512
26511515a7bb9b5339035b9977ae41056b668b8de7ca426f73aa4a257a440be9991ecc16178888a475f067c9a4a6e550b121174afdd1ece517f3a6bffc09853d

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\txe4joz1\CSC4D385894DA8C4A09BE134CC82A7D857D.TMP

Filesize
652B

MD5
def47f110070e2ff0fc36c0ea157d3c8

SHA1
6c28fdb376b20fb47095cff8c0d095bc28cb0462

SHA256
f47025fc7beacf268281f0fb756fa78ed7b451b3cfc3221642d6f723615741f1

SHA512
79ec3d0bafaee09734dbe9414a724ca9c6fe532c2e0de22db76f7c10c4ff14c1df43876ca954eb80c5adbffcb9e127658b6c3809f9bf59c1e752955b915feb40

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\txe4joz1\txe4joz1.0.cs

Filesize
582B

MD5
2bb8d0ee93aeae61a09adf4db6f29c1c

SHA1
8da3034bb8f84ea2522e276b492b2797b5db30ca

SHA256
68d44e3c373d2aec9dacf51326cbfebcba76c1c1a56545e5e1cbf58b44a9f817

SHA512
b3ec6841a9541e96a671a7d81378293567972541d9cdfc3137b478d9b4d3cccd4b5f536d0f059ee9c12fe9ba86bca62b795139a5215843465cb751e0ade95677

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\txe4joz1\txe4joz1.cmdline

Filesize
369B

MD5
1bc1b601f6c6c94117abb83fc5a4365c

SHA1
b0161e6644b7a0d68509db2f66bee95cc8df2084

SHA256
3bbed28ea1d6d53f8d5c610eb04111b4d34920bb1cb6246d4b786e6275fbf6d7

SHA512
15b7581340a774a8715754c907567145e2eee1cd8cb99575bafc1561d6e357e60fef91018fd32bd63970307c7c4edd8d14a68db16c2acdc790472c7808b979b5

Download Submit
memory/492-268-0x00000197A3A90000-0x00000197A3AA0000-memory.dmp

Filesize
64KB

Download
memory/492-180-0x00000197A3A90000-0x00000197A3AA0000-memory.dmp

Filesize
64KB

Download
memory/492-170-0x00000197A3BA0000-0x00000197A3BC2000-memory.dmp

Filesize
136KB

Download
memory/492-169-0x00000197A3A90000-0x00000197A3AA0000-memory.dmp

Filesize
64KB

Download
memory/492-286-0x00000197A3A90000-0x00000197A3AA0000-memory.dmp

Filesize
64KB

Download
memory/492-168-0x00000197A3A90000-0x00000197A3AA0000-memory.dmp

Filesize
64KB

Download
memory/492-281-0x00000197A3F90000-0x00000197A40FA000-memory.dmp

Filesize
1.4MB

Download
memory/492-269-0x00000197A3A90000-0x00000197A3AA0000-memory.dmp

Filesize
64KB

Download
memory/492-283-0x00000197A3F90000-0x00000197A404E000-memory.dmp

Filesize
760KB

Download
memory/492-271-0x00000197A3E20000-0x00000197A3F8A000-memory.dmp

Filesize
1.4MB

Download
memory/492-277-0x00000197A3A90000-0x00000197A3AA0000-memory.dmp

Filesize
64KB

Download
memory/492-278-0x00000197A3F90000-0x00000197A40FA000-memory.dmp

Filesize
1.4MB

Download
memory/492-279-0x00007FF9753F0000-0x00007FF9753F1000-memory.dmp

Filesize
4KB

Download
memory/492-280-0x00000197A3F90000-0x00000197A40FA000-memory.dmp

Filesize
1.4MB

Download
memory/4812-266-0x0000000000560000-0x0000000000999000-memory.dmp

Filesize
4.2MB

Download
memory/4812-158-0x0000000000560000-0x0000000000999000-memory.dmp

Filesize
4.2MB

Download
memory/4812-285-0x0000000000560000-0x0000000000999000-memory.dmp

Filesize
4.2MB

Download
memory/4812-181-0x0000000002B70000-0x0000000002B73000-memory.dmp

Filesize
12KB

Download
memory/4812-290-0x0000000000560000-0x0000000000999000-memory.dmp

Filesize
4.2MB

Download
memory/4812-297-0x0000000000560000-0x0000000000999000-memory.dmp

Filesize
4.2MB

Download
memory/4812-301-0x0000000000560000-0x0000000000999000-memory.dmp

Filesize
4.2MB

Download
memory/4812-314-0x0000000000560000-0x0000000000999000-memory.dmp

Filesize
4.2MB

Download
memory/4812-318-0x0000000000560000-0x0000000000999000-memory.dmp

Filesize
4.2MB

Download
memory/4812-326-0x0000000000560000-0x0000000000999000-memory.dmp

Filesize
4.2MB

Download