bumblebee | 6fed6902e05e825c5c600df452de46736263d58920d32a9346b50c6248384211

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
11-05-2023 06:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1.msi
Size

3.5MB
MD5

e1abe0b693e8ee3df8367caf14f8565c
SHA1

14867c8c4bbcc57efe63a71bfcde4cf832be9b2a
SHA256

6fed6902e05e825c5c600df452de46736263d58920d32a9346b50c6248384211
SHA512

f51b5d36761d9e8443809056c508e43ff668a858c02c81bb95d10cf333af1eac587cbb14e6a3b98b23845aee6d6afa35999cb2540a13846ba0864bc90f2e9be6
SSDEEP

98304:OnokaJXwylk5q30yI43EDhKgn8owQTJK/gQm5z/K:nH753iYgdOTmFK

Score

10^/10

bumblebee kp2704 trojan

Malware Config

Extracted

Family

bumblebee

Botnet

kp2704

103.175.16.119:443

146.19.173.76:443

172.93.201.2:443

rc4.plain

Signatures

BumbleBee
BumbleBee is a webshell malware written in C++.
trojan bumblebee

Blocklisted process makes network request 6 IoCs

flow	pid	Process
31	4544	powershell.exe
35	4544	powershell.exe
53	4544	powershell.exe
56	4544	powershell.exe
57	4544	powershell.exe
59	4544	powershell.exe

Executes dropped EXE 2 IoCs

pid	Process
2536	KeePass-Setup.exe
896	KeePass-Setup.tmp

Enumerates connected drives 3 TTPs 48 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe

Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

pid	Process
4544	powershell.exe

Drops file in Windows directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{DD475EBC-D960-4AF4-BB8A-BE91FA942756}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIDCE7.tmp	msiexec.exe
File created	C:\Windows\Installer\e56db72.msi	msiexec.exe
File created	C:\Windows\Installer\e56db70.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e56db70.msi	msiexec.exe

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 0000000004000000f9d6c693febb2fce0000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff000000002701010000080000f9d6c6930000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3f000000ffffffff000000000700010000680900f9d6c693000000000000d0120000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000f9d6c69300000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000f9d6c69300000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
1208	msiexec.exe
1208	msiexec.exe
4544	powershell.exe
4544	powershell.exe
4544	powershell.exe
4544	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	5032	msiexec.exe
Token: SeIncreaseQuotaPrivilege	5032	msiexec.exe
Token: SeSecurityPrivilege	1208	msiexec.exe
Token: SeCreateTokenPrivilege	5032	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	5032	msiexec.exe
Token: SeLockMemoryPrivilege	5032	msiexec.exe
Token: SeIncreaseQuotaPrivilege	5032	msiexec.exe
Token: SeMachineAccountPrivilege	5032	msiexec.exe
Token: SeTcbPrivilege	5032	msiexec.exe
Token: SeSecurityPrivilege	5032	msiexec.exe
Token: SeTakeOwnershipPrivilege	5032	msiexec.exe
Token: SeLoadDriverPrivilege	5032	msiexec.exe
Token: SeSystemProfilePrivilege	5032	msiexec.exe
Token: SeSystemtimePrivilege	5032	msiexec.exe
Token: SeProfSingleProcessPrivilege	5032	msiexec.exe
Token: SeIncBasePriorityPrivilege	5032	msiexec.exe
Token: SeCreatePagefilePrivilege	5032	msiexec.exe
Token: SeCreatePermanentPrivilege	5032	msiexec.exe
Token: SeBackupPrivilege	5032	msiexec.exe
Token: SeRestorePrivilege	5032	msiexec.exe
Token: SeShutdownPrivilege	5032	msiexec.exe
Token: SeDebugPrivilege	5032	msiexec.exe
Token: SeAuditPrivilege	5032	msiexec.exe
Token: SeSystemEnvironmentPrivilege	5032	msiexec.exe
Token: SeChangeNotifyPrivilege	5032	msiexec.exe
Token: SeRemoteShutdownPrivilege	5032	msiexec.exe
Token: SeUndockPrivilege	5032	msiexec.exe
Token: SeSyncAgentPrivilege	5032	msiexec.exe
Token: SeEnableDelegationPrivilege	5032	msiexec.exe
Token: SeManageVolumePrivilege	5032	msiexec.exe
Token: SeImpersonatePrivilege	5032	msiexec.exe
Token: SeCreateGlobalPrivilege	5032	msiexec.exe
Token: SeBackupPrivilege	3512	vssvc.exe
Token: SeRestorePrivilege	3512	vssvc.exe
Token: SeAuditPrivilege	3512	vssvc.exe
Token: SeBackupPrivilege	1208	msiexec.exe
Token: SeRestorePrivilege	1208	msiexec.exe
Token: SeRestorePrivilege	1208	msiexec.exe
Token: SeTakeOwnershipPrivilege	1208	msiexec.exe
Token: SeRestorePrivilege	1208	msiexec.exe
Token: SeTakeOwnershipPrivilege	1208	msiexec.exe
Token: SeRestorePrivilege	1208	msiexec.exe
Token: SeTakeOwnershipPrivilege	1208	msiexec.exe
Token: SeRestorePrivilege	1208	msiexec.exe
Token: SeTakeOwnershipPrivilege	1208	msiexec.exe
Token: SeRestorePrivilege	1208	msiexec.exe
Token: SeTakeOwnershipPrivilege	1208	msiexec.exe
Token: SeRestorePrivilege	1208	msiexec.exe
Token: SeTakeOwnershipPrivilege	1208	msiexec.exe
Token: SeRestorePrivilege	1208	msiexec.exe
Token: SeTakeOwnershipPrivilege	1208	msiexec.exe
Token: SeRestorePrivilege	1208	msiexec.exe
Token: SeTakeOwnershipPrivilege	1208	msiexec.exe
Token: SeRestorePrivilege	1208	msiexec.exe
Token: SeTakeOwnershipPrivilege	1208	msiexec.exe
Token: SeRestorePrivilege	1208	msiexec.exe
Token: SeTakeOwnershipPrivilege	1208	msiexec.exe
Token: SeRestorePrivilege	1208	msiexec.exe
Token: SeTakeOwnershipPrivilege	1208	msiexec.exe
Token: SeRestorePrivilege	1208	msiexec.exe
Token: SeTakeOwnershipPrivilege	1208	msiexec.exe
Token: SeRestorePrivilege	1208	msiexec.exe
Token: SeTakeOwnershipPrivilege	1208	msiexec.exe
Token: SeRestorePrivilege	1208	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
5032	msiexec.exe
5032	msiexec.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1208 wrote to memory of 1628	1208	msiexec.exe	95
PID 1208 wrote to memory of 1628	1208	msiexec.exe	95
PID 1208 wrote to memory of 4544	1208	msiexec.exe	97
PID 1208 wrote to memory of 4544	1208	msiexec.exe	97
PID 1208 wrote to memory of 2536	1208	msiexec.exe	99
PID 1208 wrote to memory of 2536	1208	msiexec.exe	99
PID 1208 wrote to memory of 2536	1208	msiexec.exe	99
PID 2536 wrote to memory of 896	2536	KeePass-Setup.exe	100
PID 2536 wrote to memory of 896	2536	KeePass-Setup.exe	100
PID 2536 wrote to memory of 896	2536	KeePass-Setup.exe	100
PID 4544 wrote to memory of 3580	4544	powershell.exe	101
PID 4544 wrote to memory of 3580	4544	powershell.exe	101
PID 3580 wrote to memory of 4228	3580	csc.exe	102
PID 3580 wrote to memory of 4228	3580	csc.exe	102
PID 4544 wrote to memory of 3540	4544	powershell.exe	103
PID 4544 wrote to memory of 3540	4544	powershell.exe	103
PID 3540 wrote to memory of 3484	3540	csc.exe	104
PID 3540 wrote to memory of 3484	3540	csc.exe	104

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\1.msi
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:5032

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1208
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  PID:1628
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep bypass -file "C:\Users\Admin\AppData\Local\Temp\Package Installation Dir\pass.ps1"
  2⤵
  - Blocklisted process makes network request
  - Suspicious use of NtCreateThreadExHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4544
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\hjwrpsks\hjwrpsks.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3580
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE4B7.tmp" "c:\Users\Admin\AppData\Local\Temp\hjwrpsks\CSC13CA4CA846A450FB7E25BF439B1415F.TMP"
      4⤵
      PID:4228
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\dhmval0x\dhmval0x.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3540
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF1F6.tmp" "c:\Users\Admin\AppData\Local\Temp\dhmval0x\CSCBC3729C7D0954E7F941E23D5B6468869.TMP"
      4⤵
      PID:3484
- C:\Users\Admin\AppData\Local\Temp\Package Installation Dir\KeePass-Setup.exe
  "C:\Users\Admin\AppData\Local\Temp\Package Installation Dir\KeePass-Setup.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2536
- - C:\Users\Admin\AppData\Local\Temp\is-UVMKG.tmp\KeePass-Setup.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-UVMKG.tmp\KeePass-Setup.tmp" /SL5="$60176,2170270,781312,C:\Users\Admin\AppData\Local\Temp\Package Installation Dir\KeePass-Setup.exe"
    3⤵
    - Executes dropped EXE
    PID:896

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:3512

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e56db71.rbs

Filesize
7KB

MD5
540770c35d4a55fb73a255f075b41a9a

SHA1
7f40552725dfa73664488a610662c0bc43006a53

SHA256
788508ba6e6ef3547756d03d55b884798a4ca1c83669351093c3fc107bd24e80

SHA512
96c2edaadd56f14adb47fc3ecf86379e231407e014100951f537bd14f35560a2cd6a74101462d29eff4ff467e56424640173efedd3a3854c623a11e2fe54226a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Package Installation Dir\KeePass-Setup.exe

Filesize
2.9MB

MD5
52afb5fab6660c027f505186d1e9ddca

SHA1
a57780208cc7ee4026494b077d8114152347f6b4

SHA256
d5cf432ac514cb5239a879a22cc3e0eef6cbc089aa40146a6a1e38c090ac79ba

SHA512
81e16e3f628861eb6a058bb6b4a7e41b343c09e14d230dfeaacd58135fcb1feed87cd2ee6c394f319e863c249059a69e7eff1696588b012a6bd00547cca7d54c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Package Installation Dir\KeePass-Setup.exe

Filesize
2.9MB

MD5
52afb5fab6660c027f505186d1e9ddca

SHA1
a57780208cc7ee4026494b077d8114152347f6b4

SHA256
d5cf432ac514cb5239a879a22cc3e0eef6cbc089aa40146a6a1e38c090ac79ba

SHA512
81e16e3f628861eb6a058bb6b4a7e41b343c09e14d230dfeaacd58135fcb1feed87cd2ee6c394f319e863c249059a69e7eff1696588b012a6bd00547cca7d54c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Package Installation Dir\pass.ps1

Filesize
2.2MB

MD5
4d16bd7cc13c4ac89c59d2825fc9a3c3

SHA1
7cc9b7bdf9a7577d2a2d592be2f2db61a118cc2b

SHA256
9b6125e1aa889f2027111106ee406d08a21c894a83975b785a2b82aab3e2ac52

SHA512
71e3c7c85866a39ecda4278762633a8dfd313779c3f3d8494453f9dd4bf92e96fa94b7880fd45444673cb84f74dc0ecd0006b7a693a2cb7f5fc776a6157cf922

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESE4B7.tmp

Filesize
1KB

MD5
14e682051de19a421fac42ae749e101d

SHA1
71ea3ff385907809b2119b2f1bfed23e8ecfc85c

SHA256
ec7717311e501468442e389f1fb96b1da6b3b4891ec5df7888f50288b02663eb

SHA512
82b8b195c183d5950ca4a6cf77f822497cf5f7cee77f1a84aaff9def68f1b7d3edd70dd90a48452e85aa91cd6b8d5b66d082981c26456e2b32cfcea8499674ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESF1F6.tmp

Filesize
1KB

MD5
409564157e7b60c81aa443aebd7403e0

SHA1
d13bec13be8aeaf7a2d16bb5a35a3e72c618a3fc

SHA256
289e3d01aaefb0bbe5244e99e7ce0806571dc1fb9bf71108d06ac205f9ec3e2b

SHA512
2c0f364657985ba4980aacf3790dafd47e2544818c736ab8d31124df9491a30bf2e304c613cbc043ff84d25f537504b69f5d27f76663ed29e117e924e69318f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_p4ikpgto.ehs.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\dhmval0x\dhmval0x.dll

Filesize
3KB

MD5
18d0269d45195fbf028b04f36127c5cd

SHA1
676d409981ee0ede038f42e24e15b5792d85e2f3

SHA256
3152114fc3e3f0bdba38d1d874f4e73621cc266ad25a8e7fc4f35f90863fddcf

SHA512
d2ea60dbb052bc5a2c9097e0f103cbd5356935894aee937005af83ddcba8082528f5e191c158220ae1313320274dcfeadc08ba990d7d216a484286cea9f001a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\hjwrpsks\hjwrpsks.dll

Filesize
3KB

MD5
0059cf519ac265290c7eb77b37f898d3

SHA1
84158d1a5ca0a2917efb4a2033704355eb8e7e34

SHA256
c62a04484b7b0697534d80b659f0e127b6d1a605b597bc68718de9eab14c626d

SHA512
3e2dcba79a993a6d6686f4fbead36f0cd7eebeddbd4b312557662a09774a21de97ab7867db536c41e118732509bb14569cd72f3d37c384f145aab061c5166e87

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-UVMKG.tmp\KeePass-Setup.tmp

Filesize
3.0MB

MD5
d1ef2c4a186f83eac96f90a68c706498

SHA1
e1ee6eb95a042f7094d628e1e8e26b7484cecea8

SHA256
8746ed5498199546babaa5d65a24f777227f3045a15ded568bbfd450f69a6861

SHA512
fabe2a2a3ead7f83e22dc5a12b5ea9853ef4af6b24417fe901b185eb003c2e52da22d9da9a6a295a08d16dafe82b2f3e6b716ae9438e6fcfbbca7af40e1d30fc

Download Submit
C:\Windows\Installer\e56db70.msi

Filesize
3.5MB

MD5
e1abe0b693e8ee3df8367caf14f8565c

SHA1
14867c8c4bbcc57efe63a71bfcde4cf832be9b2a

SHA256
6fed6902e05e825c5c600df452de46736263d58920d32a9346b50c6248384211

SHA512
f51b5d36761d9e8443809056c508e43ff668a858c02c81bb95d10cf333af1eac587cbb14e6a3b98b23845aee6d6afa35999cb2540a13846ba0864bc90f2e9be6

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

Filesize
23.0MB

MD5
b58cb04ff1f23d76381e3c4ae6a7b089

SHA1
645e62ce31c15636a78b846b8e54806bed1dbadd

SHA256
71f00bb5d699f6cb62b8b83ca23f465c9c012f337d766e4283a03831093ea232

SHA512
d5147dfdfa04c2df7d89920e3cb83d463b4fa11241f35d82a11404ef126360cd06ab7fc6ea9f7ca3a51a40509200547bdf9f84dbc9e0ddf18dd5e1c5c9b3610a

Download Submit
\??\Volume{93c6d6f9-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{7ef633b9-3bce-4377-bc9e-e9be88b06977}_OnDiskSnapshotProp

Filesize
5KB

MD5
e923a031bdada16d2deda7542c090c6e

SHA1
c5f79ce62c6ffc9590bb98622feb20fa4ada015d

SHA256
9188934789b9859ca9945451066b98f19cecdacbd68cad7a2ac0363405b9ce4c

SHA512
72d1a3afe3ce22779ef0da07111cfd4ba8052a2ffce94aefa608500f265482b92228fcbff1fb0533d717d29aab1fb930d4f0dba1d6120be953d73710291ac8cb

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\dhmval0x\CSCBC3729C7D0954E7F941E23D5B6468869.TMP

Filesize
652B

MD5
523f8bd827cdb881148166c69cb23922

SHA1
602ae6ad8c3b29d88f30409e75fe337ef0b73849

SHA256
5c5ca62819b448f2cbbbba9b9fb6a21abd5c7a933e38e2556ec78e1341cf3a36

SHA512
f2a810be12327621d19f48c9280d889925be13393520a9d0e3e906cf8fb0421bf071ce541911e10ee641499b5088ac45fa8e91276254d93f9a062624ecf0b589

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\dhmval0x\dhmval0x.0.cs

Filesize
582B

MD5
2bb8d0ee93aeae61a09adf4db6f29c1c

SHA1
8da3034bb8f84ea2522e276b492b2797b5db30ca

SHA256
68d44e3c373d2aec9dacf51326cbfebcba76c1c1a56545e5e1cbf58b44a9f817

SHA512
b3ec6841a9541e96a671a7d81378293567972541d9cdfc3137b478d9b4d3cccd4b5f536d0f059ee9c12fe9ba86bca62b795139a5215843465cb751e0ade95677

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\dhmval0x\dhmval0x.cmdline

Filesize
369B

MD5
91d11f91886f51d1a8bf4e81a56e566b

SHA1
86973644b3f0886833b836d2a10bc91c5b42ed01

SHA256
59ab7de0d63298d079a0a72da4930a8ed72745cdb64a99b3b5620f81725344a8

SHA512
a26cd54ae5ec91fd11eb26c992ca64ea4e2e70310c9a52fe620c13c061c7ad3c3e85b57018a38e14fd537b99f4a2df89f00874981f3263f69e14ed538b802bc8

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\hjwrpsks\CSC13CA4CA846A450FB7E25BF439B1415F.TMP

Filesize
652B

MD5
2ace5599306c45cfd957247ed76251b0

SHA1
11a0b47cc0de351c8b7fd30f78b6a158ab7f328c

SHA256
b3b0e969e2dc360e343b6222d4bbe5366b1b5878c55cbb50c535cb100a98f7b3

SHA512
e1af746a40929dc7dbf6617ad7969c2dbfbbe0218eb8e7679c8e7c5951ffeafbaa84e806f254870a126244c813075df0060482e5860ea6fa4b1833658e137a77

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\hjwrpsks\hjwrpsks.0.cs

Filesize
203B

MD5
b611be9282deb44eed731f72bcbb2b82

SHA1
cc1d606d853bbabd5fef87255356a0d54381c289

SHA256
ee09fdd61a05266e4e09f418fc6a452f1205d9f29afba6b8a1579333dc3ff3b6

SHA512
63b5ad7b65fd4866fb8841e4eee567e4f1e7888bb9fda8dd5c8dca3461d084d3f80ce920ae321609e4ff32ba13a55b7320282ce7201bb74a793d4700240360a4

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\hjwrpsks\hjwrpsks.cmdline

Filesize
369B

MD5
c7bfa9d7bce6c4b113ad0e5e3256f606

SHA1
591e4d7b3521014c743d2562298fd725e32e25c9

SHA256
16389d70430b09ad77e810c1fb91a4fe5a45b31b9333d0844b6cffc134dd7f4e

SHA512
28876f454dddde0e264f2c5ba18bd92670c0755dac568b17f6df660bae866b0b9e17e1e5e8844d6a5bdd7123080c8f10e72e1b4a376e272c9f618aa61c6532b7

Download Submit
memory/896-187-0x00000000027E0000-0x00000000027E1000-memory.dmp

Filesize
4KB

Download
memory/896-223-0x0000000000400000-0x0000000000707000-memory.dmp

Filesize
3.0MB

Download
memory/896-227-0x00000000027E0000-0x00000000027E1000-memory.dmp

Filesize
4KB

Download
memory/2536-222-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/2536-168-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/4544-174-0x0000020149A30000-0x0000020149A40000-memory.dmp

Filesize
64KB

Download
memory/4544-213-0x0000020149F50000-0x000002014A0BA000-memory.dmp

Filesize
1.4MB

Download
memory/4544-214-0x0000020149F50000-0x000002014A0BA000-memory.dmp

Filesize
1.4MB

Download
memory/4544-215-0x0000020149F50000-0x000002014A0BA000-memory.dmp

Filesize
1.4MB

Download
memory/4544-216-0x00007FFB54D50000-0x00007FFB54D51000-memory.dmp

Filesize
4KB

Download
memory/4544-212-0x0000020149A30000-0x0000020149A40000-memory.dmp

Filesize
64KB

Download
memory/4544-205-0x0000020149DE0000-0x0000020149F4A000-memory.dmp

Filesize
1.4MB

Download
memory/4544-220-0x0000020149F50000-0x000002014A00E000-memory.dmp

Filesize
760KB

Download
memory/4544-176-0x0000020149A30000-0x0000020149A40000-memory.dmp

Filesize
64KB

Download
memory/4544-173-0x0000020149A30000-0x0000020149A40000-memory.dmp

Filesize
64KB

Download
memory/4544-224-0x0000020149A30000-0x0000020149A40000-memory.dmp

Filesize
64KB

Download
memory/4544-225-0x0000020149A30000-0x0000020149A40000-memory.dmp

Filesize
64KB

Download
memory/4544-226-0x0000020149A30000-0x0000020149A40000-memory.dmp

Filesize
64KB

Download
memory/4544-165-0x00000201499C0000-0x00000201499E2000-memory.dmp

Filesize
136KB

Download
memory/4544-228-0x0000020149A30000-0x0000020149A40000-memory.dmp

Filesize
64KB

Download