bumblebee | b8794c9251e2c6fbb96c458a5e1821ddd029335933dfbb03efa7db63673562e8

Analysis

max time kernel
144s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
submitted
04-12-2024 08:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e63911bf851f892bab6d3933349a987e.msi
Size

4.7MB
MD5

e63911bf851f892bab6d3933349a987e
SHA1

c3f5bd1aca61bd086f1aea3e4b86419a836888ce
SHA256

b8794c9251e2c6fbb96c458a5e1821ddd029335933dfbb03efa7db63673562e8
SHA512

f00874b37580152bbb563b29763212de0452e8117f54e4199150cb8cebf3f4d8d1c31ed28d896b7b0cbb63c17e8847019ed76b53f7c0ae07021527705e1af17c
SSDEEP

49152:37Vh102T9dhkuqES58NtvUoBV0Sccd2b5+pnQ2fP1r8+/J4OV7AEqj7D4Uv6ZCOX:37VTVkufFN0ScaruSmHR9vaXZTUa3vg

Score

10^/10

bumblebee 1 discovery loader persistence privilege_escalation

Malware Config

Extracted

Family

bumblebee

Botnet

Attributes

dga
45urhm0ldgxb.live

gx6xly9rp6vl.live

zv46ga4ntybq.live

7n1hfolmrnbl.live

vivh2xlt9i6q.live

97t3nh4kk510.live

kbkdtwucfl40.live

qk6a1ahb63uz.live

whko7loy7h5z.live

dad1zg44n0bn.live

7xwz4hw8dts9.live

ovekd5n3gklq.live

amwnef8mjo4v.live

e7ivqfhnss0x.live

rjql4nicl6bg.live

4mo318kk29i4.live

zpo18lm8vg1x.live

jc51pt290y0n.live

rg26t2dc4hf4.live

qw9a58vunuja.live

ugm94zjzl5nl.live

mckag832orba.live

pdw0v9voxlxr.live

m4tx2apfmoxo.live

n2uc737ef71m.live

hkk3112645hz.live

ugko9g5ipa4o.live

8wgq2x4dybx9.live

h81fx7sj8srr.live

a4tgoqi1cm8x.live

kse2q7uxyrwp.live

mfwnbxvt9qme.live

x99ahfftf28l.live

9n6bmko47gxe.live

6l96lk6edlyf.live

st5j8zqdrppf.live

dxjeucbj4p0j.live

bnpuxnov7lhr.live

a8bxv8lqe1m0.live

yczi2ujcyyro.live

sbeo0cztn1kh.live

o337yf9fh4bf.live

zoki7ma89z7b.live

x2r9bglz76r7.live

wi1w9yu1vush.live

mtqdvzkai700.live

r6o2sj70m85m.live

ut6qohwra5lm.live

9yi98fh7usy1.live

kkpjp9jzbzba.live

whvffwd7zphw.live

uztmazsno4y5.live

i3iubj73c21c.live

b72o02l2ilc6.live

wom4o4cutfx6.live

fek3qya20lid.live

nhkvd56j82xw.live

midyxlu6b22f.live

vp9c9rziba2a.live

rkffupb7i1gv.live

8u7r35mu2e4g.live

3c2xflq8mztc.live

wswis3sptby1.live

9rib57u1zu3c.live

sv3pldc5gkdl.live

bmdcn5celetq.live

y3mpywhmem7t.live

avwtkc23ffmw.live

nvgirtryox1z.live

3rlfa7w0bz37.live

vy9u47oyzltu.live

ysdwk0l8xass.live

tbt0aqol3sp2.live

xqqoo0a8zk0w.live

nevkq7lku38l.live

5u42wjin0vfz.live

y626kbnryktm.live

5k9b8nmc0x8r.live

i18t3jshekua.live

4hk1bcnxbse0.live

si00bu9fv5he.live

g3in90m5caz2.live

f6s4n6w41oov.live

sgl7og2qswmm.live

vrrbk7ykz8h1.live

zl7bmlfq8n9w.live

qydstwmw2imy.live

y9s73mnvurxr.live

7zggkh833im1.live

cvnsiogvl3kt.live

enf3gev34gis.live

doj6z5i9g803.live

zsm954jr5ek4.live

6z96z4mk84dc.live

e0et68offggh.live

au97foecnlrm.live

3ibjpmls5x46.live

mmmpa1byo300.live

3e60zvd64d8y.live

zt3nnzr70hn0.live
dga_seed
7834006444057268685
domain_length
12
num_dga_domains
300
port
443

rc4.plain

Signatures

BumbleBee
BumbleBee is a loader malware written in C++.
loader bumblebee
Bumblebee family
bumblebee

Blocklisted process makes network request 6 IoCs

flow	pid	Process
77	4292	MsiExec.exe
80	4292	MsiExec.exe
82	4292	MsiExec.exe
88	4292	MsiExec.exe
96	4292	MsiExec.exe
97	4292	MsiExec.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
79	api.ipify.org
80	api.ipify.org

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	AnyConnect Installer.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\Installer\SourceHash{5B2892F8-A2A6-49F8-BA11-A5C777D0FEE1}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI182C.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\e58150a.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI176F.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI1644.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI16A3.tmp	msiexec.exe
File created	C:\Windows\Installer\e58150a.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI1577.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI1614.tmp	msiexec.exe

Executes dropped EXE 1 IoCs

pid	Process
2276	AnyConnect Installer.exe

Loads dropped DLL 17 IoCs

pid	Process
2128	MsiExec.exe
2128	MsiExec.exe
2128	MsiExec.exe
2128	MsiExec.exe
2128	MsiExec.exe
2128	MsiExec.exe
2128	MsiExec.exe
2128	MsiExec.exe
2128	MsiExec.exe
2128	MsiExec.exe
2128	MsiExec.exe
6108	MsiExec.exe
6108	MsiExec.exe
6108	MsiExec.exe
6108	MsiExec.exe
6108	MsiExec.exe
4292	MsiExec.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs

persistence privilege_escalation

Installer Packages

T1546.016

Msiexec

T1218.007

pid	Process
2760	msiexec.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 0000000004000000f914d34881601a250000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff000000002701010000080000f914d3480000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff000000000700010000680900f914d348000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1df914d348000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000f914d34800000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
1216	msedge.exe
1216	msedge.exe
1872	msedge.exe
1872	msedge.exe
2992	identity_helper.exe
2992	identity_helper.exe
2116	msiexec.exe
2116	msiexec.exe
6064	msedge.exe
6064	msedge.exe
6064	msedge.exe
6064	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
1872	msedge.exe
1872	msedge.exe
1872	msedge.exe
1872	msedge.exe
1872	msedge.exe
1872	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2760	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2760	msiexec.exe
Token: SeSecurityPrivilege	2116	msiexec.exe
Token: SeCreateTokenPrivilege	2760	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2760	msiexec.exe
Token: SeLockMemoryPrivilege	2760	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2760	msiexec.exe
Token: SeMachineAccountPrivilege	2760	msiexec.exe
Token: SeTcbPrivilege	2760	msiexec.exe
Token: SeSecurityPrivilege	2760	msiexec.exe
Token: SeTakeOwnershipPrivilege	2760	msiexec.exe
Token: SeLoadDriverPrivilege	2760	msiexec.exe
Token: SeSystemProfilePrivilege	2760	msiexec.exe
Token: SeSystemtimePrivilege	2760	msiexec.exe
Token: SeProfSingleProcessPrivilege	2760	msiexec.exe
Token: SeIncBasePriorityPrivilege	2760	msiexec.exe
Token: SeCreatePagefilePrivilege	2760	msiexec.exe
Token: SeCreatePermanentPrivilege	2760	msiexec.exe
Token: SeBackupPrivilege	2760	msiexec.exe
Token: SeRestorePrivilege	2760	msiexec.exe
Token: SeShutdownPrivilege	2760	msiexec.exe
Token: SeDebugPrivilege	2760	msiexec.exe
Token: SeAuditPrivilege	2760	msiexec.exe
Token: SeSystemEnvironmentPrivilege	2760	msiexec.exe
Token: SeChangeNotifyPrivilege	2760	msiexec.exe
Token: SeRemoteShutdownPrivilege	2760	msiexec.exe
Token: SeUndockPrivilege	2760	msiexec.exe
Token: SeSyncAgentPrivilege	2760	msiexec.exe
Token: SeEnableDelegationPrivilege	2760	msiexec.exe
Token: SeManageVolumePrivilege	2760	msiexec.exe
Token: SeImpersonatePrivilege	2760	msiexec.exe
Token: SeCreateGlobalPrivilege	2760	msiexec.exe
Token: SeCreateTokenPrivilege	2760	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2760	msiexec.exe
Token: SeLockMemoryPrivilege	2760	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2760	msiexec.exe
Token: SeMachineAccountPrivilege	2760	msiexec.exe
Token: SeTcbPrivilege	2760	msiexec.exe
Token: SeSecurityPrivilege	2760	msiexec.exe
Token: SeTakeOwnershipPrivilege	2760	msiexec.exe
Token: SeLoadDriverPrivilege	2760	msiexec.exe
Token: SeSystemProfilePrivilege	2760	msiexec.exe
Token: SeSystemtimePrivilege	2760	msiexec.exe
Token: SeProfSingleProcessPrivilege	2760	msiexec.exe
Token: SeIncBasePriorityPrivilege	2760	msiexec.exe
Token: SeCreatePagefilePrivilege	2760	msiexec.exe
Token: SeCreatePermanentPrivilege	2760	msiexec.exe
Token: SeBackupPrivilege	2760	msiexec.exe
Token: SeRestorePrivilege	2760	msiexec.exe
Token: SeShutdownPrivilege	2760	msiexec.exe
Token: SeDebugPrivilege	2760	msiexec.exe
Token: SeAuditPrivilege	2760	msiexec.exe
Token: SeSystemEnvironmentPrivilege	2760	msiexec.exe
Token: SeChangeNotifyPrivilege	2760	msiexec.exe
Token: SeRemoteShutdownPrivilege	2760	msiexec.exe
Token: SeUndockPrivilege	2760	msiexec.exe
Token: SeSyncAgentPrivilege	2760	msiexec.exe
Token: SeEnableDelegationPrivilege	2760	msiexec.exe
Token: SeManageVolumePrivilege	2760	msiexec.exe
Token: SeImpersonatePrivilege	2760	msiexec.exe
Token: SeCreateGlobalPrivilege	2760	msiexec.exe
Token: SeCreateTokenPrivilege	2760	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2760	msiexec.exe
Token: SeLockMemoryPrivilege	2760	msiexec.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
2760	msiexec.exe
1872	msedge.exe
1872	msedge.exe
1872	msedge.exe
1872	msedge.exe
1872	msedge.exe
1872	msedge.exe
1872	msedge.exe
1872	msedge.exe
1872	msedge.exe
1872	msedge.exe
1872	msedge.exe
1872	msedge.exe
1872	msedge.exe
1872	msedge.exe
1872	msedge.exe
1872	msedge.exe
1872	msedge.exe
1872	msedge.exe
1872	msedge.exe
1872	msedge.exe
1872	msedge.exe
1872	msedge.exe
1872	msedge.exe
1872	msedge.exe
1872	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1872	msedge.exe
1872	msedge.exe
1872	msedge.exe
1872	msedge.exe
1872	msedge.exe
1872	msedge.exe
1872	msedge.exe
1872	msedge.exe
1872	msedge.exe
1872	msedge.exe
1872	msedge.exe
1872	msedge.exe
1872	msedge.exe
1872	msedge.exe
1872	msedge.exe
1872	msedge.exe
1872	msedge.exe
1872	msedge.exe
1872	msedge.exe
1872	msedge.exe
1872	msedge.exe
1872	msedge.exe
1872	msedge.exe
1872	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2116 wrote to memory of 2128	2116	msiexec.exe	87
PID 2116 wrote to memory of 2128	2116	msiexec.exe	87
PID 2116 wrote to memory of 2128	2116	msiexec.exe	87
PID 2128 wrote to memory of 2276	2128	MsiExec.exe	101
PID 2128 wrote to memory of 2276	2128	MsiExec.exe	101
PID 2276 wrote to memory of 1872	2276	AnyConnect Installer.exe	103
PID 2276 wrote to memory of 1872	2276	AnyConnect Installer.exe	103
PID 1872 wrote to memory of 3400	1872	msedge.exe	104
PID 1872 wrote to memory of 3400	1872	msedge.exe	104
PID 1872 wrote to memory of 3108	1872	msedge.exe	108
PID 1872 wrote to memory of 3108	1872	msedge.exe	108
PID 1872 wrote to memory of 3108	1872	msedge.exe	108
PID 1872 wrote to memory of 3108	1872	msedge.exe	108
PID 1872 wrote to memory of 3108	1872	msedge.exe	108
PID 1872 wrote to memory of 3108	1872	msedge.exe	108
PID 1872 wrote to memory of 3108	1872	msedge.exe	108
PID 1872 wrote to memory of 3108	1872	msedge.exe	108
PID 1872 wrote to memory of 3108	1872	msedge.exe	108
PID 1872 wrote to memory of 3108	1872	msedge.exe	108
PID 1872 wrote to memory of 3108	1872	msedge.exe	108
PID 1872 wrote to memory of 3108	1872	msedge.exe	108
PID 1872 wrote to memory of 3108	1872	msedge.exe	108
PID 1872 wrote to memory of 3108	1872	msedge.exe	108
PID 1872 wrote to memory of 3108	1872	msedge.exe	108
PID 1872 wrote to memory of 3108	1872	msedge.exe	108
PID 1872 wrote to memory of 3108	1872	msedge.exe	108
PID 1872 wrote to memory of 3108	1872	msedge.exe	108
PID 1872 wrote to memory of 3108	1872	msedge.exe	108
PID 1872 wrote to memory of 3108	1872	msedge.exe	108
PID 1872 wrote to memory of 3108	1872	msedge.exe	108
PID 1872 wrote to memory of 3108	1872	msedge.exe	108
PID 1872 wrote to memory of 3108	1872	msedge.exe	108
PID 1872 wrote to memory of 3108	1872	msedge.exe	108
PID 1872 wrote to memory of 3108	1872	msedge.exe	108
PID 1872 wrote to memory of 3108	1872	msedge.exe	108
PID 1872 wrote to memory of 3108	1872	msedge.exe	108
PID 1872 wrote to memory of 3108	1872	msedge.exe	108
PID 1872 wrote to memory of 3108	1872	msedge.exe	108
PID 1872 wrote to memory of 3108	1872	msedge.exe	108
PID 1872 wrote to memory of 3108	1872	msedge.exe	108
PID 1872 wrote to memory of 3108	1872	msedge.exe	108
PID 1872 wrote to memory of 3108	1872	msedge.exe	108
PID 1872 wrote to memory of 3108	1872	msedge.exe	108
PID 1872 wrote to memory of 3108	1872	msedge.exe	108
PID 1872 wrote to memory of 3108	1872	msedge.exe	108
PID 1872 wrote to memory of 3108	1872	msedge.exe	108
PID 1872 wrote to memory of 3108	1872	msedge.exe	108
PID 1872 wrote to memory of 3108	1872	msedge.exe	108
PID 1872 wrote to memory of 3108	1872	msedge.exe	108
PID 1872 wrote to memory of 1216	1872	msedge.exe	109
PID 1872 wrote to memory of 1216	1872	msedge.exe	109
PID 1872 wrote to memory of 4664	1872	msedge.exe	110
PID 1872 wrote to memory of 4664	1872	msedge.exe	110
PID 1872 wrote to memory of 4664	1872	msedge.exe	110
PID 1872 wrote to memory of 4664	1872	msedge.exe	110
PID 1872 wrote to memory of 4664	1872	msedge.exe	110
PID 1872 wrote to memory of 4664	1872	msedge.exe	110
PID 1872 wrote to memory of 4664	1872	msedge.exe	110
PID 1872 wrote to memory of 4664	1872	msedge.exe	110
PID 1872 wrote to memory of 4664	1872	msedge.exe	110
PID 1872 wrote to memory of 4664	1872	msedge.exe	110
PID 1872 wrote to memory of 4664	1872	msedge.exe	110
PID 1872 wrote to memory of 4664	1872	msedge.exe	110
PID 1872 wrote to memory of 4664	1872	msedge.exe	110

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\e63911bf851f892bab6d3933349a987e.msi
1⤵
- Enumerates connected drives
- Event Triggered Execution: Installer Packages
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2760

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2116
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 7C958A0AB1CAEE90D6DB4CD3E3E86E4F C
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2128
- - C:\Users\Admin\AppData\Roaming\Cisco Systems\Cisco Anyconnect\prerequisites\Cisco Installer\AnyConnect Installer.exe
    "C:\Users\Admin\AppData\Roaming\Cisco Systems\Cisco Anyconnect\prerequisites\Cisco Installer\AnyConnect Installer.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2276
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://apps.microsoft.com/store/detail/9WZDNCRDJ8LH?ocid=&referrer=psi
      4⤵
      Enumerates system info in registry
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of WriteProcessMemory
      PID:1872
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x100,0x104,0x108,0xfc,0xd8,0x7ffb6ebe46f8,0x7ffb6ebe4708,0x7ffb6ebe4718
        5⤵
        
        PID:3400
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2096,12349483652832610993,9312662202699074263,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2112 /prefetch:2
        5⤵
        
        PID:3108
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2096,12349483652832610993,9312662202699074263,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2172 /prefetch:3
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1216
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2096,12349483652832610993,9312662202699074263,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2732 /prefetch:8
        5⤵
        
        PID:4664
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,12349483652832610993,9312662202699074263,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3268 /prefetch:1
        5⤵
        
        PID:208
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,12349483652832610993,9312662202699074263,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3288 /prefetch:1
        5⤵
        
        PID:1088
    - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2096,12349483652832610993,9312662202699074263,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5132 /prefetch:8
        5⤵
        
        PID:404
    - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2096,12349483652832610993,9312662202699074263,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5132 /prefetch:8
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2992
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,12349483652832610993,9312662202699074263,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5236 /prefetch:1
        5⤵
        
        PID:1532
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,12349483652832610993,9312662202699074263,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5232 /prefetch:1
        5⤵
        
        PID:2068
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,12349483652832610993,9312662202699074263,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5664 /prefetch:1
        5⤵
        
        PID:1444
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,12349483652832610993,9312662202699074263,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5628 /prefetch:1
        5⤵
        
        PID:316
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2096,12349483652832610993,9312662202699074263,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4708 /prefetch:2
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:6064
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  PID:6024
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding D44E6B131970231AA6E082F36F29CA37
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:6108
- C:\Windows\System32\MsiExec.exe
  "C:\Windows\System32\MsiExec.exe" /Y "C:\Users\Admin\AppData\Roaming\BmgqLbJUHL.dll"
  2⤵
  - Blocklisted process makes network request
  - Loads dropped DLL
  PID:4292

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
PID:3356

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4440

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3936

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Installer Packages

T1546.016

Privilege Escalation

Event Triggered Execution

T1546

Installer Packages

T1546.016

Defense Evasion

System Binary Proxy Execution

T1218

Msiexec

T1218.007

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
d22073dea53e79d9b824f27ac5e9813e

SHA1
6d8a7281241248431a1571e6ddc55798b01fa961

SHA256
86713962c3bb287964678b148ee08ea83fb83483dff8be91c8a6085ca560b2a6

SHA512
97152091ee24b6e713b8ec8123cb62511f8a7e8a6c6c3f2f6727d0a60497be28814613b476009b853575d4931e5df950e28a41afbf6707cb672206f1219c4413

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
bffcefacce25cd03f3d5c9446ddb903d

SHA1
8923f84aa86db316d2f5c122fe3874bbe26f3bab

SHA256
23e7cbbf64c81122c3cb30a0933c10a320e254447771737a326ce37a0694d405

SHA512
761dae5315b35ec0b2fe68019881397f5d2eadba3963aba79a89f8953a0cd705012d7faf3a204a5f36008926b9f614980e333351596b06ce7058d744345ce2e7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
96B

MD5
a8f8763665bd0cd213ba22eb76367a75

SHA1
aa478d9ff9dd818be305a3eb4167eb68abf3a4c7

SHA256
a428365d82058eb187e9e326aa32b6acb95d014a50f2700d4b7bbeb76b65fa61

SHA512
19d2f25c63c41598c704f86d201b2706e94a052736e0cc4f339cf57bf313290231e995f07dcc486cf3480bbd348a745bb2c7520a926ea2a381b4492536a18e3a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
258B

MD5
2c611a5e0570b35e3a86dbfb8a943254

SHA1
831b31fcc2ede459f33bffe011b16da64b593355

SHA256
ff8900bdf7180809bc7a96e48d2b2144cebc5b7a07bf28fba808d5f14a40d993

SHA512
cf36a01f8959acb6a74db5510717c12c9b17f67620a261590164c0e7b59e1dfc0602d05de4e80cd1a543829b7e01e863c54eec6a7f49acab7a707c085848254b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
5a2287f5b890d25e39ce7dbd43d39260

SHA1
dfebf05a94b5f08e00faf13f02b3bbc17a5c8d96

SHA256
302a3400ed4365e11089044c68e734e9e842a1b90f02864a71e2a84fbba62603

SHA512
6f6c7ea9d02b9daad184bbe1f1e94f7cd4d751c9e0ec31b697d5131d2874ac4c526921c2a2475682e124de3a49560948e398bd132b74b3954bd65b6fdafbc828

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
f45a68a0d976a5d2d1e7c0751b404611

SHA1
1d42c315312f51fe7a980ed85ffe64fcd9e30039

SHA256
c3fbcbfc97793c536e4d27a92cca8cf3e5bf1ad47d46c89d34916f4ea36af045

SHA512
eaf7f215038bec58744db9dbfd0856a90c35ac49a7fdfbf9b8980d7d09bf9fc308a4aa3616370241ca0942b451a9475e19da377a48c611950e2a83ac8155bcc4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\a0a74304db73132d4bc12ef9404aa74f9fdeda56\36856110-1730-4e3d-82b3-5695488c2a1d\index-dir\the-real-index

Filesize
1KB

MD5
a100c7bc5a709cc58d9c2887cfddf33c

SHA1
f809fbbc04e8a9cac4e1a8d429a3d6ead7d24077

SHA256
fd8642b02517901d111452ecd1dc07a8e0f89c5946be3e202f0473d83cfe3d15

SHA512
64ee2708a6f0c8e7941dd6b8a6f4ca05968c4c8d4a2e38e0a43995b7b022b31a811bcbef2d4e44b8b9dcb8a23ff1dd041357eb87bf9ebc9153f29fdcbd569f9a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\a0a74304db73132d4bc12ef9404aa74f9fdeda56\36856110-1730-4e3d-82b3-5695488c2a1d\index-dir\the-real-index~RFe584e4a.TMP

Filesize
48B

MD5
83c7a9adb25c0729dfbbbe9635e0a73e

SHA1
258bec20bc3a2b2427524d05fa7b372b82bbfa73

SHA256
613ec9967aedc56a72ec66701551967f8076f0cd0ef41f4c7a4990607647592c

SHA512
5905c6a99893fff4aa8c66206aab7225c11a4a8374a9a8fdbf9f9a29f54662aa05ddf68d83f73b8d1843a22696e432eb1aff32d00b354db4c87db97069238a61

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\a0a74304db73132d4bc12ef9404aa74f9fdeda56\e72dd2db-df7a-454f-90a5-4d00fbee42f3\index-dir\the-real-index

Filesize
72B

MD5
89e312c8590d5d825fde3f79d5ef64d4

SHA1
7a5c78b14d61aca1daf44ad6356ce291c7ff62e7

SHA256
815eeeb3481251e5c751a82e00ddc7f1e2f58f040b31312052c490881e29df96

SHA512
4b6617c875145e0db6550684a49ef5c02436fa91dfb56f3821ab23ff3f1b31b1b7edd2282f10f95fbd12e2e2e179cc10a4a59810ba10acffd85c3c0321f2fcfa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\a0a74304db73132d4bc12ef9404aa74f9fdeda56\e72dd2db-df7a-454f-90a5-4d00fbee42f3\index-dir\the-real-index~RFe583767.TMP

Filesize
48B

MD5
b030a70d4fc1cfc898bdfde240d3ce4d

SHA1
86439741ee010c08a853fc1e308599edeb0bc915

SHA256
14ff3756eacfc79dc810f614b932d9203912caeb86651c759f0fe60d34c29dff

SHA512
0dcddd4c4632f131d281ac2f12d033c6797d3afe28afdd1a091d6a42b33d5b97a53edae6497d0f9ab993e4e2781640955b5508693c48b6d133976b23683cee27

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\a0a74304db73132d4bc12ef9404aa74f9fdeda56\index.txt

Filesize
109B

MD5
e305b998588bab3dc150fc1ed160e8ca

SHA1
4dc61964788dd04f491d2ab839fa38f31d08f5f6

SHA256
5d865273df339dd7d6162ddf5a2c4d4f5f2536fabb7edb072482325373f728e5

SHA512
1822de7efb5b5e4d4d1b5513cb7a1383f800713c6696451ce37a59b7a9aa1517c6fdab95f08d2f8a61fa7ff8ee00039ed0e19e1576e17b671bbfb31ff48547f1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\a0a74304db73132d4bc12ef9404aa74f9fdeda56\index.txt

Filesize
204B

MD5
a74df19d55b2764c0b1a1894c1838733

SHA1
16404b4f6b91f7f53469c6b79fc06377aa3d75f4

SHA256
80994fd87217b53e8a505baf77d4651d5677912e3bbac309e09b5c15ef4c825e

SHA512
b735b45670310db0131a298bd91c91b20de9a0e38310e1e0dd565dd6d5aec03e7b7e15e7e6cd7a86f6ef8f8ba7210afe9aecc6fa7b340f1f49fbba71129885f9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\a0a74304db73132d4bc12ef9404aa74f9fdeda56\index.txt.tmp

Filesize
201B

MD5
459402ecc692ac2912c3ce9dafae8616

SHA1
a863eafbd0ffca9d5a0b407bbf3b67d15da48f6b

SHA256
8936ac99666923f5edf0c23b836dd89ecfc88dfec3cd6fbf7a94bc6d5343d211

SHA512
76f9be1318862f49ebd3b6e8911ff3308f3b2eeb8f39e2847171b063727a2b33ad3dd3d036165fa6c7bc645de9d316977406018502257fbb4bc6573fa4f9499d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
04b6356225acdcf36a23c2e26397ff52

SHA1
6e670f80b97a4ef2c78498fe41491941b51b8baf

SHA256
34b2ce86e605afebef26959640e0d1aa4b37831e72136fc79042d60224dfa5cd

SHA512
e437c87e8cbf0a8ce0bc8c40bdf9c7affc65a7ab4e940824db31a1343fefe4915cfaff517f8f9de62e7b1bfa07e91f5f020efe23c867a0aa782cc0bd40a6aa4e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe583709.TMP

Filesize
48B

MD5
1df2e35d430eacbde2a847abb68162c3

SHA1
3bedd1fb87e51a5dd736273a08a220c32ad15b6f

SHA256
50bc84d3d46c35b3a5b20f4e5b026bb39fcb133c1e25476b93f925fd066a63c5

SHA512
1b474f8d276adb5bd0973bcb48608b481fd9d8c792f05eabeeb704eca7f8ad1ba12f307d9b161974e64c37c471bc5ffdb318e0de12d2c5a053a88a81e6ebca63

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
3ed947cfb9d06e8b2a54063eef0055b8

SHA1
0b48a120440e9005d6e0d47309ec8bdecc25472e

SHA256
ebb44709e9764f5b0f901c3183b85544a217ab0a22edff671e6c6971af0af235

SHA512
5e75ee929f94b61e699c79c17d9b0c1705d9f0d70821968927d0d31384a8615f212808a7ea281affa4571db03230857eea3d96e7f6b63ca920e388acbf0c466a

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI8146.tmp

Filesize
816KB

MD5
aa88d8f40a286b6d40de0f3abc836cfa

SHA1
c24eab9e4b10b159b589f4c3b64ef3db111ea1c8

SHA256
8d633efeda1249356b11bf8f46583242356e4f903056b53bd25a99511d1790a1

SHA512
6c2f2f6a2d66015f30158962d653e381136f0f30023380a0ce95bd0944d856113fbde65db52dbb3b5de1c0e2edf2cd53184e721c64b916834be4198c61224519

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI8487.tmp

Filesize
877KB

MD5
6a639b68fe7f4e67b7510af13403772b

SHA1
255ba543d6fdd8f037823ff321ec00abe3575c54

SHA256
7118cd0d6956c84dc8ede10db84491d7884bfb0baa4a0ab96afc7eea47f46dd0

SHA512
43cfa4cdf669df71d7da59669ec9653c4facba4c2e6fe52deada469116b5c8b63a927a9ddc2f240ca9e1a2cc4335c12936007662bf47cd11c7e61392af219cef

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpD021.tmp

Filesize
1KB

MD5
a10f31fa140f2608ff150125f3687920

SHA1
ec411cc7005aaa8e3775cf105fcd4e1239f8ed4b

SHA256
28c871238311d40287c51dc09aee6510cac5306329981777071600b1112286c6

SHA512
cf915fb34cd5ecfbd6b25171d6e0d3d09af2597edf29f9f24fa474685d4c5ec9bc742ade9f29abac457dd645ee955b1914a635c90af77c519d2ada895e7ecf12

Download Submit
C:\Users\Admin\AppData\Roaming\BmgqLbJUHL.dll

Filesize
2.1MB

MD5
29e117e9f0ce89cb29a3b14f39a2624b

SHA1
1c1060ef434826f6785ea248b647da569e83cd6a

SHA256
3844008c0697a64633357ba8d7088ee41e36ac321969bb442b97eb31e530e4a6

SHA512
757ac09a94ac4b434daeaf19509183e778208c5b82865e877ee25027080fb367a0e6a177a2ebb0e10dff1307975efb0d45b81568866bec478beca59bd822ab45

Download Submit
C:\Users\Admin\AppData\Roaming\Cisco Systems\Cisco Anyconnect\prerequisites\Cisco Installer\AnyConnect Installer.exe

Filesize
1.0MB

MD5
5e9965bc72df9f663ca049d40b1fa3af

SHA1
3fb8de364e3e67f093c1a6c73dc0cac1fd9b2202

SHA256
ffa9df9f2ee9b98a9c9d2edf1521d2e8b952f58e1382cc1d84964d0054564091

SHA512
418abf3447f885a8fee31cf367a83264eaedfa8a90cd30684f9291d9c37c402595e5f782aa8335bc081adf8f2b18b45171a52d846b48c372a00013da64b61339

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

Filesize
24.1MB

MD5
daa5766c7163bc8cbfb296e2c02344f1

SHA1
2cdb5aca65ebf19fe026481796b2c73619590830

SHA256
d41cbb320ff3fce803aa1edd1ca599a2cbf0e04ca8c49533b2d462dd82299817

SHA512
6acc3d68e210fd6cd18a52a56e441812572193fa125d10fb8fb534dc4615677bb93d496eab617598e463d2a4e3e6c0029bdd202424746420f3a60206a5cb8ac0

Download Submit
\??\Volume{48d314f9-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{0248d3ca-0226-4acf-826b-fbd361112772}_OnDiskSnapshotProp

Filesize
6KB

MD5
0d3bbf590511b01ebca571e8b141f389

SHA1
6b5538a02294734c96dcd8f4190a223eb834da2f

SHA256
cd064dd8b5662c26a9e7090da6973406dbed97edc5f0575719292315b2f5bbea

SHA512
9620e21b6fa005e0d228278a0ceef32aa5ce3c0e836fcf4e07bf153a26428765c77525b9c68439d00c7db1d1cf5c315454f635365871b0bd41e195d824cc01a1

Download Submit
memory/2276-75-0x0000023A7E7B0000-0x0000023A7E7E8000-memory.dmp

Filesize
224KB

Download
memory/2276-76-0x0000023A64E10000-0x0000023A64E1E000-memory.dmp

Filesize
56KB

Download
memory/2276-78-0x0000023A7E7F0000-0x0000023A7E816000-memory.dmp

Filesize
152KB

Download
memory/2276-77-0x0000023A7EFA0000-0x0000023A7F126000-memory.dmp

Filesize
1.5MB

Download
memory/2276-74-0x0000023A63500000-0x0000023A63508000-memory.dmp

Filesize
32KB

Download
memory/2276-73-0x0000023A7D6A0000-0x0000023A7D6DC000-memory.dmp

Filesize
240KB

Download
memory/2276-72-0x0000023A64E20000-0x0000023A64E32000-memory.dmp

Filesize
72KB

Download
memory/2276-55-0x0000023A62F30000-0x0000023A63032000-memory.dmp

Filesize
1.0MB

Download
memory/2276-57-0x0000023A7EC80000-0x0000023A7ED3A000-memory.dmp

Filesize
744KB

Download
memory/2276-56-0x0000023A634F0000-0x0000023A634FA000-memory.dmp

Filesize
40KB

Download
memory/4292-406-0x000001C0D5680000-0x000001C0D589E000-memory.dmp

Filesize
2.1MB

Download
memory/4292-404-0x000001C0D5680000-0x000001C0D589E000-memory.dmp

Filesize
2.1MB

Download
memory/4292-405-0x000001C0D5680000-0x000001C0D589E000-memory.dmp

Filesize
2.1MB

Download
memory/4292-407-0x000001C0D5680000-0x000001C0D589E000-memory.dmp

Filesize
2.1MB

Download
memory/4292-403-0x000001C0D5680000-0x000001C0D589E000-memory.dmp

Filesize
2.1MB

Download