bumblebee | b8794c9251e2c6fbb96c458a5e1821ddd029335933dfbb03efa7db63673562e8

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
submitted
04-12-2024 08:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e63911bf851f892bab6d3933349a987e.msi
Size

4.7MB
MD5

e63911bf851f892bab6d3933349a987e
SHA1

c3f5bd1aca61bd086f1aea3e4b86419a836888ce
SHA256

b8794c9251e2c6fbb96c458a5e1821ddd029335933dfbb03efa7db63673562e8
SHA512

f00874b37580152bbb563b29763212de0452e8117f54e4199150cb8cebf3f4d8d1c31ed28d896b7b0cbb63c17e8847019ed76b53f7c0ae07021527705e1af17c
SSDEEP

49152:37Vh102T9dhkuqES58NtvUoBV0Sccd2b5+pnQ2fP1r8+/J4OV7AEqj7D4Uv6ZCOX:37VTVkufFN0ScaruSmHR9vaXZTUa3vg

Score

10^/10

bumblebee 1 discovery loader persistence privilege_escalation

Malware Config

Extracted

Family

bumblebee

Botnet

Attributes

dga
45urhm0ldgxb.live

gx6xly9rp6vl.live

zv46ga4ntybq.live

7n1hfolmrnbl.live

vivh2xlt9i6q.live

97t3nh4kk510.live

kbkdtwucfl40.live

qk6a1ahb63uz.live

whko7loy7h5z.live

dad1zg44n0bn.live

7xwz4hw8dts9.live

ovekd5n3gklq.live

amwnef8mjo4v.live

e7ivqfhnss0x.live

rjql4nicl6bg.live

4mo318kk29i4.live

zpo18lm8vg1x.live

jc51pt290y0n.live

rg26t2dc4hf4.live

qw9a58vunuja.live

ugm94zjzl5nl.live

mckag832orba.live

pdw0v9voxlxr.live

m4tx2apfmoxo.live

n2uc737ef71m.live

hkk3112645hz.live

ugko9g5ipa4o.live

8wgq2x4dybx9.live

h81fx7sj8srr.live

a4tgoqi1cm8x.live

kse2q7uxyrwp.live

mfwnbxvt9qme.live

x99ahfftf28l.live

9n6bmko47gxe.live

6l96lk6edlyf.live

st5j8zqdrppf.live

dxjeucbj4p0j.live

bnpuxnov7lhr.live

a8bxv8lqe1m0.live

yczi2ujcyyro.live

sbeo0cztn1kh.live

o337yf9fh4bf.live

zoki7ma89z7b.live

x2r9bglz76r7.live

wi1w9yu1vush.live

mtqdvzkai700.live

r6o2sj70m85m.live

ut6qohwra5lm.live

9yi98fh7usy1.live

kkpjp9jzbzba.live

whvffwd7zphw.live

uztmazsno4y5.live

i3iubj73c21c.live

b72o02l2ilc6.live

wom4o4cutfx6.live

fek3qya20lid.live

nhkvd56j82xw.live

midyxlu6b22f.live

vp9c9rziba2a.live

rkffupb7i1gv.live

8u7r35mu2e4g.live

3c2xflq8mztc.live

wswis3sptby1.live

9rib57u1zu3c.live

sv3pldc5gkdl.live

bmdcn5celetq.live

y3mpywhmem7t.live

avwtkc23ffmw.live

nvgirtryox1z.live

3rlfa7w0bz37.live

vy9u47oyzltu.live

ysdwk0l8xass.live

tbt0aqol3sp2.live

xqqoo0a8zk0w.live

nevkq7lku38l.live

5u42wjin0vfz.live

y626kbnryktm.live

5k9b8nmc0x8r.live

i18t3jshekua.live

4hk1bcnxbse0.live

si00bu9fv5he.live

g3in90m5caz2.live

f6s4n6w41oov.live

sgl7og2qswmm.live

vrrbk7ykz8h1.live

zl7bmlfq8n9w.live

qydstwmw2imy.live

y9s73mnvurxr.live

7zggkh833im1.live

cvnsiogvl3kt.live

enf3gev34gis.live

doj6z5i9g803.live

zsm954jr5ek4.live

6z96z4mk84dc.live

e0et68offggh.live

au97foecnlrm.live

3ibjpmls5x46.live

mmmpa1byo300.live

3e60zvd64d8y.live

zt3nnzr70hn0.live
dga_seed
7834006444057268685
domain_length
12
num_dga_domains
300
port
443

rc4.plain

Signatures

BumbleBee
BumbleBee is a loader malware written in C++.
loader bumblebee
Bumblebee family
bumblebee

Blocklisted process makes network request 6 IoCs

flow	pid	Process
80	948	MsiExec.exe
82	948	MsiExec.exe
84	948	MsiExec.exe
91	948	MsiExec.exe
100	948	MsiExec.exe
101	948	MsiExec.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
81	api.ipify.org
82	api.ipify.org

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	AnyConnect Installer.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\MSI704C.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File created	C:\Windows\Installer\e586de8.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI6E65.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI6F31.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI6FBE.tmp	msiexec.exe
File created	C:\Windows\Installer\SourceHash{5B2892F8-A2A6-49F8-BA11-A5C777D0FEE1}	msiexec.exe
File opened for modification	C:\Windows\Installer\e586de8.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI70DA.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI72CF.tmp	msiexec.exe

Executes dropped EXE 1 IoCs

pid	Process
3824	AnyConnect Installer.exe

Loads dropped DLL 17 IoCs

pid	Process
2640	MsiExec.exe
2640	MsiExec.exe
2640	MsiExec.exe
2640	MsiExec.exe
2640	MsiExec.exe
2640	MsiExec.exe
2640	MsiExec.exe
2640	MsiExec.exe
2640	MsiExec.exe
2640	MsiExec.exe
2640	MsiExec.exe
4792	MsiExec.exe
4792	MsiExec.exe
4792	MsiExec.exe
4792	MsiExec.exe
4792	MsiExec.exe
948	MsiExec.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs

persistence privilege_escalation

Installer Packages

T1546.016

Msiexec

T1218.007

pid	Process
1624	msiexec.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 000000000400000038a6760542cf76680000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff00000000270101000008000038a676050000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff00000000070001000068090038a67605000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1d38a67605000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff00000000000000000000000038a6760500000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
4732	msedge.exe
4732	msedge.exe
3680	msedge.exe
3680	msedge.exe
3028	identity_helper.exe
3028	identity_helper.exe
2316	msiexec.exe
2316	msiexec.exe
5684	msedge.exe
5684	msedge.exe
5684	msedge.exe
5684	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
3680	msedge.exe
3680	msedge.exe
3680	msedge.exe
3680	msedge.exe
3680	msedge.exe
3680	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1624	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1624	msiexec.exe
Token: SeSecurityPrivilege	2316	msiexec.exe
Token: SeCreateTokenPrivilege	1624	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	1624	msiexec.exe
Token: SeLockMemoryPrivilege	1624	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1624	msiexec.exe
Token: SeMachineAccountPrivilege	1624	msiexec.exe
Token: SeTcbPrivilege	1624	msiexec.exe
Token: SeSecurityPrivilege	1624	msiexec.exe
Token: SeTakeOwnershipPrivilege	1624	msiexec.exe
Token: SeLoadDriverPrivilege	1624	msiexec.exe
Token: SeSystemProfilePrivilege	1624	msiexec.exe
Token: SeSystemtimePrivilege	1624	msiexec.exe
Token: SeProfSingleProcessPrivilege	1624	msiexec.exe
Token: SeIncBasePriorityPrivilege	1624	msiexec.exe
Token: SeCreatePagefilePrivilege	1624	msiexec.exe
Token: SeCreatePermanentPrivilege	1624	msiexec.exe
Token: SeBackupPrivilege	1624	msiexec.exe
Token: SeRestorePrivilege	1624	msiexec.exe
Token: SeShutdownPrivilege	1624	msiexec.exe
Token: SeDebugPrivilege	1624	msiexec.exe
Token: SeAuditPrivilege	1624	msiexec.exe
Token: SeSystemEnvironmentPrivilege	1624	msiexec.exe
Token: SeChangeNotifyPrivilege	1624	msiexec.exe
Token: SeRemoteShutdownPrivilege	1624	msiexec.exe
Token: SeUndockPrivilege	1624	msiexec.exe
Token: SeSyncAgentPrivilege	1624	msiexec.exe
Token: SeEnableDelegationPrivilege	1624	msiexec.exe
Token: SeManageVolumePrivilege	1624	msiexec.exe
Token: SeImpersonatePrivilege	1624	msiexec.exe
Token: SeCreateGlobalPrivilege	1624	msiexec.exe
Token: SeCreateTokenPrivilege	1624	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	1624	msiexec.exe
Token: SeLockMemoryPrivilege	1624	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1624	msiexec.exe
Token: SeMachineAccountPrivilege	1624	msiexec.exe
Token: SeTcbPrivilege	1624	msiexec.exe
Token: SeSecurityPrivilege	1624	msiexec.exe
Token: SeTakeOwnershipPrivilege	1624	msiexec.exe
Token: SeLoadDriverPrivilege	1624	msiexec.exe
Token: SeSystemProfilePrivilege	1624	msiexec.exe
Token: SeSystemtimePrivilege	1624	msiexec.exe
Token: SeProfSingleProcessPrivilege	1624	msiexec.exe
Token: SeIncBasePriorityPrivilege	1624	msiexec.exe
Token: SeCreatePagefilePrivilege	1624	msiexec.exe
Token: SeCreatePermanentPrivilege	1624	msiexec.exe
Token: SeBackupPrivilege	1624	msiexec.exe
Token: SeRestorePrivilege	1624	msiexec.exe
Token: SeShutdownPrivilege	1624	msiexec.exe
Token: SeDebugPrivilege	1624	msiexec.exe
Token: SeAuditPrivilege	1624	msiexec.exe
Token: SeSystemEnvironmentPrivilege	1624	msiexec.exe
Token: SeChangeNotifyPrivilege	1624	msiexec.exe
Token: SeRemoteShutdownPrivilege	1624	msiexec.exe
Token: SeUndockPrivilege	1624	msiexec.exe
Token: SeSyncAgentPrivilege	1624	msiexec.exe
Token: SeEnableDelegationPrivilege	1624	msiexec.exe
Token: SeManageVolumePrivilege	1624	msiexec.exe
Token: SeImpersonatePrivilege	1624	msiexec.exe
Token: SeCreateGlobalPrivilege	1624	msiexec.exe
Token: SeCreateTokenPrivilege	1624	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	1624	msiexec.exe
Token: SeLockMemoryPrivilege	1624	msiexec.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
1624	msiexec.exe
3680	msedge.exe
3680	msedge.exe
3680	msedge.exe
3680	msedge.exe
3680	msedge.exe
3680	msedge.exe
3680	msedge.exe
3680	msedge.exe
3680	msedge.exe
3680	msedge.exe
3680	msedge.exe
3680	msedge.exe
3680	msedge.exe
3680	msedge.exe
3680	msedge.exe
3680	msedge.exe
3680	msedge.exe
3680	msedge.exe
3680	msedge.exe
3680	msedge.exe
3680	msedge.exe
3680	msedge.exe
3680	msedge.exe
3680	msedge.exe
3680	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3680	msedge.exe
3680	msedge.exe
3680	msedge.exe
3680	msedge.exe
3680	msedge.exe
3680	msedge.exe
3680	msedge.exe
3680	msedge.exe
3680	msedge.exe
3680	msedge.exe
3680	msedge.exe
3680	msedge.exe
3680	msedge.exe
3680	msedge.exe
3680	msedge.exe
3680	msedge.exe
3680	msedge.exe
3680	msedge.exe
3680	msedge.exe
3680	msedge.exe
3680	msedge.exe
3680	msedge.exe
3680	msedge.exe
3680	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2316 wrote to memory of 2640	2316	msiexec.exe	85
PID 2316 wrote to memory of 2640	2316	msiexec.exe	85
PID 2316 wrote to memory of 2640	2316	msiexec.exe	85
PID 2640 wrote to memory of 3824	2640	MsiExec.exe	99
PID 2640 wrote to memory of 3824	2640	MsiExec.exe	99
PID 3824 wrote to memory of 3680	3824	AnyConnect Installer.exe	101
PID 3824 wrote to memory of 3680	3824	AnyConnect Installer.exe	101
PID 3680 wrote to memory of 820	3680	msedge.exe	102
PID 3680 wrote to memory of 820	3680	msedge.exe	102
PID 3680 wrote to memory of 2808	3680	msedge.exe	106
PID 3680 wrote to memory of 2808	3680	msedge.exe	106
PID 3680 wrote to memory of 2808	3680	msedge.exe	106
PID 3680 wrote to memory of 2808	3680	msedge.exe	106
PID 3680 wrote to memory of 2808	3680	msedge.exe	106
PID 3680 wrote to memory of 2808	3680	msedge.exe	106
PID 3680 wrote to memory of 2808	3680	msedge.exe	106
PID 3680 wrote to memory of 2808	3680	msedge.exe	106
PID 3680 wrote to memory of 2808	3680	msedge.exe	106
PID 3680 wrote to memory of 2808	3680	msedge.exe	106
PID 3680 wrote to memory of 2808	3680	msedge.exe	106
PID 3680 wrote to memory of 2808	3680	msedge.exe	106
PID 3680 wrote to memory of 2808	3680	msedge.exe	106
PID 3680 wrote to memory of 2808	3680	msedge.exe	106
PID 3680 wrote to memory of 2808	3680	msedge.exe	106
PID 3680 wrote to memory of 2808	3680	msedge.exe	106
PID 3680 wrote to memory of 2808	3680	msedge.exe	106
PID 3680 wrote to memory of 2808	3680	msedge.exe	106
PID 3680 wrote to memory of 2808	3680	msedge.exe	106
PID 3680 wrote to memory of 2808	3680	msedge.exe	106
PID 3680 wrote to memory of 2808	3680	msedge.exe	106
PID 3680 wrote to memory of 2808	3680	msedge.exe	106
PID 3680 wrote to memory of 2808	3680	msedge.exe	106
PID 3680 wrote to memory of 2808	3680	msedge.exe	106
PID 3680 wrote to memory of 2808	3680	msedge.exe	106
PID 3680 wrote to memory of 2808	3680	msedge.exe	106
PID 3680 wrote to memory of 2808	3680	msedge.exe	106
PID 3680 wrote to memory of 2808	3680	msedge.exe	106
PID 3680 wrote to memory of 2808	3680	msedge.exe	106
PID 3680 wrote to memory of 2808	3680	msedge.exe	106
PID 3680 wrote to memory of 2808	3680	msedge.exe	106
PID 3680 wrote to memory of 2808	3680	msedge.exe	106
PID 3680 wrote to memory of 2808	3680	msedge.exe	106
PID 3680 wrote to memory of 2808	3680	msedge.exe	106
PID 3680 wrote to memory of 2808	3680	msedge.exe	106
PID 3680 wrote to memory of 2808	3680	msedge.exe	106
PID 3680 wrote to memory of 2808	3680	msedge.exe	106
PID 3680 wrote to memory of 2808	3680	msedge.exe	106
PID 3680 wrote to memory of 2808	3680	msedge.exe	106
PID 3680 wrote to memory of 2808	3680	msedge.exe	106
PID 3680 wrote to memory of 4732	3680	msedge.exe	107
PID 3680 wrote to memory of 4732	3680	msedge.exe	107
PID 3680 wrote to memory of 1948	3680	msedge.exe	108
PID 3680 wrote to memory of 1948	3680	msedge.exe	108
PID 3680 wrote to memory of 1948	3680	msedge.exe	108
PID 3680 wrote to memory of 1948	3680	msedge.exe	108
PID 3680 wrote to memory of 1948	3680	msedge.exe	108
PID 3680 wrote to memory of 1948	3680	msedge.exe	108
PID 3680 wrote to memory of 1948	3680	msedge.exe	108
PID 3680 wrote to memory of 1948	3680	msedge.exe	108
PID 3680 wrote to memory of 1948	3680	msedge.exe	108
PID 3680 wrote to memory of 1948	3680	msedge.exe	108
PID 3680 wrote to memory of 1948	3680	msedge.exe	108
PID 3680 wrote to memory of 1948	3680	msedge.exe	108
PID 3680 wrote to memory of 1948	3680	msedge.exe	108

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\e63911bf851f892bab6d3933349a987e.msi
1⤵
- Enumerates connected drives
- Event Triggered Execution: Installer Packages
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1624

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2316
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding DD24BC90F334662DB69845CA30255582 C
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2640
- - C:\Users\Admin\AppData\Roaming\Cisco Systems\Cisco Anyconnect\prerequisites\Cisco Installer\AnyConnect Installer.exe
    "C:\Users\Admin\AppData\Roaming\Cisco Systems\Cisco Anyconnect\prerequisites\Cisco Installer\AnyConnect Installer.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:3824
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://apps.microsoft.com/store/detail/9WZDNCRDJ8LH?ocid=&referrer=psi
      4⤵
      Enumerates system info in registry
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of WriteProcessMemory
      PID:3680
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff953db46f8,0x7ff953db4708,0x7ff953db4718
        5⤵
        
        PID:820
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2204,15050016706836484318,18138055219317283328,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2228 /prefetch:2
        5⤵
        
        PID:2808
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2204,15050016706836484318,18138055219317283328,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2292 /prefetch:3
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4732
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2204,15050016706836484318,18138055219317283328,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2652 /prefetch:8
        5⤵
        
        PID:1948
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,15050016706836484318,18138055219317283328,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3340 /prefetch:1
        5⤵
        
        PID:4944
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,15050016706836484318,18138055219317283328,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3348 /prefetch:1
        5⤵
        
        PID:4968
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,15050016706836484318,18138055219317283328,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5300 /prefetch:1
        5⤵
        
        PID:2212
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,15050016706836484318,18138055219317283328,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5316 /prefetch:1
        5⤵
        
        PID:5084
    - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2204,15050016706836484318,18138055219317283328,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5656 /prefetch:8
        5⤵
        
        PID:4260
    - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2204,15050016706836484318,18138055219317283328,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5656 /prefetch:8
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3028
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,15050016706836484318,18138055219317283328,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3464 /prefetch:1
        5⤵
        
        PID:4424
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,15050016706836484318,18138055219317283328,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3336 /prefetch:1
        5⤵
        
        PID:4924
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2204,15050016706836484318,18138055219317283328,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1288 /prefetch:2
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:5684
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  PID:5184
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 4481678212F697BDD4E003AA0D2D5417
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:4792
- C:\Windows\System32\MsiExec.exe
  "C:\Windows\System32\MsiExec.exe" /Y "C:\Users\Admin\AppData\Roaming\BmgqLbJUHL.dll"
  2⤵
  - Blocklisted process makes network request
  - Loads dropped DLL
  PID:948

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
PID:2936

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2056

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4724

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Installer Packages

T1546.016

Privilege Escalation

Event Triggered Execution

T1546

Installer Packages

T1546.016

Defense Evasion

System Binary Proxy Execution

T1218

Msiexec

T1218.007

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
37f660dd4b6ddf23bc37f5c823d1c33a

SHA1
1c35538aa307a3e09d15519df6ace99674ae428b

SHA256
4e2510a1d5a50a94fe4ce0f74932ab780758a8cbdc6d176a9ce8ab92309f26f8

SHA512
807b8b8dc9109b6f78fc63655450bf12b9a006ff63e8f29ade8899d45fdf4a6c068c5c46a3efbc4232b9e1e35d6494f00ded5cdb3e235c8a25023bfbd823992d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
d7cb450b1315c63b1d5d89d98ba22da5

SHA1
694005cd9e1a4c54e0b83d0598a8a0c089df1556

SHA256
38355fd694faf1223518e40bac1996bdceaf44191214b0a23c4334d5fb07d031

SHA512
df04d4f4b77bae447a940b28aeac345b21b299d8d26e28ecbb3c1c9e9a0e07c551e412d545c7dbb147a92c12bad7ae49ac35af021c34b88e2c6c5f7a0b65f6a8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
96B

MD5
200e5a6373d674c8aa4368e3d13fb774

SHA1
05b0cde542361b7133553dde353a5fbe50e7d6ba

SHA256
f60f188494c381f0de1a2c2c0eedd50baf9f3dd66a6bbe6f8600602eef0d2c6e

SHA512
b0a7fd6b23c37e931f2801bc783dbf82a30390615a78b5729e675de5b190864830656e10e4982c7027bdade57ed167ba8135fdb0212a7a6700825e291d21e06f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
258B

MD5
2c611a5e0570b35e3a86dbfb8a943254

SHA1
831b31fcc2ede459f33bffe011b16da64b593355

SHA256
ff8900bdf7180809bc7a96e48d2b2144cebc5b7a07bf28fba808d5f14a40d993

SHA512
cf36a01f8959acb6a74db5510717c12c9b17f67620a261590164c0e7b59e1dfc0602d05de4e80cd1a543829b7e01e863c54eec6a7f49acab7a707c085848254b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
a4803c0e3f534fa7a071e5fb72fe1dba

SHA1
912974b2b7c04ec1d1ad89cf404211ba8f0d8b88

SHA256
27e980cfee2409c25ffba15166dd5acb4c8e3eb0d50fcd6a5f8cdec3996836cd

SHA512
87a29fc043a2da4f1a22fd0c7d8884d0f89ae36b516686ffad4d317f5f6200cb4c5fa8868959dda319856edec3633216fa02319a03a506279197f8c41ab7f709

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
63d8a09b9380632726ba6d46a1adeb2e

SHA1
1df0231c534aac189cda1b8b67918a0ed5ce6815

SHA256
bc5548d402bb9edd6c2ef646a773a1dfb6dc35d60920b6fe33b1479b317f0aad

SHA512
0abc7bb05bdd47d4490e6025d9e4ecc37fdb34705e38fe3d435435a94a8a33c770462e84b4f26b9276a3508d69241a7c102fb9ceb56d8aeddd90490ab48a398f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\a0a74304db73132d4bc12ef9404aa74f9fdeda56\3e431b09-ce09-492e-8244-2d60cfb6ea19\index-dir\the-real-index

Filesize
1KB

MD5
55cd34b455a00f50e8824c84539b2dcf

SHA1
a94a286b09f3bbccef33a8b06a0c1de197fdac1b

SHA256
3f7d1f2095916bbf93bcdfdae6a31b76ffc1053b196d09ac6203684c66ecac3f

SHA512
f21ab03edabeed8ba6f48fa7377fce2d745ba4ff0129a40366295cbc497385eea07877ffeb020a6910c805d3e2800464b546fe0519a99dcb2b21404895b530e1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\a0a74304db73132d4bc12ef9404aa74f9fdeda56\3e431b09-ce09-492e-8244-2d60cfb6ea19\index-dir\the-real-index~RFe588f4b.TMP

Filesize
48B

MD5
95a183b707d4317b1dfe2830cbc8e291

SHA1
51427b128a20fbe11ab57c3ca67984f92ef42334

SHA256
d6b826d4cbaeda82745d5fdd82bc206414275020017ad9e3c8b9ebf702ff4998

SHA512
c040c93377a0830433c151bdb1ce6a1dd9a3370daabc8cf54110459a51df89926015a8bfe8ac96770357352b253aaf6fa7f05f9cb12079568fedc84941298346

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\a0a74304db73132d4bc12ef9404aa74f9fdeda56\57585c65-2bd4-4172-ba69-7050dacdfb8a\index-dir\the-real-index

Filesize
72B

MD5
0380943db56aaa18afa650ad5aef62c5

SHA1
d45cc1095279f9a8f7615fea9197288790b1c7ae

SHA256
860e6a66274f901076bc51aeeaebe905c5c9f16ca8add4d2961712cb7de91710

SHA512
7bbe07160ff6ce0207f1b9e1819d36bf64d3b30f6427c579e83a88b0f19bee5f929fb1d667dcf0f45fb51f50aec66ef4082033318f409907b2a1f1e41c6b097a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\a0a74304db73132d4bc12ef9404aa74f9fdeda56\57585c65-2bd4-4172-ba69-7050dacdfb8a\index-dir\the-real-index~RFe58779c.TMP

Filesize
48B

MD5
b8775bbf33b44278ad17179ee61392c9

SHA1
04e9446e006d57e3da72815541d1323ac4033b75

SHA256
a6f1e1b9b678fb77ed28038d663d121f2aa76ba707702ea766f0f9ecd3c53da6

SHA512
9f9b3800ff79d52da2fbe71785ea8fb2f55be7046916391ca9a157d61847f8c144f5f32116fba6008646cd4ba4bcc7af64054e8087c38e8f516eb75ba95d11b9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\a0a74304db73132d4bc12ef9404aa74f9fdeda56\index.txt

Filesize
109B

MD5
3a56ca2d57078746658d1b433bdeef92

SHA1
5f049f67965d6cbf283b18fb0c4fdc6dcf4e40e7

SHA256
bfe6e4562d945fef8c47113a5e22659ed2e29f65751c5f04edfe3a1545561485

SHA512
fb452ed2d9cf3a1291f769e3f3669d4cada6511d506e9605acdc79439dc1f478b7f57b16e3e38ced7adee4209f6764ab7ba028450d3e27630cbf031c82ddf9d7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\a0a74304db73132d4bc12ef9404aa74f9fdeda56\index.txt

Filesize
204B

MD5
4382f83144a2415d75c7dd90e2bee08b

SHA1
f2c0397e8d2025e09e02a4669576313d6dfd8933

SHA256
0ca7ab61af4cbbd395c9b6bd2c87a3bab2198754f685dd1d6ddca1afbec7ca8b

SHA512
ef2ca673ff18bb471f95f08095d08489c8ca1ec5b4f1d4e34e1ef676ab66ee1d02df30ac571bdb9c63b9cab0e89cd0b62105dbf43845e7722bc2b88441adbd20

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\a0a74304db73132d4bc12ef9404aa74f9fdeda56\index.txt

Filesize
201B

MD5
92f9fb77de3c154def1590d5c5918fa0

SHA1
930c32f5775e4914e25b4eaffe6bcfc33fa948c0

SHA256
53e6d6461ce0aa039e776b513a0b3cbbf2ba027a197404a801f8a93418e7ee88

SHA512
d4a74b2ba1f8d5fd2984518ec99b56d240c21f3da14f37aa359d5069121bdaacffbc263c81c4b53a37aa511a58ab61ef72ecd0025621a68319ef5a3e7c484410

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
91d170916ed020ac92ea30c65622461e

SHA1
0b1a539a8862731c9bee7908394da790d00ff7a1

SHA256
4c3c4ec07a781c4f6ae3ffc028b0da98f7250da9b92c7e61415cbbc7ff6bc0ea

SHA512
b304f95c28b27906c0c86cb64582703479615c0d834d8f3c6eee5dcba883c2b8c4f1d9886eb7c51deb21a3144fddac571763f192d8b76833165b83056a2b4b43

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe58774e.TMP

Filesize
48B

MD5
e9be36eb71eec60f863bfb8d19040571

SHA1
16b76dc6fe74c417745e1cbc29edc486f1f675ea

SHA256
f22f7ef5b3ffb39a1f3f7a162fa764552dadf708a9c3f785ac855554b2269de0

SHA512
279170a3d4fff66b215a35a3c854e2e1f6f4cf8d666c2813131d2a24e78a32a477384bae0c013bf42eed542325e8361881c82aeb5d0bca331cecdffddd781f5b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
45aaaa0e25c977c2c90d172b1c4967f7

SHA1
2bf44fa51c89467fb84505c9713443702d4bac50

SHA256
62bbadb050b2862da35eeeabc90ae0210d0a2af6d4c93fbdcc72dceb841ad782

SHA512
da988e7db08e773a2a7042d174608bd434cacb5d2fd9e3add5a732ce79a2e9d647c9b94ef164c0ad4ba763d0867de95b72c150c8536f8d7c3cccdd3c6de22c78

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIBF58.tmp

Filesize
816KB

MD5
aa88d8f40a286b6d40de0f3abc836cfa

SHA1
c24eab9e4b10b159b589f4c3b64ef3db111ea1c8

SHA256
8d633efeda1249356b11bf8f46583242356e4f903056b53bd25a99511d1790a1

SHA512
6c2f2f6a2d66015f30158962d653e381136f0f30023380a0ce95bd0944d856113fbde65db52dbb3b5de1c0e2edf2cd53184e721c64b916834be4198c61224519

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIC410.tmp

Filesize
877KB

MD5
6a639b68fe7f4e67b7510af13403772b

SHA1
255ba543d6fdd8f037823ff321ec00abe3575c54

SHA256
7118cd0d6956c84dc8ede10db84491d7884bfb0baa4a0ab96afc7eea47f46dd0

SHA512
43cfa4cdf669df71d7da59669ec9653c4facba4c2e6fe52deada469116b5c8b63a927a9ddc2f240ca9e1a2cc4335c12936007662bf47cd11c7e61392af219cef

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tmp117F.tmp

Filesize
1KB

MD5
a10f31fa140f2608ff150125f3687920

SHA1
ec411cc7005aaa8e3775cf105fcd4e1239f8ed4b

SHA256
28c871238311d40287c51dc09aee6510cac5306329981777071600b1112286c6

SHA512
cf915fb34cd5ecfbd6b25171d6e0d3d09af2597edf29f9f24fa474685d4c5ec9bc742ade9f29abac457dd645ee955b1914a635c90af77c519d2ada895e7ecf12

Download Submit
C:\Users\Admin\AppData\Roaming\BmgqLbJUHL.dll

Filesize
2.1MB

MD5
29e117e9f0ce89cb29a3b14f39a2624b

SHA1
1c1060ef434826f6785ea248b647da569e83cd6a

SHA256
3844008c0697a64633357ba8d7088ee41e36ac321969bb442b97eb31e530e4a6

SHA512
757ac09a94ac4b434daeaf19509183e778208c5b82865e877ee25027080fb367a0e6a177a2ebb0e10dff1307975efb0d45b81568866bec478beca59bd822ab45

Download Submit
C:\Users\Admin\AppData\Roaming\Cisco Systems\Cisco Anyconnect\prerequisites\Cisco Installer\AnyConnect Installer.exe

Filesize
1.0MB

MD5
5e9965bc72df9f663ca049d40b1fa3af

SHA1
3fb8de364e3e67f093c1a6c73dc0cac1fd9b2202

SHA256
ffa9df9f2ee9b98a9c9d2edf1521d2e8b952f58e1382cc1d84964d0054564091

SHA512
418abf3447f885a8fee31cf367a83264eaedfa8a90cd30684f9291d9c37c402595e5f782aa8335bc081adf8f2b18b45171a52d846b48c372a00013da64b61339

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

Filesize
24.1MB

MD5
b3a75c87338f9a6e6771183495af7d07

SHA1
1f22645fc8436ea059b1c79e2b5848780b716568

SHA256
17380c0c16c4db37c0c2f2d1abd8f6911389dd4ac8c90a0b154ef927d499e9f1

SHA512
571e2d70b44f32c96f8a507d925051003b97c6088be0c25f2e7f1f05030e41a72b0ff875608b129d1a805b7a320096d9fe98c7c345db1e00754d32f245f7e3e8

Download Submit
\??\Volume{0576a638-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{528cc258-7252-4d83-b102-e635b4368586}_OnDiskSnapshotProp

Filesize
6KB

MD5
3f79c0f0db836af0d0c8a712457907c4

SHA1
8779fe98d2da7e5980bf06c68524259d479bd6b9

SHA256
4a88e80f2d1417f6fb6e892f71f01812f2fd3e801dcebc26705c1109cdc4e228

SHA512
21a92b030494dceed7c9fb6bda0f361e9ad2ff9d0693dcf3132ceccc08d4e61fea695276bad179876294c0738822d309f0fda38c68b9bad4cf8e7c721b89bb14

Download Submit
memory/948-428-0x000001677C340000-0x000001677C55E000-memory.dmp

Filesize
2.1MB

Download
memory/948-426-0x000001677C340000-0x000001677C55E000-memory.dmp

Filesize
2.1MB

Download
memory/948-430-0x000001677C340000-0x000001677C55E000-memory.dmp

Filesize
2.1MB

Download
memory/948-429-0x000001677C340000-0x000001677C55E000-memory.dmp

Filesize
2.1MB

Download
memory/948-427-0x000001677C340000-0x000001677C55E000-memory.dmp

Filesize
2.1MB

Download
memory/3824-75-0x00000261AE1C0000-0x00000261AE1F8000-memory.dmp

Filesize
224KB

Download
memory/3824-76-0x00000261AE190000-0x00000261AE19E000-memory.dmp

Filesize
56KB

Download
memory/3824-78-0x00000261AF450000-0x00000261AF476000-memory.dmp

Filesize
152KB

Download
memory/3824-77-0x00000261AF270000-0x00000261AF3F6000-memory.dmp

Filesize
1.5MB

Download
memory/3824-74-0x00000261ABF70000-0x00000261ABF78000-memory.dmp

Filesize
32KB

Download
memory/3824-73-0x00000261AB590000-0x00000261AB5CC000-memory.dmp

Filesize
240KB

Download
memory/3824-72-0x0000026191B90000-0x0000026191BA2000-memory.dmp

Filesize
72KB

Download
memory/3824-57-0x00000261ABC50000-0x00000261ABD0A000-memory.dmp

Filesize
744KB

Download
memory/3824-56-0x0000026191AC0000-0x0000026191ACA000-memory.dmp

Filesize
40KB

Download
memory/3824-55-0x000002618FDC0000-0x000002618FEC2000-memory.dmp

Filesize
1.0MB

Download