bumblebee | 5768a1fa69dfa1c36c5e196d070eda5a257a4e1ba91440ef773af04f88771535

Analysis

max time kernel
296s
max time network
299s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
submitted
05-12-2024 00:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b8794c9251e2c6fbb96c458a5e1821ddd029335933dfbb03efa7db63673562e8.msi

Score

10^/10

bumblebee 1 discovery loader persistence privilege_escalation

Malware Config

Extracted

Family

bumblebee

Botnet

Attributes

dga
45urhm0ldgxb.live

gx6xly9rp6vl.live

zv46ga4ntybq.live

7n1hfolmrnbl.live

vivh2xlt9i6q.live

97t3nh4kk510.live

kbkdtwucfl40.live

qk6a1ahb63uz.live

whko7loy7h5z.live

dad1zg44n0bn.live

7xwz4hw8dts9.live

ovekd5n3gklq.live

amwnef8mjo4v.live

e7ivqfhnss0x.live

rjql4nicl6bg.live

4mo318kk29i4.live

zpo18lm8vg1x.live

jc51pt290y0n.live

rg26t2dc4hf4.live

qw9a58vunuja.live

ugm94zjzl5nl.live

mckag832orba.live

pdw0v9voxlxr.live

m4tx2apfmoxo.live

n2uc737ef71m.live

hkk3112645hz.live

ugko9g5ipa4o.live

8wgq2x4dybx9.live

h81fx7sj8srr.live

a4tgoqi1cm8x.live

kse2q7uxyrwp.live

mfwnbxvt9qme.live

x99ahfftf28l.live

9n6bmko47gxe.live

6l96lk6edlyf.live

st5j8zqdrppf.live

dxjeucbj4p0j.live

bnpuxnov7lhr.live

a8bxv8lqe1m0.live

yczi2ujcyyro.live

sbeo0cztn1kh.live

o337yf9fh4bf.live

zoki7ma89z7b.live

x2r9bglz76r7.live

wi1w9yu1vush.live

mtqdvzkai700.live

r6o2sj70m85m.live

ut6qohwra5lm.live

9yi98fh7usy1.live

kkpjp9jzbzba.live

whvffwd7zphw.live

uztmazsno4y5.live

i3iubj73c21c.live

b72o02l2ilc6.live

wom4o4cutfx6.live

fek3qya20lid.live

nhkvd56j82xw.live

midyxlu6b22f.live

vp9c9rziba2a.live

rkffupb7i1gv.live

8u7r35mu2e4g.live

3c2xflq8mztc.live

wswis3sptby1.live

9rib57u1zu3c.live

sv3pldc5gkdl.live

bmdcn5celetq.live

y3mpywhmem7t.live

avwtkc23ffmw.live

nvgirtryox1z.live

3rlfa7w0bz37.live

vy9u47oyzltu.live

ysdwk0l8xass.live

tbt0aqol3sp2.live

xqqoo0a8zk0w.live

nevkq7lku38l.live

5u42wjin0vfz.live

y626kbnryktm.live

5k9b8nmc0x8r.live

i18t3jshekua.live

4hk1bcnxbse0.live

si00bu9fv5he.live

g3in90m5caz2.live

f6s4n6w41oov.live

sgl7og2qswmm.live

vrrbk7ykz8h1.live

zl7bmlfq8n9w.live

qydstwmw2imy.live

y9s73mnvurxr.live

7zggkh833im1.live

cvnsiogvl3kt.live

enf3gev34gis.live

doj6z5i9g803.live

zsm954jr5ek4.live

6z96z4mk84dc.live

e0et68offggh.live

au97foecnlrm.live

3ibjpmls5x46.live

mmmpa1byo300.live

3e60zvd64d8y.live

zt3nnzr70hn0.live
dga_seed
7834006444057268685
domain_length
12
num_dga_domains
300
port
443

rc4.plain

Signatures

BumbleBee
BumbleBee is a loader malware written in C++.
loader bumblebee
Bumblebee family
bumblebee

Blocklisted process makes network request 10 IoCs

flow	pid	Process
78	6032	MsiExec.exe
80	6032	MsiExec.exe
82	6032	MsiExec.exe
89	6032	MsiExec.exe
98	6032	MsiExec.exe
106	6032	MsiExec.exe
107	6032	MsiExec.exe
110	6032	MsiExec.exe
111	6032	MsiExec.exe
113	6032	MsiExec.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
79	api.ipify.org
80	api.ipify.org

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	AnyConnect Installer.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI6751.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI67B0.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI67D0.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI6685.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI6810.tmp	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{5B2892F8-A2A6-49F8-BA11-A5C777D0FEE1}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI688E.tmp	msiexec.exe
File created	C:\Windows\Installer\e586618.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e586618.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe

Executes dropped EXE 1 IoCs

pid	Process
3016	AnyConnect Installer.exe

Loads dropped DLL 17 IoCs

pid	Process
4176	MsiExec.exe
4176	MsiExec.exe
4176	MsiExec.exe
4176	MsiExec.exe
4176	MsiExec.exe
4176	MsiExec.exe
4176	MsiExec.exe
4176	MsiExec.exe
4176	MsiExec.exe
4176	MsiExec.exe
4176	MsiExec.exe
5852	MsiExec.exe
5852	MsiExec.exe
5852	MsiExec.exe
5852	MsiExec.exe
5852	MsiExec.exe
6032	MsiExec.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs

persistence privilege_escalation

Installer Packages

T1546.016

Msiexec

T1218.007

pid	Process
3096	msiexec.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 000000000400000038a6760542cf76680000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff00000000270101000008000038a676050000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff00000000070001000068090038a67605000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1d38a67605000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff00000000000000000000000038a6760500000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
1360	msedge.exe
1360	msedge.exe
2296	msedge.exe
2296	msedge.exe
548	identity_helper.exe
548	identity_helper.exe
4828	msiexec.exe
4828	msiexec.exe
5220	msedge.exe
5220	msedge.exe
5220	msedge.exe
5220	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
2296	msedge.exe
2296	msedge.exe
2296	msedge.exe
2296	msedge.exe
2296	msedge.exe
2296	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3096	msiexec.exe
Token: SeIncreaseQuotaPrivilege	3096	msiexec.exe
Token: SeSecurityPrivilege	4828	msiexec.exe
Token: SeCreateTokenPrivilege	3096	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	3096	msiexec.exe
Token: SeLockMemoryPrivilege	3096	msiexec.exe
Token: SeIncreaseQuotaPrivilege	3096	msiexec.exe
Token: SeMachineAccountPrivilege	3096	msiexec.exe
Token: SeTcbPrivilege	3096	msiexec.exe
Token: SeSecurityPrivilege	3096	msiexec.exe
Token: SeTakeOwnershipPrivilege	3096	msiexec.exe
Token: SeLoadDriverPrivilege	3096	msiexec.exe
Token: SeSystemProfilePrivilege	3096	msiexec.exe
Token: SeSystemtimePrivilege	3096	msiexec.exe
Token: SeProfSingleProcessPrivilege	3096	msiexec.exe
Token: SeIncBasePriorityPrivilege	3096	msiexec.exe
Token: SeCreatePagefilePrivilege	3096	msiexec.exe
Token: SeCreatePermanentPrivilege	3096	msiexec.exe
Token: SeBackupPrivilege	3096	msiexec.exe
Token: SeRestorePrivilege	3096	msiexec.exe
Token: SeShutdownPrivilege	3096	msiexec.exe
Token: SeDebugPrivilege	3096	msiexec.exe
Token: SeAuditPrivilege	3096	msiexec.exe
Token: SeSystemEnvironmentPrivilege	3096	msiexec.exe
Token: SeChangeNotifyPrivilege	3096	msiexec.exe
Token: SeRemoteShutdownPrivilege	3096	msiexec.exe
Token: SeUndockPrivilege	3096	msiexec.exe
Token: SeSyncAgentPrivilege	3096	msiexec.exe
Token: SeEnableDelegationPrivilege	3096	msiexec.exe
Token: SeManageVolumePrivilege	3096	msiexec.exe
Token: SeImpersonatePrivilege	3096	msiexec.exe
Token: SeCreateGlobalPrivilege	3096	msiexec.exe
Token: SeCreateTokenPrivilege	3096	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	3096	msiexec.exe
Token: SeLockMemoryPrivilege	3096	msiexec.exe
Token: SeIncreaseQuotaPrivilege	3096	msiexec.exe
Token: SeMachineAccountPrivilege	3096	msiexec.exe
Token: SeTcbPrivilege	3096	msiexec.exe
Token: SeSecurityPrivilege	3096	msiexec.exe
Token: SeTakeOwnershipPrivilege	3096	msiexec.exe
Token: SeLoadDriverPrivilege	3096	msiexec.exe
Token: SeSystemProfilePrivilege	3096	msiexec.exe
Token: SeSystemtimePrivilege	3096	msiexec.exe
Token: SeProfSingleProcessPrivilege	3096	msiexec.exe
Token: SeIncBasePriorityPrivilege	3096	msiexec.exe
Token: SeCreatePagefilePrivilege	3096	msiexec.exe
Token: SeCreatePermanentPrivilege	3096	msiexec.exe
Token: SeBackupPrivilege	3096	msiexec.exe
Token: SeRestorePrivilege	3096	msiexec.exe
Token: SeShutdownPrivilege	3096	msiexec.exe
Token: SeDebugPrivilege	3096	msiexec.exe
Token: SeAuditPrivilege	3096	msiexec.exe
Token: SeSystemEnvironmentPrivilege	3096	msiexec.exe
Token: SeChangeNotifyPrivilege	3096	msiexec.exe
Token: SeRemoteShutdownPrivilege	3096	msiexec.exe
Token: SeUndockPrivilege	3096	msiexec.exe
Token: SeSyncAgentPrivilege	3096	msiexec.exe
Token: SeEnableDelegationPrivilege	3096	msiexec.exe
Token: SeManageVolumePrivilege	3096	msiexec.exe
Token: SeImpersonatePrivilege	3096	msiexec.exe
Token: SeCreateGlobalPrivilege	3096	msiexec.exe
Token: SeCreateTokenPrivilege	3096	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	3096	msiexec.exe
Token: SeLockMemoryPrivilege	3096	msiexec.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
3096	msiexec.exe
2296	msedge.exe
2296	msedge.exe
2296	msedge.exe
2296	msedge.exe
2296	msedge.exe
2296	msedge.exe
2296	msedge.exe
2296	msedge.exe
2296	msedge.exe
2296	msedge.exe
2296	msedge.exe
2296	msedge.exe
2296	msedge.exe
2296	msedge.exe
2296	msedge.exe
2296	msedge.exe
2296	msedge.exe
2296	msedge.exe
2296	msedge.exe
2296	msedge.exe
2296	msedge.exe
2296	msedge.exe
2296	msedge.exe
2296	msedge.exe
2296	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
2296	msedge.exe
2296	msedge.exe
2296	msedge.exe
2296	msedge.exe
2296	msedge.exe
2296	msedge.exe
2296	msedge.exe
2296	msedge.exe
2296	msedge.exe
2296	msedge.exe
2296	msedge.exe
2296	msedge.exe
2296	msedge.exe
2296	msedge.exe
2296	msedge.exe
2296	msedge.exe
2296	msedge.exe
2296	msedge.exe
2296	msedge.exe
2296	msedge.exe
2296	msedge.exe
2296	msedge.exe
2296	msedge.exe
2296	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4828 wrote to memory of 4176	4828	msiexec.exe	85
PID 4828 wrote to memory of 4176	4828	msiexec.exe	85
PID 4828 wrote to memory of 4176	4828	msiexec.exe	85
PID 4176 wrote to memory of 3016	4176	MsiExec.exe	99
PID 4176 wrote to memory of 3016	4176	MsiExec.exe	99
PID 3016 wrote to memory of 2296	3016	AnyConnect Installer.exe	101
PID 3016 wrote to memory of 2296	3016	AnyConnect Installer.exe	101
PID 2296 wrote to memory of 520	2296	msedge.exe	102
PID 2296 wrote to memory of 520	2296	msedge.exe	102
PID 2296 wrote to memory of 1164	2296	msedge.exe	105
PID 2296 wrote to memory of 1164	2296	msedge.exe	105
PID 2296 wrote to memory of 1164	2296	msedge.exe	105
PID 2296 wrote to memory of 1164	2296	msedge.exe	105
PID 2296 wrote to memory of 1164	2296	msedge.exe	105
PID 2296 wrote to memory of 1164	2296	msedge.exe	105
PID 2296 wrote to memory of 1164	2296	msedge.exe	105
PID 2296 wrote to memory of 1164	2296	msedge.exe	105
PID 2296 wrote to memory of 1164	2296	msedge.exe	105
PID 2296 wrote to memory of 1164	2296	msedge.exe	105
PID 2296 wrote to memory of 1164	2296	msedge.exe	105
PID 2296 wrote to memory of 1164	2296	msedge.exe	105
PID 2296 wrote to memory of 1164	2296	msedge.exe	105
PID 2296 wrote to memory of 1164	2296	msedge.exe	105
PID 2296 wrote to memory of 1164	2296	msedge.exe	105
PID 2296 wrote to memory of 1164	2296	msedge.exe	105
PID 2296 wrote to memory of 1164	2296	msedge.exe	105
PID 2296 wrote to memory of 1164	2296	msedge.exe	105
PID 2296 wrote to memory of 1164	2296	msedge.exe	105
PID 2296 wrote to memory of 1164	2296	msedge.exe	105
PID 2296 wrote to memory of 1164	2296	msedge.exe	105
PID 2296 wrote to memory of 1164	2296	msedge.exe	105
PID 2296 wrote to memory of 1164	2296	msedge.exe	105
PID 2296 wrote to memory of 1164	2296	msedge.exe	105
PID 2296 wrote to memory of 1164	2296	msedge.exe	105
PID 2296 wrote to memory of 1164	2296	msedge.exe	105
PID 2296 wrote to memory of 1164	2296	msedge.exe	105
PID 2296 wrote to memory of 1164	2296	msedge.exe	105
PID 2296 wrote to memory of 1164	2296	msedge.exe	105
PID 2296 wrote to memory of 1164	2296	msedge.exe	105
PID 2296 wrote to memory of 1164	2296	msedge.exe	105
PID 2296 wrote to memory of 1164	2296	msedge.exe	105
PID 2296 wrote to memory of 1164	2296	msedge.exe	105
PID 2296 wrote to memory of 1164	2296	msedge.exe	105
PID 2296 wrote to memory of 1164	2296	msedge.exe	105
PID 2296 wrote to memory of 1164	2296	msedge.exe	105
PID 2296 wrote to memory of 1164	2296	msedge.exe	105
PID 2296 wrote to memory of 1164	2296	msedge.exe	105
PID 2296 wrote to memory of 1164	2296	msedge.exe	105
PID 2296 wrote to memory of 1164	2296	msedge.exe	105
PID 2296 wrote to memory of 1360	2296	msedge.exe	106
PID 2296 wrote to memory of 1360	2296	msedge.exe	106
PID 2296 wrote to memory of 728	2296	msedge.exe	107
PID 2296 wrote to memory of 728	2296	msedge.exe	107
PID 2296 wrote to memory of 728	2296	msedge.exe	107
PID 2296 wrote to memory of 728	2296	msedge.exe	107
PID 2296 wrote to memory of 728	2296	msedge.exe	107
PID 2296 wrote to memory of 728	2296	msedge.exe	107
PID 2296 wrote to memory of 728	2296	msedge.exe	107
PID 2296 wrote to memory of 728	2296	msedge.exe	107
PID 2296 wrote to memory of 728	2296	msedge.exe	107
PID 2296 wrote to memory of 728	2296	msedge.exe	107
PID 2296 wrote to memory of 728	2296	msedge.exe	107
PID 2296 wrote to memory of 728	2296	msedge.exe	107
PID 2296 wrote to memory of 728	2296	msedge.exe	107

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\b8794c9251e2c6fbb96c458a5e1821ddd029335933dfbb03efa7db63673562e8.msi
1⤵
- Enumerates connected drives
- Event Triggered Execution: Installer Packages
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3096

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4828
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 3EF4BE4C4324F37E0EB409BAE7C0CE78 C
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4176
- - C:\Users\Admin\AppData\Roaming\Cisco Systems\Cisco Anyconnect\prerequisites\Cisco Installer\AnyConnect Installer.exe
    "C:\Users\Admin\AppData\Roaming\Cisco Systems\Cisco Anyconnect\prerequisites\Cisco Installer\AnyConnect Installer.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:3016
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://apps.microsoft.com/store/detail/9WZDNCRDJ8LH?ocid=&referrer=psi
      4⤵
      Enumerates system info in registry
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of WriteProcessMemory
      PID:2296
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff953db46f8,0x7ff953db4708,0x7ff953db4718
        5⤵
        
        PID:520
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2172,5012154997984685111,12716110906519427971,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2184 /prefetch:2
        5⤵
        
        PID:1164
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2172,5012154997984685111,12716110906519427971,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2236 /prefetch:3
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1360
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2172,5012154997984685111,12716110906519427971,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2752 /prefetch:8
        5⤵
        
        PID:728
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,5012154997984685111,12716110906519427971,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3348 /prefetch:1
        5⤵
        
        PID:2336
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,5012154997984685111,12716110906519427971,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3356 /prefetch:1
        5⤵
        
        PID:1628
    - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2172,5012154997984685111,12716110906519427971,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5192 /prefetch:8
        5⤵
        
        PID:3156
    - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2172,5012154997984685111,12716110906519427971,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5192 /prefetch:8
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:548
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,5012154997984685111,12716110906519427971,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5280 /prefetch:1
        5⤵
        
        PID:684
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,5012154997984685111,12716110906519427971,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5252 /prefetch:1
        5⤵
        
        PID:1724
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,5012154997984685111,12716110906519427971,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5620 /prefetch:1
        5⤵
        
        PID:844
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,5012154997984685111,12716110906519427971,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5584 /prefetch:1
        5⤵
        
        PID:4592
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2172,5012154997984685111,12716110906519427971,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1704 /prefetch:2
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:5220
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  PID:5764
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding D693442A25FA7F048E00220134080ED8
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:5852
- C:\Windows\System32\MsiExec.exe
  "C:\Windows\System32\MsiExec.exe" /Y "C:\Users\Admin\AppData\Roaming\BmgqLbJUHL.dll"
  2⤵
  - Blocklisted process makes network request
  - Loads dropped DLL
  PID:6032

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
PID:4076

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4512

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1280

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Installer Packages

T1546.016

Privilege Escalation

Event Triggered Execution

T1546

Installer Packages

T1546.016

Defense Evasion

System Binary Proxy Execution

T1218

Msiexec

T1218.007

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
37f660dd4b6ddf23bc37f5c823d1c33a

SHA1
1c35538aa307a3e09d15519df6ace99674ae428b

SHA256
4e2510a1d5a50a94fe4ce0f74932ab780758a8cbdc6d176a9ce8ab92309f26f8

SHA512
807b8b8dc9109b6f78fc63655450bf12b9a006ff63e8f29ade8899d45fdf4a6c068c5c46a3efbc4232b9e1e35d6494f00ded5cdb3e235c8a25023bfbd823992d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
d7cb450b1315c63b1d5d89d98ba22da5

SHA1
694005cd9e1a4c54e0b83d0598a8a0c089df1556

SHA256
38355fd694faf1223518e40bac1996bdceaf44191214b0a23c4334d5fb07d031

SHA512
df04d4f4b77bae447a940b28aeac345b21b299d8d26e28ecbb3c1c9e9a0e07c551e412d545c7dbb147a92c12bad7ae49ac35af021c34b88e2c6c5f7a0b65f6a8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
96B

MD5
dadb6aeaf526e2dce97dc6f702aa8513

SHA1
f55333ebe5b23bc4ba810cda9de9cb8e4d15e846

SHA256
603801b68e17e5c8e5af1c465124d999a9e06f4b7dea2e45e9bcdd331e861936

SHA512
51c3aba1a14a25610cb986df8d66b2b40e9170b9d101cb53e9b24136f86b081ca31d37451567469aeb740778b0b4a038080915fa667858cc07395e418faa2345

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
258B

MD5
2c611a5e0570b35e3a86dbfb8a943254

SHA1
831b31fcc2ede459f33bffe011b16da64b593355

SHA256
ff8900bdf7180809bc7a96e48d2b2144cebc5b7a07bf28fba808d5f14a40d993

SHA512
cf36a01f8959acb6a74db5510717c12c9b17f67620a261590164c0e7b59e1dfc0602d05de4e80cd1a543829b7e01e863c54eec6a7f49acab7a707c085848254b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
2327b5855bd448387a40f1751848dafa

SHA1
a53a4c7e9ca820ff6da69c1f4d5e21c0332d062e

SHA256
c0550613c51c62c90dfa7ca079817e79f3776a315bb1642c43b7ba76372e4169

SHA512
7d8d163719baf03ed87b918831a662a33024ac62a893e5767cdd41f1a6c91aeda8d5c51d7bc2551af5c3d7e9072e57b8e79db3a473d3fd684c99a5206daa516e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
a225ea8588df7eb8bc22673eda39ed7a

SHA1
f7f7ffd8ff8be9d01b42eb55558a305e455487fd

SHA256
df3c980e2b5df1952018909dc27463919d905b7f3b33143d4552d67bff132e05

SHA512
5c5ee198e25260391e318e2baf00ddb7e3921c84ca8770a28a2aed0fc947fb43bb6114a1587d3c77622342a7985c1c7a0b7eec8c316bb46720b911b83bca8322

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\a0a74304db73132d4bc12ef9404aa74f9fdeda56\285bcce3-43ff-46d9-849b-104d4de4f4b1\index-dir\the-real-index

Filesize
72B

MD5
566f119ddec47f5c1b3d767fea20ce19

SHA1
bc16957434c3110b22e4fa8765c1081ede43cba6

SHA256
b3003746042829cebbecb25caf84556cf154f0368756b8eefda331db50e3b58b

SHA512
b129a5a72abe0d9214558bf74fcb9fe27cf4c9aa599bcaf6a71cb7be139b050bd20d240bf9278feb208a066a2ddccdd2017109f39e308716cbcfc65e9e6fb1c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\a0a74304db73132d4bc12ef9404aa74f9fdeda56\285bcce3-43ff-46d9-849b-104d4de4f4b1\index-dir\the-real-index~RFe587829.TMP

Filesize
48B

MD5
8263e0c09859f65d1846ca5b8f37522e

SHA1
fa095949b5476ee120610cd35c031d2d5b33c634

SHA256
2f578e4512b2f7ce6579347413f755be186db208a5072c46f052329b5d1e96ad

SHA512
afae3efead0ba5e46ebc8613c367f516051b613a3d8350696dcc9dd95c67acae842fe154e2316692467441f7860d739a1c3e523ef642f0e3aa02656fa14e6d0a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\a0a74304db73132d4bc12ef9404aa74f9fdeda56\28971cf4-fa7b-4ca3-967a-425d9cee56e3\index-dir\the-real-index

Filesize
1KB

MD5
d3a099637059236fdbaeff3bb6c0b8b7

SHA1
2144a971fa6bf454d16049ba2a0fe4681817fdd4

SHA256
0a5c30bf1c0be997d4a61bed1a722d1ed0f74a73e7e618d571c5d650ecc616cf

SHA512
68ccf4f3903f48a8c8288f113a32403864540ddab621ad01ff13be0a507d0e49dbc7b97d71361d26ef49e6611f93d5a4c7ff8b85208c679c31992c08a5c3be07

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\a0a74304db73132d4bc12ef9404aa74f9fdeda56\28971cf4-fa7b-4ca3-967a-425d9cee56e3\index-dir\the-real-index~RFe588e12.TMP

Filesize
48B

MD5
98640288bb9a439dc0142c128d1c147d

SHA1
c9d3c5fd0af83dfca72ac1b214de038d2a228d90

SHA256
376378e5a453f9cd5b03a9ca1a21bd6de1134a5c57c5cbf16f1191151c123e49

SHA512
24c3ca99bffa8387543434e27c8ed49e50bee1f44ec046b0614fe20cc986d2c7b36e40a4fa4f696f882efaa4e5578ac00b24197ef3b19ce6a02f7d77fe000694

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\a0a74304db73132d4bc12ef9404aa74f9fdeda56\index.txt

Filesize
109B

MD5
464b60b18adba8b4e690f75f0d3ccfba

SHA1
4b7d693aa1cdc35b1424647e9bdd3af1b9d719ab

SHA256
db06879c4179539aec0a675f42b415065f41eb3a2227df7f45ffbfd3cb910cd9

SHA512
e95bb463c6a0ff6d66926edeba01deb256a3788d69e0ecca976be78c25f5d6b62079437ec59e7429758c40a1a402d4b83ca922584f4a687a17630d443eced569

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\a0a74304db73132d4bc12ef9404aa74f9fdeda56\index.txt

Filesize
205B

MD5
353fb95084b8c7aca97dd7e6394d4644

SHA1
f6d68618861e1252a83da1e6592fe970d1c3dd25

SHA256
55b6ca6831d1bba22e9d35807066b8e7e9f2903e278b38d3960fd3b6a58aad67

SHA512
11cbbe9b99c578820de7160a4499f302dc570f812bbb43d3513f6f805b4371a7f337427da3a9f47368302e3286f7a4a514d1a4a151a4e54922745cfb8e893315

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\a0a74304db73132d4bc12ef9404aa74f9fdeda56\index.txt

Filesize
201B

MD5
2846769dcaff5232818fad4ce2c20729

SHA1
0059032cc645e11be55cf31332f1d1676d09731d

SHA256
b19053de82cacba7b7269aef914ddecbade6766a192ac7f81db793819e85ad41

SHA512
77e68028ca90548bc13ba9e37818030774af951730e6c72d70aafc2ff433eed0231e7849c32cacfd051896881937f386e1af4477067b63aa246e887b361f0e33

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
1433e36e7b4ae8a2da67d2436acb79de

SHA1
0e82a800a1d28a11a85299898d5f456bab182746

SHA256
fdef88238f4e216782dcf28e53e4dcdd48ddb8943399022d443c372186f0f2a0

SHA512
9df660c1a3a1022dfc7f9b3b936ffc9f561fbd67855cc2c68b13ed688645169db2ee21728ba79d2c1547603e5e0caf7c11497c6bf6d3ddd40882d7b5017dcf92

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe5877db.TMP

Filesize
48B

MD5
a802a2f1dc325362af195b75ed1067e8

SHA1
6acd78e288f5485290d78150b8cbfcc54dcb7614

SHA256
0aa048d46da12f95fbb9c671da3d6e99a6621925ac55d1c63e0a234fa4d74366

SHA512
f1e2e0dfab8e954711e7c82fbe653b15139e0f3ac860f583afade84412c797e7d29968d828803ddcf61c760ea35518c781c91c1d895bdbda1499af82eff6a7b6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
2660cf48caaa15cecf27b28be2db822d

SHA1
5e9f7c981f075bfd9c1c4369c8377f0fe9177553

SHA256
03ad82bd2ab0cefa912f3bf7ad4974a28d9f686bd73e884d4c492977d252e1d0

SHA512
45cfef8a18d0be54c8c5e65ab86e974973c0acf95f93669eda1a314552e70ce4eca443a0dd184263db6e9e6ed30dc4054728bd1c43d4eae26661fd0360a26bc4

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIBE9D.tmp

Filesize
816KB

MD5
aa88d8f40a286b6d40de0f3abc836cfa

SHA1
c24eab9e4b10b159b589f4c3b64ef3db111ea1c8

SHA256
8d633efeda1249356b11bf8f46583242356e4f903056b53bd25a99511d1790a1

SHA512
6c2f2f6a2d66015f30158962d653e381136f0f30023380a0ce95bd0944d856113fbde65db52dbb3b5de1c0e2edf2cd53184e721c64b916834be4198c61224519

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIC20D.tmp

Filesize
877KB

MD5
6a639b68fe7f4e67b7510af13403772b

SHA1
255ba543d6fdd8f037823ff321ec00abe3575c54

SHA256
7118cd0d6956c84dc8ede10db84491d7884bfb0baa4a0ab96afc7eea47f46dd0

SHA512
43cfa4cdf669df71d7da59669ec9653c4facba4c2e6fe52deada469116b5c8b63a927a9ddc2f240ca9e1a2cc4335c12936007662bf47cd11c7e61392af219cef

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tmp10B4.tmp

Filesize
1KB

MD5
a10f31fa140f2608ff150125f3687920

SHA1
ec411cc7005aaa8e3775cf105fcd4e1239f8ed4b

SHA256
28c871238311d40287c51dc09aee6510cac5306329981777071600b1112286c6

SHA512
cf915fb34cd5ecfbd6b25171d6e0d3d09af2597edf29f9f24fa474685d4c5ec9bc742ade9f29abac457dd645ee955b1914a635c90af77c519d2ada895e7ecf12

Download Submit
C:\Users\Admin\AppData\Roaming\BmgqLbJUHL.dll

Filesize
2.1MB

MD5
29e117e9f0ce89cb29a3b14f39a2624b

SHA1
1c1060ef434826f6785ea248b647da569e83cd6a

SHA256
3844008c0697a64633357ba8d7088ee41e36ac321969bb442b97eb31e530e4a6

SHA512
757ac09a94ac4b434daeaf19509183e778208c5b82865e877ee25027080fb367a0e6a177a2ebb0e10dff1307975efb0d45b81568866bec478beca59bd822ab45

Download Submit
C:\Users\Admin\AppData\Roaming\Cisco Systems\Cisco Anyconnect\prerequisites\Cisco Installer\AnyConnect Installer.exe

Filesize
1.0MB

MD5
5e9965bc72df9f663ca049d40b1fa3af

SHA1
3fb8de364e3e67f093c1a6c73dc0cac1fd9b2202

SHA256
ffa9df9f2ee9b98a9c9d2edf1521d2e8b952f58e1382cc1d84964d0054564091

SHA512
418abf3447f885a8fee31cf367a83264eaedfa8a90cd30684f9291d9c37c402595e5f782aa8335bc081adf8f2b18b45171a52d846b48c372a00013da64b61339

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

Filesize
24.1MB

MD5
3ee7b57c2955f2b75de9754e6cb9b0a9

SHA1
f06da390c37f67a0b4839516ca5b3ecb6c9ea1ac

SHA256
11ef2880982548a39a9b28cb50265eeea66ad0829456e5955e8185cfe97c0fec

SHA512
598431489f9f6671f112ab6a80eb8d8e52c2958e85ba49320453bed8bb219274dcc6ca1f9a6a31a48f1c7da73986dad24562f57dd630a49b694efe2ff449bc59

Download Submit
\??\Volume{0576a638-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{b6b82d0e-c42a-4556-b18a-6aa2848f5f8b}_OnDiskSnapshotProp

Filesize
6KB

MD5
6ca878bcdee930faf5b7fb07bb487db0

SHA1
302157d3a7073d59ca4bb2cdf88daf2b83f6edef

SHA256
b61fb7e52bab03d426920fa8675d3e2527fdcbb24b2f3deb23607ea27be5678f

SHA512
e89ed5504466e0db9125e535f4b69a0427459a6e23a95c60cbc920f323aeca3b21f5466dd0e630d400cc66c5eb5a3aa08abdb8d3b5202a098dcc1012bb4767a7

Download Submit
memory/3016-56-0x0000020D58ED0000-0x0000020D58EDA000-memory.dmp

Filesize
40KB

Download
memory/3016-55-0x0000020D57130000-0x0000020D57232000-memory.dmp

Filesize
1.0MB

Download
memory/3016-78-0x0000020D767B0000-0x0000020D767D6000-memory.dmp

Filesize
152KB

Download
memory/3016-77-0x0000020D765F0000-0x0000020D76776000-memory.dmp

Filesize
1.5MB

Download
memory/3016-74-0x0000020D73280000-0x0000020D73288000-memory.dmp

Filesize
32KB

Download
memory/3016-73-0x0000020D728B0000-0x0000020D728EC000-memory.dmp

Filesize
240KB

Download
memory/3016-72-0x0000020D72850000-0x0000020D72862000-memory.dmp

Filesize
72KB

Download
memory/3016-76-0x0000020D75500000-0x0000020D7550E000-memory.dmp

Filesize
56KB

Download
memory/3016-57-0x0000020D72F50000-0x0000020D7300A000-memory.dmp

Filesize
744KB

Download
memory/3016-75-0x0000020D75540000-0x0000020D75578000-memory.dmp

Filesize
224KB

Download
memory/6032-406-0x0000020C4CC20000-0x0000020C4CE3E000-memory.dmp

Filesize
2.1MB

Download
memory/6032-403-0x0000020C4CC20000-0x0000020C4CE3E000-memory.dmp

Filesize
2.1MB

Download
memory/6032-405-0x0000020C4CC20000-0x0000020C4CE3E000-memory.dmp

Filesize
2.1MB

Download
memory/6032-407-0x0000020C4CC20000-0x0000020C4CE3E000-memory.dmp

Filesize
2.1MB

Download
memory/6032-404-0x0000020C4CC20000-0x0000020C4CE3E000-memory.dmp

Filesize
2.1MB

Download