bumblebee | 5768a1fa69dfa1c36c5e196d070eda5a257a4e1ba91440ef773af04f88771535

Analysis

max time kernel
150s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
submitted
05-12-2024 00:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b8794c9251e2c6fbb96c458a5e1821ddd029335933dfbb03efa7db63673562e8.msi

Score

10^/10

bumblebee 1 discovery loader persistence privilege_escalation

Malware Config

Extracted

Family

bumblebee

Botnet

Attributes

dga
45urhm0ldgxb.live

gx6xly9rp6vl.live

zv46ga4ntybq.live

7n1hfolmrnbl.live

vivh2xlt9i6q.live

97t3nh4kk510.live

kbkdtwucfl40.live

qk6a1ahb63uz.live

whko7loy7h5z.live

dad1zg44n0bn.live

7xwz4hw8dts9.live

ovekd5n3gklq.live

amwnef8mjo4v.live

e7ivqfhnss0x.live

rjql4nicl6bg.live

4mo318kk29i4.live

zpo18lm8vg1x.live

jc51pt290y0n.live

rg26t2dc4hf4.live

qw9a58vunuja.live

ugm94zjzl5nl.live

mckag832orba.live

pdw0v9voxlxr.live

m4tx2apfmoxo.live

n2uc737ef71m.live

hkk3112645hz.live

ugko9g5ipa4o.live

8wgq2x4dybx9.live

h81fx7sj8srr.live

a4tgoqi1cm8x.live

kse2q7uxyrwp.live

mfwnbxvt9qme.live

x99ahfftf28l.live

9n6bmko47gxe.live

6l96lk6edlyf.live

st5j8zqdrppf.live

dxjeucbj4p0j.live

bnpuxnov7lhr.live

a8bxv8lqe1m0.live

yczi2ujcyyro.live

sbeo0cztn1kh.live

o337yf9fh4bf.live

zoki7ma89z7b.live

x2r9bglz76r7.live

wi1w9yu1vush.live

mtqdvzkai700.live

r6o2sj70m85m.live

ut6qohwra5lm.live

9yi98fh7usy1.live

kkpjp9jzbzba.live

whvffwd7zphw.live

uztmazsno4y5.live

i3iubj73c21c.live

b72o02l2ilc6.live

wom4o4cutfx6.live

fek3qya20lid.live

nhkvd56j82xw.live

midyxlu6b22f.live

vp9c9rziba2a.live

rkffupb7i1gv.live

8u7r35mu2e4g.live

3c2xflq8mztc.live

wswis3sptby1.live

9rib57u1zu3c.live

sv3pldc5gkdl.live

bmdcn5celetq.live

y3mpywhmem7t.live

avwtkc23ffmw.live

nvgirtryox1z.live

3rlfa7w0bz37.live

vy9u47oyzltu.live

ysdwk0l8xass.live

tbt0aqol3sp2.live

xqqoo0a8zk0w.live

nevkq7lku38l.live

5u42wjin0vfz.live

y626kbnryktm.live

5k9b8nmc0x8r.live

i18t3jshekua.live

4hk1bcnxbse0.live

si00bu9fv5he.live

g3in90m5caz2.live

f6s4n6w41oov.live

sgl7og2qswmm.live

vrrbk7ykz8h1.live

zl7bmlfq8n9w.live

qydstwmw2imy.live

y9s73mnvurxr.live

7zggkh833im1.live

cvnsiogvl3kt.live

enf3gev34gis.live

doj6z5i9g803.live

zsm954jr5ek4.live

6z96z4mk84dc.live

e0et68offggh.live

au97foecnlrm.live

3ibjpmls5x46.live

mmmpa1byo300.live

3e60zvd64d8y.live

zt3nnzr70hn0.live
dga_seed
7834006444057268685
domain_length
12
num_dga_domains
300
port
443

rc4.plain

Signatures

BumbleBee
BumbleBee is a loader malware written in C++.
loader bumblebee
Bumblebee family
bumblebee

Blocklisted process makes network request 6 IoCs

flow	pid	Process
82	4272	MsiExec.exe
84	4272	MsiExec.exe
86	4272	MsiExec.exe
92	4272	MsiExec.exe
99	4272	MsiExec.exe
105	4272	MsiExec.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
83	api.ipify.org
84	api.ipify.org

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	AnyConnect Installer.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\e586bc5.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI6D6C.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI6DBB.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI6DEB.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI6E1B.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI6F44.tmp	msiexec.exe
File created	C:\Windows\Installer\e586bc5.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI6C51.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{5B2892F8-A2A6-49F8-BA11-A5C777D0FEE1}	msiexec.exe

Executes dropped EXE 1 IoCs

pid	Process
3112	AnyConnect Installer.exe

Loads dropped DLL 17 IoCs

pid	Process
3908	MsiExec.exe
3908	MsiExec.exe
3908	MsiExec.exe
3908	MsiExec.exe
3908	MsiExec.exe
3908	MsiExec.exe
3908	MsiExec.exe
3908	MsiExec.exe
3908	MsiExec.exe
3908	MsiExec.exe
3908	MsiExec.exe
6108	MsiExec.exe
6108	MsiExec.exe
6108	MsiExec.exe
6108	MsiExec.exe
6108	MsiExec.exe
4272	MsiExec.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs

persistence privilege_escalation

Installer Packages

T1546.016

Msiexec

T1218.007

pid	Process
452	msiexec.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 0000000004000000a47b29fbd6f9c3720000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff000000002701010000080000a47b29fb0000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff000000000700010000680900a47b29fb000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1da47b29fb000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000a47b29fb00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

pid	Process
628	msedge.exe
628	msedge.exe
1444	msedge.exe
1444	msedge.exe
1444	msedge.exe
3104	identity_helper.exe
3104	identity_helper.exe
4940	msiexec.exe
4940	msiexec.exe
1584	msedge.exe
1584	msedge.exe
1584	msedge.exe
1584	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
1444	msedge.exe
1444	msedge.exe
1444	msedge.exe
1444	msedge.exe
1444	msedge.exe
1444	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	452	msiexec.exe
Token: SeIncreaseQuotaPrivilege	452	msiexec.exe
Token: SeSecurityPrivilege	4940	msiexec.exe
Token: SeCreateTokenPrivilege	452	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	452	msiexec.exe
Token: SeLockMemoryPrivilege	452	msiexec.exe
Token: SeIncreaseQuotaPrivilege	452	msiexec.exe
Token: SeMachineAccountPrivilege	452	msiexec.exe
Token: SeTcbPrivilege	452	msiexec.exe
Token: SeSecurityPrivilege	452	msiexec.exe
Token: SeTakeOwnershipPrivilege	452	msiexec.exe
Token: SeLoadDriverPrivilege	452	msiexec.exe
Token: SeSystemProfilePrivilege	452	msiexec.exe
Token: SeSystemtimePrivilege	452	msiexec.exe
Token: SeProfSingleProcessPrivilege	452	msiexec.exe
Token: SeIncBasePriorityPrivilege	452	msiexec.exe
Token: SeCreatePagefilePrivilege	452	msiexec.exe
Token: SeCreatePermanentPrivilege	452	msiexec.exe
Token: SeBackupPrivilege	452	msiexec.exe
Token: SeRestorePrivilege	452	msiexec.exe
Token: SeShutdownPrivilege	452	msiexec.exe
Token: SeDebugPrivilege	452	msiexec.exe
Token: SeAuditPrivilege	452	msiexec.exe
Token: SeSystemEnvironmentPrivilege	452	msiexec.exe
Token: SeChangeNotifyPrivilege	452	msiexec.exe
Token: SeRemoteShutdownPrivilege	452	msiexec.exe
Token: SeUndockPrivilege	452	msiexec.exe
Token: SeSyncAgentPrivilege	452	msiexec.exe
Token: SeEnableDelegationPrivilege	452	msiexec.exe
Token: SeManageVolumePrivilege	452	msiexec.exe
Token: SeImpersonatePrivilege	452	msiexec.exe
Token: SeCreateGlobalPrivilege	452	msiexec.exe
Token: SeCreateTokenPrivilege	452	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	452	msiexec.exe
Token: SeLockMemoryPrivilege	452	msiexec.exe
Token: SeIncreaseQuotaPrivilege	452	msiexec.exe
Token: SeMachineAccountPrivilege	452	msiexec.exe
Token: SeTcbPrivilege	452	msiexec.exe
Token: SeSecurityPrivilege	452	msiexec.exe
Token: SeTakeOwnershipPrivilege	452	msiexec.exe
Token: SeLoadDriverPrivilege	452	msiexec.exe
Token: SeSystemProfilePrivilege	452	msiexec.exe
Token: SeSystemtimePrivilege	452	msiexec.exe
Token: SeProfSingleProcessPrivilege	452	msiexec.exe
Token: SeIncBasePriorityPrivilege	452	msiexec.exe
Token: SeCreatePagefilePrivilege	452	msiexec.exe
Token: SeCreatePermanentPrivilege	452	msiexec.exe
Token: SeBackupPrivilege	452	msiexec.exe
Token: SeRestorePrivilege	452	msiexec.exe
Token: SeShutdownPrivilege	452	msiexec.exe
Token: SeDebugPrivilege	452	msiexec.exe
Token: SeAuditPrivilege	452	msiexec.exe
Token: SeSystemEnvironmentPrivilege	452	msiexec.exe
Token: SeChangeNotifyPrivilege	452	msiexec.exe
Token: SeRemoteShutdownPrivilege	452	msiexec.exe
Token: SeUndockPrivilege	452	msiexec.exe
Token: SeSyncAgentPrivilege	452	msiexec.exe
Token: SeEnableDelegationPrivilege	452	msiexec.exe
Token: SeManageVolumePrivilege	452	msiexec.exe
Token: SeImpersonatePrivilege	452	msiexec.exe
Token: SeCreateGlobalPrivilege	452	msiexec.exe
Token: SeCreateTokenPrivilege	452	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	452	msiexec.exe
Token: SeLockMemoryPrivilege	452	msiexec.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
452	msiexec.exe
1444	msedge.exe
1444	msedge.exe
1444	msedge.exe
1444	msedge.exe
1444	msedge.exe
1444	msedge.exe
1444	msedge.exe
1444	msedge.exe
1444	msedge.exe
1444	msedge.exe
1444	msedge.exe
1444	msedge.exe
1444	msedge.exe
1444	msedge.exe
1444	msedge.exe
1444	msedge.exe
1444	msedge.exe
1444	msedge.exe
1444	msedge.exe
1444	msedge.exe
1444	msedge.exe
1444	msedge.exe
1444	msedge.exe
1444	msedge.exe
1444	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1444	msedge.exe
1444	msedge.exe
1444	msedge.exe
1444	msedge.exe
1444	msedge.exe
1444	msedge.exe
1444	msedge.exe
1444	msedge.exe
1444	msedge.exe
1444	msedge.exe
1444	msedge.exe
1444	msedge.exe
1444	msedge.exe
1444	msedge.exe
1444	msedge.exe
1444	msedge.exe
1444	msedge.exe
1444	msedge.exe
1444	msedge.exe
1444	msedge.exe
1444	msedge.exe
1444	msedge.exe
1444	msedge.exe
1444	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4940 wrote to memory of 3908	4940	msiexec.exe	85
PID 4940 wrote to memory of 3908	4940	msiexec.exe	85
PID 4940 wrote to memory of 3908	4940	msiexec.exe	85
PID 3908 wrote to memory of 3112	3908	MsiExec.exe	99
PID 3908 wrote to memory of 3112	3908	MsiExec.exe	99
PID 3112 wrote to memory of 1444	3112	AnyConnect Installer.exe	101
PID 3112 wrote to memory of 1444	3112	AnyConnect Installer.exe	101
PID 1444 wrote to memory of 4924	1444	msedge.exe	102
PID 1444 wrote to memory of 4924	1444	msedge.exe	102
PID 1444 wrote to memory of 980	1444	msedge.exe	105
PID 1444 wrote to memory of 980	1444	msedge.exe	105
PID 1444 wrote to memory of 980	1444	msedge.exe	105
PID 1444 wrote to memory of 980	1444	msedge.exe	105
PID 1444 wrote to memory of 980	1444	msedge.exe	105
PID 1444 wrote to memory of 980	1444	msedge.exe	105
PID 1444 wrote to memory of 980	1444	msedge.exe	105
PID 1444 wrote to memory of 980	1444	msedge.exe	105
PID 1444 wrote to memory of 980	1444	msedge.exe	105
PID 1444 wrote to memory of 980	1444	msedge.exe	105
PID 1444 wrote to memory of 980	1444	msedge.exe	105
PID 1444 wrote to memory of 980	1444	msedge.exe	105
PID 1444 wrote to memory of 980	1444	msedge.exe	105
PID 1444 wrote to memory of 980	1444	msedge.exe	105
PID 1444 wrote to memory of 980	1444	msedge.exe	105
PID 1444 wrote to memory of 980	1444	msedge.exe	105
PID 1444 wrote to memory of 980	1444	msedge.exe	105
PID 1444 wrote to memory of 980	1444	msedge.exe	105
PID 1444 wrote to memory of 980	1444	msedge.exe	105
PID 1444 wrote to memory of 980	1444	msedge.exe	105
PID 1444 wrote to memory of 980	1444	msedge.exe	105
PID 1444 wrote to memory of 980	1444	msedge.exe	105
PID 1444 wrote to memory of 980	1444	msedge.exe	105
PID 1444 wrote to memory of 980	1444	msedge.exe	105
PID 1444 wrote to memory of 980	1444	msedge.exe	105
PID 1444 wrote to memory of 980	1444	msedge.exe	105
PID 1444 wrote to memory of 980	1444	msedge.exe	105
PID 1444 wrote to memory of 980	1444	msedge.exe	105
PID 1444 wrote to memory of 980	1444	msedge.exe	105
PID 1444 wrote to memory of 980	1444	msedge.exe	105
PID 1444 wrote to memory of 980	1444	msedge.exe	105
PID 1444 wrote to memory of 980	1444	msedge.exe	105
PID 1444 wrote to memory of 980	1444	msedge.exe	105
PID 1444 wrote to memory of 980	1444	msedge.exe	105
PID 1444 wrote to memory of 980	1444	msedge.exe	105
PID 1444 wrote to memory of 980	1444	msedge.exe	105
PID 1444 wrote to memory of 980	1444	msedge.exe	105
PID 1444 wrote to memory of 980	1444	msedge.exe	105
PID 1444 wrote to memory of 980	1444	msedge.exe	105
PID 1444 wrote to memory of 980	1444	msedge.exe	105
PID 1444 wrote to memory of 628	1444	msedge.exe	106
PID 1444 wrote to memory of 628	1444	msedge.exe	106
PID 1444 wrote to memory of 1588	1444	msedge.exe	107
PID 1444 wrote to memory of 1588	1444	msedge.exe	107
PID 1444 wrote to memory of 1588	1444	msedge.exe	107
PID 1444 wrote to memory of 1588	1444	msedge.exe	107
PID 1444 wrote to memory of 1588	1444	msedge.exe	107
PID 1444 wrote to memory of 1588	1444	msedge.exe	107
PID 1444 wrote to memory of 1588	1444	msedge.exe	107
PID 1444 wrote to memory of 1588	1444	msedge.exe	107
PID 1444 wrote to memory of 1588	1444	msedge.exe	107
PID 1444 wrote to memory of 1588	1444	msedge.exe	107
PID 1444 wrote to memory of 1588	1444	msedge.exe	107
PID 1444 wrote to memory of 1588	1444	msedge.exe	107
PID 1444 wrote to memory of 1588	1444	msedge.exe	107

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\b8794c9251e2c6fbb96c458a5e1821ddd029335933dfbb03efa7db63673562e8.msi
1⤵
- Enumerates connected drives
- Event Triggered Execution: Installer Packages
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:452

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4940
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding DA07382511121169D18723447899B758 C
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3908
- - C:\Users\Admin\AppData\Roaming\Cisco Systems\Cisco Anyconnect\prerequisites\Cisco Installer\AnyConnect Installer.exe
    "C:\Users\Admin\AppData\Roaming\Cisco Systems\Cisco Anyconnect\prerequisites\Cisco Installer\AnyConnect Installer.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:3112
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://apps.microsoft.com/store/detail/9WZDNCRDJ8LH?ocid=&referrer=psi
      4⤵
      Enumerates system info in registry
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of WriteProcessMemory
      PID:1444
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x104,0x108,0x10c,0x100,0xfc,0x7fffcf2846f8,0x7fffcf284708,0x7fffcf284718
        5⤵
        
        PID:4924
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2104,10523209619654644864,5965342557004622954,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2116 /prefetch:2
        5⤵
        
        PID:980
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2104,10523209619654644864,5965342557004622954,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2168 /prefetch:3
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:628
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2104,10523209619654644864,5965342557004622954,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2924 /prefetch:8
        5⤵
        
        PID:1588
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,10523209619654644864,5965342557004622954,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3336 /prefetch:1
        5⤵
        
        PID:4504
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,10523209619654644864,5965342557004622954,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3344 /prefetch:1
        5⤵
        
        PID:2816
    - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2104,10523209619654644864,5965342557004622954,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5320 /prefetch:8
        5⤵
        
        PID:2340
    - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2104,10523209619654644864,5965342557004622954,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5320 /prefetch:8
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3104
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,10523209619654644864,5965342557004622954,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5388 /prefetch:1
        5⤵
        
        PID:2432
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,10523209619654644864,5965342557004622954,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5404 /prefetch:1
        5⤵
        
        PID:4952
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,10523209619654644864,5965342557004622954,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5604 /prefetch:1
        5⤵
        
        PID:5344
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,10523209619654644864,5965342557004622954,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5640 /prefetch:1
        5⤵
        
        PID:5352
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2104,10523209619654644864,5965342557004622954,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5440 /prefetch:2
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1584
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  PID:6016
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 1A612C23A47DB14807BDD412C46B62A0
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:6108
- C:\Windows\System32\MsiExec.exe
  "C:\Windows\System32\MsiExec.exe" /Y "C:\Users\Admin\AppData\Roaming\BmgqLbJUHL.dll"
  2⤵
  - Blocklisted process makes network request
  - Loads dropped DLL
  PID:4272

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
PID:4368

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:532

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:728

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Installer Packages

T1546.016

Privilege Escalation

Event Triggered Execution

T1546

Installer Packages

T1546.016

Defense Evasion

System Binary Proxy Execution

T1218

Msiexec

T1218.007

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
7de1bbdc1f9cf1a58ae1de4951ce8cb9

SHA1
010da169e15457c25bd80ef02d76a940c1210301

SHA256
6e390bbc0d03a652516705775e8e9a7b7936312a8a5bea407f9d7d9fa99d957e

SHA512
e4a33f2128883e71ab41e803e8b55d0ac17cbc51be3bde42bed157df24f10f34ad264f74ef3254dbe30d253aca03158fde21518c2b78aaa05dae8308b1c5f30c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
85ba073d7015b6ce7da19235a275f6da

SHA1
a23c8c2125e45a0788bac14423ae1f3eab92cf00

SHA256
5ad04b8c19bf43b550ad725202f79086168ecccabe791100fba203d9aa27e617

SHA512
eb4fd72d7030ea1a25af2b59769b671a5760735fb95d18145f036a8d9e6f42c903b34a7e606046c740c644fab0bb9f5b7335c1869b098f121579e71f10f5a9c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
96B

MD5
a20ece713887dc0f133b3a6dafbc6081

SHA1
e3c3ad96fdfeb5c95b468aee3c12c2236818dc32

SHA256
952dbc31b27b1b7d1d8a63f2a48b2a15c92def2dc3060e521bcb8c34f1f71e08

SHA512
da13e234ccf542facc44786c8fd17ab293e64a210c86faa78057110a81098d8546ee1bae31e18fb905c5f35aa16720168bfbc9e27646186922878a15b71e2c57

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
258B

MD5
2c611a5e0570b35e3a86dbfb8a943254

SHA1
831b31fcc2ede459f33bffe011b16da64b593355

SHA256
ff8900bdf7180809bc7a96e48d2b2144cebc5b7a07bf28fba808d5f14a40d993

SHA512
cf36a01f8959acb6a74db5510717c12c9b17f67620a261590164c0e7b59e1dfc0602d05de4e80cd1a543829b7e01e863c54eec6a7f49acab7a707c085848254b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
d5c35cfa81ad07b09e35bd74ef44fb75

SHA1
88d88f797f20eacbc3c9ebf133c190fa64d0ca54

SHA256
76c13870e67c27e102cba155514d7c17b22b030427ed6e097798b4349fc00a48

SHA512
c2ca651cb7bbb9ed633cb5e821365bfd5aa99f9cd1cd703c0d45bcb7a0f217a8b5b65ccf86f588d09e0427a127e7ee776431653285ba23851c3ee1febd65b919

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
969258190a8f4df775c3e30ba2a51e20

SHA1
9e04478c94cd9c60f5483f166bb44654f516faf1

SHA256
e2424e572e43fa5c044f2a7587dd45d9a3fcd8cadb3569180666b0ea082bca3c

SHA512
9165484ef8adfb29c3251955a78e436030842aa8fdabce3730f70facdb56bd012676ac779b6efa51fe383a27b7478b29e1fbeaf04c3292234dd355387a57bd7d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\a0a74304db73132d4bc12ef9404aa74f9fdeda56\1d1b115b-193f-4618-9ec0-ea2a996c3403\index-dir\the-real-index

Filesize
72B

MD5
43d9480ded094d88179e6f8685fa91c4

SHA1
e6fa998f3cdafbba01dffda68ca2d7170ea24f93

SHA256
39d3b43f175f69720d6a7f4febd4bc63fa685a3be82a0936ecb4fcfdd3f0eb86

SHA512
832ce5724bdeed2bbf60bae482d1f3fb752060dd220f59e2a0067a6517983f004c7e01d0fdb646d4ba2104c0f817c2bdaf092b19a3dbb6edc37d01bc26bd14e1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\a0a74304db73132d4bc12ef9404aa74f9fdeda56\1d1b115b-193f-4618-9ec0-ea2a996c3403\index-dir\the-real-index~RFe58822b.TMP

Filesize
48B

MD5
18894d9263e5624a85f11f185f95ece0

SHA1
e03068c304933dd5f52a6663608f4212b4ff08e4

SHA256
a7c3e35eae5b7622a628b156e9642365cbcceb7beb088ab7e158205d6ecb960b

SHA512
f682aa0c297d2ae8555f5a02c781b3b73d596787c1b4cb6785075ee2cd6932d71861b8888c06229d44b475c83374d9dbbf1b928286b2fc8f6938ec64e2212d67

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\a0a74304db73132d4bc12ef9404aa74f9fdeda56\52363974-679e-4f15-9648-bf9d4b86cb99\index-dir\the-real-index

Filesize
1KB

MD5
9a8ad7e25d0025203660e44bfd1ec694

SHA1
8b9a7bf0e98465d95c934ee063afd2051f56d1f9

SHA256
4619efcdad0116e85f0a9365a4904b9a5903448869098a685086f218d073c306

SHA512
3b3cbd585cffd27eff83a397ee077926319b8dcd0889cc5d8747d80411d6108f4cc9b3f4116bd5c76113da61bf3939ec108d74bbf0f9eac931d59426b36695d6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\a0a74304db73132d4bc12ef9404aa74f9fdeda56\52363974-679e-4f15-9648-bf9d4b86cb99\index-dir\the-real-index~RFe589064.TMP

Filesize
48B

MD5
ba6e32470ffecf161adfeb04d266939e

SHA1
dee97cd0790605efb185c1d397fcf485ae2fb9fe

SHA256
951f76331e8382ac87664368b62202428dc7d143d3e41b9b4e9eddfcc664df96

SHA512
3ef8455041790f4d6158819eb017744e6eec36e4933e29e57667cd075671a2bf0fb95ddfa67b54303eded36a186f48b6112809b0c97b3d961652e26cca20881f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\a0a74304db73132d4bc12ef9404aa74f9fdeda56\index.txt

Filesize
109B

MD5
c1303a531281c2aeff55cc1ffb4024c2

SHA1
459581912507edcf35028e8c99a96c255931ce92

SHA256
d96706fe083b5f7a642d2795113bd35b9784a926f26d2c9f02f55d63a679385a

SHA512
3e79f0627cc41e47bd59c494c61c3b0b8b1e2f79faca11624799b0a9dd325d6c68b71ddf4fbaa3858040ac07b8cad80f4b36d1a3a7405def166773b24649ad3a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\a0a74304db73132d4bc12ef9404aa74f9fdeda56\index.txt

Filesize
204B

MD5
1ae2694c47030836a3463ab55ab088e1

SHA1
ba9a1129f6c928c1a2898ab9092e6aa043c7a313

SHA256
8bc02d4bb57b20de0fd4450da53a5184ec3f297c976c8a27084b23f23903e1c5

SHA512
7a77e3f74dea07833064eb24adaa42d10980a4560f52c227715cedea21c485090ccce06a7ea1c1f1bb7a7f9b6d4916e03bc74e26939eebd3fb9d9c4dbd15b3d5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\a0a74304db73132d4bc12ef9404aa74f9fdeda56\index.txt

Filesize
201B

MD5
d9137f40927c7888b38ff0dcd0e38947

SHA1
83275287b20797b450e2283cf20f6ad44a64b0a2

SHA256
3368365305106021771b8ab03750632bea308fea3be5f240bd705c1561961781

SHA512
c780013507f936dbc09acf677541bbd8744eba1c045e8fc78f9a696f47981cdbfe947e1800922cce7831735f0445f685d152b77223baf23ef74328333347102b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
262d6cc5793b729d15ac606d69b93140

SHA1
c95332f00b179775dcef7701509d39f7563e8fa0

SHA256
3b8445697323fe15703bfc2cb9c97e50b1f19b42ca31e7f5c1aa86812f258f2c

SHA512
4a715174df45f969dc94d44377828a30b656f466d6678574df57e413bd34fa55c645e81f9c6e4d678a0ff03ed6384fecd02a54cdf3d7f5082da7921ce25489a9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe5881ed.TMP

Filesize
48B

MD5
c816fa1bb43af33f15c49be384271432

SHA1
50309938c8d714d621f276c85b10266955233ec7

SHA256
872e2d35a03b31a700fd1f0c6eaa3b5dafb6fb6ded7506053752e2462ebc083e

SHA512
3e96bc8bf91ee185757ed362476a8177cd6a3f45e7b93677b87679f105a517f3d79dd73b18f8465d6f95ecc483fe627215ccd0cabd5b38759aa9d6c7306f109d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
c71e0a4f3a957f227d8bb0a5e49b5e6d

SHA1
621452461515492bec98f71e23e3bd636a129a61

SHA256
ae572f50ad4d3f6e97d44c2860bb74e6432ed76d586adb1dcbac7905ce794edd

SHA512
0e52fa4ad9761a1129b854e3259530510ab4f3e0e4672167d0c30e7143e107de1bfd41201a41227e26fcb85ec42b6885e56b4ae4d60ec413c61d59583789be34

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSICED9.tmp

Filesize
816KB

MD5
aa88d8f40a286b6d40de0f3abc836cfa

SHA1
c24eab9e4b10b159b589f4c3b64ef3db111ea1c8

SHA256
8d633efeda1249356b11bf8f46583242356e4f903056b53bd25a99511d1790a1

SHA512
6c2f2f6a2d66015f30158962d653e381136f0f30023380a0ce95bd0944d856113fbde65db52dbb3b5de1c0e2edf2cd53184e721c64b916834be4198c61224519

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSID2F5.tmp

Filesize
877KB

MD5
6a639b68fe7f4e67b7510af13403772b

SHA1
255ba543d6fdd8f037823ff321ec00abe3575c54

SHA256
7118cd0d6956c84dc8ede10db84491d7884bfb0baa4a0ab96afc7eea47f46dd0

SHA512
43cfa4cdf669df71d7da59669ec9653c4facba4c2e6fe52deada469116b5c8b63a927a9ddc2f240ca9e1a2cc4335c12936007662bf47cd11c7e61392af219cef

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tmp1F2B.tmp

Filesize
1KB

MD5
a10f31fa140f2608ff150125f3687920

SHA1
ec411cc7005aaa8e3775cf105fcd4e1239f8ed4b

SHA256
28c871238311d40287c51dc09aee6510cac5306329981777071600b1112286c6

SHA512
cf915fb34cd5ecfbd6b25171d6e0d3d09af2597edf29f9f24fa474685d4c5ec9bc742ade9f29abac457dd645ee955b1914a635c90af77c519d2ada895e7ecf12

Download Submit
C:\Users\Admin\AppData\Roaming\BmgqLbJUHL.dll

Filesize
2.1MB

MD5
29e117e9f0ce89cb29a3b14f39a2624b

SHA1
1c1060ef434826f6785ea248b647da569e83cd6a

SHA256
3844008c0697a64633357ba8d7088ee41e36ac321969bb442b97eb31e530e4a6

SHA512
757ac09a94ac4b434daeaf19509183e778208c5b82865e877ee25027080fb367a0e6a177a2ebb0e10dff1307975efb0d45b81568866bec478beca59bd822ab45

Download Submit
C:\Users\Admin\AppData\Roaming\Cisco Systems\Cisco Anyconnect\prerequisites\Cisco Installer\AnyConnect Installer.exe

Filesize
1.0MB

MD5
5e9965bc72df9f663ca049d40b1fa3af

SHA1
3fb8de364e3e67f093c1a6c73dc0cac1fd9b2202

SHA256
ffa9df9f2ee9b98a9c9d2edf1521d2e8b952f58e1382cc1d84964d0054564091

SHA512
418abf3447f885a8fee31cf367a83264eaedfa8a90cd30684f9291d9c37c402595e5f782aa8335bc081adf8f2b18b45171a52d846b48c372a00013da64b61339

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

Filesize
24.1MB

MD5
6accafa22e036d49f9f2fcee38d2f938

SHA1
f49107ac87145635a511e9f95a82ec06bbf03ba6

SHA256
ced438d271fe414f1fd133787fdd3bfa8cd611a6b23c950c18581271143f40c8

SHA512
76f17f76a39b41a1d2a59650f001d63281c48517d2e4ec2eab3f89b195c7b08b42be04973c4d762a1d5477f4c920135624af8440db087a2b5d242810770cbf7c

Download Submit
\??\Volume{fb297ba4-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{d4d35373-5f71-466a-8c95-29febdffe6ce}_OnDiskSnapshotProp

Filesize
6KB

MD5
05f1ad25e30c8af6e51ca435348046a0

SHA1
f7d312487dc11da61068d0e6e20dcbf913468f05

SHA256
aa25ab04e39886e40f3cd06556fa547bfc49af013e9be502bfae049a50042017

SHA512
363dded64fd8b1fa3df23b063966e3c95c1a3348197ded904c139e307bbb0ce4bf52d0fce303fde60a5a794094b4f1e8db0e1fb1a17b0f3e8ba8b9a460d2fdb5

Download Submit
memory/3112-56-0x000001AD150C0000-0x000001AD150CA000-memory.dmp

Filesize
40KB

Download
memory/3112-55-0x000001AD13350000-0x000001AD13452000-memory.dmp

Filesize
1.0MB

Download
memory/3112-78-0x000001AD329E0000-0x000001AD32A06000-memory.dmp

Filesize
152KB

Download
memory/3112-77-0x000001AD32800000-0x000001AD32986000-memory.dmp

Filesize
1.5MB

Download
memory/3112-74-0x000001AD2ECC0000-0x000001AD2ECC8000-memory.dmp

Filesize
32KB

Download
memory/3112-73-0x000001AD151A0000-0x000001AD151DC000-memory.dmp

Filesize
240KB

Download
memory/3112-72-0x000001AD15140000-0x000001AD15152000-memory.dmp

Filesize
72KB

Download
memory/3112-76-0x000001AD2F550000-0x000001AD2F55E000-memory.dmp

Filesize
56KB

Download
memory/3112-57-0x000001AD2EBE0000-0x000001AD2EC9A000-memory.dmp

Filesize
744KB

Download
memory/3112-75-0x000001AD32440000-0x000001AD32478000-memory.dmp

Filesize
224KB

Download
memory/4272-407-0x000001E9CFBA0000-0x000001E9CFDBE000-memory.dmp

Filesize
2.1MB

Download
memory/4272-404-0x000001E9CFBA0000-0x000001E9CFDBE000-memory.dmp

Filesize
2.1MB

Download
memory/4272-406-0x000001E9CFBA0000-0x000001E9CFDBE000-memory.dmp

Filesize
2.1MB

Download
memory/4272-408-0x000001E9CFBA0000-0x000001E9CFDBE000-memory.dmp

Filesize
2.1MB

Download
memory/4272-405-0x000001E9CFBA0000-0x000001E9CFDBE000-memory.dmp

Filesize
2.1MB

Download