bumblebee | b8794c9251e2c6fbb96c458a5e1821ddd029335933dfbb03efa7db63673562e8

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
submitted
05-12-2024 03:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b8794c9251e2c6fbb96c458a5e1821ddd029335933dfbb03efa7db63673562e8.msi
Size

4.7MB
MD5

e63911bf851f892bab6d3933349a987e
SHA1

c3f5bd1aca61bd086f1aea3e4b86419a836888ce
SHA256

b8794c9251e2c6fbb96c458a5e1821ddd029335933dfbb03efa7db63673562e8
SHA512

f00874b37580152bbb563b29763212de0452e8117f54e4199150cb8cebf3f4d8d1c31ed28d896b7b0cbb63c17e8847019ed76b53f7c0ae07021527705e1af17c
SSDEEP

49152:37Vh102T9dhkuqES58NtvUoBV0Sccd2b5+pnQ2fP1r8+/J4OV7AEqj7D4Uv6ZCOX:37VTVkufFN0ScaruSmHR9vaXZTUa3vg

Score

10^/10

bumblebee 1 discovery loader persistence privilege_escalation

Malware Config

Extracted

Family

bumblebee

Botnet

Attributes

dga
45urhm0ldgxb.live

gx6xly9rp6vl.live

zv46ga4ntybq.live

7n1hfolmrnbl.live

vivh2xlt9i6q.live

97t3nh4kk510.live

kbkdtwucfl40.live

qk6a1ahb63uz.live

whko7loy7h5z.live

dad1zg44n0bn.live

7xwz4hw8dts9.live

ovekd5n3gklq.live

amwnef8mjo4v.live

e7ivqfhnss0x.live

rjql4nicl6bg.live

4mo318kk29i4.live

zpo18lm8vg1x.live

jc51pt290y0n.live

rg26t2dc4hf4.live

qw9a58vunuja.live

ugm94zjzl5nl.live

mckag832orba.live

pdw0v9voxlxr.live

m4tx2apfmoxo.live

n2uc737ef71m.live

hkk3112645hz.live

ugko9g5ipa4o.live

8wgq2x4dybx9.live

h81fx7sj8srr.live

a4tgoqi1cm8x.live

kse2q7uxyrwp.live

mfwnbxvt9qme.live

x99ahfftf28l.live

9n6bmko47gxe.live

6l96lk6edlyf.live

st5j8zqdrppf.live

dxjeucbj4p0j.live

bnpuxnov7lhr.live

a8bxv8lqe1m0.live

yczi2ujcyyro.live

sbeo0cztn1kh.live

o337yf9fh4bf.live

zoki7ma89z7b.live

x2r9bglz76r7.live

wi1w9yu1vush.live

mtqdvzkai700.live

r6o2sj70m85m.live

ut6qohwra5lm.live

9yi98fh7usy1.live

kkpjp9jzbzba.live

whvffwd7zphw.live

uztmazsno4y5.live

i3iubj73c21c.live

b72o02l2ilc6.live

wom4o4cutfx6.live

fek3qya20lid.live

nhkvd56j82xw.live

midyxlu6b22f.live

vp9c9rziba2a.live

rkffupb7i1gv.live

8u7r35mu2e4g.live

3c2xflq8mztc.live

wswis3sptby1.live

9rib57u1zu3c.live

sv3pldc5gkdl.live

bmdcn5celetq.live

y3mpywhmem7t.live

avwtkc23ffmw.live

nvgirtryox1z.live

3rlfa7w0bz37.live

vy9u47oyzltu.live

ysdwk0l8xass.live

tbt0aqol3sp2.live

xqqoo0a8zk0w.live

nevkq7lku38l.live

5u42wjin0vfz.live

y626kbnryktm.live

5k9b8nmc0x8r.live

i18t3jshekua.live

4hk1bcnxbse0.live

si00bu9fv5he.live

g3in90m5caz2.live

f6s4n6w41oov.live

sgl7og2qswmm.live

vrrbk7ykz8h1.live

zl7bmlfq8n9w.live

qydstwmw2imy.live

y9s73mnvurxr.live

7zggkh833im1.live

cvnsiogvl3kt.live

enf3gev34gis.live

doj6z5i9g803.live

zsm954jr5ek4.live

6z96z4mk84dc.live

e0et68offggh.live

au97foecnlrm.live

3ibjpmls5x46.live

mmmpa1byo300.live

3e60zvd64d8y.live

zt3nnzr70hn0.live
dga_seed
7834006444057268685
domain_length
12
num_dga_domains
300
port
443

rc4.plain

Signatures

BumbleBee
BumbleBee is a loader malware written in C++.
loader bumblebee
Bumblebee family
bumblebee

Blocklisted process makes network request 6 IoCs

flow	pid	Process
77	5316	MsiExec.exe
79	5316	MsiExec.exe
81	5316	MsiExec.exe
88	5316	MsiExec.exe
96	5316	MsiExec.exe
97	5316	MsiExec.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
78	api.ipify.org
79	api.ipify.org

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	AnyConnect Installer.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\MSI1EA4.tmp	msiexec.exe
File created	C:\Windows\Installer\e581b92.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI1BFF.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI1C9C.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{5B2892F8-A2A6-49F8-BA11-A5C777D0FEE1}	msiexec.exe
File opened for modification	C:\Windows\Installer\e581b92.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI1CAD.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI1D2B.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI1D99.tmp	msiexec.exe

Executes dropped EXE 1 IoCs

pid	Process
3744	AnyConnect Installer.exe

Loads dropped DLL 17 IoCs

pid	Process
1904	MsiExec.exe
1904	MsiExec.exe
1904	MsiExec.exe
1904	MsiExec.exe
1904	MsiExec.exe
1904	MsiExec.exe
1904	MsiExec.exe
1904	MsiExec.exe
1904	MsiExec.exe
1904	MsiExec.exe
1904	MsiExec.exe
996	MsiExec.exe
996	MsiExec.exe
996	MsiExec.exe
996	MsiExec.exe
996	MsiExec.exe
5316	MsiExec.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs

persistence privilege_escalation

Installer Packages

T1546.016

Msiexec

T1218.007

pid	Process
3556	msiexec.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 0000000004000000f914d34881601a250000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff000000002701010000080000f914d3480000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff000000000700010000680900f914d348000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1df914d348000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000f914d34800000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
1476	msedge.exe
1476	msedge.exe
4348	msedge.exe
4348	msedge.exe
3156	identity_helper.exe
3156	identity_helper.exe
2144	msiexec.exe
2144	msiexec.exe
5692	msedge.exe
5692	msedge.exe
5692	msedge.exe
5692	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
4348	msedge.exe
4348	msedge.exe
4348	msedge.exe
4348	msedge.exe
4348	msedge.exe
4348	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3556	msiexec.exe
Token: SeIncreaseQuotaPrivilege	3556	msiexec.exe
Token: SeSecurityPrivilege	2144	msiexec.exe
Token: SeCreateTokenPrivilege	3556	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	3556	msiexec.exe
Token: SeLockMemoryPrivilege	3556	msiexec.exe
Token: SeIncreaseQuotaPrivilege	3556	msiexec.exe
Token: SeMachineAccountPrivilege	3556	msiexec.exe
Token: SeTcbPrivilege	3556	msiexec.exe
Token: SeSecurityPrivilege	3556	msiexec.exe
Token: SeTakeOwnershipPrivilege	3556	msiexec.exe
Token: SeLoadDriverPrivilege	3556	msiexec.exe
Token: SeSystemProfilePrivilege	3556	msiexec.exe
Token: SeSystemtimePrivilege	3556	msiexec.exe
Token: SeProfSingleProcessPrivilege	3556	msiexec.exe
Token: SeIncBasePriorityPrivilege	3556	msiexec.exe
Token: SeCreatePagefilePrivilege	3556	msiexec.exe
Token: SeCreatePermanentPrivilege	3556	msiexec.exe
Token: SeBackupPrivilege	3556	msiexec.exe
Token: SeRestorePrivilege	3556	msiexec.exe
Token: SeShutdownPrivilege	3556	msiexec.exe
Token: SeDebugPrivilege	3556	msiexec.exe
Token: SeAuditPrivilege	3556	msiexec.exe
Token: SeSystemEnvironmentPrivilege	3556	msiexec.exe
Token: SeChangeNotifyPrivilege	3556	msiexec.exe
Token: SeRemoteShutdownPrivilege	3556	msiexec.exe
Token: SeUndockPrivilege	3556	msiexec.exe
Token: SeSyncAgentPrivilege	3556	msiexec.exe
Token: SeEnableDelegationPrivilege	3556	msiexec.exe
Token: SeManageVolumePrivilege	3556	msiexec.exe
Token: SeImpersonatePrivilege	3556	msiexec.exe
Token: SeCreateGlobalPrivilege	3556	msiexec.exe
Token: SeCreateTokenPrivilege	3556	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	3556	msiexec.exe
Token: SeLockMemoryPrivilege	3556	msiexec.exe
Token: SeIncreaseQuotaPrivilege	3556	msiexec.exe
Token: SeMachineAccountPrivilege	3556	msiexec.exe
Token: SeTcbPrivilege	3556	msiexec.exe
Token: SeSecurityPrivilege	3556	msiexec.exe
Token: SeTakeOwnershipPrivilege	3556	msiexec.exe
Token: SeLoadDriverPrivilege	3556	msiexec.exe
Token: SeSystemProfilePrivilege	3556	msiexec.exe
Token: SeSystemtimePrivilege	3556	msiexec.exe
Token: SeProfSingleProcessPrivilege	3556	msiexec.exe
Token: SeIncBasePriorityPrivilege	3556	msiexec.exe
Token: SeCreatePagefilePrivilege	3556	msiexec.exe
Token: SeCreatePermanentPrivilege	3556	msiexec.exe
Token: SeBackupPrivilege	3556	msiexec.exe
Token: SeRestorePrivilege	3556	msiexec.exe
Token: SeShutdownPrivilege	3556	msiexec.exe
Token: SeDebugPrivilege	3556	msiexec.exe
Token: SeAuditPrivilege	3556	msiexec.exe
Token: SeSystemEnvironmentPrivilege	3556	msiexec.exe
Token: SeChangeNotifyPrivilege	3556	msiexec.exe
Token: SeRemoteShutdownPrivilege	3556	msiexec.exe
Token: SeUndockPrivilege	3556	msiexec.exe
Token: SeSyncAgentPrivilege	3556	msiexec.exe
Token: SeEnableDelegationPrivilege	3556	msiexec.exe
Token: SeManageVolumePrivilege	3556	msiexec.exe
Token: SeImpersonatePrivilege	3556	msiexec.exe
Token: SeCreateGlobalPrivilege	3556	msiexec.exe
Token: SeCreateTokenPrivilege	3556	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	3556	msiexec.exe
Token: SeLockMemoryPrivilege	3556	msiexec.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
3556	msiexec.exe
4348	msedge.exe
4348	msedge.exe
4348	msedge.exe
4348	msedge.exe
4348	msedge.exe
4348	msedge.exe
4348	msedge.exe
4348	msedge.exe
4348	msedge.exe
4348	msedge.exe
4348	msedge.exe
4348	msedge.exe
4348	msedge.exe
4348	msedge.exe
4348	msedge.exe
4348	msedge.exe
4348	msedge.exe
4348	msedge.exe
4348	msedge.exe
4348	msedge.exe
4348	msedge.exe
4348	msedge.exe
4348	msedge.exe
4348	msedge.exe
4348	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4348	msedge.exe
4348	msedge.exe
4348	msedge.exe
4348	msedge.exe
4348	msedge.exe
4348	msedge.exe
4348	msedge.exe
4348	msedge.exe
4348	msedge.exe
4348	msedge.exe
4348	msedge.exe
4348	msedge.exe
4348	msedge.exe
4348	msedge.exe
4348	msedge.exe
4348	msedge.exe
4348	msedge.exe
4348	msedge.exe
4348	msedge.exe
4348	msedge.exe
4348	msedge.exe
4348	msedge.exe
4348	msedge.exe
4348	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2144 wrote to memory of 1904	2144	msiexec.exe	85
PID 2144 wrote to memory of 1904	2144	msiexec.exe	85
PID 2144 wrote to memory of 1904	2144	msiexec.exe	85
PID 1904 wrote to memory of 3744	1904	MsiExec.exe	99
PID 1904 wrote to memory of 3744	1904	MsiExec.exe	99
PID 3744 wrote to memory of 4348	3744	AnyConnect Installer.exe	101
PID 3744 wrote to memory of 4348	3744	AnyConnect Installer.exe	101
PID 4348 wrote to memory of 2704	4348	msedge.exe	102
PID 4348 wrote to memory of 2704	4348	msedge.exe	102
PID 4348 wrote to memory of 784	4348	msedge.exe	105
PID 4348 wrote to memory of 784	4348	msedge.exe	105
PID 4348 wrote to memory of 784	4348	msedge.exe	105
PID 4348 wrote to memory of 784	4348	msedge.exe	105
PID 4348 wrote to memory of 784	4348	msedge.exe	105
PID 4348 wrote to memory of 784	4348	msedge.exe	105
PID 4348 wrote to memory of 784	4348	msedge.exe	105
PID 4348 wrote to memory of 784	4348	msedge.exe	105
PID 4348 wrote to memory of 784	4348	msedge.exe	105
PID 4348 wrote to memory of 784	4348	msedge.exe	105
PID 4348 wrote to memory of 784	4348	msedge.exe	105
PID 4348 wrote to memory of 784	4348	msedge.exe	105
PID 4348 wrote to memory of 784	4348	msedge.exe	105
PID 4348 wrote to memory of 784	4348	msedge.exe	105
PID 4348 wrote to memory of 784	4348	msedge.exe	105
PID 4348 wrote to memory of 784	4348	msedge.exe	105
PID 4348 wrote to memory of 784	4348	msedge.exe	105
PID 4348 wrote to memory of 784	4348	msedge.exe	105
PID 4348 wrote to memory of 784	4348	msedge.exe	105
PID 4348 wrote to memory of 784	4348	msedge.exe	105
PID 4348 wrote to memory of 784	4348	msedge.exe	105
PID 4348 wrote to memory of 784	4348	msedge.exe	105
PID 4348 wrote to memory of 784	4348	msedge.exe	105
PID 4348 wrote to memory of 784	4348	msedge.exe	105
PID 4348 wrote to memory of 784	4348	msedge.exe	105
PID 4348 wrote to memory of 784	4348	msedge.exe	105
PID 4348 wrote to memory of 784	4348	msedge.exe	105
PID 4348 wrote to memory of 784	4348	msedge.exe	105
PID 4348 wrote to memory of 784	4348	msedge.exe	105
PID 4348 wrote to memory of 784	4348	msedge.exe	105
PID 4348 wrote to memory of 784	4348	msedge.exe	105
PID 4348 wrote to memory of 784	4348	msedge.exe	105
PID 4348 wrote to memory of 784	4348	msedge.exe	105
PID 4348 wrote to memory of 784	4348	msedge.exe	105
PID 4348 wrote to memory of 784	4348	msedge.exe	105
PID 4348 wrote to memory of 784	4348	msedge.exe	105
PID 4348 wrote to memory of 784	4348	msedge.exe	105
PID 4348 wrote to memory of 784	4348	msedge.exe	105
PID 4348 wrote to memory of 784	4348	msedge.exe	105
PID 4348 wrote to memory of 784	4348	msedge.exe	105
PID 4348 wrote to memory of 1476	4348	msedge.exe	106
PID 4348 wrote to memory of 1476	4348	msedge.exe	106
PID 4348 wrote to memory of 4592	4348	msedge.exe	107
PID 4348 wrote to memory of 4592	4348	msedge.exe	107
PID 4348 wrote to memory of 4592	4348	msedge.exe	107
PID 4348 wrote to memory of 4592	4348	msedge.exe	107
PID 4348 wrote to memory of 4592	4348	msedge.exe	107
PID 4348 wrote to memory of 4592	4348	msedge.exe	107
PID 4348 wrote to memory of 4592	4348	msedge.exe	107
PID 4348 wrote to memory of 4592	4348	msedge.exe	107
PID 4348 wrote to memory of 4592	4348	msedge.exe	107
PID 4348 wrote to memory of 4592	4348	msedge.exe	107
PID 4348 wrote to memory of 4592	4348	msedge.exe	107
PID 4348 wrote to memory of 4592	4348	msedge.exe	107
PID 4348 wrote to memory of 4592	4348	msedge.exe	107

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\b8794c9251e2c6fbb96c458a5e1821ddd029335933dfbb03efa7db63673562e8.msi
1⤵
- Enumerates connected drives
- Event Triggered Execution: Installer Packages
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3556

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2144
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 9FD120F893FE918F49A605BC2062BFF2 C
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1904
- - C:\Users\Admin\AppData\Roaming\Cisco Systems\Cisco Anyconnect\prerequisites\Cisco Installer\AnyConnect Installer.exe
    "C:\Users\Admin\AppData\Roaming\Cisco Systems\Cisco Anyconnect\prerequisites\Cisco Installer\AnyConnect Installer.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:3744
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://apps.microsoft.com/store/detail/9WZDNCRDJ8LH?ocid=&referrer=psi
      4⤵
      Enumerates system info in registry
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of WriteProcessMemory
      PID:4348
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffccec246f8,0x7ffccec24708,0x7ffccec24718
        5⤵
        
        PID:2704
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2008,894819749139751453,9419126197874251247,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2040 /prefetch:2
        5⤵
        
        PID:784
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2008,894819749139751453,9419126197874251247,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2396 /prefetch:3
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1476
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2008,894819749139751453,9419126197874251247,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2784 /prefetch:8
        5⤵
        
        PID:4592
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2008,894819749139751453,9419126197874251247,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3232 /prefetch:1
        5⤵
        
        PID:5100
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2008,894819749139751453,9419126197874251247,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3340 /prefetch:1
        5⤵
        
        PID:1444
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2008,894819749139751453,9419126197874251247,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5268 /prefetch:1
        5⤵
        
        PID:996
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2008,894819749139751453,9419126197874251247,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5284 /prefetch:1
        5⤵
        
        PID:3432
    - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2008,894819749139751453,9419126197874251247,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3384 /prefetch:8
        5⤵
        
        PID:3484
    - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2008,894819749139751453,9419126197874251247,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3384 /prefetch:8
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3156
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2008,894819749139751453,9419126197874251247,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3392 /prefetch:1
        5⤵
        
        PID:4376
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2008,894819749139751453,9419126197874251247,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5660 /prefetch:1
        5⤵
        
        PID:5076
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2008,894819749139751453,9419126197874251247,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1968 /prefetch:2
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:5692
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  PID:3648
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 6F9F37C8113DDEEA2C5C1D2E570835DD
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:996
- C:\Windows\System32\MsiExec.exe
  "C:\Windows\System32\MsiExec.exe" /Y "C:\Users\Admin\AppData\Roaming\BmgqLbJUHL.dll"
  2⤵
  - Blocklisted process makes network request
  - Loads dropped DLL
  PID:5316

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
PID:3628

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4144

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4580

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Installer Packages

T1546.016

Privilege Escalation

Event Triggered Execution

T1546

Installer Packages

T1546.016

Defense Evasion

System Binary Proxy Execution

T1218

Msiexec

T1218.007

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
d22073dea53e79d9b824f27ac5e9813e

SHA1
6d8a7281241248431a1571e6ddc55798b01fa961

SHA256
86713962c3bb287964678b148ee08ea83fb83483dff8be91c8a6085ca560b2a6

SHA512
97152091ee24b6e713b8ec8123cb62511f8a7e8a6c6c3f2f6727d0a60497be28814613b476009b853575d4931e5df950e28a41afbf6707cb672206f1219c4413

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
bffcefacce25cd03f3d5c9446ddb903d

SHA1
8923f84aa86db316d2f5c122fe3874bbe26f3bab

SHA256
23e7cbbf64c81122c3cb30a0933c10a320e254447771737a326ce37a0694d405

SHA512
761dae5315b35ec0b2fe68019881397f5d2eadba3963aba79a89f8953a0cd705012d7faf3a204a5f36008926b9f614980e333351596b06ce7058d744345ce2e7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\08bf12d5-15c9-4c91-a7b1-85f4992a48c5.tmp

Filesize
5KB

MD5
6e1d7512cce1d85dc0206ba95441b3d2

SHA1
77277af5790fafba02234519eaafa6d07ce146f0

SHA256
cfaf88c732645cda83ea270674458702c7565460b99c9b82c5603684d575fa0e

SHA512
e5df02ef2078eae40d37dcde95d71b2ecbfb1e3defacd7747cabf1b93c15fe21cb3ccf87878a0f8310926040e07a330dbc280781d44ba8e58c5779578df955fe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
96B

MD5
d3885836c8f8a0cd14a91cf008181eb7

SHA1
b860bad28f7a836b0d8df263f9aa0a1964660922

SHA256
0dc3ee5a920b43ae5bf9436f6c1a9561f8d5d7dd405c6f5c96d0434d355325d5

SHA512
9446d7cffb113031235d64e852358c7baa9c86549f5e58f380403f9ff88fea44f7109501f581e9dd42528b88f21968003afec24a4e1d8e75cc34a7a49d45f767

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
258B

MD5
2c611a5e0570b35e3a86dbfb8a943254

SHA1
831b31fcc2ede459f33bffe011b16da64b593355

SHA256
ff8900bdf7180809bc7a96e48d2b2144cebc5b7a07bf28fba808d5f14a40d993

SHA512
cf36a01f8959acb6a74db5510717c12c9b17f67620a261590164c0e7b59e1dfc0602d05de4e80cd1a543829b7e01e863c54eec6a7f49acab7a707c085848254b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
8d7cbf689f4adac2318ce5a241b43dc9

SHA1
3ebba08e21b9e218d9dfd5128ad4ef3db30e9304

SHA256
60c656585d9ad7dd4af5ee0a988b0bf1ce42174caa22d6639aa476feca8038bd

SHA512
38e97c91e215ff817c36b8bfd10adcfb6fef02efe117c674bdc1f517644ced2004155879bb99abe724a86808ca0789d2698cf2169a81cc523bef65e044cd1dc3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\a0a74304db73132d4bc12ef9404aa74f9fdeda56\4b8210c9-014b-4a16-898b-d561cb959b76\index-dir\the-real-index

Filesize
72B

MD5
50b084742ca84c377de8176dc99925ea

SHA1
a080b6ed4dddfc2a3e443869fb23f6cd88ac19af

SHA256
5ffcd340818517c4e72c0cd9827f030f6fd1a2d2f4929096d5804735f986cb44

SHA512
db4bacbec0c6592bcfa3864b3386d526b88f9b40fd1d73bacd53883408acf89f396c79687ca79d86f28230ee59e40e4bf0b3861a580e02ea7aab245e10ac4087

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\a0a74304db73132d4bc12ef9404aa74f9fdeda56\4b8210c9-014b-4a16-898b-d561cb959b76\index-dir\the-real-index~RFe583841.TMP

Filesize
48B

MD5
0f52df35fae88f52290bc3185f6d627b

SHA1
daa2c83cc5ca2a1f3a23d2ea3119960ac7ff683d

SHA256
6ccfd275d58847d2b78a99ede9a523a386e74375e9922359741e3c197d62ba5c

SHA512
36fdcbff9471e8d6dbc82a1b427c0696ba381ad1e25fee3e0fcbd9c5bd60f8d8a41df41a64e6e7da93f6e6445417930085db01dbf8102119712e607ecdcf6a4b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\a0a74304db73132d4bc12ef9404aa74f9fdeda56\908bccfe-db4d-48bb-aa8f-c7f3c030c173\index-dir\the-real-index

Filesize
1KB

MD5
a7d59150d4bd9e35005b0d13d3f473e3

SHA1
450c799d25c47ec734efbb3a067c60b7009cbf73

SHA256
ef64af4ae8da28547274347442b53467ccd310275d43ba78fa7b4b42a30d190a

SHA512
15c0fef4bede837fe3a28c5493d94604b5663180125487ae86768f8954b5029665f9a8c40ef4e69f819ff9d71a5836dce29ed3e6f2e3bb9b9f9979e0448caf94

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\a0a74304db73132d4bc12ef9404aa74f9fdeda56\908bccfe-db4d-48bb-aa8f-c7f3c030c173\index-dir\the-real-index~RFe584c66.TMP

Filesize
48B

MD5
82ab3e092acde11f6bc169bc821d87e2

SHA1
9c7ecdfba471d185f812db2ce112fa2341900a2f

SHA256
cc2d2ce5c3c2526b55f75f21c5177e81f6e7c80314c074d459402eeac027c6bf

SHA512
ef8ae2d1ba422ebe63d2982258592eb9957e20b25ae29049bccd2af4ac1b63b00ce0ecf2a6afc259aa689a12adbde6707a3af04de48940cb157b1fe467628440

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\a0a74304db73132d4bc12ef9404aa74f9fdeda56\index.txt

Filesize
109B

MD5
f98cdd63ad8526458cae9594356f0403

SHA1
b0e5fb0eb9df1dbd3da30c9408aba12cbee70bfa

SHA256
d96ad15d3625aa3e748addab99db0eeed4847ac6ce0ba424eb003e93b1890eb3

SHA512
9769803f95c4c37d7cf0666af195cba489be55e248ddeafb7244e6be3fbcd4193969becc9a614f334296330f372e3ebba87ffc98619909952dd33e4ec851603b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\a0a74304db73132d4bc12ef9404aa74f9fdeda56\index.txt

Filesize
201B

MD5
ac8838235ce8151376e1f05e71f2209e

SHA1
5b9b2af93490336412d6a6391ed853595570426a

SHA256
c128f9c6dc156a17f7b4e90682cd96be8faebfefba734c9e62d248e466610518

SHA512
e52538b501468f91b39ab836f7e3e17142e5665d57491117e3f72571d7ff87da40acac15e182855cc23135ab15939b75197fc3e4e2fec5d585c98699baa19061

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\a0a74304db73132d4bc12ef9404aa74f9fdeda56\index.txt.tmp

Filesize
204B

MD5
adc520dbfb7cce011f07fdc87adc7dc0

SHA1
f08ad0c3226879e98c47ea4dbd81e7df34ef471d

SHA256
aab0c2a38212f089c7267622f78de4154d9193c10f672ab3e87376695e300c0c

SHA512
7e21a99b42eed57857873b2e56a779464cacb0a5b66a98ccd0c7046e891ba205996acb2644da8452735597484dfd2728d4ac1d817f3115643482150605ff5934

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
13158b7d47374a2740887bdf4e15f975

SHA1
2dba7e6e521c246b293da321729073211d6379ea

SHA256
c96053b390f66fcc4a721b635f827a9514b43fb92f43f42f894e05befd4be04a

SHA512
b9e99ec58d20d76642401d939c828f6b5031e35827ed130e8228cc78ab265d00e3c755fb3abde30b398bf0bad424f693585bd2277c4f6b4125f8ea3889051a3d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe5837e4.TMP

Filesize
48B

MD5
d0a7608c9183f79fcf7035d0bc18484f

SHA1
3ed1d423cc050e2ae287122fcaf2334c2af8eff8

SHA256
60ae2024d26fe41ff4052e9ab35bf79cea9562d409d8e855044049aafd75f58d

SHA512
1be6926a05a3809c98c61a06fddd42d5147e5ef7bfd840d884beabcbfa6ebbbd1481d04c5e3c74cbbfc8d7757c4f1b70b1931263fd95efba9ac1c9bf9940463a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
fd94418761f1af61941828baefda8e8e

SHA1
28632f630c399df87e86b634b6a5e5a42db05da7

SHA256
1a14d50e464467ff78dee1302cc4b7f4db15ff5236bbf25caa5e7771b90d9c67

SHA512
cf3b086fd968a972010a89aded41ba4cc01614a25025adcc5928c55082dd08d51e741aabc79d26db74642e11bf4400fc0d77deda6049df900131b92043d028fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI8482.tmp

Filesize
816KB

MD5
aa88d8f40a286b6d40de0f3abc836cfa

SHA1
c24eab9e4b10b159b589f4c3b64ef3db111ea1c8

SHA256
8d633efeda1249356b11bf8f46583242356e4f903056b53bd25a99511d1790a1

SHA512
6c2f2f6a2d66015f30158962d653e381136f0f30023380a0ce95bd0944d856113fbde65db52dbb3b5de1c0e2edf2cd53184e721c64b916834be4198c61224519

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI87E2.tmp

Filesize
877KB

MD5
6a639b68fe7f4e67b7510af13403772b

SHA1
255ba543d6fdd8f037823ff321ec00abe3575c54

SHA256
7118cd0d6956c84dc8ede10db84491d7884bfb0baa4a0ab96afc7eea47f46dd0

SHA512
43cfa4cdf669df71d7da59669ec9653c4facba4c2e6fe52deada469116b5c8b63a927a9ddc2f240ca9e1a2cc4335c12936007662bf47cd11c7e61392af219cef

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpD428.tmp

Filesize
1KB

MD5
a10f31fa140f2608ff150125f3687920

SHA1
ec411cc7005aaa8e3775cf105fcd4e1239f8ed4b

SHA256
28c871238311d40287c51dc09aee6510cac5306329981777071600b1112286c6

SHA512
cf915fb34cd5ecfbd6b25171d6e0d3d09af2597edf29f9f24fa474685d4c5ec9bc742ade9f29abac457dd645ee955b1914a635c90af77c519d2ada895e7ecf12

Download Submit
C:\Users\Admin\AppData\Roaming\BmgqLbJUHL.dll

Filesize
2.1MB

MD5
29e117e9f0ce89cb29a3b14f39a2624b

SHA1
1c1060ef434826f6785ea248b647da569e83cd6a

SHA256
3844008c0697a64633357ba8d7088ee41e36ac321969bb442b97eb31e530e4a6

SHA512
757ac09a94ac4b434daeaf19509183e778208c5b82865e877ee25027080fb367a0e6a177a2ebb0e10dff1307975efb0d45b81568866bec478beca59bd822ab45

Download Submit
C:\Users\Admin\AppData\Roaming\Cisco Systems\Cisco Anyconnect\prerequisites\Cisco Installer\AnyConnect Installer.exe

Filesize
1.0MB

MD5
5e9965bc72df9f663ca049d40b1fa3af

SHA1
3fb8de364e3e67f093c1a6c73dc0cac1fd9b2202

SHA256
ffa9df9f2ee9b98a9c9d2edf1521d2e8b952f58e1382cc1d84964d0054564091

SHA512
418abf3447f885a8fee31cf367a83264eaedfa8a90cd30684f9291d9c37c402595e5f782aa8335bc081adf8f2b18b45171a52d846b48c372a00013da64b61339

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

Filesize
24.1MB

MD5
b8ab61597653f47bba1812be2f2f7f9b

SHA1
1ea220cc11e2253d599ea309543ada98ef466120

SHA256
9eaae9591b795ca8330ffcb5b1f2ef9ecc701bec7c48bafb341f4360e20c3a23

SHA512
553e2116733f301831be439aafd3c3dbfe968f6c63a5cf833908a3855979e516bc50db73b882cbbe43e0965d9c0142d4ea64f849dd0246c7ff66366c7e5eb9e7

Download Submit
\??\Volume{48d314f9-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{35ce84ec-5ab6-4cf7-849a-1be41c7affea}_OnDiskSnapshotProp

Filesize
6KB

MD5
ceb0caf14ad7b6188a5f287f81dd8ca0

SHA1
0d462d8828c84fad6469a60cfb57c8259a9ec02a

SHA256
b2663ec67509460ed670735e485653c987dd225f0521ce90769bd70af7a2f121

SHA512
47f60911324c7e50f5be422002db84f743af9669649da5a63a135c0e1f6058a5061c216db5be9293443d3c45f5f1d5ce1907614b73000eb1dd4c8d52e759ded3

Download Submit
memory/3744-76-0x00000212DAE40000-0x00000212DAE4E000-memory.dmp

Filesize
56KB

Download
memory/3744-75-0x00000212DB290000-0x00000212DB2C8000-memory.dmp

Filesize
224KB

Download
memory/3744-78-0x00000212DC100000-0x00000212DC126000-memory.dmp

Filesize
152KB

Download
memory/3744-77-0x00000212DBF20000-0x00000212DC0A6000-memory.dmp

Filesize
1.5MB

Download
memory/3744-74-0x00000212D8C40000-0x00000212D8C48000-memory.dmp

Filesize
32KB

Download
memory/3744-73-0x00000212D8260000-0x00000212D829C000-memory.dmp

Filesize
240KB

Download
memory/3744-72-0x00000212D7030000-0x00000212D7042000-memory.dmp

Filesize
72KB

Download
memory/3744-55-0x00000212BCA70000-0x00000212BCB72000-memory.dmp

Filesize
1.0MB

Download
memory/3744-57-0x00000212D8960000-0x00000212D8A1A000-memory.dmp

Filesize
744KB

Download
memory/3744-56-0x00000212D6FD0000-0x00000212D6FDA000-memory.dmp

Filesize
40KB

Download
memory/5316-407-0x0000021857180000-0x000002185739E000-memory.dmp

Filesize
2.1MB

Download
memory/5316-404-0x0000021857180000-0x000002185739E000-memory.dmp

Filesize
2.1MB

Download
memory/5316-406-0x0000021857180000-0x000002185739E000-memory.dmp

Filesize
2.1MB

Download
memory/5316-408-0x0000021857180000-0x000002185739E000-memory.dmp

Filesize
2.1MB

Download
memory/5316-405-0x0000021857180000-0x000002185739E000-memory.dmp

Filesize
2.1MB

Download