Resubmissions
09-05-2023 19:22 | 230509-x3fn4adg58 | 10
09-05-2023 19:14 | 230509-xxsrgaff7x | 10
09-05-2023 19:14 | 230509-xxr5yadg42 | 7
09-05-2023 19:14 | 230509-xxrt6sff7w | 8
09-05-2023 19:14 | 230509-xxrjeaff7v | 8
09-05-2023 19:14 | 230509-xxqxwadg39 | 7
09-05-2023 19:14 | 230509-xxql4sff7t | 10
09-05-2023 19:14 | 230509-xxqbcadg38 | 7
09-05-2023 19:10 | 230509-xvl6xadf64 | 10
Analysis
- max time kernel: 178s
- max time network: 35s
- platform: windows7_x64
- resource: win7-20230220-en
- resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
- submitted: 09-05-2023 19:10
Behavioral task | Sample | Resource
behavioral1 | trojan-leaks-main/Halloware (BerkayV).exe | win7-20230220-en
behavioral2 | trojan-leaks-main/Halloware (BerkayV).exe | win10v2004-20230220-en
behavioral3 | trojan-leaks-main/HorrorTrojan123.exe | win7-20230220-en
behavioral4 | trojan-leaks-main/HorrorTrojan123.exe | win10v2004-20230220-en
behavioral5 | trojan-leaks-main/InfiniteBlue.exe | win7-20230220-en
behavioral6 | trojan-leaks-main/InfiniteBlue.exe | win10v2004-20230220-en
behavioral7 | trojan-leaks-main/Kirurg v2.exe | win7-20230220-en
behavioral8 | trojan-leaks-main/Kirurg v2.exe | win10v2004-20230220-en
behavioral9 | trojan-leaks-main/Kirurg.exe | win7-20230220-en
behavioral10 | trojan-leaks-main/Kirurg.exe | win10v2004-20230220-en
behavioral11 | trojan-leaks-main/Kirurg_remsaterd.exe | win7-20230220-en
behavioral12 | trojan-leaks-main/Kirurg_remsaterd.exe | win10v2004-20230220-en
behavioral13 | trojan-leaks-main/LogonFuck.exe | win7-20230220-en
behavioral14 | trojan-leaks-main/LogonFuck.exe | win10v2004-20230220-en
behavioral15 | trojan-leaks-main/Mythlas.exe | win7-20230220-en
behavioral16 | trojan-leaks-main/Mythlas.exe | win10v2004-20230220-en
behavioral17 | trojan-leaks-main/Phsyletric.exe | win7-20230220-en
behavioral18 | trojan-leaks-main/Phsyletric.exe | win10v2004-20230220-en
behavioral19 | trojan-leaks-main/Potassium.exe | win7-20230220-en
behavioral20 | trojan-leaks-main/Potassium.exe | win10v2004-20230220-en
behavioral21 | trojan-leaks-main/Protactinium.exe | win7-20230220-en
behavioral22 | trojan-leaks-main/Protactinium.exe | win10v2004-20230220-en
behavioral23 | trojan-leaks-main/QSO J1228+3128.bat | win7-20230220-en
behavioral24 | trojan-leaks-main/QSO J1228+3128.bat | win10v2004-20230221-en
behavioral25 | trojan-leaks-main/QSO J1228+3128.exe | win7-20230220-en
behavioral26 | trojan-leaks-main/QSO J1228+3128.exe | win10v2004-20230220-en
behavioral27 | trojan-leaks-main/Rebcoana.exe | win7-20230220-en
behavioral28 | trojan-leaks-main/Rebcoana.exe | win10v2004-20230220-en
behavioral29 | trojan-leaks-main/Ruthenium/Ruthenium.exe | win7-20230220-en
behavioral30 | trojan-leaks-main/Ruthenium/Ruthenium.exe | win10v2004-20230221-en
behavioral31 | trojan-leaks-main/Suffocate-safety.exe | win7-20230220-en
behavioral32 | trojan-leaks-main/Suffocate-safety.exe | win10v2004-20230220-en
General
- Target: trojan-leaks-main/Halloware (BerkayV).exe
- Size: 23.1MB
- MD5: 2701cf0c52d8d8d961f21f9952af15e7
- SHA1: d8b9de327f95ba090e5606862003419388fc3dc7
- SHA256: 616830e93c33240ff157b4eeeab1d1a3e9891d6410139afdbd4d01f075da0933
- SHA512: b4798cd526b116e943f3cba6f58175185898e374efd4ab7afe012495858c7997fb1fba1dac284ae4aa484dfc5f70b6240ad1281d90c9a3642e49edd95ab39110
- SSDEEP: 196608:puv1iLrYSZWLN0dLeGyI8bMU+Ns3tlHO8:UdiHZZWLN1cu3tlHF
Malware Config
Signatures
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
Processes: wscript.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, wscript.exe \"C:\\Program Files\\Halloware\\permaban.vbs\"" | wscript.exe
-
Processes: wscript.exe, wscript.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | wscript.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | wscript.exe
-
Disables RegEdit via registry modification 1 IoCs
Processes: wscript.exe
description | ioc | process
Set value (int) | \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\disableregistrytools = "1" | wscript.exe
-
Disables Task Manager via registry modification
-
Possible privilege escalation attempt 20 IoCs
Processes: icacls.exe, takeown.exe, icacls.exe, icacls.exe, icacls.exe, takeown.exe, icacls.exe, takeown.exe, takeown.exe, icacls.exe, icacls.exe, icacls.exe, takeown.exe, takeown.exe, icacls.exe, icacls.exe, takeown.exe, takeown.exe, takeown.exe, takeown.exe
pid | process
364 | icacls.exe
692 | takeown.exe
1616 | icacls.exe
1608 | icacls.exe
2012 | icacls.exe
1968 | takeown.exe
1072 | icacls.exe
1980 | takeown.exe
1436 | takeown.exe
384 | icacls.exe
1008 | icacls.exe
844 | icacls.exe
588 | takeown.exe
1524 | takeown.exe
1144 | icacls.exe
1060 | icacls.exe
1220 | takeown.exe
556 | takeown.exe
1416 | takeown.exe
820 | takeown.exe
-
Executes dropped EXE 10 IoCs
Processes: LogonUI.exe, kosuyorum.exe, Hware.exe, LogonUI.exe, kosuyorum.exe, Hware.exe, LogonUI.exe, kosuyorum.exe, Hware.exe, LogonUI.exe
pid | process
432 | LogonUI.exe
1924 | kosuyorum.exe
1976 | Hware.exe
1248 | LogonUI.exe
1760 | kosuyorum.exe
1176 | Hware.exe
1784 | LogonUI.exe
864 | kosuyorum.exe
1608 | Hware.exe
1176 | LogonUI.exe
-
Modifies file permissions 1 TTPs 20 IoCs
Processes: takeown.exe, icacls.exe, takeown.exe, icacls.exe, takeown.exe, takeown.exe, icacls.exe, icacls.exe, takeown.exe, takeown.exe, icacls.exe, icacls.exe, takeown.exe, takeown.exe, takeown.exe, takeown.exe, icacls.exe, icacls.exe, icacls.exe, icacls.exe
pid | process
556 | takeown.exe
1072 | icacls.exe
1436 | takeown.exe
844 | icacls.exe
1524 | takeown.exe
1968 | takeown.exe
2012 | icacls.exe
1008 | icacls.exe
1416 | takeown.exe
1220 | takeown.exe
364 | icacls.exe
1616 | icacls.exe
820 | takeown.exe
588 | takeown.exe
1980 | takeown.exe
692 | takeown.exe
1608 | icacls.exe
1060 | icacls.exe
1144 | icacls.exe
384 | icacls.exe
-
Modifies system executable filetype association 2 TTPs 2 IoCs
Processes: wscript.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\DefaultIcon | wscript.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\DefaultIcon\ = "C:\\Program Files\\Halloware\\bin\\pump.ico" | wscript.exe
-
Drops file in System32 directory 6 IoCs
Processes: Hware.exe, Hware.exe, cmd.exe, Hware.exe
description | ioc | process
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\GDIPFONTCACHEV1.DAT | Hware.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\GDIPFONTCACHEV1.DAT | Hware.exe
File opened for modification | C:\Windows\System32\logonUI.exe | cmd.exe
File opened for modification | C:\Windows\System32\taskmgr.exe | cmd.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\GDIPFONTCACHEV1.DAT | Hware.exe
File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\GDIPFONTCACHEV1.DAT | Hware.exe
-
Drops file in Program Files directory 38 IoCs
Processes: wscript.exe, cmd.exe
description | ioc | process
File created | C:\Program Files\Halloware\data\fakelogon.exe | wscript.exe
File created | C:\Program Files\Halloware\delc.bat | wscript.exe
File created | C:\Program Files\Halloware\template.vbs | wscript.exe
File created | C:\Program Files\Halloware\bin\pumpcur.cur | wscript.exe
File created | C:\Program Files\Halloware\permaban.vbs | wscript.exe
File opened for modification | C:\Program Files\Halloware\backup\sethc.bak | cmd.exe
File created | C:\Program Files\Halloware\backup\csrss.bak | cmd.exe
File opened for modification | C:\Program Files\Halloware\backup\notepad.bak | cmd.exe
File created | C:\Program Files\Halloware\inyer.wav | wscript.exe
File opened for modification | C:\Program Files\Halloware\backup\winload.bak | cmd.exe
File opened for modification | C:\Program Files\Halloware\backup\logonUI.bak | cmd.exe
File opened for modification | C:\Program Files\Halloware\backup\taskmgr.bak | cmd.exe
File created | C:\Program Files\Halloware\takeact.vbs | wscript.exe
File created | C:\Program Files\Halloware\findit.bat | wscript.exe
File created | C:\Program Files\Halloware\backup\sethc.bak | cmd.exe
File created | C:\Program Files\Halloware\backup\explorer.bak | cmd.exe
File opened for modification | C:\Program Files\Halloware\backup\explorer.bak | cmd.exe
File opened for modification | C:\Program Files\Halloware\backup\regedit.bak | cmd.exe
File opened for modification | C:\Program Files\Halloware\backup\rundll32.bak | cmd.exe
File created | C:\Program Files\Halloware\bin\pump.ico | wscript.exe
File created | C:\Program Files\Halloware\backup\winload.bak | cmd.exe
File created | C:\Program Files\Halloware\backup\bcdedit.bak | cmd.exe
File opened for modification | C:\Program Files\Halloware\backup\bcdedit.bak | cmd.exe
File created | C:\Program Files\Halloware\backup\regedit.bak | cmd.exe
File opened for modification | C:\Program Files\Halloware\backup\csrss.bak | cmd.exe
File created | C:\Program Files\Halloware\iQShell.vbs | wscript.exe
File created | C:\Program Files\Halloware\takeown.bat | wscript.exe
File created | C:\Program Files\Halloware\backup\notepad.bak | cmd.exe
File opened for modification | C:\Program Files\Halloware\bin\@tile@@.jpg | wscript.exe
File created | C:\Program Files\Halloware\Hware.exe | wscript.exe
File created | C:\Program Files\Halloware\intf.wav | wscript.exe
File created | C:\Program Files\Halloware\kosuyorum.exe | wscript.exe
File created | C:\Program Files\Halloware\fakelogon.vbs | wscript.exe
File created | C:\Program Files\Halloware\screwup.vbs | wscript.exe
File created | C:\Program Files\Halloware\backup\logonUI.bak | cmd.exe
File created | C:\Program Files\Halloware\backup\taskmgr.bak | cmd.exe
File created | C:\Program Files\Halloware\backup\rundll32.bak | cmd.exe
File created | C:\Program Files\Halloware\bin\@tile@@.jpg | wscript.exe
-
Drops file in Windows directory 2 IoCs
Processes: cmd.exe
description | ioc | process
File created | C:\Windows\explorer.exe | cmd.exe
File created | C:\Windows\notepad.exe | cmd.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Enumerates processes with tasklist 1 TTPs 5 IoCs
Processes: tasklist.exe, tasklist.exe, tasklist.exe, tasklist.exe, tasklist.exe
pid | process
1552 | tasklist.exe
1188 | tasklist.exe
2016 | tasklist.exe
1920 | tasklist.exe
2024 | tasklist.exe
-
Modifies Control Panel 4 IoCs
Processes: wscript.exe
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Control Panel\Cursors\AppStarting = "C:\\Program Files\\Halloware\\bin\\pumpcur.cur" | wscript.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Control Panel\Cursors\Hand = "C:\\Program Files\\Halloware\\bin\\pumpcur.cur" | wscript.exe
Key created | \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Control Panel\Cursors | wscript.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Control Panel\Cursors\Arrow = "C:\\Program Files\\Halloware\\bin\\pumpcur.cur" | wscript.exe
-
Modifies data under HKEY_USERS 64 IoCs
-
Modifies registry class 11 IoCs
Processes: wscript.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\DefaultIcon\ = "C:\\Program Files\\Halloware\\bin\\pump.ico" | wscript.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\mp3file\DefaultIcon | wscript.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\mp3file\DefaultIcon\ = "C:\\Program Files\\Halloware\\bin\\pump.ico" | wscript.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\mp4file\DefaultIcon | wscript.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\mp4file | wscript.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\inifile\DefaultIcon\ = "C:\\Program Files\\Halloware\\bin\\pump.ico" | wscript.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\DefaultIcon | wscript.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\DefaultIcon\ = "C:\\Program Files\\Halloware\\bin\\pump.ico" | wscript.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\mp4file\DefaultIcon\ = "C:\\Program Files\\Halloware\\bin\\pump.ico" | wscript.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\inifile\DefaultIcon | wscript.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\DefaultIcon | wscript.exe
-
Suspicious behavior: CmdExeWriteProcessMemorySpam 3 IoCs
Processes: kosuyorum.exe, kosuyorum.exe, kosuyorum.exe
pid | process
1924 | kosuyorum.exe
1760 | kosuyorum.exe
864 | kosuyorum.exe
-
Suspicious use of AdjustPrivilegeToken 21 IoCs
Processes: takeown.exe, tasklist.exe, takeown.exe, takeown.exe, takeown.exe, takeown.exe, takeown.exe, takeown.exe, takeown.exe, takeown.exe, takeown.exe, shutdown.exe, tasklist.exe, AUDIODG.EXE, tasklist.exe, tasklist.exe, tasklist.exe
description | pid | process
Token: SeTakeOwnershipPrivilege | 1220 | takeown.exe
Token: SeDebugPrivilege | 2016 | tasklist.exe
Token: SeTakeOwnershipPrivilege | 1968 | takeown.exe
Token: SeTakeOwnershipPrivilege | 556 | takeown.exe
Token: SeTakeOwnershipPrivilege | 588 | takeown.exe
Token: SeTakeOwnershipPrivilege | 1980 | takeown.exe
Token: SeTakeOwnershipPrivilege | 692 | takeown.exe
Token: SeTakeOwnershipPrivilege | 1416 | takeown.exe
Token: SeTakeOwnershipPrivilege | 1436 | takeown.exe
Token: SeTakeOwnershipPrivilege | 820 | takeown.exe
Token: SeTakeOwnershipPrivilege | 1524 | takeown.exe
Token: SeShutdownPrivilege | 1224 | shutdown.exe
Token: SeRemoteShutdownPrivilege | 1224 | shutdown.exe
Token: SeDebugPrivilege | 1920 | tasklist.exe
Token: 33 | 1348 | AUDIODG.EXE
Token: SeIncBasePriorityPrivilege | 1348 | AUDIODG.EXE
Token: 33 | 1348 | AUDIODG.EXE
Token: SeIncBasePriorityPrivilege | 1348 | AUDIODG.EXE
Token: SeDebugPrivilege | 2024 | tasklist.exe
Token: SeDebugPrivilege | 1552 | tasklist.exe
Token: SeDebugPrivilege | 1188 | tasklist.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
-
System policy modification 1 TTPs 4 IoCs
Processes: wscript.exe, wscript.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System | wscript.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | wscript.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system | wscript.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | wscript.exe
Processes
C:\Users\Admin\AppData\Local\Temp\trojan-leaks-main\Halloware (BerkayV).exe
"C:\Users\Admin\AppData\Local\Temp\trojan-leaks-main\Halloware (BerkayV).exe" 1⤵
  - Suspicious use of WriteProcessMemory
  PID:916
  C:\Windows\system32\wscript.exe
  "C:\Windows\sysnative\wscript.exe" C:\Users\Admin\AppData\Local\Temp\FA28.tmp\FA29.vbs 2⤵
    - UAC bypass
    - Drops file in Program Files directory
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID:280
    C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c echo msgbox"Please wait while halloware infecting your computer",1+48,"Alert" > "C:\Users\Admin\AppData\Local\Temp\waitdude.vbs" & wscript.exe "C:\Users\Admin\AppData\Local\Temp\waitdude.vbs" 3⤵
      - Suspicious use of WriteProcessMemory
      PID:1568
      C:\Windows\system32\wscript.exe
      wscript.exe "C:\Users\Admin\AppData\Local\Temp\waitdude.vbs" 4⤵
        PID:1092
    C:\Windows\System32\wscript.exe
    "C:\Windows\System32\wscript.exe" "C:\Program files\halloware\takeact.vbs" RunAsAdministrator 3⤵
      - Modifies WinLogon for persistence
      - UAC bypass
      - Disables RegEdit via registry modification
      - Modifies system executable filetype association
      - Modifies Control Panel
      - Modifies registry class
      - Suspicious use of WriteProcessMemory
      - System policy modification
      PID:1404
      C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Program Files\Halloware\takeown.bat" 4⤵
        - Drops file in System32 directory
        - Drops file in Program Files directory
        - Drops file in Windows directory
        - Suspicious use of WriteProcessMemory
        PID:824
        C:\Windows\System32\takeown.exe
        takeown /f sethc.exe 5⤵
          - Possible privilege escalation attempt
          - Modifies file permissions
          - Suspicious use of AdjustPrivilegeToken
          PID:1220
        C:\Windows\System32\icacls.exe
        icacls sethc.exe /granted "Admin":F /q 5⤵
          - Possible privilege escalation attempt
          - Modifies file permissions
          PID:2012
        C:\Windows\System32\takeown.exe
        takeown /f csrss.exe 5⤵
          - Possible privilege escalation attempt
          - Modifies file permissions
          - Suspicious use of AdjustPrivilegeToken
          PID:1968
        C:\Windows\System32\icacls.exe
        icacls csrss.exe /granted "Admin":F /q 5⤵
          - Possible privilege escalation attempt
          - Modifies file permissions
          PID:384
        C:\Windows\System32\takeown.exe
        takeown /f winload.exe 5⤵
          - Possible privilege escalation attempt
          - Modifies file permissions
          - Suspicious use of AdjustPrivilegeToken
          PID:556
        C:\Windows\System32\icacls.exe
        icacls winload.exe /granted "Admin":F /q 5⤵
          - Possible privilege escalation attempt
          - Modifies file permissions
          PID:1008
        C:\Windows\System32\takeown.exe
        takeown /f logonUI.exe 5⤵
          - Possible privilege escalation attempt
          - Modifies file permissions
          - Suspicious use of AdjustPrivilegeToken
          PID:588
        C:\Windows\System32\icacls.exe
        icacls logonUI.exe /granted "Admin":F /q 5⤵
          - Possible privilege escalation attempt
          - Modifies file permissions
          PID:1072
        C:\Windows\System32\takeown.exe
        takeown /f bcdedit.exe 5⤵
          - Possible privilege escalation attempt
          - Modifies file permissions
          - Suspicious use of AdjustPrivilegeToken
          PID:1980
        C:\Windows\System32\icacls.exe
        icacls bcdedit.exe /granted "Admin":F /q 5⤵
          - Possible privilege escalation attempt
          - Modifies file permissions
          PID:364
        C:\Windows\system32\takeown.exe
        takeown /f explorer.exe 5⤵
          - Possible privilege escalation attempt
          - Modifies file permissions
          - Suspicious use of AdjustPrivilegeToken
          PID:692
        C:\Windows\system32\icacls.exe
        icacls explorer.exe /granted "Admin":F /q 5⤵
          - Possible privilege escalation attempt
          - Modifies file permissions
          PID:1616
        C:\Windows\system32\takeown.exe
        takeown /f notepad.exe 5⤵
          - Possible privilege escalation attempt
          - Modifies file permissions
          - Suspicious use of AdjustPrivilegeToken
          PID:1416
        C:\Windows\system32\icacls.exe
        icacls sethc.exe /granted "Admin":F /q 5⤵
          - Possible privilege escalation attempt
          - Modifies file permissions
          PID:1608
        C:\Windows\system32\takeown.exe
        takeown /f regedit.exe 5⤵
          - Possible privilege escalation attempt
          - Modifies file permissions
          - Suspicious use of AdjustPrivilegeToken
          PID:1436
        C:\Windows\system32\icacls.exe
        icacls regedit.exe /granted "Admin":F /q 5⤵
          - Possible privilege escalation attempt
          - Modifies file permissions
          PID:844
        C:\Windows\System32\takeown.exe
        takeown /f taskmgr.exe 5⤵
          - Possible privilege escalation attempt
          - Modifies file permissions
          - Suspicious use of AdjustPrivilegeToken
          PID:820
        C:\Windows\System32\icacls.exe
        icacls taskmgr.exe /granted "Admin":F /q 5⤵
          - Possible privilege escalation attempt
          - Modifies file permissions
          PID:1060
        C:\Windows\System32\takeown.exe
        takeown /f rundll32.exe 5⤵
          - Possible privilege escalation attempt
          - Modifies file permissions
          - Suspicious use of AdjustPrivilegeToken
          PID:1524
        C:\Windows\System32\icacls.exe
        icacls rundll32.exe /granted "Admin":F /q 5⤵
          - Possible privilege escalation attempt
          - Modifies file permissions
          PID:1144
      C:\Windows\System32\cmd.exe
      cmd /c ""C:\Program Files\halloware\findit.bat" " 4⤵
        - Suspicious use of WriteProcessMemory
        PID:1888
        C:\Windows\system32\tasklist.exe
        tasklist /FI "IMAGENAME eq kosuyorum.exe" 5⤵
          - Enumerates processes with tasklist
          - Suspicious use of AdjustPrivilegeToken
          PID:2016
      C:\Windows\System32\shutdown.exe
      "C:\Windows\System32\shutdown.exe" -r -t 00 4⤵
        - Suspicious use of AdjustPrivilegeToken
        PID:1224
C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 1⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  PID:432
  C:\Windows\system32\wscript.exe
  "C:\Windows\sysnative\wscript.exe" C:\Windows\Temp\3B4D.tmp\3B5D.vbs /flags:0x0 2⤵
    - Modifies data under HKEY_USERS
    PID:1208
    C:\Windows\system32\cmd.exe
    cmd /c ""C:\Program Files\halloware\findit.bat" " 3⤵
      PID:1168
      C:\Windows\system32\tasklist.exe
      tasklist /FI "IMAGENAME eq kosuyorum.exe" 4⤵
        - Enumerates processes with tasklist
        - Suspicious use of AdjustPrivilegeToken
        PID:1920
    C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c cd\ & cd "Program Files"& cd Halloware & Kosuyorum.exe 3⤵
      PID:1096
      C:\Program Files\Halloware\kosuyorum.exe
      Kosuyorum.exe 4⤵
        - Executes dropped EXE
        - Modifies data under HKEY_USERS
        - Suspicious behavior: CmdExeWriteProcessMemorySpam
        PID:1924
        C:\Windows\system32\wscript.exe
        "C:\Windows\sysnative\wscript.exe" C:\Windows\Temp\475D.tmp\475E.vbs 5⤵
- Modifies data under HKEY_USERS
PID:1328 -
C:\Program Files\halloware\Hware.exe"C:\Program Files\halloware\Hware.exe"6⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:1976
-
-
-
-
-
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x1e81⤵
- Suspicious use of AdjustPrivilegeToken
PID:1348
-
C:\Windows\system32\LogonUI.exe"LogonUI.exe" /flags:0x01⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:1248 -
C:\Windows\system32\wscript.exe"C:\Windows\sysnative\wscript.exe" C:\Windows\Temp\BA99.tmp\BA9A.vbs /flags:0x02⤵
- Modifies data under HKEY_USERS
PID:1908 -
C:\Windows\system32\cmd.execmd /c ""C:\Program Files\halloware\findit.bat" "3⤵PID:1404
-
C:\Windows\system32\tasklist.exetasklist /FI "IMAGENAME eq kosuyorum.exe"4⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:2024
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c cd\ & cd "Program Files"& cd Halloware & Kosuyorum.exe3⤵PID:904
-
C:\Program Files\Halloware\kosuyorum.exeKosuyorum.exe4⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:1760 -
C:\Windows\system32\wscript.exe"C:\Windows\sysnative\wscript.exe" C:\Windows\Temp\C820.tmp\C831.vbs5⤵
- Modifies data under HKEY_USERS
PID:632 -
C:\Program Files\halloware\Hware.exe"C:\Program Files\halloware\Hware.exe"6⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:1176
-
-
-
-
-
-
C:\Windows\system32\LogonUI.exe"LogonUI.exe" /flags:0x01⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:1784 -
C:\Windows\system32\wscript.exe"C:\Windows\sysnative\wscript.exe" C:\Windows\Temp\3969.tmp\396A.vbs /flags:0x02⤵
- Modifies data under HKEY_USERS
PID:1340 -
C:\Windows\system32\cmd.execmd /c ""C:\Program Files\halloware\findit.bat" "3⤵PID:1916
-
C:\Windows\system32\tasklist.exetasklist /FI "IMAGENAME eq kosuyorum.exe"4⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:1552
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c cd\ & cd "Program Files"& cd Halloware & Kosuyorum.exe3⤵PID:1224
-
C:\Program Files\Halloware\kosuyorum.exeKosuyorum.exe4⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:864 -
C:\Windows\system32\wscript.exe"C:\Windows\sysnative\wscript.exe" C:\Windows\Temp\4606.tmp\4607.vbs5⤵
- Modifies data under HKEY_USERS
PID:1976 -
C:\Program Files\halloware\Hware.exe"C:\Program Files\halloware\Hware.exe"6⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:1608
-
-
-
-
-
-
C:\Windows\system32\LogonUI.exe"LogonUI.exe" /flags:0x11⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:1176 -
C:\Windows\system32\wscript.exe"C:\Windows\sysnative\wscript.exe" C:\Windows\Temp\B0F8.tmp\B0F9.vbs /flags:0x12⤵
- Modifies data under HKEY_USERS
PID:1104 -
C:\Windows\system32\cmd.execmd /c ""C:\Program Files\halloware\findit.bat" "3⤵PID:1760
-
C:\Windows\system32\tasklist.exetasklist /FI "IMAGENAME eq kosuyorum.exe"4⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:1188
-
-
-
Network
MITRE ATT&CK Enterprise v6
Downloads