Analysis
- max time kernel: 148s
- max time network: 177s
- platform: windows10-2004_x64
- resource: win10v2004-20230220-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 09-05-2023 19:10
Behavioral tasks (task, sample, resource):
- behavioral1, trojan-leaks-main/Halloware (BerkayV).exe, win7-20230220-en
- behavioral2, trojan-leaks-main/Halloware (BerkayV).exe, win10v2004-20230220-en
- behavioral3, trojan-leaks-main/HorrorTrojan123.exe, win7-20230220-en
- behavioral4, trojan-leaks-main/HorrorTrojan123.exe, win10v2004-20230220-en
- behavioral5, trojan-leaks-main/InfiniteBlue.exe, win7-20230220-en
- behavioral6, trojan-leaks-main/InfiniteBlue.exe, win10v2004-20230220-en
- behavioral7, trojan-leaks-main/Kirurg v2.exe, win7-20230220-en
- behavioral8, trojan-leaks-main/Kirurg v2.exe, win10v2004-20230220-en
- behavioral9, trojan-leaks-main/Kirurg.exe, win7-20230220-en
- behavioral10, trojan-leaks-main/Kirurg.exe, win10v2004-20230220-en
- behavioral11, trojan-leaks-main/Kirurg_remsaterd.exe, win7-20230220-en
- behavioral12, trojan-leaks-main/Kirurg_remsaterd.exe, win10v2004-20230220-en
- behavioral13, trojan-leaks-main/LogonFuck.exe, win7-20230220-en
- behavioral14, trojan-leaks-main/LogonFuck.exe, win10v2004-20230220-en
- behavioral15, trojan-leaks-main/Mythlas.exe, win7-20230220-en
- behavioral16, trojan-leaks-main/Mythlas.exe, win10v2004-20230220-en
- behavioral17, trojan-leaks-main/Phsyletric.exe, win7-20230220-en
- behavioral18, trojan-leaks-main/Phsyletric.exe, win10v2004-20230220-en
- behavioral19, trojan-leaks-main/Potassium.exe, win7-20230220-en
- behavioral20, trojan-leaks-main/Potassium.exe, win10v2004-20230220-en
- behavioral21, trojan-leaks-main/Protactinium.exe, win7-20230220-en
- behavioral22, trojan-leaks-main/Protactinium.exe, win10v2004-20230220-en
- behavioral23, trojan-leaks-main/QSO J1228+3128.bat, win7-20230220-en
- behavioral24, trojan-leaks-main/QSO J1228+3128.bat, win10v2004-20230221-en
- behavioral25, trojan-leaks-main/QSO J1228+3128.exe, win7-20230220-en
- behavioral26, trojan-leaks-main/QSO J1228+3128.exe, win10v2004-20230220-en
- behavioral27, trojan-leaks-main/Rebcoana.exe, win7-20230220-en
- behavioral28, trojan-leaks-main/Rebcoana.exe, win10v2004-20230220-en
- behavioral29, trojan-leaks-main/Ruthenium/Ruthenium.exe, win7-20230220-en
- behavioral30, trojan-leaks-main/Ruthenium/Ruthenium.exe, win10v2004-20230221-en
- behavioral31, trojan-leaks-main/Suffocate-safety.exe, win7-20230220-en
- behavioral32, trojan-leaks-main/Suffocate-safety.exe, win10v2004-20230220-en
General
- Target: trojan-leaks-main/Halloware (BerkayV).exe
- Size: 23.1MB
- MD5: 2701cf0c52d8d8d961f21f9952af15e7
- SHA1: d8b9de327f95ba090e5606862003419388fc3dc7
- SHA256: 616830e93c33240ff157b4eeeab1d1a3e9891d6410139afdbd4d01f075da0933
- SHA512: b4798cd526b116e943f3cba6f58175185898e374efd4ab7afe012495858c7997fb1fba1dac284ae4aa484dfc5f70b6240ad1281d90c9a3642e49edd95ab39110
- SSDEEP: 196608:puv1iLrYSZWLN0dLeGyI8bMU+Ns3tlHO8:UdiHZZWLN1cu3tlHF
Malware Config
Signatures
Modifies WinLogon for persistence 2 TTPs 1 IoCs
Processes: wscript.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, wscript.exe \"C:\\Program Files\\Halloware\\permaban.vbs\"" (wscript.exe)

UAC bypass
Processes: wscript.exe, wscript.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" (wscript.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" (wscript.exe)

Disables RegEdit via registry modification 1 IoCs
Processes: wscript.exe
- Set value (int) \REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\disableregistrytools = "1" (wscript.exe)

Disables Task Manager via registry modification

Possible privilege escalation attempt 20 IoCs
Processes (pid process): 4872 takeown.exe; 4488 icacls.exe; 1344 icacls.exe; 1920 takeown.exe; 2816 icacls.exe; 3332 icacls.exe; 264 icacls.exe; 4756 takeown.exe; 3972 takeown.exe; 3856 icacls.exe; 3940 takeown.exe; 2964 icacls.exe; 4584 takeown.exe; 4412 takeown.exe; 2116 takeown.exe; 4524 takeown.exe; 1864 icacls.exe; 1620 takeown.exe; 1768 icacls.exe; 4052 icacls.exe

Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
Processes: Halloware (BerkayV).exe, wscript.exe, wscript.exe
- Key value queried \REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Control Panel\International\Geo\Nation (Halloware (BerkayV).exe)
- Key value queried \REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Control Panel\International\Geo\Nation (wscript.exe)
- Key value queried \REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Control Panel\International\Geo\Nation (wscript.exe)

Executes dropped EXE 5 IoCs
Processes (pid process): 4836 LogonUI.exe; 4628 kosuyorum.exe; 3372 Hware.exe; 948 LogonUI.exe; 3364 LogonUI.exe

Modifies file permissions 1 TTPs 20 IoCs
Processes (pid process): 264 icacls.exe; 3856 icacls.exe; 4488 icacls.exe; 1620 takeown.exe; 2116 takeown.exe; 1920 takeown.exe; 2816 icacls.exe; 1344 icacls.exe; 1864 icacls.exe; 4584 takeown.exe; 4756 takeown.exe; 4052 icacls.exe; 4872 takeown.exe; 3940 takeown.exe; 2964 icacls.exe; 3332 icacls.exe; 3972 takeown.exe; 1768 icacls.exe; 4412 takeown.exe; 4524 takeown.exe

Modifies system executable filetype association 2 TTPs 2 IoCs
Processes: wscript.exe
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\DefaultIcon (wscript.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\DefaultIcon\ = "C:\\Program Files\\Halloware\\bin\\pump.ico" (wscript.exe)

Drops file in System32 directory 2 IoCs
Processes: cmd.exe
- File opened for modification C:\Windows\System32\logonUI.exe (cmd.exe)
- File opened for modification C:\Windows\System32\taskmgr.exe (cmd.exe)

Drops file in Program Files directory 38 IoCs
Processes: wscript.exe, cmd.exe
- File created C:\Program Files\Halloware\permaban.vbs (wscript.exe)
- File opened for modification C:\Program Files\Halloware\backup\sethc.bak (cmd.exe)
- File created C:\Program Files\Halloware\backup\logonUI.bak (cmd.exe)
- File created C:\Program Files\Halloware\backup\explorer.bak (cmd.exe)
- File opened for modification C:\Program Files\Halloware\backup\explorer.bak (cmd.exe)
- File created C:\Program Files\Halloware\backup\rundll32.bak (cmd.exe)
- File created C:\Program Files\Halloware\bin\pump.ico (wscript.exe)
- File created C:\Program Files\Halloware\takeown.bat (wscript.exe)
- File created C:\Program Files\Halloware\backup\bcdedit.bak (cmd.exe)
- File opened for modification C:\Program Files\Halloware\backup\notepad.bak (cmd.exe)
- File created C:\Program Files\Halloware\intf.wav (wscript.exe)
- File created C:\Program Files\Halloware\Hware.exe (wscript.exe)
- File created C:\Program Files\Halloware\backup\regedit.bak (cmd.exe)
- File created C:\Program Files\Halloware\data\fakelogon.exe (wscript.exe)
- File created C:\Program Files\Halloware\fakelogon.vbs (wscript.exe)
- File created C:\Program Files\Halloware\backup\notepad.bak (cmd.exe)
- File opened for modification C:\Program Files\Halloware\backup\regedit.bak (cmd.exe)
- File opened for modification C:\Program Files\Halloware\bin\@tile@@.jpg (wscript.exe)
- File created C:\Program Files\Halloware\findit.bat (wscript.exe)
- File created C:\Program Files\Halloware\inyer.wav (wscript.exe)
- File created C:\Program Files\Halloware\takeact.vbs (wscript.exe)
- File opened for modification C:\Program Files\Halloware\backup\rundll32.bak (cmd.exe)
- File created C:\Program Files\Halloware\bin\@tile@@.jpg (wscript.exe)
- File created C:\Program Files\Halloware\kosuyorum.exe (wscript.exe)
- File opened for modification C:\Program Files\Halloware\backup\csrss.bak (cmd.exe)
- File opened for modification C:\Program Files\Halloware\backup\logonUI.bak (cmd.exe)
- File created C:\Program Files\Halloware\delc.bat (wscript.exe)
- File created C:\Program Files\Halloware\screwup.vbs (wscript.exe)
- File created C:\Program Files\Halloware\backup\sethc.bak (cmd.exe)
- File created C:\Program Files\Halloware\backup\csrss.bak (cmd.exe)
- File opened for modification C:\Program Files\Halloware\backup\taskmgr.bak (cmd.exe)
- File created C:\Program Files\Halloware\iQShell.vbs (wscript.exe)
- File created C:\Program Files\Halloware\template.vbs (wscript.exe)
- File created C:\Program Files\Halloware\backup\winload.bak (cmd.exe)
- File opened for modification C:\Program Files\Halloware\backup\winload.bak (cmd.exe)
- File opened for modification C:\Program Files\Halloware\backup\bcdedit.bak (cmd.exe)
- File created C:\Program Files\Halloware\backup\taskmgr.bak (cmd.exe)
- File created C:\Program Files\Halloware\bin\pumpcur.cur (wscript.exe)

Drops file in Windows directory 2 IoCs
Processes: cmd.exe
- File created C:\Windows\explorer.exe (cmd.exe)
- File created C:\Windows\notepad.exe (cmd.exe)

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

Enumerates processes with tasklist 1 TTPs 4 IoCs
Processes (pid process): 3340 tasklist.exe; 924 tasklist.exe; 3940 tasklist.exe; 464 tasklist.exe

Modifies Control Panel 4 IoCs
Processes: wscript.exe
- Key created \REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Control Panel\Cursors (wscript.exe)
- Set value (str) \REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Control Panel\Cursors\Arrow = "C:\\Program Files\\Halloware\\bin\\pumpcur.cur" (wscript.exe)
- Set value (str) \REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Control Panel\Cursors\AppStarting = "C:\\Program Files\\Halloware\\bin\\pumpcur.cur" (wscript.exe)
- Set value (str) \REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Control Panel\Cursors\Hand = "C:\\Program Files\\Halloware\\bin\\pumpcur.cur" (wscript.exe)

Modifies data under HKEY_USERS 51 IoCs

Modifies registry class 12 IoCs
Processes: wscript.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\DefaultIcon\ = "C:\\Program Files\\Halloware\\bin\\pump.ico" (wscript.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\DefaultIcon (wscript.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mp3file\DefaultIcon (wscript.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mp3file\DefaultIcon\ = "C:\\Program Files\\Halloware\\bin\\pump.ico" (wscript.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mp4file (wscript.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mp4file\DefaultIcon\ = "C:\\Program Files\\Halloware\\bin\\pump.ico" (wscript.exe)
- Key created \REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\Local Settings (wscript.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\DefaultIcon (wscript.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inifile\DefaultIcon (wscript.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inifile\DefaultIcon\ = "C:\\Program Files\\Halloware\\bin\\pump.ico" (wscript.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\DefaultIcon\ = "C:\\Program Files\\Halloware\\bin\\pump.ico" (wscript.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mp4file\DefaultIcon (wscript.exe)

Suspicious use of AdjustPrivilegeToken 18 IoCs
Processes (description, pid, process):
- Token: SeTakeOwnershipPrivilege, 4584, takeown.exe
- Token: SeDebugPrivilege, 3340, tasklist.exe
- Token: SeTakeOwnershipPrivilege, 4756, takeown.exe
- Token: SeTakeOwnershipPrivilege, 3972, takeown.exe
- Token: SeTakeOwnershipPrivilege, 4412, takeown.exe
- Token: SeTakeOwnershipPrivilege, 4872, takeown.exe
- Token: SeTakeOwnershipPrivilege, 3940, takeown.exe
- Token: SeTakeOwnershipPrivilege, 2116, takeown.exe
- Token: SeTakeOwnershipPrivilege, 1920, takeown.exe
- Token: SeTakeOwnershipPrivilege, 4524, takeown.exe
- Token: SeTakeOwnershipPrivilege, 1620, takeown.exe
- Token: SeShutdownPrivilege, 3436, shutdown.exe
- Token: SeRemoteShutdownPrivilege, 3436, shutdown.exe
- Token: SeDebugPrivilege, 924, tasklist.exe
- Token: 33, 1080, AUDIODG.EXE
- Token: SeIncBasePriorityPrivilege, 1080, AUDIODG.EXE
- Token: SeDebugPrivilege, 3940, tasklist.exe
- Token: SeDebugPrivilege, 464, tasklist.exe

Suspicious use of WriteProcessMemory 64 IoCs

System policy modification 1 TTPs 4 IoCs
Processes: wscript.exe, wscript.exe
- Key created \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System (wscript.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" (wscript.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system (wscript.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" (wscript.exe)

Processes
- PID 3744: C:\Users\Admin\AppData\Local\Temp\trojan-leaks-main\Halloware (BerkayV).exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\trojan-leaks-main\Halloware (BerkayV).exe"
  Signatures: Checks computer location settings; Suspicious use of WriteProcessMemory
  - PID 4984: C:\Windows\system32\wscript.exe
    Command line: "C:\Windows\sysnative\wscript.exe" C:\Users\Admin\AppData\Local\Temp\EBAD.tmp\EBAE.vbs
    Signatures: UAC bypass; Checks computer location settings; Drops file in Program Files directory; Suspicious use of WriteProcessMemory; System policy modification
    - PID 960: C:\Windows\System32\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c echo msgbox"Please wait while halloware infecting your computer",1+48,"Alert" > "C:\Users\Admin\AppData\Local\Temp\waitdude.vbs" & wscript.exe "C:\Users\Admin\AppData\Local\Temp\waitdude.vbs"
      Signatures: Suspicious use of WriteProcessMemory
      - PID 4108: C:\Windows\system32\wscript.exe
        Command line: wscript.exe "C:\Users\Admin\AppData\Local\Temp\waitdude.vbs"
    - PID 1668: C:\Windows\System32\wscript.exe
      Command line: "C:\Windows\System32\wscript.exe" "C:\Program files\halloware\takeact.vbs" RunAsAdministrator
      Signatures: Modifies WinLogon for persistence; UAC bypass; Disables RegEdit via registry modification; Checks computer location settings; Modifies system executable filetype association; Modifies Control Panel; Modifies registry class; Suspicious use of WriteProcessMemory; System policy modification
      - PID 2244: C:\Windows\System32\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe" /C "C:\Program Files\Halloware\takeown.bat"
        Signatures: Drops file in System32 directory; Drops file in Program Files directory; Drops file in Windows directory; Suspicious use of WriteProcessMemory
        - PID 4584: C:\Windows\System32\takeown.exe
          Command line: takeown /f sethc.exe
          Signatures: Possible privilege escalation attempt; Modifies file permissions; Suspicious use of AdjustPrivilegeToken
        - PID 3332: C:\Windows\System32\icacls.exe
          Command line: icacls sethc.exe /granted "Admin":F /q
          Signatures: Possible privilege escalation attempt; Modifies file permissions
        - PID 4756: C:\Windows\System32\takeown.exe
          Command line: takeown /f csrss.exe
          Signatures: Possible privilege escalation attempt; Modifies file permissions; Suspicious use of AdjustPrivilegeToken
        - PID 264: C:\Windows\System32\icacls.exe
          Command line: icacls csrss.exe /granted "Admin":F /q
          Signatures: Possible privilege escalation attempt; Modifies file permissions
        - PID 3972: C:\Windows\System32\takeown.exe
          Command line: takeown /f winload.exe
          Signatures: Possible privilege escalation attempt; Modifies file permissions; Suspicious use of AdjustPrivilegeToken
        - PID 1768: C:\Windows\System32\icacls.exe
          Command line: icacls winload.exe /granted "Admin":F /q
          Signatures: Possible privilege escalation attempt; Modifies file permissions
        - PID 4412: C:\Windows\System32\takeown.exe
          Command line: takeown /f logonUI.exe
          Signatures: Possible privilege escalation attempt; Modifies file permissions; Suspicious use of AdjustPrivilegeToken
        - PID 4052: C:\Windows\System32\icacls.exe
          Command line: icacls logonUI.exe /granted "Admin":F /q
          Signatures: Possible privilege escalation attempt; Modifies file permissions
        - PID 4872: C:\Windows\System32\takeown.exe
          Command line: takeown /f bcdedit.exe
          Signatures: Possible privilege escalation attempt; Modifies file permissions; Suspicious use of AdjustPrivilegeToken
        - PID 3856: C:\Windows\System32\icacls.exe
          Command line: icacls bcdedit.exe /granted "Admin":F /q
          Signatures: Possible privilege escalation attempt; Modifies file permissions
        - PID 3940: C:\Windows\system32\takeown.exe
          Command line: takeown /f explorer.exe
          Signatures: Possible privilege escalation attempt; Modifies file permissions; Suspicious use of AdjustPrivilegeToken
        - PID 4488: C:\Windows\system32\icacls.exe
          Command line: icacls explorer.exe /granted "Admin":F /q
          Signatures: Possible privilege escalation attempt; Modifies file permissions
        - PID 2116: C:\Windows\system32\takeown.exe
          Command line: takeown /f notepad.exe
          Signatures: Possible privilege escalation attempt; Modifies file permissions; Suspicious use of AdjustPrivilegeToken
        - PID 1344: C:\Windows\system32\icacls.exe
          Command line: icacls sethc.exe /granted "Admin":F /q
          Signatures: Possible privilege escalation attempt; Modifies file permissions
        - PID 1920: C:\Windows\system32\takeown.exe
          Command line: takeown /f regedit.exe
          Signatures: Possible privilege escalation attempt; Modifies file permissions; Suspicious use of AdjustPrivilegeToken
        - PID 2816: C:\Windows\system32\icacls.exe
          Command line: icacls regedit.exe /granted "Admin":F /q
          Signatures: Possible privilege escalation attempt; Modifies file permissions
        - PID 4524: C:\Windows\System32\takeown.exe
          Command line: takeown /f taskmgr.exe
          Signatures: Possible privilege escalation attempt; Modifies file permissions; Suspicious use of AdjustPrivilegeToken
        - PID 1864: C:\Windows\System32\icacls.exe
          Command line: icacls taskmgr.exe /granted "Admin":F /q
          Signatures: Possible privilege escalation attempt; Modifies file permissions
        - PID 1620: C:\Windows\System32\takeown.exe
          Command line: takeown /f rundll32.exe
          Signatures: Possible privilege escalation attempt; Modifies file permissions; Suspicious use of AdjustPrivilegeToken
        - PID 2964: C:\Windows\System32\icacls.exe
          Command line: icacls rundll32.exe /granted "Admin":F /q
          Signatures: Possible privilege escalation attempt; Modifies file permissions
      - PID 2056: C:\Windows\system32\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /c ""C:\Program Files\halloware\findit.bat" "
        Signatures: Suspicious use of WriteProcessMemory
        - PID 3340: C:\Windows\system32\tasklist.exe
          Command line: tasklist /FI "IMAGENAME eq kosuyorum.exe"
          Signatures: Enumerates processes with tasklist; Suspicious use of AdjustPrivilegeToken
      - PID 3436: C:\Windows\System32\shutdown.exe
        Command line: "C:\Windows\System32\shutdown.exe" -r -t 00
        Signatures: Suspicious use of AdjustPrivilegeToken
- PID 4836: C:\Windows\system32\LogonUI.exe
  Command line: "LogonUI.exe" /flags:0x4 /state0:0xa3981055 /state1:0x41c64e6d
  Signatures: Executes dropped EXE; Modifies data under HKEY_USERS; Suspicious use of WriteProcessMemory
  - PID 2080: C:\Windows\system32\wscript.exe
    Command line: "C:\Windows\sysnative\wscript.exe" C:\Windows\Temp\2F6C.tmp\2F6D.vbs /flags:0x4 /state0:0xa3981055 /state1:0x41c64e6d
    Signatures: Modifies data under HKEY_USERS; Suspicious use of WriteProcessMemory
    - PID 1888: C:\Windows\system32\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c ""C:\Program Files\halloware\findit.bat" "
      Signatures: Suspicious use of WriteProcessMemory
      - PID 924: C:\Windows\system32\tasklist.exe
        Command line: tasklist /FI "IMAGENAME eq kosuyorum.exe"
        Signatures: Enumerates processes with tasklist; Suspicious use of AdjustPrivilegeToken
    - PID 1724: C:\Windows\System32\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c cd\ & cd "Program Files"& cd Halloware & Kosuyorum.exe
      - PID 4628: C:\Program Files\Halloware\kosuyorum.exe
        Command line: Kosuyorum.exe
        Signatures: Executes dropped EXE; Modifies data under HKEY_USERS
        - PID 1104: C:\Windows\system32\wscript.exe
          Command line: "C:\Windows\sysnative\wscript.exe" C:\Windows\Temp\3A2A.tmp\3A2B.vbs
          Signatures: Modifies data under HKEY_USERS
          - PID 3372: C:\Program Files\halloware\Hware.exe
            Command line: "C:\Program Files\halloware\Hware.exe"
            Signatures: Executes dropped EXE
- PID 1080: C:\Windows\system32\AUDIODG.EXE
  Command line: C:\Windows\system32\AUDIODG.EXE 0x4ec 0x4e8
  Signatures: Suspicious use of AdjustPrivilegeToken
- PID 948: C:\Windows\system32\LogonUI.exe
  Command line: "LogonUI.exe" /flags:0x0 /state0:0xa39a9055 /state1:0x41c64e6d
  Signatures: Executes dropped EXE; Modifies data under HKEY_USERS
  - PID 3824: C:\Windows\system32\wscript.exe
    Command line: "C:\Windows\sysnative\wscript.exe" C:\Windows\Temp\1930.tmp\1931.vbs /flags:0x0 /state0:0xa39a9055 /state1:0x41c64e6d
    Signatures: Modifies data under HKEY_USERS
    - PID 4760: C:\Windows\system32\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c ""C:\Program Files\halloware\findit.bat" "
      - PID 3940: C:\Windows\system32\tasklist.exe
        Command line: tasklist /FI "IMAGENAME eq kosuyorum.exe"
        Signatures: Enumerates processes with tasklist; Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\LogonUI.exe
  Command line: "LogonUI.exe" /flags:0x0 /state0:0xa394a055 /state1:0x41c64e6d
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:3364 -
C:\Windows\system32\wscript.exe"C:\Windows\sysnative\wscript.exe" C:\Windows\Temp\381.tmp\382.vbs /flags:0x0 /state0:0xa394a055 /state1:0x41c64e6d2⤵
- Modifies data under HKEY_USERS
PID:4668 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Program Files\halloware\findit.bat" "3⤵PID:3392
-
C:\Windows\system32\tasklist.exetasklist /FI "IMAGENAME eq kosuyorum.exe"4⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:464
-
-
-
Network
MITRE ATT&CK Enterprise v6
Downloads