Analysis
max time kernel: 149s
max time network: 182s
platform: windows10-1703_x64
resource: win10-20230220-en
resource tags: arch:x64, arch:x86, image:win10-20230220-en, locale:en-us, os:windows10-1703-x64, system
submitted: 09-05-2023 19:14
Behavioral tasks
task | sample | resource
behavioral1 | trojan-leaks-main/Benzene_x64.exe | win10-20230220-en
behavioral2 | trojan-leaks-main/Benzene_x64.exe | win7-20230220-en
behavioral3 | trojan-leaks-main/Benzene_x64.exe | win10v2004-20230220-en
behavioral4 | trojan-leaks-main/CoViper.exe | win10-20230220-en
behavioral5 | trojan-leaks-main/CoViper.exe | win7-20230220-en
behavioral6 | trojan-leaks-main/CoViper.exe | win10v2004-20230220-en
behavioral7 | trojan-leaks-main/Cs_Hacks_Free_no_hacks.exe | win10-20230220-en
behavioral8 | trojan-leaks-main/Cs_Hacks_Free_no_hacks.exe | win7-20230220-en
behavioral9 | trojan-leaks-main/Cs_Hacks_Free_no_hacks.exe | win10v2004-20230220-en
behavioral10 | trojan-leaks-main/Glodrix.exe | win10-20230220-en
behavioral11 | trojan-leaks-main/Glodrix.exe | win7-20230220-en
behavioral12 | trojan-leaks-main/Glodrix.exe | win10v2004-20230220-en
behavioral13 | trojan-leaks-main/Halloware #READ ME#.txt | win10-20230220-en
behavioral14 | trojan-leaks-main/Halloware #READ ME#.txt | win7-20230220-en
behavioral15 | trojan-leaks-main/Halloware #READ ME#.txt | win10v2004-20230220-en
behavioral16 | trojan-leaks-main/Halloware (BerkayV).exe | win10-20230220-en
behavioral17 | trojan-leaks-main/Halloware (BerkayV).exe | win7-20230220-en
behavioral18 | trojan-leaks-main/Halloware (BerkayV).exe | win10v2004-20230221-en
behavioral19 | trojan-leaks-main/Holzer.zip | win10-20230220-en
behavioral20 | trojan-leaks-main/Holzer.zip | win7-20230220-en
behavioral21 | trojan-leaks-main/Holzer.zip | win10v2004-20230220-en
behavioral22 | trojan-leaks-main/HorrorTrojan Special Edition.zip | win10-20230220-en
behavioral23 | trojan-leaks-main/HorrorTrojan Special Edition.zip | win7-20230220-en
behavioral24 | trojan-leaks-main/HorrorTrojan Special Edition.zip | win10v2004-20230220-en
behavioral25 | trojan-leaks-main/HorrorTrojan123.exe | win10-20230220-en
behavioral26 | trojan-leaks-main/HorrorTrojan123.exe | win7-20230220-en
behavioral27 | trojan-leaks-main/HorrorTrojan123.exe | win10v2004-20230220-en
behavioral28 | trojan-leaks-main/HorrorTrojan4.zip | win10-20230220-en
behavioral29 | trojan-leaks-main/HorrorTrojan4.zip | win7-20230220-en
behavioral30 | trojan-leaks-main/HorrorTrojan4.zip | win10v2004-20230220-en
General
Target: trojan-leaks-main/Halloware (BerkayV).exe
Size: 23.1MB
MD5: 2701cf0c52d8d8d961f21f9952af15e7
SHA1: d8b9de327f95ba090e5606862003419388fc3dc7
SHA256: 616830e93c33240ff157b4eeeab1d1a3e9891d6410139afdbd4d01f075da0933
SHA512: b4798cd526b116e943f3cba6f58175185898e374efd4ab7afe012495858c7997fb1fba1dac284ae4aa484dfc5f70b6240ad1281d90c9a3642e49edd95ab39110
SSDEEP: 196608:puv1iLrYSZWLN0dLeGyI8bMU+Ns3tlHO8:UdiHZZWLN1cu3tlHF
Malware Config
Signatures
Modifies WinLogon for persistence 2 TTPs 1 IoCs
Processes: wscript.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, wscript.exe \"C:\\Program Files\\Halloware\\permaban.vbs\"" | wscript.exe

UAC bypass
Processes: wscript.exe, wscript.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | wscript.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | wscript.exe

Disables RegEdit via registry modification 1 IoCs
Processes: wscript.exe
description | ioc | process
Set value (int) | \REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\disableregistrytools = "1" | wscript.exe

Disables Task Manager via registry modification

Possible privilege escalation attempt 20 IoCs
Processes (pid | process):
656 | takeown.exe
4956 | icacls.exe
3388 | icacls.exe
4980 | takeown.exe
4964 | takeown.exe
4428 | takeown.exe
5024 | takeown.exe
5020 | icacls.exe
4936 | icacls.exe
4928 | icacls.exe
660 | icacls.exe
4748 | icacls.exe
3372 | takeown.exe
4768 | icacls.exe
4900 | takeown.exe
5116 | takeown.exe
4052 | icacls.exe
5012 | takeown.exe
4776 | takeown.exe
5004 | icacls.exe

Executes dropped EXE 5 IoCs
Processes (pid | process):
920 | LogonUI.exe
4792 | kosuyorum.exe
1076 | Hware.exe
1560 | LogonUI.exe
4684 | LogonUI.exe

Modifies file permissions 1 TTPs 20 IoCs
Processes (pid | process):
4428 | takeown.exe
3372 | takeown.exe
4936 | icacls.exe
5116 | takeown.exe
660 | icacls.exe
4768 | icacls.exe
5024 | takeown.exe
5020 | icacls.exe
4964 | takeown.exe
4052 | icacls.exe
4956 | icacls.exe
4748 | icacls.exe
4980 | takeown.exe
4900 | takeown.exe
4928 | icacls.exe
5012 | takeown.exe
4776 | takeown.exe
3388 | icacls.exe
5004 | icacls.exe
656 | takeown.exe

Modifies system executable filetype association 2 TTPs 2 IoCs
Processes: wscript.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\DefaultIcon | wscript.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\DefaultIcon\ = "C:\\Program Files\\Halloware\\bin\\pump.ico" | wscript.exe

Drops file in System32 directory 2 IoCs
Processes: cmd.exe
description | ioc | process
File opened for modification | C:\Windows\System32\logonUI.exe | cmd.exe
File opened for modification | C:\Windows\System32\taskmgr.exe | cmd.exe

Drops file in Program Files directory 38 IoCs
Processes: wscript.exe, cmd.exe
description | ioc | process
File created | C:\Program Files\Halloware\fakelogon.vbs | wscript.exe
File created | C:\Program Files\Halloware\Hware.exe | wscript.exe
File created | C:\Program Files\Halloware\data\fakelogon.exe | wscript.exe
File opened for modification | C:\Program Files\Halloware\backup\csrss.bak | cmd.exe
File created | C:\Program Files\Halloware\backup\winload.bak | cmd.exe
File created | C:\Program Files\Halloware\backup\logonUI.bak | cmd.exe
File opened for modification | C:\Program Files\Halloware\backup\rundll32.bak | cmd.exe
File created | C:\Program Files\Halloware\bin\@tile@@.jpg | wscript.exe
File created | C:\Program Files\Halloware\inyer.wav | wscript.exe
File created | C:\Program Files\Halloware\takeact.vbs | wscript.exe
File opened for modification | C:\Program Files\Halloware\backup\logonUI.bak | cmd.exe
File created | C:\Program Files\Halloware\backup\notepad.bak | cmd.exe
File opened for modification | C:\Program Files\Halloware\backup\regedit.bak | cmd.exe
File created | C:\Program Files\Halloware\bin\pump.ico | wscript.exe
File created | C:\Program Files\Halloware\permaban.vbs | wscript.exe
File created | C:\Program Files\Halloware\screwup.vbs | wscript.exe
File created | C:\Program Files\Halloware\template.vbs | wscript.exe
File created | C:\Program Files\Halloware\backup\sethc.bak | cmd.exe
File created | C:\Program Files\Halloware\backup\bcdedit.bak | cmd.exe
File opened for modification | C:\Program Files\Halloware\backup\bcdedit.bak | cmd.exe
File opened for modification | C:\Program Files\Halloware\backup\taskmgr.bak | cmd.exe
File created | C:\Program Files\Halloware\intf.wav | wscript.exe
File created | C:\Program Files\Halloware\kosuyorum.exe | wscript.exe
File opened for modification | C:\Program Files\Halloware\backup\winload.bak | cmd.exe
File created | C:\Program Files\Halloware\backup\explorer.bak | cmd.exe
File opened for modification | C:\Program Files\Halloware\backup\notepad.bak | cmd.exe
File created | C:\Program Files\Halloware\backup\regedit.bak | cmd.exe
File created | C:\Program Files\Halloware\delc.bat | wscript.exe
File created | C:\Program Files\Halloware\findit.bat | wscript.exe
File created | C:\Program Files\Halloware\takeown.bat | wscript.exe
File opened for modification | C:\Program Files\Halloware\backup\sethc.bak | cmd.exe
File created | C:\Program Files\Halloware\backup\rundll32.bak | cmd.exe
File created | C:\Program Files\Halloware\bin\pumpcur.cur | wscript.exe
File created | C:\Program Files\Halloware\iQShell.vbs | wscript.exe
File created | C:\Program Files\Halloware\backup\csrss.bak | cmd.exe
File opened for modification | C:\Program Files\Halloware\backup\explorer.bak | cmd.exe
File created | C:\Program Files\Halloware\backup\taskmgr.bak | cmd.exe
File opened for modification | C:\Program Files\Halloware\bin\@tile@@.jpg | wscript.exe

Drops file in Windows directory 2 IoCs
Processes: cmd.exe
description | ioc | process
File created | C:\Windows\explorer.exe | cmd.exe
File created | C:\Windows\notepad.exe | cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

Enumerates processes with tasklist 1 TTPs 4 IoCs
Processes (pid | process):
2516 | tasklist.exe
2624 | tasklist.exe
4784 | tasklist.exe
4436 | tasklist.exe

Modifies Control Panel 4 IoCs
Processes: wscript.exe
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000\Control Panel\Cursors | wscript.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000\Control Panel\Cursors\Arrow = "C:\\Program Files\\Halloware\\bin\\pumpcur.cur" | wscript.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000\Control Panel\Cursors\AppStarting = "C:\\Program Files\\Halloware\\bin\\pumpcur.cur" | wscript.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000\Control Panel\Cursors\Hand = "C:\\Program Files\\Halloware\\bin\\pumpcur.cur" | wscript.exe

Modifies data under HKEY_USERS 59 IoCs

Modifies registry class 12 IoCs
Processes: wscript.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\DefaultIcon | wscript.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\DefaultIcon\ = "C:\\Program Files\\Halloware\\bin\\pump.ico" | wscript.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\mp4file\DefaultIcon | wscript.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\inifile\DefaultIcon | wscript.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\inifile\DefaultIcon\ = "C:\\Program Files\\Halloware\\bin\\pump.ico" | wscript.exe
Key created | \REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\Local Settings | wscript.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\DefaultIcon\ = "C:\\Program Files\\Halloware\\bin\\pump.ico" | wscript.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\mp3file\DefaultIcon\ = "C:\\Program Files\\Halloware\\bin\\pump.ico" | wscript.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\mp4file | wscript.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\mp4file\DefaultIcon\ = "C:\\Program Files\\Halloware\\bin\\pump.ico" | wscript.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\DefaultIcon | wscript.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\mp3file\DefaultIcon | wscript.exe

Suspicious use of AdjustPrivilegeToken 18 IoCs
Processes (description | pid | process):
Token: SeTakeOwnershipPrivilege | 4428 | takeown.exe
Token: SeDebugPrivilege | 4436 | tasklist.exe
Token: SeTakeOwnershipPrivilege | 5012 | takeown.exe
Token: SeTakeOwnershipPrivilege | 4776 | takeown.exe
Token: SeTakeOwnershipPrivilege | 3372 | takeown.exe
Token: SeTakeOwnershipPrivilege | 5024 | takeown.exe
Token: SeTakeOwnershipPrivilege | 4980 | takeown.exe
Token: SeTakeOwnershipPrivilege | 4900 | takeown.exe
Token: SeTakeOwnershipPrivilege | 4964 | takeown.exe
Token: SeTakeOwnershipPrivilege | 5116 | takeown.exe
Token: SeTakeOwnershipPrivilege | 656 | takeown.exe
Token: SeShutdownPrivilege | 1200 | shutdown.exe
Token: SeRemoteShutdownPrivilege | 1200 | shutdown.exe
Token: SeDebugPrivilege | 2516 | tasklist.exe
Token: 33 | 4144 | AUDIODG.EXE
Token: SeIncBasePriorityPrivilege | 4144 | AUDIODG.EXE
Token: SeDebugPrivilege | 2624 | tasklist.exe
Token: SeDebugPrivilege | 4784 | tasklist.exe

Suspicious use of WriteProcessMemory 64 IoCs

System policy modification 1 TTPs 4 IoCs
Processes: wscript.exe, wscript.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system | wscript.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | wscript.exe
Key created | \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System | wscript.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | wscript.exe

Processes

C:\Users\Admin\AppData\Local\Temp\trojan-leaks-main\Halloware (BerkayV).exe (PID 4892)
  Command line: "C:\Users\Admin\AppData\Local\Temp\trojan-leaks-main\Halloware (BerkayV).exe"
  Signatures: Suspicious use of WriteProcessMemory
    C:\Windows\System32\wscript.exe (PID 2424)
      Command line: "C:\Windows\sysnative\wscript.exe" C:\Users\Admin\AppData\Local\Temp\2635.tmp\2636.vbs
      Signatures: UAC bypass; Drops file in Program Files directory; Suspicious use of WriteProcessMemory; System policy modification
        C:\Windows\System32\cmd.exe (PID 3756)
          Command line: "C:\Windows\System32\cmd.exe" /c echo msgbox"Please wait while halloware infecting your computer",1+48,"Alert" > "C:\Users\Admin\AppData\Local\Temp\waitdude.vbs" & wscript.exe "C:\Users\Admin\AppData\Local\Temp\waitdude.vbs"
          Signatures: Suspicious use of WriteProcessMemory
            C:\Windows\system32\wscript.exe (PID 2248)
              Command line: wscript.exe "C:\Users\Admin\AppData\Local\Temp\waitdude.vbs"
        C:\Windows\System32\wscript.exe (PID 4168)
          Command line: "C:\Windows\System32\wscript.exe" "C:\Program files\halloware\takeact.vbs" RunAsAdministrator
          Signatures: Modifies WinLogon for persistence; UAC bypass; Disables RegEdit via registry modification; Modifies system executable filetype association; Modifies Control Panel; Modifies registry class; Suspicious use of WriteProcessMemory; System policy modification
            C:\Windows\System32\cmd.exe (PID 1636)
              Command line: "C:\Windows\System32\cmd.exe" /C "C:\Program Files\Halloware\takeown.bat"
              Signatures: Drops file in System32 directory; Drops file in Program Files directory; Drops file in Windows directory; Suspicious use of WriteProcessMemory
                C:\Windows\System32\takeown.exe (PID 4428)
                  Command line: takeown /f sethc.exe
                  Signatures: Possible privilege escalation attempt; Modifies file permissions; Suspicious use of AdjustPrivilegeToken
                C:\Windows\System32\icacls.exe (PID 4956)
                  Command line: icacls sethc.exe /granted "Admin":F /q
                  Signatures: Possible privilege escalation attempt; Modifies file permissions
                C:\Windows\System32\takeown.exe (PID 5012)
                  Command line: takeown /f csrss.exe
                  Signatures: Possible privilege escalation attempt; Modifies file permissions; Suspicious use of AdjustPrivilegeToken
                C:\Windows\System32\icacls.exe (PID 4748)
                  Command line: icacls csrss.exe /granted "Admin":F /q
                  Signatures: Possible privilege escalation attempt; Modifies file permissions
                C:\Windows\System32\takeown.exe (PID 4776)
                  Command line: takeown /f winload.exe
                  Signatures: Possible privilege escalation attempt; Modifies file permissions; Suspicious use of AdjustPrivilegeToken
                C:\Windows\System32\icacls.exe (PID 3388)
                  Command line: icacls winload.exe /granted "Admin":F /q
                  Signatures: Possible privilege escalation attempt; Modifies file permissions
                C:\Windows\System32\takeown.exe (PID 3372)
                  Command line: takeown /f logonUI.exe
                  Signatures: Possible privilege escalation attempt; Modifies file permissions; Suspicious use of AdjustPrivilegeToken
                C:\Windows\System32\icacls.exe (PID 4768)
                  Command line: icacls logonUI.exe /granted "Admin":F /q
                  Signatures: Possible privilege escalation attempt; Modifies file permissions
                C:\Windows\System32\takeown.exe (PID 5024)
                  Command line: takeown /f bcdedit.exe
                  Signatures: Possible privilege escalation attempt; Modifies file permissions; Suspicious use of AdjustPrivilegeToken
                C:\Windows\System32\icacls.exe (PID 5004)
                  Command line: icacls bcdedit.exe /granted "Admin":F /q
                  Signatures: Possible privilege escalation attempt; Modifies file permissions
                C:\Windows\system32\takeown.exe (PID 4980)
                  Command line: takeown /f explorer.exe
                  Signatures: Possible privilege escalation attempt; Modifies file permissions; Suspicious use of AdjustPrivilegeToken
                C:\Windows\system32\icacls.exe (PID 5020)
                  Command line: icacls explorer.exe /granted "Admin":F /q
                  Signatures: Possible privilege escalation attempt; Modifies file permissions
                C:\Windows\system32\takeown.exe (PID 4900)
                  Command line: takeown /f notepad.exe
                  Signatures: Possible privilege escalation attempt; Modifies file permissions; Suspicious use of AdjustPrivilegeToken
                C:\Windows\system32\icacls.exe (PID 4936)
                  Command line: icacls sethc.exe /granted "Admin":F /q
                  Signatures: Possible privilege escalation attempt; Modifies file permissions
                C:\Windows\system32\takeown.exe (PID 4964)
                  Command line: takeown /f regedit.exe
                  Signatures: Possible privilege escalation attempt; Modifies file permissions; Suspicious use of AdjustPrivilegeToken
                C:\Windows\system32\icacls.exe (PID 4928)
                  Command line: icacls regedit.exe /granted "Admin":F /q
                  Signatures: Possible privilege escalation attempt; Modifies file permissions
                C:\Windows\System32\takeown.exe (PID 5116)
                  Command line: takeown /f taskmgr.exe
                  Signatures: Possible privilege escalation attempt; Modifies file permissions; Suspicious use of AdjustPrivilegeToken
                C:\Windows\System32\icacls.exe (PID 660)
                  Command line: icacls taskmgr.exe /granted "Admin":F /q
                  Signatures: Possible privilege escalation attempt; Modifies file permissions
                C:\Windows\System32\takeown.exe (PID 656)
                  Command line: takeown /f rundll32.exe
                  Signatures: Possible privilege escalation attempt; Modifies file permissions; Suspicious use of AdjustPrivilegeToken
                C:\Windows\System32\icacls.exe (PID 4052)
                  Command line: icacls rundll32.exe /granted "Admin":F /q
                  Signatures: Possible privilege escalation attempt; Modifies file permissions
            C:\Windows\system32\cmd.exe (PID 1784)
              Command line: C:\Windows\system32\cmd.exe /c ""C:\Program Files\halloware\findit.bat" "
              Signatures: Suspicious use of WriteProcessMemory
                C:\Windows\system32\tasklist.exe (PID 4436)
                  Command line: tasklist /FI "IMAGENAME eq kosuyorum.exe"
                  Signatures: Enumerates processes with tasklist; Suspicious use of AdjustPrivilegeToken
            C:\Windows\System32\shutdown.exe (PID 1200)
              Command line: "C:\Windows\System32\shutdown.exe" -r -t 00
              Signatures: Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3ad7055 /state1:0x41c64e6d
Depth:1
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:920

C:\Windows\System32\wscript.exe
"C:\Windows\sysnative\wscript.exe" C:\Windows\Temp\6784.tmp\6785.vbs /flags:0x0 /state0:0xa3ad7055 /state1:0x41c64e6d
Depth:2
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:2032

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Program Files\halloware\findit.bat" "
Depth:3
- Suspicious use of WriteProcessMemory
PID:1484

C:\Windows\system32\tasklist.exe
tasklist /FI "IMAGENAME eq kosuyorum.exe"
Depth:4
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:2516

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c cd\ & cd "Program Files"& cd Halloware & Kosuyorum.exe
Depth:3
PID:208

C:\Program Files\Halloware\kosuyorum.exe
Kosuyorum.exe
Depth:4
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:4792

C:\Windows\System32\wscript.exe
"C:\Windows\sysnative\wscript.exe" C:\Windows\Temp\71F4.tmp\71F5.vbs
Depth:5
- Modifies data under HKEY_USERS
PID:2144

C:\Program Files\halloware\Hware.exe
"C:\Program Files\halloware\Hware.exe"
Depth:6
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:1076

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x200
Depth:1
- Suspicious use of AdjustPrivilegeToken
PID:4144

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3ae9855 /state1:0x41c64e6d
Depth:1
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:1560

C:\Windows\System32\wscript.exe
"C:\Windows\sysnative\wscript.exe" C:\Windows\Temp\5138.tmp\5139.vbs /flags:0x0 /state0:0xa3ae9855 /state1:0x41c64e6d
Depth:2
- Modifies data under HKEY_USERS
PID:356

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Program Files\halloware\findit.bat" "
Depth:3
PID:2904

C:\Windows\system32\tasklist.exe
tasklist /FI "IMAGENAME eq kosuyorum.exe"
Depth:4
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:2624

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3af8055 /state1:0x41c64e6d
Depth:1
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:4684

C:\Windows\System32\wscript.exe
"C:\Windows\sysnative\wscript.exe" C:\Windows\Temp\3BA8.tmp\3BA9.vbs /flags:0x0 /state0:0xa3af8055 /state1:0x41c64e6d
Depth:2
- Modifies data under HKEY_USERS
PID:2596

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Program Files\halloware\findit.bat" "
Depth:3
PID:4336

C:\Windows\system32\tasklist.exe
tasklist /FI "IMAGENAME eq kosuyorum.exe"
Depth:4
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:4784

Network
MITRE ATT&CK Enterprise v6
Downloads