Analysis
max time kernel: 150s
max time network: 141s
platform: windows10-2004_x64
resource: win10v2004-20250502-en
resource tags: arch:x64, arch:x86, image:win10v2004-20250502-en, locale:en-us, os:windows10-2004-x64, system
submitted: 20/05/2025, 08:34
Static task: static1
Behavioral task: behavioral1
Sample: 2025-05-20_e34ace8f4216078d97f0257da1964c1a_amadey_black-basta_darkgate_elex_hijackloader_luca-steal.exe
Resource: win10v2004-20250502-en
General
Target: 2025-05-20_e34ace8f4216078d97f0257da1964c1a_amadey_black-basta_darkgate_elex_hijackloader_luca-steal.exe
Size: 24.7MB
MD5: e34ace8f4216078d97f0257da1964c1a
SHA1: 6646a9d1edc3212e3f04713a69525066f91dad12
SHA256: 21f05af90bdee3716b1e8a7797e361c6ac31275f1a9c66f9c5f6fc7f9e1c9189
SHA512: ccc13266008a86b857afd65bc090618d968a5486bc302a19298927a0169ec6bd1a5ac5f0240984c77d8a2f873c6bc5bd0354cb713b5e9d9b3dd286d14a41e5fa
SSDEEP: 786432:ZTHwiu9W09E3b3shopoAc7qU+A4ui+QH8eH/uDEVoqN6:ZTHwvWYEraGoR+YiF8eHLeq0
Malware Config
Signatures
Detects Mofksys worm 5 IoCs
resource | yara_rule
behavioral1/files/0x00070000000241ff-10.dat | family_mofksys
behavioral1/files/0x00080000000241fc-17.dat | family_mofksys
behavioral1/files/0x0010000000024099-29.dat | family_mofksys
behavioral1/files/0x0009000000024206-37.dat | family_mofksys
behavioral1/files/0x0009000000024205-53.dat | family_mofksys
Modifies WinLogon for persistence 2 TTPs 2 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" | svchost.exe
Modifies visibility of hidden/system files in Explorer 2 TTPs 2 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-3342576763-1998465526-3870295501-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | explorer.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3342576763-1998465526-3870295501-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | svchost.exe
Mofksys family
-
Boot or Logon Autostart Execution: Active Setup 2 TTPs 8 IoCs
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
description | ioc | Process
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | explorer.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} | svchost.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | svchost.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | svchost.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | svchost.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | svchost.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432NODE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} | svchost.exe
Executes dropped EXE 8 IoCs
pid | Process
4432 | 2025-05-20_e34ace8f4216078d97f0257da1964c1a_amadey_black-basta_darkgate_elex_hijackloader_luca-steal.exe
4700 | icsys.icn.exe
4592 | explorer.exe
4888 | spoolsv.exe
5928 | svchost.exe
3432 | spoolsv.exe
5492 | svchost.exe
4116 | explorer.exe
Loads dropped DLL 8 IoCs
pid | Process
2636 | MsiExec.exe
Adds Run key to start application 2 TTPs 4 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" | svchost.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" | svchost.exe
Enumerates connected drives 3 TTPs 46 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Drops file in Windows directory 6 IoCs
description | ioc | Process
File opened for modification | \??\c:\windows\system\svchost.exe | spoolsv.exe
File opened for modification | \??\c:\windows\system\explorer.exe | explorer.exe
File opened for modification | \??\c:\windows\system\svchost.exe | svchost.exe
File opened for modification | C:\Windows\system\udsys.exe | explorer.exe
File opened for modification | \??\c:\windows\system\explorer.exe | icsys.icn.exe
File opened for modification | \??\c:\windows\system\spoolsv.exe | explorer.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 13 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | explorer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | spoolsv.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | at.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | icsys.icn.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | MsiExec.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 2025-05-20_e34ace8f4216078d97f0257da1964c1a_amadey_black-basta_darkgate_elex_hijackloader_luca-steal.exe
Modifies system certificate store 2 TTPs 3 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 | 2025-05-20_e34ace8f4216078d97f0257da1964c1a_amadey_black-basta_darkgate_elex_hijackloader_luca-steal.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob | 2025-05-20_e34ace8f4216078d97f0257da1964c1a_amadey_black-basta_darkgate_elex_hijackloader_luca-steal.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process
4700 | icsys.icn.exe
4592 | explorer.exe
5928 | svchost.exe
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
pid | Process
4592 | explorer.exe
5928 | svchost.exe
Suspicious use of AdjustPrivilegeToken 64 IoCs
Suspicious use of FindShellTrayWindow 2 IoCs
pid | Process
4432 | 2025-05-20_e34ace8f4216078d97f0257da1964c1a_amadey_black-basta_darkgate_elex_hijackloader_luca-steal.exe
Suspicious use of SetWindowsHookEx 18 IoCs
pid | Process
3088 | 2025-05-20_e34ace8f4216078d97f0257da1964c1a_amadey_black-basta_darkgate_elex_hijackloader_luca-steal.exe
4700 | icsys.icn.exe
4592 | explorer.exe
4888 | spoolsv.exe
5928 | svchost.exe
3432 | spoolsv.exe
5492 | svchost.exe
4116 | explorer.exe
Suspicious use of WriteProcessMemory 36 IoCs
Processes
C:\Users\Admin\AppData\Local\Temp\2025-05-20_e34ace8f4216078d97f0257da1964c1a_amadey_black-basta_darkgate_elex_hijackloader_luca-steal.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\2025-05-20_e34ace8f4216078d97f0257da1964c1a_amadey_black-basta_darkgate_elex_hijackloader_luca-steal.exe"
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID: 3088
  \??\c:\users\admin\appdata\local\temp\2025-05-20_e34ace8f4216078d97f0257da1964c1a_amadey_black-basta_darkgate_elex_hijackloader_luca-steal.exe
  Command line: c:\users\admin\appdata\local\temp\2025-05-20_e34ace8f4216078d97f0257da1964c1a_amadey_black-basta_darkgate_elex_hijackloader_luca-steal.exe
  - Executes dropped EXE
  - Enumerates connected drives
  - System Location Discovery: System Language Discovery
  - Modifies system certificate store
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID: 4432
  C:\Users\Admin\AppData\Local\icsys.icn.exe
  Command line: C:\Users\Admin\AppData\Local\icsys.icn.exe
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID: 4700
    \??\c:\windows\system\explorer.exe
    Command line: c:\windows\system\explorer.exe
    - Modifies WinLogon for persistence
    - Modifies visibility of hidden/system files in Explorer
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID: 4592
      \??\c:\windows\system\spoolsv.exe
      Command line: c:\windows\system\spoolsv.exe SE
      - Executes dropped EXE
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      PID: 4888
        \??\c:\windows\system\svchost.exe
        Command line: c:\windows\system\svchost.exe
        - Modifies WinLogon for persistence
        - Modifies visibility of hidden/system files in Explorer
        - Boot or Logon Autostart Execution: Active Setup
        - Executes dropped EXE
        - Adds Run key to start application
        - Drops file in Windows directory
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: GetForegroundWindowSpam
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
        PID: 5928
          \??\c:\windows\system\spoolsv.exe
          Command line: c:\windows\system\spoolsv.exe PR
          - Executes dropped EXE
          - System Location Discovery: System Language Discovery
          - Suspicious use of SetWindowsHookEx
          PID: 3432
          C:\Windows\SysWOW64\at.exe
          Command line: at 08:36 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
          - System Location Discovery: System Language Discovery
          PID: 4984
          C:\Windows\SysWOW64\at.exe
          Command line: at 08:37 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
          - System Location Discovery: System Language Discovery
          PID: 3256
          C:\Windows\SysWOW64\at.exe
          Command line: at 08:38 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
          - System Location Discovery: System Language Discovery
          PID: 1108
C:\Windows\system32\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c c:\windows\system\explorer.exe RO
- Suspicious use of WriteProcessMemory
PID: 5080
  \??\c:\windows\system\explorer.exe
  Command line: c:\windows\system\explorer.exe RO
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID: 4116
C:\Windows\system32\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c c:\windows\system\svchost.exe RO
- Suspicious use of WriteProcessMemory
PID: 4876
  \??\c:\windows\system\svchost.exe
  Command line: c:\windows\system\svchost.exe RO
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID: 5492
C:\Windows\system32\msiexec.exe
Command line: C:\Windows\system32\msiexec.exe /V
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 1348
  C:\Windows\syswow64\MsiExec.exe
  Command line: C:\Windows\syswow64\MsiExec.exe -Embedding 44EC0DC58A2346408020C5807359040D C
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID: 2636
Network
MITRE ATT&CK Enterprise v16
Persistence
  Boot or Logon Autostart Execution (3)
    Active Setup (1)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
Privilege Escalation
  Boot or Logon Autostart Execution (3)
    Active Setup (1)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
Defense Evasion
  Hide Artifacts (1)
    Hidden Files and Directories (1)
  Modify Registry (5)
  Subvert Trust Controls (1)
    Install Root Certificate (1)
Downloads
C:\Users\Admin\AppData\Local\Temp\2025-05-20_e34ace8f4216078d97f0257da1964c1a_amadey_black-basta_darkgate_elex_hijackloader_luca-steal.exe
Filesize: 24.5MB