Analysis
-
max time kernel
578s -
max time network
550s -
platform
windows11-21h2_x64 -
resource
win11-20241007-en -
resource tags
arch:x64 arch:x86 image:win11-20241007-en locale:en-us os:windows11-21h2-x64 system -
submitted
17-12-2024 16:30
General
-
Target
Pictures.rar
-
Size
32.9MB
-
MD5
ee72786ed638b0a1ff4aaeab2930b124
-
SHA1
9f4cc855008182d693fd95dfc1a01dfa86122e6b
-
SHA256
f8362987559c18f86c3140f587c9afe2fb672bf8e7c9cef72a40b023340ba1d6
-
SHA512
d69eb9647d110c91431392e2dfd8bdafab7fd41400ed60432335213657f3e526428ab4fd0db12c7a584959a37d9a17892c9a3b0042dc87a6a3e18f3f08a8a9e2
-
SSDEEP
786432:LuXBszdWeJLr859RPyUE9ykGTxJM3O/vKxhNR58SzCFKvLYYdhwe1x3H1A4jwU:ixQhAdO+xhyNR58SzpzYgxx3H24EU
Malware Config
Extracted
cybergate
v1.07.5
remote
127.0.0.1:999
CyberGate1
-
enable_keylogger
true
-
enable_message_box
false
-
ftp_directory
./logs/
-
ftp_interval
30
-
injected_process
explorer.exe
-
install_dir
install
-
install_file
server.exe
-
install_flag
true
-
keylogger_enable_ftp
false
-
message_box_caption
Remote Administration anywhere in the world.
-
message_box_title
CyberGate
-
password
cybergate
Signatures
-
Cybergate family
-
Darkcomet family
-
ACProtect 1.3x - 1.4x DLL software 1 IoCs
Detects file using ACProtect software.
resource  yara_rule
behavioral1/files/0x004600000002abad-3633.dat  acprotect
-
Executes dropped EXE 13 IoCs
pid  Process
4864  CyberGate Excel_v2.5.5.1-trial.exe
5240  CyberGate v1.07.5.exe
8224  server.exe
9940  23.exe
12000  CyberGate v1.07.5.exe
6952  server.exe
7260  test2.exe
3204  DarkComet.exe
9324  upnp.exe
9468  upnp.exe
10004  323.exe
10204  2.exe
10132  2.exe
-
Loads dropped DLL 1 IoCs
pid  Process
3204  DarkComet.exe
-
resource  yara_rule
behavioral1/files/0x004600000002abad-3633.dat  upx
behavioral1/files/0x0012000000029010-6302.dat  upx
behavioral1/memory/9324-6317-0x0000000000400000-0x000000000040D000-memory.dmp  upx
behavioral1/memory/9324-6320-0x0000000000400000-0x000000000040D000-memory.dmp  upx
behavioral1/memory/9468-6353-0x0000000000400000-0x000000000040D000-memory.dmp  upx
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 4 IoCs
pid  pid_target  Process  procid_target
8320  8224  WerFault.exe  85
9960  9940  WerFault.exe  91
7024  6952  WerFault.exe  102
7320  7260  WerFault.exe  108
-
System Location Discovery: System Language Discovery 1 TTPs 15 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description  ioc  Process
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  DllHost.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  server.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  23.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  upnp.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  2.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  CyberGate Excel_v2.5.5.1-trial.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  DllHost.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  upnp.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  323.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  CyberGate v1.07.5.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  DllHost.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  CyberGate v1.07.5.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  test2.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  DarkComet.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  2.exe
-
Checks SCSI registry key(s) 3 TTPs 16 IoCs
SCSI information is often read in order to detect sandboxing environments.
description  ioc  Process
Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags  CyberGate v1.07.5.exe
Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom  CyberGate v1.07.5.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002  CyberGate v1.07.5.exe
Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom  CyberGate v1.07.5.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000  CyberGate v1.07.5.exe
Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags  CyberGate v1.07.5.exe
Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags  CyberGate v1.07.5.exe
Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom  CyberGate v1.07.5.exe
Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags  CyberGate v1.07.5.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000  CyberGate v1.07.5.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001  CyberGate v1.07.5.exe
Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom  CyberGate v1.07.5.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002  CyberGate v1.07.5.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000  CyberGate v1.07.5.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000  CyberGate v1.07.5.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001  CyberGate v1.07.5.exe
-
Modifies registry class 64 IoCs
Suspicious behavior: GetForegroundWindowSpam 5 IoCs
pid  Process
3544  7zFM.exe
5240  CyberGate v1.07.5.exe
10360  OpenWith.exe
12000  CyberGate v1.07.5.exe
3204  DarkComet.exe
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
description  pid  Process
Token: SeRestorePrivilege  3544  7zFM.exe
Token: 35  3544  7zFM.exe
Token: SeSecurityPrivilege  3544  7zFM.exe
Token: SeDebugPrivilege  5240  CyberGate v1.07.5.exe
Token: SeDebugPrivilege  12000  CyberGate v1.07.5.exe
Token: 33  8824  AUDIODG.EXE
Token: SeIncBasePriorityPrivilege  8824  AUDIODG.EXE
Token: SeIncreaseQuotaPrivilege  10004  323.exe
Token: SeSecurityPrivilege  10004  323.exe
Token: SeTakeOwnershipPrivilege  10004  323.exe
Token: SeLoadDriverPrivilege  10004  323.exe
Token: SeSystemProfilePrivilege  10004  323.exe
Token: SeSystemtimePrivilege  10004  323.exe
Token: SeProfSingleProcessPrivilege  10004  323.exe
Token: SeIncBasePriorityPrivilege  10004  323.exe
Token: SeCreatePagefilePrivilege  10004  323.exe
Token: SeBackupPrivilege  10004  323.exe
Token: SeRestorePrivilege  10004  323.exe
Token: SeShutdownPrivilege  10004  323.exe
Token: SeDebugPrivilege  10004  323.exe
Token: SeSystemEnvironmentPrivilege  10004  323.exe
Token: SeChangeNotifyPrivilege  10004  323.exe
Token: SeRemoteShutdownPrivilege  10004  323.exe
Token: SeUndockPrivilege  10004  323.exe
Token: SeManageVolumePrivilege  10004  323.exe
Token: SeImpersonatePrivilege  10004  323.exe
Token: SeCreateGlobalPrivilege  10004  323.exe
Token: 33  10004  323.exe
Token: 34  10004  323.exe
Token: 35  10004  323.exe
Token: 36  10004  323.exe
Token: SeIncreaseQuotaPrivilege  10204  2.exe
Token: SeSecurityPrivilege  10204  2.exe
Token: SeTakeOwnershipPrivilege  10204  2.exe
Token: SeLoadDriverPrivilege  10204  2.exe
Token: SeSystemProfilePrivilege  10204  2.exe
Token: SeSystemtimePrivilege  10204  2.exe
Token: SeProfSingleProcessPrivilege  10204  2.exe
Token: SeIncBasePriorityPrivilege  10204  2.exe
Token: SeCreatePagefilePrivilege  10204  2.exe
Token: SeBackupPrivilege  10204  2.exe
Token: SeRestorePrivilege  10204  2.exe
Token: SeShutdownPrivilege  10204  2.exe
Token: SeDebugPrivilege  10204  2.exe
Token: SeSystemEnvironmentPrivilege  10204  2.exe
Token: SeChangeNotifyPrivilege  10204  2.exe
Token: SeRemoteShutdownPrivilege  10204  2.exe
Token: SeUndockPrivilege  10204  2.exe
Token: SeManageVolumePrivilege  10204  2.exe
Token: SeImpersonatePrivilege  10204  2.exe
Token: SeCreateGlobalPrivilege  10204  2.exe
Token: 33  10204  2.exe
Token: 34  10204  2.exe
Token: 35  10204  2.exe
Token: 36  10204  2.exe
Token: SeIncreaseQuotaPrivilege  10132  2.exe
Token: SeSecurityPrivilege  10132  2.exe
Token: SeTakeOwnershipPrivilege  10132  2.exe
Token: SeLoadDriverPrivilege  10132  2.exe
Token: SeSystemProfilePrivilege  10132  2.exe
Token: SeSystemtimePrivilege  10132  2.exe
Token: SeProfSingleProcessPrivilege  10132  2.exe
Token: SeIncBasePriorityPrivilege  10132  2.exe
Token: SeCreatePagefilePrivilege  10132  2.exe
-
Suspicious use of FindShellTrayWindow 25 IoCs
pid Process 3544 7zFM.exe 3544 7zFM.exe 5240 CyberGate v1.07.5.exe 5240 CyberGate v1.07.5.exe 5240 CyberGate v1.07.5.exe 5240 CyberGate v1.07.5.exe 5240 CyberGate v1.07.5.exe 5240 CyberGate v1.07.5.exe 5240 CyberGate v1.07.5.exe 5240 CyberGate v1.07.5.exe 12000 CyberGate v1.07.5.exe 12000 CyberGate v1.07.5.exe 12000 CyberGate v1.07.5.exe 12000 CyberGate v1.07.5.exe 12000 CyberGate v1.07.5.exe 12000 CyberGate v1.07.5.exe 12000 CyberGate v1.07.5.exe 12000 CyberGate v1.07.5.exe 3204 DarkComet.exe 3204 DarkComet.exe 3204 DarkComet.exe 3204 DarkComet.exe 3204 DarkComet.exe 3204 DarkComet.exe 3204 DarkComet.exe -
Suspicious use of SendNotifyMessage 22 IoCs
pid Process 5240 CyberGate v1.07.5.exe 5240 CyberGate v1.07.5.exe 5240 CyberGate v1.07.5.exe 5240 CyberGate v1.07.5.exe 5240 CyberGate v1.07.5.exe 5240 CyberGate v1.07.5.exe 5240 CyberGate v1.07.5.exe 5240 CyberGate v1.07.5.exe 12000 CyberGate v1.07.5.exe 12000 CyberGate v1.07.5.exe 12000 CyberGate v1.07.5.exe 12000 CyberGate v1.07.5.exe 12000 CyberGate v1.07.5.exe 12000 CyberGate v1.07.5.exe 12000 CyberGate v1.07.5.exe 12000 CyberGate v1.07.5.exe 3204 DarkComet.exe 3204 DarkComet.exe 3204 DarkComet.exe 3204 DarkComet.exe 3204 DarkComet.exe 3204 DarkComet.exe -
Suspicious use of SetWindowsHookEx 35 IoCs
pid Process 5240 CyberGate v1.07.5.exe 5240 CyberGate v1.07.5.exe 10360 OpenWith.exe 10360 OpenWith.exe 10360 OpenWith.exe 10360 OpenWith.exe 10360 OpenWith.exe 10360 OpenWith.exe 10360 OpenWith.exe 10360 OpenWith.exe 10360 OpenWith.exe 10360 OpenWith.exe 10360 OpenWith.exe 10360 OpenWith.exe 10360 OpenWith.exe 10360 OpenWith.exe 10360 OpenWith.exe 10360 OpenWith.exe 10360 OpenWith.exe 10360 OpenWith.exe 10360 OpenWith.exe 10360 OpenWith.exe 10360 OpenWith.exe 10360 OpenWith.exe 10360 OpenWith.exe 10360 OpenWith.exe 10360 OpenWith.exe 10360 OpenWith.exe 12000 CyberGate v1.07.5.exe 3204 DarkComet.exe 3204 DarkComet.exe 3204 DarkComet.exe 3204 DarkComet.exe 3204 DarkComet.exe 3204 DarkComet.exe -
Suspicious use of WriteProcessMemory 6 IoCs
description  pid  Process  procid_target
PID 3204 wrote to memory of 9324  3204  DarkComet.exe  115
PID 3204 wrote to memory of 9324  3204  DarkComet.exe  115
PID 3204 wrote to memory of 9324  3204  DarkComet.exe  115
PID 3204 wrote to memory of 9468  3204  DarkComet.exe  117
PID 3204 wrote to memory of 9468  3204  DarkComet.exe  117
PID 3204 wrote to memory of 9468  3204  DarkComet.exe  117
Processes
-
C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Pictures.rar" 1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3544
-
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding 1⤵
PID:4736
-
C:\Users\Admin\Desktop\CyberGate Excel v2.5.5.1 - Trial\CyberGate Excel v2.5.5.1 - Trial\CyberGate Excel_v2.5.5.1-trial.exe
"C:\Users\Admin\Desktop\CyberGate Excel v2.5.5.1 - Trial\CyberGate Excel v2.5.5.1 - Trial\CyberGate Excel_v2.5.5.1-trial.exe" 1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4864
-
C:\Users\Admin\Desktop\CyberGate v1.07.5\CyberGate v1.07.5\CyberGate v1.07.5.exe
"C:\Users\Admin\Desktop\CyberGate v1.07.5\CyberGate v1.07.5\CyberGate v1.07.5.exe" 1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:5240
-
C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} 1⤵
- System Location Discovery: System Language Discovery
PID:1752
-
C:\Users\Admin\Desktop\server.exe
"C:\Users\Admin\Desktop\server.exe" 1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:8224 -
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 8224 -s 532 2⤵
- Program crash
PID:8320
-
-
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 8224 -ip 8224 1⤵
PID:8292
-
C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} 1⤵
- System Location Discovery: System Language Discovery
PID:8768
-
C:\Users\Admin\Desktop\23.exe
"C:\Users\Admin\Desktop\23.exe" 1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:9940 -
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 9940 -s 532 2⤵
- Program crash
PID:9960
-
-
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 9940 -ip 9940 1⤵
PID:9988
-
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding 1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:10360
-
C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.13 1⤵
PID:5136
-
C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\CyberGate v1.07.5\CyberGate v1.07.5\Settings\Settings.ini 1⤵
PID:11456
-
C:\Users\Admin\Desktop\CyberGate v1.07.5\CyberGate v1.07.5\CyberGate v1.07.5.exe
"C:\Users\Admin\Desktop\CyberGate v1.07.5\CyberGate v1.07.5\CyberGate v1.07.5.exe" 1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:12000
-
C:\Users\Admin\Desktop\server.exe
"C:\Users\Admin\Desktop\server.exe" 1⤵
- Executes dropped EXE
PID:6952 -
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 6952 -s 504 2⤵
- Program crash
PID:7024
-
-
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 6952 -ip 6952 1⤵
PID:7004
-
C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} 1⤵
- System Location Discovery: System Language Discovery
PID:4928
-
C:\Users\Admin\Desktop\test2.exe
"C:\Users\Admin\Desktop\test2.exe" 1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:7260 -
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 7260 -s 532 2⤵
- Program crash
PID:7320
-
-
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 7260 -ip 7260 1⤵
PID:7300
-
C:\Users\Admin\Desktop\Dark Comet 5.3\Dark Comet\DarkComet.exe
"C:\Users\Admin\Desktop\Dark Comet 5.3\Dark Comet\DarkComet.exe" 1⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3204 -
C:\Users\Admin\AppData\Local\Temp\upnp.exe
"C:\Users\Admin\AppData\Local\Temp\upnp.exe" -a 10.127.0.57 1604 1604 TCP 2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:9324
-
-
C:\Users\Admin\AppData\Local\Temp\upnp.exe
"C:\Users\Admin\AppData\Local\Temp\upnp.exe" -a 10.127.0.57 7777 7777 TCP 2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:9468
-
-
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004BC 0x00000000000004D4 1⤵
- Suspicious use of AdjustPrivilegeToken
PID:8824
-
C:\Users\Admin\Desktop\323.exe
"C:\Users\Admin\Desktop\323.exe" 1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:10004
-
C:\Users\Admin\Desktop\2.exe
"C:\Users\Admin\Desktop\2.exe" 1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:10204
-
C:\Users\Admin\Desktop\2.exe
"C:\Users\Admin\Desktop\2.exe" 1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:10132
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
28KB
MD588fabb6a722c12b94a8ec76301b575c6
SHA131a0559dcbc23e55745ab7958e9a907f677459d5
SHA256ba74fe424124a4ebceb63411161bf4dcce77cd37912f100d577c3d06e91adfdf
SHA51201932b15ab0ae5aecf6d5c5ae65ec146b090d4f5365f999263e99f1e12e27362cdecde596d0f967eb81a86cd75dc9c7e8fc96e768aa28f269e1d7460ab70306f
-
Filesize
28KB
MD50b9df186812a8c9f0d4d1dc84b10af31
SHA147b6ea9b71847aa2f75ba8e45b76dffdc4f6dea1
SHA2561b7c5d1c2b4bc4aa3d786da1017cdd3a22066a09000972722b6f305ee3ed5d5e
SHA5128d3a71627ec2c0339a8dbae1522fb549e8bb0cbe55de06cd9785c3973a0975f03fb2584fa47d783be52bb128630b130b2f6d0a13db3bc97d65df042c21d0f199
-
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\BackgroundTransferApi\f019fde6-05b3-4191-9b5e-8003df5e02aa.down_data
Filesize555KB
-
C:\Users\Admin\Desktop\CyberGate Excel v2.5.5.1 - Trial\CyberGate Excel v2.5.5.1 - Trial\CyberGate Excel_v2.5.5.1-trial.exe
Filesize 20.0MB