Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
320s -
max time network
352s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
-
submitted
21/09/2022, 03:54
General
-
Target
goby-win-x64-2.0.5-redteam-cracked_by_hlop/Goby.exe
-
Size
133.2MB
-
MD5
27bd09efcf2746a98312f507d6d96f7e
-
SHA1
ae156478009b0c89ac132af3d63249c85cf2ce17
-
SHA256
ae12cfdb41c3dc3fc383ce5e4e2856b28cd8dee6352b047b9981b1dd51e55ce1
-
SHA512
6bb6823809cc407aa99f53a3d5acfe5bc8ce7503fbe87bfd5dee8349dc2679562c10ea9913c48cc9865c7320df8a7424d3abac7131462247750030e12bded3e6
-
SSDEEP
786432:vdWnQaBaRvHGYJKQSXPz9T/G2nXpf/EtBfamfrpcvFBJFoF2PScuNWqW:VxTRvHF8QS/z9zGud/ET3fcCWq
Malware Config
Signatures
-
joker
Joker is an Android malware that targets billing and SMS fraud.
-
Drops file in Drivers directory 3 IoCs
-
Executes dropped EXE 6 IoCs
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL 20 IoCs
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops file in System32 directory 42 IoCs
-
Drops file in Program Files directory 19 IoCs
-
Drops file in Windows directory 6 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks SCSI registry key(s) 3 TTPs 38 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 6 IoCs
-
Gathers network information 2 TTPs 9 IoCs
Uses commandline utility to view network configuration.
-
Kills process with taskkill 3 IoCs
-
Modifies Internet Explorer settings 1 TTPs 20 IoCs
-
Modifies data under HKEY_USERS 41 IoCs
-
Modifies registry class 64 IoCs
-
NTFS ADS 2 IoCs
-
Suspicious behavior: AddClipboardFormatListener 4 IoCs
-
Suspicious behavior: EnumeratesProcesses 38 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious behavior: LoadsDriver 4 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 64 IoCs
-
Suspicious use of SendNotifyMessage 55 IoCs
-
Suspicious use of SetWindowsHookEx 16 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\goby-win-x64-2.0.5-redteam-cracked_by_hlop\Goby.exe"C:\Users\Admin\AppData\Local\Temp\goby-win-x64-2.0.5-redteam-cracked_by_hlop\Goby.exe"1⤵
- Checks computer location settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\goby-win-x64-2.0.5-redteam-cracked_by_hlop\Goby.exe"C:\Users\Admin\AppData\Local\Temp\goby-win-x64-2.0.5-redteam-cracked_by_hlop\Goby.exe" --type=gpu-process --field-trial-handle=1484,7276437405792593471,9657248040149123390,131072 --disable-features=PlzServiceWorker,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand --no-sandbox=true --user-data-dir="C:\Users\Admin\AppData\Roaming\Goby" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAANAAAAEAAAAAAAAAABAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1564 /prefetch:22⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\AppData\Local\Temp\goby-win-x64-2.0.5-redteam-cracked_by_hlop\Goby.exe"C:\Users\Admin\AppData\Local\Temp\goby-win-x64-2.0.5-redteam-cracked_by_hlop\Goby.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1484,7276437405792593471,9657248040149123390,131072 --disable-features=PlzServiceWorker,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand --lang=en-US --service-sandbox-type=none --no-sandbox=true --ignore-certificate-errors --ignore-certificate-errors --user-data-dir="C:\Users\Admin\AppData\Roaming\Goby" --mojo-platform-channel-handle=1880 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\AppData\Local\Temp\goby-win-x64-2.0.5-redteam-cracked_by_hlop\Goby.exe"C:\Users\Admin\AppData\Local\Temp\goby-win-x64-2.0.5-redteam-cracked_by_hlop\Goby.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\Goby" --app-path="C:\Users\Admin\AppData\Local\Temp\goby-win-x64-2.0.5-redteam-cracked_by_hlop\resources\app.asar" --no-sandbox --no-zygote --no-sandbox=true --field-trial-handle=1484,7276437405792593471,9657248040149123390,131072 --disable-features=PlzServiceWorker,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=4 --mojo-platform-channel-handle=2144 /prefetch:12⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "taskkill /F /IM goby-cmd.exe"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\taskkill.exetaskkill /F /IM goby-cmd.exe4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Users\Admin\AppData\Local\Temp\goby-win-x64-2.0.5-redteam-cracked_by_hlop\golib\goby-cmd.exeC:\Users\Admin\AppData\Local\Temp\goby-win-x64-2.0.5-redteam-cracked_by_hlop/golib/goby-cmd -mode api -bind 127.0.0.1:8361 -rate 100 -dns 8.8.8.8:53 -random true3⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\netstat.exenetstat -ran4⤵
- Gathers network information
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Windows\system32\route.exe" print5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\ROUTE.EXEC:\Windows\system32\route.exe print6⤵
-
-
-
-
C:\Windows\system32\netstat.exenetstat -ran4⤵
- Gathers network information
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Windows\system32\route.exe" print5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\ROUTE.EXEC:\Windows\system32\route.exe print6⤵
-
-
-
-
C:\Windows\system32\netstat.exenetstat -ran4⤵
- Gathers network information
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Windows\system32\route.exe" print5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\ROUTE.EXEC:\Windows\system32\route.exe print6⤵
-
-
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://nmap.org/npcap/dist/npcap-1.60.exe3⤵
- Adds Run key to start application
- Enumerates system info in registry
- Modifies registry class
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffb3f0c46f8,0x7ffb3f0c4708,0x7ffb3f0c47184⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2132,2332811322724990099,209616054917951723,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2204 /prefetch:24⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2132,2332811322724990099,209616054917951723,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2264 /prefetch:34⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2132,2332811322724990099,209616054917951723,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2768 /prefetch:84⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,2332811322724990099,209616054917951723,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3944 /prefetch:14⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,2332811322724990099,209616054917951723,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3960 /prefetch:14⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2132,2332811322724990099,209616054917951723,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4888 /prefetch:84⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2132,2332811322724990099,209616054917951723,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5648 /prefetch:84⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2132,2332811322724990099,209616054917951723,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5720 /prefetch:84⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,2332811322724990099,209616054917951723,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5804 /prefetch:14⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2132,2332811322724990099,209616054917951723,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5772 /prefetch:84⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2132,2332811322724990099,209616054917951723,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6172 /prefetch:84⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2132,2332811322724990099,209616054917951723,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6296 /prefetch:84⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings4⤵
- Drops file in Program Files directory
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x280,0x284,0x288,0x25c,0x28c,0x7ff721e45460,0x7ff721e45470,0x7ff721e454805⤵
-
-
-
C:\Users\Admin\Downloads\npcap-1.60.exe"C:\Users\Admin\Downloads\npcap-1.60.exe"4⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\nscB12C.tmp\NPFInstall.exe"C:\Users\Admin\AppData\Local\Temp\nscB12C.tmp\NPFInstall.exe" -n -check_dll5⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\SysWOW64\certutil.execertutil -addstore -f "Root" "C:\Users\Admin\AppData\Local\Temp\nscB12C.tmp\roots.p7b"5⤵
-
-
C:\Windows\SysWOW64\certutil.execertutil -addstore -f "TrustedPublisher" "C:\Users\Admin\AppData\Local\Temp\nscB12C.tmp\signing.p7b"5⤵
-
-
C:\Program Files\Npcap\NPFInstall.exe"C:\Program Files\Npcap\NPFInstall.exe" -n -c5⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SYSTEM32\pnputil.exepnputil.exe -e6⤵
-
-
-
C:\Program Files\Npcap\NPFInstall.exe"C:\Program Files\Npcap\NPFInstall.exe" -n -iw5⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
-
-
C:\Program Files\Npcap\NPFInstall.exe"C:\Program Files\Npcap\NPFInstall.exe" -n -i5⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell.exe -NoProfile -WindowStyle Hidden -NonInteractive -Command "Start-Service -Name npcap -PassThru | Stop-Service -PassThru | Start-Service"5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell.exe -NoProfile -WindowStyle Hidden -NonInteractive -Command "Register-ScheduledTask -Force -TaskName 'npcapwatchdog' -Description 'Ensure Npcap service is configured to start at boot' -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Npcap\CheckStatus.bat') -Principal (New-ScheduledTaskPrincipal -UserId 'SYSTEM' -LogonType ServiceAccount) -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Compatibility Win8)"5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2132,2332811322724990099,209616054917951723,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6296 /prefetch:84⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,2332811322724990099,209616054917951723,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6776 /prefetch:14⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,2332811322724990099,209616054917951723,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6388 /prefetch:14⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "taskkill /F /IM goby-cmd.exe"3⤵
-
C:\Windows\system32\taskkill.exetaskkill /F /IM goby-cmd.exe4⤵
- Kills process with taskkill
-
-
-
C:\Users\Admin\AppData\Local\Temp\goby-win-x64-2.0.5-redteam-cracked_by_hlop\golib\goby-cmd.exeC:\Users\Admin\AppData\Local\Temp\goby-win-x64-2.0.5-redteam-cracked_by_hlop/golib/goby-cmd -mode api -bind 127.0.0.1:8361 -rate 100 -dns 8.8.8.8:53 -random true3⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\netstat.exenetstat -ran4⤵
- Gathers network information
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Windows\system32\route.exe" print5⤵
-
C:\Windows\system32\ROUTE.EXEC:\Windows\system32\route.exe print6⤵
-
-
-
-
C:\Windows\system32\netstat.exenetstat -ran4⤵
- Gathers network information
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Windows\system32\route.exe" print5⤵
-
C:\Windows\system32\ROUTE.EXEC:\Windows\system32\route.exe print6⤵
-
-
-
-
C:\Windows\system32\netstat.exenetstat -ran4⤵
- Gathers network information
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Windows\system32\route.exe" print5⤵
-
C:\Windows\system32\ROUTE.EXEC:\Windows\system32\route.exe print6⤵
-
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "taskkill /F /IM goby-cmd.exe"3⤵
-
C:\Windows\system32\taskkill.exetaskkill /F /IM goby-cmd.exe4⤵
- Kills process with taskkill
-
-
-
C:\Users\Admin\AppData\Local\Temp\goby-win-x64-2.0.5-redteam-cracked_by_hlop\golib\goby-cmd.exeC:\Users\Admin\AppData\Local\Temp\goby-win-x64-2.0.5-redteam-cracked_by_hlop/golib/goby-cmd -mode api -bind 127.0.0.1:8361 -rate 100 -dns 8.8.8.8:53 -random true3⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\netstat.exenetstat -ran4⤵
- Gathers network information
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Windows\system32\route.exe" print5⤵
-
C:\Windows\system32\ROUTE.EXEC:\Windows\system32\route.exe print6⤵
-
-
-
-
C:\Windows\system32\netstat.exenetstat -ran4⤵
- Gathers network information
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Windows\system32\route.exe" print5⤵
-
C:\Windows\system32\ROUTE.EXEC:\Windows\system32\route.exe print6⤵
-
-
-
-
C:\Windows\system32\netstat.exenetstat -ran4⤵
- Gathers network information
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Windows\system32\route.exe" print5⤵
-
C:\Windows\system32\ROUTE.EXEC:\Windows\system32\route.exe print6⤵
-
-
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://npcap.com/dist/npcap-1.60.exe3⤵
- Adds Run key to start application
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb3f0c46f8,0x7ffb3f0c4708,0x7ffb3f0c47184⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2120,16582279136566812482,2365129706992611952,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2136 /prefetch:24⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2120,16582279136566812482,2365129706992611952,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2552 /prefetch:84⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2120,16582279136566812482,2365129706992611952,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2280 /prefetch:34⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,16582279136566812482,2365129706992611952,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3484 /prefetch:14⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,16582279136566812482,2365129706992611952,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3492 /prefetch:14⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2120,16582279136566812482,2365129706992611952,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4292 /prefetch:84⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2120,16582279136566812482,2365129706992611952,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4504 /prefetch:84⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2120,16582279136566812482,2365129706992611952,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5480 /prefetch:84⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,16582279136566812482,2365129706992611952,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5504 /prefetch:14⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2120,16582279136566812482,2365129706992611952,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4744 /prefetch:84⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2120,16582279136566812482,2365129706992611952,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4744 /prefetch:84⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2120,16582279136566812482,2365129706992611952,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5908 /prefetch:84⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2120,16582279136566812482,2365129706992611952,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5876 /prefetch:84⤵
-
-
C:\Users\Admin\Downloads\npcap-1.60 (1).exe"C:\Users\Admin\Downloads\npcap-1.60 (1).exe"4⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "explorer.exe /select,"C:\Users\Admin\AppData\Local\Temp\goby-win-x64-2.0.5-redteam-cracked_by_hlop\data\logs\scan_error.log""3⤵
-
C:\Windows\explorer.exeexplorer.exe /select,"C:\Users\Admin\AppData\Local\Temp\goby-win-x64-2.0.5-redteam-cracked_by_hlop\data\logs\scan_error.log"4⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "explorer.exe /select,"C:\Users\Admin\AppData\Local\Temp\goby-win-x64-2.0.5-redteam-cracked_by_hlop\data\logs\scan_error.log""3⤵
-
C:\Windows\explorer.exeexplorer.exe /select,"C:\Users\Admin\AppData\Local\Temp\goby-win-x64-2.0.5-redteam-cracked_by_hlop\data\logs\scan_error.log"4⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "explorer.exe /select,"C:\Users\Admin\AppData\Local\Temp\goby-win-x64-2.0.5-redteam-cracked_by_hlop\data\logs\scan_error.log""3⤵
-
C:\Windows\explorer.exeexplorer.exe /select,"C:\Users\Admin\AppData\Local\Temp\goby-win-x64-2.0.5-redteam-cracked_by_hlop\data\logs\scan_error.log"4⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "explorer.exe /select,"C:\Users\Admin\AppData\Local\Temp\goby-win-x64-2.0.5-redteam-cracked_by_hlop\data\logs\scan_error.log""3⤵
-
C:\Windows\explorer.exeexplorer.exe /select,"C:\Users\Admin\AppData\Local\Temp\goby-win-x64-2.0.5-redteam-cracked_by_hlop\data\logs\scan_error.log"4⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "explorer.exe /select,"C:\Users\Admin\AppData\Local\Temp\goby-win-x64-2.0.5-redteam-cracked_by_hlop\data\logs\scan_error.log""3⤵
-
C:\Windows\explorer.exeexplorer.exe /select,"C:\Users\Admin\AppData\Local\Temp\goby-win-x64-2.0.5-redteam-cracked_by_hlop\data\logs\scan_error.log"4⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "explorer.exe /select,"C:\Users\Admin\AppData\Local\Temp\goby-win-x64-2.0.5-redteam-cracked_by_hlop\data\logs\scan_error.log""3⤵
-
C:\Windows\explorer.exeexplorer.exe /select,"C:\Users\Admin\AppData\Local\Temp\goby-win-x64-2.0.5-redteam-cracked_by_hlop\data\logs\scan_error.log"4⤵
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\goby-win-x64-2.0.5-redteam-cracked_by_hlop\Goby.exe"C:\Users\Admin\AppData\Local\Temp\goby-win-x64-2.0.5-redteam-cracked_by_hlop\Goby.exe" --type=gpu-process --field-trial-handle=1484,7276437405792593471,9657248040149123390,131072 --disable-features=PlzServiceWorker,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-sandbox=true --user-data-dir="C:\Users\Admin\AppData\Roaming\Goby" --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAIAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAANAAAAEAAAAAAAAAABAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1556 /prefetch:22⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch -p -s DeviceInstall1⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\DrvInst.exeDrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{de41f7a9-3f0a-e648-b98f-326626ff0374}\NPCAP.inf" "9" "405306be3" "000000000000014C" "WinSta0\Default" "000000000000015C" "208" "C:\Program Files\Npcap"2⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Modifies data under HKEY_USERS
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
-
C:\Windows\explorer.exeC:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
-
C:\Windows\explorer.exeC:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
-
C:\Windows\explorer.exeC:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\explorer.exeC:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding1⤵
- Modifies registry class
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
12KB
MD5e3d66e1e2baff679677d469c606160a9
SHA15c93d82a269008200f69c074629b6069a15d5dc1
SHA256439a357b97b5c5e8807a220417adf37ddb58ef9ef10967754e91c2d4c29554b6
SHA512fa0930464324d870697a88ab84d3e7acc47c2141d6e2eb8dc68c80a6b93bbb71318e536e4f7e9f69b022b7edde6f2dfede011cbb98a6277157045bc1c1b5bc57
-
Filesize
71KB
MD5ca9ebb9a6cf542635a70c82164adb200
SHA108070f574378a0512c66a757301936959841e2e3
SHA2563a73a86559a6fd6245a8c55cf677e6d3b09957156086da7f0636ebff4c61f7b9
SHA512139666c0efa627307736c3903f6ab37647f0754876c1056757168136ad2f80b23da4b5f2cb6f1483b5b574d6fca0c05d5be6dfe256a2c2346f4abdbc81599a13
-
Filesize
8KB
MD533b22d723069338b774e31dfed393376
SHA17fcde54e03a4d2597c32219c3276333920add800
SHA256fce275f2964e1dc93ede4c55e5d418a546603335397ed9da33303251892d8b48
SHA512bb6c6eea8c4fa0d9320c185688d719c9e0f40b1b659dbcf2e33da9ff4d4011063717db8e569fdea22e239cab75b91dbda14bb5fb8ca21fb5817219340c392173
-
Filesize
2KB
MD5268dfa274db647ec6c985d0aed993927
SHA1359d39ab810bee74b4303146f4a2219ba6ba1b2b
SHA2565ac11aa3c51ceaa620ea8463f6e36df13423472f5489b2addb7483974368701b
SHA51264e7c0de9c2f589392c85bd6f779b24d8d57baf22e4006fd6281415ee783af9904e243b10207275fb395b5f3e36b27283b07a18baad3ccdf87adb0f812ca6026
-
Filesize
288KB
MD500e02670e72c918dcd5656ecb083049c
SHA16ce8b5bb566ff9bca832187f53f57e8c1fcd3742
SHA256b394d6508579449c63b9a220f62aedd9dff25e03afa1716c62c8d5dfd35ed114
SHA5120cbbafae0bbe02ff6b2c96e69374f3e6df4b6f2393ccbb73cd460febee9e862c63cd3752828396648521632e24552e5411279f02247d63deedc3d8c856c298ea
-
Filesize
288KB
MD500e02670e72c918dcd5656ecb083049c
SHA16ce8b5bb566ff9bca832187f53f57e8c1fcd3742
SHA256b394d6508579449c63b9a220f62aedd9dff25e03afa1716c62c8d5dfd35ed114
SHA5120cbbafae0bbe02ff6b2c96e69374f3e6df4b6f2393ccbb73cd460febee9e862c63cd3752828396648521632e24552e5411279f02247d63deedc3d8c856c298ea
-
Filesize
288KB
MD500e02670e72c918dcd5656ecb083049c
SHA16ce8b5bb566ff9bca832187f53f57e8c1fcd3742
SHA256b394d6508579449c63b9a220f62aedd9dff25e03afa1716c62c8d5dfd35ed114
SHA5120cbbafae0bbe02ff6b2c96e69374f3e6df4b6f2393ccbb73cd460febee9e862c63cd3752828396648521632e24552e5411279f02247d63deedc3d8c856c298ea
-
Filesize
288KB
MD500e02670e72c918dcd5656ecb083049c
SHA16ce8b5bb566ff9bca832187f53f57e8c1fcd3742
SHA256b394d6508579449c63b9a220f62aedd9dff25e03afa1716c62c8d5dfd35ed114
SHA5120cbbafae0bbe02ff6b2c96e69374f3e6df4b6f2393ccbb73cd460febee9e862c63cd3752828396648521632e24552e5411279f02247d63deedc3d8c856c298ea
-
Filesize
2KB
MD5d8839cb222941eb3aee80722d26eaed1
SHA1a46053cdaf55911960e490d23b665181c6304dc1
SHA2565fc609ed53f7d483c3ba39f6a7229036c975004186e7f505317464f43f6e2b20
SHA512136ea444b080488ea1e3477d545c34cee15cc3a806fc9603d02979082bd8b9e8537b2559893d9f00e078bb41c0c5693c1f087aa4be7a33c9e55facc9875a883c
-
Filesize
3KB
MD5f4e166c25b163329d62b5c0d9bc8c6d8
SHA19c54b796099d5582933d1b6be31f2ebb0d06cc32
SHA256daa81e1855c31696c2aa377ce735d60af68ae4a326ad1545e2787fc445ba1dcc
SHA5122882bd3e0af119d261228badd6a0e38e3dcae2911ed0d2bd2f82000c59e8c11bd2fcfbd7bc8cc269596f59bb94d6a07d81487971a5f73b87f809902eeb9164e4
-
Filesize
4KB
MD56875c43a31666755793d99c63f6db5a4
SHA1f27e04165f139ea427232599fadb09ee1498191f
SHA256e5173b70f72a2b3e4c82262d6a43a68040e96046283946204829d782d32ecf05
SHA5128215461d256759462469b89b53e45a467b3505f53e438e5eeabb00d59a39fda1d34926059d420387dd63212f16588af89436c02ef48b56a07cbb803820ba40ab
-
Filesize
1KB
MD5def65711d78669d7f8e69313be4acf2e
SHA16522ebf1de09eeb981e270bd95114bc69a49cda6
SHA256aa1c97cdbce9a848f1db2ad483f19caa535b55a3a1ef2ad1260e0437002bc82c
SHA51205b2f9cd9bc3b46f52fded320b68e05f79b2b3ceaeb13e5d87ae9f8cd8e6c90bbb4ffa4da8192c2bfe0f58826cabff2e99e7c5cc8dd47037d4eb7bfc6f2710a7
-
Filesize
152B
MD5f647a9024e00f209b4882586b48a6d1c
SHA1825a1e51260086c4261315dbc9704e1848fe5ff7
SHA25677614c9d1cb42c41c0ce0415aecc9a20823ba79bdcdb8a27e90be7a16c57229b
SHA51284961cc97defa398b0053b40453db58198b3e5bd2ad59770707ed11eb282eff479664253e616427826b40377e6486cdc1676369324617e5b5b0262b904f2ca9a
-
Filesize
18KB
MD589fa224638f02cfe9a66bc7c46782720
SHA102a182ea5e2c3e9ac05dcf276a23c7722399f697
SHA25625c83903ec97e63635b8fd183db6e6265708d9e69450add9bbc51916439130dd
SHA512f7f00698780937e00a3e3ae09c1bfb332f90cf44a84bd374aa338a7b5058e35595a8192ec840b58bc704e6053a40ee57d000771fe5d62096e032f3f4087d4d01
-
Filesize
4KB
MD552cd5dca0f8a19ec8a39f01af7a85a0a
SHA1d9509ed05ea4a6ca8c3958f1954658894d40ceb2
SHA256ec6a6ae6515666114f6463ab36ab1b410272795f4b7d9f19b667d56f0272c7e7
SHA512e580571cdca9088a61f281b044014e949c0618623b23fbc84b083b0ef35c1642434c41eea839c44affe44e6043b3214a65abfd96bbed612901308b7c7a13a20e
-
Filesize
456KB
MD5d56c17ffb79d9013fe73fc1d62bc2fee
SHA18407f5090a957aacfd8af725d391bdd7e4f17d8c
SHA25666892033677d7285955646966c218fa3ed98bf7f5abbe6067612c601006ccc6f
SHA51268d3ff13e1bdca6c0c1b978bebc5a2bd0ed81c073cff091321c4b0520219dcca16a7018a23b7f7fe19f10bf173b802bd426a1ec4e21c00884c4323dc12b75396
-
Filesize
245KB
MD59e3be1a147f4ce0d61678a2c614e7907
SHA1c472acd50b81683d1222be423db1b69d67d4ca7a
SHA25634c3e5153e3b2a5013228069e26bd45ff2b00d4fc0a9f896e7430738a8fe7d0e
SHA512c5ae490560522aa7aff265175bf888a0cdf269dde41b401c8b712c2d2d0a6f99d70aec524394015b97f78b5b80ed180c0dbcc6f001cdae655eb13bcfabeaabd8
-
Filesize
3.9MB
MD53b37a439dc901681634895e932b298ee
SHA194cce856b508fcd1ee11244daa6dc747321d1c0f
SHA25644f83e789c44aa131d3f18f7cff87bf79bb44a1c5dadc2637028143760118ec8
SHA5123763803e98a105b1259e890aea2612b38703fb2e901e45890bbd7feaa7e7c368fd9f1af84eaa6ca9b93011d3bb7e2da74fa7760e942dc2fdf05bc60d6ad63b70
-
Filesize
22KB
MD5170c17ac80215d0a377b42557252ae10
SHA14cbab6cc189d02170dd3ba7c25aa492031679411
SHA25661ea114d9d0cd1e884535095aa3527a6c28df55a4ecee733c8c398f50b84cc3d
SHA5120fd65cad0fcaa98083c2021de3d6429e79978658809c62ae9e4ed630c016915ced36aa52f2f692986c3b600c92325e79fd6d757634e8e02d5e582ff03679163f
-
Filesize
22KB
MD5170c17ac80215d0a377b42557252ae10
SHA14cbab6cc189d02170dd3ba7c25aa492031679411
SHA25661ea114d9d0cd1e884535095aa3527a6c28df55a4ecee733c8c398f50b84cc3d
SHA5120fd65cad0fcaa98083c2021de3d6429e79978658809c62ae9e4ed630c016915ced36aa52f2f692986c3b600c92325e79fd6d757634e8e02d5e582ff03679163f
-
Filesize
22KB
MD5170c17ac80215d0a377b42557252ae10
SHA14cbab6cc189d02170dd3ba7c25aa492031679411
SHA25661ea114d9d0cd1e884535095aa3527a6c28df55a4ecee733c8c398f50b84cc3d
SHA5120fd65cad0fcaa98083c2021de3d6429e79978658809c62ae9e4ed630c016915ced36aa52f2f692986c3b600c92325e79fd6d757634e8e02d5e582ff03679163f
-
Filesize
22KB
MD5170c17ac80215d0a377b42557252ae10
SHA14cbab6cc189d02170dd3ba7c25aa492031679411
SHA25661ea114d9d0cd1e884535095aa3527a6c28df55a4ecee733c8c398f50b84cc3d
SHA5120fd65cad0fcaa98083c2021de3d6429e79978658809c62ae9e4ed630c016915ced36aa52f2f692986c3b600c92325e79fd6d757634e8e02d5e582ff03679163f
-
Filesize
288KB
MD500e02670e72c918dcd5656ecb083049c
SHA16ce8b5bb566ff9bca832187f53f57e8c1fcd3742
SHA256b394d6508579449c63b9a220f62aedd9dff25e03afa1716c62c8d5dfd35ed114
SHA5120cbbafae0bbe02ff6b2c96e69374f3e6df4b6f2393ccbb73cd460febee9e862c63cd3752828396648521632e24552e5411279f02247d63deedc3d8c856c298ea
-
Filesize
288KB
MD500e02670e72c918dcd5656ecb083049c
SHA16ce8b5bb566ff9bca832187f53f57e8c1fcd3742
SHA256b394d6508579449c63b9a220f62aedd9dff25e03afa1716c62c8d5dfd35ed114
SHA5120cbbafae0bbe02ff6b2c96e69374f3e6df4b6f2393ccbb73cd460febee9e862c63cd3752828396648521632e24552e5411279f02247d63deedc3d8c856c298ea
-
Filesize
19KB
MD5f020a8d9ede1fb2af3651ad6e0ac9cb1
SHA1341f9345d669432b2a51d107cbd101e8b82e37b1
SHA2567efe73a8d32ed1b01727ad4579e9eec49c9309f2cb7bf03c8afa80d70242d1c0
SHA512408fa5a797d3ff4b917bb4107771687004ba507a33cb5944b1cc3155e0372cb3e04a147f73852b9134f138ff709af3b0fb493cd8fa816c59e9f3d9b5649c68c4
-
Filesize
14KB
MD5f9e61a25016dcb49867477c1e71a704e
SHA1c01dc1fa7475e4812d158d6c00533410c597b5d9
SHA256274e53dc8c5ddc273a6f5683b71b882ef8917029e2eaf6c8dbee0c62d999225d
SHA512b4a6289ef9e761e29dd5362fecb1707c97d7cb3e160f4180036a96f2f904b2c64a075b5bf0fea4a3bb94dea97f3cfa0d057d3d6865c68da65fdcb9c3070c33d8
-
Filesize
14KB
MD5f9e61a25016dcb49867477c1e71a704e
SHA1c01dc1fa7475e4812d158d6c00533410c597b5d9
SHA256274e53dc8c5ddc273a6f5683b71b882ef8917029e2eaf6c8dbee0c62d999225d
SHA512b4a6289ef9e761e29dd5362fecb1707c97d7cb3e160f4180036a96f2f904b2c64a075b5bf0fea4a3bb94dea97f3cfa0d057d3d6865c68da65fdcb9c3070c33d8
-
Filesize
14KB
MD5f9e61a25016dcb49867477c1e71a704e
SHA1c01dc1fa7475e4812d158d6c00533410c597b5d9
SHA256274e53dc8c5ddc273a6f5683b71b882ef8917029e2eaf6c8dbee0c62d999225d
SHA512b4a6289ef9e761e29dd5362fecb1707c97d7cb3e160f4180036a96f2f904b2c64a075b5bf0fea4a3bb94dea97f3cfa0d057d3d6865c68da65fdcb9c3070c33d8
-
Filesize
14KB
MD5f9e61a25016dcb49867477c1e71a704e
SHA1c01dc1fa7475e4812d158d6c00533410c597b5d9
SHA256274e53dc8c5ddc273a6f5683b71b882ef8917029e2eaf6c8dbee0c62d999225d
SHA512b4a6289ef9e761e29dd5362fecb1707c97d7cb3e160f4180036a96f2f904b2c64a075b5bf0fea4a3bb94dea97f3cfa0d057d3d6865c68da65fdcb9c3070c33d8
-
Filesize
14KB
MD5f9e61a25016dcb49867477c1e71a704e
SHA1c01dc1fa7475e4812d158d6c00533410c597b5d9
SHA256274e53dc8c5ddc273a6f5683b71b882ef8917029e2eaf6c8dbee0c62d999225d
SHA512b4a6289ef9e761e29dd5362fecb1707c97d7cb3e160f4180036a96f2f904b2c64a075b5bf0fea4a3bb94dea97f3cfa0d057d3d6865c68da65fdcb9c3070c33d8
-
Filesize
14KB
MD5f9e61a25016dcb49867477c1e71a704e
SHA1c01dc1fa7475e4812d158d6c00533410c597b5d9
SHA256274e53dc8c5ddc273a6f5683b71b882ef8917029e2eaf6c8dbee0c62d999225d
SHA512b4a6289ef9e761e29dd5362fecb1707c97d7cb3e160f4180036a96f2f904b2c64a075b5bf0fea4a3bb94dea97f3cfa0d057d3d6865c68da65fdcb9c3070c33d8
-
Filesize
14KB
MD5f9e61a25016dcb49867477c1e71a704e
SHA1c01dc1fa7475e4812d158d6c00533410c597b5d9
SHA256274e53dc8c5ddc273a6f5683b71b882ef8917029e2eaf6c8dbee0c62d999225d
SHA512b4a6289ef9e761e29dd5362fecb1707c97d7cb3e160f4180036a96f2f904b2c64a075b5bf0fea4a3bb94dea97f3cfa0d057d3d6865c68da65fdcb9c3070c33d8
-
Filesize
14KB
MD5f9e61a25016dcb49867477c1e71a704e
SHA1c01dc1fa7475e4812d158d6c00533410c597b5d9
SHA256274e53dc8c5ddc273a6f5683b71b882ef8917029e2eaf6c8dbee0c62d999225d
SHA512b4a6289ef9e761e29dd5362fecb1707c97d7cb3e160f4180036a96f2f904b2c64a075b5bf0fea4a3bb94dea97f3cfa0d057d3d6865c68da65fdcb9c3070c33d8
-
Filesize
1KB
MD5397a5848d3696fc6ba0823088fea83db
SHA19189985f027de80d4882ab5e01604c59d6fc1f16
SHA256ad3bca6f2b0ec032c7f1fe1adb186bd73be6a332c868bf16c9765087fff1c1ca
SHA51266129a206990753967cd98c14a0a3e0e2a73bc4cd10cf84a5a05da7bf20719376989d64c6c7880a3e4754fc74653dd49f2ffeffd55fc4ee5966f65beb857118c
-
Filesize
7KB
MD5dd4bc901ef817319791337fb345932e8
SHA1f8a3454a09d90a09273935020c1418fdb7b7eb7c
SHA2568e681692403c0f7c0b24160f4642daa1eb080ce5ec754b6f47cc56b43e731b71
SHA5120a67cc346f9752e1c868b7dc60b25704255ab1e6ea745850c069212f2724eba62ffaaa48309d5eba6ae0235223518610fb4b60fc422e4babba4f33d331c71db5
-
Filesize
12KB
MD5e3d66e1e2baff679677d469c606160a9
SHA15c93d82a269008200f69c074629b6069a15d5dc1
SHA256439a357b97b5c5e8807a220417adf37ddb58ef9ef10967754e91c2d4c29554b6
SHA512fa0930464324d870697a88ab84d3e7acc47c2141d6e2eb8dc68c80a6b93bbb71318e536e4f7e9f69b022b7edde6f2dfede011cbb98a6277157045bc1c1b5bc57
-
Filesize
71KB
MD5ca9ebb9a6cf542635a70c82164adb200
SHA108070f574378a0512c66a757301936959841e2e3
SHA2563a73a86559a6fd6245a8c55cf677e6d3b09957156086da7f0636ebff4c61f7b9
SHA512139666c0efa627307736c3903f6ab37647f0754876c1056757168136ad2f80b23da4b5f2cb6f1483b5b574d6fca0c05d5be6dfe256a2c2346f4abdbc81599a13
-
Filesize
8KB
MD533b22d723069338b774e31dfed393376
SHA17fcde54e03a4d2597c32219c3276333920add800
SHA256fce275f2964e1dc93ede4c55e5d418a546603335397ed9da33303251892d8b48
SHA512bb6c6eea8c4fa0d9320c185688d719c9e0f40b1b659dbcf2e33da9ff4d4011063717db8e569fdea22e239cab75b91dbda14bb5fb8ca21fb5817219340c392173
-
Filesize
1.0MB
MD53081d2266918768da067a99f767e2a0b
SHA1c1844016b5e991449ee1e62d44a312065d83e354
SHA25687d3624772b8272767a3a4ffcceecc3052489cd09e494a6c352dce5e5efa4070
SHA512e4c09130ac0124770014c7224e543c93fe473836c28a03466f5130bbbd61f7ddad5106bc10f82036028aabb76c5c2a31d40296ae818ed9f178f6ac96d68fe448
-
Filesize
1.0MB
MD53081d2266918768da067a99f767e2a0b
SHA1c1844016b5e991449ee1e62d44a312065d83e354
SHA25687d3624772b8272767a3a4ffcceecc3052489cd09e494a6c352dce5e5efa4070
SHA512e4c09130ac0124770014c7224e543c93fe473836c28a03466f5130bbbd61f7ddad5106bc10f82036028aabb76c5c2a31d40296ae818ed9f178f6ac96d68fe448
-
Filesize
8KB
MD533b22d723069338b774e31dfed393376
SHA17fcde54e03a4d2597c32219c3276333920add800
SHA256fce275f2964e1dc93ede4c55e5d418a546603335397ed9da33303251892d8b48
SHA512bb6c6eea8c4fa0d9320c185688d719c9e0f40b1b659dbcf2e33da9ff4d4011063717db8e569fdea22e239cab75b91dbda14bb5fb8ca21fb5817219340c392173
-
Filesize
71KB
MD5ca9ebb9a6cf542635a70c82164adb200
SHA108070f574378a0512c66a757301936959841e2e3
SHA2563a73a86559a6fd6245a8c55cf677e6d3b09957156086da7f0636ebff4c61f7b9
SHA512139666c0efa627307736c3903f6ab37647f0754876c1056757168136ad2f80b23da4b5f2cb6f1483b5b574d6fca0c05d5be6dfe256a2c2346f4abdbc81599a13
-
Filesize
8KB
MD533b22d723069338b774e31dfed393376
SHA17fcde54e03a4d2597c32219c3276333920add800
SHA256fce275f2964e1dc93ede4c55e5d418a546603335397ed9da33303251892d8b48
SHA512bb6c6eea8c4fa0d9320c185688d719c9e0f40b1b659dbcf2e33da9ff4d4011063717db8e569fdea22e239cab75b91dbda14bb5fb8ca21fb5817219340c392173
-
Filesize
201KB
MD55fc00659d63dc1f6d3ea47ad282ff3d2
SHA1cf1c989875a1a98c3ff4af0b469ee863636d1f06
SHA2563dec61995d23d603224c67c41a1f49fe39d9c7c174a92a387bc5507a3ceba863
SHA5128a00bdd0730a1922c9d29f4a202592c4088798dd767c927ce50b8625c71afb0f3e350e0a6f8d880fb6900f2ff6c9ad8134d8e352cdda97915be4ff28c0778d33
-
Filesize
201KB
MD55fc00659d63dc1f6d3ea47ad282ff3d2
SHA1cf1c989875a1a98c3ff4af0b469ee863636d1f06
SHA2563dec61995d23d603224c67c41a1f49fe39d9c7c174a92a387bc5507a3ceba863
SHA5128a00bdd0730a1922c9d29f4a202592c4088798dd767c927ce50b8625c71afb0f3e350e0a6f8d880fb6900f2ff6c9ad8134d8e352cdda97915be4ff28c0778d33
-
Filesize
452KB
MD539473870c6054c3618a703123692aa39
SHA104ce393dec066328fd531ea76a414244a6f1c6c0
SHA256678fc5516c47dd2518732818027bb481414be3627b59faf0d4e3dfc949b81811
SHA5123224e1b13c5b531a84bb3cd72d802b07d36b24c11d4be4b89872c9c8391d14b2d79d9a409ea1bd0f11c70d471576fbd1b97c233ab46de184face1de3572f4dab
-
Filesize
452KB
MD539473870c6054c3618a703123692aa39
SHA104ce393dec066328fd531ea76a414244a6f1c6c0
SHA256678fc5516c47dd2518732818027bb481414be3627b59faf0d4e3dfc949b81811
SHA5123224e1b13c5b531a84bb3cd72d802b07d36b24c11d4be4b89872c9c8391d14b2d79d9a409ea1bd0f11c70d471576fbd1b97c233ab46de184face1de3572f4dab
-
Filesize
201KB
MD55fc00659d63dc1f6d3ea47ad282ff3d2
SHA1cf1c989875a1a98c3ff4af0b469ee863636d1f06
SHA2563dec61995d23d603224c67c41a1f49fe39d9c7c174a92a387bc5507a3ceba863
SHA5128a00bdd0730a1922c9d29f4a202592c4088798dd767c927ce50b8625c71afb0f3e350e0a6f8d880fb6900f2ff6c9ad8134d8e352cdda97915be4ff28c0778d33
-
Filesize
452KB
MD539473870c6054c3618a703123692aa39
SHA104ce393dec066328fd531ea76a414244a6f1c6c0
SHA256678fc5516c47dd2518732818027bb481414be3627b59faf0d4e3dfc949b81811
SHA5123224e1b13c5b531a84bb3cd72d802b07d36b24c11d4be4b89872c9c8391d14b2d79d9a409ea1bd0f11c70d471576fbd1b97c233ab46de184face1de3572f4dab
-
Filesize
120KB
-
Filesize
200KB
-
Filesize
304KB
-
Filesize
40KB
-
Filesize
6.5MB
-
Filesize
136KB
-
Filesize
408KB
-
Filesize
5.6MB
-
Filesize
6.2MB
-
Filesize
136KB
-
Filesize
408KB
-
Filesize
216KB
-
Filesize
120KB
-
Filesize
600KB
-
Filesize
104KB