Analysis
-
max time kernel
142s
-
max time network
146s
-
platform
windows7_x64
-
resource
win7-20240508-en
-
resource tags
arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
-
submitted
06-06-2024 13:40
Behavioral task
behavioral1
Sample
2024-06-06_4ef732014f3960208622c83e02a5c0b9_cobalt-strike_cobaltstrike.exe
Resource
win7-20240508-en
General
-
Target
2024-06-06_4ef732014f3960208622c83e02a5c0b9_cobalt-strike_cobaltstrike.exe
-
Size
5.9MB
-
MD5
4ef732014f3960208622c83e02a5c0b9
-
SHA1
53651734198a53ddbf905b3c13c93e0c9c090ea7
-
SHA256
01e3cf22bd114a497ceb52897d54fe8bccc7bf701e8ea108db17fad28f426a2a
-
SHA512
4ea010ac54de2972fbbca118fc5d87ced82b8d4853a8dd69b924bc4755f8c486270cfb7c49db4bb7e33fd7ac9445a5b78b521ddc0994804a37e8cc102cfba7a8
-
SSDEEP
98304:oemTLkNdfE0pZrt56utgpPFotBER/mQ32lUW:T+856utgpPF8u/7W
Malware Config
Extracted
cobaltstrike
0
http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
-
access_type
512
-
beacon_type
256
-
create_remote_thread
768
-
crypto_scheme
256
-
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
-
http_header1
-
http_header2
-
http_method1
GET
-
http_method2
POST
-
maxdns
255
-
pipe_name
\\%s\pipe\msagent_%x
-
polling_time
5000
-
port_number
443
-
sc_process32
%windir%\syswow64\rundll32.exe
-
sc_process64
%windir%\sysnative\rundll32.exe
-
state_machine
-
unknown1
4096
-
unknown2
-
uri
/N4215/adj/amzn.us.sr.aps
-
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
-
watermark
0
Signatures
-
Cobalt Strike reflective loader 21 IoCs
Detects the reflective loader used by Cobalt Strike.
-
Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
-
Detects Reflective DLL injection artifacts 21 IoCs
-
UPX dump on OEP (original entry point) 56 IoCs
-
XMRig Miner payload 57 IoCs
-
Executes dropped EXE 21 IoCs
-
Loads dropped DLL 21 IoCs
Processes:
2024-06-06_4ef732014f3960208622c83e02a5c0b9_cobalt-strike_cobaltstrike.exe (PID 1796)
-
Drops file in Windows directory 21 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
2024-06-06_4ef732014f3960208622c83e02a5c0b9_cobalt-strike_cobaltstrike.exe (PID 1796): Token: SeLockMemoryPrivilege
-
Suspicious use of WriteProcessMemory 63 IoCs
Processes
-
"C:\Users\Admin\AppData\Local\Temp\2024-06-06_4ef732014f3960208622c83e02a5c0b9_cobalt-strike_cobaltstrike.exe" (PID 1796)
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
Child processes of PID 1796, each flagged "Executes dropped EXE":
- C:\Windows\System\stsNZCT.exe (PID 2236)
- C:\Windows\System\LPfparq.exe (PID 2004)
- C:\Windows\System\UtkCAsd.exe (PID 1992)
- C:\Windows\System\XuHHsVB.exe (PID 2724)
- C:\Windows\System\AwGQqYl.exe (PID 2636)
- C:\Windows\System\ssSRkvk.exe (PID 2800)
- C:\Windows\System\IsyTiWu.exe (PID 2648)
- C:\Windows\System\ZPkWfnd.exe (PID 2568)
- C:\Windows\System\nkHYLYA.exe (PID 2576)
- C:\Windows\System\LKMLfnY.exe (PID 3036)
- C:\Windows\System\sgSRCiP.exe (PID 2108)
- C:\Windows\System\AkxKWTX.exe (PID 1652)
- C:\Windows\System\tyXFxAw.exe (PID 2900)
- C:\Windows\System\TPuwYLG.exe (PID 2476)
- C:\Windows\System\XSKqKip.exe (PID 1924)
- C:\Windows\System\ilHtwQR.exe (PID 1616)
- C:\Windows\System\ifXJFoG.exe (PID 1628)
- C:\Windows\System\ysvBiTa.exe (PID 1656)
- C:\Windows\System\TJXHSeB.exe (PID 2160)
- C:\Windows\System\BmZvnBB.exe (PID 2316)
- C:\Windows\System\ZULYpBh.exe (PID 2784)
Downloads