Analysis
max time kernel: 150s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20240426-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
submitted: 07-06-2024 01:35
Behavioral task: behavioral1
Sample: 2024-06-07_71d7214962e810bfdb71cfc756fec6aa_cobalt-strike_cobaltstrike.exe
Resource: win7-20240508-en
General
Target: 2024-06-07_71d7214962e810bfdb71cfc756fec6aa_cobalt-strike_cobaltstrike.exe
Size: 5.9MB
MD5: 71d7214962e810bfdb71cfc756fec6aa
SHA1: 39292f77b43716fddcea2f83dd09d8257415a801
SHA256: 22ae0182924e0e496ff9ac822afbe6a212d4a4be1d924f577ca85a4f929718f6
SHA512: 76fb68d7071768e859be65eca02fcaded8e2962c27740a807b2d3b561ab8bfa16c663e5007a0498c531ed42ef4e52926f182d1c0c52859544c53deb165b9ae05
SSDEEP: 98304:BemTLkNdfE0pZrt56utgpPFotBER/mQ32lU2:Q+856utgpPF8u/72
Malware Config
Extracted
cobaltstrike
0
http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
access_type: 512
beacon_type: 256
create_remote_thread: 768
crypto_scheme: 256
host: ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
http_header2
http_method1: GET
http_method2: POST
maxdns: 255
pipe_name: \\%s\pipe\msagent_%x
polling_time: 5000
port_number: 443
sc_process32: %windir%\syswow64\rundll32.exe
sc_process64: %windir%\sysnative\rundll32.exe
state_machine
unknown1: 4096
unknown2
uri: /N4215/adj/amzn.us.sr.aps
user_agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark: 0
Signatures
Cobalt Strike reflective loader 1 IoCs
Detects the reflective loader used by Cobalt Strike.
Processes:
resource yara_rule
C:\Windows\System\lsmnVXb.exe cobalt_reflective_dll
Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
Detects Reflective DLL injection artifacts 1 IoCs
Processes:
resource yara_rule
C:\Windows\System\lsmnVXb.exe INDICATOR_SUSPICIOUS_ReflectiveLoader
UPX dump on OEP (original entry point) 57 IoCs
XMRig Miner payload 64 IoCs
Executes dropped EXE 21 IoCs
Processes:
pid process
3056 XAApyEK.exe
1880 bRqcGBg.exe
4804 lsmnVXb.exe
372 zLmilRb.exe
1120 fwtxXTS.exe
4448 uAtOVzE.exe
1492 MrdGOGw.exe
4252 VlnxWAo.exe
2440 xkUUgYh.exe
1928 paVrAXC.exe
3016 QnVDKyn.exe
1384 DZBWypS.exe
2412 fyNQaYx.exe
4988 pLWLluZ.exe
1824 ZdJpNGZ.exe
2920 AaEaBtE.exe
5088 QasVIHB.exe
4348 LlNLCeS.exe
4136 epWSXoF.exe
4812 IHvkGfr.exe
2220 gyGvbcF.exe
Drops file in Windows directory 21 IoCs
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
description pid process
Token: SeLockMemoryPrivilege 1064 2024-06-07_71d7214962e810bfdb71cfc756fec6aa_cobalt-strike_cobaltstrike.exe
Token: SeLockMemoryPrivilege 1064 2024-06-07_71d7214962e810bfdb71cfc756fec6aa_cobalt-strike_cobaltstrike.exe
Suspicious use of WriteProcessMemory 42 IoCs
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-07_71d7214962e810bfdb71cfc756fec6aa_cobalt-strike_cobaltstrike.exe (PID:1064)
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
    C:\Windows\System\XAApyEK.exe (PID:3056)
    - Executes dropped EXE
    C:\Windows\System\bRqcGBg.exe (PID:1880)
    - Executes dropped EXE
    C:\Windows\System\lsmnVXb.exe (PID:4804)
    - Executes dropped EXE
    C:\Windows\System\zLmilRb.exe (PID:372)
    - Executes dropped EXE
    C:\Windows\System\fwtxXTS.exe (PID:1120)
    - Executes dropped EXE
    C:\Windows\System\uAtOVzE.exe (PID:4448)
    - Executes dropped EXE
    C:\Windows\System\MrdGOGw.exe (PID:1492)
    - Executes dropped EXE
    C:\Windows\System\VlnxWAo.exe (PID:4252)
    - Executes dropped EXE
    C:\Windows\System\xkUUgYh.exe (PID:2440)
    - Executes dropped EXE
    C:\Windows\System\paVrAXC.exe (PID:1928)
    - Executes dropped EXE
    C:\Windows\System\QnVDKyn.exe (PID:3016)
    - Executes dropped EXE
    C:\Windows\System\DZBWypS.exe (PID:1384)
    - Executes dropped EXE
    C:\Windows\System\fyNQaYx.exe (PID:2412)
    - Executes dropped EXE
    C:\Windows\System\pLWLluZ.exe (PID:4988)
    - Executes dropped EXE
    C:\Windows\System\ZdJpNGZ.exe (PID:1824)
    - Executes dropped EXE
    C:\Windows\System\AaEaBtE.exe (PID:2920)
    - Executes dropped EXE
    C:\Windows\System\QasVIHB.exe (PID:5088)
    - Executes dropped EXE
    C:\Windows\System\LlNLCeS.exe (PID:4348)
    - Executes dropped EXE
    C:\Windows\System\epWSXoF.exe (PID:4136)
    - Executes dropped EXE
    C:\Windows\System\IHvkGfr.exe (PID:4812)
    - Executes dropped EXE
    C:\Windows\System\gyGvbcF.exe (PID:2220)
    - Executes dropped EXE
Network
MITRE ATT&CK Matrix
Downloads