Analysis
-
max time kernel
141s
-
max time network
148s
-
platform
windows7_x64
-
resource
win7-20240705-en
-
resource tags
arch:x64 arch:x86 image:win7-20240705-en locale:en-us os:windows7-x64 system
-
submitted
07-08-2024 21:43
Behavioral task
behavioral1
Sample
2024-08-07_57e09187c49574ec42bf2d3c5d963c35_cobalt-strike_cobaltstrike_poet-rat.exe
Resource
win7-20240705-en
General
-
Target
2024-08-07_57e09187c49574ec42bf2d3c5d963c35_cobalt-strike_cobaltstrike_poet-rat.exe
-
Size
5.2MB
-
MD5
57e09187c49574ec42bf2d3c5d963c35
-
SHA1
1e9440d172a8bb7b3d47214d64d890788f44b9af
-
SHA256
353b6fb0219aab7e8d52e3660c2f631f35331760da779259bdd02904b7d742a6
-
SHA512
e0eb2457afe6429f39152729bdb6a251c5a977eec28f825be166625109bf6176d47fc1d831213d57c17f20f8314b8774177653e2c995a673b7155ff9931fec52
-
SSDEEP
49152:ROdWCCi7/ras56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6lG:RWWBibf56utgpPFotBER/mQ32lU6
Malware Config
Extracted
cobaltstrike
0
http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
-
access_type
512
-
beacon_type
256
-
create_remote_thread
768
-
crypto_scheme
256
-
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
-
http_method1
GET
-
http_method2
POST
-
maxdns
255
-
pipe_name
\\%s\pipe\msagent_%x
-
polling_time
5000
-
port_number
443
-
sc_process32
%windir%\syswow64\rundll32.exe
-
sc_process64
%windir%\sysnative\rundll32.exe
-
unknown1
4096
-
uri
/N4215/adj/amzn.us.sr.aps
-
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
-
watermark
0
Signatures
-
Cobalt Strike reflective loader 21 IoCs
Detects the reflective loader used by Cobalt Strike.
-
Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
-
XMRig Miner payload 34 IoCs
-
Executes dropped EXE 21 IoCs
pid   Process
2380  JHOtLra.exe
1984  muQVkcZ.exe
2784  EkyyyzH.exe
2340  zfZqYfo.exe
1544  xpXaodb.exe
2720  hCELsed.exe
2916  gnKZinp.exe
2076  pxgCrZv.exe
2904  mpzikQM.exe
2616  TxvQeVL.exe
2876  GyUSZAf.exe
1532  mczeItP.exe
2224  gVZKfGj.exe
2464  FkznUwC.exe
2696  DhfywGF.exe
3068  pcYwxyE.exe
3032  wQTsALv.exe
2896  qlkFcPl.exe
2588  hquZEjj.exe
1432  qiDeCoa.exe
680   PiVvFkf.exe
-
Loads dropped DLL 21 IoCs
pid   Process
2524  2024-08-07_57e09187c49574ec42bf2d3c5d963c35_cobalt-strike_cobaltstrike_poet-rat.exe
-
Drops file in Windows directory 21 IoCs
description   ioc   Process
File created  C:\Windows\System\TxvQeVL.exe  2024-08-07_57e09187c49574ec42bf2d3c5d963c35_cobalt-strike_cobaltstrike_poet-rat.exe
File created  C:\Windows\System\GyUSZAf.exe  2024-08-07_57e09187c49574ec42bf2d3c5d963c35_cobalt-strike_cobaltstrike_poet-rat.exe
File created  C:\Windows\System\hquZEjj.exe  2024-08-07_57e09187c49574ec42bf2d3c5d963c35_cobalt-strike_cobaltstrike_poet-rat.exe
File created  C:\Windows\System\qiDeCoa.exe  2024-08-07_57e09187c49574ec42bf2d3c5d963c35_cobalt-strike_cobaltstrike_poet-rat.exe
File created  C:\Windows\System\PiVvFkf.exe  2024-08-07_57e09187c49574ec42bf2d3c5d963c35_cobalt-strike_cobaltstrike_poet-rat.exe
File created  C:\Windows\System\muQVkcZ.exe  2024-08-07_57e09187c49574ec42bf2d3c5d963c35_cobalt-strike_cobaltstrike_poet-rat.exe
File created  C:\Windows\System\pcYwxyE.exe  2024-08-07_57e09187c49574ec42bf2d3c5d963c35_cobalt-strike_cobaltstrike_poet-rat.exe
File created  C:\Windows\System\FkznUwC.exe  2024-08-07_57e09187c49574ec42bf2d3c5d963c35_cobalt-strike_cobaltstrike_poet-rat.exe
File created  C:\Windows\System\pxgCrZv.exe  2024-08-07_57e09187c49574ec42bf2d3c5d963c35_cobalt-strike_cobaltstrike_poet-rat.exe
File created  C:\Windows\System\qlkFcPl.exe  2024-08-07_57e09187c49574ec42bf2d3c5d963c35_cobalt-strike_cobaltstrike_poet-rat.exe
File created  C:\Windows\System\gVZKfGj.exe  2024-08-07_57e09187c49574ec42bf2d3c5d963c35_cobalt-strike_cobaltstrike_poet-rat.exe
File created  C:\Windows\System\JHOtLra.exe  2024-08-07_57e09187c49574ec42bf2d3c5d963c35_cobalt-strike_cobaltstrike_poet-rat.exe
File created  C:\Windows\System\xpXaodb.exe  2024-08-07_57e09187c49574ec42bf2d3c5d963c35_cobalt-strike_cobaltstrike_poet-rat.exe
File created  C:\Windows\System\hCELsed.exe  2024-08-07_57e09187c49574ec42bf2d3c5d963c35_cobalt-strike_cobaltstrike_poet-rat.exe
File created  C:\Windows\System\DhfywGF.exe  2024-08-07_57e09187c49574ec42bf2d3c5d963c35_cobalt-strike_cobaltstrike_poet-rat.exe
File created  C:\Windows\System\zfZqYfo.exe  2024-08-07_57e09187c49574ec42bf2d3c5d963c35_cobalt-strike_cobaltstrike_poet-rat.exe
File created  C:\Windows\System\EkyyyzH.exe  2024-08-07_57e09187c49574ec42bf2d3c5d963c35_cobalt-strike_cobaltstrike_poet-rat.exe
File created  C:\Windows\System\wQTsALv.exe  2024-08-07_57e09187c49574ec42bf2d3c5d963c35_cobalt-strike_cobaltstrike_poet-rat.exe
File created  C:\Windows\System\mczeItP.exe  2024-08-07_57e09187c49574ec42bf2d3c5d963c35_cobalt-strike_cobaltstrike_poet-rat.exe
File created  C:\Windows\System\gnKZinp.exe  2024-08-07_57e09187c49574ec42bf2d3c5d963c35_cobalt-strike_cobaltstrike_poet-rat.exe
File created  C:\Windows\System\mpzikQM.exe  2024-08-07_57e09187c49574ec42bf2d3c5d963c35_cobalt-strike_cobaltstrike_poet-rat.exe
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
description   pid   Process
Token: SeLockMemoryPrivilege  2524  2024-08-07_57e09187c49574ec42bf2d3c5d963c35_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege  2524  2024-08-07_57e09187c49574ec42bf2d3c5d963c35_cobalt-strike_cobaltstrike_poet-rat.exe
-
Suspicious use of WriteProcessMemory 63 IoCs
description   pid   Process   procid_target
PID 2524 wrote to memory of 2380  2524  2024-08-07_57e09187c49574ec42bf2d3c5d963c35_cobalt-strike_cobaltstrike_poet-rat.exe  31
PID 2524 wrote to memory of 2340  2524  2024-08-07_57e09187c49574ec42bf2d3c5d963c35_cobalt-strike_cobaltstrike_poet-rat.exe  32
PID 2524 wrote to memory of 1984  2524  2024-08-07_57e09187c49574ec42bf2d3c5d963c35_cobalt-strike_cobaltstrike_poet-rat.exe  33
PID 2524 wrote to memory of 1544  2524  2024-08-07_57e09187c49574ec42bf2d3c5d963c35_cobalt-strike_cobaltstrike_poet-rat.exe  34
PID 2524 wrote to memory of 2784  2524  2024-08-07_57e09187c49574ec42bf2d3c5d963c35_cobalt-strike_cobaltstrike_poet-rat.exe  35
PID 2524 wrote to memory of 2720  2524  2024-08-07_57e09187c49574ec42bf2d3c5d963c35_cobalt-strike_cobaltstrike_poet-rat.exe  36
PID 2524 wrote to memory of 2464  2524  2024-08-07_57e09187c49574ec42bf2d3c5d963c35_cobalt-strike_cobaltstrike_poet-rat.exe  37
PID 2524 wrote to memory of 2916  2524  2024-08-07_57e09187c49574ec42bf2d3c5d963c35_cobalt-strike_cobaltstrike_poet-rat.exe  38
PID 2524 wrote to memory of 2696  2524  2024-08-07_57e09187c49574ec42bf2d3c5d963c35_cobalt-strike_cobaltstrike_poet-rat.exe  39
PID 2524 wrote to memory of 2076  2524  2024-08-07_57e09187c49574ec42bf2d3c5d963c35_cobalt-strike_cobaltstrike_poet-rat.exe  40
PID 2524 wrote to memory of 3068  2524  2024-08-07_57e09187c49574ec42bf2d3c5d963c35_cobalt-strike_cobaltstrike_poet-rat.exe  41
PID 2524 wrote to memory of 2904  2524  2024-08-07_57e09187c49574ec42bf2d3c5d963c35_cobalt-strike_cobaltstrike_poet-rat.exe  42
PID 2524 wrote to memory of 3032  2524  2024-08-07_57e09187c49574ec42bf2d3c5d963c35_cobalt-strike_cobaltstrike_poet-rat.exe  43
PID 2524 wrote to memory of 2616  2524  2024-08-07_57e09187c49574ec42bf2d3c5d963c35_cobalt-strike_cobaltstrike_poet-rat.exe  44
PID 2524 wrote to memory of 2896  2524  2024-08-07_57e09187c49574ec42bf2d3c5d963c35_cobalt-strike_cobaltstrike_poet-rat.exe  45
PID 2524 wrote to memory of 2876  2524  2024-08-07_57e09187c49574ec42bf2d3c5d963c35_cobalt-strike_cobaltstrike_poet-rat.exe  46
PID 2524 wrote to memory of 2588  2524  2024-08-07_57e09187c49574ec42bf2d3c5d963c35_cobalt-strike_cobaltstrike_poet-rat.exe  47
PID 2524 wrote to memory of 1532  2524  2024-08-07_57e09187c49574ec42bf2d3c5d963c35_cobalt-strike_cobaltstrike_poet-rat.exe  48
PID 2524 wrote to memory of 1432  2524  2024-08-07_57e09187c49574ec42bf2d3c5d963c35_cobalt-strike_cobaltstrike_poet-rat.exe  49
PID 2524 wrote to memory of 2224  2524  2024-08-07_57e09187c49574ec42bf2d3c5d963c35_cobalt-strike_cobaltstrike_poet-rat.exe  50
PID 2524 wrote to memory of 680  2524  2024-08-07_57e09187c49574ec42bf2d3c5d963c35_cobalt-strike_cobaltstrike_poet-rat.exe  51
Processes
-
PID:2524  "C:\Users\Admin\AppData\Local\Temp\2024-08-07_57e09187c49574ec42bf2d3c5d963c35_cobalt-strike_cobaltstrike_poet-rat.exe"
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
    PID:2380  C:\Windows\System\JHOtLra.exe  - Executes dropped EXE
    PID:2340  C:\Windows\System\zfZqYfo.exe  - Executes dropped EXE
    PID:1984  C:\Windows\System\muQVkcZ.exe  - Executes dropped EXE
    PID:1544  C:\Windows\System\xpXaodb.exe  - Executes dropped EXE
    PID:2784  C:\Windows\System\EkyyyzH.exe  - Executes dropped EXE
    PID:2720  C:\Windows\System\hCELsed.exe  - Executes dropped EXE
    PID:2464  C:\Windows\System\FkznUwC.exe  - Executes dropped EXE
    PID:2916  C:\Windows\System\gnKZinp.exe  - Executes dropped EXE
    PID:2696  C:\Windows\System\DhfywGF.exe  - Executes dropped EXE
    PID:2076  C:\Windows\System\pxgCrZv.exe  - Executes dropped EXE
    PID:3068  C:\Windows\System\pcYwxyE.exe  - Executes dropped EXE
    PID:2904  C:\Windows\System\mpzikQM.exe  - Executes dropped EXE
    PID:3032  C:\Windows\System\wQTsALv.exe  - Executes dropped EXE
    PID:2616  C:\Windows\System\TxvQeVL.exe  - Executes dropped EXE
    PID:2896  C:\Windows\System\qlkFcPl.exe  - Executes dropped EXE
    PID:2876  C:\Windows\System\GyUSZAf.exe  - Executes dropped EXE
    PID:2588  C:\Windows\System\hquZEjj.exe  - Executes dropped EXE
    PID:1532  C:\Windows\System\mczeItP.exe  - Executes dropped EXE
    PID:1432  C:\Windows\System\qiDeCoa.exe  - Executes dropped EXE
    PID:2224  C:\Windows\System\gVZKfGj.exe  - Executes dropped EXE
    PID:680  C:\Windows\System\PiVvFkf.exe  - Executes dropped EXE