Analysis
-
max time kernel
140s -
max time network
149s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system -
submitted
27/10/2024, 04:24
Behavioral task
behavioral1
Sample
2024-10-27_ba2cfae820b48b90488536770b7d5b73_cobalt-strike_cobaltstrike_poet-rat.exe
Resource
win7-20240903-en
General
-
Target
2024-10-27_ba2cfae820b48b90488536770b7d5b73_cobalt-strike_cobaltstrike_poet-rat.exe
-
Size
5.2MB
-
MD5
ba2cfae820b48b90488536770b7d5b73
-
SHA1
65ea5d166e2dce4eb49b24ddc0689c985e709f5d
-
SHA256
953fed62f0a7328e96c4626e0bac4f00e3a427040f4467724b1c8a5ce1c76e8b
-
SHA512
cdbdd3854d7a7ee8f82493df2d65381247c6df6971a69465a83a77b4034139555590c70734f1907614319ded59af030ab1bfb9eaa713626250ea3d72b4531392
-
SSDEEP
49152:ROdWCCi7/rai56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6l+:RWWBibd56utgpPFotBER/mQ32lUK
Malware Config
Extracted
cobaltstrike
0
http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
-
access_type
512
-
beacon_type
256
-
create_remote_thread
768
-
crypto_scheme
256
-
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
-
http_header1
-
http_header2
-
http_method1
GET
-
http_method2
POST
-
maxdns
255
-
pipe_name
\\%s\pipe\msagent_%x
-
polling_time
5000
-
port_number
443
-
sc_process32
%windir%\syswow64\rundll32.exe
-
sc_process64
%windir%\sysnative\rundll32.exe
-
state_machine
-
unknown1
4096
-
unknown2
-
uri
/N4215/adj/amzn.us.sr.aps
-
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
-
watermark
0
Signatures
-
Cobalt Strike reflective loader 21 IoCs
Detects the reflective loader used by Cobalt Strike.
Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
-
Cobaltstrike family
-
Xmrig family
-
XMRig Miner payload 34 IoCs
Executes dropped EXE 21 IoCs
pid Process 316 teMeySE.exe 2420 cgZNoeu.exe 2580 YUVGoGI.exe 2936 lWXUrRn.exe 1312 DoMKlNY.exe 1768 LpKndmh.exe 3028 CflhmPh.exe 2748 DetTUXU.exe 2648 NLIHibS.exe 3044 YoFKoxN.exe 2188 ofELQEa.exe 2520 cMSsmFY.exe 2560 mLAGNuy.exe 2572 VhjLvwx.exe 564 KQytjBi.exe 2752 rtzAjIR.exe 2628 QyjKxfH.exe 2760 SgDgCeH.exe 2632 cFlzpLS.exe 2512 XOhWrlW.exe 2976 uGdnmAF.exe -
Loads dropped DLL 21 IoCs
pid Process 2408 2024-10-27_ba2cfae820b48b90488536770b7d5b73_cobalt-strike_cobaltstrike_poet-rat.exe -
Drops file in Windows directory 21 IoCs
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeLockMemoryPrivilege 2408 2024-10-27_ba2cfae820b48b90488536770b7d5b73_cobalt-strike_cobaltstrike_poet-rat.exe Token: SeLockMemoryPrivilege 2408 2024-10-27_ba2cfae820b48b90488536770b7d5b73_cobalt-strike_cobaltstrike_poet-rat.exe -
Suspicious use of WriteProcessMemory 63 IoCs
Processes
-
"C:\Users\Admin\AppData\Local\Temp\2024-10-27_ba2cfae820b48b90488536770b7d5b73_cobalt-strike_cobaltstrike_poet-rat.exe" (PID: 2408)
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
  C:\Windows\System\teMeySE.exe (PID: 316)
  - Executes dropped EXE
  C:\Windows\System\cgZNoeu.exe (PID: 2420)
  - Executes dropped EXE
  C:\Windows\System\YUVGoGI.exe (PID: 2580)
  - Executes dropped EXE
  C:\Windows\System\DoMKlNY.exe (PID: 1312)
  - Executes dropped EXE
  C:\Windows\System\lWXUrRn.exe (PID: 2936)
  - Executes dropped EXE
  C:\Windows\System\LpKndmh.exe (PID: 1768)
  - Executes dropped EXE
  C:\Windows\System\CflhmPh.exe (PID: 3028)
  - Executes dropped EXE
  C:\Windows\System\ofELQEa.exe (PID: 2188)
  - Executes dropped EXE
  C:\Windows\System\DetTUXU.exe (PID: 2748)
  - Executes dropped EXE
  C:\Windows\System\rtzAjIR.exe (PID: 2752)
  - Executes dropped EXE
  C:\Windows\System\NLIHibS.exe (PID: 2648)
  - Executes dropped EXE
  C:\Windows\System\QyjKxfH.exe (PID: 2628)
  - Executes dropped EXE
  C:\Windows\System\YoFKoxN.exe (PID: 3044)
  - Executes dropped EXE
  C:\Windows\System\SgDgCeH.exe (PID: 2760)
  - Executes dropped EXE
  C:\Windows\System\cMSsmFY.exe (PID: 2520)
  - Executes dropped EXE
  C:\Windows\System\cFlzpLS.exe (PID: 2632)
  - Executes dropped EXE
  C:\Windows\System\mLAGNuy.exe (PID: 2560)
  - Executes dropped EXE
  C:\Windows\System\XOhWrlW.exe (PID: 2512)
  - Executes dropped EXE
  C:\Windows\System\VhjLvwx.exe (PID: 2572)
  - Executes dropped EXE
  C:\Windows\System\uGdnmAF.exe (PID: 2976)
  - Executes dropped EXE
  C:\Windows\System\KQytjBi.exe (PID: 564)
  - Executes dropped EXE
-
Downloads