agenttesla | 08b2f51ca9ebb29909c9d5281992554d548a9f4f0ce4b32d0ef5f9ec80281f53

Analysis

max time kernel
35s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
16-09-2024 01:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-09-16_3c0086e9a2673adca00e903795ded6b4_cobalt-strike_cobaltstrike_hijackloader_karagany_mafia_poet-rat.exe
Size

59.1MB
MD5

3c0086e9a2673adca00e903795ded6b4
SHA1

f39a8ac3a16d7723b2a1e91cd4ed0ebd491ca2a3
SHA256

08b2f51ca9ebb29909c9d5281992554d548a9f4f0ce4b32d0ef5f9ec80281f53
SHA512

bb708052eea814a90fd3e356933bc144a59fbc4d8b1975b67c8297514ac75d01a6f54e11cc3cf996624e46a49c95a7c82995ee1ee3dda81c7f03639a6071a42b
SSDEEP

1572864:yLOrJXzVU0mzSuu2etPQiWmoh8rbu8CQG2Y:yLqJXBU0/uu3IDmnrbRY

Score

10^/10

agenttesla cobaltstrike modiloader raccoon xmrig 2ca5558c9ec8037d24a611513d7bd076 aspackv2 backdoor discovery evasion execution keylogger miner persistence spyware stealer trojan upx

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.iaa-airferight.com
Port:
587
Username:
[email protected]
Password:
webmaster
Email To:
[email protected]

Extracted

Family

raccoon

Botnet

2ca5558c9ec8037d24a611513d7bd076

https://192.153.57.177:80

Attributes

user_agent
MrBidenNeverKnow

xor.plain

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

Cobalt Strike reflective loader 1 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x0003000000022ea7-2390.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Windows\\eyplorer.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,"	reg.exe

Raccoon
Raccoon is an infostealer written in C++ and first seen in 2019.
stealer raccoon

Raccoon Stealer V2 payload 2 IoCs

resource	yara_rule
behavioral2/memory/4928-2385-0x0000000000400000-0x0000000000416000-memory.dmp	family_raccoon_v2
behavioral2/memory/4928-2384-0x0000000000400000-0x0000000000416000-memory.dmp	family_raccoon_v2

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

ModiLoader Second Stage 2 IoCs

resource	yara_rule
behavioral2/memory/5268-2370-0x0000000000400000-0x0000000000451000-memory.dmp	modiloader_stage2
behavioral2/memory/5268-2501-0x0000000000400000-0x0000000000451000-memory.dmp	modiloader_stage2

XMRig Miner payload 17 IoCs

miner

resource	yara_rule
behavioral2/memory/6608-2449-0x00007FF6B1950000-0x00007FF6B1CA1000-memory.dmp	xmrig
behavioral2/memory/4832-2466-0x00007FF7F8E80000-0x00007FF7F91D1000-memory.dmp	xmrig
behavioral2/memory/3496-2467-0x00007FF7DDE80000-0x00007FF7DE1D1000-memory.dmp	xmrig
behavioral2/memory/5556-2469-0x00007FF64EBF0000-0x00007FF64EF41000-memory.dmp	xmrig
behavioral2/memory/5340-2468-0x00007FF63CB20000-0x00007FF63CE71000-memory.dmp	xmrig
behavioral2/memory/1480-2471-0x00007FF6CB560000-0x00007FF6CB8B1000-memory.dmp	xmrig
behavioral2/memory/6424-2474-0x00007FF610210000-0x00007FF610561000-memory.dmp	xmrig
behavioral2/memory/6516-2475-0x00007FF7C6530000-0x00007FF7C6881000-memory.dmp	xmrig
behavioral2/memory/5692-2473-0x00007FF75A4E0000-0x00007FF75A831000-memory.dmp	xmrig
behavioral2/memory/3628-2477-0x00007FF768540000-0x00007FF768891000-memory.dmp	xmrig
behavioral2/memory/6464-2476-0x00007FF651A40000-0x00007FF651D91000-memory.dmp	xmrig
behavioral2/memory/6192-2472-0x00007FF73B9E0000-0x00007FF73BD31000-memory.dmp	xmrig
behavioral2/memory/2792-2500-0x00007FF7FAC40000-0x00007FF7FAF91000-memory.dmp	xmrig
behavioral2/memory/6568-2517-0x00007FF61C670000-0x00007FF61C9C1000-memory.dmp	xmrig
behavioral2/memory/5232-2518-0x00007FF7C9960000-0x00007FF7C9CB1000-memory.dmp	xmrig
behavioral2/memory/4812-2519-0x00007FF775960000-0x00007FF775CB1000-memory.dmp	xmrig
behavioral2/memory/6604-2520-0x00007FF625670000-0x00007FF6259C1000-memory.dmp	xmrig

Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
5904	powershell.exe
860	powershell.exe
4936	powershell.exe
3744	powershell.exe
5476	powershell.exe

Sets file to hidden 1 TTPs 1 IoCs

Modifies file attributes to stop it showing in Explorer etc.

evasion

Hidden Files and Directories

T1564.001

pid	Process
5904	attrib.exe

ASPack v2.12-2.42 1 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral2/files/0x00070000000234bb-99.dat	aspack_v212_v242

Executes dropped EXE 6 IoCs

pid	Process
940	i.exe
3448	stopwatch.exe
1228	anti.exe
4336	neurosafe.exe
740	screenscrew.exe
3152	PurchaseOrder.exe

UPX packed file 28 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2792-2369-0x00007FF7FAC40000-0x00007FF7FAF91000-memory.dmp	upx
behavioral2/files/0x0003000000022ea7-2390.dat	upx
behavioral2/memory/5688-2434-0x00007FF65B860000-0x00007FF65BBB1000-memory.dmp	upx
behavioral2/memory/6604-2432-0x00007FF625670000-0x00007FF6259C1000-memory.dmp	upx
behavioral2/memory/4812-2437-0x00007FF775960000-0x00007FF775CB1000-memory.dmp	upx
behavioral2/memory/6852-2441-0x00007FF6AC990000-0x00007FF6ACCE1000-memory.dmp	upx
behavioral2/memory/6608-2449-0x00007FF6B1950000-0x00007FF6B1CA1000-memory.dmp	upx
behavioral2/memory/4832-2466-0x00007FF7F8E80000-0x00007FF7F91D1000-memory.dmp	upx
behavioral2/memory/3496-2467-0x00007FF7DDE80000-0x00007FF7DE1D1000-memory.dmp	upx
behavioral2/memory/5556-2469-0x00007FF64EBF0000-0x00007FF64EF41000-memory.dmp	upx
behavioral2/memory/5340-2468-0x00007FF63CB20000-0x00007FF63CE71000-memory.dmp	upx
behavioral2/memory/1480-2471-0x00007FF6CB560000-0x00007FF6CB8B1000-memory.dmp	upx
behavioral2/memory/6424-2474-0x00007FF610210000-0x00007FF610561000-memory.dmp	upx
behavioral2/memory/6516-2475-0x00007FF7C6530000-0x00007FF7C6881000-memory.dmp	upx
behavioral2/memory/5692-2473-0x00007FF75A4E0000-0x00007FF75A831000-memory.dmp	upx
behavioral2/memory/3628-2477-0x00007FF768540000-0x00007FF768891000-memory.dmp	upx
behavioral2/memory/6464-2476-0x00007FF651A40000-0x00007FF651D91000-memory.dmp	upx
behavioral2/memory/6192-2472-0x00007FF73B9E0000-0x00007FF73BD31000-memory.dmp	upx
behavioral2/memory/6468-2464-0x00007FF7794E0000-0x00007FF779831000-memory.dmp	upx
behavioral2/memory/6020-2447-0x00007FF796FF0000-0x00007FF797341000-memory.dmp	upx
behavioral2/memory/6032-2446-0x00007FF728D10000-0x00007FF729061000-memory.dmp	upx
behavioral2/memory/5232-2422-0x00007FF7C9960000-0x00007FF7C9CB1000-memory.dmp	upx
behavioral2/memory/6568-2405-0x00007FF61C670000-0x00007FF61C9C1000-memory.dmp	upx
behavioral2/memory/2792-2500-0x00007FF7FAC40000-0x00007FF7FAF91000-memory.dmp	upx
behavioral2/memory/6568-2517-0x00007FF61C670000-0x00007FF61C9C1000-memory.dmp	upx
behavioral2/memory/5232-2518-0x00007FF7C9960000-0x00007FF7C9CB1000-memory.dmp	upx
behavioral2/memory/4812-2519-0x00007FF775960000-0x00007FF775CB1000-memory.dmp	upx
behavioral2/memory/6604-2520-0x00007FF625670000-0x00007FF6259C1000-memory.dmp	upx

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
219	raw.githubusercontent.com
220	raw.githubusercontent.com

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
186	api.ipify.org
187	api.ipify.org

System Location Discovery: System Language Discovery 1 TTPs 42 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	stopwatch.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	neurosafe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cipher.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-09-16_3c0086e9a2673adca00e903795ded6b4_cobalt-strike_cobaltstrike_hijackloader_karagany_mafia_poet-rat.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PurchaseOrder.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	screenscrew.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	anti.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cipher.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe

Delays execution with timeout.exe 5 IoCs

evasion

pid	Process
3968	timeout.exe
5664	timeout.exe
5876	timeout.exe
6708	timeout.exe
1728	timeout.exe

Kills process with taskkill 64 IoCs

evasion

pid	Process
5544	taskkill.exe
5764	taskkill.exe
5824	taskkill.exe
5192	taskkill.exe
5832	taskkill.exe
5256	taskkill.exe
5884	taskkill.exe
1488	taskkill.exe
3332	taskkill.exe
5836	taskkill.exe
6092	taskkill.exe
2832	taskkill.exe
5524	taskkill.exe
3928	taskkill.exe
3992	taskkill.exe
5192	taskkill.exe
5396	taskkill.exe
5160	taskkill.exe
5548	taskkill.exe
5856	taskkill.exe
928	taskkill.exe
4680	taskkill.exe
5764	taskkill.exe
6100	taskkill.exe
5360	taskkill.exe
5436	taskkill.exe
6088	taskkill.exe
5336	taskkill.exe
6108	taskkill.exe
2528	taskkill.exe
5556	taskkill.exe
6056	taskkill.exe
6112	taskkill.exe
6028	taskkill.exe
5852	taskkill.exe
2056	taskkill.exe
4804	taskkill.exe
5780	taskkill.exe
592	taskkill.exe
4784	taskkill.exe
5412	taskkill.exe
5928	taskkill.exe
6584	taskkill.exe
7108	taskkill.exe
5176	taskkill.exe
6140	taskkill.exe
6076	taskkill.exe
5452	taskkill.exe
5900	taskkill.exe
4464	taskkill.exe
5740	taskkill.exe
4496	taskkill.exe
5852	taskkill.exe
5792	taskkill.exe
5904	taskkill.exe
5520	taskkill.exe
6460	taskkill.exe
5128	taskkill.exe
6080	taskkill.exe
5652	taskkill.exe
3180	taskkill.exe
6244	taskkill.exe
6804	taskkill.exe
556	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 8 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe

Modifies registry class 14 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe

Opens file in notepad (likely ransom note) 2 IoCs

ransomware

pid	Process
8	NOTEPAD.EXE
5680	notepad.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
5436	schtasks.exe

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
3128	explorer.exe
1116	explorer.exe

Suspicious use of AdjustPrivilegeToken 26 IoCs

description	pid	Process
Token: 33	220	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	220	AUDIODG.EXE
Token: SeDebugPrivilege	4680	taskkill.exe
Token: SeDebugPrivilege	3528	taskkill.exe
Token: SeDebugPrivilege	4296	taskkill.exe
Token: SeDebugPrivilege	2544	taskkill.exe
Token: SeDebugPrivilege	1100	taskkill.exe
Token: SeDebugPrivilege	4784	taskkill.exe
Token: SeDebugPrivilege	924	taskkill.exe
Token: SeDebugPrivilege	348	taskkill.exe
Token: SeDebugPrivilege	2004	taskkill.exe
Token: SeDebugPrivilege	3436	taskkill.exe
Token: SeDebugPrivilege	4412	taskkill.exe
Token: SeDebugPrivilege	4076	taskkill.exe
Token: SeDebugPrivilege	5024	taskkill.exe
Token: SeDebugPrivilege	1720	taskkill.exe
Token: SeDebugPrivilege	1696	taskkill.exe
Token: SeDebugPrivilege	4472	taskkill.exe
Token: SeDebugPrivilege	2224	taskkill.exe
Token: SeDebugPrivilege	556	taskkill.exe
Token: SeDebugPrivilege	3544	taskkill.exe
Token: SeDebugPrivilege	3496	taskkill.exe
Token: SeDebugPrivilege	540	taskkill.exe
Token: SeDebugPrivilege	3904	taskkill.exe
Token: SeDebugPrivilege	4804	taskkill.exe
Token: SeDebugPrivilege	624	taskkill.exe

Suspicious use of FindShellTrayWindow 5 IoCs

pid	Process
3448	stopwatch.exe
1228	anti.exe
4752	efsui.exe
4752	efsui.exe
4752	efsui.exe

Suspicious use of SendNotifyMessage 5 IoCs

pid	Process
3448	stopwatch.exe
1228	anti.exe
4752	efsui.exe
4752	efsui.exe
4752	efsui.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
3128	explorer.exe
3128	explorer.exe
1116	explorer.exe
1116	explorer.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 760 wrote to memory of 4836	760	2024-09-16_3c0086e9a2673adca00e903795ded6b4_cobalt-strike_cobaltstrike_hijackloader_karagany_mafia_poet-rat.exe	82
PID 760 wrote to memory of 4836	760	2024-09-16_3c0086e9a2673adca00e903795ded6b4_cobalt-strike_cobaltstrike_hijackloader_karagany_mafia_poet-rat.exe	82
PID 760 wrote to memory of 4836	760	2024-09-16_3c0086e9a2673adca00e903795ded6b4_cobalt-strike_cobaltstrike_hijackloader_karagany_mafia_poet-rat.exe	82
PID 4836 wrote to memory of 1832	4836	cmd.exe	84
PID 4836 wrote to memory of 1832	4836	cmd.exe	84
PID 4836 wrote to memory of 1832	4836	cmd.exe	84
PID 4836 wrote to memory of 940	4836	cmd.exe	85
PID 4836 wrote to memory of 940	4836	cmd.exe	85
PID 4836 wrote to memory of 3448	4836	cmd.exe	86
PID 4836 wrote to memory of 3448	4836	cmd.exe	86
PID 4836 wrote to memory of 3448	4836	cmd.exe	86
PID 4836 wrote to memory of 1228	4836	cmd.exe	87
PID 4836 wrote to memory of 1228	4836	cmd.exe	87
PID 4836 wrote to memory of 1228	4836	cmd.exe	87
PID 4836 wrote to memory of 804	4836	cmd.exe	88
PID 4836 wrote to memory of 804	4836	cmd.exe	88
PID 4836 wrote to memory of 804	4836	cmd.exe	88
PID 4836 wrote to memory of 624	4836	cmd.exe	90
PID 4836 wrote to memory of 624	4836	cmd.exe	90
PID 4836 wrote to memory of 624	4836	cmd.exe	90
PID 4836 wrote to memory of 2376	4836	cmd.exe	91
PID 4836 wrote to memory of 2376	4836	cmd.exe	91
PID 4836 wrote to memory of 2376	4836	cmd.exe	91
PID 4836 wrote to memory of 4788	4836	cmd.exe	92
PID 4836 wrote to memory of 4788	4836	cmd.exe	92
PID 4836 wrote to memory of 4788	4836	cmd.exe	92
PID 4836 wrote to memory of 4336	4836	cmd.exe	93
PID 4836 wrote to memory of 4336	4836	cmd.exe	93
PID 4836 wrote to memory of 4336	4836	cmd.exe	93
PID 4836 wrote to memory of 3192	4836	cmd.exe	94
PID 4836 wrote to memory of 3192	4836	cmd.exe	94
PID 4836 wrote to memory of 3192	4836	cmd.exe	94
PID 4836 wrote to memory of 1728	4836	cmd.exe	96
PID 4836 wrote to memory of 1728	4836	cmd.exe	96
PID 4836 wrote to memory of 1728	4836	cmd.exe	96
PID 4836 wrote to memory of 2580	4836	cmd.exe	106
PID 4836 wrote to memory of 2580	4836	cmd.exe	106
PID 4836 wrote to memory of 2580	4836	cmd.exe	106
PID 4836 wrote to memory of 740	4836	cmd.exe	107
PID 4836 wrote to memory of 740	4836	cmd.exe	107
PID 4836 wrote to memory of 740	4836	cmd.exe	107
PID 4836 wrote to memory of 3152	4836	cmd.exe	109
PID 4836 wrote to memory of 3152	4836	cmd.exe	109
PID 4836 wrote to memory of 3152	4836	cmd.exe	109
PID 4836 wrote to memory of 4636	4836	cmd.exe	110
PID 4836 wrote to memory of 4636	4836	cmd.exe	110
PID 4836 wrote to memory of 4636	4836	cmd.exe	110
PID 4836 wrote to memory of 4812	4836	cmd.exe	112
PID 4836 wrote to memory of 4812	4836	cmd.exe	112
PID 4836 wrote to memory of 4812	4836	cmd.exe	112
PID 2580 wrote to memory of 4680	2580	cmd.exe	113
PID 2580 wrote to memory of 4680	2580	cmd.exe	113
PID 2580 wrote to memory of 4680	2580	cmd.exe	113
PID 2580 wrote to memory of 1484	2580	cmd.exe	114
PID 2580 wrote to memory of 1484	2580	cmd.exe	114
PID 2580 wrote to memory of 1484	2580	cmd.exe	114
PID 2580 wrote to memory of 3528	2580	cmd.exe	116
PID 2580 wrote to memory of 3528	2580	cmd.exe	116
PID 2580 wrote to memory of 3528	2580	cmd.exe	116
PID 2580 wrote to memory of 4296	2580	cmd.exe	119
PID 2580 wrote to memory of 4296	2580	cmd.exe	119
PID 2580 wrote to memory of 4296	2580	cmd.exe	119
PID 2580 wrote to memory of 2544	2580	cmd.exe	251
PID 2580 wrote to memory of 2544	2580	cmd.exe	251

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
5904	attrib.exe

C:\Users\Admin\AppData\Local\Temp\2024-09-16_3c0086e9a2673adca00e903795ded6b4_cobalt-strike_cobaltstrike_hijackloader_karagany_mafia_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-16_3c0086e9a2673adca00e903795ded6b4_cobalt-strike_cobaltstrike_hijackloader_karagany_mafia_poet-rat.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:760
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\2024-09-16_3c0086e9a2673adca00e903795ded6b4_cobalt-strike_cobaltstrike_hijackloader_karagany_mafia_poet-rat_a3c1ddca-2919-4a30-9531-8a4d37a7aefd\!m.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4836
- - C:\Windows\SysWOW64\chcp.com
    chcp 65001
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1832
- - C:\Users\Admin\AppData\Local\Temp\2024-09-16_3c0086e9a2673adca00e903795ded6b4_cobalt-strike_cobaltstrike_hijackloader_karagany_mafia_poet-rat_a3c1ddca-2919-4a30-9531-8a4d37a7aefd\i.exe
    i.exe
    3⤵
    - Executes dropped EXE
    PID:940
- - C:\Users\Admin\AppData\Local\Temp\2024-09-16_3c0086e9a2673adca00e903795ded6b4_cobalt-strike_cobaltstrike_hijackloader_karagany_mafia_poet-rat_a3c1ddca-2919-4a30-9531-8a4d37a7aefd\stopwatch.exe
    stopwatch.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:3448
- - C:\Users\Admin\AppData\Local\Temp\2024-09-16_3c0086e9a2673adca00e903795ded6b4_cobalt-strike_cobaltstrike_hijackloader_karagany_mafia_poet-rat_a3c1ddca-2919-4a30-9531-8a4d37a7aefd\anti.exe
    anti.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:1228
- - C:\Windows\SysWOW64\reg.exe
    reg import font.reg
    3⤵
    - System Location Discovery: System Language Discovery
    PID:804
- - C:\Windows\SysWOW64\reg.exe
    reg import eee.reg
    3⤵
    - Modifies WinLogon for persistence
    - System Location Discovery: System Language Discovery
    PID:624
- - C:\Windows\SysWOW64\reg.exe
    reg import nosearch.reg
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2376
- - C:\Windows\SysWOW64\explorer.exe
    explorer
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4788
- - C:\Users\Admin\AppData\Local\Temp\2024-09-16_3c0086e9a2673adca00e903795ded6b4_cobalt-strike_cobaltstrike_hijackloader_karagany_mafia_poet-rat_a3c1ddca-2919-4a30-9531-8a4d37a7aefd\neurosafe.exe
    neurosafe.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:4336
- - C:\Windows\SysWOW64\reg.exe
    reg import color.reg
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3192
- - C:\Windows\SysWOW64\timeout.exe
    timeout 30
    3⤵
    - System Location Discovery: System Language Discovery
    - Delays execution with timeout.exe
    PID:1728
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /K fence.bat
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2580
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im explorer.exe
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:4680
  - - C:\Windows\SysWOW64\explorer.exe
      explorer.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:1484
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:3528
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:4296
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:2544
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:1100
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:4784
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:924
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:348
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:2004
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:3436
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:4412
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:4076
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:5024
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:1720
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:1696
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:4472
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:2224
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:556
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:3544
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:3496
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:540
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:3904
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:4804
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:624
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      Kills process with taskkill
      PID:1488
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      Kills process with taskkill
      PID:3992
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:4880
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:1964
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:5284
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:5720
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:5932
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:6024
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      Kills process with taskkill
      PID:6056
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      Kills process with taskkill
      PID:6092
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:6128
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:5136
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:5372
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:5536
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:5288
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:5584
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:5828
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:5740
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:5184
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      Kills process with taskkill
      PID:5128
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:6044
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:6072
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      Kills process with taskkill
      PID:6112
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:3128
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:6128
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      Kills process with taskkill
      PID:5176
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:5292
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      Kills process with taskkill
      PID:5360
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      Kills process with taskkill
      PID:3332
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:4940
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:4008
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:3512
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:4012
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:1616
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:1036
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      Kills process with taskkill
      PID:5792
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:4076
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:5140
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      Kills process with taskkill
      PID:5740
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:5184
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:5552
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:6040
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:6076
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:6116
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      Kills process with taskkill
      PID:6140
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:5000
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:2596
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:3700
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:5504
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      Kills process with taskkill
      PID:5192
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:1184
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:5644
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:3904
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:2364
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      Kills process with taskkill
      PID:5764
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:4324
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:1428
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:860
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      Kills process with taskkill
      PID:5780
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:5184
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      Kills process with taskkill
      PID:5412
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      Kills process with taskkill
      PID:6028
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:6080
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:6096
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:1504
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:5404
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:536
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:3148
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:5620
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:6068
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      Kills process with taskkill
      PID:5396
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      Kills process with taskkill
      PID:4496
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:2528
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:3704
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:4680
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:5856
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:5952
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:5948
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:592
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:5172
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:5928
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:2544
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:5464
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:5488
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      Kills process with taskkill
      PID:5160
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:1472
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:5304
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:3632
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:5300
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:5868
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:6040
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      Kills process with taskkill
      PID:6076
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:6116
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:3640
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:5000
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:5516
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:5360
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      Kills process with taskkill
      PID:5192
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:1184
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:1100
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:4804
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:5744
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:5788
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:5732
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:5956
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:5652
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:4324
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:5920
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      Kills process with taskkill
      PID:5852
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:5436
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:5484
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      Kills process with taskkill
      PID:6088
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      Kills process with taskkill
      PID:2832
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:5340
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:5440
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      Kills process with taskkill
      PID:5336
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:6036
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:6072
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      Kills process with taskkill
      PID:6108
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      Kills process with taskkill
      PID:6080
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:3992
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:2388
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:2208
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      Kills process with taskkill
      PID:2528
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:2776
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:5968
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:6016
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:5172
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:3516
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:6128
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      Kills process with taskkill
      PID:5652
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:5920
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:5764
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:412
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:3152
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:6108
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:5620
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      Kills process with taskkill
      PID:5256
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:6028
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      Kills process with taskkill
      PID:5832
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:5980
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:5756
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      Kills process with taskkill
      PID:5524
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:5840
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      Kills process with taskkill
      PID:5452
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      Kills process with taskkill
      PID:5884
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      Kills process with taskkill
      PID:5544
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:2832
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:5920
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:4324
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:6064
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:6140
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:5896
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:6112
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:5900
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:2528
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:860
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      Kills process with taskkill
      PID:5436
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      Kills process with taskkill
      PID:3928
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:1600
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:5164
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:6116
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:2388
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:4936
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:5788
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:4804
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:5156
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:3700
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:1496
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:5644
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:5432
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      Kills process with taskkill
      PID:5928
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:5388
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:5444
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:5488
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      Kills process with taskkill
      PID:5836
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:5580
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:4012
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      Kills process with taskkill
      PID:592
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      Kills process with taskkill
      PID:5548
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:1816
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:5536
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:3092
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      Kills process with taskkill
      PID:5904
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      Kills process with taskkill
      PID:2056
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      Kills process with taskkill
      PID:5520
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:5620
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:5412
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:1036
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      Kills process with taskkill
      PID:5856
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:1216
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:5756
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:2364
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:6124
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:1428
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:5812
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:5820
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:3056
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:5088
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:5444
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:2596
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      Kills process with taskkill
      PID:5852
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      Kills process with taskkill
      PID:5764
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      Kills process with taskkill
      PID:5824
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:3904
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      Kills process with taskkill
      PID:5900
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:4388
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      Kills process with taskkill
      PID:6100
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:412
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:5756
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:2208
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:4220
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:6108
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:5380
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:5452
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:6988
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:6476
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:5272
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:6308
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:6092
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:6796
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:5200
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:5692
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:5680
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      Kills process with taskkill
      PID:6460
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:4660
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:7100
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:5240
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:6128
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      Kills process with taskkill
      PID:3180
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:1672
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:3000
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:1916
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:6976
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:6596
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:6748
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:1716
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:3712
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:3496
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:6516
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      Kills process with taskkill
      PID:5556
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:6488
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      Kills process with taskkill
      PID:6244
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:6300
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:6236
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      Kills process with taskkill
      PID:6584
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:6228
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:7152
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:6408
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      Kills process with taskkill
      PID:7108
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      Kills process with taskkill
      PID:4464
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:6308
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      Kills process with taskkill
      PID:928
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:1832
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:1504
- - C:\Users\Admin\AppData\Local\Temp\2024-09-16_3c0086e9a2673adca00e903795ded6b4_cobalt-strike_cobaltstrike_hijackloader_karagany_mafia_poet-rat_a3c1ddca-2919-4a30-9531-8a4d37a7aefd\screenscrew.exe
    screenscrew.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:740
- - C:\Users\Admin\AppData\Local\Temp\2024-09-16_3c0086e9a2673adca00e903795ded6b4_cobalt-strike_cobaltstrike_hijackloader_karagany_mafia_poet-rat_a3c1ddca-2919-4a30-9531-8a4d37a7aefd\PurchaseOrder.exe
    PurchaseOrder.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:3152
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\2024-09-16_3c0086e9a2673adca00e903795ded6b4_cobalt-strike_cobaltstrike_hijackloader_karagany_mafia_poet-rat_a3c1ddca-2919-4a30-9531-8a4d37a7aefd\PurchaseOrder.exe"
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:5904
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\TESAYt.exe"
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:860
  - - C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\TESAYt" /XML "C:\Users\Admin\AppData\Local\Temp\tmp44E4.tmp"
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:5436
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
      4⤵
      PID:5872
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
      4⤵
      PID:5940
- - C:\Windows\SysWOW64\cipher.exe
    cipher /k /h /e C:\Users\Admin\Desktop\*
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4636
- - C:\Windows\SysWOW64\cipher.exe
    cipher C:\Users\Admin\Desktop\*
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4812
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\2024-09-16_3c0086e9a2673adca00e903795ded6b4_cobalt-strike_cobaltstrike_hijackloader_karagany_mafia_poet-rat_a3c1ddca-2919-4a30-9531-8a4d37a7aefd\doc.html
    3⤵
    PID:336
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x128,0x12c,0x130,0x104,0x134,0x7ffc794c46f8,0x7ffc794c4708,0x7ffc794c4718
      4⤵
      PID:4452
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1940,6454936078008822224,17127293523522920179,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1952 /prefetch:2
      4⤵
      PID:4516
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1940,6454936078008822224,17127293523522920179,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2208 /prefetch:3
      4⤵
      PID:4496
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\2024-09-16_3c0086e9a2673adca00e903795ded6b4_cobalt-strike_cobaltstrike_hijackloader_karagany_mafia_poet-rat_a3c1ddca-2919-4a30-9531-8a4d37a7aefd\infected.html
    3⤵
    PID:2272
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffc794c46f8,0x7ffc794c4708,0x7ffc794c4718
      4⤵
      PID:3372
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2112,16856170355712625162,12931261423859648492,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2128 /prefetch:2
      4⤵
      PID:3460
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2112,16856170355712625162,12931261423859648492,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2180 /prefetch:3
      4⤵
      PID:4396
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2112,16856170355712625162,12931261423859648492,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2988 /prefetch:8
      4⤵
      PID:644
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,16856170355712625162,12931261423859648492,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3144 /prefetch:1
      4⤵
      PID:3484
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,16856170355712625162,12931261423859648492,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3188 /prefetch:1
      4⤵
      PID:3560
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,16856170355712625162,12931261423859648492,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4016 /prefetch:1
      4⤵
      PID:624
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,16856170355712625162,12931261423859648492,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4824 /prefetch:1
      4⤵
      PID:3632
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,16856170355712625162,12931261423859648492,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5108 /prefetch:1
      4⤵
      PID:5300
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,16856170355712625162,12931261423859648492,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5908 /prefetch:1
      4⤵
      PID:5528
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,16856170355712625162,12931261423859648492,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5196 /prefetch:1
      4⤵
      PID:5700
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,16856170355712625162,12931261423859648492,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6324 /prefetch:1
      4⤵
      PID:3312
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,16856170355712625162,12931261423859648492,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5356 /prefetch:1
      4⤵
      PID:5288
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,16856170355712625162,12931261423859648492,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6284 /prefetch:1
      4⤵
      PID:6132
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,16856170355712625162,12931261423859648492,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6704 /prefetch:1
      4⤵
      PID:4388
- - C:\Windows\SysWOW64\timeout.exe
    timeout 10
    3⤵
    - Delays execution with timeout.exe
    PID:3968
- - C:\Users\Admin\AppData\Local\Temp\2024-09-16_3c0086e9a2673adca00e903795ded6b4_cobalt-strike_cobaltstrike_hijackloader_karagany_mafia_poet-rat_a3c1ddca-2919-4a30-9531-8a4d37a7aefd\butdes.exe
    butdes.exe
    3⤵
    PID:1104
  - - C:\Users\Admin\AppData\Local\Temp\is-PAOM3.tmp\butdes.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-PAOM3.tmp\butdes.tmp" /SL5="$4010A,2719719,54272,C:\Users\Admin\AppData\Local\Temp\2024-09-16_3c0086e9a2673adca00e903795ded6b4_cobalt-strike_cobaltstrike_hijackloader_karagany_mafia_poet-rat_a3c1ddca-2919-4a30-9531-8a4d37a7aefd\butdes.exe"
      4⤵
      PID:2484
- - C:\Users\Admin\AppData\Local\Temp\2024-09-16_3c0086e9a2673adca00e903795ded6b4_cobalt-strike_cobaltstrike_hijackloader_karagany_mafia_poet-rat_a3c1ddca-2919-4a30-9531-8a4d37a7aefd\flydes.exe
    flydes.exe
    3⤵
    PID:4296
  - - C:\Users\Admin\AppData\Local\Temp\is-4GFOT.tmp\flydes.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-4GFOT.tmp\flydes.tmp" /SL5="$40108,595662,54272,C:\Users\Admin\AppData\Local\Temp\2024-09-16_3c0086e9a2673adca00e903795ded6b4_cobalt-strike_cobaltstrike_hijackloader_karagany_mafia_poet-rat_a3c1ddca-2919-4a30-9531-8a4d37a7aefd\flydes.exe"
      4⤵
      PID:5344
- - C:\Windows\SysWOW64\timeout.exe
    timeout 10
    3⤵
    - Delays execution with timeout.exe
    PID:5664
- - C:\Users\Admin\AppData\Local\Temp\2024-09-16_3c0086e9a2673adca00e903795ded6b4_cobalt-strike_cobaltstrike_hijackloader_karagany_mafia_poet-rat_a3c1ddca-2919-4a30-9531-8a4d37a7aefd\gx.exe
    gx.exe
    3⤵
    PID:3312
  - - C:\Users\Admin\AppData\Local\Temp\7zS0FCCB658\setup.exe
      C:\Users\Admin\AppData\Local\Temp\7zS0FCCB658\setup.exe --server-tracking-blob=MzY5Njg4ZTc1OTE1MjcyMTMxZmYwZTk4ODU3ZWE4Mjk0NjQ0Nzc5MjcxMWY4OGZhOThlNTU5YmNlNzA1NmJiOTp7ImNvdW50cnkiOiJOTCIsImVkaXRpb24iOiJzdGQtMiIsImh0dHBfcmVmZXJyZXIiOiJodHRwczovL3d3dy5vcGVyYS5jb20vIiwiaW5zdGFsbGVyX25hbWUiOiJPcGVyYUdYU2V0dXAuZXhlIiwicHJvZHVjdCI6Im9wZXJhX2d4IiwicXVlcnkiOiIvb3BlcmFfZ3gvc3RhYmxlL3dpbmRvd3M/ZWRpdGlvbj1zdGQtMiZ1dG1fc291cmNlPVBXTmdhbWVzJnV0bV9tZWRpdW09cGEmdXRtX2NhbXBhaWduPVBXTl9OTF9VVlJfMzczNiZlZGl0aW9uPXN0ZC0yJnV0bV9jb250ZW50PTM3MzZfJnV0bV9pZD0wNTgwYWM0YWUyOTA0ZDA3ODNkOTQxNWE0NWRhZGFkYSZodHRwX3JlZmVycmVyPWh0dHBzJTNBJTJGJTJGd3d3Lm9wZXJhLmNvbSUyRnJ1JTJGZ3glM0ZlZGl0aW9uJTNEc3RkLTIlMjZ1dG1fc291cmNlJTNEUFdOZ2FtZXMlMjZ1dG1fbWVkaXVtJTNEcGElMjZ1dG1fY2FtcGFpZ24lM0RQV05fTkxfVVZSXzM3MzYlMjZ1dG1fY29udGVudCUzRDM3MzZfJTI2dXRtX2lkJTNEMDU4MGFjNGFlMjkwNGQwNzgzZDk0MTVhNDVkYWRhZGEmdXRtX3NpdGU9b3BlcmFfY29tJnV0bV9sYXN0cGFnZT1vcGVyYS5jb20lMkZneCZ1dG1faWQ9MDU4MGFjNGFlMjkwNGQwNzgzZDk0MTVhNDVkYWRhZGEmZGxfdG9rZW49NzAwOTYzNzgiLCJ0aW1lc3RhbXAiOiIxNzI1ODAyMjIzLjgwMDQiLCJ1c2VyYWdlbnQiOiJNb3ppbGxhLzUuMCAoV2luZG93cyBOVCAxMC4wOyBXaW42NDsgeDY0KSBBcHBsZVdlYktpdC81MzcuMzYgKEtIVE1MLCBsaWtlIEdlY2tvKSBDaHJvbWUvMTI4LjAuMC4wIFNhZmFyaS81MzcuMzYgRWRnLzEyOC4wLjAuMCIsInV0bSI6eyJjYW1wYWlnbiI6IlBXTl9OTF9VVlJfMzczNiIsImNvbnRlbnQiOiIzNzM2XyIsImlkIjoiMDU4MGFjNGFlMjkwNGQwNzgzZDk0MTVhNDVkYWRhZGEiLCJsYXN0cGFnZSI6Im9wZXJhLmNvbS9neCIsIm1lZGl1bSI6InBhIiwic2l0ZSI6Im9wZXJhX2NvbSIsInNvdXJjZSI6IlBXTmdhbWVzIn0sInV1aWQiOiI0ODkyOGFmMC1jZDc3LTQ0NDctYTQyNy1kNzY5ODRmOGQ5NGMifQ==
      4⤵
      PID:5132
    - - C:\Users\Admin\AppData\Local\Temp\7zS0FCCB658\setup.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS0FCCB658\setup.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera GX Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera GX Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktopGX --annotation=ver=112.0.5197.115 --initial-client-data=0x31c,0x320,0x324,0x2f8,0x328,0x6e3a1b54,0x6e3a1b60,0x6e3a1b6c
        5⤵
        
        PID:4076
    - - C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\setup.exe" --version
        5⤵
        
        PID:3056
    - - C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\opera_package_202409160149041\assistant\Opera_GX_assistant_73.0.3856.382_Setup.exe_sfx.exe
        
        "C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\opera_package_202409160149041\assistant\Opera_GX_assistant_73.0.3856.382_Setup.exe_sfx.exe"
        5⤵
        
        PID:1868
    - - C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\opera_package_202409160149041\assistant\assistant_installer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\opera_package_202409160149041\assistant\assistant_installer.exe" --version
        5⤵
        
        PID:6732
      - C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\opera_package_202409160149041\assistant\assistant_installer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\opera_package_202409160149041\assistant\assistant_installer.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera GX Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera GX Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktopGX --annotation=ver=73.0.3856.382 --initial-client-data=0x26c,0x270,0x274,0x248,0x278,0x704f48,0x704f58,0x704f64
        6⤵
        
        PID:6512
- - C:\Users\Admin\AppData\Local\Temp\2024-09-16_3c0086e9a2673adca00e903795ded6b4_cobalt-strike_cobaltstrike_hijackloader_karagany_mafia_poet-rat_a3c1ddca-2919-4a30-9531-8a4d37a7aefd\bundle.exe
    bundle.exe
    3⤵
    PID:4432
- - C:\Users\Admin\AppData\Local\Temp\2024-09-16_3c0086e9a2673adca00e903795ded6b4_cobalt-strike_cobaltstrike_hijackloader_karagany_mafia_poet-rat_a3c1ddca-2919-4a30-9531-8a4d37a7aefd\rckdck.exe
    rckdck.exe
    3⤵
    PID:3088
  - - C:\Users\Admin\AppData\Local\Temp\is-NNDNH.tmp\is-57DHS.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-NNDNH.tmp\is-57DHS.tmp" /SL4 $10306 "C:\Users\Admin\AppData\Local\Temp\2024-09-16_3c0086e9a2673adca00e903795ded6b4_cobalt-strike_cobaltstrike_hijackloader_karagany_mafia_poet-rat_a3c1ddca-2919-4a30-9531-8a4d37a7aefd\rckdck.exe" 6123423 52736
      4⤵
      PID:1036
- - C:\Users\Admin\AppData\Local\Temp\2024-09-16_3c0086e9a2673adca00e903795ded6b4_cobalt-strike_cobaltstrike_hijackloader_karagany_mafia_poet-rat_a3c1ddca-2919-4a30-9531-8a4d37a7aefd\avg.exe
    avg.exe
    3⤵
    PID:1572
  - - C:\Users\Admin\AppData\Local\Temp\aj76D4.exe
      "C:\Users\Admin\AppData\Local\Temp\aj76D4.exe" /relaunch=8 /was_elevated=1 /tagdata
      4⤵
      PID:5852
- - C:\Users\Admin\AppData\Local\Temp\2024-09-16_3c0086e9a2673adca00e903795ded6b4_cobalt-strike_cobaltstrike_hijackloader_karagany_mafia_poet-rat_a3c1ddca-2919-4a30-9531-8a4d37a7aefd\telamon.exe
    telamon.exe
    3⤵
    PID:4788
  - - C:\Users\Admin\AppData\Local\Temp\is-T2S7B.tmp\telamon.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-T2S7B.tmp\telamon.tmp" /SL5="$10332,1520969,918016,C:\Users\Admin\AppData\Local\Temp\2024-09-16_3c0086e9a2673adca00e903795ded6b4_cobalt-strike_cobaltstrike_hijackloader_karagany_mafia_poet-rat_a3c1ddca-2919-4a30-9531-8a4d37a7aefd\telamon.exe"
      4⤵
      PID:5440
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" "C:\Windows\system32\cmd.exe" /S /C ""C:\Users\Admin\AppData\Local\Temp\is-1F9OM.tmp\tt-installer-helper.exe" --getuid > "C:\Users\Admin\AppData\Local\Temp\is-1F9OM.tmp\~execwithresult.txt""
        5⤵
        
        PID:5900
      - C:\Users\Admin\AppData\Local\Temp\is-1F9OM.tmp\tt-installer-helper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-1F9OM.tmp\tt-installer-helper.exe" --getuid
        6⤵
        
        PID:3700
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" "C:\Windows\system32\cmd.exe" /S /C ""C:\Users\Admin\AppData\Local\Temp\is-1F9OM.tmp\tt-installer-helper.exe" --saveinstallpath --filename=C:\Users\Admin\AppData\Local\Temp\2024-09-16_3c0086e9a2673adca00e903795ded6b4_cobalt-strike_cobaltstrike_hijackloader_karagany_mafia_poet-rat_a3c1ddca-2919-4a30-9531-8a4d37a7aefd\telamon.exe > "C:\Users\Admin\AppData\Local\Temp\is-1F9OM.tmp\~execwithresult.txt""
        5⤵
        
        PID:1496
      - C:\Users\Admin\AppData\Local\Temp\is-1F9OM.tmp\tt-installer-helper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-1F9OM.tmp\tt-installer-helper.exe" --saveinstallpath --filename=C:\Users\Admin\AppData\Local\Temp\2024-09-16_3c0086e9a2673adca00e903795ded6b4_cobalt-strike_cobaltstrike_hijackloader_karagany_mafia_poet-rat_a3c1ddca-2919-4a30-9531-8a4d37a7aefd\telamon.exe
        6⤵
        
        PID:4880
- - C:\Windows\SysWOW64\timeout.exe
    timeout 3
    3⤵
    - Delays execution with timeout.exe
    PID:5876
- - C:\Windows\SysWOW64\msiexec.exe
    "C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\AppData\Local\Temp\2024-09-16_3c0086e9a2673adca00e903795ded6b4_cobalt-strike_cobaltstrike_hijackloader_karagany_mafia_poet-rat_a3c1ddca-2919-4a30-9531-8a4d37a7aefd\gadget.msi"
    3⤵
    PID:5824
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /K des.bat
    3⤵
    PID:5756
- - C:\Users\Admin\AppData\Local\Temp\2024-09-16_3c0086e9a2673adca00e903795ded6b4_cobalt-strike_cobaltstrike_hijackloader_karagany_mafia_poet-rat_a3c1ddca-2919-4a30-9531-8a4d37a7aefd\g_.exe
    g_.exe
    3⤵
    PID:5160
- - C:\Users\Admin\AppData\Local\Temp\2024-09-16_3c0086e9a2673adca00e903795ded6b4_cobalt-strike_cobaltstrike_hijackloader_karagany_mafia_poet-rat_a3c1ddca-2919-4a30-9531-8a4d37a7aefd\t.exe
    t.exe
    3⤵
    PID:6076
- - C:\Users\Admin\AppData\Local\Temp\2024-09-16_3c0086e9a2673adca00e903795ded6b4_cobalt-strike_cobaltstrike_hijackloader_karagany_mafia_poet-rat_a3c1ddca-2919-4a30-9531-8a4d37a7aefd\g.exe
    g.exe
    3⤵
    PID:2244
- - C:\Users\Admin\AppData\Local\Temp\2024-09-16_3c0086e9a2673adca00e903795ded6b4_cobalt-strike_cobaltstrike_hijackloader_karagany_mafia_poet-rat_a3c1ddca-2919-4a30-9531-8a4d37a7aefd\e.exe
    e.exe
    3⤵
    PID:892
- - C:\Windows\SysWOW64\attrib.exe
    attrib +s +h C:\GAB
    3⤵
    - Sets file to hidden
    - Views/modifies file attributes
    PID:5904
- - C:\Users\Admin\AppData\Local\Temp\2024-09-16_3c0086e9a2673adca00e903795ded6b4_cobalt-strike_cobaltstrike_hijackloader_karagany_mafia_poet-rat_a3c1ddca-2919-4a30-9531-8a4d37a7aefd\Bootstraper.exe
    Bootstraper.exe
    3⤵
    PID:5000
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\SalaNses'"
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:5476
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\Desktop'"
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:3744
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Users'"
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:4936
  - - C:\SalaNses\soles.exe
      "C:\SalaNses\soles.exe"
      4⤵
      PID:6252
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\2024-09-16_3c0086e9a2673adca00e903795ded6b4_cobalt-strike_cobaltstrike_hijackloader_karagany_mafia_poet-rat_a3c1ddca-2919-4a30-9531-8a4d37a7aefd\dng.html
    3⤵
    PID:6100
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc794c46f8,0x7ffc794c4708,0x7ffc794c4718
      4⤵
      PID:5328
- - C:\Windows\SysWOW64\timeout.exe
    timeout 10
    3⤵
    - Delays execution with timeout.exe
    PID:6708
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /K proxy.bat
    3⤵
    PID:5876
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im explorer.exe
      4⤵
      Kills process with taskkill
      PID:6804
- - C:\Windows\SysWOW64\notepad.exe
    "C:\Windows\System32\notepad.exe" "C:\GAB\11963.CompositeFont"
    3⤵
    - Opens file in notepad (likely ransom note)
    PID:5680
- - C:\Windows\SysWOW64\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\GAB\11963.ini
    3⤵
    - Opens file in notepad (likely ransom note)
    PID:8
- - C:\Windows\SysWOW64\fontview.exe
    "C:\Windows\System32\fontview.exe" C:\GAB\11963.ttc
    3⤵
    PID:6928
- - C:\Windows\SysWOW64\fontview.exe
    "C:\Windows\System32\fontview.exe" C:\GAB\11963.TTF
    3⤵
    PID:3756
- - C:\Users\Admin\AppData\Local\Temp\2024-09-16_3c0086e9a2673adca00e903795ded6b4_cobalt-strike_cobaltstrike_hijackloader_karagany_mafia_poet-rat_a3c1ddca-2919-4a30-9531-8a4d37a7aefd\cobstrk.exe
    cobstrk.exe
    3⤵
    PID:2792
  - - C:\Windows\System\PsxBcYk.exe
      C:\Windows\System\PsxBcYk.exe
      4⤵
      PID:6568
  - - C:\Windows\System\vHMtwrQ.exe
      C:\Windows\System\vHMtwrQ.exe
      4⤵
      PID:5232
  - - C:\Windows\System\DxbmsvR.exe
      C:\Windows\System\DxbmsvR.exe
      4⤵
      PID:6604
  - - C:\Windows\System\fQewJbs.exe
      C:\Windows\System\fQewJbs.exe
      4⤵
      PID:5688
  - - C:\Windows\System\KRuMfJm.exe
      C:\Windows\System\KRuMfJm.exe
      4⤵
      PID:4812
  - - C:\Windows\System\uELXihv.exe
      C:\Windows\System\uELXihv.exe
      4⤵
      PID:6852
  - - C:\Windows\System\hpWHqJj.exe
      C:\Windows\System\hpWHqJj.exe
      4⤵
      PID:6032
  - - C:\Windows\System\lTJNxBI.exe
      C:\Windows\System\lTJNxBI.exe
      4⤵
      PID:6020
  - - C:\Windows\System\SKISBYY.exe
      C:\Windows\System\SKISBYY.exe
      4⤵
      PID:6464
  - - C:\Windows\System\lxagqKL.exe
      C:\Windows\System\lxagqKL.exe
      4⤵
      PID:6608
  - - C:\Windows\System\TRMNgzt.exe
      C:\Windows\System\TRMNgzt.exe
      4⤵
      PID:6468
  - - C:\Windows\System\gQiQXDj.exe
      C:\Windows\System\gQiQXDj.exe
      4⤵
      PID:3628
  - - C:\Windows\System\MjmkHPL.exe
      C:\Windows\System\MjmkHPL.exe
      4⤵
      PID:4832
  - - C:\Windows\System\LTtqdTy.exe
      C:\Windows\System\LTtqdTy.exe
      4⤵
      PID:3496
  - - C:\Windows\System\PivVVgU.exe
      C:\Windows\System\PivVVgU.exe
      4⤵
      PID:5340
  - - C:\Windows\System\fUapaYk.exe
      C:\Windows\System\fUapaYk.exe
      4⤵
      PID:6516
  - - C:\Windows\System\gmWmPjX.exe
      C:\Windows\System\gmWmPjX.exe
      4⤵
      PID:5556
  - - C:\Windows\System\FkqSBzt.exe
      C:\Windows\System\FkqSBzt.exe
      4⤵
      PID:1480
  - - C:\Windows\System\hwOavPF.exe
      C:\Windows\System\hwOavPF.exe
      4⤵
      PID:6192
  - - C:\Windows\System\SrVlbfn.exe
      C:\Windows\System\SrVlbfn.exe
      4⤵
      PID:5692
  - - C:\Windows\System\CqefvgE.exe
      C:\Windows\System\CqefvgE.exe
      4⤵
      PID:6424
- - C:\Users\Admin\AppData\Local\Temp\2024-09-16_3c0086e9a2673adca00e903795ded6b4_cobalt-strike_cobaltstrike_hijackloader_karagany_mafia_poet-rat_a3c1ddca-2919-4a30-9531-8a4d37a7aefd\jaf.exe
    jaf.exe
    3⤵
    PID:5268
- - C:\Users\Admin\AppData\Local\Temp\2024-09-16_3c0086e9a2673adca00e903795ded6b4_cobalt-strike_cobaltstrike_hijackloader_karagany_mafia_poet-rat_a3c1ddca-2919-4a30-9531-8a4d37a7aefd\file.exe
    file.exe
    3⤵
    PID:5320
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
      4⤵
      PID:4928
- - C:\Windows\SysWOW64\reg.exe
    reg import oobe.reg
    3⤵
    PID:5720
- - C:\Users\Admin\AppData\Local\Temp\2024-09-16_3c0086e9a2673adca00e903795ded6b4_cobalt-strike_cobaltstrike_hijackloader_karagany_mafia_poet-rat_a3c1ddca-2919-4a30-9531-8a4d37a7aefd\OHSHIT!.exe
    OHSHIT!.exe
    3⤵
    PID:6892

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x4d0 0x308
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:220

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:3128

C:\Windows\system32\efsui.exe
efsui.exe /efs /keybackup
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4752

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1116

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {9BA05972-F6A8-11CF-A442-00A0C90A8F39} -Embedding
1⤵
PID:3464

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {3eef301f-b596-4c0b-bd92-013beafce793} -Embedding
1⤵
PID:4732

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2304

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1720

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4688

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5160

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
PID:6036

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:1780

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:6548

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:5068

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\GAB\11963.CompositeFont

Filesize
42KB

MD5
8f64a583b0823bfc2fdf7277e67b5e16

SHA1
f8029c828d0aef58f8818b866f1f7f1ec2f095b8

SHA256
b637a0f9031088d08147f397836fe1c16b15c70db696db4ddea05ec5b95b4f91

SHA512
e8c7941c8a42f6408b0071c7f0ea06a226757d3a07e3943738296c5dd5e5e60d682424182f0d788f42a5758f1c76ef1ec89901acc43799833234f09f3b4278a2

Download Submit
C:\GAB\11963.TTF

Filesize
206KB

MD5
8be30e033b2067f0fc5f382af5298d7c

SHA1
c093a9eabcf4e3c233afef89285f1662798d2086

SHA256
3f9e512f82eaf6f1b7869b82013fb79f6eaf1a41e75a0e7b96f31f35b1022ae4

SHA512
3a010d704a8ddea277ea8a842653f490856a39dc734af04f05de160693842c7dae967c3178503781dc70b7a20d00d9f36b01721f8ced0b5dfffc167a019e1d11

Download Submit
C:\GAB\11963.TTF

Filesize
855KB

MD5
da91ebf6e2aef600590f37ed9dfea009

SHA1
d202f76a963bc60c637b0bb9f3e9cf5d71acf077

SHA256
399fea80c0be94aeba22b778e85f326ea7ee030325d2ca2be40ff76182bc5115

SHA512
99c486901bd15816539b36651e5a5ebf8824b958218cf1f131240f3314488239fead07ef3c9eb907059cc551d778a12783f7990cf91b5460fe20c9b07419e207

Download Submit
C:\GAB\11963.TTF

Filesize
448KB

MD5
75bd5dd28c088f0fe37d6a769dbc4f90

SHA1
7a08fedb7650fa90ac52cd028bfcd3a51779f380

SHA256
e26b15670ead794dee440417c9afc61513eb9cac6981c326f1793f17e940f531

SHA512
db0cdb57db55a59fde0bc92931eee9fedae70ea87c9629765a3d01205f19144c1b43615cb8b085dd279468c9b11d8b04b89259bd459a193149fd7f0d2720da27

Download Submit
C:\GAB\11963.TTF

Filesize
217KB

MD5
0723999ddc6b4b922ec011b475f07d9d

SHA1
03aafc4a9496cd07d35952efd101312f6328bb16

SHA256
1da9b5ace583a0a52e85280264d84917630ff6d600caea9a1b99cbd7e8b7c07f

SHA512
0b1d1b2b994368d391195aa3d59c4ff647d6744f4f2240dcbc059c0a444e3a1b22b397c8c146349fa5b4beab9ff3cae5ce09d5464d0e6b71fbda593be822b711

Download Submit
C:\GAB\11963.TTF

Filesize
192KB

MD5
4544144b6f2b565a318a7bbf3a81d59a

SHA1
412c4b71eb75392e224cf319911de5d71d73ee1f

SHA256
d3e725f7fe00538acb05170fe68b02dca3f04dc9ca5cc80489a229b23513e54f

SHA512
3060b8dfc66f9a3538775e188a7e870dd2f8a53499c79edeab7a184fa8909937bda6a008530b53a63b33bde6bae912006a3bd8974be983ba4f4492e59eaa7290

Download Submit
C:\GAB\11963.TTF

Filesize
1.9MB

MD5
3582ea8ebea037a76fdeb123fca83488

SHA1
8502bb1dfd24d91200d1719523475e8790786c2c

SHA256
e94491d9cf644e6b6c3e683e4ac6818d938501c604be63239923fbbcca90a1b9

SHA512
11afcd9a00dae831271d244a8c165fd1c115f7710f49b5af1e5e98cc39cac5ee7dc9e3d181deeace36fcc309ea5ab280d5f42a9a618700573cad9893f952cf2b

Download Submit
C:\GAB\11963.TTF

Filesize
1.8MB

MD5
c9067943a655375cedce728a5f01848e

SHA1
741b74ce1aed749f4f56da72a0ff98135cc5182c

SHA256
f3a87b2d8791c76374d6a910930eac1005da43d3d21aba62e251ca0aa4423dda

SHA512
7b0ef4de75f850bb40d4a717999d98f3afa641a29a60d10dc0cd9fa6e95ee0b2432efab297336c1521dfccc82a4c98ea9b07405b7011bfefe581d7e6b16785f6

Download Submit
C:\GAB\11963.TTF

Filesize
192KB

MD5
7b35b72b174b01788aa317ba04bf97f0

SHA1
3a2c0c9cb4a6146e634986304976395ab17e55ef

SHA256
331acb696110e5f1f93e1df46f711b0d08a0f2ee2d9c4404598d29fb94ae4a66

SHA512
ff3952ee3e7d29893e20c54de64d5ddac1dbb341d34dc381ec7f6100c2cbcc7b93b3e57e629ded9868228f8860d037e0a9616358c83e62149408b1b5808e96eb

Download Submit
C:\GAB\11963.TTF

Filesize
34KB

MD5
9e2ee65661bee40438d514fe592bfcf8

SHA1
140a77e69329638a5c53dc01fbcfe0ce9ab93423

SHA256
ac9ee085920a3d8b076d5e0c61dc9df42c4bac28d1fc968344f9ceddb3972f69

SHA512
3b3c7ff00d8f12cea48008a2e95c194f7fc64ee96425a3cfefb8b65a9f7dad66fa16104ec1cf96ac6892426e5e8ab59dab91e3d56d76f58753b80f8ac48f2612

Download Submit
C:\GAB\11963.TTF

Filesize
145KB

MD5
23ed00385dab0f612e66eb0d4ac947ab

SHA1
acc115c0f9f6a25bee5ff37f8af4fdd695d8b596

SHA256
6b00590bd7a52a94e9e90e35a28c1d2fa03f83f458d2f2dfbced70a9c1ea0c80

SHA512
8f5d6d8f888f92be698a1d96824e3c735eb847bc8b1ae5835b9da65d4b6bb7c1690636873565e643d7ea6a19107d40e3a267c89bcfd4a896f356d90b38ecb039

Download Submit
C:\GAB\11963.fon

Filesize
4KB

MD5
9d2bf033acde5a212f6f5404d490e169

SHA1
a0e28adf40a9d06710d20071dcaba2569b91b1dd

SHA256
93e7c6c123d9b53a2d933f63093b4b85302023517f56abf057f9ef8a94d83b8b

SHA512
8dcb0dd9dc72c2de61e26932b72d5923a43b0f512e8d2df5334f478a78ee80f492bb8cb193dd3a314a6a19dd95e4899b40e7b76c3b1f767f5e8b46d1b1b3c00d

Download Submit
C:\GAB\11963.fon

Filesize
5KB

MD5
21475b17405b86f37a2c15a1df2733b3

SHA1
e640903a5fa2a800a27b74c73a02ea855dcbd953

SHA256
6e7a86167874f989433a264345e5ea6c0e000861cbca8153858b23d7d35d5ecc

SHA512
5752f5cdd3d6e56de8d6382dced5b7425fead8cbdb21755fb504320157a4aad3a713fb8d5d4d52e843d60b0251b3c14ee6e7720824ace97b9fd8a5dbf7e0d8f0

Download Submit
C:\GAB\11963.fon

Filesize
7KB

MD5
ad75fb38d57de96a18fd5fcad4a282cb

SHA1
2689835e7573d1ea8cfdf6ae7fd77b671baccbc7

SHA256
c7b31d6d41b52ea093fc845bb51f5fc8bb772b278a0cd8d0dac980dc9e6b08eb

SHA512
ef3e09211a3e58428b94bda0f84d84e83e1e76f40b6f633a6a0e4121cfbdd4cf5253627be285e853d8c536a611f8abf6b2cfdff69033e596c56aaa5b625b6bc2

Download Submit
C:\GAB\11963.fon

Filesize
12KB

MD5
dcfe71d27bf49ba16fde0d1945bfb4a2

SHA1
86b3d8696b5da354ef42c8ab4a9d21cdaaf0dda1

SHA256
eacbfca9a5ef05a108ef5337c773d82a43398bb8ea177e5ebeef62934dd75811

SHA512
4da8efcfd4a77e230c61a527eb96b5193b9f5ddc0d476dfca8ce6ba7143ac5c8a1fd8b673cc2c7b554dae42ec01364a178f64532b6de17d44dce07b3089869c3

Download Submit
C:\GAB\11963.fon

Filesize
82KB

MD5
5972eeea7971170eb72cab2fc85c2b17

SHA1
d327d96bd78c5e851e065d053829abbb370c0c09

SHA256
9677467feb714a89de457e262ff6647708b7de66127671b77f7e1e92aa0c2f41

SHA512
c55c5217271f29bd3a7a130daa5e5711eff65630127f90112a26bb4ba3dbf416059f9424606bc1998ff4eec874c18767a395e20c3dc516a00079b2c5a7221ed3

Download Submit
C:\GAB\11963.fon

Filesize
12KB

MD5
40f8022c3fe4e1cc97bb794e1b519b3f

SHA1
7ff107451b67b2d432db4706c697a9391c13a6f4

SHA256
6b16818c057024f588f4f423cb1f50d24e092fca3c9b5c8c1943cf5b3ea70759

SHA512
08a85d0203a0534067538ba0c1f40273409f61f212269cb3095df1defc114ff007efcb4c3c4897a345cda17db16c98b88ae61100b9e4636862d26edb8a402ba3

Download Submit
C:\GAB\11963.fon

Filesize
5KB

MD5
75acaed877b0384b034d920ac8953866

SHA1
8abf03747a44bb62fe6730fb7ee052549863a99b

SHA256
23855e29f60dc2cc50279a3dd2a5e3aa376b1f4504a1c48132d82e4f33960888

SHA512
0fc3bd053f0bf521f0728b9f959a21b993fdddeeaf5b78b4eb6ed0d3567314e18eef8c932abe37028c4c624ca8b47a324858c45335a22f9514980b9aabf2e6c1

Download Submit
C:\GAB\11963.fon

Filesize
6KB

MD5
8a5dbabcb9b11e3e0c527b93e69d5e4d

SHA1
c47add614ece5ed16ca456bac08b1f2cbaccfec9

SHA256
824ea3f5eabd9c3b8e0041e78935feb65545f58760ce0c47a0d938ad75f8e241

SHA512
ddcb3520d68321e6372630cb34473c7b310ffed1263cde8e1059837e63e42e7a7e644537044dee774e9ea3e912e485f2630bc106233e039ea925355ec29921c0

Download Submit
C:\GAB\11963.fon

Filesize
35KB

MD5
160dd2233c267e06ff5b8486bab29bf2

SHA1
efe0947e080458a6f02ae0b42002cb411a09ca44

SHA256
a3679106209bccc2649f328b6d155c226a3f748750830e30ef024e02676b277a

SHA512
e84ecfec8a10bc7ea1323545e8246fad012dca53f3c7c3196635ff5d93301a08bfb8c1ff485b17816e395d539bab77f9c132a994ec5c628daa7d05796929a860

Download Submit
C:\GAB\11963.fon

Filesize
35KB

MD5
32aa40b05f3b9f0c3c5a519c2355fdd2

SHA1
91fabebe46ebd21d2ca329ce33ab7eb2e633f5ab

SHA256
f5920991ef1bddb00d4ae09f844d0ba04672a5f26936567547815725a439e3fc

SHA512
5b7e46d8153a42a935df33d21e8512fdc087637c1490896d27d37f405c79dc11a4c7fd1b1089cfeacb10b541d3d8842b75e204d190f10a6cebe553f0d76fd4d6

Download Submit
C:\GAB\11963.ttc

Filesize
13.0MB

MD5
30604a102b28c38f9183597f62274fdc

SHA1
3879d542b622682b88094cc38416d241f4e65150

SHA256
dc90b3850f1276d5067a06c2f2fdadacc2f22ee0726db3fcb871516a180e3493

SHA512
162a99ce7daf8633a01c57276ede5673ca9f1b8b4b1e1135a17540df08fa57f4eb48c402c5490eb328b4c9de584914b8e464476709b0145c3b826e20845cdeaa

Download Submit
C:\GAB\11963.ttc

Filesize
13.0MB

MD5
d1a7cb2d5fd9e72ad3e13be77c7c302b

SHA1
7807b5b3c35b0dd0ba28935d20af57fd7ff4df37

SHA256
1361ec92c7877bb4c138131c59a234dd00911a344fd05bca6ca8c780fac6a654

SHA512
3b0d7917784880ca699264399303f45aa5086de24f5a55d83413e9477abcec52418640606fdc8917b2ff78fb6be1936bb3f98d8a2d8e62f7faee7662cbb24da9

Download Submit
C:\GAB\11963.ttc

Filesize
13.0MB

MD5
e868c731ec770c425dbc74881b3ca936

SHA1
a8dc99a2e0bc3360f8441243aab13fe7279a759a

SHA256
1e5a4b342c6417bb9352e8c29cb839413987a06438e7b48fd0320925827f289c

SHA512
51bbdbcd06bc41c1ef6a589ca2b6300f1f9350d11b8bfa60605c7a68a0d6a714998bec6060cbc3b27dd2d1485d57f344890b0278d7313dbdb5593334ceea3b49

Download Submit
C:\SalaNses\soles.exe

Filesize
1.2MB

MD5
acebc69ae67997867002990dae3f699d

SHA1
8483b45b2faaa21ad548e72fb49ae3a08143334e

SHA256
f545fbcf52e694eaed07f7869ee67d1dffea29a3769e2482f5eccb3c21148442

SHA512
6c9f88407ffbf228f44270c28d0eeba804a8f3198454becebdd5f2d13eda5c1f0407f1e98569bbcd490225a10ba6e1917c1af1971bd1f636a71250b602dcbf28

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\070E0202839D9D67350CD2613E78E416

Filesize
1KB

MD5
55540a230bdab55187a841cfe1aa1545

SHA1
363e4734f757bdeb89868efe94907774a327695e

SHA256
d73494e3446b02167573b3cde3ae1c8584ac26e15e45ac3ec0326708425d90fb

SHA512
c899cb1d31d3214fd9dc8626a55e40580d3b2224bf34310c2abd85d0f63e2dedaeae57832f048c2f500cb2cbf83683fcb14139af3f0b5251606076cdb4689c54

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\070E0202839D9D67350CD2613E78E416

Filesize
230B

MD5
a9173efb257f998642bc51c414e92129

SHA1
70805be6799b9de253d3ba6e8328027d94fe15f8

SHA256
5e2565b9081f776e734a87d175fe75cdd6a87919950f129b1b5893d1647d64b6

SHA512
631ef155250fa508b90de1024352fe578c5e84f560740a9b8166987658c0301fa2ac0ed91e21df6c860bebfdee680fc97df2798f0dc432519679abfe7f0f38f9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506

Filesize
328B

MD5
0a4afad3b1e864779e40ffd1b5bf8379

SHA1
7c9c1fb2a392a22b149f07dc193fc50c62fb529d

SHA256
51aecb86fba6bebccb2fe2993a59fab229c22f871c10b935807ccd3d2b359d11

SHA512
204fff9ebd89c65b7ac5af128cffa5f10c1dcbd1a6004ba462d1a69933daa114562623cb99c828bbb4f72eb2d105760eee076011ed15c980887c7a2f2c8583d2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506

Filesize
328B

MD5
896748f9af791ff3e9befa544dd5dc86

SHA1
f17031d8ec68fac39aa4012603e75bcf24256c45

SHA256
ec3c99bdae05f7817daf47c51e6e94ce1038f70d1b1fd85fd655892f98d3d7f2

SHA512
12aa267159ab25c0e43714fed859e0a1e1f56e1725aa1fb28f8547e75bb11d24b73e82997180e3aef3414521604883fe90a85ec7574c2259513aa6c039ba86ee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
968cb9309758126772781b83adb8a28f

SHA1
8da30e71accf186b2ba11da1797cf67f8f78b47c

SHA256
92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

SHA512
4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
38f59a47b777f2fc52088e96ffb2baaf

SHA1
267224482588b41a96d813f6d9e9d924867062db

SHA256
13569c5681c71dc42ab57d34879f5a567d7b94afe0e8f6d7c6f6c1314fb0087b

SHA512
4657d13e1bb7cdd7e83f5f2562f5598cca12edf839626ae96da43e943b5550fab46a14b9018f1bec90de88cc714f637605531ccda99deb9e537908ddb826113b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ab8ce148cb7d44f709fb1c460d03e1b0

SHA1
44d15744015155f3e74580c93317e12d2cc0f859

SHA256
014006a90e43ea9a1903b08b843a5aab8ad3823d22e26e5b113fad5f9fa620ff

SHA512
f685423b1eaee18a2a06030b4b2977335f62499c0041c142a92f6e6f846c2b9ce54324b6ae94efbbb303282dcda70e2b1597c748fddc251c0b3122a412c2d7c4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
3a42b30a509314113c5911d0f4383b4e

SHA1
75952e67dd502d45c007ec9eaa0f3d1425f627d1

SHA256
0e2b1b21fb1ddde069aec8c515f8fa1c522755ff12a812b394fcdfa745b4db00

SHA512
181bddc89375262a7a5ac5cd5f4b603aac8ffa4bb22120206e56174e28654decdc9209444d9766dfac41207f872cfac9617e1e6da45762c7ff20c6a8c85477a1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
af2231c32d5236328641e646b9d55542

SHA1
3ab25279e645ba0cea54a688c978e096d06ca6ff

SHA256
410b6511183c4436515d3142a319d0eafacbaf0eb4bb80facbeb65b5055e61b0

SHA512
c48f69a24606280b9f8a0909e15071ae9c483d0c9f856b6f1b7de0ef3ff2ada6568916db19597f7675b0106d55b34bc9090f7d72d63c426cae5e1cdac1a71572

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\ea6c8e13-169a-4fe3-8f1c-34a6a654747b.tmp

Filesize
5KB

MD5
5d12af6c2d8d710a5cb716129a6efd2a

SHA1
a8a610ee207c520af1005f1552fea1a705c17c8c

SHA256
10e6415a06b55bd2998b708c3b7dd81e8664031121ea716b6c0b42478cbb2c45

SHA512
305f49a14f2dcc93b7d793ced090080b2bc820be057b7cb1de63f236680ff0709700e3a86173ba651c9430754a9d17a6b07bb4379112c444b07e53f8f20b68c0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
d4e36ba35d9e5c62e8ad438a5f24677e

SHA1
8cd86ffc1f60938a14b3a95680afe8ec330d5720

SHA256
9657319aa97958a74c934ba4b2e690f8b86b2b5fd74a52ba7ca175fdfc19f831

SHA512
a51105837304d8077259488d642a2f2e21c8e087d288a0fc34c44bd424b774e79bb7ba5c08fdc243be71db73665f1e62f6a588cb477a80db304af865502186a6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
57ceb217ef1bebbbc84c4210b7bdf7a3

SHA1
7f2b353cf48266be66fc3e3f4d3c358eb63f1e6a

SHA256
2b28470a96fd8640f3f33e81531ef3b3c8be0447b3dc4b75fd6504745dfb02c0

SHA512
3621f63f2c192b474f2a23c47389240076f641bab799e24b522f6b91d8db5a5fc5f3f2c5a9b4740a4c40cdb770b5fab0d80f9ee59a7b55e215e271ede3fb874b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
f5ebce3f0ba46afd01a8cf152b7517ca

SHA1
a9c2bea133b7300948d67a1c9d6408254bd6477e

SHA256
bec2fe6afbeeeb5c531f7004e665dabe642c220075c941236f3ba5b4e27305e6

SHA512
79357d597458cb42ab70dd3173afb88b931940615ac4c7344b2063c8358794a7f337a2f73bfcc40598b0895219e0be3afb84c78c919724d37eb313f903330f1a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
f802a6862aa557cbb11d6047e4ae765e

SHA1
1a496e53acdd0d2813ca02fad2d4300f95d85c91

SHA256
f55d75260f132be3492251ce53eb09151ad01f51ee35bf1a32ab8742c61ab014

SHA512
5f2307fb5ced3d437845aabe037346425dbf9e224169466be4729764d1718a711ad14c793254bdb8dd1022ced68c4785bc73af0b6715e85f7c25c8041e0efdbe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
9f1dc6259613523f75eb6371d7af707d

SHA1
076036c5b06977541ea40b79dc2be47e3dae02d7

SHA256
5bbdcccf34a8957022ba861dd0ca4902d887b81741fde3337a2ea03fd796d542

SHA512
3083ec1a97f26d3203e5014b967f9cb0349625268d7eeb3cd2037631ce8f298f3097342792205e58eaf81f540e303557545ef4dd46e9bb5c742aa3611f3aaad9

Download Submit
C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\opera_package_202409160149041\additional_file0.tmp

Filesize
1.4MB

MD5
e9a2209b61f4be34f25069a6e54affea

SHA1
6368b0a81608c701b06b97aeff194ce88fd0e3c0

SHA256
e950f17f4181009eeafa9f5306e8a9dfd26d88ca63b1838f44ff0efc738e7d1f

SHA512
59e46277ca79a43ed8b0a25b24eff013e251a75f90587e013b9c12851e5dd7283b6172f7d48583982f6a32069457778ee440025c1c754bf7bb6ce8ae1d2c3fc5

Download Submit
C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\setup.exe

Filesize
6.4MB

MD5
defd30ea336650cc29c0c79fad6fa6b5

SHA1
935d871ed86456c6dd3c83136dc2d1bda5988ff3

SHA256
015a13bd912728e463df6807019b1914dffc3e6735830472e3287150a02e13f4

SHA512
8c6ebbf398fb44ff2254db5a7a2ffbc8803120fa93fa6b72c356c6e8eca45935ab973fe3c90d52d5a7691365caf5b41fe2702b6c76a61a0726faccc392c40e54

Download Submit
C:\Users\Admin\AppData\Local\Temp\2024-09-16_3c0086e9a2673adca00e903795ded6b4_cobalt-strike_cobaltstrike_hijackloader_karagany_mafia_poet-rat_a3c1ddca-2919-4a30-9531-8a4d37a7aefd\!m.bat

Filesize
1KB

MD5
9a406b8d8364842f6820ca4356a4c450

SHA1
153c67b38d3d6d391bd7d3b0fb7a68571ea74125

SHA256
e984a5d7fe4d4f0fa8c9d1acb99b76ca60b69ea5d373fc4ffa403678206943a3

SHA512
72721fb0689a8f7ebd057828a9e8bd1806f43f652f5d9b2026daf6de087b70a086693766f870dfd36619ee7ded4baee46ed5d4493a25814eda357d18e46664e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\2024-09-16_3c0086e9a2673adca00e903795ded6b4_cobalt-strike_cobaltstrike_hijackloader_karagany_mafia_poet-rat_a3c1ddca-2919-4a30-9531-8a4d37a7aefd\PurchaseOrder.exe

Filesize
934KB

MD5
f7f32729079353000cd97b90aa314cc1

SHA1
21dbddeea2b634263c8fbf0d6178a9751d2467b8

SHA256
8e29aa00863b1746ba25132f7ecb7bcb869d3a7e647dc8d6d3255491c5ac5212

SHA512
2c40c12b81e7c377ddf0a6691ebeedc895dcf02c9211a1563b840de735fab77968565b1d3d0c40cc0b2b583fd4bfa1c69f995fca758ea85f548bf5797b5bf847

Download Submit
C:\Users\Admin\AppData\Local\Temp\2024-09-16_3c0086e9a2673adca00e903795ded6b4_cobalt-strike_cobaltstrike_hijackloader_karagany_mafia_poet-rat_a3c1ddca-2919-4a30-9531-8a4d37a7aefd\anti.exe

Filesize
1.9MB

MD5
cb02c0438f3f4ddabce36f8a26b0b961

SHA1
48c4fcb17e93b74030415996c0ec5c57b830ea53

SHA256
64677f7767d6e791341b2eac7b43df90d39d9bdf26d21358578d2d38037e2c32

SHA512
373f91981832cd9a1ff0b8744b43c7574b72971b5b6b19ea1f4665b6c878f7a1c7834ac08b92e0eca299eb4b590bf10f48a0485350a77a5f85fc3d2dd6913db3

Download Submit
C:\Users\Admin\AppData\Local\Temp\2024-09-16_3c0086e9a2673adca00e903795ded6b4_cobalt-strike_cobaltstrike_hijackloader_karagany_mafia_poet-rat_a3c1ddca-2919-4a30-9531-8a4d37a7aefd\bundle.exe

Filesize
429KB

MD5
ae4581af98a5b38bce860f76223cb7c9

SHA1
6aa1e2cce517e5914a47816ef8ca79620e50e432

SHA256
7c4b329a4018dc7e927a7d1078c846706efae6e6577f6809defaa51b636e7267

SHA512
11ad90a030999bbb727dbfde7943d27f2442c247633cde5f9696e89796b0f750f85a9be96f01fa3fd1ec97653a334b1376d6bb76d9e43424cabe3a03893ecf04

Download Submit
C:\Users\Admin\AppData\Local\Temp\2024-09-16_3c0086e9a2673adca00e903795ded6b4_cobalt-strike_cobaltstrike_hijackloader_karagany_mafia_poet-rat_a3c1ddca-2919-4a30-9531-8a4d37a7aefd\butdes.exe

Filesize
2.8MB

MD5
1535aa21451192109b86be9bcc7c4345

SHA1
1af211c686c4d4bf0239ed6620358a19691cf88c

SHA256
4641af6a0071e11e13ad3b1cd950e01300542c2b9efb6ae92ffecedde974a4a6

SHA512
1762b29f7b26911a7e6d244454eac7268235e2e0c27cd2ca639b8acdde2528c9ddf202ed59ca3155ee1d6ad3deba559a6eaf4ed74624c68688761e3e404e54da

Download Submit
C:\Users\Admin\AppData\Local\Temp\2024-09-16_3c0086e9a2673adca00e903795ded6b4_cobalt-strike_cobaltstrike_hijackloader_karagany_mafia_poet-rat_a3c1ddca-2919-4a30-9531-8a4d37a7aefd\code.js

Filesize
4KB

MD5
016bf2cf2bad527f1f1ea557408cb036

SHA1
23ab649b9fb99da8db407304ce9ca04f2b50c7b4

SHA256
17bb814cfaa135628fd77aa8a017e4b0dcd3c266b8cdca99e4d7de5d215643c0

SHA512
ac2d4f51b0b1da3c544f08b7d0618b50514509841f81bc9dad03329d5c1a90e205795a51ca59522d3aa660fb60faae19803eceeeea57f141217a6701a70510e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\2024-09-16_3c0086e9a2673adca00e903795ded6b4_cobalt-strike_cobaltstrike_hijackloader_karagany_mafia_poet-rat_a3c1ddca-2919-4a30-9531-8a4d37a7aefd\color.reg

Filesize
1KB

MD5
a2441cc58179194cb45e0668e9b09cfe

SHA1
eb01b9b82ec0d46ff6f46236923cce26d017c109

SHA256
65e3f61a4c680ab23243ea3765b3cf0fc5414d34c9070cbe6f11c2cbc75ba4b0

SHA512
08644e315bd71acb452b05beb499174022095ae4b231f91c67792997394f13d7c9ec21b8caa97ba1bcf88dd484031a10c939f27f853b4ac943496d54f6452eec

Download Submit
C:\Users\Admin\AppData\Local\Temp\2024-09-16_3c0086e9a2673adca00e903795ded6b4_cobalt-strike_cobaltstrike_hijackloader_karagany_mafia_poet-rat_a3c1ddca-2919-4a30-9531-8a4d37a7aefd\doc.html

Filesize
15KB

MD5
5622e7755e5f6585a965396b0d528475

SHA1
b059dc59658822334e39323b37082374e8eeaac4

SHA256
080cb8ef0cbf5a5de9163b365eec8b29538e579f14a9caa45c0f11bc173c4147

SHA512
62f5abda3473ca043bf126eed9d0bcc0f775b5ac5f85b4fe52d1d656f476f62188d22cf79b229059a5d05e9258980c787cb755f08ca86e24e5f48655b5447f8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\2024-09-16_3c0086e9a2673adca00e903795ded6b4_cobalt-strike_cobaltstrike_hijackloader_karagany_mafia_poet-rat_a3c1ddca-2919-4a30-9531-8a4d37a7aefd\download.jpg

Filesize
8KB

MD5
01a5131931ef35acecbe557ba13f3954

SHA1
c7afc7590d469432704d963ffcee31ad8bcfc175

SHA256
d364872ddde28d81d23bb3b08f9e86f921b542f3a35fcaf12549cf5666462bd0

SHA512
ce32352484d676bd0f47c24808707c603fe9f09e41afd63d90f07599f13a5e32c73b0970a9964632f76f5843dda87a033340ee12fadd87b9f219329d0c69b02e

Download Submit
C:\Users\Admin\AppData\Local\Temp\2024-09-16_3c0086e9a2673adca00e903795ded6b4_cobalt-strike_cobaltstrike_hijackloader_karagany_mafia_poet-rat_a3c1ddca-2919-4a30-9531-8a4d37a7aefd\eee.reg

Filesize
33KB

MD5
ad39d3ee72df4b32d48ce5aef0cf359f

SHA1
125b495b74a6ea49d3c8f3343a9b17b33332fd68

SHA256
ebd1cfc4d28f97d8c3044d305bcae6e8e2402fc7483c0be891619cd02c8dcc2e

SHA512
c3dc49882e4434ab06738e4786de3e79b0e44d12ad60276492bf7475d7f3408d7451b69a753aae273c05857fc2093e6f4ed2cacbd6e79f2e38296e3b7efafa29

Download Submit
C:\Users\Admin\AppData\Local\Temp\2024-09-16_3c0086e9a2673adca00e903795ded6b4_cobalt-strike_cobaltstrike_hijackloader_karagany_mafia_poet-rat_a3c1ddca-2919-4a30-9531-8a4d37a7aefd\favicon.ico

Filesize
5KB

MD5
e0c7cc30d8f9a3cf0140bf838198571b

SHA1
2494a9ab234b90ff0a3cc2dbc152483fb540afd3

SHA256
73bb7f4a70650054fb42f4c7ab85d9a683253a0df26703ecd4a2bb3155d93cb4

SHA512
7b87a3296fd984d89dacfa70bdc274ed9faf553c3e086d3e865ed7a2e55f92fbb55bd270a5863ebb6b95f3ce26d321b5936665741300676863f40111b95a6e75

Download Submit
C:\Users\Admin\AppData\Local\Temp\2024-09-16_3c0086e9a2673adca00e903795ded6b4_cobalt-strike_cobaltstrike_hijackloader_karagany_mafia_poet-rat_a3c1ddca-2919-4a30-9531-8a4d37a7aefd\fence.bat

Filesize
187B

MD5
f1a53c52c034352ad3efc4d7efb9bdf6

SHA1
ab9a74fbde28de0e0579266cb2547dcad77adce8

SHA256
27bfdeea2850a4336f69b840d3dc5dd800e530e0a52b22eee4d9c43cd544a13a

SHA512
6fe862a0151f80b82088cea9b965fe8b2aeb2efb0ab16b4fce442a11756a2896f32b96dbb480aba9b4266a516ff4ffbe47def17273cdc7113d700694e87dee67

Download Submit
C:\Users\Admin\AppData\Local\Temp\2024-09-16_3c0086e9a2673adca00e903795ded6b4_cobalt-strike_cobaltstrike_hijackloader_karagany_mafia_poet-rat_a3c1ddca-2919-4a30-9531-8a4d37a7aefd\flydes.exe

Filesize
833KB

MD5
b401505e8008994bf2a14fdf0deac874

SHA1
e4f7f375b1e88dd71a0274a997ed5d9491bde068

SHA256
6bcf6b84d71737787e3cc8d9d0eed9720f388cc2d0337832a7e8ca3c6f455a41

SHA512
1bca98547ecf5a98d42b1d77cff50ca79ee560c893b2470aeb86887fef6e40a5ccdb72956f04a1d2a862827eebd3b7746e3043f3e6209597dcde9385ed55cc11

Download Submit
C:\Users\Admin\AppData\Local\Temp\2024-09-16_3c0086e9a2673adca00e903795ded6b4_cobalt-strike_cobaltstrike_hijackloader_karagany_mafia_poet-rat_a3c1ddca-2919-4a30-9531-8a4d37a7aefd\font.reg

Filesize
16KB

MD5
f99019a747df87574971ff5d788cd8d6

SHA1
51f59c63c22c6524c00462ac136bae4395e9196e

SHA256
c71187aae9aa77964b19db391eb96132262b3912c54aaf830c4cc7a836404ecb

SHA512
625e88f5e45322e8da1d9e2a83b7e4abc4431d6022d20fc279a67d4404e099c8adabf643c9591e47fe592c5ef27d662e6bea2ceb62b99ebde2b1f86f8a40a9c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\2024-09-16_3c0086e9a2673adca00e903795ded6b4_cobalt-strike_cobaltstrike_hijackloader_karagany_mafia_poet-rat_a3c1ddca-2919-4a30-9531-8a4d37a7aefd\fries.jpg

Filesize
12KB

MD5
c4d9d3cd21ef4de91abc95f99c4bc7dc

SHA1
b2cf457237c44c824068727b8440fe6a352a360c

SHA256
6fd1c3bde9a6a478e39d1cf2121e980c0bcf59454fe1673d707aa70170953bc9

SHA512
d10fbb0bdfb30160484950aa58bd2f97c38cf2d0914550b4041c9acd273e8013920ef1ee74216f92437a44ab81111a4c70ed3dc2df680ee4d187c22557900ee7

Download Submit
C:\Users\Admin\AppData\Local\Temp\2024-09-16_3c0086e9a2673adca00e903795ded6b4_cobalt-strike_cobaltstrike_hijackloader_karagany_mafia_poet-rat_a3c1ddca-2919-4a30-9531-8a4d37a7aefd\gx.exe

Filesize
3.1MB

MD5
80bf3bf3b76c80235d24f7c698239089

SHA1
7f6071b502df985580e7c469c6d092472e355765

SHA256
2b95e56af10406fbd3ecee38dab9e9c4a9b990d087f2ad2d7b1981c087829da2

SHA512
076b8b6a80ea15738ce682cc715792546582d7a74f971f94f6b5b9cf8164f01280322baec7f72894ac4b8d63b9f2f6074e8fc5e47880ef6c0b57a47beef3581a

Download Submit
C:\Users\Admin\AppData\Local\Temp\2024-09-16_3c0086e9a2673adca00e903795ded6b4_cobalt-strike_cobaltstrike_hijackloader_karagany_mafia_poet-rat_a3c1ddca-2919-4a30-9531-8a4d37a7aefd\i.exe

Filesize
12KB

MD5
cea5426da515d43c88132a133f83ce68

SHA1
0c224d0bb777f1e3b186fdf58cc82860d96805cc

SHA256
2be7a0865ded1c0bd1f92d5e09bb7b37a9e36a40487a687e0359c93878611a78

SHA512
4c1f25147222c84dff513bebf00e828719454ad634ef9380cfc7835f0457a718b4b437ecb60c1fa72a7f83fbb67e1ddfcd225194eedda77034c72f8c752c642c

Download Submit
C:\Users\Admin\AppData\Local\Temp\2024-09-16_3c0086e9a2673adca00e903795ded6b4_cobalt-strike_cobaltstrike_hijackloader_karagany_mafia_poet-rat_a3c1ddca-2919-4a30-9531-8a4d37a7aefd\images.jpg

Filesize
13KB

MD5
49f4fe0c8646909c7cf87adf68d896fd

SHA1
9193264c38e5ed9fa0f5be1d79f802cf946a74cf

SHA256
9292dfcddc9e88e5dbc095ceeb83ce23400a3405a4d47fffc80656941c87d5ec

SHA512
9df4db8c958110cea66f627170919346ed673d3c13aa55292484fc74ebac2864b0292cd4d66d35957b4b2740b2fe30ddfb9d9e04115d655fb58bf39e100d285e

Download Submit
C:\Users\Admin\AppData\Local\Temp\2024-09-16_3c0086e9a2673adca00e903795ded6b4_cobalt-strike_cobaltstrike_hijackloader_karagany_mafia_poet-rat_a3c1ddca-2919-4a30-9531-8a4d37a7aefd\infected.html

Filesize
972B

MD5
f48be9db7436f1c53508f1ad70064459

SHA1
16b20d3933cc6398859f1334a848982cccfd8501

SHA256
f79460fad80962fabe51f271a2ad33fd54c418fbb0a8646c1d78654696d7d7b2

SHA512
c7870b4fd16827817fa16c68f9d1a51270cfd9dc052861977a12ffcbc91a1668c82f168f8b33661d68579cfed766e15d0e436794d0eed164946eb9927355b638

Download Submit
C:\Users\Admin\AppData\Local\Temp\2024-09-16_3c0086e9a2673adca00e903795ded6b4_cobalt-strike_cobaltstrike_hijackloader_karagany_mafia_poet-rat_a3c1ddca-2919-4a30-9531-8a4d37a7aefd\neurosafe.exe

Filesize
289KB

MD5
f0d99e475391a9ef4be431c987af9ef7

SHA1
f2da513c5da93019f07b077459c6165b02c3f1ec

SHA256
d4e57d24203e6224043042f44a4c98a64d6f0783116ca229fcc6e5a2971c9e79

SHA512
417be9f77602de3d8d6ed43398455827ebe44411b17bca304707efb6194ba10b2f41b0f42581ac36e1558673403a16baaa65f5d16f1ff71c8a169b5fda1e3912

Download Submit
C:\Users\Admin\AppData\Local\Temp\2024-09-16_3c0086e9a2673adca00e903795ded6b4_cobalt-strike_cobaltstrike_hijackloader_karagany_mafia_poet-rat_a3c1ddca-2919-4a30-9531-8a4d37a7aefd\nosearch.reg

Filesize
210KB

MD5
f68d38e0570e426038ff1a1e43afe037

SHA1
0d13a96502394de36608da595e7b95fe65273275

SHA256
51f2ba3572185d138fcc40cfb83c26657c4b3c9fcb19f866abad81c75b0b8b20

SHA512
a4fe35709fc8c7ff28b8ad105d907624fd807c8d2f53b7dedc20f3003e72515b430a38e891e344c21910381b307e438607b50cd56045779e260b97fc2cce41e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\2024-09-16_3c0086e9a2673adca00e903795ded6b4_cobalt-strike_cobaltstrike_hijackloader_karagany_mafia_poet-rat_a3c1ddca-2919-4a30-9531-8a4d37a7aefd\nuggets.webp

Filesize
32KB

MD5
e40209599b592630dcac551daeb6b849

SHA1
851150b573f94f07e459c320d72505e52c3e74f0

SHA256
3c9aefa00fb2073763e807a7eccac687dcc26598f68564e9f9cf9ffdcd90a2be

SHA512
6da5895f2833a18ddb58ba4a9e78dd0b3047475cae248e974dc45d839f02c62772a6ba6dfe51dd9a37f29b7ec9780e799f60f0e476655006dec693164e17eec2

Download Submit
C:\Users\Admin\AppData\Local\Temp\2024-09-16_3c0086e9a2673adca00e903795ded6b4_cobalt-strike_cobaltstrike_hijackloader_karagany_mafia_poet-rat_a3c1ddca-2919-4a30-9531-8a4d37a7aefd\rckdck.exe

Filesize
6.2MB

MD5
a79fb1a90fb3d92cf815f2c08d3ade6d

SHA1
25e5e553af5e2d21b5cfc70ba41afb65202f6fd5

SHA256
43759b0c441fd4f71fe5eeb69f548cd2eb40ac0abfa02ea3afc44fbddf28dc16

SHA512
82aa45337987c4f344361037c6ca8cf4fbf0fc1e5079ac03f54f3184354792965f6f3b28bd2ab7b511d21f29859e2832fc6b6122a49ddecde12afc7e26fd62dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\2024-09-16_3c0086e9a2673adca00e903795ded6b4_cobalt-strike_cobaltstrike_hijackloader_karagany_mafia_poet-rat_a3c1ddca-2919-4a30-9531-8a4d37a7aefd\screenscrew.exe

Filesize
111KB

MD5
e87a04c270f98bb6b5677cc789d1ad1d

SHA1
8c14cb338e23d4a82f6310d13b36729e543ff0ca

SHA256
e03520794f00fb39ef3cfff012f72a5d03c60f89de28dbe69016f6ed151b5338

SHA512
8784f4d42908e54ecedfb06b254992c63920f43a27903ccedd336daaeed346db44e1f40e7db971735da707b5b32206be1b1571bc0d6a2d6eb90bbf9d1f69de13

Download Submit
C:\Users\Admin\AppData\Local\Temp\2024-09-16_3c0086e9a2673adca00e903795ded6b4_cobalt-strike_cobaltstrike_hijackloader_karagany_mafia_poet-rat_a3c1ddca-2919-4a30-9531-8a4d37a7aefd\stopwatch.exe

Filesize
68KB

MD5
338a4b68d3292aa22049a22e9292e2a2

SHA1
9595e6f6d5e18a3e71d623ac4012e7633b020b29

SHA256
490d833205f9dfe4f1950d40c845489aa2d2039a77ab10473384986f8442ea6f

SHA512
06bc6463b65508d050c945d5bf08078eecd6982c74c7bab2a6722b99523189d24f530c10c05577e0dbd5b46e896d472112d036023ef5e576e2a8f9401b8668a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Opera_installer_2409160149041434076.dll

Filesize
5.9MB

MD5
640ed3115c855d32ee1731c54702eab7

SHA1
1ac749b52794cbadfec8d9219530e9a79fc9427c

SHA256
29b4cabc7a0e9dffbc2395b976749be0aad88357dd3b1d7e0cfc9b0c645421a3

SHA512
bebe55fdbb363b78c4a6371304f65b89e03a03cee5a8ebceee1681261d8df64a0de36888ed763c3a607ae2732ab54e2e41edb624f37a7fdf8755c40e6bb96f53

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_5jrewsjj.z1p.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-4GFOT.tmp\flydes.tmp

Filesize
688KB

MD5
c765336f0dcf4efdcc2101eed67cd30c

SHA1
fa0279f59738c5aa3b6b20106e109ccd77f895a7

SHA256
c5177fdc6031728e10141745cd69edbc91c92d14411a2dec6e8e8caa4f74ab28

SHA512
06a67ac37c20897967e2cad453793a6ef1c7804d4c578404f845daa88c859b15b0acb51642e6ad23ca6ba6549b02d5f6c98b1fa402004bdbf9d646abab7ec891

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-NNDNH.tmp\is-57DHS.tmp

Filesize
659KB

MD5
5aa68bb2bf3b994bda93834ad34e7963

SHA1
0156732d5dd48feacfab3aa07764061d73b9116c

SHA256
a90bfd9874c3e60650dba4c286b97ccdb375a456b95556feb38f3cba214770aa

SHA512
e52fecbba96aa911552ef0e11d5d044ec44caf6e0947f64c9a17b04d846a3e86d19e4dfa5ac981fc98d44f941fda3a697c1d23ac6e8ef162f4bcdde9142f22f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsa77FC.tmp\CR.History.tmp

Filesize
160KB

MD5
f310cf1ff562ae14449e0167a3e1fe46

SHA1
85c58afa9049467031c6c2b17f5c12ca73bb2788

SHA256
e187946249cd390a3c1cf5d4e3b0d8f554f9acdc416bf4e7111fff217bb08855

SHA512
1196371de08c964268c44103ccaed530bda6a145df98e0f480d8ee5ad58cb6fb33ca4c9195a52181fe864726dcf52e6a7a466d693af0cda43400a3a7ef125fad

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsa77FC.tmp\CR.History.tmp

Filesize
124KB

MD5
03ed2e6e4016b6c6ab4142d79103a0ff

SHA1
be75f92158362efbbb385e7ae2083e18df5533be

SHA256
49511239b82b817d2a3f4c366acbccf4e680bdfbdce72e00071b8e6da5ba609f

SHA512
ed5a1036004253937cb054b760b04bb32ec1758ad57e8d857867768613082149256129325824d42703cd2d74c4296f7c108f322c3cf5345a12dcada632052f5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsa77FC.tmp\FF.places.tmp

Filesize
5.0MB

MD5
81412f7f844b75a6c65ed71eac0b9e61

SHA1
39b14eb48e13daaf94023482666fc9e13118ba72

SHA256
e37ca7753860c60248b70828432c8e018a3788479808fdfdbc4d3b369b381019

SHA512
63f2f6af6974091fb8de9dae945b392bb5f68abe66f7d9e3906089bb31f8e7ae2be03fcce44288514678b2b79eb309667b4607e9132183d1bb9a631ad65a983a

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsa77FC.tmp\JsisPlugins.dll

Filesize
2.1MB

MD5
d21ae3f86fc69c1580175b7177484fa7

SHA1
2ed2c1f5c92ff6daa5ea785a44a6085a105ae822

SHA256
a6241f168cacb431bfcd4345dd77f87b378dd861b5d440ae8d3ffd17b9ceb450

SHA512
eda08b6ebdb3f0a3b6b43ef755fc275396a8459b8fc8a41eff55473562c394d015e5fe573b3b134eeed72edff2b0f21a3b9ee69a4541fd9738e880b71730303f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsa77FC.tmp\Midex.dll

Filesize
126KB

MD5
2597a829e06eb9616af49fcd8052b8bd

SHA1
871801aba3a75f95b10701f31303de705cb0bc5a

SHA256
7359ca1befdb83d480fc1149ac0e8e90354b5224db7420b14b2d96d87cd20a87

SHA512
8e5552b2f6e1c531aaa9fd507aa53c6e3d2f1dd63fe19e6350c5b6fbb009c99d353bb064a9eba4c31af6a020b31c0cd519326d32db4c8b651b83952e265ffb35

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsa77FC.tmp\StdUtils.dll

Filesize
195KB

MD5
34939c7b38bffedbf9b9ed444d689bc9

SHA1
81d844048f7b11cafd7561b7242af56e92825697

SHA256
b127f3e04429d9f841a03bfd9344a0450594004c770d397fb32a76f6b0eabed0

SHA512
bc1b347986a5d2107ad03b65e4b9438530033975fb8cc0a63d8ef7d88c1a96f70191c727c902eb7c3e64aa5de9ce6bb04f829ceb627eda278f44ca3dd343a953

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsa77FC.tmp\jsis.dll

Filesize
127KB

MD5
2027121c3cdeb1a1f8a5f539d1fe2e28

SHA1
bcf79f49f8fc4c6049f33748ded21ec3471002c2

SHA256
1dae8b6de29f2cfc0745d9f2a245b9ecb77f2b272a5b43de1ba5971c43bf73a1

SHA512
5b0d9966ecc08bcc2c127b2bd916617b8de2dcbdc28aff7b4b8449a244983bfbe33c56f5c4a53b7cf21faf1dbab4bb845a5894492e7e10f3f517071f7a59727c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsa77FC.tmp\nsJSON.dll

Filesize
36KB

MD5
f840a9ddd319ee8c3da5190257abde5b

SHA1
3e868939239a5c6ef9acae10e1af721e4f99f24b

SHA256
ddb6c9f8de72ddd589f009e732040250b2124bca6195aa147aa7aac43fc2c73a

SHA512
8e12391027af928e4f7dad1ec4ab83e8359b19a7eb0be0372d051dfd2dd643dc0dfa086bd345760a496e5630c17f53db22f6008ae665033b766cbfcdd930881a

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsa77FC.tmp\thirdparty.dll

Filesize
93KB

MD5
7b4bd3b8ad6e913952f8ed1ceef40cd4

SHA1
b15c0b90247a5066bd06d094fa41a73f0f931cb8

SHA256
a49d3e455d7aeca2032c30fc099bfad1b1424a2f55ec7bb0f6acbbf636214754

SHA512
d7168f9504dd6bbac7ee566c3591bfd7ad4e55bcac463cecb70540197dfe0cd969af96d113c6709d6c8ce6e91f2f5f6542a95c1a149caa78ba4bcb971e0c12a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp44E4.tmp

Filesize
1KB

MD5
d65368fc6eab129858ab83d1d31c4bb0

SHA1
ff026854b460d8dd3e2c7a498249d8a8f96cfe18

SHA256
0b1f69b97c316b3f39a09c7aa1c11c517bf576a5e1a1dbb9ea9260067362c864

SHA512
5814fd2e2bb58d88654db3f80d9e13e5d7f5398678b090a29cb1e8270a3bc03f3dc572e03e8327a2ce59ec0bf492802e2820e4310941d44d4c63044160be37ad

Download Submit
C:\Windows\System\vHMtwrQ.exe

Filesize
5.2MB

MD5
2820591c0309d3f3c989f93dc1470e98

SHA1
9a17362764ec58fa790c8001abc2d648c628512f

SHA256
ebf9495f11378ddd80d42a195cf3a081cb44378606cd569bf5e9f06324d3d6e2

SHA512
2df745f293a32a805eeec27dbbdc9b13dfacb8ea24f4ea4af6dd3ae4b54852719a5fff149622d9730345d4d61ede26f76e909209ffdda39ea5d60c03341390c5

Download Submit
memory/740-336-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/760-4-0x00000000052B0000-0x0000000005854000-memory.dmp

Filesize
5.6MB

Download
memory/760-1-0x00000000002D0000-0x000000000031A000-memory.dmp

Filesize
296KB

Download
memory/760-94-0x00000000748DE000-0x00000000748DF000-memory.dmp

Filesize
4KB

Download
memory/760-95-0x00000000748D0000-0x0000000075080000-memory.dmp

Filesize
7.7MB

Download
memory/760-0-0x00000000748DE000-0x00000000748DF000-memory.dmp

Filesize
4KB

Download
memory/760-2-0x0000000000E30000-0x0000000000E54000-memory.dmp

Filesize
144KB

Download
memory/760-3-0x00000000748D0000-0x0000000075080000-memory.dmp

Filesize
7.7MB

Download
memory/760-2486-0x00000000748D0000-0x0000000075080000-memory.dmp

Filesize
7.7MB

Download
memory/860-422-0x000000006FE10000-0x000000006FE5C000-memory.dmp

Filesize
304KB

Download
memory/892-627-0x00007FF782480000-0x00007FF7824A6000-memory.dmp

Filesize
152KB

Download
memory/892-819-0x00007FF782480000-0x00007FF7824A6000-memory.dmp

Filesize
152KB

Download
memory/1104-445-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1104-340-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1228-85-0x00000000748D0000-0x0000000075080000-memory.dmp

Filesize
7.7MB

Download
memory/1228-84-0x00000000055A0000-0x0000000005632000-memory.dmp

Filesize
584KB

Download
memory/1228-81-0x00000000748D0000-0x0000000075080000-memory.dmp

Filesize
7.7MB

Download
memory/1228-80-0x0000000000A40000-0x0000000000C32000-memory.dmp

Filesize
1.9MB

Download
memory/1228-82-0x0000000005460000-0x00000000054FC000-memory.dmp

Filesize
624KB

Download
memory/1228-87-0x0000000005800000-0x0000000005856000-memory.dmp

Filesize
344KB

Download
memory/1228-96-0x00000000748D0000-0x0000000075080000-memory.dmp

Filesize
7.7MB

Download
memory/1228-86-0x0000000005570000-0x000000000557A000-memory.dmp

Filesize
40KB

Download
memory/1480-2471-0x00007FF6CB560000-0x00007FF6CB8B1000-memory.dmp

Filesize
3.3MB

Download
memory/2244-628-0x00007FF67B070000-0x00007FF67B096000-memory.dmp

Filesize
152KB

Download
memory/2244-852-0x00007FF67B070000-0x00007FF67B096000-memory.dmp

Filesize
152KB

Download
memory/2484-481-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/2792-2369-0x00007FF7FAC40000-0x00007FF7FAF91000-memory.dmp

Filesize
3.3MB

Download
memory/2792-2387-0x0000015854A30000-0x0000015854A40000-memory.dmp

Filesize
64KB

Download
memory/2792-2500-0x00007FF7FAC40000-0x00007FF7FAF91000-memory.dmp

Filesize
3.3MB

Download
memory/3088-455-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/3152-355-0x0000000007260000-0x00000000072E2000-memory.dmp

Filesize
520KB

Download
memory/3152-103-0x0000000000F50000-0x000000000103A000-memory.dmp

Filesize
936KB

Download
memory/3152-107-0x0000000005E40000-0x0000000005E50000-memory.dmp

Filesize
64KB

Download
memory/3496-2467-0x00007FF7DDE80000-0x00007FF7DE1D1000-memory.dmp

Filesize
3.3MB

Download
memory/3628-2477-0x00007FF768540000-0x00007FF768891000-memory.dmp

Filesize
3.3MB

Download
memory/3744-902-0x0000000007230000-0x00000000072D3000-memory.dmp

Filesize
652KB

Download
memory/3744-888-0x0000000065F70000-0x0000000065FBC000-memory.dmp

Filesize
304KB

Download
memory/4296-346-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4296-480-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4788-474-0x0000000000400000-0x00000000004ED000-memory.dmp

Filesize
948KB

Download
memory/4788-479-0x0000000000400000-0x00000000004ED000-memory.dmp

Filesize
948KB

Download
memory/4788-512-0x0000000000400000-0x00000000004ED000-memory.dmp

Filesize
948KB

Download
memory/4812-2437-0x00007FF775960000-0x00007FF775CB1000-memory.dmp

Filesize
3.3MB

Download
memory/4812-2519-0x00007FF775960000-0x00007FF775CB1000-memory.dmp

Filesize
3.3MB

Download
memory/4832-2466-0x00007FF7F8E80000-0x00007FF7F91D1000-memory.dmp

Filesize
3.3MB

Download
memory/4928-2385-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/4928-2384-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/4936-816-0x0000000006260000-0x00000000062AC000-memory.dmp

Filesize
304KB

Download
memory/4936-689-0x0000000005CD0000-0x0000000006024000-memory.dmp

Filesize
3.3MB

Download
memory/4936-903-0x0000000065F70000-0x0000000065FBC000-memory.dmp

Filesize
304KB

Download
memory/4936-956-0x00000000077B0000-0x00000000077C1000-memory.dmp

Filesize
68KB

Download
memory/4936-998-0x00000000077E0000-0x00000000077F4000-memory.dmp

Filesize
80KB

Download
memory/5000-657-0x0000000009C30000-0x0000000009C38000-memory.dmp

Filesize
32KB

Download
memory/5000-659-0x0000000009B90000-0x0000000009B9E000-memory.dmp

Filesize
56KB

Download
memory/5000-637-0x0000000000F30000-0x0000000000F4C000-memory.dmp

Filesize
112KB

Download
memory/5000-658-0x0000000009BB0000-0x0000000009BE8000-memory.dmp

Filesize
224KB

Download
memory/5160-625-0x00007FF6E70C0000-0x00007FF6E70E9000-memory.dmp

Filesize
164KB

Download
memory/5160-817-0x00007FF6E70C0000-0x00007FF6E70E9000-memory.dmp

Filesize
164KB

Download
memory/5232-2422-0x00007FF7C9960000-0x00007FF7C9CB1000-memory.dmp

Filesize
3.3MB

Download
memory/5232-2518-0x00007FF7C9960000-0x00007FF7C9CB1000-memory.dmp

Filesize
3.3MB

Download
memory/5268-2501-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/5268-2370-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/5320-2373-0x0000000004B00000-0x0000000004BE2000-memory.dmp

Filesize
904KB

Download
memory/5320-2372-0x0000000000060000-0x0000000000202000-memory.dmp

Filesize
1.6MB

Download
memory/5320-2374-0x0000000004BE0000-0x0000000004C02000-memory.dmp

Filesize
136KB

Download
memory/5340-2468-0x00007FF63CB20000-0x00007FF63CE71000-memory.dmp

Filesize
3.3MB

Download
memory/5344-482-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/5476-920-0x0000000065F70000-0x0000000065FBC000-memory.dmp

Filesize
304KB

Download
memory/5556-2469-0x00007FF64EBF0000-0x00007FF64EF41000-memory.dmp

Filesize
3.3MB

Download
memory/5688-2434-0x00007FF65B860000-0x00007FF65BBB1000-memory.dmp

Filesize
3.3MB

Download
memory/5692-2473-0x00007FF75A4E0000-0x00007FF75A831000-memory.dmp

Filesize
3.3MB

Download
memory/5904-404-0x00000000072F0000-0x0000000007322000-memory.dmp

Filesize
200KB

Download
memory/5904-370-0x0000000005C40000-0x0000000005CA6000-memory.dmp

Filesize
408KB

Download
memory/5904-415-0x00000000072B0000-0x00000000072CE000-memory.dmp

Filesize
120KB

Download
memory/5904-435-0x0000000007970000-0x0000000007978000-memory.dmp

Filesize
32KB

Download
memory/5904-416-0x0000000007330000-0x00000000073D3000-memory.dmp

Filesize
652KB

Download
memory/5904-434-0x0000000007990000-0x00000000079AA000-memory.dmp

Filesize
104KB

Download
memory/5904-433-0x0000000007890000-0x00000000078A4000-memory.dmp

Filesize
80KB

Download
memory/5904-418-0x0000000007650000-0x000000000766A000-memory.dmp

Filesize
104KB

Download
memory/5904-367-0x0000000005400000-0x0000000005A28000-memory.dmp

Filesize
6.2MB

Download
memory/5904-417-0x0000000007CA0000-0x000000000831A000-memory.dmp

Filesize
6.5MB

Download
memory/5904-403-0x0000000006350000-0x000000000639C000-memory.dmp

Filesize
304KB

Download
memory/5904-402-0x0000000006330000-0x000000000634E000-memory.dmp

Filesize
120KB

Download
memory/5904-419-0x00000000076C0000-0x00000000076CA000-memory.dmp

Filesize
40KB

Download
memory/5904-366-0x0000000002A30000-0x0000000002A66000-memory.dmp

Filesize
216KB

Download
memory/5904-432-0x0000000007880000-0x000000000788E000-memory.dmp

Filesize
56KB

Download
memory/5904-380-0x0000000005CB0000-0x0000000005D16000-memory.dmp

Filesize
408KB

Download
memory/5904-420-0x00000000078D0000-0x0000000007966000-memory.dmp

Filesize
600KB

Download
memory/5904-369-0x0000000005BA0000-0x0000000005BC2000-memory.dmp

Filesize
136KB

Download
memory/5904-382-0x0000000005D20000-0x0000000006074000-memory.dmp

Filesize
3.3MB

Download
memory/5904-405-0x000000006FE10000-0x000000006FE5C000-memory.dmp

Filesize
304KB

Download
memory/5904-421-0x0000000007850000-0x0000000007861000-memory.dmp

Filesize
68KB

Download
memory/5940-443-0x0000000006320000-0x0000000006370000-memory.dmp

Filesize
320KB

Download
memory/5940-381-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/6020-2447-0x00007FF796FF0000-0x00007FF797341000-memory.dmp

Filesize
3.3MB

Download
memory/6032-2446-0x00007FF728D10000-0x00007FF729061000-memory.dmp

Filesize
3.3MB

Download
memory/6076-626-0x00007FF6C90E0000-0x00007FF6C9107000-memory.dmp

Filesize
156KB

Download
memory/6076-818-0x00007FF6C90E0000-0x00007FF6C9107000-memory.dmp

Filesize
156KB

Download
memory/6192-2472-0x00007FF73B9E0000-0x00007FF73BD31000-memory.dmp

Filesize
3.3MB

Download
memory/6252-853-0x0000000000340000-0x00000000006FB000-memory.dmp

Filesize
3.7MB

Download
memory/6252-1044-0x0000000000340000-0x00000000006FB000-memory.dmp

Filesize
3.7MB

Download
memory/6252-993-0x0000000000340000-0x00000000006FB000-memory.dmp

Filesize
3.7MB

Download
memory/6424-2474-0x00007FF610210000-0x00007FF610561000-memory.dmp

Filesize
3.3MB

Download
memory/6464-2476-0x00007FF651A40000-0x00007FF651D91000-memory.dmp

Filesize
3.3MB

Download
memory/6468-2464-0x00007FF7794E0000-0x00007FF779831000-memory.dmp

Filesize
3.3MB

Download
memory/6516-2475-0x00007FF7C6530000-0x00007FF7C6881000-memory.dmp

Filesize
3.3MB

Download
memory/6568-2405-0x00007FF61C670000-0x00007FF61C9C1000-memory.dmp

Filesize
3.3MB

Download
memory/6568-2517-0x00007FF61C670000-0x00007FF61C9C1000-memory.dmp

Filesize
3.3MB

Download
memory/6604-2432-0x00007FF625670000-0x00007FF6259C1000-memory.dmp

Filesize
3.3MB

Download
memory/6604-2520-0x00007FF625670000-0x00007FF6259C1000-memory.dmp

Filesize
3.3MB

Download
memory/6608-2449-0x00007FF6B1950000-0x00007FF6B1CA1000-memory.dmp

Filesize
3.3MB

Download
memory/6852-2441-0x00007FF6AC990000-0x00007FF6ACCE1000-memory.dmp

Filesize
3.3MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads