agenttesla | b092df938c83fe5f929d53a2f449f54de2ee7156881b72932b42d6127f9e6df6

Analysis

max time kernel
150s
max time network
141s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
16-09-2024 08:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-09-16_09dc1da297f4981397cc9a9854cc0339_cobalt-strike_cobaltstrike_hijackloader_karagany_mafia_poet-rat.exe
Size

58.1MB
MD5

09dc1da297f4981397cc9a9854cc0339
SHA1

73f45544088fe01663494b109acf61b4c2d3c081
SHA256

b092df938c83fe5f929d53a2f449f54de2ee7156881b72932b42d6127f9e6df6
SHA512

bbf165224365ff6999ce9e4395000007940c9670abec686a9bba742dceb0bd630f83c5a8afce4931b739d930e4951e9fa4cc5227a8248e12097060208edda9ac
SSDEEP

1572864:rLOrJXzVo0mz3uu2etPQiWmoh8rb28CQG2Y:rLqJXBo0kuu3IDmnrb5Y

Score

10^/10

agenttesla cobaltstrike modiloader raccoon xmrig 2ca5558c9ec8037d24a611513d7bd076 backdoor bootkit credential_access discovery evasion execution keylogger miner persistence spyware stealer trojan upx

Malware Config

Extracted

Family

raccoon

Botnet

2ca5558c9ec8037d24a611513d7bd076

https://192.153.57.177:80

Attributes

user_agent
MrBidenNeverKnow

xor.plain

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.iaa-airferight.com
Port:
587
Username:
[email protected]
Password:
webmaster
Email To:
[email protected]

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

Cobalt Strike reflective loader 1 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral1/files/0x0009000000017472-2741.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader
Raccoon
Raccoon is an infostealer written in C++ and first seen in 2019.
stealer raccoon

Raccoon Stealer V2 payload 3 IoCs

resource	yara_rule
behavioral1/memory/1624-2782-0x0000000000400000-0x0000000000416000-memory.dmp	family_raccoon_v2
behavioral1/memory/1624-2781-0x0000000000400000-0x0000000000416000-memory.dmp	family_raccoon_v2
behavioral1/memory/1624-2778-0x0000000000400000-0x0000000000416000-memory.dmp	family_raccoon_v2

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

ModiLoader Second Stage 2 IoCs

resource	yara_rule
behavioral1/memory/3336-2770-0x0000000000400000-0x0000000000451000-memory.dmp	modiloader_stage2
behavioral1/memory/832-2854-0x000000013FE40000-0x0000000140191000-memory.dmp	modiloader_stage2

XMRig Miner payload 26 IoCs

miner

resource	yara_rule
behavioral1/memory/1580-2747-0x000000013F5B0000-0x000000013F901000-memory.dmp	xmrig
behavioral1/memory/1560-2755-0x000000013FC40000-0x000000013FF91000-memory.dmp	xmrig
behavioral1/memory/692-2763-0x000000013F2F0000-0x000000013F641000-memory.dmp	xmrig
behavioral1/memory/3164-2768-0x000000013FB10000-0x000000013FE61000-memory.dmp	xmrig
behavioral1/memory/832-2771-0x000000013FE40000-0x0000000140191000-memory.dmp	xmrig
behavioral1/memory/832-2769-0x000000013F910000-0x000000013FC61000-memory.dmp	xmrig
behavioral1/memory/1480-2786-0x000000013FE40000-0x0000000140191000-memory.dmp	xmrig
behavioral1/memory/3648-2792-0x000000013F7B0000-0x000000013FB01000-memory.dmp	xmrig
behavioral1/memory/1224-2804-0x000000013FC10000-0x000000013FF61000-memory.dmp	xmrig
behavioral1/memory/1432-2798-0x000000013F3F0000-0x000000013F741000-memory.dmp	xmrig
behavioral1/memory/3668-2846-0x000000013FE70000-0x00000001401C1000-memory.dmp	xmrig
behavioral1/memory/3244-2849-0x000000013F3C0000-0x000000013F711000-memory.dmp	xmrig
behavioral1/memory/3812-2852-0x000000013F820000-0x000000013FB71000-memory.dmp	xmrig
behavioral1/memory/832-2854-0x000000013FE40000-0x0000000140191000-memory.dmp	xmrig
behavioral1/memory/832-2860-0x000000013F910000-0x000000013FC61000-memory.dmp	xmrig
behavioral1/memory/1580-2923-0x000000013F5B0000-0x000000013F901000-memory.dmp	xmrig
behavioral1/memory/1560-2929-0x000000013FC40000-0x000000013FF91000-memory.dmp	xmrig
behavioral1/memory/692-2931-0x000000013F2F0000-0x000000013F641000-memory.dmp	xmrig
behavioral1/memory/3164-2933-0x000000013FB10000-0x000000013FE61000-memory.dmp	xmrig
behavioral1/memory/1480-2935-0x000000013FE40000-0x0000000140191000-memory.dmp	xmrig
behavioral1/memory/3648-2937-0x000000013F7B0000-0x000000013FB01000-memory.dmp	xmrig
behavioral1/memory/1432-2939-0x000000013F3F0000-0x000000013F741000-memory.dmp	xmrig
behavioral1/memory/1224-2941-0x000000013FC10000-0x000000013FF61000-memory.dmp	xmrig
behavioral1/memory/3668-2943-0x000000013FE70000-0x00000001401C1000-memory.dmp	xmrig
behavioral1/memory/3244-2945-0x000000013F3C0000-0x000000013F711000-memory.dmp	xmrig
behavioral1/memory/3812-2947-0x000000013F820000-0x000000013FB71000-memory.dmp	xmrig

Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
3200	powershell.exe
3192	powershell.exe
3184	powershell.exe
1308	powershell.exe
2624	powershell.exe

Sets file to hidden 1 TTPs 1 IoCs

Modifies file attributes to stop it showing in Explorer etc.

evasion

Hidden Files and Directories

T1564.001

pid	Process
1432	attrib.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Control Panel\International\Geo\Nation	avg.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Control Panel\International\Geo\Nation	ajECD2.exe

Executes dropped EXE 48 IoCs

pid	Process
3068	anti.exe
556	butdes.exe
2916	flydes.exe
2956	i.exe
1776	butdes.tmp
2808	flydes.tmp
2276	gx.exe
1980	bundle.exe
1196	avg.exe
2336	rckdck.exe
1996	telamon.exe
3044	stopwatch.exe
2972	is-9NP3O.tmp
1700	setup.exe
1012	g_.exe
1548	telamon.tmp
2064	t.exe
340	g.exe
876	e.exe
2456	Bootstraper.exe
1588	tt-installer-helper.exe
3740	tt-installer-helper.exe
3120	ajECD2.exe
832	cobstrk.exe
3336	jaf.exe
3208	file.exe
2724	PurchaseOrder.exe
1580	IYxejPc.exe
1560	AsVwsVG.exe
692	ocfYfxL.exe
3164	VaMyFux.exe
1480	fJkpBPI.exe
3648	rdaedGX.exe
1432	muERLfe.exe
1224	mpckmTG.exe
3668	ylpdzib.exe
3244	jeAcbZK.exe
3812	CgpvIPj.exe
764	vDjNSZX.exe
1312	jiqcJLL.exe
3644	rqqSXuu.exe
3888	xMzIHpS.exe
2132	VMHHSKn.exe
3808	YLZllXO.exe
1684	xIBfKyO.exe
2440	lpsNkcT.exe
1604	reuSRMs.exe
4012	fsJPfXz.exe

Loads dropped DLL 64 IoCs

pid	Process
2836	cmd.exe
2836	cmd.exe
2836	cmd.exe
2836	cmd.exe
2836	cmd.exe
2916	flydes.exe
556	butdes.exe
2836	cmd.exe
2836	cmd.exe
2836	cmd.exe
2836	cmd.exe
2836	cmd.exe
2336	rckdck.exe
2836	cmd.exe
1196	avg.exe
1196	avg.exe
1996	telamon.exe
2836	cmd.exe
2836	cmd.exe
2060	Process not Found
2064	t.exe
2836	cmd.exe
2836	cmd.exe
1012	g_.exe
340	g.exe
1012	g_.exe
340	g.exe
2064	t.exe
876	e.exe
876	e.exe
1548	telamon.tmp
2836	cmd.exe
1196	avg.exe
1452	cmd.exe
3540	cmd.exe
1196	avg.exe
1196	avg.exe
1196	avg.exe
1196	avg.exe
3120	ajECD2.exe
3120	ajECD2.exe
3120	ajECD2.exe
3120	ajECD2.exe
3120	ajECD2.exe
3120	ajECD2.exe
3120	ajECD2.exe
3120	ajECD2.exe
1740	WerFault.exe
1740	WerFault.exe
1740	WerFault.exe
1740	WerFault.exe
2836	cmd.exe
2836	cmd.exe
2836	cmd.exe
2836	cmd.exe
2836	cmd.exe
2724	PurchaseOrder.exe
2724	PurchaseOrder.exe
2724	PurchaseOrder.exe
3416	Process not Found
832	cobstrk.exe
832	cobstrk.exe
832	cobstrk.exe
832	cobstrk.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 26 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/832-2722-0x000000013F910000-0x000000013FC61000-memory.dmp	upx
behavioral1/files/0x0009000000017472-2741.dat	upx
behavioral1/memory/1580-2747-0x000000013F5B0000-0x000000013F901000-memory.dmp	upx
behavioral1/memory/1560-2755-0x000000013FC40000-0x000000013FF91000-memory.dmp	upx
behavioral1/memory/692-2763-0x000000013F2F0000-0x000000013F641000-memory.dmp	upx
behavioral1/memory/3164-2768-0x000000013FB10000-0x000000013FE61000-memory.dmp	upx
behavioral1/memory/832-2769-0x000000013F910000-0x000000013FC61000-memory.dmp	upx
behavioral1/memory/1480-2786-0x000000013FE40000-0x0000000140191000-memory.dmp	upx
behavioral1/memory/3648-2792-0x000000013F7B0000-0x000000013FB01000-memory.dmp	upx
behavioral1/memory/1224-2804-0x000000013FC10000-0x000000013FF61000-memory.dmp	upx
behavioral1/memory/1432-2798-0x000000013F3F0000-0x000000013F741000-memory.dmp	upx
behavioral1/memory/3668-2846-0x000000013FE70000-0x00000001401C1000-memory.dmp	upx
behavioral1/memory/3244-2849-0x000000013F3C0000-0x000000013F711000-memory.dmp	upx
behavioral1/memory/3812-2852-0x000000013F820000-0x000000013FB71000-memory.dmp	upx
behavioral1/memory/832-2860-0x000000013F910000-0x000000013FC61000-memory.dmp	upx
behavioral1/memory/1580-2923-0x000000013F5B0000-0x000000013F901000-memory.dmp	upx
behavioral1/memory/1560-2929-0x000000013FC40000-0x000000013FF91000-memory.dmp	upx
behavioral1/memory/692-2931-0x000000013F2F0000-0x000000013F641000-memory.dmp	upx
behavioral1/memory/3164-2933-0x000000013FB10000-0x000000013FE61000-memory.dmp	upx
behavioral1/memory/1480-2935-0x000000013FE40000-0x0000000140191000-memory.dmp	upx
behavioral1/memory/3648-2937-0x000000013F7B0000-0x000000013FB01000-memory.dmp	upx
behavioral1/memory/1432-2939-0x000000013F3F0000-0x000000013F741000-memory.dmp	upx
behavioral1/memory/1224-2941-0x000000013FC10000-0x000000013FF61000-memory.dmp	upx
behavioral1/memory/3668-2943-0x000000013FE70000-0x00000001401C1000-memory.dmp	upx
behavioral1/memory/3244-2945-0x000000013F3C0000-0x000000013F711000-memory.dmp	upx
behavioral1/memory/3812-2947-0x000000013F820000-0x000000013FB71000-memory.dmp	upx

Checks for any installed AV software in registry 1 TTPs 4 IoCs

Security Software Discovery

T1518.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\AVAST Software\Avast	avg.exe
Key opened	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\SOFTWARE\AVAST Software\Avast	avg.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\AVAST Software\Avast	ajECD2.exe
Key opened	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\SOFTWARE\AVAST Software\Avast	ajECD2.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	jaf.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
66	api.ipify.org
67	api.ipify.org

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	ajECD2.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 3208 set thread context of 1624	3208	file.exe	468
PID 2724 set thread context of 4008	2724	PurchaseOrder.exe	492

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\images\square_m.png	msiexec.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\images\dial_lrg_sml.png	msiexec.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\7.png	msiexec.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\tile_bezel.png	msiexec.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\images\in_sidebar\bg_sidebar.png	msiexec.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\settings.ini	msiexec.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\images\bg-today.png	msiexec.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\images\calendar_single_orange.png	msiexec.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\images\cronometer_dot.png	msiexec.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\images\settings_corner_bottom_right.png	msiexec.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\hint_down.png	msiexec.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\settings_left_hover.png	msiexec.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\images\bg-desk.png	msiexec.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\images\rings-dock.png	msiexec.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\drag.png	msiexec.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\icon.png	msiexec.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\5.png	msiexec.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\settings_divider.png	msiexec.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\images\modern.png	msiexec.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\images\rssLogo.gif	msiexec.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\images\play_rest.png	msiexec.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\images\settings_corner_bottom_left.png	msiexec.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\images\settings_corner_top_right.png	msiexec.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\settings_divider_right.png	msiexec.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\images\next_rest.png	msiexec.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\images\system.png	msiexec.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\icon.png	msiexec.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\images\blank.png	msiexec.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\images\settings_box_right.png	msiexec.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\images\flower_dot.png	msiexec.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\images\settings_box_divider_left.png	msiexec.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\1.png	msiexec.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\settings_box_right.png	msiexec.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\icon.png	msiexec.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\images\novelty_s.png	msiexec.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\images\system_h.png	msiexec.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\images\bNext.png	msiexec.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\images\settings_box_top.png	msiexec.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\images\trad_s.png	msiexec.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\images\curl-hot.png	msiexec.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\images\settings_box_bottom.png	msiexec.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\background.png	msiexec.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\images\bNext-disable.png	msiexec.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\setting_back.png	msiexec.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\images\bPrev-down.png	msiexec.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\images\settings_left_pressed.png	msiexec.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\images\bPrev-hot.png	msiexec.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\images\settings_right_rest.png	msiexec.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\images\dialdot_lrg.png	msiexec.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\settings_left_rest.png	msiexec.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\images\pause_rest.png	msiexec.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\images\calendar_double_bkg.png	msiexec.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\images\square.png	msiexec.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\images\dial_sml.png	msiexec.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\0.png	msiexec.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\settings_corner_top_right.png	msiexec.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\images\buttonDown_Off.png	msiexec.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\images\bPrev.png	msiexec.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\images\item_hover_floating.png	msiexec.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\images\navBack.png	msiexec.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\images\bNext-down.png	msiexec.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\images\settings_left_rest.png	msiexec.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\drag.png	msiexec.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\settings_right_pressed.png	msiexec.exe

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\CgpvIPj.exe	cobstrk.exe
File created	C:\Windows\System\VaMyFux.exe	cobstrk.exe
File created	C:\Windows\System\muERLfe.exe	cobstrk.exe
File created	C:\Windows\System\ylpdzib.exe	cobstrk.exe
File created	C:\Windows\System\VMHHSKn.exe	cobstrk.exe
File created	C:\Windows\System\lpsNkcT.exe	cobstrk.exe
File created	C:\Windows\System\mpckmTG.exe	cobstrk.exe
File created	C:\Windows\System\rqqSXuu.exe	cobstrk.exe
File created	C:\Windows\System\jeAcbZK.exe	cobstrk.exe
File created	C:\Windows\System\YLZllXO.exe	cobstrk.exe
File created	C:\Windows\System\vDjNSZX.exe	cobstrk.exe
File created	C:\Windows\System\IYxejPc.exe	cobstrk.exe
File created	C:\Windows\System\AsVwsVG.exe	cobstrk.exe
File created	C:\Windows\System\ocfYfxL.exe	cobstrk.exe
File created	C:\Windows\System\fJkpBPI.exe	cobstrk.exe
File created	C:\Windows\System\xMzIHpS.exe	cobstrk.exe
File created	C:\Windows\System\fsJPfXz.exe	cobstrk.exe
File created	C:\Windows\System\rdaedGX.exe	cobstrk.exe
File created	C:\Windows\System\xIBfKyO.exe	cobstrk.exe
File created	C:\Windows\System\jiqcJLL.exe	cobstrk.exe
File created	C:\Windows\System\reuSRMs.exe	cobstrk.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1740	2456	WerFault.exe	150

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	butdes.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe

Delays execution with timeout.exe 2 IoCs

evasion

pid	Process
2148	timeout.exe
3348	timeout.exe

Kills process with taskkill 64 IoCs

evasion

pid	Process
952	taskkill.exe
2832	taskkill.exe
3988	taskkill.exe
2736	taskkill.exe
3780	taskkill.exe
2364	taskkill.exe
2764	taskkill.exe
2440	taskkill.exe
3080	taskkill.exe
3696	taskkill.exe
2088	taskkill.exe
4044	taskkill.exe
3892	taskkill.exe
3464	taskkill.exe
4028	taskkill.exe
3528	taskkill.exe
988	taskkill.exe
2888	taskkill.exe
3360	taskkill.exe
1184	taskkill.exe
1292	taskkill.exe
2360	taskkill.exe
3884	taskkill.exe
784	taskkill.exe
1848	taskkill.exe
2072	taskkill.exe
2428	taskkill.exe
4028	taskkill.exe
2252	taskkill.exe
3292	taskkill.exe
3964	taskkill.exe
2880	taskkill.exe
3328	taskkill.exe
2280	taskkill.exe
3864	taskkill.exe
3880	taskkill.exe
956	taskkill.exe
1492	taskkill.exe
2340	taskkill.exe
2084	taskkill.exe
1624	taskkill.exe
692	taskkill.exe
2784	taskkill.exe
2904	taskkill.exe
2460	taskkill.exe
620	taskkill.exe
2988	taskkill.exe
3848	taskkill.exe
2432	taskkill.exe
3792	taskkill.exe
984	taskkill.exe
2072	taskkill.exe
3712	taskkill.exe
3860	taskkill.exe
4032	taskkill.exe
840	taskkill.exe
2524	taskkill.exe
2304	taskkill.exe
2572	taskkill.exe
2112	taskkill.exe
3704	taskkill.exe
3420	taskkill.exe
1576	taskkill.exe
3240	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 37 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000d793ad506ece624c80bd99362738d90700000000020000000000106600000001000020000000663670fe64a7c0708567e65ce852f553c50afb50568dbdabd409cbd784c1ca53000000000e8000000002000020000000c45ee811bce4853f4e345f7a9cf84116e7723f0b5a8431b53424c3aff2914207200000008a5db5444ee6953ec2978f3961a8f728d78fe7102e19acd9425db4596fc1a11c400000001e830a8f6bd617a8b39a5412ae829b24cd2605fd32ef72da3bc49b8dca6d017304bb7c701f25e45f692a4146dfef88f7dd9791e81e0ef7e07e77eb0ca4d6b686	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 900de8c41108db01	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000d793ad506ece624c80bd99362738d90700000000020000000000106600000001000020000000aebcd10833357482db1bc8fa07c8d1d3f4c2b190c418d395360a9678ecc575d4000000000e8000000002000020000000562a0539a0e70920de15b06e68d1c5ef0a33e938a78e6f2d5b8f82464fa648b0900000002b8d68d4f0397fadc7f054d1568cb540f6dd83f585f701bbbc938272bc3aa3faf86ca1e9cbb307f180c33e4af80865486998774bb0273d05750974d0e40861d11079977398534bf45f66c84af8fb7796587b718ae64b60af4618add38de6661aad851301ea5e61de2b63604b82c94477934c882e6c7247a8a1a18ef4a501bb4e6636d4cc3b2f2af14eb86a6eda35813e40000000c113be678e81d81689a7295c7e336fd0398e0222e22c21718ecc90abc971c2bbd30fbfdbed15918c5b8005b7587fbdeae33eaf0ca466a9bc95a7d432cfaec13d	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "432636894"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{FDD8C5E1-7404-11EF-B525-D686196AC2C0} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe

Modifies registry class 19 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\KnownFolderDerivedFolderType = "{57807898-8C4F-4462-BB63-71042380B109}"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_Classes\Local Settings	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\NodeSlot = "1"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = ffffffff	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Generic"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 19002f433a5c000000000000000000000000000000000000000000	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	IEXPLORE.EXE

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	ajECD2.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	ajECD2.exe

Opens file in notepad (likely ransom note) 2 IoCs

ransomware

pid	Process
4048	notepad.exe
3472	NOTEPAD.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2364	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1196	avg.exe
1196	avg.exe
1196	avg.exe
1196	avg.exe
1196	avg.exe
1196	avg.exe
1196	avg.exe
1196	avg.exe
1196	avg.exe
1196	avg.exe
1196	avg.exe
1196	avg.exe
1196	avg.exe
1196	avg.exe
3200	powershell.exe
3184	powershell.exe
3192	powershell.exe
1196	avg.exe
1196	avg.exe
1196	avg.exe
1196	avg.exe
1196	avg.exe
1196	avg.exe
1196	avg.exe
1196	avg.exe
1196	avg.exe
1196	avg.exe
1196	avg.exe
1196	avg.exe
1196	avg.exe
1196	avg.exe
1196	avg.exe
1196	avg.exe
1196	avg.exe
1196	avg.exe
3120	ajECD2.exe
1196	avg.exe
1196	avg.exe
3120	ajECD2.exe
1196	avg.exe
1196	avg.exe
3120	ajECD2.exe
3120	ajECD2.exe
3120	ajECD2.exe
3120	ajECD2.exe
3120	ajECD2.exe
1196	avg.exe
1196	avg.exe
1196	avg.exe
1196	avg.exe
1196	avg.exe
1196	avg.exe
1196	avg.exe
1196	avg.exe
1196	avg.exe
1196	avg.exe
1196	avg.exe
1196	avg.exe
1196	avg.exe
1196	avg.exe
1196	avg.exe
1196	avg.exe
1196	avg.exe
1196	avg.exe

Suspicious behavior: GetForegroundWindowSpam 6 IoCs

pid	Process
2808	flydes.tmp
1776	butdes.tmp
1980	bundle.exe
2972	is-9NP3O.tmp
1548	telamon.tmp
1012	g_.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2252	taskkill.exe
Token: SeDebugPrivilege	3024	taskkill.exe
Token: SeDebugPrivilege	2572	taskkill.exe
Token: SeDebugPrivilege	692	taskkill.exe
Token: SeDebugPrivilege	832	taskkill.exe
Token: SeDebugPrivilege	952	taskkill.exe
Token: SeDebugPrivilege	316	taskkill.exe
Token: SeDebugPrivilege	1684	taskkill.exe
Token: SeDebugPrivilege	1492	taskkill.exe
Token: SeDebugPrivilege	1588	taskkill.exe
Token: SeDebugPrivilege	2452	taskkill.exe
Token: SeDebugPrivilege	2100	taskkill.exe
Token: SeDebugPrivilege	292	taskkill.exe
Token: SeDebugPrivilege	344	taskkill.exe
Token: SeDebugPrivilege	784	taskkill.exe
Token: SeDebugPrivilege	988	taskkill.exe
Token: SeDebugPrivilege	1432	taskkill.exe
Token: SeDebugPrivilege	2244	taskkill.exe
Token: SeDebugPrivilege	1640	taskkill.exe
Token: SeDebugPrivilege	2360	taskkill.exe
Token: SeDebugPrivilege	1632	taskkill.exe
Token: SeDebugPrivilege	2828	taskkill.exe
Token: SeDebugPrivilege	2788	taskkill.exe
Token: SeDebugPrivilege	2612	taskkill.exe
Token: SeDebugPrivilege	2676	taskkill.exe
Token: SeDebugPrivilege	2336	taskkill.exe
Token: SeDebugPrivilege	2904	taskkill.exe
Token: SeDebugPrivilege	1576	taskkill.exe
Token: SeDebugPrivilege	1996	taskkill.exe
Token: SeDebugPrivilege	1688	taskkill.exe
Token: SeDebugPrivilege	1768	taskkill.exe
Token: SeDebugPrivilege	2164	taskkill.exe
Token: SeDebugPrivilege	2648	taskkill.exe
Token: SeDebugPrivilege	1096	taskkill.exe
Token: SeDebugPrivilege	692	taskkill.exe
Token: SeDebugPrivilege	956	taskkill.exe
Token: SeDebugPrivilege	1788	taskkill.exe
Token: SeDebugPrivilege	760	taskkill.exe
Token: SeDebugPrivilege	2340	taskkill.exe
Token: SeDebugPrivilege	1680	taskkill.exe
Token: SeDebugPrivilege	2228	taskkill.exe
Token: SeDebugPrivilege	2440	taskkill.exe
Token: SeDebugPrivilege	1952	taskkill.exe
Token: SeDebugPrivilege	1468	taskkill.exe
Token: SeDebugPrivilege	844	taskkill.exe
Token: SeDebugPrivilege	892	taskkill.exe
Token: SeDebugPrivilege	2556	taskkill.exe
Token: SeDebugPrivilege	876	taskkill.exe
Token: SeDebugPrivilege	2224	taskkill.exe
Token: SeDebugPrivilege	1532	taskkill.exe
Token: SeDebugPrivilege	1568	taskkill.exe
Token: SeDebugPrivilege	2052	taskkill.exe
Token: SeDebugPrivilege	1892	taskkill.exe
Token: SeDebugPrivilege	1632	taskkill.exe
Token: SeDebugPrivilege	2460	taskkill.exe
Token: SeDebugPrivilege	2828	taskkill.exe
Token: SeDebugPrivilege	2612	taskkill.exe
Token: SeDebugPrivilege	2676	taskkill.exe
Token: SeDebugPrivilege	2336	taskkill.exe
Token: SeDebugPrivilege	2904	taskkill.exe
Token: SeDebugPrivilege	1576	taskkill.exe
Token: SeDebugPrivilege	1996	taskkill.exe
Token: SeDebugPrivilege	1688	taskkill.exe
Token: SeDebugPrivilege	3024	taskkill.exe

Suspicious use of FindShellTrayWindow 15 IoCs

pid	Process
2292	iexplore.exe
2292	iexplore.exe
3068	anti.exe
2292	iexplore.exe
2292	iexplore.exe
2292	iexplore.exe
2292	iexplore.exe
2292	iexplore.exe
2292	iexplore.exe
3044	stopwatch.exe
1696	msiexec.exe
2292	iexplore.exe
2292	iexplore.exe
2292	iexplore.exe
2292	iexplore.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
2292	iexplore.exe
2292	iexplore.exe
1944	IEXPLORE.EXE
1944	IEXPLORE.EXE
1196	avg.exe
3308	IEXPLORE.EXE
3308	IEXPLORE.EXE
3120	ajECD2.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1904 wrote to memory of 2836	1904	2024-09-16_09dc1da297f4981397cc9a9854cc0339_cobalt-strike_cobaltstrike_hijackloader_karagany_mafia_poet-rat.exe	31
PID 1904 wrote to memory of 2836	1904	2024-09-16_09dc1da297f4981397cc9a9854cc0339_cobalt-strike_cobaltstrike_hijackloader_karagany_mafia_poet-rat.exe	31
PID 1904 wrote to memory of 2836	1904	2024-09-16_09dc1da297f4981397cc9a9854cc0339_cobalt-strike_cobaltstrike_hijackloader_karagany_mafia_poet-rat.exe	31
PID 1904 wrote to memory of 2836	1904	2024-09-16_09dc1da297f4981397cc9a9854cc0339_cobalt-strike_cobaltstrike_hijackloader_karagany_mafia_poet-rat.exe	31
PID 2836 wrote to memory of 3068	2836	cmd.exe	33
PID 2836 wrote to memory of 3068	2836	cmd.exe	33
PID 2836 wrote to memory of 3068	2836	cmd.exe	33
PID 2836 wrote to memory of 3068	2836	cmd.exe	33
PID 2836 wrote to memory of 2804	2836	cmd.exe	34
PID 2836 wrote to memory of 2804	2836	cmd.exe	34
PID 2836 wrote to memory of 2804	2836	cmd.exe	34
PID 2836 wrote to memory of 2804	2836	cmd.exe	34
PID 2804 wrote to memory of 2252	2804	cmd.exe	36
PID 2804 wrote to memory of 2252	2804	cmd.exe	36
PID 2804 wrote to memory of 2252	2804	cmd.exe	36
PID 2804 wrote to memory of 2252	2804	cmd.exe	36
PID 2836 wrote to memory of 2292	2836	cmd.exe	37
PID 2836 wrote to memory of 2292	2836	cmd.exe	37
PID 2836 wrote to memory of 2292	2836	cmd.exe	37
PID 2836 wrote to memory of 2292	2836	cmd.exe	37
PID 2836 wrote to memory of 556	2836	cmd.exe	38
PID 2836 wrote to memory of 556	2836	cmd.exe	38
PID 2836 wrote to memory of 556	2836	cmd.exe	38
PID 2836 wrote to memory of 556	2836	cmd.exe	38
PID 2836 wrote to memory of 556	2836	cmd.exe	38
PID 2836 wrote to memory of 556	2836	cmd.exe	38
PID 2836 wrote to memory of 556	2836	cmd.exe	38
PID 2836 wrote to memory of 2916	2836	cmd.exe	39
PID 2836 wrote to memory of 2916	2836	cmd.exe	39
PID 2836 wrote to memory of 2916	2836	cmd.exe	39
PID 2836 wrote to memory of 2916	2836	cmd.exe	39
PID 2836 wrote to memory of 2916	2836	cmd.exe	39
PID 2836 wrote to memory of 2916	2836	cmd.exe	39
PID 2836 wrote to memory of 2916	2836	cmd.exe	39
PID 2836 wrote to memory of 2956	2836	cmd.exe	40
PID 2836 wrote to memory of 2956	2836	cmd.exe	40
PID 2836 wrote to memory of 2956	2836	cmd.exe	40
PID 2836 wrote to memory of 2956	2836	cmd.exe	40
PID 2836 wrote to memory of 2148	2836	cmd.exe	41
PID 2836 wrote to memory of 2148	2836	cmd.exe	41
PID 2836 wrote to memory of 2148	2836	cmd.exe	41
PID 2836 wrote to memory of 2148	2836	cmd.exe	41
PID 2916 wrote to memory of 2808	2916	flydes.exe	42
PID 2916 wrote to memory of 2808	2916	flydes.exe	42
PID 2916 wrote to memory of 2808	2916	flydes.exe	42
PID 2916 wrote to memory of 2808	2916	flydes.exe	42
PID 2916 wrote to memory of 2808	2916	flydes.exe	42
PID 2916 wrote to memory of 2808	2916	flydes.exe	42
PID 2916 wrote to memory of 2808	2916	flydes.exe	42
PID 556 wrote to memory of 1776	556	butdes.exe	43
PID 556 wrote to memory of 1776	556	butdes.exe	43
PID 556 wrote to memory of 1776	556	butdes.exe	43
PID 556 wrote to memory of 1776	556	butdes.exe	43
PID 556 wrote to memory of 1776	556	butdes.exe	43
PID 556 wrote to memory of 1776	556	butdes.exe	43
PID 556 wrote to memory of 1776	556	butdes.exe	43
PID 2292 wrote to memory of 1944	2292	iexplore.exe	45
PID 2292 wrote to memory of 1944	2292	iexplore.exe	45
PID 2292 wrote to memory of 1944	2292	iexplore.exe	45
PID 2292 wrote to memory of 1944	2292	iexplore.exe	45
PID 2804 wrote to memory of 3024	2804	cmd.exe	108
PID 2804 wrote to memory of 3024	2804	cmd.exe	108
PID 2804 wrote to memory of 3024	2804	cmd.exe	108
PID 2804 wrote to memory of 3024	2804	cmd.exe	108

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
1432	attrib.exe

C:\Users\Admin\AppData\Local\Temp\2024-09-16_09dc1da297f4981397cc9a9854cc0339_cobalt-strike_cobaltstrike_hijackloader_karagany_mafia_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-16_09dc1da297f4981397cc9a9854cc0339_cobalt-strike_cobaltstrike_hijackloader_karagany_mafia_poet-rat.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1904
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\2024-09-16_09dc1da297f4981397cc9a9854cc0339_cobalt-strike_cobaltstrike_hijackloader_karagany_mafia_poet-rat_34efa695-726b-4f1e-a63f-3535ee277664\!m.bat" "
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2836
- - C:\Users\Admin\AppData\Local\Temp\2024-09-16_09dc1da297f4981397cc9a9854cc0339_cobalt-strike_cobaltstrike_hijackloader_karagany_mafia_poet-rat_34efa695-726b-4f1e-a63f-3535ee277664\anti.exe
    anti.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of FindShellTrayWindow
    PID:3068
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /K fence.bat
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2804
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im explorer.exe
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:2252
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:3024
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2572
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:692
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:832
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:952
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:316
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1684
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1492
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1588
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2452
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2100
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:292
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:344
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:784
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:988
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1432
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2244
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:1640
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2360
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:1632
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2828
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2788
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:2612
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2676
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2336
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2904
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1576
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1996
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1688
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1768
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:2164
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:2648
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1096
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:692
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:956
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1788
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:760
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2340
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1680
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2228
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2440
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:1952
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1468
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:844
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:892
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:2556
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:876
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2224
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1532
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1568
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:2052
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:1892
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1632
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2460
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2828
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2612
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2676
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2336
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2904
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1576
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1996
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1688
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3024
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:3048
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:2012
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      PID:984
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:1312
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:280
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:2996
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      Kills process with taskkill
      PID:2112
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:904
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:2180
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      Kills process with taskkill
      PID:2072
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:564
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:2288
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:744
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:112
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      Kills process with taskkill
      PID:784
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:2256
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:1560
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:2244
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:1568
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:2564
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      Kills process with taskkill
      PID:2460
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:2856
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      Kills process with taskkill
      PID:2888
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:2376
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:3228
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:3028
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:3892
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:3676
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:604
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:4016
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:2652
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:3372
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:3556
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      PID:3712
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      Kills process with taskkill
      PID:3080
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:3988
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:3520
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:3576
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:3648
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:3496
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:3636
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      Kills process with taskkill
      PID:2832
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      PID:3860
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:3736
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:4000
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:2572
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      Kills process with taskkill
      PID:4032
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:4024
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:2628
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:4016
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:3096
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:1484
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:2252
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:1716
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:1200
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:3712
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:3076
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      Kills process with taskkill
      PID:3328
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      Kills process with taskkill
      PID:3240
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      Kills process with taskkill
      PID:3360
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:3316
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:1244
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      Kills process with taskkill
      PID:2280
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      Kills process with taskkill
      PID:3864
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      Kills process with taskkill
      PID:3696
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      Kills process with taskkill
      PID:1848
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:3252
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:1096
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:1524
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:2624
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:904
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      Kills process with taskkill
      PID:2072
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:2684
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      Kills process with taskkill
      PID:620
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      Kills process with taskkill
      PID:1184
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      PID:3988
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:3184
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:3592
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:3884
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:3792
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:604
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:3544
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      Kills process with taskkill
      PID:1292
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:4088
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:988
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:3660
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      Kills process with taskkill
      PID:3704
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:3996
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      Kills process with taskkill
      PID:2088
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:3656
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:3692
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:1644
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:308
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      Kills process with taskkill
      PID:4044
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:1496
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:536
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:1640
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:3152
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:3948
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:3924
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:3048
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:1836
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:3092
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:3484
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:3404
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:3368
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:3224
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      Kills process with taskkill
      PID:840
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      Kills process with taskkill
      PID:2428
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:2280
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:3864
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:3696
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:3352
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:2852
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:1500
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:2352
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:1096
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:1020
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      Kills process with taskkill
      PID:3420
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:900
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:2716
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:3400
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:2496
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      Kills process with taskkill
      PID:2084
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:3248
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      Kills process with taskkill
      PID:2360
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:3520
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:2000
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:3612
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      Kills process with taskkill
      PID:1624
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:3540
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:3648
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:3496
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:3292
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      Kills process with taskkill
      PID:4028
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:2288
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      Kills process with taskkill
      PID:2988
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:564
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:3768
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:4000
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      Kills process with taskkill
      PID:2736
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:3972
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:3816
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:1584
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:4016
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:2424
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:2244
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:1632
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:3992
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:3936
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:3088
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:3688
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      PID:3848
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:4092
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:3104
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:3220
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:1880
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      Kills process with taskkill
      PID:3780
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:1576
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:1760
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:3976
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:3328
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:2180
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:3136
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:3272
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:2764
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      Kills process with taskkill
      PID:3892
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:2880
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      Kills process with taskkill
      PID:692
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:2492
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:3916
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:2072
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:620
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:1184
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:1780
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      Kills process with taskkill
      PID:2364
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:2888
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:2056
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:3788
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:3720
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:3652
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:2684
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:2132
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      Kills process with taskkill
      PID:2524
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:3660
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:3704
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:3896
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:3684
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:3656
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:3676
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:3596
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:1644
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:1412
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      Kills process with taskkill
      PID:2432
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:2348
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:3096
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:1484
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      Kills process with taskkill
      PID:2252
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:1716
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:2748
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:4032
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:3920
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:2960
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:2144
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      PID:2784
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:1256
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:3476
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:924
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:2724
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:3264
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:3696
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:3240
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:3460
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:2852
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:1580
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:2452
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:3504
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      Kills process with taskkill
      PID:2304
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:1268
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:3132
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:2876
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:2496
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:3296
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:1952
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:3248
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:3592
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      Kills process with taskkill
      PID:3884
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      Kills process with taskkill
      PID:3792
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:3844
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:3600
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:1432
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:3544
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      Kills process with taskkill
      PID:3292
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      Kills process with taskkill
      PID:3880
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:3728
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:2988
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:3876
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:3768
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:3680
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:3584
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      Kills process with taskkill
      PID:3964
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:2344
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:4060
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:4016
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:1900
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:2376
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:2612
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:3084
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:1496
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:4024
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:3108
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:1436
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:3404
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:836
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      PID:3464
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:3260
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:3640
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:3628
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:4052
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:2904
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:3172
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:3004
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:3456
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:3904
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:1096
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      Kills process with taskkill
      PID:2764
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:3420
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      Kills process with taskkill
      PID:2880
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:2716
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:1568
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:3164
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:1480
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:620
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:2564
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:3608
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:2364
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:2888
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:2056
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:984
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:3720
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:1172
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:2072
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:1688
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      PID:4028
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:2524
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:3704
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:3896
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      Kills process with taskkill
      PID:3528
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:3656
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:3568
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:308
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:1820
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:3632
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      Kills process with taskkill
      PID:956
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:1588
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:3152
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:2244
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:1176
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:3692
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:3944
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:3696
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\2024-09-16_09dc1da297f4981397cc9a9854cc0339_cobalt-strike_cobaltstrike_hijackloader_karagany_mafia_poet-rat_34efa695-726b-4f1e-a63f-3535ee277664\doc.html
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2292
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2292 CREDAT:275457 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Modifies registry class
      Suspicious use of SetWindowsHookEx
      PID:1944
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2292 CREDAT:930820 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:3308
- - C:\Users\Admin\AppData\Local\Temp\2024-09-16_09dc1da297f4981397cc9a9854cc0339_cobalt-strike_cobaltstrike_hijackloader_karagany_mafia_poet-rat_34efa695-726b-4f1e-a63f-3535ee277664\butdes.exe
    butdes.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:556
  - - C:\Users\Admin\AppData\Local\Temp\is-7E1ML.tmp\butdes.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-7E1ML.tmp\butdes.tmp" /SL5="$3017E,2719719,54272,C:\Users\Admin\AppData\Local\Temp\2024-09-16_09dc1da297f4981397cc9a9854cc0339_cobalt-strike_cobaltstrike_hijackloader_karagany_mafia_poet-rat_34efa695-726b-4f1e-a63f-3535ee277664\butdes.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: GetForegroundWindowSpam
      PID:1776
- - C:\Users\Admin\AppData\Local\Temp\2024-09-16_09dc1da297f4981397cc9a9854cc0339_cobalt-strike_cobaltstrike_hijackloader_karagany_mafia_poet-rat_34efa695-726b-4f1e-a63f-3535ee277664\flydes.exe
    flydes.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2916
  - - C:\Users\Admin\AppData\Local\Temp\is-7E1MM.tmp\flydes.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-7E1MM.tmp\flydes.tmp" /SL5="$3017A,595662,54272,C:\Users\Admin\AppData\Local\Temp\2024-09-16_09dc1da297f4981397cc9a9854cc0339_cobalt-strike_cobaltstrike_hijackloader_karagany_mafia_poet-rat_34efa695-726b-4f1e-a63f-3535ee277664\flydes.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: GetForegroundWindowSpam
      PID:2808
- - C:\Users\Admin\AppData\Local\Temp\2024-09-16_09dc1da297f4981397cc9a9854cc0339_cobalt-strike_cobaltstrike_hijackloader_karagany_mafia_poet-rat_34efa695-726b-4f1e-a63f-3535ee277664\i.exe
    i.exe
    3⤵
    - Executes dropped EXE
    PID:2956
- - C:\Windows\SysWOW64\timeout.exe
    timeout 3
    3⤵
    - Delays execution with timeout.exe
    PID:2148
- - C:\Users\Admin\AppData\Local\Temp\2024-09-16_09dc1da297f4981397cc9a9854cc0339_cobalt-strike_cobaltstrike_hijackloader_karagany_mafia_poet-rat_34efa695-726b-4f1e-a63f-3535ee277664\gx.exe
    gx.exe
    3⤵
    - Executes dropped EXE
    PID:2276
  - - C:\Users\Admin\AppData\Local\Temp\7zS4E871EF6\setup.exe
      C:\Users\Admin\AppData\Local\Temp\7zS4E871EF6\setup.exe --server-tracking-blob=MzY5Njg4ZTc1OTE1MjcyMTMxZmYwZTk4ODU3ZWE4Mjk0NjQ0Nzc5MjcxMWY4OGZhOThlNTU5YmNlNzA1NmJiOTp7ImNvdW50cnkiOiJOTCIsImVkaXRpb24iOiJzdGQtMiIsImh0dHBfcmVmZXJyZXIiOiJodHRwczovL3d3dy5vcGVyYS5jb20vIiwiaW5zdGFsbGVyX25hbWUiOiJPcGVyYUdYU2V0dXAuZXhlIiwicHJvZHVjdCI6Im9wZXJhX2d4IiwicXVlcnkiOiIvb3BlcmFfZ3gvc3RhYmxlL3dpbmRvd3M/ZWRpdGlvbj1zdGQtMiZ1dG1fc291cmNlPVBXTmdhbWVzJnV0bV9tZWRpdW09cGEmdXRtX2NhbXBhaWduPVBXTl9OTF9VVlJfMzczNiZlZGl0aW9uPXN0ZC0yJnV0bV9jb250ZW50PTM3MzZfJnV0bV9pZD0wNTgwYWM0YWUyOTA0ZDA3ODNkOTQxNWE0NWRhZGFkYSZodHRwX3JlZmVycmVyPWh0dHBzJTNBJTJGJTJGd3d3Lm9wZXJhLmNvbSUyRnJ1JTJGZ3glM0ZlZGl0aW9uJTNEc3RkLTIlMjZ1dG1fc291cmNlJTNEUFdOZ2FtZXMlMjZ1dG1fbWVkaXVtJTNEcGElMjZ1dG1fY2FtcGFpZ24lM0RQV05fTkxfVVZSXzM3MzYlMjZ1dG1fY29udGVudCUzRDM3MzZfJTI2dXRtX2lkJTNEMDU4MGFjNGFlMjkwNGQwNzgzZDk0MTVhNDVkYWRhZGEmdXRtX3NpdGU9b3BlcmFfY29tJnV0bV9sYXN0cGFnZT1vcGVyYS5jb20lMkZneCZ1dG1faWQ9MDU4MGFjNGFlMjkwNGQwNzgzZDk0MTVhNDVkYWRhZGEmZGxfdG9rZW49NzAwOTYzNzgiLCJ0aW1lc3RhbXAiOiIxNzI1ODAyMjIzLjgwMDQiLCJ1c2VyYWdlbnQiOiJNb3ppbGxhLzUuMCAoV2luZG93cyBOVCAxMC4wOyBXaW42NDsgeDY0KSBBcHBsZVdlYktpdC81MzcuMzYgKEtIVE1MLCBsaWtlIEdlY2tvKSBDaHJvbWUvMTI4LjAuMC4wIFNhZmFyaS81MzcuMzYgRWRnLzEyOC4wLjAuMCIsInV0bSI6eyJjYW1wYWlnbiI6IlBXTl9OTF9VVlJfMzczNiIsImNvbnRlbnQiOiIzNzM2XyIsImlkIjoiMDU4MGFjNGFlMjkwNGQwNzgzZDk0MTVhNDVkYWRhZGEiLCJsYXN0cGFnZSI6Im9wZXJhLmNvbS9neCIsIm1lZGl1bSI6InBhIiwic2l0ZSI6Im9wZXJhX2NvbSIsInNvdXJjZSI6IlBXTmdhbWVzIn0sInV1aWQiOiI0ODkyOGFmMC1jZDc3LTQ0NDctYTQyNy1kNzY5ODRmOGQ5NGMifQ==
      4⤵
      Executes dropped EXE
      PID:1700
- - C:\Users\Admin\AppData\Local\Temp\2024-09-16_09dc1da297f4981397cc9a9854cc0339_cobalt-strike_cobaltstrike_hijackloader_karagany_mafia_poet-rat_34efa695-726b-4f1e-a63f-3535ee277664\bundle.exe
    bundle.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: GetForegroundWindowSpam
    PID:1980
- - C:\Users\Admin\AppData\Local\Temp\2024-09-16_09dc1da297f4981397cc9a9854cc0339_cobalt-strike_cobaltstrike_hijackloader_karagany_mafia_poet-rat_34efa695-726b-4f1e-a63f-3535ee277664\rckdck.exe
    rckdck.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2336
  - - C:\Users\Admin\AppData\Local\Temp\is-RI5SA.tmp\is-9NP3O.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-RI5SA.tmp\is-9NP3O.tmp" /SL4 $20070 "C:\Users\Admin\AppData\Local\Temp\2024-09-16_09dc1da297f4981397cc9a9854cc0339_cobalt-strike_cobaltstrike_hijackloader_karagany_mafia_poet-rat_34efa695-726b-4f1e-a63f-3535ee277664\rckdck.exe" 6123423 52736
      4⤵
      Executes dropped EXE
      Suspicious behavior: GetForegroundWindowSpam
      PID:2972
- - C:\Users\Admin\AppData\Local\Temp\2024-09-16_09dc1da297f4981397cc9a9854cc0339_cobalt-strike_cobaltstrike_hijackloader_karagany_mafia_poet-rat_34efa695-726b-4f1e-a63f-3535ee277664\avg.exe
    avg.exe
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Loads dropped DLL
    - Checks for any installed AV software in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1196
  - - C:\Users\Admin\AppData\Local\Temp\ajECD2.exe
      "C:\Users\Admin\AppData\Local\Temp\ajECD2.exe" /relaunch=8 /was_elevated=1 /tagdata
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Loads dropped DLL
      Checks for any installed AV software in registry
      Writes to the Master Boot Record (MBR)
      Modifies system certificate store
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      PID:3120
- - C:\Users\Admin\AppData\Local\Temp\2024-09-16_09dc1da297f4981397cc9a9854cc0339_cobalt-strike_cobaltstrike_hijackloader_karagany_mafia_poet-rat_34efa695-726b-4f1e-a63f-3535ee277664\telamon.exe
    telamon.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:1996
  - - C:\Users\Admin\AppData\Local\Temp\is-A3N0L.tmp\telamon.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-A3N0L.tmp\telamon.tmp" /SL5="$2012A,1520969,918016,C:\Users\Admin\AppData\Local\Temp\2024-09-16_09dc1da297f4981397cc9a9854cc0339_cobalt-strike_cobaltstrike_hijackloader_karagany_mafia_poet-rat_34efa695-726b-4f1e-a63f-3535ee277664\telamon.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious behavior: GetForegroundWindowSpam
      PID:1548
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" "C:\Windows\system32\cmd.exe" /S /C ""C:\Users\Admin\AppData\Local\Temp\is-IF6G2.tmp\tt-installer-helper.exe" --getuid > "C:\Users\Admin\AppData\Local\Temp\is-IF6G2.tmp\~execwithresult.txt""
        5⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1452
      - C:\Users\Admin\AppData\Local\Temp\is-IF6G2.tmp\tt-installer-helper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-IF6G2.tmp\tt-installer-helper.exe" --getuid
        6⤵
        Executes dropped EXE
        
        PID:1588
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" "C:\Windows\system32\cmd.exe" /S /C ""C:\Users\Admin\AppData\Local\Temp\is-IF6G2.tmp\tt-installer-helper.exe" --saveinstallpath --filename=C:\Users\Admin\AppData\Local\Temp\2024-09-16_09dc1da297f4981397cc9a9854cc0339_cobalt-strike_cobaltstrike_hijackloader_karagany_mafia_poet-rat_34efa695-726b-4f1e-a63f-3535ee277664\telamon.exe > "C:\Users\Admin\AppData\Local\Temp\is-IF6G2.tmp\~execwithresult.txt""
        5⤵
        Loads dropped DLL
        
        PID:3540
      - C:\Users\Admin\AppData\Local\Temp\is-IF6G2.tmp\tt-installer-helper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-IF6G2.tmp\tt-installer-helper.exe" --saveinstallpath --filename=C:\Users\Admin\AppData\Local\Temp\2024-09-16_09dc1da297f4981397cc9a9854cc0339_cobalt-strike_cobaltstrike_hijackloader_karagany_mafia_poet-rat_34efa695-726b-4f1e-a63f-3535ee277664\telamon.exe
        6⤵
        Executes dropped EXE
        
        PID:3740
- - C:\Users\Admin\AppData\Local\Temp\2024-09-16_09dc1da297f4981397cc9a9854cc0339_cobalt-strike_cobaltstrike_hijackloader_karagany_mafia_poet-rat_34efa695-726b-4f1e-a63f-3535ee277664\stopwatch.exe
    stopwatch.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of FindShellTrayWindow
    PID:3044
- - C:\Windows\SysWOW64\msiexec.exe
    "C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\AppData\Local\Temp\2024-09-16_09dc1da297f4981397cc9a9854cc0339_cobalt-strike_cobaltstrike_hijackloader_karagany_mafia_poet-rat_34efa695-726b-4f1e-a63f-3535ee277664\gadget.msi"
    3⤵
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Suspicious use of FindShellTrayWindow
    PID:1696
- - C:\Users\Admin\AppData\Local\Temp\2024-09-16_09dc1da297f4981397cc9a9854cc0339_cobalt-strike_cobaltstrike_hijackloader_karagany_mafia_poet-rat_34efa695-726b-4f1e-a63f-3535ee277664\g_.exe
    g_.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: GetForegroundWindowSpam
    PID:1012
- - C:\Users\Admin\AppData\Local\Temp\2024-09-16_09dc1da297f4981397cc9a9854cc0339_cobalt-strike_cobaltstrike_hijackloader_karagany_mafia_poet-rat_34efa695-726b-4f1e-a63f-3535ee277664\t.exe
    t.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2064
- - C:\Users\Admin\AppData\Local\Temp\2024-09-16_09dc1da297f4981397cc9a9854cc0339_cobalt-strike_cobaltstrike_hijackloader_karagany_mafia_poet-rat_34efa695-726b-4f1e-a63f-3535ee277664\g.exe
    g.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:340
- - C:\Users\Admin\AppData\Local\Temp\2024-09-16_09dc1da297f4981397cc9a9854cc0339_cobalt-strike_cobaltstrike_hijackloader_karagany_mafia_poet-rat_34efa695-726b-4f1e-a63f-3535ee277664\e.exe
    e.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:876
- - C:\Windows\SysWOW64\attrib.exe
    attrib +s +h C:\GAB
    3⤵
    - Sets file to hidden
    - Views/modifies file attributes
    PID:1432
- - C:\Users\Admin\AppData\Local\Temp\2024-09-16_09dc1da297f4981397cc9a9854cc0339_cobalt-strike_cobaltstrike_hijackloader_karagany_mafia_poet-rat_34efa695-726b-4f1e-a63f-3535ee277664\Bootstraper.exe
    Bootstraper.exe
    3⤵
    - Executes dropped EXE
    PID:2456
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\SalaNses'"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:3184
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\Desktop'"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:3192
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Users'"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:3200
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2456 -s 1488
      4⤵
      Loads dropped DLL
      Program crash
      PID:1740
- - C:\Windows\SysWOW64\timeout.exe
    timeout 10
    3⤵
    - Delays execution with timeout.exe
    PID:3348
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /K proxy.bat
    3⤵
    PID:2228
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im explorer.exe
      4⤵
      PID:2748
- - C:\Windows\SysWOW64\notepad.exe
    "C:\Windows\System32\notepad.exe" "C:\GAB\10005.CompositeFont"
    3⤵
    - Opens file in notepad (likely ransom note)
    PID:4048
- - C:\Windows\SysWOW64\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\GAB\10005.ini
    3⤵
    - Opens file in notepad (likely ransom note)
    PID:3472
- - C:\Windows\SysWOW64\fontview.exe
    "C:\Windows\System32\fontview.exe" C:\GAB\10005.ttc
    3⤵
    PID:3220
- - C:\Windows\SysWOW64\fontview.exe
    "C:\Windows\System32\fontview.exe" C:\GAB\10005.TTF
    3⤵
    PID:3344
- - C:\Users\Admin\AppData\Local\Temp\2024-09-16_09dc1da297f4981397cc9a9854cc0339_cobalt-strike_cobaltstrike_hijackloader_karagany_mafia_poet-rat_34efa695-726b-4f1e-a63f-3535ee277664\cobstrk.exe
    cobstrk.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Windows directory
    PID:832
  - - C:\Windows\System\IYxejPc.exe
      C:\Windows\System\IYxejPc.exe
      4⤵
      Executes dropped EXE
      PID:1580
  - - C:\Windows\System\AsVwsVG.exe
      C:\Windows\System\AsVwsVG.exe
      4⤵
      Executes dropped EXE
      PID:1560
  - - C:\Windows\System\ocfYfxL.exe
      C:\Windows\System\ocfYfxL.exe
      4⤵
      Executes dropped EXE
      PID:692
  - - C:\Windows\System\VaMyFux.exe
      C:\Windows\System\VaMyFux.exe
      4⤵
      Executes dropped EXE
      PID:3164
  - - C:\Windows\System\fJkpBPI.exe
      C:\Windows\System\fJkpBPI.exe
      4⤵
      Executes dropped EXE
      PID:1480
  - - C:\Windows\System\rdaedGX.exe
      C:\Windows\System\rdaedGX.exe
      4⤵
      Executes dropped EXE
      PID:3648
  - - C:\Windows\System\muERLfe.exe
      C:\Windows\System\muERLfe.exe
      4⤵
      Executes dropped EXE
      PID:1432
  - - C:\Windows\System\mpckmTG.exe
      C:\Windows\System\mpckmTG.exe
      4⤵
      Executes dropped EXE
      PID:1224
  - - C:\Windows\System\rqqSXuu.exe
      C:\Windows\System\rqqSXuu.exe
      4⤵
      Executes dropped EXE
      PID:3644
  - - C:\Windows\System\ylpdzib.exe
      C:\Windows\System\ylpdzib.exe
      4⤵
      Executes dropped EXE
      PID:3668
  - - C:\Windows\System\VMHHSKn.exe
      C:\Windows\System\VMHHSKn.exe
      4⤵
      Executes dropped EXE
      PID:2132
  - - C:\Windows\System\jeAcbZK.exe
      C:\Windows\System\jeAcbZK.exe
      4⤵
      Executes dropped EXE
      PID:3244
  - - C:\Windows\System\YLZllXO.exe
      C:\Windows\System\YLZllXO.exe
      4⤵
      Executes dropped EXE
      PID:3808
  - - C:\Windows\System\CgpvIPj.exe
      C:\Windows\System\CgpvIPj.exe
      4⤵
      Executes dropped EXE
      PID:3812
  - - C:\Windows\System\xIBfKyO.exe
      C:\Windows\System\xIBfKyO.exe
      4⤵
      Executes dropped EXE
      PID:1684
  - - C:\Windows\System\vDjNSZX.exe
      C:\Windows\System\vDjNSZX.exe
      4⤵
      Executes dropped EXE
      PID:764
  - - C:\Windows\System\lpsNkcT.exe
      C:\Windows\System\lpsNkcT.exe
      4⤵
      Executes dropped EXE
      PID:2440
  - - C:\Windows\System\jiqcJLL.exe
      C:\Windows\System\jiqcJLL.exe
      4⤵
      Executes dropped EXE
      PID:1312
  - - C:\Windows\System\reuSRMs.exe
      C:\Windows\System\reuSRMs.exe
      4⤵
      Executes dropped EXE
      PID:1604
  - - C:\Windows\System\xMzIHpS.exe
      C:\Windows\System\xMzIHpS.exe
      4⤵
      Executes dropped EXE
      PID:3888
  - - C:\Windows\System\fsJPfXz.exe
      C:\Windows\System\fsJPfXz.exe
      4⤵
      Executes dropped EXE
      PID:4012
- - C:\Users\Admin\AppData\Local\Temp\2024-09-16_09dc1da297f4981397cc9a9854cc0339_cobalt-strike_cobaltstrike_hijackloader_karagany_mafia_poet-rat_34efa695-726b-4f1e-a63f-3535ee277664\jaf.exe
    jaf.exe
    3⤵
    - Executes dropped EXE
    - Checks whether UAC is enabled
    PID:3336
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /K des.cmd
    3⤵
    PID:1576
- - C:\Users\Admin\AppData\Local\Temp\2024-09-16_09dc1da297f4981397cc9a9854cc0339_cobalt-strike_cobaltstrike_hijackloader_karagany_mafia_poet-rat_34efa695-726b-4f1e-a63f-3535ee277664\file.exe
    file.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    PID:3208
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
      4⤵
      PID:2352
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
      4⤵
      PID:1624
- - C:\Users\Admin\AppData\Local\Temp\2024-09-16_09dc1da297f4981397cc9a9854cc0339_cobalt-strike_cobaltstrike_hijackloader_karagany_mafia_poet-rat_34efa695-726b-4f1e-a63f-3535ee277664\PurchaseOrder.exe
    PurchaseOrder.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    PID:2724
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\2024-09-16_09dc1da297f4981397cc9a9854cc0339_cobalt-strike_cobaltstrike_hijackloader_karagany_mafia_poet-rat_34efa695-726b-4f1e-a63f-3535ee277664\PurchaseOrder.exe"
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:1308
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\TESAYt.exe"
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:2624
  - - C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\TESAYt" /XML "C:\Users\Admin\AppData\Local\Temp\tmp512C.tmp"
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:2364
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
      4⤵
      PID:4008

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1098311318-1047346000852568205-1137973053-8590581972043924734-2091981315314898252"
1⤵
PID:2648

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
PID:3140

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F32D97DF-E3E5-4CB9-9E3E-0EB5B4E49801}
1⤵
PID:1268

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:316

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k swprv
1⤵
PID:3248

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:1200

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "206233898814576953-672386471-1887854365-8075355361169058490-238903815-157975798"
1⤵
PID:620

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "958347139638540730-77204883717923857881409962268-2091901313836197221945937661"
1⤵
PID:2888

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

Software Discovery

T1518

Security Software Discovery

T1518.001

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\GAB\10005.CompositeFont

Filesize
42KB

MD5
a25098b209687b9e53a607b8fba42c11

SHA1
d0980f5404820b14a24c6f7947cc7d910f9ac895

SHA256
9dc61ff5d2dc92eeecb7f53be2faed63aa039f30151ad909345a6acfe976430b

SHA512
2601c2ac5ce32e23184d0b19ad2fce9efffb9dcc7bcf734bf01ef626fc3e52891b0c2d95f28bf20744f941a8bb9039078c2163aea09e1dbbb7020b05d6a41614

Download Submit
C:\GAB\10005.CompositeFont

Filesize
42KB

MD5
8f64a583b0823bfc2fdf7277e67b5e16

SHA1
f8029c828d0aef58f8818b866f1f7f1ec2f095b8

SHA256
b637a0f9031088d08147f397836fe1c16b15c70db696db4ddea05ec5b95b4f91

SHA512
e8c7941c8a42f6408b0071c7f0ea06a226757d3a07e3943738296c5dd5e5e60d682424182f0d788f42a5758f1c76ef1ec89901acc43799833234f09f3b4278a2

Download Submit
C:\GAB\10005.TTF

Filesize
146KB

MD5
119688cc24c7a1c78a469b0ed365edd7

SHA1
c5af524353bfe2b99ee259e6ca4ad9a48147b8b1

SHA256
b9682c73a954f5a8a1b2a0ff88b4ff54cb20143a0330c3b1ccc2f9aede2838c7

SHA512
3012173d81d4d7c8c6fe862533d713b73b816c3c7165c0a44cf94211d13f674fc5230f097a005638e87bd10175959c07b709b4291c0ab6f0ace6449debadc964

Download Submit
C:\GAB\10005.TTF

Filesize
70KB

MD5
141449d91ea53b0c3f08600f47ecbc0c

SHA1
5b7bb7a58b050831d980e2db95688d608f837392

SHA256
962ebe317bfba70511c4f04ceb3a7160def7e3ce8cfcb035fddce7ef202ff9b4

SHA512
b30e109d23ba369cb9154418135505f11e50d3ed65353a9f0981b055ba79934d447958bf434dfa430fa27b20a272c7776939871d2295210b1f5522a83105e571

Download Submit
C:\GAB\10005.TTF

Filesize
200KB

MD5
e54b82b8f3d7f7dd8f65056641ca83e1

SHA1
f57f3056d76371c0fc3afb4bf445d92bf9415dab

SHA256
9761eac569ce7e2c88491bb50f36c5bccb78f005c3d89a5bf74b30f3976f6a64

SHA512
30009d3626ae0c2a728d08e4ddd834163ac3be1485134e693a3382bbe784f849f7f8d5553685c54a413ae39a99c6af0df4712501cf18f9cd4ff136e585a26b91

Download Submit
C:\GAB\10005.TTF

Filesize
61KB

MD5
564ddb14fbcb4963f390ed661a60cf1f

SHA1
b3c3b2315cdd66d2e06f4e101927354252321b7f

SHA256
8a9783e50f3bf892d958b7e61990d6ccaee65daaa0ffc246d3e1bd4fb0104b41

SHA512
29cf6cbead77aad30e53b27b27efbbd134290e1b52e31e76fbb075de6130faf9ce510a5b1ae7d3d28c13196289859caf1f5a2fae81e1f4d25ffc2a8bbe732fb5

Download Submit
C:\GAB\10005.TTF

Filesize
187KB

MD5
ded3b327a83ee6797e1e10bbf73e6529

SHA1
1fa9946971f8d12fff2ee3375a49ae79d5024945

SHA256
11dcff56471c018850a6f6b8e70c74448269c28e6c19a9d43dbddcc0eb681d2e

SHA512
cd34c1ffe418d019698489887f2ec3834cf60f3a36e8fca04243c50b7208dfc294c33cdff90ba936f9750f50d3efb0f38e9e8fe7e48dcbb7cb22d0d5b29173dc

Download Submit
C:\GAB\10005.TTF

Filesize
187KB

MD5
da4c7c05387041702c0a42f25b7cb451

SHA1
93395ccfc2e84befc756f200f070062ceb9a24ed

SHA256
f3062511dda30b2677983c546e604098a7764b6762dd18521b1ea9522815bf35

SHA512
5f412bff40b05f4cbed8f81639deff3d82e99e03e1705f8544c61412491a7735b407115ad53fd6786cb10a0987ae66c58aeed72a8b4dc0e841be6fc6e61e0766

Download Submit
C:\GAB\10005.TTF

Filesize
192KB

MD5
7cdb672689e1a665e0c453c2bb6a372c

SHA1
a4b633e6f0c3f930e3f75c444ccbcb8642814084

SHA256
0f41ab83f40023fd1e856cdf47aafe7a4287fa44d499d7a09abbea7d18f07178

SHA512
6309cc31e46d0566936955ac370785f315e3f865caa4a2b0aa29fc3d976d9bfa062eb37d6b4afb496d2243f84f21552fdbf251eb7f964b3da0f644ddabaa1cc3

Download Submit
C:\GAB\10005.TTF

Filesize
348KB

MD5
56e4e759fb62583d33bc499c76cccb55

SHA1
14b4f10bbc5119167d1be330de19c02c31f43cc1

SHA256
9e77dc1334b6cae5e3e0807d906ea4560f267f7ef93c23c838cfdfe702a3b9c8

SHA512
c157710cb1ba25a63d3a0a5d7007e09baa5b7c0379466b1e3b2a536835aac674a9c86c3dcae4ed1d2cb90c2d344a82cc1657aa3991ddaa2815b92e1d59a48493

Download Submit
C:\GAB\10005.TTF

Filesize
128KB

MD5
6b3fd758c1be9b5d686f4c92867e1114

SHA1
1677d3784eefacffd465a4ff847ad90e79ea76eb

SHA256
c996cb2bb24e1085affb1d09fb3db686897963cf58cf244a5e3567bed7efcaf2

SHA512
011e8272b2aef994fe8ab8723369e464cbd37fa6dd256008ff80c0eabc383823fab037d7a88da5645c15e74dea6e7061125b4b1f3978975829adcb206ce12867

Download Submit
C:\GAB\10005.TTF

Filesize
17KB

MD5
5a7765d47894bac732f1ed9beb1f7818

SHA1
cbf7bd8ece77093c5a72aff33c148cce80490b04

SHA256
1cc072157711f80296f3d013cec95093fc1be4e35a97406c46e76b14a97f41e1

SHA512
03a275efbbda8ed003b49ce7b708656f41361bb671286ddebd7c27238236df3a9faa983a1b1342444204cd0f146d1304367aba8a5008d0771ef104a10bfed8d1

Download Submit
C:\GAB\10005.TTF

Filesize
122KB

MD5
bb7185985c87f3a2641f6637530824fe

SHA1
94febe7ae8f224fccad0861941431f0a0f40df2d

SHA256
58a129849438028a8b01c7304c6346b9eb7a1170f4cb89b6d6e12b4c2a96e2fa

SHA512
9599223f38a233597011b4d5d409660298927b01c0eb23628f20da4abe980421747be3104a9e445a34d64a5edda81a92b17e9006cbc081a7a6879b0e7138dfb3

Download Submit
C:\GAB\10005.TTF

Filesize
45KB

MD5
9488a34c8f32f727a43f41e0d016e673

SHA1
1060eb7f915da2de3c4ff4867296ecfb7d783e4a

SHA256
673e9f49ace279c73711dd778037b5d435790be236c9e5892609794b0bb4377f

SHA512
395db44f81df7051785c20e62528db81ae2063a96a2ee8e33af8d883af6fd21f08c0edf9e644972672c251be6d7df380b302841dc366271d08a1b026ffde6c2f

Download Submit
C:\GAB\10005.TTF

Filesize
74KB

MD5
e1a957bd6bd4dab347b7f5bf97751543

SHA1
1e0f37a7b05f707f2df5f8453d307ea18bee3c29

SHA256
70af64a5bc061505e7a1cb1cd691811768a7cc84e53d48fcb526deb53f8c7a57

SHA512
329c3fab1ff1f51fd5c4acb37681c9111117bee6d505ab95c48fdd32e7ffebb554b74a3f93698a397c242b40c31a721b734e902e729b8ca7fa4b9b2099f1957b

Download Submit
C:\GAB\10005.TTF

Filesize
357KB

MD5
71cc40ef081e00440074dc97d032c8bf

SHA1
963611cbf61df85099f51c39eb5525a1dd652054

SHA256
ae3c7333bf547f38aae160a3b4f753e333be10756f33acdda99c4508154f6306

SHA512
d1ae58392d2f2263420f95537de3e05057d6800ebf726f5e03e434a694f5a011a58ba3f343fafa828a5f47b9021230ccedcb60c6a563c59b77fcd6270bbd4953

Download Submit
C:\GAB\10005.TTF

Filesize
697KB

MD5
83d6d8fa7c1d3d06ac90d51f2296f476

SHA1
5f9471c4bc7eec5911455ca12e7778a2dbd47f8c

SHA256
40b7dd1f83b4ceca86741e9719b62a9c86e83391eee4ce74d0de2b53c93f324a

SHA512
7885104f4f3605ad59d0a3961c4282fcbb4f280b8596df7ee7711df6b5090e169290285747df8c6d1a18553c3d11e15b494780bd56fe96d61f202b087667853d

Download Submit
C:\GAB\10005.TTF

Filesize
645KB

MD5
6b870736f5f3ca84a235a10c5f074c23

SHA1
9c30d8dcbcfd3944759bc2f91925b834f294dafb

SHA256
918ac50f8cf8d083a506becac73fd5419588b4d045548e44286a5c9a2263cf9e

SHA512
9676388eb4c6da7f811cf15a669e1a945c17fd38174a9d2f70e19c8708db1c23aa65e4dc590f16109e5943a1e752a995e41ba2c70ff59c1fd37d146e2891285f

Download Submit
C:\GAB\10005.TTF

Filesize
184KB

MD5
b5b56246ddadbc5f4f6e3c067c2e0898

SHA1
6ff6688a861d88d41d1b4ea928b7be67f1015881

SHA256
cc009516e3b3175d89281b12de2f15592228ee9aa17de26b8405d7a9e20527c0

SHA512
f8b0fa37e64206e95ab61308a89faeed864751167bbd9b450a7caf859680f1837f072922ac2b52f94a79755dcba848209380af4f098cb54cee67f89afe962213

Download Submit
C:\GAB\10005.TTF

Filesize
76KB

MD5
49ecce2669bcfd4f35fbaddc52a66bde

SHA1
37ba727d2748be9422ba6753175123b40368496e

SHA256
c07343c210d92caffc5655ab20b6c3d4f78db259036f3da505991c8836981c46

SHA512
b75c20cf71a967bdeb7958ba64f7728b39b6503ff720c5dcc58cef6ff6e5ada6a5f900cdec9f0f5bff884b0a0cacc090532e0daff844b692460fa2a38fdb2e5a

Download Submit
C:\GAB\10005.TTF

Filesize
180KB

MD5
2c2269e5f6da3e8dd9b42f01a2823f69

SHA1
2cce6f0a4255e142dde626383017800d8323660d

SHA256
eedd564fada9ead72a44c5cfca85cd7506ad46e2707fb5cee3971126b50405da

SHA512
4b0ce8707937406f6b6ee31b0cc822f860641ddbacac4b84adc23b2fbd6c434b3f20effe99cb3c4d16a3ee41e4bed6f6f10c65669d2140eb872ae8a8c7bb0fe4

Download Submit
C:\GAB\10005.TTF

Filesize
171KB

MD5
70ff615cf21e554114ff5c472abf91b0

SHA1
d31d5dade8d8dfbefcef615fb3143ade6670563a

SHA256
d48b0a4cadcedcc86822f8d90ab27ff45b8346fa705dcc1c4c161d1db7d6f6b8

SHA512
69cf908ec478f6976409cf9550200ac6826112efb1d5842fecb4d6c23aa78fffd52e50128f6aa52bd86166e5072492c91324bb6fe4f6580770d8e416c0f529c8

Download Submit
C:\GAB\10005.TTF

Filesize
171KB

MD5
b592a65e85d41f51230958c04130d340

SHA1
278a4278161a0a00a6af0d204d7876027fff8d2e

SHA256
bf2eb7af0acdedaf1984fe2e68c1eb5dcf69798c4161100272d086701e6b10cf

SHA512
f08c920f69764c1a07c1fa8a8e810a2b3930db45c5609043db240238581f423e8296a65d85d404ca2481e1a51ab52d47986c5144035d6187b149cf5ba6ce76c2

Download Submit
C:\GAB\10005.TTF

Filesize
251KB

MD5
26fa4973fc8ce04b381c4f5fa16ef4f5

SHA1
8610878440cdeb58d222bc1d4172426a66b6583d

SHA256
01eedd733f4c6c91e01ab97f5409c33c1987d09bc276fd6339ca8f20ecba2712

SHA512
3305cc23f2613a9fa0f6908049abe3c492390c9e041ba1a4cb411018698042647d36d2ef7c6805962ea9fb5fa7fc7ea2ac11c6a53a4666491f990bc7d478cfc6

Download Submit
C:\GAB\10005.TTF

Filesize
34KB

MD5
9e2ee65661bee40438d514fe592bfcf8

SHA1
140a77e69329638a5c53dc01fbcfe0ce9ab93423

SHA256
ac9ee085920a3d8b076d5e0c61dc9df42c4bac28d1fc968344f9ceddb3972f69

SHA512
3b3c7ff00d8f12cea48008a2e95c194f7fc64ee96425a3cfefb8b65a9f7dad66fa16104ec1cf96ac6892426e5e8ab59dab91e3d56d76f58753b80f8ac48f2612

Download Submit
C:\GAB\10005.TTF

Filesize
238KB

MD5
db04aec613a9a134c6f2e6ccfec752f6

SHA1
3b6cdb19a28a4c5bb4356b6c136e12729163eb52

SHA256
94cc30a062bcdfc7edec03d996a046fec781e6f82d31bf5975428be90d943a37

SHA512
de83b805c07c04ef4dbdb9947cdabddbf1a291d111d28cffe55107f173389a35ce82858a139b47b0eda64e025ef46dc5dacaa31dce90d38ed1a36c7599f147b3

Download Submit
C:\GAB\10005.TTF

Filesize
254KB

MD5
7dc56917f40c89a45b1855ef9e0c8c93

SHA1
9fb0f60e6ad130b5fdd51b09f42e541f15561c83

SHA256
befa9c2053d57f9a96e7bfdf04a5b8c8f8752729f27db0fd309ec8e23013b810

SHA512
182ae09e7746714fa1d123ed09346e2718423a52ccc79bd351a860bb645e33b3ab8959e89a9a7156a18ae7c5dcae38dead8b4f3728577a8852c73448abf12dff

Download Submit
C:\GAB\10005.TTF

Filesize
128KB

MD5
e7fb20fafa59256f084a18d6dceb5f18

SHA1
2da57c3d712ab1afd6a6dfc33c4edb40bce1ccc4

SHA256
cf1b748c0d0db4dca7c48643a86ac59c1ee03613619fa03e81f8ae9702edc5de

SHA512
54a60744453275fa255df17ba3778b419116adaf20526f632e918e893a755ba164a44cf249ecd16b6bee9852cb35ff4ec23ba4d3b2c307dc54f979546832c5d1

Download Submit
C:\GAB\10005.TTF

Filesize
254KB

MD5
3bdf562cba22429eeeb93a3b30fd3898

SHA1
127f14b2b263b87278d384db5349ce7cc352cea5

SHA256
f5fc968e2f567f429f8804b48a141e039ba64a692786b87019054778f2161dbd

SHA512
08acd922a4b9c8139659f0b9e231f5789858ded3ea0009c1936802aa4c582c716042a9da64b0a6eba35509a877413e6a306e56509fb163beca16886f24bb5196

Download Submit
C:\GAB\10005.TTF

Filesize
517KB

MD5
b316e6e81afb08c60b3683173d20800f

SHA1
c2a2839fb7380987833ae0b39b7fdc274b8c7ed1

SHA256
1adf63a30f8f79597b3a382bed13c4271d58a4cb1760b611da9177c309879fc2

SHA512
7f83b1ed1a84bf09e6e51975134e7f2aa83edfde502dd3aa82ce91484bcdfdc5e877f2cb3f3426e906b9117ddd4c670817a1aeabef2b4eccafe976e0738cd4ef

Download Submit
C:\GAB\10005.TTF

Filesize
603KB

MD5
50c9a999249d3324e528c7801c9bea27

SHA1
e19ba1204e4e6d178f45112a26b2bef822c0248e

SHA256
a819db3cbf5b7d7fbaa2bf99ca1dd385fe1c27f7b380d6b29d821cfb1f0dd71f

SHA512
fb19aa186001f60a050a05bddf473034f30aeecaba863fa00da02616f290087f94b7b64cabce64c9fcd2db81f5c6e3d83004e8475bb8d134fd01d5911ec2e52c

Download Submit
C:\GAB\10005.fon

Filesize
12KB

MD5
f319dbb4098519ac71cc776b06a88f66

SHA1
80f2d9b484d93e0e743b09e4666230d2059f75dd

SHA256
5ddc4fcbeeb13a81e3060ea62b1e168f447545012273bc2019940f47cff09c20

SHA512
33d949d412c0fecbdeac49d7e5ae8a621a28a5ba8e8d7a7bfe64ae8ec58ec777b8ab31379705b7fc0f04588ed72bf4e24b6ef4ee7628d11ca1e1fdc040271abb

Download Submit
C:\GAB\10005.fon

Filesize
35KB

MD5
8a5853ebfc046f428dd31c5f3ae217ef

SHA1
61dccd934eeaf49b9dfe4385e5ba12ea8eaaa35c

SHA256
0da0d4ed89fd1e8810c7f2cdb5372abfb02cb3d031acacc1a5bbc853f879c2bd

SHA512
b2427ec94402e06af2239277087376ebb5a4a231a2d9fd020e7eae557b865355f257d0fb3c2f2f306c132f919160b5b7d50e0f078f9e382a3ed9ceee3e285c32

Download Submit
C:\GAB\10005.fon

Filesize
8KB

MD5
9677def2615bdd222d0afbd6632a9b4c

SHA1
822a53a0347a69b6e5017d81c7da0bb64659aecd

SHA256
3fce229f5ff861231aa2f890bcb7bdc18a86cfb9735ecbc837d3244210ea8ac1

SHA512
c71eab052ecb90dffb7ef5fb17d3730196ccbb802e6d4999a06d1f7d7ceea6271d9bb50e4384b1fa9e4880d792061538551ca7ca3b7ad771f2bf0b6c2c7c472d

Download Submit
C:\GAB\10005.fon

Filesize
8KB

MD5
f59a1672fff992423c4f52bc0f2fda53

SHA1
1d9086afcfebd8d850f86785de90bd33fd1cf40a

SHA256
9beda2b5a9d4ad80cbb6b48867131a019f2bc669528c41700cac45806b970937

SHA512
64f7472a2ad5e62bb779a8cd1caf240bfdfd1cba6ad62770fe6e639148437bc319f05c406b8d553c72b7059c13864899ac1fbcc3d4993a958dd7e6afe10fe33d

Download Submit
C:\GAB\10005.fon

Filesize
5KB

MD5
21475b17405b86f37a2c15a1df2733b3

SHA1
e640903a5fa2a800a27b74c73a02ea855dcbd953

SHA256
6e7a86167874f989433a264345e5ea6c0e000861cbca8153858b23d7d35d5ecc

SHA512
5752f5cdd3d6e56de8d6382dced5b7425fead8cbdb21755fb504320157a4aad3a713fb8d5d4d52e843d60b0251b3c14ee6e7720824ace97b9fd8a5dbf7e0d8f0

Download Submit
C:\GAB\10005.fon

Filesize
6KB

MD5
ac2aad216301bc75f750ac93543c941b

SHA1
0a9a8a43087b94e829801287c7bd44ae49553935

SHA256
b904000ce079d3a87698a1e16d82f944dd49fc77e9326e698c9c402f2287133a

SHA512
c9f113198a4e713141e80343ce38306899cc2df78373630215de2ac4acc80753bfb36395f66b7d28a7f1f28628903e01fc6f4925ad09e22f4b309cb83cf5f206

Download Submit
C:\GAB\10005.fon

Filesize
7KB

MD5
ad75fb38d57de96a18fd5fcad4a282cb

SHA1
2689835e7573d1ea8cfdf6ae7fd77b671baccbc7

SHA256
c7b31d6d41b52ea093fc845bb51f5fc8bb772b278a0cd8d0dac980dc9e6b08eb

SHA512
ef3e09211a3e58428b94bda0f84d84e83e1e76f40b6f633a6a0e4121cfbdd4cf5253627be285e853d8c536a611f8abf6b2cfdff69033e596c56aaa5b625b6bc2

Download Submit
C:\GAB\10005.fon

Filesize
82KB

MD5
5972eeea7971170eb72cab2fc85c2b17

SHA1
d327d96bd78c5e851e065d053829abbb370c0c09

SHA256
9677467feb714a89de457e262ff6647708b7de66127671b77f7e1e92aa0c2f41

SHA512
c55c5217271f29bd3a7a130daa5e5711eff65630127f90112a26bb4ba3dbf416059f9424606bc1998ff4eec874c18767a395e20c3dc516a00079b2c5a7221ed3

Download Submit
C:\GAB\10005.fon

Filesize
19KB

MD5
c43a956eed29048a78113d55fbfdc716

SHA1
56ee949385d257cc976f85bbfb1070e6e103c3db

SHA256
4f24ab635890d31f6ccad984754b7ae153e1634d11df7625615ad40c2b547a47

SHA512
2e8e7c01f60fc0f3ef4021e735a9fbab9cfde5e48153fdb0684fb9d659e48d5dcdd2b0c4e1df346c72aac157b604bb66eb4fc33dcebfc884ddb07ee01a8febf3

Download Submit
C:\GAB\10005.fon

Filesize
63KB

MD5
a116c782b3abc72b4b0864a99ca60ec4

SHA1
c0ddcfb8c9a4fe98cf80f86d95dd5bfe5e3a52c1

SHA256
213046f7ca679673d6b11955bfa5aa7166bb69d739ca9368903f2b9c3d34bfdd

SHA512
ebf74d5b6e9110dfe0854dc429e57ae8d01c0b3fd58d4743316e2965b7ebaebb6605bd5961a57a4953f46c0993c8bb82757092b059fa122a2cd21e0df8067f68

Download Submit
C:\GAB\10005.fon

Filesize
12KB

MD5
40f8022c3fe4e1cc97bb794e1b519b3f

SHA1
7ff107451b67b2d432db4706c697a9391c13a6f4

SHA256
6b16818c057024f588f4f423cb1f50d24e092fca3c9b5c8c1943cf5b3ea70759

SHA512
08a85d0203a0534067538ba0c1f40273409f61f212269cb3095df1defc114ff007efcb4c3c4897a345cda17db16c98b88ae61100b9e4636862d26edb8a402ba3

Download Submit
C:\GAB\10005.fon

Filesize
6KB

MD5
d34b796aa1b990e597b379256d53d53e

SHA1
643cdfb6beed5a0c9d350f947b2d2b64324ce181

SHA256
fc00005ff7b93f5260cdd56fee9f8a06be02391c44aaa4ea4a23c27501375304

SHA512
e33e65476f54be4f3c52df843ee46e8ba475ea79d0245e3fc22a0d0c35c4c4cb5b5750b80443850fbd59cb57da00b6921d2d9f7e0ca1984937054746d6314f2f

Download Submit
C:\GAB\10005.fon

Filesize
6KB

MD5
cb0c5c52a03272adc0c3b32f566ec791

SHA1
160598938b693e80a834e4917c8bae5f4d9b1b94

SHA256
766b20cd7a4c905b91eea6d0782e71b852caa1531a6a1fc43921943d95f6aa8e

SHA512
b0c8364b7ec2453da8331e8f8b2e4f02d656ef3897313a03d95a5fdc10a410bbd085b272cf4cc1ca8fae2dc1f643eb3e6444451600937dfc24698b7db03044d8

Download Submit
C:\GAB\10005.fon

Filesize
7KB

MD5
bf453e9181eb96e86541dc4621249c68

SHA1
a50b7bf0c4acdcc3fb093d4454acd096e3455f3e

SHA256
9d9ad93cf4c0047f55e1e53183f65ba7b033988de119a92dcd21b9fc375d2f33

SHA512
cdb0e3d56a54fd84f2dab61c1249bbb8cc72a81402cb9a69b06664077744efe8093f41da9c3040c2cd06cca1adf7dc005c94cb7c571d8fa0298e733f5d75f70e

Download Submit
C:\GAB\10005.fon

Filesize
6KB

MD5
8a5dbabcb9b11e3e0c527b93e69d5e4d

SHA1
c47add614ece5ed16ca456bac08b1f2cbaccfec9

SHA256
824ea3f5eabd9c3b8e0041e78935feb65545f58760ce0c47a0d938ad75f8e241

SHA512
ddcb3520d68321e6372630cb34473c7b310ffed1263cde8e1059837e63e42e7a7e644537044dee774e9ea3e912e485f2630bc106233e039ea925355ec29921c0

Download Submit
C:\GAB\10005.fon

Filesize
12KB

MD5
d141c73c523889bb1e6249a90eae35a5

SHA1
8bfcd39c1dc42cb98765892c0bbf3d63c1f9fb9e

SHA256
d8990dc5eee6c7f7168fabcfe7b334940434728de1367b061f52c4ed1f802f4f

SHA512
d01bb040cbfc05756148309ed22eeb51889ed9e0c06e3b66e6566e41ac8e3f13ffa3930f5cae2834fecef3f8a42e5890511553bcc16c3bddca28e4cc8c5582b2

Download Submit
C:\GAB\10005.fon

Filesize
68KB

MD5
bed30291132350abb7f33c6b641e80ee

SHA1
5880a420a8240a95d93ffa8a8674c309917d7466

SHA256
a2ffe700d2de9d07964a08a8645646c68f379e525db750b71dd245a110e5c5ff

SHA512
20415741507973e29c02dda40091518cf4d1b32ae93e4de5c798b54b9a966f93f6827784e3b47864140aa57296a95ed5ea5214182340bd75ada2ae9f84ee42e6

Download Submit
C:\GAB\10005.fon

Filesize
68KB

MD5
f882e058d9c07f67c7c3cdaaca6df2c0

SHA1
27d4bab70faed50eb6fc7e9e7a255d67e3ec0a08

SHA256
d6917d6c66277b602d63487720c73a459fd4262211d7d1b14235349178f2605c

SHA512
99e878cbd63b16bbc4e02166d2231af1e29a664856bcc1f3e591bfae5e906c6f59451ecac39e43004e5ad2f0b4b62881b4ce8c7bc55c0056c6540c283cab4481

Download Submit
C:\GAB\10005.fon

Filesize
17KB

MD5
08204b8185f06076e625401e4ad1dd40

SHA1
da572b8772aa5b717d481ede5550b402668e5da9

SHA256
81538026940fedac874529cf77980f0813c8a3ab3264e06bed007a280e224ce7

SHA512
0f6c45de3c40fd82b36c1535130501dc1221b75bedb9c9c1852065d9592dba301a1ab51f2c837cebfbc36b40c6ed41a5180f401b8561311522e24a805b37ce3e

Download Submit
C:\GAB\10005.fon

Filesize
4KB

MD5
9d2bf033acde5a212f6f5404d490e169

SHA1
a0e28adf40a9d06710d20071dcaba2569b91b1dd

SHA256
93e7c6c123d9b53a2d933f63093b4b85302023517f56abf057f9ef8a94d83b8b

SHA512
8dcb0dd9dc72c2de61e26932b72d5923a43b0f512e8d2df5334f478a78ee80f492bb8cb193dd3a314a6a19dd95e4899b40e7b76c3b1f767f5e8b46d1b1b3c00d

Download Submit
C:\GAB\10005.fon

Filesize
30KB

MD5
ed9da5c70dd15e35e1cf8f9bbde4f0f6

SHA1
628390de9ac415e13378ff678d642fe46b4eb189

SHA256
cd5169425701d19edc3d0c73f6974d1f77a28777fc079a4c09fdeee07484777d

SHA512
9dc83483b000f9d66af69b984a5e4cff4899125b93932833e9e1cd467612d00ad5665ecbe66c7c16579c8b5605bdf1d21d81b16931028b9420c9f237ba171715

Download Submit
C:\GAB\10005.ttc

Filesize
2.8MB

MD5
5a9b08a5aa3044696e3e3f4d39d99952

SHA1
3450a930230382a8c8541ef24b5572d15873abb3

SHA256
94d50a4d6546f463a0e99d302b36894e03b970b2cf41c09bcee3dcefdd270e13

SHA512
47f6fd8d0bcfe98503b11cae81738f8892f3866dea37c094543bf0f2d82b9c626a317931c25766a555c7343550596b22e8285cb2f834e0827861e4218669b9a8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\070E0202839D9D67350CD2613E78E416

Filesize
1KB

MD5
55540a230bdab55187a841cfe1aa1545

SHA1
363e4734f757bdeb89868efe94907774a327695e

SHA256
d73494e3446b02167573b3cde3ae1c8584ac26e15e45ac3ec0326708425d90fb

SHA512
c899cb1d31d3214fd9dc8626a55e40580d3b2224bf34310c2abd85d0f63e2dedaeae57832f048c2f500cb2cbf83683fcb14139af3f0b5251606076cdb4689c54

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\070E0202839D9D67350CD2613E78E416

Filesize
230B

MD5
76668c25ef3b1d390bacec53dae9638f

SHA1
c119af4a97f6187caea8e7f3f2336d175ec286b3

SHA256
f0017c00c22441d252206bebf7e819b05898666a79162eb2a194808ac8c6e8b7

SHA512
5318d8cc166c20fed5e3b31afbcf5e610f322ab5f2ea5f948832f8d2179b92bc4e951d71f0bdb934d669508f2634a54070ba752a4bee7cc7245508e86a7dc92d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a664a8c041802260b1dec185d2446589

SHA1
4712fa21754ba49d98248cc5e751086479879ad9

SHA256
4fb28c7a0c1d5bfb9e0b37d6e1c9a3fef5da9447b58a8c58234fa2fd19527816

SHA512
77f36bf0e522b8a000071cdcff5730a0057e304bb1bce92e28d68b3d0a8f90b7194197e3bbea3680416e8575e9d385ac6136f9f2fa84f453e263e040eb66258f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6ef64d9d9868382b4d818f89799412ba

SHA1
9e7785285d5c3b936d7ba29a001d8ca86f449367

SHA256
e5db06ac5a2ee082621ef8e81ec045c6fbc60673622d86768c17a02a8151f6f0

SHA512
991b5f7ce489c97ce390f41fe09e8d4889430fd72eb33f62c44151aac1650cef7f95f4729c222d7eeca38f35f57c874959aae5e3ea32b1daa4dff989747f834c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
11dfcc3bdc43510ab751ba17ab30163d

SHA1
2d28c57b4fd2d7ab747ab617bbcafaa7a715d1fe

SHA256
5b3e28b508c367ee2d380f456ee7d2a4eb5c8ece580563e2daeb6acc6c3521fc

SHA512
d5066b3af81a3acb0186d4bbed108376714c2545f2188209ef24e5925ff3690e13cd0b32ec2a38afa6b0048a6aaf7837b18c1292db7dd634e65169816c43b20e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ca5cb4d1696be7dd06939a849b3448fe

SHA1
e8eeb9def93f8ed3203efad36a80000d09d20191

SHA256
3531818c9a6d28d036d68ad17bf64b8a6808c328b456361482aeca01fb9f91f8

SHA512
f78fe99fdf9c251b7a4f221ff7db3f9d0abf0f0e7c392b635798759183b7e3db4fd16a9aab180249f7c49c534ec09984dc204a38dd1715e0b19b0d806ac7d4fd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
bb6eb580b63bfe3e6965f830288bd801

SHA1
16ded41bfde1fb694817836d9d53c86c96f6e38e

SHA256
8ead96b1698faa5a60e7cd0a053ae41b8c8ef12f4cbed8aa62bdca2f08b3d6c2

SHA512
6d7aa2918f1fc5d98dd73c00eabef08a9fd8368269bc961877853a2b4afbc553c3a910562102701c5f70c037950d9d7b1551ca1101b3c64fc1fbc3c11b0a0f47

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4448b758d0ed71696fe1cf25c001dc81

SHA1
47fe5421048834ced1280c53e68fc0ec5a7e96be

SHA256
ac7e1ae17290ca65dbecc1ebacbd645afa78727f606dcf9f942327e44aaeff7b

SHA512
df236a31297f5d18b98fdbba2d0eaad891421a5709dc67b97228f5b54d6417d69696a1a78f3cbbba43ed09861455a0cb363a4ddeae601601a888160869763f3b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3fd8c28a04cde6d62e2d6dcdd6be7448

SHA1
4a03b2231f58b19c1bfe82639d8629f04940ae8e

SHA256
9717908c456c9c7b33dffc74ff9f99d5b297d9778c5150ae611f80a8205a6d17

SHA512
1158c4f180d0deffa19678b84e33f5ab90cedda79a62060e9bdd12c357d60f4f5ce57ebce988054e370ce4dd10f687eeea7734beb0a0e3428208b3bac48b2f07

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
cd9c231dda28afa7f10e0e8fbfb515bb

SHA1
b454f0e54a1fda33a3b247cc15cdde665301eb53

SHA256
a898a458cea6bb05a51c5c63a831e95781013acbaaa6cb203ec3f30e9654f643

SHA512
2bb2bc2727ddda277e8c257721eefba877129198a4554f9b982d881d46a75c56be86ce5dd62d2c6c05e3a617f27a81faa9b76d606172d806d3e46055d1f28e0f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d3346dcf3dbf1b83166a33fd7278b5bd

SHA1
cb0527db6f8ae8cab87e667b8f06a175e1b736c2

SHA256
f46b1ec8aa714293d855710c58caef7fa366b9f490784c58f87c1b9606c85e2c

SHA512
59887947ef953f6804b0eb59b4b1a883d38e0c27feb32abacc3689a7010d2a6bdd7b0255e6bcda5a8fd36bcc33ab6105a830acd05ef183dba38143f7aef4aa6c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1fc33bf2b6fb3dc2458133b44c0b3e9d

SHA1
190d9bd69380a161beb23382d0abcbf1b861b8d9

SHA256
0b5e93f3c3715c32fd2307c2a8514a1a884654da67c1734174a3baed80058869

SHA512
e2db54021a8ba9903f164133f63eeff0902a78f44cf7c407b969a9915744720ffa4e314914be82baf95c0406a0a1cd3587d0c28ce5df2cb1ce9326128e299bb7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
61daa89a610ef382ae8b8b30dd62e0ba

SHA1
08dc05497ee215c77401eef1312d854e5bfb1fa1

SHA256
1effaf68edffa5d79e3e661c31ff7015142fe1a5ad2dcd8e31872ba486aae812

SHA512
2dba23fc3adf89400636c2090ac73a8df43f80fd0d4b02e51c0b3a674bd029c6a7157e04545c552ef4e59e75274bed5aa0b8b412a7f6cfce9d05d00a20916279

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ccd36f61cefa73d9d4e319d2d48cdd1c

SHA1
dceb1d89d10021aba5ee05b389e366acbece5711

SHA256
f3828ad6e6157246f2629a42b105f3568b8daebbab4604ac67c90f13956ac819

SHA512
5d8775000243b7223dacfb674062b809fae2b1c29ea88a2cae64bfa72317048a78c037a256593383e9bc0aaac84ea4bd1275be105874155ba3fc27342530c400

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1aee96a9386ad9ed0a8518d62659ca70

SHA1
55f4d78e6d740171968046bcc1f51d2ae4ff1f0b

SHA256
60e7409826021cb683908ad2cb7c12c0dca7f3a2110b7de0e01b8db2f95949e3

SHA512
89ef0ca0c54a20ab82477a892309caa924830b19c8e5a23ab8d6bec347ef4f25703db9d161545d37a2f44a5825f990ecb3b611b34be64a6a366114b31d231dce

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9babee8764d4840ca4a1acc5491f9f8e

SHA1
f3efa88ba57b6c06d1ab02097039463b192a5e95

SHA256
edf0763123892eb88acdc5d7fde0e9493a3ae37e91bd051836fef586c93f2bf7

SHA512
d530ad62adcdcf128dd1fcc6e608d28b26032057ef78cadcf9c388d55f1d725a38edfe6903a18783a9831431825fac26ae24c1281ce208a99418f199acd43f48

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d88565f774741b2328bcec414c968b26

SHA1
b27edd3aba2f559fe826cdc58b8c3b433483eafd

SHA256
90a81c5f555cf6d243204e3a706c6f496c739603896d5e5a1866caa2424c9dd5

SHA512
9c5554bc968720c1b78e258c2af2db7c77c24636d4f6f61d8d0463b971451062db1b510dba855d71e80be687237d34279841be4edcd13553fd0f905330c16adf

Download Submit
C:\Users\Admin\AppData\Local\Temp\2024-09-16_09dc1da297f4981397cc9a9854cc0339_cobalt-strike_cobaltstrike_hijackloader_karagany_mafia_poet-rat_34efa695-726b-4f1e-a63f-3535ee277664\!m.bat

Filesize
888B

MD5
64642da120c419155726108ec85d5967

SHA1
9576dd63e8fdbda9441f384ebbd8356c7e9b660c

SHA256
0bba9556b2b2688c2f441bc36f3ecb0ebf70d04c5c322b71072e998b4f750135

SHA512
cb99da0633c74a63be8a767cc70c6f488e5b3f987f8b64c46e5f4ec1777d3916e4f62b2db5e2d1b79d564f5a9df79fd3af81baf31fb06def7bf027a2e28ad519

Download Submit
C:\Users\Admin\AppData\Local\Temp\2024-09-16_09dc1da297f4981397cc9a9854cc0339_cobalt-strike_cobaltstrike_hijackloader_karagany_mafia_poet-rat_34efa695-726b-4f1e-a63f-3535ee277664\avg.exe

Filesize
5.8MB

MD5
0dc93e1f58cbb736598ce7fa7ecefa33

SHA1
6e539aab5faf7d4ce044c2905a9c27d4393bae30

SHA256
4ec941f22985fee21d2f9d2ae590d5dafebed9a4cf55272b688afe472d454d36

SHA512
73617da787e51609ee779a12fb75fb9eac6ed6e99fd1f4c5c02ff18109747de91a791b1a389434edfe8b96e5b40340f986b8f7b88eac3a330b683dec565a7eff

Download Submit
C:\Users\Admin\AppData\Local\Temp\2024-09-16_09dc1da297f4981397cc9a9854cc0339_cobalt-strike_cobaltstrike_hijackloader_karagany_mafia_poet-rat_34efa695-726b-4f1e-a63f-3535ee277664\butdes.exe

Filesize
2.8MB

MD5
1535aa21451192109b86be9bcc7c4345

SHA1
1af211c686c4d4bf0239ed6620358a19691cf88c

SHA256
4641af6a0071e11e13ad3b1cd950e01300542c2b9efb6ae92ffecedde974a4a6

SHA512
1762b29f7b26911a7e6d244454eac7268235e2e0c27cd2ca639b8acdde2528c9ddf202ed59ca3155ee1d6ad3deba559a6eaf4ed74624c68688761e3e404e54da

Download Submit
C:\Users\Admin\AppData\Local\Temp\2024-09-16_09dc1da297f4981397cc9a9854cc0339_cobalt-strike_cobaltstrike_hijackloader_karagany_mafia_poet-rat_34efa695-726b-4f1e-a63f-3535ee277664\code.js

Filesize
4KB

MD5
016bf2cf2bad527f1f1ea557408cb036

SHA1
23ab649b9fb99da8db407304ce9ca04f2b50c7b4

SHA256
17bb814cfaa135628fd77aa8a017e4b0dcd3c266b8cdca99e4d7de5d215643c0

SHA512
ac2d4f51b0b1da3c544f08b7d0618b50514509841f81bc9dad03329d5c1a90e205795a51ca59522d3aa660fb60faae19803eceeeea57f141217a6701a70510e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\2024-09-16_09dc1da297f4981397cc9a9854cc0339_cobalt-strike_cobaltstrike_hijackloader_karagany_mafia_poet-rat_34efa695-726b-4f1e-a63f-3535ee277664\doc.html

Filesize
15KB

MD5
5622e7755e5f6585a965396b0d528475

SHA1
b059dc59658822334e39323b37082374e8eeaac4

SHA256
080cb8ef0cbf5a5de9163b365eec8b29538e579f14a9caa45c0f11bc173c4147

SHA512
62f5abda3473ca043bf126eed9d0bcc0f775b5ac5f85b4fe52d1d656f476f62188d22cf79b229059a5d05e9258980c787cb755f08ca86e24e5f48655b5447f8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\2024-09-16_09dc1da297f4981397cc9a9854cc0339_cobalt-strike_cobaltstrike_hijackloader_karagany_mafia_poet-rat_34efa695-726b-4f1e-a63f-3535ee277664\download.jpg

Filesize
8KB

MD5
01a5131931ef35acecbe557ba13f3954

SHA1
c7afc7590d469432704d963ffcee31ad8bcfc175

SHA256
d364872ddde28d81d23bb3b08f9e86f921b542f3a35fcaf12549cf5666462bd0

SHA512
ce32352484d676bd0f47c24808707c603fe9f09e41afd63d90f07599f13a5e32c73b0970a9964632f76f5843dda87a033340ee12fadd87b9f219329d0c69b02e

Download Submit
C:\Users\Admin\AppData\Local\Temp\2024-09-16_09dc1da297f4981397cc9a9854cc0339_cobalt-strike_cobaltstrike_hijackloader_karagany_mafia_poet-rat_34efa695-726b-4f1e-a63f-3535ee277664\fence.bat

Filesize
167B

MD5
6465a5431e01a80bf71aca9e9698e5b0

SHA1
d56ed108f13a6c49d57f05e2bf698778fd0b98dc

SHA256
1c5f05fecfc1f4fd508f1d3bbb93a47e8b8196b9eded5de7152a6fa57ca7580f

SHA512
db7f64b8af595d0bf6fd142471868df6d29ec7cfbb49a7e0da63d9bc8ca8f319e4c41f2c7baeafe17a3679861163400ccb36c18617982b244aaf482e9c264e55

Download Submit
C:\Users\Admin\AppData\Local\Temp\2024-09-16_09dc1da297f4981397cc9a9854cc0339_cobalt-strike_cobaltstrike_hijackloader_karagany_mafia_poet-rat_34efa695-726b-4f1e-a63f-3535ee277664\flydes.exe

Filesize
833KB

MD5
b401505e8008994bf2a14fdf0deac874

SHA1
e4f7f375b1e88dd71a0274a997ed5d9491bde068

SHA256
6bcf6b84d71737787e3cc8d9d0eed9720f388cc2d0337832a7e8ca3c6f455a41

SHA512
1bca98547ecf5a98d42b1d77cff50ca79ee560c893b2470aeb86887fef6e40a5ccdb72956f04a1d2a862827eebd3b7746e3043f3e6209597dcde9385ed55cc11

Download Submit
C:\Users\Admin\AppData\Local\Temp\2024-09-16_09dc1da297f4981397cc9a9854cc0339_cobalt-strike_cobaltstrike_hijackloader_karagany_mafia_poet-rat_34efa695-726b-4f1e-a63f-3535ee277664\fries.jpg

Filesize
12KB

MD5
c4d9d3cd21ef4de91abc95f99c4bc7dc

SHA1
b2cf457237c44c824068727b8440fe6a352a360c

SHA256
6fd1c3bde9a6a478e39d1cf2121e980c0bcf59454fe1673d707aa70170953bc9

SHA512
d10fbb0bdfb30160484950aa58bd2f97c38cf2d0914550b4041c9acd273e8013920ef1ee74216f92437a44ab81111a4c70ed3dc2df680ee4d187c22557900ee7

Download Submit
C:\Users\Admin\AppData\Local\Temp\2024-09-16_09dc1da297f4981397cc9a9854cc0339_cobalt-strike_cobaltstrike_hijackloader_karagany_mafia_poet-rat_34efa695-726b-4f1e-a63f-3535ee277664\gadget.msi

Filesize
23.4MB

MD5
906ad3937f0abd2e5383dc162340496b

SHA1
d63fe621af79e1468ee0cf52e119ffd21775ca8a

SHA256
821e33cf757bd01bec6703796c01726e6674b8de3bc1e7ea834318039e46909e

SHA512
624d76f7905f57679b647cfc676aa8c55cac72d6baa60db7d5ae45662de5da55f856f64adca382b315810088e757903f6c051685fcc83fe330016a8a95754d79

Download Submit
C:\Users\Admin\AppData\Local\Temp\2024-09-16_09dc1da297f4981397cc9a9854cc0339_cobalt-strike_cobaltstrike_hijackloader_karagany_mafia_poet-rat_34efa695-726b-4f1e-a63f-3535ee277664\i.exe

Filesize
12KB

MD5
cea5426da515d43c88132a133f83ce68

SHA1
0c224d0bb777f1e3b186fdf58cc82860d96805cc

SHA256
2be7a0865ded1c0bd1f92d5e09bb7b37a9e36a40487a687e0359c93878611a78

SHA512
4c1f25147222c84dff513bebf00e828719454ad634ef9380cfc7835f0457a718b4b437ecb60c1fa72a7f83fbb67e1ddfcd225194eedda77034c72f8c752c642c

Download Submit
C:\Users\Admin\AppData\Local\Temp\2024-09-16_09dc1da297f4981397cc9a9854cc0339_cobalt-strike_cobaltstrike_hijackloader_karagany_mafia_poet-rat_34efa695-726b-4f1e-a63f-3535ee277664\images.jpg

Filesize
13KB

MD5
49f4fe0c8646909c7cf87adf68d896fd

SHA1
9193264c38e5ed9fa0f5be1d79f802cf946a74cf

SHA256
9292dfcddc9e88e5dbc095ceeb83ce23400a3405a4d47fffc80656941c87d5ec

SHA512
9df4db8c958110cea66f627170919346ed673d3c13aa55292484fc74ebac2864b0292cd4d66d35957b4b2740b2fe30ddfb9d9e04115d655fb58bf39e100d285e

Download Submit
C:\Users\Admin\AppData\Local\Temp\2024-09-16_09dc1da297f4981397cc9a9854cc0339_cobalt-strike_cobaltstrike_hijackloader_karagany_mafia_poet-rat_34efa695-726b-4f1e-a63f-3535ee277664\nuggets.webp

Filesize
32KB

MD5
e40209599b592630dcac551daeb6b849

SHA1
851150b573f94f07e459c320d72505e52c3e74f0

SHA256
3c9aefa00fb2073763e807a7eccac687dcc26598f68564e9f9cf9ffdcd90a2be

SHA512
6da5895f2833a18ddb58ba4a9e78dd0b3047475cae248e974dc45d839f02c62772a6ba6dfe51dd9a37f29b7ec9780e799f60f0e476655006dec693164e17eec2

Download Submit
C:\Users\Admin\AppData\Local\Temp\2024-09-16_09dc1da297f4981397cc9a9854cc0339_cobalt-strike_cobaltstrike_hijackloader_karagany_mafia_poet-rat_34efa695-726b-4f1e-a63f-3535ee277664\rckdck.exe

Filesize
6.2MB

MD5
a79fb1a90fb3d92cf815f2c08d3ade6d

SHA1
25e5e553af5e2d21b5cfc70ba41afb65202f6fd5

SHA256
43759b0c441fd4f71fe5eeb69f548cd2eb40ac0abfa02ea3afc44fbddf28dc16

SHA512
82aa45337987c4f344361037c6ca8cf4fbf0fc1e5079ac03f54f3184354792965f6f3b28bd2ab7b511d21f29859e2832fc6b6122a49ddecde12afc7e26fd62dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\2024-09-16_09dc1da297f4981397cc9a9854cc0339_cobalt-strike_cobaltstrike_hijackloader_karagany_mafia_poet-rat_34efa695-726b-4f1e-a63f-3535ee277664\stopwatch.exe

Filesize
68KB

MD5
338a4b68d3292aa22049a22e9292e2a2

SHA1
9595e6f6d5e18a3e71d623ac4012e7633b020b29

SHA256
490d833205f9dfe4f1950d40c845489aa2d2039a77ab10473384986f8442ea6f

SHA512
06bc6463b65508d050c945d5bf08078eecd6982c74c7bab2a6722b99523189d24f530c10c05577e0dbd5b46e896d472112d036023ef5e576e2a8f9401b8668a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\2024-09-16_09dc1da297f4981397cc9a9854cc0339_cobalt-strike_cobaltstrike_hijackloader_karagany_mafia_poet-rat_34efa695-726b-4f1e-a63f-3535ee277664\t.exe

Filesize
62KB

MD5
9e0c60453cdea093fa4c6762f9b1fda9

SHA1
02dfa74e42739c4e8a9a0534273f6a89b51f1dd3

SHA256
269c6da90935306778f4f76005d1f00b49703f8819b60e2764cc14a5abc9a781

SHA512
fc499cb6b98529c7a856c9ec7198f2a6d00d0c0d6b16e826913ab8dca2602f6700e3956749d3316484b94e6867f54cf99aa77f23375ea6c5ea75daa88c91aa96

Download Submit
C:\Users\Admin\AppData\Local\Temp\2024-09-16_09dc1da297f4981397cc9a9854cc0339_cobalt-strike_cobaltstrike_hijackloader_karagany_mafia_poet-rat_34efa695-726b-4f1e-a63f-3535ee277664\telamon.exe

Filesize
2.3MB

MD5
6a80889e81911157ca27df5bc5ac2e09

SHA1
02ac28dd7124317e294fac847a05b69411c9cdb2

SHA256
0b74c13914f712fce5bb41c25a443c4214a97792bdbb6fea05b98350901405ff

SHA512
329ec105834f4531386090074994e5c4ddbdaf4cc4801956b675e258e9167f9e70cf31b8d636d119b59b57af0912decdc259d12999842008cec807a967c89aef

Download Submit
C:\Users\Admin\AppData\Local\Temp\2024-09-16_09dc1da297f4981397cc9a9854cc0339_cobalt-strike_cobaltstrike_hijackloader_karagany_mafia_poet-rat_34efa695-726b-4f1e-a63f-3535ee277664\ucrtbased.dll

Filesize
1.7MB

MD5
c3130cfb00549a5a92da60e7f79f5fc9

SHA1
56c2e8fb1af609525b0f732bb67b806bddab3752

SHA256
eee42eabc546e5aa760f8df7105fcf505abffcb9ec4bf54398436303e407a3f8

SHA512
29bab5b441484bdfac9ec21cd4f0f7454af05bfd7d77f7d4662aeaeaa0d3e25439d52aa341958e7896701546b4a607d3c7a32715386c78b746dfae8529a70748

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4E871EF6\setup.exe

Filesize
6.4MB

MD5
defd30ea336650cc29c0c79fad6fa6b5

SHA1
935d871ed86456c6dd3c83136dc2d1bda5988ff3

SHA256
015a13bd912728e463df6807019b1914dffc3e6735830472e3287150a02e13f4

SHA512
8c6ebbf398fb44ff2254db5a7a2ffbc8803120fa93fa6b72c356c6e8eca45935ab973fe3c90d52d5a7691365caf5b41fe2702b6c76a61a0726faccc392c40e54

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabE311.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarE47B.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nseE0D0.tmp\JsisPlugins.dll

Filesize
2.1MB

MD5
d21ae3f86fc69c1580175b7177484fa7

SHA1
2ed2c1f5c92ff6daa5ea785a44a6085a105ae822

SHA256
a6241f168cacb431bfcd4345dd77f87b378dd861b5d440ae8d3ffd17b9ceb450

SHA512
eda08b6ebdb3f0a3b6b43ef755fc275396a8459b8fc8a41eff55473562c394d015e5fe573b3b134eeed72edff2b0f21a3b9ee69a4541fd9738e880b71730303f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nseE0D0.tmp\StdUtils.dll

Filesize
195KB

MD5
34939c7b38bffedbf9b9ed444d689bc9

SHA1
81d844048f7b11cafd7561b7242af56e92825697

SHA256
b127f3e04429d9f841a03bfd9344a0450594004c770d397fb32a76f6b0eabed0

SHA512
bc1b347986a5d2107ad03b65e4b9438530033975fb8cc0a63d8ef7d88c1a96f70191c727c902eb7c3e64aa5de9ce6bb04f829ceb627eda278f44ca3dd343a953

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsyEEB4.tmp\CR.History.tmp

Filesize
148KB

MD5
90a1d4b55edf36fa8b4cc6974ed7d4c4

SHA1
aba1b8d0e05421e7df5982899f626211c3c4b5c1

SHA256
7cf3e9e8619904e72ea6608cc43e9b6c9f8aa2af02476f60c2b3daf33075981c

SHA512
ea0838be754e1258c230111900c5937d2b0788f90bbf7c5f82b2ceda7868e50afb86c301f313267eaa912778da45755560b5434885521bf915967a7863922ae2

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsyEEB4.tmp\Midex.dll

Filesize
126KB

MD5
2597a829e06eb9616af49fcd8052b8bd

SHA1
871801aba3a75f95b10701f31303de705cb0bc5a

SHA256
7359ca1befdb83d480fc1149ac0e8e90354b5224db7420b14b2d96d87cd20a87

SHA512
8e5552b2f6e1c531aaa9fd507aa53c6e3d2f1dd63fe19e6350c5b6fbb009c99d353bb064a9eba4c31af6a020b31c0cd519326d32db4c8b651b83952e265ffb35

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsyEEB4.tmp\thirdparty.dll

Filesize
93KB

MD5
7b4bd3b8ad6e913952f8ed1ceef40cd4

SHA1
b15c0b90247a5066bd06d094fa41a73f0f931cb8

SHA256
a49d3e455d7aeca2032c30fc099bfad1b1424a2f55ec7bb0f6acbbf636214754

SHA512
d7168f9504dd6bbac7ee566c3591bfd7ad4e55bcac463cecb70540197dfe0cd969af96d113c6709d6c8ce6e91f2f5f6542a95c1a149caa78ba4bcb971e0c12a2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\X3P5FIIFXVJ8AQBCZEEK.temp

Filesize
7KB

MD5
4135b59bab0a2f2ab307e01fd896fdb4

SHA1
7a8f8dd7fd64b4dcf0bb385bb7e6d0d0c7474e71

SHA256
f82b16e91bc33090e117a01c88c3d0d3d46896c4395cc44443fcdda41f96e257

SHA512
05d34e7b8bf902597da6dabc9151c26698730a235829aad283b5c1073b081413473db70d8e0f962907d0ca10a5e2a79df9be9ed3e9fb849fa3f402bf6394ee04

Download Submit
C:\Windows\system\IYxejPc.exe

Filesize
5.2MB

MD5
25183e870ae5b704401e8ebda27c0d09

SHA1
c8991783bc8c470992480adf5b621a0602efb429

SHA256
44f62e774eb37804fa73f0a58f93aba051e51ed9e8b55f220eb514e7fba66989

SHA512
399598e8abfd27a6ca5065d9568d471c2ec418ea73c3eda4b4b28fd89ff7f768b6b93c4a0b599a0f77898a0e27cf7c525d5aae8e97c8d858a5263d5821eaff9e

Download Submit
\Users\Admin\AppData\Local\Temp\2024-09-16_09dc1da297f4981397cc9a9854cc0339_cobalt-strike_cobaltstrike_hijackloader_karagany_mafia_poet-rat_34efa695-726b-4f1e-a63f-3535ee277664\anti.exe

Filesize
1.9MB

MD5
cb02c0438f3f4ddabce36f8a26b0b961

SHA1
48c4fcb17e93b74030415996c0ec5c57b830ea53

SHA256
64677f7767d6e791341b2eac7b43df90d39d9bdf26d21358578d2d38037e2c32

SHA512
373f91981832cd9a1ff0b8744b43c7574b72971b5b6b19ea1f4665b6c878f7a1c7834ac08b92e0eca299eb4b590bf10f48a0485350a77a5f85fc3d2dd6913db3

Download Submit
\Users\Admin\AppData\Local\Temp\2024-09-16_09dc1da297f4981397cc9a9854cc0339_cobalt-strike_cobaltstrike_hijackloader_karagany_mafia_poet-rat_34efa695-726b-4f1e-a63f-3535ee277664\bundle.exe

Filesize
429KB

MD5
ae4581af98a5b38bce860f76223cb7c9

SHA1
6aa1e2cce517e5914a47816ef8ca79620e50e432

SHA256
7c4b329a4018dc7e927a7d1078c846706efae6e6577f6809defaa51b636e7267

SHA512
11ad90a030999bbb727dbfde7943d27f2442c247633cde5f9696e89796b0f750f85a9be96f01fa3fd1ec97653a334b1376d6bb76d9e43424cabe3a03893ecf04

Download Submit
\Users\Admin\AppData\Local\Temp\2024-09-16_09dc1da297f4981397cc9a9854cc0339_cobalt-strike_cobaltstrike_hijackloader_karagany_mafia_poet-rat_34efa695-726b-4f1e-a63f-3535ee277664\e.exe

Filesize
61KB

MD5
c085484b593c7089907af551de309a05

SHA1
f503ae9f559fd76073578686d2193a6956747fea

SHA256
b78b116d79d8f9613510dbde5aa4a8ca59913ee32df540d06defa214489972d2

SHA512
72b458179362a1bb2888213736e5731d0bafe094feaac11a44e78f7a5ed60a4d6f275aa32bbce41950852a31bc55ce19266f26cd3e66bec9f35dc5aafe97fba1

Download Submit
\Users\Admin\AppData\Local\Temp\2024-09-16_09dc1da297f4981397cc9a9854cc0339_cobalt-strike_cobaltstrike_hijackloader_karagany_mafia_poet-rat_34efa695-726b-4f1e-a63f-3535ee277664\g.exe

Filesize
60KB

MD5
ea64d01d756080b86e8e5af63ed6eb50

SHA1
008634fbd4cd348165dbe540ea529f27bd39e5c0

SHA256
35fc36cdd77b1eae66fd02fec2f47cf06841365f6ab66160ed8cf522d71355f7

SHA512
7e7046017eb32e804fb213070997ef228a12426e0f157e959a97a4e27f816eb66b365850cc18ae8573519623db354740d7c008c09734f404d31775e79ead2bb0

Download Submit
\Users\Admin\AppData\Local\Temp\2024-09-16_09dc1da297f4981397cc9a9854cc0339_cobalt-strike_cobaltstrike_hijackloader_karagany_mafia_poet-rat_34efa695-726b-4f1e-a63f-3535ee277664\g_.exe

Filesize
69KB

MD5
3cb72c753dd5e198792d1e0be81f7e2b

SHA1
8a55b72a998bf8362a12f68ee8c4801a5a24754c

SHA256
be9d8772b360ca8054929e5f057413b69932ca8e521e6c696e0fb6b371e8cb97

SHA512
008ed2e26fb4f41e9bb245130cc8f285744ccf737adeffc4c78cb11c03261f906cfd50b5b9e78f2c17dc2b8a01d83554e93f4960370064af87e84322cc78ee70

Download Submit
\Users\Admin\AppData\Local\Temp\2024-09-16_09dc1da297f4981397cc9a9854cc0339_cobalt-strike_cobaltstrike_hijackloader_karagany_mafia_poet-rat_34efa695-726b-4f1e-a63f-3535ee277664\gx.exe

Filesize
3.1MB

MD5
80bf3bf3b76c80235d24f7c698239089

SHA1
7f6071b502df985580e7c469c6d092472e355765

SHA256
2b95e56af10406fbd3ecee38dab9e9c4a9b990d087f2ad2d7b1981c087829da2

SHA512
076b8b6a80ea15738ce682cc715792546582d7a74f971f94f6b5b9cf8164f01280322baec7f72894ac4b8d63b9f2f6074e8fc5e47880ef6c0b57a47beef3581a

Download Submit
\Users\Admin\AppData\Local\Temp\2024-09-16_09dc1da297f4981397cc9a9854cc0339_cobalt-strike_cobaltstrike_hijackloader_karagany_mafia_poet-rat_34efa695-726b-4f1e-a63f-3535ee277664\vcruntime140d.dll

Filesize
130KB

MD5
ee7fbf8768a87ea64ad4890540ce48f9

SHA1
bcbc1ebd5a592c2df216d3211f309a79f9cd8a9b

SHA256
03eafdf65d672994e592b8acc8a1276ccae1218a5cb9685b9aa6a5ffe1a855fe

SHA512
0cbf346d46b5c0b09c1f3fb4837c8df662bf0c69de8c4ae292b994ec156c91b78dbaad733226d765b1ca3ee1695566dc90bf85086e438fa15b9eb32058abce80

Download Submit
\Users\Admin\AppData\Local\Temp\is-7E1ML.tmp\butdes.tmp

Filesize
688KB

MD5
c765336f0dcf4efdcc2101eed67cd30c

SHA1
fa0279f59738c5aa3b6b20106e109ccd77f895a7

SHA256
c5177fdc6031728e10141745cd69edbc91c92d14411a2dec6e8e8caa4f74ab28

SHA512
06a67ac37c20897967e2cad453793a6ef1c7804d4c578404f845daa88c859b15b0acb51642e6ad23ca6ba6549b02d5f6c98b1fa402004bdbf9d646abab7ec891

Download Submit
\Users\Admin\AppData\Local\Temp\is-A3N0L.tmp\telamon.tmp

Filesize
3.1MB

MD5
292d91bef15a5a5d5f5c06425a96e0ee

SHA1
5f4400c94ceebf54825e94cb5d9f616850331e96

SHA256
b6f6cbd03951a6feee4d4766443ce0b7623db000cbfe774146ee43f5a5831373

SHA512
0aca0538ce4c94ef9a8008846add36f51db001905f6cdb373a0348094f11762269aaf92928c6761eb41b1b22cd045ece325b9cd71c67944a1e6c092a72fca200

Download Submit
\Users\Admin\AppData\Local\Temp\is-RI5SA.tmp\is-9NP3O.tmp

Filesize
659KB

MD5
5aa68bb2bf3b994bda93834ad34e7963

SHA1
0156732d5dd48feacfab3aa07764061d73b9116c

SHA256
a90bfd9874c3e60650dba4c286b97ccdb375a456b95556feb38f3cba214770aa

SHA512
e52fecbba96aa911552ef0e11d5d044ec44caf6e0947f64c9a17b04d846a3e86d19e4dfa5ac981fc98d44f941fda3a697c1d23ac6e8ef162f4bcdde9142f22f7

Download Submit
\Users\Admin\AppData\Local\Temp\nseE0D0.tmp\jsis.dll

Filesize
127KB

MD5
2027121c3cdeb1a1f8a5f539d1fe2e28

SHA1
bcf79f49f8fc4c6049f33748ded21ec3471002c2

SHA256
1dae8b6de29f2cfc0745d9f2a245b9ecb77f2b272a5b43de1ba5971c43bf73a1

SHA512
5b0d9966ecc08bcc2c127b2bd916617b8de2dcbdc28aff7b4b8449a244983bfbe33c56f5c4a53b7cf21faf1dbab4bb845a5894492e7e10f3f517071f7a59727c

Download Submit
\Users\Admin\AppData\Local\Temp\nseE0D0.tmp\nsJSON.dll

Filesize
36KB

MD5
f840a9ddd319ee8c3da5190257abde5b

SHA1
3e868939239a5c6ef9acae10e1af721e4f99f24b

SHA256
ddb6c9f8de72ddd589f009e732040250b2124bca6195aa147aa7aac43fc2c73a

SHA512
8e12391027af928e4f7dad1ec4ab83e8359b19a7eb0be0372d051dfd2dd643dc0dfa086bd345760a496e5630c17f53db22f6008ae665033b766cbfcdd930881a

Download Submit
memory/340-234-0x000000013F3D0000-0x000000013F3F6000-memory.dmp

Filesize
152KB

Download
memory/556-103-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/556-2670-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/692-2763-0x000000013F2F0000-0x000000013F641000-memory.dmp

Filesize
3.3MB

Download
memory/692-2931-0x000000013F2F0000-0x000000013F641000-memory.dmp

Filesize
3.3MB

Download
memory/832-2797-0x000000013F3F0000-0x000000013F741000-memory.dmp

Filesize
3.3MB

Download
memory/832-2851-0x0000000002390000-0x00000000026E1000-memory.dmp

Filesize
3.3MB

Download
memory/832-2869-0x000000013F2B0000-0x000000013F601000-memory.dmp

Filesize
3.3MB

Download
memory/832-2867-0x000000013F180000-0x000000013F4D1000-memory.dmp

Filesize
3.3MB

Download
memory/832-2866-0x000000013FE70000-0x00000001401C1000-memory.dmp

Filesize
3.3MB

Download
memory/832-2870-0x000000013FD80000-0x00000001400D1000-memory.dmp

Filesize
3.3MB

Download
memory/832-2762-0x000000013F2F0000-0x000000013F641000-memory.dmp

Filesize
3.3MB

Download
memory/832-2767-0x0000000002390000-0x00000000026E1000-memory.dmp

Filesize
3.3MB

Download
memory/832-2865-0x000000013F430000-0x000000013F781000-memory.dmp

Filesize
3.3MB

Download
memory/832-2769-0x000000013F910000-0x000000013FC61000-memory.dmp

Filesize
3.3MB

Download
memory/832-2771-0x000000013FE40000-0x0000000140191000-memory.dmp

Filesize
3.3MB

Download
memory/832-2860-0x000000013F910000-0x000000013FC61000-memory.dmp

Filesize
3.3MB

Download
memory/832-2859-0x000000013F3F0000-0x000000013F741000-memory.dmp

Filesize
3.3MB

Download
memory/832-2854-0x000000013FE40000-0x0000000140191000-memory.dmp

Filesize
3.3MB

Download
memory/832-2791-0x0000000002390000-0x00000000026E1000-memory.dmp

Filesize
3.3MB

Download
memory/832-2803-0x0000000002390000-0x00000000026E1000-memory.dmp

Filesize
3.3MB

Download
memory/832-2790-0x000000013F5B0000-0x000000013F901000-memory.dmp

Filesize
3.3MB

Download
memory/832-2843-0x000000013F430000-0x000000013F781000-memory.dmp

Filesize
3.3MB

Download
memory/832-2844-0x000000013FE70000-0x00000001401C1000-memory.dmp

Filesize
3.3MB

Download
memory/832-2847-0x000000013F180000-0x000000013F4D1000-memory.dmp

Filesize
3.3MB

Download
memory/832-2848-0x000000013F3C0000-0x000000013F711000-memory.dmp

Filesize
3.3MB

Download
memory/832-2746-0x000000013F5B0000-0x000000013F901000-memory.dmp

Filesize
3.3MB

Download
memory/832-2850-0x000000013F2B0000-0x000000013F601000-memory.dmp

Filesize
3.3MB

Download
memory/832-2868-0x000000013F3C0000-0x000000013F711000-memory.dmp

Filesize
3.3MB

Download
memory/832-2853-0x000000013FD80000-0x00000001400D1000-memory.dmp

Filesize
3.3MB

Download
memory/832-2722-0x000000013F910000-0x000000013FC61000-memory.dmp

Filesize
3.3MB

Download
memory/832-2796-0x0000000002390000-0x00000000026E1000-memory.dmp

Filesize
3.3MB

Download
memory/832-2802-0x000000013F2F0000-0x000000013F641000-memory.dmp

Filesize
3.3MB

Download
memory/832-2738-0x00000000000F0000-0x0000000000100000-memory.dmp

Filesize
64KB

Download
memory/832-2752-0x0000000002390000-0x00000000026E1000-memory.dmp

Filesize
3.3MB

Download
memory/832-2836-0x0000000002390000-0x00000000026E1000-memory.dmp

Filesize
3.3MB

Download
memory/876-235-0x000000013FE00000-0x000000013FE26000-memory.dmp

Filesize
152KB

Download
memory/1012-2170-0x000000013F1D0000-0x000000013F1F9000-memory.dmp

Filesize
164KB

Download
memory/1012-208-0x000000013F1D0000-0x000000013F1F9000-memory.dmp

Filesize
164KB

Download
memory/1224-2804-0x000000013FC10000-0x000000013FF61000-memory.dmp

Filesize
3.3MB

Download
memory/1224-2941-0x000000013FC10000-0x000000013FF61000-memory.dmp

Filesize
3.3MB

Download
memory/1432-2798-0x000000013F3F0000-0x000000013F741000-memory.dmp

Filesize
3.3MB

Download
memory/1432-2939-0x000000013F3F0000-0x000000013F741000-memory.dmp

Filesize
3.3MB

Download
memory/1480-2935-0x000000013FE40000-0x0000000140191000-memory.dmp

Filesize
3.3MB

Download
memory/1480-2786-0x000000013FE40000-0x0000000140191000-memory.dmp

Filesize
3.3MB

Download
memory/1548-2689-0x0000000000400000-0x0000000000729000-memory.dmp

Filesize
3.2MB

Download
memory/1560-2755-0x000000013FC40000-0x000000013FF91000-memory.dmp

Filesize
3.3MB

Download
memory/1560-2929-0x000000013FC40000-0x000000013FF91000-memory.dmp

Filesize
3.3MB

Download
memory/1580-2923-0x000000013F5B0000-0x000000013F901000-memory.dmp

Filesize
3.3MB

Download
memory/1580-2747-0x000000013F5B0000-0x000000013F901000-memory.dmp

Filesize
3.3MB

Download
memory/1624-2774-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/1624-2772-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/1624-2780-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/1624-2782-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/1624-2781-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/1624-2776-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/1624-2778-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/1776-2673-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/1904-3-0x00000000749F0000-0x00000000750DE000-memory.dmp

Filesize
6.9MB

Download
memory/1904-2-0x0000000000300000-0x0000000000324000-memory.dmp

Filesize
144KB

Download
memory/1904-1-0x0000000000E30000-0x0000000000E7A000-memory.dmp

Filesize
296KB

Download
memory/1904-226-0x00000000749FE000-0x00000000749FF000-memory.dmp

Filesize
4KB

Download
memory/1904-227-0x00000000749F0000-0x00000000750DE000-memory.dmp

Filesize
6.9MB

Download
memory/1904-0-0x00000000749FE000-0x00000000749FF000-memory.dmp

Filesize
4KB

Download
memory/1904-2736-0x00000000749F0000-0x00000000750DE000-memory.dmp

Filesize
6.9MB

Download
memory/1996-2687-0x0000000000400000-0x00000000004ED000-memory.dmp

Filesize
948KB

Download
memory/1996-157-0x0000000000400000-0x00000000004ED000-memory.dmp

Filesize
948KB

Download
memory/2064-224-0x000000013FA40000-0x000000013FA67000-memory.dmp

Filesize
156KB

Download
memory/2064-2674-0x000000013FA40000-0x000000013FA67000-memory.dmp

Filesize
156KB

Download
memory/2336-135-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2336-2686-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2456-2690-0x00000000003F0000-0x00000000003FA000-memory.dmp

Filesize
40KB

Download
memory/2456-308-0x0000000001320000-0x000000000133C000-memory.dmp

Filesize
112KB

Download
memory/2456-1194-0x00000000003F0000-0x00000000003FA000-memory.dmp

Filesize
40KB

Download
memory/2456-2691-0x00000000003F0000-0x00000000003FA000-memory.dmp

Filesize
40KB

Download
memory/2456-1193-0x00000000003F0000-0x00000000003FA000-memory.dmp

Filesize
40KB

Download
memory/2724-2871-0x0000000005590000-0x0000000005612000-memory.dmp

Filesize
520KB

Download
memory/2724-2745-0x0000000000690000-0x00000000006A0000-memory.dmp

Filesize
64KB

Download
memory/2724-2740-0x0000000000AB0000-0x0000000000B9A000-memory.dmp

Filesize
936KB

Download
memory/2808-2672-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/2836-233-0x00000000022B0000-0x00000000022D6000-memory.dmp

Filesize
152KB

Download
memory/2836-207-0x00000000022B0000-0x00000000022D9000-memory.dmp

Filesize
164KB

Download
memory/2836-209-0x00000000022B0000-0x00000000022D7000-memory.dmp

Filesize
156KB

Download
memory/2836-2675-0x00000000022B0000-0x00000000022D6000-memory.dmp

Filesize
152KB

Download
memory/2836-2685-0x00000000022B0000-0x00000000022D6000-memory.dmp

Filesize
152KB

Download
memory/2836-225-0x00000000022B0000-0x00000000022D6000-memory.dmp

Filesize
152KB

Download
memory/2836-2169-0x00000000022B0000-0x00000000022D9000-memory.dmp

Filesize
164KB

Download
memory/2916-105-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2916-2671-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2972-2688-0x0000000000400000-0x00000000004B4000-memory.dmp

Filesize
720KB

Download
memory/3068-236-0x00000000749F0000-0x00000000750DE000-memory.dmp

Filesize
6.9MB

Download
memory/3068-69-0x00000000749F0000-0x00000000750DE000-memory.dmp

Filesize
6.9MB

Download
memory/3068-70-0x0000000000F20000-0x0000000001112000-memory.dmp

Filesize
1.9MB

Download
memory/3164-2768-0x000000013FB10000-0x000000013FE61000-memory.dmp

Filesize
3.3MB

Download
memory/3164-2933-0x000000013FB10000-0x000000013FE61000-memory.dmp

Filesize
3.3MB

Download
memory/3208-2756-0x0000000000660000-0x0000000000682000-memory.dmp

Filesize
136KB

Download
memory/3208-2737-0x0000000001150000-0x00000000012F2000-memory.dmp

Filesize
1.6MB

Download
memory/3208-2743-0x00000000050D0000-0x00000000051B2000-memory.dmp

Filesize
904KB

Download
memory/3244-2849-0x000000013F3C0000-0x000000013F711000-memory.dmp

Filesize
3.3MB

Download
memory/3244-2945-0x000000013F3C0000-0x000000013F711000-memory.dmp

Filesize
3.3MB

Download
memory/3336-2723-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/3336-2770-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/3648-2937-0x000000013F7B0000-0x000000013FB01000-memory.dmp

Filesize
3.3MB

Download
memory/3648-2792-0x000000013F7B0000-0x000000013FB01000-memory.dmp

Filesize
3.3MB

Download
memory/3668-2943-0x000000013FE70000-0x00000001401C1000-memory.dmp

Filesize
3.3MB

Download
memory/3668-2846-0x000000013FE70000-0x00000001401C1000-memory.dmp

Filesize
3.3MB

Download
memory/3812-2947-0x000000013F820000-0x000000013FB71000-memory.dmp

Filesize
3.3MB

Download
memory/3812-2852-0x000000013F820000-0x000000013FB71000-memory.dmp

Filesize
3.3MB

Download
memory/4008-2897-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4008-2884-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download