agenttesla | 85b9128c0f0e79af0a37b838ab8d97bd8d2cb11a2362c22b694bc1c9ba27ca66

Analysis

max time kernel
47s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
17-09-2024 03:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-09-17_80be5927fd12a2f3b00f8d66b0fb91b7_cobalt-strike_cobaltstrike_hijackloader_karagany_mafia_poet-rat.exe
Size

58.2MB
MD5

80be5927fd12a2f3b00f8d66b0fb91b7
SHA1

97576ecdc61cc2c1b3b1ace805d6cda3636f71e2
SHA256

85b9128c0f0e79af0a37b838ab8d97bd8d2cb11a2362c22b694bc1c9ba27ca66
SHA512

b3400b47877d8fb1c7a22382b00cd26c1591f944a4673682179735fa4ffeba496861dfb27c6b197417b2beff0011247d500088c2dddede98f28720265342ac65
SSDEEP

1572864:tLOrJXzVj0mz3uu2etPQiWmoh8rb28CQV2Y:tLqJXBj0kuu3IDmnrb5r

Score

10^/10

agenttesla cobaltstrike modiloader raccoon xmrig 2ca5558c9ec8037d24a611513d7bd076 aspackv2 backdoor discovery evasion execution keylogger miner spyware stealer trojan upx

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.iaa-airferight.com
Port:
587
Username:
[email protected]
Password:
webmaster
Email To:
[email protected]

Extracted

Family

raccoon

Botnet

2ca5558c9ec8037d24a611513d7bd076

https://192.153.57.177:80

Attributes

user_agent
MrBidenNeverKnow

xor.plain

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

Cobalt Strike reflective loader 1 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x0003000000000745-2365.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader
Raccoon
Raccoon is an infostealer written in C++ and first seen in 2019.
stealer raccoon

Raccoon Stealer V2 payload 2 IoCs

resource	yara_rule
behavioral2/memory/6992-2359-0x0000000000400000-0x0000000000416000-memory.dmp	family_raccoon_v2
behavioral2/memory/6992-2361-0x0000000000400000-0x0000000000416000-memory.dmp	family_raccoon_v2

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

ModiLoader Second Stage 2 IoCs

resource	yara_rule
behavioral2/memory/4200-2348-0x0000000000400000-0x0000000000451000-memory.dmp	modiloader_stage2
behavioral2/memory/4200-2490-0x0000000000400000-0x0000000000451000-memory.dmp	modiloader_stage2

XMRig Miner payload 21 IoCs

miner

resource	yara_rule
behavioral2/memory/3476-2424-0x00007FF767860000-0x00007FF767BB1000-memory.dmp	xmrig
behavioral2/memory/4012-2421-0x00007FF742490000-0x00007FF7427E1000-memory.dmp	xmrig
behavioral2/memory/6860-2427-0x00007FF77C2E0000-0x00007FF77C631000-memory.dmp	xmrig
behavioral2/memory/3772-2441-0x00007FF651480000-0x00007FF6517D1000-memory.dmp	xmrig
behavioral2/memory/6300-2442-0x00007FF6933C0000-0x00007FF693711000-memory.dmp	xmrig
behavioral2/memory/6488-2443-0x00007FF693BE0000-0x00007FF693F31000-memory.dmp	xmrig
behavioral2/memory/6692-2445-0x00007FF6C2F70000-0x00007FF6C32C1000-memory.dmp	xmrig
behavioral2/memory/4388-2447-0x00007FF6DCC90000-0x00007FF6DCFE1000-memory.dmp	xmrig
behavioral2/memory/2700-2446-0x00007FF795C60000-0x00007FF795FB1000-memory.dmp	xmrig
behavioral2/memory/1768-2449-0x00007FF77ACF0000-0x00007FF77B041000-memory.dmp	xmrig
behavioral2/memory/7060-2450-0x00007FF751050000-0x00007FF7513A1000-memory.dmp	xmrig
behavioral2/memory/5924-2451-0x00007FF6A5750000-0x00007FF6A5AA1000-memory.dmp	xmrig
behavioral2/memory/4540-2448-0x00007FF717590000-0x00007FF7178E1000-memory.dmp	xmrig
behavioral2/memory/6116-2444-0x00007FF7EBC30000-0x00007FF7EBF81000-memory.dmp	xmrig
behavioral2/memory/6948-2489-0x00007FF7714B0000-0x00007FF771801000-memory.dmp	xmrig
behavioral2/memory/6376-2491-0x00007FF67CC80000-0x00007FF67CFD1000-memory.dmp	xmrig
behavioral2/memory/4276-2492-0x00007FF7378A0000-0x00007FF737BF1000-memory.dmp	xmrig
behavioral2/memory/1776-2493-0x00007FF77A430000-0x00007FF77A781000-memory.dmp	xmrig
behavioral2/memory/6632-2494-0x00007FF69BE30000-0x00007FF69C181000-memory.dmp	xmrig
behavioral2/memory/6448-2495-0x00007FF607BD0000-0x00007FF607F21000-memory.dmp	xmrig
behavioral2/memory/4148-2496-0x00007FF75CE80000-0x00007FF75D1D1000-memory.dmp	xmrig

Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
6952	powershell.exe
5392	powershell.exe
5816	powershell.exe
6968	powershell.exe
6960	powershell.exe

Manipulates Digital Signatures 1 TTPs 1 IoCs

Attackers can apply techniques such as changing the registry keys of authenticode & Cryptography to obtain their binary as valid.

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates\49C9F4ED921B64155E77B3A77C940518B9338E5B\Blob = 0f0000000100000014000000e6ebe2f666c34bc1eef18d2ff372c04b2154915e0200000001000000cc0000001c0000006c0000000100000000000000000000000000000001000000620033003800370039003600310062002d0061006500640035002d0034003300370039002d0062003400300035002d0062003000310039003300640032006600640031006300660000000000000000004d006900630072006f0073006f0066007400200045006e00680061006e006300650064002000430072007900700074006f0067007200610070006800690063002000500072006f00760069006400650072002000760031002e0030000000000003000000010000001400000049c9f4ed921b64155e77b3a77c940518b9338e5b200000000100000000030000308202fc308201e4a00302010202101210176ce202c4bd4f22b7bfda61d2e8300d06092a864886f70d01010505003010310e300c0603550403130541646d696e3020170d3234303931373034303032395a180f32313234303832343034303032395a3010310e300c0603550403130541646d696e30820122300d06092a864886f70d01010105000382010f003082010a0282010100a9c9a648c0d66680e8bf22ef82435c5a775df09242f92869d0853ad47879569d6fa5b55dea6b8e84232cd49572e85a2660c41fb13dd535861c90375b603f048080a635e7cf2a05707f628e9706594bf44d4adb432c01179d8ea8902df786cd6d3874819652b8b434e30ac6c70c7b27d3e1cb1028a3890b2ec82346d15b8bb800fba2e37a8bbcc445fe0d62909085676d9bc94041467ab2c91cb57ac34a288fd52f86092a2e05b9414e2586db5487a2d79759e02c8a0f9f2871c957ac7a90c0f9616662a9a21411694b44ea8a15fe986192c4959352928351b2bc4331679ae7d10f8b6223b66dea10afed354bb68383b855c84a748e0cd96de52d40ac910860390203010001a350304e30150603551d25040e300c060a2b0601040182370a0304302a0603551d1104233021a01f060a2b060104018237140203a0110c0f41646d696e405a455559465359440030090603551d1304023000300d06092a864886f70d01010505000382010100550e37345d2dca06deb92dbb972a4882f72ba6471ee55b1fb6bb55fe5f47e1ce45fe31406d0ac55cdc6ed16d350cf2ad2d4fa6fce622e4616e42abbebf36a51dec578c47905b95150eb648cbbe37c8669a9f49de2c8d71152b563b7ecc0be326264e7cb4ae591ad59751b20afee13e30249f1ff75f3b21bf7d5b2b53cf83e7d9bb9a310298b99701726a751f04a6efb557241023200e3abe0fc21865e236e614d8fe8d0f1209b85063baf317079eca5afdb06ab3629df914ce0076943324cdff7ad9b1828fd16f400b76815a0a87971d7d2babacee1091e5178df1c93f1e57d1a098798990c3b2c430fb34165f21f87e128b7dc153b6e81ccf6df52d61bef523	msedge.exe

Sets file to hidden 1 TTPs 1 IoCs

Modifies file attributes to stop it showing in Explorer etc.

evasion

Hidden Files and Directories

T1564.001

pid	Process
5460	attrib.exe

ASPack v2.12-2.42 1 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral2/files/0x0007000000023473-71.dat	aspack_v212_v242

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	PurchaseOrder.exe

Executes dropped EXE 9 IoCs

pid	Process
4332	stopwatch.exe
928	anti.exe
3532	screenscrew.exe
3420	PurchaseOrder.exe
336	butdes.exe
1580	flydes.exe
5920	i.exe
4228	butdes.tmp
4308	flydes.tmp

UPX packed file 30 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/6948-2347-0x00007FF7714B0000-0x00007FF771801000-memory.dmp	upx
behavioral2/files/0x0003000000000745-2365.dat	upx
behavioral2/memory/1776-2400-0x00007FF77A430000-0x00007FF77A781000-memory.dmp	upx
behavioral2/memory/6632-2414-0x00007FF69BE30000-0x00007FF69C181000-memory.dmp	upx
behavioral2/memory/6376-2382-0x00007FF67CC80000-0x00007FF67CFD1000-memory.dmp	upx
behavioral2/memory/4276-2419-0x00007FF7378A0000-0x00007FF737BF1000-memory.dmp	upx
behavioral2/memory/3476-2424-0x00007FF767860000-0x00007FF767BB1000-memory.dmp	upx
behavioral2/memory/4012-2421-0x00007FF742490000-0x00007FF7427E1000-memory.dmp	upx
behavioral2/memory/4148-2430-0x00007FF75CE80000-0x00007FF75D1D1000-memory.dmp	upx
behavioral2/memory/6448-2428-0x00007FF607BD0000-0x00007FF607F21000-memory.dmp	upx
behavioral2/memory/6860-2427-0x00007FF77C2E0000-0x00007FF77C631000-memory.dmp	upx
behavioral2/memory/3772-2441-0x00007FF651480000-0x00007FF6517D1000-memory.dmp	upx
behavioral2/memory/6300-2442-0x00007FF6933C0000-0x00007FF693711000-memory.dmp	upx
behavioral2/memory/6428-2440-0x00007FF766030000-0x00007FF766381000-memory.dmp	upx
behavioral2/memory/6488-2443-0x00007FF693BE0000-0x00007FF693F31000-memory.dmp	upx
behavioral2/memory/6692-2445-0x00007FF6C2F70000-0x00007FF6C32C1000-memory.dmp	upx
behavioral2/memory/4388-2447-0x00007FF6DCC90000-0x00007FF6DCFE1000-memory.dmp	upx
behavioral2/memory/2700-2446-0x00007FF795C60000-0x00007FF795FB1000-memory.dmp	upx
behavioral2/memory/1768-2449-0x00007FF77ACF0000-0x00007FF77B041000-memory.dmp	upx
behavioral2/memory/7060-2450-0x00007FF751050000-0x00007FF7513A1000-memory.dmp	upx
behavioral2/memory/5924-2451-0x00007FF6A5750000-0x00007FF6A5AA1000-memory.dmp	upx
behavioral2/memory/4540-2448-0x00007FF717590000-0x00007FF7178E1000-memory.dmp	upx
behavioral2/memory/6116-2444-0x00007FF7EBC30000-0x00007FF7EBF81000-memory.dmp	upx
behavioral2/memory/6948-2489-0x00007FF7714B0000-0x00007FF771801000-memory.dmp	upx
behavioral2/memory/6376-2491-0x00007FF67CC80000-0x00007FF67CFD1000-memory.dmp	upx
behavioral2/memory/4276-2492-0x00007FF7378A0000-0x00007FF737BF1000-memory.dmp	upx
behavioral2/memory/1776-2493-0x00007FF77A430000-0x00007FF77A781000-memory.dmp	upx
behavioral2/memory/6632-2494-0x00007FF69BE30000-0x00007FF69C181000-memory.dmp	upx
behavioral2/memory/6448-2495-0x00007FF607BD0000-0x00007FF607F21000-memory.dmp	upx
behavioral2/memory/4148-2496-0x00007FF75CE80000-0x00007FF75D1D1000-memory.dmp	upx

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
285	raw.githubusercontent.com
286	raw.githubusercontent.com

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
251	api.ipify.org
252	api.ipify.org

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3420 set thread context of 5900	3420	PurchaseOrder.exe	490

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	anti.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	stopwatch.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	butdes.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	flydes.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe

Delays execution with timeout.exe 5 IoCs

evasion

pid	Process
840	timeout.exe
3100	timeout.exe
5848	timeout.exe
6000	timeout.exe
6468	timeout.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Kills process with taskkill 64 IoCs

evasion

pid	Process
5048	taskkill.exe
6488	taskkill.exe
2720	taskkill.exe
4252	taskkill.exe
560	taskkill.exe
4896	taskkill.exe
5356	taskkill.exe
5424	taskkill.exe
4724	taskkill.exe
4612	taskkill.exe
6444	taskkill.exe
4388	taskkill.exe
1760	taskkill.exe
4124	taskkill.exe
3788	taskkill.exe
5220	taskkill.exe
4136	taskkill.exe
1600	taskkill.exe
3076	taskkill.exe
2848	taskkill.exe
6640	taskkill.exe
884	taskkill.exe
4564	taskkill.exe
2208	taskkill.exe
1436	taskkill.exe
4492	taskkill.exe
4544	taskkill.exe
4532	taskkill.exe
1512	taskkill.exe
1852	taskkill.exe
2060	taskkill.exe
4100	taskkill.exe
5392	taskkill.exe
3100	taskkill.exe
2892	taskkill.exe
5340	taskkill.exe
4744	taskkill.exe
1516	taskkill.exe
4244	taskkill.exe
3628	taskkill.exe
864	taskkill.exe
2732	taskkill.exe
5620	taskkill.exe
2404	taskkill.exe
1768	taskkill.exe
5460	taskkill.exe
5932	taskkill.exe
1440	taskkill.exe
3184	taskkill.exe
2320	taskkill.exe
5424	taskkill.exe
5900	taskkill.exe
5576	taskkill.exe
1900	taskkill.exe
352	taskkill.exe
1580	taskkill.exe
4436	taskkill.exe
5596	taskkill.exe
2628	taskkill.exe
6300	taskkill.exe
4988	taskkill.exe
1436	taskkill.exe
2360	taskkill.exe
2960	taskkill.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Local Settings	explorer.exe

Opens file in notepad (likely ransom note) 2 IoCs

ransomware

pid	Process
5412	notepad.exe
6584	NOTEPAD.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
5808	schtasks.exe

Suspicious behavior: EnumeratesProcesses 17 IoCs

pid	Process
2684	msedge.exe
2684	msedge.exe
1560	msedge.exe
1560	msedge.exe
2820	msedge.exe
2820	msedge.exe
5516	identity_helper.exe
5516	identity_helper.exe
5816	powershell.exe
5816	powershell.exe
5392	powershell.exe
5392	powershell.exe
5900	RegSvcs.exe
5900	RegSvcs.exe
5900	RegSvcs.exe
5392	powershell.exe
5816	powershell.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 13 IoCs

pid	Process
2820	msedge.exe
2820	msedge.exe
2820	msedge.exe
2820	msedge.exe
2820	msedge.exe
2820	msedge.exe
2820	msedge.exe
2820	msedge.exe
2820	msedge.exe
2820	msedge.exe
2820	msedge.exe
2820	msedge.exe
2820	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4012	taskkill.exe
Token: SeDebugPrivilege	3828	taskkill.exe
Token: SeDebugPrivilege	1588	taskkill.exe
Token: SeDebugPrivilege	216	taskkill.exe
Token: SeDebugPrivilege	2408	taskkill.exe
Token: SeDebugPrivilege	2968	taskkill.exe
Token: SeDebugPrivilege	4440	taskkill.exe
Token: SeDebugPrivilege	4748	taskkill.exe
Token: SeDebugPrivilege	3824	taskkill.exe
Token: SeDebugPrivilege	3336	taskkill.exe
Token: SeDebugPrivilege	1356	taskkill.exe
Token: SeDebugPrivilege	4764	taskkill.exe
Token: SeDebugPrivilege	1804	taskkill.exe
Token: SeDebugPrivilege	3100	taskkill.exe
Token: SeDebugPrivilege	4252	taskkill.exe
Token: SeDebugPrivilege	1312	taskkill.exe
Token: SeDebugPrivilege	4236	taskkill.exe
Token: SeDebugPrivilege	2240	taskkill.exe
Token: SeDebugPrivilege	1684	taskkill.exe
Token: SeDebugPrivilege	3484	taskkill.exe
Token: SeDebugPrivilege	4544	taskkill.exe
Token: SeDebugPrivilege	2720	taskkill.exe
Token: SeDebugPrivilege	3080	taskkill.exe
Token: SeDebugPrivilege	3464	taskkill.exe
Token: SeDebugPrivilege	2228	taskkill.exe
Token: SeDebugPrivilege	376	taskkill.exe
Token: SeDebugPrivilege	4688	taskkill.exe
Token: SeDebugPrivilege	4000	taskkill.exe
Token: SeDebugPrivilege	4568	taskkill.exe
Token: SeDebugPrivilege	1852	taskkill.exe
Token: SeDebugPrivilege	2092	taskkill.exe
Token: SeDebugPrivilege	2020	taskkill.exe
Token: SeDebugPrivilege	2404	taskkill.exe
Token: SeDebugPrivilege	2476	taskkill.exe
Token: SeDebugPrivilege	1840	taskkill.exe
Token: SeDebugPrivilege	4028	taskkill.exe
Token: SeDebugPrivilege	3908	taskkill.exe
Token: SeDebugPrivilege	1084	taskkill.exe
Token: SeDebugPrivilege	1768	taskkill.exe
Token: SeDebugPrivilege	2060	taskkill.exe
Token: SeDebugPrivilege	2008	taskkill.exe
Token: SeDebugPrivilege	3692	taskkill.exe
Token: SeDebugPrivilege	2724	taskkill.exe
Token: SeDebugPrivilege	2732	taskkill.exe
Token: SeDebugPrivilege	3644	taskkill.exe
Token: SeDebugPrivilege	1856	taskkill.exe
Token: SeDebugPrivilege	3588	taskkill.exe
Token: SeDebugPrivilege	3500	taskkill.exe
Token: SeDebugPrivilege	4680	taskkill.exe
Token: SeDebugPrivilege	4448	taskkill.exe
Token: SeDebugPrivilege	4900	taskkill.exe
Token: SeDebugPrivilege	4772	taskkill.exe
Token: SeDebugPrivilege	2364	taskkill.exe
Token: SeDebugPrivilege	740	taskkill.exe
Token: SeDebugPrivilege	4424	taskkill.exe
Token: SeDebugPrivilege	3944	taskkill.exe
Token: SeDebugPrivilege	4760	taskkill.exe
Token: SeDebugPrivilege	4988	taskkill.exe
Token: SeDebugPrivilege	2000	taskkill.exe
Token: SeDebugPrivilege	220	taskkill.exe
Token: SeDebugPrivilege	3736	taskkill.exe
Token: SeDebugPrivilege	4136	taskkill.exe
Token: SeDebugPrivilege	5032	taskkill.exe
Token: SeDebugPrivilege	396	taskkill.exe

Suspicious use of FindShellTrayWindow 27 IoCs

pid	Process
4332	stopwatch.exe
928	anti.exe
2820	msedge.exe
2820	msedge.exe
2820	msedge.exe
2820	msedge.exe
2820	msedge.exe
2820	msedge.exe
2820	msedge.exe
2820	msedge.exe
2820	msedge.exe
2820	msedge.exe
2820	msedge.exe
2820	msedge.exe
2820	msedge.exe
2820	msedge.exe
2820	msedge.exe
2820	msedge.exe
2820	msedge.exe
2820	msedge.exe
2820	msedge.exe
2820	msedge.exe
2820	msedge.exe
2820	msedge.exe
2820	msedge.exe
2820	msedge.exe
2820	msedge.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
4332	stopwatch.exe
928	anti.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4604 wrote to memory of 2088	4604	2024-09-17_80be5927fd12a2f3b00f8d66b0fb91b7_cobalt-strike_cobaltstrike_hijackloader_karagany_mafia_poet-rat.exe	84
PID 4604 wrote to memory of 2088	4604	2024-09-17_80be5927fd12a2f3b00f8d66b0fb91b7_cobalt-strike_cobaltstrike_hijackloader_karagany_mafia_poet-rat.exe	84
PID 4604 wrote to memory of 2088	4604	2024-09-17_80be5927fd12a2f3b00f8d66b0fb91b7_cobalt-strike_cobaltstrike_hijackloader_karagany_mafia_poet-rat.exe	84
PID 2088 wrote to memory of 4020	2088	cmd.exe	86
PID 2088 wrote to memory of 4020	2088	cmd.exe	86
PID 2088 wrote to memory of 4020	2088	cmd.exe	86
PID 2088 wrote to memory of 4332	2088	cmd.exe	87
PID 2088 wrote to memory of 4332	2088	cmd.exe	87
PID 2088 wrote to memory of 4332	2088	cmd.exe	87
PID 2088 wrote to memory of 928	2088	cmd.exe	88
PID 2088 wrote to memory of 928	2088	cmd.exe	88
PID 2088 wrote to memory of 928	2088	cmd.exe	88
PID 2088 wrote to memory of 3532	2088	cmd.exe	89
PID 2088 wrote to memory of 3532	2088	cmd.exe	89
PID 2088 wrote to memory of 3532	2088	cmd.exe	89
PID 2088 wrote to memory of 3120	2088	cmd.exe	90
PID 2088 wrote to memory of 3120	2088	cmd.exe	90
PID 2088 wrote to memory of 3120	2088	cmd.exe	90
PID 2088 wrote to memory of 1768	2088	cmd.exe	92
PID 2088 wrote to memory of 1768	2088	cmd.exe	92
PID 2088 wrote to memory of 1768	2088	cmd.exe	92
PID 2088 wrote to memory of 840	2088	cmd.exe	93
PID 2088 wrote to memory of 840	2088	cmd.exe	93
PID 2088 wrote to memory of 840	2088	cmd.exe	93
PID 3120 wrote to memory of 4012	3120	cmd.exe	94
PID 3120 wrote to memory of 4012	3120	cmd.exe	94
PID 3120 wrote to memory of 4012	3120	cmd.exe	94
PID 3120 wrote to memory of 3828	3120	cmd.exe	97
PID 3120 wrote to memory of 3828	3120	cmd.exe	97
PID 3120 wrote to memory of 3828	3120	cmd.exe	97
PID 3120 wrote to memory of 1588	3120	cmd.exe	98
PID 3120 wrote to memory of 1588	3120	cmd.exe	98
PID 3120 wrote to memory of 1588	3120	cmd.exe	98
PID 3120 wrote to memory of 216	3120	cmd.exe	99
PID 3120 wrote to memory of 216	3120	cmd.exe	99
PID 3120 wrote to memory of 216	3120	cmd.exe	99
PID 3120 wrote to memory of 2408	3120	cmd.exe	100
PID 3120 wrote to memory of 2408	3120	cmd.exe	100
PID 3120 wrote to memory of 2408	3120	cmd.exe	100
PID 3120 wrote to memory of 2968	3120	cmd.exe	101
PID 3120 wrote to memory of 2968	3120	cmd.exe	101
PID 3120 wrote to memory of 2968	3120	cmd.exe	101
PID 3120 wrote to memory of 4440	3120	cmd.exe	102
PID 3120 wrote to memory of 4440	3120	cmd.exe	102
PID 3120 wrote to memory of 4440	3120	cmd.exe	102
PID 3120 wrote to memory of 4748	3120	cmd.exe	103
PID 3120 wrote to memory of 4748	3120	cmd.exe	103
PID 3120 wrote to memory of 4748	3120	cmd.exe	103
PID 3120 wrote to memory of 3824	3120	cmd.exe	104
PID 3120 wrote to memory of 3824	3120	cmd.exe	104
PID 3120 wrote to memory of 3824	3120	cmd.exe	104
PID 3120 wrote to memory of 3336	3120	cmd.exe	105
PID 3120 wrote to memory of 3336	3120	cmd.exe	105
PID 3120 wrote to memory of 3336	3120	cmd.exe	105
PID 3120 wrote to memory of 1356	3120	cmd.exe	106
PID 3120 wrote to memory of 1356	3120	cmd.exe	106
PID 3120 wrote to memory of 1356	3120	cmd.exe	106
PID 3120 wrote to memory of 4764	3120	cmd.exe	109
PID 3120 wrote to memory of 4764	3120	cmd.exe	109
PID 3120 wrote to memory of 4764	3120	cmd.exe	109
PID 3120 wrote to memory of 1804	3120	cmd.exe	110
PID 3120 wrote to memory of 1804	3120	cmd.exe	110
PID 3120 wrote to memory of 1804	3120	cmd.exe	110
PID 3120 wrote to memory of 3100	3120	cmd.exe	111

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
5460	attrib.exe

C:\Users\Admin\AppData\Local\Temp\2024-09-17_80be5927fd12a2f3b00f8d66b0fb91b7_cobalt-strike_cobaltstrike_hijackloader_karagany_mafia_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-17_80be5927fd12a2f3b00f8d66b0fb91b7_cobalt-strike_cobaltstrike_hijackloader_karagany_mafia_poet-rat.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4604
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\2024-09-17_80be5927fd12a2f3b00f8d66b0fb91b7_cobalt-strike_cobaltstrike_hijackloader_karagany_mafia_poet-rat_dd7d90ca-b2ac-44db-8555-4013d9ea4aee\!m.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2088
- - C:\Windows\SysWOW64\chcp.com
    chcp 65001
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4020
- - C:\Users\Admin\AppData\Local\Temp\2024-09-17_80be5927fd12a2f3b00f8d66b0fb91b7_cobalt-strike_cobaltstrike_hijackloader_karagany_mafia_poet-rat_dd7d90ca-b2ac-44db-8555-4013d9ea4aee\stopwatch.exe
    stopwatch.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:4332
- - C:\Users\Admin\AppData\Local\Temp\2024-09-17_80be5927fd12a2f3b00f8d66b0fb91b7_cobalt-strike_cobaltstrike_hijackloader_karagany_mafia_poet-rat_dd7d90ca-b2ac-44db-8555-4013d9ea4aee\anti.exe
    anti.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:928
- - C:\Users\Admin\AppData\Local\Temp\2024-09-17_80be5927fd12a2f3b00f8d66b0fb91b7_cobalt-strike_cobaltstrike_hijackloader_karagany_mafia_poet-rat_dd7d90ca-b2ac-44db-8555-4013d9ea4aee\screenscrew.exe
    screenscrew.exe
    3⤵
    - Executes dropped EXE
    PID:3532
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /K fence.bat
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3120
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im explorer.exe
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:4012
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3828
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1588
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:216
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2408
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2968
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4440
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:4748
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3824
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3336
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1356
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4764
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1804
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3100
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4252
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1312
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4236
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2240
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1684
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3484
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:4544
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2720
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3080
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3464
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2228
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:376
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4688
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4000
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4568
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1852
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2092
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:2020
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2404
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2476
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1840
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4028
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:3908
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1084
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1768
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2060
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2008
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3692
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2724
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:2732
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3644
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1856
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3588
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3500
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4680
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4448
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4900
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4772
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2364
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:740
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:4424
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3944
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4760
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:4988
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:2000
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:220
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:3736
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:4136
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:5032
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:396
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:3580
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:4400
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:1408
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:3004
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:2684
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:644
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:2808
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:2472
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:2788
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:4784
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:4960
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:2192
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:1844
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:5016
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:4684
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:1248
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:1884
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:4300
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:4388
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:1516
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:2060
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:2008
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:1428
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:2124
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      Kills process with taskkill
      PID:1440
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:2968
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:4440
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:1636
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:3668
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:3112
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:4200
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:4724
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:4800
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:4660
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:1720
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:3148
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:2420
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:3176
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      PID:352
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:1808
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:4556
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:4116
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:3740
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:4416
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      Kills process with taskkill
      PID:4744
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:3844
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:1344
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      Kills process with taskkill
      PID:1580
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:3080
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:4940
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:4032
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:4836
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:376
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:2308
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:4000
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:8
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:1488
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:1772
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      Kills process with taskkill
      PID:3184
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:2440
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:5060
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:4736
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      PID:884
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      Kills process with taskkill
      PID:1600
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:4300
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      Kills process with taskkill
      PID:4388
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:1516
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:2060
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      Kills process with taskkill
      PID:1760
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:1236
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:3504
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:1368
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      Kills process with taskkill
      PID:1436
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:2024
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:4444
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      PID:4532
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:2632
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:3192
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:4312
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:4152
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:4764
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:1804
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:1212
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:1452
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      Kills process with taskkill
      PID:4564
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:1584
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      PID:2960
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:4468
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:3544
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:5108
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:2704
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:4420
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:1568
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      Kills process with taskkill
      PID:1512
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:1536
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:4348
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      Kills process with taskkill
      PID:2720
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:1408
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:4080
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:932
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:4032
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:4836
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:376
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:2308
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:4000
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:8
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:1488
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:1772
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:3184
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:2440
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:5060
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:4736
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:884
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:1600
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:4300
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:4388
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      Kills process with taskkill
      PID:1516
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:1100
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:3652
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:1236
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:3504
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:1368
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      Kills process with taskkill
      PID:1436
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:2024
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:4444
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:1476
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:212
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:3592
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:3500
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:4992
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:4448
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      PID:864
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:1268
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:2164
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:3312
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:760
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:3944
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:4760
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:2504
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:3708
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:3552
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:4172
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:3252
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:3840
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:4352
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:4356
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:3332
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:3968
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      Kills process with taskkill
      PID:4492
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:3008
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:808
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:3224
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:2324
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      PID:4124
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      PID:2208
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:1488
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:1772
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      Kills process with taskkill
      PID:4896
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:1732
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:2752
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:948
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      Kills process with taskkill
      PID:1768
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:1364
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:2508
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:3812
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:4668
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:3092
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:1300
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:3612
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      Kills process with taskkill
      PID:2732
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:2348
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:4612
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:816
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:2624
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:4608
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      Kills process with taskkill
      PID:4252
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:3312
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:3552
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:1336
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:1492
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:1580
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:4776
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:3008
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      Kills process with taskkill
      PID:4436
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:1948
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      Kills process with taskkill
      PID:3076
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:2208
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      Kills process with taskkill
      PID:2848
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:4684
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:2844
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:948
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:1004
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:1644
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:744
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:4268
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:2592
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:1360
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:4444
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      Kills process with taskkill
      PID:4724
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:4420
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:2408
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:2916
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:5148
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:5340
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:5376
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      Kills process with taskkill
      PID:5424
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      Kills process with taskkill
      PID:5460
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:5488
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:5720
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:5788
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:5832
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:5952
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:5984
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:6076
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:6120
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:2408
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:1488
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:5220
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:5248
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:5316
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:5320
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:3552
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:3904
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:5560
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:5568
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:2888
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:5936
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:5852
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:5952
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:5984
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:3944
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:2432
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:4328
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:6112
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:3224
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:1488
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:5288
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      Kills process with taskkill
      PID:5356
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:5448
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:5484
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:5728
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      Kills process with taskkill
      PID:5900
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:1856
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      Kills process with taskkill
      PID:5576
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      Kills process with taskkill
      PID:1900
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:2888
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:3640
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:5988
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:4836
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:2056
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:3004
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:2432
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:4552
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:4984
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:5232
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:5616
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:5360
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:5392
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:5428
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:5584
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:5980
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:5032
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:4976
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:5560
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:3772
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:4212
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:4148
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:4928
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:1336
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:2684
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:5488
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:4620
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:2860
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:6068
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:2844
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:5232
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:4784
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:5472
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:352
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:4444
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:4156
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:5652
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:5844
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:5984
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:3312
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:5240
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:4612
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:5660
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:5488
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:4984
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:5484
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:3420
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:3336
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:3772
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:3796
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:4140
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      Kills process with taskkill
      PID:3788
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:5424
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:5976
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:5800
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:3756
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:6136
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:4056
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:4552
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:5972
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      Kills process with taskkill
      PID:4100
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:4776
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:6096
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:5216
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:5916
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:5220
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:5504
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:5352
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:2472
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:5472
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:436
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:5620
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:4444
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:544
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      Kills process with taskkill
      PID:4244
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:5868
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:4840
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      Kills process with taskkill
      PID:2360
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:4548
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:3676
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:4324
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:5932
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:5988
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:6068
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:2844
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:5688
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:5896
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:5796
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:5432
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:5728
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:5360
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:2076
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      Kills process with taskkill
      PID:5596
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:3336
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:3476
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:5036
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:4288
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:5792
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:5684
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:3304
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:1976
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:2360
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:4548
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      Kills process with taskkill
      PID:5392
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:1076
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:4008
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:5972
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:4100
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:4776
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:5228
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:3668
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:4612
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:3624
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:4064
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:1428
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:3776
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:3380
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      Kills process with taskkill
      PID:5620
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:3100
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:3984
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:4784
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:5792
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:5684
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:5564
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:5656
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:2360
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:5428
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:5996
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:5448
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      Kills process with taskkill
      PID:5424
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      Kills process with taskkill
      PID:560
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:6068
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      Kills process with taskkill
      PID:3628
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:5404
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:3668
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      Kills process with taskkill
      PID:4612
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:3624
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:4064
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:1428
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:5436
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:2952
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:1312
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      Kills process with taskkill
      PID:3100
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:3984
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:5468
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:5832
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:4468
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      Kills process with taskkill
      PID:2628
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:5804
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:4324
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      Kills process with taskkill
      PID:5932
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:440
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:4256
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:2684
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:3676
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:5328
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:5240
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      Kills process with taskkill
      PID:5220
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:4012
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:3420
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:2076
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:5904
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:3800
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:4148
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      Kills process with taskkill
      PID:5048
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:5800
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:2480
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:5240
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:2472
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:5904
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:2752
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:388
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:5904
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:5660
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:5972
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:7092
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:6492
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:6828
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:6604
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:2428
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:1056
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:6172
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:6852
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:6524
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:7012
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:6484
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:7028
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:6376
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:5244
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      Kills process with taskkill
      PID:6300
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      Kills process with taskkill
      PID:6640
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:5924
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:4392
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:6756
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:2320
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:6916
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:3600
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:6996
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:3564
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:4824
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:6176
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      Kills process with taskkill
      PID:2892
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:872
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:6336
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:6156
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:2224
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:4428
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:3192
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:6196
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:6320
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:1804
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:220
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:3556
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:6364
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:1268
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:7052
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:6608
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      Kills process with taskkill
      PID:6444
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:2664
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:2356
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:3476
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:4828
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:6024
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      Kills process with taskkill
      PID:6488
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      Kills process with taskkill
      PID:5340
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:6108
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:4540
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:3736
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:4884
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      Kills process with taskkill
      PID:2320
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:6604
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:3696
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:2204
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:1956
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:4860
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:6936
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:6792
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:1948
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:6400
- - C:\Windows\SysWOW64\explorer.exe
    explorer
    3⤵
    - Modifies registry class
    PID:1768
- - C:\Windows\SysWOW64\timeout.exe
    timeout 30
    3⤵
    - Delays execution with timeout.exe
    PID:840
- - C:\Users\Admin\AppData\Local\Temp\2024-09-17_80be5927fd12a2f3b00f8d66b0fb91b7_cobalt-strike_cobaltstrike_hijackloader_karagany_mafia_poet-rat_dd7d90ca-b2ac-44db-8555-4013d9ea4aee\PurchaseOrder.exe
    PurchaseOrder.exe
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    PID:3420
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\2024-09-17_80be5927fd12a2f3b00f8d66b0fb91b7_cobalt-strike_cobaltstrike_hijackloader_karagany_mafia_poet-rat_dd7d90ca-b2ac-44db-8555-4013d9ea4aee\PurchaseOrder.exe"
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:5392
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\TESAYt.exe"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:5816
  - - C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\TESAYt" /XML "C:\Users\Admin\AppData\Local\Temp\tmp10F3.tmp"
      4⤵
      System Location Discovery: System Language Discovery
      Scheduled Task/Job: Scheduled Task
      PID:5808
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:5900
- - C:\Windows\SysWOW64\cipher.exe
    cipher /k /h /e C:\Users\Admin\Desktop\*
    3⤵
    PID:4308
- - C:\Windows\SysWOW64\cipher.exe
    cipher C:\Users\Admin\Desktop\*
    3⤵
    PID:4660
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\2024-09-17_80be5927fd12a2f3b00f8d66b0fb91b7_cobalt-strike_cobaltstrike_hijackloader_karagany_mafia_poet-rat_dd7d90ca-b2ac-44db-8555-4013d9ea4aee\doc.html
    3⤵
    PID:1476
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffd076446f8,0x7ffd07644708,0x7ffd07644718
      4⤵
      PID:3500
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1976,6490235603523734379,10347293732392244260,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1988 /prefetch:2
      4⤵
      PID:2228
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1976,6490235603523734379,10347293732392244260,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2140 /prefetch:3
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:2684
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\2024-09-17_80be5927fd12a2f3b00f8d66b0fb91b7_cobalt-strike_cobaltstrike_hijackloader_karagany_mafia_poet-rat_dd7d90ca-b2ac-44db-8555-4013d9ea4aee\infected.html
    3⤵
    - Manipulates Digital Signatures
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    PID:2820
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffd076446f8,0x7ffd07644708,0x7ffd07644718
      4⤵
      PID:864
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2152,14616981213333545954,10951507062041195841,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2164 /prefetch:2
      4⤵
      PID:3332
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2152,14616981213333545954,10951507062041195841,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2228 /prefetch:3
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:1560
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2152,14616981213333545954,10951507062041195841,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2740 /prefetch:8
      4⤵
      PID:2808
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,14616981213333545954,10951507062041195841,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3204 /prefetch:1
      4⤵
      PID:3908
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,14616981213333545954,10951507062041195841,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3236 /prefetch:1
      4⤵
      PID:4216
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,14616981213333545954,10951507062041195841,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3956 /prefetch:1
      4⤵
      PID:1368
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,14616981213333545954,10951507062041195841,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4232 /prefetch:1
      4⤵
      PID:4444
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,14616981213333545954,10951507062041195841,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5052 /prefetch:1
      4⤵
      PID:2024
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,14616981213333545954,10951507062041195841,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5128 /prefetch:1
      4⤵
      PID:5816
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,14616981213333545954,10951507062041195841,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5880 /prefetch:1
      4⤵
      PID:5824
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,14616981213333545954,10951507062041195841,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5456 /prefetch:1
      4⤵
      PID:5308
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,14616981213333545954,10951507062041195841,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5312 /prefetch:1
      4⤵
      PID:5460
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2152,14616981213333545954,10951507062041195841,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6380 /prefetch:8
      4⤵
      PID:6076
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2152,14616981213333545954,10951507062041195841,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6380 /prefetch:8
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:5516
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,14616981213333545954,10951507062041195841,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6444 /prefetch:1
      4⤵
      PID:5508
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,14616981213333545954,10951507062041195841,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6456 /prefetch:1
      4⤵
      PID:3904
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,14616981213333545954,10951507062041195841,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5296 /prefetch:1
      4⤵
      PID:6092
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,14616981213333545954,10951507062041195841,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5248 /prefetch:1
      4⤵
      PID:1152
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,14616981213333545954,10951507062041195841,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6104 /prefetch:1
      4⤵
      PID:6724
- - C:\Windows\SysWOW64\timeout.exe
    timeout 10
    3⤵
    - Delays execution with timeout.exe
    PID:3100
- - C:\Users\Admin\AppData\Local\Temp\2024-09-17_80be5927fd12a2f3b00f8d66b0fb91b7_cobalt-strike_cobaltstrike_hijackloader_karagany_mafia_poet-rat_dd7d90ca-b2ac-44db-8555-4013d9ea4aee\butdes.exe
    butdes.exe
    3⤵
    - Executes dropped EXE
    PID:336
  - - C:\Users\Admin\AppData\Local\Temp\is-N5EEC.tmp\butdes.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-N5EEC.tmp\butdes.tmp" /SL5="$20190,2719719,54272,C:\Users\Admin\AppData\Local\Temp\2024-09-17_80be5927fd12a2f3b00f8d66b0fb91b7_cobalt-strike_cobaltstrike_hijackloader_karagany_mafia_poet-rat_dd7d90ca-b2ac-44db-8555-4013d9ea4aee\butdes.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:4228
- - C:\Users\Admin\AppData\Local\Temp\2024-09-17_80be5927fd12a2f3b00f8d66b0fb91b7_cobalt-strike_cobaltstrike_hijackloader_karagany_mafia_poet-rat_dd7d90ca-b2ac-44db-8555-4013d9ea4aee\flydes.exe
    flydes.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1580
  - - C:\Users\Admin\AppData\Local\Temp\is-N5EED.tmp\flydes.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-N5EED.tmp\flydes.tmp" /SL5="$20180,595662,54272,C:\Users\Admin\AppData\Local\Temp\2024-09-17_80be5927fd12a2f3b00f8d66b0fb91b7_cobalt-strike_cobaltstrike_hijackloader_karagany_mafia_poet-rat_dd7d90ca-b2ac-44db-8555-4013d9ea4aee\flydes.exe"
      4⤵
      Executes dropped EXE
      PID:4308
- - C:\Users\Admin\AppData\Local\Temp\2024-09-17_80be5927fd12a2f3b00f8d66b0fb91b7_cobalt-strike_cobaltstrike_hijackloader_karagany_mafia_poet-rat_dd7d90ca-b2ac-44db-8555-4013d9ea4aee\i.exe
    i.exe
    3⤵
    - Executes dropped EXE
    PID:5920
- - C:\Windows\SysWOW64\timeout.exe
    timeout 10
    3⤵
    - System Location Discovery: System Language Discovery
    - Delays execution with timeout.exe
    PID:5848
- - C:\Users\Admin\AppData\Local\Temp\2024-09-17_80be5927fd12a2f3b00f8d66b0fb91b7_cobalt-strike_cobaltstrike_hijackloader_karagany_mafia_poet-rat_dd7d90ca-b2ac-44db-8555-4013d9ea4aee\gx.exe
    gx.exe
    3⤵
    PID:3380
  - - C:\Users\Admin\AppData\Local\Temp\7zS43D4AB08\setup.exe
      C:\Users\Admin\AppData\Local\Temp\7zS43D4AB08\setup.exe --server-tracking-blob=MzY5Njg4ZTc1OTE1MjcyMTMxZmYwZTk4ODU3ZWE4Mjk0NjQ0Nzc5MjcxMWY4OGZhOThlNTU5YmNlNzA1NmJiOTp7ImNvdW50cnkiOiJOTCIsImVkaXRpb24iOiJzdGQtMiIsImh0dHBfcmVmZXJyZXIiOiJodHRwczovL3d3dy5vcGVyYS5jb20vIiwiaW5zdGFsbGVyX25hbWUiOiJPcGVyYUdYU2V0dXAuZXhlIiwicHJvZHVjdCI6Im9wZXJhX2d4IiwicXVlcnkiOiIvb3BlcmFfZ3gvc3RhYmxlL3dpbmRvd3M/ZWRpdGlvbj1zdGQtMiZ1dG1fc291cmNlPVBXTmdhbWVzJnV0bV9tZWRpdW09cGEmdXRtX2NhbXBhaWduPVBXTl9OTF9VVlJfMzczNiZlZGl0aW9uPXN0ZC0yJnV0bV9jb250ZW50PTM3MzZfJnV0bV9pZD0wNTgwYWM0YWUyOTA0ZDA3ODNkOTQxNWE0NWRhZGFkYSZodHRwX3JlZmVycmVyPWh0dHBzJTNBJTJGJTJGd3d3Lm9wZXJhLmNvbSUyRnJ1JTJGZ3glM0ZlZGl0aW9uJTNEc3RkLTIlMjZ1dG1fc291cmNlJTNEUFdOZ2FtZXMlMjZ1dG1fbWVkaXVtJTNEcGElMjZ1dG1fY2FtcGFpZ24lM0RQV05fTkxfVVZSXzM3MzYlMjZ1dG1fY29udGVudCUzRDM3MzZfJTI2dXRtX2lkJTNEMDU4MGFjNGFlMjkwNGQwNzgzZDk0MTVhNDVkYWRhZGEmdXRtX3NpdGU9b3BlcmFfY29tJnV0bV9sYXN0cGFnZT1vcGVyYS5jb20lMkZneCZ1dG1faWQ9MDU4MGFjNGFlMjkwNGQwNzgzZDk0MTVhNDVkYWRhZGEmZGxfdG9rZW49NzAwOTYzNzgiLCJ0aW1lc3RhbXAiOiIxNzI1ODAyMjIzLjgwMDQiLCJ1c2VyYWdlbnQiOiJNb3ppbGxhLzUuMCAoV2luZG93cyBOVCAxMC4wOyBXaW42NDsgeDY0KSBBcHBsZVdlYktpdC81MzcuMzYgKEtIVE1MLCBsaWtlIEdlY2tvKSBDaHJvbWUvMTI4LjAuMC4wIFNhZmFyaS81MzcuMzYgRWRnLzEyOC4wLjAuMCIsInV0bSI6eyJjYW1wYWlnbiI6IlBXTl9OTF9VVlJfMzczNiIsImNvbnRlbnQiOiIzNzM2XyIsImlkIjoiMDU4MGFjNGFlMjkwNGQwNzgzZDk0MTVhNDVkYWRhZGEiLCJsYXN0cGFnZSI6Im9wZXJhLmNvbS9neCIsIm1lZGl1bSI6InBhIiwic2l0ZSI6Im9wZXJhX2NvbSIsInNvdXJjZSI6IlBXTmdhbWVzIn0sInV1aWQiOiI0ODkyOGFmMC1jZDc3LTQ0NDctYTQyNy1kNzY5ODRmOGQ5NGMifQ==
      4⤵
      PID:4576
    - - C:\Users\Admin\AppData\Local\Temp\7zS43D4AB08\setup.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS43D4AB08\setup.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera GX Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera GX Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktopGX --annotation=ver=112.0.5197.115 --initial-client-data=0x31c,0x320,0x324,0x2f8,0x328,0x6e271b54,0x6e271b60,0x6e271b6c
        5⤵
        
        PID:5448
    - - C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\setup.exe" --version
        5⤵
        
        PID:3628
    - - C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\opera_package_202409170400521\assistant\Opera_GX_assistant_73.0.3856.382_Setup.exe_sfx.exe
        
        "C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\opera_package_202409170400521\assistant\Opera_GX_assistant_73.0.3856.382_Setup.exe_sfx.exe"
        5⤵
        
        PID:5072
    - - C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\opera_package_202409170400521\assistant\assistant_installer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\opera_package_202409170400521\assistant\assistant_installer.exe" --version
        5⤵
        
        PID:6424
      - C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\opera_package_202409170400521\assistant\assistant_installer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\opera_package_202409170400521\assistant\assistant_installer.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera GX Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera GX Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktopGX --annotation=ver=73.0.3856.382 --initial-client-data=0x26c,0x270,0x274,0x248,0x278,0xbe4f48,0xbe4f58,0xbe4f64
        6⤵
        
        PID:4504
- - C:\Users\Admin\AppData\Local\Temp\2024-09-17_80be5927fd12a2f3b00f8d66b0fb91b7_cobalt-strike_cobaltstrike_hijackloader_karagany_mafia_poet-rat_dd7d90ca-b2ac-44db-8555-4013d9ea4aee\bundle.exe
    bundle.exe
    3⤵
    PID:4156
- - C:\Users\Admin\AppData\Local\Temp\2024-09-17_80be5927fd12a2f3b00f8d66b0fb91b7_cobalt-strike_cobaltstrike_hijackloader_karagany_mafia_poet-rat_dd7d90ca-b2ac-44db-8555-4013d9ea4aee\rckdck.exe
    rckdck.exe
    3⤵
    PID:2504
  - - C:\Users\Admin\AppData\Local\Temp\is-BCGL9.tmp\is-E3MH3.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-BCGL9.tmp\is-E3MH3.tmp" /SL4 $30280 "C:\Users\Admin\AppData\Local\Temp\2024-09-17_80be5927fd12a2f3b00f8d66b0fb91b7_cobalt-strike_cobaltstrike_hijackloader_karagany_mafia_poet-rat_dd7d90ca-b2ac-44db-8555-4013d9ea4aee\rckdck.exe" 6123423 52736
      4⤵
      PID:5468
- - C:\Users\Admin\AppData\Local\Temp\2024-09-17_80be5927fd12a2f3b00f8d66b0fb91b7_cobalt-strike_cobaltstrike_hijackloader_karagany_mafia_poet-rat_dd7d90ca-b2ac-44db-8555-4013d9ea4aee\avg.exe
    avg.exe
    3⤵
    PID:5832
  - - C:\Users\Admin\AppData\Local\Temp\aj417C.exe
      "C:\Users\Admin\AppData\Local\Temp\aj417C.exe" /relaunch=8 /was_elevated=1 /tagdata
      4⤵
      PID:3304
- - C:\Users\Admin\AppData\Local\Temp\2024-09-17_80be5927fd12a2f3b00f8d66b0fb91b7_cobalt-strike_cobaltstrike_hijackloader_karagany_mafia_poet-rat_dd7d90ca-b2ac-44db-8555-4013d9ea4aee\telamon.exe
    telamon.exe
    3⤵
    PID:2860
  - - C:\Users\Admin\AppData\Local\Temp\is-B263M.tmp\telamon.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-B263M.tmp\telamon.tmp" /SL5="$40208,1520969,918016,C:\Users\Admin\AppData\Local\Temp\2024-09-17_80be5927fd12a2f3b00f8d66b0fb91b7_cobalt-strike_cobaltstrike_hijackloader_karagany_mafia_poet-rat_dd7d90ca-b2ac-44db-8555-4013d9ea4aee\telamon.exe"
      4⤵
      PID:4596
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" "C:\Windows\system32\cmd.exe" /S /C ""C:\Users\Admin\AppData\Local\Temp\is-U5VU4.tmp\tt-installer-helper.exe" --getuid > "C:\Users\Admin\AppData\Local\Temp\is-U5VU4.tmp\~execwithresult.txt""
        5⤵
        
        PID:5404
      - C:\Users\Admin\AppData\Local\Temp\is-U5VU4.tmp\tt-installer-helper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-U5VU4.tmp\tt-installer-helper.exe" --getuid
        6⤵
        
        PID:6076
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" "C:\Windows\system32\cmd.exe" /S /C ""C:\Users\Admin\AppData\Local\Temp\is-U5VU4.tmp\tt-installer-helper.exe" --saveinstallpath --filename=C:\Users\Admin\AppData\Local\Temp\2024-09-17_80be5927fd12a2f3b00f8d66b0fb91b7_cobalt-strike_cobaltstrike_hijackloader_karagany_mafia_poet-rat_dd7d90ca-b2ac-44db-8555-4013d9ea4aee\telamon.exe > "C:\Users\Admin\AppData\Local\Temp\is-U5VU4.tmp\~execwithresult.txt""
        5⤵
        
        PID:3992
      - C:\Users\Admin\AppData\Local\Temp\is-U5VU4.tmp\tt-installer-helper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-U5VU4.tmp\tt-installer-helper.exe" --saveinstallpath --filename=C:\Users\Admin\AppData\Local\Temp\2024-09-17_80be5927fd12a2f3b00f8d66b0fb91b7_cobalt-strike_cobaltstrike_hijackloader_karagany_mafia_poet-rat_dd7d90ca-b2ac-44db-8555-4013d9ea4aee\telamon.exe
        6⤵
        
        PID:4444
- - C:\Windows\SysWOW64\timeout.exe
    timeout 3
    3⤵
    - Delays execution with timeout.exe
    PID:6000
- - C:\Windows\SysWOW64\msiexec.exe
    "C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\AppData\Local\Temp\2024-09-17_80be5927fd12a2f3b00f8d66b0fb91b7_cobalt-strike_cobaltstrike_hijackloader_karagany_mafia_poet-rat_dd7d90ca-b2ac-44db-8555-4013d9ea4aee\gadget.msi"
    3⤵
    PID:4048
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /K des.bat
    3⤵
    PID:2360
- - C:\Users\Admin\AppData\Local\Temp\2024-09-17_80be5927fd12a2f3b00f8d66b0fb91b7_cobalt-strike_cobaltstrike_hijackloader_karagany_mafia_poet-rat_dd7d90ca-b2ac-44db-8555-4013d9ea4aee\g_.exe
    g_.exe
    3⤵
    PID:3796
- - C:\Users\Admin\AppData\Local\Temp\2024-09-17_80be5927fd12a2f3b00f8d66b0fb91b7_cobalt-strike_cobaltstrike_hijackloader_karagany_mafia_poet-rat_dd7d90ca-b2ac-44db-8555-4013d9ea4aee\t.exe
    t.exe
    3⤵
    PID:1336
- - C:\Users\Admin\AppData\Local\Temp\2024-09-17_80be5927fd12a2f3b00f8d66b0fb91b7_cobalt-strike_cobaltstrike_hijackloader_karagany_mafia_poet-rat_dd7d90ca-b2ac-44db-8555-4013d9ea4aee\g.exe
    g.exe
    3⤵
    PID:3628
- - C:\Users\Admin\AppData\Local\Temp\2024-09-17_80be5927fd12a2f3b00f8d66b0fb91b7_cobalt-strike_cobaltstrike_hijackloader_karagany_mafia_poet-rat_dd7d90ca-b2ac-44db-8555-4013d9ea4aee\e.exe
    e.exe
    3⤵
    PID:3224
- - C:\Windows\SysWOW64\attrib.exe
    attrib +s +h C:\GAB
    3⤵
    - Sets file to hidden
    - Views/modifies file attributes
    PID:5460
- - C:\Users\Admin\AppData\Local\Temp\2024-09-17_80be5927fd12a2f3b00f8d66b0fb91b7_cobalt-strike_cobaltstrike_hijackloader_karagany_mafia_poet-rat_dd7d90ca-b2ac-44db-8555-4013d9ea4aee\Bootstraper.exe
    Bootstraper.exe
    3⤵
    PID:5660
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\SalaNses'"
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:6952
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\Desktop'"
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:6960
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Users'"
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:6968
  - - C:\SalaNses\soles.exe
      "C:\SalaNses\soles.exe"
      4⤵
      PID:4872
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\2024-09-17_80be5927fd12a2f3b00f8d66b0fb91b7_cobalt-strike_cobaltstrike_hijackloader_karagany_mafia_poet-rat_dd7d90ca-b2ac-44db-8555-4013d9ea4aee\dng.html
    3⤵
    PID:1584
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xe0,0xe4,0xd8,0xdc,0x108,0x7ffd076446f8,0x7ffd07644708,0x7ffd07644718
      4⤵
      PID:6384
- - C:\Windows\SysWOW64\timeout.exe
    timeout 10
    3⤵
    - Delays execution with timeout.exe
    PID:6468
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /K proxy.bat
    3⤵
    PID:1116
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im explorer.exe
      4⤵
      PID:3784
- - C:\Windows\SysWOW64\notepad.exe
    "C:\Windows\System32\notepad.exe" "C:\GAB\5341.CompositeFont"
    3⤵
    - Opens file in notepad (likely ransom note)
    PID:5412
- - C:\Windows\SysWOW64\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\GAB\5341.ini
    3⤵
    - Opens file in notepad (likely ransom note)
    PID:6584
- - C:\Windows\SysWOW64\fontview.exe
    "C:\Windows\System32\fontview.exe" C:\GAB\5341.ttc
    3⤵
    PID:6592
- - C:\Windows\SysWOW64\fontview.exe
    "C:\Windows\System32\fontview.exe" C:\GAB\5341.TTF
    3⤵
    PID:7144
- - C:\Users\Admin\AppData\Local\Temp\2024-09-17_80be5927fd12a2f3b00f8d66b0fb91b7_cobalt-strike_cobaltstrike_hijackloader_karagany_mafia_poet-rat_dd7d90ca-b2ac-44db-8555-4013d9ea4aee\cobstrk.exe
    cobstrk.exe
    3⤵
    PID:6948
  - - C:\Windows\System\kyKbdwC.exe
      C:\Windows\System\kyKbdwC.exe
      4⤵
      PID:6376
  - - C:\Windows\System\HExiWLv.exe
      C:\Windows\System\HExiWLv.exe
      4⤵
      PID:7060
  - - C:\Windows\System\xYULzhJ.exe
      C:\Windows\System\xYULzhJ.exe
      4⤵
      PID:1776
  - - C:\Windows\System\TBXffzN.exe
      C:\Windows\System\TBXffzN.exe
      4⤵
      PID:6632
  - - C:\Windows\System\HRCUEGV.exe
      C:\Windows\System\HRCUEGV.exe
      4⤵
      PID:4276
  - - C:\Windows\System\vTRZgNy.exe
      C:\Windows\System\vTRZgNy.exe
      4⤵
      PID:4012
  - - C:\Windows\System\dFZIDLV.exe
      C:\Windows\System\dFZIDLV.exe
      4⤵
      PID:4148
  - - C:\Windows\System\WMtsTIn.exe
      C:\Windows\System\WMtsTIn.exe
      4⤵
      PID:3476
  - - C:\Windows\System\idrvIOe.exe
      C:\Windows\System\idrvIOe.exe
      4⤵
      PID:6860
  - - C:\Windows\System\zZbmjyg.exe
      C:\Windows\System\zZbmjyg.exe
      4⤵
      PID:6448
  - - C:\Windows\System\PZKjspf.exe
      C:\Windows\System\PZKjspf.exe
      4⤵
      PID:6428
  - - C:\Windows\System\TJmnsym.exe
      C:\Windows\System\TJmnsym.exe
      4⤵
      PID:3772
  - - C:\Windows\System\UXDnxCY.exe
      C:\Windows\System\UXDnxCY.exe
      4⤵
      PID:6300
  - - C:\Windows\System\RAUUDKE.exe
      C:\Windows\System\RAUUDKE.exe
      4⤵
      PID:6488
  - - C:\Windows\System\SxHSNYm.exe
      C:\Windows\System\SxHSNYm.exe
      4⤵
      PID:6116
  - - C:\Windows\System\jcAFavo.exe
      C:\Windows\System\jcAFavo.exe
      4⤵
      PID:6692
  - - C:\Windows\System\SphpHXa.exe
      C:\Windows\System\SphpHXa.exe
      4⤵
      PID:2700
  - - C:\Windows\System\lUdHbTQ.exe
      C:\Windows\System\lUdHbTQ.exe
      4⤵
      PID:4388
  - - C:\Windows\System\DShqCku.exe
      C:\Windows\System\DShqCku.exe
      4⤵
      PID:5924
  - - C:\Windows\System\ryfmKnC.exe
      C:\Windows\System\ryfmKnC.exe
      4⤵
      PID:4540
  - - C:\Windows\System\rdlqQeq.exe
      C:\Windows\System\rdlqQeq.exe
      4⤵
      PID:1768
- - C:\Users\Admin\AppData\Local\Temp\2024-09-17_80be5927fd12a2f3b00f8d66b0fb91b7_cobalt-strike_cobaltstrike_hijackloader_karagany_mafia_poet-rat_dd7d90ca-b2ac-44db-8555-4013d9ea4aee\jaf.exe
    jaf.exe
    3⤵
    PID:4200
- - C:\Users\Admin\AppData\Local\Temp\2024-09-17_80be5927fd12a2f3b00f8d66b0fb91b7_cobalt-strike_cobaltstrike_hijackloader_karagany_mafia_poet-rat_dd7d90ca-b2ac-44db-8555-4013d9ea4aee\file.exe
    file.exe
    3⤵
    PID:6252
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
      4⤵
      PID:6992

C:\Windows\system32\efsui.exe
efsui.exe /efs /keybackup
1⤵
PID:1716

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4896

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1428

C:\Windows\system32\BackgroundTaskHost.exe
"C:\Windows\system32\BackgroundTaskHost.exe" -ServerName:BackgroundTaskHost.WebAccountProvider
1⤵
PID:3552

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x4b4 0x150
1⤵
PID:5236

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
PID:4444

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:4324

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:6660

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:6828

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\GAB\5341.CompositeFont

Filesize
42KB

MD5
8f64a583b0823bfc2fdf7277e67b5e16

SHA1
f8029c828d0aef58f8818b866f1f7f1ec2f095b8

SHA256
b637a0f9031088d08147f397836fe1c16b15c70db696db4ddea05ec5b95b4f91

SHA512
e8c7941c8a42f6408b0071c7f0ea06a226757d3a07e3943738296c5dd5e5e60d682424182f0d788f42a5758f1c76ef1ec89901acc43799833234f09f3b4278a2

Download Submit
C:\GAB\5341.TTF

Filesize
241KB

MD5
719f116eabf1519e5b749a0dec4e324e

SHA1
5f275b1df1746a3775dbf21db78fc9d369d8efef

SHA256
c9edfdbc8ddaacbd7bed330c1f17543b567f15c3985ce29b0696158356a51851

SHA512
5ed3a5dbcb10cd78215b6d555cfd41ded1f62fd0109c2dca508f08500bb50d8f5cee91aad0d1315da15c6148d74baf295fe0ed16096351d8cd08c71a5ad2a0a7

Download Submit
C:\GAB\5341.TTF

Filesize
256KB

MD5
67b49a0cbf65b63363db39231af150c0

SHA1
5d80b42b2a23273d313c33c4bb064a22dfc75237

SHA256
fe81959c297f8b631958074004fa956226e6d9c07197b405eb7154803821f686

SHA512
0395d9e31b78f63bd361ac85f9c78e7a2d85a398f6aa84425b20f97a3f052d5341c5a422e7ed3041722415da207f2c3d6c9024bd04a6e3fc34045d13003a78d9

Download Submit
C:\GAB\5341.TTF

Filesize
512KB

MD5
0fd71368914a27a861dfc9313b6d261f

SHA1
ab997d94cde6de44b0e8828a327260ca41a2cc4c

SHA256
a49f382e290a9382cbbbe3b90336c347a98deeea8a84b06250e8eb5bcbeceb0b

SHA512
1c8061c3f2cde5475df4314a97065bc50cfbf91e9299dab63d076f1d084445bdd61e97f6be9d066b9abc7e5af3033489e827e4f6f8d3901cdc2696f34c976271

Download Submit
C:\GAB\5341.TTF

Filesize
282KB

MD5
e7967f8efafafaadcf3db1e09cffce45

SHA1
42c72af4bc6d6f9076073567d1654c7c64db25de

SHA256
707585b9acfc1507d9bd943bb5435f75768274b1a12b1f71de76ad78be4d7e7b

SHA512
4bac5ea1c5f909a07664b5365a0eadf567ce5ede65ece262c45f285946276b7cbce83729f7830f1e3d8c8d0fbd15c63e6508e2e588843427011f58895980de64

Download Submit
C:\GAB\5341.TTF

Filesize
960KB

MD5
b7a55d262d73ad9805bb9350c2013046

SHA1
9a5a69521cfceea052c3dca4736ff7e3f008bbec

SHA256
b635419177afa4928bb579f3e671963e105348eace94780c6231be6b7f7fa6d4

SHA512
d24a2c5487e4b24830c1f464638d11189fbecc9a626358f05be1c39b97cdbce21035d5dbd9a16fb9902d7da4b507bcaa1370e67b99982539541401c7d8a97bea

Download Submit
C:\GAB\5341.TTF

Filesize
5.9MB

MD5
8988e61c6542e0d4e634509a0509e30c

SHA1
ecefb876174badaefee30f48d8193a707de5421e

SHA256
274e5522d8e88884c4c4b72473c69d86a68e4616e2239b1a937e0c5ce729e74c

SHA512
be2d4d3d6d0cb3d0751c4dc773fe4891f13efede2a950400147159287311dbc061edfab4cb6f170222d8cbd091f7a49c466c5fa1a2bf2f243c3629485ba3c66f

Download Submit
C:\GAB\5341.TTF

Filesize
2.3MB

MD5
c34e3e28c24e78dcd55b0a83c643d574

SHA1
b39bc7bb71982b36154d554d7899cffd28af2dda

SHA256
d2f8326a354456d93e78b0537c58793e7072c3617af7d9ee187f10d6d595f510

SHA512
1378e9fb799fb53b1289b8368c0a61f14fcb30bf14060de84022ac0f8075ba3a20da2603b7fc8ab09370e4d7dbecb2bea09306154cfcf8842332c5ad37888de5

Download Submit
C:\GAB\5341.TTF

Filesize
832KB

MD5
5b89f6219ecabddd834effa09a82fe84

SHA1
791f3bf7c315f71f7c40dd557607d59f1a419444

SHA256
1e1cc17e05af9aa024413d876a475acaf53a2b0de1f5a396b06ed299518db98e

SHA512
74b2ebcf8de56497e866a256c1d2c98f01252d459246ed0bc80fe786c77877a07b4b90a9e84697b63221dbdc772dd884062f56068aeefba517cde5d34bfef083

Download Submit
C:\GAB\5341.TTF

Filesize
224KB

MD5
8924123111f4a88ec9a4541aa713db53

SHA1
342cd5a4ce1d036d72ead842478d3ac2514760f9

SHA256
d71f81c83ec63eaa32d36d5df7be1d9e71d3ea9150f47cebda2924923cbbf18a

SHA512
c02ee1f193fb9f5bf1adee4bf6fea02db1f718ec74c6900419cccdc52e4d1ad6e5c540716c717655153f69b0a4daa6b3832ec9222f803efb181ac8954a032c8f

Download Submit
C:\GAB\5341.TTF

Filesize
34KB

MD5
9e2ee65661bee40438d514fe592bfcf8

SHA1
140a77e69329638a5c53dc01fbcfe0ce9ab93423

SHA256
ac9ee085920a3d8b076d5e0c61dc9df42c4bac28d1fc968344f9ceddb3972f69

SHA512
3b3c7ff00d8f12cea48008a2e95c194f7fc64ee96425a3cfefb8b65a9f7dad66fa16104ec1cf96ac6892426e5e8ab59dab91e3d56d76f58753b80f8ac48f2612

Download Submit
C:\GAB\5341.TTF

Filesize
145KB

MD5
23ed00385dab0f612e66eb0d4ac947ab

SHA1
acc115c0f9f6a25bee5ff37f8af4fdd695d8b596

SHA256
6b00590bd7a52a94e9e90e35a28c1d2fa03f83f458d2f2dfbced70a9c1ea0c80

SHA512
8f5d6d8f888f92be698a1d96824e3c735eb847bc8b1ae5835b9da65d4b6bb7c1690636873565e643d7ea6a19107d40e3a267c89bcfd4a896f356d90b38ecb039

Download Submit
C:\GAB\5341.TTF

Filesize
157KB

MD5
5464ae3df57d2c0d20ea1c03486fc859

SHA1
78e91a736e54b94612e123a4a018cef3eb68e229

SHA256
3fcb8fec007b70df2168616a9fb5eb92d25c70729febb59681eb177a18fc74ee

SHA512
688212a73d3bebc0482a3aef86b09507d6a880b53b39427f746f8946756cbaa3a9acc3c0a2de72d5ea4e0d104b8670e0886d99651f175dd1c578d29dd096cca7

Download Submit
C:\GAB\5341.TTF

Filesize
871KB

MD5
2a55f8dd03ff48c2e4df39d7e095d8ea

SHA1
d6be699dba0287f7fd4be9dd8044826ef5abf425

SHA256
4cd6bc2dc330103caf1df18a18b0b0d6679e1485c007866260d538869343a94f

SHA512
58cc0fbc31c2a9da4ab49a0f2e55892537e539baab0fb198cbd988c6f9972bc168c8072c4696a0cc676892bbf1355ab305c978b6bc5832d6811fa1ff95b29315

Download Submit
C:\GAB\5341.fon

Filesize
8KB

MD5
b0ac2d09abc0efc32b28b7e364659a15

SHA1
33738efa553c7dcb30a94055b24fd1a16616bc27

SHA256
a0e5dbe96d1cae29501b481cd98a1eac5f0f662aa367aa9712a419c3c32f4284

SHA512
25853b53eb7c6115546cf59c276142f5aa2e54718f18f98402fa7267cd685601280b2e9f903a4c4e16c74e531bf591f0355fee29b0c702e0c15ba6e00899329f

Download Submit
C:\GAB\5341.fon

Filesize
5KB

MD5
21475b17405b86f37a2c15a1df2733b3

SHA1
e640903a5fa2a800a27b74c73a02ea855dcbd953

SHA256
6e7a86167874f989433a264345e5ea6c0e000861cbca8153858b23d7d35d5ecc

SHA512
5752f5cdd3d6e56de8d6382dced5b7425fead8cbdb21755fb504320157a4aad3a713fb8d5d4d52e843d60b0251b3c14ee6e7720824ace97b9fd8a5dbf7e0d8f0

Download Submit
C:\GAB\5341.fon

Filesize
7KB

MD5
ad75fb38d57de96a18fd5fcad4a282cb

SHA1
2689835e7573d1ea8cfdf6ae7fd77b671baccbc7

SHA256
c7b31d6d41b52ea093fc845bb51f5fc8bb772b278a0cd8d0dac980dc9e6b08eb

SHA512
ef3e09211a3e58428b94bda0f84d84e83e1e76f40b6f633a6a0e4121cfbdd4cf5253627be285e853d8c536a611f8abf6b2cfdff69033e596c56aaa5b625b6bc2

Download Submit
C:\GAB\5341.fon

Filesize
58KB

MD5
2b715a1f340a4704fe4c6f48bdf2aa26

SHA1
927d2e65a46200c75348a24f78ee4561474a1abf

SHA256
3aed0f6ec1e924e669df63b57619656c45814ae8f7bfa481066ccb291c3f8f5c

SHA512
6eb2975cb4a3de4eab7d3808e38a9821de5994490302767ad531fd31144116264878d709f131e3e99d26c41208fc0ebee3bd6779766bc92e8c9aa10d4f19a672

Download Submit
C:\GAB\5341.fon

Filesize
82KB

MD5
5972eeea7971170eb72cab2fc85c2b17

SHA1
d327d96bd78c5e851e065d053829abbb370c0c09

SHA256
9677467feb714a89de457e262ff6647708b7de66127671b77f7e1e92aa0c2f41

SHA512
c55c5217271f29bd3a7a130daa5e5711eff65630127f90112a26bb4ba3dbf416059f9424606bc1998ff4eec874c18767a395e20c3dc516a00079b2c5a7221ed3

Download Submit
C:\GAB\5341.fon

Filesize
12KB

MD5
40f8022c3fe4e1cc97bb794e1b519b3f

SHA1
7ff107451b67b2d432db4706c697a9391c13a6f4

SHA256
6b16818c057024f588f4f423cb1f50d24e092fca3c9b5c8c1943cf5b3ea70759

SHA512
08a85d0203a0534067538ba0c1f40273409f61f212269cb3095df1defc114ff007efcb4c3c4897a345cda17db16c98b88ae61100b9e4636862d26edb8a402ba3

Download Submit
C:\GAB\5341.fon

Filesize
8KB

MD5
991a9300e46c0c263cc9037e48c991dc

SHA1
b57ce6e0c54b7d179ec57f9fc68fdd2c1cc02398

SHA256
5f65c9a7bcf68c5eaa5fcd11a48ce27be79360efb5a7c6ab7def24c9138fef94

SHA512
74c3c7485b328db151282071945489e403cfd9de9bae1605c1401b68bbd461004f45c1de6f6d4c4835b6c37e0fa1425a9de0b184aadea4e70123ef671b8647e1

Download Submit
C:\GAB\5341.fon

Filesize
6KB

MD5
8a5dbabcb9b11e3e0c527b93e69d5e4d

SHA1
c47add614ece5ed16ca456bac08b1f2cbaccfec9

SHA256
824ea3f5eabd9c3b8e0041e78935feb65545f58760ce0c47a0d938ad75f8e241

SHA512
ddcb3520d68321e6372630cb34473c7b310ffed1263cde8e1059837e63e42e7a7e644537044dee774e9ea3e912e485f2630bc106233e039ea925355ec29921c0

Download Submit
C:\GAB\5341.fon

Filesize
79KB

MD5
05dec8bd7dcfd336fbaec1d7990c2a6c

SHA1
b4282de627e9b658d99e298116a2614c7c6f9820

SHA256
f880eac4ec426f6055fd82434d4a0f2eba62b9e62103a09b772acbeba3ec0b50

SHA512
cfbf50f33428e1feae572da739fbf822518cb692d72e7cd08e9fdfb0528fd659f227a7981e980128c91a7f855aa39c06e6bb6bcd922295e063333d1c4f03ed01

Download Submit
C:\GAB\5341.fon

Filesize
68KB

MD5
5e142e4d090d689cd44fa8fe9882a743

SHA1
0301f8c9422f933c9d7a65bbe4f7c45feb4fef24

SHA256
a23e6b523d0e3d16cd197e5a525e3f299144577dbdb860ab91e7c14652aad3d4

SHA512
23f77ca93a178d4fdecf54ca1cb6cbc8d6c816deddc630d90fcaa5f3d028a9db29301d32b200c70bcbeb94c8491bd44ffeef51233cfeb011e2081825b167ba16

Download Submit
C:\GAB\5341.fon

Filesize
4KB

MD5
9d2bf033acde5a212f6f5404d490e169

SHA1
a0e28adf40a9d06710d20071dcaba2569b91b1dd

SHA256
93e7c6c123d9b53a2d933f63093b4b85302023517f56abf057f9ef8a94d83b8b

SHA512
8dcb0dd9dc72c2de61e26932b72d5923a43b0f512e8d2df5334f478a78ee80f492bb8cb193dd3a314a6a19dd95e4899b40e7b76c3b1f767f5e8b46d1b1b3c00d

Download Submit
C:\GAB\5341.ttc

Filesize
4.8MB

MD5
04b9b47c0780c7ebb6583586a0f13e32

SHA1
d2fb453fd9a8d8103163c7d322198e8669e768c6

SHA256
00d8d10409fbd3597e4ba52e26e3dc87808a6364d2bf0e2a6d9226bfbf4b1e2a

SHA512
37374f4dfe86b4aa7d477c25906107d9145b03876ca2b5e6d36ea00d0a41db7b488eb44ec24c475d09bdd02fc144219293304049be60162da1f2140dfc9586b6

Download Submit
C:\GAB\5341.ttc

Filesize
957KB

MD5
34d86bf9a98bacadc4a8020f49ddfc50

SHA1
26461f5443f6fc2bc46b6d6dd1a877edf9a1ce68

SHA256
eb249cc7781608d57ed6c7f777b5b78e44e9d0303df0f3486699717cbbbb6dcb

SHA512
123c0e32fdd309150d8ec193faa35e721d68b9739ed8e75247d68346d6a8eaeb7cc2262cda4ae55d8e5e5d9fc75fa248bcebbccb2180ab4fbee0f7652607f23c

Download Submit
C:\GAB\5341.ttc

Filesize
13.0MB

MD5
e868c731ec770c425dbc74881b3ca936

SHA1
a8dc99a2e0bc3360f8441243aab13fe7279a759a

SHA256
1e5a4b342c6417bb9352e8c29cb839413987a06438e7b48fd0320925827f289c

SHA512
51bbdbcd06bc41c1ef6a589ca2b6300f1f9350d11b8bfa60605c7a68a0d6a714998bec6060cbc3b27dd2d1485d57f344890b0278d7313dbdb5593334ceea3b49

Download Submit
C:\SalaNses\soles.exe

Filesize
1.2MB

MD5
acebc69ae67997867002990dae3f699d

SHA1
8483b45b2faaa21ad548e72fb49ae3a08143334e

SHA256
f545fbcf52e694eaed07f7869ee67d1dffea29a3769e2482f5eccb3c21148442

SHA512
6c9f88407ffbf228f44270c28d0eeba804a8f3198454becebdd5f2d13eda5c1f0407f1e98569bbcd490225a10ba6e1917c1af1971bd1f636a71250b602dcbf28

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\070E0202839D9D67350CD2613E78E416

Filesize
1KB

MD5
55540a230bdab55187a841cfe1aa1545

SHA1
363e4734f757bdeb89868efe94907774a327695e

SHA256
d73494e3446b02167573b3cde3ae1c8584ac26e15e45ac3ec0326708425d90fb

SHA512
c899cb1d31d3214fd9dc8626a55e40580d3b2224bf34310c2abd85d0f63e2dedaeae57832f048c2f500cb2cbf83683fcb14139af3f0b5251606076cdb4689c54

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\070E0202839D9D67350CD2613E78E416

Filesize
230B

MD5
1af420c5e8c31accc87e1dee1ef4e9c9

SHA1
8d702bedb68c719407ec1c08255cbcc1ffb25ad3

SHA256
d858cac08b499964a4fbdc3671484e7e1edbf4b714e712881f949cd2f40856e4

SHA512
fbc1d7e77a74a4db711366ca5f89e1f3c04036475e0d756131d2d3106f5aab3800b2eefb0423bf63bf972bdf91368bdd07292270d5739de242ea4a1ca54e845b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
968cb9309758126772781b83adb8a28f

SHA1
8da30e71accf186b2ba11da1797cf67f8f78b47c

SHA256
92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

SHA512
4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
2dc1a9f2f3f8c3cfe51bb29b078166c5

SHA1
eaf3c3dad3c8dc6f18dc3e055b415da78b704402

SHA256
dcb76fa365c2d9ee213b224a91cdd806d30b1e8652d72a22f2371124fa4479fa

SHA512
682061d9cc86a6e5d99d022da776fb554350fc95efbf29cd84c1db4e2b7161b76cd1de48335bcc3a25633079fb0bd412e4f4795ed6291c65e9bc28d95330bb25

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e4f80e7950cbd3bb11257d2000cb885e

SHA1
10ac643904d539042d8f7aa4a312b13ec2106035

SHA256
1184ee8d32d0edecddd93403fb888fad6b3e2a710d37335c3989cc529bc08124

SHA512
2b92c9807fdcd937e514d4e7e1cc7c2d3e3aa162099b7289ceac2feea72d1a4afbadf1c09b3075d470efadf9a9edd63e07ea7e7a98d22243e45b3d53473fa4f0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
384B

MD5
7e9ddc6cf89ddd88847c7d025595a5ae

SHA1
4d8a10d095bf392808f53300ddc43d0b683110b6

SHA256
d086a3a4b963043a80ee117c09153c288527d1f0ace705b46ac0df86c7d0a156

SHA512
df0c922a3b5f1328663bd4d4ecf21e2080501ae9478aa16766c75e30fdbb735566ae3133b332596e9085499a0904cc692e0c3c3110409cafbbe4b7c673498991

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
5KB

MD5
acadf6b66c0ce9341c2ad08eef48d626

SHA1
39cc85e6e914cfcf0ff2d2f85c47a5b13dde04b8

SHA256
fdff8e8971fbb344225e275f66a379809a53e351327331af71253abb509013f9

SHA512
9bb4cf5bededb4eaa944b3aacd21cb66c1b2421663b179a62bebd5b2db6286b5bb237f98d3fb2f814f34e3e23768432344bcc5f42802a9cec3b2a071eb961254

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
9660584e399a89242cbf3b492fb67392

SHA1
3b757590aaf3671e5490c15a34f212264978a9c9

SHA256
27cb90a69ff8b2675fb0dc72c1183ccbd97a487ed8600f8f81e5fb3451f337f0

SHA512
a67ae8a616ee3c75aa66d822d731b6f05d047611b25c83ca50218a4c7924b93a5c6c57867755283a24865500e35a4aebcb781850a3696121af5ae9f9eb03dc4e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
dfa846a6807fd1b7ce68f2b80e4396c1

SHA1
548b14e92dcaf97ae81dccb8dc0996ef353e7734

SHA256
fca035fd8cb3097b175a83aaada0b4751d1ccfdc3993cdd0edec5d454525162d

SHA512
04834150413d1a1182766942d74fb4398b24639facbd52a3fa67165ad410ba534b3afb3c31740649395731d2f202b1a3464c09675fef33d927bee48c7e220dd7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
6875f35c084d777668658df457871ac8

SHA1
7d8ba907f2e0c372e1e174061128030429d12a4b

SHA256
84e900744b74f7a461677a8feac1f7bad6edb7a2384c5debd1a31b5f5cfbdfec

SHA512
d9382961c93ca09a7b5544f3b35b47fd132d573a8bbf36a16fa3ae11d14f189cb1e0b3f0ac75155ed7eead7a70fcb12b77290edc40dfd7b22d19f0f5512e7353

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
fefa210503177d960d55a78cd33416b7

SHA1
8cba7f1a77998a3242152dd6b5e63fb41058938e

SHA256
85cbba4a596b7b6e8a60daa4adaad0a52ebb9a538cd848a5e3160ee64bc9f424

SHA512
e5d212b720885688d76adbbbf25e5ed21b4fedae505e56a2d246f0d62b3f8249cefdc94443c95ea748b492bd358222d7d6b3230aeebd67ec4e2fcd7284af8d44

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
1d8051ceaa3464d04641cb44646188d7

SHA1
e1f1331b03ba1004cca4279a2f9c5c287e6f2751

SHA256
d9f53e666bb87ab88d375bbcaae822aabb31a7fb7df807e0d19a659b1fd8d2a4

SHA512
7121246b365cfaa300d8b9dd27efbdb465f767556e011028a44ec92af36da7310188fe93cce05797765c97eba4f8b0c6726f0bbfaea796b38364dbdb4f90daf6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
334263f17120de890c8a7cbc2cba734b

SHA1
f1c44979ffe8e6ab8653f5ad93fa7c182566a17d

SHA256
c2f80110e5c4ca4d807f57c22c2dd27980d7a4d75d1ddac30bad324a0a4a64ea

SHA512
75f453de96a588b86d3e872b9e140c0a64bbae7e31d5872a8e1efa1776b423347bd358a8fc8af3cfa1049148ce7225d7a18dd93eea7b5dd2bc83ec739bdf583a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
13266b314436bfd6f7958405c9014551

SHA1
dc442f4de16ae91f4680856e1eebda85fa6dadb9

SHA256
e5f3cf9fe047e4fffca9c59e6d1aa0e26d18e77419fd61446268bae10745da57

SHA512
302b5de3602c1b329910bcb57775c6dae9fa4c20fcb9bbe99e798c70c940e0558166696d7a41539164d1c4e3d08da6310d0be1852ac80cf737cc53c98703bf0f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
406fdfeed795fa9a94d07a2563aff122

SHA1
9f445a86470a7726828d94c6b04855f7305d1d1c

SHA256
e092bcd3404ebbeda81ff09e28ba19c643f4388a05c409e91784a970b905f073

SHA512
39e75af9b28f92c18251f7f81caecd0546108fb1d195c427751775bcb78e845c5394f4edf95504180a28181532d8b04857ff8b4e99359d11f79dcaf6be1ab264

Download Submit
C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\opera_package_202409170400521\additional_file0.tmp

Filesize
1.4MB

MD5
e9a2209b61f4be34f25069a6e54affea

SHA1
6368b0a81608c701b06b97aeff194ce88fd0e3c0

SHA256
e950f17f4181009eeafa9f5306e8a9dfd26d88ca63b1838f44ff0efc738e7d1f

SHA512
59e46277ca79a43ed8b0a25b24eff013e251a75f90587e013b9c12851e5dd7283b6172f7d48583982f6a32069457778ee440025c1c754bf7bb6ce8ae1d2c3fc5

Download Submit
C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\setup.exe

Filesize
6.4MB

MD5
defd30ea336650cc29c0c79fad6fa6b5

SHA1
935d871ed86456c6dd3c83136dc2d1bda5988ff3

SHA256
015a13bd912728e463df6807019b1914dffc3e6735830472e3287150a02e13f4

SHA512
8c6ebbf398fb44ff2254db5a7a2ffbc8803120fa93fa6b72c356c6e8eca45935ab973fe3c90d52d5a7691365caf5b41fe2702b6c76a61a0726faccc392c40e54

Download Submit
C:\Users\Admin\AppData\Local\Temp\2024-09-17_80be5927fd12a2f3b00f8d66b0fb91b7_cobalt-strike_cobaltstrike_hijackloader_karagany_mafia_poet-rat_dd7d90ca-b2ac-44db-8555-4013d9ea4aee\!m.bat

Filesize
1KB

MD5
b3bc9de5b2d1fc6997532ffc8cef44a7

SHA1
59d711d68d222d2e8091535e6ceb8deccd549785

SHA256
cc11089fbc22f48af01af3814eb7660ed135398ed55414fa4810882f2db84202

SHA512
ab195f85e1935edd242e1f040a3409dde85d218062479bfe61ec7fbf64ecc69a413dc7be16faa141c5b180415cd4de943d6e0284467c79a737d18c7720079e1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\2024-09-17_80be5927fd12a2f3b00f8d66b0fb91b7_cobalt-strike_cobaltstrike_hijackloader_karagany_mafia_poet-rat_dd7d90ca-b2ac-44db-8555-4013d9ea4aee\PurchaseOrder.exe

Filesize
934KB

MD5
f7f32729079353000cd97b90aa314cc1

SHA1
21dbddeea2b634263c8fbf0d6178a9751d2467b8

SHA256
8e29aa00863b1746ba25132f7ecb7bcb869d3a7e647dc8d6d3255491c5ac5212

SHA512
2c40c12b81e7c377ddf0a6691ebeedc895dcf02c9211a1563b840de735fab77968565b1d3d0c40cc0b2b583fd4bfa1c69f995fca758ea85f548bf5797b5bf847

Download Submit
C:\Users\Admin\AppData\Local\Temp\2024-09-17_80be5927fd12a2f3b00f8d66b0fb91b7_cobalt-strike_cobaltstrike_hijackloader_karagany_mafia_poet-rat_dd7d90ca-b2ac-44db-8555-4013d9ea4aee\anti.exe

Filesize
1.9MB

MD5
cb02c0438f3f4ddabce36f8a26b0b961

SHA1
48c4fcb17e93b74030415996c0ec5c57b830ea53

SHA256
64677f7767d6e791341b2eac7b43df90d39d9bdf26d21358578d2d38037e2c32

SHA512
373f91981832cd9a1ff0b8744b43c7574b72971b5b6b19ea1f4665b6c878f7a1c7834ac08b92e0eca299eb4b590bf10f48a0485350a77a5f85fc3d2dd6913db3

Download Submit
C:\Users\Admin\AppData\Local\Temp\2024-09-17_80be5927fd12a2f3b00f8d66b0fb91b7_cobalt-strike_cobaltstrike_hijackloader_karagany_mafia_poet-rat_dd7d90ca-b2ac-44db-8555-4013d9ea4aee\avg.exe

Filesize
5.8MB

MD5
0dc93e1f58cbb736598ce7fa7ecefa33

SHA1
6e539aab5faf7d4ce044c2905a9c27d4393bae30

SHA256
4ec941f22985fee21d2f9d2ae590d5dafebed9a4cf55272b688afe472d454d36

SHA512
73617da787e51609ee779a12fb75fb9eac6ed6e99fd1f4c5c02ff18109747de91a791b1a389434edfe8b96e5b40340f986b8f7b88eac3a330b683dec565a7eff

Download Submit
C:\Users\Admin\AppData\Local\Temp\2024-09-17_80be5927fd12a2f3b00f8d66b0fb91b7_cobalt-strike_cobaltstrike_hijackloader_karagany_mafia_poet-rat_dd7d90ca-b2ac-44db-8555-4013d9ea4aee\bundle.exe

Filesize
429KB

MD5
ae4581af98a5b38bce860f76223cb7c9

SHA1
6aa1e2cce517e5914a47816ef8ca79620e50e432

SHA256
7c4b329a4018dc7e927a7d1078c846706efae6e6577f6809defaa51b636e7267

SHA512
11ad90a030999bbb727dbfde7943d27f2442c247633cde5f9696e89796b0f750f85a9be96f01fa3fd1ec97653a334b1376d6bb76d9e43424cabe3a03893ecf04

Download Submit
C:\Users\Admin\AppData\Local\Temp\2024-09-17_80be5927fd12a2f3b00f8d66b0fb91b7_cobalt-strike_cobaltstrike_hijackloader_karagany_mafia_poet-rat_dd7d90ca-b2ac-44db-8555-4013d9ea4aee\butdes.exe

Filesize
2.8MB

MD5
1535aa21451192109b86be9bcc7c4345

SHA1
1af211c686c4d4bf0239ed6620358a19691cf88c

SHA256
4641af6a0071e11e13ad3b1cd950e01300542c2b9efb6ae92ffecedde974a4a6

SHA512
1762b29f7b26911a7e6d244454eac7268235e2e0c27cd2ca639b8acdde2528c9ddf202ed59ca3155ee1d6ad3deba559a6eaf4ed74624c68688761e3e404e54da

Download Submit
C:\Users\Admin\AppData\Local\Temp\2024-09-17_80be5927fd12a2f3b00f8d66b0fb91b7_cobalt-strike_cobaltstrike_hijackloader_karagany_mafia_poet-rat_dd7d90ca-b2ac-44db-8555-4013d9ea4aee\code.js

Filesize
4KB

MD5
016bf2cf2bad527f1f1ea557408cb036

SHA1
23ab649b9fb99da8db407304ce9ca04f2b50c7b4

SHA256
17bb814cfaa135628fd77aa8a017e4b0dcd3c266b8cdca99e4d7de5d215643c0

SHA512
ac2d4f51b0b1da3c544f08b7d0618b50514509841f81bc9dad03329d5c1a90e205795a51ca59522d3aa660fb60faae19803eceeeea57f141217a6701a70510e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\2024-09-17_80be5927fd12a2f3b00f8d66b0fb91b7_cobalt-strike_cobaltstrike_hijackloader_karagany_mafia_poet-rat_dd7d90ca-b2ac-44db-8555-4013d9ea4aee\doc.html

Filesize
15KB

MD5
5622e7755e5f6585a965396b0d528475

SHA1
b059dc59658822334e39323b37082374e8eeaac4

SHA256
080cb8ef0cbf5a5de9163b365eec8b29538e579f14a9caa45c0f11bc173c4147

SHA512
62f5abda3473ca043bf126eed9d0bcc0f775b5ac5f85b4fe52d1d656f476f62188d22cf79b229059a5d05e9258980c787cb755f08ca86e24e5f48655b5447f8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\2024-09-17_80be5927fd12a2f3b00f8d66b0fb91b7_cobalt-strike_cobaltstrike_hijackloader_karagany_mafia_poet-rat_dd7d90ca-b2ac-44db-8555-4013d9ea4aee\download.jpg

Filesize
8KB

MD5
01a5131931ef35acecbe557ba13f3954

SHA1
c7afc7590d469432704d963ffcee31ad8bcfc175

SHA256
d364872ddde28d81d23bb3b08f9e86f921b542f3a35fcaf12549cf5666462bd0

SHA512
ce32352484d676bd0f47c24808707c603fe9f09e41afd63d90f07599f13a5e32c73b0970a9964632f76f5843dda87a033340ee12fadd87b9f219329d0c69b02e

Download Submit
C:\Users\Admin\AppData\Local\Temp\2024-09-17_80be5927fd12a2f3b00f8d66b0fb91b7_cobalt-strike_cobaltstrike_hijackloader_karagany_mafia_poet-rat_dd7d90ca-b2ac-44db-8555-4013d9ea4aee\favicon.ico

Filesize
5KB

MD5
e0c7cc30d8f9a3cf0140bf838198571b

SHA1
2494a9ab234b90ff0a3cc2dbc152483fb540afd3

SHA256
73bb7f4a70650054fb42f4c7ab85d9a683253a0df26703ecd4a2bb3155d93cb4

SHA512
7b87a3296fd984d89dacfa70bdc274ed9faf553c3e086d3e865ed7a2e55f92fbb55bd270a5863ebb6b95f3ce26d321b5936665741300676863f40111b95a6e75

Download Submit
C:\Users\Admin\AppData\Local\Temp\2024-09-17_80be5927fd12a2f3b00f8d66b0fb91b7_cobalt-strike_cobaltstrike_hijackloader_karagany_mafia_poet-rat_dd7d90ca-b2ac-44db-8555-4013d9ea4aee\fence.bat

Filesize
167B

MD5
6465a5431e01a80bf71aca9e9698e5b0

SHA1
d56ed108f13a6c49d57f05e2bf698778fd0b98dc

SHA256
1c5f05fecfc1f4fd508f1d3bbb93a47e8b8196b9eded5de7152a6fa57ca7580f

SHA512
db7f64b8af595d0bf6fd142471868df6d29ec7cfbb49a7e0da63d9bc8ca8f319e4c41f2c7baeafe17a3679861163400ccb36c18617982b244aaf482e9c264e55

Download Submit
C:\Users\Admin\AppData\Local\Temp\2024-09-17_80be5927fd12a2f3b00f8d66b0fb91b7_cobalt-strike_cobaltstrike_hijackloader_karagany_mafia_poet-rat_dd7d90ca-b2ac-44db-8555-4013d9ea4aee\flydes.exe

Filesize
833KB

MD5
b401505e8008994bf2a14fdf0deac874

SHA1
e4f7f375b1e88dd71a0274a997ed5d9491bde068

SHA256
6bcf6b84d71737787e3cc8d9d0eed9720f388cc2d0337832a7e8ca3c6f455a41

SHA512
1bca98547ecf5a98d42b1d77cff50ca79ee560c893b2470aeb86887fef6e40a5ccdb72956f04a1d2a862827eebd3b7746e3043f3e6209597dcde9385ed55cc11

Download Submit
C:\Users\Admin\AppData\Local\Temp\2024-09-17_80be5927fd12a2f3b00f8d66b0fb91b7_cobalt-strike_cobaltstrike_hijackloader_karagany_mafia_poet-rat_dd7d90ca-b2ac-44db-8555-4013d9ea4aee\fries.jpg

Filesize
12KB

MD5
c4d9d3cd21ef4de91abc95f99c4bc7dc

SHA1
b2cf457237c44c824068727b8440fe6a352a360c

SHA256
6fd1c3bde9a6a478e39d1cf2121e980c0bcf59454fe1673d707aa70170953bc9

SHA512
d10fbb0bdfb30160484950aa58bd2f97c38cf2d0914550b4041c9acd273e8013920ef1ee74216f92437a44ab81111a4c70ed3dc2df680ee4d187c22557900ee7

Download Submit
C:\Users\Admin\AppData\Local\Temp\2024-09-17_80be5927fd12a2f3b00f8d66b0fb91b7_cobalt-strike_cobaltstrike_hijackloader_karagany_mafia_poet-rat_dd7d90ca-b2ac-44db-8555-4013d9ea4aee\gx.exe

Filesize
3.1MB

MD5
80bf3bf3b76c80235d24f7c698239089

SHA1
7f6071b502df985580e7c469c6d092472e355765

SHA256
2b95e56af10406fbd3ecee38dab9e9c4a9b990d087f2ad2d7b1981c087829da2

SHA512
076b8b6a80ea15738ce682cc715792546582d7a74f971f94f6b5b9cf8164f01280322baec7f72894ac4b8d63b9f2f6074e8fc5e47880ef6c0b57a47beef3581a

Download Submit
C:\Users\Admin\AppData\Local\Temp\2024-09-17_80be5927fd12a2f3b00f8d66b0fb91b7_cobalt-strike_cobaltstrike_hijackloader_karagany_mafia_poet-rat_dd7d90ca-b2ac-44db-8555-4013d9ea4aee\i.exe

Filesize
12KB

MD5
cea5426da515d43c88132a133f83ce68

SHA1
0c224d0bb777f1e3b186fdf58cc82860d96805cc

SHA256
2be7a0865ded1c0bd1f92d5e09bb7b37a9e36a40487a687e0359c93878611a78

SHA512
4c1f25147222c84dff513bebf00e828719454ad634ef9380cfc7835f0457a718b4b437ecb60c1fa72a7f83fbb67e1ddfcd225194eedda77034c72f8c752c642c

Download Submit
C:\Users\Admin\AppData\Local\Temp\2024-09-17_80be5927fd12a2f3b00f8d66b0fb91b7_cobalt-strike_cobaltstrike_hijackloader_karagany_mafia_poet-rat_dd7d90ca-b2ac-44db-8555-4013d9ea4aee\images.jpg

Filesize
13KB

MD5
49f4fe0c8646909c7cf87adf68d896fd

SHA1
9193264c38e5ed9fa0f5be1d79f802cf946a74cf

SHA256
9292dfcddc9e88e5dbc095ceeb83ce23400a3405a4d47fffc80656941c87d5ec

SHA512
9df4db8c958110cea66f627170919346ed673d3c13aa55292484fc74ebac2864b0292cd4d66d35957b4b2740b2fe30ddfb9d9e04115d655fb58bf39e100d285e

Download Submit
C:\Users\Admin\AppData\Local\Temp\2024-09-17_80be5927fd12a2f3b00f8d66b0fb91b7_cobalt-strike_cobaltstrike_hijackloader_karagany_mafia_poet-rat_dd7d90ca-b2ac-44db-8555-4013d9ea4aee\infected.html

Filesize
972B

MD5
f48be9db7436f1c53508f1ad70064459

SHA1
16b20d3933cc6398859f1334a848982cccfd8501

SHA256
f79460fad80962fabe51f271a2ad33fd54c418fbb0a8646c1d78654696d7d7b2

SHA512
c7870b4fd16827817fa16c68f9d1a51270cfd9dc052861977a12ffcbc91a1668c82f168f8b33661d68579cfed766e15d0e436794d0eed164946eb9927355b638

Download Submit
C:\Users\Admin\AppData\Local\Temp\2024-09-17_80be5927fd12a2f3b00f8d66b0fb91b7_cobalt-strike_cobaltstrike_hijackloader_karagany_mafia_poet-rat_dd7d90ca-b2ac-44db-8555-4013d9ea4aee\nuggets.webp

Filesize
32KB

MD5
e40209599b592630dcac551daeb6b849

SHA1
851150b573f94f07e459c320d72505e52c3e74f0

SHA256
3c9aefa00fb2073763e807a7eccac687dcc26598f68564e9f9cf9ffdcd90a2be

SHA512
6da5895f2833a18ddb58ba4a9e78dd0b3047475cae248e974dc45d839f02c62772a6ba6dfe51dd9a37f29b7ec9780e799f60f0e476655006dec693164e17eec2

Download Submit
C:\Users\Admin\AppData\Local\Temp\2024-09-17_80be5927fd12a2f3b00f8d66b0fb91b7_cobalt-strike_cobaltstrike_hijackloader_karagany_mafia_poet-rat_dd7d90ca-b2ac-44db-8555-4013d9ea4aee\rckdck.exe

Filesize
6.2MB

MD5
a79fb1a90fb3d92cf815f2c08d3ade6d

SHA1
25e5e553af5e2d21b5cfc70ba41afb65202f6fd5

SHA256
43759b0c441fd4f71fe5eeb69f548cd2eb40ac0abfa02ea3afc44fbddf28dc16

SHA512
82aa45337987c4f344361037c6ca8cf4fbf0fc1e5079ac03f54f3184354792965f6f3b28bd2ab7b511d21f29859e2832fc6b6122a49ddecde12afc7e26fd62dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\2024-09-17_80be5927fd12a2f3b00f8d66b0fb91b7_cobalt-strike_cobaltstrike_hijackloader_karagany_mafia_poet-rat_dd7d90ca-b2ac-44db-8555-4013d9ea4aee\screenscrew.exe

Filesize
111KB

MD5
e87a04c270f98bb6b5677cc789d1ad1d

SHA1
8c14cb338e23d4a82f6310d13b36729e543ff0ca

SHA256
e03520794f00fb39ef3cfff012f72a5d03c60f89de28dbe69016f6ed151b5338

SHA512
8784f4d42908e54ecedfb06b254992c63920f43a27903ccedd336daaeed346db44e1f40e7db971735da707b5b32206be1b1571bc0d6a2d6eb90bbf9d1f69de13

Download Submit
C:\Users\Admin\AppData\Local\Temp\2024-09-17_80be5927fd12a2f3b00f8d66b0fb91b7_cobalt-strike_cobaltstrike_hijackloader_karagany_mafia_poet-rat_dd7d90ca-b2ac-44db-8555-4013d9ea4aee\stopwatch.exe

Filesize
68KB

MD5
338a4b68d3292aa22049a22e9292e2a2

SHA1
9595e6f6d5e18a3e71d623ac4012e7633b020b29

SHA256
490d833205f9dfe4f1950d40c845489aa2d2039a77ab10473384986f8442ea6f

SHA512
06bc6463b65508d050c945d5bf08078eecd6982c74c7bab2a6722b99523189d24f530c10c05577e0dbd5b46e896d472112d036023ef5e576e2a8f9401b8668a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Opera_installer_2409170400521915448.dll

Filesize
5.9MB

MD5
640ed3115c855d32ee1731c54702eab7

SHA1
1ac749b52794cbadfec8d9219530e9a79fc9427c

SHA256
29b4cabc7a0e9dffbc2395b976749be0aad88357dd3b1d7e0cfc9b0c645421a3

SHA512
bebe55fdbb363b78c4a6371304f65b89e03a03cee5a8ebceee1681261d8df64a0de36888ed763c3a607ae2732ab54e2e41edb624f37a7fdf8755c40e6bb96f53

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_2gjp2jd2.qer.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-BCGL9.tmp\is-E3MH3.tmp

Filesize
659KB

MD5
5aa68bb2bf3b994bda93834ad34e7963

SHA1
0156732d5dd48feacfab3aa07764061d73b9116c

SHA256
a90bfd9874c3e60650dba4c286b97ccdb375a456b95556feb38f3cba214770aa

SHA512
e52fecbba96aa911552ef0e11d5d044ec44caf6e0947f64c9a17b04d846a3e86d19e4dfa5ac981fc98d44f941fda3a697c1d23ac6e8ef162f4bcdde9142f22f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-N5EEC.tmp\butdes.tmp

Filesize
688KB

MD5
c765336f0dcf4efdcc2101eed67cd30c

SHA1
fa0279f59738c5aa3b6b20106e109ccd77f895a7

SHA256
c5177fdc6031728e10141745cd69edbc91c92d14411a2dec6e8e8caa4f74ab28

SHA512
06a67ac37c20897967e2cad453793a6ef1c7804d4c578404f845daa88c859b15b0acb51642e6ad23ca6ba6549b02d5f6c98b1fa402004bdbf9d646abab7ec891

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsj4265.tmp\CR.History.tmp

Filesize
160KB

MD5
f310cf1ff562ae14449e0167a3e1fe46

SHA1
85c58afa9049467031c6c2b17f5c12ca73bb2788

SHA256
e187946249cd390a3c1cf5d4e3b0d8f554f9acdc416bf4e7111fff217bb08855

SHA512
1196371de08c964268c44103ccaed530bda6a145df98e0f480d8ee5ad58cb6fb33ca4c9195a52181fe864726dcf52e6a7a466d693af0cda43400a3a7ef125fad

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsj4265.tmp\CR.History.tmp

Filesize
124KB

MD5
5f71487f6312775c482616b57ca83a82

SHA1
f180cfc0f86fa895fc0ef5f6a816e87184cd2fac

SHA256
5761061eb8a1f44e601b64bd534fec8ac5f17f34764ebb4924073ab36f48c4a9

SHA512
20a35b56d13b247202e1d70595baf35e494dada366231ea297860848433b167650d581c57847a517f9268f7b7c07d4a57885f70017b3fe2c53e07cb20804459e

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsj4265.tmp\FF.places.tmp

Filesize
5.0MB

MD5
9a819f204acf10eaba4d3e5aae8afd0a

SHA1
3d48f4d5e04ca1f82207b8d486476baf890cee5b

SHA256
b602703e04c7fd7786f8b2e581657725ddac7de1d76cd72f3d14f44c128508ab

SHA512
3331e8b7f7029bdfad95d0f84e29856a809294e4aa7834e72ca31082513f9c5a09e9f2964ce831b3ba10671d783bb72d71a269483e4e1d96a5f304a5337ce5d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsj4265.tmp\JsisPlugins.dll

Filesize
2.1MB

MD5
d21ae3f86fc69c1580175b7177484fa7

SHA1
2ed2c1f5c92ff6daa5ea785a44a6085a105ae822

SHA256
a6241f168cacb431bfcd4345dd77f87b378dd861b5d440ae8d3ffd17b9ceb450

SHA512
eda08b6ebdb3f0a3b6b43ef755fc275396a8459b8fc8a41eff55473562c394d015e5fe573b3b134eeed72edff2b0f21a3b9ee69a4541fd9738e880b71730303f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsj4265.tmp\Midex.dll

Filesize
126KB

MD5
2597a829e06eb9616af49fcd8052b8bd

SHA1
871801aba3a75f95b10701f31303de705cb0bc5a

SHA256
7359ca1befdb83d480fc1149ac0e8e90354b5224db7420b14b2d96d87cd20a87

SHA512
8e5552b2f6e1c531aaa9fd507aa53c6e3d2f1dd63fe19e6350c5b6fbb009c99d353bb064a9eba4c31af6a020b31c0cd519326d32db4c8b651b83952e265ffb35

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsj4265.tmp\StdUtils.dll

Filesize
195KB

MD5
34939c7b38bffedbf9b9ed444d689bc9

SHA1
81d844048f7b11cafd7561b7242af56e92825697

SHA256
b127f3e04429d9f841a03bfd9344a0450594004c770d397fb32a76f6b0eabed0

SHA512
bc1b347986a5d2107ad03b65e4b9438530033975fb8cc0a63d8ef7d88c1a96f70191c727c902eb7c3e64aa5de9ce6bb04f829ceb627eda278f44ca3dd343a953

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsj4265.tmp\jsis.dll

Filesize
127KB

MD5
2027121c3cdeb1a1f8a5f539d1fe2e28

SHA1
bcf79f49f8fc4c6049f33748ded21ec3471002c2

SHA256
1dae8b6de29f2cfc0745d9f2a245b9ecb77f2b272a5b43de1ba5971c43bf73a1

SHA512
5b0d9966ecc08bcc2c127b2bd916617b8de2dcbdc28aff7b4b8449a244983bfbe33c56f5c4a53b7cf21faf1dbab4bb845a5894492e7e10f3f517071f7a59727c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsj4265.tmp\nsJSON.dll

Filesize
36KB

MD5
f840a9ddd319ee8c3da5190257abde5b

SHA1
3e868939239a5c6ef9acae10e1af721e4f99f24b

SHA256
ddb6c9f8de72ddd589f009e732040250b2124bca6195aa147aa7aac43fc2c73a

SHA512
8e12391027af928e4f7dad1ec4ab83e8359b19a7eb0be0372d051dfd2dd643dc0dfa086bd345760a496e5630c17f53db22f6008ae665033b766cbfcdd930881a

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsj4265.tmp\thirdparty.dll

Filesize
93KB

MD5
7b4bd3b8ad6e913952f8ed1ceef40cd4

SHA1
b15c0b90247a5066bd06d094fa41a73f0f931cb8

SHA256
a49d3e455d7aeca2032c30fc099bfad1b1424a2f55ec7bb0f6acbbf636214754

SHA512
d7168f9504dd6bbac7ee566c3591bfd7ad4e55bcac463cecb70540197dfe0cd969af96d113c6709d6c8ce6e91f2f5f6542a95c1a149caa78ba4bcb971e0c12a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp10F3.tmp

Filesize
1KB

MD5
1f091f8ab5972b4f9c5117a96b035d30

SHA1
d05f7a603873b55e91dc0ad48575078dcdde7cf9

SHA256
4098514a5aff1f338d03c3a6207bbb223cb33116ef09c083277cf021842dfd3f

SHA512
5813563e18b9b092c207c5e879a7eb04ed7f457deaae670c7aeb5a318aa0187ed7664120585cdc8cc49b4b00762aff659c31cfd813a1f8602dbf442a709adb70

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\49C9F4ED921B64155E77B3A77C940518B9338E5B

Filesize
1KB

MD5
540ccd8f58b21d21e047b38baa605cf0

SHA1
dd2316e99cefda7f0af8b8fa2cc1a5a28aa93858

SHA256
48be0ce03a1f13b6e95af33e3e1b1d19c064f42be5475550fced649fd625e4eb

SHA512
2e0cf30cb1b32be0e0edde87b9121bbccf17b4e74f57b5d77ee6f835a4b9302e4e3f76c43c16c9e4b98629146f7edb5126944a93522954f7125dc6877cf4c353

Download Submit
C:\Windows\System\kyKbdwC.exe

Filesize
5.2MB

MD5
b069c48957b3a87939efef636e219062

SHA1
cea1be93bd58a128b1269af4f97f6f68ba2a83ca

SHA256
157704902af88389e7d3296e33cf3e6ce2e3222925490555fc74436982c160f1

SHA512
107fe42745ef4cbd6cbd47115f5dd55f953125a84de0fcf5de0dca22975e3b559a5f241ea872af34821c9bced87ac6d1d376cbd8f6bfb8a49b41fb9bcf8fce48

Download Submit
memory/336-345-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/336-471-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/928-69-0x0000000074570000-0x0000000074D20000-memory.dmp

Filesize
7.7MB

Download
memory/928-73-0x0000000005530000-0x00000000055CC000-memory.dmp

Filesize
624KB

Download
memory/928-81-0x0000000074570000-0x0000000074D20000-memory.dmp

Filesize
7.7MB

Download
memory/928-72-0x0000000000B00000-0x0000000000CF2000-memory.dmp

Filesize
1.9MB

Download
memory/928-75-0x0000000005670000-0x0000000005702000-memory.dmp

Filesize
584KB

Download
memory/928-77-0x0000000005860000-0x00000000058B6000-memory.dmp

Filesize
344KB

Download
memory/928-76-0x0000000005650000-0x000000000565A000-memory.dmp

Filesize
40KB

Download
memory/1336-612-0x00007FF730FD0000-0x00007FF730FF7000-memory.dmp

Filesize
156KB

Download
memory/1580-347-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1580-472-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1768-2449-0x00007FF77ACF0000-0x00007FF77B041000-memory.dmp

Filesize
3.3MB

Download
memory/1776-2400-0x00007FF77A430000-0x00007FF77A781000-memory.dmp

Filesize
3.3MB

Download
memory/1776-2493-0x00007FF77A430000-0x00007FF77A781000-memory.dmp

Filesize
3.3MB

Download
memory/2504-458-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2504-1071-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2700-2446-0x00007FF795C60000-0x00007FF795FB1000-memory.dmp

Filesize
3.3MB

Download
memory/2860-469-0x0000000000400000-0x00000000004ED000-memory.dmp

Filesize
948KB

Download
memory/3224-625-0x00007FF6C7590000-0x00007FF6C75B6000-memory.dmp

Filesize
152KB

Download
memory/3420-374-0x00000000065A0000-0x0000000006622000-memory.dmp

Filesize
520KB

Download
memory/3420-88-0x0000000000280000-0x000000000036A000-memory.dmp

Filesize
936KB

Download
memory/3420-92-0x0000000006570000-0x0000000006580000-memory.dmp

Filesize
64KB

Download
memory/3476-2424-0x00007FF767860000-0x00007FF767BB1000-memory.dmp

Filesize
3.3MB

Download
memory/3532-82-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/3532-83-0x0000000002060000-0x0000000002061000-memory.dmp

Filesize
4KB

Download
memory/3532-74-0x0000000002060000-0x0000000002061000-memory.dmp

Filesize
4KB

Download
memory/3628-613-0x00007FF7F4040000-0x00007FF7F4066000-memory.dmp

Filesize
152KB

Download
memory/3772-2441-0x00007FF651480000-0x00007FF6517D1000-memory.dmp

Filesize
3.3MB

Download
memory/3796-1097-0x00007FF7A9D50000-0x00007FF7A9D79000-memory.dmp

Filesize
164KB

Download
memory/3796-610-0x00007FF7A9D50000-0x00007FF7A9D79000-memory.dmp

Filesize
164KB

Download
memory/4012-2421-0x00007FF742490000-0x00007FF7427E1000-memory.dmp

Filesize
3.3MB

Download
memory/4148-2496-0x00007FF75CE80000-0x00007FF75D1D1000-memory.dmp

Filesize
3.3MB

Download
memory/4148-2430-0x00007FF75CE80000-0x00007FF75D1D1000-memory.dmp

Filesize
3.3MB

Download
memory/4200-2348-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/4200-2490-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/4228-473-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/4276-2492-0x00007FF7378A0000-0x00007FF737BF1000-memory.dmp

Filesize
3.3MB

Download
memory/4276-2419-0x00007FF7378A0000-0x00007FF737BF1000-memory.dmp

Filesize
3.3MB

Download
memory/4308-474-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/4388-2447-0x00007FF6DCC90000-0x00007FF6DCFE1000-memory.dmp

Filesize
3.3MB

Download
memory/4540-2448-0x00007FF717590000-0x00007FF7178E1000-memory.dmp

Filesize
3.3MB

Download
memory/4604-2-0x0000000005240000-0x0000000005264000-memory.dmp

Filesize
144KB

Download
memory/4604-2362-0x0000000074570000-0x0000000074D20000-memory.dmp

Filesize
7.7MB

Download
memory/4604-4-0x0000000005940000-0x0000000005EE4000-memory.dmp

Filesize
5.6MB

Download
memory/4604-3-0x0000000074570000-0x0000000074D20000-memory.dmp

Filesize
7.7MB

Download
memory/4604-80-0x0000000074570000-0x0000000074D20000-memory.dmp

Filesize
7.7MB

Download
memory/4604-0-0x000000007457E000-0x000000007457F000-memory.dmp

Filesize
4KB

Download
memory/4604-1-0x00000000008A0000-0x00000000008EA000-memory.dmp

Filesize
296KB

Download
memory/4604-79-0x000000007457E000-0x000000007457F000-memory.dmp

Filesize
4KB

Download
memory/4872-1346-0x0000000000EF0000-0x00000000012AB000-memory.dmp

Filesize
3.7MB

Download
memory/4872-1201-0x0000000000EF0000-0x00000000012AB000-memory.dmp

Filesize
3.7MB

Download
memory/5392-438-0x00000000072B0000-0x00000000072CA000-memory.dmp

Filesize
104KB

Download
memory/5392-439-0x0000000007290000-0x0000000007298000-memory.dmp

Filesize
32KB

Download
memory/5392-407-0x0000000005CE0000-0x0000000005D2C000-memory.dmp

Filesize
304KB

Download
memory/5392-419-0x0000000006DD0000-0x0000000006DEE000-memory.dmp

Filesize
120KB

Download
memory/5392-408-0x0000000006DF0000-0x0000000006E22000-memory.dmp

Filesize
200KB

Download
memory/5392-409-0x0000000070850000-0x000000007089C000-memory.dmp

Filesize
304KB

Download
memory/5392-406-0x0000000005C40000-0x0000000005C5E000-memory.dmp

Filesize
120KB

Download
memory/5392-436-0x00000000071A0000-0x00000000071AE000-memory.dmp

Filesize
56KB

Download
memory/5392-420-0x0000000006E40000-0x0000000006EE3000-memory.dmp

Filesize
652KB

Download
memory/5392-435-0x0000000007170000-0x0000000007181000-memory.dmp

Filesize
68KB

Download
memory/5468-2367-0x0000000000400000-0x00000000004B4000-memory.dmp

Filesize
720KB

Download
memory/5660-636-0x0000000000450000-0x000000000046C000-memory.dmp

Filesize
112KB

Download
memory/5660-842-0x00000000094F0000-0x0000000009528000-memory.dmp

Filesize
224KB

Download
memory/5660-843-0x00000000094B0000-0x00000000094BE000-memory.dmp

Filesize
56KB

Download
memory/5660-841-0x0000000005A50000-0x0000000005A58000-memory.dmp

Filesize
32KB

Download
memory/5816-431-0x00000000073D0000-0x0000000007A4A000-memory.dmp

Filesize
6.5MB

Download
memory/5816-379-0x0000000000CD0000-0x0000000000D06000-memory.dmp

Filesize
216KB

Download
memory/5816-433-0x0000000006E00000-0x0000000006E0A000-memory.dmp

Filesize
40KB

Download
memory/5816-396-0x0000000005440000-0x0000000005794000-memory.dmp

Filesize
3.3MB

Download
memory/5816-432-0x0000000006D90000-0x0000000006DAA000-memory.dmp

Filesize
104KB

Download
memory/5816-437-0x0000000006FD0000-0x0000000006FE4000-memory.dmp

Filesize
80KB

Download
memory/5816-384-0x0000000004AA0000-0x0000000004AC2000-memory.dmp

Filesize
136KB

Download
memory/5816-385-0x0000000004B40000-0x0000000004BA6000-memory.dmp

Filesize
408KB

Download
memory/5816-386-0x0000000004BB0000-0x0000000004C16000-memory.dmp

Filesize
408KB

Download
memory/5816-381-0x0000000004C50000-0x0000000005278000-memory.dmp

Filesize
6.2MB

Download
memory/5816-421-0x0000000070850000-0x000000007089C000-memory.dmp

Filesize
304KB

Download
memory/5816-434-0x0000000007010000-0x00000000070A6000-memory.dmp

Filesize
600KB

Download
memory/5900-382-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5900-447-0x0000000006A20000-0x0000000006A70000-memory.dmp

Filesize
320KB

Download
memory/5924-2451-0x00007FF6A5750000-0x00007FF6A5AA1000-memory.dmp

Filesize
3.3MB

Download
memory/6116-2444-0x00007FF7EBC30000-0x00007FF7EBF81000-memory.dmp

Filesize
3.3MB

Download
memory/6252-2357-0x0000000004AB0000-0x0000000004B92000-memory.dmp

Filesize
904KB

Download
memory/6252-2350-0x0000000000020000-0x00000000001C2000-memory.dmp

Filesize
1.6MB

Download
memory/6252-2358-0x0000000004B90000-0x0000000004BB2000-memory.dmp

Filesize
136KB

Download
memory/6300-2442-0x00007FF6933C0000-0x00007FF693711000-memory.dmp

Filesize
3.3MB

Download
memory/6376-2491-0x00007FF67CC80000-0x00007FF67CFD1000-memory.dmp

Filesize
3.3MB

Download
memory/6376-2382-0x00007FF67CC80000-0x00007FF67CFD1000-memory.dmp

Filesize
3.3MB

Download
memory/6428-2440-0x00007FF766030000-0x00007FF766381000-memory.dmp

Filesize
3.3MB

Download
memory/6448-2428-0x00007FF607BD0000-0x00007FF607F21000-memory.dmp

Filesize
3.3MB

Download
memory/6448-2495-0x00007FF607BD0000-0x00007FF607F21000-memory.dmp

Filesize
3.3MB

Download
memory/6488-2443-0x00007FF693BE0000-0x00007FF693F31000-memory.dmp

Filesize
3.3MB

Download
memory/6632-2494-0x00007FF69BE30000-0x00007FF69C181000-memory.dmp

Filesize
3.3MB

Download
memory/6632-2414-0x00007FF69BE30000-0x00007FF69C181000-memory.dmp

Filesize
3.3MB

Download
memory/6692-2445-0x00007FF6C2F70000-0x00007FF6C32C1000-memory.dmp

Filesize
3.3MB

Download
memory/6860-2427-0x00007FF77C2E0000-0x00007FF77C631000-memory.dmp

Filesize
3.3MB

Download
memory/6948-2363-0x0000026D462B0000-0x0000026D462C0000-memory.dmp

Filesize
64KB

Download
memory/6948-2489-0x00007FF7714B0000-0x00007FF771801000-memory.dmp

Filesize
3.3MB

Download
memory/6948-2347-0x00007FF7714B0000-0x00007FF771801000-memory.dmp

Filesize
3.3MB

Download
memory/6952-1158-0x0000000065E70000-0x0000000065EBC000-memory.dmp

Filesize
304KB

Download
memory/6960-1187-0x0000000065E70000-0x0000000065EBC000-memory.dmp

Filesize
304KB

Download
memory/6968-1268-0x0000000007C70000-0x0000000007C84000-memory.dmp

Filesize
80KB

Download
memory/6968-862-0x0000000006080000-0x00000000063D4000-memory.dmp

Filesize
3.3MB

Download
memory/6968-1148-0x0000000065E70000-0x0000000065EBC000-memory.dmp

Filesize
304KB

Download
memory/6968-1159-0x0000000007980000-0x0000000007A23000-memory.dmp

Filesize
652KB

Download
memory/6968-1219-0x0000000007C30000-0x0000000007C41000-memory.dmp

Filesize
68KB

Download
memory/6968-1084-0x0000000006720000-0x000000000676C000-memory.dmp

Filesize
304KB

Download
memory/6992-2361-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/6992-2359-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/7060-2450-0x00007FF751050000-0x00007FF7513A1000-memory.dmp

Filesize
3.3MB

Download