cobaltstrike | 3245088846756009e9827fcda64556aca75b64d8b05fd63241f4ea6b7f20f540

Analysis

max time kernel
150s
max time network
138s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
17-09-2024 04:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-09-17_8799c59f0eb8cbb37c386c0d5a39d520_cobalt-strike_cobaltstrike_hijackloader_karagany_mafia_poet-rat.exe
Size

54.8MB
MD5

8799c59f0eb8cbb37c386c0d5a39d520
SHA1

b5b40996731bf002a1434d1b59cb02961db3ea1a
SHA256

3245088846756009e9827fcda64556aca75b64d8b05fd63241f4ea6b7f20f540
SHA512

16ce94cdb2482a49513ce92b81f120ba256fced7ff0d097656900305a3af0161d687d77397f0d2364c87fbb287caa9607a3c3334fca50711909d09411dd24f3f
SSDEEP

786432:ALOrbJjdcRWz/9kl3uu2F0tA+6liWmP3YhMfuwSk+D3wBCQXrzu2Y:ALOrJpzVA3uu2etPQiWmoh8r+78CQG2Y

Score

10^/10

cobaltstrike modiloader xmrig backdoor bootkit discovery evasion miner persistence spyware stealer trojan upx

Malware Config

Signatures

Cobalt Strike reflective loader 1 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral1/files/0x0006000000019508-2852.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

ModiLoader Second Stage 2 IoCs

resource	yara_rule
behavioral1/memory/3644-2948-0x0000000000400000-0x0000000000451000-memory.dmp	modiloader_stage2
behavioral1/memory/3644-2957-0x0000000000400000-0x0000000000451000-memory.dmp	modiloader_stage2

XMRig Miner payload 27 IoCs

miner

resource	yara_rule
behavioral1/memory/556-2870-0x000000013F770000-0x000000013FAC1000-memory.dmp	xmrig
behavioral1/memory/1372-2867-0x000000013FF50000-0x00000001402A1000-memory.dmp	xmrig
behavioral1/memory/3636-2875-0x000000013F320000-0x000000013F671000-memory.dmp	xmrig
behavioral1/memory/2104-2921-0x000000013F190000-0x000000013F4E1000-memory.dmp	xmrig
behavioral1/memory/1756-2929-0x000000013F030000-0x000000013F381000-memory.dmp	xmrig
behavioral1/memory/3824-2925-0x000000013F5E0000-0x000000013F931000-memory.dmp	xmrig
behavioral1/memory/3780-2924-0x000000013F790000-0x000000013FAE1000-memory.dmp	xmrig
behavioral1/memory/3856-2923-0x000000013F590000-0x000000013F8E1000-memory.dmp	xmrig
behavioral1/memory/3868-2922-0x000000013F9E0000-0x000000013FD31000-memory.dmp	xmrig
behavioral1/memory/3576-2919-0x000000013F4F0000-0x000000013F841000-memory.dmp	xmrig
behavioral1/memory/3764-2866-0x000000013FD00000-0x0000000140051000-memory.dmp	xmrig
behavioral1/memory/2436-2943-0x000000013FF90000-0x00000001402E1000-memory.dmp	xmrig
behavioral1/memory/3500-2950-0x000000013FF00000-0x0000000140251000-memory.dmp	xmrig
behavioral1/memory/2436-2956-0x000000013FF90000-0x00000001402E1000-memory.dmp	xmrig
behavioral1/memory/2436-2973-0x000000013FF90000-0x00000001402E1000-memory.dmp	xmrig
behavioral1/memory/3500-2996-0x000000013FF00000-0x0000000140251000-memory.dmp	xmrig
behavioral1/memory/556-2998-0x000000013F770000-0x000000013FAC1000-memory.dmp	xmrig
behavioral1/memory/1372-3000-0x000000013FF50000-0x00000001402A1000-memory.dmp	xmrig
behavioral1/memory/3764-3002-0x000000013FD00000-0x0000000140051000-memory.dmp	xmrig
behavioral1/memory/3636-3004-0x000000013F320000-0x000000013F671000-memory.dmp	xmrig
behavioral1/memory/3576-3007-0x000000013F4F0000-0x000000013F841000-memory.dmp	xmrig
behavioral1/memory/2104-3015-0x000000013F190000-0x000000013F4E1000-memory.dmp	xmrig
behavioral1/memory/3856-3017-0x000000013F590000-0x000000013F8E1000-memory.dmp	xmrig
behavioral1/memory/3824-3019-0x000000013F5E0000-0x000000013F931000-memory.dmp	xmrig
behavioral1/memory/3780-3013-0x000000013F790000-0x000000013FAE1000-memory.dmp	xmrig
behavioral1/memory/1756-3012-0x000000013F030000-0x000000013F381000-memory.dmp	xmrig
behavioral1/memory/3868-3009-0x000000013F9E0000-0x000000013FD31000-memory.dmp	xmrig

Sets file to hidden 1 TTPs 1 IoCs

Modifies file attributes to stop it showing in Explorer etc.

evasion

Hidden Files and Directories

T1564.001

pid	Process
1812	attrib.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Control Panel\International\Geo\Nation	avg.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Control Panel\International\Geo\Nation	ajC555.exe

Executes dropped EXE 45 IoCs

pid	Process
2612	anti.exe
1504	butdes.exe
332	flydes.exe
536	i.exe
2820	flydes.tmp
1508	butdes.tmp
2736	gx.exe
2768	bundle.exe
2148	rckdck.exe
2620	avg.exe
2080	telamon.exe
2060	stopwatch.exe
1276	is-DN1FR.tmp
1628	telamon.tmp
1140	setup.exe
2068	tt-installer-helper.exe
2392	t.exe
836	g_.exe
1708	e.exe
2284	g.exe
2528	tt-installer-helper.exe
3192	ajC555.exe
2436	cobstrk.exe
3644	jaf.exe
3500	YuoGEkd.exe
556	eybcNFs.exe
3764	BiZjGBi.exe
1372	RBwPEID.exe
3636	NhDEFqR.exe
3576	WsfmEqr.exe
2104	KPIZzxq.exe
3868	JVxdDlk.exe
3856	lWhdYBY.exe
3780	VBPFfiY.exe
1756	sucROfI.exe
3824	AsXwyFi.exe
2608	nZhpHvE.exe
2580	wXfNBrq.exe
4060	ywbwJkG.exe
3844	dVrqAfA.exe
3036	KunVVbm.exe
2676	aIfcQlh.exe
1580	LOzzyZP.exe
1636	uIoskMz.exe
2300	MfipOVJ.exe

Loads dropped DLL 64 IoCs

pid	Process
2892	cmd.exe
2892	cmd.exe
2892	cmd.exe
2892	cmd.exe
2892	cmd.exe
332	flydes.exe
1504	butdes.exe
2892	cmd.exe
2892	cmd.exe
2892	cmd.exe
2892	cmd.exe
2892	cmd.exe
2892	cmd.exe
2148	rckdck.exe
2080	telamon.exe
1628	telamon.tmp
2892	cmd.exe
908	cmd.exe
2892	cmd.exe
2892	cmd.exe
2392	t.exe
2620	avg.exe
2892	cmd.exe
1708	e.exe
2284	g.exe
2392	t.exe
1708	e.exe
2284	g.exe
2620	avg.exe
1592	Process not Found
836	g_.exe
836	g_.exe
1832	cmd.exe
2620	avg.exe
2620	avg.exe
2620	avg.exe
2620	avg.exe
2620	avg.exe
3192	ajC555.exe
3192	ajC555.exe
3192	ajC555.exe
3192	ajC555.exe
3192	ajC555.exe
3192	ajC555.exe
3192	ajC555.exe
3192	ajC555.exe
2892	cmd.exe
2892	cmd.exe
2892	cmd.exe
3464	Process not Found
2436	cobstrk.exe
2436	cobstrk.exe
2436	cobstrk.exe
2436	cobstrk.exe
2436	cobstrk.exe
2436	cobstrk.exe
2436	cobstrk.exe
2436	cobstrk.exe
2436	cobstrk.exe
2436	cobstrk.exe
2436	cobstrk.exe
2436	cobstrk.exe
2436	cobstrk.exe
2436	cobstrk.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 30 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2436-2832-0x000000013FF90000-0x00000001402E1000-memory.dmp	upx
behavioral1/memory/3500-2859-0x000000013FF00000-0x0000000140251000-memory.dmp	upx
behavioral1/files/0x0006000000019508-2852.dat	upx
behavioral1/memory/556-2870-0x000000013F770000-0x000000013FAC1000-memory.dmp	upx
behavioral1/memory/1372-2867-0x000000013FF50000-0x00000001402A1000-memory.dmp	upx
behavioral1/memory/3636-2875-0x000000013F320000-0x000000013F671000-memory.dmp	upx
behavioral1/memory/2104-2921-0x000000013F190000-0x000000013F4E1000-memory.dmp	upx
behavioral1/memory/1756-2929-0x000000013F030000-0x000000013F381000-memory.dmp	upx
behavioral1/memory/3824-2925-0x000000013F5E0000-0x000000013F931000-memory.dmp	upx
behavioral1/memory/3780-2924-0x000000013F790000-0x000000013FAE1000-memory.dmp	upx
behavioral1/memory/3856-2923-0x000000013F590000-0x000000013F8E1000-memory.dmp	upx
behavioral1/memory/3868-2922-0x000000013F9E0000-0x000000013FD31000-memory.dmp	upx
behavioral1/memory/3576-2919-0x000000013F4F0000-0x000000013F841000-memory.dmp	upx
behavioral1/memory/3764-2866-0x000000013FD00000-0x0000000140051000-memory.dmp	upx
behavioral1/memory/2436-2943-0x000000013FF90000-0x00000001402E1000-memory.dmp	upx
behavioral1/memory/3500-2950-0x000000013FF00000-0x0000000140251000-memory.dmp	upx
behavioral1/memory/2436-2956-0x000000013FF90000-0x00000001402E1000-memory.dmp	upx
behavioral1/memory/2436-2973-0x000000013FF90000-0x00000001402E1000-memory.dmp	upx
behavioral1/memory/3500-2996-0x000000013FF00000-0x0000000140251000-memory.dmp	upx
behavioral1/memory/556-2998-0x000000013F770000-0x000000013FAC1000-memory.dmp	upx
behavioral1/memory/1372-3000-0x000000013FF50000-0x00000001402A1000-memory.dmp	upx
behavioral1/memory/3764-3002-0x000000013FD00000-0x0000000140051000-memory.dmp	upx
behavioral1/memory/3636-3004-0x000000013F320000-0x000000013F671000-memory.dmp	upx
behavioral1/memory/3576-3007-0x000000013F4F0000-0x000000013F841000-memory.dmp	upx
behavioral1/memory/2104-3015-0x000000013F190000-0x000000013F4E1000-memory.dmp	upx
behavioral1/memory/3856-3017-0x000000013F590000-0x000000013F8E1000-memory.dmp	upx
behavioral1/memory/3824-3019-0x000000013F5E0000-0x000000013F931000-memory.dmp	upx
behavioral1/memory/3780-3013-0x000000013F790000-0x000000013FAE1000-memory.dmp	upx
behavioral1/memory/1756-3012-0x000000013F030000-0x000000013F381000-memory.dmp	upx
behavioral1/memory/3868-3009-0x000000013F9E0000-0x000000013FD31000-memory.dmp	upx

Checks for any installed AV software in registry 1 TTPs 4 IoCs

Security Software Discovery

T1518.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\AVAST Software\Avast	avg.exe
Key opened	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\SOFTWARE\AVAST Software\Avast	avg.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\AVAST Software\Avast	ajC555.exe
Key opened	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\SOFTWARE\AVAST Software\Avast	ajC555.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	jaf.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	ajC555.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\images\settings_corner_top_right.png	msiexec.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\images\trad.png	msiexec.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\images\reveal_down.png	msiexec.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\images\novelty_settings.png	msiexec.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\glow.png	msiexec.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\settings_corner_bottom_left.png	msiexec.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\images\curl-hot.png	msiexec.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\images\settings_divider.png	msiexec.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\images\back_lrg.png	msiexec.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\2.png	msiexec.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\images\bNext-hot.png	msiexec.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\images\system_h.png	msiexec.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\images\settings_box_divider_left.png	msiexec.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\images\settings_box_top.png	msiexec.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\images\cronometer_m.png	msiexec.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\images\system_dot.png	msiexec.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\images\modern_m.png	msiexec.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\settings_left_rest.png	msiexec.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\images\cronometer_settings.png	msiexec.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\images\settings_left_hover.png	msiexec.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\images\dialdot.png	msiexec.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\9.png	msiexec.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\images\item_hover_docked.png	msiexec.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\images\Tulip.jpg	msiexec.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\hint_up.png	msiexec.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\settings.ini	msiexec.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\8.png	msiexec.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\images\flyoutBack.png	msiexec.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\settings_right_hover.png	msiexec.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\images\pause_hov.png	msiexec.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\images\navBack.png	msiexec.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\images\flower_m.png	msiexec.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\images\settings_corner_bottom_left.png	msiexec.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\images\settings_left_pressed.png	msiexec.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\images\system_s.png	msiexec.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\settings_box_top.png	msiexec.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\images\novelty.png	msiexec.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\settings_box_right.png	msiexec.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\settings_divider.png	msiexec.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\tile_bezel.png	msiexec.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\icon.png	msiexec.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\images\bNext-down.png	msiexec.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\images\settings_corner_bottom_right.png	msiexec.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\images\buttonDown_Off.png	msiexec.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\settings_right_rest.png	msiexec.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\images\play_hov.png	msiexec.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\images\modern_h.png	msiexec.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\images\settings_right_pressed.png	msiexec.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\images\dial_lrg_sml.png	msiexec.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\6.png	msiexec.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\7.png	msiexec.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\icon.png	msiexec.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\settings_right_disabled.png	msiexec.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\images\system_m.png	msiexec.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\images\buttonUp_On.png	msiexec.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\images\bNext.png	msiexec.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\images\calendar_single.png	msiexec.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\images\calendar_ring_docked.png	msiexec.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\images\month.png	msiexec.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\images\flower_dot.png	msiexec.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\images\calendar_single_orange.png	msiexec.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\images\spacer_highlights.png	msiexec.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\drag.png	msiexec.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\1.png	msiexec.exe

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\VBPFfiY.exe	cobstrk.exe
File created	C:\Windows\System\aIfcQlh.exe	cobstrk.exe
File created	C:\Windows\System\LOzzyZP.exe	cobstrk.exe
File created	C:\Windows\System\uIoskMz.exe	cobstrk.exe
File created	C:\Windows\System\MfipOVJ.exe	cobstrk.exe
File created	C:\Windows\System\eybcNFs.exe	cobstrk.exe
File created	C:\Windows\System\BiZjGBi.exe	cobstrk.exe
File created	C:\Windows\System\AsXwyFi.exe	cobstrk.exe
File created	C:\Windows\System\KunVVbm.exe	cobstrk.exe
File created	C:\Windows\System\NhDEFqR.exe	cobstrk.exe
File created	C:\Windows\System\sucROfI.exe	cobstrk.exe
File created	C:\Windows\System\lWhdYBY.exe	cobstrk.exe
File created	C:\Windows\System\YuoGEkd.exe	cobstrk.exe
File created	C:\Windows\System\RBwPEID.exe	cobstrk.exe
File created	C:\Windows\System\wXfNBrq.exe	cobstrk.exe
File created	C:\Windows\System\nZhpHvE.exe	cobstrk.exe
File created	C:\Windows\System\dVrqAfA.exe	cobstrk.exe
File created	C:\Windows\System\ywbwJkG.exe	cobstrk.exe
File created	C:\Windows\System\WsfmEqr.exe	cobstrk.exe
File created	C:\Windows\System\KPIZzxq.exe	cobstrk.exe
File created	C:\Windows\System\JVxdDlk.exe	cobstrk.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rckdck.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jaf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe

Delays execution with timeout.exe 2 IoCs

evasion

pid	Process
1716	timeout.exe
3692	timeout.exe

Kills process with taskkill 64 IoCs

evasion

pid	Process
1496	taskkill.exe
1808	taskkill.exe
1864	taskkill.exe
2992	taskkill.exe
1544	taskkill.exe
2808	taskkill.exe
1676	taskkill.exe
2824	taskkill.exe
3088	taskkill.exe
1184	taskkill.exe
1512	taskkill.exe
3468	taskkill.exe
2184	taskkill.exe
3352	taskkill.exe
3948	taskkill.exe
2928	taskkill.exe
3764	taskkill.exe
1796	taskkill.exe
1828	taskkill.exe
3156	taskkill.exe
1300	taskkill.exe
2692	taskkill.exe
2220	taskkill.exe
1924	taskkill.exe
3304	taskkill.exe
468	taskkill.exe
3988	taskkill.exe
2268	taskkill.exe
3268	taskkill.exe
1968	taskkill.exe
3152	taskkill.exe
3984	taskkill.exe
2812	taskkill.exe
1512	taskkill.exe
2236	taskkill.exe
1512	taskkill.exe
1096	taskkill.exe
2564	taskkill.exe
1184	taskkill.exe
1680	taskkill.exe
3624	taskkill.exe
836	taskkill.exe
3060	taskkill.exe
3152	taskkill.exe
3824	taskkill.exe
4088	taskkill.exe
3148	taskkill.exe
1664	taskkill.exe
2824	taskkill.exe
2992	taskkill.exe
3468	taskkill.exe
2564	taskkill.exe
3312	taskkill.exe
1400	taskkill.exe
1536	taskkill.exe
3356	taskkill.exe
3584	taskkill.exe
2248	taskkill.exe
3536	taskkill.exe
3972	taskkill.exe
3268	taskkill.exe
1932	taskkill.exe
2992	taskkill.exe
1792	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 37 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "432707601"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{9F000B51-74A9-11EF-94A4-62CAC36041A9} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000a7e3310a2b0e6e498bd88e48ec67abf600000000020000000000106600000001000020000000373d12fd6009bc63eaaf0286b295c61274a7239fa6db83ed38e002623e374c03000000000e8000000002000020000000e058364d99e2882dfc52b00f6e78982643999b4b0cf47635eff6301ba25c8ba120000000e8c410e7da05abe676466b75752b0286c1f41f07f5388b1963b1645b66b15d6740000000fd06bf7f93393b60bdfbbac996e46718216584ae5bd9ec813592847c972bb33c649e97104fa8b41b4405a8e3f51bbd06dcb4d9c66d8204c57599ad1558bed080	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000a7e3310a2b0e6e498bd88e48ec67abf6000000000200000000001066000000010000200000005fe43b09ea0e05956266eb864f376b20ac9cbd9f574915b211e7eeded64deb47000000000e8000000002000020000000ec66f4d5eec0ea555ac411f78e7086ff13c721cf9c931824f57cbeb1f847155890000000c4a61cf424c87e653b840bc76f0e2400cf8f92aa03125982ecd62c808ed7710c35682c224aec00a6a14c844d9007f2a64235fd701df2c05f57e9f28555d006a6bb5ec6bc81694ca6364f0e6d69e461d94ba7c1b7a8b030e0b1a38b28bde404c7d61767b6782a9cae8dfd02d040288c67a62bfdc8466dfed40dee4c2e3d705448f3392a1f9298e47033c2feca0746982c4000000010e1498b4a5533f13f693b638e5693df22e3a5785daa61ec06750995adfaeafce4ac59023604d09a477cc45ea921ea63c8556a7ac5a54f95bb7262348fdae6b1	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 00ac9266b608db01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe

Modifies registry class 19 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 19002f433a5c000000000000000000000000000000000000000000	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\KnownFolderDerivedFolderType = "{57807898-8C4F-4462-BB63-71042380B109}"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Generic"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\NodeSlot = "1"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = ffffffff	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_Classes\Local Settings	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	IEXPLORE.EXE

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	ajC555.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	ajC555.exe

Opens file in notepad (likely ransom note) 2 IoCs

ransomware

pid	Process
3504	notepad.exe
3676	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2620	avg.exe
2620	avg.exe
2620	avg.exe
2620	avg.exe
2620	avg.exe
2620	avg.exe
2620	avg.exe
2620	avg.exe
2620	avg.exe
2620	avg.exe
2620	avg.exe
3192	ajC555.exe
2620	avg.exe
2620	avg.exe
3192	ajC555.exe
3192	ajC555.exe
3192	ajC555.exe
3192	ajC555.exe
3192	ajC555.exe
3192	ajC555.exe
2620	avg.exe
2620	avg.exe
2620	avg.exe
2620	avg.exe
2620	avg.exe
2620	avg.exe
2620	avg.exe
2620	avg.exe
2620	avg.exe
2620	avg.exe
2620	avg.exe
2620	avg.exe
2620	avg.exe
2620	avg.exe
2620	avg.exe
2620	avg.exe
2620	avg.exe
2620	avg.exe
2620	avg.exe
2620	avg.exe
2620	avg.exe
2620	avg.exe
2620	avg.exe
2620	avg.exe
2620	avg.exe
2620	avg.exe
2620	avg.exe
2620	avg.exe
2620	avg.exe
2620	avg.exe
2620	avg.exe
2620	avg.exe
2620	avg.exe
2620	avg.exe
2620	avg.exe
2620	avg.exe
2620	avg.exe
2620	avg.exe
2620	avg.exe
2620	avg.exe
2620	avg.exe
2620	avg.exe
2620	avg.exe
2620	avg.exe

Suspicious behavior: GetForegroundWindowSpam 5 IoCs

pid	Process
2820	flydes.tmp
2768	bundle.exe
1276	is-DN1FR.tmp
1628	telamon.tmp
836	g_.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2616	taskkill.exe
Token: SeDebugPrivilege	2336	taskkill.exe
Token: SeDebugPrivilege	1664	taskkill.exe
Token: SeDebugPrivilege	2236	taskkill.exe
Token: SeDebugPrivilege	1404	taskkill.exe
Token: SeDebugPrivilege	1564	taskkill.exe
Token: SeDebugPrivilege	340	taskkill.exe
Token: SeDebugPrivilege	2576	taskkill.exe
Token: SeDebugPrivilege	1676	taskkill.exe
Token: SeDebugPrivilege	556	taskkill.exe
Token: SeDebugPrivilege	836	taskkill.exe
Token: SeDebugPrivilege	2548	taskkill.exe
Token: SeDebugPrivilege	2392	taskkill.exe
Token: SeDebugPrivilege	2220	taskkill.exe
Token: SeDebugPrivilege	1792	taskkill.exe
Token: SeDebugPrivilege	1764	taskkill.exe
Token: SeDebugPrivilege	2400	taskkill.exe
Token: SeDebugPrivilege	1556	taskkill.exe
Token: SeDebugPrivilege	1576	taskkill.exe
Token: SeDebugPrivilege	1684	taskkill.exe
Token: SeDebugPrivilege	2840	taskkill.exe
Token: SeDebugPrivilege	2736	taskkill.exe
Token: SeDebugPrivilege	1796	taskkill.exe
Token: SeDebugPrivilege	2984	taskkill.exe
Token: SeDebugPrivilege	2724	taskkill.exe
Token: SeDebugPrivilege	2376	taskkill.exe
Token: SeDebugPrivilege	3060	taskkill.exe
Token: SeDebugPrivilege	1512	taskkill.exe
Token: SeDebugPrivilege	2500	taskkill.exe
Token: SeDebugPrivilege	476	taskkill.exe
Token: SeDebugPrivilege	2348	taskkill.exe
Token: SeDebugPrivilege	1848	taskkill.exe
Token: SeDebugPrivilege	3044	taskkill.exe
Token: SeDebugPrivilege	1924	taskkill.exe
Token: SeDebugPrivilege	1096	taskkill.exe
Token: SeDebugPrivilege	2796	taskkill.exe
Token: SeDebugPrivilege	1876	taskkill.exe
Token: SeDebugPrivilege	2564	taskkill.exe
Token: SeDebugPrivilege	1828	taskkill.exe
Token: SeDebugPrivilege	3012	taskkill.exe
Token: SeDebugPrivilege	1364	taskkill.exe
Token: SeDebugPrivilege	1992	taskkill.exe
Token: SeDebugPrivilege	280	taskkill.exe
Token: SeDebugPrivilege	1536	taskkill.exe
Token: SeDebugPrivilege	2112	taskkill.exe
Token: SeDebugPrivilege	2168	taskkill.exe
Token: SeDebugPrivilege	2284	taskkill.exe
Token: SeDebugPrivilege	2248	taskkill.exe
Token: SeDebugPrivilege	1792	taskkill.exe
Token: SeDebugPrivilege	2384	taskkill.exe
Token: SeDebugPrivilege	1584	taskkill.exe
Token: SeDebugPrivilege	2380	taskkill.exe
Token: SeDebugPrivilege	3040	taskkill.exe
Token: SeDebugPrivilege	2860	taskkill.exe
Token: SeDebugPrivilege	2936	taskkill.exe
Token: SeDebugPrivilege	1184	taskkill.exe
Token: SeDebugPrivilege	1512	taskkill.exe
Token: SeDebugPrivilege	1364	taskkill.exe
Token: SeShutdownPrivilege	1996	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1996	msiexec.exe
Token: SeDebugPrivilege	3156	taskkill.exe
Token: SeRestorePrivilege	2160	msiexec.exe
Token: SeTakeOwnershipPrivilege	2160	msiexec.exe
Token: SeSecurityPrivilege	2160	msiexec.exe

Suspicious use of FindShellTrayWindow 8 IoCs

pid	Process
1608	iexplore.exe
2612	anti.exe
2060	stopwatch.exe
1996	msiexec.exe
1608	iexplore.exe
1608	iexplore.exe
1608	iexplore.exe
1608	iexplore.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
1608	iexplore.exe
1608	iexplore.exe
2572	IEXPLORE.EXE
2572	IEXPLORE.EXE
2400	IEXPLORE.EXE
2400	IEXPLORE.EXE
2620	avg.exe
3192	ajC555.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1288 wrote to memory of 2892	1288	2024-09-17_8799c59f0eb8cbb37c386c0d5a39d520_cobalt-strike_cobaltstrike_hijackloader_karagany_mafia_poet-rat.exe	30
PID 1288 wrote to memory of 2892	1288	2024-09-17_8799c59f0eb8cbb37c386c0d5a39d520_cobalt-strike_cobaltstrike_hijackloader_karagany_mafia_poet-rat.exe	30
PID 1288 wrote to memory of 2892	1288	2024-09-17_8799c59f0eb8cbb37c386c0d5a39d520_cobalt-strike_cobaltstrike_hijackloader_karagany_mafia_poet-rat.exe	30
PID 1288 wrote to memory of 2892	1288	2024-09-17_8799c59f0eb8cbb37c386c0d5a39d520_cobalt-strike_cobaltstrike_hijackloader_karagany_mafia_poet-rat.exe	30
PID 2892 wrote to memory of 2612	2892	cmd.exe	32
PID 2892 wrote to memory of 2612	2892	cmd.exe	32
PID 2892 wrote to memory of 2612	2892	cmd.exe	32
PID 2892 wrote to memory of 2612	2892	cmd.exe	32
PID 2892 wrote to memory of 2764	2892	cmd.exe	33
PID 2892 wrote to memory of 2764	2892	cmd.exe	33
PID 2892 wrote to memory of 2764	2892	cmd.exe	33
PID 2892 wrote to memory of 2764	2892	cmd.exe	33
PID 2764 wrote to memory of 2616	2764	cmd.exe	35
PID 2764 wrote to memory of 2616	2764	cmd.exe	35
PID 2764 wrote to memory of 2616	2764	cmd.exe	35
PID 2764 wrote to memory of 2616	2764	cmd.exe	35
PID 2892 wrote to memory of 1608	2892	cmd.exe	36
PID 2892 wrote to memory of 1608	2892	cmd.exe	36
PID 2892 wrote to memory of 1608	2892	cmd.exe	36
PID 2892 wrote to memory of 1608	2892	cmd.exe	36
PID 2892 wrote to memory of 1504	2892	cmd.exe	37
PID 2892 wrote to memory of 1504	2892	cmd.exe	37
PID 2892 wrote to memory of 1504	2892	cmd.exe	37
PID 2892 wrote to memory of 1504	2892	cmd.exe	37
PID 2892 wrote to memory of 1504	2892	cmd.exe	37
PID 2892 wrote to memory of 1504	2892	cmd.exe	37
PID 2892 wrote to memory of 1504	2892	cmd.exe	37
PID 2892 wrote to memory of 332	2892	cmd.exe	38
PID 2892 wrote to memory of 332	2892	cmd.exe	38
PID 2892 wrote to memory of 332	2892	cmd.exe	38
PID 2892 wrote to memory of 332	2892	cmd.exe	38
PID 2892 wrote to memory of 332	2892	cmd.exe	38
PID 2892 wrote to memory of 332	2892	cmd.exe	38
PID 2892 wrote to memory of 332	2892	cmd.exe	38
PID 2892 wrote to memory of 536	2892	cmd.exe	39
PID 2892 wrote to memory of 536	2892	cmd.exe	39
PID 2892 wrote to memory of 536	2892	cmd.exe	39
PID 2892 wrote to memory of 536	2892	cmd.exe	39
PID 2892 wrote to memory of 1716	2892	cmd.exe	40
PID 2892 wrote to memory of 1716	2892	cmd.exe	40
PID 2892 wrote to memory of 1716	2892	cmd.exe	40
PID 2892 wrote to memory of 1716	2892	cmd.exe	40
PID 332 wrote to memory of 2820	332	flydes.exe	41
PID 332 wrote to memory of 2820	332	flydes.exe	41
PID 332 wrote to memory of 2820	332	flydes.exe	41
PID 332 wrote to memory of 2820	332	flydes.exe	41
PID 332 wrote to memory of 2820	332	flydes.exe	41
PID 332 wrote to memory of 2820	332	flydes.exe	41
PID 332 wrote to memory of 2820	332	flydes.exe	41
PID 1504 wrote to memory of 1508	1504	butdes.exe	42
PID 1504 wrote to memory of 1508	1504	butdes.exe	42
PID 1504 wrote to memory of 1508	1504	butdes.exe	42
PID 1504 wrote to memory of 1508	1504	butdes.exe	42
PID 1504 wrote to memory of 1508	1504	butdes.exe	42
PID 1504 wrote to memory of 1508	1504	butdes.exe	42
PID 1504 wrote to memory of 1508	1504	butdes.exe	42
PID 1608 wrote to memory of 2572	1608	iexplore.exe	43
PID 1608 wrote to memory of 2572	1608	iexplore.exe	43
PID 1608 wrote to memory of 2572	1608	iexplore.exe	43
PID 1608 wrote to memory of 2572	1608	iexplore.exe	43
PID 2764 wrote to memory of 2336	2764	cmd.exe	45
PID 2764 wrote to memory of 2336	2764	cmd.exe	45
PID 2764 wrote to memory of 2336	2764	cmd.exe	45
PID 2764 wrote to memory of 2336	2764	cmd.exe	45

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
1812	attrib.exe

C:\Users\Admin\AppData\Local\Temp\2024-09-17_8799c59f0eb8cbb37c386c0d5a39d520_cobalt-strike_cobaltstrike_hijackloader_karagany_mafia_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-17_8799c59f0eb8cbb37c386c0d5a39d520_cobalt-strike_cobaltstrike_hijackloader_karagany_mafia_poet-rat.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1288
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\2024-09-17_8799c59f0eb8cbb37c386c0d5a39d520_cobalt-strike_cobaltstrike_hijackloader_karagany_mafia_poet-rat_2a31cfaa-51bd-4aff-bbba-d895ac2c411e\!m.bat" "
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2892
- - C:\Users\Admin\AppData\Local\Temp\2024-09-17_8799c59f0eb8cbb37c386c0d5a39d520_cobalt-strike_cobaltstrike_hijackloader_karagany_mafia_poet-rat_2a31cfaa-51bd-4aff-bbba-d895ac2c411e\anti.exe
    anti.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of FindShellTrayWindow
    PID:2612
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /K fence.bat
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2764
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im explorer.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2616
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2336
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1664
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2236
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:1404
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:1564
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:340
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2576
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1676
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:556
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:836
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2548
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2392
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2220
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1792
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1764
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2400
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1556
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1576
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1684
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2840
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2736
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1796
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2984
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2724
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2376
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:3060
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1512
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2500
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:476
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2348
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:1848
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3044
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1924
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1096
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2796
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1876
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2564
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:1828
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3012
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1364
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:1992
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:280
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1536
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2112
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2168
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2284
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2248
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:1792
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2384
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1584
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2380
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3040
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2860
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2936
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1184
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1512
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1364
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:3156
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:3344
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:3772
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      Kills process with taskkill
      PID:2564
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:3380
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      PID:1680
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:3952
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      Kills process with taskkill
      PID:2824
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:3536
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:3420
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:3104
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:3624
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:2628
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:3828
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:1932
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:2860
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:3328
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:3336
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:3620
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      PID:3988
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:3040
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      PID:3972
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:1580
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:1788
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:3444
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      Kills process with taskkill
      PID:3156
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:3420
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:1700
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:1300
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:3144
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:3076
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:2852
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:1792
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      Kills process with taskkill
      PID:1512
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      PID:3312
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      PID:1828
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      Kills process with taskkill
      PID:2236
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:908
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      Kills process with taskkill
      PID:3356
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      Kills process with taskkill
      PID:2268
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:2912
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:3604
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:1520
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:3392
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:3912
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:3836
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:2076
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:3656
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:3688
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:840
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:3580
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:3980
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:3152
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:3792
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:3852
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:3500
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:3884
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:1856
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      Kills process with taskkill
      PID:1968
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:3112
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:2544
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:4020
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:3876
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:3840
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:3620
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:3188
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:3988
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:960
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:4060
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:1544
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:4036
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:3972
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:2300
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:1636
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      Kills process with taskkill
      PID:3304
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:1864
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:3208
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      Kills process with taskkill
      PID:1496
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      Kills process with taskkill
      PID:1300
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:3288
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:4024
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      Kills process with taskkill
      PID:468
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:2928
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:1116
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:2824
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:2692
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:924
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:2184
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:3268
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:2992
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:3556
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:3568
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:3468
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:2808
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:3588
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:3664
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:3944
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:2424
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:2352
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:568
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:3388
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      Kills process with taskkill
      PID:3984
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      Kills process with taskkill
      PID:3624
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:3864
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:2628
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:556
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:4048
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:1548
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:1516
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:3668
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      Kills process with taskkill
      PID:1664
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:780
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:3336
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:1756
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      PID:1808
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:3960
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:2492
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:3036
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:3632
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:3328
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:3296
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:3532
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:1652
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:1816
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:1952
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:3304
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      Kills process with taskkill
      PID:1864
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      Kills process with taskkill
      PID:3536
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:3208
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:1496
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:1300
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:3288
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:4024
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:468
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:2928
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      Kills process with taskkill
      PID:2824
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:2692
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:924
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      Kills process with taskkill
      PID:2184
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:3148
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:3268
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      Kills process with taskkill
      PID:2992
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:3556
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:3568
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      PID:3468
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:2808
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:3664
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:3944
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:2424
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:3724
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:2352
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:1680
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:2956
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:3788
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:3408
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      Kills process with taskkill
      PID:3152
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      Kills process with taskkill
      PID:2812
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:3764
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:1932
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:3384
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      Kills process with taskkill
      PID:3584
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      Kills process with taskkill
      PID:3352
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:4004
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:2832
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      Kills process with taskkill
      PID:3824
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:4064
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:3780
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      Kills process with taskkill
      PID:3948
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:960
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      Kills process with taskkill
      PID:4088
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:584
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:1544
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:4036
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:3972
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:3088
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:1184
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:3084
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:1952
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:3168
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:3536
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:3208
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:1496
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:1300
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:3288
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:468
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:4052
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      Kills process with taskkill
      PID:2928
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:2824
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      PID:2692
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:924
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:2184
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:3148
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      Kills process with taskkill
      PID:3268
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      Kills process with taskkill
      PID:2992
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:3556
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      Kills process with taskkill
      PID:3468
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:3412
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:2808
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:3664
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:3944
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:2424
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:3724
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:2352
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:3756
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:2956
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:3788
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:3408
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      Kills process with taskkill
      PID:3152
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:2812
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      Kills process with taskkill
      PID:3764
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      Kills process with taskkill
      PID:1932
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:3384
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:3584
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:3388
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:4004
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:2832
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:3824
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:4064
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:3780
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:3340
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:3948
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:4088
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:584
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      Kills process with taskkill
      PID:1544
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:4036
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:3972
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      Kills process with taskkill
      PID:3088
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      Kills process with taskkill
      PID:1184
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:3084
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:3188
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:1952
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:3124
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:3208
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:1496
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:1300
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:3908
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:3288
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:468
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:4052
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:2928
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:2824
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:2692
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:924
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      Kills process with taskkill
      PID:3148
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      PID:3268
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      Kills process with taskkill
      PID:2992
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      Kills process with taskkill
      PID:1400
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:904
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\2024-09-17_8799c59f0eb8cbb37c386c0d5a39d520_cobalt-strike_cobaltstrike_hijackloader_karagany_mafia_poet-rat_2a31cfaa-51bd-4aff-bbba-d895ac2c411e\doc.html
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1608
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1608 CREDAT:275457 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Modifies registry class
      Suspicious use of SetWindowsHookEx
      PID:2572
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1608 CREDAT:209935 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2400
- - C:\Users\Admin\AppData\Local\Temp\2024-09-17_8799c59f0eb8cbb37c386c0d5a39d520_cobalt-strike_cobaltstrike_hijackloader_karagany_mafia_poet-rat_2a31cfaa-51bd-4aff-bbba-d895ac2c411e\butdes.exe
    butdes.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1504
  - - C:\Users\Admin\AppData\Local\Temp\is-HA6DS.tmp\butdes.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-HA6DS.tmp\butdes.tmp" /SL5="$401F2,2719719,54272,C:\Users\Admin\AppData\Local\Temp\2024-09-17_8799c59f0eb8cbb37c386c0d5a39d520_cobalt-strike_cobaltstrike_hijackloader_karagany_mafia_poet-rat_2a31cfaa-51bd-4aff-bbba-d895ac2c411e\butdes.exe"
      4⤵
      Executes dropped EXE
      PID:1508
- - C:\Users\Admin\AppData\Local\Temp\2024-09-17_8799c59f0eb8cbb37c386c0d5a39d520_cobalt-strike_cobaltstrike_hijackloader_karagany_mafia_poet-rat_2a31cfaa-51bd-4aff-bbba-d895ac2c411e\flydes.exe
    flydes.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:332
  - - C:\Users\Admin\AppData\Local\Temp\is-1CAHT.tmp\flydes.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-1CAHT.tmp\flydes.tmp" /SL5="$301D2,595662,54272,C:\Users\Admin\AppData\Local\Temp\2024-09-17_8799c59f0eb8cbb37c386c0d5a39d520_cobalt-strike_cobaltstrike_hijackloader_karagany_mafia_poet-rat_2a31cfaa-51bd-4aff-bbba-d895ac2c411e\flydes.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: GetForegroundWindowSpam
      PID:2820
- - C:\Users\Admin\AppData\Local\Temp\2024-09-17_8799c59f0eb8cbb37c386c0d5a39d520_cobalt-strike_cobaltstrike_hijackloader_karagany_mafia_poet-rat_2a31cfaa-51bd-4aff-bbba-d895ac2c411e\i.exe
    i.exe
    3⤵
    - Executes dropped EXE
    PID:536
- - C:\Windows\SysWOW64\timeout.exe
    timeout 3
    3⤵
    - Delays execution with timeout.exe
    PID:1716
- - C:\Users\Admin\AppData\Local\Temp\2024-09-17_8799c59f0eb8cbb37c386c0d5a39d520_cobalt-strike_cobaltstrike_hijackloader_karagany_mafia_poet-rat_2a31cfaa-51bd-4aff-bbba-d895ac2c411e\gx.exe
    gx.exe
    3⤵
    - Executes dropped EXE
    PID:2736
  - - C:\Users\Admin\AppData\Local\Temp\7zS0BA67C96\setup.exe
      C:\Users\Admin\AppData\Local\Temp\7zS0BA67C96\setup.exe --server-tracking-blob=MzY5Njg4ZTc1OTE1MjcyMTMxZmYwZTk4ODU3ZWE4Mjk0NjQ0Nzc5MjcxMWY4OGZhOThlNTU5YmNlNzA1NmJiOTp7ImNvdW50cnkiOiJOTCIsImVkaXRpb24iOiJzdGQtMiIsImh0dHBfcmVmZXJyZXIiOiJodHRwczovL3d3dy5vcGVyYS5jb20vIiwiaW5zdGFsbGVyX25hbWUiOiJPcGVyYUdYU2V0dXAuZXhlIiwicHJvZHVjdCI6Im9wZXJhX2d4IiwicXVlcnkiOiIvb3BlcmFfZ3gvc3RhYmxlL3dpbmRvd3M/ZWRpdGlvbj1zdGQtMiZ1dG1fc291cmNlPVBXTmdhbWVzJnV0bV9tZWRpdW09cGEmdXRtX2NhbXBhaWduPVBXTl9OTF9VVlJfMzczNiZlZGl0aW9uPXN0ZC0yJnV0bV9jb250ZW50PTM3MzZfJnV0bV9pZD0wNTgwYWM0YWUyOTA0ZDA3ODNkOTQxNWE0NWRhZGFkYSZodHRwX3JlZmVycmVyPWh0dHBzJTNBJTJGJTJGd3d3Lm9wZXJhLmNvbSUyRnJ1JTJGZ3glM0ZlZGl0aW9uJTNEc3RkLTIlMjZ1dG1fc291cmNlJTNEUFdOZ2FtZXMlMjZ1dG1fbWVkaXVtJTNEcGElMjZ1dG1fY2FtcGFpZ24lM0RQV05fTkxfVVZSXzM3MzYlMjZ1dG1fY29udGVudCUzRDM3MzZfJTI2dXRtX2lkJTNEMDU4MGFjNGFlMjkwNGQwNzgzZDk0MTVhNDVkYWRhZGEmdXRtX3NpdGU9b3BlcmFfY29tJnV0bV9sYXN0cGFnZT1vcGVyYS5jb20lMkZneCZ1dG1faWQ9MDU4MGFjNGFlMjkwNGQwNzgzZDk0MTVhNDVkYWRhZGEmZGxfdG9rZW49NzAwOTYzNzgiLCJ0aW1lc3RhbXAiOiIxNzI1ODAyMjIzLjgwMDQiLCJ1c2VyYWdlbnQiOiJNb3ppbGxhLzUuMCAoV2luZG93cyBOVCAxMC4wOyBXaW42NDsgeDY0KSBBcHBsZVdlYktpdC81MzcuMzYgKEtIVE1MLCBsaWtlIEdlY2tvKSBDaHJvbWUvMTI4LjAuMC4wIFNhZmFyaS81MzcuMzYgRWRnLzEyOC4wLjAuMCIsInV0bSI6eyJjYW1wYWlnbiI6IlBXTl9OTF9VVlJfMzczNiIsImNvbnRlbnQiOiIzNzM2XyIsImlkIjoiMDU4MGFjNGFlMjkwNGQwNzgzZDk0MTVhNDVkYWRhZGEiLCJsYXN0cGFnZSI6Im9wZXJhLmNvbS9neCIsIm1lZGl1bSI6InBhIiwic2l0ZSI6Im9wZXJhX2NvbSIsInNvdXJjZSI6IlBXTmdhbWVzIn0sInV1aWQiOiI0ODkyOGFmMC1jZDc3LTQ0NDctYTQyNy1kNzY5ODRmOGQ5NGMifQ==
      4⤵
      Executes dropped EXE
      PID:1140
- - C:\Users\Admin\AppData\Local\Temp\2024-09-17_8799c59f0eb8cbb37c386c0d5a39d520_cobalt-strike_cobaltstrike_hijackloader_karagany_mafia_poet-rat_2a31cfaa-51bd-4aff-bbba-d895ac2c411e\bundle.exe
    bundle.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: GetForegroundWindowSpam
    PID:2768
- - C:\Users\Admin\AppData\Local\Temp\2024-09-17_8799c59f0eb8cbb37c386c0d5a39d520_cobalt-strike_cobaltstrike_hijackloader_karagany_mafia_poet-rat_2a31cfaa-51bd-4aff-bbba-d895ac2c411e\rckdck.exe
    rckdck.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:2148
  - - C:\Users\Admin\AppData\Local\Temp\is-BHRCU.tmp\is-DN1FR.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-BHRCU.tmp\is-DN1FR.tmp" /SL4 $200A0 "C:\Users\Admin\AppData\Local\Temp\2024-09-17_8799c59f0eb8cbb37c386c0d5a39d520_cobalt-strike_cobaltstrike_hijackloader_karagany_mafia_poet-rat_2a31cfaa-51bd-4aff-bbba-d895ac2c411e\rckdck.exe" 6123423 52736
      4⤵
      Executes dropped EXE
      Suspicious behavior: GetForegroundWindowSpam
      PID:1276
- - C:\Users\Admin\AppData\Local\Temp\2024-09-17_8799c59f0eb8cbb37c386c0d5a39d520_cobalt-strike_cobaltstrike_hijackloader_karagany_mafia_poet-rat_2a31cfaa-51bd-4aff-bbba-d895ac2c411e\avg.exe
    avg.exe
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Loads dropped DLL
    - Checks for any installed AV software in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2620
  - - C:\Users\Admin\AppData\Local\Temp\ajC555.exe
      "C:\Users\Admin\AppData\Local\Temp\ajC555.exe" /relaunch=8 /was_elevated=1 /tagdata
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Loads dropped DLL
      Checks for any installed AV software in registry
      Writes to the Master Boot Record (MBR)
      Modifies system certificate store
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      PID:3192
- - C:\Users\Admin\AppData\Local\Temp\2024-09-17_8799c59f0eb8cbb37c386c0d5a39d520_cobalt-strike_cobaltstrike_hijackloader_karagany_mafia_poet-rat_2a31cfaa-51bd-4aff-bbba-d895ac2c411e\telamon.exe
    telamon.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2080
  - - C:\Users\Admin\AppData\Local\Temp\is-LUF6R.tmp\telamon.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-LUF6R.tmp\telamon.tmp" /SL5="$200A4,1520969,918016,C:\Users\Admin\AppData\Local\Temp\2024-09-17_8799c59f0eb8cbb37c386c0d5a39d520_cobalt-strike_cobaltstrike_hijackloader_karagany_mafia_poet-rat_2a31cfaa-51bd-4aff-bbba-d895ac2c411e\telamon.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious behavior: GetForegroundWindowSpam
      PID:1628
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" "C:\Windows\system32\cmd.exe" /S /C ""C:\Users\Admin\AppData\Local\Temp\is-V388A.tmp\tt-installer-helper.exe" --getuid > "C:\Users\Admin\AppData\Local\Temp\is-V388A.tmp\~execwithresult.txt""
        5⤵
        Loads dropped DLL
        
        PID:908
      - C:\Users\Admin\AppData\Local\Temp\is-V388A.tmp\tt-installer-helper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-V388A.tmp\tt-installer-helper.exe" --getuid
        6⤵
        Executes dropped EXE
        
        PID:2068
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" "C:\Windows\system32\cmd.exe" /S /C ""C:\Users\Admin\AppData\Local\Temp\is-V388A.tmp\tt-installer-helper.exe" --saveinstallpath --filename=C:\Users\Admin\AppData\Local\Temp\2024-09-17_8799c59f0eb8cbb37c386c0d5a39d520_cobalt-strike_cobaltstrike_hijackloader_karagany_mafia_poet-rat_2a31cfaa-51bd-4aff-bbba-d895ac2c411e\telamon.exe > "C:\Users\Admin\AppData\Local\Temp\is-V388A.tmp\~execwithresult.txt""
        5⤵
        Loads dropped DLL
        
        PID:1832
      - C:\Users\Admin\AppData\Local\Temp\is-V388A.tmp\tt-installer-helper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-V388A.tmp\tt-installer-helper.exe" --saveinstallpath --filename=C:\Users\Admin\AppData\Local\Temp\2024-09-17_8799c59f0eb8cbb37c386c0d5a39d520_cobalt-strike_cobaltstrike_hijackloader_karagany_mafia_poet-rat_2a31cfaa-51bd-4aff-bbba-d895ac2c411e\telamon.exe
        6⤵
        Executes dropped EXE
        
        PID:2528
- - C:\Users\Admin\AppData\Local\Temp\2024-09-17_8799c59f0eb8cbb37c386c0d5a39d520_cobalt-strike_cobaltstrike_hijackloader_karagany_mafia_poet-rat_2a31cfaa-51bd-4aff-bbba-d895ac2c411e\stopwatch.exe
    stopwatch.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of FindShellTrayWindow
    PID:2060
- - C:\Windows\SysWOW64\msiexec.exe
    "C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\AppData\Local\Temp\2024-09-17_8799c59f0eb8cbb37c386c0d5a39d520_cobalt-strike_cobaltstrike_hijackloader_karagany_mafia_poet-rat_2a31cfaa-51bd-4aff-bbba-d895ac2c411e\gadget.msi"
    3⤵
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    PID:1996
- - C:\Users\Admin\AppData\Local\Temp\2024-09-17_8799c59f0eb8cbb37c386c0d5a39d520_cobalt-strike_cobaltstrike_hijackloader_karagany_mafia_poet-rat_2a31cfaa-51bd-4aff-bbba-d895ac2c411e\g_.exe
    g_.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: GetForegroundWindowSpam
    PID:836
- - C:\Users\Admin\AppData\Local\Temp\2024-09-17_8799c59f0eb8cbb37c386c0d5a39d520_cobalt-strike_cobaltstrike_hijackloader_karagany_mafia_poet-rat_2a31cfaa-51bd-4aff-bbba-d895ac2c411e\t.exe
    t.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2392
- - C:\Users\Admin\AppData\Local\Temp\2024-09-17_8799c59f0eb8cbb37c386c0d5a39d520_cobalt-strike_cobaltstrike_hijackloader_karagany_mafia_poet-rat_2a31cfaa-51bd-4aff-bbba-d895ac2c411e\g.exe
    g.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2284
- - C:\Users\Admin\AppData\Local\Temp\2024-09-17_8799c59f0eb8cbb37c386c0d5a39d520_cobalt-strike_cobaltstrike_hijackloader_karagany_mafia_poet-rat_2a31cfaa-51bd-4aff-bbba-d895ac2c411e\e.exe
    e.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:1708
- - C:\Windows\SysWOW64\attrib.exe
    attrib +s +h C:\GAB
    3⤵
    - Sets file to hidden
    - Views/modifies file attributes
    PID:1812
- - C:\Windows\SysWOW64\timeout.exe
    timeout 10
    3⤵
    - Delays execution with timeout.exe
    PID:3692
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /K proxy.bat
    3⤵
    PID:2332
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im explorer.exe
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      PID:2808
- - C:\Windows\SysWOW64\notepad.exe
    "C:\Windows\System32\notepad.exe" "C:\GAB\11532.CompositeFont"
    3⤵
    - Opens file in notepad (likely ransom note)
    PID:3504
- - C:\Windows\SysWOW64\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\GAB\11532.ini
    3⤵
    - Opens file in notepad (likely ransom note)
    PID:3676
- - C:\Windows\SysWOW64\fontview.exe
    "C:\Windows\System32\fontview.exe" C:\GAB\11532.ttc
    3⤵
    PID:3360
- - C:\Windows\SysWOW64\fontview.exe
    "C:\Windows\System32\fontview.exe" C:\GAB\11532.TTF
    3⤵
    PID:3596
- - C:\Users\Admin\AppData\Local\Temp\2024-09-17_8799c59f0eb8cbb37c386c0d5a39d520_cobalt-strike_cobaltstrike_hijackloader_karagany_mafia_poet-rat_2a31cfaa-51bd-4aff-bbba-d895ac2c411e\cobstrk.exe
    cobstrk.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Windows directory
    PID:2436
  - - C:\Windows\System\YuoGEkd.exe
      C:\Windows\System\YuoGEkd.exe
      4⤵
      Executes dropped EXE
      PID:3500
  - - C:\Windows\System\eybcNFs.exe
      C:\Windows\System\eybcNFs.exe
      4⤵
      Executes dropped EXE
      PID:556
  - - C:\Windows\System\RBwPEID.exe
      C:\Windows\System\RBwPEID.exe
      4⤵
      Executes dropped EXE
      PID:1372
  - - C:\Windows\System\BiZjGBi.exe
      C:\Windows\System\BiZjGBi.exe
      4⤵
      Executes dropped EXE
      PID:3764
  - - C:\Windows\System\NhDEFqR.exe
      C:\Windows\System\NhDEFqR.exe
      4⤵
      Executes dropped EXE
      PID:3636
  - - C:\Windows\System\WsfmEqr.exe
      C:\Windows\System\WsfmEqr.exe
      4⤵
      Executes dropped EXE
      PID:3576
  - - C:\Windows\System\KPIZzxq.exe
      C:\Windows\System\KPIZzxq.exe
      4⤵
      Executes dropped EXE
      PID:2104
  - - C:\Windows\System\sucROfI.exe
      C:\Windows\System\sucROfI.exe
      4⤵
      Executes dropped EXE
      PID:1756
  - - C:\Windows\System\JVxdDlk.exe
      C:\Windows\System\JVxdDlk.exe
      4⤵
      Executes dropped EXE
      PID:3868
  - - C:\Windows\System\AsXwyFi.exe
      C:\Windows\System\AsXwyFi.exe
      4⤵
      Executes dropped EXE
      PID:3824
  - - C:\Windows\System\lWhdYBY.exe
      C:\Windows\System\lWhdYBY.exe
      4⤵
      Executes dropped EXE
      PID:3856
  - - C:\Windows\System\nZhpHvE.exe
      C:\Windows\System\nZhpHvE.exe
      4⤵
      Executes dropped EXE
      PID:2608
  - - C:\Windows\System\VBPFfiY.exe
      C:\Windows\System\VBPFfiY.exe
      4⤵
      Executes dropped EXE
      PID:3780
  - - C:\Windows\System\dVrqAfA.exe
      C:\Windows\System\dVrqAfA.exe
      4⤵
      Executes dropped EXE
      PID:3844
  - - C:\Windows\System\wXfNBrq.exe
      C:\Windows\System\wXfNBrq.exe
      4⤵
      Executes dropped EXE
      PID:2580
  - - C:\Windows\System\KunVVbm.exe
      C:\Windows\System\KunVVbm.exe
      4⤵
      Executes dropped EXE
      PID:3036
  - - C:\Windows\System\ywbwJkG.exe
      C:\Windows\System\ywbwJkG.exe
      4⤵
      Executes dropped EXE
      PID:4060
  - - C:\Windows\System\aIfcQlh.exe
      C:\Windows\System\aIfcQlh.exe
      4⤵
      Executes dropped EXE
      PID:2676
  - - C:\Windows\System\LOzzyZP.exe
      C:\Windows\System\LOzzyZP.exe
      4⤵
      Executes dropped EXE
      PID:1580
  - - C:\Windows\System\uIoskMz.exe
      C:\Windows\System\uIoskMz.exe
      4⤵
      Executes dropped EXE
      PID:1636
  - - C:\Windows\System\MfipOVJ.exe
      C:\Windows\System\MfipOVJ.exe
      4⤵
      Executes dropped EXE
      PID:2300
- - C:\Users\Admin\AppData\Local\Temp\2024-09-17_8799c59f0eb8cbb37c386c0d5a39d520_cobalt-strike_cobaltstrike_hijackloader_karagany_mafia_poet-rat_2a31cfaa-51bd-4aff-bbba-d895ac2c411e\jaf.exe
    jaf.exe
    3⤵
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - System Location Discovery: System Language Discovery
    PID:3644
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /K des.cmd
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3364

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "10843404498304624-483452234-94880340327279917130314250814097504941192648920"
1⤵
PID:2384

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2160

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "36136602841804037620981897891064782735468899628-934115544-13627776181181879446"
1⤵
PID:3864

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F32D97DF-E3E5-4CB9-9E3E-0EB5B4E49801}
1⤵
PID:1680

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:3632

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

Software Discovery

T1518

Security Software Discovery

T1518.001

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\GAB\11532.CompositeFont

Filesize
42KB

MD5
8f64a583b0823bfc2fdf7277e67b5e16

SHA1
f8029c828d0aef58f8818b866f1f7f1ec2f095b8

SHA256
b637a0f9031088d08147f397836fe1c16b15c70db696db4ddea05ec5b95b4f91

SHA512
e8c7941c8a42f6408b0071c7f0ea06a226757d3a07e3943738296c5dd5e5e60d682424182f0d788f42a5758f1c76ef1ec89901acc43799833234f09f3b4278a2

Download Submit
C:\GAB\11532.TTF

Filesize
129KB

MD5
c379b03bb3feeb76b9e05ed70791b22f

SHA1
b7ca37f01d8c80281eb46e586637f723fdb656ff

SHA256
1861e0824e53ca60a04ea1bc7bdb159131448fec711ed079ebccbf645dd345d1

SHA512
cf116a922af87d48230b258bf850e5c898aae5eaf23fb698f83f91d24421558ea5ccbc03536e3b1128eee94dcde3df75a6aa8bb5b36f063c7d624ec7b3a346cd

Download Submit
C:\GAB\11532.TTF

Filesize
126KB

MD5
6d8f36dea41040449657122081d59027

SHA1
2ced2846ad34e2ae81903362e20a7f919fdbffc7

SHA256
83301b85fb1239c587a4193208cbb0aa4a66e890276bf198aef6e34423d461d6

SHA512
26cbe7290a69221a15d66c8ef1d24d9a415d1750df3a2f96574d42cabd0681b5cfc18d91632bd2fcc44aa2c1d82d7b4c17afd3701e7e7ae98f15b4beec308d15

Download Submit
C:\GAB\11532.TTF

Filesize
106KB

MD5
33bbf1ba8c61d1cb4f0fbca9a008bf33

SHA1
d9082daa40ee8c4fcc9773f2aa48820947b5427c

SHA256
2e77809b706dd13f9fa98cb5639fd96f46e361998e9ae580dc8c331c084150d9

SHA512
f9307186319b298ebb380af9de031c0c777e949dea10edf58756a4339f43567de0cedded5e73d32bfb22eb2f94c726a790ab88169ba7d16912c6ad3f58e631d6

Download Submit
C:\GAB\11532.TTF

Filesize
360KB

MD5
9fa9a9adb55307a8a5b24363a37ecd67

SHA1
7b5068ee3fa45efb53764352a3c1898b95712742

SHA256
79ba77bfa3ee93be7ea55e78f5fc30187f74c32ae632a46501ee6f27c52c3caa

SHA512
f1b31b3fb02dba109196954ec3fef7985998fc439902b9156bf63630fa6e001950f8758e624210178d0bcaf7c1e97a6b99dfda133a6459185e20ca50a3405626

Download Submit
C:\GAB\11532.TTF

Filesize
360KB

MD5
43e8db732d9f27ea32febef0c85d4df4

SHA1
ba5beefef0faf5d48efa32d5d078674ac12f8f61

SHA256
70d0ab5792c852c7892d12d61f1b608611a6beb8d336cdf1c5e156b20289a398

SHA512
c924e4d4de4e03c7cdf0dcd7b25347e2a0484341fec2493b70766c964e0a8589c21103022168ab749599805206b1688e5c5ff279ebf1cd3ce9015bf88a8d4ead

Download Submit
C:\GAB\11532.TTF

Filesize
128KB

MD5
a76700aac6f6baaecf31399288695c1a

SHA1
25b4368e522a8941b6e8c592cc8d85ce9633bda3

SHA256
6d7c4e72d6709dfc8114de8a70ae97f047dcb9e12a6f135decbffc126ac168cf

SHA512
d51f6d35de63380e0442f57ea57ff4c80625b45282575309711c3b8a00a7d0168fcba6558305d2792ebee859e0d3d4578af5e7ebd0fc3beeadea9f12f0c26cbb

Download Submit
C:\GAB\11532.TTF

Filesize
128KB

MD5
42b5402e83dc84d410b12360631a85f7

SHA1
c057620fe9e63868c924a1ee1713708eb5db24c1

SHA256
85d49ea796f9f4fa1f5135ae872a6ac5a67b0b64104cd1619551cd0ceb27fea9

SHA512
530404e5fd48407363dbcf55211a796726488b4c3120bd3e26f069a663c79fa25c96ccd5bff0ed8e850bbee6f8fcd20b78c0e3314aa2d2763b20cd7cf2e03a9a

Download Submit
C:\GAB\11532.TTF

Filesize
64KB

MD5
24da2cfc4c75ecf3fcb9c80049350184

SHA1
15c513019a184e52111a172da93ffaac79ea0d64

SHA256
9edf145c830666ec9c13190d79769c917a0723669150d7dd222f1414f9adbf17

SHA512
48d9f88ef3e795d19905ded60a3ae0518e54083b760c6821f144107ed63f8a1af0ccb69436b454ccf49f18931469b9955a1193666c3607c997cd94f861373143

Download Submit
C:\GAB\11532.TTF

Filesize
64KB

MD5
1c63cfd8d043f4ddb1968d464a1e58bc

SHA1
040853c2c1be8070a8166918b75f4f7f7429fc65

SHA256
3b17a797b333c6d545495a6dc1d3bcd64b212838e41a03ee3dbd6dd58e6e91d1

SHA512
0e769e01f8c19297f7af6de6ad0cdd5af4bef0ff5cf461018bf84e92ebed95e284338793f1924601cd396fc564b3fd0741e7da73d12f643fe8f57f4f21c9c590

Download Submit
C:\GAB\11532.TTF

Filesize
60KB

MD5
113ecf48e1eae740220b9827df027f25

SHA1
7580058d3f9faefa6eb3ed7e4cd5d070a168bdbc

SHA256
25b23e0e8ba977da78fd0f6c13b76e561756010a73cb5a8187dd817496e25fec

SHA512
dd969c5469ddf615c37f425063df5fa38078b96406adb59068c5ceb6cf179c725f3c40c49e6cc5790e9f48793356e8ae45290dae860de408574289491e6b7e64

Download Submit
C:\GAB\11532.TTF

Filesize
384KB

MD5
ac2d6b45d7acae53fc729cfc6480cb0b

SHA1
a6c77de1dc1405a73908ae4c343e2a6d33666747

SHA256
795b025e1336727722272955c0b8487ce0d614b61246768e3fb527507a0a63b0

SHA512
40cc3f34151c050127b134145cf217bfe31f831d279b7eac9a8d4f30ee38fa1feab97b4c25baed7dda50a76b6c3d6ea2169895ea42a05bcbeed185165fe538c2

Download Submit
C:\GAB\11532.TTF

Filesize
55KB

MD5
d1fcc5ac64e9b52c6e63f53f59ac8d80

SHA1
ae7c788a99f2f01d9fd130645f08c4b560f808a9

SHA256
b8adec9fe72180fba8ee7a9c6598cfeb12970fedec2e77045f28c3b502c81d6e

SHA512
ab3ac0d9bc8b18ad554113ae2485d380d1a2b173f0630f72e3d450a159a7fd952eada81d7abe3a19ca671311ba27c88ac2b8a2b5ea8a17b1c0df307b795579b7

Download Submit
C:\GAB\11532.TTF

Filesize
392KB

MD5
06477bcbb97da31d84f9f56b435addff

SHA1
9341665d807e54b2ab05b8e9f1f79df20d1dd4f5

SHA256
95164d36ea090dec0eb16c9f6b2f904f8fefefd12e0f1e23cfda8ee90a836c43

SHA512
ec51c38812a3d0be7b4eb568d571c7406ccf64f0803d89c16ac1ab02ba1d02511f9825286899ec0e84f3df029852ab6d528cb06011dfc9325645fd3eb024ea68

Download Submit
C:\GAB\11532.TTF

Filesize
320KB

MD5
6390da43845712c6f6796167f319f4c2

SHA1
8f341c6ed551a9f9ef015784f278fcbbcee37371

SHA256
99ae7d9a2d56de04e6e8b0898dd3f43f316dc3c7485f87ba3853b689152b9c28

SHA512
efdfdc9f2127e2a1239775970a24132a55656f70b1329634d9fe7ddf68e4883aa449d8389721491d0d8d472f7fe982e227ce480f2d2a59d6af2e575d0d4822cb

Download Submit
C:\GAB\11532.TTF

Filesize
80KB

MD5
1db416dc1213ed2be2073edd430ae4ef

SHA1
991525efb56a1c0adbe4258ca0c2561b86c0f2c0

SHA256
90927ff5837bb9cf2bb7ab7bafafd4838464b67b0bd1149c1b77711c45b4e231

SHA512
d8cb58d86891417f9a3da7cdadc4222d822e00f6e34c323c5f09b8c400fd97f768e53e4f8cb635d269792b78edec43927f9cbf3ef73ddde8eb92452b5224022a

Download Submit
C:\GAB\11532.TTF

Filesize
2.3MB

MD5
8f8ca53703c3550af9aef574e90e9265

SHA1
dd95d4837d1a7da403f134e5cc08a82c17145272

SHA256
d2cf31be96c0c1d4ab75b430539471f29296b817a210977dfedb0f4baa08f495

SHA512
2ac229cf062c0c2e3819b58c644372a7b9831065216786c5264e0c43cb11c73a066e56cb82a458b6b4f4a67d782daaa50c3ffe0a90e162c98519155926428cc6

Download Submit
C:\GAB\11532.TTF

Filesize
121KB

MD5
b29b175b6c63c702624f12b4d7fc4ec1

SHA1
b939fe1f8e81c16385e672c49e25c5d50aa6cc12

SHA256
8d92639d4ae13501f1a627aa5e2e00bb89b56334060e19697dc3e238e7212798

SHA512
dccf99729e5dff71b4ac32ab5a5b4f0175dcbdb36d089ca71b8c29bc8e2ad8f1419d1ffdc573f1599033195f78022447a4ccde5942b51dde45ac70b0d7331d89

Download Submit
C:\GAB\11532.TTF

Filesize
1.1MB

MD5
5866b2ad883a00ff98cd8875abb5fc2e

SHA1
e401fc1c0d160c1a5be88c96cdfca54cfe735ab4

SHA256
7a29f1ac38949aedd8a4241a81a11f888ed7773008526b012126492766ce5154

SHA512
da9e5d1906a6e5f0cd7ca24d323ea9fb2941d9898092b189b08680388085309469dfe62f82782dff0d02350d8d01c84bd949d784da453ea299ee3cade31352a2

Download Submit
C:\GAB\11532.TTF

Filesize
1024KB

MD5
fd99d698f43f9460f86af01076f9c1a1

SHA1
bc26549def3333e615233135d04e4e2237eb6338

SHA256
971f13017c8b8b15b05eb61c2719229bdc90b2f84df256e6a0e2327e0afec033

SHA512
2971fbe3efec6d9c89974a8cb0664ba9fb97ffe55f303fce064107c122eadeb54f73a13769c5e700c5a13536bfbaed4cf0bc7a16f0abbf64e28c51d2c0577aaa

Download Submit
C:\GAB\11532.TTF

Filesize
128KB

MD5
f6794bdb6e8bfbd3fefada23094d43ca

SHA1
25bdaf33e493bd49f9ccfe5be0beb587d6302fe2

SHA256
3e72d512fbba53a9dbcbf1d861533d20cf069cc0304f5fa6ab0761a22cb7011a

SHA512
44cb3729e2f2d7750172340285b545b54df5d8b6a8db368c6b49507e6e3c1c7c1bbd1ccd499ac089cad3ae1a851f2efc1c4008ea3a3beb4dcea408f0f50f9af4

Download Submit
C:\GAB\11532.TTF

Filesize
64KB

MD5
fcd6bcb56c1689fcef28b57c22475bad

SHA1
1adc95bebe9eea8c112d40cd04ab7a8d75c4f961

SHA256
de2f256064a0af797747c2b97505dc0b9f3df0de4f489eac731c23ae9ca9cc31

SHA512
73e4153936dab198397b74ee9efc26093dda721eaab2f8d92786891153b45b04265a161b169c988edb0db2c53124607b6eaaa816559c5ce54f3dbc9fa6a7a4b2

Download Submit
C:\GAB\11532.TTF

Filesize
308KB

MD5
133ae2a69d2363ec170793a1fcb76bc9

SHA1
babcbba2c8d436bd75afaf0b723908200dc3bc8a

SHA256
49eb4715295aec9241d1fb095d302e51e9701c056cb5a3d2a277a7af3cb5b51e

SHA512
e2339fa3dea83c132277b609aedbaec78a08e05b591f98c6b3ea0cd94baf78790fec17d3924cfd7c54dedeaac82633867b15bc900be27f693fa0809eb47cc2fd

Download Submit
C:\GAB\11532.TTF

Filesize
161KB

MD5
24d80af243da9fb7c330996fc395d558

SHA1
debfeb04bfb47e8bdb18cf95af6d6261e250640e

SHA256
ca39aeafeb77b031a59f545b710c82efe6687b446dad754a505ce5053168560b

SHA512
8e76dbd768027765aadae4531f091273d611dc21e09466d16238923a90f37207f2c49faf4e9fb30ff7c2085ef1a8e0c46466290a94551c9d50ba938d44de0da9

Download Submit
C:\GAB\11532.TTF

Filesize
128KB

MD5
d7ad63fa70727885e8d1591a55bff657

SHA1
f40755b17cb2b9f3f0d4213ce95ae30fa7ce61fc

SHA256
8f0f342a56dc4124f7ce8580a76b190654f299aebd1a08b4472a452332442777

SHA512
6e0e21d60ba18b28614c286efcbf368a7dc9fd21d8fbe4b8238580beb30de091776a64939c2ff4e2d9e3d207aa0424114b10532cf4205e2c742f7883dcd8e327

Download Submit
C:\GAB\11532.TTF

Filesize
161KB

MD5
b3ee694812cd55e183d638f821d7ecdb

SHA1
4a9c9335c10f40079356ca5db4d1b08c3e4a415a

SHA256
f56d009b5f2746c4133d543ccf16e7aa0219d9838208b3d64cb755c31448e45b

SHA512
3afe4836b24528206d373cd2a0d8d5f8ee8d003408a2ef6121409515516c9b46be3aecc5896b2b2c2f56dab09b4ef2c11b20d3bb37420ddcda4eed6e06239d93

Download Submit
C:\GAB\11532.TTF

Filesize
157KB

MD5
c29c3007f607e0505da8d43931f2b9eb

SHA1
dba9733c432d5f128d911e586edb5b363efe2832

SHA256
6b0485366c5245fd0c60310db8e47317a19cc840a939a05a3e8a461782299cc6

SHA512
f8b0cefd9fae28c51dd0f8373ec95f32ceb45d148dd3cae6904988b46838d2115b6a7a19a1c1c3abd2481520f50a4f95aa039b3ac489dfc7931bcf5c8bda9cf1

Download Submit
C:\GAB\11532.TTF

Filesize
256KB

MD5
4f924ab9ec77a162de0a12785e909ce2

SHA1
2d3e640254c0652bec43d6e790faa01af595f8df

SHA256
2b4816b11611ee32d718e04b681ce72c147ea76480ac856b6d96307303efb9ab

SHA512
82f4918679ac4727addfd981e58cacdf665d326d06a4aca0a1b1302d52b4c9c045b5a2d74db33cbe2055b75995b542c08a6d2e9811f8b72487691777632424aa

Download Submit
C:\GAB\11532.TTF

Filesize
168KB

MD5
fe3fe689a568324d5e411883f0877041

SHA1
3a7579a77aa30129cd29d5eea16b6e323e4592b3

SHA256
bf714503751a208fc02ed77aeb7fa4d4bd079206142f76001cb1fc5bef6813af

SHA512
c790e4a9c4432ce7613d46d9e77dbc65de94ecc082a6e67f98a9ae9e6220d994cadf9b8dbb20594c6a9af75835b42d23a77cbec51e35b5ba6cf4b06934a15c51

Download Submit
C:\GAB\11532.TTF

Filesize
107KB

MD5
265742b61fa10d65fcb184dc9a4b74cc

SHA1
a98e8ae370277a5115b621e39a564d2a9bfeab3c

SHA256
0921a6f956cde89afd2389fb65d6086d14cebd35b2fb38e12291c6031ae02aa1

SHA512
c5fe3c31d1d5a95c144aa8e7ad6f3ef24caf89ceb9b84b6e1b69b7747d54898599fca301d0f12ac664f5651f565500df6a7a1723a361767862fd57fe564d7042

Download Submit
C:\GAB\11532.TTF

Filesize
129KB

MD5
e02b8546c6d2c75bf876188ee9720f8f

SHA1
fe800d74039dc3018c5806a05a3d3f545836e7f9

SHA256
b2e949ac1c89e038b6763b2f04ca6ca4816a19a2fca5ed85f9ecf37d745e0d71

SHA512
30457aefbbd7833b7a492c2f5bb221674bd2f5123e55f15523b29333c5f7556ac15125b7daa9d66cdf123c47c9d2208ef927cd015bfc14d6940077bdf814d64c

Download Submit
C:\GAB\11532.fon

Filesize
9KB

MD5
1df49bfe3f5b35cc4cb4065dd8ed51bc

SHA1
48e801336e740e7b8cc27dd130c4dd798d5c1ad1

SHA256
739f0b71bd23f0d242fdd42d63644a02df436425d147d7ad6aadd389874387fe

SHA512
b82ff80bc41eaca266610002082277032f3c5321ee5a278f826d975ba381e8bd7f78e6f70b36de2e10e967abb767f096b24fcc7dfff99521a18d4b748ff5ee6d

Download Submit
C:\GAB\11532.fon

Filesize
6KB

MD5
ac2aad216301bc75f750ac93543c941b

SHA1
0a9a8a43087b94e829801287c7bd44ae49553935

SHA256
b904000ce079d3a87698a1e16d82f944dd49fc77e9326e698c9c402f2287133a

SHA512
c9f113198a4e713141e80343ce38306899cc2df78373630215de2ac4acc80753bfb36395f66b7d28a7f1f28628903e01fc6f4925ad09e22f4b309cb83cf5f206

Download Submit
C:\GAB\11532.fon

Filesize
7KB

MD5
ad75fb38d57de96a18fd5fcad4a282cb

SHA1
2689835e7573d1ea8cfdf6ae7fd77b671baccbc7

SHA256
c7b31d6d41b52ea093fc845bb51f5fc8bb772b278a0cd8d0dac980dc9e6b08eb

SHA512
ef3e09211a3e58428b94bda0f84d84e83e1e76f40b6f633a6a0e4121cfbdd4cf5253627be285e853d8c536a611f8abf6b2cfdff69033e596c56aaa5b625b6bc2

Download Submit
C:\GAB\11532.fon

Filesize
12KB

MD5
dcfe71d27bf49ba16fde0d1945bfb4a2

SHA1
86b3d8696b5da354ef42c8ab4a9d21cdaaf0dda1

SHA256
eacbfca9a5ef05a108ef5337c773d82a43398bb8ea177e5ebeef62934dd75811

SHA512
4da8efcfd4a77e230c61a527eb96b5193b9f5ddc0d476dfca8ce6ba7143ac5c8a1fd8b673cc2c7b554dae42ec01364a178f64532b6de17d44dce07b3089869c3

Download Submit
C:\GAB\11532.fon

Filesize
82KB

MD5
5972eeea7971170eb72cab2fc85c2b17

SHA1
d327d96bd78c5e851e065d053829abbb370c0c09

SHA256
9677467feb714a89de457e262ff6647708b7de66127671b77f7e1e92aa0c2f41

SHA512
c55c5217271f29bd3a7a130daa5e5711eff65630127f90112a26bb4ba3dbf416059f9424606bc1998ff4eec874c18767a395e20c3dc516a00079b2c5a7221ed3

Download Submit
C:\GAB\11532.fon

Filesize
28KB

MD5
cc6bd6cc42cb4b557c2367fd37ad5050

SHA1
fe0dece889ca2b7875e991a6829dca4c77cdf554

SHA256
47996e5448a551445c6e455b5661f27fa783478a6fc15f4fbff8345cd9c252aa

SHA512
64c0810ff3765d2cc771885391466daec3c0775357cfb6090e23c7b9c895120e52fa241ac5de05daf034e1c354e03862d6cd8cdd35c9d1940b2e84263140eee3

Download Submit
C:\GAB\11532.fon

Filesize
67KB

MD5
a19e8a14787572c82b0a82dbbc477001

SHA1
bb7e368d1c266ed936fe41e1c68dd626d452329e

SHA256
a4fb1ca3b12da7856222f4225cd97cfbb4560d35f4ba4552b016c6105359f1db

SHA512
7e3c1da464da9614715b08d8dd7f8df47bf4054e3d76d529262efe6d1757d4c51c32d970598bbd27dfb469c03cd1c56f98106a042d4408226c511366cee6a0db

Download Submit
C:\GAB\11532.fon

Filesize
87KB

MD5
27a54add7f185dc0564d108a89ed24ad

SHA1
d0073d19534a837a4f79a10892ec4aff1f3cec67

SHA256
46d6346b77dba3d0bc9239a824ff48ce7bb8f652ac23f82d141408b018462d01

SHA512
619e250e4bef7df900b44f996f6a5aceffc457060a900a3a20fb7ddf04d2d8ce1a1bfd51dd9297b3c021dbf6c4633a2e6bf28768a5b8a639345ccd2e844fccea

Download Submit
C:\GAB\11532.fon

Filesize
87KB

MD5
0c1ebba1b7166839230ff07bb4633142

SHA1
a8beaa2df56769102a08e5a079ee0148b530d86e

SHA256
259a68b25c7549c96c10c6d657a384a9aa0769321be1211e9d3292756faf36f4

SHA512
7ec5dba908525938e58c90c6105a4b845fde5e978798ce5bd29079dc04eff326bc99e2c82b63fd67298a27203ca34db9da03785f71f77ce6f1da44f138e9edf3

Download Submit
C:\GAB\11532.fon

Filesize
95KB

MD5
a88c8cf32634073f465f3bd834187468

SHA1
8094cee4fc99bd7b449d35e803d979c676ba02f8

SHA256
770ee7e6b277155fbe0ad0c6f5c8365b16cbf7f7cd86c89ad1f04e0d81695558

SHA512
958b00792a30a2124f10e43b1eba4190438ee7b6a7a931f15a77906e03ee0604f9c3489a1c5218c88f2b173fa803dc3f9847a3ddfade393c929e3a6b14a5bf29

Download Submit
C:\GAB\11532.fon

Filesize
12KB

MD5
40f8022c3fe4e1cc97bb794e1b519b3f

SHA1
7ff107451b67b2d432db4706c697a9391c13a6f4

SHA256
6b16818c057024f588f4f423cb1f50d24e092fca3c9b5c8c1943cf5b3ea70759

SHA512
08a85d0203a0534067538ba0c1f40273409f61f212269cb3095df1defc114ff007efcb4c3c4897a345cda17db16c98b88ae61100b9e4636862d26edb8a402ba3

Download Submit
C:\GAB\11532.fon

Filesize
68KB

MD5
5e142e4d090d689cd44fa8fe9882a743

SHA1
0301f8c9422f933c9d7a65bbe4f7c45feb4fef24

SHA256
a23e6b523d0e3d16cd197e5a525e3f299144577dbdb860ab91e7c14652aad3d4

SHA512
23f77ca93a178d4fdecf54ca1cb6cbc8d6c816deddc630d90fcaa5f3d028a9db29301d32b200c70bcbeb94c8491bd44ffeef51233cfeb011e2081825b167ba16

Download Submit
C:\GAB\11532.fon

Filesize
5KB

MD5
1e23a19295b139e5319c004e047227a3

SHA1
824a605d69ee7885a2d1a2ca821a8780cf992374

SHA256
9259c1abdddfa27fbd8784a001bce9e55c424a7c6d74eb19f76493e48452cda8

SHA512
1e9a7404adc4127c989e489a32d2d8f7df93f906b9cdd087a71230f13d4a4cd9dadef63dd3f94525a1dea68191e59212c980eea1b7e55a51fb1fe730c3a400f0

Download Submit
C:\GAB\11532.fon

Filesize
7KB

MD5
dcf9b7db4189054c567167e6cb4a4c3f

SHA1
a2e608692c8090e2b5dfb77e2a7264e9321aa897

SHA256
7a2aeddf12b0f05e9e380138441d26118680779e4e3218cc09b81dabcf158135

SHA512
6416151070591f349116980ff3393b409afe6cdae5e1f5bf16448458758786dd1060cc13db3f07531307ce51b94b8f40e7e0d8d91832e2d12d20957fe6b5fe4b

Download Submit
C:\GAB\11532.fon

Filesize
5KB

MD5
fe27995198e55990067fff9168dd0e60

SHA1
8d3cb5ec01f711f0cecdc16b4f3976cf59e5df16

SHA256
1677f96c3d965a44953cb644796fd1137be5df37e38513fd5587e55751f23880

SHA512
dac6eb83223d89fae633c44d031e6b5244fbc2753a0b8a39a0e967252e05cbba8bbfab554e0a1fd0a71323b202dd87197255a51c7f5802a61f44ace42d14cfcd

Download Submit
C:\GAB\11532.fon

Filesize
7KB

MD5
073d5f375c33792d10bb7a94d7688131

SHA1
06b74be837f5d478442cd3f67b28d6f2a7508a95

SHA256
99f5dc76890ebff3fafbd16f15f319d544e0759628a903c8d223125a5c413fd7

SHA512
87ce83f98a5945497f5417446bcd4da04003ebee0c7656b92af7fb909faa9a8af0f39f4e4bd023b78a0feb470e0d1adc8feae810526188ad15e54ac0b1285675

Download Submit
C:\GAB\11532.fon

Filesize
6KB

MD5
8a5dbabcb9b11e3e0c527b93e69d5e4d

SHA1
c47add614ece5ed16ca456bac08b1f2cbaccfec9

SHA256
824ea3f5eabd9c3b8e0041e78935feb65545f58760ce0c47a0d938ad75f8e241

SHA512
ddcb3520d68321e6372630cb34473c7b310ffed1263cde8e1059837e63e42e7a7e644537044dee774e9ea3e912e485f2630bc106233e039ea925355ec29921c0

Download Submit
C:\GAB\11532.fon

Filesize
64KB

MD5
e61028e28af3df8573ec12317d3f9c0e

SHA1
afb326720e7135ea9ee3593f6f05aecf1b40c3c9

SHA256
1c19aedc9306f436d4d35fc317412454f5507de05b361a29309afbd308f17e4b

SHA512
137c5bda1c68935f14b215a2f950230934a6cea72fa8b04265c211e422834476067d97442d74a82dd13bd549ebce595c01804faac1ddf8658e1bfad2db679ecf

Download Submit
C:\GAB\11532.fon

Filesize
35KB

MD5
2bc4b5a76222b3a119292ed8e279e77e

SHA1
6477bd07e7e06058c40511d9f166e283852ddbec

SHA256
5d49a0b3f3f99f7d3d49c6f385f948e804215f042520cbdd7d59640e649ae25e

SHA512
092364dd161e3430688a912636736cbb3e818fbfb3b96676839d721da6ca08de4351aee4a309fcf7ff8829c3a3a805babaca1fc2a181592620237561c869dfff

Download Submit
C:\GAB\11532.fon

Filesize
35KB

MD5
efee1f670d9554ba4d2e8be05f7a3ea0

SHA1
3cfb93fa76b1a9bfd87036db3b8840f20e2dcec2

SHA256
00b2df2e81fca756a899914783fc0f72d8491a12ae757a759cee10627d843113

SHA512
844b353324c4894b0eeeb4f5bcfd525e3515482e4e08ff2c0e3e8ffacc383ff64631318e7cd32fbf7368b8d5a14e7b888cd7ed445070896e6b00e1be7a483fea

Download Submit
C:\GAB\11532.fon

Filesize
35KB

MD5
8a5853ebfc046f428dd31c5f3ae217ef

SHA1
61dccd934eeaf49b9dfe4385e5ba12ea8eaaa35c

SHA256
0da0d4ed89fd1e8810c7f2cdb5372abfb02cb3d031acacc1a5bbc853f879c2bd

SHA512
b2427ec94402e06af2239277087376ebb5a4a231a2d9fd020e7eae557b865355f257d0fb3c2f2f306c132f919160b5b7d50e0f078f9e382a3ed9ceee3e285c32

Download Submit
C:\GAB\11532.fon

Filesize
5KB

MD5
21475b17405b86f37a2c15a1df2733b3

SHA1
e640903a5fa2a800a27b74c73a02ea855dcbd953

SHA256
6e7a86167874f989433a264345e5ea6c0e000861cbca8153858b23d7d35d5ecc

SHA512
5752f5cdd3d6e56de8d6382dced5b7425fead8cbdb21755fb504320157a4aad3a713fb8d5d4d52e843d60b0251b3c14ee6e7720824ace97b9fd8a5dbf7e0d8f0

Download Submit
C:\GAB\11532.ttc

Filesize
9.6MB

MD5
985201235567a4dcf660a9218b31139c

SHA1
17124ccee84b1e58e8c948af8c5f976bafe051b0

SHA256
28641f4ea7653925f431371fb1f08eb11b4a6a382e18d343f186f47081d96fc3

SHA512
c9c56fce20feaf85a75b1e4d4a48a6d6ec6748ddbca8b149bab1ad1a3f8f94715732431d6b0f52bd74665c0276ca0c37f7e25f84003305c238774d31859b83af

Download Submit
C:\GAB\11532.ttc

Filesize
14.6MB

MD5
74813b5ab83e9920f92d6d4be42e107c

SHA1
51c4f52a9e0abf167964256b335a917cb5847bee

SHA256
d136c8b47adc90081fde814f8a4c4d6c8890613849d0de8e568168cbe180c52e

SHA512
0dad73c76c7b6a47c7e958cd9f6cfb4e0da0e74cb9fbb24821103309425573a49472b44e222afab49bd283516c999f34b3a347c0e71adaae1c680855c5ccc0b2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\070E0202839D9D67350CD2613E78E416

Filesize
1KB

MD5
55540a230bdab55187a841cfe1aa1545

SHA1
363e4734f757bdeb89868efe94907774a327695e

SHA256
d73494e3446b02167573b3cde3ae1c8584ac26e15e45ac3ec0326708425d90fb

SHA512
c899cb1d31d3214fd9dc8626a55e40580d3b2224bf34310c2abd85d0f63e2dedaeae57832f048c2f500cb2cbf83683fcb14139af3f0b5251606076cdb4689c54

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\070E0202839D9D67350CD2613E78E416

Filesize
230B

MD5
d138d12fe780c55fcd34a298811aa08a

SHA1
feee24de5a79bd239f1843d5b1531eb0f82f43aa

SHA256
8b1fae5af79c324463e05474740cf92fb943c98b70bf5da2c15a19c1d6f21bb1

SHA512
9653b33632ea778a21af13fb197c2868768c0dae59fcae3f0d2b545ccae081e3b3402ab8eabac7dbccfd09ec92e214996d03958cdd690b431c0e28a8fd99b5d4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a1134d5ca9ca410c33328e33a7d62f13

SHA1
5171913f4e679954b98248b7d200e8fba38856fc

SHA256
96961895de7c34193bfeb9c6f4a5a3cebecc1e75abf59f3199f942db27cab026

SHA512
51e108c5422f780b5496e95b4fb1f50138311c71d1d4e2749660807a633f6060b3eac72145b4362248e1d5cb878b0e2175694cd815e38ba1f26b41a9d7e0eea5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
577f8c3fb2c62d8d6c53f11fda4654b2

SHA1
76d9626007e5a012f9ac3bdcf33c794e114a1823

SHA256
79fe93f554823ac773385fe4ce543c0d8bc02367a9433777a6b6d9a1ef89d532

SHA512
10cdeb75fcb5f7b9c0daca40cd3249d9d5ddd076ac8f61f8a33ffbd9b2cb3a381d93afbc27936c910da07d0256d1aee9c811d7bea126f62c080ccb52a131f30c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7493e625ecdc428e2388e8269a49be9f

SHA1
ce7ed9d2d4889aa618e0999049cac82581687f79

SHA256
aed047c2eac4009a223837f83d1cd690cc8812a3fe3d4be5349175d10c1321a7

SHA512
42f5594769000c890e67829e813c9b32ce17de11d5dccf910cdb4539f2668c704effceb83d29862d9582d926bfa18ea6b4d77a137f0dd70f9c142eba4ab482d6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
96bae14f4dfd5c20214692d6ecc1109f

SHA1
47077b2b1bb79b94581bd17749608b364d1ae2e4

SHA256
b045c4ef1646a85e6572653cc4b07d0d1c3c715eaa523d6525ca623586ccb4e6

SHA512
b262349a822ad868234c5cbd9c28c26e164b6dcd54789fb35f73d2e968b41332ce25b89a98047bbd56313f5e522210c7a1eb1d11fffac29758bbf3f9c3abaff4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
bde36bb08821318f4a238961a4c112ed

SHA1
6766d747893d31e884b2d58792934bf633b0eb41

SHA256
133da313b2aa68e52fb33b72b04a396251b2f028e65b54c91beb4103f3d65209

SHA512
85934b7d8c89c4ada04e5c9307b56900145de4057fa0cce1161aaa3137361c911658d3a5d920ee9495e9d0e3f07c50f297aa6537ecf190031cc658122ff2b1a0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
00a740ef0222378776f37a2a81cfbab0

SHA1
207d8cbf51d1d238cbbd9261dda3b6a04e38fc1a

SHA256
f5e83bd9d0d6840fe471d351e82e63b8d1bccec751c207ce9b17edb21311b950

SHA512
a02d9409d4862b5b7cfb0a565478270fdbc44b9cb2de8c62da2933d10fc63a78f34f5bd90c8cefbe4dac0880917af2c2bdea4c541cde28646618d2d30f76365b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ba8d008b300304495e3d7f4686416095

SHA1
3edbd3ff914644cdc4e0a15a217e045967dd777f

SHA256
31782b3079e14276fcaaa73f85103c1a81d32d24c0fc487d66bc6050024cc009

SHA512
dc5f4af1ab2b44ff5925af37b731bfbcbb0ef042e6212282d4aa1742b853b64c8284edfcb128195b72bbf79443cedb0685ab8fc2d352c8bb4bfeec0f88ed3d57

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
10df807bfdf0e972b6db2bbc51f56c2a

SHA1
56fb7e1aa07d112eada8c345ade54f7af6db4443

SHA256
c01749f6d27b5b0901b741d9b4413f94b5b1a67d769dbdc2a7c8f5c1e08162ae

SHA512
593f60935757fcf229fd9d369a1599f8c300cfc3c123a52417bda3812411a1a7008653f01fa22daad7f8219af3467142107a8f2a59ecc06dc3f3aef2816b6b20

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
25c6f3d84ab941c77111436721e25d8f

SHA1
1212013e03ef6d0eb9e5e910f27150a5c5de886a

SHA256
48f62b07d62b54435f3ecf09cc1e9bf1f38e946436dff35df3fc30b3117abcc2

SHA512
bf54a128bb1b0854ea07e10fe8e248e70cabddea0d2e2a6e217cd49af73026b760b31dbb54e893fdb74c41bfade9d076f49b88d98b4a250780e7c8cc8226bdab

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3ea549f81572193aa4374a13ed1674b3

SHA1
95dc98c90523f27e2f970b81d282c4583eaed4ec

SHA256
ae6f4f1609899547f08c1d9dd3868010c2577c2321e0b120d27f78438fa16ab4

SHA512
c60715b5ea25ac2cbefbf8fd27e0cd4d64fa1c54c1cbe563ee650ade63a45fd3435626ba5bfaa6c78964201fd960e057367d34a2bba620162d6e9c8bcbf41a5d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0bef5a0a9ed382c025c5228693a5ec61

SHA1
04ffc3406f8bde15922387db63e5876ef81cd307

SHA256
31d26d4b767b3d615eafbda634875af73214ebea441bb60bd883fe448a986b89

SHA512
efb078232b5a68c872160b18685885739f398827ab8fcf7668800f9703f353f7ceb0184c22abde427f0b62a5ea2dea038160a0c887eae24d9a048a3c8be62ac5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
12013a53679dd6953b4ac8e34ad18f9a

SHA1
a707aae3ff578606461f28691e917b1cf8f8fd5c

SHA256
15ae24ff5c0bb7f91b5cafe1a4f336bde9651d51f216fcf3508d1b6893f9b191

SHA512
fac77b564e13c0cc4760a9e38bfa9ca3a779be86ed0f52e0d5e08565584fca568d48febd33c4e8078e30d85707ffbfb58fab103a075c8b54b296ec7d1072bc89

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
db00fc60ecc2150da4a84df448ad2a79

SHA1
8e39a957d34b994d73720418239995fbc6680b6e

SHA256
baf4abc7a6676f6e3424f1bc8f3e64480a0e5d8a71c001d61d99540ce782d0ed

SHA512
4592e0c590cc8db3f3cec4b6f7cc5aed29be7f97ae7ce45f8c2996f4e8b07303fc8fd7f8cd4e5c73934516ffc72f9c498ef5c571db40912da92ef25058bd2e9b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1f6f3a8bab0908bc82e5df741f10a8ef

SHA1
a813464ed647025456d2ba309ee6b45169903003

SHA256
39d4c111169af3f6246bc365b1e78648ec29e33e03095122201bc71e2b04d18e

SHA512
0551aae2a37bb42cfd4f6ba6cc429165c342b7cbda4b7661752b5e92b44a51f054850a2b01a798e7b729cc0e9bfd1d6fd818a36f13802dd1fd42212abec518cb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a7e3b6913f6b6d9aee8e23d4057139a8

SHA1
d661b6b3ca3fff64ff2aeb83b52712f7ee5630dc

SHA256
3748b354bba3e1523646ddf7ea203661be817c00f5fa63efeaad41d480574710

SHA512
a6139d44714fdcbffdda737115f98eea50b905a978260dd714c49d4c9c1dc666df00ea78b40badbbfdaa20ac634b1a69266bfdc0a65404d5b3640c657a8a9e21

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e89f23efa48c934a166a712171097649

SHA1
b30b9aa36a537f262d16dbfcc24a94f2c2cc7a8a

SHA256
7981d5a90b95a94596b6a0a183785e21271d129aea7f7cca1fd7723fce592432

SHA512
c962e65e7f6b1b9eaa572142fa92e6f86c4a3e7ecc8735ce17b12c9f07c853cb13118e060ff9ac1f6abe6ebce97aa11f9515dbd2656045f4ee500d6815ff1f36

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0c735175468179860299b58d46ab7c3e

SHA1
f6594dfeedd1df81aa53ec7384bb24aea7fa6c6e

SHA256
6032ca97796481825542fa1b9f739e3f596566bbbc04970f3f796fb93d2ce2ee

SHA512
6fb7f5518882bc702a044b85400ccf355cf06da03ebb44885617de127f66c87481f437234e99cd5ace104cf0de9c7b59ca3d303a0a27a5959723c7b4409c145f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
97a911ec8fa01947cf3292e7d2d630a1

SHA1
3b48aba45cb1decbec8bec5be9eeea8b2d551a9a

SHA256
8c343582566283b1475b2e2c739800bdef6093c33b972715d3f137995874235f

SHA512
9ef51de4c609e77b54d02a69d2fe19dd70b1bc6d5b9617cf55e72638f26b67d13e45a702fd977ef7ca5840e46cbda19a6648391c0f32e338d8d7982839c31b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\2024-09-17_8799c59f0eb8cbb37c386c0d5a39d520_cobalt-strike_cobaltstrike_hijackloader_karagany_mafia_poet-rat_2a31cfaa-51bd-4aff-bbba-d895ac2c411e\!m.bat

Filesize
824B

MD5
34668f54b0b37f99ad7cac2b2dfc143c

SHA1
191f0593c1567e21d2bc3f6e426a6105b45fa048

SHA256
7073d936dcf38170c8d0d3ca33130c70920bfe304650621dd1ed18b9e2e1829f

SHA512
64313be755d28f660fcd27fb9e813e94d906b26f1451c9d8a5b4970b210e69b5d27f2e51d1b14f0574f349f29a5db498c3c9072e3a5bea7f86c2ad9f4856a892

Download Submit
C:\Users\Admin\AppData\Local\Temp\2024-09-17_8799c59f0eb8cbb37c386c0d5a39d520_cobalt-strike_cobaltstrike_hijackloader_karagany_mafia_poet-rat_2a31cfaa-51bd-4aff-bbba-d895ac2c411e\VCRUNTIME140D.dll

Filesize
130KB

MD5
ee7fbf8768a87ea64ad4890540ce48f9

SHA1
bcbc1ebd5a592c2df216d3211f309a79f9cd8a9b

SHA256
03eafdf65d672994e592b8acc8a1276ccae1218a5cb9685b9aa6a5ffe1a855fe

SHA512
0cbf346d46b5c0b09c1f3fb4837c8df662bf0c69de8c4ae292b994ec156c91b78dbaad733226d765b1ca3ee1695566dc90bf85086e438fa15b9eb32058abce80

Download Submit
C:\Users\Admin\AppData\Local\Temp\2024-09-17_8799c59f0eb8cbb37c386c0d5a39d520_cobalt-strike_cobaltstrike_hijackloader_karagany_mafia_poet-rat_2a31cfaa-51bd-4aff-bbba-d895ac2c411e\avg.exe

Filesize
5.8MB

MD5
0dc93e1f58cbb736598ce7fa7ecefa33

SHA1
6e539aab5faf7d4ce044c2905a9c27d4393bae30

SHA256
4ec941f22985fee21d2f9d2ae590d5dafebed9a4cf55272b688afe472d454d36

SHA512
73617da787e51609ee779a12fb75fb9eac6ed6e99fd1f4c5c02ff18109747de91a791b1a389434edfe8b96e5b40340f986b8f7b88eac3a330b683dec565a7eff

Download Submit
C:\Users\Admin\AppData\Local\Temp\2024-09-17_8799c59f0eb8cbb37c386c0d5a39d520_cobalt-strike_cobaltstrike_hijackloader_karagany_mafia_poet-rat_2a31cfaa-51bd-4aff-bbba-d895ac2c411e\butdes.exe

Filesize
2.8MB

MD5
1535aa21451192109b86be9bcc7c4345

SHA1
1af211c686c4d4bf0239ed6620358a19691cf88c

SHA256
4641af6a0071e11e13ad3b1cd950e01300542c2b9efb6ae92ffecedde974a4a6

SHA512
1762b29f7b26911a7e6d244454eac7268235e2e0c27cd2ca639b8acdde2528c9ddf202ed59ca3155ee1d6ad3deba559a6eaf4ed74624c68688761e3e404e54da

Download Submit
C:\Users\Admin\AppData\Local\Temp\2024-09-17_8799c59f0eb8cbb37c386c0d5a39d520_cobalt-strike_cobaltstrike_hijackloader_karagany_mafia_poet-rat_2a31cfaa-51bd-4aff-bbba-d895ac2c411e\code.js

Filesize
4KB

MD5
016bf2cf2bad527f1f1ea557408cb036

SHA1
23ab649b9fb99da8db407304ce9ca04f2b50c7b4

SHA256
17bb814cfaa135628fd77aa8a017e4b0dcd3c266b8cdca99e4d7de5d215643c0

SHA512
ac2d4f51b0b1da3c544f08b7d0618b50514509841f81bc9dad03329d5c1a90e205795a51ca59522d3aa660fb60faae19803eceeeea57f141217a6701a70510e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\2024-09-17_8799c59f0eb8cbb37c386c0d5a39d520_cobalt-strike_cobaltstrike_hijackloader_karagany_mafia_poet-rat_2a31cfaa-51bd-4aff-bbba-d895ac2c411e\doc.html

Filesize
15KB

MD5
5622e7755e5f6585a965396b0d528475

SHA1
b059dc59658822334e39323b37082374e8eeaac4

SHA256
080cb8ef0cbf5a5de9163b365eec8b29538e579f14a9caa45c0f11bc173c4147

SHA512
62f5abda3473ca043bf126eed9d0bcc0f775b5ac5f85b4fe52d1d656f476f62188d22cf79b229059a5d05e9258980c787cb755f08ca86e24e5f48655b5447f8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\2024-09-17_8799c59f0eb8cbb37c386c0d5a39d520_cobalt-strike_cobaltstrike_hijackloader_karagany_mafia_poet-rat_2a31cfaa-51bd-4aff-bbba-d895ac2c411e\download.jpg

Filesize
8KB

MD5
01a5131931ef35acecbe557ba13f3954

SHA1
c7afc7590d469432704d963ffcee31ad8bcfc175

SHA256
d364872ddde28d81d23bb3b08f9e86f921b542f3a35fcaf12549cf5666462bd0

SHA512
ce32352484d676bd0f47c24808707c603fe9f09e41afd63d90f07599f13a5e32c73b0970a9964632f76f5843dda87a033340ee12fadd87b9f219329d0c69b02e

Download Submit
C:\Users\Admin\AppData\Local\Temp\2024-09-17_8799c59f0eb8cbb37c386c0d5a39d520_cobalt-strike_cobaltstrike_hijackloader_karagany_mafia_poet-rat_2a31cfaa-51bd-4aff-bbba-d895ac2c411e\fence.bat

Filesize
167B

MD5
6465a5431e01a80bf71aca9e9698e5b0

SHA1
d56ed108f13a6c49d57f05e2bf698778fd0b98dc

SHA256
1c5f05fecfc1f4fd508f1d3bbb93a47e8b8196b9eded5de7152a6fa57ca7580f

SHA512
db7f64b8af595d0bf6fd142471868df6d29ec7cfbb49a7e0da63d9bc8ca8f319e4c41f2c7baeafe17a3679861163400ccb36c18617982b244aaf482e9c264e55

Download Submit
C:\Users\Admin\AppData\Local\Temp\2024-09-17_8799c59f0eb8cbb37c386c0d5a39d520_cobalt-strike_cobaltstrike_hijackloader_karagany_mafia_poet-rat_2a31cfaa-51bd-4aff-bbba-d895ac2c411e\flydes.exe

Filesize
833KB

MD5
b401505e8008994bf2a14fdf0deac874

SHA1
e4f7f375b1e88dd71a0274a997ed5d9491bde068

SHA256
6bcf6b84d71737787e3cc8d9d0eed9720f388cc2d0337832a7e8ca3c6f455a41

SHA512
1bca98547ecf5a98d42b1d77cff50ca79ee560c893b2470aeb86887fef6e40a5ccdb72956f04a1d2a862827eebd3b7746e3043f3e6209597dcde9385ed55cc11

Download Submit
C:\Users\Admin\AppData\Local\Temp\2024-09-17_8799c59f0eb8cbb37c386c0d5a39d520_cobalt-strike_cobaltstrike_hijackloader_karagany_mafia_poet-rat_2a31cfaa-51bd-4aff-bbba-d895ac2c411e\fries.jpg

Filesize
12KB

MD5
c4d9d3cd21ef4de91abc95f99c4bc7dc

SHA1
b2cf457237c44c824068727b8440fe6a352a360c

SHA256
6fd1c3bde9a6a478e39d1cf2121e980c0bcf59454fe1673d707aa70170953bc9

SHA512
d10fbb0bdfb30160484950aa58bd2f97c38cf2d0914550b4041c9acd273e8013920ef1ee74216f92437a44ab81111a4c70ed3dc2df680ee4d187c22557900ee7

Download Submit
C:\Users\Admin\AppData\Local\Temp\2024-09-17_8799c59f0eb8cbb37c386c0d5a39d520_cobalt-strike_cobaltstrike_hijackloader_karagany_mafia_poet-rat_2a31cfaa-51bd-4aff-bbba-d895ac2c411e\gadget.msi

Filesize
23.4MB

MD5
906ad3937f0abd2e5383dc162340496b

SHA1
d63fe621af79e1468ee0cf52e119ffd21775ca8a

SHA256
821e33cf757bd01bec6703796c01726e6674b8de3bc1e7ea834318039e46909e

SHA512
624d76f7905f57679b647cfc676aa8c55cac72d6baa60db7d5ae45662de5da55f856f64adca382b315810088e757903f6c051685fcc83fe330016a8a95754d79

Download Submit
C:\Users\Admin\AppData\Local\Temp\2024-09-17_8799c59f0eb8cbb37c386c0d5a39d520_cobalt-strike_cobaltstrike_hijackloader_karagany_mafia_poet-rat_2a31cfaa-51bd-4aff-bbba-d895ac2c411e\gx.exe

Filesize
3.1MB

MD5
80bf3bf3b76c80235d24f7c698239089

SHA1
7f6071b502df985580e7c469c6d092472e355765

SHA256
2b95e56af10406fbd3ecee38dab9e9c4a9b990d087f2ad2d7b1981c087829da2

SHA512
076b8b6a80ea15738ce682cc715792546582d7a74f971f94f6b5b9cf8164f01280322baec7f72894ac4b8d63b9f2f6074e8fc5e47880ef6c0b57a47beef3581a

Download Submit
C:\Users\Admin\AppData\Local\Temp\2024-09-17_8799c59f0eb8cbb37c386c0d5a39d520_cobalt-strike_cobaltstrike_hijackloader_karagany_mafia_poet-rat_2a31cfaa-51bd-4aff-bbba-d895ac2c411e\i.exe

Filesize
12KB

MD5
cea5426da515d43c88132a133f83ce68

SHA1
0c224d0bb777f1e3b186fdf58cc82860d96805cc

SHA256
2be7a0865ded1c0bd1f92d5e09bb7b37a9e36a40487a687e0359c93878611a78

SHA512
4c1f25147222c84dff513bebf00e828719454ad634ef9380cfc7835f0457a718b4b437ecb60c1fa72a7f83fbb67e1ddfcd225194eedda77034c72f8c752c642c

Download Submit
C:\Users\Admin\AppData\Local\Temp\2024-09-17_8799c59f0eb8cbb37c386c0d5a39d520_cobalt-strike_cobaltstrike_hijackloader_karagany_mafia_poet-rat_2a31cfaa-51bd-4aff-bbba-d895ac2c411e\images.jpg

Filesize
13KB

MD5
49f4fe0c8646909c7cf87adf68d896fd

SHA1
9193264c38e5ed9fa0f5be1d79f802cf946a74cf

SHA256
9292dfcddc9e88e5dbc095ceeb83ce23400a3405a4d47fffc80656941c87d5ec

SHA512
9df4db8c958110cea66f627170919346ed673d3c13aa55292484fc74ebac2864b0292cd4d66d35957b4b2740b2fe30ddfb9d9e04115d655fb58bf39e100d285e

Download Submit
C:\Users\Admin\AppData\Local\Temp\2024-09-17_8799c59f0eb8cbb37c386c0d5a39d520_cobalt-strike_cobaltstrike_hijackloader_karagany_mafia_poet-rat_2a31cfaa-51bd-4aff-bbba-d895ac2c411e\nuggets.webp

Filesize
32KB

MD5
e40209599b592630dcac551daeb6b849

SHA1
851150b573f94f07e459c320d72505e52c3e74f0

SHA256
3c9aefa00fb2073763e807a7eccac687dcc26598f68564e9f9cf9ffdcd90a2be

SHA512
6da5895f2833a18ddb58ba4a9e78dd0b3047475cae248e974dc45d839f02c62772a6ba6dfe51dd9a37f29b7ec9780e799f60f0e476655006dec693164e17eec2

Download Submit
C:\Users\Admin\AppData\Local\Temp\2024-09-17_8799c59f0eb8cbb37c386c0d5a39d520_cobalt-strike_cobaltstrike_hijackloader_karagany_mafia_poet-rat_2a31cfaa-51bd-4aff-bbba-d895ac2c411e\rckdck.exe

Filesize
6.2MB

MD5
a79fb1a90fb3d92cf815f2c08d3ade6d

SHA1
25e5e553af5e2d21b5cfc70ba41afb65202f6fd5

SHA256
43759b0c441fd4f71fe5eeb69f548cd2eb40ac0abfa02ea3afc44fbddf28dc16

SHA512
82aa45337987c4f344361037c6ca8cf4fbf0fc1e5079ac03f54f3184354792965f6f3b28bd2ab7b511d21f29859e2832fc6b6122a49ddecde12afc7e26fd62dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\2024-09-17_8799c59f0eb8cbb37c386c0d5a39d520_cobalt-strike_cobaltstrike_hijackloader_karagany_mafia_poet-rat_2a31cfaa-51bd-4aff-bbba-d895ac2c411e\stopwatch.exe

Filesize
68KB

MD5
338a4b68d3292aa22049a22e9292e2a2

SHA1
9595e6f6d5e18a3e71d623ac4012e7633b020b29

SHA256
490d833205f9dfe4f1950d40c845489aa2d2039a77ab10473384986f8442ea6f

SHA512
06bc6463b65508d050c945d5bf08078eecd6982c74c7bab2a6722b99523189d24f530c10c05577e0dbd5b46e896d472112d036023ef5e576e2a8f9401b8668a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\2024-09-17_8799c59f0eb8cbb37c386c0d5a39d520_cobalt-strike_cobaltstrike_hijackloader_karagany_mafia_poet-rat_2a31cfaa-51bd-4aff-bbba-d895ac2c411e\telamon.exe

Filesize
2.3MB

MD5
6a80889e81911157ca27df5bc5ac2e09

SHA1
02ac28dd7124317e294fac847a05b69411c9cdb2

SHA256
0b74c13914f712fce5bb41c25a443c4214a97792bdbb6fea05b98350901405ff

SHA512
329ec105834f4531386090074994e5c4ddbdaf4cc4801956b675e258e9167f9e70cf31b8d636d119b59b57af0912decdc259d12999842008cec807a967c89aef

Download Submit
C:\Users\Admin\AppData\Local\Temp\2024-09-17_8799c59f0eb8cbb37c386c0d5a39d520_cobalt-strike_cobaltstrike_hijackloader_karagany_mafia_poet-rat_2a31cfaa-51bd-4aff-bbba-d895ac2c411e\ucrtbased.dll

Filesize
1.7MB

MD5
c3130cfb00549a5a92da60e7f79f5fc9

SHA1
56c2e8fb1af609525b0f732bb67b806bddab3752

SHA256
eee42eabc546e5aa760f8df7105fcf505abffcb9ec4bf54398436303e407a3f8

SHA512
29bab5b441484bdfac9ec21cd4f0f7454af05bfd7d77f7d4662aeaeaa0d3e25439d52aa341958e7896701546b4a607d3c7a32715386c78b746dfae8529a70748

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0BA67C96\setup.exe

Filesize
6.4MB

MD5
defd30ea336650cc29c0c79fad6fa6b5

SHA1
935d871ed86456c6dd3c83136dc2d1bda5988ff3

SHA256
015a13bd912728e463df6807019b1914dffc3e6735830472e3287150a02e13f4

SHA512
8c6ebbf398fb44ff2254db5a7a2ffbc8803120fa93fa6b72c356c6e8eca45935ab973fe3c90d52d5a7691365caf5b41fe2702b6c76a61a0726faccc392c40e54

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabBCBC.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarBCEE.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-BHRCU.tmp\is-DN1FR.tmp

Filesize
659KB

MD5
5aa68bb2bf3b994bda93834ad34e7963

SHA1
0156732d5dd48feacfab3aa07764061d73b9116c

SHA256
a90bfd9874c3e60650dba4c286b97ccdb375a456b95556feb38f3cba214770aa

SHA512
e52fecbba96aa911552ef0e11d5d044ec44caf6e0947f64c9a17b04d846a3e86d19e4dfa5ac981fc98d44f941fda3a697c1d23ac6e8ef162f4bcdde9142f22f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-HA6DS.tmp\butdes.tmp

Filesize
688KB

MD5
c765336f0dcf4efdcc2101eed67cd30c

SHA1
fa0279f59738c5aa3b6b20106e109ccd77f895a7

SHA256
c5177fdc6031728e10141745cd69edbc91c92d14411a2dec6e8e8caa4f74ab28

SHA512
06a67ac37c20897967e2cad453793a6ef1c7804d4c578404f845daa88c859b15b0acb51642e6ad23ca6ba6549b02d5f6c98b1fa402004bdbf9d646abab7ec891

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-LUF6R.tmp\telamon.tmp

Filesize
3.1MB

MD5
292d91bef15a5a5d5f5c06425a96e0ee

SHA1
5f4400c94ceebf54825e94cb5d9f616850331e96

SHA256
b6f6cbd03951a6feee4d4766443ce0b7623db000cbfe774146ee43f5a5831373

SHA512
0aca0538ce4c94ef9a8008846add36f51db001905f6cdb373a0348094f11762269aaf92928c6761eb41b1b22cd045ece325b9cd71c67944a1e6c092a72fca200

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-V388A.tmp\tt-installer-helper.exe

Filesize
404KB

MD5
5b4c8e63be988b83b09e13e9d1d74bb9

SHA1
bcb242f54ee83f232df6b871aebc0f3d44e434c6

SHA256
8ae877bd5f45975d827280bee2e19021c3401b5ba069df0e556f6911798adb4d

SHA512
a31f9e24a4a27847516808b24f312d4df6b865eb421f84d8d4fc022bdb309e08e5648c52c13772a48456c578f3771d232539c7d30132a82a08e8ebbabcbffa0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-V388A.tmp\~execwithresult.txt

Filesize
77B

MD5
caa40693af4fffec3d3e8d6ee5113796

SHA1
b48b03f01452516474b0314d060b5b88949db97c

SHA256
6b760ec6b587e602e6637b81698ffa9f9e973d87706fc8cf562d8f3465f199e8

SHA512
d1880c96208f7663817082e65b34d3655a0d5f8048f5035c87cb58110b161b8fa41f12bfd10ca31a77939486e2506ed6ab779709ba2150b549d49216b92b8c97

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsjBA8B.tmp\JsisPlugins.dll

Filesize
2.1MB

MD5
d21ae3f86fc69c1580175b7177484fa7

SHA1
2ed2c1f5c92ff6daa5ea785a44a6085a105ae822

SHA256
a6241f168cacb431bfcd4345dd77f87b378dd861b5d440ae8d3ffd17b9ceb450

SHA512
eda08b6ebdb3f0a3b6b43ef755fc275396a8459b8fc8a41eff55473562c394d015e5fe573b3b134eeed72edff2b0f21a3b9ee69a4541fd9738e880b71730303f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsjBA8B.tmp\StdUtils.dll

Filesize
195KB

MD5
34939c7b38bffedbf9b9ed444d689bc9

SHA1
81d844048f7b11cafd7561b7242af56e92825697

SHA256
b127f3e04429d9f841a03bfd9344a0450594004c770d397fb32a76f6b0eabed0

SHA512
bc1b347986a5d2107ad03b65e4b9438530033975fb8cc0a63d8ef7d88c1a96f70191c727c902eb7c3e64aa5de9ce6bb04f829ceb627eda278f44ca3dd343a953

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsyC6CA.tmp\FF.places.tmp

Filesize
5.0MB

MD5
37c0ccc36df7aacfa0ff975a51e0212d

SHA1
aacb3c8c982dc134909c078f9523418f8486b2e9

SHA256
d0ef7ee080e5bfa8c0f781f223b4f4c888689f34f41392f546b5bad891286280

SHA512
892d091d7b71da5ff556d80c3d8953eb60a62da6e2aeb26932483dafb5c7002fa56aef00b507e87f28aecfa6dc67793b558cb5ca639cb50c552162715710dcb7

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsyC6CA.tmp\Midex.dll

Filesize
126KB

MD5
2597a829e06eb9616af49fcd8052b8bd

SHA1
871801aba3a75f95b10701f31303de705cb0bc5a

SHA256
7359ca1befdb83d480fc1149ac0e8e90354b5224db7420b14b2d96d87cd20a87

SHA512
8e5552b2f6e1c531aaa9fd507aa53c6e3d2f1dd63fe19e6350c5b6fbb009c99d353bb064a9eba4c31af6a020b31c0cd519326d32db4c8b651b83952e265ffb35

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsyC6CA.tmp\nsJSON.dll

Filesize
36KB

MD5
f840a9ddd319ee8c3da5190257abde5b

SHA1
3e868939239a5c6ef9acae10e1af721e4f99f24b

SHA256
ddb6c9f8de72ddd589f009e732040250b2124bca6195aa147aa7aac43fc2c73a

SHA512
8e12391027af928e4f7dad1ec4ab83e8359b19a7eb0be0372d051dfd2dd643dc0dfa086bd345760a496e5630c17f53db22f6008ae665033b766cbfcdd930881a

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsyC6CA.tmp\thirdparty.dll

Filesize
93KB

MD5
7b4bd3b8ad6e913952f8ed1ceef40cd4

SHA1
b15c0b90247a5066bd06d094fa41a73f0f931cb8

SHA256
a49d3e455d7aeca2032c30fc099bfad1b1424a2f55ec7bb0f6acbbf636214754

SHA512
d7168f9504dd6bbac7ee566c3591bfd7ad4e55bcac463cecb70540197dfe0cd969af96d113c6709d6c8ce6e91f2f5f6542a95c1a149caa78ba4bcb971e0c12a2

Download Submit
C:\Windows\system\eybcNFs.exe

Filesize
5.2MB

MD5
7d2935aa96dddffef1fcb541df50e03e

SHA1
e2532eceeb1c254411e08e2d7e3f590ebdca9773

SHA256
360b5a27c53dee094fe477274da988c6a5b5a4ebd28255ce2e235fa34bca6bb4

SHA512
c4b07d153b0e459601e8964686a9fc3dbddbd3e2139dbc036a00d8e99c67ece6319dabfd0fdd8c43e8af1bef31095c616be3e24a712cbdd91d2a9c8244847c46

Download Submit
\Users\Admin\AppData\Local\Temp\2024-09-17_8799c59f0eb8cbb37c386c0d5a39d520_cobalt-strike_cobaltstrike_hijackloader_karagany_mafia_poet-rat_2a31cfaa-51bd-4aff-bbba-d895ac2c411e\anti.exe

Filesize
1.9MB

MD5
cb02c0438f3f4ddabce36f8a26b0b961

SHA1
48c4fcb17e93b74030415996c0ec5c57b830ea53

SHA256
64677f7767d6e791341b2eac7b43df90d39d9bdf26d21358578d2d38037e2c32

SHA512
373f91981832cd9a1ff0b8744b43c7574b72971b5b6b19ea1f4665b6c878f7a1c7834ac08b92e0eca299eb4b590bf10f48a0485350a77a5f85fc3d2dd6913db3

Download Submit
\Users\Admin\AppData\Local\Temp\2024-09-17_8799c59f0eb8cbb37c386c0d5a39d520_cobalt-strike_cobaltstrike_hijackloader_karagany_mafia_poet-rat_2a31cfaa-51bd-4aff-bbba-d895ac2c411e\bundle.exe

Filesize
429KB

MD5
ae4581af98a5b38bce860f76223cb7c9

SHA1
6aa1e2cce517e5914a47816ef8ca79620e50e432

SHA256
7c4b329a4018dc7e927a7d1078c846706efae6e6577f6809defaa51b636e7267

SHA512
11ad90a030999bbb727dbfde7943d27f2442c247633cde5f9696e89796b0f750f85a9be96f01fa3fd1ec97653a334b1376d6bb76d9e43424cabe3a03893ecf04

Download Submit
\Users\Admin\AppData\Local\Temp\2024-09-17_8799c59f0eb8cbb37c386c0d5a39d520_cobalt-strike_cobaltstrike_hijackloader_karagany_mafia_poet-rat_2a31cfaa-51bd-4aff-bbba-d895ac2c411e\e.exe

Filesize
61KB

MD5
c085484b593c7089907af551de309a05

SHA1
f503ae9f559fd76073578686d2193a6956747fea

SHA256
b78b116d79d8f9613510dbde5aa4a8ca59913ee32df540d06defa214489972d2

SHA512
72b458179362a1bb2888213736e5731d0bafe094feaac11a44e78f7a5ed60a4d6f275aa32bbce41950852a31bc55ce19266f26cd3e66bec9f35dc5aafe97fba1

Download Submit
\Users\Admin\AppData\Local\Temp\2024-09-17_8799c59f0eb8cbb37c386c0d5a39d520_cobalt-strike_cobaltstrike_hijackloader_karagany_mafia_poet-rat_2a31cfaa-51bd-4aff-bbba-d895ac2c411e\g.exe

Filesize
60KB

MD5
ea64d01d756080b86e8e5af63ed6eb50

SHA1
008634fbd4cd348165dbe540ea529f27bd39e5c0

SHA256
35fc36cdd77b1eae66fd02fec2f47cf06841365f6ab66160ed8cf522d71355f7

SHA512
7e7046017eb32e804fb213070997ef228a12426e0f157e959a97a4e27f816eb66b365850cc18ae8573519623db354740d7c008c09734f404d31775e79ead2bb0

Download Submit
\Users\Admin\AppData\Local\Temp\2024-09-17_8799c59f0eb8cbb37c386c0d5a39d520_cobalt-strike_cobaltstrike_hijackloader_karagany_mafia_poet-rat_2a31cfaa-51bd-4aff-bbba-d895ac2c411e\g_.exe

Filesize
69KB

MD5
3cb72c753dd5e198792d1e0be81f7e2b

SHA1
8a55b72a998bf8362a12f68ee8c4801a5a24754c

SHA256
be9d8772b360ca8054929e5f057413b69932ca8e521e6c696e0fb6b371e8cb97

SHA512
008ed2e26fb4f41e9bb245130cc8f285744ccf737adeffc4c78cb11c03261f906cfd50b5b9e78f2c17dc2b8a01d83554e93f4960370064af87e84322cc78ee70

Download Submit
\Users\Admin\AppData\Local\Temp\2024-09-17_8799c59f0eb8cbb37c386c0d5a39d520_cobalt-strike_cobaltstrike_hijackloader_karagany_mafia_poet-rat_2a31cfaa-51bd-4aff-bbba-d895ac2c411e\t.exe

Filesize
62KB

MD5
9e0c60453cdea093fa4c6762f9b1fda9

SHA1
02dfa74e42739c4e8a9a0534273f6a89b51f1dd3

SHA256
269c6da90935306778f4f76005d1f00b49703f8819b60e2764cc14a5abc9a781

SHA512
fc499cb6b98529c7a856c9ec7198f2a6d00d0c0d6b16e826913ab8dca2602f6700e3956749d3316484b94e6867f54cf99aa77f23375ea6c5ea75daa88c91aa96

Download Submit
\Users\Admin\AppData\Local\Temp\is-V388A.tmp\idp.dll

Filesize
232KB

MD5
55c310c0319260d798757557ab3bf636

SHA1
0892eb7ed31d8bb20a56c6835990749011a2d8de

SHA256
54e7e0ad32a22b775131a6288f083ed3286a9a436941377fc20f85dd9ad983ed

SHA512
e0082109737097658677d7963cbf28d412dca3fa8f5812c2567e53849336ce45ebae2c0430df74bfe16c0f3eebb46961bc1a10f32ca7947692a900162128ae57

Download Submit
\Users\Admin\AppData\Local\Temp\nsjBA8B.tmp\jsis.dll

Filesize
127KB

MD5
2027121c3cdeb1a1f8a5f539d1fe2e28

SHA1
bcf79f49f8fc4c6049f33748ded21ec3471002c2

SHA256
1dae8b6de29f2cfc0745d9f2a245b9ecb77f2b272a5b43de1ba5971c43bf73a1

SHA512
5b0d9966ecc08bcc2c127b2bd916617b8de2dcbdc28aff7b4b8449a244983bfbe33c56f5c4a53b7cf21faf1dbab4bb845a5894492e7e10f3f517071f7a59727c

Download Submit
memory/332-102-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/332-2788-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/556-2998-0x000000013F770000-0x000000013FAC1000-memory.dmp

Filesize
3.3MB

Download
memory/556-2870-0x000000013F770000-0x000000013FAC1000-memory.dmp

Filesize
3.3MB

Download
memory/836-212-0x000000013F570000-0x000000013F599000-memory.dmp

Filesize
164KB

Download
memory/836-2791-0x000000013F570000-0x000000013F599000-memory.dmp

Filesize
164KB

Download
memory/1276-2798-0x0000000000400000-0x00000000004B4000-memory.dmp

Filesize
720KB

Download
memory/1288-2-0x00000000003B0000-0x00000000003D4000-memory.dmp

Filesize
144KB

Download
memory/1288-1-0x0000000000B30000-0x0000000000B7A000-memory.dmp

Filesize
296KB

Download
memory/1288-2849-0x0000000074B80000-0x000000007526E000-memory.dmp

Filesize
6.9MB

Download
memory/1288-3-0x0000000074B80000-0x000000007526E000-memory.dmp

Filesize
6.9MB

Download
memory/1288-0-0x0000000074B8E000-0x0000000074B8F000-memory.dmp

Filesize
4KB

Download
memory/1288-211-0x0000000074B8E000-0x0000000074B8F000-memory.dmp

Filesize
4KB

Download
memory/1288-220-0x0000000074B80000-0x000000007526E000-memory.dmp

Filesize
6.9MB

Download
memory/1372-3000-0x000000013FF50000-0x00000001402A1000-memory.dmp

Filesize
3.3MB

Download
memory/1372-2867-0x000000013FF50000-0x00000001402A1000-memory.dmp

Filesize
3.3MB

Download
memory/1504-2787-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1504-100-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1508-2790-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/1628-2799-0x0000000000400000-0x0000000000729000-memory.dmp

Filesize
3.2MB

Download
memory/1708-222-0x000000013F180000-0x000000013F1A6000-memory.dmp

Filesize
152KB

Download
memory/1708-2793-0x000000013F180000-0x000000013F1A6000-memory.dmp

Filesize
152KB

Download
memory/1756-3012-0x000000013F030000-0x000000013F381000-memory.dmp

Filesize
3.3MB

Download
memory/1756-2929-0x000000013F030000-0x000000013F381000-memory.dmp

Filesize
3.3MB

Download
memory/2080-140-0x0000000000400000-0x00000000004ED000-memory.dmp

Filesize
948KB

Download
memory/2080-2797-0x0000000000400000-0x00000000004ED000-memory.dmp

Filesize
948KB

Download
memory/2104-3015-0x000000013F190000-0x000000013F4E1000-memory.dmp

Filesize
3.3MB

Download
memory/2104-2921-0x000000013F190000-0x000000013F4E1000-memory.dmp

Filesize
3.3MB

Download
memory/2148-2796-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2148-128-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2284-2800-0x000000013F6A0000-0x000000013F6C6000-memory.dmp

Filesize
152KB

Download
memory/2284-224-0x000000013F6A0000-0x000000013F6C6000-memory.dmp

Filesize
152KB

Download
memory/2392-204-0x000000013F830000-0x000000013F857000-memory.dmp

Filesize
156KB

Download
memory/2392-2772-0x000000013F830000-0x000000013F857000-memory.dmp

Filesize
156KB

Download
memory/2436-2864-0x00000000023E0000-0x0000000002731000-memory.dmp

Filesize
3.3MB

Download
memory/2436-2953-0x000000013F4F0000-0x000000013F841000-memory.dmp

Filesize
3.3MB

Download
memory/2436-2973-0x000000013FF90000-0x00000001402E1000-memory.dmp

Filesize
3.3MB

Download
memory/2436-2868-0x000000013F770000-0x000000013FAC1000-memory.dmp

Filesize
3.3MB

Download
memory/2436-2832-0x000000013FF90000-0x00000001402E1000-memory.dmp

Filesize
3.3MB

Download
memory/2436-2967-0x000000013F790000-0x000000013FAE1000-memory.dmp

Filesize
3.3MB

Download
memory/2436-2898-0x000000013F190000-0x000000013F4E1000-memory.dmp

Filesize
3.3MB

Download
memory/2436-2847-0x00000000001F0000-0x0000000000200000-memory.dmp

Filesize
64KB

Download
memory/2436-2966-0x000000013F2B0000-0x000000013F601000-memory.dmp

Filesize
3.3MB

Download
memory/2436-2928-0x00000000023E0000-0x0000000002731000-memory.dmp

Filesize
3.3MB

Download
memory/2436-2927-0x000000013F790000-0x000000013FAE1000-memory.dmp

Filesize
3.3MB

Download
memory/2436-2926-0x000000013F2B0000-0x000000013F601000-memory.dmp

Filesize
3.3MB

Download
memory/2436-2961-0x000000013F410000-0x000000013F761000-memory.dmp

Filesize
3.3MB

Download
memory/2436-2956-0x000000013FF90000-0x00000001402E1000-memory.dmp

Filesize
3.3MB

Download
memory/2436-2959-0x000000013F5E0000-0x000000013F931000-memory.dmp

Filesize
3.3MB

Download
memory/2436-2960-0x000000013F590000-0x000000013F8E1000-memory.dmp

Filesize
3.3MB

Download
memory/2436-2920-0x000000013F410000-0x000000013F761000-memory.dmp

Filesize
3.3MB

Download
memory/2436-2958-0x000000013F9E0000-0x000000013FD31000-memory.dmp

Filesize
3.3MB

Download
memory/2436-2918-0x000000013F590000-0x000000013F8E1000-memory.dmp

Filesize
3.3MB

Download
memory/2436-2917-0x000000013F5E0000-0x000000013F931000-memory.dmp

Filesize
3.3MB

Download
memory/2436-2916-0x000000013F9E0000-0x000000013FD31000-memory.dmp

Filesize
3.3MB

Download
memory/2436-2915-0x000000013F030000-0x000000013F381000-memory.dmp

Filesize
3.3MB

Download
memory/2436-2893-0x000000013F4F0000-0x000000013F841000-memory.dmp

Filesize
3.3MB

Download
memory/2436-2874-0x000000013F320000-0x000000013F671000-memory.dmp

Filesize
3.3MB

Download
memory/2436-2955-0x000000013F030000-0x000000013F381000-memory.dmp

Filesize
3.3MB

Download
memory/2436-2865-0x00000000023E0000-0x0000000002731000-memory.dmp

Filesize
3.3MB

Download
memory/2436-2954-0x000000013F190000-0x000000013F4E1000-memory.dmp

Filesize
3.3MB

Download
memory/2436-2943-0x000000013FF90000-0x00000001402E1000-memory.dmp

Filesize
3.3MB

Download
memory/2436-2858-0x00000000023E0000-0x0000000002731000-memory.dmp

Filesize
3.3MB

Download
memory/2436-2949-0x00000000023E0000-0x0000000002731000-memory.dmp

Filesize
3.3MB

Download
memory/2436-2952-0x000000013F320000-0x000000013F671000-memory.dmp

Filesize
3.3MB

Download
memory/2436-2951-0x000000013F770000-0x000000013FAC1000-memory.dmp

Filesize
3.3MB

Download
memory/2612-223-0x0000000074B80000-0x000000007526E000-memory.dmp

Filesize
6.9MB

Download
memory/2612-54-0x0000000074B80000-0x000000007526E000-memory.dmp

Filesize
6.9MB

Download
memory/2612-60-0x0000000000A50000-0x0000000000C42000-memory.dmp

Filesize
1.9MB

Download
memory/2820-2789-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/2892-221-0x0000000000440000-0x0000000000466000-memory.dmp

Filesize
152KB

Download
memory/2892-195-0x0000000000440000-0x0000000000469000-memory.dmp

Filesize
164KB

Download
memory/2892-2831-0x0000000003460000-0x00000000037B1000-memory.dmp

Filesize
3.3MB

Download
memory/2892-1693-0x0000000000440000-0x0000000000469000-memory.dmp

Filesize
164KB

Download
memory/2892-200-0x0000000000440000-0x0000000000467000-memory.dmp

Filesize
156KB

Download
memory/2892-209-0x0000000000440000-0x0000000000466000-memory.dmp

Filesize
152KB

Download
memory/2892-2833-0x00000000006F0000-0x0000000000741000-memory.dmp

Filesize
324KB

Download
memory/2892-2777-0x0000000000440000-0x0000000000466000-memory.dmp

Filesize
152KB

Download
memory/2892-2238-0x0000000000440000-0x0000000000467000-memory.dmp

Filesize
156KB

Download
memory/2892-2792-0x0000000000440000-0x0000000000466000-memory.dmp

Filesize
152KB

Download
memory/3500-2859-0x000000013FF00000-0x0000000140251000-memory.dmp

Filesize
3.3MB

Download
memory/3500-2996-0x000000013FF00000-0x0000000140251000-memory.dmp

Filesize
3.3MB

Download
memory/3500-2950-0x000000013FF00000-0x0000000140251000-memory.dmp

Filesize
3.3MB

Download
memory/3576-3007-0x000000013F4F0000-0x000000013F841000-memory.dmp

Filesize
3.3MB

Download
memory/3576-2919-0x000000013F4F0000-0x000000013F841000-memory.dmp

Filesize
3.3MB

Download
memory/3636-3004-0x000000013F320000-0x000000013F671000-memory.dmp

Filesize
3.3MB

Download
memory/3636-2875-0x000000013F320000-0x000000013F671000-memory.dmp

Filesize
3.3MB

Download
memory/3644-2957-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/3644-2834-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/3644-2948-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/3764-3002-0x000000013FD00000-0x0000000140051000-memory.dmp

Filesize
3.3MB

Download
memory/3764-2866-0x000000013FD00000-0x0000000140051000-memory.dmp

Filesize
3.3MB

Download
memory/3780-2924-0x000000013F790000-0x000000013FAE1000-memory.dmp

Filesize
3.3MB

Download
memory/3780-3013-0x000000013F790000-0x000000013FAE1000-memory.dmp

Filesize
3.3MB

Download
memory/3824-3019-0x000000013F5E0000-0x000000013F931000-memory.dmp

Filesize
3.3MB

Download
memory/3824-2925-0x000000013F5E0000-0x000000013F931000-memory.dmp

Filesize
3.3MB

Download
memory/3856-3017-0x000000013F590000-0x000000013F8E1000-memory.dmp

Filesize
3.3MB

Download
memory/3856-2923-0x000000013F590000-0x000000013F8E1000-memory.dmp

Filesize
3.3MB

Download
memory/3868-3009-0x000000013F9E0000-0x000000013FD31000-memory.dmp

Filesize
3.3MB

Download
memory/3868-2922-0x000000013F9E0000-0x000000013FD31000-memory.dmp

Filesize
3.3MB

Download