Analysis
max time kernel: 36s
max time network: 147s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64 arch:x86 image:win10v2004-20240802-en locale:en-us os:windows10-2004-x64 system
submitted: 17/09/2024, 04:01
Behavioral task: behavioral1
Sample: 2024-09-17_8799c59f0eb8cbb37c386c0d5a39d520_cobalt-strike_cobaltstrike_hijackloader_karagany_mafia_poet-rat.exe
Resource: win7-20240903-en
Behavioral task: behavioral2
Sample: 2024-09-17_8799c59f0eb8cbb37c386c0d5a39d520_cobalt-strike_cobaltstrike_hijackloader_karagany_mafia_poet-rat.exe
Resource: win10v2004-20240802-en
General
Target: 2024-09-17_8799c59f0eb8cbb37c386c0d5a39d520_cobalt-strike_cobaltstrike_hijackloader_karagany_mafia_poet-rat.exe
Size: 54.8MB
MD5: 8799c59f0eb8cbb37c386c0d5a39d520
SHA1: b5b40996731bf002a1434d1b59cb02961db3ea1a
SHA256: 3245088846756009e9827fcda64556aca75b64d8b05fd63241f4ea6b7f20f540
SHA512: 16ce94cdb2482a49513ce92b81f120ba256fced7ff0d097656900305a3af0161d687d77397f0d2364c87fbb287caa9607a3c3334fca50711909d09411dd24f3f
SSDEEP: 786432:ALOrbJjdcRWz/9kl3uu2F0tA+6liWmP3YhMfuwSk+D3wBCQXrzu2Y:ALOrJpzVA3uu2etPQiWmoh8r+78CQG2Y
Malware Config
Signatures
Cobalt Strike reflective loader 1 IoCs
Detects the reflective loader used by Cobalt Strike.
resource  yara_rule
behavioral2/files/0x00080000000234b3-2005.dat  cobalt_reflective_dll
Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
ModiLoader Second Stage 1 IoCs
resource  yara_rule
behavioral2/memory/6784-2110-0x0000000000400000-0x0000000000451000-memory.dmp  modiloader_stage2
XMRig Miner payload 44 IoCs
resource  yara_rule
behavioral2/memory/1216-2030-0x00007FF7CBCD0000-0x00007FF7CC021000-memory.dmp  xmrig
behavioral2/memory/6452-2035-0x00007FF6CCCC0000-0x00007FF6CD011000-memory.dmp  xmrig
behavioral2/memory/4520-2060-0x00007FF682110000-0x00007FF682461000-memory.dmp  xmrig
behavioral2/memory/6908-2080-0x00007FF6E3680000-0x00007FF6E39D1000-memory.dmp  xmrig
behavioral2/memory/6248-2056-0x00007FF6DE7B0000-0x00007FF6DEB01000-memory.dmp  xmrig
behavioral2/memory/5996-2085-0x00007FF7E3E80000-0x00007FF7E41D1000-memory.dmp  xmrig
behavioral2/memory/6616-2089-0x00007FF79A260000-0x00007FF79A5B1000-memory.dmp  xmrig
behavioral2/memory/4604-2090-0x00007FF68AD90000-0x00007FF68B0E1000-memory.dmp  xmrig
behavioral2/memory/6864-2091-0x00007FF7074F0000-0x00007FF707841000-memory.dmp  xmrig
behavioral2/memory/6712-2088-0x00007FF763330000-0x00007FF763681000-memory.dmp  xmrig
behavioral2/memory/6648-2087-0x00007FF63FCC0000-0x00007FF640011000-memory.dmp  xmrig
behavioral2/memory/6524-2084-0x00007FF7A10E0000-0x00007FF7A1431000-memory.dmp  xmrig
behavioral2/memory/6920-2083-0x00007FF7BD480000-0x00007FF7BD7D1000-memory.dmp  xmrig
behavioral2/memory/6208-2096-0x00007FF689460000-0x00007FF6897B1000-memory.dmp  xmrig
behavioral2/memory/6032-2111-0x00007FF722700000-0x00007FF722A51000-memory.dmp  xmrig
behavioral2/memory/6416-2112-0x00007FF71AB10000-0x00007FF71AE61000-memory.dmp  xmrig
behavioral2/memory/1216-2113-0x00007FF7CBCD0000-0x00007FF7CC021000-memory.dmp  xmrig
behavioral2/memory/6760-2114-0x00007FF6F83F0000-0x00007FF6F8741000-memory.dmp  xmrig
behavioral2/memory/6484-2118-0x00007FF6B8EF0000-0x00007FF6B9241000-memory.dmp  xmrig
behavioral2/memory/4340-2119-0x00007FF6FBCD0000-0x00007FF6FC021000-memory.dmp  xmrig
behavioral2/memory/6800-2120-0x00007FF7E04C0000-0x00007FF7E0811000-memory.dmp  xmrig
behavioral2/memory/3760-2121-0x00007FF6AEE30000-0x00007FF6AF181000-memory.dmp  xmrig
behavioral2/memory/6828-2122-0x00007FF678E20000-0x00007FF679171000-memory.dmp  xmrig
behavioral2/memory/6524-2179-0x00007FF7A10E0000-0x00007FF7A1431000-memory.dmp  xmrig
behavioral2/memory/1216-2183-0x00007FF7CBCD0000-0x00007FF7CC021000-memory.dmp  xmrig
behavioral2/memory/6416-2187-0x00007FF71AB10000-0x00007FF71AE61000-memory.dmp  xmrig
behavioral2/memory/5996-2189-0x00007FF7E3E80000-0x00007FF7E41D1000-memory.dmp  xmrig
behavioral2/memory/6248-2186-0x00007FF6DE7B0000-0x00007FF6DEB01000-memory.dmp  xmrig
behavioral2/memory/6452-2182-0x00007FF6CCCC0000-0x00007FF6CD011000-memory.dmp  xmrig
behavioral2/memory/6484-2191-0x00007FF6B8EF0000-0x00007FF6B9241000-memory.dmp  xmrig
behavioral2/memory/4340-2201-0x00007FF6FBCD0000-0x00007FF6FC021000-memory.dmp  xmrig
behavioral2/memory/4604-2205-0x00007FF68AD90000-0x00007FF68B0E1000-memory.dmp  xmrig
behavioral2/memory/3760-2203-0x00007FF6AEE30000-0x00007FF6AF181000-memory.dmp  xmrig
behavioral2/memory/6648-2199-0x00007FF63FCC0000-0x00007FF640011000-memory.dmp  xmrig
behavioral2/memory/4520-2198-0x00007FF682110000-0x00007FF682461000-memory.dmp  xmrig
behavioral2/memory/6712-2196-0x00007FF763330000-0x00007FF763681000-memory.dmp  xmrig
behavioral2/memory/6032-2193-0x00007FF722700000-0x00007FF722A51000-memory.dmp  xmrig
behavioral2/memory/6760-2211-0x00007FF6F83F0000-0x00007FF6F8741000-memory.dmp  xmrig
behavioral2/memory/6828-2215-0x00007FF678E20000-0x00007FF679171000-memory.dmp  xmrig
behavioral2/memory/6864-2217-0x00007FF7074F0000-0x00007FF707841000-memory.dmp  xmrig
behavioral2/memory/6616-2214-0x00007FF79A260000-0x00007FF79A5B1000-memory.dmp  xmrig
behavioral2/memory/6800-2219-0x00007FF7E04C0000-0x00007FF7E0811000-memory.dmp  xmrig
behavioral2/memory/6920-2212-0x00007FF7BD480000-0x00007FF7BD7D1000-memory.dmp  xmrig
behavioral2/memory/6908-2207-0x00007FF6E3680000-0x00007FF6E39D1000-memory.dmp  xmrig
Downloads MZ/PE file
Sets file to hidden 1 TTPs 1 IoCs
Modifies file attributes to stop it showing in Explorer etc.
pid  Process
5860  attrib.exe
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
description  ioc  Process
Key value queried  \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation  avg.exe
Key value queried  \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation  cmd.exe
Key value queried  \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation  ajD70A.exe
Executes dropped EXE 25 IoCs
pid  Process
1232  anti.exe
3880  butdes.exe
3148  butdes.tmp
408  flydes.exe
3876  i.exe
1784  flydes.tmp
2420  gx.exe
4164  bundle.exe
4368  rckdck.exe
4828  avg.exe
3672  is-35K99.tmp
4168  telamon.exe
3368  stopwatch.exe
4356  telamon.tmp
1132  setup.exe
5296  tt-installer-helper.exe
5544  g_.exe
5568  t.exe
5792  g.exe
5808  e.exe
5932  ajD70A.exe
5948  tt-installer-helper.exe
6552  Opera_GX_assistant_73.0.3856.382_Setup.exe_sfx.exe
5760  assistant_installer.exe
5672  assistant_installer.exe
Loads dropped DLL 26 IoCs
pid  Process (rows in the order reported; ×N marks consecutive repeats)
4828  avg.exe  (×2)
4756  setup.exe
3960  setup.exe
4356  telamon.tmp
1132  setup.exe
4828  avg.exe  (×3)
5568  t.exe  (×2)
5544  g_.exe  (×2)
5792  g.exe  (×2)
5808  e.exe  (×2)
4828  avg.exe
5932  ajD70A.exe  (×8)
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
resource  yara_rule
behavioral2/memory/6208-1990-0x00007FF689460000-0x00007FF6897B1000-memory.dmp  upx
behavioral2/memory/1216-2030-0x00007FF7CBCD0000-0x00007FF7CC021000-memory.dmp  upx
behavioral2/memory/6484-2036-0x00007FF6B8EF0000-0x00007FF6B9241000-memory.dmp  upx
behavioral2/memory/6452-2035-0x00007FF6CCCC0000-0x00007FF6CD011000-memory.dmp  upx
behavioral2/memory/6416-2023-0x00007FF71AB10000-0x00007FF71AE61000-memory.dmp  upx
behavioral2/files/0x00080000000234b3-2005.dat  upx
behavioral2/memory/4340-2063-0x00007FF6FBCD0000-0x00007FF6FC021000-memory.dmp  upx
behavioral2/memory/3760-2070-0x00007FF6AEE30000-0x00007FF6AF181000-memory.dmp  upx
behavioral2/memory/6800-2069-0x00007FF7E04C0000-0x00007FF7E0811000-memory.dmp  upx
behavioral2/memory/6828-2079-0x00007FF678E20000-0x00007FF679171000-memory.dmp  upx
behavioral2/memory/6760-2078-0x00007FF6F83F0000-0x00007FF6F8741000-memory.dmp  upx
behavioral2/memory/4520-2060-0x00007FF682110000-0x00007FF682461000-memory.dmp  upx
behavioral2/memory/6908-2080-0x00007FF6E3680000-0x00007FF6E39D1000-memory.dmp  upx
behavioral2/memory/6248-2056-0x00007FF6DE7B0000-0x00007FF6DEB01000-memory.dmp  upx
behavioral2/memory/5996-2085-0x00007FF7E3E80000-0x00007FF7E41D1000-memory.dmp  upx
behavioral2/memory/6616-2089-0x00007FF79A260000-0x00007FF79A5B1000-memory.dmp  upx
behavioral2/memory/4604-2090-0x00007FF68AD90000-0x00007FF68B0E1000-memory.dmp  upx
behavioral2/memory/6864-2091-0x00007FF7074F0000-0x00007FF707841000-memory.dmp  upx
behavioral2/memory/6712-2088-0x00007FF763330000-0x00007FF763681000-memory.dmp  upx
behavioral2/memory/6648-2087-0x00007FF63FCC0000-0x00007FF640011000-memory.dmp  upx
behavioral2/memory/6524-2084-0x00007FF7A10E0000-0x00007FF7A1431000-memory.dmp  upx
behavioral2/memory/6920-2083-0x00007FF7BD480000-0x00007FF7BD7D1000-memory.dmp  upx
behavioral2/memory/6032-2048-0x00007FF722700000-0x00007FF722A51000-memory.dmp  upx
behavioral2/memory/6208-2096-0x00007FF689460000-0x00007FF6897B1000-memory.dmp  upx
behavioral2/memory/6032-2111-0x00007FF722700000-0x00007FF722A51000-memory.dmp  upx
behavioral2/memory/6416-2112-0x00007FF71AB10000-0x00007FF71AE61000-memory.dmp  upx
behavioral2/memory/1216-2113-0x00007FF7CBCD0000-0x00007FF7CC021000-memory.dmp  upx
behavioral2/memory/6760-2114-0x00007FF6F83F0000-0x00007FF6F8741000-memory.dmp  upx
behavioral2/memory/6484-2118-0x00007FF6B8EF0000-0x00007FF6B9241000-memory.dmp  upx
behavioral2/memory/4340-2119-0x00007FF6FBCD0000-0x00007FF6FC021000-memory.dmp  upx
behavioral2/memory/6800-2120-0x00007FF7E04C0000-0x00007FF7E0811000-memory.dmp  upx
behavioral2/memory/3760-2121-0x00007FF6AEE30000-0x00007FF6AF181000-memory.dmp  upx
behavioral2/memory/6828-2122-0x00007FF678E20000-0x00007FF679171000-memory.dmp  upx
behavioral2/memory/6524-2179-0x00007FF7A10E0000-0x00007FF7A1431000-memory.dmp  upx
behavioral2/memory/1216-2183-0x00007FF7CBCD0000-0x00007FF7CC021000-memory.dmp  upx
behavioral2/memory/6416-2187-0x00007FF71AB10000-0x00007FF71AE61000-memory.dmp  upx
behavioral2/memory/5996-2189-0x00007FF7E3E80000-0x00007FF7E41D1000-memory.dmp  upx
behavioral2/memory/6248-2186-0x00007FF6DE7B0000-0x00007FF6DEB01000-memory.dmp  upx
behavioral2/memory/6452-2182-0x00007FF6CCCC0000-0x00007FF6CD011000-memory.dmp  upx
behavioral2/memory/6484-2191-0x00007FF6B8EF0000-0x00007FF6B9241000-memory.dmp  upx
behavioral2/memory/4340-2201-0x00007FF6FBCD0000-0x00007FF6FC021000-memory.dmp  upx
behavioral2/memory/4604-2205-0x00007FF68AD90000-0x00007FF68B0E1000-memory.dmp  upx
behavioral2/memory/3760-2203-0x00007FF6AEE30000-0x00007FF6AF181000-memory.dmp  upx
behavioral2/memory/6648-2199-0x00007FF63FCC0000-0x00007FF640011000-memory.dmp  upx
behavioral2/memory/4520-2198-0x00007FF682110000-0x00007FF682461000-memory.dmp  upx
behavioral2/memory/6712-2196-0x00007FF763330000-0x00007FF763681000-memory.dmp  upx
behavioral2/memory/6032-2193-0x00007FF722700000-0x00007FF722A51000-memory.dmp  upx
behavioral2/memory/6760-2211-0x00007FF6F83F0000-0x00007FF6F8741000-memory.dmp  upx
behavioral2/memory/6828-2215-0x00007FF678E20000-0x00007FF679171000-memory.dmp  upx
behavioral2/memory/6864-2217-0x00007FF7074F0000-0x00007FF707841000-memory.dmp  upx
behavioral2/memory/6616-2214-0x00007FF79A260000-0x00007FF79A5B1000-memory.dmp  upx
behavioral2/memory/6800-2219-0x00007FF7E04C0000-0x00007FF7E0811000-memory.dmp  upx
behavioral2/memory/6920-2212-0x00007FF7BD480000-0x00007FF7BD7D1000-memory.dmp  upx
behavioral2/memory/6908-2207-0x00007FF6E3680000-0x00007FF6E39D1000-memory.dmp  upx
Checks for any installed AV software in registry 1 TTPs 4 IoCs
description  ioc  Process
Key opened  \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\AVAST Software\Avast  avg.exe
Key opened  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\AVAST Software\Avast  ajD70A.exe
Key opened  \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\AVAST Software\Avast  ajD70A.exe
Key opened  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\AVAST Software\Avast  avg.exe
Enumerates connected drives 3 TTPs 25 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description  ioc  Process
File opened (read-only)  \??\Y:  msiexec.exe
File opened (read-only)  \??\L:  msiexec.exe
File opened (read-only)  \??\J:  msiexec.exe
File opened (read-only)  \??\P:  msiexec.exe
File opened (read-only)  \??\S:  msiexec.exe
File opened (read-only)  \??\H:  msiexec.exe
File opened (read-only)  \??\T:  msiexec.exe
File opened (read-only)  \??\X:  msiexec.exe
File opened (read-only)  \??\N:  msiexec.exe
File opened (read-only)  \??\Q:  msiexec.exe
File opened (read-only)  \??\R:  msiexec.exe
File opened (read-only)  \??\V:  msiexec.exe
File opened (read-only)  \??\F:  setup.exe
File opened (read-only)  \??\A:  msiexec.exe
File opened (read-only)  \??\E:  msiexec.exe
File opened (read-only)  \??\M:  msiexec.exe
File opened (read-only)  \??\O:  msiexec.exe
File opened (read-only)  \??\D:  setup.exe
File opened (read-only)  \??\U:  msiexec.exe
File opened (read-only)  \??\W:  msiexec.exe
File opened (read-only)  \??\Z:  msiexec.exe
File opened (read-only)  \??\K:  msiexec.exe
File opened (read-only)  \??\I:  msiexec.exe
File opened (read-only)  \??\G:  msiexec.exe
File opened (read-only)  \??\B:  msiexec.exe
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
description  ioc  Process
File opened for modification  \??\PhysicalDrive0  ajD70A.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description  ioc  Process
All 64 rows are "Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language"; the Process column, in the order reported (×N marks consecutive repeats):
taskkill.exe
assistant_installer.exe
taskkill.exe
cmd.exe
taskkill.exe  (×8)
cmd.exe
butdes.tmp
taskkill.exe  (×2)
2024-09-17_8799c59f0eb8cbb37c386c0d5a39d520_cobalt-strike_cobaltstrike_hijackloader_karagany_mafia_poet-rat.exe
taskkill.exe
setup.exe
taskkill.exe
timeout.exe
taskkill.exe  (×2)
rckdck.exe
tt-installer-helper.exe
ajD70A.exe
taskkill.exe  (×2)
avg.exe
taskkill.exe  (×6)
flydes.tmp
taskkill.exe
bundle.exe
taskkill.exe  (×3)
cmd.exe
flydes.exe
taskkill.exe  (×3)
assistant_installer.exe
butdes.exe
taskkill.exe
telamon.tmp
telamon.exe
setup.exe
timeout.exe
taskkill.exe
Opera_GX_assistant_73.0.3856.382_Setup.exe_sfx.exe
taskkill.exe  (×3)
attrib.exe
anti.exe
setup.exe
taskkill.exe  (×2)
is-35K99.tmp
Checks SCSI registry key(s) 3 TTPs 2 IoCs
SCSI information is often read in order to detect sandboxing environments.
description  ioc  Process
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  ajD70A.exe
Key enumerated  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  ajD70A.exe
Delays execution with timeout.exe 2 IoCs
pid  Process
4072  timeout.exe
6804  timeout.exe
Enumerates system info in registry 2 TTPs 3 IoCs
description  ioc  Process
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer  msedge.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName  msedge.exe
Key opened  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS  msedge.exe
Kills process with taskkill 64 IoCs
pid  Process (all 64 rows are taskkill.exe; pids in the order reported)
7124 6572 4188 6828 6448 4464 4356 3768 3924 7120 6548 3344 3144 5780 6936 4188 6028 2384 1624 7016 5612 6960 3180 6960 4340 1444 7040 7112 6876 5592 5828 4252 6752 6864 7004 1928 4540 5752 6612 6352 6416 6088 2056 6672 6500 3704 4252 1300 6704 5636 6604 2712 6556 3924 6900 4852 2040 6716 6552 5948 6244 3008 5276 5204
Modifies registry class 1 IoCs
description  ioc  Process
Key created  \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings  cmd.exe
Opens file in notepad (likely ransom note) 2 IoCs
pid  Process
5884  notepad.exe
6048  NOTEPAD.EXE
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid  Process (rows in the order reported; ×N marks consecutive repeats)
916  msedge.exe  (×2)
3872  msedge.exe  (×2)
4828  avg.exe  (×26)
5932  ajD70A.exe  (×2)
4828  avg.exe  (×2)
5932  ajD70A.exe  (×8)
4828  avg.exe  (×2)
5932  ajD70A.exe  (×4)
4828  avg.exe  (×16)
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs
pid  Process
3872  msedge.exe  (×6)
Suspicious use of AdjustPrivilegeToken 64 IoCs
description  pid  Process
Token: SeDebugPrivilege  3008  taskkill.exe
Token: SeDebugPrivilege  2712  taskkill.exe
Token: 33  2300  AUDIODG.EXE
Token: SeIncBasePriorityPrivilege  2300  AUDIODG.EXE
Token: SeDebugPrivilege  3344  taskkill.exe
Token: SeDebugPrivilege  2056  taskkill.exe
Token: SeDebugPrivilege  3180  taskkill.exe
Token: SeDebugPrivilege  4188  taskkill.exe
Token: SeDebugPrivilege  4464  taskkill.exe
Token: SeDebugPrivilege  2384  taskkill.exe
Token: SeDebugPrivilege  1624  taskkill.exe
Token: SeDebugPrivilege  2040  taskkill.exe
Token: SeDebugPrivilege  4356  taskkill.exe
Token: SeDebugPrivilege  4904  taskkill.exe
Token: SeDebugPrivilege  4188  taskkill.exe
Token: SeDebugPrivilege  4540  taskkill.exe
Token: SeDebugPrivilege  3768  taskkill.exe
Token: SeDebugPrivilege  5276  taskkill.exe
Token: SeShutdownPrivilege  5428  msiexec.exe
Token: SeIncreaseQuotaPrivilege  5428  msiexec.exe
Token: SeSecurityPrivilege  5720  msiexec.exe
Token: SeCreateTokenPrivilege  5428  msiexec.exe
Token: SeAssignPrimaryTokenPrivilege  5428  msiexec.exe
Token: SeLockMemoryPrivilege  5428  msiexec.exe
Token: SeIncreaseQuotaPrivilege  5428  msiexec.exe
Token: SeMachineAccountPrivilege  5428  msiexec.exe
Token: SeTcbPrivilege  5428  msiexec.exe
Token: SeSecurityPrivilege  5428  msiexec.exe
Token: SeTakeOwnershipPrivilege  5428  msiexec.exe
Token: SeLoadDriverPrivilege  5428  msiexec.exe
Token: SeSystemProfilePrivilege  5428  msiexec.exe
Token: SeSystemtimePrivilege  5428  msiexec.exe
Token: SeProfSingleProcessPrivilege  5428  msiexec.exe
Token: SeIncBasePriorityPrivilege  5428  msiexec.exe
Token: SeCreatePagefilePrivilege  5428  msiexec.exe
Token: SeCreatePermanentPrivilege  5428  msiexec.exe
Token: SeBackupPrivilege  5428  msiexec.exe
Token: SeRestorePrivilege  5428  msiexec.exe
Token: SeShutdownPrivilege  5428  msiexec.exe
Token: SeDebugPrivilege  5428  msiexec.exe
Token: SeAuditPrivilege  5428  msiexec.exe
Token: SeSystemEnvironmentPrivilege  5428  msiexec.exe
Token: SeChangeNotifyPrivilege  5428  msiexec.exe
Token: SeRemoteShutdownPrivilege  5428  msiexec.exe
Token: SeUndockPrivilege  5428  msiexec.exe
Token: SeSyncAgentPrivilege  5428  msiexec.exe
Token: SeEnableDelegationPrivilege  5428  msiexec.exe
Token: SeManageVolumePrivilege  5428  msiexec.exe
Token: SeImpersonatePrivilege  5428  msiexec.exe
Token: SeCreateGlobalPrivilege  5428  msiexec.exe
Token: SeDebugPrivilege  5828  taskkill.exe
Token: SeDebugPrivilege  4252  taskkill.exe
Token: SeDebugPrivilege  6028  taskkill.exe
Token: SeDebugPrivilege  5752  taskkill.exe
Token: SeDebugPrivilege  4252  taskkill.exe
Token: SeDebugPrivilege  6716  taskkill.exe
Token: SeDebugPrivilege  5204  taskkill.exe
Token: SeDebugPrivilege  6612  taskkill.exe
Token: SeDebugPrivilege  6880  taskkill.exe
Token: SeDebugPrivilege  6552  taskkill.exe
Token: SeDebugPrivilege  6672  taskkill.exe
Token: SeDebugPrivilege  6828  taskkill.exe
Token: SeDebugPrivilege  6876  taskkill.exe
Token: SeDebugPrivilege  6960  taskkill.exe
Suspicious use of FindShellTrayWindow 28 IoCs
pid  Process (rows in the order reported; ×N marks consecutive repeats)
1232  anti.exe
3872  msedge.exe  (×25)
3368  stopwatch.exe
5428  msiexec.exe
Suspicious use of SetWindowsHookEx 3 IoCs
pid  Process
4756  setup.exe
4828  avg.exe
5932  ajD70A.exe
Suspicious use of WriteProcessMemory 64 IoCs
description  pid  Process  procid_target (rows in the order reported; ×N marks consecutive repeats)
PID 3780 wrote to memory of 4840  3780  2024-09-17_8799c59f0eb8cbb37c386c0d5a39d520_cobalt-strike_cobaltstrike_hijackloader_karagany_mafia_poet-rat.exe  82  (×3)
PID 4840 wrote to memory of 1232  4840  cmd.exe  86  (×3)
PID 4840 wrote to memory of 1428  4840  cmd.exe  87  (×3)
PID 1428 wrote to memory of 3008  1428  cmd.exe  89  (×3)
PID 4840 wrote to memory of 3872  4840  cmd.exe  90  (×2)
PID 3872 wrote to memory of 212  3872  msedge.exe  94  (×2)
PID 4840 wrote to memory of 3880  4840  cmd.exe  93  (×3)
PID 3880 wrote to memory of 3148  3880  butdes.exe  95  (×3)
PID 4840 wrote to memory of 408  4840  cmd.exe  96  (×3)
PID 4840 wrote to memory of 3876  4840  cmd.exe  97  (×2)
PID 4840 wrote to memory of 4072  4840  cmd.exe  99  (×3)
PID 408 wrote to memory of 1784  408  flydes.exe  100  (×3)
PID 1428 wrote to memory of 2712  1428  cmd.exe  102  (×3)
PID 1428 wrote to memory of 3344  1428  cmd.exe  103  (×3)
PID 3872 wrote to memory of 1496  3872  msedge.exe  104  (×25)
Views/modifies file attributes 1 TTPs 1 IoCs
pid  Process
5860  attrib.exe
Processes
(indentation shows the process-tree depth; each entry gives the image path, the command line, the signatures hit, and the PID)

[depth 1] C:\Users\Admin\AppData\Local\Temp\2024-09-17_8799c59f0eb8cbb37c386c0d5a39d520_cobalt-strike_cobaltstrike_hijackloader_karagany_mafia_poet-rat.exe
command line: "C:\Users\Admin\AppData\Local\Temp\2024-09-17_8799c59f0eb8cbb37c386c0d5a39d520_cobalt-strike_cobaltstrike_hijackloader_karagany_mafia_poet-rat.exe"
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID: 3780

  [depth 2] C:\Windows\SysWOW64\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\2024-09-17_8799c59f0eb8cbb37c386c0d5a39d520_cobalt-strike_cobaltstrike_hijackloader_karagany_mafia_poet-rat_8d8af918-4995-41b3-89b1-7c23ebbc8b6c\!m.bat" "
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID: 4840

    [depth 3] C:\Users\Admin\AppData\Local\Temp\2024-09-17_8799c59f0eb8cbb37c386c0d5a39d520_cobalt-strike_cobaltstrike_hijackloader_karagany_mafia_poet-rat_8d8af918-4995-41b3-89b1-7c23ebbc8b6c\anti.exe
    command line: anti.exe
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of FindShellTrayWindow
    PID: 1232

    [depth 3] C:\Windows\SysWOW64\cmd.exe
    command line: C:\Windows\system32\cmd.exe /K fence.bat
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 1428

      [depth 4] C:\Windows\SysWOW64\taskkill.exe
      command line: taskkill /f /im explorer.exe
      - System Location Discovery: System Language Discovery
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
      PID: 3008

      [depth 4] C:\Windows\SysWOW64\taskkill.exe
      command line: taskkill /f /im werfault.exe
      - System Location Discovery: System Language Discovery
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
      PID: 2712

      [depth 4] C:\Windows\SysWOW64\taskkill.exe
      command line: taskkill /f /im shutdown.exe
      - System Location Discovery: System Language Discovery
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
      PID: 3344

      [depth 4] C:\Windows\SysWOW64\taskkill.exe
      command line: taskkill /f /im taskmgr.exe
      - System Location Discovery: System Language Discovery
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
      PID: 2056

      [depth 4] C:\Windows\SysWOW64\taskkill.exe
      command line: taskkill /f /im werfault.exe
      - System Location Discovery: System Language Discovery
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
      PID: 3180

      [depth 4] C:\Windows\SysWOW64\taskkill.exe
      command line: taskkill /f /im shutdown.exe
      - System Location Discovery: System Language Discovery
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
      PID: 4188

      [depth 4] C:\Windows\SysWOW64\taskkill.exe
      command line: taskkill /f /im taskmgr.exe
      - System Location Discovery: System Language Discovery
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
      PID: 4464

      [depth 4] C:\Windows\SysWOW64\taskkill.exe
      command line: taskkill /f /im werfault.exe
      - System Location Discovery: System Language Discovery
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
      PID: 2384

      [depth 4] C:\Windows\SysWOW64\taskkill.exe
      command line: taskkill /f /im shutdown.exe
      - System Location Discovery: System Language Discovery
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
      PID: 1624

      [depth 4] C:\Windows\SysWOW64\taskkill.exe
      command line: taskkill /f /im taskmgr.exe
      - System Location Discovery: System Language Discovery
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
      PID: 2040

      [depth 4] C:\Windows\SysWOW64\taskkill.exe
      command line: taskkill /f /im werfault.exe
      - System Location Discovery: System Language Discovery
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
      PID: 4356

      [depth 4] C:\Windows\SysWOW64\taskkill.exe
      command line: taskkill /f /im shutdown.exe
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
      PID: 4904

      [depth 4] C:\Windows\SysWOW64\taskkill.exe
      command line: taskkill /f /im taskmgr.exe
      - System Location Discovery: System Language Discovery
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
      PID: 4188

      [depth 4] C:\Windows\SysWOW64\taskkill.exe
      command line: taskkill /f /im werfault.exe
      - System Location Discovery: System Language Discovery
      - Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4540
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im shutdown.exe4⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3768
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im taskmgr.exe4⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:5276
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im werfault.exe4⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:5828
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im shutdown.exe4⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4252
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im taskmgr.exe4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:6028
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im werfault.exe4⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:5752
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im shutdown.exe4⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4252
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im taskmgr.exe4⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:6716
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im werfault.exe4⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:5204
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im shutdown.exe4⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:6612
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im taskmgr.exe4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:6880
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im werfault.exe4⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:6552
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im shutdown.exe4⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:6672
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im taskmgr.exe4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:6828
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im werfault.exe4⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:6876
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im shutdown.exe4⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:6960
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im taskmgr.exe4⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
PID:7016
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im werfault.exe4⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
PID:6900
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im shutdown.exe4⤵
- Kills process with taskkill
PID:7124
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im taskmgr.exe4⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
PID:5612
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im werfault.exe4⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
PID:3924
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im shutdown.exe4⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
PID:5948
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im taskmgr.exe4⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
PID:1300
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im werfault.exe4⤵
- Kills process with taskkill
PID:3144
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im shutdown.exe4⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
PID:6244
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im taskmgr.exe4⤵PID:6340
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im werfault.exe4⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
PID:6352
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im shutdown.exe4⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
PID:6416
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im taskmgr.exe4⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
PID:6448
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im werfault.exe4⤵
- Kills process with taskkill
PID:6500
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im shutdown.exe4⤵
- Kills process with taskkill
PID:5780
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im taskmgr.exe4⤵
- Kills process with taskkill
PID:6556
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im werfault.exe4⤵
- Kills process with taskkill
PID:6572
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im shutdown.exe4⤵
- Kills process with taskkill
PID:5592
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im taskmgr.exe4⤵
- Kills process with taskkill
PID:4340
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im werfault.exe4⤵
- Kills process with taskkill
PID:6704
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im shutdown.exe4⤵
- Kills process with taskkill
PID:6752
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im taskmgr.exe4⤵
- Kills process with taskkill
PID:6864
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im werfault.exe4⤵
- Kills process with taskkill
PID:1444
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im shutdown.exe4⤵
- Kills process with taskkill
PID:6936
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im taskmgr.exe4⤵
- Kills process with taskkill
PID:6960
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im werfault.exe4⤵
- Kills process with taskkill
PID:7004
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im shutdown.exe4⤵
- Kills process with taskkill
PID:7040
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im taskmgr.exe4⤵
- Kills process with taskkill
PID:7112
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im werfault.exe4⤵
- Kills process with taskkill
PID:7120
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im shutdown.exe4⤵
- Kills process with taskkill
PID:5636
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im taskmgr.exe4⤵
- Kills process with taskkill
PID:6604
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im werfault.exe4⤵
- Kills process with taskkill
PID:1928
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im shutdown.exe4⤵
- Kills process with taskkill
PID:6548
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im taskmgr.exe4⤵
- Kills process with taskkill
PID:6088
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im werfault.exe4⤵
- Kills process with taskkill
PID:4852
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im shutdown.exe4⤵
- Kills process with taskkill
PID:3924
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im taskmgr.exe4⤵
- Kills process with taskkill
PID:3704
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\2024-09-17_8799c59f0eb8cbb37c386c0d5a39d520_cobalt-strike_cobaltstrike_hijackloader_karagany_mafia_poet-rat_8d8af918-4995-41b3-89b1-7c23ebbc8b6c\doc.html3⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:3872 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ff96f0446f8,0x7ff96f044708,0x7ff96f0447184⤵PID:212
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2176,7505995292159982245,2233345671140342205,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2180 /prefetch:24⤵PID:1496
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2176,7505995292159982245,2233345671140342205,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2260 /prefetch:34⤵
- Suspicious behavior: EnumeratesProcesses
PID:916
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2176,7505995292159982245,2233345671140342205,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2744 /prefetch:84⤵PID:1544
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,7505995292159982245,2233345671140342205,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3440 /prefetch:14⤵PID:4196
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,7505995292159982245,2233345671140342205,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3456 /prefetch:14⤵PID:4860
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,7505995292159982245,2233345671140342205,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4860 /prefetch:14⤵PID:4372
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,7505995292159982245,2233345671140342205,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5172 /prefetch:14⤵PID:4664
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,7505995292159982245,2233345671140342205,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5864 /prefetch:14⤵PID:2472
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,7505995292159982245,2233345671140342205,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5432 /prefetch:14⤵PID:5304
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2176,7505995292159982245,2233345671140342205,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3400 /prefetch:24⤵PID:3132
-
-
-
C:\Users\Admin\AppData\Local\Temp\2024-09-17_8799c59f0eb8cbb37c386c0d5a39d520_cobalt-strike_cobaltstrike_hijackloader_karagany_mafia_poet-rat_8d8af918-4995-41b3-89b1-7c23ebbc8b6c\butdes.exebutdes.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3880 -
C:\Users\Admin\AppData\Local\Temp\is-I4U5S.tmp\butdes.tmp"C:\Users\Admin\AppData\Local\Temp\is-I4U5S.tmp\butdes.tmp" /SL5="$501BE,2719719,54272,C:\Users\Admin\AppData\Local\Temp\2024-09-17_8799c59f0eb8cbb37c386c0d5a39d520_cobalt-strike_cobaltstrike_hijackloader_karagany_mafia_poet-rat_8d8af918-4995-41b3-89b1-7c23ebbc8b6c\butdes.exe"4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3148
-
-
-
C:\Users\Admin\AppData\Local\Temp\2024-09-17_8799c59f0eb8cbb37c386c0d5a39d520_cobalt-strike_cobaltstrike_hijackloader_karagany_mafia_poet-rat_8d8af918-4995-41b3-89b1-7c23ebbc8b6c\flydes.exeflydes.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:408 -
C:\Users\Admin\AppData\Local\Temp\is-ETUL3.tmp\flydes.tmp"C:\Users\Admin\AppData\Local\Temp\is-ETUL3.tmp\flydes.tmp" /SL5="$20194,595662,54272,C:\Users\Admin\AppData\Local\Temp\2024-09-17_8799c59f0eb8cbb37c386c0d5a39d520_cobalt-strike_cobaltstrike_hijackloader_karagany_mafia_poet-rat_8d8af918-4995-41b3-89b1-7c23ebbc8b6c\flydes.exe"4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1784
-
-
-
C:\Users\Admin\AppData\Local\Temp\2024-09-17_8799c59f0eb8cbb37c386c0d5a39d520_cobalt-strike_cobaltstrike_hijackloader_karagany_mafia_poet-rat_8d8af918-4995-41b3-89b1-7c23ebbc8b6c\i.exei.exe3⤵
- Executes dropped EXE
PID:3876
-
-
C:\Windows\SysWOW64\timeout.exetimeout 33⤵
- System Location Discovery: System Language Discovery
- Delays execution with timeout.exe
PID:4072
-
-
C:\Users\Admin\AppData\Local\Temp\2024-09-17_8799c59f0eb8cbb37c386c0d5a39d520_cobalt-strike_cobaltstrike_hijackloader_karagany_mafia_poet-rat_8d8af918-4995-41b3-89b1-7c23ebbc8b6c\gx.exegx.exe3⤵
- Executes dropped EXE
PID:2420 -
C:\Users\Admin\AppData\Local\Temp\7zS479F5887\setup.exeC:\Users\Admin\AppData\Local\Temp\7zS479F5887\setup.exe --server-tracking-blob=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4⤵
- Loads dropped DLL
- Enumerates connected drives
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:4756 -
C:\Users\Admin\AppData\Local\Temp\7zS479F5887\setup.exeC:\Users\Admin\AppData\Local\Temp\7zS479F5887\setup.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera GX Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera GX Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktopGX --annotation=ver=112.0.5197.115 --initial-client-data=0x31c,0x320,0x324,0x2f8,0x328,0x6f001b54,0x6f001b60,0x6f001b6c5⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:3960
-
-
C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\setup.exe"C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\setup.exe" --version5⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1132
-
-
C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\opera_package_202409170402191\assistant\Opera_GX_assistant_73.0.3856.382_Setup.exe_sfx.exe"C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\opera_package_202409170402191\assistant\Opera_GX_assistant_73.0.3856.382_Setup.exe_sfx.exe"5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:6552
-
-
C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\opera_package_202409170402191\assistant\assistant_installer.exe"C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\opera_package_202409170402191\assistant\assistant_installer.exe" --version5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5760 -
C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\opera_package_202409170402191\assistant\assistant_installer.exe"C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\opera_package_202409170402191\assistant\assistant_installer.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera GX Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera GX Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktopGX --annotation=ver=73.0.3856.382 --initial-client-data=0x26c,0x270,0x274,0x248,0x278,0xb94f48,0xb94f58,0xb94f646⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5672
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\2024-09-17_8799c59f0eb8cbb37c386c0d5a39d520_cobalt-strike_cobaltstrike_hijackloader_karagany_mafia_poet-rat_8d8af918-4995-41b3-89b1-7c23ebbc8b6c\bundle.exebundle.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4164
-
-
C:\Users\Admin\AppData\Local\Temp\2024-09-17_8799c59f0eb8cbb37c386c0d5a39d520_cobalt-strike_cobaltstrike_hijackloader_karagany_mafia_poet-rat_8d8af918-4995-41b3-89b1-7c23ebbc8b6c\rckdck.exerckdck.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4368 -
C:\Users\Admin\AppData\Local\Temp\is-F5JLQ.tmp\is-35K99.tmp"C:\Users\Admin\AppData\Local\Temp\is-F5JLQ.tmp\is-35K99.tmp" /SL4 $20162 "C:\Users\Admin\AppData\Local\Temp\2024-09-17_8799c59f0eb8cbb37c386c0d5a39d520_cobalt-strike_cobaltstrike_hijackloader_karagany_mafia_poet-rat_8d8af918-4995-41b3-89b1-7c23ebbc8b6c\rckdck.exe" 6123423 527364⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3672
-
-
-
C:\Users\Admin\AppData\Local\Temp\2024-09-17_8799c59f0eb8cbb37c386c0d5a39d520_cobalt-strike_cobaltstrike_hijackloader_karagany_mafia_poet-rat_8d8af918-4995-41b3-89b1-7c23ebbc8b6c\avg.exeavg.exe3⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Checks for any installed AV software in registry
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4828 -
C:\Users\Admin\AppData\Local\Temp\ajD70A.exe"C:\Users\Admin\AppData\Local\Temp\ajD70A.exe" /relaunch=8 /was_elevated=1 /tagdata4⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Checks for any installed AV software in registry
- Writes to the Master Boot Record (MBR)
- System Location Discovery: System Language Discovery
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:5932
-
-
-
C:\Users\Admin\AppData\Local\Temp\2024-09-17_8799c59f0eb8cbb37c386c0d5a39d520_cobalt-strike_cobaltstrike_hijackloader_karagany_mafia_poet-rat_8d8af918-4995-41b3-89b1-7c23ebbc8b6c\telamon.exetelamon.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4168 -
C:\Users\Admin\AppData\Local\Temp\is-MT0FB.tmp\telamon.tmp"C:\Users\Admin\AppData\Local\Temp\is-MT0FB.tmp\telamon.tmp" /SL5="$200B2,1520969,918016,C:\Users\Admin\AppData\Local\Temp\2024-09-17_8799c59f0eb8cbb37c386c0d5a39d520_cobalt-strike_cobaltstrike_hijackloader_karagany_mafia_poet-rat_8d8af918-4995-41b3-89b1-7c23ebbc8b6c\telamon.exe"4⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:4356 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" "C:\Windows\system32\cmd.exe" /S /C ""C:\Users\Admin\AppData\Local\Temp\is-BLEN7.tmp\tt-installer-helper.exe" --getuid > "C:\Users\Admin\AppData\Local\Temp\is-BLEN7.tmp\~execwithresult.txt""5⤵
- System Location Discovery: System Language Discovery
PID:5220 -
C:\Users\Admin\AppData\Local\Temp\is-BLEN7.tmp\tt-installer-helper.exe"C:\Users\Admin\AppData\Local\Temp\is-BLEN7.tmp\tt-installer-helper.exe" --getuid6⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5296
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" "C:\Windows\system32\cmd.exe" /S /C ""C:\Users\Admin\AppData\Local\Temp\is-BLEN7.tmp\tt-installer-helper.exe" --saveinstallpath --filename=C:\Users\Admin\AppData\Local\Temp\2024-09-17_8799c59f0eb8cbb37c386c0d5a39d520_cobalt-strike_cobaltstrike_hijackloader_karagany_mafia_poet-rat_8d8af918-4995-41b3-89b1-7c23ebbc8b6c\telamon.exe > "C:\Users\Admin\AppData\Local\Temp\is-BLEN7.tmp\~execwithresult.txt""5⤵PID:5604
-
C:\Users\Admin\AppData\Local\Temp\is-BLEN7.tmp\tt-installer-helper.exe"C:\Users\Admin\AppData\Local\Temp\is-BLEN7.tmp\tt-installer-helper.exe" --saveinstallpath --filename=C:\Users\Admin\AppData\Local\Temp\2024-09-17_8799c59f0eb8cbb37c386c0d5a39d520_cobalt-strike_cobaltstrike_hijackloader_karagany_mafia_poet-rat_8d8af918-4995-41b3-89b1-7c23ebbc8b6c\telamon.exe6⤵
- Executes dropped EXE
PID:5948
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\2024-09-17_8799c59f0eb8cbb37c386c0d5a39d520_cobalt-strike_cobaltstrike_hijackloader_karagany_mafia_poet-rat_8d8af918-4995-41b3-89b1-7c23ebbc8b6c\stopwatch.exestopwatch.exe3⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
PID:3368
-
-
C:\Windows\SysWOW64\msiexec.exe"C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\AppData\Local\Temp\2024-09-17_8799c59f0eb8cbb37c386c0d5a39d520_cobalt-strike_cobaltstrike_hijackloader_karagany_mafia_poet-rat_8d8af918-4995-41b3-89b1-7c23ebbc8b6c\gadget.msi"3⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:5428
-
-
C:\Users\Admin\AppData\Local\Temp\2024-09-17_8799c59f0eb8cbb37c386c0d5a39d520_cobalt-strike_cobaltstrike_hijackloader_karagany_mafia_poet-rat_8d8af918-4995-41b3-89b1-7c23ebbc8b6c\g_.exeg_.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:5544
-
-
C:\Users\Admin\AppData\Local\Temp\2024-09-17_8799c59f0eb8cbb37c386c0d5a39d520_cobalt-strike_cobaltstrike_hijackloader_karagany_mafia_poet-rat_8d8af918-4995-41b3-89b1-7c23ebbc8b6c\t.exet.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:5568
-
-
C:\Users\Admin\AppData\Local\Temp\2024-09-17_8799c59f0eb8cbb37c386c0d5a39d520_cobalt-strike_cobaltstrike_hijackloader_karagany_mafia_poet-rat_8d8af918-4995-41b3-89b1-7c23ebbc8b6c\g.exeg.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:5792
-
-
C:\Users\Admin\AppData\Local\Temp\2024-09-17_8799c59f0eb8cbb37c386c0d5a39d520_cobalt-strike_cobaltstrike_hijackloader_karagany_mafia_poet-rat_8d8af918-4995-41b3-89b1-7c23ebbc8b6c\e.exee.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:5808
-
-
C:\Windows\SysWOW64\attrib.exeattrib +s +h C:\GAB3⤵
- Sets file to hidden
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
PID:5860
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\2024-09-17_8799c59f0eb8cbb37c386c0d5a39d520_cobalt-strike_cobaltstrike_hijackloader_karagany_mafia_poet-rat_8d8af918-4995-41b3-89b1-7c23ebbc8b6c\dng.html3⤵PID:1132
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff96f0446f8,0x7ff96f044708,0x7ff96f0447184⤵PID:5136
-
-
-
C:\Windows\SysWOW64\timeout.exetimeout 103⤵
- System Location Discovery: System Language Discovery
- Delays execution with timeout.exe
PID:6804
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /K proxy.bat3⤵PID:5888
-
-
C:\Windows\SysWOW64\notepad.exe"C:\Windows\System32\notepad.exe" "C:\GAB\11525.CompositeFont"3⤵
- Opens file in notepad (likely ransom note)
PID:5884
-
-
C:\Windows\SysWOW64\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\GAB\11525.ini3⤵
- Opens file in notepad (likely ransom note)
PID:6048
-
-
C:\Windows\SysWOW64\fontview.exe"C:\Windows\System32\fontview.exe" C:\GAB\11525.ttc3⤵PID:6288
-
-
C:\Windows\SysWOW64\fontview.exe"C:\Windows\System32\fontview.exe" C:\GAB\11525.TTF3⤵PID:6060
-
-
C:\Users\Admin\AppData\Local\Temp\2024-09-17_8799c59f0eb8cbb37c386c0d5a39d520_cobalt-strike_cobaltstrike_hijackloader_karagany_mafia_poet-rat_8d8af918-4995-41b3-89b1-7c23ebbc8b6c\cobstrk.execobstrk.exe3⤵PID:6208
-
C:\Windows\System\lywFHjS.exeC:\Windows\System\lywFHjS.exe4⤵PID:6416
-
-
C:\Windows\System\UBCgEmo.exeC:\Windows\System\UBCgEmo.exe4⤵PID:1216
-
-
C:\Windows\System\jcpLlie.exeC:\Windows\System\jcpLlie.exe4⤵PID:6452
-
-
C:\Windows\System\PTVhtHJ.exeC:\Windows\System\PTVhtHJ.exe4⤵PID:6484
-
-
C:\Windows\System\wNPrARS.exeC:\Windows\System\wNPrARS.exe4⤵PID:6032
-
-
C:\Windows\System\oALCVPj.exeC:\Windows\System\oALCVPj.exe4⤵PID:6524
-
-
C:\Windows\System\kGnhgnP.exeC:\Windows\System\kGnhgnP.exe4⤵PID:5996
-
-
C:\Windows\System\QlZcvHh.exeC:\Windows\System\QlZcvHh.exe4⤵PID:6248
-
-
C:\Windows\System\RYiIwsj.exeC:\Windows\System\RYiIwsj.exe4⤵PID:6648
-
-
C:\Windows\System\FBQzIlg.exeC:\Windows\System\FBQzIlg.exe4⤵PID:6712
-
-
C:\Windows\System\nEFtMlb.exeC:\Windows\System\nEFtMlb.exe4⤵PID:4520
-
-
C:\Windows\System\OwrBaII.exeC:\Windows\System\OwrBaII.exe4⤵PID:4340
-
-
C:\Windows\System\VxOwNFO.exeC:\Windows\System\VxOwNFO.exe4⤵PID:6616
-
-
C:\Windows\System\ycOYiGw.exeC:\Windows\System\ycOYiGw.exe4⤵PID:6800
-
-
C:\Windows\System\nPAlkaL.exeC:\Windows\System\nPAlkaL.exe4⤵PID:3760
-
-
C:\Windows\System\HTUYWSl.exeC:\Windows\System\HTUYWSl.exe4⤵PID:6760
-
-
C:\Windows\System\LyygaSo.exeC:\Windows\System\LyygaSo.exe4⤵PID:4604
-
-
C:\Windows\System\CEjMuan.exeC:\Windows\System\CEjMuan.exe4⤵PID:6828
-
-
C:\Windows\System\OqWtcHq.exeC:\Windows\System\OqWtcHq.exe4⤵PID:6864
-
-
C:\Windows\System\MLxJfIV.exeC:\Windows\System\MLxJfIV.exe4⤵PID:6908
-
-
C:\Windows\System\QOTdIse.exeC:\Windows\System\QOTdIse.exe4⤵PID:6920
-
-
-
C:\Users\Admin\AppData\Local\Temp\2024-09-17_8799c59f0eb8cbb37c386c0d5a39d520_cobalt-strike_cobaltstrike_hijackloader_karagany_mafia_poet-rat_8d8af918-4995-41b3-89b1-7c23ebbc8b6c\jaf.exejaf.exe3⤵PID:6784
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /K des.cmd3⤵PID:7012
-
-
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x338 0x40c1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2300
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:1180
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:4556
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5720
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵PID:6372
Network
MITRE ATT&CK Enterprise v15
Defense Evasion
Hide Artifacts: 2
Hidden Files and Directories: 2
Pre-OS Boot: 1
Bootkit: 1
Downloads
SHA1342cd5a4ce1d036d72ead842478d3ac2514760f9
SHA256d71f81c83ec63eaa32d36d5df7be1d9e71d3ea9150f47cebda2924923cbbf18a
SHA512c02ee1f193fb9f5bf1adee4bf6fea02db1f718ec74c6900419cccdc52e4d1ad6e5c540716c717655153f69b0a4daa6b3832ec9222f803efb181ac8954a032c8f
-
Filesize
64KB
MD57125ae1839a5dfa2dd8b32e22928a5c0
SHA143a51052dc18372b9c7b122c6dec94646abc078d
SHA256b4cdcd98edd11806931a466f50f957b3f62278814927f506f708519d018deb83
SHA512c8d11a02411313030b265bbc2ac12ca9c984c8ca273172b0d194b8737a5087b6c943d91e0ee7b48c33a71146b5077c61275defbd784bc3778c2f0cc39bffb102
-
Filesize
34KB
MD59e2ee65661bee40438d514fe592bfcf8
SHA1140a77e69329638a5c53dc01fbcfe0ce9ab93423
SHA256ac9ee085920a3d8b076d5e0c61dc9df42c4bac28d1fc968344f9ceddb3972f69
SHA5123b3c7ff00d8f12cea48008a2e95c194f7fc64ee96425a3cfefb8b65a9f7dad66fa16104ec1cf96ac6892426e5e8ab59dab91e3d56d76f58753b80f8ac48f2612
-
Filesize
151KB
MD53efd8e6a45b3f893f54399c6bf4aba68
SHA10252ba9399d4faac75b26f245905854f0b6cd9be
SHA256c019f155a0004760f32079c22c29ef0ddd223d0c2c79e2487122e66d38a53b32
SHA51206691ccf1014311ff1f06bad835db123abd726cb07da462967c2e1d6aa9cce63be40b426264861f7fdcb4e59c98ecc013074580bf57e72e1c782c0b2f9bf2c7b
-
Filesize
195KB
MD5e3dfc3b909e09b89da3297899d9035c3
SHA1fa576ba64e0c606b1900f9044a8390c8c2b725e1
SHA256d6d8dc12613c35149a4c693fdfe2fd8217fc622cbec4f9a1ea32f7bf943a98a1
SHA512d11d0cc5114ef589e69977123fbaa824ab2bf7b74fe537dc907c35485bcd1b14ad1c83a6407b8154e7d58b25656f3437634a6c3cf24c8f6b17756674ecebceb0
-
Filesize
37KB
MD5fdb4c5d869ccb8b4230a3f0e162dcb22
SHA13085fa5c2c6c42ded66f8ca77f3e366a0c1bb867
SHA2568f51432ddde758e386ac1c3f5c2a02278b1a0134ea30ffa879794087ff1d4d3f
SHA512babff722c300f752ec71c055ed89564c74c0188059033e13a9d529bdb4f23b5b399a97b5bf5f670d5ccf6b8dccddf91e0df3f5551436e5c9db4ac8288b0d9615
-
Filesize
7KB
MD5ad75fb38d57de96a18fd5fcad4a282cb
SHA12689835e7573d1ea8cfdf6ae7fd77b671baccbc7
SHA256c7b31d6d41b52ea093fc845bb51f5fc8bb772b278a0cd8d0dac980dc9e6b08eb
SHA512ef3e09211a3e58428b94bda0f84d84e83e1e76f40b6f633a6a0e4121cfbdd4cf5253627be285e853d8c536a611f8abf6b2cfdff69033e596c56aaa5b625b6bc2
-
Filesize
12KB
MD5dcfe71d27bf49ba16fde0d1945bfb4a2
SHA186b3d8696b5da354ef42c8ab4a9d21cdaaf0dda1
SHA256eacbfca9a5ef05a108ef5337c773d82a43398bb8ea177e5ebeef62934dd75811
SHA5124da8efcfd4a77e230c61a527eb96b5193b9f5ddc0d476dfca8ce6ba7143ac5c8a1fd8b673cc2c7b554dae42ec01364a178f64532b6de17d44dce07b3089869c3
-
Filesize
82KB
MD55972eeea7971170eb72cab2fc85c2b17
SHA1d327d96bd78c5e851e065d053829abbb370c0c09
SHA2569677467feb714a89de457e262ff6647708b7de66127671b77f7e1e92aa0c2f41
SHA512c55c5217271f29bd3a7a130daa5e5711eff65630127f90112a26bb4ba3dbf416059f9424606bc1998ff4eec874c18767a395e20c3dc516a00079b2c5a7221ed3
-
Filesize
12KB
MD540f8022c3fe4e1cc97bb794e1b519b3f
SHA17ff107451b67b2d432db4706c697a9391c13a6f4
SHA2566b16818c057024f588f4f423cb1f50d24e092fca3c9b5c8c1943cf5b3ea70759
SHA51208a85d0203a0534067538ba0c1f40273409f61f212269cb3095df1defc114ff007efcb4c3c4897a345cda17db16c98b88ae61100b9e4636862d26edb8a402ba3
-
Filesize
7KB
MD56ce87c9b9d03998f4492dab3c79f027b
SHA119647e5aebcd0f6fd23f15cc82863e25aa0d2c7b
SHA256b47e74ce7a0f656a9490b4522d3617b9977a941af72ff2cf66f6fb1251438e00
SHA5123e1bc371dcd2787c2b360049d654be2c206d6e5d9de75a642583e6a16d7b8aeaa1f0e08fc3dbc40a23bc3d88f0f34f9d37976a7a208b59f01a3dbe67219c5179
-
Filesize
6KB
MD58a5dbabcb9b11e3e0c527b93e69d5e4d
SHA1c47add614ece5ed16ca456bac08b1f2cbaccfec9
SHA256824ea3f5eabd9c3b8e0041e78935feb65545f58760ce0c47a0d938ad75f8e241
SHA512ddcb3520d68321e6372630cb34473c7b310ffed1263cde8e1059837e63e42e7a7e644537044dee774e9ea3e912e485f2630bc106233e039ea925355ec29921c0
-
Filesize
35KB
MD51252c22a700c6c0319481971a05839fd
SHA1c88ad6672619e7a35c11d0a466329f7579016e46
SHA2568afa403942185a52a0a670f6ac09bc5b61a21280f2157dc7936b7cfe79bb6280
SHA5121f54864f01f7c4b501e028b6d708e798ac08c0539172945105f2cd9b36afd31dc61dd7bf4bacb159f2bdff05232727984a722f40ad0dafe6282a39e080fe5c17
-
Filesize
32KB
MD57a6a1e781b1716ec989a9c9d32db4f10
SHA1ea9c2fad201de94c08bc101f70707712544c1f10
SHA256051aa1902f28a005a4f39bb0ca9c907518c426de90f4a26e0f9026e37d8a8e08
SHA5129544b06d552015f844af7a4e59dad6296c2218dbd4247191a0fc1b078b3b92dcae50ecd426f016e82607f71c9ad5a3f17f73c2a2f48ce52fc0ad2b1f979679b7
-
Filesize
5KB
MD521475b17405b86f37a2c15a1df2733b3
SHA1e640903a5fa2a800a27b74c73a02ea855dcbd953
SHA2566e7a86167874f989433a264345e5ea6c0e000861cbca8153858b23d7d35d5ecc
SHA5125752f5cdd3d6e56de8d6382dced5b7425fead8cbdb21755fb504320157a4aad3a713fb8d5d4d52e843d60b0251b3c14ee6e7720824ace97b9fd8a5dbf7e0d8f0
-
Filesize
13.0MB
MD5e868c731ec770c425dbc74881b3ca936
SHA1a8dc99a2e0bc3360f8441243aab13fe7279a759a
SHA2561e5a4b342c6417bb9352e8c29cb839413987a06438e7b48fd0320925827f289c
SHA51251bbdbcd06bc41c1ef6a589ca2b6300f1f9350d11b8bfa60605c7a68a0d6a714998bec6060cbc3b27dd2d1485d57f344890b0278d7313dbdb5593334ceea3b49
-
Filesize
1KB
MD555540a230bdab55187a841cfe1aa1545
SHA1363e4734f757bdeb89868efe94907774a327695e
SHA256d73494e3446b02167573b3cde3ae1c8584ac26e15e45ac3ec0326708425d90fb
SHA512c899cb1d31d3214fd9dc8626a55e40580d3b2224bf34310c2abd85d0f63e2dedaeae57832f048c2f500cb2cbf83683fcb14139af3f0b5251606076cdb4689c54
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\070E0202839D9D67350CD2613E78E416
Filesize230B
MD5b787ea97273cdbee9a70c1ac642b3303
SHA1040139946fd2dd5a3dd586d0feed36a0e60214cf
SHA25621f05c2346ab2f5b2f39aeb20753fd2fc7dc6448e6653f1c4665576075bb0c5b
SHA51207faebc46e8ae43f4262537976abac754f86cc5fa93f9bc5960fb31136616d4f68284c50a6d8b85e125052410e4ac59cf0e3bb7bf625a21bec818302f6efc5cd
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506
Filesize328B
MD50a7cd88a5712be8237fccfcceb9f8b47
SHA1b91ff681a7ce215bece07f7209be41391ecf4254
SHA25697993e1f50db41734ee879b439d401211de5de2ab3c09d0fb8ea6ca29836794e
SHA5125e115be046b0f98373b82b653656690aa9d78042d4927faeb679336e287435714321d28c1232e028c96a3b389b6386693065adb4fb9588600a29c40a125f2cf1
-
Filesize
152B
MD5719923124ee00fb57378e0ebcbe894f7
SHA1cc356a7d27b8b27dc33f21bd4990f286ee13a9f9
SHA256aa22ab845fa08c786bd3366ec39f733d5be80e9ac933ed115ff048ff30090808
SHA512a207b6646500d0d504cf70ee10f57948e58dab7f214ad2e7c4af0e7ca23ce1d37c8c745873137e6c55bdcf0f527031a66d9cc54805a0eac3678be6dd497a5bbc
-
Filesize
152B
MD5d7114a6cd851f9bf56cf771c37d664a2
SHA1769c5d04fd83e583f15ab1ef659de8f883ecab8a
SHA256d2c75c7d68c474d4b8847b4ba6cfd09fe90717f46dd398c86483d825a66e977e
SHA51233bdae2305ae98e7c0de576de5a6600bd70a425e7b891d745cba9de992036df1b3d1df9572edb0f89f320e50962d06532dae9491985b6b57fd37d5f46f7a2ff8
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize144B
MD59bc04803f50bcacae5917478f383e2cd
SHA10df365367acee8efb079c05fcfec863086e22ce4
SHA256217eefdf454f634e5c1602fd0655ebc88a07e30c438d9478e5a25be4ffe8ef6a
SHA5128403dc8de85587572f684519803d116bc142ccc6c708716b2cc22cd01fa5822bac54cb9efdf693202ee6273030e0e6b7736ef5927bcf0df7d768d3068d023534
-
Filesize
3KB
MD5ff82e0413d6bd29d207a1023ae5794ce
SHA1e9dd169a105adef430b5b41ce31799632f528f96
SHA256c0afd216f80988cc449543a609107f14ccdaff2ac43ad0122aa6633499cffb82
SHA5129a1ab3fffacec0beb35747a03084061ce1dfeff2ed98c13cae0b15a494295f79e8fe4d119c2325dfc26018a45a7f706d3df092ababac9ef047c5786ecafe1d4c
-
Filesize
5KB
MD53f4cebfd19dd8768fc166a295f7a38f5
SHA135b867ee90e090f7b2c36ccd823ff98afd6c0c8c
SHA2568fa152b364c8312ce6c14fd41de0649f684ba2c76192a540d9af8b8b57cd3b45
SHA512804928bd3b878fc1bfadacace5509c2175fc8e05653baef9f286eee462d7939486a9a64f8846c4fa384f83c7fbd12368b4cb1bf6063de32d67ecfd6e0a15b07c
-
Filesize
6KB
MD5179908b417183f588a6d7420bd49d3e2
SHA17a6e8e0bf01ef6803ad564f536c4904db5ac3163
SHA2568d28084b6381fa6396c770bd6719cd3cf31ef731c7ade022d90892f02ed018cd
SHA5121e992b6d3f129edf288b4da80ebd266ac640866668430f636cc0feb05068dc478a442208d6d7a74b68c68a9d96e4f55e62ee5a274295acdabe70ff8cf07bbec0
-
Filesize
10KB
MD5f52265f5584e351b7e48328236fbdc2f
SHA1cf3823231d70e2d17df079dc06a7f5fe706cdc05
SHA2567e4ec1b259d9fee126ba14bce88315b65bdb4c6c15deae025b68dcf8a75d595c
SHA512d119fd551355d1744a9c325a9187d7628fd4d68406233cf65b8e5aea399850d8b9486de66d77a4976b1407ee8f841dc07b7c678ffa1e8f31715dbc6faee19cfc
-
Filesize
10KB
MD5e87235410e9340f68c99dc173076a42c
SHA14586b5ff83c81c317854593d427860547b06653b
SHA256ded64ea81aca74d6e0dceefdc4363a2ac5311b7151720f3429600039704ae5b1
SHA512032245653bb0b25657a62f0dc546dd02e314b0fbc3c0fe9642f539bf147285d2e2680623866f11aa575f6cb0e7e7ab0d3a22703086beb8a2eb628d2fc1aa8f3b
-
C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\opera_package_202409170402191\additional_file0.tmp
Filesize1.4MB
MD5e9a2209b61f4be34f25069a6e54affea
SHA16368b0a81608c701b06b97aeff194ce88fd0e3c0
SHA256e950f17f4181009eeafa9f5306e8a9dfd26d88ca63b1838f44ff0efc738e7d1f
SHA51259e46277ca79a43ed8b0a25b24eff013e251a75f90587e013b9c12851e5dd7283b6172f7d48583982f6a32069457778ee440025c1c754bf7bb6ce8ae1d2c3fc5
-
Filesize
6.4MB
MD5defd30ea336650cc29c0c79fad6fa6b5
SHA1935d871ed86456c6dd3c83136dc2d1bda5988ff3
SHA256015a13bd912728e463df6807019b1914dffc3e6735830472e3287150a02e13f4
SHA5128c6ebbf398fb44ff2254db5a7a2ffbc8803120fa93fa6b72c356c6e8eca45935ab973fe3c90d52d5a7691365caf5b41fe2702b6c76a61a0726faccc392c40e54
-
C:\Users\Admin\AppData\Local\Temp\2024-09-17_8799c59f0eb8cbb37c386c0d5a39d520_cobalt-strike_cobaltstrike_hijackloader_karagany_mafia_poet-rat_8d8af918-4995-41b3-89b1-7c23ebbc8b6c\!m.bat
Filesize824B
MD534668f54b0b37f99ad7cac2b2dfc143c
SHA1191f0593c1567e21d2bc3f6e426a6105b45fa048
SHA2567073d936dcf38170c8d0d3ca33130c70920bfe304650621dd1ed18b9e2e1829f
SHA51264313be755d28f660fcd27fb9e813e94d906b26f1451c9d8a5b4970b210e69b5d27f2e51d1b14f0574f349f29a5db498c3c9072e3a5bea7f86c2ad9f4856a892
-
C:\Users\Admin\AppData\Local\Temp\2024-09-17_8799c59f0eb8cbb37c386c0d5a39d520_cobalt-strike_cobaltstrike_hijackloader_karagany_mafia_poet-rat_8d8af918-4995-41b3-89b1-7c23ebbc8b6c\anti.exe
Filesize1.9MB
MD5cb02c0438f3f4ddabce36f8a26b0b961
SHA148c4fcb17e93b74030415996c0ec5c57b830ea53
SHA25664677f7767d6e791341b2eac7b43df90d39d9bdf26d21358578d2d38037e2c32
SHA512373f91981832cd9a1ff0b8744b43c7574b72971b5b6b19ea1f4665b6c878f7a1c7834ac08b92e0eca299eb4b590bf10f48a0485350a77a5f85fc3d2dd6913db3
-
C:\Users\Admin\AppData\Local\Temp\2024-09-17_8799c59f0eb8cbb37c386c0d5a39d520_cobalt-strike_cobaltstrike_hijackloader_karagany_mafia_poet-rat_8d8af918-4995-41b3-89b1-7c23ebbc8b6c\avg.exe
Filesize5.8MB
MD50dc93e1f58cbb736598ce7fa7ecefa33
SHA16e539aab5faf7d4ce044c2905a9c27d4393bae30
SHA2564ec941f22985fee21d2f9d2ae590d5dafebed9a4cf55272b688afe472d454d36
SHA51273617da787e51609ee779a12fb75fb9eac6ed6e99fd1f4c5c02ff18109747de91a791b1a389434edfe8b96e5b40340f986b8f7b88eac3a330b683dec565a7eff
-
C:\Users\Admin\AppData\Local\Temp\2024-09-17_8799c59f0eb8cbb37c386c0d5a39d520_cobalt-strike_cobaltstrike_hijackloader_karagany_mafia_poet-rat_8d8af918-4995-41b3-89b1-7c23ebbc8b6c\bundle.exe
Filesize429KB
MD5ae4581af98a5b38bce860f76223cb7c9
SHA16aa1e2cce517e5914a47816ef8ca79620e50e432
SHA2567c4b329a4018dc7e927a7d1078c846706efae6e6577f6809defaa51b636e7267
SHA51211ad90a030999bbb727dbfde7943d27f2442c247633cde5f9696e89796b0f750f85a9be96f01fa3fd1ec97653a334b1376d6bb76d9e43424cabe3a03893ecf04
-
C:\Users\Admin\AppData\Local\Temp\2024-09-17_8799c59f0eb8cbb37c386c0d5a39d520_cobalt-strike_cobaltstrike_hijackloader_karagany_mafia_poet-rat_8d8af918-4995-41b3-89b1-7c23ebbc8b6c\butdes.exe
Filesize2.8MB
MD51535aa21451192109b86be9bcc7c4345
SHA11af211c686c4d4bf0239ed6620358a19691cf88c
SHA2564641af6a0071e11e13ad3b1cd950e01300542c2b9efb6ae92ffecedde974a4a6
SHA5121762b29f7b26911a7e6d244454eac7268235e2e0c27cd2ca639b8acdde2528c9ddf202ed59ca3155ee1d6ad3deba559a6eaf4ed74624c68688761e3e404e54da
-
C:\Users\Admin\AppData\Local\Temp\2024-09-17_8799c59f0eb8cbb37c386c0d5a39d520_cobalt-strike_cobaltstrike_hijackloader_karagany_mafia_poet-rat_8d8af918-4995-41b3-89b1-7c23ebbc8b6c\code.js
Filesize4KB
MD5016bf2cf2bad527f1f1ea557408cb036
SHA123ab649b9fb99da8db407304ce9ca04f2b50c7b4
SHA25617bb814cfaa135628fd77aa8a017e4b0dcd3c266b8cdca99e4d7de5d215643c0
SHA512ac2d4f51b0b1da3c544f08b7d0618b50514509841f81bc9dad03329d5c1a90e205795a51ca59522d3aa660fb60faae19803eceeeea57f141217a6701a70510e7
-
C:\Users\Admin\AppData\Local\Temp\2024-09-17_8799c59f0eb8cbb37c386c0d5a39d520_cobalt-strike_cobaltstrike_hijackloader_karagany_mafia_poet-rat_8d8af918-4995-41b3-89b1-7c23ebbc8b6c\doc.html
Filesize15KB
MD55622e7755e5f6585a965396b0d528475
SHA1b059dc59658822334e39323b37082374e8eeaac4
SHA256080cb8ef0cbf5a5de9163b365eec8b29538e579f14a9caa45c0f11bc173c4147
SHA51262f5abda3473ca043bf126eed9d0bcc0f775b5ac5f85b4fe52d1d656f476f62188d22cf79b229059a5d05e9258980c787cb755f08ca86e24e5f48655b5447f8e
-
C:\Users\Admin\AppData\Local\Temp\2024-09-17_8799c59f0eb8cbb37c386c0d5a39d520_cobalt-strike_cobaltstrike_hijackloader_karagany_mafia_poet-rat_8d8af918-4995-41b3-89b1-7c23ebbc8b6c\download.jpg
Filesize8KB
MD501a5131931ef35acecbe557ba13f3954
SHA1c7afc7590d469432704d963ffcee31ad8bcfc175
SHA256d364872ddde28d81d23bb3b08f9e86f921b542f3a35fcaf12549cf5666462bd0
SHA512ce32352484d676bd0f47c24808707c603fe9f09e41afd63d90f07599f13a5e32c73b0970a9964632f76f5843dda87a033340ee12fadd87b9f219329d0c69b02e
-
C:\Users\Admin\AppData\Local\Temp\2024-09-17_8799c59f0eb8cbb37c386c0d5a39d520_cobalt-strike_cobaltstrike_hijackloader_karagany_mafia_poet-rat_8d8af918-4995-41b3-89b1-7c23ebbc8b6c\fence.bat
Filesize167B
MD56465a5431e01a80bf71aca9e9698e5b0
SHA1d56ed108f13a6c49d57f05e2bf698778fd0b98dc
SHA2561c5f05fecfc1f4fd508f1d3bbb93a47e8b8196b9eded5de7152a6fa57ca7580f
SHA512db7f64b8af595d0bf6fd142471868df6d29ec7cfbb49a7e0da63d9bc8ca8f319e4c41f2c7baeafe17a3679861163400ccb36c18617982b244aaf482e9c264e55
-
C:\Users\Admin\AppData\Local\Temp\2024-09-17_8799c59f0eb8cbb37c386c0d5a39d520_cobalt-strike_cobaltstrike_hijackloader_karagany_mafia_poet-rat_8d8af918-4995-41b3-89b1-7c23ebbc8b6c\flydes.exe
Filesize833KB
MD5b401505e8008994bf2a14fdf0deac874
SHA1e4f7f375b1e88dd71a0274a997ed5d9491bde068
SHA2566bcf6b84d71737787e3cc8d9d0eed9720f388cc2d0337832a7e8ca3c6f455a41
SHA5121bca98547ecf5a98d42b1d77cff50ca79ee560c893b2470aeb86887fef6e40a5ccdb72956f04a1d2a862827eebd3b7746e3043f3e6209597dcde9385ed55cc11
-
C:\Users\Admin\AppData\Local\Temp\2024-09-17_8799c59f0eb8cbb37c386c0d5a39d520_cobalt-strike_cobaltstrike_hijackloader_karagany_mafia_poet-rat_8d8af918-4995-41b3-89b1-7c23ebbc8b6c\fries.jpg
Filesize12KB
MD5c4d9d3cd21ef4de91abc95f99c4bc7dc
SHA1b2cf457237c44c824068727b8440fe6a352a360c
SHA2566fd1c3bde9a6a478e39d1cf2121e980c0bcf59454fe1673d707aa70170953bc9
SHA512d10fbb0bdfb30160484950aa58bd2f97c38cf2d0914550b4041c9acd273e8013920ef1ee74216f92437a44ab81111a4c70ed3dc2df680ee4d187c22557900ee7
-
C:\Users\Admin\AppData\Local\Temp\2024-09-17_8799c59f0eb8cbb37c386c0d5a39d520_cobalt-strike_cobaltstrike_hijackloader_karagany_mafia_poet-rat_8d8af918-4995-41b3-89b1-7c23ebbc8b6c\g_.exe
Filesize69KB
MD53cb72c753dd5e198792d1e0be81f7e2b
SHA18a55b72a998bf8362a12f68ee8c4801a5a24754c
SHA256be9d8772b360ca8054929e5f057413b69932ca8e521e6c696e0fb6b371e8cb97
SHA512008ed2e26fb4f41e9bb245130cc8f285744ccf737adeffc4c78cb11c03261f906cfd50b5b9e78f2c17dc2b8a01d83554e93f4960370064af87e84322cc78ee70
-
C:\Users\Admin\AppData\Local\Temp\2024-09-17_8799c59f0eb8cbb37c386c0d5a39d520_cobalt-strike_cobaltstrike_hijackloader_karagany_mafia_poet-rat_8d8af918-4995-41b3-89b1-7c23ebbc8b6c\gadget.msi
Filesize23.4MB
MD5906ad3937f0abd2e5383dc162340496b
SHA1d63fe621af79e1468ee0cf52e119ffd21775ca8a
SHA256821e33cf757bd01bec6703796c01726e6674b8de3bc1e7ea834318039e46909e
SHA512624d76f7905f57679b647cfc676aa8c55cac72d6baa60db7d5ae45662de5da55f856f64adca382b315810088e757903f6c051685fcc83fe330016a8a95754d79
-
C:\Users\Admin\AppData\Local\Temp\2024-09-17_8799c59f0eb8cbb37c386c0d5a39d520_cobalt-strike_cobaltstrike_hijackloader_karagany_mafia_poet-rat_8d8af918-4995-41b3-89b1-7c23ebbc8b6c\gx.exe
Filesize3.1MB
MD580bf3bf3b76c80235d24f7c698239089
SHA17f6071b502df985580e7c469c6d092472e355765
SHA2562b95e56af10406fbd3ecee38dab9e9c4a9b990d087f2ad2d7b1981c087829da2
SHA512076b8b6a80ea15738ce682cc715792546582d7a74f971f94f6b5b9cf8164f01280322baec7f72894ac4b8d63b9f2f6074e8fc5e47880ef6c0b57a47beef3581a
-
C:\Users\Admin\AppData\Local\Temp\2024-09-17_8799c59f0eb8cbb37c386c0d5a39d520_cobalt-strike_cobaltstrike_hijackloader_karagany_mafia_poet-rat_8d8af918-4995-41b3-89b1-7c23ebbc8b6c\i.exe
Filesize12KB
MD5cea5426da515d43c88132a133f83ce68
SHA10c224d0bb777f1e3b186fdf58cc82860d96805cc
SHA2562be7a0865ded1c0bd1f92d5e09bb7b37a9e36a40487a687e0359c93878611a78
SHA5124c1f25147222c84dff513bebf00e828719454ad634ef9380cfc7835f0457a718b4b437ecb60c1fa72a7f83fbb67e1ddfcd225194eedda77034c72f8c752c642c
-
C:\Users\Admin\AppData\Local\Temp\2024-09-17_8799c59f0eb8cbb37c386c0d5a39d520_cobalt-strike_cobaltstrike_hijackloader_karagany_mafia_poet-rat_8d8af918-4995-41b3-89b1-7c23ebbc8b6c\images.jpg
Filesize13KB
MD549f4fe0c8646909c7cf87adf68d896fd
SHA19193264c38e5ed9fa0f5be1d79f802cf946a74cf
SHA2569292dfcddc9e88e5dbc095ceeb83ce23400a3405a4d47fffc80656941c87d5ec
SHA5129df4db8c958110cea66f627170919346ed673d3c13aa55292484fc74ebac2864b0292cd4d66d35957b4b2740b2fe30ddfb9d9e04115d655fb58bf39e100d285e
-
C:\Users\Admin\AppData\Local\Temp\2024-09-17_8799c59f0eb8cbb37c386c0d5a39d520_cobalt-strike_cobaltstrike_hijackloader_karagany_mafia_poet-rat_8d8af918-4995-41b3-89b1-7c23ebbc8b6c\nuggets.webp
Filesize32KB
MD5e40209599b592630dcac551daeb6b849
SHA1851150b573f94f07e459c320d72505e52c3e74f0
SHA2563c9aefa00fb2073763e807a7eccac687dcc26598f68564e9f9cf9ffdcd90a2be
SHA5126da5895f2833a18ddb58ba4a9e78dd0b3047475cae248e974dc45d839f02c62772a6ba6dfe51dd9a37f29b7ec9780e799f60f0e476655006dec693164e17eec2
-
C:\Users\Admin\AppData\Local\Temp\2024-09-17_8799c59f0eb8cbb37c386c0d5a39d520_cobalt-strike_cobaltstrike_hijackloader_karagany_mafia_poet-rat_8d8af918-4995-41b3-89b1-7c23ebbc8b6c\rckdck.exe
Filesize6.2MB
MD5a79fb1a90fb3d92cf815f2c08d3ade6d
SHA125e5e553af5e2d21b5cfc70ba41afb65202f6fd5
SHA25643759b0c441fd4f71fe5eeb69f548cd2eb40ac0abfa02ea3afc44fbddf28dc16
SHA51282aa45337987c4f344361037c6ca8cf4fbf0fc1e5079ac03f54f3184354792965f6f3b28bd2ab7b511d21f29859e2832fc6b6122a49ddecde12afc7e26fd62dd
-
C:\Users\Admin\AppData\Local\Temp\2024-09-17_8799c59f0eb8cbb37c386c0d5a39d520_cobalt-strike_cobaltstrike_hijackloader_karagany_mafia_poet-rat_8d8af918-4995-41b3-89b1-7c23ebbc8b6c\stopwatch.exe
Filesize68KB
MD5338a4b68d3292aa22049a22e9292e2a2
SHA19595e6f6d5e18a3e71d623ac4012e7633b020b29
SHA256490d833205f9dfe4f1950d40c845489aa2d2039a77ab10473384986f8442ea6f
SHA51206bc6463b65508d050c945d5bf08078eecd6982c74c7bab2a6722b99523189d24f530c10c05577e0dbd5b46e896d472112d036023ef5e576e2a8f9401b8668a5
-
C:\Users\Admin\AppData\Local\Temp\2024-09-17_8799c59f0eb8cbb37c386c0d5a39d520_cobalt-strike_cobaltstrike_hijackloader_karagany_mafia_poet-rat_8d8af918-4995-41b3-89b1-7c23ebbc8b6c\t.exe
Filesize62KB
MD59e0c60453cdea093fa4c6762f9b1fda9
SHA102dfa74e42739c4e8a9a0534273f6a89b51f1dd3
SHA256269c6da90935306778f4f76005d1f00b49703f8819b60e2764cc14a5abc9a781
SHA512fc499cb6b98529c7a856c9ec7198f2a6d00d0c0d6b16e826913ab8dca2602f6700e3956749d3316484b94e6867f54cf99aa77f23375ea6c5ea75daa88c91aa96
-
C:\Users\Admin\AppData\Local\Temp\2024-09-17_8799c59f0eb8cbb37c386c0d5a39d520_cobalt-strike_cobaltstrike_hijackloader_karagany_mafia_poet-rat_8d8af918-4995-41b3-89b1-7c23ebbc8b6c\telamon.exe
Filesize2.3MB
MD56a80889e81911157ca27df5bc5ac2e09
SHA102ac28dd7124317e294fac847a05b69411c9cdb2
SHA2560b74c13914f712fce5bb41c25a443c4214a97792bdbb6fea05b98350901405ff
SHA512329ec105834f4531386090074994e5c4ddbdaf4cc4801956b675e258e9167f9e70cf31b8d636d119b59b57af0912decdc259d12999842008cec807a967c89aef
-
C:\Users\Admin\AppData\Local\Temp\2024-09-17_8799c59f0eb8cbb37c386c0d5a39d520_cobalt-strike_cobaltstrike_hijackloader_karagany_mafia_poet-rat_8d8af918-4995-41b3-89b1-7c23ebbc8b6c\ucrtbased.dll
Filesize1.7MB
MD5c3130cfb00549a5a92da60e7f79f5fc9
SHA156c2e8fb1af609525b0f732bb67b806bddab3752
SHA256eee42eabc546e5aa760f8df7105fcf505abffcb9ec4bf54398436303e407a3f8
SHA51229bab5b441484bdfac9ec21cd4f0f7454af05bfd7d77f7d4662aeaeaa0d3e25439d52aa341958e7896701546b4a607d3c7a32715386c78b746dfae8529a70748
-
C:\Users\Admin\AppData\Local\Temp\2024-09-17_8799c59f0eb8cbb37c386c0d5a39d520_cobalt-strike_cobaltstrike_hijackloader_karagany_mafia_poet-rat_8d8af918-4995-41b3-89b1-7c23ebbc8b6c\vcruntime140d.dll
Filesize130KB
MD5ee7fbf8768a87ea64ad4890540ce48f9
SHA1bcbc1ebd5a592c2df216d3211f309a79f9cd8a9b
SHA25603eafdf65d672994e592b8acc8a1276ccae1218a5cb9685b9aa6a5ffe1a855fe
SHA5120cbf346d46b5c0b09c1f3fb4837c8df662bf0c69de8c4ae292b994ec156c91b78dbaad733226d765b1ca3ee1695566dc90bf85086e438fa15b9eb32058abce80
-
Filesize
5.9MB
MD5640ed3115c855d32ee1731c54702eab7
SHA11ac749b52794cbadfec8d9219530e9a79fc9427c
SHA25629b4cabc7a0e9dffbc2395b976749be0aad88357dd3b1d7e0cfc9b0c645421a3
SHA512bebe55fdbb363b78c4a6371304f65b89e03a03cee5a8ebceee1681261d8df64a0de36888ed763c3a607ae2732ab54e2e41edb624f37a7fdf8755c40e6bb96f53
-
Filesize
232KB
MD555c310c0319260d798757557ab3bf636
SHA10892eb7ed31d8bb20a56c6835990749011a2d8de
SHA25654e7e0ad32a22b775131a6288f083ed3286a9a436941377fc20f85dd9ad983ed
SHA512e0082109737097658677d7963cbf28d412dca3fa8f5812c2567e53849336ce45ebae2c0430df74bfe16c0f3eebb46961bc1a10f32ca7947692a900162128ae57
-
Filesize
404KB
MD55b4c8e63be988b83b09e13e9d1d74bb9
SHA1bcb242f54ee83f232df6b871aebc0f3d44e434c6
SHA2568ae877bd5f45975d827280bee2e19021c3401b5ba069df0e556f6911798adb4d
SHA512a31f9e24a4a27847516808b24f312d4df6b865eb421f84d8d4fc022bdb309e08e5648c52c13772a48456c578f3771d232539c7d30132a82a08e8ebbabcbffa0b
-
Filesize
77B
MD5e107314aed6c701cf1a69b729aa68ea6
SHA1278946e4ac0f58a5c4c213dfa5f5603bf24c817a
SHA2561961601fb2b16817ac82ffd472243e112538d8214231c244a3e7395c0279ff4d
SHA5123af27b0d1e705a5cdcad140af9175763b992dc6413eb5ba4f16129a2cad1ec8bc71c05316d3391920aa2634a1aae41feb01214953051335032b7f1be51e884a6
-
Filesize
659KB
MD55aa68bb2bf3b994bda93834ad34e7963
SHA10156732d5dd48feacfab3aa07764061d73b9116c
SHA256a90bfd9874c3e60650dba4c286b97ccdb375a456b95556feb38f3cba214770aa
SHA512e52fecbba96aa911552ef0e11d5d044ec44caf6e0947f64c9a17b04d846a3e86d19e4dfa5ac981fc98d44f941fda3a697c1d23ac6e8ef162f4bcdde9142f22f7
-
Filesize
688KB
MD5c765336f0dcf4efdcc2101eed67cd30c
SHA1fa0279f59738c5aa3b6b20106e109ccd77f895a7
SHA256c5177fdc6031728e10141745cd69edbc91c92d14411a2dec6e8e8caa4f74ab28
SHA51206a67ac37c20897967e2cad453793a6ef1c7804d4c578404f845daa88c859b15b0acb51642e6ad23ca6ba6549b02d5f6c98b1fa402004bdbf9d646abab7ec891
-
Filesize
3.1MB
MD5292d91bef15a5a5d5f5c06425a96e0ee
SHA15f4400c94ceebf54825e94cb5d9f616850331e96
SHA256b6f6cbd03951a6feee4d4766443ce0b7623db000cbfe774146ee43f5a5831373
SHA5120aca0538ce4c94ef9a8008846add36f51db001905f6cdb373a0348094f11762269aaf92928c6761eb41b1b22cd045ece325b9cd71c67944a1e6c092a72fca200
-
Filesize
2.1MB
MD5d21ae3f86fc69c1580175b7177484fa7
SHA12ed2c1f5c92ff6daa5ea785a44a6085a105ae822
SHA256a6241f168cacb431bfcd4345dd77f87b378dd861b5d440ae8d3ffd17b9ceb450
SHA512eda08b6ebdb3f0a3b6b43ef755fc275396a8459b8fc8a41eff55473562c394d015e5fe573b3b134eeed72edff2b0f21a3b9ee69a4541fd9738e880b71730303f
-
Filesize
195KB
MD534939c7b38bffedbf9b9ed444d689bc9
SHA181d844048f7b11cafd7561b7242af56e92825697
SHA256b127f3e04429d9f841a03bfd9344a0450594004c770d397fb32a76f6b0eabed0
SHA512bc1b347986a5d2107ad03b65e4b9438530033975fb8cc0a63d8ef7d88c1a96f70191c727c902eb7c3e64aa5de9ce6bb04f829ceb627eda278f44ca3dd343a953
-
Filesize
127KB
MD52027121c3cdeb1a1f8a5f539d1fe2e28
SHA1bcf79f49f8fc4c6049f33748ded21ec3471002c2
SHA2561dae8b6de29f2cfc0745d9f2a245b9ecb77f2b272a5b43de1ba5971c43bf73a1
SHA5125b0d9966ecc08bcc2c127b2bd916617b8de2dcbdc28aff7b4b8449a244983bfbe33c56f5c4a53b7cf21faf1dbab4bb845a5894492e7e10f3f517071f7a59727c
-
Filesize
36KB
MD5f840a9ddd319ee8c3da5190257abde5b
SHA13e868939239a5c6ef9acae10e1af721e4f99f24b
SHA256ddb6c9f8de72ddd589f009e732040250b2124bca6195aa147aa7aac43fc2c73a
SHA5128e12391027af928e4f7dad1ec4ab83e8359b19a7eb0be0372d051dfd2dd643dc0dfa086bd345760a496e5630c17f53db22f6008ae665033b766cbfcdd930881a
-
Filesize
124KB
MD59618e15b04a4ddb39ed6c496575f6f95
SHA11c28f8750e5555776b3c80b187c5d15a443a7412
SHA256a4cd72e529e60b5f74c50e4e5b159efaf80625f23534dd15a28203760b8b28ab
SHA512f802582aa7510f6b950e3343b0560ffa9037c6d22373a6a33513637ab0f8e60ed23294a13ad8890935b02c64830b5232ba9f60d0c0fe90df02b5da30ecd7fa26
-
Filesize
160KB
MD5f310cf1ff562ae14449e0167a3e1fe46
SHA185c58afa9049467031c6c2b17f5c12ca73bb2788
SHA256e187946249cd390a3c1cf5d4e3b0d8f554f9acdc416bf4e7111fff217bb08855
SHA5121196371de08c964268c44103ccaed530bda6a145df98e0f480d8ee5ad58cb6fb33ca4c9195a52181fe864726dcf52e6a7a466d693af0cda43400a3a7ef125fad
-
Filesize
5.0MB
MD5199d82d11c3c57b35976685dd2c6135f
SHA1b95c80c6766745ca4049acd19d25e9e60d55871c
SHA256d1e83b9f571cdd8087d0ba5e2de31ad98ebf2c1156eea86de6ef8dea5fc2adcb
SHA512972db73c22a683a2a68043f53a388978b72f20b2c1411bc69b662b1e66c31dbcb60f142748c6960242da7c58dcabac46b056f6c612612d062b54e38dbf44c14b
-
Filesize
126KB
MD52597a829e06eb9616af49fcd8052b8bd
SHA1871801aba3a75f95b10701f31303de705cb0bc5a
SHA2567359ca1befdb83d480fc1149ac0e8e90354b5224db7420b14b2d96d87cd20a87
SHA5128e5552b2f6e1c531aaa9fd507aa53c6e3d2f1dd63fe19e6350c5b6fbb009c99d353bb064a9eba4c31af6a020b31c0cd519326d32db4c8b651b83952e265ffb35
-
Filesize
93KB
MD57b4bd3b8ad6e913952f8ed1ceef40cd4
SHA1b15c0b90247a5066bd06d094fa41a73f0f931cb8
SHA256a49d3e455d7aeca2032c30fc099bfad1b1424a2f55ec7bb0f6acbbf636214754
SHA512d7168f9504dd6bbac7ee566c3591bfd7ad4e55bcac463cecb70540197dfe0cd969af96d113c6709d6c8ce6e91f2f5f6542a95c1a149caa78ba4bcb971e0c12a2
-
Filesize
5.7MB
MD5f36f05628b515262db197b15c7065b40
SHA174a8005379f26dd0de952acab4e3fc5459cde243
SHA25667abd9e211b354fa222e7926c2876c4b3a7aca239c0af47c756ee1b6db6e6d31
SHA512280390b1cf1b6b1e75eaa157adaf89135963d366b48686d48921a654527f9c1505c195ca1fc16dc85b8f13b2994841ca7877a63af708883418a1d588afa3dbe8
-
Filesize
5.2MB
MD525b8b9d7456b10a98f7229affa2f8b3f
SHA1367b8ba69755bb2e3664c2e489d65e6acfbb0323
SHA256644ecf2359ff362d124156f1c835fba76ba686b373703cc06dcf550e7298e3c0
SHA51251976520575fb0fc13469957f4f2654575a7f80a8e18d360bdb4cf1aaaa58520e899c9c9f2e99527e7fec26f3f4046a1e43ae9528b5e35d361778bec8d0844d3