agenttesla | f2c9caab1000afabc5efa9e2b1d25ddfdbebe5d9166b6bff130a501ff27df2c1

Analysis

max time kernel
147s
max time network
140s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
17-09-2024 04:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-09-17_a36ccf5fb6bc5c1342371a21b33a6f0c_cobalt-strike_cobaltstrike_hijackloader_karagany_mafia_poet-rat.exe
Size

58.1MB
MD5

a36ccf5fb6bc5c1342371a21b33a6f0c
SHA1

2daefc8e9d7a3f7d461a9cc7a2a69e9c87667c83
SHA256

f2c9caab1000afabc5efa9e2b1d25ddfdbebe5d9166b6bff130a501ff27df2c1
SHA512

80f3c9e56cd1f9ba596c93a0742e5f56e7a44fdc678d9c3a19f0e90db9a81ed1ce09e159f61c57c566e47c428986f96bc29b7e1f71941c86961e3f43ab4dcc78
SSDEEP

1572864:TLOrJXzVj0mz3uu2etPQiWmoh8rb28CQG2Y:TLqJXBj0kuu3IDmnrb5Y

Score

10^/10

agenttesla cobaltstrike modiloader raccoon xmrig 2ca5558c9ec8037d24a611513d7bd076 backdoor bootkit credential_access discovery evasion execution keylogger miner persistence spyware stealer trojan upx

Malware Config

Extracted

Family

raccoon

Botnet

2ca5558c9ec8037d24a611513d7bd076

https://192.153.57.177:80

Attributes

user_agent
MrBidenNeverKnow

xor.plain

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.iaa-airferight.com
Port:
587
Username:
[email protected]
Password:
webmaster
Email To:
[email protected]

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

Cobalt Strike reflective loader 1 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral1/files/0x0008000000018c31-3220.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader
Raccoon
Raccoon is an infostealer written in C++ and first seen in 2019.
stealer raccoon

Raccoon Stealer V2 payload 3 IoCs

resource	yara_rule
behavioral1/memory/3808-3319-0x0000000000400000-0x0000000000416000-memory.dmp	family_raccoon_v2
behavioral1/memory/3808-3323-0x0000000000400000-0x0000000000416000-memory.dmp	family_raccoon_v2
behavioral1/memory/3808-3322-0x0000000000400000-0x0000000000416000-memory.dmp	family_raccoon_v2

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

ModiLoader Second Stage 2 IoCs

resource	yara_rule
behavioral1/memory/3568-3298-0x0000000002190000-0x00000000024E1000-memory.dmp	modiloader_stage2
behavioral1/memory/3400-3297-0x0000000000400000-0x0000000000451000-memory.dmp	modiloader_stage2

XMRig Miner payload 19 IoCs

miner

resource	yara_rule
behavioral1/memory/3724-3236-0x000000013FC70000-0x000000013FFC1000-memory.dmp	xmrig
behavioral1/memory/3944-3238-0x000000013F170000-0x000000013F4C1000-memory.dmp	xmrig
behavioral1/memory/3912-3258-0x000000013FE70000-0x00000001401C1000-memory.dmp	xmrig
behavioral1/memory/3568-3296-0x000000013F400000-0x000000013F751000-memory.dmp	xmrig
behavioral1/memory/608-3282-0x000000013F860000-0x000000013FBB1000-memory.dmp	xmrig
behavioral1/memory/3360-3262-0x000000013FA50000-0x000000013FDA1000-memory.dmp	xmrig
behavioral1/memory/3708-3237-0x000000013F1F0000-0x000000013F541000-memory.dmp	xmrig
behavioral1/memory/4548-3329-0x000000013F020000-0x000000013F371000-memory.dmp	xmrig
behavioral1/memory/952-3336-0x000000013FF10000-0x0000000140261000-memory.dmp	xmrig
behavioral1/memory/1140-3338-0x000000013FC30000-0x000000013FF81000-memory.dmp	xmrig
behavioral1/memory/4548-3397-0x000000013F020000-0x000000013F371000-memory.dmp	xmrig
behavioral1/memory/3944-3401-0x000000013F170000-0x000000013F4C1000-memory.dmp	xmrig
behavioral1/memory/3708-3403-0x000000013F1F0000-0x000000013F541000-memory.dmp	xmrig
behavioral1/memory/3724-3400-0x000000013FC70000-0x000000013FFC1000-memory.dmp	xmrig
behavioral1/memory/952-3406-0x000000013FF10000-0x0000000140261000-memory.dmp	xmrig
behavioral1/memory/1140-3408-0x000000013FC30000-0x000000013FF81000-memory.dmp	xmrig
behavioral1/memory/3912-3414-0x000000013FE70000-0x00000001401C1000-memory.dmp	xmrig
behavioral1/memory/608-3412-0x000000013F860000-0x000000013FBB1000-memory.dmp	xmrig
behavioral1/memory/3360-3410-0x000000013FA50000-0x000000013FDA1000-memory.dmp	xmrig

Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1708	powershell.exe
3860	powershell.exe
4072	powershell.exe
3716	powershell.exe
3916	powershell.exe

Manipulates Digital Signatures 1 TTPs 3 IoCs

Attackers can apply techniques such as changing the registry keys of authenticode & Cryptography to obtain their binary as valid.

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates\95AEC59446A064C31B9DC4EBAFA6842848CAE830\Blob = 0f0000000100000014000000dc80cb96b7724314598e085faf8693317c5eeab90200000001000000cc0000001c0000006c0000000100000000000000000000000000000001000000380063006400640063006400320030002d0031003200630063002d0034006200350065002d0061006500370066002d0038003800660062003800300038003200620063003900660000000000000000004d006900630072006f0073006f0066007400200045006e00680061006e006300650064002000430072007900700074006f0067007200610070006800690063002000500072006f00760069006400650072002000760031002e0030000000000003000000010000001400000095aec59446a064c31b9dc4ebafa6842848cae830200000000100000000030000308202fc308201e4a00302010202106175b8dfe61269be47947a72a3d55a22300d06092a864886f70d01010505003010310e300c0603550403130541646d696e3020170d3234303931373034303633325a180f32313234303832343034303633325a3010310e300c0603550403130541646d696e30820122300d06092a864886f70d01010105000382010f003082010a02820101009663fc6797a34e055101333c9c00b34dd02e1b88f3805b0d21e4f285ddffd842f21047ca3e2dc97317054dcfa194aad9fb8a34fbf4ab55fcb313625da8187a55debda2436fd7c27f8e9cc2b9add66c409d99d6fbe080e08bb7bdb19d4c174163e6b53233f96e3c352e1b77df8834dd62ebc62d69f81739ffefe30f91738e824923a058f18b8d63e9b1db24e4b3528b1dd1c20c1793a461e35164c73184079844a2af9470f7a17a1b1d25985a7e7f8a6ff2d4a7703aa4f41239c38938cde914fcac2dfee30f7b8e675c1f0158aff6bfc179d74c5b53c5fee451999b2fbeb53294b7f733a457a09b201ba708d6cfaf44d047096efda21b2df06e49bc748db8febf0203010001a350304e30150603551d25040e300c060a2b0601040182370a0304302a0603551d1104233021a01f060a2b060104018237140203a0110c0f41646d696e404d555944444949530030090603551d1304023000300d06092a864886f70d010105050003820101002abbec417d1a1c799e8e05d430dc2ee5f8a7d1cca63ef2038fb3652419ae0de9c54306b03858d86da67c1680ea2e610ca62af486128fbf46e3a4b0ea31931e7893bc61791197bb63b0ad8b981f39d0ff2ad725eb19afee7568ef13003a13e4e01597241bab5b34b23e5f41b84e2f1a76ac915f562a0269dfc8d6daca524a7aefd8a7994bcbf28c9c366d38636c1eeddf8a31de828ea5b54b27c6d7c09e2945fd772157db28b251e1dfaef2e8b42cd0e0d13c0029f59db378dd44a74680686631b81c93b45e1bcbdefaf94d7a1f0e71d75cf18c3b3a13a0aa51dbb0ef8ac394b9f84a18d668d64169eb98459656b6e5954108bc8593482df6245a766c0fb0d753	IEXPLORE.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates\95AEC59446A064C31B9DC4EBAFA6842848CAE830\Blob = 0f0000000100000014000000dc80cb96b7724314598e085faf8693317c5eeab903000000010000001400000095aec59446a064c31b9dc4ebafa6842848cae830200000000100000000030000308202fc308201e4a00302010202106175b8dfe61269be47947a72a3d55a22300d06092a864886f70d01010505003010310e300c0603550403130541646d696e3020170d3234303931373034303633325a180f32313234303832343034303633325a3010310e300c0603550403130541646d696e30820122300d06092a864886f70d01010105000382010f003082010a02820101009663fc6797a34e055101333c9c00b34dd02e1b88f3805b0d21e4f285ddffd842f21047ca3e2dc97317054dcfa194aad9fb8a34fbf4ab55fcb313625da8187a55debda2436fd7c27f8e9cc2b9add66c409d99d6fbe080e08bb7bdb19d4c174163e6b53233f96e3c352e1b77df8834dd62ebc62d69f81739ffefe30f91738e824923a058f18b8d63e9b1db24e4b3528b1dd1c20c1793a461e35164c73184079844a2af9470f7a17a1b1d25985a7e7f8a6ff2d4a7703aa4f41239c38938cde914fcac2dfee30f7b8e675c1f0158aff6bfc179d74c5b53c5fee451999b2fbeb53294b7f733a457a09b201ba708d6cfaf44d047096efda21b2df06e49bc748db8febf0203010001a350304e30150603551d25040e300c060a2b0601040182370a0304302a0603551d1104233021a01f060a2b060104018237140203a0110c0f41646d696e404d555944444949530030090603551d1304023000300d06092a864886f70d010105050003820101002abbec417d1a1c799e8e05d430dc2ee5f8a7d1cca63ef2038fb3652419ae0de9c54306b03858d86da67c1680ea2e610ca62af486128fbf46e3a4b0ea31931e7893bc61791197bb63b0ad8b981f39d0ff2ad725eb19afee7568ef13003a13e4e01597241bab5b34b23e5f41b84e2f1a76ac915f562a0269dfc8d6daca524a7aefd8a7994bcbf28c9c366d38636c1eeddf8a31de828ea5b54b27c6d7c09e2945fd772157db28b251e1dfaef2e8b42cd0e0d13c0029f59db378dd44a74680686631b81c93b45e1bcbdefaf94d7a1f0e71d75cf18c3b3a13a0aa51dbb0ef8ac394b9f84a18d668d64169eb98459656b6e5954108bc8593482df6245a766c0fb0d753	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates\95AEC59446A064C31B9DC4EBAFA6842848CAE830\Blob = 0f0000000100000014000000dc80cb96b7724314598e085faf8693317c5eeab903000000010000001400000095aec59446a064c31b9dc4ebafa6842848cae8300200000001000000cc0000001c0000006c0000000100000000000000000000000000000001000000380063006400640063006400320030002d0031003200630063002d0034006200350065002d0061006500370066002d0038003800660062003800300038003200620063003900660000000000000000004d006900630072006f0073006f0066007400200045006e00680061006e006300650064002000430072007900700074006f0067007200610070006800690063002000500072006f00760069006400650072002000760031002e00300000000000200000000100000000030000308202fc308201e4a00302010202106175b8dfe61269be47947a72a3d55a22300d06092a864886f70d01010505003010310e300c0603550403130541646d696e3020170d3234303931373034303633325a180f32313234303832343034303633325a3010310e300c0603550403130541646d696e30820122300d06092a864886f70d01010105000382010f003082010a02820101009663fc6797a34e055101333c9c00b34dd02e1b88f3805b0d21e4f285ddffd842f21047ca3e2dc97317054dcfa194aad9fb8a34fbf4ab55fcb313625da8187a55debda2436fd7c27f8e9cc2b9add66c409d99d6fbe080e08bb7bdb19d4c174163e6b53233f96e3c352e1b77df8834dd62ebc62d69f81739ffefe30f91738e824923a058f18b8d63e9b1db24e4b3528b1dd1c20c1793a461e35164c73184079844a2af9470f7a17a1b1d25985a7e7f8a6ff2d4a7703aa4f41239c38938cde914fcac2dfee30f7b8e675c1f0158aff6bfc179d74c5b53c5fee451999b2fbeb53294b7f733a457a09b201ba708d6cfaf44d047096efda21b2df06e49bc748db8febf0203010001a350304e30150603551d25040e300c060a2b0601040182370a0304302a0603551d1104233021a01f060a2b060104018237140203a0110c0f41646d696e404d555944444949530030090603551d1304023000300d06092a864886f70d010105050003820101002abbec417d1a1c799e8e05d430dc2ee5f8a7d1cca63ef2038fb3652419ae0de9c54306b03858d86da67c1680ea2e610ca62af486128fbf46e3a4b0ea31931e7893bc61791197bb63b0ad8b981f39d0ff2ad725eb19afee7568ef13003a13e4e01597241bab5b34b23e5f41b84e2f1a76ac915f562a0269dfc8d6daca524a7aefd8a7994bcbf28c9c366d38636c1eeddf8a31de828ea5b54b27c6d7c09e2945fd772157db28b251e1dfaef2e8b42cd0e0d13c0029f59db378dd44a74680686631b81c93b45e1bcbdefaf94d7a1f0e71d75cf18c3b3a13a0aa51dbb0ef8ac394b9f84a18d668d64169eb98459656b6e5954108bc8593482df6245a766c0fb0d753	IEXPLORE.EXE

Sets file to hidden 1 TTPs 1 IoCs

Modifies file attributes to stop it showing in Explorer etc.

evasion

Hidden Files and Directories

T1564.001

pid	Process
1420	attrib.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Control Panel\International\Geo\Nation	avg.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Control Panel\International\Geo\Nation	ajB129.exe

Executes dropped EXE 48 IoCs

pid	Process
2716	anti.exe
2420	butdes.exe
2860	flydes.exe
1940	i.exe
556	flydes.tmp
584	butdes.tmp
1636	gx.exe
1944	bundle.exe
2728	rckdck.exe
2884	avg.exe
1736	is-N1Q2R.tmp
2872	telamon.exe
2836	stopwatch.exe
2816	g_.exe
2312	telamon.tmp
2056	t.exe
1916	e.exe
2136	g.exe
112	setup.exe
1008	Bootstraper.exe
4660	tt-installer-helper.exe
4812	tt-installer-helper.exe
4900	ajB129.exe
3568	cobstrk.exe
3400	jaf.exe
3640	PurchaseOrder.exe
3576	file.exe
4548	mPNkzDG.exe
3724	wueABeN.exe
3708	olrPwLC.exe
3944	CDZogjv.exe
952	paMTKzJ.exe
1140	kYUyQmW.exe
3912	ERiMfdf.exe
3360	iDEbkMm.exe
608	DgMoFtt.exe
3432	bsLKdwC.exe
4036	ZvpHgFR.exe
4080	AWBnmQX.exe
3608	JQPjWMx.exe
3904	vZXbtGz.exe
3984	yhLyiOc.exe
2984	POhExWi.exe
4024	xUBlPYQ.exe
2400	CYjglip.exe
4016	CsKYEFb.exe
4496	WcBJknS.exe
4116	BDLEBAE.exe

Loads dropped DLL 64 IoCs

pid	Process
2840	cmd.exe
2840	cmd.exe
2840	cmd.exe
2840	cmd.exe
2840	cmd.exe
2860	flydes.exe
2420	butdes.exe
2840	cmd.exe
2840	cmd.exe
2840	cmd.exe
2840	cmd.exe
2728	rckdck.exe
2884	avg.exe
2840	cmd.exe
2884	avg.exe
2840	cmd.exe
2872	telamon.exe
2840	cmd.exe
2840	cmd.exe
2056	t.exe
2840	cmd.exe
2448	Process not Found
2884	avg.exe
2840	cmd.exe
1916	e.exe
1916	e.exe
2056	t.exe
2136	g.exe
2136	g.exe
2816	g_.exe
2816	g_.exe
2312	telamon.tmp
2884	avg.exe
2840	cmd.exe
2884	avg.exe
2884	avg.exe
1812	cmd.exe
4732	cmd.exe
2884	avg.exe
4900	ajB129.exe
4900	ajB129.exe
4900	ajB129.exe
4900	ajB129.exe
4900	ajB129.exe
4900	ajB129.exe
4900	ajB129.exe
4900	ajB129.exe
3100	WerFault.exe
3100	WerFault.exe
3100	WerFault.exe
3100	WerFault.exe
2840	cmd.exe
2840	cmd.exe
2840	cmd.exe
2840	cmd.exe
2840	cmd.exe
3640	PurchaseOrder.exe
3640	PurchaseOrder.exe
3640	PurchaseOrder.exe
2180	conhost.exe
3568	cobstrk.exe
3568	cobstrk.exe
3568	cobstrk.exe
3568	cobstrk.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 24 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/3568-3199-0x000000013F400000-0x000000013F751000-memory.dmp	upx
behavioral1/memory/4548-3227-0x000000013F020000-0x000000013F371000-memory.dmp	upx
behavioral1/files/0x0008000000018c31-3220.dat	upx
behavioral1/memory/3724-3236-0x000000013FC70000-0x000000013FFC1000-memory.dmp	upx
behavioral1/memory/3944-3238-0x000000013F170000-0x000000013F4C1000-memory.dmp	upx
behavioral1/memory/952-3245-0x000000013FF10000-0x0000000140261000-memory.dmp	upx
behavioral1/memory/3912-3258-0x000000013FE70000-0x00000001401C1000-memory.dmp	upx
behavioral1/memory/3568-3296-0x000000013F400000-0x000000013F751000-memory.dmp	upx
behavioral1/memory/608-3282-0x000000013F860000-0x000000013FBB1000-memory.dmp	upx
behavioral1/memory/3360-3262-0x000000013FA50000-0x000000013FDA1000-memory.dmp	upx
behavioral1/memory/1140-3250-0x000000013FC30000-0x000000013FF81000-memory.dmp	upx
behavioral1/memory/3708-3237-0x000000013F1F0000-0x000000013F541000-memory.dmp	upx
behavioral1/memory/4548-3329-0x000000013F020000-0x000000013F371000-memory.dmp	upx
behavioral1/memory/952-3336-0x000000013FF10000-0x0000000140261000-memory.dmp	upx
behavioral1/memory/1140-3338-0x000000013FC30000-0x000000013FF81000-memory.dmp	upx
behavioral1/memory/4548-3397-0x000000013F020000-0x000000013F371000-memory.dmp	upx
behavioral1/memory/3944-3401-0x000000013F170000-0x000000013F4C1000-memory.dmp	upx
behavioral1/memory/3708-3403-0x000000013F1F0000-0x000000013F541000-memory.dmp	upx
behavioral1/memory/3724-3400-0x000000013FC70000-0x000000013FFC1000-memory.dmp	upx
behavioral1/memory/952-3406-0x000000013FF10000-0x0000000140261000-memory.dmp	upx
behavioral1/memory/1140-3408-0x000000013FC30000-0x000000013FF81000-memory.dmp	upx
behavioral1/memory/3912-3414-0x000000013FE70000-0x00000001401C1000-memory.dmp	upx
behavioral1/memory/608-3412-0x000000013F860000-0x000000013FBB1000-memory.dmp	upx
behavioral1/memory/3360-3410-0x000000013FA50000-0x000000013FDA1000-memory.dmp	upx

Checks for any installed AV software in registry 1 TTPs 4 IoCs

Security Software Discovery

T1518.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\AVAST Software\Avast	ajB129.exe
Key opened	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\SOFTWARE\AVAST Software\Avast	ajB129.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\AVAST Software\Avast	avg.exe
Key opened	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\SOFTWARE\AVAST Software\Avast	avg.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	jaf.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
85	api.ipify.org
86	api.ipify.org

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	ajB129.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 3576 set thread context of 3808	3576	file.exe	420
PID 3640 set thread context of 4368	3640	PurchaseOrder.exe	446

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\images\square_m.png	msiexec.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\3.png	msiexec.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\settings_left_pressed.png	msiexec.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\images\flower.png	msiexec.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\images\modern.png	msiexec.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\1.png	msiexec.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\images\prev_rest.png	msiexec.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\settings.ini	msiexec.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\images\novelty_dot.png	msiexec.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\images\settings_divider.png	msiexec.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\images\Tulip.jpg	msiexec.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\images\dial_lrg_sml.png	msiexec.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\images\buttonDown_Off.png	msiexec.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\images\modern_settings.png	msiexec.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\images\settings_right_hover.png	msiexec.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\images\novelty_m.png	msiexec.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\images\settings_box_top.png	msiexec.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\settings_divider_left.png	msiexec.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\images\rss_headline_glow_floating.png	msiexec.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\images\bg-dock.png	msiexec.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\images\bPrev-disable.png	msiexec.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\images\in_sidebar\slideshow_glass_frame.png	msiexec.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\settings_box_divider_left.png	msiexec.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\settings_corner_top_right.png	msiexec.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\images\reveal_hov.png	msiexec.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\images\flower_h.png	msiexec.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\images\settings_divider_right.png	msiexec.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\glow.png	msiexec.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\settings_divider_right.png	msiexec.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\images\bg-today.png	msiexec.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\images\square_h.png	msiexec.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\images\calendar_single_orange.png	msiexec.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\8.png	msiexec.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\images\bNext-down.png	msiexec.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\images\modern_m.png	msiexec.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\images\novelty_settings.png	msiexec.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\settings_left_hover.png	msiexec.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\2.png	msiexec.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\9.png	msiexec.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\settings_box_top.png	msiexec.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\images\settings_corner_bottom_right.png	msiexec.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\images\back_lrg.png	msiexec.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\images\on_desktop\slideshow_glass_frame.png	msiexec.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\images\calendar_ring_docked.png	msiexec.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\images\square.png	msiexec.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\images\settings_box_left.png	msiexec.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\images\settings_right_pressed.png	msiexec.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\images\next_down.png	msiexec.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\images\settings_corner_top_right.png	msiexec.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\icon.png	msiexec.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\hint_over.png	msiexec.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\images\cronometer.png	msiexec.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\images\novelty.png	msiexec.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\images\system.png	msiexec.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\settings_right_pressed.png	msiexec.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\images\calendar_single.png	msiexec.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\icon.png	msiexec.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\images\buttonDown_On.png	msiexec.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\images\buttonUp_On.png	msiexec.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\images\settings_box_divider_right.png	msiexec.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\images\settings_left_disabled.png	msiexec.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\images\square_s.png	msiexec.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\images\system_s.png	msiexec.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\settings_left_disabled.png	msiexec.exe

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\vZXbtGz.exe	cobstrk.exe
File created	C:\Windows\System\CsKYEFb.exe	cobstrk.exe
File created	C:\Windows\System\BDLEBAE.exe	cobstrk.exe
File created	C:\Windows\System\CDZogjv.exe	cobstrk.exe
File created	C:\Windows\System\JQPjWMx.exe	cobstrk.exe
File created	C:\Windows\System\bsLKdwC.exe	cobstrk.exe
File created	C:\Windows\System\POhExWi.exe	cobstrk.exe
File created	C:\Windows\System\WcBJknS.exe	cobstrk.exe
File created	C:\Windows\System\wueABeN.exe	cobstrk.exe
File created	C:\Windows\System\olrPwLC.exe	cobstrk.exe
File created	C:\Windows\System\ZvpHgFR.exe	cobstrk.exe
File created	C:\Windows\System\xUBlPYQ.exe	cobstrk.exe
File created	C:\Windows\System\paMTKzJ.exe	cobstrk.exe
File created	C:\Windows\System\DgMoFtt.exe	cobstrk.exe
File created	C:\Windows\System\ERiMfdf.exe	cobstrk.exe
File created	C:\Windows\System\iDEbkMm.exe	cobstrk.exe
File created	C:\Windows\System\yhLyiOc.exe	cobstrk.exe
File created	C:\Windows\System\AWBnmQX.exe	cobstrk.exe
File created	C:\Windows\System\CYjglip.exe	cobstrk.exe
File created	C:\Windows\System\mPNkzDG.exe	cobstrk.exe
File created	C:\Windows\System\kYUyQmW.exe	cobstrk.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3100	1008	WerFault.exe	127

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	file.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	butdes.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rckdck.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ajB129.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-09-17_a36ccf5fb6bc5c1342371a21b33a6f0c_cobalt-strike_cobaltstrike_hijackloader_karagany_mafia_poet-rat.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tt-installer-helper.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe

Delays execution with timeout.exe 2 IoCs

evasion

pid	Process
2192	timeout.exe
3460	timeout.exe

Kills process with taskkill 64 IoCs

evasion

pid	Process
1164	taskkill.exe
2820	taskkill.exe
3592	taskkill.exe
3364	taskkill.exe
1000	taskkill.exe
1480	taskkill.exe
4264	taskkill.exe
4408	taskkill.exe
4796	taskkill.exe
3652	taskkill.exe
3124	taskkill.exe
4436	taskkill.exe
4136	taskkill.exe
2796	taskkill.exe
4580	taskkill.exe
2252	taskkill.exe
1732	taskkill.exe
2012	taskkill.exe
4992	taskkill.exe
3048	taskkill.exe
3760	taskkill.exe
2248	taskkill.exe
2136	taskkill.exe
5012	taskkill.exe
4464	taskkill.exe
3444	taskkill.exe
2928	taskkill.exe
1804	taskkill.exe
2304	taskkill.exe
3740	taskkill.exe
112	taskkill.exe
960	taskkill.exe
3328	taskkill.exe
3160	taskkill.exe
3080	taskkill.exe
932	taskkill.exe
4980	taskkill.exe
4596	taskkill.exe
1532	taskkill.exe
4764	taskkill.exe
5024	taskkill.exe
2724	taskkill.exe
3992	taskkill.exe
4396	taskkill.exe
3796	taskkill.exe
3916	taskkill.exe
1500	taskkill.exe
480	taskkill.exe
4772	taskkill.exe
4496	taskkill.exe
3244	taskkill.exe
3108	taskkill.exe
1796	taskkill.exe
2804	taskkill.exe
1592	taskkill.exe
4084	taskkill.exe
2780	taskkill.exe
4828	taskkill.exe
4312	taskkill.exe
3684	taskkill.exe
4908	taskkill.exe
1936	taskkill.exe
3252	taskkill.exe
3288	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 39 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000e337bacba951544a9a832c52e69bfb000000000002000000000010660000000100002000000098dbee9eaf6da2388d37cd08b069729a731669bccff2de184d503432119110df000000000e800000000200002000000042eba2a1765cbd07420b593b054584eedc5254268a2a26cb1fc7acdfc10d283a20000000abf2973e28482c729f3c270ac88da3c1f634e7a382f907386bcd52ac18c92da2400000004991de7420e8df767488c2d35547e2d54f18ad7c1b852f9d5382caf0470618977f1d7d716ddc42208cb1a092f03ba2026958c301624942878107b0cfbfd51af4	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = b0f4e1ffb608db01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000e337bacba951544a9a832c52e69bfb000000000002000000000010660000000100002000000036970f691ba39e2f2c74a56a710c41e98b9384c8baae345e2becb042b8d64d8b000000000e80000000020000200000002987adfdbc7bb7ef264f0b1271fb79763bc7905a7c42728d5898747987239c8e9000000028fdd151962550600fd10cea750ee0cf3a99b8617e69ecdcba5db4ad98eb63f4a55c2de43957b83494d7ec99dc4ef98e55f80202829010db9093c0dce9021f86695a107aa0e02b43b39d440a4011fdf7128580438675b05db9718acfa137bc5751809d3515270aff82ea963070f60cb329c8aee6eafe8d49a5c10acbd10ad617b80721354811ce12a606b6481ce099cb400000001f315f5b34a832cdc60c7b8ecb45e4d649cd2021a99df986bf4b2465becf799ec18c1b4eb0ad33a22a4090a428e5966924b0290c122caf20bfe7bcfaee7db3de	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{394A55D1-74AA-11EF-A817-DAEE53C76889} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "432707860"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe

Modifies registry class 19 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\NodeSlot = "1"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\KnownFolderDerivedFolderType = "{57807898-8C4F-4462-BB63-71042380B109}"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Generic"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_Classes\Local Settings	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 19002f433a5c000000000000000000000000000000000000000000	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = ffffffff	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	IEXPLORE.EXE

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	ajB129.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	ajB129.exe

Opens file in notepad (likely ransom note) 2 IoCs

ransomware

pid	Process
3444	notepad.exe
3076	NOTEPAD.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3508	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2884	avg.exe
2884	avg.exe
2884	avg.exe
2884	avg.exe
2884	avg.exe
2884	avg.exe
2884	avg.exe
2884	avg.exe
2884	avg.exe
2884	avg.exe
2884	avg.exe
2884	avg.exe
2884	avg.exe
2884	avg.exe
2884	avg.exe
4900	ajB129.exe
2884	avg.exe
2884	avg.exe
4900	ajB129.exe
4900	ajB129.exe
4900	ajB129.exe
4900	ajB129.exe
4900	ajB129.exe
4900	ajB129.exe
4900	ajB129.exe
4900	ajB129.exe
4900	ajB129.exe
2884	avg.exe
2884	avg.exe
2884	avg.exe
2884	avg.exe
2884	avg.exe
2884	avg.exe
2884	avg.exe
2884	avg.exe
2884	avg.exe
2884	avg.exe
2884	avg.exe
2884	avg.exe
2884	avg.exe
2884	avg.exe
2884	avg.exe
2884	avg.exe
2884	avg.exe
2884	avg.exe
2884	avg.exe
2884	avg.exe
2884	avg.exe
2884	avg.exe
2884	avg.exe
2884	avg.exe
2884	avg.exe
2884	avg.exe
2884	avg.exe
2884	avg.exe
2884	avg.exe
2884	avg.exe
2884	avg.exe
2884	avg.exe
2884	avg.exe
2884	avg.exe
2884	avg.exe
2884	avg.exe
2884	avg.exe

Suspicious behavior: GetForegroundWindowSpam 6 IoCs

pid	Process
556	flydes.tmp
584	butdes.tmp
1944	bundle.exe
1736	is-N1Q2R.tmp
2312	telamon.tmp
2816	g_.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2616	taskkill.exe
Token: SeDebugPrivilege	1760	taskkill.exe
Token: SeDebugPrivilege	1480	taskkill.exe
Token: SeDebugPrivilege	932	taskkill.exe
Token: SeDebugPrivilege	2248	taskkill.exe
Token: SeDebugPrivilege	2012	taskkill.exe
Token: SeDebugPrivilege	1944	taskkill.exe
Token: SeDebugPrivilege	2448	taskkill.exe
Token: SeDebugPrivilege	1164	taskkill.exe
Token: SeDebugPrivilege	2780	taskkill.exe
Token: SeDebugPrivilege	2480	taskkill.exe
Token: SeDebugPrivilege	684	taskkill.exe
Token: SeDebugPrivilege	2804	taskkill.exe
Token: SeDebugPrivilege	2304	taskkill.exe
Token: SeDebugPrivilege	1420	taskkill.exe
Token: 33	2348	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2348	AUDIODG.EXE
Token: 33	2348	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2348	AUDIODG.EXE
Token: SeDebugPrivilege	112	taskkill.exe
Token: SeDebugPrivilege	3028	taskkill.exe
Token: SeDebugPrivilege	1632	taskkill.exe
Token: SeDebugPrivilege	2276	taskkill.exe
Token: SeDebugPrivilege	1000	taskkill.exe
Token: SeDebugPrivilege	2660	taskkill.exe
Token: SeDebugPrivilege	960	taskkill.exe
Token: SeDebugPrivilege	2440	taskkill.exe
Token: SeDebugPrivilege	1560	taskkill.exe
Token: SeDebugPrivilege	1932	taskkill.exe
Token: SeDebugPrivilege	1384	taskkill.exe
Token: SeDebugPrivilege	2892	taskkill.exe
Token: SeDebugPrivilege	2776	taskkill.exe
Token: SeDebugPrivilege	2056	taskkill.exe
Token: SeDebugPrivilege	1572	taskkill.exe
Token: SeDebugPrivilege	1796	taskkill.exe
Token: SeDebugPrivilege	1732	taskkill.exe
Token: SeDebugPrivilege	1632	taskkill.exe
Token: SeDebugPrivilege	2224	taskkill.exe
Token: SeDebugPrivilege	2724	taskkill.exe
Token: SeDebugPrivilege	2796	taskkill.exe
Token: SeDebugPrivilege	2896	taskkill.exe
Token: SeDebugPrivilege	1936	taskkill.exe
Token: SeDebugPrivilege	2252	taskkill.exe
Token: SeDebugPrivilege	1944	taskkill.exe
Token: SeDebugPrivilege	2604	taskkill.exe
Token: SeDebugPrivilege	2616	taskkill.exe
Token: SeDebugPrivilege	1492	taskkill.exe
Token: SeDebugPrivilege	2180	taskkill.exe
Token: SeDebugPrivilege	1680	taskkill.exe
Token: SeDebugPrivilege	2808	taskkill.exe
Token: SeDebugPrivilege	2928	taskkill.exe
Token: SeDebugPrivilege	2820	taskkill.exe
Token: SeDebugPrivilege	480	taskkill.exe
Token: SeDebugPrivilege	2924	taskkill.exe
Token: SeDebugPrivilege	336	taskkill.exe
Token: SeDebugPrivilege	2632	taskkill.exe
Token: SeDebugPrivilege	2136	taskkill.exe
Token: SeDebugPrivilege	2396	taskkill.exe
Token: SeDebugPrivilege	1932	taskkill.exe
Token: SeDebugPrivilege	1952	taskkill.exe
Token: SeDebugPrivilege	2040	taskkill.exe
Token: SeDebugPrivilege	2176	taskkill.exe
Token: SeDebugPrivilege	2104	taskkill.exe
Token: SeDebugPrivilege	2304	taskkill.exe

Suspicious use of FindShellTrayWindow 16 IoCs

pid	Process
2648	efsui.exe
2716	anti.exe
1048	iexplore.exe
1048	iexplore.exe
1048	iexplore.exe
1048	iexplore.exe
1048	iexplore.exe
1048	iexplore.exe
1048	iexplore.exe
1048	iexplore.exe
2836	stopwatch.exe
2372	msiexec.exe
1048	iexplore.exe
1048	iexplore.exe
1048	iexplore.exe
1048	iexplore.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
2648	efsui.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
1048	iexplore.exe
1048	iexplore.exe
984	IEXPLORE.EXE
984	IEXPLORE.EXE
2884	avg.exe
1712	IEXPLORE.EXE
1712	IEXPLORE.EXE
4900	ajB129.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2904 wrote to memory of 2840	2904	2024-09-17_a36ccf5fb6bc5c1342371a21b33a6f0c_cobalt-strike_cobaltstrike_hijackloader_karagany_mafia_poet-rat.exe	29
PID 2904 wrote to memory of 2840	2904	2024-09-17_a36ccf5fb6bc5c1342371a21b33a6f0c_cobalt-strike_cobaltstrike_hijackloader_karagany_mafia_poet-rat.exe	29
PID 2904 wrote to memory of 2840	2904	2024-09-17_a36ccf5fb6bc5c1342371a21b33a6f0c_cobalt-strike_cobaltstrike_hijackloader_karagany_mafia_poet-rat.exe	29
PID 2904 wrote to memory of 2840	2904	2024-09-17_a36ccf5fb6bc5c1342371a21b33a6f0c_cobalt-strike_cobaltstrike_hijackloader_karagany_mafia_poet-rat.exe	29
PID 2840 wrote to memory of 2716	2840	cmd.exe	31
PID 2840 wrote to memory of 2716	2840	cmd.exe	31
PID 2840 wrote to memory of 2716	2840	cmd.exe	31
PID 2840 wrote to memory of 2716	2840	cmd.exe	31
PID 2840 wrote to memory of 2172	2840	cmd.exe	32
PID 2840 wrote to memory of 2172	2840	cmd.exe	32
PID 2840 wrote to memory of 2172	2840	cmd.exe	32
PID 2840 wrote to memory of 2172	2840	cmd.exe	32
PID 2840 wrote to memory of 2752	2840	cmd.exe	34
PID 2840 wrote to memory of 2752	2840	cmd.exe	34
PID 2840 wrote to memory of 2752	2840	cmd.exe	34
PID 2840 wrote to memory of 2752	2840	cmd.exe	34
PID 2172 wrote to memory of 2616	2172	cmd.exe	35
PID 2172 wrote to memory of 2616	2172	cmd.exe	35
PID 2172 wrote to memory of 2616	2172	cmd.exe	35
PID 2172 wrote to memory of 2616	2172	cmd.exe	35
PID 2840 wrote to memory of 2588	2840	cmd.exe	37
PID 2840 wrote to memory of 2588	2840	cmd.exe	37
PID 2840 wrote to memory of 2588	2840	cmd.exe	37
PID 2840 wrote to memory of 2588	2840	cmd.exe	37
PID 2172 wrote to memory of 1760	2172	cmd.exe	39
PID 2172 wrote to memory of 1760	2172	cmd.exe	39
PID 2172 wrote to memory of 1760	2172	cmd.exe	39
PID 2172 wrote to memory of 1760	2172	cmd.exe	39
PID 2172 wrote to memory of 1480	2172	cmd.exe	40
PID 2172 wrote to memory of 1480	2172	cmd.exe	40
PID 2172 wrote to memory of 1480	2172	cmd.exe	40
PID 2172 wrote to memory of 1480	2172	cmd.exe	40
PID 2172 wrote to memory of 932	2172	cmd.exe	41
PID 2172 wrote to memory of 932	2172	cmd.exe	41
PID 2172 wrote to memory of 932	2172	cmd.exe	41
PID 2172 wrote to memory of 932	2172	cmd.exe	41
PID 2172 wrote to memory of 2248	2172	cmd.exe	42
PID 2172 wrote to memory of 2248	2172	cmd.exe	42
PID 2172 wrote to memory of 2248	2172	cmd.exe	42
PID 2172 wrote to memory of 2248	2172	cmd.exe	42
PID 2172 wrote to memory of 2012	2172	cmd.exe	43
PID 2172 wrote to memory of 2012	2172	cmd.exe	43
PID 2172 wrote to memory of 2012	2172	cmd.exe	43
PID 2172 wrote to memory of 2012	2172	cmd.exe	43
PID 2172 wrote to memory of 1944	2172	cmd.exe	44
PID 2172 wrote to memory of 1944	2172	cmd.exe	44
PID 2172 wrote to memory of 1944	2172	cmd.exe	44
PID 2172 wrote to memory of 1944	2172	cmd.exe	44
PID 2172 wrote to memory of 2448	2172	cmd.exe	45
PID 2172 wrote to memory of 2448	2172	cmd.exe	45
PID 2172 wrote to memory of 2448	2172	cmd.exe	45
PID 2172 wrote to memory of 2448	2172	cmd.exe	45
PID 2172 wrote to memory of 1164	2172	cmd.exe	46
PID 2172 wrote to memory of 1164	2172	cmd.exe	46
PID 2172 wrote to memory of 1164	2172	cmd.exe	46
PID 2172 wrote to memory of 1164	2172	cmd.exe	46
PID 2172 wrote to memory of 2780	2172	cmd.exe	47
PID 2172 wrote to memory of 2780	2172	cmd.exe	47
PID 2172 wrote to memory of 2780	2172	cmd.exe	47
PID 2172 wrote to memory of 2780	2172	cmd.exe	47
PID 2172 wrote to memory of 2480	2172	cmd.exe	48
PID 2172 wrote to memory of 2480	2172	cmd.exe	48
PID 2172 wrote to memory of 2480	2172	cmd.exe	48
PID 2172 wrote to memory of 2480	2172	cmd.exe	48

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
1420	attrib.exe

C:\Users\Admin\AppData\Local\Temp\2024-09-17_a36ccf5fb6bc5c1342371a21b33a6f0c_cobalt-strike_cobaltstrike_hijackloader_karagany_mafia_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-17_a36ccf5fb6bc5c1342371a21b33a6f0c_cobalt-strike_cobaltstrike_hijackloader_karagany_mafia_poet-rat.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2904
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\2024-09-17_a36ccf5fb6bc5c1342371a21b33a6f0c_cobalt-strike_cobaltstrike_hijackloader_karagany_mafia_poet-rat_5a4cf70d-bdb2-4738-b4bb-f0711abbba73\!m.bat" "
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2840
- - C:\Users\Admin\AppData\Local\Temp\2024-09-17_a36ccf5fb6bc5c1342371a21b33a6f0c_cobalt-strike_cobaltstrike_hijackloader_karagany_mafia_poet-rat_5a4cf70d-bdb2-4738-b4bb-f0711abbba73\anti.exe
    anti.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of FindShellTrayWindow
    PID:2716
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /K fence.bat
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2172
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im explorer.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2616
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:1760
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1480
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:932
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2248
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2012
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1944
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2448
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1164
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2780
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2480
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:684
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2804
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2304
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1420
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:112
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3028
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1632
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2276
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1000
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2660
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:960
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:2440
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1560
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1932
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1384
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2892
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2776
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2056
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1572
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1796
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1732
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:1632
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2224
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2724
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2796
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2896
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1936
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2252
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1944
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2604
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2616
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1492
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2180
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1680
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2808
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2928
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2820
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:480
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2924
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:336
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2632
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2136
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:2396
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:1932
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1952
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2040
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2176
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:2104
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2304
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:2384
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:2856
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:2620
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:4564
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:3252
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      Kills process with taskkill
      PID:3328
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:2384
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:4816
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:1544
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      Kills process with taskkill
      PID:4992
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:3996
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:1164
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:4276
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:4412
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:3700
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:3800
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:4992
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      Kills process with taskkill
      PID:3992
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:4208
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:4320
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:4464
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:2308
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:4664
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:2384
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:4872
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:1588
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:5100
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:3236
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:3312
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:3404
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:3160
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:2444
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      Kills process with taskkill
      PID:4980
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:2964
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:3496
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:3472
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      Kills process with taskkill
      PID:3592
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:3696
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:2932
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:952
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:3884
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:2784
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:5084
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:3756
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:3904
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:3976
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      Kills process with taskkill
      PID:4136
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:4172
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      Kills process with taskkill
      PID:4580
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:3996
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:4236
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:4300
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:4356
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      Kills process with taskkill
      PID:4264
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      PID:4396
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      Kills process with taskkill
      PID:4408
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:4476
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:4456
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:4520
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:4516
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:2504
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:4692
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      Kills process with taskkill
      PID:4596
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:4576
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:4048
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:4728
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:4664
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      Kills process with taskkill
      PID:4772
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:4748
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:4848
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:2948
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:4912
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      Kills process with taskkill
      PID:4796
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:4956
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      Kills process with taskkill
      PID:1532
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:684
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:112
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      Kills process with taskkill
      PID:3048
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:1544
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:2028
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:5104
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:1868
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:3316
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:2296
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:2260
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:4960
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:2908
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      Kills process with taskkill
      PID:3364
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:3180
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:3144
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:3024
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:3124
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:3368
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:3044
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:3468
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:3428
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:1364
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      PID:5012
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:3076
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:3176
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:2460
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:2632
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:3512
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:3496
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:3624
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:4420
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      PID:3652
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:1708
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:3596
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      Kills process with taskkill
      PID:3796
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:3932
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:3580
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      Kills process with taskkill
      PID:2252
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:1620
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      PID:3684
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:3716
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:2604
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:4032
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:2528
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      Kills process with taskkill
      PID:3740
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:4056
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:3784
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:3896
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:3964
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:2392
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:3728
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:4108
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      Kills process with taskkill
      PID:3916
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      Kills process with taskkill
      PID:4496
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:4240
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:3720
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:4104
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:2868
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:4360
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:4372
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:4432
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:4480
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      Kills process with taskkill
      PID:1000
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:4504
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      Kills process with taskkill
      PID:4464
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:4560
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:4604
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:2480
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:932
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:2912
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:4656
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:4792
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:4488
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      Kills process with taskkill
      PID:4908
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:2384
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      PID:4828
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:2876
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:4844
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:2832
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      Kills process with taskkill
      PID:1592
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:1432
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:1700
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:2756
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:1128
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:5040
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:5036
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:5008
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      PID:1936
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:3256
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:3340
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      Kills process with taskkill
      PID:3244
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      Kills process with taskkill
      PID:3252
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      Kills process with taskkill
      PID:3288
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      PID:3108
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:3200
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:1792
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:3172
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      PID:3124
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:3424
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:3164
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      PID:3444
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      PID:3160
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:3084
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:5044
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:4996
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:3500
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:1260
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      Kills process with taskkill
      PID:3080
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:2180
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:3532
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:3616
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:3476
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:3688
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      Kills process with taskkill
      PID:3760
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:1348
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:560
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:3948
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:2740
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:3588
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:2396
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:3700
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:2012
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:2044
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:3928
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:3848
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:3884
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:3732
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:2304
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:3988
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:5084
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:1732
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:3872
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:4144
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:4216
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      Kills process with taskkill
      PID:1500
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:4168
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      Kills process with taskkill
      PID:4084
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:2192
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:4304
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:4348
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:4356
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      Kills process with taskkill
      PID:4436
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:4468
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      Kills process with taskkill
      PID:4312
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:4536
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:1000
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:4504
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:4560
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:4608
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:4700
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:2308
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:4264
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:2224
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:4728
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:4716
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:3824
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:1660
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:2116
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:4816
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      Kills process with taskkill
      PID:2928
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:2820
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      Kills process with taskkill
      PID:4764
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:1584
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:908
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:4928
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:5096
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:4848
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:4812
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      Kills process with taskkill
      PID:1804
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:3260
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:3316
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:3320
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:3272
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:5048
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      Kills process with taskkill
      PID:5024
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:3212
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:3180
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:3152
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      Kills process with taskkill
      PID:1796
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:5076
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:592
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:3044
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:3084
- - C:\Windows\SysWOW64\cipher.exe
    cipher /k /h /e C:\Users\Admin\Desktop\*
    3⤵
    PID:2752
- - C:\Windows\SysWOW64\cipher.exe
    cipher C:\Users\Admin\Desktop\*
    3⤵
    PID:2588
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\2024-09-17_a36ccf5fb6bc5c1342371a21b33a6f0c_cobalt-strike_cobaltstrike_hijackloader_karagany_mafia_poet-rat_5a4cf70d-bdb2-4738-b4bb-f0711abbba73\doc.html
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    PID:1048
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1048 CREDAT:275457 /prefetch:2
      4⤵
      Manipulates Digital Signatures
      Modifies Internet Explorer settings
      Modifies registry class
      Suspicious use of SetWindowsHookEx
      PID:984
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1048 CREDAT:537607 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:1712
- - C:\Users\Admin\AppData\Local\Temp\2024-09-17_a36ccf5fb6bc5c1342371a21b33a6f0c_cobalt-strike_cobaltstrike_hijackloader_karagany_mafia_poet-rat_5a4cf70d-bdb2-4738-b4bb-f0711abbba73\butdes.exe
    butdes.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:2420
  - - C:\Users\Admin\AppData\Local\Temp\is-SR8NM.tmp\butdes.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-SR8NM.tmp\butdes.tmp" /SL5="$30018,2719719,54272,C:\Users\Admin\AppData\Local\Temp\2024-09-17_a36ccf5fb6bc5c1342371a21b33a6f0c_cobalt-strike_cobaltstrike_hijackloader_karagany_mafia_poet-rat_5a4cf70d-bdb2-4738-b4bb-f0711abbba73\butdes.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: GetForegroundWindowSpam
      PID:584
- - C:\Users\Admin\AppData\Local\Temp\2024-09-17_a36ccf5fb6bc5c1342371a21b33a6f0c_cobalt-strike_cobaltstrike_hijackloader_karagany_mafia_poet-rat_5a4cf70d-bdb2-4738-b4bb-f0711abbba73\flydes.exe
    flydes.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2860
  - - C:\Users\Admin\AppData\Local\Temp\is-BT8JE.tmp\flydes.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-BT8JE.tmp\flydes.tmp" /SL5="$300EC,595662,54272,C:\Users\Admin\AppData\Local\Temp\2024-09-17_a36ccf5fb6bc5c1342371a21b33a6f0c_cobalt-strike_cobaltstrike_hijackloader_karagany_mafia_poet-rat_5a4cf70d-bdb2-4738-b4bb-f0711abbba73\flydes.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: GetForegroundWindowSpam
      PID:556
- - C:\Users\Admin\AppData\Local\Temp\2024-09-17_a36ccf5fb6bc5c1342371a21b33a6f0c_cobalt-strike_cobaltstrike_hijackloader_karagany_mafia_poet-rat_5a4cf70d-bdb2-4738-b4bb-f0711abbba73\i.exe
    i.exe
    3⤵
    - Executes dropped EXE
    PID:1940
- - C:\Windows\SysWOW64\timeout.exe
    timeout 3
    3⤵
    - Delays execution with timeout.exe
    PID:2192
- - C:\Users\Admin\AppData\Local\Temp\2024-09-17_a36ccf5fb6bc5c1342371a21b33a6f0c_cobalt-strike_cobaltstrike_hijackloader_karagany_mafia_poet-rat_5a4cf70d-bdb2-4738-b4bb-f0711abbba73\gx.exe
    gx.exe
    3⤵
    - Executes dropped EXE
    PID:1636
  - - C:\Users\Admin\AppData\Local\Temp\7zS466364B9\setup.exe
      C:\Users\Admin\AppData\Local\Temp\7zS466364B9\setup.exe --server-tracking-blob=MzY5Njg4ZTc1OTE1MjcyMTMxZmYwZTk4ODU3ZWE4Mjk0NjQ0Nzc5MjcxMWY4OGZhOThlNTU5YmNlNzA1NmJiOTp7ImNvdW50cnkiOiJOTCIsImVkaXRpb24iOiJzdGQtMiIsImh0dHBfcmVmZXJyZXIiOiJodHRwczovL3d3dy5vcGVyYS5jb20vIiwiaW5zdGFsbGVyX25hbWUiOiJPcGVyYUdYU2V0dXAuZXhlIiwicHJvZHVjdCI6Im9wZXJhX2d4IiwicXVlcnkiOiIvb3BlcmFfZ3gvc3RhYmxlL3dpbmRvd3M/ZWRpdGlvbj1zdGQtMiZ1dG1fc291cmNlPVBXTmdhbWVzJnV0bV9tZWRpdW09cGEmdXRtX2NhbXBhaWduPVBXTl9OTF9VVlJfMzczNiZlZGl0aW9uPXN0ZC0yJnV0bV9jb250ZW50PTM3MzZfJnV0bV9pZD0wNTgwYWM0YWUyOTA0ZDA3ODNkOTQxNWE0NWRhZGFkYSZodHRwX3JlZmVycmVyPWh0dHBzJTNBJTJGJTJGd3d3Lm9wZXJhLmNvbSUyRnJ1JTJGZ3glM0ZlZGl0aW9uJTNEc3RkLTIlMjZ1dG1fc291cmNlJTNEUFdOZ2FtZXMlMjZ1dG1fbWVkaXVtJTNEcGElMjZ1dG1fY2FtcGFpZ24lM0RQV05fTkxfVVZSXzM3MzYlMjZ1dG1fY29udGVudCUzRDM3MzZfJTI2dXRtX2lkJTNEMDU4MGFjNGFlMjkwNGQwNzgzZDk0MTVhNDVkYWRhZGEmdXRtX3NpdGU9b3BlcmFfY29tJnV0bV9sYXN0cGFnZT1vcGVyYS5jb20lMkZneCZ1dG1faWQ9MDU4MGFjNGFlMjkwNGQwNzgzZDk0MTVhNDVkYWRhZGEmZGxfdG9rZW49NzAwOTYzNzgiLCJ0aW1lc3RhbXAiOiIxNzI1ODAyMjIzLjgwMDQiLCJ1c2VyYWdlbnQiOiJNb3ppbGxhLzUuMCAoV2luZG93cyBOVCAxMC4wOyBXaW42NDsgeDY0KSBBcHBsZVdlYktpdC81MzcuMzYgKEtIVE1MLCBsaWtlIEdlY2tvKSBDaHJvbWUvMTI4LjAuMC4wIFNhZmFyaS81MzcuMzYgRWRnLzEyOC4wLjAuMCIsInV0bSI6eyJjYW1wYWlnbiI6IlBXTl9OTF9VVlJfMzczNiIsImNvbnRlbnQiOiIzNzM2XyIsImlkIjoiMDU4MGFjNGFlMjkwNGQwNzgzZDk0MTVhNDVkYWRhZGEiLCJsYXN0cGFnZSI6Im9wZXJhLmNvbS9neCIsIm1lZGl1bSI6InBhIiwic2l0ZSI6Im9wZXJhX2NvbSIsInNvdXJjZSI6IlBXTmdhbWVzIn0sInV1aWQiOiI0ODkyOGFmMC1jZDc3LTQ0NDctYTQyNy1kNzY5ODRmOGQ5NGMifQ==
      4⤵
      Executes dropped EXE
      PID:112
- - C:\Users\Admin\AppData\Local\Temp\2024-09-17_a36ccf5fb6bc5c1342371a21b33a6f0c_cobalt-strike_cobaltstrike_hijackloader_karagany_mafia_poet-rat_5a4cf70d-bdb2-4738-b4bb-f0711abbba73\bundle.exe
    bundle.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: GetForegroundWindowSpam
    PID:1944
- - C:\Users\Admin\AppData\Local\Temp\2024-09-17_a36ccf5fb6bc5c1342371a21b33a6f0c_cobalt-strike_cobaltstrike_hijackloader_karagany_mafia_poet-rat_5a4cf70d-bdb2-4738-b4bb-f0711abbba73\rckdck.exe
    rckdck.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:2728
  - - C:\Users\Admin\AppData\Local\Temp\is-LUH6E.tmp\is-N1Q2R.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-LUH6E.tmp\is-N1Q2R.tmp" /SL4 $3019C "C:\Users\Admin\AppData\Local\Temp\2024-09-17_a36ccf5fb6bc5c1342371a21b33a6f0c_cobalt-strike_cobaltstrike_hijackloader_karagany_mafia_poet-rat_5a4cf70d-bdb2-4738-b4bb-f0711abbba73\rckdck.exe" 6123423 52736
      4⤵
      Executes dropped EXE
      Suspicious behavior: GetForegroundWindowSpam
      PID:1736
- - C:\Users\Admin\AppData\Local\Temp\2024-09-17_a36ccf5fb6bc5c1342371a21b33a6f0c_cobalt-strike_cobaltstrike_hijackloader_karagany_mafia_poet-rat_5a4cf70d-bdb2-4738-b4bb-f0711abbba73\avg.exe
    avg.exe
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Loads dropped DLL
    - Checks for any installed AV software in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2884
  - - C:\Users\Admin\AppData\Local\Temp\ajB129.exe
      "C:\Users\Admin\AppData\Local\Temp\ajB129.exe" /relaunch=8 /was_elevated=1 /tagdata
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Loads dropped DLL
      Checks for any installed AV software in registry
      Writes to the Master Boot Record (MBR)
      System Location Discovery: System Language Discovery
      Modifies system certificate store
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      PID:4900
- - C:\Users\Admin\AppData\Local\Temp\2024-09-17_a36ccf5fb6bc5c1342371a21b33a6f0c_cobalt-strike_cobaltstrike_hijackloader_karagany_mafia_poet-rat_5a4cf70d-bdb2-4738-b4bb-f0711abbba73\telamon.exe
    telamon.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2872
  - - C:\Users\Admin\AppData\Local\Temp\is-D8L6H.tmp\telamon.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-D8L6H.tmp\telamon.tmp" /SL5="$50192,1520969,918016,C:\Users\Admin\AppData\Local\Temp\2024-09-17_a36ccf5fb6bc5c1342371a21b33a6f0c_cobalt-strike_cobaltstrike_hijackloader_karagany_mafia_poet-rat_5a4cf70d-bdb2-4738-b4bb-f0711abbba73\telamon.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious behavior: GetForegroundWindowSpam
      PID:2312
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" "C:\Windows\system32\cmd.exe" /S /C ""C:\Users\Admin\AppData\Local\Temp\is-G1SGO.tmp\tt-installer-helper.exe" --getuid > "C:\Users\Admin\AppData\Local\Temp\is-G1SGO.tmp\~execwithresult.txt""
        5⤵
        Loads dropped DLL
        
        PID:1812
      - C:\Users\Admin\AppData\Local\Temp\is-G1SGO.tmp\tt-installer-helper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-G1SGO.tmp\tt-installer-helper.exe" --getuid
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4660
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" "C:\Windows\system32\cmd.exe" /S /C ""C:\Users\Admin\AppData\Local\Temp\is-G1SGO.tmp\tt-installer-helper.exe" --saveinstallpath --filename=C:\Users\Admin\AppData\Local\Temp\2024-09-17_a36ccf5fb6bc5c1342371a21b33a6f0c_cobalt-strike_cobaltstrike_hijackloader_karagany_mafia_poet-rat_5a4cf70d-bdb2-4738-b4bb-f0711abbba73\telamon.exe > "C:\Users\Admin\AppData\Local\Temp\is-G1SGO.tmp\~execwithresult.txt""
        5⤵
        Loads dropped DLL
        
        PID:4732
      - C:\Users\Admin\AppData\Local\Temp\is-G1SGO.tmp\tt-installer-helper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-G1SGO.tmp\tt-installer-helper.exe" --saveinstallpath --filename=C:\Users\Admin\AppData\Local\Temp\2024-09-17_a36ccf5fb6bc5c1342371a21b33a6f0c_cobalt-strike_cobaltstrike_hijackloader_karagany_mafia_poet-rat_5a4cf70d-bdb2-4738-b4bb-f0711abbba73\telamon.exe
        6⤵
        Executes dropped EXE
        
        PID:4812
- - C:\Users\Admin\AppData\Local\Temp\2024-09-17_a36ccf5fb6bc5c1342371a21b33a6f0c_cobalt-strike_cobaltstrike_hijackloader_karagany_mafia_poet-rat_5a4cf70d-bdb2-4738-b4bb-f0711abbba73\stopwatch.exe
    stopwatch.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of FindShellTrayWindow
    PID:2836
- - C:\Windows\SysWOW64\msiexec.exe
    "C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\AppData\Local\Temp\2024-09-17_a36ccf5fb6bc5c1342371a21b33a6f0c_cobalt-strike_cobaltstrike_hijackloader_karagany_mafia_poet-rat_5a4cf70d-bdb2-4738-b4bb-f0711abbba73\gadget.msi"
    3⤵
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Suspicious use of FindShellTrayWindow
    PID:2372
- - C:\Users\Admin\AppData\Local\Temp\2024-09-17_a36ccf5fb6bc5c1342371a21b33a6f0c_cobalt-strike_cobaltstrike_hijackloader_karagany_mafia_poet-rat_5a4cf70d-bdb2-4738-b4bb-f0711abbba73\g_.exe
    g_.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: GetForegroundWindowSpam
    PID:2816
- - C:\Users\Admin\AppData\Local\Temp\2024-09-17_a36ccf5fb6bc5c1342371a21b33a6f0c_cobalt-strike_cobaltstrike_hijackloader_karagany_mafia_poet-rat_5a4cf70d-bdb2-4738-b4bb-f0711abbba73\t.exe
    t.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2056
- - C:\Users\Admin\AppData\Local\Temp\2024-09-17_a36ccf5fb6bc5c1342371a21b33a6f0c_cobalt-strike_cobaltstrike_hijackloader_karagany_mafia_poet-rat_5a4cf70d-bdb2-4738-b4bb-f0711abbba73\g.exe
    g.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2136
- - C:\Users\Admin\AppData\Local\Temp\2024-09-17_a36ccf5fb6bc5c1342371a21b33a6f0c_cobalt-strike_cobaltstrike_hijackloader_karagany_mafia_poet-rat_5a4cf70d-bdb2-4738-b4bb-f0711abbba73\e.exe
    e.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:1916
- - C:\Windows\SysWOW64\attrib.exe
    attrib +s +h C:\GAB
    3⤵
    - Sets file to hidden
    - Views/modifies file attributes
    PID:1420
- - C:\Users\Admin\AppData\Local\Temp\2024-09-17_a36ccf5fb6bc5c1342371a21b33a6f0c_cobalt-strike_cobaltstrike_hijackloader_karagany_mafia_poet-rat_5a4cf70d-bdb2-4738-b4bb-f0711abbba73\Bootstraper.exe
    Bootstraper.exe
    3⤵
    - Executes dropped EXE
    PID:1008
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\SalaNses'"
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:4072
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\Desktop'"
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:1708
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Users'"
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:3860
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1008 -s 1484
      4⤵
      Loads dropped DLL
      Program crash
      PID:3100
- - C:\Windows\SysWOW64\timeout.exe
    timeout 10
    3⤵
    - Delays execution with timeout.exe
    PID:3460
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /K proxy.bat
    3⤵
    PID:3096
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im explorer.exe
      4⤵
      PID:1604
- - C:\Windows\SysWOW64\notepad.exe
    "C:\Windows\System32\notepad.exe" "C:\GAB\13141.CompositeFont"
    3⤵
    - Opens file in notepad (likely ransom note)
    PID:3444
- - C:\Windows\SysWOW64\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\GAB\13141.ini
    3⤵
    - Opens file in notepad (likely ransom note)
    PID:3076
- - C:\Windows\SysWOW64\fontview.exe
    "C:\Windows\System32\fontview.exe" C:\GAB\13141.ttc
    3⤵
    PID:480
- - C:\Windows\SysWOW64\fontview.exe
    "C:\Windows\System32\fontview.exe" C:\GAB\13141.TTF
    3⤵
    PID:3544
- - C:\Users\Admin\AppData\Local\Temp\2024-09-17_a36ccf5fb6bc5c1342371a21b33a6f0c_cobalt-strike_cobaltstrike_hijackloader_karagany_mafia_poet-rat_5a4cf70d-bdb2-4738-b4bb-f0711abbba73\cobstrk.exe
    cobstrk.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Windows directory
    PID:3568
  - - C:\Windows\System\mPNkzDG.exe
      C:\Windows\System\mPNkzDG.exe
      4⤵
      Executes dropped EXE
      PID:4548
  - - C:\Windows\System\wueABeN.exe
      C:\Windows\System\wueABeN.exe
      4⤵
      Executes dropped EXE
      PID:3724
  - - C:\Windows\System\CDZogjv.exe
      C:\Windows\System\CDZogjv.exe
      4⤵
      Executes dropped EXE
      PID:3944
  - - C:\Windows\System\olrPwLC.exe
      C:\Windows\System\olrPwLC.exe
      4⤵
      Executes dropped EXE
      PID:3708
  - - C:\Windows\System\paMTKzJ.exe
      C:\Windows\System\paMTKzJ.exe
      4⤵
      Executes dropped EXE
      PID:952
  - - C:\Windows\System\kYUyQmW.exe
      C:\Windows\System\kYUyQmW.exe
      4⤵
      Executes dropped EXE
      PID:1140
  - - C:\Windows\System\ERiMfdf.exe
      C:\Windows\System\ERiMfdf.exe
      4⤵
      Executes dropped EXE
      PID:3912
  - - C:\Windows\System\iDEbkMm.exe
      C:\Windows\System\iDEbkMm.exe
      4⤵
      Executes dropped EXE
      PID:3360
  - - C:\Windows\System\JQPjWMx.exe
      C:\Windows\System\JQPjWMx.exe
      4⤵
      Executes dropped EXE
      PID:3608
  - - C:\Windows\System\DgMoFtt.exe
      C:\Windows\System\DgMoFtt.exe
      4⤵
      Executes dropped EXE
      PID:608
  - - C:\Windows\System\yhLyiOc.exe
      C:\Windows\System\yhLyiOc.exe
      4⤵
      Executes dropped EXE
      PID:3984
  - - C:\Windows\System\bsLKdwC.exe
      C:\Windows\System\bsLKdwC.exe
      4⤵
      Executes dropped EXE
      PID:3432
  - - C:\Windows\System\POhExWi.exe
      C:\Windows\System\POhExWi.exe
      4⤵
      Executes dropped EXE
      PID:2984
  - - C:\Windows\System\ZvpHgFR.exe
      C:\Windows\System\ZvpHgFR.exe
      4⤵
      Executes dropped EXE
      PID:4036
  - - C:\Windows\System\xUBlPYQ.exe
      C:\Windows\System\xUBlPYQ.exe
      4⤵
      Executes dropped EXE
      PID:4024
  - - C:\Windows\System\AWBnmQX.exe
      C:\Windows\System\AWBnmQX.exe
      4⤵
      Executes dropped EXE
      PID:4080
  - - C:\Windows\System\CYjglip.exe
      C:\Windows\System\CYjglip.exe
      4⤵
      Executes dropped EXE
      PID:2400
  - - C:\Windows\System\vZXbtGz.exe
      C:\Windows\System\vZXbtGz.exe
      4⤵
      Executes dropped EXE
      PID:3904
  - - C:\Windows\System\CsKYEFb.exe
      C:\Windows\System\CsKYEFb.exe
      4⤵
      Executes dropped EXE
      PID:4016
  - - C:\Windows\System\BDLEBAE.exe
      C:\Windows\System\BDLEBAE.exe
      4⤵
      Executes dropped EXE
      PID:4116
  - - C:\Windows\System\WcBJknS.exe
      C:\Windows\System\WcBJknS.exe
      4⤵
      Executes dropped EXE
      PID:4496
- - C:\Users\Admin\AppData\Local\Temp\2024-09-17_a36ccf5fb6bc5c1342371a21b33a6f0c_cobalt-strike_cobaltstrike_hijackloader_karagany_mafia_poet-rat_5a4cf70d-bdb2-4738-b4bb-f0711abbba73\jaf.exe
    jaf.exe
    3⤵
    - Executes dropped EXE
    - Checks whether UAC is enabled
    PID:3400
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /K des.bat
    3⤵
    PID:1364
- - C:\Users\Admin\AppData\Local\Temp\2024-09-17_a36ccf5fb6bc5c1342371a21b33a6f0c_cobalt-strike_cobaltstrike_hijackloader_karagany_mafia_poet-rat_5a4cf70d-bdb2-4738-b4bb-f0711abbba73\file.exe
    file.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    PID:3576
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
      4⤵
      PID:3808
- - C:\Users\Admin\AppData\Local\Temp\2024-09-17_a36ccf5fb6bc5c1342371a21b33a6f0c_cobalt-strike_cobaltstrike_hijackloader_karagany_mafia_poet-rat_5a4cf70d-bdb2-4738-b4bb-f0711abbba73\PurchaseOrder.exe
    PurchaseOrder.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    PID:3640
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\2024-09-17_a36ccf5fb6bc5c1342371a21b33a6f0c_cobalt-strike_cobaltstrike_hijackloader_karagany_mafia_poet-rat_5a4cf70d-bdb2-4738-b4bb-f0711abbba73\PurchaseOrder.exe"
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:3716
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\TESAYt.exe"
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:3916
  - - C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\TESAYt" /XML "C:\Users\Admin\AppData\Local\Temp\tmp169C.tmp"
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:3508
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
      4⤵
      PID:4368

C:\Windows\system32\efsui.exe
efsui.exe /efs /keybackup
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2648

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x564
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2348

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
PID:4920

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-2036402443-6390603-173159161871003014010650477231250111797-16112177731367028838"
1⤵
- Loads dropped DLL
PID:2180

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:3792

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1711577314-1966266307-907246038-1505732087-2021131226-1782803464-11641121412018601842"
1⤵
PID:4144

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

Software Discovery

T1518

Security Software Discovery

T1518.001

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\GAB\13141.CompositeFont

Filesize
42KB

MD5
8f64a583b0823bfc2fdf7277e67b5e16

SHA1
f8029c828d0aef58f8818b866f1f7f1ec2f095b8

SHA256
b637a0f9031088d08147f397836fe1c16b15c70db696db4ddea05ec5b95b4f91

SHA512
e8c7941c8a42f6408b0071c7f0ea06a226757d3a07e3943738296c5dd5e5e60d682424182f0d788f42a5758f1c76ef1ec89901acc43799833234f09f3b4278a2

Download Submit
C:\GAB\13141.TTF

Filesize
216KB

MD5
1cb82c6f93c51aa8dd7c7ea82cd641eb

SHA1
96bded4a52b798f6e9191be53accac46798f1ac0

SHA256
80eccb06c696972ccbb52467dc5abd5fe4de1eeb14f4797580eea14ff50326b9

SHA512
8e45b17b961bf8d60a547355b6b5a69d82f405b791345c10b1c8db08a226c8db622014d91256ad033ae34464f3923e34d4ae45094a730f999d6c9fe3a6a3c45d

Download Submit
C:\GAB\13141.TTF

Filesize
72KB

MD5
4e123dc335f4c41671e597d37edcaffd

SHA1
edae483a09a9c2b919ec27749bfe4ca2d7e8e956

SHA256
8f7699a0fd02de79d565fbd5205be070b777b790f028c1fd7e6090e34ed81bda

SHA512
cf03c556c0f98827a5c5a8f4fd5c37f882325435570ba4d6761f6b0f4f41fec99e64d3d246ae7367b367f12e8b6cc3c38a120623343860cc99021b7638ff6fc8

Download Submit
C:\GAB\13141.TTF

Filesize
1.1MB

MD5
e1bd092a5bda86bd9703c7a822dde4da

SHA1
e2324cb38596d4e506c681ada6917be939e9cd1c

SHA256
6ac589d243cd7e66defe84c2cd024f12ff706da33aa6f9933dcae1f4c963177f

SHA512
435cbad7e0ed8cc8880927a84a81f0cda17d26eae41b0c99a80b2126f1200b7f624233a2251746dd103105b7be49a7db6d844f917e988f2dd8d27548d642b91c

Download Submit
C:\GAB\13141.TTF

Filesize
1.1MB

MD5
af5fea16dad09fead692c2f100f61337

SHA1
c8d5746d63460b2472b21735a2c50f01b222a18c

SHA256
fabac9a0f456ebef7d9c08af1cd6bde5bdad7f8fcc15ae1355f652a333b24f52

SHA512
9ec29760cc7199116d9ed89a20ca3c654f5e7df4ad7fbfc7d86135946506376747ed0bd0934c12a658443a774e20d0794a0f4c09d72a0352f04318f5a66acd98

Download Submit
C:\GAB\13141.TTF

Filesize
50KB

MD5
34a1156588649c61ea04538baaeef237

SHA1
3f3f5e77146f7ab00ab137e52fbeedaa82755aba

SHA256
e334bf287bdf4211fe5958c4926c8ad4ddd3f44f5fdcb2d9dcfa1394186d8132

SHA512
10b011cb0532aeb2fbb637cefe22649927c0b8176c3fa2ce76c0d5683a68de7ff9cb0b0c4c279241c88f7784d6b46b9ce71b23924fb706bd282e05a1c4829fcb

Download Submit
C:\GAB\13141.TTF

Filesize
1.6MB

MD5
58b368e6ecd5e157f235a5c6e0784cf9

SHA1
c9dfd137210fe70286158aef0d4da6cf3d7602b0

SHA256
38efc5c2827d82fe584edc72e9c785b9b27707b820e3ad83e608bf6e4a48ca8d

SHA512
941b2a477ddae11c7887255036c5329b3793e8962f12e15cb4606fdca98234f4a5bc842172ab4caaff7497a89a1c1fe1486aa1862b24be002de83631393e0e33

Download Submit
C:\GAB\13141.TTF

Filesize
1.1MB

MD5
a11965b70d73e610ded9423f04a7a748

SHA1
4763a6cec457317eb408e7f41c238a630e8a0f58

SHA256
4149b6bfd4ee0ea6d40c7555a268beb3f0da8450f4806a2105a319fb1b37fcf9

SHA512
cbb6764f86fc54cdd7700827ebb99d7198f824e7578daa49ce45b76cfcc8ba9f0cff6e93cac7bc846a625f34b3edda7e60d8d3bbad113b81be96f5ab2462ce53

Download Submit
C:\GAB\13141.TTF

Filesize
768KB

MD5
5592cd5c82fdf441f583f8acdfc1c3be

SHA1
24cd61b2155c91cf696fde2d8d149755552231a1

SHA256
ae7b8399cbd7ebec2aa77cda57fd14b390c9d8633d7dc80344d0ba282be500f8

SHA512
b799a3b67a7e02aab01c31e829263f75d048abe33deb415dca10401c00e835bf4d0ef05d8ed4482ff13d513baa6852bac55527953bb841d7b271e2aba7dd0742

Download Submit
C:\GAB\13141.TTF

Filesize
45KB

MD5
9488a34c8f32f727a43f41e0d016e673

SHA1
1060eb7f915da2de3c4ff4867296ecfb7d783e4a

SHA256
673e9f49ace279c73711dd778037b5d435790be236c9e5892609794b0bb4377f

SHA512
395db44f81df7051785c20e62528db81ae2063a96a2ee8e33af8d883af6fd21f08c0edf9e644972672c251be6d7df380b302841dc366271d08a1b026ffde6c2f

Download Submit
C:\GAB\13141.TTF

Filesize
64KB

MD5
a37a9d12d8e2f6057e0aa7f702948e74

SHA1
d6a06f51227c6b9b561cd62d17e5b34a4b5b30cf

SHA256
964d08affdd5a96899b4eed70de577c9ec1c48b7678b2f55a5154dd8be89e654

SHA512
da40d4e9385ea529f4bb7e368387f2afff716652fae17e71135e73a70fcd22c3c3dbd774e7323e51fd63850999cce65cfe818174bc93e4eba26745eb99cdb5ab

Download Submit
C:\GAB\13141.TTF

Filesize
384KB

MD5
eef5ee8c267db9fee27f0bde051295de

SHA1
99c1f8286f8e49afe1fd08897052b4b5b86009dc

SHA256
c746406a5986763a35ea156671d9f8d96bcec45e67d834e41e70a8ae89dece2d

SHA512
4c4acc931c3ce28709e8029a88eb7edd048d03dda63dbed477525e6fdf4c87fe4eeaad472a4977ea589b7396ca850addf41c12780aa2fcd73ad03c0040f32b7f

Download Submit
C:\GAB\13141.TTF

Filesize
172KB

MD5
e72271043a4e9371b387662165eb29dd

SHA1
e4fae11beeb5a63e73cdefdca6bbf8104f974267

SHA256
e18daedf97ed2f4ee854cfe640d2802f8979fc107018ee3b874f341d0aede44b

SHA512
b1818b10238074599388d51cfd82c684b6640d6640e198a8df2fab542248ee6906118a5283d772d92002996bc3bc0a0cdb88752b6073baffbd4c1f9bca2fef34

Download Submit
C:\GAB\13141.TTF

Filesize
68KB

MD5
5dd0ca869ca9ff081a7b1b55609a0da9

SHA1
12ae0004c2b23e6624648c4122c509f023b70b89

SHA256
ec259607f32c388f7367c47e50a2b46b1dbb754e4f3c859b723aff911282f10f

SHA512
fd309f03d4e052a200c2d3b411fdaff342ff6774d653bc89d67195c67fb386c73040e135fd81d0f4f4bffe8cb969231ca0ba6ec83b59a92193064272e7200637

Download Submit
C:\GAB\13141.TTF

Filesize
67KB

MD5
000075ce9ab0f6d20f92bc4d3f03f880

SHA1
658524ef605f92424083d179d2da4b4b54e15fb9

SHA256
e4e9441744a9012709e952d927bee2b787f862491ee5c8461586ff5c2a2eebe8

SHA512
5d1c6dfa68aad278f9048c14d84d3db99d2e28b379a763dc8ed0ecbbb90bad79e6923d13c35981d917bafd449c17a24301aceddf59fb206b4f07362cef4f2ebb

Download Submit
C:\GAB\13141.TTF

Filesize
71KB

MD5
7da4fdc36753d33597b56d84d69ad31b

SHA1
608da02b162521326914a74163ee9c6a4df877de

SHA256
6e3798ba30c7fb08383f45afe71cda0d196df300dd1c75c774cc9736724537ee

SHA512
3d52e648f1e18ed09b0b35c9960cbe158f454012b899d7edef6b958221dd2fd3e937333ceb5b89d5c71d8e58bccc6f1015faac10eaf3904ed5568efa2efa5ab1

Download Submit
C:\GAB\13141.TTF

Filesize
171KB

MD5
b592a65e85d41f51230958c04130d340

SHA1
278a4278161a0a00a6af0d204d7876027fff8d2e

SHA256
bf2eb7af0acdedaf1984fe2e68c1eb5dcf69798c4161100272d086701e6b10cf

SHA512
f08c920f69764c1a07c1fa8a8e810a2b3930db45c5609043db240238581f423e8296a65d85d404ca2481e1a51ab52d47986c5144035d6187b149cf5ba6ce76c2

Download Submit
C:\GAB\13141.TTF

Filesize
34KB

MD5
9e2ee65661bee40438d514fe592bfcf8

SHA1
140a77e69329638a5c53dc01fbcfe0ce9ab93423

SHA256
ac9ee085920a3d8b076d5e0c61dc9df42c4bac28d1fc968344f9ceddb3972f69

SHA512
3b3c7ff00d8f12cea48008a2e95c194f7fc64ee96425a3cfefb8b65a9f7dad66fa16104ec1cf96ac6892426e5e8ab59dab91e3d56d76f58753b80f8ac48f2612

Download Submit
C:\GAB\13141.TTF

Filesize
92KB

MD5
1a349dcf586cb7831dc32b69c175f4d5

SHA1
f56762e2b94aa54aa79f07239d4c94f6ce5bedf3

SHA256
5ab633686a3a3421bae107470d3eecff577b0a588ad758ffca8c4b766fce47cf

SHA512
4eea98dbcb094efbc0103c5ff65d3ce98262babc5666b78a2e360172867bbd186a0d91760dce3061a32aafff88dca8ab0a43498bd37c6013f1c49156908c3984

Download Submit
C:\GAB\13141.fon

Filesize
35KB

MD5
ed958318a8bcf72f0bccab280bcabe71

SHA1
0d60f50923dee10d13e9c7b815d78200a01633b5

SHA256
874e466930f025183614f3cf51f68dff799fa64dfe8fcc84f5b7fec528ae29e4

SHA512
47339e90753191b69e5d02abdb544a239c1b765eaf18ed30aa74a118895f4526367fe6f92de9101e10cbeae2df585b465563855b61bccc8b96492703d16e9b4e

Download Submit
C:\GAB\13141.fon

Filesize
32KB

MD5
6d5a3d1c7a9f69a392f4c78950195db5

SHA1
0c7d705e4480a48a1d721add903f19aedcf2a1f9

SHA256
327b9ca2a8e054fc955b88e3b34f71578789a23911cfa263aa8c59284f79a148

SHA512
2dd38693dfbcabb69a2cab607c2a879b39cf027ff6308497cceef21896e8570538b201aa75c43c0357e9b65bfa8c8eefe1dddd78b9994288231473d7a40290ae

Download Submit
C:\GAB\13141.fon

Filesize
5KB

MD5
21475b17405b86f37a2c15a1df2733b3

SHA1
e640903a5fa2a800a27b74c73a02ea855dcbd953

SHA256
6e7a86167874f989433a264345e5ea6c0e000861cbca8153858b23d7d35d5ecc

SHA512
5752f5cdd3d6e56de8d6382dced5b7425fead8cbdb21755fb504320157a4aad3a713fb8d5d4d52e843d60b0251b3c14ee6e7720824ace97b9fd8a5dbf7e0d8f0

Download Submit
C:\GAB\13141.fon

Filesize
7KB

MD5
ad75fb38d57de96a18fd5fcad4a282cb

SHA1
2689835e7573d1ea8cfdf6ae7fd77b671baccbc7

SHA256
c7b31d6d41b52ea093fc845bb51f5fc8bb772b278a0cd8d0dac980dc9e6b08eb

SHA512
ef3e09211a3e58428b94bda0f84d84e83e1e76f40b6f633a6a0e4121cfbdd4cf5253627be285e853d8c536a611f8abf6b2cfdff69033e596c56aaa5b625b6bc2

Download Submit
C:\GAB\13141.fon

Filesize
17KB

MD5
9ba842495668fe8d4cdc2a577d565506

SHA1
523d1c383975ceee22e922efd5399fafd58e2f38

SHA256
80d81e98bea979a33c2e0e72de623bf2d373e235b0f2f3d2d1883035143fd993

SHA512
ff22455bbde09bbf5e31cd40eb5132acbb8ac2893640037952169ab1df3e9084297553841575d684312fda9b42eaab81c8536ca254005a0a4d9ad3f5ca2d7571

Download Submit
C:\GAB\13141.fon

Filesize
28KB

MD5
24a48c36c7bf6eabcc86ab92d1220fe8

SHA1
a39646c9b09484fa9cce0df94241b169bab24e0e

SHA256
f58d2503d687451ff63c0e14f8bac21a3392e99ad2f1b28ee687ded017602a73

SHA512
a17a06e5f453c4e2c6d2609b6c1091920bd9e1eaad892d9c3b8fa4e6e63a26acddaaf0fc4e167a906f38c3adcb92a0a093212725d0ba093b08abc1805015265b

Download Submit
C:\GAB\13141.fon

Filesize
67KB

MD5
fac3ad1f06a7abf7befb8a8233f31d08

SHA1
91fd5acd6a39e7e20016d2041776ad6f717705f0

SHA256
d5c4dea16a298fc554acff3b33618b53b5a5485594dc5c4343c8aecbf1ce0d32

SHA512
3584384df086c89ddc054ed536e7f4107dd8561966b96b300baa72116ef9dea6d1ee62684f796f89f3ea353dda5087a723e9f0756f55cd1e368c38530fba52dc

Download Submit
C:\GAB\13141.fon

Filesize
63KB

MD5
d93a0fa24b28eed4edc938b97f279a88

SHA1
d16ee4319329093038976ad32581735bf97f0803

SHA256
293ff761817f2c94585de089eb5d35ac8f83a2edfb086e2bc233fcc9a1b9d360

SHA512
b08beb33272f67d629cfc32a1a2e70d3087186595cfae28d2301bde25db02c898c7eb172e0b34b356b5f83ce980e03871a90e8fdf295b83e62b1b4d72e01ad92

Download Submit
C:\GAB\13141.fon

Filesize
88KB

MD5
6e4de039b93800d72443ca1673f25eb2

SHA1
f33847ccb4b24e0ca6e8f6462ffe93e2fe2f40b7

SHA256
6ad05b5dafe23e41a2e914089e32b73ef1dad3cd0afce01a7e47fcf1097589ec

SHA512
6d8724b3066d2821517e67399b2ce7ba4d1ee5da9458aab335b08199736d614a67b64968ad9fe0c01998ba220d1edb683f9c364da96e64750f089d04c8eb43e3

Download Submit
C:\GAB\13141.fon

Filesize
87KB

MD5
9b81fd16158bffbcbf6cd88e49c9c027

SHA1
03bd46af221ba86ab3e01f27220f08a97afce50f

SHA256
7c963b968f286c5a4a9c9cd53be631d94a0315c4cce0c6af6839500fcebce454

SHA512
17b57180d7a33128ab591c22463e477783bf48033f664d8a59251e2dbd2509facf64fbd5805d56f7b536198a793cdb1a3eb3e8229bf2185a736b406315bb1e7f

Download Submit
C:\GAB\13141.fon

Filesize
12KB

MD5
40f8022c3fe4e1cc97bb794e1b519b3f

SHA1
7ff107451b67b2d432db4706c697a9391c13a6f4

SHA256
6b16818c057024f588f4f423cb1f50d24e092fca3c9b5c8c1943cf5b3ea70759

SHA512
08a85d0203a0534067538ba0c1f40273409f61f212269cb3095df1defc114ff007efcb4c3c4897a345cda17db16c98b88ae61100b9e4636862d26edb8a402ba3

Download Submit
C:\GAB\13141.fon

Filesize
5KB

MD5
75acaed877b0384b034d920ac8953866

SHA1
8abf03747a44bb62fe6730fb7ee052549863a99b

SHA256
23855e29f60dc2cc50279a3dd2a5e3aa376b1f4504a1c48132d82e4f33960888

SHA512
0fc3bd053f0bf521f0728b9f959a21b993fdddeeaf5b78b4eb6ed0d3567314e18eef8c932abe37028c4c624ca8b47a324858c45335a22f9514980b9aabf2e6c1

Download Submit
C:\GAB\13141.fon

Filesize
6KB

MD5
8a5dbabcb9b11e3e0c527b93e69d5e4d

SHA1
c47add614ece5ed16ca456bac08b1f2cbaccfec9

SHA256
824ea3f5eabd9c3b8e0041e78935feb65545f58760ce0c47a0d938ad75f8e241

SHA512
ddcb3520d68321e6372630cb34473c7b310ffed1263cde8e1059837e63e42e7a7e644537044dee774e9ea3e912e485f2630bc106233e039ea925355ec29921c0

Download Submit
C:\GAB\13141.fon

Filesize
12KB

MD5
430077b0065cb075748316c2bc3cb8c5

SHA1
157ef2a45f8abde1f74b3374e0c77d3e99e5be58

SHA256
59ec91dcb7dc65b5f928091cb0e25c26729a0a4453ebe7d8244fc1ceae7d9712

SHA512
806ba986f0dd4d80ca4a204f3cead1cf46f5f118b0e900f75947bf2142cdccb4ac8d7a84c133d250776e8bd43023e09f88caa5f095decb6d1966edd53e6c7b76

Download Submit
C:\GAB\13141.fon

Filesize
68KB

MD5
5e142e4d090d689cd44fa8fe9882a743

SHA1
0301f8c9422f933c9d7a65bbe4f7c45feb4fef24

SHA256
a23e6b523d0e3d16cd197e5a525e3f299144577dbdb860ab91e7c14652aad3d4

SHA512
23f77ca93a178d4fdecf54ca1cb6cbc8d6c816deddc630d90fcaa5f3d028a9db29301d32b200c70bcbeb94c8491bd44ffeef51233cfeb011e2081825b167ba16

Download Submit
C:\GAB\13141.fon

Filesize
35KB

MD5
1252c22a700c6c0319481971a05839fd

SHA1
c88ad6672619e7a35c11d0a466329f7579016e46

SHA256
8afa403942185a52a0a670f6ac09bc5b61a21280f2157dc7936b7cfe79bb6280

SHA512
1f54864f01f7c4b501e028b6d708e798ac08c0539172945105f2cd9b36afd31dc61dd7bf4bacb159f2bdff05232727984a722f40ad0dafe6282a39e080fe5c17

Download Submit
C:\GAB\13141.ttc

Filesize
1.5MB

MD5
530e4f16910be9010ccdda67146e8438

SHA1
3bda6f43cbe1b15ac92d264919dc4602d5f01cce

SHA256
d675f6efa6f39c92585a0499901593c2df7a1b61cdb6bf4185e3833f83b0106e

SHA512
fc60b89ae6c99facb3fc0de98288dd42cd569098ea02d319d7eca5822e85bcebcbfb6d38d94caa16d4b22d1476f349745a897ede40019a79a2b506b9957757d5

Download Submit
C:\GAB\13141.ttc

Filesize
14.6MB

MD5
cb2100e9c35b646d4807f208fba5c1d7

SHA1
c66a87a3afb4ddd57465ef3db773ae7610f12d6f

SHA256
f68cb69afaf28e54240817fe1e15ed88a7ecc493e5fa80b726f89f230d5f4e42

SHA512
886a872bc7adbb8d74cebf58d0799561a5de5741bac2c1b090f36f4b3e097b057df23d3c2e4df76ecb83bb233e89de64b0251382ee312840752da9b28cd703fe

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\070E0202839D9D67350CD2613E78E416

Filesize
1KB

MD5
55540a230bdab55187a841cfe1aa1545

SHA1
363e4734f757bdeb89868efe94907774a327695e

SHA256
d73494e3446b02167573b3cde3ae1c8584ac26e15e45ac3ec0326708425d90fb

SHA512
c899cb1d31d3214fd9dc8626a55e40580d3b2224bf34310c2abd85d0f63e2dedaeae57832f048c2f500cb2cbf83683fcb14139af3f0b5251606076cdb4689c54

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
914B

MD5
e4a68ac854ac5242460afd72481b2a44

SHA1
df3c24f9bfd666761b268073fe06d1cc8d4f82a4

SHA256
cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f

SHA512
5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\070E0202839D9D67350CD2613E78E416

Filesize
230B

MD5
c6c3dc73e1afc92b7586e881a9bfded0

SHA1
24d8722e04815d7289be391cbdbe007006129612

SHA256
b19f0a9ef73b454ab01569a778b9aa5fce58d33725e838ba759c0e3bd1d64aa9

SHA512
818144b3aec2cb1d54f363f474849b3353fa46e889b58b3cc99a364d185afa14ab58fadadee245495bb1b0c1c4f986a7e5c44cfe6bebe675ef0b93a8e56f4077

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
252B

MD5
c05d7c5420a472d01d9058ac344bf3c6

SHA1
27daa0d62f351d666dd3ad0321c664f18f924675

SHA256
42d3cdfdab08060d3e22df1d8b87f6ea7abeb71ad0e1d7958b59dda1d02df5c2

SHA512
0dc82f2404620bcdc2eac2181bed192fbcc0035790fd0203d87333ab15a166545d0c98e1e57c38ae2f0d85c5439733cca6f8a2356db0bf754d0781471b5ff995

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1ce6c3ada64d2183664440f70ba52da1

SHA1
eae69ec87e1636aa48641f18737efd42ade49b9e

SHA256
ccec544afcf5f568d1a0c3babf516a936b5feafc895618080813d305d6a14aac

SHA512
887db1446ee2d24f353c266882573741f7b4342ad513f613ee348411aa423160d7d6069d2c4cf310624d18a00080770e7ae78a912da4b743bb0aa12588800596

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
61409fcb72b09fc6513ec1aee7f24a46

SHA1
852dde6f6493df40393fbfa17edd7e8427390cd9

SHA256
e80a87c8fc65789483980984d1dbd1aa0528dc589fe286a343e4cb27ba7c8963

SHA512
2592ebac631a3815549fa3fcf25e1246af349ad7d0eeeda59bbbca58ce685fb2b8382a0a1acbc82e29fb5dc50ab36e2144badf299e6ca15bfd5029a18cad4af6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
740a97a283ffd3b5a6cdff119bddd314

SHA1
551fc682626ba9e4a905f71826597752f7a2fca7

SHA256
206569c773f7c102ea59944757d21e92fe79a9598d93682b75fc9fd511108241

SHA512
0130dbfea0ed4ef0e05a26b6a3546c6367d977b4ac26a65049c641dafa7ee00fbb5350377304fc1acff66d3825c211cdefa32877ddec1e07b827519deed5a1a1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8a947dc63b45516669985a9b62e143a7

SHA1
26dd7095b427dc4b6d8bddaa78c5b8c7fa1892b8

SHA256
6f192cab736d650b4135fcd8c126ddcbee88ad331acd9786f7bcea6a47cd59a3

SHA512
e7d160995a19a611797f8404c1cf5344adbe35d8a01999262b09f01bdc66a4e6becb9eef300226e5e6e7db36b71679c0423026aecb4f4db9939618aa5e29bc5c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9e4bd17eed0c0780b4134175beccdb23

SHA1
1dda96768ae7fe2527920352341b4dc01eca99d4

SHA256
f4d8280eb57307698d05df1c2ca428200e1de0a6473db1ed76b602a1c3a3ea2a

SHA512
43008e1614fc66df2a1fc0284857a6edc72d08a2d6fb7de789dd84ea87fb8120965e57fdede086dd49257a09c28730583a97f1b7b363cb455bc9daa581950d8e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
798b42f8fe13df27d96dc61ac41e0a83

SHA1
8c6c25303e0136411a9f203ee979305bbb7b423b

SHA256
3d194dd3713cb006693dc63e398cd0213ef773aa0783cccce36d61c431ad4970

SHA512
88228946a1632d33b02b795ffb5a16e77175d8e725ed3036e5d942baaa3f01392748aa3e873ce892d4ddd6595a2c2b5f28cbe70eb7175721013d3c9c34a115e6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
fb306e86a44d24e83e96e034d9aa75f8

SHA1
08286554a9a1d54af328e614c6671a704e3db5bc

SHA256
207aebae7f0507f5dd31fd128ebfc02606e53400484e569c1d2dc128dcf82bf6

SHA512
19cf4db2a4f3af39bc128943185b36043146be579f3aeea7036edd475dfaa92b63a6da59a54c45a66a1f31f5fcd7fa7ab3a213fc55d0a45f9329f2c9366f2437

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7ae7f6401837e3a658ce139313dde75b

SHA1
733150599f9979b659b0e3a4ca5daed7801cd39f

SHA256
7b82cee7ab06c160f3de0870808640302a1a75f3d36d6b41a9946637eb82d1bf

SHA512
5c2ee17b447f9a92cb5a9b903bd43511af72f8642f4fb6559e0af70c13680cef46fbd98f40d7e01e033cc011240414476ce18dc85e25e248ba91b8b60e33872c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
412ff1282f98be3fb54b75fd47959fa4

SHA1
e4015670a7e9179fa671b3109a5154be835bb326

SHA256
0a130b07194c0712babd215af95392a16815355a41e781022f56b6600326d8b3

SHA512
29518d409edb2482890dff6963209423eb1fce2ea11a3db8dc10020c45f147d5016846ea1473482b6bb009ae7dd49f2ee5e3d75c666fc8ffedd2b13ce9f1be16

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c086dccd87f065c9908332205dc78575

SHA1
7ca7938f032ab1775d2f418eb0e352f8d9e0d938

SHA256
6c68e72f3f34f2b03c24d2fd69662b84897a5f74a795ab7058eebabf6edd34a7

SHA512
401aae9af89e170f4e79eb426e96050ba652e5a432ce0245c05fbceb5383301e51b95ff94cff551fcc532aa411ba0278826b13ee41bb22b67f57852b1eb35c58

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a2d30b593afe68608c168d074e05b9ea

SHA1
ce4e483c0200a2c63c85ae0eb8e4caf07c8844ac

SHA256
a46ea377b032aefa4a827b707e12702b8b41fe4d75a90e9dbb998d596a9019a4

SHA512
dd7cc2491538aa39738db3fcd2985081d293113f9e1f6e962cc4ca901113c14df4162c87fa7d1b6a8b5a8acb433b73f7b2a6abd51c3ac5b7d9107cc6c5042b75

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
39460d36aefd7d2697d386ee9f42f61f

SHA1
6b7f2db28457f134c0a8185af2ee3b10c7bf9e05

SHA256
38fa3d4f7687b67317bb52469c08834c2ce42fae17844e476000efac0aaffcd5

SHA512
f051a166fb7c13e95905c437a9654fc0d09934e0b718f78ef60a3503250005eb93e1854f9ac7025095d396de2e04256011b0160182916c68acd6edd96cb4a009

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
09128a8143f9a324fad0da2c7ae162a9

SHA1
5d9e593df2685f0615899880175ca51894db8e00

SHA256
051c76867ddebb0e2523e2813ac07e4161da4a6447ee60e4f4266ce91e7cb940

SHA512
5a581cc1802a35e97d1b278796f1d57a34ee87f8bc4627a47801085c4187fe4010563c4752f92f56cf0f5cecd352ad6e6d5d764bd84ee28ad33e28e7495f4063

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
80cdc3e69149a2251d487654d7d66c13

SHA1
2835a5c58dea1922d2ffedffb9627a285cd83a80

SHA256
34bff4789ea1c35a59d49322485948a4e9814af57d9696ea84cc41026b55056d

SHA512
c92275ed5ea1e54fb225f90fe58e99a648f0274f0feba57ee681d5f2ededf558d3c9c8e2de72cd5d7488b202a08a42e6d78c3946d035f049cd43989d64ed822b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f3558c8b31eb4729eb890c224e152abf

SHA1
08b0c508d4e5ef89c1d84826234b7caccdab5267

SHA256
c798484708b5884a3bc60ae2273aff66b42f5052d2ebb6b732d43a4a8769aaa7

SHA512
1f20e29edfd174fddb59eb4c72e3b8b41ff9aaaedcd7fd4672af27daa43714e6cae01a10b070d03b6943d4721940f85fbc9b9a65cb8f900571a29bb9b77367a6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
db83d0ea4f33c22ae3348de26ea416f9

SHA1
638bf712edb3208c5354d4d9687bd2246af22551

SHA256
d1ebc6a646b114fd7e70859c43e014a47d9ec446c74c45a0072b63df7da1f78a

SHA512
9077567eb8802f43d61d54a73b0b8727a258bb9c16e24dea5dd7765ae831ddab5adeb431f216f1dd83881ab4e4b7a7c974f3d2be176d78076f8be225c5903c65

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0a7981da5b155b22c7e1ef33991694a7

SHA1
a40e5d5fa3ba1ab5867cedc8080d11437fddb4a8

SHA256
3f1e7b27b69c7c310946e2afd58349f9abf9dad80e19331f2c7c79e34dc8fa44

SHA512
10dfef6ca8dc1909dbba0a62cfe4d63db2a50fe93ee7107c9991f677ec7cdbd9b121b53622c2a2deca12a71aa6f051ccd9c99e9cc09ceed379d3625ce0257820

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1d0df9706e93952e5ed246a18a44666c

SHA1
df03431f2c69f6b689f2d559de09f10b3dec339c

SHA256
eebc9c2b4f2fdb2497e024e414c80d39bff7d2edf1332699afd7d41e495e0b7f

SHA512
5ae35c583bd51ac1eddbaba4aedcbc7bed6109b2ce4ef8fee87396d669a33d5678ac0928ca6171919f21e9277b26e59ae68df019634550af3e18317218de386a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b443c18ab4fcbab32cbc80d012fad80c

SHA1
dc5bfc1548488853211df45262579a90c7718318

SHA256
b6e77b1f214bb86f47992ab433f91667327b3ebcbe6fee05661c8d1d361ffc9d

SHA512
497b2ba98dab018e3e7faee7a5ed82fc800779be88b5461ba5b2ec4548fac851e17b465baab18de7121a4398b4aed9e8a4185f042b5dd96a175da78d9c493dcf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
309f7c33fcbfe3339352fecbf724566c

SHA1
4662f7a91f60af4007c0b68c8b7d80d90f6d2c73

SHA256
0abb47a843cdd9f80414601743419c6d867e4d999da5df00f6cbc21e3ece5a1f

SHA512
9a11b3094a3382b900f959afe78e311ba6c5fecec02d1155dc7946807db57da30505baed19ec1094143baa29a93805713652de04626c71009b40114a64f8e43e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
430059ead18f39839aba4c8fdc3cdb54

SHA1
b5f88542e3300ba8ccf30cba190efb9b70b89c1d

SHA256
dfc6e2d0c076adcca53948702565aef59b07ab28b3f395ac0ad12481d3339892

SHA512
fa3762490488fb0ea73068c00d2a6b1136f421407fa43b887515343f1c31b5b7b9ec4a5e43d67ac2f40c5d07c14af95a495ac15cee025ffa63b549c357fe6982

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5053b9b32b031a9e0355ccebeffcdf30

SHA1
f4c516bf3d3705476f892cc9a32a8daefee8a25d

SHA256
7f6d506428f858fd23ec4c4fd43426dce51157817e39f88fc6dec4969cfd9a89

SHA512
32650bc8a03e1ae784256758211cd0aa90c1fb480183effbcd594edbb449939e7ed01e3d038fceca952e744238251522dd15dae74f6ad8c348fdc56dd4b7fc06

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
847059e55fc223a6c4bdb806f2bd0304

SHA1
c2b28281d8fd3ac87d1e1f73b5e1ccfdeeb819d5

SHA256
a53f81927bd531956d6d12c3fea1e360aa5cba98e2b73cd3333838e5a4f5a93e

SHA512
f03087abf419b97c1308c4eae58818b29607c3d722da8e18cf1a4db9270eb9ab04fddde227e8dc997bbe012899c7dbccd0ed4b8237b7f3e2601751683c2677ab

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
bf1b9a296a9c09c7addf6dfdad82da81

SHA1
ca985892a983b99ef932be6b1bde4f83a1d80302

SHA256
73436a269a1184f92d62f6a0b7970727a52bae07f5f6146773752959f3bfb863

SHA512
e0e2aa8a58b40f06c33f334c71f5b650316815781c02e5805481127354a426eb19d1b8f060684b2086576a03b2f3c763660e2106d6031ccca882daf1300c3a7a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
442067bbf83b1548f58c3f830d925ee2

SHA1
c693b270b0cf427e0497ade8178b78e3c9da1427

SHA256
df1d45145ba84e6764bd317b4b27ca301c97e944b16a4ef21c8f51163ea16b17

SHA512
1fae1b4c916f03f4ddf241310da60ee156abb0cd992ee4245e99f14c70c00ff3ef050d2ea26c287f27a36d1aa2f16da483cb4b50ec4dd14158d76276c91e8087

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0739aa345daf08ad5290db31a1be94c9

SHA1
153b3aef01354b10f7f5f89d8ae857ca2b13784d

SHA256
e7427d93d85b841a7a4a9772770608428a85b7225d00a4dee12b877432887e09

SHA512
117c7ef898e8d2dc74ec3dbab2b916552dfedede033019cb4e8ddc968f58fca19fcefd3be21d6fb39163a97742cc1d412355b218bffecb179496a4747f8f0ee5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
78cf077c66e8f05205673eecbd6c1af3

SHA1
bc4e8d0d6fc1aa0fbcd83a5613809ec87963e3ec

SHA256
e3021f0aadbe8756c465d7b8b855867b3aad9501949ce3fb79871d378a02230b

SHA512
c539c710070796bdbfdadd883b765a648243f9f157775026d6aa9079bf57f7dfb048a9bae12c301c85c8a391882785efd097771d0632fcdc5bf6c29680153130

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
19fe967677ab55a28242edc721a47f62

SHA1
d9a8e7d3a0f82f26afd0f4442c4560c7952884c6

SHA256
dd81006d346861e041cf65a0ccaae5f42dbc058e5c5a6db7598ed4f1b36316e5

SHA512
42d59d5aebb6839c70a8b8200e0debd8835ca6591ec0ffdb07588a3b11efefeb312818a6140ccd279a39bc39b7b78244ddd1b8537bebfd35988033c358b75f26

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b9beee5c0388702c5c83f38fba9293e6

SHA1
79d01cd9eff585cd055531dd5a9d32431cd88b9f

SHA256
1091975c954100e0da43f6146ef29ad419e1850ef9f0ee1b39d2d26a19f58707

SHA512
3b0d262d26929a0b2dbf29fcf764522b38cb8b62b57fa5dde18087d1b839e08bd0e685089511ccbe7feb9c8b908795bf3414b3d1b75221e6ddbb6ded147bd5ab

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
ffdfe9ce46a73f16bf127916a9a0e4f8

SHA1
ff66cf1575f46ea2b2043509dbc8134c4dc37109

SHA256
98a80194b6a96e682e7c7e15ad5f10171e0dfa5d0ec38dffd0c8e5dfc831d1fc

SHA512
40f21fb3673d6d1946a2015035f6528e6d50c4d56650e25290aca9660409afd2bf965db13c1c67d73267a4b7c7739521056a88a1a1c17d37624c0fd32ddb0e9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\2024-09-17_a36ccf5fb6bc5c1342371a21b33a6f0c_cobalt-strike_cobaltstrike_hijackloader_karagany_mafia_poet-rat_5a4cf70d-bdb2-4738-b4bb-f0711abbba73\!m.bat

Filesize
1KB

MD5
d295fd5b892b165427abecd1b5aac987

SHA1
ec1bb8ab7bb5ffd6d1c971fde332dab00f78cf5b

SHA256
855a00d99d2cb67512ca1fb49a9954bc085ed9ada3a2d2226757bb347e2cad58

SHA512
800d97dfdb1ef9923c82bf31a77b4cad49bf886aa055d5ee7f4396bc6bcd597a9e638ccdd1cd4878de7d8d273d60228604f97ee6e5b07668002fb08e9636f289

Download Submit
C:\Users\Admin\AppData\Local\Temp\2024-09-17_a36ccf5fb6bc5c1342371a21b33a6f0c_cobalt-strike_cobaltstrike_hijackloader_karagany_mafia_poet-rat_5a4cf70d-bdb2-4738-b4bb-f0711abbba73\avg.exe

Filesize
5.8MB

MD5
0dc93e1f58cbb736598ce7fa7ecefa33

SHA1
6e539aab5faf7d4ce044c2905a9c27d4393bae30

SHA256
4ec941f22985fee21d2f9d2ae590d5dafebed9a4cf55272b688afe472d454d36

SHA512
73617da787e51609ee779a12fb75fb9eac6ed6e99fd1f4c5c02ff18109747de91a791b1a389434edfe8b96e5b40340f986b8f7b88eac3a330b683dec565a7eff

Download Submit
C:\Users\Admin\AppData\Local\Temp\2024-09-17_a36ccf5fb6bc5c1342371a21b33a6f0c_cobalt-strike_cobaltstrike_hijackloader_karagany_mafia_poet-rat_5a4cf70d-bdb2-4738-b4bb-f0711abbba73\bundle.exe

Filesize
429KB

MD5
ae4581af98a5b38bce860f76223cb7c9

SHA1
6aa1e2cce517e5914a47816ef8ca79620e50e432

SHA256
7c4b329a4018dc7e927a7d1078c846706efae6e6577f6809defaa51b636e7267

SHA512
11ad90a030999bbb727dbfde7943d27f2442c247633cde5f9696e89796b0f750f85a9be96f01fa3fd1ec97653a334b1376d6bb76d9e43424cabe3a03893ecf04

Download Submit
C:\Users\Admin\AppData\Local\Temp\2024-09-17_a36ccf5fb6bc5c1342371a21b33a6f0c_cobalt-strike_cobaltstrike_hijackloader_karagany_mafia_poet-rat_5a4cf70d-bdb2-4738-b4bb-f0711abbba73\butdes.exe

Filesize
2.8MB

MD5
1535aa21451192109b86be9bcc7c4345

SHA1
1af211c686c4d4bf0239ed6620358a19691cf88c

SHA256
4641af6a0071e11e13ad3b1cd950e01300542c2b9efb6ae92ffecedde974a4a6

SHA512
1762b29f7b26911a7e6d244454eac7268235e2e0c27cd2ca639b8acdde2528c9ddf202ed59ca3155ee1d6ad3deba559a6eaf4ed74624c68688761e3e404e54da

Download Submit
C:\Users\Admin\AppData\Local\Temp\2024-09-17_a36ccf5fb6bc5c1342371a21b33a6f0c_cobalt-strike_cobaltstrike_hijackloader_karagany_mafia_poet-rat_5a4cf70d-bdb2-4738-b4bb-f0711abbba73\code.js

Filesize
4KB

MD5
016bf2cf2bad527f1f1ea557408cb036

SHA1
23ab649b9fb99da8db407304ce9ca04f2b50c7b4

SHA256
17bb814cfaa135628fd77aa8a017e4b0dcd3c266b8cdca99e4d7de5d215643c0

SHA512
ac2d4f51b0b1da3c544f08b7d0618b50514509841f81bc9dad03329d5c1a90e205795a51ca59522d3aa660fb60faae19803eceeeea57f141217a6701a70510e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\2024-09-17_a36ccf5fb6bc5c1342371a21b33a6f0c_cobalt-strike_cobaltstrike_hijackloader_karagany_mafia_poet-rat_5a4cf70d-bdb2-4738-b4bb-f0711abbba73\doc.html

Filesize
15KB

MD5
5622e7755e5f6585a965396b0d528475

SHA1
b059dc59658822334e39323b37082374e8eeaac4

SHA256
080cb8ef0cbf5a5de9163b365eec8b29538e579f14a9caa45c0f11bc173c4147

SHA512
62f5abda3473ca043bf126eed9d0bcc0f775b5ac5f85b4fe52d1d656f476f62188d22cf79b229059a5d05e9258980c787cb755f08ca86e24e5f48655b5447f8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\2024-09-17_a36ccf5fb6bc5c1342371a21b33a6f0c_cobalt-strike_cobaltstrike_hijackloader_karagany_mafia_poet-rat_5a4cf70d-bdb2-4738-b4bb-f0711abbba73\download.jpg

Filesize
8KB

MD5
01a5131931ef35acecbe557ba13f3954

SHA1
c7afc7590d469432704d963ffcee31ad8bcfc175

SHA256
d364872ddde28d81d23bb3b08f9e86f921b542f3a35fcaf12549cf5666462bd0

SHA512
ce32352484d676bd0f47c24808707c603fe9f09e41afd63d90f07599f13a5e32c73b0970a9964632f76f5843dda87a033340ee12fadd87b9f219329d0c69b02e

Download Submit
C:\Users\Admin\AppData\Local\Temp\2024-09-17_a36ccf5fb6bc5c1342371a21b33a6f0c_cobalt-strike_cobaltstrike_hijackloader_karagany_mafia_poet-rat_5a4cf70d-bdb2-4738-b4bb-f0711abbba73\e.exe

Filesize
61KB

MD5
c085484b593c7089907af551de309a05

SHA1
f503ae9f559fd76073578686d2193a6956747fea

SHA256
b78b116d79d8f9613510dbde5aa4a8ca59913ee32df540d06defa214489972d2

SHA512
72b458179362a1bb2888213736e5731d0bafe094feaac11a44e78f7a5ed60a4d6f275aa32bbce41950852a31bc55ce19266f26cd3e66bec9f35dc5aafe97fba1

Download Submit
C:\Users\Admin\AppData\Local\Temp\2024-09-17_a36ccf5fb6bc5c1342371a21b33a6f0c_cobalt-strike_cobaltstrike_hijackloader_karagany_mafia_poet-rat_5a4cf70d-bdb2-4738-b4bb-f0711abbba73\fence.bat

Filesize
167B

MD5
6465a5431e01a80bf71aca9e9698e5b0

SHA1
d56ed108f13a6c49d57f05e2bf698778fd0b98dc

SHA256
1c5f05fecfc1f4fd508f1d3bbb93a47e8b8196b9eded5de7152a6fa57ca7580f

SHA512
db7f64b8af595d0bf6fd142471868df6d29ec7cfbb49a7e0da63d9bc8ca8f319e4c41f2c7baeafe17a3679861163400ccb36c18617982b244aaf482e9c264e55

Download Submit
C:\Users\Admin\AppData\Local\Temp\2024-09-17_a36ccf5fb6bc5c1342371a21b33a6f0c_cobalt-strike_cobaltstrike_hijackloader_karagany_mafia_poet-rat_5a4cf70d-bdb2-4738-b4bb-f0711abbba73\flydes.exe

Filesize
833KB

MD5
b401505e8008994bf2a14fdf0deac874

SHA1
e4f7f375b1e88dd71a0274a997ed5d9491bde068

SHA256
6bcf6b84d71737787e3cc8d9d0eed9720f388cc2d0337832a7e8ca3c6f455a41

SHA512
1bca98547ecf5a98d42b1d77cff50ca79ee560c893b2470aeb86887fef6e40a5ccdb72956f04a1d2a862827eebd3b7746e3043f3e6209597dcde9385ed55cc11

Download Submit
C:\Users\Admin\AppData\Local\Temp\2024-09-17_a36ccf5fb6bc5c1342371a21b33a6f0c_cobalt-strike_cobaltstrike_hijackloader_karagany_mafia_poet-rat_5a4cf70d-bdb2-4738-b4bb-f0711abbba73\fries.jpg

Filesize
12KB

MD5
c4d9d3cd21ef4de91abc95f99c4bc7dc

SHA1
b2cf457237c44c824068727b8440fe6a352a360c

SHA256
6fd1c3bde9a6a478e39d1cf2121e980c0bcf59454fe1673d707aa70170953bc9

SHA512
d10fbb0bdfb30160484950aa58bd2f97c38cf2d0914550b4041c9acd273e8013920ef1ee74216f92437a44ab81111a4c70ed3dc2df680ee4d187c22557900ee7

Download Submit
C:\Users\Admin\AppData\Local\Temp\2024-09-17_a36ccf5fb6bc5c1342371a21b33a6f0c_cobalt-strike_cobaltstrike_hijackloader_karagany_mafia_poet-rat_5a4cf70d-bdb2-4738-b4bb-f0711abbba73\gadget.msi

Filesize
23.4MB

MD5
906ad3937f0abd2e5383dc162340496b

SHA1
d63fe621af79e1468ee0cf52e119ffd21775ca8a

SHA256
821e33cf757bd01bec6703796c01726e6674b8de3bc1e7ea834318039e46909e

SHA512
624d76f7905f57679b647cfc676aa8c55cac72d6baa60db7d5ae45662de5da55f856f64adca382b315810088e757903f6c051685fcc83fe330016a8a95754d79

Download Submit
C:\Users\Admin\AppData\Local\Temp\2024-09-17_a36ccf5fb6bc5c1342371a21b33a6f0c_cobalt-strike_cobaltstrike_hijackloader_karagany_mafia_poet-rat_5a4cf70d-bdb2-4738-b4bb-f0711abbba73\gx.exe

Filesize
3.1MB

MD5
80bf3bf3b76c80235d24f7c698239089

SHA1
7f6071b502df985580e7c469c6d092472e355765

SHA256
2b95e56af10406fbd3ecee38dab9e9c4a9b990d087f2ad2d7b1981c087829da2

SHA512
076b8b6a80ea15738ce682cc715792546582d7a74f971f94f6b5b9cf8164f01280322baec7f72894ac4b8d63b9f2f6074e8fc5e47880ef6c0b57a47beef3581a

Download Submit
C:\Users\Admin\AppData\Local\Temp\2024-09-17_a36ccf5fb6bc5c1342371a21b33a6f0c_cobalt-strike_cobaltstrike_hijackloader_karagany_mafia_poet-rat_5a4cf70d-bdb2-4738-b4bb-f0711abbba73\i.exe

Filesize
12KB

MD5
cea5426da515d43c88132a133f83ce68

SHA1
0c224d0bb777f1e3b186fdf58cc82860d96805cc

SHA256
2be7a0865ded1c0bd1f92d5e09bb7b37a9e36a40487a687e0359c93878611a78

SHA512
4c1f25147222c84dff513bebf00e828719454ad634ef9380cfc7835f0457a718b4b437ecb60c1fa72a7f83fbb67e1ddfcd225194eedda77034c72f8c752c642c

Download Submit
C:\Users\Admin\AppData\Local\Temp\2024-09-17_a36ccf5fb6bc5c1342371a21b33a6f0c_cobalt-strike_cobaltstrike_hijackloader_karagany_mafia_poet-rat_5a4cf70d-bdb2-4738-b4bb-f0711abbba73\images.jpg

Filesize
13KB

MD5
49f4fe0c8646909c7cf87adf68d896fd

SHA1
9193264c38e5ed9fa0f5be1d79f802cf946a74cf

SHA256
9292dfcddc9e88e5dbc095ceeb83ce23400a3405a4d47fffc80656941c87d5ec

SHA512
9df4db8c958110cea66f627170919346ed673d3c13aa55292484fc74ebac2864b0292cd4d66d35957b4b2740b2fe30ddfb9d9e04115d655fb58bf39e100d285e

Download Submit
C:\Users\Admin\AppData\Local\Temp\2024-09-17_a36ccf5fb6bc5c1342371a21b33a6f0c_cobalt-strike_cobaltstrike_hijackloader_karagany_mafia_poet-rat_5a4cf70d-bdb2-4738-b4bb-f0711abbba73\nuggets.webp

Filesize
32KB

MD5
e40209599b592630dcac551daeb6b849

SHA1
851150b573f94f07e459c320d72505e52c3e74f0

SHA256
3c9aefa00fb2073763e807a7eccac687dcc26598f68564e9f9cf9ffdcd90a2be

SHA512
6da5895f2833a18ddb58ba4a9e78dd0b3047475cae248e974dc45d839f02c62772a6ba6dfe51dd9a37f29b7ec9780e799f60f0e476655006dec693164e17eec2

Download Submit
C:\Users\Admin\AppData\Local\Temp\2024-09-17_a36ccf5fb6bc5c1342371a21b33a6f0c_cobalt-strike_cobaltstrike_hijackloader_karagany_mafia_poet-rat_5a4cf70d-bdb2-4738-b4bb-f0711abbba73\rckdck.exe

Filesize
6.2MB

MD5
a79fb1a90fb3d92cf815f2c08d3ade6d

SHA1
25e5e553af5e2d21b5cfc70ba41afb65202f6fd5

SHA256
43759b0c441fd4f71fe5eeb69f548cd2eb40ac0abfa02ea3afc44fbddf28dc16

SHA512
82aa45337987c4f344361037c6ca8cf4fbf0fc1e5079ac03f54f3184354792965f6f3b28bd2ab7b511d21f29859e2832fc6b6122a49ddecde12afc7e26fd62dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\2024-09-17_a36ccf5fb6bc5c1342371a21b33a6f0c_cobalt-strike_cobaltstrike_hijackloader_karagany_mafia_poet-rat_5a4cf70d-bdb2-4738-b4bb-f0711abbba73\stopwatch.exe

Filesize
68KB

MD5
338a4b68d3292aa22049a22e9292e2a2

SHA1
9595e6f6d5e18a3e71d623ac4012e7633b020b29

SHA256
490d833205f9dfe4f1950d40c845489aa2d2039a77ab10473384986f8442ea6f

SHA512
06bc6463b65508d050c945d5bf08078eecd6982c74c7bab2a6722b99523189d24f530c10c05577e0dbd5b46e896d472112d036023ef5e576e2a8f9401b8668a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\2024-09-17_a36ccf5fb6bc5c1342371a21b33a6f0c_cobalt-strike_cobaltstrike_hijackloader_karagany_mafia_poet-rat_5a4cf70d-bdb2-4738-b4bb-f0711abbba73\t.exe

Filesize
62KB

MD5
9e0c60453cdea093fa4c6762f9b1fda9

SHA1
02dfa74e42739c4e8a9a0534273f6a89b51f1dd3

SHA256
269c6da90935306778f4f76005d1f00b49703f8819b60e2764cc14a5abc9a781

SHA512
fc499cb6b98529c7a856c9ec7198f2a6d00d0c0d6b16e826913ab8dca2602f6700e3956749d3316484b94e6867f54cf99aa77f23375ea6c5ea75daa88c91aa96

Download Submit
C:\Users\Admin\AppData\Local\Temp\2024-09-17_a36ccf5fb6bc5c1342371a21b33a6f0c_cobalt-strike_cobaltstrike_hijackloader_karagany_mafia_poet-rat_5a4cf70d-bdb2-4738-b4bb-f0711abbba73\telamon.exe

Filesize
2.3MB

MD5
6a80889e81911157ca27df5bc5ac2e09

SHA1
02ac28dd7124317e294fac847a05b69411c9cdb2

SHA256
0b74c13914f712fce5bb41c25a443c4214a97792bdbb6fea05b98350901405ff

SHA512
329ec105834f4531386090074994e5c4ddbdaf4cc4801956b675e258e9167f9e70cf31b8d636d119b59b57af0912decdc259d12999842008cec807a967c89aef

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabA066.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarA134.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-D8L6H.tmp\telamon.tmp

Filesize
3.1MB

MD5
292d91bef15a5a5d5f5c06425a96e0ee

SHA1
5f4400c94ceebf54825e94cb5d9f616850331e96

SHA256
b6f6cbd03951a6feee4d4766443ce0b7623db000cbfe774146ee43f5a5831373

SHA512
0aca0538ce4c94ef9a8008846add36f51db001905f6cdb373a0348094f11762269aaf92928c6761eb41b1b22cd045ece325b9cd71c67944a1e6c092a72fca200

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-LUH6E.tmp\is-N1Q2R.tmp

Filesize
659KB

MD5
5aa68bb2bf3b994bda93834ad34e7963

SHA1
0156732d5dd48feacfab3aa07764061d73b9116c

SHA256
a90bfd9874c3e60650dba4c286b97ccdb375a456b95556feb38f3cba214770aa

SHA512
e52fecbba96aa911552ef0e11d5d044ec44caf6e0947f64c9a17b04d846a3e86d19e4dfa5ac981fc98d44f941fda3a697c1d23ac6e8ef162f4bcdde9142f22f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\nspA8CF.tmp\JsisPlugins.dll

Filesize
2.1MB

MD5
d21ae3f86fc69c1580175b7177484fa7

SHA1
2ed2c1f5c92ff6daa5ea785a44a6085a105ae822

SHA256
a6241f168cacb431bfcd4345dd77f87b378dd861b5d440ae8d3ffd17b9ceb450

SHA512
eda08b6ebdb3f0a3b6b43ef755fc275396a8459b8fc8a41eff55473562c394d015e5fe573b3b134eeed72edff2b0f21a3b9ee69a4541fd9738e880b71730303f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nspA8CF.tmp\StdUtils.dll

Filesize
195KB

MD5
34939c7b38bffedbf9b9ed444d689bc9

SHA1
81d844048f7b11cafd7561b7242af56e92825697

SHA256
b127f3e04429d9f841a03bfd9344a0450594004c770d397fb32a76f6b0eabed0

SHA512
bc1b347986a5d2107ad03b65e4b9438530033975fb8cc0a63d8ef7d88c1a96f70191c727c902eb7c3e64aa5de9ce6bb04f829ceb627eda278f44ca3dd343a953

Download Submit
C:\Users\Admin\AppData\Local\Temp\nspB1F3.tmp\CR.History.tmp

Filesize
148KB

MD5
90a1d4b55edf36fa8b4cc6974ed7d4c4

SHA1
aba1b8d0e05421e7df5982899f626211c3c4b5c1

SHA256
7cf3e9e8619904e72ea6608cc43e9b6c9f8aa2af02476f60c2b3daf33075981c

SHA512
ea0838be754e1258c230111900c5937d2b0788f90bbf7c5f82b2ceda7868e50afb86c301f313267eaa912778da45755560b5434885521bf915967a7863922ae2

Download Submit
C:\Users\Admin\AppData\Local\Temp\nspB1F3.tmp\Midex.dll

Filesize
126KB

MD5
2597a829e06eb9616af49fcd8052b8bd

SHA1
871801aba3a75f95b10701f31303de705cb0bc5a

SHA256
7359ca1befdb83d480fc1149ac0e8e90354b5224db7420b14b2d96d87cd20a87

SHA512
8e5552b2f6e1c531aaa9fd507aa53c6e3d2f1dd63fe19e6350c5b6fbb009c99d353bb064a9eba4c31af6a020b31c0cd519326d32db4c8b651b83952e265ffb35

Download Submit
C:\Users\Admin\AppData\Local\Temp\nspB1F3.tmp\thirdparty.dll

Filesize
93KB

MD5
7b4bd3b8ad6e913952f8ed1ceef40cd4

SHA1
b15c0b90247a5066bd06d094fa41a73f0f931cb8

SHA256
a49d3e455d7aeca2032c30fc099bfad1b1424a2f55ec7bb0f6acbbf636214754

SHA512
d7168f9504dd6bbac7ee566c3591bfd7ad4e55bcac463cecb70540197dfe0cd969af96d113c6709d6c8ce6e91f2f5f6542a95c1a149caa78ba4bcb971e0c12a2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\27498GYD693OOIAJP3MJ.temp

Filesize
7KB

MD5
d6c3246421e961e18d5a54ebfa19c273

SHA1
ffd2ada6b665a59ae5324aee8a1824d7bc97ca98

SHA256
df49b4a44e4d9b8ac564df4895d0bdca0d7076965daca489af8ee69e828b3398

SHA512
c2bef3e1dcd5d9c8f444ee048fb5692de344f57846a6aa2a9df85da7e889cde9f75591e32e8465693c155ac571f63f4e707d5f014b48f714a2b97af8e11b4cf6

Download Submit
C:\Windows\system\mPNkzDG.exe

Filesize
5.2MB

MD5
bd90b269bb0d0046771a5c965cbc08f4

SHA1
091d87c2e0dd55053d6dabfb577a085b3861d312

SHA256
51ee8675520087d26b466c3a92e9a8664c4948eb57f73d8b494d7396a64858a1

SHA512
9c0069cc8b697623fbc2ce4ac41d6d66919bbe14745af1ded884bd06b3dbbb800fba30be66e2fd40b194539defbdb72108c02f7f9f7dfcc85bb87ea43606cedc

Download Submit
\Users\Admin\AppData\Local\Temp\2024-09-17_a36ccf5fb6bc5c1342371a21b33a6f0c_cobalt-strike_cobaltstrike_hijackloader_karagany_mafia_poet-rat_5a4cf70d-bdb2-4738-b4bb-f0711abbba73\anti.exe

Filesize
1.9MB

MD5
cb02c0438f3f4ddabce36f8a26b0b961

SHA1
48c4fcb17e93b74030415996c0ec5c57b830ea53

SHA256
64677f7767d6e791341b2eac7b43df90d39d9bdf26d21358578d2d38037e2c32

SHA512
373f91981832cd9a1ff0b8744b43c7574b72971b5b6b19ea1f4665b6c878f7a1c7834ac08b92e0eca299eb4b590bf10f48a0485350a77a5f85fc3d2dd6913db3

Download Submit
\Users\Admin\AppData\Local\Temp\2024-09-17_a36ccf5fb6bc5c1342371a21b33a6f0c_cobalt-strike_cobaltstrike_hijackloader_karagany_mafia_poet-rat_5a4cf70d-bdb2-4738-b4bb-f0711abbba73\g.exe

Filesize
60KB

MD5
ea64d01d756080b86e8e5af63ed6eb50

SHA1
008634fbd4cd348165dbe540ea529f27bd39e5c0

SHA256
35fc36cdd77b1eae66fd02fec2f47cf06841365f6ab66160ed8cf522d71355f7

SHA512
7e7046017eb32e804fb213070997ef228a12426e0f157e959a97a4e27f816eb66b365850cc18ae8573519623db354740d7c008c09734f404d31775e79ead2bb0

Download Submit
\Users\Admin\AppData\Local\Temp\2024-09-17_a36ccf5fb6bc5c1342371a21b33a6f0c_cobalt-strike_cobaltstrike_hijackloader_karagany_mafia_poet-rat_5a4cf70d-bdb2-4738-b4bb-f0711abbba73\g_.exe

Filesize
69KB

MD5
3cb72c753dd5e198792d1e0be81f7e2b

SHA1
8a55b72a998bf8362a12f68ee8c4801a5a24754c

SHA256
be9d8772b360ca8054929e5f057413b69932ca8e521e6c696e0fb6b371e8cb97

SHA512
008ed2e26fb4f41e9bb245130cc8f285744ccf737adeffc4c78cb11c03261f906cfd50b5b9e78f2c17dc2b8a01d83554e93f4960370064af87e84322cc78ee70

Download Submit
\Users\Admin\AppData\Local\Temp\2024-09-17_a36ccf5fb6bc5c1342371a21b33a6f0c_cobalt-strike_cobaltstrike_hijackloader_karagany_mafia_poet-rat_5a4cf70d-bdb2-4738-b4bb-f0711abbba73\ucrtbased.dll

Filesize
1.7MB

MD5
c3130cfb00549a5a92da60e7f79f5fc9

SHA1
56c2e8fb1af609525b0f732bb67b806bddab3752

SHA256
eee42eabc546e5aa760f8df7105fcf505abffcb9ec4bf54398436303e407a3f8

SHA512
29bab5b441484bdfac9ec21cd4f0f7454af05bfd7d77f7d4662aeaeaa0d3e25439d52aa341958e7896701546b4a607d3c7a32715386c78b746dfae8529a70748

Download Submit
\Users\Admin\AppData\Local\Temp\2024-09-17_a36ccf5fb6bc5c1342371a21b33a6f0c_cobalt-strike_cobaltstrike_hijackloader_karagany_mafia_poet-rat_5a4cf70d-bdb2-4738-b4bb-f0711abbba73\vcruntime140d.dll

Filesize
130KB

MD5
ee7fbf8768a87ea64ad4890540ce48f9

SHA1
bcbc1ebd5a592c2df216d3211f309a79f9cd8a9b

SHA256
03eafdf65d672994e592b8acc8a1276ccae1218a5cb9685b9aa6a5ffe1a855fe

SHA512
0cbf346d46b5c0b09c1f3fb4837c8df662bf0c69de8c4ae292b994ec156c91b78dbaad733226d765b1ca3ee1695566dc90bf85086e438fa15b9eb32058abce80

Download Submit
\Users\Admin\AppData\Local\Temp\is-BT8JE.tmp\flydes.tmp

Filesize
688KB

MD5
c765336f0dcf4efdcc2101eed67cd30c

SHA1
fa0279f59738c5aa3b6b20106e109ccd77f895a7

SHA256
c5177fdc6031728e10141745cd69edbc91c92d14411a2dec6e8e8caa4f74ab28

SHA512
06a67ac37c20897967e2cad453793a6ef1c7804d4c578404f845daa88c859b15b0acb51642e6ad23ca6ba6549b02d5f6c98b1fa402004bdbf9d646abab7ec891

Download Submit
\Users\Admin\AppData\Local\Temp\nspA8CF.tmp\jsis.dll

Filesize
127KB

MD5
2027121c3cdeb1a1f8a5f539d1fe2e28

SHA1
bcf79f49f8fc4c6049f33748ded21ec3471002c2

SHA256
1dae8b6de29f2cfc0745d9f2a245b9ecb77f2b272a5b43de1ba5971c43bf73a1

SHA512
5b0d9966ecc08bcc2c127b2bd916617b8de2dcbdc28aff7b4b8449a244983bfbe33c56f5c4a53b7cf21faf1dbab4bb845a5894492e7e10f3f517071f7a59727c

Download Submit
\Users\Admin\AppData\Local\Temp\nspA8CF.tmp\nsJSON.dll

Filesize
36KB

MD5
f840a9ddd319ee8c3da5190257abde5b

SHA1
3e868939239a5c6ef9acae10e1af721e4f99f24b

SHA256
ddb6c9f8de72ddd589f009e732040250b2124bca6195aa147aa7aac43fc2c73a

SHA512
8e12391027af928e4f7dad1ec4ab83e8359b19a7eb0be0372d051dfd2dd643dc0dfa086bd345760a496e5630c17f53db22f6008ae665033b766cbfcdd930881a

Download Submit
memory/556-3326-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/556-3059-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/584-3159-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/608-3412-0x000000013F860000-0x000000013FBB1000-memory.dmp

Filesize
3.3MB

Download
memory/608-3282-0x000000013F860000-0x000000013FBB1000-memory.dmp

Filesize
3.3MB

Download
memory/952-3336-0x000000013FF10000-0x0000000140261000-memory.dmp

Filesize
3.3MB

Download
memory/952-3245-0x000000013FF10000-0x0000000140261000-memory.dmp

Filesize
3.3MB

Download
memory/952-3406-0x000000013FF10000-0x0000000140261000-memory.dmp

Filesize
3.3MB

Download
memory/1008-750-0x0000000000A80000-0x0000000000A9C000-memory.dmp

Filesize
112KB

Download
memory/1008-3166-0x0000000000210000-0x000000000021A000-memory.dmp

Filesize
40KB

Download
memory/1008-2236-0x0000000000210000-0x000000000021A000-memory.dmp

Filesize
40KB

Download
memory/1008-2235-0x0000000000210000-0x000000000021A000-memory.dmp

Filesize
40KB

Download
memory/1008-3167-0x0000000000210000-0x000000000021A000-memory.dmp

Filesize
40KB

Download
memory/1140-3250-0x000000013FC30000-0x000000013FF81000-memory.dmp

Filesize
3.3MB

Download
memory/1140-3408-0x000000013FC30000-0x000000013FF81000-memory.dmp

Filesize
3.3MB

Download
memory/1140-3338-0x000000013FC30000-0x000000013FF81000-memory.dmp

Filesize
3.3MB

Download
memory/1736-3163-0x0000000000400000-0x00000000004B4000-memory.dmp

Filesize
720KB

Download
memory/1916-710-0x000000013FE40000-0x000000013FE66000-memory.dmp

Filesize
152KB

Download
memory/2056-2768-0x000000013F820000-0x000000013F847000-memory.dmp

Filesize
156KB

Download
memory/2056-688-0x000000013F820000-0x000000013F847000-memory.dmp

Filesize
156KB

Download
memory/2136-711-0x000000013FE70000-0x000000013FE96000-memory.dmp

Filesize
152KB

Download
memory/2312-3165-0x0000000000400000-0x0000000000729000-memory.dmp

Filesize
3.2MB

Download
memory/2420-3057-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2420-102-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2716-56-0x0000000074720000-0x0000000074E0E000-memory.dmp

Filesize
6.9MB

Download
memory/2716-1736-0x0000000074720000-0x0000000074E0E000-memory.dmp

Filesize
6.9MB

Download
memory/2716-57-0x0000000000960000-0x0000000000B52000-memory.dmp

Filesize
1.9MB

Download
memory/2728-3162-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2728-613-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2816-686-0x000000013F100000-0x000000013F129000-memory.dmp

Filesize
164KB

Download
memory/2816-2767-0x000000013F100000-0x000000013F129000-memory.dmp

Filesize
164KB

Download
memory/2840-708-0x0000000002420000-0x0000000002446000-memory.dmp

Filesize
152KB

Download
memory/2840-2766-0x0000000002420000-0x0000000002449000-memory.dmp

Filesize
164KB

Download
memory/2840-3160-0x0000000002420000-0x0000000002446000-memory.dmp

Filesize
152KB

Download
memory/2840-3198-0x0000000003550000-0x00000000038A1000-memory.dmp

Filesize
3.3MB

Download
memory/2840-685-0x0000000002420000-0x0000000002449000-memory.dmp

Filesize
164KB

Download
memory/2840-687-0x0000000002420000-0x0000000002447000-memory.dmp

Filesize
156KB

Download
memory/2840-3161-0x0000000002420000-0x0000000002446000-memory.dmp

Filesize
152KB

Download
memory/2840-3291-0x0000000003550000-0x00000000038A1000-memory.dmp

Filesize
3.3MB

Download
memory/2840-709-0x0000000002420000-0x0000000002446000-memory.dmp

Filesize
152KB

Download
memory/2860-3058-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2860-106-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2872-637-0x0000000000400000-0x00000000004ED000-memory.dmp

Filesize
948KB

Download
memory/2872-3164-0x0000000000400000-0x00000000004ED000-memory.dmp

Filesize
948KB

Download
memory/2904-0-0x000000007472E000-0x000000007472F000-memory.dmp

Filesize
4KB

Download
memory/2904-712-0x000000007472E000-0x000000007472F000-memory.dmp

Filesize
4KB

Download
memory/2904-1283-0x0000000074720000-0x0000000074E0E000-memory.dmp

Filesize
6.9MB

Download
memory/2904-1-0x00000000008E0000-0x000000000092A000-memory.dmp

Filesize
296KB

Download
memory/2904-2-0x0000000000290000-0x00000000002B4000-memory.dmp

Filesize
144KB

Download
memory/2904-3-0x0000000074720000-0x0000000074E0E000-memory.dmp

Filesize
6.9MB

Download
memory/2904-3216-0x0000000074720000-0x0000000074E0E000-memory.dmp

Filesize
6.9MB

Download
memory/3360-3410-0x000000013FA50000-0x000000013FDA1000-memory.dmp

Filesize
3.3MB

Download
memory/3360-3262-0x000000013FA50000-0x000000013FDA1000-memory.dmp

Filesize
3.3MB

Download
memory/3400-3297-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/3400-3200-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/3568-3243-0x000000013FF10000-0x0000000140261000-memory.dmp

Filesize
3.3MB

Download
memory/3568-3372-0x000000013FA20000-0x000000013FD71000-memory.dmp

Filesize
3.3MB

Download
memory/3568-3199-0x000000013F400000-0x000000013F751000-memory.dmp

Filesize
3.3MB

Download
memory/3568-3308-0x000000013FA40000-0x000000013FD91000-memory.dmp

Filesize
3.3MB

Download
memory/3568-3305-0x000000013FA20000-0x000000013FD71000-memory.dmp

Filesize
3.3MB

Download
memory/3568-3290-0x000000013FF70000-0x00000001402C1000-memory.dmp

Filesize
3.3MB

Download
memory/3568-3289-0x0000000002190000-0x00000000024E1000-memory.dmp

Filesize
3.3MB

Download
memory/3568-3217-0x0000000000080000-0x0000000000090000-memory.dmp

Filesize
64KB

Download
memory/3568-3239-0x0000000002190000-0x00000000024E1000-memory.dmp

Filesize
3.3MB

Download
memory/3568-3259-0x000000013FA50000-0x000000013FDA1000-memory.dmp

Filesize
3.3MB

Download
memory/3568-3257-0x000000013FE70000-0x00000001401C1000-memory.dmp

Filesize
3.3MB

Download
memory/3568-3248-0x000000013FC30000-0x000000013FF81000-memory.dmp

Filesize
3.3MB

Download
memory/3568-3278-0x0000000002190000-0x00000000024E1000-memory.dmp

Filesize
3.3MB

Download
memory/3568-3274-0x000000013F860000-0x000000013FBB1000-memory.dmp

Filesize
3.3MB

Download
memory/3568-3235-0x0000000002190000-0x00000000024E1000-memory.dmp

Filesize
3.3MB

Download
memory/3568-3234-0x000000013FC70000-0x000000013FFC1000-memory.dmp

Filesize
3.3MB

Download
memory/3568-3222-0x000000013F020000-0x000000013F371000-memory.dmp

Filesize
3.3MB

Download
memory/3568-3328-0x000000013F020000-0x000000013F371000-memory.dmp

Filesize
3.3MB

Download
memory/3568-3298-0x0000000002190000-0x00000000024E1000-memory.dmp

Filesize
3.3MB

Download
memory/3568-3307-0x0000000002190000-0x00000000024E1000-memory.dmp

Filesize
3.3MB

Download
memory/3568-3331-0x000000013FC70000-0x000000013FFC1000-memory.dmp

Filesize
3.3MB

Download
memory/3568-3309-0x0000000002190000-0x00000000024E1000-memory.dmp

Filesize
3.3MB

Download
memory/3568-3335-0x000000013FF10000-0x0000000140261000-memory.dmp

Filesize
3.3MB

Download
memory/3568-3337-0x000000013FC30000-0x000000013FF81000-memory.dmp

Filesize
3.3MB

Download
memory/3568-3310-0x000000013F030000-0x000000013F381000-memory.dmp

Filesize
3.3MB

Download
memory/3568-3339-0x000000013F860000-0x000000013FBB1000-memory.dmp

Filesize
3.3MB

Download
memory/3568-3343-0x000000013FE70000-0x00000001401C1000-memory.dmp

Filesize
3.3MB

Download
memory/3568-3344-0x000000013FA50000-0x000000013FDA1000-memory.dmp

Filesize
3.3MB

Download
memory/3568-3345-0x000000013FF70000-0x00000001402C1000-memory.dmp

Filesize
3.3MB

Download
memory/3568-3296-0x000000013F400000-0x000000013F751000-memory.dmp

Filesize
3.3MB

Download
memory/3568-3374-0x000000013F030000-0x000000013F381000-memory.dmp

Filesize
3.3MB

Download
memory/3568-3373-0x000000013FA40000-0x000000013FD91000-memory.dmp

Filesize
3.3MB

Download
memory/3576-3214-0x00000000001A0000-0x0000000000342000-memory.dmp

Filesize
1.6MB

Download
memory/3576-3218-0x0000000004820000-0x0000000004902000-memory.dmp

Filesize
904KB

Download
memory/3576-3240-0x0000000000510000-0x0000000000532000-memory.dmp

Filesize
136KB

Download
memory/3640-3346-0x0000000005580000-0x0000000005602000-memory.dmp

Filesize
520KB

Download
memory/3640-3215-0x00000000004F0000-0x0000000000500000-memory.dmp

Filesize
64KB

Download
memory/3640-3202-0x0000000001250000-0x000000000133A000-memory.dmp

Filesize
936KB

Download
memory/3708-3237-0x000000013F1F0000-0x000000013F541000-memory.dmp

Filesize
3.3MB

Download
memory/3708-3403-0x000000013F1F0000-0x000000013F541000-memory.dmp

Filesize
3.3MB

Download
memory/3724-3236-0x000000013FC70000-0x000000013FFC1000-memory.dmp

Filesize
3.3MB

Download
memory/3724-3400-0x000000013FC70000-0x000000013FFC1000-memory.dmp

Filesize
3.3MB

Download
memory/3808-3319-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/3808-3313-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/3808-3315-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/3808-3323-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/3808-3322-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/3808-3317-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/3808-3321-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/3912-3414-0x000000013FE70000-0x00000001401C1000-memory.dmp

Filesize
3.3MB

Download
memory/3912-3258-0x000000013FE70000-0x00000001401C1000-memory.dmp

Filesize
3.3MB

Download
memory/3944-3401-0x000000013F170000-0x000000013F4C1000-memory.dmp

Filesize
3.3MB

Download
memory/3944-3238-0x000000013F170000-0x000000013F4C1000-memory.dmp

Filesize
3.3MB

Download
memory/4368-3375-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4368-3362-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4368-3360-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4548-3227-0x000000013F020000-0x000000013F371000-memory.dmp

Filesize
3.3MB

Download
memory/4548-3397-0x000000013F020000-0x000000013F371000-memory.dmp

Filesize
3.3MB

Download
memory/4548-3329-0x000000013F020000-0x000000013F371000-memory.dmp

Filesize
3.3MB

Download