formbook | f23077e00b4f301f5875c1d4aab2e5e781921564bb4bdd63f8c46b5163b379d1

Analysis

max time kernel
136s
max time network
132s
platform
windows10-2004_x64
resource
win10v2004-20250410-en
resource tags

arch:x64arch:x86image:win10v2004-20250410-enlocale:en-usos:windows10-2004-x64system
submitted
17/04/2025, 14:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

17d1f9551ceb2dca9e0e2d3e494d35a5d010c3c491728719bcdf9c514a6db785.7z
Size

548KB
MD5

6063f11d14883ba895d09f19385723e4
SHA1

efbc2d4421f9d7ff5d17072880f7a61347d15e79
SHA256

17d1f9551ceb2dca9e0e2d3e494d35a5d010c3c491728719bcdf9c514a6db785
SHA512

ca6bf6f042519d4fa4f0908771647a7a1ee35a3d65cbbfd8a09db2c2edf98403451ae7d9d8d9ff61af82362dd73104bc598f45a4c840d4d61c8ea5ddd8a71886
SSDEEP

12288:SA5NGgFoQO+91tPwhxeGNX5f6+Vz7PV8/CHU5RqwfJ+sje1:FhoQO+ahTf6ozZ8/wsRqwfYsjI

Score

10^/10

formbook hi13 discovery execution rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

hi13

Decoy

olidspot.shop

aise-your-voice.sbs

9ydygorig3l7z.xyz

netuzio.xyz

erspacehealthandwellness.info

hbnzk.cfd

uklor.shop

tudiofoti.pro

onety.skin

iralavinc.online

teelpath.shop

w-yudfjp.shop

betka.xyz

lx2cbhe5vee0e1.xyz

ndotoverf.pro

loud-sevice.click

enckubs.shop

anpack.shop

nity-3d-development.dev

iaolento12.sbs

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
Formbook family
formbook

Formbook payload 2 IoCs

rat

resource	yara_rule
behavioral2/memory/5632-77-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral2/memory/2608-121-0x00000000008E0000-0x000000000090F000-memory.dmp	formbook

Command and Scripting Interpreter: PowerShell 1 TTPs 8 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
4056	powershell.exe
6056	powershell.exe
6140	powershell.exe
4744	powershell.exe
4924	powershell.exe
6000	powershell.exe
2576	powershell.exe
2728	powershell.exe

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2362875047-775336530-2205312478-1000\Control Panel\International\Geo\Nation	B1C90tuveZ9jFGZ.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2362875047-775336530-2205312478-1000\Control Panel\International\Geo\Nation	B1C90tuveZ9jFGZ.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2362875047-775336530-2205312478-1000\Control Panel\International\Geo\Nation	B1C90tuveZ9jFGZ.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2362875047-775336530-2205312478-1000\Control Panel\International\Geo\Nation	B1C90tuveZ9jFGZ.exe

Executes dropped EXE 4 IoCs

pid	Process
4644	B1C90tuveZ9jFGZ.exe
4948	B1C90tuveZ9jFGZ.exe
5588	B1C90tuveZ9jFGZ.exe
1876	B1C90tuveZ9jFGZ.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Suspicious use of SetThreadContext 9 IoCs

description	pid	Process	procid_target
PID 4644 set thread context of 5632	4644	B1C90tuveZ9jFGZ.exe	104
PID 5632 set thread context of 3556	5632	vbc.exe	56
PID 4948 set thread context of 768	4948	B1C90tuveZ9jFGZ.exe	115
PID 768 set thread context of 3556	768	vbc.exe	56
PID 5588 set thread context of 5220	5588	B1C90tuveZ9jFGZ.exe	125
PID 5220 set thread context of 3556	5220	vbc.exe	56
PID 2608 set thread context of 3556	2608	systray.exe	56
PID 1876 set thread context of 1788	1876	B1C90tuveZ9jFGZ.exe	137
PID 1788 set thread context of 3556	1788	vbc.exe	56

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 20 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	systray.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	B1C90tuveZ9jFGZ.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	B1C90tuveZ9jFGZ.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msiexec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	B1C90tuveZ9jFGZ.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	B1C90tuveZ9jFGZ.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe

Gathers network information 2 TTPs 1 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
5644	ipconfig.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 4 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3828	schtasks.exe
5124	schtasks.exe
4968	schtasks.exe
3204	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4644	B1C90tuveZ9jFGZ.exe
2576	powershell.exe
6000	powershell.exe
4644	B1C90tuveZ9jFGZ.exe
4644	B1C90tuveZ9jFGZ.exe
4644	B1C90tuveZ9jFGZ.exe
4644	B1C90tuveZ9jFGZ.exe
4644	B1C90tuveZ9jFGZ.exe
5824	7zFM.exe
5824	7zFM.exe
5632	vbc.exe
5632	vbc.exe
5632	vbc.exe
5632	vbc.exe
2576	powershell.exe
6000	powershell.exe
5824	7zFM.exe
5824	7zFM.exe
5824	7zFM.exe
5824	7zFM.exe
5824	7zFM.exe
5824	7zFM.exe
5824	7zFM.exe
5824	7zFM.exe
5824	7zFM.exe
5824	7zFM.exe
2608	systray.exe
2608	systray.exe
2608	systray.exe
2608	systray.exe
4948	B1C90tuveZ9jFGZ.exe
4056	powershell.exe
4948	B1C90tuveZ9jFGZ.exe
2728	powershell.exe
768	vbc.exe
768	vbc.exe
768	vbc.exe
768	vbc.exe
5824	7zFM.exe
5824	7zFM.exe
2728	powershell.exe
4056	powershell.exe
5588	B1C90tuveZ9jFGZ.exe
5824	7zFM.exe
5824	7zFM.exe
5824	7zFM.exe
5824	7zFM.exe
5824	7zFM.exe
5824	7zFM.exe
5824	7zFM.exe
5824	7zFM.exe
6056	powershell.exe
6140	powershell.exe
5588	B1C90tuveZ9jFGZ.exe
5588	B1C90tuveZ9jFGZ.exe
5588	B1C90tuveZ9jFGZ.exe
5824	7zFM.exe
5824	7zFM.exe
5220	vbc.exe
5220	vbc.exe
5220	vbc.exe
5220	vbc.exe
6056	powershell.exe
6140	powershell.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
5824	7zFM.exe
3556	Explorer.EXE

Suspicious behavior: MapViewOfSection 14 IoCs

pid	Process
5632	vbc.exe
5632	vbc.exe
5632	vbc.exe
2608	systray.exe
768	vbc.exe
5220	vbc.exe
768	vbc.exe
768	vbc.exe
2608	systray.exe
5220	vbc.exe
5220	vbc.exe
1788	vbc.exe
1788	vbc.exe
1788	vbc.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeRestorePrivilege	5824	7zFM.exe
Token: 35	5824	7zFM.exe
Token: SeSecurityPrivilege	5824	7zFM.exe
Token: SeSecurityPrivilege	5824	7zFM.exe
Token: SeSecurityPrivilege	5824	7zFM.exe
Token: SeDebugPrivilege	4644	B1C90tuveZ9jFGZ.exe
Token: SeDebugPrivilege	6000	powershell.exe
Token: SeDebugPrivilege	2576	powershell.exe
Token: SeDebugPrivilege	5632	vbc.exe
Token: SeShutdownPrivilege	3556	Explorer.EXE
Token: SeCreatePagefilePrivilege	3556	Explorer.EXE
Token: SeShutdownPrivilege	3556	Explorer.EXE
Token: SeCreatePagefilePrivilege	3556	Explorer.EXE
Token: SeDebugPrivilege	2608	systray.exe
Token: SeDebugPrivilege	4948	B1C90tuveZ9jFGZ.exe
Token: SeDebugPrivilege	2728	powershell.exe
Token: SeShutdownPrivilege	3556	Explorer.EXE
Token: SeCreatePagefilePrivilege	3556	Explorer.EXE
Token: SeDebugPrivilege	4056	powershell.exe
Token: SeShutdownPrivilege	3556	Explorer.EXE
Token: SeCreatePagefilePrivilege	3556	Explorer.EXE
Token: SeShutdownPrivilege	3556	Explorer.EXE
Token: SeCreatePagefilePrivilege	3556	Explorer.EXE
Token: SeDebugPrivilege	768	vbc.exe
Token: SeSecurityPrivilege	5824	7zFM.exe
Token: SeShutdownPrivilege	3556	Explorer.EXE
Token: SeCreatePagefilePrivilege	3556	Explorer.EXE
Token: SeShutdownPrivilege	3556	Explorer.EXE
Token: SeCreatePagefilePrivilege	3556	Explorer.EXE
Token: SeDebugPrivilege	5588	B1C90tuveZ9jFGZ.exe
Token: SeShutdownPrivilege	3556	Explorer.EXE
Token: SeCreatePagefilePrivilege	3556	Explorer.EXE
Token: SeShutdownPrivilege	3556	Explorer.EXE
Token: SeCreatePagefilePrivilege	3556	Explorer.EXE
Token: SeDebugPrivilege	6056	powershell.exe
Token: SeDebugPrivilege	6140	powershell.exe
Token: SeShutdownPrivilege	3556	Explorer.EXE
Token: SeCreatePagefilePrivilege	3556	Explorer.EXE
Token: SeShutdownPrivilege	3556	Explorer.EXE
Token: SeCreatePagefilePrivilege	3556	Explorer.EXE
Token: SeShutdownPrivilege	3556	Explorer.EXE
Token: SeCreatePagefilePrivilege	3556	Explorer.EXE
Token: SeDebugPrivilege	5220	vbc.exe
Token: SeDebugPrivilege	5644	ipconfig.exe
Token: SeShutdownPrivilege	3556	Explorer.EXE
Token: SeCreatePagefilePrivilege	3556	Explorer.EXE
Token: SeShutdownPrivilege	3556	Explorer.EXE
Token: SeCreatePagefilePrivilege	3556	Explorer.EXE
Token: SeDebugPrivilege	4104	rundll32.exe
Token: SeShutdownPrivilege	3556	Explorer.EXE
Token: SeCreatePagefilePrivilege	3556	Explorer.EXE
Token: SeShutdownPrivilege	3556	Explorer.EXE
Token: SeCreatePagefilePrivilege	3556	Explorer.EXE
Token: SeShutdownPrivilege	3556	Explorer.EXE
Token: SeCreatePagefilePrivilege	3556	Explorer.EXE
Token: SeShutdownPrivilege	3556	Explorer.EXE
Token: SeCreatePagefilePrivilege	3556	Explorer.EXE
Token: SeDebugPrivilege	1876	B1C90tuveZ9jFGZ.exe
Token: SeDebugPrivilege	4744	powershell.exe
Token: SeShutdownPrivilege	3556	Explorer.EXE
Token: SeCreatePagefilePrivilege	3556	Explorer.EXE
Token: SeDebugPrivilege	4924	powershell.exe
Token: SeShutdownPrivilege	3556	Explorer.EXE
Token: SeCreatePagefilePrivilege	3556	Explorer.EXE

Suspicious use of FindShellTrayWindow 8 IoCs

pid	Process
5824	7zFM.exe
5824	7zFM.exe
5824	7zFM.exe
5824	7zFM.exe
5824	7zFM.exe
3556	Explorer.EXE
3556	Explorer.EXE
5824	7zFM.exe

Suspicious use of SendNotifyMessage 6 IoCs

pid	Process
3556	Explorer.EXE
3556	Explorer.EXE
3556	Explorer.EXE
3556	Explorer.EXE
3556	Explorer.EXE
3556	Explorer.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5824 wrote to memory of 4644	5824	7zFM.exe	92
PID 5824 wrote to memory of 4644	5824	7zFM.exe	92
PID 5824 wrote to memory of 4644	5824	7zFM.exe	92
PID 5824 wrote to memory of 4948	5824	7zFM.exe	94
PID 5824 wrote to memory of 4948	5824	7zFM.exe	94
PID 5824 wrote to memory of 4948	5824	7zFM.exe	94
PID 5824 wrote to memory of 5588	5824	7zFM.exe	95
PID 5824 wrote to memory of 5588	5824	7zFM.exe	95
PID 5824 wrote to memory of 5588	5824	7zFM.exe	95
PID 4644 wrote to memory of 6000	4644	B1C90tuveZ9jFGZ.exe	96
PID 4644 wrote to memory of 6000	4644	B1C90tuveZ9jFGZ.exe	96
PID 4644 wrote to memory of 6000	4644	B1C90tuveZ9jFGZ.exe	96
PID 4644 wrote to memory of 2576	4644	B1C90tuveZ9jFGZ.exe	98
PID 4644 wrote to memory of 2576	4644	B1C90tuveZ9jFGZ.exe	98
PID 4644 wrote to memory of 2576	4644	B1C90tuveZ9jFGZ.exe	98
PID 4644 wrote to memory of 3204	4644	B1C90tuveZ9jFGZ.exe	100
PID 4644 wrote to memory of 3204	4644	B1C90tuveZ9jFGZ.exe	100
PID 4644 wrote to memory of 3204	4644	B1C90tuveZ9jFGZ.exe	100
PID 4644 wrote to memory of 2352	4644	B1C90tuveZ9jFGZ.exe	102
PID 4644 wrote to memory of 2352	4644	B1C90tuveZ9jFGZ.exe	102
PID 4644 wrote to memory of 2352	4644	B1C90tuveZ9jFGZ.exe	102
PID 4644 wrote to memory of 1888	4644	B1C90tuveZ9jFGZ.exe	103
PID 4644 wrote to memory of 1888	4644	B1C90tuveZ9jFGZ.exe	103
PID 4644 wrote to memory of 1888	4644	B1C90tuveZ9jFGZ.exe	103
PID 4644 wrote to memory of 5632	4644	B1C90tuveZ9jFGZ.exe	104
PID 4644 wrote to memory of 5632	4644	B1C90tuveZ9jFGZ.exe	104
PID 4644 wrote to memory of 5632	4644	B1C90tuveZ9jFGZ.exe	104
PID 4644 wrote to memory of 5632	4644	B1C90tuveZ9jFGZ.exe	104
PID 4644 wrote to memory of 5632	4644	B1C90tuveZ9jFGZ.exe	104
PID 4644 wrote to memory of 5632	4644	B1C90tuveZ9jFGZ.exe	104
PID 3556 wrote to memory of 2608	3556	Explorer.EXE	106
PID 3556 wrote to memory of 2608	3556	Explorer.EXE	106
PID 3556 wrote to memory of 2608	3556	Explorer.EXE	106
PID 2608 wrote to memory of 5732	2608	systray.exe	107
PID 2608 wrote to memory of 5732	2608	systray.exe	107
PID 2608 wrote to memory of 5732	2608	systray.exe	107
PID 4948 wrote to memory of 2728	4948	B1C90tuveZ9jFGZ.exe	109
PID 4948 wrote to memory of 2728	4948	B1C90tuveZ9jFGZ.exe	109
PID 4948 wrote to memory of 2728	4948	B1C90tuveZ9jFGZ.exe	109
PID 4948 wrote to memory of 4056	4948	B1C90tuveZ9jFGZ.exe	111
PID 4948 wrote to memory of 4056	4948	B1C90tuveZ9jFGZ.exe	111
PID 4948 wrote to memory of 4056	4948	B1C90tuveZ9jFGZ.exe	111
PID 4948 wrote to memory of 3828	4948	B1C90tuveZ9jFGZ.exe	112
PID 4948 wrote to memory of 3828	4948	B1C90tuveZ9jFGZ.exe	112
PID 4948 wrote to memory of 3828	4948	B1C90tuveZ9jFGZ.exe	112
PID 4948 wrote to memory of 768	4948	B1C90tuveZ9jFGZ.exe	115
PID 4948 wrote to memory of 768	4948	B1C90tuveZ9jFGZ.exe	115
PID 4948 wrote to memory of 768	4948	B1C90tuveZ9jFGZ.exe	115
PID 4948 wrote to memory of 768	4948	B1C90tuveZ9jFGZ.exe	115
PID 4948 wrote to memory of 768	4948	B1C90tuveZ9jFGZ.exe	115
PID 4948 wrote to memory of 768	4948	B1C90tuveZ9jFGZ.exe	115
PID 3556 wrote to memory of 5644	3556	Explorer.EXE	116
PID 3556 wrote to memory of 5644	3556	Explorer.EXE	116
PID 3556 wrote to memory of 5644	3556	Explorer.EXE	116
PID 5824 wrote to memory of 1876	5824	7zFM.exe	117
PID 5824 wrote to memory of 1876	5824	7zFM.exe	117
PID 5824 wrote to memory of 1876	5824	7zFM.exe	117
PID 5588 wrote to memory of 6056	5588	B1C90tuveZ9jFGZ.exe	118
PID 5588 wrote to memory of 6056	5588	B1C90tuveZ9jFGZ.exe	118
PID 5588 wrote to memory of 6056	5588	B1C90tuveZ9jFGZ.exe	118
PID 5588 wrote to memory of 6140	5588	B1C90tuveZ9jFGZ.exe	120
PID 5588 wrote to memory of 6140	5588	B1C90tuveZ9jFGZ.exe	120
PID 5588 wrote to memory of 6140	5588	B1C90tuveZ9jFGZ.exe	120
PID 5588 wrote to memory of 5124	5588	B1C90tuveZ9jFGZ.exe	122

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3556
- C:\Program Files\7-Zip\7zFM.exe
  "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\17d1f9551ceb2dca9e0e2d3e494d35a5d010c3c491728719bcdf9c514a6db785.7z"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:5824
- - C:\Users\Admin\AppData\Local\Temp\7zO0C6D8608\B1C90tuveZ9jFGZ.exe
    "C:\Users\Admin\AppData\Local\Temp\7zO0C6D8608\B1C90tuveZ9jFGZ.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4644
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\7zO0C6D8608\B1C90tuveZ9jFGZ.exe"
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:6000
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\tKmAtmGcqvi.exe"
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2576
  - - C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\tKmAtmGcqvi" /XML "C:\Users\Admin\AppData\Local\Temp\tmp9DF1.tmp"
      4⤵
      System Location Discovery: System Language Discovery
      Scheduled Task/Job: Scheduled Task
      PID:3204
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
      4⤵
      PID:2352
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
      4⤵
      PID:1888
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
      4⤵
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of AdjustPrivilegeToken
      PID:5632
- - C:\Users\Admin\AppData\Local\Temp\7zO0C6D3128\B1C90tuveZ9jFGZ.exe
    "C:\Users\Admin\AppData\Local\Temp\7zO0C6D3128\B1C90tuveZ9jFGZ.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4948
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\7zO0C6D3128\B1C90tuveZ9jFGZ.exe"
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2728
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\tKmAtmGcqvi.exe"
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4056
  - - C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\tKmAtmGcqvi" /XML "C:\Users\Admin\AppData\Local\Temp\tmpB6D8.tmp"
      4⤵
      System Location Discovery: System Language Discovery
      Scheduled Task/Job: Scheduled Task
      PID:3828
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
      4⤵
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of AdjustPrivilegeToken
      PID:768
- - C:\Users\Admin\AppData\Local\Temp\7zO0C6D8FD8\B1C90tuveZ9jFGZ.exe
    "C:\Users\Admin\AppData\Local\Temp\7zO0C6D8FD8\B1C90tuveZ9jFGZ.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:5588
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\7zO0C6D8FD8\B1C90tuveZ9jFGZ.exe"
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:6056
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\tKmAtmGcqvi.exe"
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:6140
  - - C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\tKmAtmGcqvi" /XML "C:\Users\Admin\AppData\Local\Temp\tmpC0F9.tmp"
      4⤵
      System Location Discovery: System Language Discovery
      Scheduled Task/Job: Scheduled Task
      PID:5124
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
      4⤵
      PID:5208
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
      4⤵
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of AdjustPrivilegeToken
      PID:5220
- - C:\Users\Admin\AppData\Local\Temp\7zO0C65E2E8\B1C90tuveZ9jFGZ.exe
    "C:\Users\Admin\AppData\Local\Temp\7zO0C65E2E8\B1C90tuveZ9jFGZ.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:1876
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\7zO0C65E2E8\B1C90tuveZ9jFGZ.exe"
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:4744
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\tKmAtmGcqvi.exe"
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:4924
  - - C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\tKmAtmGcqvi" /XML "C:\Users\Admin\AppData\Local\Temp\tmpF78A.tmp"
      4⤵
      System Location Discovery: System Language Discovery
      Scheduled Task/Job: Scheduled Task
      PID:4968
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
      4⤵
      PID:5252
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
      4⤵
      Suspicious use of SetThreadContext
      Suspicious behavior: MapViewOfSection
      PID:1788
- - C:\Users\Admin\AppData\Local\Temp\7zO0C6469D9\B1C90tuveZ9jFGZ.exe
    "C:\Users\Admin\AppData\Local\Temp\7zO0C6469D9\B1C90tuveZ9jFGZ.exe"
    3⤵
    PID:436
- - C:\Users\Admin\AppData\Local\Temp\7zO0C6BCDD9\B1C90tuveZ9jFGZ.exe
    "C:\Users\Admin\AppData\Local\Temp\7zO0C6BCDD9\B1C90tuveZ9jFGZ.exe"
    3⤵
    PID:1984
- C:\Windows\SysWOW64\autoconv.exe
  "C:\Windows\SysWOW64\autoconv.exe"
  2⤵
  PID:5008
- C:\Windows\SysWOW64\systray.exe
  "C:\Windows\SysWOW64\systray.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2608
- - C:\Windows\SysWOW64\cmd.exe
    /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5732
- C:\Windows\SysWOW64\ipconfig.exe
  "C:\Windows\SysWOW64\ipconfig.exe"
  2⤵
  - Gathers network information
  - Suspicious use of AdjustPrivilegeToken
  PID:5644
- C:\Windows\SysWOW64\rundll32.exe
  "C:\Windows\SysWOW64\rundll32.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:4104
- C:\Windows\SysWOW64\msiexec.exe
  "C:\Windows\SysWOW64\msiexec.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4180

Network

MITRE ATT&CK Enterprise v16

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\B1C90tuveZ9jFGZ.exe.log

Filesize
1KB

MD5
84e77a587d94307c0ac1357eb4d3d46f

SHA1
83cc900f9401f43d181207d64c5adba7a85edc1e

SHA256
e16024b092a026a9dc00df69d4b9bbcab7b2dc178dc5291fc308a1abc9304a99

SHA512
aefb5c62200b3ed97718d20a89990954d4d8acdc0a6a73c5a420f1bba619cb79e70c2cd0a579b9f52dc6b09e1de2cea6cd6cac4376cfee92d94e2c01d310f691

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
968cb9309758126772781b83adb8a28f

SHA1
8da30e71accf186b2ba11da1797cf67f8f78b47c

SHA256
92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

SHA512
4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
aa46c2e03b948a9371da77a72481b781

SHA1
f077d15e6782a4c376d27946338ec8cedc7ae0c7

SHA256
6dfaa9f992f62f4e4d94c09b3267fbb2ec15229e39d6c26c5a972dda96ec5a21

SHA512
15038eb78e4f01a106329edaf0a558611fd63ba264380461bacc7493f8a732c13247639b570f7e6902f31109f04e934a722531fb105179f9425fc7910d4d7e5b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
b90caaed70419984f0558d4747564d5b

SHA1
5a0ff0507c5fb54bc6c6957ba1b1ff6db1a160c3

SHA256
2f2cb9cad1306d0adb6d2e3ea60646ff326886a503d6ab353bb7b01096cd7aca

SHA512
4bf6cb47fbc52dfdb780fe1530d47a6dc99e02b69d16cf91222ba63085d84511f19eb2978a868d4ee2c9709ac641b123d93337b6f3c4c3f4c34c08de9d9d3fdb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
967ca554549956e39ce06d8266d35ea1

SHA1
32cbfb94218ae3505b9bf78d92ff56170dfe516c

SHA256
e4201c9a43a86f861f9127b133b17ff93d64a50af7b543ed21cd09d467ed2bd8

SHA512
1be8d29bb5b030721b84a71265ebc7001ecb4f27ad59ef167d1f5219fadc08eb29f08d99e5aeaf302866e58ac4190006dd1d43d47edf642f2fb8b8fcc1e74cef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
ba5e008bc0a86ef12ff909a41c25759a

SHA1
bd45b3db0f8a7a5ae2219eda8aae4edc64c119f6

SHA256
905549d1c13ec77df6c70e7b64abd992329ed23bcda4dcea4157cc45ba2fc5b6

SHA512
d9c4e46765eb9ffbf689cb45ce349ea12996476707e03b7f51d0e63a73905729da683ba2513bb89d0f24dd1d86b40e8d1afd7d354035fe8931fc967e21b9b601

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zE0C60EFF9\B1C90tuveZ9jFGZ.exe

Filesize
408KB

MD5
33140e7095e4e7e5d00bb89a1ebadb5b

SHA1
7ddf33998eb044ccb993e4b80a5a8eb347338598

SHA256
7c94fcc212749adebf1794f51105ea18626b5c9f1a8823f56820b51c8ea72c78

SHA512
a465bbae9caa5aa2b4e449ef5a40c74e3c3ca59597d14bf83fdc77a108d77a1c8c0c8198c9c0767019d7f03997e7c569c92728327ad0a28771575f1931a76b42

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zO0C6D8608\B1C90tuveZ9jFGZ.exe

Filesize
610KB

MD5
dfc7843f6e716725410adffe8c15848f

SHA1
5fb018743a74f72adceb85a27d8f1198482ccdc4

SHA256
6d0a73c255453a2539a63dbeae565abae36b527cd6154691b3c066f3815860ed

SHA512
48b67c99e1177be610a1ec7426e6d9dc11696ab1b86bad1a34d58561638d9b4a706ab1dd26cd653a7007c334d9cd479f6dd7cd998f68cb4483d8fc5fc2ce5c96

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_mflofp5f.ski.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp9DF1.tmp

Filesize
1KB

MD5
9c6734aa6132fefb377e7fdd9544c4a4

SHA1
428f094c3ab64f0a4a7c47111d301d5d8f893cfe

SHA256
e0de3dae1be382c893567d6b03d5f0c388116b01395968fce04359871265a5c6

SHA512
e28cc8926c240b83006c01af1adacd9892ea166e0dec4f6ec0856322ca7fb4f54a5601afe848fe867008d4b052354e55f484eefb9d5a88f2ced28cbeab0539f9

Download Submit
memory/1984-332-0x0000000005320000-0x0000000005332000-memory.dmp

Filesize
72KB

Download
memory/2576-107-0x0000000007590000-0x00000000075AA000-memory.dmp

Filesize
104KB

Download
memory/2576-112-0x00000000077D0000-0x00000000077E4000-memory.dmp

Filesize
80KB

Download
memory/2576-114-0x00000000078B0000-0x00000000078B8000-memory.dmp

Filesize
32KB

Download
memory/2576-113-0x00000000078D0000-0x00000000078EA000-memory.dmp

Filesize
104KB

Download
memory/2576-111-0x00000000077C0000-0x00000000077CE000-memory.dmp

Filesize
56KB

Download
memory/2576-110-0x0000000007790000-0x00000000077A1000-memory.dmp

Filesize
68KB

Download
memory/2576-109-0x0000000007810000-0x00000000078A6000-memory.dmp

Filesize
600KB

Download
memory/2576-108-0x0000000007600000-0x000000000760A000-memory.dmp

Filesize
40KB

Download
memory/2576-106-0x0000000007BD0000-0x000000000824A000-memory.dmp

Filesize
6.5MB

Download
memory/2576-104-0x0000000006840000-0x000000000685E000-memory.dmp

Filesize
120KB

Download
memory/2576-85-0x0000000070F80000-0x0000000070FCC000-memory.dmp

Filesize
304KB

Download
memory/2576-82-0x00000000067A0000-0x00000000067EC000-memory.dmp

Filesize
304KB

Download
memory/2576-81-0x0000000006250000-0x000000000626E000-memory.dmp

Filesize
120KB

Download
memory/2608-121-0x00000000008E0000-0x000000000090F000-memory.dmp

Filesize
188KB

Download
memory/2608-120-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/2728-160-0x0000000070510000-0x000000007055C000-memory.dmp

Filesize
304KB

Download
memory/2728-125-0x00000000053E0000-0x0000000005734000-memory.dmp

Filesize
3.3MB

Download
memory/2728-182-0x00000000071E0000-0x00000000071F4000-memory.dmp

Filesize
80KB

Download
memory/2728-181-0x00000000071A0000-0x00000000071B1000-memory.dmp

Filesize
68KB

Download
memory/2728-179-0x0000000006EB0000-0x0000000006F53000-memory.dmp

Filesize
652KB

Download
memory/2728-147-0x0000000005C80000-0x0000000005CCC000-memory.dmp

Filesize
304KB

Download
memory/3556-270-0x0000000008C40000-0x0000000008CFE000-memory.dmp

Filesize
760KB

Download
memory/3556-243-0x0000000008C40000-0x0000000008CFE000-memory.dmp

Filesize
760KB

Download
memory/4056-161-0x0000000070510000-0x000000007055C000-memory.dmp

Filesize
304KB

Download
memory/4104-242-0x0000000000090000-0x00000000000A4000-memory.dmp

Filesize
80KB

Download
memory/4104-241-0x0000000000090000-0x00000000000A4000-memory.dmp

Filesize
80KB

Download
memory/4180-302-0x0000000000C00000-0x0000000000C12000-memory.dmp

Filesize
72KB

Download
memory/4180-300-0x0000000000C00000-0x0000000000C12000-memory.dmp

Filesize
72KB

Download
memory/4180-299-0x0000000000C00000-0x0000000000C12000-memory.dmp

Filesize
72KB

Download
memory/4644-14-0x00000000056C0000-0x0000000005C64000-memory.dmp

Filesize
5.6MB

Download
memory/4644-13-0x0000000000650000-0x00000000006EC000-memory.dmp

Filesize
624KB

Download
memory/4644-47-0x0000000006470000-0x00000000064EA000-memory.dmp

Filesize
488KB

Download
memory/4644-15-0x0000000005110000-0x00000000051A2000-memory.dmp

Filesize
584KB

Download
memory/4644-46-0x0000000074E10000-0x00000000755C0000-memory.dmp

Filesize
7.7MB

Download
memory/4644-12-0x0000000074E1E000-0x0000000074E1F000-memory.dmp

Filesize
4KB

Download
memory/4644-79-0x0000000074E10000-0x00000000755C0000-memory.dmp

Filesize
7.7MB

Download
memory/4644-19-0x0000000005530000-0x0000000005542000-memory.dmp

Filesize
72KB

Download
memory/4644-17-0x00000000050E0000-0x00000000050EA000-memory.dmp

Filesize
40KB

Download
memory/4644-18-0x0000000074E10000-0x00000000755C0000-memory.dmp

Filesize
7.7MB

Download
memory/4644-33-0x0000000074E1E000-0x0000000074E1F000-memory.dmp

Filesize
4KB

Download
memory/4644-16-0x0000000005250000-0x00000000052EC000-memory.dmp

Filesize
624KB

Download
memory/4744-294-0x0000000007630000-0x0000000007641000-memory.dmp

Filesize
68KB

Download
memory/4744-273-0x00000000738C0000-0x000000007390C000-memory.dmp

Filesize
304KB

Download
memory/4744-272-0x0000000006130000-0x000000000617C000-memory.dmp

Filesize
304KB

Download
memory/4744-295-0x0000000007670000-0x0000000007684000-memory.dmp

Filesize
80KB

Download
memory/4744-250-0x0000000005A50000-0x0000000005DA4000-memory.dmp

Filesize
3.3MB

Download
memory/4744-293-0x00000000072C0000-0x0000000007363000-memory.dmp

Filesize
652KB

Download
memory/4924-283-0x00000000738C0000-0x000000007390C000-memory.dmp

Filesize
304KB

Download
memory/4948-32-0x00000000056F0000-0x0000000005702000-memory.dmp

Filesize
72KB

Download
memory/5632-77-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5644-211-0x0000000000390000-0x000000000039B000-memory.dmp

Filesize
44KB

Download
memory/6000-56-0x00000000058A0000-0x0000000005906000-memory.dmp

Filesize
408KB

Download
memory/6000-83-0x00000000076F0000-0x0000000007722000-memory.dmp

Filesize
200KB

Download
memory/6000-52-0x0000000002ED0000-0x0000000002F06000-memory.dmp

Filesize
216KB

Download
memory/6000-53-0x0000000005A20000-0x0000000006048000-memory.dmp

Filesize
6.2MB

Download
memory/6000-55-0x0000000005800000-0x0000000005822000-memory.dmp

Filesize
136KB

Download
memory/6000-57-0x0000000005910000-0x0000000005976000-memory.dmp

Filesize
408KB

Download
memory/6000-67-0x0000000006190000-0x00000000064E4000-memory.dmp

Filesize
3.3MB

Download
memory/6000-84-0x0000000070F80000-0x0000000070FCC000-memory.dmp

Filesize
304KB

Download
memory/6000-105-0x0000000007730000-0x00000000077D3000-memory.dmp

Filesize
652KB

Download
memory/6056-224-0x00000000071C0000-0x0000000007263000-memory.dmp

Filesize
652KB

Download
memory/6056-197-0x0000000005AC0000-0x0000000005E14000-memory.dmp

Filesize
3.3MB

Download
memory/6056-210-0x00000000064A0000-0x00000000064EC000-memory.dmp

Filesize
304KB

Download
memory/6056-214-0x0000000070B30000-0x0000000070B7C000-memory.dmp

Filesize
304KB

Download
memory/6056-237-0x00000000074E0000-0x00000000074F4000-memory.dmp

Filesize
80KB

Download
memory/6056-235-0x00000000074B0000-0x00000000074C1000-memory.dmp

Filesize
68KB

Download
memory/6140-225-0x0000000070B30000-0x0000000070B7C000-memory.dmp

Filesize
304KB

Download