gh0strat | e8b47dc9b7ef12f900b0bd04b47af64527a12fda9e08dfa67ae6c39b55d9f02d

Analysis

max time kernel
142s
max time network
140s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
25-04-2024 13:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e8b47dc9b7ef12f900b0bd04b47af64527a12fda9e08dfa67ae6c39b55d9f02d.exe
Size

2.3MB
MD5

5bd70186899c032e2f05fe9894c02698
SHA1

5a3a792a406f7a75c58e1b72fe24acffb8b088bd
SHA256

e8b47dc9b7ef12f900b0bd04b47af64527a12fda9e08dfa67ae6c39b55d9f02d
SHA512

1049c54a7c2ccd36bef6cee5853da8e931889fbe045b0a189e6d13090df8b443ed228f3abe9ba4dc8338eee3a97fd6b6e2a5267e35f9a90a8b35cf109c0ea790
SSDEEP

49152:x1vKR2L2PzCOXeiBFuKqFt9yW3Dv5lju+AVJ366N5zr9pgNrZgX8IwQk0:v8TeEFuKqFtcWTRljuZj9pigX8If

Score

10^/10

gh0strat evasion rat trojan upx

Malware Config

Signatures

Gh0st RAT payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1768-17619-0x0000000000400000-0x000000000051F000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat

UAC bypass 3 TTPs 3 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

7zxvcc.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	7zxvcc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	7zxvcc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	7zxvcc.exe

Executes dropped EXE 4 IoCs

Processes:

7zxvcc.exe7z.exesvchost.exesvchost.exe

pid process

2344 7zxvcc.exe
2848 7z.exe
2524 svchost.exe
1768 svchost.exe

pid	process
2344	7zxvcc.exe
2848	7z.exe
2524	svchost.exe
1768	svchost.exe

Loads dropped DLL 10 IoCs

Processes:

e8b47dc9b7ef12f900b0bd04b47af64527a12fda9e08dfa67ae6c39b55d9f02d.execmd.exesvchost.exeWerFault.exe

pid	process
2772	e8b47dc9b7ef12f900b0bd04b47af64527a12fda9e08dfa67ae6c39b55d9f02d.exe
2216	cmd.exe
2216	cmd.exe
2524	svchost.exe
1304	WerFault.exe
1304	WerFault.exe
1304	WerFault.exe
1304	WerFault.exe
1304	WerFault.exe
1304	WerFault.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1768-17589-0x0000000000400000-0x000000000051F000-memory.dmp	upx
behavioral1/memory/1768-17592-0x0000000000400000-0x000000000051F000-memory.dmp	upx
behavioral1/memory/1768-17619-0x0000000000400000-0x000000000051F000-memory.dmp	upx

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

7zxvcc.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 7zxvcc.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 20 IoCs

Processes:

e8b47dc9b7ef12f900b0bd04b47af64527a12fda9e08dfa67ae6c39b55d9f02d.exe7zxvcc.exe

pid	process
2772	e8b47dc9b7ef12f900b0bd04b47af64527a12fda9e08dfa67ae6c39b55d9f02d.exe
2772	e8b47dc9b7ef12f900b0bd04b47af64527a12fda9e08dfa67ae6c39b55d9f02d.exe
2772	e8b47dc9b7ef12f900b0bd04b47af64527a12fda9e08dfa67ae6c39b55d9f02d.exe
2772	e8b47dc9b7ef12f900b0bd04b47af64527a12fda9e08dfa67ae6c39b55d9f02d.exe
2772	e8b47dc9b7ef12f900b0bd04b47af64527a12fda9e08dfa67ae6c39b55d9f02d.exe
2772	e8b47dc9b7ef12f900b0bd04b47af64527a12fda9e08dfa67ae6c39b55d9f02d.exe
2772	e8b47dc9b7ef12f900b0bd04b47af64527a12fda9e08dfa67ae6c39b55d9f02d.exe
2344	7zxvcc.exe
2344	7zxvcc.exe
2344	7zxvcc.exe
2344	7zxvcc.exe
2344	7zxvcc.exe
2344	7zxvcc.exe
2344	7zxvcc.exe
2344	7zxvcc.exe
2344	7zxvcc.exe
2344	7zxvcc.exe
2344	7zxvcc.exe
2344	7zxvcc.exe
2344	7zxvcc.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

svchost.exe

description pid process target process

PID 2524 set thread context of 1768 2524 svchost.exe svchost.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1304 2524 WerFault.exe svchost.exe

description	pid	process	target process
PID 2524 set thread context of 1768	2524	svchost.exe	svchost.exe

pid	pid_target	process	target process
1304	2524	WerFault.exe	svchost.exe

Enumerates system info in registry 2 TTPs 4 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

7zxvcc.exee8b47dc9b7ef12f900b0bd04b47af64527a12fda9e08dfa67ae6c39b55d9f02d.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	7zxvcc.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	7zxvcc.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	e8b47dc9b7ef12f900b0bd04b47af64527a12fda9e08dfa67ae6c39b55d9f02d.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	e8b47dc9b7ef12f900b0bd04b47af64527a12fda9e08dfa67ae6c39b55d9f02d.exe

Modifies system certificate store 2 TTPs 8 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

7z.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d00f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	7z.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\SystemCertificates\CA\Certificates\0BC5E76773D2E44FC9903D4DFEFE451553BBEC4A	7z.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\SystemCertificates\CA\Certificates\0BC5E76773D2E44FC9903D4DFEFE451553BBEC4A\Blob = 0300000001000000140000000bc5e76773d2e44fc9903d4dfefe451553bbec4a1400000001000000140000000f2acb208728b8ec6f48ae2b54a629aa17a4cd0c040000000100000010000000e88a7f88dd89c62a2bb99cc988d2d2a40f00000001000000300000000eeb0f83c55ccaaf275cec9caaed00280b6dd9bd8e37bd8a191a5cf77a0e2d1298edb019e2a1e67e3f7bd4b1c7616dc01900000001000000100000002fe9fcbfd4aabc3251c32cffb9d3456a1800000001000000100000000e8c3d8a006eb5c23a7725464ad10a8c20000000010000001e0600003082061a30820402a0030201020210621d6d0c52019e3b9079152089211c0a300d06092a864886f70d01010c05003056310b300906035504061302474231183016060355040a130f5365637469676f204c696d69746564312d302b060355040313245365637469676f205075626c696320436f6465205369676e696e6720526f6f7420523436301e170d3231303332323030303030305a170d3336303332313233353935395a3054310b300906035504061302474231183016060355040a130f5365637469676f204c696d69746564312b3029060355040313225365637469676f205075626c696320436f6465205369676e696e6720434120523336308201a2300d06092a864886f70d01010105000382018f003082018a02820181009b2b9d53fa353f8e6006436ac0cff57ff6c8535318c8ced36c7efc580795177965330b111e0046466c437840c802b092d950a8564e18ffc8fab2d22499857919e8f8360363550e016280e318cc1d8e2a176a7d6195a185b785a4f6f4f4936a1624c2632fd1bffcde76de1026e23178523ad6da9beff7e85d3d7f2d6db01f237bf455d26224f172ffb5f08ae9c3ee607136d79c33acad21d525874f13db3ee62445d90fd396709919939c03b9fdaae763cde378dce13f4e9285d9d1aad665579f7ef32bfe288844e482ccaa039960010d1cd5fd4890e6faac69e15aa9077315fe1e77ca5e35687539a6579d8bd94205b1fd25e2243452028951cd9119aae13a71b707ef8ec51e772cfcacdc9f409cbf68eb396f8b3e69cec81fad01f896bb4d533e10abf55ae4c6c1c2e6a14dc5a4e14c6e63e3f29cf8e0c3d9d5ff7e60440842dcbf35077fdb21a05beb9f7e5719fd913da3533b6b9267a9fda2dbfb8c496ca647caf6a1004c765ca1da7e478ab6388ca9c51fff6046f77e40e7dd46b2596f5b0203010001a382016430820160301f0603551d2304183016801432eb929aff3596482f284042702036915c1785e6301d0603551d0e041604140f2acb208728b8ec6f48ae2b54a629aa17a4cd0c300e0603551d0f0101ff04040302018630120603551d130101ff040830060101ff02010030130603551d25040c300a06082b06010505070303301b0603551d200414301230060604551d20003008060667810c010401304b0603551d1f044430423040a03ea03c863a687474703a2f2f63726c2e7365637469676f2e636f6d2f5365637469676f5075626c6963436f64655369676e696e67526f6f745234362e63726c307b06082b06010505070101046f306d304606082b06010505073002863a687474703a2f2f6372742e7365637469676f2e636f6d2f5365637469676f5075626c6963436f64655369676e696e67526f6f745234362e703763302306082b060105050730018617687474703a2f2f6f6373702e7365637469676f2e636f6d300d06092a864886f70d01010c0500038202010006ff82e17763366e7ba115209b13ff04fe98754461c3569571d1913f85a1eb4040b1c8d6e072fd85ca64393cf98d4ba0da87ae9db600a306c50b600a2be70c7172010f465d39a593b32372041b0c2c7a9a7ef221ac2ca695a4bdf3e429a010b22a9a4fd0e731604754d21a6c6aa0412193ad05a8e3730e7ec3f29e16f3d87cb17f95d6299a51bebddd31aa5a9dd3df620a19f220cbd8e477b18ced809adb1ba559f43a135c59b583445ff7b01a7a7d65e1cfb0dc30be224c0592f8c55778d2e3d65273895284a2ba06b3d3258b38346d431b39a94e84e7c28a99f1f0268b65e5667b9c842e0d3d265a3c04c7bcd233b7ecf53c7a37e43fdfee3da93b54bc042cac4031c26cce4c9e89a7ab969870a0ac75b8747337213a6f1b9229cbad8acaa628be4e4ee9c0bed38d128b5e4a269b90f552676cfbea62a7cc07d9c4297fdddab7754370e2b837b130a08241d246a4ea94b312ee08eb853a819b3bb52fdd18d4a58dfd8e4929d1afb296cead37ce5f25ef98f2fa139db3d4d649e9cb6e305050647de9c16bea51147c02041d50b52faf18d461b1c78fde448f36badf376b11cc562c35fac5696cfc60e754db9e2a35941f77d3bf563c59d868ebdf1800347b4cdc7c5fccf605ebfa4a2bc104e1d8faeaa28ab66d834cbd4a14283f3982727eb74b26ad6adbf1d79ed82bd86570f995a1ad680c4e7f2fd528d9b0b96b8087d91c	7z.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\SystemCertificates\CA\Certificates\329B78A5C9EBC2043242DE90CE1B7C6B1BA6C692	7z.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\SystemCertificates\CA\Certificates\329B78A5C9EBC2043242DE90CE1B7C6B1BA6C692\Blob = 030000000100000014000000329b78a5c9ebc2043242de90ce1b7c6b1ba6c69214000000010000001400000032eb929aff3596482f284042702036915c1785e60400000001000000100000002aa320982e00193fad3bd0ea5406e4cd0f0000000100000030000000a229d2722bc6091d73b1d979b81088c977cb028a6f7cbf264bb81d5cc8f099f87d7c296e48bf09d7ebe275f5498661a41900000001000000100000000e8c3d8a006eb5c23a7725464ad10a8c1800000001000000100000002aa1c05e2ae606f198c2c5e937c97aa22000000001000000730500003082056f30820457a003020102021048fc93b46055948d36a7c98a89d69416300d06092a864886f70d01010c0500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3231303532353030303030305a170d3238313233313233353935395a3056310b300906035504061302474231183016060355040a130f5365637469676f204c696d69746564312d302b060355040313245365637469676f205075626c696320436f6465205369676e696e6720526f6f742052343630820222300d06092a864886f70d01010105000382020f003082020a02820201008de79412220424742eff162302928ab6ae3685ac47d423912b3edc7de231a0516fac8491e3528ab5e296ded0876324898affef12933b7dbbb68abdbd057f279b6b65d3a50c69b1bc49399af16d6eaae4a08327da9a0d2b50e94b5bb3b86436a47e4a3da971ab61b373b33c0b0cefdb3357e5be3437e3971b5dfd1f123d820376e6fb3f66d2943169fa6db334acc17a78dc9250f264c7aa2d04abc36aeae02fa7a7dc6ed7e8ffda21ab40bfb9ee0d9ec6d99e99efc6de1fa90c76b32720a1d6bafd80e701d2efeb822995708dffbb15cffed10f36a22e4f329074466b4735137705334f632eb82de1bf65a7046b18d871facc08f26d899910b1addb3e2ce4aa18b0c607017567de6de963631e367f6989beaa453e6e5a5f8fa15bcb9d308630e803b340c60d0f38cd67a85388fab83065fa6fc7e71db18374693eacc4683bb1e667339ab608e080054840eef6826446a8f573b00695f26c659fbf555b1c9c571ac778467c70aa941b8217ac87e9b6c90e811c40d6161729fc5c9c182bea45f5efbdd5674f285e05ee904c7ae7c6f4d0fcfacd3e32461320368a04eab7aa07469c0d933a096699585c29a3b90ca630383cd04636357c9cbaeec3d5f90a76fa7e051b40ca9235e9d57ad1b57f00aea990aac57f019c10b116fccc6e18dc6f62fea650a7b87bb89d153ffe200c75c8225a1395199000e91ad5c286f1e38eec5ff4e50203010001a38201123082010e301f0603551d23041830168014a0110a233e96f107ece2af29ef82a57fd030a4b4301d0603551d0e0416041432eb929aff3596482f284042702036915c1785e6300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff30130603551d25040c300a06082b06010505070303301b0603551d200414301230060604551d20003008060667810c01040130430603551d1f043c303a3038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c303406082b0601050507010104283026302406082b060105050730018618687474703a2f2f6f6373702e636f6d6f646f63612e636f6d300d06092a864886f70d01010c0500038201010012bfa1ef8b749a9844b86946b5ab240a0ca48a67b83a81bf458a7d5207a88d1f4e218539a36b5e2d2086bf10b8ae793b53cdb4fbd844be06d95c6367d44016874486722ad63215f51283c2f9e15d114067f6422772c523e202381a4c20e2db01f7cd464f26a27c66c05136b6890254c7fc58fb6c00eefe98a62e95a10c53291f6fd819a64f9ef7ac09ea5d82c68baf80a7bd8148528431da32ec15e4a64c3d6c3973d40b853920e0851a68e1a74838a9d1362577c18d1916c5884c667d2f63ce98e869dfac3ca85d9dc91c5baed8f32f74cfb87ef6d7839d1196629aae4513da7fdc47fbdfc3529fe60655e99d8cf23a6251bcec240f29d4588084e4457b5ad8	7z.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	7z.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	7z.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	7z.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

mmc.exe

description	pid	process
Token: 33	2108	mmc.exe
Token: SeIncBasePriorityPrivilege	2108	mmc.exe
Token: 33	2108	mmc.exe
Token: SeIncBasePriorityPrivilege	2108	mmc.exe

Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

e8b47dc9b7ef12f900b0bd04b47af64527a12fda9e08dfa67ae6c39b55d9f02d.exe7zxvcc.exemmc.exe

pid	process
2772	e8b47dc9b7ef12f900b0bd04b47af64527a12fda9e08dfa67ae6c39b55d9f02d.exe
2772	e8b47dc9b7ef12f900b0bd04b47af64527a12fda9e08dfa67ae6c39b55d9f02d.exe
2344	7zxvcc.exe
2344	7zxvcc.exe
2108	mmc.exe
2108	mmc.exe

Suspicious use of WriteProcessMemory 30 IoCs

Processes:

e8b47dc9b7ef12f900b0bd04b47af64527a12fda9e08dfa67ae6c39b55d9f02d.exe7zxvcc.execmd.exemmc.exesvchost.exe

description	pid	process	target process
PID 2772 wrote to memory of 2344	2772	e8b47dc9b7ef12f900b0bd04b47af64527a12fda9e08dfa67ae6c39b55d9f02d.exe	7zxvcc.exe
PID 2772 wrote to memory of 2344	2772	e8b47dc9b7ef12f900b0bd04b47af64527a12fda9e08dfa67ae6c39b55d9f02d.exe	7zxvcc.exe
PID 2772 wrote to memory of 2344	2772	e8b47dc9b7ef12f900b0bd04b47af64527a12fda9e08dfa67ae6c39b55d9f02d.exe	7zxvcc.exe
PID 2772 wrote to memory of 2344	2772	e8b47dc9b7ef12f900b0bd04b47af64527a12fda9e08dfa67ae6c39b55d9f02d.exe	7zxvcc.exe
PID 2344 wrote to memory of 2216	2344	7zxvcc.exe	cmd.exe
PID 2344 wrote to memory of 2216	2344	7zxvcc.exe	cmd.exe
PID 2344 wrote to memory of 2216	2344	7zxvcc.exe	cmd.exe
PID 2344 wrote to memory of 2216	2344	7zxvcc.exe	cmd.exe
PID 2216 wrote to memory of 2848	2216	cmd.exe	7z.exe
PID 2216 wrote to memory of 2848	2216	cmd.exe	7z.exe
PID 2216 wrote to memory of 2848	2216	cmd.exe	7z.exe
PID 2216 wrote to memory of 2848	2216	cmd.exe	7z.exe
PID 2216 wrote to memory of 2628	2216	cmd.exe	WScript.exe
PID 2216 wrote to memory of 2628	2216	cmd.exe	WScript.exe
PID 2216 wrote to memory of 2628	2216	cmd.exe	WScript.exe
PID 2216 wrote to memory of 2628	2216	cmd.exe	WScript.exe
PID 2108 wrote to memory of 2524	2108	mmc.exe	svchost.exe
PID 2108 wrote to memory of 2524	2108	mmc.exe	svchost.exe
PID 2108 wrote to memory of 2524	2108	mmc.exe	svchost.exe
PID 2108 wrote to memory of 2524	2108	mmc.exe	svchost.exe
PID 2524 wrote to memory of 1768	2524	svchost.exe	svchost.exe
PID 2524 wrote to memory of 1768	2524	svchost.exe	svchost.exe
PID 2524 wrote to memory of 1768	2524	svchost.exe	svchost.exe
PID 2524 wrote to memory of 1768	2524	svchost.exe	svchost.exe
PID 2524 wrote to memory of 1768	2524	svchost.exe	svchost.exe
PID 2524 wrote to memory of 1768	2524	svchost.exe	svchost.exe
PID 2524 wrote to memory of 1304	2524	svchost.exe	WerFault.exe
PID 2524 wrote to memory of 1304	2524	svchost.exe	WerFault.exe
PID 2524 wrote to memory of 1304	2524	svchost.exe	WerFault.exe
PID 2524 wrote to memory of 1304	2524	svchost.exe	WerFault.exe

System policy modification 1 TTPs 3 IoCs

evasion

Modify Registry

T1112

Processes:

7zxvcc.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	7zxvcc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	7zxvcc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	7zxvcc.exe

C:\Users\Admin\AppData\Local\Temp\e8b47dc9b7ef12f900b0bd04b47af64527a12fda9e08dfa67ae6c39b55d9f02d.exe
"C:\Users\Admin\AppData\Local\Temp\e8b47dc9b7ef12f900b0bd04b47af64527a12fda9e08dfa67ae6c39b55d9f02d.exe"
1⤵
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Enumerates system info in registry
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2772

C:\Programdata\7zxvcc.exe
C:\Programdata\7zxvcc.exe
2⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Enumerates system info in registry
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2344

C:\Windows\SysWOW64\cmd.exe
cmd /c unzip.bat
3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2216

C:\Programdata\7z.exe
7z.exe sign /f cache.dat /p aa123123 /d 61110001 /v "glib.dll"
4⤵
- Executes dropped EXE
- Modifies system certificate store
PID:2848

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Programdata\2.vbe"
4⤵
PID:2628

C:\Windows\system32\mmc.exe
C:\Windows\system32\mmc.exe -Embedding
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2108

C:\ProgramData\svchost.exe
"C:\ProgramData\svchost.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2524

C:\ProgramData\svchost.exe
C:\ProgramData\svchost.exe
3⤵
- Executes dropped EXE
PID:1768

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2524 -s 60
3⤵
- Loads dropped DLL
- Program crash
PID:1304

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

System Information Discovery

T1082

Query Registry

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\TASLoginBase.dll
Filesize
103KB

MD5
990cc3a1ae459170e0286b7472879ae8

SHA1
c7338a4ded118cf4ca2cda98a793afd856c2323e

SHA256
c48de908959a78ba70ecbf9793a6a37e7bba99615d7c15f4ec0102f1e04b2bb3

SHA512
f9143ed3548088e633c25507fdc9801e47bd7909e5300af71e5419ea9ef8538ffe8742e28aa96b203025069e9313e8aeb5cbc01062bb7d49a60afd31f0913d45

Download Submit
C:\ProgramData\Tencent.lnk
Filesize
897B

MD5
7ad1be0d3c8e0cba7f7d848aa49d7b23

SHA1
c62c42b497f08f951a623bd38eb828b6b552f672

SHA256
b5896994693d527b666248cd011581e2f54ce0b174ad7979319406d9a514988c

SHA512
a2040e23ce93698479cb9bc67f793f00922d3c6748cb3e15659b667d7346d6c9943e4faddf9d540c5ef58414a5986a45e282ae83cadca50243220965f0617e64

Download Submit
C:\ProgramData\cache.dat
Filesize
7KB

MD5
2dee19fb2b899134c3532687db5f9d3f

SHA1
f78098140f7de8158fdb683c31ab9b50b1b88454

SHA256
ae25561400fed84253d688af90e27670d12e1a9454f83f084d4137789eb0cbd0

SHA512
6d0adf805d152b4e0dc38f848383457e8185fc42d0a704fdf2b8a89ec96306843169ba96355b93f697ef0e3144ef13278226e4310d25b3e5463d144abd4ed8a8

Download Submit
C:\ProgramData\svchost.exe
Filesize
411KB

MD5
66557b2bd93e70a2804e983b279ab473

SHA1
4e58505689fd9643b5011880ce94b22cbfadf917

SHA256
a63c9e3f7256e38224f7256307d954d4a6baa9f023f6ac49d8cface7b2658e31

SHA512
b08d8b2872f4ebdbab7b15bd96f5d185f05030983c2d704497d30fe5f610874b5ec362f0e3e55800031edcd29b812d9b58214e76012a85df074310f36e0f33f4

Download Submit
C:\ProgramData\unzip.bat
Filesize
229B

MD5
20fd99cc3bc7eb0ad9d421895fedc22b

SHA1
68b7782f08a29f3e7351f37122ae99220a062224

SHA256
fe6bc55e16ec1a889d344c9f09d8fce455cf26374f61df1086bdeb14d9d2a9bd

SHA512
bc8828e39a5886b91352db967eab2dcc99dc4c2610f49019710959d0dd741acc2c1e82c8b4f840be9f1037b26c0b542cb397caaeca2a855a43a79a40d348ed1e

Download Submit
C:\ProgramData\update.log
Filesize
462KB

MD5
36569f853d22511c06e013d3ea86979a

SHA1
40feb35f2ec315a269c41f55f2c3c36a4f15d674

SHA256
2f6a402c99acddf48110bce3df6a0c67277efbd0fa2bcdc71b8a7b73ba4f53e8

SHA512
94ac069f292d1a97f76e182387f1865b26831d626108e54477c5096d5d1f98b2806b38cc71deafdae779d046516e6775ad99f56608b17ba3539fd1352704a9c4

Download Submit
C:\Programdata\2.vbe
Filesize
170B

MD5
e354f56e782e7db68f958e2d8d4d1b96

SHA1
69d51ed0e772cdcb9435d2566871c9bc80d77dfd

SHA256
ec8a6021a9e01ccaa823231d593e78b13f512811fb83563bb8cdb444d2b0f55b

SHA512
95e2cc8332b0375702bdac36d09509857ab0ec8b8cd7dda537324961db1ed5b58981e2ac0f9b611612e71e0b201cb4846adcf63e1c832f888eccbd59e76287c2

Download Submit
C:\Programdata\glib.dll
Filesize
103KB

MD5
e1b24eca469ef69ff000d6e8cdcc420c

SHA1
b6ad626ecf620e6a496743215ad530837d90fd9d

SHA256
a13f7fddbcdfc95f784dadbb4a2d4c7bd95a6e67c96c0a06bc7617443cfc2c2d

SHA512
c2987f0f63d0a8c93b028ae54da6af1c99f62aba100d63ab17fb3fa9601faad01f0ca1761d605ff3f95e50d88c63fff7c22f9b39bdaad6611fa181ffc15b1145

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
fbdf6981c8aec16deb3a8303019aeff0

SHA1
5c7543aba2fdea2f06381f402c944f86ab31d99d

SHA256
a46d627516db0cf3c1b254b24e6e75e87f53b630a5e5c306d294e3ea8c3eb0da

SHA512
69d52d38ea1606cd582b43de658cbffcc7c7a74d916f55c134b6c2cf2989cc348ed95ac3bfcfbbe5b37c3ca5dfa4daae7c6c097cab86712ab852284308aabcb6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar2543.tmp
Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
\ProgramData\7z.exe
Filesize
221KB

MD5
d4e274097855a46146d39e8401c13103

SHA1
c620c2f14ae43ebe358d0d7b69da4469279d236a

SHA256
34d192505952e5a11ec69ffc4a963764125996edba9eed26ec5662cf7948f8e8

SHA512
3f8b3e288a87be8024fa1beb3e5e96cff75fa6b52cfeb6d3b21b3ae32d3242bb89da7adb25602ee3130bae971b8ec25c84378c4d77b03171de699457d37fd834

Download Submit
\ProgramData\7zxvcc.exe
Filesize
2.3MB

MD5
5bd70186899c032e2f05fe9894c02698

SHA1
5a3a792a406f7a75c58e1b72fe24acffb8b088bd

SHA256
e8b47dc9b7ef12f900b0bd04b47af64527a12fda9e08dfa67ae6c39b55d9f02d

SHA512
1049c54a7c2ccd36bef6cee5853da8e931889fbe045b0a189e6d13090df8b443ed228f3abe9ba4dc8338eee3a97fd6b6e2a5267e35f9a90a8b35cf109c0ea790

Download Submit
memory/1768-17619-0x0000000000400000-0x000000000051F000-memory.dmp

Filesize
1.1MB

Download
memory/1768-17592-0x0000000000400000-0x000000000051F000-memory.dmp

Filesize
1.1MB

Download
memory/1768-17589-0x0000000000400000-0x000000000051F000-memory.dmp

Filesize
1.1MB

Download
memory/2108-17572-0x0000000001D40000-0x0000000001D41000-memory.dmp

Filesize
4KB

Download
memory/2344-17581-0x0000000000400000-0x00000000006A7000-memory.dmp

Filesize
2.7MB

Download
memory/2344-17400-0x0000000050000000-0x0000000050109000-memory.dmp

Filesize
1.0MB

Download
memory/2344-17399-0x0000000000400000-0x00000000006A7000-memory.dmp

Filesize
2.7MB

Download
memory/2344-17390-0x0000000002440000-0x0000000002551000-memory.dmp

Filesize
1.1MB

Download
memory/2344-11251-0x0000000002190000-0x0000000002311000-memory.dmp

Filesize
1.5MB

Download
memory/2344-8702-0x0000000000400000-0x00000000006A7000-memory.dmp

Filesize
2.7MB

Download
memory/2524-17606-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/2524-17577-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/2772-840-0x0000000002480000-0x0000000002591000-memory.dmp

Filesize
1.1MB

Download
memory/2772-856-0x0000000002480000-0x0000000002591000-memory.dmp

Filesize
1.1MB

Download
memory/2772-860-0x0000000002480000-0x0000000002591000-memory.dmp

Filesize
1.1MB

Download
memory/2772-864-0x0000000002480000-0x0000000002591000-memory.dmp

Filesize
1.1MB

Download
memory/2772-862-0x0000000002480000-0x0000000002591000-memory.dmp

Filesize
1.1MB

Download
memory/2772-866-0x0000000002480000-0x0000000002591000-memory.dmp

Filesize
1.1MB

Download
memory/2772-868-0x0000000002480000-0x0000000002591000-memory.dmp

Filesize
1.1MB

Download
memory/2772-870-0x0000000002480000-0x0000000002591000-memory.dmp

Filesize
1.1MB

Download
memory/2772-872-0x0000000002480000-0x0000000002591000-memory.dmp

Filesize
1.1MB

Download
memory/2772-2547-0x00000000021D0000-0x0000000002351000-memory.dmp

Filesize
1.5MB

Download
memory/2772-8686-0x0000000002480000-0x0000000002591000-memory.dmp

Filesize
1.1MB

Download
memory/2772-8694-0x0000000000400000-0x00000000006A7000-memory.dmp

Filesize
2.7MB

Download
memory/2772-8696-0x0000000050000000-0x0000000050109000-memory.dmp

Filesize
1.0MB

Download
memory/2772-834-0x0000000002480000-0x0000000002591000-memory.dmp

Filesize
1.1MB

Download
memory/2772-8701-0x0000000003090000-0x0000000003337000-memory.dmp

Filesize
2.7MB

Download
memory/2772-842-0x0000000002480000-0x0000000002591000-memory.dmp

Filesize
1.1MB

Download
memory/2772-9471-0x0000000000400000-0x00000000006A7000-memory.dmp

Filesize
2.7MB

Download
memory/2772-844-0x0000000002480000-0x0000000002591000-memory.dmp

Filesize
1.1MB

Download
memory/2772-848-0x0000000002480000-0x0000000002591000-memory.dmp

Filesize
1.1MB

Download
memory/2772-858-0x0000000002480000-0x0000000002591000-memory.dmp

Filesize
1.1MB

Download
memory/2772-850-0x0000000002480000-0x0000000002591000-memory.dmp

Filesize
1.1MB

Download
memory/2772-854-0x0000000002480000-0x0000000002591000-memory.dmp

Filesize
1.1MB

Download
memory/2772-852-0x0000000002480000-0x0000000002591000-memory.dmp

Filesize
1.1MB

Download
memory/2772-846-0x0000000002480000-0x0000000002591000-memory.dmp

Filesize
1.1MB

Download
memory/2772-0-0x0000000000400000-0x00000000006A7000-memory.dmp

Filesize
2.7MB

Download
memory/2772-836-0x0000000002480000-0x0000000002591000-memory.dmp

Filesize
1.1MB

Download
memory/2772-838-0x0000000002480000-0x0000000002591000-memory.dmp

Filesize
1.1MB

Download
memory/2772-828-0x0000000002480000-0x0000000002591000-memory.dmp

Filesize
1.1MB

Download
memory/2772-830-0x0000000002480000-0x0000000002591000-memory.dmp

Filesize
1.1MB

Download
memory/2772-832-0x0000000002480000-0x0000000002591000-memory.dmp

Filesize
1.1MB

Download
memory/2772-822-0x0000000002480000-0x0000000002591000-memory.dmp

Filesize
1.1MB

Download
memory/2772-824-0x0000000002480000-0x0000000002591000-memory.dmp

Filesize
1.1MB

Download
memory/2772-826-0x0000000002480000-0x0000000002591000-memory.dmp

Filesize
1.1MB

Download
memory/2772-818-0x0000000002480000-0x0000000002591000-memory.dmp

Filesize
1.1MB

Download
memory/2772-820-0x0000000002480000-0x0000000002591000-memory.dmp

Filesize
1.1MB

Download
memory/2772-811-0x0000000002480000-0x0000000002591000-memory.dmp

Filesize
1.1MB

Download
memory/2772-814-0x0000000002480000-0x0000000002591000-memory.dmp

Filesize
1.1MB

Download
memory/2772-816-0x0000000002480000-0x0000000002591000-memory.dmp

Filesize
1.1MB

Download
memory/2772-812-0x0000000002480000-0x0000000002591000-memory.dmp

Filesize
1.1MB

Download
memory/2772-1-0x00000000759B0000-0x00000000759F7000-memory.dmp

Filesize
284KB

Download