xmrig | 7be84af94664fd42c740a31a89a82a51ede33cd3ce18bd42500d7d5345a0488d

Analysis

max time kernel
88s
max time network
89s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
19-12-2024 18:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7FAR - ZModeler 3.1.4 (build 1142).rar
Size

19.7MB
MD5

305574e146362152fdc3d3d5a86bd291
SHA1

26154d5487a726f92ab2a9ea0bc4f8f88c659f16
SHA256

7be84af94664fd42c740a31a89a82a51ede33cd3ce18bd42500d7d5345a0488d
SHA512

0987a9ee9dfcfd10ccac940b020940c1b67f74d284a4e13169a5ba35b2dff2b58e8940ce0e8f0132b08873c3fc733fd1ee683cf510817c1b224409cec4de3377
SSDEEP

393216:UQL36RFAdrEl6/laKIn0jWCmOwgot1jjYRpQM4hqSQCjDnC:U5addla1n0ieDovC20m2

Score

10^/10

xmrig discovery evasion execution miner persistence upx

Malware Config

Signatures

Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 7 IoCs

miner

resource	yara_rule
behavioral1/memory/1736-584-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/1736-588-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/1736-589-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/1736-590-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/1736-585-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/1736-587-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/1736-591-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig

Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2232	powershell.exe
3928	powershell.exe
2460	powershell.exe

Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002
Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	ZModeler3.exe

Executes dropped EXE 5 IoCs

pid	Process
4364	ZModeler3.exe
1840	7FAR.exe
4432	ZModeler3.exe
2840	ZModeler.exe
208	UpdateServices.exe

Loads dropped DLL 64 IoCs

pid	Process
4432	ZModeler3.exe
4432	ZModeler3.exe
4432	ZModeler3.exe
4432	ZModeler3.exe
4432	ZModeler3.exe
4432	ZModeler3.exe
4432	ZModeler3.exe
4432	ZModeler3.exe
4432	ZModeler3.exe
4432	ZModeler3.exe
4432	ZModeler3.exe
4432	ZModeler3.exe
4432	ZModeler3.exe
4432	ZModeler3.exe
4432	ZModeler3.exe
4432	ZModeler3.exe
4432	ZModeler3.exe
4432	ZModeler3.exe
4432	ZModeler3.exe
4432	ZModeler3.exe
4432	ZModeler3.exe
4432	ZModeler3.exe
4432	ZModeler3.exe
4432	ZModeler3.exe
4432	ZModeler3.exe
4432	ZModeler3.exe
4432	ZModeler3.exe
4432	ZModeler3.exe
4432	ZModeler3.exe
4432	ZModeler3.exe
4432	ZModeler3.exe
4432	ZModeler3.exe
4432	ZModeler3.exe
4432	ZModeler3.exe
4432	ZModeler3.exe
4432	ZModeler3.exe
4432	ZModeler3.exe
4432	ZModeler3.exe
4432	ZModeler3.exe
4432	ZModeler3.exe
4432	ZModeler3.exe
4432	ZModeler3.exe
4432	ZModeler3.exe
4432	ZModeler3.exe
4432	ZModeler3.exe
4432	ZModeler3.exe
4432	ZModeler3.exe
4432	ZModeler3.exe
4432	ZModeler3.exe
4432	ZModeler3.exe
4432	ZModeler3.exe
4432	ZModeler3.exe
4432	ZModeler3.exe
4432	ZModeler3.exe
4432	ZModeler3.exe
4432	ZModeler3.exe
4432	ZModeler3.exe
4432	ZModeler3.exe
4432	ZModeler3.exe
4432	ZModeler3.exe
4432	ZModeler3.exe
4432	ZModeler3.exe
4432	ZModeler3.exe
4432	ZModeler3.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log	powershell.exe
File opened for modification	C:\Windows\system32\MRT.exe	UpdateServices.exe
File opened for modification	C:\Windows\system32\MRT.exe	ZModeler.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 208 set thread context of 1500	208	UpdateServices.exe	129
PID 208 set thread context of 1736	208	UpdateServices.exe	130

UPX packed file 12 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1736-579-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/1736-584-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/1736-588-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/1736-589-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/1736-590-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/1736-585-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/1736-587-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/1736-583-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/1736-581-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/1736-582-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/1736-580-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/1736-591-0x0000000140000000-0x0000000140848000-memory.dmp	upx

Launches sc.exe 4 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
3932	sc.exe
3620	sc.exe
4464	sc.exe
1088	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7FAR.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ZModeler3.exe

Modifies data under HKEY_USERS 50 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	conhost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\ROOT	conhost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	conhost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	conhost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe

Modifies registry class 10 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ZModeler3.scene\DefaultIcon	ZModeler3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ZModeler3.scene\DefaultIcon\ = "C:\\Users\\Admin\\Desktop\\7FAR - ZModeler 3.1.4 (build 1142)\\data\\ZModeler3.exe, 1"	ZModeler3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ZModeler3.scene\shell	ZModeler3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ZModeler3.scene\shell\open	ZModeler3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.z3d	ZModeler3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.z3d\ = "ZModeler3.scene"	ZModeler3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ZModeler3.scene\ = ".z3d scene"	ZModeler3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ZModeler3.scene	ZModeler3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ZModeler3.scene\shell\open\command	ZModeler3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ZModeler3.scene\shell\open\command\ = "C:\\Users\\Admin\\Desktop\\7FAR - ZModeler 3.1.4 (build 1142)\\data\\ZModeler3.exe \"%1\""	ZModeler3.exe

Suspicious behavior: EnumeratesProcesses 62 IoCs

pid	Process
2460	powershell.exe
2460	powershell.exe
2840	ZModeler.exe
2232	powershell.exe
2232	powershell.exe
2840	ZModeler.exe
2840	ZModeler.exe
2840	ZModeler.exe
2840	ZModeler.exe
2840	ZModeler.exe
208	UpdateServices.exe
3928	powershell.exe
3928	powershell.exe
208	UpdateServices.exe
208	UpdateServices.exe
208	UpdateServices.exe
1736	conhost.exe
1736	conhost.exe
1736	conhost.exe
1736	conhost.exe
1736	conhost.exe
1736	conhost.exe
1736	conhost.exe
1736	conhost.exe
1736	conhost.exe
1736	conhost.exe
1736	conhost.exe
1736	conhost.exe
1736	conhost.exe
1736	conhost.exe
1736	conhost.exe
1736	conhost.exe
1736	conhost.exe
1736	conhost.exe
1736	conhost.exe
1736	conhost.exe
1736	conhost.exe
1736	conhost.exe
1736	conhost.exe
1736	conhost.exe
1736	conhost.exe
1736	conhost.exe
1736	conhost.exe
1736	conhost.exe
1736	conhost.exe
1736	conhost.exe
1736	conhost.exe
1736	conhost.exe
1736	conhost.exe
1736	conhost.exe
1736	conhost.exe
1736	conhost.exe
1736	conhost.exe
1736	conhost.exe
1736	conhost.exe
1736	conhost.exe
1736	conhost.exe
1736	conhost.exe
1736	conhost.exe
1736	conhost.exe
1736	conhost.exe
1736	conhost.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4248	7zFM.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeRestorePrivilege	4248	7zFM.exe
Token: 35	4248	7zFM.exe
Token: SeSecurityPrivilege	4248	7zFM.exe
Token: SeDebugPrivilege	2460	powershell.exe
Token: SeSystemEnvironmentPrivilege	4432	ZModeler3.exe
Token: SeDebugPrivilege	2232	powershell.exe
Token: SeDebugPrivilege	3928	powershell.exe
Token: SeLockMemoryPrivilege	1736	conhost.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
4248	7zFM.exe
4248	7zFM.exe
4432	ZModeler3.exe
4432	ZModeler3.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
4432	ZModeler3.exe
4432	ZModeler3.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 4364 wrote to memory of 1840	4364	ZModeler3.exe	105
PID 4364 wrote to memory of 1840	4364	ZModeler3.exe	105
PID 4364 wrote to memory of 1840	4364	ZModeler3.exe	105
PID 4364 wrote to memory of 4432	4364	ZModeler3.exe	106
PID 4364 wrote to memory of 4432	4364	ZModeler3.exe	106
PID 4364 wrote to memory of 4432	4364	ZModeler3.exe	106
PID 4364 wrote to memory of 2460	4364	ZModeler3.exe	107
PID 4364 wrote to memory of 2460	4364	ZModeler3.exe	107
PID 4364 wrote to memory of 2840	4364	ZModeler3.exe	109
PID 4364 wrote to memory of 2840	4364	ZModeler3.exe	109
PID 5076 wrote to memory of 2992	5076	cmd.exe	120
PID 5076 wrote to memory of 2992	5076	cmd.exe	120
PID 208 wrote to memory of 1500	208	UpdateServices.exe	129
PID 208 wrote to memory of 1500	208	UpdateServices.exe	129
PID 208 wrote to memory of 1500	208	UpdateServices.exe	129
PID 208 wrote to memory of 1500	208	UpdateServices.exe	129
PID 208 wrote to memory of 1500	208	UpdateServices.exe	129
PID 208 wrote to memory of 1500	208	UpdateServices.exe	129
PID 208 wrote to memory of 1500	208	UpdateServices.exe	129
PID 208 wrote to memory of 1500	208	UpdateServices.exe	129
PID 208 wrote to memory of 1500	208	UpdateServices.exe	129
PID 208 wrote to memory of 1736	208	UpdateServices.exe	130
PID 208 wrote to memory of 1736	208	UpdateServices.exe	130
PID 208 wrote to memory of 1736	208	UpdateServices.exe	130
PID 208 wrote to memory of 1736	208	UpdateServices.exe	130
PID 208 wrote to memory of 1736	208	UpdateServices.exe	130
PID 392 wrote to memory of 3168	392	cmd.exe	132
PID 392 wrote to memory of 3168	392	cmd.exe	132

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\7FAR - ZModeler 3.1.4 (build 1142).rar"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4248

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:812

C:\Users\Admin\Desktop\7FAR - ZModeler 3.1.4 (build 1142)\ZModeler3.exe
"C:\Users\Admin\Desktop\7FAR - ZModeler 3.1.4 (build 1142)\ZModeler3.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4364
- C:\Users\Admin\Desktop\7FAR - ZModeler 3.1.4 (build 1142)\data\7FAR.exe
  "C:\Users\Admin\Desktop\7FAR - ZModeler 3.1.4 (build 1142)\data\7FAR.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1840
- C:\Users\Admin\Desktop\7FAR - ZModeler 3.1.4 (build 1142)\data\ZModeler3.exe
  "C:\Users\Admin\Desktop\7FAR - ZModeler 3.1.4 (build 1142)\data\ZModeler3.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  PID:4432
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\ZModeler.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2460
- C:\Users\Admin\AppData\Local\Temp\ZModeler.exe
  "C:\Users\Admin\AppData\Local\Temp\ZModeler.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  PID:2840
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2232
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5076
  - - C:\Windows\system32\wusa.exe
      wusa /uninstall /kb:890830 /quiet /norestart
      4⤵
      PID:2992
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe delete "OneDriveUpdateService"
    3⤵
    - Launches sc.exe
    PID:3932
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe create "OneDriveUpdateService" binpath= "C:\ProgramData\OneDrive\update\UpdateServices.exe" start= "auto"
    3⤵
    - Launches sc.exe
    PID:3620
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop eventlog
    3⤵
    - Launches sc.exe
    PID:4464
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe start "OneDriveUpdateService"
    3⤵
    - Launches sc.exe
    PID:1088

C:\ProgramData\OneDrive\update\UpdateServices.exe
C:\ProgramData\OneDrive\update\UpdateServices.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:208
- C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3928
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:392
- - C:\Windows\system32\wusa.exe
    wusa /uninstall /kb:890830 /quiet /norestart
    3⤵
    PID:3168
- C:\Windows\system32\conhost.exe
  C:\Windows\system32\conhost.exe
  2⤵
  PID:1500
- C:\Windows\system32\conhost.exe
  conhost.exe
  2⤵
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1736

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

System Services

T1569

Service Execution

T1569.002

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ZModeler.exe

Filesize
5.0MB

MD5
3596233d6115726c0ba2804ea93bb0e3

SHA1
623864c5608edcb79a9cfbdd6f8fb9e88a069f8d

SHA256
b4ebf81d444789a92bfc390e407a79dc4b397711f246218d26df94563d71a8b3

SHA512
214064764c21bd0a6044864f11b6233ba70dba0dc88f8fbbfe340cd6091daa3350587265539b266454aa71c04b265f6e1c7d823648c33d17b1b7c975808b32bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_01nfmmcc.tpx.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\Desktop\7FAR - ZModeler 3.1.4 (build 1142)\ZModeler3.exe

Filesize
5.0MB

MD5
de8c08a7b90c2507935cfffe495141cb

SHA1
87a09492feb515bc1d4b290e7ea0c075794e62f4

SHA256
58c437d56776dc78cc74491a46d82af9483c4c0296909bd5ccae6628a4942632

SHA512
c0af0f434c9a6ef2603d179df62685cffdaded0b3f059d6c107267cb7d84a608b617022f4f363212435bf2fac3323a4fe1338a28954e43377dbbeb987a2d0a26

Download Submit
C:\Users\Admin\Desktop\7FAR - ZModeler 3.1.4 (build 1142)\data\7FAR.exe

Filesize
48KB

MD5
8ea6d5232b4d56d77038283739460821

SHA1
4be0c2506cf497bb650925a16ab3364adfb12a05

SHA256
ddc613cab77dce14d6210cf2e0e00658e55f6ba6bbe84cc6a495c1b64d295cc0

SHA512
acb7054720aa5ac5dd59676316c48fb57cd938f30703d16d6c16110edeffe9932cccde8855cc297acbc14da836a5ac359fd79f6a0188669da0164782a5033e87

Download Submit
C:\Users\Admin\Desktop\7FAR - ZModeler 3.1.4 (build 1142)\data\D3DX9_42.dll

Filesize
1.8MB

MD5
c6a44fc3cf2f5801561804272217b14d

SHA1
a173e7007e0f522d47eb97068df0ca43563b22bc

SHA256
f8b9cfab7fffbc8f98e41aa439d72921dc180634a1febca2a9d41a0df35d3472

SHA512
2371844bc86cdce2d1933625b921b982c4d1b84a39698b51180b09a2d45732407d721fa01d294ca92a88777607a1bb00283f6bcdd4231137a388216d0b09dd5a

Download Submit
C:\Users\Admin\Desktop\7FAR - ZModeler 3.1.4 (build 1142)\data\Engine\D3D9.zme

Filesize
231KB

MD5
518b7e31ae972c713a1ed4e959667b12

SHA1
bf3423d91817bc642b69fb70ed1d4170a0f52d7e

SHA256
50c1f6c32c7642c37ad137899f8abc2703d4cae2cccef70b57dbe5ca8bf55369

SHA512
323d889ad5771d0ad4d327d44e0252bff44a313f450d66bf22127cb1e8bd52052aa4947bc5744f5d9aa787717231ad19ea57c74325d7af6cf263552187df0a5a

Download Submit
C:\Users\Admin\Desktop\7FAR - ZModeler 3.1.4 (build 1142)\data\Filters\3ds.zmf

Filesize
100KB

MD5
7a50e61874f841083a0ff6d6a51a17f4

SHA1
aa6dd342b5dd731785402dc8a9e0fc1772dc20d6

SHA256
84e347397a2f47d4e4a94ae1f2a0e687a96f87e426874e6c0347e99121da9889

SHA512
060ce26e043d85cf92dafb433aa47cb5eba00f4811c42088c42c0c116b8ea591850a9f1311be49df22b034b4bf18ab939680923ae6c90f9ad675f3f9fe966dde

Download Submit
C:\Users\Admin\Desktop\7FAR - ZModeler 3.1.4 (build 1142)\data\Filters\BiovisionBVH.zmf

Filesize
67KB

MD5
cc68d0662abb9a901c5e40819a644a33

SHA1
c07477992f03b736afb7967d9f81c32f8eeceaf3

SHA256
dd4a82a98be75ca58427dc1d364ac7716e44ca79d4ec5bca7f505d2e6ce17a7f

SHA512
3dd5ceb91c35b302988cec7c24825592ea8117447627aeec2dd006fb67ecfb5c542b4f44ed8076bcb375182e354466442fc25fce8e548af8fd96da74b0e1874d

Download Submit
C:\Users\Admin\Desktop\7FAR - ZModeler 3.1.4 (build 1142)\data\Filters\ColladaDAE.zmf

Filesize
166KB

MD5
0c4b3b7a65f0f4970e3744a1aa94a081

SHA1
7a8a18062b4495d6b52f56963ca2f74d00279ea8

SHA256
1993f41a02e57629f112b36886a7ecbfd4565c5805b8c72cf018f3223f7cb31f

SHA512
d696b3002d2bc9740765496d6c4013e79e749ee6a2961effb4d92ef1769759ccb92fdd19b8f12dea991afb31f35570a6ebc54a1a06ac7720f5f47d364dddaf25

Download Submit
C:\Users\Admin\Desktop\7FAR - ZModeler 3.1.4 (build 1142)\data\Filters\Emergency.zmf

Filesize
175KB

MD5
9fad0b3788e21efdaa603add3b1e01e3

SHA1
698afc3f092454bd0445039c02ba0bb4b17ca26b

SHA256
c92de16213502a11c86c52ada0d96c009caf9b85838c77c32e76e93f272eea36

SHA512
6061d8095fa5a5ff3c2073d5ab4fcbde3c66d4e66bca7d87c32ea897c3e30b8b7b5a1ea02683ce024af01dfe7b5311ad577339522abcb53622ea1a6027175074

Download Submit
C:\Users\Admin\Desktop\7FAR - ZModeler 3.1.4 (build 1142)\data\Filters\ISIgMotorGMT.zmf

Filesize
155KB

MD5
bdde281c080176ad252d5dc4d1f2dceb

SHA1
66969e33bec8c62ef9fc7397b58f11a2dc920844

SHA256
aee84d02ba0b4454f9bd7a050c26bf9f2ac97af80570d85f62ead60f614b62e7

SHA512
88a4435858530458b253a0ef1da746a7d96d23dcf3978691647d341eb7f8f7458a4093d75763f093f08ff01e0d709b377c817b8698f46f1bb9fde3647a37ca3c

Download Submit
C:\Users\Admin\Desktop\7FAR - ZModeler 3.1.4 (build 1142)\data\Filters\Mafia II.zmf

Filesize
319KB

MD5
245cebdb692ad38fdba2d450e17077f5

SHA1
3d6ddcc711e0616128367ebdec72e39e20636fc2

SHA256
935ce444ec0b059c8ce6efb6d3115fef6f5b65a170cdb550f93c9fb98130dc2e

SHA512
dbe8fd0262b7db137454a32590fbec566ee36cce5471d942133673c12f815f72352f81e5e85525f8da9494ce92b4c6deedacc7ab3a6eb5de41c22ecb8dbda8bf

Download Submit
C:\Users\Admin\Desktop\7FAR - ZModeler 3.1.4 (build 1142)\data\Filters\NFSMostWanted2.zmf

Filesize
209KB

MD5
9cfaa185c722b2f5a46d9dac57921d6d

SHA1
45a883bf02fce56440bb7ff5d6f0211d6d1a7426

SHA256
0c42c40021b3f92ca99b5b9cf04a5bd71d57394e8f2ba439bdaf3bbbef64dd6a

SHA512
d2e483a4a6337d16809ea5557ded0cc1df8dd760c4a726e0bcfb57b446981e12e372582e13962de70a73800e6c89fee2f431a2fdd05e3910f1313152960d6f06

Download Submit
C:\Users\Admin\Desktop\7FAR - ZModeler 3.1.4 (build 1142)\data\Filters\OMSI.zmf

Filesize
66KB

MD5
8aefca27f971646ea06a52dc46cd9571

SHA1
600ad498431c22800f1d57a0b2f0fa49e44c66aa

SHA256
36643fec62685de7c9a46163b7e0e49795e6ef55b10232f3779a645fac32d073

SHA512
ad061aea1a1a6eaec533945f8d574c67257771317b7e81bfa57da94a4f81570048a1900a624e8178cf2832a4c6ab4f9e667f2ed3886c51eae7ffd508fd632682

Download Submit
C:\Users\Admin\Desktop\7FAR - ZModeler 3.1.4 (build 1142)\data\Filters\SCS Soft Prism3D.zmf

Filesize
355KB

MD5
21f94cba4dea1f7e9961d45a60b09f0d

SHA1
e9a18cd8aa4ae82027752b9ad4da517a170e533b

SHA256
3f83d7638a1c6fe130c4ee2aa2e77ac906a40f83a16c93f0bcb9c0dc4b629a7e

SHA512
fcb718e72129eab90ef48292cc045484acf543140c5e5258b688656eaf2d0dca893b3a529aa20b5d9abeaa2ba5d17d7ddcaf95dd366bd58db4d6694230c2d84e

Download Submit
C:\Users\Admin\Desktop\7FAR - ZModeler 3.1.4 (build 1142)\data\Filters\Sims3Workshop.zmf

Filesize
100KB

MD5
48e1f7670bbb49ce5bb0dd594d1ea03c

SHA1
7ae307eff6e0f30587bfa11d9ea4cab8c16019d9

SHA256
1319bdb11df0bfa32ddbe4be5fc5177972da202cecd7c36b8e667b1cfaa8cfee

SHA512
80f6198b80968da663ef0f2a2164133e06c5ce8c4e7e689d86cb10fb4e856d25e3277bb8176c247b3a9502e70aa5e4b92b76a8eef2236af467c77549ed79a1ba

Download Submit
C:\Users\Admin\Desktop\7FAR - ZModeler 3.1.4 (build 1142)\data\Filters\SlightlyMadStudios.zmf

Filesize
208KB

MD5
8d0950dca67b3b90bb74fa0cd729f74c

SHA1
2eeb066853f9d4711b8bb15349b67a8dc19e5d51

SHA256
8a3b000f914157deb34231dd83c7770134fe534adef29c16d4e0d741c3d9f804

SHA512
bf0216e275e86b49935516b0ca286a2ab477cfa65baa8b0625d0f4c5db3639b93a84238688d8012aacfc8db7bb984256590870a295e5c802b904631ef6494221

Download Submit
C:\Users\Admin\Desktop\7FAR - ZModeler 3.1.4 (build 1142)\data\Filters\WatchDogs.zmf

Filesize
400KB

MD5
a07a8b762d9c244e27afb25aa9b0d032

SHA1
e25bb9de3ff1b5886f208acdb63757ac91c0c4b3

SHA256
d2f66b658d2adcc48024d84359aaa12b5fd999e2e7715351a29102cb4512078c

SHA512
e73e37180f9072065e4674a8f4257ade09df8c2839b17a6eba9369863534ec30355b636562e90cadc73b76593ab3a31d8cfd97410b30df3d1662c4b02449d316

Download Submit
C:\Users\Admin\Desktop\7FAR - ZModeler 3.1.4 (build 1142)\data\Filters\WaveFrontOBJ.zmf

Filesize
80KB

MD5
849fc9ff2e18ab5740b807556244e612

SHA1
6d72d1bc124de4a80d134891361d11d4ad9a4270

SHA256
c0e587400b5e4728355ae83b2bf031fb12003a2e8668a4b10cab3c51e0ba87f0

SHA512
887c2c2f40667ec9e48aaac51dd010c7cd92c4dc4f8d289da569332df6e0a101c86c695660becfd5c6365cf31275fa448888e688d06e4c8a53c55bd49fe05b8f

Download Submit
C:\Users\Admin\Desktop\7FAR - ZModeler 3.1.4 (build 1142)\data\Plugins\CreateTools.zmp

Filesize
148KB

MD5
b0f1d4f558d479dcc866ec2670896228

SHA1
8190ef27baab81543312898532219be876cf9710

SHA256
b0cb80f9984754a823ac6b368c3593d16943fb9620cd5d31d3fda964cb4c7176

SHA512
80206a2df8a1361f9bc8152f00913d8e95f9a2ac2e10b46d89956088632fdc787904009cabc752e4faa45a14fea4f70130d6bc316b5813ae79fb907d81939c93

Download Submit
C:\Users\Admin\Desktop\7FAR - ZModeler 3.1.4 (build 1142)\data\Plugins\DisplayTools.zmp

Filesize
124KB

MD5
61dc8cca1abf320b76d2ea7b2912b26f

SHA1
fe0c248da7c5c69270e49ff6deabb2cd106998e6

SHA256
181aa202250bc9e68f9e29cb46e496d3e953797cb546814c12348ec3734658f4

SHA512
1963b233fdac1c48a96aafd32943709f428d6c1a3032348f474f00e92d84d71bc2512a08d32aece02397b0f25334e56f3d4fba8f23da1ce17766209ed801f886

Download Submit
C:\Users\Admin\Desktop\7FAR - ZModeler 3.1.4 (build 1142)\data\Plugins\EditingLevels.zmp

Filesize
169KB

MD5
bc3826e9545de0e45db85ab007df9766

SHA1
30e113ac2eac3cfbfbc958871b632ee85b68ebfc

SHA256
4dcc50c1c496aeeeb7c51d384a4a4ac96f4212a3bc254d7562ae21e8a0bf3d89

SHA512
bfe301f800cf74916b632d6e6f28448a2dc044ad4891d17d7b31d0cc2211c8350b85835ab2792f70e159aa00dba8d411bae52891e5154527e26bd18a8663c158

Download Submit
C:\Users\Admin\Desktop\7FAR - ZModeler 3.1.4 (build 1142)\data\Plugins\Lights.zmp

Filesize
140KB

MD5
a4671d6afd94dc095477209066b85b77

SHA1
a1a6c851a8d87e378e6fbb317822f7765a6c4367

SHA256
b1f6b6ab14b5b37cd68e4e21d65926b44da68140bbfda27f4631577911fe025a

SHA512
e44ecce108ef4e144318c6fe962520db2abf43b44d8a6fc231b90cccf276f53db48ab6c2a8eb52cf5cd04b99fe4ff99ba5dbfc2a28f61f89b23dd86a1a9fae77

Download Submit
C:\Users\Admin\Desktop\7FAR - ZModeler 3.1.4 (build 1142)\data\Plugins\ModifyTools.zmp

Filesize
739KB

MD5
3c0db757dee655c0f1cb241029376269

SHA1
b425626c34344a1a7698d72c4ea4998b9ffaf809

SHA256
9cd029603f699ac8347f332a543dc8879b9c22d1e5708b8517df85bc65c1607f

SHA512
cf7365156de0b118834dd9d459a1f9cf4150c6443e12ee3c002cabf8bc1bf6d33b818045ff1c0f99b4a961f86f4edf4c0d309c6a7ce9731e1e67685090b7b05f

Download Submit
C:\Users\Admin\Desktop\7FAR - ZModeler 3.1.4 (build 1142)\data\Plugins\Parametric.zmp

Filesize
262KB

MD5
593d89e15f0fadf3faa34235a2313aa8

SHA1
a6f5211c9c55ebdca813d52b18d756c6e4c902f8

SHA256
e76a41f2bf10c9560f75419977ec090663fb7bd52c046a64cb0d76eb528035c5

SHA512
b977c6f3a46dd7a967a484ea39bbb6dd65c64bacd39f44088309ad471956ba6e9187bf329076c34e6232947a53983e15f5bc38f1779260c357fb2cabf763d432

Download Submit
C:\Users\Admin\Desktop\7FAR - ZModeler 3.1.4 (build 1142)\data\Plugins\SelectTools.zmp

Filesize
222KB

MD5
4870908473bfb0751988ae4cfa460f54

SHA1
715219fc1464bc903e075f0f0753e039dd6e67df

SHA256
f312c1e55ab480b1e78c85ff4b26eb38049051b232d0c159c4aeaf80a18cdf13

SHA512
0e57961ece657a66e76bb069eabdadc8762ec42ac659493011f4055878ddc574a005d8dc2aeb0ae14e378c0ef21c57abde81487cf8ab35116b1a0d1242333ac9

Download Submit
C:\Users\Admin\Desktop\7FAR - ZModeler 3.1.4 (build 1142)\data\Plugins\Skeleton.zmp

Filesize
310KB

MD5
8dd581b032cfdf06344002c331d2ad62

SHA1
e891a26a08cbf8f4633305e03227cb963b36e76a

SHA256
4324ed88c9050d95cc2615d09e8b7a583062c5bfe5d3802916301184add54ea3

SHA512
b448285e672c12f43cd4dadc515a5185cdd28e98291f4764d777b6540adebcabb305d1037797ea30ab6a7230da87c227e0aeda62b6d73551fe5d6521e263a7e2

Download Submit
C:\Users\Admin\Desktop\7FAR - ZModeler 3.1.4 (build 1142)\data\ZModeler3.exe

Filesize
1.5MB

MD5
1221ae8c232f68b76aa6a7af4a979736

SHA1
aa06f5ebc7824810f9eeb544dc4f70e6ad730393

SHA256
bf99ce07768933217b878f730c057a80f1cad43d452080f13a42c7dc7c44090f

SHA512
6bfa63f398374e2a36a55f581da773b22777d1e663d0eca9f0c9fd00ae51bba331b2f1f365b276e03894c075c378d9283fb677b1c7a7b64e5fbd9a7ec5e35b32

Download Submit
C:\Users\Admin\Desktop\7FAR - ZModeler 3.1.4 (build 1142)\data\mfc100.dll

Filesize
4.1MB

MD5
07bccdcc337d393d7db0b2f8fe200b3f

SHA1
5a02b227cb0a22a8e7884cd138c3e8568d083d94

SHA256
bf38dda13b938b49a4df72b6477342373ee6e151be12c25cb0c17662fcb4bcd4

SHA512
e5637727a549cf7b88f13474097a71200f0dfa511ecd55c5a42e5f53e9f86ce8b7ce763448830fd073e232876f7537bad96f2ced8d3159558778460264d07639

Download Submit
C:\Users\Admin\Desktop\7FAR - ZModeler 3.1.4 (build 1142)\data\msimg32.dll

Filesize
210KB

MD5
6aeff2bf298c25a341f2b625d277e464

SHA1
fb953cb27fd0a9db853442f861d4b1a9b638d1e3

SHA256
af9cf7efd16419b4c1d7f0643b75278a62413ad425dcea302777bc13d7633e86

SHA512
145da30b025ffd829e308ade2ef435348e17fe0ccff9092629aaa219d201f3923d84397cdb2c084cec50a3b0587de6be8b84e1f9b24bef3dc5983e9972cdd54d

Download Submit
C:\Users\Admin\Desktop\7FAR - ZModeler 3.1.4 (build 1142)\data\msvcp100.dll

Filesize
411KB

MD5
03e9314004f504a14a61c3d364b62f66

SHA1
0aa3caac24fdf9d9d4c618e2bbf0a063036cd55d

SHA256
a3ba6421991241bea9c8334b62c3088f8f131ab906c3cc52113945d05016a35f

SHA512
2fcff4439d2759d93c57d49b24f28ae89b7698e284e76ac65fe2b50bdefc23a8cc3c83891d671de4e4c0f036cef810856de79ac2b028aa89a895bf35abff8c8d

Download Submit
C:\Users\Admin\Desktop\7FAR - ZModeler 3.1.4 (build 1142)\data\msvcr100.dll

Filesize
752KB

MD5
67ec459e42d3081dd8fd34356f7cafc1

SHA1
1738050616169d5b17b5adac3ff0370b8c642734

SHA256
1221a09484964a6f38af5e34ee292b9afefccb3dc6e55435fd3aaf7c235d9067

SHA512
9ed1c106df217e0b4e4fbd1f4275486ceba1d8a225d6c7e47b854b0b5e6158135b81be926f51db0ad5c624f9bd1d09282332cf064680dc9f7d287073b9686d33

Download Submit
\??\c:\users\admin\desktop\7far - zmodeler 3.1.4 (build 1142)\data\filters\gtarage.zmf

Filesize
608KB

MD5
b40c686e5fb706ef4894db4e6d7022ff

SHA1
ff73102606c946071d894b7c7115dfc9b3a0b15c

SHA256
a2748dc057d54daf53bc7c66ef9809a9acfd516f69e632a06ecbfa5b6e1c5599

SHA512
b62db8849ce9fe49e56c5b594437f69902d28eb396b9f12c911cfc25d10a02d733d5bf3ece9797ca3c9949e80803f27574cceb1ef3c61fb2bef905224c2e0d79

Download Submit
memory/1500-578-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/1500-575-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/1500-574-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/1500-572-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/1500-571-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/1500-573-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/1736-588-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1736-589-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1736-590-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1736-586-0x000001D9F7ED0000-0x000001D9F7EF0000-memory.dmp

Filesize
128KB

Download
memory/1736-591-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1736-584-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1736-579-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1736-585-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1736-580-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1736-582-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1736-581-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1736-583-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1736-587-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1840-466-0x00000000008E0000-0x00000000008F2000-memory.dmp

Filesize
72KB

Download
memory/1840-483-0x00000000055A0000-0x00000000055F6000-memory.dmp

Filesize
344KB

Download
memory/1840-467-0x00000000052D0000-0x000000000536C000-memory.dmp

Filesize
624KB

Download
memory/1840-476-0x0000000005A40000-0x0000000005FE4000-memory.dmp

Filesize
5.6MB

Download
memory/1840-480-0x0000000005490000-0x0000000005522000-memory.dmp

Filesize
584KB

Download
memory/1840-482-0x0000000005530000-0x000000000553A000-memory.dmp

Filesize
40KB

Download
memory/2460-460-0x0000026D2F510000-0x0000026D2F532000-memory.dmp

Filesize
136KB

Download
memory/2460-463-0x0000026D47AC0000-0x0000026D47CDC000-memory.dmp

Filesize
2.1MB

Download
memory/3928-567-0x0000015162150000-0x0000015162156000-memory.dmp

Filesize
24KB

Download
memory/3928-568-0x0000015162160000-0x000001516216A000-memory.dmp

Filesize
40KB

Download
memory/3928-566-0x0000015162120000-0x0000015162128000-memory.dmp

Filesize
32KB

Download
memory/3928-565-0x0000015162170000-0x000001516218A000-memory.dmp

Filesize
104KB

Download
memory/3928-564-0x0000015162110000-0x000001516211A000-memory.dmp

Filesize
40KB

Download
memory/3928-563-0x0000015162130000-0x000001516214C000-memory.dmp

Filesize
112KB

Download
memory/3928-562-0x0000015149810000-0x000001514981A000-memory.dmp

Filesize
40KB

Download
memory/3928-561-0x0000015161F10000-0x0000015161FC5000-memory.dmp

Filesize
724KB

Download
memory/3928-560-0x0000015149830000-0x000001514984C000-memory.dmp

Filesize
112KB

Download
memory/4364-414-0x00007FFF25143000-0x00007FFF25145000-memory.dmp

Filesize
8KB

Download
memory/4364-415-0x0000000000990000-0x0000000000E92000-memory.dmp

Filesize
5.0MB

Download
memory/4364-416-0x00007FFF25140000-0x00007FFF25C01000-memory.dmp

Filesize
10.8MB

Download
memory/4364-481-0x00007FFF25140000-0x00007FFF25C01000-memory.dmp

Filesize
10.8MB

Download