44caliber | 37a2d60c1263d20fcbe71038314073e0c9b40cbc0eef31fd05eca9e53be93c75

Analysis

max time kernel
119s
max time network
123s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
11/01/2024, 22:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

54b1da1c16d8dd8c121c95eaa705aa93.exe
Size

212KB
MD5

54b1da1c16d8dd8c121c95eaa705aa93
SHA1

95ea8c091e1550778ced92f61e795e071e3f25fe
SHA256

37a2d60c1263d20fcbe71038314073e0c9b40cbc0eef31fd05eca9e53be93c75
SHA512

570f620a7dade80891189dfad95c514da5f93ca2e650ebba6f72a18201db52252fc03b9bc77370445f2f62b5e903d68f39ba655b2ad453f22cb8ef243b853a2b
SSDEEP

6144:K8x1Nj/T9iK4Lpu6HPirxW+26NU7NBsp7:X1X4Lo6wxW+26NU7NBsp7

Score

10^/10

44caliber spyware stealer

Malware Config

Signatures

44Caliber
An open source infostealer written in C#.
stealer 44caliber

Executes dropped EXE 4 IoCs

pid	Process
2688	NeverInjector.exe
2888	1.exe
2596	svchost64.exe
1216	services64.exe

Loads dropped DLL 3 IoCs

pid	Process
2132	54b1da1c16d8dd8c121c95eaa705aa93.exe
2780	cmd.exe
2596	svchost64.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
2	freegeoip.app
3	freegeoip.app

Drops file in System32 directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File created	C:\Windows\system32\services64.exe	svchost64.exe
File opened for modification	C:\Windows\system32\services64.exe	svchost64.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	1.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	1.exe

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2944	schtasks.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

pid	Process
2880	powershell.exe
2888	1.exe
2888	1.exe
2596	svchost64.exe
2888	1.exe
1416	powershell.exe
760	powershell.exe
1124	powershell.exe
2452	powershell.exe
2324	powershell.exe
2888	1.exe
1200	powershell.exe
1388	powershell.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

description	pid	Process
Token: SeDebugPrivilege	2880	powershell.exe
Token: SeDebugPrivilege	2888	1.exe
Token: SeDebugPrivilege	2596	svchost64.exe
Token: SeDebugPrivilege	1416	powershell.exe
Token: SeDebugPrivilege	760	powershell.exe
Token: SeDebugPrivilege	1124	powershell.exe
Token: SeDebugPrivilege	2452	powershell.exe
Token: SeDebugPrivilege	2324	powershell.exe
Token: SeDebugPrivilege	1200	powershell.exe
Token: SeDebugPrivilege	1388	powershell.exe

Suspicious use of WriteProcessMemory 57 IoCs

description	pid	Process	procid_target
PID 2132 wrote to memory of 2688	2132	54b1da1c16d8dd8c121c95eaa705aa93.exe	28
PID 2132 wrote to memory of 2688	2132	54b1da1c16d8dd8c121c95eaa705aa93.exe	28
PID 2132 wrote to memory of 2688	2132	54b1da1c16d8dd8c121c95eaa705aa93.exe	28
PID 2132 wrote to memory of 2888	2132	54b1da1c16d8dd8c121c95eaa705aa93.exe	29
PID 2132 wrote to memory of 2888	2132	54b1da1c16d8dd8c121c95eaa705aa93.exe	29
PID 2132 wrote to memory of 2888	2132	54b1da1c16d8dd8c121c95eaa705aa93.exe	29
PID 2688 wrote to memory of 3016	2688	NeverInjector.exe	30
PID 2688 wrote to memory of 3016	2688	NeverInjector.exe	30
PID 2688 wrote to memory of 3016	2688	NeverInjector.exe	30
PID 3016 wrote to memory of 2880	3016	cmd.exe	31
PID 3016 wrote to memory of 2880	3016	cmd.exe	31
PID 3016 wrote to memory of 2880	3016	cmd.exe	31
PID 2688 wrote to memory of 2780	2688	NeverInjector.exe	34
PID 2688 wrote to memory of 2780	2688	NeverInjector.exe	34
PID 2688 wrote to memory of 2780	2688	NeverInjector.exe	34
PID 2780 wrote to memory of 2596	2780	cmd.exe	35
PID 2780 wrote to memory of 2596	2780	cmd.exe	35
PID 2780 wrote to memory of 2596	2780	cmd.exe	35
PID 2596 wrote to memory of 2456	2596	svchost64.exe	36
PID 2596 wrote to memory of 2456	2596	svchost64.exe	36
PID 2596 wrote to memory of 2456	2596	svchost64.exe	36
PID 2456 wrote to memory of 2944	2456	cmd.exe	38
PID 2456 wrote to memory of 2944	2456	cmd.exe	38
PID 2456 wrote to memory of 2944	2456	cmd.exe	38
PID 3016 wrote to memory of 1416	3016	cmd.exe	39
PID 3016 wrote to memory of 1416	3016	cmd.exe	39
PID 3016 wrote to memory of 1416	3016	cmd.exe	39
PID 3016 wrote to memory of 760	3016	cmd.exe	40
PID 3016 wrote to memory of 760	3016	cmd.exe	40
PID 3016 wrote to memory of 760	3016	cmd.exe	40
PID 3016 wrote to memory of 1124	3016	cmd.exe	41
PID 3016 wrote to memory of 1124	3016	cmd.exe	41
PID 3016 wrote to memory of 1124	3016	cmd.exe	41
PID 2596 wrote to memory of 1216	2596	svchost64.exe	42
PID 2596 wrote to memory of 1216	2596	svchost64.exe	42
PID 2596 wrote to memory of 1216	2596	svchost64.exe	42
PID 1216 wrote to memory of 2408	1216	services64.exe	43
PID 1216 wrote to memory of 2408	1216	services64.exe	43
PID 1216 wrote to memory of 2408	1216	services64.exe	43
PID 2596 wrote to memory of 2960	2596	svchost64.exe	46
PID 2596 wrote to memory of 2960	2596	svchost64.exe	46
PID 2596 wrote to memory of 2960	2596	svchost64.exe	46
PID 2408 wrote to memory of 2452	2408	cmd.exe	47
PID 2408 wrote to memory of 2452	2408	cmd.exe	47
PID 2408 wrote to memory of 2452	2408	cmd.exe	47
PID 2960 wrote to memory of 2836	2960	cmd.exe	48
PID 2960 wrote to memory of 2836	2960	cmd.exe	48
PID 2960 wrote to memory of 2836	2960	cmd.exe	48
PID 2408 wrote to memory of 2324	2408	cmd.exe	49
PID 2408 wrote to memory of 2324	2408	cmd.exe	49
PID 2408 wrote to memory of 2324	2408	cmd.exe	49
PID 2408 wrote to memory of 1200	2408	cmd.exe	51
PID 2408 wrote to memory of 1200	2408	cmd.exe	51
PID 2408 wrote to memory of 1200	2408	cmd.exe	51
PID 2408 wrote to memory of 1388	2408	cmd.exe	52
PID 2408 wrote to memory of 1388	2408	cmd.exe	52
PID 2408 wrote to memory of 1388	2408	cmd.exe	52

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\54b1da1c16d8dd8c121c95eaa705aa93.exe
"C:\Users\Admin\AppData\Local\Temp\54b1da1c16d8dd8c121c95eaa705aa93.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2132
- C:\Users\Admin\AppData\Local\Temp\NeverInjector.exe
  "C:\Users\Admin\AppData\Local\Temp\NeverInjector.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2688
- - C:\Windows\system32\cmd.exe
    "cmd" /c powershell -Command Add-MpPreference -ExclusionPath '%UserProfile%' & powershell -Command Add-MpPreference -ExclusionPath '%AppData%' & powershell -Command Add-MpPreference -ExclusionPath '%Temp%' & powershell -Command Add-MpPreference -ExclusionPath '%SystemRoot%' & exit
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3016
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin'
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2880
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1416
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:760
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\Windows'
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1124
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\svchost64.exe "C:\Users\Admin\AppData\Local\Temp\NeverInjector.exe"
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2780
  - - C:\Users\Admin\AppData\Local\Temp\svchost64.exe
      C:\Users\Admin\AppData\Local\Temp\svchost64.exe "C:\Users\Admin\AppData\Local\Temp\NeverInjector.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2596
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Windows\system32\services64.exe"' & exit
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2456
      - C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Windows\system32\services64.exe"'
        6⤵
        Creates scheduled task(s)
        
        PID:2944
    - - C:\Windows\system32\services64.exe
        
        "C:\Windows\system32\services64.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1216
      - C:\Windows\system32\cmd.exe
        
        "cmd" /c powershell -Command Add-MpPreference -ExclusionPath '%UserProfile%' & powershell -Command Add-MpPreference -ExclusionPath '%AppData%' & powershell -Command Add-MpPreference -ExclusionPath '%Temp%' & powershell -Command Add-MpPreference -ExclusionPath '%SystemRoot%' & exit
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2408
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin'
        7⤵
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2452
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
        7⤵
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2324
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'
        7⤵
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1200
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath 'C:\Windows'
        7⤵
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1388
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\svchost64.exe"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2960
      - C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        6⤵
        
        PID:2836
- C:\Users\Admin\AppData\Local\Temp\1.exe
  "C:\Users\Admin\AppData\Local\Temp\1.exe"
  2⤵
  - Executes dropped EXE
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2888

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\44\Process.txt

Filesize
450B

MD5
2194d49a898360543bd9c1aa99a540de

SHA1
0014313df2abb6ae0ceb6941529bac75f89ee837

SHA256
659082d3ea5969c5fa4205e8936ce8fe092b9234e0370be86ab541a56b8defa2

SHA512
3dd49d0b8d399819a5466da11e811fd8537ce4a0b97f1e84990a2c9bf409ee8b9238cf082bd8e2ffe006459fb3f7a614a4db526d0ed7b8750160dc1275ac2fc1

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.exe

Filesize
274KB

MD5
c23dd6dcde8637fd537eb142665a4edf

SHA1
ac1d3a691cdd37a8935734270e62186ae0c8f563

SHA256
3cd8c058466febed909675da97645ff2c364562a2bab260402185896aea8be59

SHA512
b16a7badf694741ddfe519d96418c36a12a315523c8045c60ff1af68886f377d3818c0346fb2ab9292182831869207b7219aad3dc27e37ee95372e59fa886bb7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\03GSILH71J2L2WPWFKLS.temp

Filesize
7KB

MD5
9a4a61f1e05d3507b470b494f966fb19

SHA1
84c76e57fa80d3deb2d49cb84eb2bd4a4aa8e26c

SHA256
2c9562da95936c311ca8abccc3627ea2c976626ecd454645f7318b7d35372f86

SHA512
9b6b2a652eb07b163531760f0a01e724d1da7436278702b9beb81cbcb86556e5517ba0fc5c3f0c608a8bbcefe460625754fd9821ed5f60d15bc26de1cd6b1a82

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
1KB

MD5
f0d4039193f757be4e95ec5493570f3e

SHA1
4c8cbf97e20456830c33dea8db196c9dbbc625e0

SHA256
dce7c17e9ed7ea719b539f85d3921bc34a6827a8de6b3ac6c9330ceb282fa784

SHA512
4631d20aaf653884ac855478ccc5542d282741594333dba5ecd167fc9f58506b17dd36c906391a17fcf98d3c8fd1cdb968539dc74d408ae24fe117ac3021608d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
86584fa2b1ecd6e44d7b0f494a585ae7

SHA1
a841727527ce82f2a5e144381560fb698b8520a0

SHA256
793e3268e99bdc91df0e277d1d7a47ffc643a85ae199ba2824c57fed1890fc8a

SHA512
88d97775c02f9fc9758f0b6e396839b82a18169e1f5bfd57082997b036c2344ea147a8c5b12677a08ca8b1b0a07cdca4040206df9fd09a302488ee8eaf4a4c15

Download Submit
\Users\Admin\AppData\Local\Temp\NeverInjector.exe

Filesize
42KB

MD5
84cc0c40b8c1a3a5366d30e0c038bddc

SHA1
36a5f937988d9d2e8109885f1cc172abeca7c974

SHA256
5076d9fd2781dcfcb98b71ffa8b9bebab8c11499caf1af17a28e2b661853848c

SHA512
a23863de886c23df57dfd038dd7b9cc6a2c7ffcb48e555db8a71155de59f1dbb2fb412fdf1b5610e37e9011450d4adcf829947317901fd93ffa246f2aaac59a2

Download Submit
\Users\Admin\AppData\Local\Temp\svchost64.exe

Filesize
36KB

MD5
1aa155e87018118aa94dcdad5e8bb3ee

SHA1
f3d9f7935170538f4219731aa27664dfd5fb6cc0

SHA256
7ac2a4b82c31b61fb520f69c33674247e75acbf2c93b7357edb7a62e443e475e

SHA512
8df2f7accb24dee4b3acc73fad33fd2adfc3988766c995efb52f677b9b81baeea243aa5c8a1c8596cc68269795017c7903faa3c372a3d8e2da791b0c6d2e11be

Download Submit
\Windows\System32\services64.exe

Filesize
28KB

MD5
f477a1095aaea760a7a3b7ef86630e47

SHA1
5e170b58a4f21256c49880b73e1675b13b462901

SHA256
ec984f17a9701a32f6237f51ea837f785e5a8df7a63960a3b577a54adee2e628

SHA512
34bfe8e145fd6de148d6d74fc87b41b344115aad9b681d5612b4ad962d670205fd330236d2d314d18cd9210fc8a6996d20b011e914a5f4470603bf62792ea5ee

Download Submit
memory/760-87-0x000007FEF24A0000-0x000007FEF2E3D000-memory.dmp

Filesize
9.6MB

Download
memory/760-82-0x0000000002990000-0x0000000002A10000-memory.dmp

Filesize
512KB

Download
memory/760-85-0x0000000002994000-0x0000000002997000-memory.dmp

Filesize
12KB

Download
memory/760-84-0x0000000002990000-0x0000000002A10000-memory.dmp

Filesize
512KB

Download
memory/760-81-0x000007FEF24A0000-0x000007FEF2E3D000-memory.dmp

Filesize
9.6MB

Download
memory/760-86-0x0000000002990000-0x0000000002A10000-memory.dmp

Filesize
512KB

Download
memory/760-83-0x000007FEF24A0000-0x000007FEF2E3D000-memory.dmp

Filesize
9.6MB

Download
memory/1124-105-0x000007FEEF5C0000-0x000007FEEFF5D000-memory.dmp

Filesize
9.6MB

Download
memory/1124-94-0x000007FEEF5C0000-0x000007FEEFF5D000-memory.dmp

Filesize
9.6MB

Download
memory/1124-109-0x000007FEEF5C0000-0x000007FEEFF5D000-memory.dmp

Filesize
9.6MB

Download
memory/1124-95-0x0000000002820000-0x00000000028A0000-memory.dmp

Filesize
512KB

Download
memory/1124-103-0x0000000002820000-0x00000000028A0000-memory.dmp

Filesize
512KB

Download
memory/1124-97-0x0000000002820000-0x00000000028A0000-memory.dmp

Filesize
512KB

Download
memory/1124-107-0x0000000002820000-0x00000000028A0000-memory.dmp

Filesize
512KB

Download
memory/1200-173-0x000000001B1B0000-0x000000001B492000-memory.dmp

Filesize
2.9MB

Download
memory/1216-102-0x000000013F7D0000-0x000000013F7E0000-memory.dmp

Filesize
64KB

Download
memory/1216-104-0x000007FEF5AD0000-0x000007FEF64BC000-memory.dmp

Filesize
9.9MB

Download
memory/1416-73-0x0000000002A90000-0x0000000002B10000-memory.dmp

Filesize
512KB

Download
memory/1416-75-0x000007FEEF5C0000-0x000007FEEFF5D000-memory.dmp

Filesize
9.6MB

Download
memory/1416-69-0x0000000002A90000-0x0000000002B10000-memory.dmp

Filesize
512KB

Download
memory/1416-68-0x000007FEEF5C0000-0x000007FEEFF5D000-memory.dmp

Filesize
9.6MB

Download
memory/1416-66-0x000000001B3E0000-0x000000001B6C2000-memory.dmp

Filesize
2.9MB

Download
memory/1416-65-0x0000000002A90000-0x0000000002B10000-memory.dmp

Filesize
512KB

Download
memory/1416-72-0x000007FEEF5C0000-0x000007FEEFF5D000-memory.dmp

Filesize
9.6MB

Download
memory/1416-67-0x00000000027A0000-0x00000000027A8000-memory.dmp

Filesize
32KB

Download
memory/1416-74-0x0000000002A90000-0x0000000002B10000-memory.dmp

Filesize
512KB

Download
memory/2132-21-0x000007FEF5AD0000-0x000007FEF64BC000-memory.dmp

Filesize
9.9MB

Download
memory/2132-0-0x0000000001140000-0x000000000117E000-memory.dmp

Filesize
248KB

Download
memory/2132-3-0x0000000000DD0000-0x0000000000E50000-memory.dmp

Filesize
512KB

Download
memory/2132-2-0x0000000000440000-0x0000000000446000-memory.dmp

Filesize
24KB

Download
memory/2132-1-0x000007FEF5AD0000-0x000007FEF64BC000-memory.dmp

Filesize
9.9MB

Download
memory/2324-163-0x0000000002340000-0x00000000023C0000-memory.dmp

Filesize
512KB

Download
memory/2324-164-0x0000000002340000-0x00000000023C0000-memory.dmp

Filesize
512KB

Download
memory/2324-165-0x000007FEEF5C0000-0x000007FEEFF5D000-memory.dmp

Filesize
9.6MB

Download
memory/2324-162-0x0000000002340000-0x00000000023C0000-memory.dmp

Filesize
512KB

Download
memory/2324-166-0x0000000002340000-0x00000000023C0000-memory.dmp

Filesize
512KB

Download
memory/2324-167-0x000007FEEF5C0000-0x000007FEEFF5D000-memory.dmp

Filesize
9.6MB

Download
memory/2324-160-0x000007FEEF5C0000-0x000007FEEFF5D000-memory.dmp

Filesize
9.6MB

Download
memory/2452-114-0x000007FEF24A0000-0x000007FEF2E3D000-memory.dmp

Filesize
9.6MB

Download
memory/2452-116-0x0000000002A90000-0x0000000002B10000-memory.dmp

Filesize
512KB

Download
memory/2452-117-0x000007FEF24A0000-0x000007FEF2E3D000-memory.dmp

Filesize
9.6MB

Download
memory/2452-120-0x000007FEF24A0000-0x000007FEF2E3D000-memory.dmp

Filesize
9.6MB

Download
memory/2452-119-0x0000000002A9B000-0x0000000002B02000-memory.dmp

Filesize
412KB

Download
memory/2452-118-0x0000000002A90000-0x0000000002B10000-memory.dmp

Filesize
512KB

Download
memory/2596-106-0x000007FEF5AD0000-0x000007FEF64BC000-memory.dmp

Filesize
9.9MB

Download
memory/2596-34-0x000000013F4D0000-0x000000013F4DE000-memory.dmp

Filesize
56KB

Download
memory/2596-64-0x000007FEF5AD0000-0x000007FEF64BC000-memory.dmp

Filesize
9.9MB

Download
memory/2596-71-0x000000001BD20000-0x000000001BDA0000-memory.dmp

Filesize
512KB

Download
memory/2688-22-0x000000001BD60000-0x000000001BDE0000-memory.dmp

Filesize
512KB

Download
memory/2688-19-0x000007FEF5AD0000-0x000007FEF64BC000-memory.dmp

Filesize
9.9MB

Download
memory/2688-11-0x000000013FFB0000-0x000000013FFC0000-memory.dmp

Filesize
64KB

Download
memory/2688-28-0x000007FEF5AD0000-0x000007FEF64BC000-memory.dmp

Filesize
9.9MB

Download
memory/2880-55-0x000007FEF24A0000-0x000007FEF2E3D000-memory.dmp

Filesize
9.6MB

Download
memory/2880-49-0x00000000024C4000-0x00000000024C7000-memory.dmp

Filesize
12KB

Download
memory/2880-32-0x000000001B2C0000-0x000000001B5A2000-memory.dmp

Filesize
2.9MB

Download
memory/2880-159-0x000007FEF24A0000-0x000007FEF2E3D000-memory.dmp

Filesize
9.6MB

Download
memory/2880-35-0x00000000023A0000-0x00000000023A8000-memory.dmp

Filesize
32KB

Download
memory/2880-57-0x00000000024CB000-0x0000000002532000-memory.dmp

Filesize
412KB

Download
memory/2880-56-0x000007FEF24A0000-0x000007FEF2E3D000-memory.dmp

Filesize
9.6MB

Download
memory/2888-115-0x000007FEF5AD0000-0x000007FEF64BC000-memory.dmp

Filesize
9.9MB

Download
memory/2888-20-0x000007FEF5AD0000-0x000007FEF64BC000-memory.dmp

Filesize
9.9MB

Download
memory/2888-161-0x0000000000B40000-0x0000000000BC0000-memory.dmp

Filesize
512KB

Download
memory/2888-18-0x0000000000E50000-0x0000000000E9A000-memory.dmp

Filesize
296KB

Download
memory/2888-70-0x0000000000B40000-0x0000000000BC0000-memory.dmp

Filesize
512KB

Download