elysiumstealer | c089f4a7b15f47edfe5c4748b2f34e8962bf115e6980355d67036be35c982eb1

Analysis

max time kernel
600s
max time network
550s
platform
windows10_x64
resource
win10v20201028
submitted
06-03-2021 07:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

BTRSetp.exe
Size

258KB
MD5

1165ce455c6ff9ad6c27e49a8094b069
SHA1

3ba061200d28f39ce95a2d493d26c8eb54160e85
SHA256

c089f4a7b15f47edfe5c4748b2f34e8962bf115e6980355d67036be35c982eb1
SHA512

dfa4109f3c0a6368c309ccfa0449823ad6388d122f9161e78044b48890126e26a1cfc36666f20b9800ac3ac6ced02c1132b40bb9131f5d6a5685ad5ec5a529a4

Score

10^/10

elysiumstealer xmrig discovery evasion miner persistence spyware stealer themida trojan

Malware Config

Signatures

ElysiumStealer
ElysiumStealer (previously known as ZeromaxStealer) is an info stealer that can steal login credentials for various accounts.
stealer elysiumstealer

ElysiumStealer Payload 3 IoCs

Processes:

resource	yara_rule
C:\ProgramData\3318066.36	elysiumstealer
C:\ProgramData\3318066.36	elysiumstealer
behavioral3/memory/928-35-0x0000000001420000-0x0000000001426000-memory.dmp	elysiumstealer

ElysiumStealer Support DLL 1 IoCs

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\Runtime.MSIL.1.0.0.0\NativePRo.dll	elysiumstealer_dll

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

XMRig Miner Payload 2 IoCs

miner

Processes:

resource	yara_rule
behavioral3/memory/2732-74-0x0000000140000000-0x0000000140B75000-memory.dmp	xmrig
behavioral3/memory/3556-81-0x0000000140000000-0x0000000140B75000-memory.dmp	xmrig

Executes dropped EXE 7 IoCs

Processes:

7859414.866731678.747359629.803318066.36Windows Host.exeDriver.exeDriver.exe

pid process

1204 7859414.86
808 6731678.74
3840 7359629.80
928 3318066.36
852 Windows Host.exe
2732 Driver.exe
3556 Driver.exe

pid	process
1204	7859414.86
808	6731678.74
3840	7359629.80
928	3318066.36
852	Windows Host.exe
2732	Driver.exe
3556	Driver.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

7359629.80

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	7359629.80
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	7359629.80

Drops startup file 1 IoCs

Processes:

7359629.80

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Driver.url 7359629.80
Loads dropped DLL 1 IoCs

Processes:

3318066.36

pid process

928 3318066.36
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Driver.url	7359629.80

pid	process
928	3318066.36

themida 3 IoCs

Detects Themida, Advanced Windows software protection system.

themida

Processes:

resource	yara_rule
C:\ProgramData\7359629.80	themida
C:\ProgramData\7359629.80	themida
behavioral3/memory/3840-27-0x0000000000E20000-0x0000000000E21000-memory.dmp	themida

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

7359629.806731678.74

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run\Driver = "C:\\Users\\Admin\\AppData\\Roaming\\Sysfiles\\7359629.80"	7359629.80
Set value (str)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Host = "C:\\ProgramData\\Windows Host\\Windows Host.exe"	6731678.74

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

7359629.80

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA 7359629.80
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

7359629.80

pid process

3840 7359629.80
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1956 2732 WerFault.exe Driver.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	7359629.80

pid	pid_target	process	target process
1956	2732	WerFault.exe	Driver.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

7359629.807859414.863318066.36

pid	process
3840	7359629.80
3840	7359629.80
3840	7359629.80
3840	7359629.80
3840	7359629.80
1204	7859414.86
928	3318066.36
1204	7859414.86
3840	7359629.80
3840	7359629.80
3840	7359629.80
3840	7359629.80
3840	7359629.80
3840	7359629.80
3840	7359629.80
3840	7359629.80
3840	7359629.80
3840	7359629.80
3840	7359629.80
3840	7359629.80
3840	7359629.80
3840	7359629.80
3840	7359629.80
3840	7359629.80
3840	7359629.80
3840	7359629.80
3840	7359629.80
3840	7359629.80
3840	7359629.80
3840	7359629.80
3840	7359629.80
3840	7359629.80
3840	7359629.80
3840	7359629.80
3840	7359629.80
3840	7359629.80
3840	7359629.80
3840	7359629.80
3840	7359629.80
3840	7359629.80
3840	7359629.80
3840	7359629.80
3840	7359629.80
3840	7359629.80
3840	7359629.80
3840	7359629.80
3840	7359629.80
3840	7359629.80
3840	7359629.80
3840	7359629.80
3840	7359629.80
3840	7359629.80
3840	7359629.80
3840	7359629.80
3840	7359629.80
3840	7359629.80
3840	7359629.80
3840	7359629.80
3840	7359629.80
3840	7359629.80
3840	7359629.80
3840	7359629.80
3840	7359629.80
3840	7359629.80

Suspicious use of AdjustPrivilegeToken 8 IoCs

Processes:

BTRSetp.exe7359629.807859414.863318066.36Driver.exeDriver.exe

description	pid	process
Token: SeDebugPrivilege	1456	BTRSetp.exe
Token: SeDebugPrivilege	3840	7359629.80
Token: SeDebugPrivilege	1204	7859414.86
Token: SeDebugPrivilege	928	3318066.36
Token: SeLockMemoryPrivilege	2732	Driver.exe
Token: SeLockMemoryPrivilege	2732	Driver.exe
Token: SeLockMemoryPrivilege	3556	Driver.exe
Token: SeLockMemoryPrivilege	3556	Driver.exe

Suspicious use of WriteProcessMemory 19 IoCs

Processes:

BTRSetp.exe6731678.747359629.80

description	pid	process	target process
PID 1456 wrote to memory of 1204	1456	BTRSetp.exe	7859414.86
PID 1456 wrote to memory of 1204	1456	BTRSetp.exe	7859414.86
PID 1456 wrote to memory of 1204	1456	BTRSetp.exe	7859414.86
PID 1456 wrote to memory of 808	1456	BTRSetp.exe	6731678.74
PID 1456 wrote to memory of 808	1456	BTRSetp.exe	6731678.74
PID 1456 wrote to memory of 808	1456	BTRSetp.exe	6731678.74
PID 1456 wrote to memory of 3840	1456	BTRSetp.exe	7359629.80
PID 1456 wrote to memory of 3840	1456	BTRSetp.exe	7359629.80
PID 1456 wrote to memory of 3840	1456	BTRSetp.exe	7359629.80
PID 1456 wrote to memory of 928	1456	BTRSetp.exe	3318066.36
PID 1456 wrote to memory of 928	1456	BTRSetp.exe	3318066.36
PID 1456 wrote to memory of 928	1456	BTRSetp.exe	3318066.36
PID 808 wrote to memory of 852	808	6731678.74	Windows Host.exe
PID 808 wrote to memory of 852	808	6731678.74	Windows Host.exe
PID 808 wrote to memory of 852	808	6731678.74	Windows Host.exe
PID 3840 wrote to memory of 2732	3840	7359629.80	Driver.exe
PID 3840 wrote to memory of 2732	3840	7359629.80	Driver.exe
PID 3840 wrote to memory of 3556	3840	7359629.80	Driver.exe
PID 3840 wrote to memory of 3556	3840	7359629.80	Driver.exe

C:\Users\Admin\AppData\Local\Temp\BTRSetp.exe
"C:\Users\Admin\AppData\Local\Temp\BTRSetp.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1456

C:\ProgramData\7859414.86
"C:\ProgramData\7859414.86"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1204

C:\ProgramData\6731678.74
"C:\ProgramData\6731678.74"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:808

C:\ProgramData\Windows Host\Windows Host.exe
"C:\ProgramData\Windows Host\Windows Host.exe"
3⤵
- Executes dropped EXE
PID:852

C:\ProgramData\7359629.80
"C:\ProgramData\7359629.80"
2⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Drops startup file
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3840

C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 8AfYmpCcgsWEG7YT6uL822JNdkh2dnvciZRHb3P2JcvDQEDvKTw2cyjRf99gEAMijX9DmFynXCxvPA5tJD1MNKjMSqq6YeH -p x -k -v=0 --donate-level=1 -t 1
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2732

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 2732 -s 944
4⤵
- Program crash
PID:1956

C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 8AfYmpCcgsWEG7YT6uL822JNdkh2dnvciZRHb3P2JcvDQEDvKTw2cyjRf99gEAMijX9DmFynXCxvPA5tJD1MNKjMSqq6YeH -p x -k -v=0 --donate-level=1 -t 1
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3556

C:\ProgramData\3318066.36
"C:\ProgramData\3318066.36"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:928

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\3318066.36
MD5
02d586b2b772f5bf3ff9068d03a7f9c1

SHA1
64f09d1f6ae801bfda1f782a14dcb08c1a2518f7

SHA256
a078e95bd8f961433ccb7465a866efffa4e1d23c6c1dceece246928133762bc9

SHA512
3c927b3b2b0b29b3f4ba06eaa18159e51ec4d1b45bbaae54f7a7bc37428b89127c8c6e14515be1221cbe938bc5adc5efd0fc77d855c8da52e5a6e4a0531cc993

Download Submit
C:\ProgramData\3318066.36
MD5
02d586b2b772f5bf3ff9068d03a7f9c1

SHA1
64f09d1f6ae801bfda1f782a14dcb08c1a2518f7

SHA256
a078e95bd8f961433ccb7465a866efffa4e1d23c6c1dceece246928133762bc9

SHA512
3c927b3b2b0b29b3f4ba06eaa18159e51ec4d1b45bbaae54f7a7bc37428b89127c8c6e14515be1221cbe938bc5adc5efd0fc77d855c8da52e5a6e4a0531cc993

Download Submit
C:\ProgramData\6731678.74
MD5
f7a040bef124bb5716718b77c788cbf4

SHA1
0ad2f39ab5786a0c918b70cd0ed5c97ffb828a18

SHA256
2b33279027a6c62d717f3c2875bbc7fcc323801265baadca4fa0fba619b677ea

SHA512
bb5af9692c5ca5bc76dd987ab15280cfec7ed05cfce5d8add4ae3b68f77e516b3cd8fb3ae02cdbeae62cb6a1db4c9b25e462f8f9c16e95daa50a6001d125a7f8

Download Submit
C:\ProgramData\6731678.74
MD5
f7a040bef124bb5716718b77c788cbf4

SHA1
0ad2f39ab5786a0c918b70cd0ed5c97ffb828a18

SHA256
2b33279027a6c62d717f3c2875bbc7fcc323801265baadca4fa0fba619b677ea

SHA512
bb5af9692c5ca5bc76dd987ab15280cfec7ed05cfce5d8add4ae3b68f77e516b3cd8fb3ae02cdbeae62cb6a1db4c9b25e462f8f9c16e95daa50a6001d125a7f8

Download Submit
C:\ProgramData\7359629.80
MD5
880fd252bc4e801e6170002efb6aef4d

SHA1
b10c102503f73acc57fc14326108e300fa94f8f5

SHA256
9157304786300c4f67a767995b5432d524e18243642c8dc5f96a44b4792ae911

SHA512
91071cd35e463d06f42c1cfb80be89a4fb8749f4936e699080ff0088281a3483c03f19beefd8f9ab403364475327e15b5ee65162a917f7a47b162a8105fc40a2

Download Submit
C:\ProgramData\7359629.80
MD5
880fd252bc4e801e6170002efb6aef4d

SHA1
b10c102503f73acc57fc14326108e300fa94f8f5

SHA256
9157304786300c4f67a767995b5432d524e18243642c8dc5f96a44b4792ae911

SHA512
91071cd35e463d06f42c1cfb80be89a4fb8749f4936e699080ff0088281a3483c03f19beefd8f9ab403364475327e15b5ee65162a917f7a47b162a8105fc40a2

Download Submit
C:\ProgramData\7859414.86
MD5
2586f08dfe627ea31b60e5d95abf6e73

SHA1
413320766fcc45a353c4d6c68647b48600580575

SHA256
3307ac37e52543cc7fa8e86732aade60a666eabcb47d5337378c7f11d5636480

SHA512
851bf6a564dd4d53af408324edb6db7fdf7491ef08a71057733ca7cfa5df7f9a1145adfddb49b6cc7aa8418ec56e4d8e9a8bd1c29a26f9f2e2147e66f56ce81a

Download Submit
C:\ProgramData\7859414.86
MD5
2586f08dfe627ea31b60e5d95abf6e73

SHA1
413320766fcc45a353c4d6c68647b48600580575

SHA256
3307ac37e52543cc7fa8e86732aade60a666eabcb47d5337378c7f11d5636480

SHA512
851bf6a564dd4d53af408324edb6db7fdf7491ef08a71057733ca7cfa5df7f9a1145adfddb49b6cc7aa8418ec56e4d8e9a8bd1c29a26f9f2e2147e66f56ce81a

Download Submit
C:\ProgramData\Windows Host\Windows Host.exe
MD5
f7a040bef124bb5716718b77c788cbf4

SHA1
0ad2f39ab5786a0c918b70cd0ed5c97ffb828a18

SHA256
2b33279027a6c62d717f3c2875bbc7fcc323801265baadca4fa0fba619b677ea

SHA512
bb5af9692c5ca5bc76dd987ab15280cfec7ed05cfce5d8add4ae3b68f77e516b3cd8fb3ae02cdbeae62cb6a1db4c9b25e462f8f9c16e95daa50a6001d125a7f8

Download Submit
C:\ProgramData\Windows Host\Windows Host.exe
MD5
f7a040bef124bb5716718b77c788cbf4

SHA1
0ad2f39ab5786a0c918b70cd0ed5c97ffb828a18

SHA256
2b33279027a6c62d717f3c2875bbc7fcc323801265baadca4fa0fba619b677ea

SHA512
bb5af9692c5ca5bc76dd987ab15280cfec7ed05cfce5d8add4ae3b68f77e516b3cd8fb3ae02cdbeae62cb6a1db4c9b25e462f8f9c16e95daa50a6001d125a7f8

Download Submit
C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
MD5
02569a7a91a71133d4a1023bf32aa6f4

SHA1
0f16bcb3f3f085d3d3be912195558e9f9680d574

SHA256
8d6abba9b216172cfc64b8802db0d20a1c634c96e1049f451eddba2363966bf0

SHA512
534be1fe93ee556a14cfd8fad5377f57fb056ab4cd2bca14e4f376f4a25d3d4d270917d68a90b3c40d8a8daaeba6f592fa095ecff478332ba23405d1df728322

Download Submit
C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
MD5
02569a7a91a71133d4a1023bf32aa6f4

SHA1
0f16bcb3f3f085d3d3be912195558e9f9680d574

SHA256
8d6abba9b216172cfc64b8802db0d20a1c634c96e1049f451eddba2363966bf0

SHA512
534be1fe93ee556a14cfd8fad5377f57fb056ab4cd2bca14e4f376f4a25d3d4d270917d68a90b3c40d8a8daaeba6f592fa095ecff478332ba23405d1df728322

Download Submit
C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
MD5
02569a7a91a71133d4a1023bf32aa6f4

SHA1
0f16bcb3f3f085d3d3be912195558e9f9680d574

SHA256
8d6abba9b216172cfc64b8802db0d20a1c634c96e1049f451eddba2363966bf0

SHA512
534be1fe93ee556a14cfd8fad5377f57fb056ab4cd2bca14e4f376f4a25d3d4d270917d68a90b3c40d8a8daaeba6f592fa095ecff478332ba23405d1df728322

Download Submit
\Users\Admin\AppData\Local\Temp\Runtime.MSIL.1.0.0.0\NativePRo.dll
MD5
94173de2e35aa8d621fc1c4f54b2a082

SHA1
fbb2266ee47f88462560f0370edb329554cd5869

SHA256
7e2c70b7732fb1a9a61d7ce3d7290bc7b31ea28cbfb1dbc79d377835615b941f

SHA512
cadbf4db0417283a02febbabd337bf17b254a6eb6e771f8a553a140dd2b04efd0672b1f3175c044a3edd0a911ce59d6695f765555262560925f3159bb8f3b798

Download Submit
memory/808-25-0x0000000073550000-0x0000000073C3E000-memory.dmp

Filesize
6.9MB

Download
memory/808-40-0x000000000A480000-0x000000000A481000-memory.dmp

Filesize
4KB

Download
memory/808-11-0x0000000000000000-mapping.dmp

Download
memory/808-47-0x0000000004BB0000-0x0000000004BB1000-memory.dmp

Filesize
4KB

Download
memory/808-39-0x0000000004B20000-0x0000000004B2D000-memory.dmp

Filesize
52KB

Download
memory/808-37-0x00000000024C0000-0x00000000024C1000-memory.dmp

Filesize
4KB

Download
memory/808-32-0x0000000000140000-0x0000000000141000-memory.dmp

Filesize
4KB

Download
memory/852-51-0x0000000073550000-0x0000000073C3E000-memory.dmp

Filesize
6.9MB

Download
memory/852-63-0x0000000005E20000-0x0000000005E21000-memory.dmp

Filesize
4KB

Download
memory/852-64-0x0000000005730000-0x0000000005731000-memory.dmp

Filesize
4KB

Download
memory/852-48-0x0000000000000000-mapping.dmp

Download
memory/928-18-0x0000000000000000-mapping.dmp

Download
memory/928-31-0x0000000000B60000-0x0000000000B61000-memory.dmp

Filesize
4KB

Download
memory/928-23-0x0000000073550000-0x0000000073C3E000-memory.dmp

Filesize
6.9MB

Download
memory/928-73-0x0000000006780000-0x0000000006781000-memory.dmp

Filesize
4KB

Download
memory/928-57-0x00000000060C0000-0x00000000060C1000-memory.dmp

Filesize
4KB

Download
memory/928-35-0x0000000001420000-0x0000000001426000-memory.dmp

Filesize
24KB

Download
memory/928-38-0x0000000001430000-0x0000000001431000-memory.dmp

Filesize
4KB

Download
memory/1204-42-0x0000000002F10000-0x0000000002F44000-memory.dmp

Filesize
208KB

Download
memory/1204-24-0x0000000073550000-0x0000000073C3E000-memory.dmp

Filesize
6.9MB

Download
memory/1204-28-0x0000000000CD0000-0x0000000000CD1000-memory.dmp

Filesize
4KB

Download
memory/1204-43-0x0000000009C90000-0x0000000009C91000-memory.dmp

Filesize
4KB

Download
memory/1204-44-0x0000000002F70000-0x0000000002F71000-memory.dmp

Filesize
4KB

Download
memory/1204-45-0x0000000003070000-0x0000000003071000-memory.dmp

Filesize
4KB

Download
memory/1204-9-0x0000000000000000-mapping.dmp

Download
memory/1204-36-0x0000000001420000-0x0000000001421000-memory.dmp

Filesize
4KB

Download
memory/1456-8-0x000000001B930000-0x000000001B932000-memory.dmp

Filesize
8KB

Download
memory/1456-2-0x00007FFB59970000-0x00007FFB5A35C000-memory.dmp

Filesize
9.9MB

Download
memory/1456-7-0x00000000012B0000-0x00000000012B1000-memory.dmp

Filesize
4KB

Download
memory/1456-5-0x0000000001260000-0x0000000001261000-memory.dmp

Filesize
4KB

Download
memory/1456-3-0x0000000000B30000-0x0000000000B31000-memory.dmp

Filesize
4KB

Download
memory/1456-6-0x0000000001270000-0x00000000012A3000-memory.dmp

Filesize
204KB

Download
memory/2732-71-0x00000000001C0000-0x00000000001D4000-memory.dmp

Filesize
80KB

Download
memory/2732-68-0x0000000000000000-mapping.dmp

Download
memory/2732-74-0x0000000140000000-0x0000000140B75000-memory.dmp

Filesize
11.5MB

Download
memory/2732-76-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2732-77-0x0000000000420000-0x0000000000440000-memory.dmp

Filesize
128KB

Download
memory/3556-78-0x0000000000000000-mapping.dmp

Download
memory/3556-81-0x0000000140000000-0x0000000140B75000-memory.dmp

Filesize
11.5MB

Download
memory/3556-83-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/3840-13-0x0000000000000000-mapping.dmp

Download
memory/3840-22-0x0000000077384000-0x0000000077385000-memory.dmp

Filesize
4KB

Download
memory/3840-72-0x00000000040E0000-0x00000000040E1000-memory.dmp

Filesize
4KB

Download
memory/3840-26-0x0000000073550000-0x0000000073C3E000-memory.dmp

Filesize
6.9MB

Download
memory/3840-27-0x0000000000E20000-0x0000000000E21000-memory.dmp

Filesize
4KB

Download