Analysis

  • max time kernel
    150s
  • max time network
    146s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250502-en
  • resource tags

    arch:x64 arch:x86 image:win10v2004-20250502-en locale:en-us os:windows10-2004-x64 system
  • submitted
    20/05/2025, 08:30

General

  • Target

    2025-05-20_a5d9278cbbe4fe8f36e20f42ffaaef33_amadey_black-basta_coinminer_darkgate_elex_luca-stealer.exe

  • Size

    4.4MB

  • MD5

    a5d9278cbbe4fe8f36e20f42ffaaef33

  • SHA1

    fd1e19aaed6d9e08d164f987592618133b5728ff

  • SHA256

    33c98b343bfb4807546e83f8cd1ce5adc868b8e5712d1598ea6b6e8bffbff777

  • SHA512

    a8e4683fe16138da711172205c1206265950cc407bbb7bdba8c9ff079e904b9e7669929e72626cb3e138c09abc6582738f135f27763ebd62fd6d75b7cee1c3ed

  • SSDEEP

    98304:ZWE4hFqotKGJnWLI2MXCT9b4vHwPOwAf8jTlwFTQ2C0u2gaR:ZGqotJ0MGb4fdwLnG21GgG

Malware Config

Signatures

  • Detects Mofksys worm 5 IoCs
  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
  • Modifies visibility of hidden/system files in Explorer 2 TTPs 2 IoCs
  • Mofksys

    Mofksys is a worm written in VisualBasic.

  • Mofksys family
  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 8 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 9 IoCs
  • Loads dropped DLL 21 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
  • Drops file in Windows directory 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 15 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 18 IoCs
  • Suspicious use of WriteProcessMemory 39 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2025-05-20_a5d9278cbbe4fe8f36e20f42ffaaef33_amadey_black-basta_coinminer_darkgate_elex_luca-stealer.exe
    "C:\Users\Admin\AppData\Local\Temp\2025-05-20_a5d9278cbbe4fe8f36e20f42ffaaef33_amadey_black-basta_coinminer_darkgate_elex_luca-stealer.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4940
    • \??\c:\users\admin\appdata\local\temp\2025-05-20_a5d9278cbbe4fe8f36e20f42ffaaef33_amadey_black-basta_coinminer_darkgate_elex_luca-stealer.exe 
      c:\users\admin\appdata\local\temp\2025-05-20_a5d9278cbbe4fe8f36e20f42ffaaef33_amadey_black-basta_coinminer_darkgate_elex_luca-stealer.exe 
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4056
      • C:\Users\Admin\AppData\Local\Temp\d0e73403b19b23a1eb\vs_bootstrapper_d15\vs_setup_bootstrapper.exe
        "C:\Users\Admin\AppData\Local\Temp\d0e73403b19b23a1eb\vs_bootstrapper_d15\vs_setup_bootstrapper.exe" --env "_SFX_CAB_EXE_PACKAGE:c:\users\admin\appdata\local\temp\2025-05-20_a5d9278cbbe4fe8f36e20f42ffaaef33_amadey_black-basta_coinminer_darkgate_elex_luca-stealer.exe  _SFX_CAB_EXE_ORIGINALWORKINGDIR:C:\Users\Admin\AppData\Local\Temp"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Checks processor information in registry
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:4736
        • C:\Windows\SysWOW64\getmac.exe
          "getmac"
          4⤵
          • System Location Discovery: System Language Discovery
          PID:3584
    • C:\Users\Admin\AppData\Local\icsys.icn.exe
      C:\Users\Admin\AppData\Local\icsys.icn.exe
      2⤵
      • Executes dropped EXE
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:4572
      • \??\c:\windows\system\explorer.exe
        c:\windows\system\explorer.exe
        3⤵
        • Modifies WinLogon for persistence
        • Modifies visibility of hidden/system files in Explorer
        • Boot or Logon Autostart Execution: Active Setup
        • Executes dropped EXE
        • Adds Run key to start application
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1884
        • \??\c:\windows\system\spoolsv.exe
          c:\windows\system\spoolsv.exe SE
          4⤵
          • Executes dropped EXE
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:4892
          • \??\c:\windows\system\svchost.exe
            c:\windows\system\svchost.exe
            5⤵
            • Modifies WinLogon for persistence
            • Modifies visibility of hidden/system files in Explorer
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Adds Run key to start application
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious behavior: GetForegroundWindowSpam
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:2496
            • \??\c:\windows\system\spoolsv.exe
              c:\windows\system\spoolsv.exe PR
              6⤵
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              • Suspicious use of SetWindowsHookEx
              PID:5280
            • C:\Windows\SysWOW64\at.exe
              at 08:32 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
              6⤵
              • System Location Discovery: System Language Discovery
              PID:312
            • C:\Windows\SysWOW64\at.exe
              at 08:33 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
              6⤵
              • System Location Discovery: System Language Discovery
              PID:1744
            • C:\Windows\SysWOW64\at.exe
              at 08:34 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
              6⤵
              • System Location Discovery: System Language Discovery
              PID:3916
  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c c:\windows\system\explorer.exe RO
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:316
    • \??\c:\windows\system\explorer.exe
      c:\windows\system\explorer.exe RO
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:6072
  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c c:\windows\system\svchost.exe RO
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4052
    • \??\c:\windows\system\svchost.exe
      c:\windows\system\svchost.exe RO
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:4076

Network

        MITRE ATT&CK Enterprise v16

        Downloads

        • C:\ProgramData\Microsoft\VisualStudio\Packages\_bootstrapper\vs_setup_bootstrapper_202505200830254533.json

          Filesize

          162B

        • C:\Users\Admin\AppData\Local\Microsoft\VSApplicationInsights\vstelf3e86b4023cc43f0be495508d51f588a\20250520083057_c4095fcaba8347b88afb1f0042d28e2f.trn

          Filesize

          6KB

        • C:\Users\Admin\AppData\Local\Temp\2025-05-20_a5d9278cbbe4fe8f36e20f42ffaaef33_amadey_black-basta_coinminer_darkgate_elex_luca-stealer.exe 

          Filesize

          4.2MB

        • C:\Users\Admin\AppData\Local\Temp\d0e73403b19b23a1eb\vs_bootstrapper_d15\Microsoft.C2RSignatureReader.Interop.dll

          Filesize

          19KB

        • C:\Users\Admin\AppData\Local\Temp\d0e73403b19b23a1eb\vs_bootstrapper_d15\Microsoft.C2RSignatureReader.Native.dll

          Filesize

          115KB

        • C:\Users\Admin\AppData\Local\Temp\d0e73403b19b23a1eb\vs_bootstrapper_d15\Microsoft.VisualStudio.RemoteControl.dll

          Filesize

          46KB

        • C:\Users\Admin\AppData\Local\Temp\d0e73403b19b23a1eb\vs_bootstrapper_d15\Microsoft.VisualStudio.Setup.Common.dll

          Filesize

          582KB

        • C:\Users\Admin\AppData\Local\Temp\d0e73403b19b23a1eb\vs_bootstrapper_d15\Microsoft.VisualStudio.Setup.Download.dll

          Filesize

          307KB

        • C:\Users\Admin\AppData\Local\Temp\d0e73403b19b23a1eb\vs_bootstrapper_d15\Microsoft.VisualStudio.Setup.dll

          Filesize

          1.4MB

        • C:\Users\Admin\AppData\Local\Temp\d0e73403b19b23a1eb\vs_bootstrapper_d15\Microsoft.VisualStudio.Telemetry.dll

          Filesize

          1012KB

        • C:\Users\Admin\AppData\Local\Temp\d0e73403b19b23a1eb\vs_bootstrapper_d15\Microsoft.VisualStudio.Utilities.Internal.dll

          Filesize

          61KB

        • C:\Users\Admin\AppData\Local\Temp\d0e73403b19b23a1eb\vs_bootstrapper_d15\Newtonsoft.Json.dll

          Filesize

          705KB

        • C:\Users\Admin\AppData\Local\Temp\d0e73403b19b23a1eb\vs_bootstrapper_d15\System.Memory.dll

          Filesize

          138KB

        • C:\Users\Admin\AppData\Local\Temp\d0e73403b19b23a1eb\vs_bootstrapper_d15\System.Runtime.CompilerServices.Unsafe.dll

          Filesize

          17KB

        • C:\Users\Admin\AppData\Local\Temp\d0e73403b19b23a1eb\vs_bootstrapper_d15\detection.json

          Filesize

          8KB

        • C:\Users\Admin\AppData\Local\Temp\d0e73403b19b23a1eb\vs_bootstrapper_d15\vs_setup_bootstrapper.config

          Filesize

          621B

        • C:\Users\Admin\AppData\Local\Temp\d0e73403b19b23a1eb\vs_bootstrapper_d15\vs_setup_bootstrapper.exe

          Filesize

          404KB

        • C:\Users\Admin\AppData\Local\Temp\d0e73403b19b23a1eb\vs_bootstrapper_d15\vs_setup_bootstrapper.exe.config

          Filesize

          3KB

        • C:\Users\Admin\AppData\Local\icsys.icn.exe

          Filesize

          206KB

        • C:\Users\Admin\AppData\Roaming\mrsys.exe

          Filesize

          207KB

        • C:\Windows\System\spoolsv.exe

          Filesize

          206KB

        • \??\c:\windows\system\explorer.exe

          Filesize

          206KB

        • \??\c:\windows\system\svchost.exe

          Filesize

          206KB
