Analysis

  • max time kernel
    36s
  • max time network
    40s
  • platform
    windows10-1703_x64
  • resource
    win10-20240404-en
  • resource tags

    arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
  • submitted
    21-05-2024 05:21

General

  • Target

    lets.exe

  • Size

    42.0MB

  • MD5

    8a3c7e3beb7fcb705d4ecf227918bec4

  • SHA1

    10355d8fe4b431e3fcddd55df4521950907833ab

  • SHA256

    e3a7b4653b6d2f1270192a01da0b71f7682c6689636a8aab28b82e7365de142f

  • SHA512

    7b4926ed15801529a39ade6cd56db19784b734daae60c13deb3e77508a85ed8a0434737734caf210571e9290ef7af0e90740492d1b7b966bc4682c406f0da6ca

  • SSDEEP

    786432:FDQhzq1UfvJNik9GKMCJo8vTWz1HcRVXbjP+1AjozPvDeiq9esxqmStk37WAU796:9yFBQa9MYowTm1AVnPC8MH6iq9dqmElS

Malware Config

Signatures

  • Drops file in Drivers directory 3 IoCs
  • Modifies Windows Firewall 2 TTPs 4 IoCs
  • Executes dropped EXE 7 IoCs
  • Loads dropped DLL 12 IoCs
  • UPX packed file 5 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • VMProtect packed file 6 IoCs

    Detects executables packed with VMProtect commercial packer.

  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Drops file in System32 directory 17 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 7 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Using powershell.exe command.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks SCSI registry key(s) 3 TTPs 64 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Modifies data under HKEY_USERS 44 IoCs
  • Suspicious behavior: EnumeratesProcesses 18 IoCs
  • Suspicious use of AdjustPrivilegeToken 14 IoCs
  • Suspicious use of SetWindowsHookEx 13 IoCs
  • Suspicious use of WriteProcessMemory 49 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\lets.exe
    "C:\Users\Admin\AppData\Local\Temp\lets.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4424
    • C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
      "C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe" __IRAOFF:5563250 "__IRAFN:C:\Users\Admin\AppData\Local\Temp\lets.exe" "__IRCT:1" "__IRTSS:0" "__IRSID:S-1-5-21-160447019-1232603106-4168707212-1000"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in Program Files directory
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:4608
      • C:\Program Files (x86)\NetSarangX\upload.exe
        "C:\Program Files (x86)\NetSarangX\upload.exe" /NOFOCUS /checkin
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of SetWindowsHookEx
        PID:4468
      • C:\Program Files\let'svp-n\lets\tmp.exe
        "C:\Program Files\let'svp-n\lets\tmp.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Drops file in Program Files directory
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:4944
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          powershell.exe -inputformat none -ExecutionPolicy Bypass -Command "If ($env:PROCESSOR_ARCHITEW6432) { $env:PROCESSOR_ARCHITEW6432 } Else { $env:PROCESSOR_ARCHITECTURE }"
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:4188
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          powershell -inputformat none -ExecutionPolicy Bypass -File "C:\Program Files (x86)\letsvpn\AddWindowsSecurityExclusion.ps1"
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2136
        • C:\Program Files (x86)\letsvpn\driver\tapinstall.exe
          "C:\Program Files (x86)\letsvpn\driver\tapinstall.exe" findall tap0901
          4⤵
          • Executes dropped EXE
          • Checks SCSI registry key(s)
          • Suspicious use of SetWindowsHookEx
          PID:2312
        • C:\Program Files (x86)\letsvpn\driver\tapinstall.exe
          "C:\Program Files (x86)\letsvpn\driver\tapinstall.exe" install "C:\Program Files (x86)\letsvpn\driver\OemVista.inf" tap0901
          4⤵
          • Executes dropped EXE
          • Drops file in System32 directory
          • Drops file in Windows directory
          • Checks SCSI registry key(s)
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          PID:504
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c netsh advfirewall firewall Delete rule name=lets
          4⤵
            PID:4224
            • C:\Windows\SysWOW64\netsh.exe
              netsh advfirewall firewall Delete rule name=lets
              5⤵
              • Modifies Windows Firewall
              PID:2968
          • C:\Windows\SysWOW64\cmd.exe
            cmd /c netsh advfirewall firewall Delete rule name=lets.exe
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:4472
            • C:\Windows\SysWOW64\netsh.exe
              netsh advfirewall firewall Delete rule name=lets.exe
              5⤵
              • Modifies Windows Firewall
              PID:920
          • C:\Windows\SysWOW64\cmd.exe
            cmd /c netsh advfirewall firewall Delete rule name=LetsPRO.exe
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:1460
            • C:\Windows\SysWOW64\netsh.exe
              netsh advfirewall firewall Delete rule name=LetsPRO.exe
              5⤵
              • Modifies Windows Firewall
              PID:1732
          • C:\Windows\SysWOW64\cmd.exe
            cmd /c netsh advfirewall firewall Delete rule name=LetsPRO
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:4144
            • C:\Windows\SysWOW64\netsh.exe
              netsh advfirewall firewall Delete rule name=LetsPRO
              5⤵
              • Modifies Windows Firewall
              PID:376
          • C:\Program Files (x86)\letsvpn\driver\tapinstall.exe
            "C:\Program Files (x86)\letsvpn\driver\tapinstall.exe" findall tap0901
            4⤵
            • Executes dropped EXE
            • Checks SCSI registry key(s)
            • Suspicious use of SetWindowsHookEx
            PID:4044
    • C:\Program Files (x86)\NetSarangX\upload.exe
      "C:\Program Files (x86)\NetSarangX\upload.exe"
      1⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2512
      • \??\c:\windows\sysWoW64\msiexec.exe
        "c:\windows\sysWoW64\msiexec.exe"
        2⤵
        • Suspicious behavior: EnumeratesProcesses
        PID:4132
    • \??\c:\windows\system32\svchost.exe
      c:\windows\system32\svchost.exe -k dcomlaunch -s DeviceInstall
      1⤵
      • Drops file in Windows directory
      • Checks SCSI registry key(s)
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3156
      • C:\Windows\system32\DrvInst.exe
        DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{41560030-acf4-4142-8d06-504723712836}\oemvista.inf" "9" "4d14a44ff" "0000000000000174" "WinSta0\Default" "0000000000000178" "208" "c:\program files (x86)\letsvpn\driver"
        2⤵
        • Drops file in System32 directory
        • Drops file in Windows directory
        • Checks SCSI registry key(s)
        • Modifies data under HKEY_USERS
        PID:2408
      • C:\Windows\system32\DrvInst.exe
        DrvInst.exe "2" "211" "ROOT\NET\0000" "C:\Windows\INF\oem3.inf" "oemvista.inf:3beb73aff103cc24:tap0901.ndi:9.24.6.601:tap0901," "4d14a44ff" "0000000000000174"
        2⤵
        • Drops file in Drivers directory
        • Drops file in System32 directory
        • Drops file in Windows directory
        • Checks SCSI registry key(s)
        • Suspicious use of AdjustPrivilegeToken
        PID:4248
    • C:\Windows\system32\svchost.exe
      C:\Windows\system32\svchost.exe -k netsvcs -s DsmSvc
      1⤵
      • Checks SCSI registry key(s)
      • Modifies data under HKEY_USERS
      PID:3224
    • \??\c:\windows\system32\svchost.exe
      c:\windows\system32\svchost.exe -k netsvcs -s NetSetupSvc
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:4732

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Program Files (x86)\NetSarangX\upload.dat

      Filesize

      74KB

      MD5

      ed5ce3c2d78ace16956117ab67d77c2c

      SHA1

      d9ba439f9e723c04bd12a33c6455d0eff70fc2ba

      SHA256

      fffc1d2f822b8ddaba16e86ddd445b70fc5cb4d5a910d24b62f5d9c1ffaa2b22

      SHA512

      b6f36640320ed463aa5fc1a2e7db727128f6fa235b3d6f0b4afce1ca475ebaa287ad547384560c441b9ee4d95299b37125c27e46b3a7f3e95739859a66be6dc2

    • C:\Program Files (x86)\NetSarangX\upload.exe

      Filesize

      474KB

      MD5

      9050ac019b4c8dddbc5e250bb87cf9f2

      SHA1

      241f50bf6100bd84a14bd927a28bba5bc7df30f3

      SHA256

      83d225323c8783c84d70aee1da5b507dde1e717ab3233f784fbb1b749dba11b9

      SHA512

      2d3a167bb8d5c06b371f1f0c82ffb25e2aabb2c518b062816ae324d4ed1916f7c2271a7bb220bd49079cc4e33162e27757f3d35b062576ee160de4c209aedbc3

    • C:\Program Files (x86)\letsvpn\AddWindowsSecurityExclusion.ps1

      Filesize

      318B

      MD5

      b34636a4e04de02d079ba7325e7565f0

      SHA1

      f32c1211eac22409bb195415cb5a8063431f75cd

      SHA256

      a9901397d39c0fc74adfdb95dd5f95c3a14def3f9d58ef44ab45fc74a56d46df

      SHA512

      6eb3255e3c89e2894f0085095fb5f6ab97349f0ed63c267820c82916f43a0ac014a94f98c186ff5d54806469a00c3c700a34d26de90afb090b80ac824a05aa2f

    • C:\Program Files (x86)\letsvpn\LetsPRO.exe

      Filesize

      241KB

      MD5

      a1a68d4eb068d5b2ce6aa93679c81f2b

      SHA1

      1e15a5057e5754661a6a10bb55a6dd09ee939418

      SHA256

      a2e047058f5a9225339513ff26ecdfdb5af04d325211d58b47f0d31624ab2438

      SHA512

      f3375e33ce7bcb703e2d43e07d24720de6331c5f61bea9b56de8c3c0e2f02d72cc16a34a93a0553f502ce5af3976ee79082ea642414500b7dedfc664a886289f

    • C:\Program Files (x86)\letsvpn\driver\OemVista.inf

      Filesize

      7KB

      MD5

      26009f092ba352c1a64322268b47e0e3

      SHA1

      e1b2220cd8dcaef6f7411a527705bd90a5922099

      SHA256

      150ef8eb07532146f833dc020c02238161043260b8a565c3cfcb2365bad980d9

      SHA512

      c18111982ca233a7fc5d1e893f9bd8a3ed739756a47651e0638debb0704066af6b25942c7961cdeedf953a206eb159fe50e0e10055c40b68eb0d22f6064bb363

    • C:\Program Files (x86)\letsvpn\driver\tapinstall.exe

      Filesize

      99KB

      MD5

      1e3cf83b17891aee98c3e30012f0b034

      SHA1

      824f299e8efd95beca7dd531a1067bfd5f03b646

      SHA256

      9f45a39015774eeaa2a6218793edc8e6273eb9f764f3aedee5cf9e9ccacdb53f

      SHA512

      fa5cf687eefd7a85b60c32542f5cb3186e1e835c01063681204b195542105e8718da2f42f3e1f84df6b0d49d7eebad6cb9855666301e9a1c5573455e25138a8b

    • C:\Program Files\let'svp-n\lets\tmp.exe

      Filesize

      14.6MB

      MD5

      e680b7e43f6fb7dab7fcd9a07f0b9367

      SHA1

      e29c59617f8aafcde20e06542510c087ef1892a9

      SHA256

      185b11b4952aa5a8bd4ab83b8feade5224ad5823f002ff2381f74e184b9f0a25

      SHA512

      e7a10a5e14eb06da5634f847956edbd8a377e678648f5fe5deddfa30f4f69533d0f256ae046705ac7eefa48fe48c4c77bba2459831a59edc1c2b198da089abed

    • C:\ProgramData\templateWatch.dat

      Filesize

      5.9MB

      MD5

      81185e90f128ed274893d2fb749c7f6e

      SHA1

      f21ae1050bb4da1e63ce448eb4632123327ee1f1

      SHA256

      c5cf7f3e08f1bf838ca2d0d041a75a51b17a03759183d3d6d97e2d3f2a31adaf

      SHA512

      11ed065dbb034f610349d45d27115c3bdd55ab21f9f0194316d1b016ff4d8568a481b5ae711139b47a92f37ef33cf5883a513a4aaf5726d4224164ca3fac2a18

    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

      Filesize

      1KB

      MD5

      0f5cbdca905beb13bebdcf43fb0716bd

      SHA1

      9e136131389fde83297267faf6c651d420671b3f

      SHA256

      a99135d86804f5cf8aaeb5943c1929bd1458652a3318ab8c01aee22bb4991060

      SHA512

      a41d2939473cffcb6beb8b58b499441d16da8bcc22972d53b8b699b82a7dc7be0db39bcd2486edd136294eb3f1c97ddd27b2a9ff45b831579cba6896d1f776b0

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

      Filesize

      12KB

      MD5

      b10399c009aa5ee9c60d2eb24023445d

      SHA1

      2260b80647e7f64ef5fc098c1610548146e8badd

      SHA256

      567376eb173601ceaa5c6ce1dabd2a88fe88c048e4a8f6343460aa21e24103d7

      SHA512

      68c11e42f4311e7a06e73e27a46ae0180c11386dbc856820e112070b7ecfe2ccc51033e1107b20c1102ae48c442f281ddc5b680c2b0de076199d895a08cf8cba

    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_mrcyzdel.f3s.ps1

      Filesize

      1B

      MD5

      c4ca4238a0b923820dcc509a6f75849b

      SHA1

      356a192b7913b04c54574d18c28d46e6395428ab

      SHA256

      6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

      SHA512

      4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

    • C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\IRIMG1.JPG

      Filesize

      2KB

      MD5

      3220a6aefb4fc719cc8849f060859169

      SHA1

      85f624debcefd45fdfdf559ac2510a7d1501b412

      SHA256

      988cf422cbf400d41c48fbe491b425a827a1b70691f483679c1df02fb9352765

      SHA512

      5c45ea8f64b3cdfb262c642bd36b08c822427150d28977af33c9021a6316b6efed83f3172c16343fd703d351af3966b06926e5b33630d51b723709712689881d

    • C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

      Filesize

      4.9MB

      MD5

      d33dd57c830b9b52ec844d713ea1a1da

      SHA1

      51fc3d3316bb308e164a981d364181ae6cadbd1b

      SHA256

      b4255a661c37f4bffcb74baf33d1860cf54f0bdaf68a7b172d4beef3e22729d3

      SHA512

      9b28c9968f0fd1e908d696e363725c6278771c51ac11e52fc6e89081197b88e5f1153293d6e61ae706278b3a98ee70be5ea2765443492461bc5d2330e5c8a260

    • C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\lua5.1.dll

      Filesize

      329KB

      MD5

      52a0b3c36a01a89187342803bc11709d

      SHA1

      8f17c48ecfb5f798cfe565b8f370a86cf8efb091

      SHA256

      af97caa9ff7fba485bdbc688ac1f9de451d38efd102b2bf18deeeed7bd1a30c0

      SHA512

      830259b06dc26197eb5bff1d12cc490a2813bf15ce99b2eb8fa3a61586d0cf613f5ba81fe120be8350ac7f27841633c74a97add2c33591952a0060404249c89c

    • C:\Users\Admin\AppData\Local\Temp\_ir_tu2_temp_0\IRIMG2.JPG

      Filesize

      6KB

      MD5

      e39405e85e09f64ccde0f59392317dd3

      SHA1

      9c76db4b3d8c7972e7995ecfb1e3c47ee94fd14b

      SHA256

      cfd9677e1c0e10b1507f520c4ecd40f68db78154c0d4e6563403d540f3bf829f

      SHA512

      6733f330145b48d23c023c664090f4f240e9bbeb8368b486c8ee8682ec6a930b73275e24075648d1aa7e01db1ec7b7e259286917a006ba9af8fb7cba3439070a

    • C:\Users\Admin\AppData\Local\Temp\nst9C60.tmp\modern-wizard.bmp

      Filesize

      51KB

      MD5

      7f8e1969b0874c8fb9ab44fc36575380

      SHA1

      3057c9ce90a23d29f7d0854472f9f44e87b0f09a

      SHA256

      076221b4527ff13c3e1557abbbd48b0cb8e5f7d724c6b9171c6aadadb80561dd

      SHA512

      7aa65cfadc2738c0186ef459d0f5f7f770ba0f6da4ccd55a2ceca23627b7f13ba258136bab88f4eee5d9bb70ed0e8eb8ba8e1874b0280d2b08b69fc9bdd81555

    • C:\Windows\INF\oem3.PNF

      Filesize

      8KB

      MD5

      81563688bd15b095f45c1c4ce7041066

      SHA1

      cb1122e20cda7e48b650e6d33c985b8b36aae076

      SHA256

      3520fec40273e0e2a2fd1d7f080172b680a060b4c374665c2165cd2de04edf7f

      SHA512

      df13e63e25c589bfdf53b9d16325f18ee5f39250fac9f53926ef221dcc2bd7790a4fb834b731bb29be6aa103616bedd0ccd5dfcf6df977c30c2b9a6970a7244e

    • C:\Windows\Temp\_ir_tu2_temp_0\IRIMG3.JPG

      Filesize

      13KB

      MD5

      29b994bbbfa6110402d25849acd61baa

      SHA1

      e3dae0632750d70cb38a1a7a741fc1a91f28580d

      SHA256

      165c99b55b3dcc4844d5066e4f3beea3181320d7e6c647439c0fe3035a4695fe

      SHA512

      98cc2abfb6904cffa82681b4f799a19f3bc9605cc2e17f1778cecc0b67d78c49ad7e08c9f2b606ffe8a572e0224a355cf9bb3b8d97dcc15e7d3a0841e423b889

    • C:\Windows\Temp\_ir_tu2_temp_0\_TUProjDT.dat

      Filesize

      4B

      MD5

      67bf1f80834081fc794c6ed1f7c2fed5

      SHA1

      4d73fbec18037110be3248e97a555b7f9e458777

      SHA256

      54fd2361602e82db016d6ea62fbadc3984b566399dfaac7e0a1181e4c70b90c2

      SHA512

      fd08c52f7f712dc477ce548476cc2f2582b19f05dc03a814e93ea8464b9a4510375b26f2a39ec50057bd0b0bfc3bdd94eda1e814254a259f0b209da2358d3bae

    • \??\c:\PROGRA~2\letsvpn\driver\tap0901.sys

      Filesize

      38KB

      MD5

      c10ccdec5d7af458e726a51bb3cdc732

      SHA1

      0553aab8c2106abb4120353360d747b0a2b4c94f

      SHA256

      589c5667b1602837205da8ea8e92fe13f8c36048b293df931c99b39641052253

      SHA512

      7437c12ae5b31e389de3053a55996e7a0d30689c6e0d10bde28f1fbf55cee42e65aa441b7b82448334e725c0899384dee2645ce5c311f3a3cfc68e42ad046981

    • \??\c:\program files (x86)\letsvpn\driver\tap0901.cat

      Filesize

      10KB

      MD5

      f73ac62e8df97faf3fc8d83e7f71bf3f

      SHA1

      619a6e8f7a9803a4c71f73060649903606beaf4e

      SHA256

      cc74cdb88c198eb00aef4caa20bf1fda9256917713a916e6b94435cd4dcb7f7b

      SHA512

      f81f5757e0e449ad66a632299bcbe268ed02df61333a304dccafb76b2ad26baf1a09e7f837762ee4780afb47d90a09bf07cb5b8b519c6fb231b54fa4fbe17ffe

    • \Users\Admin\AppData\Local\Temp\nst9C60.tmp\System.dll

      Filesize

      11KB

      MD5

      75ed96254fbf894e42058062b4b4f0d1

      SHA1

      996503f1383b49021eb3427bc28d13b5bbd11977

      SHA256

      a632d74332b3f08f834c732a103dafeb09a540823a2217ca7f49159755e8f1d7

      SHA512

      58174896db81d481947b8745dafe3a02c150f3938bb4543256e8cce1145154e016d481df9fe68dac6d48407c62cbe20753320ebd5fe5e84806d07ce78e0eb0c4

    • \Users\Admin\AppData\Local\Temp\nst9C60.tmp\nsDialogs.dll

      Filesize

      9KB

      MD5

      ca95c9da8cef7062813b989ab9486201

      SHA1

      c555af25df3de51aa18d487d47408d5245dba2d1

      SHA256

      feb6364375d0ab081e9cdf11271c40cb966af295c600903383b0730f0821c0be

      SHA512

      a30d94910204d1419c803dc12d90a9d22f63117e4709b1a131d8c4d5ead7e4121150e2c8b004a546b33c40c294df0a74567013001f55f37147d86bb847d7bbc9

    • \Users\Admin\AppData\Local\Temp\nst9C60.tmp\nsExec.dll

      Filesize

      6KB

      MD5

      3d366250fcf8b755fce575c75f8c79e4

      SHA1

      2ebac7df78154738d41aac8e27d7a0e482845c57

      SHA256

      8bdd996ae4778c6f829e2bcb651c55efc9ec37eeea17d259e013b39528dddbb6

      SHA512

      67d2d88de625227ccd2cb406b4ac3a215d1770d385c985a44e2285490f49b45f23ce64745b24444e2a0f581335fda02e913b92781043e8dfd287844435ba9094

    • memory/2136-860-0x0000000009A50000-0x0000000009A58000-memory.dmp

      Filesize

      32KB

    • memory/2136-635-0x0000000008420000-0x000000000846B000-memory.dmp

      Filesize

      300KB

    • memory/2136-654-0x00000000097A0000-0x00000000097D3000-memory.dmp

      Filesize

      204KB

    • memory/2136-655-0x0000000071370000-0x00000000713BB000-memory.dmp

      Filesize

      300KB

    • memory/2136-656-0x00000000097E0000-0x00000000097FE000-memory.dmp

      Filesize

      120KB

    • memory/2136-661-0x00000000099A0000-0x0000000009A45000-memory.dmp

      Filesize

      660KB

    • memory/2136-662-0x0000000009AF0000-0x0000000009B84000-memory.dmp

      Filesize

      592KB

    • memory/2136-633-0x0000000007EA0000-0x00000000081F0000-memory.dmp

      Filesize

      3.3MB

    • memory/2136-855-0x0000000009A70000-0x0000000009A8A000-memory.dmp

      Filesize

      104KB

    • memory/2512-158-0x0000000000400000-0x000000000053F000-memory.dmp

      Filesize

      1.2MB

    • memory/2512-176-0x0000000001F80000-0x00000000029C9000-memory.dmp

      Filesize

      10.3MB

    • memory/2512-175-0x0000000000E50000-0x0000000000E51000-memory.dmp

      Filesize

      4KB

    • memory/2512-169-0x0000000001F80000-0x00000000029C9000-memory.dmp

      Filesize

      10.3MB

    • memory/2512-165-0x0000000010000000-0x0000000010004000-memory.dmp

      Filesize

      16KB

    • memory/2512-999-0x0000000000400000-0x000000000053F000-memory.dmp

      Filesize

      1.2MB

    • memory/4132-179-0x0000000002800000-0x0000000002DE8000-memory.dmp

      Filesize

      5.9MB

    • memory/4132-182-0x0000000010000000-0x0000000010A49000-memory.dmp

      Filesize

      10.3MB

    • memory/4132-188-0x00000000030B0000-0x00000000030B1000-memory.dmp

      Filesize

      4KB

    • memory/4132-189-0x0000000010000000-0x0000000010A49000-memory.dmp

      Filesize

      10.3MB

    • memory/4188-112-0x0000000008300000-0x0000000008650000-memory.dmp

      Filesize

      3.3MB

    • memory/4188-104-0x0000000007A80000-0x00000000080A8000-memory.dmp

      Filesize

      6.2MB

    • memory/4188-120-0x0000000008A70000-0x0000000008AE6000-memory.dmp

      Filesize

      472KB

    • memory/4188-119-0x00000000089C0000-0x0000000008A0B000-memory.dmp

      Filesize

      300KB

    • memory/4188-111-0x00000000080B0000-0x0000000008116000-memory.dmp

      Filesize

      408KB

    • memory/4188-110-0x0000000008290000-0x00000000082F6000-memory.dmp

      Filesize

      408KB

    • memory/4188-109-0x0000000007990000-0x00000000079B2000-memory.dmp

      Filesize

      136KB

    • memory/4188-103-0x00000000072C0000-0x00000000072F6000-memory.dmp

      Filesize

      216KB

    • memory/4188-113-0x0000000008170000-0x000000000818C000-memory.dmp

      Filesize

      112KB

    • memory/4468-105-0x0000000002480000-0x0000000002481000-memory.dmp

      Filesize

      4KB

    • memory/4468-106-0x0000000003410000-0x0000000003E59000-memory.dmp

      Filesize

      10.3MB

    • memory/4468-95-0x0000000003410000-0x0000000003E59000-memory.dmp

      Filesize

      10.3MB

    • memory/4468-84-0x0000000002CE0000-0x00000000032C8000-memory.dmp

      Filesize

      5.9MB

    • memory/4468-80-0x0000000010000000-0x0000000010004000-memory.dmp

      Filesize

      16KB

    • memory/4468-79-0x00000000023F0000-0x00000000023F2000-memory.dmp

      Filesize

      8KB

    • memory/4468-645-0x0000000000400000-0x000000000053F000-memory.dmp

      Filesize

      1.2MB

    • memory/4468-56-0x0000000000400000-0x000000000053F000-memory.dmp

      Filesize

      1.2MB