servhelper | ee5d82cd5e61b518572b4415797ee407cff1d28a2e0b43a2baec7236c37695eb

Analysis

max time kernel
95s
max time network
120s
platform
windows10_x64
resource
win10-en-20210920
submitted
10-10-2021 11:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cb3cc551561883ab8fc4fb6fc837a469.exe
Size

4.0MB
MD5

cb3cc551561883ab8fc4fb6fc837a469
SHA1

f74ae6d243342099d3fa500cbc630f4a244a8d82
SHA256

ee5d82cd5e61b518572b4415797ee407cff1d28a2e0b43a2baec7236c37695eb
SHA512

b97782f7835949ec41da357cfba598936bc2542fa53c0c8da7f35168f4f0fe19158a5946a297dcc540b7ce0dda8aeacd06f69ac209bd562e58fb31924e8fd7d1

Score

10^/10

servhelper xmrig backdoor miner persistence trojan

Malware Config

Signatures

ServHelper
ServHelper is a backdoor written in Delphi and is associated with the hacking group TA505.
trojan backdoor servhelper
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098
Modifies RDP port number used by Windows 1 TTPs

Remote Desktop Protocol
T1076
Sets DLL path for service in the registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

Drops file in System32 directory 1 IoCs

Processes:

powershell.exe

description	ioc	Process
File created	C:\Windows\SysWOW64\rdpclip.exe	powershell.exe

Drops file in Windows directory 8 IoCs

Processes:

powershell.exe

description	ioc	Process
File opened for modification	C:\Windows\branding\mediasvc.png	powershell.exe
File opened for modification	C:\Windows\branding\wupsvc.jpg	powershell.exe
File created	C:\Windows\branding\mediasrv.png	powershell.exe
File created	C:\Windows\branding\mediasvc.png	powershell.exe
File created	C:\Windows\branding\wupsvc.jpg	powershell.exe
File opened for modification	C:\Windows\branding\Basebrd	powershell.exe
File opened for modification	C:\Windows\branding\ShellBrd	powershell.exe
File opened for modification	C:\Windows\branding\mediasrv.png	powershell.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

Processes:

reg.exe

pid	Process
3632	reg.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 15 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exe

pid	Process
1572	powershell.exe
1572	powershell.exe
1572	powershell.exe
3424	powershell.exe
3424	powershell.exe
3424	powershell.exe
1600	powershell.exe
1600	powershell.exe
1600	powershell.exe
4052	powershell.exe
4052	powershell.exe
4052	powershell.exe
1572	powershell.exe
1572	powershell.exe
1572	powershell.exe

Suspicious behavior: LoadsDriver 1 IoCs

Processes:

pid	Process
640

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exe

description	pid	Process
Token: SeDebugPrivilege	1572	powershell.exe
Token: SeDebugPrivilege	3424	powershell.exe
Token: SeDebugPrivilege	1600	powershell.exe
Token: SeDebugPrivilege	4052	powershell.exe

Suspicious use of WriteProcessMemory 63 IoCs

Processes:

cb3cc551561883ab8fc4fb6fc837a469.exepowershell.execsc.exenet.execmd.execmd.exenet.execmd.execmd.exenet.exe

description	pid	Process	procid_target
PID 2524 wrote to memory of 1572	2524	cb3cc551561883ab8fc4fb6fc837a469.exe	72
PID 2524 wrote to memory of 1572	2524	cb3cc551561883ab8fc4fb6fc837a469.exe	72
PID 2524 wrote to memory of 1572	2524	cb3cc551561883ab8fc4fb6fc837a469.exe	72
PID 1572 wrote to memory of 1072	1572	powershell.exe	74
PID 1572 wrote to memory of 1072	1572	powershell.exe	74
PID 1572 wrote to memory of 1072	1572	powershell.exe	74
PID 1072 wrote to memory of 1144	1072	csc.exe	75
PID 1072 wrote to memory of 1144	1072	csc.exe	75
PID 1072 wrote to memory of 1144	1072	csc.exe	75
PID 1572 wrote to memory of 3424	1572	powershell.exe	76
PID 1572 wrote to memory of 3424	1572	powershell.exe	76
PID 1572 wrote to memory of 3424	1572	powershell.exe	76
PID 1572 wrote to memory of 1600	1572	powershell.exe	78
PID 1572 wrote to memory of 1600	1572	powershell.exe	78
PID 1572 wrote to memory of 1600	1572	powershell.exe	78
PID 1572 wrote to memory of 4052	1572	powershell.exe	80
PID 1572 wrote to memory of 4052	1572	powershell.exe	80
PID 1572 wrote to memory of 4052	1572	powershell.exe	80
PID 1572 wrote to memory of 1548	1572	powershell.exe	82
PID 1572 wrote to memory of 1548	1572	powershell.exe	82
PID 1572 wrote to memory of 1548	1572	powershell.exe	82
PID 1572 wrote to memory of 3632	1572	powershell.exe	83
PID 1572 wrote to memory of 3632	1572	powershell.exe	83
PID 1572 wrote to memory of 3632	1572	powershell.exe	83
PID 1572 wrote to memory of 3200	1572	powershell.exe	84
PID 1572 wrote to memory of 3200	1572	powershell.exe	84
PID 1572 wrote to memory of 3200	1572	powershell.exe	84
PID 1572 wrote to memory of 408	1572	powershell.exe	85
PID 1572 wrote to memory of 408	1572	powershell.exe	85
PID 1572 wrote to memory of 408	1572	powershell.exe	85
PID 408 wrote to memory of 2488	408	net.exe	86
PID 408 wrote to memory of 2488	408	net.exe	86
PID 408 wrote to memory of 2488	408	net.exe	86
PID 1572 wrote to memory of 3312	1572	powershell.exe	87
PID 1572 wrote to memory of 3312	1572	powershell.exe	87
PID 1572 wrote to memory of 3312	1572	powershell.exe	87
PID 3312 wrote to memory of 2344	3312	cmd.exe	88
PID 3312 wrote to memory of 2344	3312	cmd.exe	88
PID 3312 wrote to memory of 2344	3312	cmd.exe	88
PID 2344 wrote to memory of 1756	2344	cmd.exe	89
PID 2344 wrote to memory of 1756	2344	cmd.exe	89
PID 2344 wrote to memory of 1756	2344	cmd.exe	89
PID 1756 wrote to memory of 2328	1756	net.exe	90
PID 1756 wrote to memory of 2328	1756	net.exe	90
PID 1756 wrote to memory of 2328	1756	net.exe	90
PID 1572 wrote to memory of 1744	1572	powershell.exe	91
PID 1572 wrote to memory of 1744	1572	powershell.exe	91
PID 1572 wrote to memory of 1744	1572	powershell.exe	91
PID 1744 wrote to memory of 2000	1744	cmd.exe	92
PID 1744 wrote to memory of 2000	1744	cmd.exe	92
PID 1744 wrote to memory of 2000	1744	cmd.exe	92
PID 2000 wrote to memory of 4020	2000	cmd.exe	93
PID 2000 wrote to memory of 4020	2000	cmd.exe	93
PID 2000 wrote to memory of 4020	2000	cmd.exe	93
PID 4020 wrote to memory of 1936	4020	net.exe	94
PID 4020 wrote to memory of 1936	4020	net.exe	94
PID 4020 wrote to memory of 1936	4020	net.exe	94
PID 1572 wrote to memory of 1840	1572	powershell.exe	96
PID 1572 wrote to memory of 1840	1572	powershell.exe	96
PID 1572 wrote to memory of 1840	1572	powershell.exe	96
PID 1572 wrote to memory of 2380	1572	powershell.exe	97
PID 1572 wrote to memory of 2380	1572	powershell.exe	97
PID 1572 wrote to memory of 2380	1572	powershell.exe	97

C:\Users\Admin\AppData\Local\Temp\cb3cc551561883ab8fc4fb6fc837a469.exe
"C:\Users\Admin\AppData\Local\Temp\cb3cc551561883ab8fc4fb6fc837a469.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2524
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" -ep bypass & 'C:\Users\Admin\AppData\Local\Temp\\ready.ps1'
  2⤵
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1572
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\5v3nplro\5v3nplro.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1072
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC2D4.tmp" "c:\Users\Admin\AppData\Local\Temp\5v3nplro\CSCB864D1E737C475DBB2095527C87833.TMP"
      4⤵
      PID:1144
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3424
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1600
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4052
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 0x1C21 /f
    3⤵
    PID:1548
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" add HKLM\system\currentcontrolset\services\TermService\parameters /v ServiceDLL /t REG_EXPAND_SZ /d C:\Windows\branding\mediasrv.png /f
    3⤵
    - Modifies registry key
    PID:3632
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fEnableWddmDriver /t reg_dword /d 0 /f
    3⤵
    PID:3200
- - C:\Windows\SysWOW64\net.exe
    "C:\Windows\system32\net.exe" localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:408
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
      4⤵
      PID:2488
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c cmd /c net start rdpdr
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3312
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c net start rdpdr
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2344
    - - C:\Windows\SysWOW64\net.exe
        
        net start rdpdr
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1756
      - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 start rdpdr
        6⤵
        
        PID:2328
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c cmd /c net start TermService
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1744
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c net start TermService
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2000
    - - C:\Windows\SysWOW64\net.exe
        
        net start TermService
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4020
      - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 start TermService
        6⤵
        
        PID:1936
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c del %temp%\*.ps1 /f
    3⤵
    PID:1840
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c del %temp%\*.txt /f
    3⤵
    PID:2380

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Account Manipulation

T1098

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Account Manipulation

T1098

Discovery

Lateral Movement

Remote Desktop Protocol

T1076

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

MD5
f3068198b62b4b70404ec46694d632be

SHA1
7b0b31ae227cf2a78cb751573a9d07f755104ea0

SHA256
bd0fab28319be50795bd6aa9692742ba12539b136036acce2e0403f10a779fc8

SHA512
ef285a93898a9436219540f247beb52da69242d05069b3f50d1761bb956ebb8468aeaeadcb87dd7a09f5039c479a31f313c83c4a63c2b2f789f1fe55b4fa9795

Download Submit
C:\Users\Admin\AppData\Local\Temp\5v3nplro\5v3nplro.dll

MD5
acf1798c2d21b1ffacb9bf25aeaa4981

SHA1
30d499750db558d0c8a8dff3636028999ae1469e

SHA256
8119436bd0e13c95adea910a80c284b0a23179db812e71fabf2271c5efdb1446

SHA512
a37a61cccc24025e88f72032cc6d0922ad5fbeba221274de7ddf0fc7e184ff4e683eccb9af99b2614e9920cdeff94dd0d780425da6250e0ced0508f5ba63a706

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESC2D4.tmp

MD5
3f59d8c6da5e528a387e0dc7c3462ebd

SHA1
2160e936a03a3e4d3e3d796bfedcaa56a6056673

SHA256
414e3878cf6b2ed33b16272690bc4104af1bd931543f7dcf913d2121d7249912

SHA512
0b8406182ee691af3867e862f650f6cc2be2ff04f9f298c28b541c4d6c6a5c7480c785dd82c510d7b3f336681d3d1b49a8666489d93954f6dff92bfe030cdc46

Download Submit
C:\Users\Admin\AppData\Local\Temp\get-dnsprovider.PS1

MD5
841cc93778b4ec353d0075d717b90df4

SHA1
287f652b7be199d127aab4655055654a6ea2bed6

SHA256
77f2e15c057346682081eae41389c9d91ba710c2f91107a9c59543c71cf6cad1

SHA512
a98053ebe4279d8b312a27f634ca2a9b4d929e15f8d27bdb2e89706a9fa967035e58a5d5cec2be0e5ea763b8c278884863f91d8ca270d4a30a20c51d00b72541

Download Submit
C:\Users\Admin\AppData\Local\Temp\ready.ps1

MD5
28d9755addec05c0b24cca50dfe3a92b

SHA1
7d3156f11c7a7fb60d29809caf93101de2681aa3

SHA256
abb6ceb444b3dc29fcdcb8bda4935a6a792b85bb7049cb2710d97415d9411af9

SHA512
891a72eeef42be3f04067225a9665020704c99f9c17473ca57e5b946dfa35cb469fa91a794ea30115ce3ed0e940edb3ccff69a16a888379f5ac46a12afaa4c42

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\5v3nplro\5v3nplro.0.cs

MD5
9f8ab7eb0ab21443a2fe06dab341510e

SHA1
2b88b3116a79e48bab7114e18c9b9674e8a52165

SHA256
e1a4fbe36125e02e100e729ce92ab74869423da87cb46da6e3c50d7c4410b2d9

SHA512
53f5dc4c853af5a412fde895635ef4b2de98a165e3546130fdd17a37a5c3b177e21eccf70a5ddf936ac491da2d7e8fcdbc1e564a95ec01b097841aa78869989b

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\5v3nplro\5v3nplro.cmdline

MD5
292905cdc8c1defa62d1b8f89a49c38c

SHA1
f97c2427fbac0ad008cc2c7f5510c5db83dc768e

SHA256
4c6f52ebd5cb111806c3a2ae0f35e850c6c42773042f632db9c5c98518881dc6

SHA512
afc23bd7273f47b2053aabb1b89b50cb54cebd467ce901c9b736a4fc164228e854c6ccd227255e025709f9e7c09c9653e04c79ff3cf866739b2f13c245eb568e

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\5v3nplro\CSCB864D1E737C475DBB2095527C87833.TMP

MD5
5fd7d630ec70b241981394c5f84dbe87

SHA1
53b76710e2c8407b31fbe644a94ed8eeacd90d84

SHA256
a9a4d888af53069e728b3ccc0e2a798ac523e86b0f0443ec4957ab3388ccf5de

SHA512
90ec2357d2825f4b72e6a8b43003515d23342d9a022be4715b00a38cfeba1277b595dd3282abde733cbabf12c9867a7d06b44aef2cf7ea8a32268ffc75f18678

Download Submit
memory/408-1002-0x0000000000000000-mapping.dmp

Download
memory/1072-147-0x0000000000000000-mapping.dmp

Download
memory/1144-150-0x0000000000000000-mapping.dmp

Download
memory/1548-963-0x0000000000000000-mapping.dmp

Download
memory/1572-134-0x0000000008300000-0x0000000008301000-memory.dmp

Filesize
4KB

Download
memory/1572-128-0x0000000003540000-0x0000000003541000-memory.dmp

Filesize
4KB

Download
memory/1572-130-0x0000000007870000-0x0000000007871000-memory.dmp

Filesize
4KB

Download
memory/1572-131-0x0000000007F00000-0x0000000007F01000-memory.dmp

Filesize
4KB

Download
memory/1572-132-0x00000000080A0000-0x00000000080A1000-memory.dmp

Filesize
4KB

Download
memory/1572-177-0x0000000009A70000-0x0000000009A71000-memory.dmp

Filesize
4KB

Download
memory/1572-135-0x0000000008180000-0x0000000008181000-memory.dmp

Filesize
4KB

Download
memory/1572-136-0x00000000086D0000-0x00000000086D1000-memory.dmp

Filesize
4KB

Download
memory/1572-138-0x0000000004E62000-0x0000000004E63000-memory.dmp

Filesize
4KB

Download
memory/1572-137-0x0000000004E60000-0x0000000004E61000-memory.dmp

Filesize
4KB

Download
memory/1572-139-0x0000000008930000-0x0000000008931000-memory.dmp

Filesize
4KB

Download
memory/1572-156-0x0000000004E63000-0x0000000004E64000-memory.dmp

Filesize
4KB

Download
memory/1572-141-0x0000000003540000-0x0000000003541000-memory.dmp

Filesize
4KB

Download
memory/1572-145-0x0000000009CF0000-0x0000000009CF1000-memory.dmp

Filesize
4KB

Download
memory/1572-146-0x00000000096A0000-0x00000000096A1000-memory.dmp

Filesize
4KB

Download
memory/1572-127-0x0000000003540000-0x0000000003541000-memory.dmp

Filesize
4KB

Download
memory/1572-126-0x0000000000000000-mapping.dmp

Download
memory/1572-154-0x00000000074C0000-0x00000000074C1000-memory.dmp

Filesize
4KB

Download
memory/1572-1128-0x000000007E230000-0x000000007E231000-memory.dmp

Filesize
4KB

Download
memory/1572-129-0x0000000004EB0000-0x0000000004EB1000-memory.dmp

Filesize
4KB

Download
memory/1600-433-0x0000000000000000-mapping.dmp

Download
memory/1600-444-0x00000000066C0000-0x00000000066C1000-memory.dmp

Filesize
4KB

Download
memory/1600-445-0x00000000066C2000-0x00000000066C3000-memory.dmp

Filesize
4KB

Download
memory/1600-542-0x000000007E930000-0x000000007E931000-memory.dmp

Filesize
4KB

Download
memory/1744-1010-0x0000000000000000-mapping.dmp

Download
memory/1756-1008-0x0000000000000000-mapping.dmp

Download
memory/1840-1026-0x0000000000000000-mapping.dmp

Download
memory/1936-1013-0x0000000000000000-mapping.dmp

Download
memory/2000-1011-0x0000000000000000-mapping.dmp

Download
memory/2328-1009-0x0000000000000000-mapping.dmp

Download
memory/2344-1007-0x0000000000000000-mapping.dmp

Download
memory/2380-1027-0x0000000000000000-mapping.dmp

Download
memory/2488-1003-0x0000000000000000-mapping.dmp

Download
memory/2524-124-0x0000000007A00000-0x0000000007A01000-memory.dmp

Filesize
4KB

Download
memory/2524-123-0x0000000005E90000-0x0000000005E91000-memory.dmp

Filesize
4KB

Download
memory/2524-125-0x00000000054F4000-0x00000000054F5000-memory.dmp

Filesize
4KB

Download
memory/2524-115-0x0000000000D60000-0x0000000000D61000-memory.dmp

Filesize
4KB

Download
memory/2524-121-0x0000000006200000-0x0000000006201000-memory.dmp

Filesize
4KB

Download
memory/2524-122-0x0000000005EA0000-0x0000000005EA1000-memory.dmp

Filesize
4KB

Download
memory/2524-120-0x00000000054F3000-0x00000000054F4000-memory.dmp

Filesize
4KB

Download
memory/2524-119-0x00000000054F2000-0x00000000054F3000-memory.dmp

Filesize
4KB

Download
memory/2524-118-0x00000000054F0000-0x00000000054F1000-memory.dmp

Filesize
4KB

Download
memory/2524-117-0x0000000005900000-0x0000000005CFF000-memory.dmp

Filesize
4.0MB

Download
memory/3200-965-0x0000000000000000-mapping.dmp

Download
memory/3312-1006-0x0000000000000000-mapping.dmp

Download
memory/3424-214-0x000000007F990000-0x000000007F991000-memory.dmp

Filesize
4KB

Download
memory/3424-192-0x0000000003280000-0x0000000003281000-memory.dmp

Filesize
4KB

Download
memory/3424-184-0x0000000007252000-0x0000000007253000-memory.dmp

Filesize
4KB

Download
memory/3424-182-0x0000000007250000-0x0000000007251000-memory.dmp

Filesize
4KB

Download
memory/3424-179-0x0000000003280000-0x0000000003281000-memory.dmp

Filesize
4KB

Download
memory/3424-180-0x0000000003280000-0x0000000003281000-memory.dmp

Filesize
4KB

Download
memory/3424-178-0x0000000000000000-mapping.dmp

Download
memory/3632-964-0x0000000000000000-mapping.dmp

Download
memory/4020-1012-0x0000000000000000-mapping.dmp

Download
memory/4052-698-0x0000000006A22000-0x0000000006A23000-memory.dmp

Filesize
4KB

Download
memory/4052-777-0x000000007E3E0000-0x000000007E3E1000-memory.dmp

Filesize
4KB

Download
memory/4052-697-0x0000000006A20000-0x0000000006A21000-memory.dmp

Filesize
4KB

Download
memory/4052-684-0x0000000000000000-mapping.dmp

Download