servhelper | c2add78326f26be631d5cf21ff3ca5e5393b090adb1dc7b11a14f29a00818ac2

Analysis

max time kernel
141s
max time network
122s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
22-12-2023 13:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b0c3c2a0596614eeb982676f23b2b3c2.exe
Size

4.2MB
MD5

b0c3c2a0596614eeb982676f23b2b3c2
SHA1

4fd90dccbb3d603c522b5a3ed172004131f45413
SHA256

c2add78326f26be631d5cf21ff3ca5e5393b090adb1dc7b11a14f29a00818ac2
SHA512

3a5cb95b6ed274debd2ec711f58d1ae647b8725aa86c63b8181accc48bc26cb2311ca62cd5dabc0906c3daf4866cb861fae6ff1e054f2ad94b237bc5d7391a44
SSDEEP

98304:KI6X9OmbHlT6U1FGbJqj2OCuaIGbFAUqxdijH8tk8vp8K:jmbN6kEJqjGu7iFoxk8+

Score

10^/10

servhelper backdoor discovery exploit persistence trojan

Malware Config

Signatures

ServHelper
ServHelper is a backdoor written in Delphi and is associated with the hacking group TA505.
trojan backdoor servhelper
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098
Modifies RDP port number used by Windows 1 TTPs

Remote Desktop Protocol
T1021.001

Possible privilege escalation attempt 8 IoCs

exploit

pid	Process
2384	icacls.exe
2576	icacls.exe
1992	takeown.exe
784	icacls.exe
1880	icacls.exe
1980	icacls.exe
396	icacls.exe
996	icacls.exe

Sets DLL path for service in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\TermService\Parameters\ServiceDLL = "C:\\Windows\\branding\\mediasrv.png"	reg.exe

Modifies file permissions 1 TTPs 8 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
1992	takeown.exe
784	icacls.exe
1880	icacls.exe
1980	icacls.exe
396	icacls.exe
996	icacls.exe
2384	icacls.exe
2576	icacls.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\rdpclip.exe	powershell.exe
File created	C:\Windows\SysWOW64\rfxvmt.dll	powershell.exe

Drops file in Windows directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Windows\branding\ShellBrd	powershell.exe
File opened for modification	C:\Windows\branding\mediasrv.png	powershell.exe
File opened for modification	C:\Windows\branding\mediasvc.png	powershell.exe
File opened for modification	C:\Windows\branding\wupsvc.jpg	powershell.exe
File created	C:\Windows\branding\mediasrv.png	powershell.exe
File created	C:\Windows\branding\mediasvc.png	powershell.exe
File created	C:\Windows\branding\wupsvc.jpg	powershell.exe
File opened for modification	C:\Windows\branding\Basebrd	powershell.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
2436	reg.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
2628	powershell.exe
2512	powershell.exe
2660	powershell.exe
612	powershell.exe
2628	powershell.exe
2628	powershell.exe
2628	powershell.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
464	Process not Found

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	2628	powershell.exe
Token: SeDebugPrivilege	2512	powershell.exe
Token: SeDebugPrivilege	2660	powershell.exe
Token: SeDebugPrivilege	612	powershell.exe
Token: SeRestorePrivilege	2576	icacls.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2072 wrote to memory of 2628	2072	b0c3c2a0596614eeb982676f23b2b3c2.exe	29
PID 2072 wrote to memory of 2628	2072	b0c3c2a0596614eeb982676f23b2b3c2.exe	29
PID 2072 wrote to memory of 2628	2072	b0c3c2a0596614eeb982676f23b2b3c2.exe	29
PID 2072 wrote to memory of 2628	2072	b0c3c2a0596614eeb982676f23b2b3c2.exe	29
PID 2628 wrote to memory of 2896	2628	powershell.exe	31
PID 2628 wrote to memory of 2896	2628	powershell.exe	31
PID 2628 wrote to memory of 2896	2628	powershell.exe	31
PID 2628 wrote to memory of 2896	2628	powershell.exe	31
PID 2896 wrote to memory of 2960	2896	csc.exe	32
PID 2896 wrote to memory of 2960	2896	csc.exe	32
PID 2896 wrote to memory of 2960	2896	csc.exe	32
PID 2896 wrote to memory of 2960	2896	csc.exe	32
PID 2628 wrote to memory of 2512	2628	powershell.exe	36
PID 2628 wrote to memory of 2512	2628	powershell.exe	36
PID 2628 wrote to memory of 2512	2628	powershell.exe	36
PID 2628 wrote to memory of 2512	2628	powershell.exe	36
PID 2628 wrote to memory of 2660	2628	powershell.exe	37
PID 2628 wrote to memory of 2660	2628	powershell.exe	37
PID 2628 wrote to memory of 2660	2628	powershell.exe	37
PID 2628 wrote to memory of 2660	2628	powershell.exe	37
PID 2628 wrote to memory of 612	2628	powershell.exe	40
PID 2628 wrote to memory of 612	2628	powershell.exe	40
PID 2628 wrote to memory of 612	2628	powershell.exe	40
PID 2628 wrote to memory of 612	2628	powershell.exe	40
PID 2628 wrote to memory of 1992	2628	powershell.exe	41
PID 2628 wrote to memory of 1992	2628	powershell.exe	41
PID 2628 wrote to memory of 1992	2628	powershell.exe	41
PID 2628 wrote to memory of 1992	2628	powershell.exe	41
PID 2628 wrote to memory of 784	2628	powershell.exe	42
PID 2628 wrote to memory of 784	2628	powershell.exe	42
PID 2628 wrote to memory of 784	2628	powershell.exe	42
PID 2628 wrote to memory of 784	2628	powershell.exe	42
PID 2628 wrote to memory of 2576	2628	powershell.exe	51
PID 2628 wrote to memory of 2576	2628	powershell.exe	51
PID 2628 wrote to memory of 2576	2628	powershell.exe	51
PID 2628 wrote to memory of 2576	2628	powershell.exe	51
PID 2628 wrote to memory of 2384	2628	powershell.exe	50
PID 2628 wrote to memory of 2384	2628	powershell.exe	50
PID 2628 wrote to memory of 2384	2628	powershell.exe	50
PID 2628 wrote to memory of 2384	2628	powershell.exe	50
PID 2628 wrote to memory of 1880	2628	powershell.exe	43
PID 2628 wrote to memory of 1880	2628	powershell.exe	43
PID 2628 wrote to memory of 1880	2628	powershell.exe	43
PID 2628 wrote to memory of 1880	2628	powershell.exe	43
PID 2628 wrote to memory of 1980	2628	powershell.exe	44
PID 2628 wrote to memory of 1980	2628	powershell.exe	44
PID 2628 wrote to memory of 1980	2628	powershell.exe	44
PID 2628 wrote to memory of 1980	2628	powershell.exe	44
PID 2628 wrote to memory of 996	2628	powershell.exe	49
PID 2628 wrote to memory of 996	2628	powershell.exe	49
PID 2628 wrote to memory of 996	2628	powershell.exe	49
PID 2628 wrote to memory of 996	2628	powershell.exe	49
PID 2628 wrote to memory of 396	2628	powershell.exe	48
PID 2628 wrote to memory of 396	2628	powershell.exe	48
PID 2628 wrote to memory of 396	2628	powershell.exe	48
PID 2628 wrote to memory of 396	2628	powershell.exe	48
PID 2628 wrote to memory of 2352	2628	powershell.exe	45
PID 2628 wrote to memory of 2352	2628	powershell.exe	45
PID 2628 wrote to memory of 2352	2628	powershell.exe	45
PID 2628 wrote to memory of 2352	2628	powershell.exe	45
PID 2628 wrote to memory of 2436	2628	powershell.exe	47
PID 2628 wrote to memory of 2436	2628	powershell.exe	47
PID 2628 wrote to memory of 2436	2628	powershell.exe	47
PID 2628 wrote to memory of 2436	2628	powershell.exe	47

C:\Users\Admin\AppData\Local\Temp\b0c3c2a0596614eeb982676f23b2b3c2.exe
"C:\Users\Admin\AppData\Local\Temp\b0c3c2a0596614eeb982676f23b2b3c2.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2072
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" -ep bypass & 'C:\Users\Admin\AppData\Local\Temp\\ready.ps1'
  2⤵
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2628
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\cxbila8d.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2896
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCDBC.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCCDBB.tmp"
      4⤵
      PID:2960
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -s -NoLogo -NoProfile
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2512
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -s -NoLogo -NoProfile
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2660
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -s -NoLogo -NoProfile
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:612
- - C:\Windows\SysWOW64\takeown.exe
    "C:\Windows\system32\takeown.exe" /A /F rfxvmt.dll
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:1992
- - C:\Windows\SysWOW64\icacls.exe
    "C:\Windows\system32\icacls.exe" rfxvmt.dll /inheritance:d
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:784
- - C:\Windows\SysWOW64\icacls.exe
    "C:\Windows\system32\icacls.exe" rfxvmt.dll /remove "NT AUTHORITY\SYSTEM"
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:1880
- - C:\Windows\SysWOW64\icacls.exe
    "C:\Windows\system32\icacls.exe" rfxvmt.dll /grant "NT AUTHORITY\SYSTEM:RX"
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:1980
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 0x1C21 /f
    3⤵
    PID:2352
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fEnableWddmDriver /t reg_dword /d 0 /f
    3⤵
    PID:2288
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" add HKLM\system\currentcontrolset\services\TermService\parameters /v ServiceDLL /t REG_EXPAND_SZ /d C:\Windows\branding\mediasrv.png /f
    3⤵
    - Sets DLL path for service in the registry
    - Modifies registry key
    PID:2436
- - C:\Windows\SysWOW64\icacls.exe
    "C:\Windows\system32\icacls.exe" rfxvmt.dll /grant BUILTIN\Administrators:RX
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:396
- - C:\Windows\SysWOW64\icacls.exe
    "C:\Windows\system32\icacls.exe" rfxvmt.dll /remove BUILTIN\Administrators
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:996
- - C:\Windows\SysWOW64\icacls.exe
    "C:\Windows\system32\icacls.exe" rfxvmt.dll /grant "NT SERVICE\TrustedInstaller:F"
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:2384
- - C:\Windows\SysWOW64\icacls.exe
    "C:\Windows\system32\icacls.exe" rfxvmt.dll /setowner "NT SERVICE\TrustedInstaller"
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:2576
- - C:\Windows\SysWOW64\net.exe
    "C:\Windows\system32\net.exe" localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
    3⤵
    PID:2496
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
      4⤵
      PID:272
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c cmd /c net start rdpdr
    3⤵
    PID:1408
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c net start rdpdr
      4⤵
      PID:672
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c cmd /c net start TermService
    3⤵
    PID:932
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c del %temp%\*.ps1 /f
    3⤵
    PID:1384
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c del %temp%\*.txt /f
    3⤵
    PID:1312

C:\Windows\SysWOW64\net.exe
net start rdpdr
1⤵
PID:2032
- C:\Windows\SysWOW64\net1.exe
  C:\Windows\system32\net1 start rdpdr
  2⤵
  PID:1640

C:\Windows\SysWOW64\cmd.exe
cmd /c net start TermService
1⤵
PID:1304
- C:\Windows\SysWOW64\net.exe
  net start TermService
  2⤵
  PID:748

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 start TermService
1⤵
PID:928

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Account Manipulation

T1098

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Account Manipulation

T1098

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

File and Directory Permissions Modification

T1222

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Remote Services

T1021

Remote Desktop Protocol

T1021.001

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESCDBC.tmp

Filesize
1KB

MD5
9d85111571db05d4e5460250a6d5ddc8

SHA1
b98161489cf5fe766e48d62a4a5b856480eff283

SHA256
a2eb534db887e02e08aba31056efcee6241de5fedc198b3b0395f54624008598

SHA512
aa33b43ef3bd33893660d98ad2e43986d734d131c9a0f76be3cbf2a8f73f15f5af76e37389d9984c626bbaccc0194cacf01e3526c1c241a229cddf424d4eabcf

Download Submit
C:\Users\Admin\AppData\Local\Temp\cxbila8d.dll

Filesize
3KB

MD5
7ea3e033f28a232f912fb2890043194e

SHA1
6fb11a9c4b7ae5a9d3c2337764d165a07431fbcf

SHA256
cf96bc7556bfdd215088ef151e22f584bfbe93c42ea6ffb6e0be98982cbddde1

SHA512
7db224582b864f94e67277ef55eef380ea26953b09c824c9fbffd169dab2062c6dc73e56b11b867a53a0275a54619ea329a4a5754153a2dad856b7a61cf813bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\cxbila8d.pdb

Filesize
7KB

MD5
8373f85bc72fbe1a580fb55385399e0e

SHA1
c3224f9da7d94c9b5ea67ddb6abdbd89c294346d

SHA256
524e8f62b884d8b36db3f130d336433cff654276b180db198286e9873a2150d1

SHA512
98471fbd902b1178dfdc0eb5f8233e4b606388e9f50d31834065a0b6c7f20b7471b88f643a57c89a14451577bc2e68930ad766b881cc0cd3cda339d6a990efb9

Download Submit
C:\Users\Admin\AppData\Local\Temp\get-dnsprovider.PS1

Filesize
712KB

MD5
a05939b3da9531bf7c654178263cc030

SHA1
93fbfce5877df0051c450fbc2424ec82570fb08c

SHA256
d4bd5f575c2bc53f20574ac14464c516df194cd73b338775a56de2b53213921b

SHA512
71a4f6e5923804179ba20dffe6eca3592431e45b4cc7e461eb66e54ab26e302d9a6c38ac4cc21ba8645c3e3ffb5a073f8e9b4e117b35b38f7f3275fab6d3b667

Download Submit
C:\Users\Admin\AppData\Local\Temp\ready.ps1

Filesize
1KB

MD5
28d9755addec05c0b24cca50dfe3a92b

SHA1
7d3156f11c7a7fb60d29809caf93101de2681aa3

SHA256
abb6ceb444b3dc29fcdcb8bda4935a6a792b85bb7049cb2710d97415d9411af9

SHA512
891a72eeef42be3f04067225a9665020704c99f9c17473ca57e5b946dfa35cb469fa91a794ea30115ce3ed0e940edb3ccff69a16a888379f5ac46a12afaa4c42

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
a9eb19acc2c697ba94b64dc60b800295

SHA1
8eb27e24ae39d4079459083324362113d5628194

SHA256
960f94e8c016e0eb9e009b3e551136b13f6906e10b6c09bcc975270e0e0ed2ff

SHA512
097e8b7afc8df859b9e738cde75e1da1e0e2d54c5f6afcbb430fa86d152468c78ba1e8b0664e7c7ad5f90faa59b0a3f50eb04f5d20697aac830c076df76b70c1

Download Submit
C:\Windows\SysWOW64\rfxvmt.dll

Filesize
40KB

MD5
dc39d23e4c0e681fad7a3e1342a2843c

SHA1
58fd7d50c2dca464a128f5e0435d6f0515e62073

SHA256
6d9a41a03a3bd5362e3af24f97ba99d2f9927d1375e4f608942a712866d133b9

SHA512
5cb75e04ce9f5c3714e30c4fd5b8dbcd3952c3d756556dd76206111fe5b4e980c6c50209ab0914ab3afe15bd9c33ff0d49463ca11547214122859918de2a58f7

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSCCDBB.tmp

Filesize
652B

MD5
97ab07b73e8396ccced4262df39aead4

SHA1
2f8433be72e1061f646647eba976453b7550c84d

SHA256
ceb67d8f48705e44ded3a50fa593dd36513f6b5ae0b0585bb4c639c9f60b2b40

SHA512
dd5e452da669a89cd6866eb02c9f4a4c80107e649fb54fab1f9148ecd4b4bc7a7a74e4061401605b299a3f71430e63cead3f015fd85c87c8024163fb448c1ddc

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\cxbila8d.0.cs

Filesize
424B

MD5
9f8ab7eb0ab21443a2fe06dab341510e

SHA1
2b88b3116a79e48bab7114e18c9b9674e8a52165

SHA256
e1a4fbe36125e02e100e729ce92ab74869423da87cb46da6e3c50d7c4410b2d9

SHA512
53f5dc4c853af5a412fde895635ef4b2de98a165e3546130fdd17a37a5c3b177e21eccf70a5ddf936ac491da2d7e8fcdbc1e564a95ec01b097841aa78869989b

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\cxbila8d.cmdline

Filesize
309B

MD5
a217f993327e413789560573d5de9236

SHA1
a1b79d88e6ca7c0d291b67fd5b281ce5c1c3e5da

SHA256
9341f883e383437709d5438aa62faeb629e2ea8a6a34b1aa90809beedb3df6bc

SHA512
665022cc76ebcb48f5f93b0bf7a0814bd02477c200fe4bff8079bcaa0f92689fe061078aecebc342d4ab20c9deec071965b07d8d2198f0cfb56b35b65953fc20

Download Submit
memory/612-76-0x0000000002450000-0x0000000002490000-memory.dmp

Filesize
256KB

Download
memory/612-75-0x0000000002450000-0x0000000002490000-memory.dmp

Filesize
256KB

Download
memory/612-72-0x000000006ED90000-0x000000006F33B000-memory.dmp

Filesize
5.7MB

Download
memory/612-73-0x0000000002450000-0x0000000002490000-memory.dmp

Filesize
256KB

Download
memory/612-77-0x000000006ED90000-0x000000006F33B000-memory.dmp

Filesize
5.7MB

Download
memory/612-74-0x000000006ED90000-0x000000006F33B000-memory.dmp

Filesize
5.7MB

Download
memory/2072-6-0x0000000007A80000-0x0000000007AC0000-memory.dmp

Filesize
256KB

Download
memory/2072-0-0x0000000004940000-0x0000000004D46000-memory.dmp

Filesize
4.0MB

Download
memory/2072-9-0x0000000004940000-0x0000000004D46000-memory.dmp

Filesize
4.0MB

Download
memory/2072-4-0x0000000007EC0000-0x00000000082C4000-memory.dmp

Filesize
4.0MB

Download
memory/2072-7-0x0000000007A80000-0x0000000007AC0000-memory.dmp

Filesize
256KB

Download
memory/2072-5-0x0000000073DF0000-0x00000000744DE000-memory.dmp

Filesize
6.9MB

Download
memory/2072-3-0x0000000000400000-0x0000000002F44000-memory.dmp

Filesize
43.3MB

Download
memory/2072-2-0x0000000004D50000-0x0000000005152000-memory.dmp

Filesize
4.0MB

Download
memory/2072-1-0x0000000004940000-0x0000000004D46000-memory.dmp

Filesize
4.0MB

Download
memory/2072-10-0x0000000004D50000-0x0000000005152000-memory.dmp

Filesize
4.0MB

Download
memory/2072-13-0x0000000007A80000-0x0000000007AC0000-memory.dmp

Filesize
256KB

Download
memory/2072-11-0x0000000073DF0000-0x00000000744DE000-memory.dmp

Filesize
6.9MB

Download
memory/2512-54-0x000000006ED90000-0x000000006F33B000-memory.dmp

Filesize
5.7MB

Download
memory/2512-50-0x000000006ED90000-0x000000006F33B000-memory.dmp

Filesize
5.7MB

Download
memory/2512-51-0x000000006ED90000-0x000000006F33B000-memory.dmp

Filesize
5.7MB

Download
memory/2512-49-0x000000006ED90000-0x000000006F33B000-memory.dmp

Filesize
5.7MB

Download
memory/2512-52-0x0000000002540000-0x0000000002580000-memory.dmp

Filesize
256KB

Download
memory/2628-18-0x000000006ED90000-0x000000006F33B000-memory.dmp

Filesize
5.7MB

Download
memory/2628-53-0x00000000024C0000-0x0000000002500000-memory.dmp

Filesize
256KB

Download
memory/2628-61-0x00000000024C0000-0x0000000002500000-memory.dmp

Filesize
256KB

Download
memory/2628-19-0x000000006ED90000-0x000000006F33B000-memory.dmp

Filesize
5.7MB

Download
memory/2628-20-0x00000000024C0000-0x0000000002500000-memory.dmp

Filesize
256KB

Download
memory/2628-21-0x00000000024C0000-0x0000000002500000-memory.dmp

Filesize
256KB

Download
memory/2628-42-0x000000006ED90000-0x000000006F33B000-memory.dmp

Filesize
5.7MB

Download
memory/2628-48-0x000000006ED90000-0x000000006F33B000-memory.dmp

Filesize
5.7MB

Download
memory/2660-63-0x0000000002920000-0x0000000002960000-memory.dmp

Filesize
256KB

Download
memory/2660-66-0x000000006ED90000-0x000000006F33B000-memory.dmp

Filesize
5.7MB

Download
memory/2660-65-0x0000000002920000-0x0000000002960000-memory.dmp

Filesize
256KB

Download
memory/2660-64-0x0000000002920000-0x0000000002960000-memory.dmp

Filesize
256KB

Download
memory/2660-60-0x000000006ED90000-0x000000006F33B000-memory.dmp

Filesize
5.7MB

Download
memory/2660-62-0x000000006ED90000-0x000000006F33B000-memory.dmp

Filesize
5.7MB

Download
memory/2896-29-0x0000000000360000-0x00000000003A0000-memory.dmp

Filesize
256KB

Download