plugx | a0b1b2960c06849e66e36c739829d409d03870e400d6402f438e80741cb2ef34

Analysis

max time kernel
149s
max time network
154s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
26-04-2024 14:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

aa.rar
Size

191KB
MD5

1f5da599ec39b53f38093acb1d77d8e4
SHA1

f2c6a5094baed51cb35151271394bd208226fc6d
SHA256

a0b1b2960c06849e66e36c739829d409d03870e400d6402f438e80741cb2ef34
SHA512

e9e21285bca2156b6320a60a4d2de1e67ac266e4483663b8bb47569b357ff8e287149f5dbe6b0fe88d3ed898f96ce12e3394378e684722ddee9cc1d930237a0c
SSDEEP

3072:QFkxQpxPrp85bdiA7OW6QyxrWHONGmLnSxMs8a2HOeAtz3z0a4Gn8:Qf7sEA7Odhx1fat2ub7T/n8

Score

10^/10

plugx persistence trojan

Malware Config

Extracted

Family

plugx

45.251.240.55:443

45.251.240.55:8080

45.251.240.55:8000

Mutex

EDysZYTmoiuUydWatmWb

Attributes

folder
AAM UpdatesHtA

Signatures

PlugX
PlugX is a RAT (Remote Access Trojan) that has been around since 2008.
trojan plugx

Executes dropped EXE 2 IoCs

Processes:

AAM Updates.exeAAM Updates.exe

pid	Process
808	AAM Updates.exe
3672	AAM Updates.exe

Loads dropped DLL 3 IoCs

Processes:

rundll32.exeAAM Updates.exeAAM Updates.exe

pid	Process
5044	rundll32.exe
808	AAM Updates.exe
3672	AAM Updates.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

AAM Updates.exe

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\AAM UpdatesHtA = "\"C:\\ProgramData\\AAM UpdatesHtA\\AAM Updates.exe\" 346"	AAM Updates.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000\Software\Microsoft\Windows\CurrentVersion\Run\AAM UpdatesHtA = "\"C:\\ProgramData\\AAM UpdatesHtA\\AAM Updates.exe\" 346"	AAM Updates.exe

Enumerates connected drives 3 TTPs 2 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

AAM Updates.exe

description	ioc	Process
File opened (read-only)	\??\D:	AAM Updates.exe
File opened (read-only)	\??\F:	AAM Updates.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe

Modifies registry class 43 IoCs

Processes:

explorer.exeAAM Updates.execmd.exeAAM Updates.exeOpenWith.exe

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\MRUListEx = 00000000ffffffff	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = 00000000ffffffff	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\0 = 4e003100000000009a583375100054656d7000003a0009000400efbe84580d629a5833752e000000ad52010000000100000000000000000000000000000010168a00540065006d007000000014000000	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\0\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\ms-pu	AAM Updates.exe
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\0\NodeSlot = "1"	explorer.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\ms-pu\PROXY	AAM Updates.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 19002f433a5c000000000000000000000000000000000000000000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance	explorer.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\ms-pu	AAM Updates.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 = 780031000000000084580d621100557365727300640009000400efbe724a0b5d84580d622e000000320500000000010000000000000000003a000000000008d3c90055007300650072007300000040007300680065006c006c00330032002e0064006c006c002c002d0032003100380031003300000014000000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\0	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 = 500031000000000084583a6d100041646d696e003c0009000400efbe84580d6284583a6d2e0000008e52010000000100000000000000000000000000000023bffe00410064006d0069006e00000014000000	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\MRUListEx = 00000000ffffffff	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0 = 560031000000000084580d6212004170704461746100400009000400efbe84580d6284580d622e00000099520100000001000000000000000000000000000000a184bb004100700070004400610074006100000016000000	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\MRUListEx = 00000000ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	explorer.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\ms-pu\CLSID = 37004600410036004500370042004100360038004200330043003700320034000000	AAM Updates.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\KnownFolderDerivedFolderType = "{57807898-8C4F-4462-BB63-71042380B109}"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Generic"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\MRUListEx = 00000000ffffffff	explorer.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\ms-pu	AAM Updates.exe
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0 = 50003100000000008458356d10004c6f63616c003c0009000400efbe84580d628458356d2e000000ac5201000000010000000000000000000000000000004dce02014c006f00630061006c00000014000000	explorer.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

explorer.exe

pid	Process
5024	explorer.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

AAM Updates.exe

pid	Process
3672	AAM Updates.exe
3672	AAM Updates.exe
3672	AAM Updates.exe
3672	AAM Updates.exe
3672	AAM Updates.exe
3672	AAM Updates.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

explorer.exe

pid	Process
5024	explorer.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

Processes:

7zG.exeAAM Updates.exe

description	pid	Process
Token: SeRestorePrivilege	1856	7zG.exe
Token: 35	1856	7zG.exe
Token: SeSecurityPrivilege	1856	7zG.exe
Token: SeSecurityPrivilege	1856	7zG.exe
Token: SeDebugPrivilege	3672	AAM Updates.exe
Token: SeDebugPrivilege	3672	AAM Updates.exe
Token: SeTcbPrivilege	3672	AAM Updates.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

7zG.exe

pid	Process
1856	7zG.exe

Suspicious use of SetWindowsHookEx 9 IoCs

Processes:

OpenWith.exeexplorer.exe

pid	Process
3120	OpenWith.exe
5024	explorer.exe
5024	explorer.exe
5024	explorer.exe
5024	explorer.exe
5024	explorer.exe
5024	explorer.exe
5024	explorer.exe
5024	explorer.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

cmd.exeexplorer.exerundll32.exeAAM Updates.exe

description	pid	Process	procid_target
PID 992 wrote to memory of 4508	992	cmd.exe	79
PID 992 wrote to memory of 4508	992	cmd.exe	79
PID 5024 wrote to memory of 1856	5024	explorer.exe	83
PID 5024 wrote to memory of 1856	5024	explorer.exe	83
PID 992 wrote to memory of 5084	992	cmd.exe	84
PID 992 wrote to memory of 5084	992	cmd.exe	84
PID 5084 wrote to memory of 5044	5084	rundll32.exe	85
PID 5084 wrote to memory of 5044	5084	rundll32.exe	85
PID 5084 wrote to memory of 5044	5084	rundll32.exe	85
PID 992 wrote to memory of 808	992	cmd.exe	86
PID 992 wrote to memory of 808	992	cmd.exe	86
PID 992 wrote to memory of 808	992	cmd.exe	86
PID 808 wrote to memory of 3672	808	AAM Updates.exe	87
PID 808 wrote to memory of 3672	808	AAM Updates.exe	87
PID 808 wrote to memory of 3672	808	AAM Updates.exe	87

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\aa.rar
1⤵
- Modifies registry class
PID:1168

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3120

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:992
- C:\Windows\explorer.exe
  explorer .
  2⤵
  PID:4508
- C:\Windows\system32\rundll32.exe
  rundll32 hex.dll,#1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5084
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32 hex.dll,#1
    3⤵
    - Loads dropped DLL
    PID:5044
- C:\Users\Admin\AppData\Local\Temp\AAM Updates.exe
  "AAM Updates.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:808
- - C:\ProgramData\AAM UpdatesHtA\AAM Updates.exe
    "C:\ProgramData\AAM UpdatesHtA\AAM Updates.exe" 346
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Enumerates connected drives
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3672

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:5024
- C:\Program Files\7-Zip\7zG.exe
  "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\AppData\Local\Temp\" -an -ai#7zMap14091:84:7zEvent8992
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:1856

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4972

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\AAM Updates.exe

Filesize
185KB

MD5
c70d8dce46b4551133ecc58aed84bf0e

SHA1
00626346632fdfb2a1d5831793e92a3601ec4d9f

SHA256
0459e62c5444896d5be404c559c834ba455fa5cae1689c70fc8c61bc15468681

SHA512
12117c7fa9acef9a2a8d7da53a2a435dd45298bb98439025e2c4a3bb0c8096675d5541c0b2eb7246164e2a19cd879f98c0a007b0f73691d59036822be01a6f92

Download Submit
C:\Users\Admin\AppData\Local\Temp\adobeupdate.dat

Filesize
157KB

MD5
317705ca7476ac9a754b80fded717f6b

SHA1
ed690e1eb83b4a71529e2b8e92d9699f53171250

SHA256
abd6521990e88bd18bbcba063744efe0ccac23063bb340720cc3f610d9b1c770

SHA512
2d452ab0fa2f2692061b1afb43bea1ead1bc47b328a00e8508e1121446646cb6ce686bf4d9538cdaf2c176ba0ae59df701930331cc52a3d94cc1ba9d64abf167

Download Submit
C:\Users\Admin\AppData\Local\Temp\hex.dll

Filesize
20KB

MD5
b061d981d224454ffd8d692cf7ee92b7

SHA1
2c93c30207786343f3de6ca540d14fefc237a9b4

SHA256
14f9278f3515fae71ccb8073cfaf73bdcc00eab3888d8cee6fb43a4f51c9e699

SHA512
ac1923f62becd49f164f9ff6782468e554a6a13b5d00cff3fb889f8198d311004ecfe9658ccad58b348e2b39d4e8c51d9623e658d64a2fdcafa82e4b86493014

Download Submit
memory/808-13-0x0000000003040000-0x0000000006C76000-memory.dmp

Filesize
60.2MB

Download
memory/3672-28-0x0000000002380000-0x0000000005FB6000-memory.dmp

Filesize
60.2MB

Download
memory/3672-25-0x0000000002380000-0x0000000005FB6000-memory.dmp

Filesize
60.2MB

Download
memory/3672-26-0x0000000002380000-0x0000000005FB6000-memory.dmp

Filesize
60.2MB

Download
memory/3672-27-0x0000000002380000-0x0000000005FB6000-memory.dmp

Filesize
60.2MB

Download
memory/3672-24-0x0000000002380000-0x0000000005FB6000-memory.dmp

Filesize
60.2MB

Download
memory/3672-32-0x0000000002380000-0x0000000005FB6000-memory.dmp

Filesize
60.2MB

Download
memory/3672-33-0x0000000002380000-0x0000000005FB6000-memory.dmp

Filesize
60.2MB

Download
memory/3672-34-0x0000000002380000-0x0000000005FB6000-memory.dmp

Filesize
60.2MB

Download
memory/3672-35-0x0000000002380000-0x0000000005FB6000-memory.dmp

Filesize
60.2MB

Download
memory/3672-36-0x0000000002380000-0x0000000005FB6000-memory.dmp

Filesize
60.2MB

Download
memory/3672-37-0x0000000002380000-0x0000000005FB6000-memory.dmp

Filesize
60.2MB

Download
memory/3672-38-0x0000000002380000-0x0000000005FB6000-memory.dmp

Filesize
60.2MB

Download
memory/3672-39-0x0000000002380000-0x0000000005FB6000-memory.dmp

Filesize
60.2MB

Download