Analysis
max time kernel: 149s
max time network: 142s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 03-01-2025 16:49
Static task: static1
Behavioral task: behavioral1
Sample: 4b71451551fc49cb793675c1333df2023a2b0dfd67976a5ebe52600524794f01.exe
Resource: win7-20240903-en
General
Target: 4b71451551fc49cb793675c1333df2023a2b0dfd67976a5ebe52600524794f01.exe
Size: 263KB
MD5: 582fb65add01ce95d827b96006a3ff42
SHA1: d8931a791f8ef3d4015aec2bffa47808e28877b5
SHA256: 4b71451551fc49cb793675c1333df2023a2b0dfd67976a5ebe52600524794f01
SHA512: 6e2194abfba98c6723040b9d4e801a8d4e75cc8449d408638fa80edfa11865cad9d01b768c21919ed863f3e7f97d258930ccbbf6acbc0e65c730ead79f5c7141
SSDEEP: 6144:iz+92mhAMJ/cPl3i+eLba0WZj+ufaZef6IMLWKH1cLb1UyOr0Sg3:iK2mhAMJ/cPlQIFXfaZefAyb1FOB2
Malware Config
Signatures
Detects PlugX payload 18 IoCs
resource, yara_rule:
- behavioral1/memory/2940-26-0x00000000002A0000-0x00000000002D0000-memory.dmp family_plugx
- behavioral1/memory/2904-47-0x0000000000440000-0x0000000000470000-memory.dmp family_plugx
- behavioral1/memory/2620-51-0x00000000002A0000-0x00000000002D0000-memory.dmp family_plugx
- behavioral1/memory/2684-57-0x00000000001B0000-0x00000000001E0000-memory.dmp family_plugx
- behavioral1/memory/2620-58-0x00000000002A0000-0x00000000002D0000-memory.dmp family_plugx
- behavioral1/memory/2684-76-0x00000000001B0000-0x00000000001E0000-memory.dmp family_plugx
- behavioral1/memory/2684-75-0x00000000001B0000-0x00000000001E0000-memory.dmp family_plugx
- behavioral1/memory/2684-74-0x00000000001B0000-0x00000000001E0000-memory.dmp family_plugx
- behavioral1/memory/2684-80-0x00000000001B0000-0x00000000001E0000-memory.dmp family_plugx
- behavioral1/memory/2684-62-0x00000000001B0000-0x00000000001E0000-memory.dmp family_plugx
- behavioral1/memory/2940-61-0x00000000002A0000-0x00000000002D0000-memory.dmp family_plugx
- behavioral1/memory/2684-81-0x00000000001B0000-0x00000000001E0000-memory.dmp family_plugx
- behavioral1/memory/2904-85-0x0000000000440000-0x0000000000470000-memory.dmp family_plugx
- behavioral1/memory/1560-91-0x0000000000250000-0x0000000000280000-memory.dmp family_plugx
- behavioral1/memory/1560-94-0x0000000000250000-0x0000000000280000-memory.dmp family_plugx
- behavioral1/memory/1560-93-0x0000000000250000-0x0000000000280000-memory.dmp family_plugx
- behavioral1/memory/2684-95-0x00000000001B0000-0x00000000001E0000-memory.dmp family_plugx
- behavioral1/memory/2684-98-0x00000000001B0000-0x00000000001E0000-memory.dmp family_plugx
Plugx family
Deletes itself 1 IoCs
pid Process:
- 2940 Nv.exe
Executes dropped EXE 3 IoCs
pid Process:
- 2940 Nv.exe
- 2904 Nv.exe
- 2620 Nv.exe
Loads dropped DLL 8 IoCs
pid Process:
- 2416 4b71451551fc49cb793675c1333df2023a2b0dfd67976a5ebe52600524794f01.exe (5 entries)
- 2940 Nv.exe
- 2904 Nv.exe
- 2620 Nv.exe
Drops file in System32 directory 1 IoCs
description, ioc, Process:
- File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat svchost.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 6 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description, ioc, Process:
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language msiexec.exe
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4b71451551fc49cb793675c1333df2023a2b0dfd67976a5ebe52600524794f01.exe
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nv.exe
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nv.exe
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nv.exe
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.exe
Modifies data under HKEY_USERS 33 IoCs
description, ioc, Process:
- Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\Post Platform svchost.exe
- Key created \REGISTRY\USER\.DEFAULT\SOFTWARE svchost.exe
- Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent svchost.exe
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad svchost.exe
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ svchost.exe
- Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0" svchost.exe
- Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\4a-ca-24-3b-ab-ef\WpadDecisionTime = e090c77dff5ddb01 svchost.exe
- Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion svchost.exe
- Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{92F7C9E8-F056-4FBA-A791-4147CB7B9EE2}\WpadDecisionReason = "1" svchost.exe
- Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{92F7C9E8-F056-4FBA-A791-4147CB7B9EE2}\WpadDecision = "0" svchost.exe
- Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{92F7C9E8-F056-4FBA-A791-4147CB7B9EE2}\WpadNetworkName = "Network 3" svchost.exe
- Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\4a-ca-24-3b-ab-ef\WpadDecision = "0" svchost.exe
- Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform svchost.exe
- Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 svchost.exe
- Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00ae000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 svchost.exe
- Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" svchost.exe
- Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" svchost.exe
- Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" svchost.exe
- Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows svchost.exe
- Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\4a-ca-24-3b-ab-ef svchost.exe
- Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix svchost.exe
- Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" svchost.exe
- Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings svchost.exe
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections svchost.exe
- Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{92F7C9E8-F056-4FBA-A791-4147CB7B9EE2} svchost.exe
- Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{92F7C9E8-F056-4FBA-A791-4147CB7B9EE2}\WpadDecisionTime = e090c77dff5ddb01 svchost.exe
- Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{92F7C9E8-F056-4FBA-A791-4147CB7B9EE2}\4a-ca-24-3b-ab-ef svchost.exe
- Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\4a-ca-24-3b-ab-ef\WpadDecisionReason = "1" svchost.exe
- Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft svchost.exe
- Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0 svchost.exe
- Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent svchost.exe
- Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 svchost.exe
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings svchost.exe
Modifies registry class 2 IoCs
description, ioc, Process:
- Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\FAST\CLSID = 38004300360042003300390042003300330044004100300035003700330035000000 svchost.exe
- Key created \REGISTRY\MACHINE\Software\CLASSES\FAST svchost.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process (number of entries):
- 2940 Nv.exe (1)
- 2684 svchost.exe (13)
- 1560 msiexec.exe (50)
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
pid Process:
- 2684 svchost.exe
- 1560 msiexec.exe
Suspicious use of AdjustPrivilegeToken 10 IoCs
description, pid, Process:
- Token: SeDebugPrivilege 2940 Nv.exe
- Token: SeTcbPrivilege 2940 Nv.exe
- Token: SeDebugPrivilege 2904 Nv.exe
- Token: SeTcbPrivilege 2904 Nv.exe
- Token: SeDebugPrivilege 2620 Nv.exe
- Token: SeTcbPrivilege 2620 Nv.exe
- Token: SeDebugPrivilege 2684 svchost.exe
- Token: SeTcbPrivilege 2684 svchost.exe
- Token: SeDebugPrivilege 1560 msiexec.exe
- Token: SeTcbPrivilege 1560 msiexec.exe
Suspicious use of WriteProcessMemory 28 IoCs
description, pid, Process, procid_target (number of entries):
- PID 2416 wrote to memory of 2940 4b71451551fc49cb793675c1333df2023a2b0dfd67976a5ebe52600524794f01.exe, target 30 (7)
- PID 2620 wrote to memory of 2684 Nv.exe, target 34 (9)
- PID 2684 wrote to memory of 1560 svchost.exe, target 35 (12)
Processes
- C:\Users\Admin\AppData\Local\Temp\4b71451551fc49cb793675c1333df2023a2b0dfd67976a5ebe52600524794f01.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\4b71451551fc49cb793675c1333df2023a2b0dfd67976a5ebe52600524794f01.exe"
  PID: 2416
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\RarSFX0\Nv.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Nv.exe"
    PID: 2940
    - Deletes itself
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
- C:\ProgramData\SxS\Nv.exe
  Command line: "C:\ProgramData\SxS\Nv.exe" 100 2940
  PID: 2904
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
- C:\ProgramData\SxS\Nv.exe
  Command line: "C:\ProgramData\SxS\Nv.exe" 200 0
  PID: 2620
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\svchost.exe
    Command line: C:\Windows\system32\svchost.exe 201 0
    PID: 2684
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies data under HKEY_USERS
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\msiexec.exe
      Command line: C:\Windows\system32\msiexec.exe 209 2684
      PID: 1560
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads