Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

Desktop.exe

windows7-x64

1

Desktop.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    262s
  • max time network
    265s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250129-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250129-enlocale:en-usos:windows10-2004-x64system
  • submitted
    07/02/2025, 13:01

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Desktop.exe

  • Size

    1.2MB

  • MD5

    5833c4689f6bbc304244301c22fddd3f

  • SHA1

    6bc8af057a2f44745b3e0ff83b54da8f9aea0aa9

  • SHA256

    8754de98bb6c8a9684c964b0453d69fb1dc619236c8b3bbf6495e47f5200bafe

  • SHA512

    2c54c61e73c6cea8e1b16ce1888da64094cce5dfa8e00f8d14b66c9aee411eaf5183f46d8f7c9d87d6dd9489b4d3d604a355643e1493c0173407ae29de85b28a

  • SSDEEP

    24576:yuDXTIGaPhEYzUzA0bBY2mb7vwKE5ziV5kD12wxc3C0FqVj8GACbZfsV:1Djlabwz9K2OvwKE5GV5k5c3XFqp8fdV

Score
10/10
njratdefense_evasiondiscoveryexecutionpersistencetrojan

Malware Config

Signatures

  • Njrat family
    njrat
  • njRAT/Bladabindi

    Widely used RAT written in .NET.

    trojannjrat
  • Stops running service(s) 4 TTPs
    defense_evasionexecution
  • Checks computer location settings 2 TTPs 4 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 3 IoCs
  • Executes dropped EXE 11 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Using powershell.exe command.

    execution
  • Launches sc.exe 6 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 28 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 48 IoCs
  • Suspicious use of FindShellTrayWindow 30 IoCs
  • Suspicious use of SendNotifyMessage 30 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Views/modifies file attributes 1 TTPs 2 IoCs
    defense_evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\Desktop.exe
    "C:\Users\Admin\AppData\Local\Temp\Desktop.exe"
    1⤵
      PID:1520
    • C:\Windows\System32\rundll32.exe
      C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
      1⤵
        PID:536
      • C:\Users\Admin\AppData\Local\Temp\Desktop.exe
        "C:\Users\Admin\AppData\Local\Temp\Desktop.exe"
        1⤵
        • Checks computer location settings
        • Suspicious use of WriteProcessMemory
        PID:4584
        • C:\Users\Admin\AppData\Roaming\RTP_Launcher.exe
          "C:\Users\Admin\AppData\Roaming\RTP_Launcher.exe"
          2⤵
          • Checks computer location settings
          • Executes dropped EXE
          • Suspicious use of WriteProcessMemory
          PID:452
          • C:\Users\Admin\AppData\Roaming\1.exe
            "C:\Users\Admin\AppData\Roaming\1.exe"
            3⤵
            • Checks computer location settings
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:4076
            • C:\Users\Admin\AppData\Roaming\dllhost.exe
              "C:\Users\Admin\AppData\Roaming\dllhost.exe"
              4⤵
              • Checks computer location settings
              • Drops startup file
              • Executes dropped EXE
              • Adds Run key to start application
              • System Location Discovery: System Language Discovery
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious behavior: GetForegroundWindowSpam
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:3556
              • C:\Windows\SysWOW64\attrib.exe
                attrib +h "C:\Users\Admin\AppData\Roaming\dllhost.exe"
                5⤵
                • System Location Discovery: System Language Discovery
                • Views/modifies file attributes
                PID:5048
              • C:\Windows\SysWOW64\cmd.exe
                cmd /c powershell Set-MpPreference -DisableRealtimeMonitoring $true
                5⤵
                • System Location Discovery: System Language Discovery
                • Suspicious use of WriteProcessMemory
                PID:3688
                • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                  powershell Set-MpPreference -DisableRealtimeMonitoring $true
                  6⤵
                  • Command and Scripting Interpreter: PowerShell
                  • System Location Discovery: System Language Discovery
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:3924
              • C:\Windows\SysWOW64\cmd.exe
                cmd /c sc query windefend
                5⤵
                • System Location Discovery: System Language Discovery
                • Suspicious use of WriteProcessMemory
                PID:4308
                • C:\Windows\SysWOW64\sc.exe
                  sc query windefend
                  6⤵
                  • Launches sc.exe
                  • System Location Discovery: System Language Discovery
                  PID:1536
              • C:\Windows\SysWOW64\cmd.exe
                cmd /c sc stop windefend
                5⤵
                • System Location Discovery: System Language Discovery
                • Suspicious use of WriteProcessMemory
                PID:1992
                • C:\Windows\SysWOW64\sc.exe
                  sc stop windefend
                  6⤵
                  • Launches sc.exe
                  • System Location Discovery: System Language Discovery
                  PID:1776
              • C:\Windows\SysWOW64\cmd.exe
                cmd /c sc delete windefend
                5⤵
                • System Location Discovery: System Language Discovery
                • Suspicious use of WriteProcessMemory
                PID:3364
                • C:\Windows\SysWOW64\sc.exe
                  sc delete windefend
                  6⤵
                  • Launches sc.exe
                  • System Location Discovery: System Language Discovery
                  PID:3560
              • C:\Windows\SysWOW64\schtasks.exe
                schtasks /delete /tn CleanSweepCheck /f
                5⤵
                • System Location Discovery: System Language Discovery
                PID:760
              • C:\Windows\SysWOW64\schtasks.exe
                schtasks /create /sc minute /mo 1 /tn CleanSweepCheck /tr C:\Users\Admin\AppData\Roaming\dllhost.exe
                5⤵
                • System Location Discovery: System Language Discovery
                • Scheduled Task/Job: Scheduled Task
                PID:1060
              • C:\Users\Admin\AppData\Local\Temp\c4dcbc5831444c439af6c44ef399b75b.exe
                "C:\Users\Admin\AppData\Local\Temp\c4dcbc5831444c439af6c44ef399b75b.exe"
                5⤵
                • Executes dropped EXE
                PID:2288
              • C:\Users\Admin\AppData\Local\Temp\9be3e1982fbf46388fa6be2b4646a175.exe
                "C:\Users\Admin\AppData\Local\Temp\9be3e1982fbf46388fa6be2b4646a175.exe"
                5⤵
                • Executes dropped EXE
                PID:4352
              • C:\Users\Admin\AppData\Local\Temp\92074149b9204fbeba672fe752b2bc29.exe
                "C:\Users\Admin\AppData\Local\Temp\92074149b9204fbeba672fe752b2bc29.exe"
                5⤵
                • Executes dropped EXE
                PID:3980
        • C:\Users\Admin\AppData\Roaming\RTC_Launcher.exe
          "C:\Users\Admin\AppData\Roaming\RTC_Launcher.exe"
          2⤵
          • Executes dropped EXE
          • Suspicious use of AdjustPrivilegeToken
          PID:2624
      • C:\Windows\system32\taskmgr.exe
        "C:\Windows\system32\taskmgr.exe" /4
        1⤵
        • Checks SCSI registry key(s)
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:3096
      • C:\Users\Admin\AppData\Roaming\dllhost.exe
        C:\Users\Admin\AppData\Roaming\dllhost.exe
        1⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:4256
      • C:\Windows\system32\AUDIODG.EXE
        C:\Windows\system32\AUDIODG.EXE 0x2ec 0x150
        1⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:3808
      • C:\Users\Admin\AppData\Roaming\dllhost.exe
        C:\Users\Admin\AppData\Roaming\dllhost.exe
        1⤵
        • Drops startup file
        • Executes dropped EXE
        • Adds Run key to start application
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1312
        • C:\Windows\SysWOW64\attrib.exe
          attrib +h "C:\Users\Admin\AppData\Roaming\dllhost.exe"
          2⤵
          • System Location Discovery: System Language Discovery
          • Views/modifies file attributes
          PID:456
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c powershell Set-MpPreference -DisableRealtimeMonitoring $true
          2⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:1036
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            powershell Set-MpPreference -DisableRealtimeMonitoring $true
            3⤵
            • Command and Scripting Interpreter: PowerShell
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            PID:640
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c sc query windefend
          2⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:772
          • C:\Windows\SysWOW64\sc.exe
            sc query windefend
            3⤵
            • Launches sc.exe
            • System Location Discovery: System Language Discovery
            PID:3556
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c sc stop windefend
          2⤵
          • System Location Discovery: System Language Discovery
          PID:4208
          • C:\Windows\SysWOW64\sc.exe
            sc stop windefend
            3⤵
            • Launches sc.exe
            • System Location Discovery: System Language Discovery
            PID:2572
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c sc delete windefend
          2⤵
          • System Location Discovery: System Language Discovery
          PID:1540
          • C:\Windows\SysWOW64\sc.exe
            sc delete windefend
            3⤵
            • Launches sc.exe
            • System Location Discovery: System Language Discovery
            PID:5012
        • C:\Windows\SysWOW64\schtasks.exe
          schtasks /delete /tn CleanSweepCheck /f
          2⤵
          • System Location Discovery: System Language Discovery
          PID:1532
        • C:\Windows\SysWOW64\schtasks.exe
          schtasks /create /sc minute /mo 1 /tn CleanSweepCheck /tr C:\Users\Admin\AppData\Roaming\dllhost.exe
          2⤵
          • System Location Discovery: System Language Discovery
          • Scheduled Task/Job: Scheduled Task
          PID:1900
      • C:\Users\Admin\AppData\Roaming\dllhost.exe
        C:\Users\Admin\AppData\Roaming\dllhost.exe
        1⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:2896
      • C:\Users\Admin\AppData\Roaming\dllhost.exe
        C:\Users\Admin\AppData\Roaming\dllhost.exe
        1⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:3856

      Network

      MITRE ATT&CK Enterprise v15

      Reconnaissance

      Resource Development

      Initial Access

      Execution

      Command and Scripting Interpreter

      1
      T1059

      PowerShell

      1
      T1059.001

      Scheduled Task/Job

      1
      T1053

      Scheduled Task

      1
      T1053.005

      System Services

      1
      T1569

      Service Execution

      1
      T1569.002

      Persistence

      Boot or Logon Autostart Execution

      1
      T1547

      Registry Run Keys / Startup Folder

      1
      T1547.001

      Create or Modify System Process

      1
      T1543

      Windows Service

      1
      T1543.003

      Scheduled Task/Job

      1
      T1053

      Scheduled Task

      1
      T1053.005

      Privilege Escalation

      Boot or Logon Autostart Execution

      1
      T1547

      Registry Run Keys / Startup Folder

      1
      T1547.001

      Create or Modify System Process

      1
      T1543

      Windows Service

      1
      T1543.003

      Scheduled Task/Job

      1
      T1053

      Scheduled Task

      1
      T1053.005

      Defense Evasion

      Hide Artifacts

      1
      T1564

      Hidden Files and Directories

      1
      T1564.001

      Impair Defenses

      1
      T1562

      Modify Registry

      1
      T1112

      Credential Access

      Discovery

      Peripheral Device Discovery

      1
      T1120

      Query Registry

      2
      T1012

      System Information Discovery

      3
      T1082

      System Location Discovery

      1
      T1614

      System Language Discovery

      1
      T1614.001

      Lateral Movement

      Collection

      Command and Control

      Exfiltration

      Impact

      Service Stop

      1
      T1489

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\dllhost.exe.log
        Filesize

        319B

        MD5

        da4fafeffe21b7cb3a8c170ca7911976

        SHA1

        50ef77e2451ab60f93f4db88325b897d215be5ad

        SHA256

        7341a4a13e81cbb5b7f39ec47bb45f84836b08b8d8e3ea231d2c7dad982094f7

        SHA512

        0bc24b69460f31a0ebc0628b99908d818ee85feb7e4b663271d9375b30cced0cd55a0bbf8edff1281a4c886ddf4476ffc989c283069cdcb1235ffcb265580fc6

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
        Filesize

        2KB

        MD5

        968cb9309758126772781b83adb8a28f

        SHA1

        8da30e71accf186b2ba11da1797cf67f8f78b47c

        SHA256

        92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

        SHA512

        4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
        Filesize

        18KB

        MD5

        13359149579e2d2855d13bdb42169f78

        SHA1

        a423b9590bc5a41b51ac50eaaa8ab01bc4dd7532

        SHA256

        316b4c52727c53fbcf96cd7b9c112aeaa868feb8b4fddee0b7b203f37efcaf1b

        SHA512

        a62f2a42aa97e29aa7ee81b82d2a217ef2b5cf64516888425ffc18a80b13b1ae30b5c054c052018ac3c55660599301db90cca14fa57c476cefd38447cc2e2dde

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\9be3e1982fbf46388fa6be2b4646a175.exe
        Filesize

        997KB

        MD5

        28aaac578be4ce06cb695e4f927b4302

        SHA1

        880ab0560b81e05e920f9ec1d6c0ecf5e04eaa7e

        SHA256

        8929d3b749ff91527b8e407eff6bde4bb0bb27739313b5c0db0434cbf700dbfc

        SHA512

        068698bda0543c773b36830f6760456e40e9046d9d20089ad88cb646ef5c7bd6c6716c6d59cfc7abd5bffb9129f5a7076e2f9c9b321795f224923f00b7b91374

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_zwsqfazg.rnj.ps1
        Filesize

        60B

        MD5

        d17fe0a3f47be24a6453e9ef58c94641

        SHA1

        6ab83620379fc69f80c0242105ddffd7d98d5d9d

        SHA256

        96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

        SHA512

        5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\c4dcbc5831444c439af6c44ef399b75b.exe
        Filesize

        844KB

        MD5

        8cac1595b184f66d7a122af38d5dfe71

        SHA1

        e0bc0162472edf77a05134e77b540663ac050ab6

        SHA256

        00201a2fd4916193c9c7bbba7be6a77fa5876085480b67da4e1228fd8b23ae5f

        SHA512

        88d3753ce73bbf95ee1fdbdff21eb9331e59ca92cfa5c489f141c07dc90871e3032e331c9dd77b1fec4522add3ac25c51d5c699d7801a5343dd2ae447c60f8f8

        Download Submit

      • C:\Users\Admin\AppData\Roaming\1.exe
        Filesize

        83KB

        MD5

        fc2d4b9309debcea8f52537442d05b81

        SHA1

        ca5a2b9a954f0f1d2d553429a85470af9d02e131

        SHA256

        7c797c4bcbf2c867c4e2e62e7db64389faa7ff2baf94dcb85c5d3040bc17c6ce

        SHA512

        8fcbcf041045c00f9bb8e9571c2f357db6967f9dceef01b166635072f136e038ba0a0d5989852b5f02a537ed157fbd2bf5b0780a12aa339c0f0bbfd680bd78e8

        Download Submit

      • C:\Users\Admin\AppData\Roaming\RTC_Launcher.exe
        Filesize

        758KB

        MD5

        cb1929328dea316fcb34f3486697d16e

        SHA1

        8c2db8d4b4644cb356a9283b2fa7bb6a988a5d7b

        SHA256

        7a3deffc327b1e49cbc95dc4c41f1f4c0fd55825cc7c18fd06b96a900e0bf5f9

        SHA512

        90ef1cc19c01c1c0b2b4b802e88d622ff07ffc91273350200cd0589e6acabb63634af2883f6cae554dacab0f401b4294d13291707507c6fa035c282214fc6a28

        Download Submit

      • C:\Users\Admin\AppData\Roaming\RTP_Launcher.exe
        Filesize

        519KB

        MD5

        a40b8cf101834a796e8bda79f60d5707

        SHA1

        3b025c326303fe183642a9ac2c9bfaa5c0911380

        SHA256

        d4fa450eca9bf6a80015d4b92c09068b4fad6cb0b0b737cf28bca3ba659fa025

        SHA512

        e5af5e7bbe3a9db0daa6d1f89c52d21563457b79ba2ca2ce4e017ac696e6fa5ec17e83086cbce506945419e63d9fa595bdbfb40278ce783d416f27c1f917b854

        Download Submit

      • memory/640-166-0x0000000007920000-0x0000000007934000-memory.dmp

        Filesize

        80KB

        Download

      • memory/640-165-0x00000000078D0000-0x00000000078E1000-memory.dmp

        Filesize

        68KB

        Download

      • memory/640-164-0x0000000007630000-0x00000000076D3000-memory.dmp

        Filesize

        652KB

        Download

      • memory/640-154-0x000000006F570000-0x000000006F5BC000-memory.dmp

        Filesize

        304KB

        Download

      • memory/640-153-0x0000000006910000-0x000000000695C000-memory.dmp

        Filesize

        304KB

        Download

      • memory/640-143-0x0000000005D00000-0x0000000006054000-memory.dmp

        Filesize

        3.3MB

        Download

      • memory/2288-112-0x000000001C8F0000-0x000000001C93C000-memory.dmp

        Filesize

        304KB

        Download

      • memory/2288-111-0x00000000013D0000-0x00000000013D8000-memory.dmp

        Filesize

        32KB

        Download

      • memory/2288-110-0x000000001C660000-0x000000001C6FC000-memory.dmp

        Filesize

        624KB

        Download

      • memory/2288-109-0x000000001C0F0000-0x000000001C5BE000-memory.dmp

        Filesize

        4.8MB

        Download

      • memory/2288-108-0x000000001BB30000-0x000000001BBD6000-memory.dmp

        Filesize

        664KB

        Download

      • memory/2624-21-0x0000024FBB3C0000-0x0000024FBB484000-memory.dmp

        Filesize

        784KB

        Download

      • memory/3096-47-0x0000016013190000-0x0000016013191000-memory.dmp

        Filesize

        4KB

        Download

      • memory/3096-48-0x0000016013190000-0x0000016013191000-memory.dmp

        Filesize

        4KB

        Download

      • memory/3096-40-0x0000016013190000-0x0000016013191000-memory.dmp

        Filesize

        4KB

        Download

      • memory/3096-41-0x0000016013190000-0x0000016013191000-memory.dmp

        Filesize

        4KB

        Download

      • memory/3096-42-0x0000016013190000-0x0000016013191000-memory.dmp

        Filesize

        4KB

        Download

      • memory/3096-46-0x0000016013190000-0x0000016013191000-memory.dmp

        Filesize

        4KB

        Download

      • memory/3096-52-0x0000016013190000-0x0000016013191000-memory.dmp

        Filesize

        4KB

        Download

      • memory/3096-51-0x0000016013190000-0x0000016013191000-memory.dmp

        Filesize

        4KB

        Download

      • memory/3096-50-0x0000016013190000-0x0000016013191000-memory.dmp

        Filesize

        4KB

        Download

      • memory/3096-49-0x0000016013190000-0x0000016013191000-memory.dmp

        Filesize

        4KB

        Download

      • memory/3924-86-0x00000000075C0000-0x0000000007656000-memory.dmp

        Filesize

        600KB

        Download

      • memory/3924-53-0x00000000026D0000-0x0000000002706000-memory.dmp

        Filesize

        216KB

        Download

      • memory/3924-90-0x0000000007680000-0x000000000769A000-memory.dmp

        Filesize

        104KB

        Download

      • memory/3924-91-0x0000000007660000-0x0000000007668000-memory.dmp

        Filesize

        32KB

        Download

      • memory/3924-69-0x0000000006060000-0x00000000060AC000-memory.dmp

        Filesize

        304KB

        Download

      • memory/3924-68-0x0000000006010000-0x000000000602E000-memory.dmp

        Filesize

        120KB

        Download

      • memory/3924-67-0x0000000005B10000-0x0000000005E64000-memory.dmp

        Filesize

        3.3MB

        Download

      • memory/3924-57-0x0000000005970000-0x00000000059D6000-memory.dmp

        Filesize

        408KB

        Download

      • memory/3924-56-0x0000000005900000-0x0000000005966000-memory.dmp

        Filesize

        408KB

        Download

      • memory/3924-55-0x0000000005020000-0x0000000005042000-memory.dmp

        Filesize

        136KB

        Download

      • memory/3924-54-0x00000000051E0000-0x0000000005808000-memory.dmp

        Filesize

        6.2MB

        Download

      • memory/3924-89-0x0000000007580000-0x0000000007594000-memory.dmp

        Filesize

        80KB

        Download

      • memory/3924-88-0x0000000007570000-0x000000000757E000-memory.dmp

        Filesize

        56KB

        Download

      • memory/3924-87-0x0000000007540000-0x0000000007551000-memory.dmp

        Filesize

        68KB

        Download

      • memory/3924-70-0x0000000006610000-0x0000000006642000-memory.dmp

        Filesize

        200KB

        Download

      • memory/3924-85-0x00000000073B0000-0x00000000073BA000-memory.dmp

        Filesize

        40KB

        Download

      • memory/3924-84-0x0000000007340000-0x000000000735A000-memory.dmp

        Filesize

        104KB

        Download

      • memory/3924-83-0x0000000007980000-0x0000000007FFA000-memory.dmp

        Filesize

        6.5MB

        Download

      • memory/3924-82-0x0000000007200000-0x00000000072A3000-memory.dmp

        Filesize

        652KB

        Download

      • memory/3924-81-0x00000000065D0000-0x00000000065EE000-memory.dmp

        Filesize

        120KB

        Download

      • memory/3924-71-0x000000006EF40000-0x000000006EF8C000-memory.dmp

        Filesize

        304KB

        Download