aff4bb9b15bccff67a112a7857d28d3f2f436e2e42f11be14930fe496269d573

Analysis

max time kernel
51s
max time network
72s
platform
windows10_x64
resource
win10-20220414-en
submitted
14-07-2022 23:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

winrar600.exe
Size

2.9MB
MD5

c74862e16bcc2b0e02cadb7ab14e3cd6
SHA1

6569aa87d28db836d7d3380b32a83654f3e909cf
SHA256

aff4bb9b15bccff67a112a7857d28d3f2f436e2e42f11be14930fe496269d573
SHA512

d28fbfd2b75789d85f402190b25bc7649bcde742495465ac22ffc3bc583d5e27aa2975d781d3a7d51b26149236ebcce8a94ec1d615e83a568d68c57bb8b10fa7

Score

10^/10

discovery persistence

Malware Config

Signatures

Modifies system executable filetype association 2 TTPs 8 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1042

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA}	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA}\	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\WinRAR32	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\WinRAR32\ = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA}	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA}\	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\WinRAR	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\WinRAR\ = "{B41DB860-64E4-11D2-9906-E49FADC173CA}"	uninstall.exe

Executes dropped EXE 1 IoCs

pid	Process
304	uninstall.exe

Registers COM server for autorun 1 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B41DB860-64E4-11D2-9906-E49FADC173CA}\InProcServer32	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B41DB860-64E4-11D2-9906-E49FADC173CA}\InProcServer32\ = "C:\\Program Files (x86)\\WinRAR\\rarext64.dll"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B41DB860-64E4-11D2-9906-E49FADC173CA}\InProcServer32\ThreadingModel = "Apartment"	uninstall.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 42 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\WinRAR\UnRAR.exe	winrar600.exe
File opened for modification	C:\Program Files (x86)\WinRAR\Descript.ion	winrar600.exe
File created	C:\Program Files (x86)\WinRAR\ReadMe.txt	winrar600.exe
File created	C:\Program Files (x86)\WinRAR\RarFiles.lst	winrar600.exe
File opened for modification	C:\Program Files (x86)\WinRAR\RarFiles.lst	winrar600.exe
File created	C:\Program Files (x86)\WinRAR\Rar.exe	winrar600.exe
File opened for modification	C:\Program Files (x86)\WinRAR\Rar.txt	winrar600.exe
File opened for modification	C:\Program Files (x86)\WinRAR\7zxa.dll	winrar600.exe
File created	C:\Program Files (x86)\WinRAR\Zip.SFX	winrar600.exe
File opened for modification	C:\Program Files (x86)\WinRAR\RarExt64.dll	winrar600.exe
File opened for modification	C:\Program Files (x86)\WinRAR	winrar600.exe
File created	C:\Program Files (x86)\WinRAR\License.txt	winrar600.exe
File opened for modification	C:\Program Files (x86)\WinRAR\License.txt	winrar600.exe
File created	C:\Program Files (x86)\WinRAR\WhatsNew.txt	winrar600.exe
File opened for modification	C:\Program Files (x86)\WinRAR\UnRAR.exe	winrar600.exe
File opened for modification	C:\Program Files (x86)\WinRAR\Default.SFX	winrar600.exe
File created	C:\Program Files (x86)\WinRAR\WinCon.SFX	winrar600.exe
File created	C:\Program Files (x86)\WinRAR\WinRAR.chm	winrar600.exe
File created	C:\Program Files (x86)\WinRAR\__tmp_rar_sfx_access_check_240584281	winrar600.exe
File opened for modification	C:\Program Files (x86)\WinRAR\WhatsNew.txt	winrar600.exe
File created	C:\Program Files (x86)\WinRAR\Uninstall.exe	winrar600.exe
File opened for modification	C:\Program Files (x86)\WinRAR\Uninstall.exe	winrar600.exe
File created	C:\Program Files (x86)\WinRAR\RarExt.dll	winrar600.exe
File created	C:\Program Files (x86)\WinRAR\Order.htm	winrar600.exe
File opened for modification	C:\Program Files (x86)\WinRAR\Uninstall.lst	winrar600.exe
File created	C:\Program Files (x86)\WinRAR\7zxa.dll	winrar600.exe
File created	C:\Program Files (x86)\WinRAR\rarnew.dat	uninstall.exe
File created	C:\Program Files (x86)\WinRAR\zipnew.dat	uninstall.exe
File opened for modification	C:\Program Files (x86)\WinRAR\Zip.SFX	winrar600.exe
File created	C:\Program Files (x86)\WinRAR\Rar.txt	winrar600.exe
File opened for modification	C:\Program Files (x86)\WinRAR\Rar.exe	winrar600.exe
File created	C:\Program Files (x86)\WinRAR\WinRAR.exe	winrar600.exe
File opened for modification	C:\Program Files (x86)\WinRAR\RarExt.dll	winrar600.exe
File created	C:\Program Files (x86)\WinRAR\Default.SFX	winrar600.exe
File opened for modification	C:\Program Files (x86)\WinRAR\WinRAR.chm	winrar600.exe
File created	C:\Program Files (x86)\WinRAR\Descript.ion	winrar600.exe
File created	C:\Program Files (x86)\WinRAR\Uninstall.lst	winrar600.exe
File opened for modification	C:\Program Files (x86)\WinRAR\WinRAR.exe	winrar600.exe
File created	C:\Program Files (x86)\WinRAR\RarExt64.dll	winrar600.exe
File opened for modification	C:\Program Files (x86)\WinRAR\WinCon.SFX	winrar600.exe
File opened for modification	C:\Program Files (x86)\WinRAR\ReadMe.txt	winrar600.exe
File opened for modification	C:\Program Files (x86)\WinRAR\Order.htm	winrar600.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.txz	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shell\open\command	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B41DB860-8EE4-11D2-9906-E49FADC173CA}\InProcServer32\ThreadingModel = "Apartment"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\WinRAR	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.r03\ = "WinRAR"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.r11	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.bz	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.zip\ = "WinRAR.ZIP"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.xxe\ = "WinRAR"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.zipx\ = "WinRAR"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex\ContextMenuHandlers	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex\PropertySheetHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA}	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA}	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.r18	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.r23	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.REV\ = "RAR recovery volume"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\WinRAR32	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.r02\ = "WinRAR"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.uu\ = "WinRAR"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shell\open	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\DefaultIcon\ = "C:\\Program Files (x86)\\WinRAR\\WinRAR.exe,0"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex\ContextMenuHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA}\	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B41DB860-64E4-11D2-9906-E49FADC173CA}	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.r14	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.r19\ = "WinRAR"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.r20	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.arj	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.arj\ = "WinRAR"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.lz	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex\DropHandler\ = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.r11\ = "WinRAR"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.r12	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.r27\ = "WinRAR"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.rar\ShellNew\FileName = "C:\\Program Files (x86)\\WinRAR\\rarnew.dat"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.gz	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.r14\ = "WinRAR"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.uu	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.xz	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex\ContextMenuHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA}	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\WinRAR	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.lzh	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.tar	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B41DB860-8EE4-11D2-9906-E49FADC173CA}\ = "WinRAR"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.rar\ = "WinRAR"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.r02	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.r26\ = "WinRAR"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.r10\ = "WinRAR"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.r26	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shell\open\command\ = "\"C:\\Program Files (x86)\\WinRAR\\WinRAR.exe\" \"%1\""	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex\ContextMenuHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA}	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\WinRAR32	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex\ContextMenuHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA}	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex\PropertySheetHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA}\	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\DragDropHandlers\WinRAR	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\WinRAR	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.r25\ = "WinRAR"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.z\ = "WinRAR"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.001\ = "WinRAR"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.7z	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.gz\ = "WinRAR"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex\DropHandler\ = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.r00\ = "WinRAR"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.r05\ = "WinRAR"	uninstall.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
3036	winrar600.exe
3036	winrar600.exe
304	uninstall.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3036 wrote to memory of 304	3036	winrar600.exe	67
PID 3036 wrote to memory of 304	3036	winrar600.exe	67
PID 3036 wrote to memory of 304	3036	winrar600.exe	67

C:\Users\Admin\AppData\Local\Temp\winrar600.exe
"C:\Users\Admin\AppData\Local\Temp\winrar600.exe"
1⤵
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3036
- C:\Program Files (x86)\WinRAR\uninstall.exe
  "C:\Program Files (x86)\WinRAR\uninstall.exe" /setup
  2⤵
  - Modifies system executable filetype association
  - Executes dropped EXE
  - Registers COM server for autorun
  - Drops file in Program Files directory
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  PID:304

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Change Default File Association

T1042

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\WinRAR\Rar.txt

Filesize
105KB

MD5
a2cebfd18b8b97fc0b18db95d9364ca1

SHA1
7d4fdd5d33b1098df5ec3471d8934b5d30c5da73

SHA256
f3ccf2f7a7981a09b5ad75302d33cad253394fcc344edc8fdb59c2e66d405930

SHA512
1f426c3863f207b24c02067361188e2630bf553d9840bc170d3633af313852a47421e43f25d87d460c366668eb7c6f60523b2b087a1a9d710d07d0a2627abd72

Download Submit
C:\Program Files (x86)\WinRAR\Uninstall.exe

Filesize
366KB

MD5
54ebba23af8ea3562c143b6f9a2e0bc1

SHA1
3dbca72735ce91059e22c41b6527a1fd74c08425

SHA256
a434ef5347fa047e6eb21e0c00e689bdc88f3c715281c9c2afb0ec1a46578586

SHA512
2662f189cb4b8a95d5356e89add685c606c4bbd60f189ed975e9f5c1148c7051d025741743e74eec8e67d61f36f87ff2faac417a1847a71b02cd2fc5fb7d68ef

Download Submit
C:\Program Files (x86)\WinRAR\WhatsNew.txt

Filesize
82KB

MD5
f9b2c17e898b62cbcdfc641282eaeddf

SHA1
7870d39eb4955bb7c5f0dd25f52846aa120831aa

SHA256
4f78d917ef8238238495168bd780bea42063ac6097dfe4322544eee65cbb67d8

SHA512
0306c0cec9c8233d694784b1512adcb936aa5c499af695adfa68efc48c39f2a2c02e9f5637e02541e13d6bb73c48400c8ca9c79affd66e8be24e1a692b81ae33

Download Submit
C:\Program Files (x86)\WinRAR\WinRAR.chm

Filesize
313KB

MD5
2cf1541d0f89c9b0f4c77d1c276abb2b

SHA1
bc4dced7f3fcc4aa3b804ebb27c55a5eba57dc96

SHA256
48f7da1a43e24e564cc8c93ce967434b5e0bb2ff6cb705b62381fde827bf3f81

SHA512
a7a8093f7762ed5a928020d598490b2fa2f9fc2db61d77ab91f015ee2c112f591826e620c22510980108101dfcf86d5bfb08f54d15a9a16c3c0659d8bc66fa36

Download Submit
C:\Program Files (x86)\WinRAR\WinRAR.exe

Filesize
2.4MB

MD5
fd7b28f197668c62d7ab2eb77ad2750d

SHA1
d9c0ec348cf944c7f239e92e1bdb66caaf711895

SHA256
1317d70682bd11e5d320af850d6ecbb5a70c200d626ec7bf69c47566894db515

SHA512
49017ed6caa0ccd00834bca3cd96ef42fc9923e2b6232841680d44e3cb6907dc5cc3c3a8c2aaff8239230755c5dab43a9f9003347cb274d7ff5f0ed06c0c8e61

Download Submit
C:\Program Files (x86)\WinRAR\uninstall.exe

Filesize
366KB

MD5
54ebba23af8ea3562c143b6f9a2e0bc1

SHA1
3dbca72735ce91059e22c41b6527a1fd74c08425

SHA256
a434ef5347fa047e6eb21e0c00e689bdc88f3c715281c9c2afb0ec1a46578586

SHA512
2662f189cb4b8a95d5356e89add685c606c4bbd60f189ed975e9f5c1148c7051d025741743e74eec8e67d61f36f87ff2faac417a1847a71b02cd2fc5fb7d68ef

Download Submit
memory/3036-150-0x0000000077020000-0x00000000771AE000-memory.dmp

Filesize
1.6MB

Download
memory/3036-181-0x0000000077020000-0x00000000771AE000-memory.dmp

Filesize
1.6MB

Download
memory/3036-124-0x0000000077020000-0x00000000771AE000-memory.dmp

Filesize
1.6MB

Download
memory/3036-125-0x0000000077020000-0x00000000771AE000-memory.dmp

Filesize
1.6MB

Download
memory/3036-127-0x0000000077020000-0x00000000771AE000-memory.dmp

Filesize
1.6MB

Download
memory/3036-128-0x0000000077020000-0x00000000771AE000-memory.dmp

Filesize
1.6MB

Download
memory/3036-129-0x0000000077020000-0x00000000771AE000-memory.dmp

Filesize
1.6MB

Download
memory/3036-130-0x0000000077020000-0x00000000771AE000-memory.dmp

Filesize
1.6MB

Download
memory/3036-132-0x0000000077020000-0x00000000771AE000-memory.dmp

Filesize
1.6MB

Download
memory/3036-131-0x0000000077020000-0x00000000771AE000-memory.dmp

Filesize
1.6MB

Download
memory/3036-158-0x0000000077020000-0x00000000771AE000-memory.dmp

Filesize
1.6MB

Download
memory/3036-134-0x0000000077020000-0x00000000771AE000-memory.dmp

Filesize
1.6MB

Download
memory/3036-135-0x0000000077020000-0x00000000771AE000-memory.dmp

Filesize
1.6MB

Download
memory/3036-136-0x0000000077020000-0x00000000771AE000-memory.dmp

Filesize
1.6MB

Download
memory/3036-137-0x0000000077020000-0x00000000771AE000-memory.dmp

Filesize
1.6MB

Download
memory/3036-138-0x0000000077020000-0x00000000771AE000-memory.dmp

Filesize
1.6MB

Download
memory/3036-140-0x0000000077020000-0x00000000771AE000-memory.dmp

Filesize
1.6MB

Download
memory/3036-139-0x0000000077020000-0x00000000771AE000-memory.dmp

Filesize
1.6MB

Download
memory/3036-141-0x0000000077020000-0x00000000771AE000-memory.dmp

Filesize
1.6MB

Download
memory/3036-142-0x0000000077020000-0x00000000771AE000-memory.dmp

Filesize
1.6MB

Download
memory/3036-143-0x0000000077020000-0x00000000771AE000-memory.dmp

Filesize
1.6MB

Download
memory/3036-144-0x0000000077020000-0x00000000771AE000-memory.dmp

Filesize
1.6MB

Download
memory/3036-145-0x0000000077020000-0x00000000771AE000-memory.dmp

Filesize
1.6MB

Download
memory/3036-146-0x0000000077020000-0x00000000771AE000-memory.dmp

Filesize
1.6MB

Download
memory/3036-147-0x0000000077020000-0x00000000771AE000-memory.dmp

Filesize
1.6MB

Download
memory/3036-148-0x0000000077020000-0x00000000771AE000-memory.dmp

Filesize
1.6MB

Download
memory/3036-149-0x0000000077020000-0x00000000771AE000-memory.dmp

Filesize
1.6MB

Download
memory/3036-121-0x0000000077020000-0x00000000771AE000-memory.dmp

Filesize
1.6MB

Download
memory/3036-151-0x0000000077020000-0x00000000771AE000-memory.dmp

Filesize
1.6MB

Download
memory/3036-152-0x0000000077020000-0x00000000771AE000-memory.dmp

Filesize
1.6MB

Download
memory/3036-183-0x0000000077020000-0x00000000771AE000-memory.dmp

Filesize
1.6MB

Download
memory/3036-122-0x0000000077020000-0x00000000771AE000-memory.dmp

Filesize
1.6MB

Download
memory/3036-133-0x0000000077020000-0x00000000771AE000-memory.dmp

Filesize
1.6MB

Download
memory/3036-159-0x0000000077020000-0x00000000771AE000-memory.dmp

Filesize
1.6MB

Download
memory/3036-161-0x0000000077020000-0x00000000771AE000-memory.dmp

Filesize
1.6MB

Download
memory/3036-162-0x0000000077020000-0x00000000771AE000-memory.dmp

Filesize
1.6MB

Download
memory/3036-160-0x0000000077020000-0x00000000771AE000-memory.dmp

Filesize
1.6MB

Download
memory/3036-164-0x0000000077020000-0x00000000771AE000-memory.dmp

Filesize
1.6MB

Download
memory/3036-163-0x0000000077020000-0x00000000771AE000-memory.dmp

Filesize
1.6MB

Download
memory/3036-157-0x0000000077020000-0x00000000771AE000-memory.dmp

Filesize
1.6MB

Download
memory/3036-165-0x0000000077020000-0x00000000771AE000-memory.dmp

Filesize
1.6MB

Download
memory/3036-156-0x0000000077020000-0x00000000771AE000-memory.dmp

Filesize
1.6MB

Download
memory/3036-155-0x0000000077020000-0x00000000771AE000-memory.dmp

Filesize
1.6MB

Download
memory/3036-166-0x0000000077020000-0x00000000771AE000-memory.dmp

Filesize
1.6MB

Download
memory/3036-167-0x0000000077020000-0x00000000771AE000-memory.dmp

Filesize
1.6MB

Download
memory/3036-168-0x0000000077020000-0x00000000771AE000-memory.dmp

Filesize
1.6MB

Download
memory/3036-170-0x0000000077020000-0x00000000771AE000-memory.dmp

Filesize
1.6MB

Download
memory/3036-171-0x0000000077020000-0x00000000771AE000-memory.dmp

Filesize
1.6MB

Download
memory/3036-172-0x0000000077020000-0x00000000771AE000-memory.dmp

Filesize
1.6MB

Download
memory/3036-169-0x0000000077020000-0x00000000771AE000-memory.dmp

Filesize
1.6MB

Download
memory/3036-173-0x0000000077020000-0x00000000771AE000-memory.dmp

Filesize
1.6MB

Download
memory/3036-174-0x0000000077020000-0x00000000771AE000-memory.dmp

Filesize
1.6MB

Download
memory/3036-176-0x0000000077020000-0x00000000771AE000-memory.dmp

Filesize
1.6MB

Download
memory/3036-177-0x0000000077020000-0x00000000771AE000-memory.dmp

Filesize
1.6MB

Download
memory/3036-178-0x0000000077020000-0x00000000771AE000-memory.dmp

Filesize
1.6MB

Download
memory/3036-175-0x0000000077020000-0x00000000771AE000-memory.dmp

Filesize
1.6MB

Download
memory/3036-179-0x0000000077020000-0x00000000771AE000-memory.dmp

Filesize
1.6MB

Download
memory/3036-120-0x0000000077020000-0x00000000771AE000-memory.dmp

Filesize
1.6MB

Download
memory/3036-119-0x0000000077020000-0x00000000771AE000-memory.dmp

Filesize
1.6MB

Download
memory/3036-154-0x0000000077020000-0x00000000771AE000-memory.dmp

Filesize
1.6MB

Download
memory/3036-184-0x0000000077020000-0x00000000771AE000-memory.dmp

Filesize
1.6MB

Download
memory/3036-153-0x0000000077020000-0x00000000771AE000-memory.dmp

Filesize
1.6MB

Download
memory/3036-182-0x0000000077020000-0x00000000771AE000-memory.dmp

Filesize
1.6MB

Download
memory/3036-180-0x0000000077020000-0x00000000771AE000-memory.dmp

Filesize
1.6MB

Download