Overview

overview

10

Static

static

7ec95111e0...ed.exe

windows7_x64

10

7ec95111e0...ed.exe

windows10_x64

3

Resubmissions

18-08-2021 21:21

210818-5xegav1ypa 10

22-05-2021 10:53

210522-fad5v5zgre 10

Analysis

  • max time kernel
    128s
  • max time network
    147s
  • platform
    windows7_x64
  • resource
    win7v20210408
  • submitted
    22-05-2021 10:53

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    7ec95111e00ce9c19ebf88e9683363390873451b00e0348bca4d80ef1e4b20ed.exe

  • Size

    22KB

  • MD5

    c6b6ec00b64069d66c8d14d65f7cfd8f

  • SHA1

    b90e6bf12728fa3b0984aabc32b39f1db082a1da

  • SHA256

    7ec95111e00ce9c19ebf88e9683363390873451b00e0348bca4d80ef1e4b20ed

  • SHA512

    c9d7c97c63806e87804c33530f48ba950542ba28421d354cb287c9bf027ff5a853b76200e87eadd3cde0469f4b8c93f8c4bc0e71f5e4aa1cdf33e05c0673254a

Score
10/10
magniberransomware

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\readme.txt

Family

magniber

Ransom Note
ALL YOUR DOCUMENTS PHOTOS DATABASES AND OTHER IMPORTANT FILES HAVE BEEN ENCRYPTED! ==================================================================================================== Your files are NOT damaged! Your files are modified only. This modification is reversible. The only 1 way to decrypt your files is to receive the private key and decryption program. Any attempts to restore your files with the third party software will be fatal for your files! ==================================================================================================== To receive the private key and decryption program follow the instructions below: 1. Download "Tor Browser" from https://www.torproject.org/ and install it. 2. In the "Tor Browser" open your personal page here: http://4c48acb82e784a70aecsnwyqmwa.erpp3f6j634gmj33.onion/csnwyqmwa Note! This page is available via "Tor Browser" only. ==================================================================================================== Also you can use temporary addresses on your personal page without using "Tor Browser": http://4c48acb82e784a70aecsnwyqmwa.jobsbig.cam/csnwyqmwa http://4c48acb82e784a70aecsnwyqmwa.nowuser.casa/csnwyqmwa http://4c48acb82e784a70aecsnwyqmwa.boxgas.icu/csnwyqmwa http://4c48acb82e784a70aecsnwyqmwa.bykeep.club/csnwyqmwa Note! These are temporary addresses! They will be available for a limited amount of time!
URLs

http://4c48acb82e784a70aecsnwyqmwa.erpp3f6j634gmj33.onion/csnwyqmwa

http://4c48acb82e784a70aecsnwyqmwa.jobsbig.cam/csnwyqmwa

http://4c48acb82e784a70aecsnwyqmwa.nowuser.casa/csnwyqmwa

http://4c48acb82e784a70aecsnwyqmwa.boxgas.icu/csnwyqmwa

http://4c48acb82e784a70aecsnwyqmwa.bykeep.club/csnwyqmwa

Signatures

  • Magniber Ransomware

    Ransomware family widely seen in Asia being distributed by the Magnitude exploit kit.

    ransomwaremagniber
  • Process spawned unexpected child process 8 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

    ransomware
  • Modifies extensions of user files 13 IoCs

    Ransomware generally changes the extension on encrypted files.

    ransomware
  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Interacts with shadow copies 2 TTPs 4 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

    ransomware
  • Modifies Internet Explorer settings 1 TTPs 33 IoCs
    adwarespyware
  • Modifies registry class 50 IoCs
  • Opens file in notepad (likely ransom note) 1 IoCs
    ransomware
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 7 IoCs
  • Suspicious use of SendNotifyMessage 24 IoCs
  • Suspicious use of SetWindowsHookEx 8 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\system32\Dwm.exe
    "C:\Windows\system32\Dwm.exe"
    1⤵
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:1196
    • C:\Windows\system32\cmd.exe
      cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe""
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2024
      • C:\Windows\system32\wbem\WMIC.exe
        C:\Windows\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe"
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:288
  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1256
    • C:\Users\Admin\AppData\Local\Temp\7ec95111e00ce9c19ebf88e9683363390873451b00e0348bca4d80ef1e4b20ed.exe
      "C:\Users\Admin\AppData\Local\Temp\7ec95111e00ce9c19ebf88e9683363390873451b00e0348bca4d80ef1e4b20ed.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      PID:1788
      • C:\Windows\system32\cmd.exe
        cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe""
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:296
        • C:\Windows\system32\wbem\WMIC.exe
          C:\Windows\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe"
          4⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:1836
    • C:\Windows\system32\cmd.exe
      cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe""
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:544
      • C:\Windows\system32\wbem\WMIC.exe
        C:\Windows\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe"
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:1792
    • C:\Windows\explorer.exe
      "C:\Windows\explorer.exe"
      2⤵
        PID:2280
    • C:\Windows\system32\taskhost.exe
      "taskhost.exe"
      1⤵
      • Modifies extensions of user files
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:1124
      • C:\Windows\system32\notepad.exe
        notepad.exe C:\Users\Public\readme.txt
        2⤵
        • Opens file in notepad (likely ransom note)
        PID:1320
      • C:\Windows\system32\cmd.exe
        cmd /c "start http://4c48acb82e784a70aecsnwyqmwa.jobsbig.cam/csnwyqmwa^&1^&46283070^&88^&399^&12"
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:2032
        • C:\Program Files\Internet Explorer\iexplore.exe
          "C:\Program Files\Internet Explorer\iexplore.exe" http://4c48acb82e784a70aecsnwyqmwa.jobsbig.cam/csnwyqmwa&1&46283070&88&399&12
          3⤵
          • Modifies Internet Explorer settings
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:1064
          • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
            "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1064 CREDAT:275457 /prefetch:2
            4⤵
            • Modifies Internet Explorer settings
            • Suspicious use of SetWindowsHookEx
            PID:1704
      • C:\Windows\system32\cmd.exe
        cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe""
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:1932
        • C:\Windows\system32\wbem\WMIC.exe
          C:\Windows\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe"
          3⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:952
    • C:\Windows\system32\cmd.exe
      cmd /c CompMgmtLauncher.exe
      1⤵
      • Process spawned unexpected child process
      • Suspicious use of WriteProcessMemory
      PID:1520
      • C:\Windows\system32\CompMgmtLauncher.exe
        CompMgmtLauncher.exe
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:2016
        • C:\Windows\system32\wbem\wmic.exe
          "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
          3⤵
            PID:1548
      • C:\Windows\system32\cmd.exe
        cmd /c CompMgmtLauncher.exe
        1⤵
        • Process spawned unexpected child process
        • Suspicious use of WriteProcessMemory
        PID:1920
        • C:\Windows\system32\CompMgmtLauncher.exe
          CompMgmtLauncher.exe
          2⤵
          • Suspicious use of WriteProcessMemory
          PID:912
          • C:\Windows\system32\wbem\wmic.exe
            "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
            3⤵
              PID:668
        • C:\Windows\system32\cmd.exe
          cmd /c CompMgmtLauncher.exe
          1⤵
          • Process spawned unexpected child process
          • Suspicious use of WriteProcessMemory
          PID:1692
          • C:\Windows\system32\CompMgmtLauncher.exe
            CompMgmtLauncher.exe
            2⤵
              PID:1596
              • C:\Windows\system32\wbem\wmic.exe
                "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
                3⤵
                  PID:1688
            • C:\Windows\system32\cmd.exe
              cmd /c CompMgmtLauncher.exe
              1⤵
              • Process spawned unexpected child process
              • Suspicious use of WriteProcessMemory
              PID:1016
              • C:\Windows\system32\CompMgmtLauncher.exe
                CompMgmtLauncher.exe
                2⤵
                  PID:1084
                  • C:\Windows\system32\wbem\wmic.exe
                    "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
                    3⤵
                      PID:1764
                • C:\Windows\system32\vssadmin.exe
                  vssadmin.exe Delete Shadows /all /quiet
                  1⤵
                  • Process spawned unexpected child process
                  • Interacts with shadow copies
                  PID:720
                • C:\Windows\system32\vssadmin.exe
                  vssadmin.exe Delete Shadows /all /quiet
                  1⤵
                  • Process spawned unexpected child process
                  • Interacts with shadow copies
                  • Modifies registry class
                  • Suspicious use of WriteProcessMemory
                  PID:1788
                • C:\Windows\system32\vssadmin.exe
                  vssadmin.exe Delete Shadows /all /quiet
                  1⤵
                  • Process spawned unexpected child process
                  • Interacts with shadow copies
                  PID:1644
                • C:\Windows\system32\conhost.exe
                  \??\C:\Windows\system32\conhost.exe "1525249610-309335695-16022926011397113584159485717820089419132011234923-998227471"
                  1⤵
                  • Suspicious use of WriteProcessMemory
                  PID:1084
                • C:\Windows\system32\conhost.exe
                  \??\C:\Windows\system32\conhost.exe "75213905212396859241736988255-4711596821574049572-1916106291-170072928-1789860560"
                  1⤵
                  • Suspicious use of WriteProcessMemory
                  PID:1596
                • C:\Windows\system32\vssadmin.exe
                  vssadmin.exe Delete Shadows /all /quiet
                  1⤵
                  • Process spawned unexpected child process
                  • Interacts with shadow copies
                  PID:1368
                • C:\Windows\system32\vssvc.exe
                  C:\Windows\system32\vssvc.exe
                  1⤵
                    PID:944
                  • C:\Windows\system32\AUDIODG.EXE
                    C:\Windows\system32\AUDIODG.EXE 0x448
                    1⤵
                      PID:2372

                    Network

                    MITRE ATT&CK Matrix ATT&CK v6

                    Initial Access

                    Execution

                    Persistence

                    Privilege Escalation

                    Defense Evasion

                    File Deletion

                    2
                    T1107

                    Modify Registry

                    1
                    T1112

                    Credential Access

                    Discovery

                    System Information Discovery

                    1
                    T1082

                    Lateral Movement

                    Collection

                    Exfiltration

                    Command and Control

                    Impact

                    Inhibit System Recovery

                    2
                    T1490

                    Replay Monitor

                    Loading Replay Monitor...

                    Downloads

                    • C:\Users\Admin\Desktop\CloseResize.eps.csnwyqmwa
                      MD5

                      a95690d4dd0c56ac3cd9f6944409be6a

                      SHA1

                      465eeb1468fd47adeded7820a25ba90faf8830fa

                      SHA256

                      c08afac131ab2865b6a65a8dd72dee112e9f44fa72ec2e08b9e34a268953e337

                      SHA512

                      8d86f0b20e79a9b6d31f9127b6b6c2e76266fd40e370e78b0c850cb1e7ba65048ac07dffc61710ea7cecebd96fe0856e4bb6ab799632c1c4c357a5b6d26752e2

                      Download Submit
                    • C:\Users\Admin\Desktop\CompletePing.svgz.csnwyqmwa
                      MD5

                      36d874ce384f2ecdcdf688950719fbea

                      SHA1

                      5c3776cd1ae864d8af734d788364cad913ca1138

                      SHA256

                      1ed783e9970d1e0c7ea281d3388f170441fcd527c7dc147759293b401f5b8fbc

                      SHA512

                      515989d5b1a2a4410df063d4b1e3f326240b1ef317d2866b5645538ba8f5e7a2682f8d7de650246644b5e481d8165dfb5d67c6fcb7951e1c851accfea6625c88

                      Download Submit
                    • C:\Users\Admin\Desktop\ConnectUnlock.asf.csnwyqmwa
                      MD5

                      b6b5e9a1e5a15672cfd9725ebf72b78e

                      SHA1

                      a3d4086abd2c850dd1c903b21343bda155da2941

                      SHA256

                      b6562bb22b83fd32e8b804192e55b8b3d0fb5ccc7fdf55915c669c32bb7a8b71

                      SHA512

                      44223a5cde2dd2dc6563ee710d234021e23abfbb5c5b955a7ed752b1b7ece97b5500ef334d93dddbb856542c3d3180095d62558d4a192ed17e0cc2c4ea862118

                      Download Submit
                    • C:\Users\Admin\Desktop\InitializeBackup.tif.csnwyqmwa
                      MD5

                      17450a6bc16d23d9f0a525e5d05e1fe2

                      SHA1

                      c1ac85aa0f131eae426775fe973d446be4252c01

                      SHA256

                      5ebfb00752b85043b9c0decee4267ec95a12ef54e9144fcb5aa7414a403f9d9e

                      SHA512

                      3fb8357af3d0ae64b1f5715ffe80acf8e17d56cf43ce2c8c4ec6ea0f757da68850d703b4a43904943641616d5a7be8870c132b7b43ef30237ac157eaace03c99

                      Download Submit
                    • C:\Users\Admin\Desktop\InstallReceive.xlsx.csnwyqmwa
                      MD5

                      665dc45cec291516cc534a9fa1a5b74c

                      SHA1

                      ae63e1e24da3bb9f1dbfa0edd4dc8ca5a2fa4c72

                      SHA256

                      30e556e547260e0020167b0b848c94bc50466cc0f2594b9695a7492c48484695

                      SHA512

                      4a763710fb711fa3a70ce67b265d58d80c519850c688d6389f5e6ef66d8bcbfd5911199db34da45f05cecda2486bc2886a82b1fd9f02329db07003492d6c6aa1

                      Download Submit
                    • C:\Users\Admin\Desktop\PublishOut.dot.csnwyqmwa
                      MD5

                      248db599316aa212b3baea0312ee1cb8

                      SHA1

                      885440b633dd1963c649e7829a39ce0b2ff19de7

                      SHA256

                      7c6675709c6cc6c4ad6af211690a7f939d378b0ec78978c336d616298e6c014e

                      SHA512

                      bf08e17ffed7c0b7e32ffbe3f390c642b486ba04c489239a0b5c1c8f2bc7e29ff7a05d5d5d784d654d4a12176a9ac6174a56eee1f483115a8ae16c9c4915721d

                      Download Submit
                    • C:\Users\Admin\Desktop\ReadResume.tif.csnwyqmwa
                      MD5

                      0bca1fc87fd67fec874e1a71435a593d

                      SHA1

                      a977bd5aa70406a0f1efb86029d65758ee83c335

                      SHA256

                      a6d9e41ac7ae8cb9d20a693acbdfbe27f2013177c6bc0e3ff775d9cf992a07f9

                      SHA512

                      ce724e6d2dd703ee4ea9321b48922205f56d53eab63627a212141867a6d439f3ad6b636f1c417b5d3ff5fda52f5df5872330a3721d166630c03a306bd11f953e

                      Download Submit
                    • C:\Users\Admin\Desktop\RedoUnlock.svgz.csnwyqmwa
                      MD5

                      a68ce680178346280d407cfe25ce4ea1

                      SHA1

                      741c5b87bb71d10c1d3fbf56c2e81d5bb2346abb

                      SHA256

                      8104040b7d42ee8b428f16033556e76f0527052bc78d97395e0ce3022253c0ab

                      SHA512

                      6beee6c06fedfa13301ec6b6d275cc04d09c049240fb3a3a83c255c8530ab250a0befc355ea39153d41d0f620f8ad3cb58a8ee28299c61c25c7d938e10ff46e5

                      Download Submit
                    • C:\Users\Admin\Desktop\TestInvoke.php.csnwyqmwa
                      MD5

                      e166b773919a6a02ad81d5dea443f01f

                      SHA1

                      f263632a5c55fdc4dc3f368e5a227ea489f733f6

                      SHA256

                      b711e6bba648434011c4e9118c2e68a73c9d234d878ff93911b0da43aa326bb4

                      SHA512

                      73e67b9b1004431d17444edbf96c2648a9fc4a8955a4c2f131df5029732d19a0680beb29e10df0ca5e7357b827d8cc7334e2de6f1edfbafa7f87796532c7ad75

                      Download Submit
                    • C:\Users\Admin\Desktop\UpdateHide.xlt.csnwyqmwa
                      MD5

                      550a2f22e83d0b3ddc4bd9dbd2f36e6a

                      SHA1

                      192995d5dc248b4f49c76e29264e52a52de46a9b

                      SHA256

                      e74311b3b35aa7a90232b210f331d7034d6be0875d0e88dfca7bdc7a23f139fb

                      SHA512

                      d60b217919f2ef20e95fd1d17f3cf53527f1972b5ee2495bc7edbeb3f7e5a84c8a1ab48513e48cf06b988ac62dfe253738ed3f9e9c7605c10eded2dbaa5c943a

                      Download Submit
                    • C:\Users\Admin\Desktop\readme.txt
                      MD5

                      10e82c1f6d749491731c3b5be53d5e27

                      SHA1

                      d83bc0ac4fcad6ff8773a42479f61c6db45fa963

                      SHA256

                      a054c9e30f65a21e6581b7aabbdd428d1de2ddc59b774e14b85c49dc034a6c53

                      SHA512

                      396c56d5371d04428972177a2067d36ef77bc9e6f28c92eb710579cdf4870e61273cc429d2d9a2d796f0e43680c86efab658dfc8555afc4d657e82f0773688e2

                      Download Submit
                    • C:\Users\Admin\Downloads\CloseAdd.docx.csnwyqmwa
                      MD5

                      1f5cc641185b1f9ef2cf9f03552beb02

                      SHA1

                      3215b7d64f82574e5f89836b7700a9c8a3142bc5

                      SHA256

                      a04d02edad432530719e79d43e020a8839364b7f3ae836de28ca1a3df527b91f

                      SHA512

                      4c371b7d61ec46688dc64e9f94c82743ff6278a1be4278aec50b646a8c0a3e3821a1850be6c2c8f451e500a9a2065add9339cc03c643fa11b8cdc17fd211626b

                      Download Submit
                    • C:\Users\Admin\Downloads\CopyCompress.gif.csnwyqmwa
                      MD5

                      5ef73302eae46a094f37b17b2d74a479

                      SHA1

                      41b8b659fabeb77ba916eec0aac9098a37450ef5

                      SHA256

                      4bf307bd9f71975ea38e2f4d2076e88540583d8de334054b6a3bf9cb45cc3888

                      SHA512

                      590881f066bdb6791810010ca82c22da6fce2cbb1f548d9452146b6992a1129b8023904c593438bfde36d70f2a2d42f87b9a3f12d12df2266aaac0ecdcc743f9

                      Download Submit
                    • C:\Users\Admin\Downloads\DebugUninstall.vstm.csnwyqmwa
                      MD5

                      e85731df77cb320f0fc8bbb14a7a874f

                      SHA1

                      17fb45913c11c1a4a797a4b5e3521d3301cb5b12

                      SHA256

                      1b1cd15856cea4cccd025c2375773cf5732853411a6b2281d6f5a08af1f55fa0

                      SHA512

                      6cd4678b89a1d0ec83c41f56f9684dc24cc14c19dc5512baec8e6ceaa3c703f2ce0504191344f6eaf01a087e90fa78d39427ea84164697c221274ec19e1f2275

                      Download Submit
                    • C:\Users\Admin\Downloads\PushCompress.emf.csnwyqmwa
                      MD5

                      f2da52d43a54bcc11476d159371fb726

                      SHA1

                      dbe5fb7c5140224b8c5cee606e4fa32de474b991

                      SHA256

                      db853287654c2dd6d7b9621812192abad6c48baab71be071f9de6769ded3b24b

                      SHA512

                      279ee8e460d2adc537339cac6d05ba0f650f2bad22d6d8940ebbc21c99eb819bb0781954de189a9db215d4ec2d6f5fda49bae16bf054b85dc8e7c83cbe37898e

                      Download Submit
                    • C:\Users\Admin\Downloads\readme.txt
                      MD5

                      10e82c1f6d749491731c3b5be53d5e27

                      SHA1

                      d83bc0ac4fcad6ff8773a42479f61c6db45fa963

                      SHA256

                      a054c9e30f65a21e6581b7aabbdd428d1de2ddc59b774e14b85c49dc034a6c53

                      SHA512

                      396c56d5371d04428972177a2067d36ef77bc9e6f28c92eb710579cdf4870e61273cc429d2d9a2d796f0e43680c86efab658dfc8555afc4d657e82f0773688e2

                      Download Submit
                    • C:\Users\Public\readme.txt
                      MD5

                      10e82c1f6d749491731c3b5be53d5e27

                      SHA1

                      d83bc0ac4fcad6ff8773a42479f61c6db45fa963

                      SHA256

                      a054c9e30f65a21e6581b7aabbdd428d1de2ddc59b774e14b85c49dc034a6c53

                      SHA512

                      396c56d5371d04428972177a2067d36ef77bc9e6f28c92eb710579cdf4870e61273cc429d2d9a2d796f0e43680c86efab658dfc8555afc4d657e82f0773688e2

                      Download Submit
                    • memory/288-136-0x0000000000000000-mapping.dmp
                      Download
                    • memory/296-133-0x0000000000000000-mapping.dmp
                      Download
                    • memory/544-135-0x0000000000000000-mapping.dmp
                      Download
                    • memory/668-160-0x0000000000000000-mapping.dmp
                      Download
                    • memory/912-141-0x0000000000000000-mapping.dmp
                      Download
                    • memory/952-132-0x0000000000000000-mapping.dmp
                      Download
                    • memory/1064-134-0x0000000000000000-mapping.dmp
                      Download
                    • memory/1084-143-0x0000000000000000-mapping.dmp
                      Download
                    • memory/1124-120-0x00000000004A0000-0x00000000004A4000-memory.dmp
                      Filesize

                      16KB

                      Download
                    • memory/1256-61-0x0000000002A20000-0x0000000002A30000-memory.dmp
                      Filesize

                      64KB

                      Download
                    • memory/1320-85-0x0000000000000000-mapping.dmp
                      Download
                    • memory/1320-102-0x000007FEFBC41000-0x000007FEFBC43000-memory.dmp
                      Filesize

                      8KB

                      Download
                    • memory/1548-162-0x0000000000000000-mapping.dmp
                      Download
                    • memory/1596-142-0x0000000000000000-mapping.dmp
                      Download
                    • memory/1688-161-0x0000000000000000-mapping.dmp
                      Download
                    • memory/1704-164-0x0000000000000000-mapping.dmp
                      Download
                    • memory/1764-163-0x0000000000000000-mapping.dmp
                      Download
                    • memory/1788-107-0x0000000001FF0000-0x0000000001FF1000-memory.dmp
                      Filesize

                      4KB

                      Download
                    • memory/1788-64-0x0000000000100000-0x0000000000101000-memory.dmp
                      Filesize

                      4KB

                      Download
                    • memory/1788-63-0x00000000000F0000-0x00000000000F1000-memory.dmp
                      Filesize

                      4KB

                      Download
                    • memory/1788-105-0x0000000001FD0000-0x0000000001FD1000-memory.dmp
                      Filesize

                      4KB

                      Download
                    • memory/1788-106-0x0000000001FE0000-0x0000000001FE1000-memory.dmp
                      Filesize

                      4KB

                      Download
                    • memory/1788-103-0x0000000001FA0000-0x0000000001FA1000-memory.dmp
                      Filesize

                      4KB

                      Download
                    • memory/1788-148-0x0000000002390000-0x0000000002391000-memory.dmp
                      Filesize

                      4KB

                      Download
                    • memory/1788-65-0x0000000000110000-0x0000000000111000-memory.dmp
                      Filesize

                      4KB

                      Download
                    • memory/1788-60-0x0000000000020000-0x0000000000025000-memory.dmp
                      Filesize

                      20KB

                      Download
                    • memory/1788-101-0x0000000001F90000-0x0000000001F91000-memory.dmp
                      Filesize

                      4KB

                      Download
                    • memory/1788-62-0x00000000000E0000-0x00000000000E1000-memory.dmp
                      Filesize

                      4KB

                      Download
                    • memory/1788-108-0x0000000002000000-0x0000000002001000-memory.dmp
                      Filesize

                      4KB

                      Download
                    • memory/1788-100-0x0000000001F80000-0x0000000001F81000-memory.dmp
                      Filesize

                      4KB

                      Download
                    • memory/1792-139-0x0000000000000000-mapping.dmp
                      Download
                    • memory/1836-138-0x0000000000000000-mapping.dmp
                      Download
                    • memory/1932-122-0x0000000000000000-mapping.dmp
                      Download
                    • memory/2016-140-0x0000000000000000-mapping.dmp
                      Download
                    • memory/2024-128-0x0000000000000000-mapping.dmp
                      Download
                    • memory/2032-119-0x0000000000000000-mapping.dmp
                      Download
                    • memory/2280-165-0x0000000000000000-mapping.dmp
                      Download