...

For extortion responses with a Modified Memory value of True, there is a download icon in the Root Cause Analysis column to download the Memory Diff file for the response:

...

The Memory Diff File is the compiled source code of what was injected into the program. It likely contains malware and/or exploit code and is intended for a malware or security analyst to examine. Note that this file does not contain the entire program, only the part that was altered through an exploit or an attack technique such as process injection. Learn more about this file here.

Process Injection Analytics

...