Malware Analysis Report

2024-10-16 03:14

Sample ID 220402-rveh6sfac4
Target TTT.bin
SHA256 08f2cce77ba2016baf5819ebe697207af6d78262db0d07dc8158b9f37924816d
Tags conti ransomware
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

08f2cce77ba2016baf5819ebe697207af6d78262db0d07dc8158b9f37924816d

Threat Level: Known bad

The file TTT.bin was found to be: Known bad.

Malicious Activity Summary

conti ransomware

Conti Ransomware

Modifies extensions of user files

Drops file in Program Files directory

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Runs net.exe

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2022-04-02 14:30

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-04-02 14:30

Reported

2022-04-02 14:34

Platform

win7-20220310-en

Max time kernel

4294215s

Max time network

142s

Command Line

"C:\Users\Admin\AppData\Local\Temp\TTT.exe"

Signatures

Conti Ransomware

ransomware conti

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\SplitInitialize.MOD C:\Users\Admin\AppData\Local\Temp\TTT.exe N/A
File opened for modification C:\Program Files\7-Zip\7-zip.chm C:\Users\Admin\AppData\Local\Temp\TTT.exe N/A
File opened for modification C:\Program Files\7-Zip\7zCon.sfx C:\Users\Admin\AppData\Local\Temp\TTT.exe N/A
File created C:\Program Files\Microsoft Games\readme.txt C:\Users\Admin\AppData\Local\Temp\TTT.exe N/A
File created C:\Program Files\MSBuild\readme.txt C:\Users\Admin\AppData\Local\Temp\TTT.exe N/A
File created C:\Program Files (x86)\Internet Explorer\readme.txt C:\Users\Admin\AppData\Local\Temp\TTT.exe N/A
File created C:\Program Files (x86)\Mozilla Maintenance Service\readme.txt C:\Users\Admin\AppData\Local\Temp\TTT.exe N/A
File opened for modification C:\Program Files\ConvertToUnlock.ods C:\Users\Admin\AppData\Local\Temp\TTT.exe N/A
File opened for modification C:\Program Files\ResolveConnect.wdp C:\Users\Admin\AppData\Local\Temp\TTT.exe N/A
File opened for modification C:\Program Files\UnprotectExit.cmd C:\Users\Admin\AppData\Local\Temp\TTT.exe N/A
File opened for modification C:\Program Files\7-Zip\descript.ion C:\Users\Admin\AppData\Local\Temp\TTT.exe N/A
File opened for modification C:\Program Files\DVD Maker\bod_r.TTF C:\Users\Admin\AppData\Local\Temp\TTT.exe N/A
File opened for modification C:\Program Files\DVD Maker\sonicsptransform.ax C:\Users\Admin\AppData\Local\Temp\TTT.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\Accessible.tlb C:\Users\Admin\AppData\Local\Temp\TTT.exe N/A
File opened for modification C:\Program Files\DenyRead.mht C:\Users\Admin\AppData\Local\Temp\TTT.exe N/A
File opened for modification C:\Program Files\7-Zip\License.txt C:\Users\Admin\AppData\Local\Temp\TTT.exe N/A
File created C:\Program Files\DVD Maker\readme.txt C:\Users\Admin\AppData\Local\Temp\TTT.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\dependentlibs.list C:\Users\Admin\AppData\Local\Temp\TTT.exe N/A
File opened for modification C:\Program Files\DVD Maker\Eurosti.TTF C:\Users\Admin\AppData\Local\Temp\TTT.exe N/A
File opened for modification C:\Program Files\DVD Maker\rtstreamsource.ax C:\Users\Admin\AppData\Local\Temp\TTT.exe N/A
File created C:\Program Files\Java\readme.txt C:\Users\Admin\AppData\Local\Temp\TTT.exe N/A
File created C:\Program Files (x86)\Microsoft Visual Studio 8\readme.txt C:\Users\Admin\AppData\Local\Temp\TTT.exe N/A
File opened for modification C:\Program Files\LimitSwitch.rar C:\Users\Admin\AppData\Local\Temp\TTT.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\omni.ja C:\Users\Admin\AppData\Local\Temp\TTT.exe N/A
File opened for modification C:\Program Files (x86)\Internet Explorer\ie9props.propdesc C:\Users\Admin\AppData\Local\Temp\TTT.exe N/A
File created C:\Program Files (x86)\Microsoft Office\readme.txt C:\Users\Admin\AppData\Local\Temp\TTT.exe N/A
File opened for modification C:\Program Files (x86)\MSBuild\Microsoft.Office.InfoPath.targets C:\Users\Admin\AppData\Local\Temp\TTT.exe N/A
File opened for modification C:\Program Files\HideEnable.mid C:\Users\Admin\AppData\Local\Temp\TTT.exe N/A
File opened for modification C:\Program Files\TraceRestart.scf C:\Users\Admin\AppData\Local\Temp\TTT.exe N/A
File opened for modification C:\Program Files\UnregisterSave.jpg C:\Users\Admin\AppData\Local\Temp\TTT.exe N/A
File opened for modification C:\Program Files\DVD Maker\offset.ax C:\Users\Admin\AppData\Local\Temp\TTT.exe N/A
File opened for modification C:\Program Files\Internet Explorer\ie9props.propdesc C:\Users\Admin\AppData\Local\Temp\TTT.exe N/A
File opened for modification C:\Program Files\Internet Explorer\Timeline.cpu.xml C:\Users\Admin\AppData\Local\Temp\TTT.exe N/A
File created C:\Program Files (x86)\Microsoft Analysis Services\readme.txt C:\Users\Admin\AppData\Local\Temp\TTT.exe N/A
File created C:\Program Files (x86)\Microsoft Sync Framework\readme.txt C:\Users\Admin\AppData\Local\Temp\TTT.exe N/A
File created C:\Program Files (x86)\Microsoft.NET\readme.txt C:\Users\Admin\AppData\Local\Temp\TTT.exe N/A
File opened for modification C:\Program Files\WatchInvoke.xltm C:\Users\Admin\AppData\Local\Temp\TTT.exe N/A
File opened for modification C:\Program Files\MoveLock.raw C:\Users\Admin\AppData\Local\Temp\TTT.exe N/A
File opened for modification C:\Program Files\UnregisterUse.wmf C:\Users\Admin\AppData\Local\Temp\TTT.exe N/A
File opened for modification C:\Program Files\7-Zip\readme.txt C:\Users\Admin\AppData\Local\Temp\TTT.exe N/A
File opened for modification C:\Program Files\DVD Maker\audiodepthconverter.ax C:\Users\Admin\AppData\Local\Temp\TTT.exe N/A
File opened for modification C:\Program Files\DVD Maker\rtstreamsink.ax C:\Users\Admin\AppData\Local\Temp\TTT.exe N/A
File opened for modification C:\Program Files\DVD Maker\SecretST.TTF C:\Users\Admin\AppData\Local\Temp\TTT.exe N/A
File created C:\Program Files\Google\readme.txt C:\Users\Admin\AppData\Local\Temp\TTT.exe N/A
File created C:\Program Files\Internet Explorer\readme.txt C:\Users\Admin\AppData\Local\Temp\TTT.exe N/A
File created C:\Program Files\Reference Assemblies\readme.txt C:\Users\Admin\AppData\Local\Temp\TTT.exe N/A
File created C:\Program Files (x86)\Uninstall Information\readme.txt C:\Users\Admin\AppData\Local\Temp\TTT.exe N/A
File created C:\Program Files\Mozilla Firefox\readme.txt C:\Users\Admin\AppData\Local\Temp\TTT.exe N/A
File created C:\Program Files (x86)\Google\readme.txt C:\Users\Admin\AppData\Local\Temp\TTT.exe N/A
File opened for modification C:\Program Files\PingUnlock.reg C:\Users\Admin\AppData\Local\Temp\TTT.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\firefox.VisualElementsManifest.xml C:\Users\Admin\AppData\Local\Temp\TTT.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\removed-files C:\Users\Admin\AppData\Local\Temp\TTT.exe N/A
File created C:\Program Files\readme.txt C:\Users\Admin\AppData\Local\Temp\TTT.exe N/A
File opened for modification C:\Program Files\7-Zip\7z.sfx C:\Users\Admin\AppData\Local\Temp\TTT.exe N/A
File opened for modification C:\Program Files\DVD Maker\directshowtap.ax C:\Users\Admin\AppData\Local\Temp\TTT.exe N/A
File created C:\Program Files\Uninstall Information\readme.txt C:\Users\Admin\AppData\Local\Temp\TTT.exe N/A
File created C:\Program Files\VideoLAN\readme.txt C:\Users\Admin\AppData\Local\Temp\TTT.exe N/A
File created C:\Program Files (x86)\Adobe\readme.txt C:\Users\Admin\AppData\Local\Temp\TTT.exe N/A
File created C:\Program Files (x86)\Common Files\readme.txt C:\Users\Admin\AppData\Local\Temp\TTT.exe N/A
File created C:\Program Files (x86)\Microsoft Synchronization Services\readme.txt C:\Users\Admin\AppData\Local\Temp\TTT.exe N/A
File created C:\Program Files (x86)\Reference Assemblies\readme.txt C:\Users\Admin\AppData\Local\Temp\TTT.exe N/A
File opened for modification C:\Program Files\ImportUpdate.dotx C:\Users\Admin\AppData\Local\Temp\TTT.exe N/A
File opened for modification C:\Program Files\TracePublish.ADTS C:\Users\Admin\AppData\Local\Temp\TTT.exe N/A
File created C:\Program Files (x86)\readme.txt C:\Users\Admin\AppData\Local\Temp\TTT.exe N/A

Runs net.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\TTT.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TTT.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TTT.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TTT.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TTT.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TTT.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TTT.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TTT.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TTT.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TTT.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TTT.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TTT.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TTT.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TTT.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TTT.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TTT.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TTT.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TTT.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TTT.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TTT.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TTT.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TTT.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TTT.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TTT.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TTT.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TTT.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TTT.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TTT.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TTT.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TTT.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TTT.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TTT.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TTT.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TTT.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TTT.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TTT.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TTT.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TTT.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TTT.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TTT.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TTT.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TTT.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TTT.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TTT.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TTT.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TTT.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TTT.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TTT.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TTT.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TTT.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TTT.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TTT.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TTT.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TTT.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TTT.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TTT.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TTT.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TTT.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TTT.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TTT.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TTT.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TTT.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TTT.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TTT.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\TTT.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 948 wrote to memory of 1772 N/A C:\Users\Admin\AppData\Local\Temp\TTT.exe C:\Windows\System32\wbem\WMIC.exe
PID 948 wrote to memory of 1772 N/A C:\Users\Admin\AppData\Local\Temp\TTT.exe C:\Windows\System32\wbem\WMIC.exe
PID 948 wrote to memory of 1772 N/A C:\Users\Admin\AppData\Local\Temp\TTT.exe C:\Windows\System32\wbem\WMIC.exe
PID 948 wrote to memory of 1772 N/A C:\Users\Admin\AppData\Local\Temp\TTT.exe C:\Windows\System32\wbem\WMIC.exe
PID 948 wrote to memory of 1232 N/A C:\Users\Admin\AppData\Local\Temp\TTT.exe C:\Windows\System32\wbem\WMIC.exe
PID 948 wrote to memory of 1232 N/A C:\Users\Admin\AppData\Local\Temp\TTT.exe C:\Windows\System32\wbem\WMIC.exe
PID 948 wrote to memory of 1232 N/A C:\Users\Admin\AppData\Local\Temp\TTT.exe C:\Windows\System32\wbem\WMIC.exe
PID 948 wrote to memory of 1232 N/A C:\Users\Admin\AppData\Local\Temp\TTT.exe C:\Windows\System32\wbem\WMIC.exe
PID 948 wrote to memory of 280 N/A C:\Users\Admin\AppData\Local\Temp\TTT.exe C:\Windows\System32\wbem\WMIC.exe
PID 948 wrote to memory of 280 N/A C:\Users\Admin\AppData\Local\Temp\TTT.exe C:\Windows\System32\wbem\WMIC.exe
PID 948 wrote to memory of 280 N/A C:\Users\Admin\AppData\Local\Temp\TTT.exe C:\Windows\System32\wbem\WMIC.exe
PID 948 wrote to memory of 280 N/A C:\Users\Admin\AppData\Local\Temp\TTT.exe C:\Windows\System32\wbem\WMIC.exe
PID 948 wrote to memory of 928 N/A C:\Users\Admin\AppData\Local\Temp\TTT.exe C:\Windows\System32\wbem\WMIC.exe
PID 948 wrote to memory of 928 N/A C:\Users\Admin\AppData\Local\Temp\TTT.exe C:\Windows\System32\wbem\WMIC.exe
PID 948 wrote to memory of 928 N/A C:\Users\Admin\AppData\Local\Temp\TTT.exe C:\Windows\System32\wbem\WMIC.exe
PID 948 wrote to memory of 928 N/A C:\Users\Admin\AppData\Local\Temp\TTT.exe C:\Windows\System32\wbem\WMIC.exe
PID 948 wrote to memory of 1360 N/A C:\Users\Admin\AppData\Local\Temp\TTT.exe C:\Windows\System32\wbem\WMIC.exe
PID 948 wrote to memory of 1360 N/A C:\Users\Admin\AppData\Local\Temp\TTT.exe C:\Windows\System32\wbem\WMIC.exe
PID 948 wrote to memory of 1360 N/A C:\Users\Admin\AppData\Local\Temp\TTT.exe C:\Windows\System32\wbem\WMIC.exe
PID 948 wrote to memory of 1360 N/A C:\Users\Admin\AppData\Local\Temp\TTT.exe C:\Windows\System32\wbem\WMIC.exe
PID 948 wrote to memory of 1612 N/A C:\Users\Admin\AppData\Local\Temp\TTT.exe C:\Windows\System32\wbem\WMIC.exe
PID 948 wrote to memory of 1612 N/A C:\Users\Admin\AppData\Local\Temp\TTT.exe C:\Windows\System32\wbem\WMIC.exe
PID 948 wrote to memory of 1612 N/A C:\Users\Admin\AppData\Local\Temp\TTT.exe C:\Windows\System32\wbem\WMIC.exe
PID 948 wrote to memory of 1612 N/A C:\Users\Admin\AppData\Local\Temp\TTT.exe C:\Windows\System32\wbem\WMIC.exe
PID 948 wrote to memory of 240 N/A C:\Users\Admin\AppData\Local\Temp\TTT.exe C:\Windows\System32\wbem\WMIC.exe
PID 948 wrote to memory of 240 N/A C:\Users\Admin\AppData\Local\Temp\TTT.exe C:\Windows\System32\wbem\WMIC.exe
PID 948 wrote to memory of 240 N/A C:\Users\Admin\AppData\Local\Temp\TTT.exe C:\Windows\System32\wbem\WMIC.exe
PID 948 wrote to memory of 240 N/A C:\Users\Admin\AppData\Local\Temp\TTT.exe C:\Windows\System32\wbem\WMIC.exe
PID 948 wrote to memory of 1980 N/A C:\Users\Admin\AppData\Local\Temp\TTT.exe C:\Windows\System32\wbem\WMIC.exe
PID 948 wrote to memory of 1980 N/A C:\Users\Admin\AppData\Local\Temp\TTT.exe C:\Windows\System32\wbem\WMIC.exe
PID 948 wrote to memory of 1980 N/A C:\Users\Admin\AppData\Local\Temp\TTT.exe C:\Windows\System32\wbem\WMIC.exe
PID 948 wrote to memory of 1980 N/A C:\Users\Admin\AppData\Local\Temp\TTT.exe C:\Windows\System32\wbem\WMIC.exe
PID 948 wrote to memory of 1484 N/A C:\Users\Admin\AppData\Local\Temp\TTT.exe C:\Windows\System32\wbem\WMIC.exe
PID 948 wrote to memory of 1484 N/A C:\Users\Admin\AppData\Local\Temp\TTT.exe C:\Windows\System32\wbem\WMIC.exe
PID 948 wrote to memory of 1484 N/A C:\Users\Admin\AppData\Local\Temp\TTT.exe C:\Windows\System32\wbem\WMIC.exe
PID 948 wrote to memory of 1484 N/A C:\Users\Admin\AppData\Local\Temp\TTT.exe C:\Windows\System32\wbem\WMIC.exe
PID 948 wrote to memory of 528 N/A C:\Users\Admin\AppData\Local\Temp\TTT.exe C:\Windows\System32\wbem\WMIC.exe
PID 948 wrote to memory of 528 N/A C:\Users\Admin\AppData\Local\Temp\TTT.exe C:\Windows\System32\wbem\WMIC.exe
PID 948 wrote to memory of 528 N/A C:\Users\Admin\AppData\Local\Temp\TTT.exe C:\Windows\System32\wbem\WMIC.exe
PID 948 wrote to memory of 528 N/A C:\Users\Admin\AppData\Local\Temp\TTT.exe C:\Windows\System32\wbem\WMIC.exe
PID 948 wrote to memory of 1224 N/A C:\Users\Admin\AppData\Local\Temp\TTT.exe C:\Windows\System32\wbem\WMIC.exe
PID 948 wrote to memory of 1224 N/A C:\Users\Admin\AppData\Local\Temp\TTT.exe C:\Windows\System32\wbem\WMIC.exe
PID 948 wrote to memory of 1224 N/A C:\Users\Admin\AppData\Local\Temp\TTT.exe C:\Windows\System32\wbem\WMIC.exe
PID 948 wrote to memory of 1224 N/A C:\Users\Admin\AppData\Local\Temp\TTT.exe C:\Windows\System32\wbem\WMIC.exe
PID 948 wrote to memory of 1072 N/A C:\Users\Admin\AppData\Local\Temp\TTT.exe C:\Windows\System32\wbem\WMIC.exe
PID 948 wrote to memory of 1072 N/A C:\Users\Admin\AppData\Local\Temp\TTT.exe C:\Windows\System32\wbem\WMIC.exe
PID 948 wrote to memory of 1072 N/A C:\Users\Admin\AppData\Local\Temp\TTT.exe C:\Windows\System32\wbem\WMIC.exe
PID 948 wrote to memory of 1072 N/A C:\Users\Admin\AppData\Local\Temp\TTT.exe C:\Windows\System32\wbem\WMIC.exe
PID 948 wrote to memory of 2004 N/A C:\Users\Admin\AppData\Local\Temp\TTT.exe C:\Windows\System32\wbem\WMIC.exe
PID 948 wrote to memory of 2004 N/A C:\Users\Admin\AppData\Local\Temp\TTT.exe C:\Windows\System32\wbem\WMIC.exe
PID 948 wrote to memory of 2004 N/A C:\Users\Admin\AppData\Local\Temp\TTT.exe C:\Windows\System32\wbem\WMIC.exe
PID 948 wrote to memory of 2004 N/A C:\Users\Admin\AppData\Local\Temp\TTT.exe C:\Windows\System32\wbem\WMIC.exe
PID 948 wrote to memory of 1272 N/A C:\Users\Admin\AppData\Local\Temp\TTT.exe C:\Windows\System32\wbem\WMIC.exe
PID 948 wrote to memory of 1272 N/A C:\Users\Admin\AppData\Local\Temp\TTT.exe C:\Windows\System32\wbem\WMIC.exe
PID 948 wrote to memory of 1272 N/A C:\Users\Admin\AppData\Local\Temp\TTT.exe C:\Windows\System32\wbem\WMIC.exe
PID 948 wrote to memory of 1272 N/A C:\Users\Admin\AppData\Local\Temp\TTT.exe C:\Windows\System32\wbem\WMIC.exe
PID 948 wrote to memory of 1652 N/A C:\Users\Admin\AppData\Local\Temp\TTT.exe C:\Windows\System32\wbem\WMIC.exe
PID 948 wrote to memory of 1652 N/A C:\Users\Admin\AppData\Local\Temp\TTT.exe C:\Windows\System32\wbem\WMIC.exe
PID 948 wrote to memory of 1652 N/A C:\Users\Admin\AppData\Local\Temp\TTT.exe C:\Windows\System32\wbem\WMIC.exe
PID 948 wrote to memory of 1652 N/A C:\Users\Admin\AppData\Local\Temp\TTT.exe C:\Windows\System32\wbem\WMIC.exe
PID 948 wrote to memory of 900 N/A C:\Users\Admin\AppData\Local\Temp\TTT.exe C:\Windows\System32\wbem\WMIC.exe
PID 948 wrote to memory of 900 N/A C:\Users\Admin\AppData\Local\Temp\TTT.exe C:\Windows\System32\wbem\WMIC.exe
PID 948 wrote to memory of 900 N/A C:\Users\Admin\AppData\Local\Temp\TTT.exe C:\Windows\System32\wbem\WMIC.exe
PID 948 wrote to memory of 900 N/A C:\Users\Admin\AppData\Local\Temp\TTT.exe C:\Windows\System32\wbem\WMIC.exe

Processes

C:\Users\Admin\AppData\Local\Temp\TTT.exe

"C:\Users\Admin\AppData\Local\Temp\TTT.exe"

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\System32\wbem\WMIC.exe

shadowcopy where "ID='{34A060B1-EA28-439C-93B6-A7B80D359DA7}'" delete

C:\Windows\System32\wbem\WMIC.exe

shadowcopy where "ID='{A37B6ECE-5CCF-45CF-B77A-0B1D4D56802E}'" delete

C:\Windows\System32\wbem\WMIC.exe

shadowcopy where "ID='{0156D771-1B0E-475A-93A9-0073048206BC}'" delete

C:\Windows\System32\wbem\WMIC.exe

shadowcopy where "ID='{E8D0B020-C3BE-4ABA-A7F6-9C0DBCC9B51D}'" delete

C:\Windows\System32\wbem\WMIC.exe

shadowcopy where "ID='{14D436DC-4083-4645-A1CB-0D23F5D3F9E0}'" delete

C:\Windows\System32\wbem\WMIC.exe

shadowcopy where "ID='{E2C86C6A-5E79-4A59-8F07-FA4AB7F2DBCC}'" delete

C:\Windows\System32\wbem\WMIC.exe

shadowcopy where "ID='{E1F64302-A7DF-4036-8234-C8E8C2644BA8}'" delete

C:\Windows\System32\wbem\WMIC.exe

shadowcopy where "ID='{C16269E2-735E-40DE-BEC6-790EA4DF3034}'" delete

C:\Windows\System32\wbem\WMIC.exe

shadowcopy where "ID='{79B3BF4F-3115-4890-BA8D-483876E96BEF}'" delete

C:\Windows\System32\wbem\WMIC.exe

shadowcopy where "ID='{B582BD05-EC08-46A2-AB20-494E61EBC428}'" delete

C:\Windows\System32\wbem\WMIC.exe

shadowcopy where "ID='{6F98DC66-8627-46BF-AEA4-65D47F4A9B76}'" delete

C:\Windows\System32\wbem\WMIC.exe

shadowcopy where "ID='{6F058F62-B4B5-47EE-A2B8-4D47898B4CBE}'" delete

C:\Windows\System32\wbem\WMIC.exe

shadowcopy where "ID='{8CB8CE90-57EF-40E0-A550-5AFC10F0BACF}'" delete

C:\Windows\System32\wbem\WMIC.exe

shadowcopy where "ID='{A39E9092-325A-4FE4-992E-D4C87EEC8F41}'" delete

C:\Windows\System32\wbem\WMIC.exe

shadowcopy where "ID='{F70F0F06-EA0E-4F4E-94EA-3137DF26413A}'" delete

C:\Windows\System32\wbem\WMIC.exe

shadowcopy where "ID='{3D8A686C-2769-47C4-AF77-80EDD29D25F2}'" delete

C:\Windows\System32\wbem\WMIC.exe

shadowcopy where "ID='{07CDFE35-E38D-417A-B988-11444F3FCCDD}'" delete

C:\Windows\System32\wbem\WMIC.exe

shadowcopy where "ID='{FDBC0D18-0966-4856-85E8-C7AA5D1CFF61}'" delete

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop "SQLsafe Backup Service" /y

C:\Windows\SysWOW64\net.exe

net stop "SQLsafe Backup Service" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SQLsafe Backup Service" /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop "SQLsafe Filter Service" /y

C:\Windows\SysWOW64\net.exe

net stop "SQLsafe Filter Service" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SQLsafe Filter Service" /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop MSOLAP$SQL_2008 /y

C:\Windows\SysWOW64\net.exe

net stop MSOLAP$SQL_2008 /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop MSOLAP$SQL_2008 /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop MSSQL$BKUPEXEC /y

C:\Windows\SysWOW64\net.exe

net stop MSSQL$BKUPEXEC /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop MSSQL$BKUPEXEC /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop MSSQL$ECWDB2 /y

C:\Windows\SysWOW64\net.exe

net stop MSSQL$ECWDB2 /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop MSSQL$ECWDB2 /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop MSSQL$PRACTICEMGT /y

C:\Windows\SysWOW64\net.exe

net stop MSSQL$PRACTICEMGT /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop MSSQL$PRACTICEMGT /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop MSSQL$PRACTTICEBGC /y

C:\Windows\SysWOW64\net.exe

net stop MSSQL$PRACTTICEBGC /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop MSSQL$PRACTTICEBGC /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop MSSQL$PROFXENGAGEMENT /y

C:\Windows\SysWOW64\net.exe

net stop MSSQL$PROFXENGAGEMENT /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop MSSQL$PROFXENGAGEMENT /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop MSSQL$SBSMONITORING /y

C:\Windows\SysWOW64\net.exe

net stop MSSQL$SBSMONITORING /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop MSSQL$SBSMONITORING /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop MSSQL$SHAREPOINT /y

C:\Windows\SysWOW64\net.exe

net stop MSSQL$SHAREPOINT /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop MSSQL$SHAREPOINT /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop MSSQL$SQL_2008 /y

C:\Windows\SysWOW64\net.exe

net stop MSSQL$SQL_2008 /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop MSSQL$SQL_2008 /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop MSSQL$SYSTEM_BGC /y

C:\Windows\SysWOW64\net.exe

net stop MSSQL$SYSTEM_BGC /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop MSSQL$SYSTEM_BGC /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop MSSQL$TPS /y

C:\Windows\SysWOW64\net.exe

net stop MSSQL$TPS /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop MSSQL$TPS /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop MSSQL$TPSAMA /y

C:\Windows\SysWOW64\net.exe

net stop MSSQL$TPSAMA /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop MSSQL$TPSAMA /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop MSSQL$VEEAMSQL2008R2 /y

C:\Windows\SysWOW64\net.exe

net stop MSSQL$VEEAMSQL2008R2 /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop MSSQL$VEEAMSQL2008R2 /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop MSSQL$VEEAMSQL2012 /y

C:\Windows\SysWOW64\net.exe

net stop MSSQL$VEEAMSQL2012 /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop MSSQL$VEEAMSQL2012 /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop MSSQLSERVER /y

C:\Windows\SysWOW64\net.exe

net stop MSSQLSERVER /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop MSSQLSERVER /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop SQLBrowser /y

C:\Windows\SysWOW64\net.exe

net stop SQLBrowser /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop SQLBrowser /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop SQLWriter /y

C:\Windows\SysWOW64\net.exe

net stop SQLWriter /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop SQLWriter /y

Network

Country Destination Domain Proto

Files


Analysis: behavioral2

Detonation Overview

Submitted

2022-04-02 14:30

Reported

2022-04-02 14:33

Platform

win10v2004-en-20220113

Max time kernel

150s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\TTT.exe"

Signatures

Conti Ransomware

ransomware conti

Modifies extensions of user files

ransomware
Description Indicator Process Target
File renamed C:\Users\Admin\Pictures\UnprotectLock.raw => C:\Users\Admin\Pictures\UnprotectLock.raw.V00Zb C:\Users\Admin\AppData\Local\Temp\TTT.exe N/A
File renamed C:\Users\Admin\Pictures\UnregisterConvertTo.tif => C:\Users\Admin\Pictures\UnregisterConvertTo.tif.V00Zb C:\Users\Admin\AppData\Local\Temp\TTT.exe N/A
File renamed C:\Users\Admin\Pictures\ConvertFromClose.raw => C:\Users\Admin\Pictures\ConvertFromClose.raw.V00Zb C:\Users\Admin\AppData\Local\Temp\TTT.exe N/A
File opened for modification C:\Users\Admin\Pictures\StopRedo.tiff C:\Users\Admin\AppData\Local\Temp\TTT.exe N/A
File renamed C:\Users\Admin\Pictures\StopRedo.tiff => C:\Users\Admin\Pictures\StopRedo.tiff.V00Zb C:\Users\Admin\AppData\Local\Temp\TTT.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Java\jdk1.8.0_66\jre\lib\jsse.jar C:\Users\Admin\AppData\Local\Temp\TTT.exe N/A
File created C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\readme.txt C:\Users\Admin\AppData\Local\Temp\TTT.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\az.txt C:\Users\Admin\AppData\Local\Temp\TTT.exe N/A
File opened for modification C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-00E1-0000-1000-0000000FF1CE.xml C:\Users\Admin\AppData\Local\Temp\TTT.exe N/A
File opened for modification C:\Program Files\Java\jre1.8.0_66\lib\calendars.properties C:\Users\Admin\AppData\Local\Temp\TTT.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_OEM_Perp2-pl.xrm-ms C:\Users\Admin\AppData\Local\Temp\TTT.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_Subscription5-ul-oob.xrm-ms C:\Users\Admin\AppData\Local\Temp\TTT.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdVL_KMS_Client-ppd.xrm-ms C:\Users\Admin\AppData\Local\Temp\TTT.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\BORDERS\readme.txt C:\Users\Admin\AppData\Local\Temp\TTT.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\BORDERS\MSART9.BDR C:\Users\Admin\AppData\Local\Temp\TTT.exe N/A
File created C:\Program Files\Internet Explorer\it-IT\readme.txt C:\Users\Admin\AppData\Local\Temp\TTT.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019XC2RVL_MAKC2R-ppd.xrm-ms C:\Users\Admin\AppData\Local\Temp\TTT.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\Standard2019MSDNR_Retail-ul-phn.xrm-ms C:\Users\Admin\AppData\Local\Temp\TTT.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019VL_MAK_AE-ul-oob.xrm-ms C:\Users\Admin\AppData\Local\Temp\TTT.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vreg\proofing.msi.16.en-us.vreg.dat C:\Users\Admin\AppData\Local\Temp\TTT.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PowerPointNaiveBayesCommandRanker.txt C:\Users\Admin\AppData\Local\Temp\TTT.exe N/A
File opened for modification C:\Program Files\Common Files\DESIGNER\MSADDNDR.OLB C:\Users\Admin\AppData\Local\Temp\TTT.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\db\NOTICE C:\Users\Admin\AppData\Local\Temp\TTT.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\AccessR_Trial-ul-oob.xrm-ms C:\Users\Admin\AppData\Local\Temp\TTT.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\Outlook2019R_OEM_Perp-ul-oob.xrm-ms C:\Users\Admin\AppData\Local\Temp\TTT.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\VisioStd2019VL_MAK_AE-pl.xrm-ms C:\Users\Admin\AppData\Local\Temp\TTT.exe N/A
File opened for modification C:\Program Files\Java\jre1.8.0_66\lib\ext\sunjce_provider.jar C:\Users\Admin\AppData\Local\Temp\TTT.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\Outlook2019R_Trial-pl.xrm-ms C:\Users\Admin\AppData\Local\Temp\TTT.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\PowerPoint2019VL_KMS_Client_AE-ppd.xrm-ms C:\Users\Admin\AppData\Local\Temp\TTT.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdO365R_SubTest-ppd.xrm-ms C:\Users\Admin\AppData\Local\Temp\TTT.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\skins\fonts\FreeSansBold.ttf C:\Users\Admin\AppData\Local\Temp\TTT.exe N/A
File created C:\Program Files (x86)\Common Files\System\Ole DB\fr-FR\readme.txt C:\Users\Admin\AppData\Local\Temp\TTT.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdVL_MAK-pl.xrm-ms C:\Users\Admin\AppData\Local\Temp\TTT.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019XC2RVL_MAKC2R-ul-phn.xrm-ms C:\Users\Admin\AppData\Local\Temp\TTT.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\SkypeServiceBypassR_PrepidBypass-ul-oob.xrm-ms C:\Users\Admin\AppData\Local\Temp\TTT.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\rsod\office32mui.msi.16.en-us.tree.dat C:\Users\Admin\AppData\Local\Temp\TTT.exe N/A
File opened for modification C:\Program Files\Java\jre1.8.0_66\lib\security\javaws.policy C:\Users\Admin\AppData\Local\Temp\TTT.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\as_IN\readme.txt C:\Users\Admin\AppData\Local\Temp\TTT.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\LICENSE.txt C:\Users\Admin\AppData\Local\Temp\TTT.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTest2-ppd.xrm-ms C:\Users\Admin\AppData\Local\Temp\TTT.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\Outlook2019R_Retail-ppd.xrm-ms C:\Users\Admin\AppData\Local\Temp\TTT.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusiness2019R_Grace-ul-oob.xrm-ms C:\Users\Admin\AppData\Local\Temp\TTT.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\Standard2019VL_MAK_AE-ppd.xrm-ms C:\Users\Admin\AppData\Local\Temp\TTT.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\InstallerMainShell.tlb C:\Users\Admin\AppData\Local\Temp\TTT.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\bn\readme.txt C:\Users\Admin\AppData\Local\Temp\TTT.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vreg\powerview.x-none.msi.16.x-none.vreg.dat C:\Users\Admin\AppData\Local\Temp\TTT.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\lua\http\custom.lua C:\Users\Admin\AppData\Local\Temp\TTT.exe N/A
File opened for modification C:\Program Files\Java\jre1.8.0_66\lib\javaws.jar C:\Users\Admin\AppData\Local\Temp\TTT.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\O365BusinessR_SubTrial-ul-oob.xrm-ms C:\Users\Admin\AppData\Local\Temp\TTT.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\VisioStdO365R_Subscription-pl.xrm-ms C:\Users\Admin\AppData\Local\Temp\TTT.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN065.XML C:\Users\Admin\AppData\Local\Temp\TTT.exe N/A
File opened for modification C:\Program Files\MergeMove.svg C:\Users\Admin\AppData\Local\Temp\TTT.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_SubTrial3-pl.xrm-ms C:\Users\Admin\AppData\Local\Temp\TTT.exe N/A
File created C:\Program Files\Common Files\microsoft shared\MSInfo\es-ES\readme.txt C:\Users\Admin\AppData\Local\Temp\TTT.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\hwrlatinlm.dat C:\Users\Admin\AppData\Local\Temp\TTT.exe N/A
File created C:\Program Files\VideoLAN\VLC\plugins\visualization\readme.txt C:\Users\Admin\AppData\Local\Temp\TTT.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\hwrusash.dat C:\Users\Admin\AppData\Local\Temp\TTT.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\Excel2019VL_KMS_Client_AE-ul-oob.xrm-ms C:\Users\Admin\AppData\Local\Temp\TTT.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\O365BusinessR_SubTest-ul-oob.xrm-ms C:\Users\Admin\AppData\Local\Temp\TTT.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\Outlook2019R_Retail-ul-oob.xrm-ms C:\Users\Admin\AppData\Local\Temp\TTT.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\Access2019VL_KMS_Client_AE-ppd.xrm-ms C:\Users\Admin\AppData\Local\Temp\TTT.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\AccessR_Trial-pl.xrm-ms C:\Users\Admin\AppData\Local\Temp\TTT.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusE5R_SubTrial-pl.xrm-ms C:\Users\Admin\AppData\Local\Temp\TTT.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\OFFSYMT.TTF C:\Users\Admin\AppData\Local\Temp\TTT.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\jre\lib\currency.data C:\Users\Admin\AppData\Local\Temp\TTT.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\tl.gif C:\Users\Admin\AppData\Local\Temp\TTT.exe N/A
File opened for modification C:\Program Files\Java\jre1.8.0_66\lib\classlist C:\Users\Admin\AppData\Local\Temp\TTT.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Integration\C2RManifest.officemuiset.msi.16.en-us.xml C:\Users\Admin\AppData\Local\Temp\TTT.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTest4-ppd.xrm-ms C:\Users\Admin\AppData\Local\Temp\TTT.exe N/A

Runs net.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\TTT.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\wbem\WMIC.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\TTT.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1272 wrote to memory of 3696 N/A C:\Users\Admin\AppData\Local\Temp\TTT.exe C:\Windows\System32\wbem\WMIC.exe
PID 1272 wrote to memory of 3696 N/A C:\Users\Admin\AppData\Local\Temp\TTT.exe C:\Windows\System32\wbem\WMIC.exe
PID 1272 wrote to memory of 1936 N/A C:\Users\Admin\AppData\Local\Temp\TTT.exe C:\Windows\System32\wbem\WMIC.exe
PID 1272 wrote to memory of 1936 N/A C:\Users\Admin\AppData\Local\Temp\TTT.exe C:\Windows\System32\wbem\WMIC.exe
PID 1272 wrote to memory of 5060 N/A C:\Users\Admin\AppData\Local\Temp\TTT.exe C:\Windows\SysWOW64\cmd.exe
PID 1272 wrote to memory of 5060 N/A C:\Users\Admin\AppData\Local\Temp\TTT.exe C:\Windows\SysWOW64\cmd.exe
PID 1272 wrote to memory of 5060 N/A C:\Users\Admin\AppData\Local\Temp\TTT.exe C:\Windows\SysWOW64\cmd.exe
PID 5060 wrote to memory of 3792 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\net.exe
PID 5060 wrote to memory of 3792 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\net.exe
PID 5060 wrote to memory of 3792 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\net.exe
PID 3792 wrote to memory of 4408 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 3792 wrote to memory of 4408 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 3792 wrote to memory of 4408 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 1272 wrote to memory of 4596 N/A C:\Users\Admin\AppData\Local\Temp\TTT.exe C:\Windows\SysWOW64\cmd.exe
PID 1272 wrote to memory of 4596 N/A C:\Users\Admin\AppData\Local\Temp\TTT.exe C:\Windows\SysWOW64\cmd.exe
PID 1272 wrote to memory of 4596 N/A C:\Users\Admin\AppData\Local\Temp\TTT.exe C:\Windows\SysWOW64\cmd.exe
PID 4596 wrote to memory of 4828 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\net.exe
PID 4596 wrote to memory of 4828 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\net.exe
PID 4596 wrote to memory of 4828 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\net.exe
PID 4828 wrote to memory of 4816 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 4828 wrote to memory of 4816 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 4828 wrote to memory of 4816 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 1272 wrote to memory of 3548 N/A C:\Users\Admin\AppData\Local\Temp\TTT.exe C:\Windows\SysWOW64\cmd.exe
PID 1272 wrote to memory of 3548 N/A C:\Users\Admin\AppData\Local\Temp\TTT.exe C:\Windows\SysWOW64\cmd.exe
PID 1272 wrote to memory of 3548 N/A C:\Users\Admin\AppData\Local\Temp\TTT.exe C:\Windows\SysWOW64\cmd.exe
PID 3548 wrote to memory of 2844 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\net.exe
PID 3548 wrote to memory of 2844 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\net.exe
PID 3548 wrote to memory of 2844 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\net.exe
PID 2844 wrote to memory of 3224 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2844 wrote to memory of 3224 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2844 wrote to memory of 3224 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 1272 wrote to memory of 2128 N/A C:\Users\Admin\AppData\Local\Temp\TTT.exe C:\Windows\SysWOW64\cmd.exe
PID 1272 wrote to memory of 2128 N/A C:\Users\Admin\AppData\Local\Temp\TTT.exe C:\Windows\SysWOW64\cmd.exe
PID 1272 wrote to memory of 2128 N/A C:\Users\Admin\AppData\Local\Temp\TTT.exe C:\Windows\SysWOW64\cmd.exe
PID 2128 wrote to memory of 532 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\net.exe
PID 2128 wrote to memory of 532 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\net.exe
PID 2128 wrote to memory of 532 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\net.exe
PID 532 wrote to memory of 1032 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 532 wrote to memory of 1032 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 532 wrote to memory of 1032 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 1272 wrote to memory of 3892 N/A C:\Users\Admin\AppData\Local\Temp\TTT.exe C:\Windows\SysWOW64\cmd.exe
PID 1272 wrote to memory of 3892 N/A C:\Users\Admin\AppData\Local\Temp\TTT.exe C:\Windows\SysWOW64\cmd.exe
PID 1272 wrote to memory of 3892 N/A C:\Users\Admin\AppData\Local\Temp\TTT.exe C:\Windows\SysWOW64\cmd.exe
PID 3892 wrote to memory of 448 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\net.exe
PID 3892 wrote to memory of 448 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\net.exe
PID 3892 wrote to memory of 448 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\net.exe
PID 448 wrote to memory of 3616 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 448 wrote to memory of 3616 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 448 wrote to memory of 3616 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 1272 wrote to memory of 1884 N/A C:\Users\Admin\AppData\Local\Temp\TTT.exe C:\Windows\SysWOW64\cmd.exe
PID 1272 wrote to memory of 1884 N/A C:\Users\Admin\AppData\Local\Temp\TTT.exe C:\Windows\SysWOW64\cmd.exe
PID 1272 wrote to memory of 1884 N/A C:\Users\Admin\AppData\Local\Temp\TTT.exe C:\Windows\SysWOW64\cmd.exe
PID 1884 wrote to memory of 4044 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\net.exe
PID 1884 wrote to memory of 4044 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\net.exe
PID 1884 wrote to memory of 4044 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\net.exe
PID 4044 wrote to memory of 4084 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 4044 wrote to memory of 4084 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 4044 wrote to memory of 4084 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 1272 wrote to memory of 1576 N/A C:\Users\Admin\AppData\Local\Temp\TTT.exe C:\Windows\SysWOW64\cmd.exe
PID 1272 wrote to memory of 1576 N/A C:\Users\Admin\AppData\Local\Temp\TTT.exe C:\Windows\SysWOW64\cmd.exe
PID 1272 wrote to memory of 1576 N/A C:\Users\Admin\AppData\Local\Temp\TTT.exe C:\Windows\SysWOW64\cmd.exe
PID 1576 wrote to memory of 2364 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\net.exe
PID 1576 wrote to memory of 2364 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\net.exe
PID 1576 wrote to memory of 2364 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\net.exe

Processes

C:\Users\Admin\AppData\Local\Temp\TTT.exe

"C:\Users\Admin\AppData\Local\Temp\TTT.exe"

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\System32\wbem\WMIC.exe

shadowcopy where "ID='{17C5A010-80A0-4F9A-836F-BFCB14B6316C}'" delete

C:\Windows\System32\wbem\WMIC.exe

shadowcopy where "ID='{E9B5643F-8908-41A9-879A-BF3F65E24DF9}'" delete

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop "SQLsafe Backup Service" /y

C:\Windows\SysWOW64\net.exe

net stop "SQLsafe Backup Service" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SQLsafe Backup Service" /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop "SQLsafe Filter Service" /y

C:\Windows\SysWOW64\net.exe

net stop "SQLsafe Filter Service" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "SQLsafe Filter Service" /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop MSOLAP$SQL_2008 /y

C:\Windows\SysWOW64\net.exe

net stop MSOLAP$SQL_2008 /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop MSOLAP$SQL_2008 /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop MSSQL$BKUPEXEC /y

C:\Windows\SysWOW64\net.exe

net stop MSSQL$BKUPEXEC /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop MSSQL$BKUPEXEC /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop MSSQL$ECWDB2 /y

C:\Windows\SysWOW64\net.exe

net stop MSSQL$ECWDB2 /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop MSSQL$ECWDB2 /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop MSSQL$PRACTICEMGT /y

C:\Windows\SysWOW64\net.exe

net stop MSSQL$PRACTICEMGT /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop MSSQL$PRACTICEMGT /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop MSSQL$PRACTTICEBGC /y

C:\Windows\SysWOW64\net.exe

net stop MSSQL$PRACTTICEBGC /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop MSSQL$PRACTTICEBGC /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop MSSQL$PROFXENGAGEMENT /y

C:\Windows\SysWOW64\net.exe

net stop MSSQL$PROFXENGAGEMENT /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop MSSQL$PROFXENGAGEMENT /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop MSSQL$SBSMONITORING /y

C:\Windows\SysWOW64\net.exe

net stop MSSQL$SBSMONITORING /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop MSSQL$SBSMONITORING /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop MSSQL$SHAREPOINT /y

C:\Windows\SysWOW64\net.exe

net stop MSSQL$SHAREPOINT /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop MSSQL$SHAREPOINT /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop MSSQL$SQL_2008 /y

C:\Windows\SysWOW64\net.exe

net stop MSSQL$SQL_2008 /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop MSSQL$SQL_2008 /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop MSSQL$SYSTEM_BGC /y

C:\Windows\SysWOW64\net.exe

net stop MSSQL$SYSTEM_BGC /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop MSSQL$SYSTEM_BGC /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop MSSQL$TPS /y

C:\Windows\SysWOW64\net.exe

net stop MSSQL$TPS /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop MSSQL$TPS /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop MSSQL$TPSAMA /y

C:\Windows\SysWOW64\net.exe

net stop MSSQL$TPSAMA /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop MSSQL$TPSAMA /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop MSSQL$VEEAMSQL2008R2 /y

C:\Windows\SysWOW64\net.exe

net stop MSSQL$VEEAMSQL2008R2 /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop MSSQL$VEEAMSQL2008R2 /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop MSSQL$VEEAMSQL2012 /y

C:\Windows\SysWOW64\net.exe

net stop MSSQL$VEEAMSQL2012 /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop MSSQL$VEEAMSQL2012 /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop MSSQLSERVER /y

C:\Windows\SysWOW64\net.exe

net stop MSSQLSERVER /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop MSSQLSERVER /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop SQLBrowser /y

C:\Windows\SysWOW64\net.exe

net stop SQLBrowser /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop SQLBrowser /y

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop SQLWriter /y

C:\Windows\SysWOW64\net.exe

net stop SQLWriter /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop SQLWriter /y

Network

Country Destination Domain Proto

Files
