exorcist | 768b40ceafed20055bbc60418929e8ec52fe3d1935caa1405af01e775d03e5e1

Analysis

max time kernel
99s
max time network
125s
platform
windows10_x64
resource
win10
submitted
01-10-2020 16:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

excorsist.bin.exe
Size

68KB
MD5

9e5c89c84cdbf460fc6857c4e32dafdf
SHA1

ee0a95846ce48c59261eda0fdd6b38dfc83d9f4d
SHA256

dfecb46078038bcfa9d0b8db18bdc0646f33bad55ee7dd5ee46e61c6cf399620
SHA512

6da517ae5159ebcb0ac138b34215924fb21adae619c3c15ede6863866648e445633f482b2beaddbe74de66b48e18d106dbde3253ee2d3ce86da667f7f8494cd8

Score

10^/10

ransomware exorcist persistence

Malware Config

Signatures

Exorcist Ransomware
Ransomware-as-a-service which avoids infecting machines in CIS nations. First seen in mid-2020.
ransomware exorcist
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Modifies extensions of user files 4 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

excorsist.bin.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Pictures\MeasureUninstall.tiff	excorsist.bin.exe
File renamed	C:\Users\Admin\Pictures\MeasureUninstall.tiff => C:\Users\Admin\Pictures\MeasureUninstall.tiff.bHkCYN	excorsist.bin.exe
File opened for modification	C:\Users\Admin\Pictures\MeasureUninstall.tiff.bHkCYN	excorsist.bin.exe
File created	C:\Users\Admin\Pictures\MeasureUninstall.tiff.bHkCYNkey	excorsist.bin.exe

Drops desktop.ini file(s) 2 IoCs

Processes:

excorsist.bin.exe

description	ioc	process
File opened for modification	C:\$RECYCLE.BIN\S-1-5-18\desktop.ini	excorsist.bin.exe
File opened for modification	\??\Z:\$RECYCLE.BIN\S-1-5-18\desktop.ini	excorsist.bin.exe

Enumerates connected drives 3 TTPs 25 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

excorsist.bin.exe

description	ioc	process
File opened (read-only)	\??\K:	excorsist.bin.exe
File opened (read-only)	\??\I:	excorsist.bin.exe
File opened (read-only)	\??\G:	excorsist.bin.exe
File opened (read-only)	\??\R:	excorsist.bin.exe
File opened (read-only)	\??\D:	excorsist.bin.exe
File opened (read-only)	\??\B:	excorsist.bin.exe
File opened (read-only)	\??\O:	excorsist.bin.exe
File opened (read-only)	\??\N:	excorsist.bin.exe
File opened (read-only)	\??\X:	excorsist.bin.exe
File opened (read-only)	\??\W:	excorsist.bin.exe
File opened (read-only)	\??\V:	excorsist.bin.exe
File opened (read-only)	\??\T:	excorsist.bin.exe
File opened (read-only)	\??\S:	excorsist.bin.exe
File opened (read-only)	\??\Q:	excorsist.bin.exe
File opened (read-only)	\??\M:	excorsist.bin.exe
File opened (read-only)	\??\J:	excorsist.bin.exe
File opened (read-only)	\??\H:	excorsist.bin.exe
File opened (read-only)	\??\F:	excorsist.bin.exe
File opened (read-only)	\??\E:	excorsist.bin.exe
File opened (read-only)	\??\A:	excorsist.bin.exe
File opened (read-only)	\??\Z:	excorsist.bin.exe
File opened (read-only)	\??\Y:	excorsist.bin.exe
File opened (read-only)	\??\U:	excorsist.bin.exe
File opened (read-only)	\??\P:	excorsist.bin.exe
File opened (read-only)	\??\L:	excorsist.bin.exe

Modifies service 2 TTPs 4 IoCs

persistence

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

vssvc.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer	vssvc.exe

Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

1320 vssadmin.exe

pid	process
1320	vssadmin.exe

Modifies data under HKEY_USERS 484 IoCs

Processes:

excorsist.bin.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\SessionHash = f36b4d50242b71915dcceaf73045ec811d1d6b85949e0ea8b365becbcab587ce	excorsist.bin.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFilesHash = 045dae5e883b8f0e5575a2761a1b225d93582c220cb217c8f9d5043332f8dfd1	excorsist.bin.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{9563bb1f-0000-0000-0000-100000000000}	excorsist.bin.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\SessionHash = 66b97f8502769e4e4d0cbcd2e35489afcab4999a865c877402ba82b4db0b2a97	excorsist.bin.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFilesHash = 04af62fda022cf8e1053caa01c6cdf1cba13735473adcd0fd568e0b831ebd910	excorsist.bin.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\SessionHash = cc4416eac73eebbcef7ed6d9774d834180dc474d739f7ca02affd8009d74b3cb	excorsist.bin.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\SessionHash = 1e581efe00a8c1b1275f39bc33fc8e998d10b8fc98fd70a5dfab9002cdc79619	excorsist.bin.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFiles0000 = 43003a005c00550073006500720073005c00410064006d0069006e005c0044006f0077006e006c006f006100640073005c0050006f00700055006e0064006f002e006d0070007600320000000000	excorsist.bin.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFiles0000 = 43003a005c00550073006500720073005c00410064006d0069006e005c004d0075007300690063005c005200650073006f006c00760065004200610063006b00750070002e007000700073006d0000000000	excorsist.bin.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFiles0000 = 43003a005c00550073006500720073005c00410064006d0069006e005c004400650073006b0074006f0070005c0043006800650063006b0070006f0069006e0074004f00750074002e006d007000340000000000	excorsist.bin.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFilesHash = a86b4c2f64eb809706b0f4b550b01f43b8e0ac57ef26ed7946ba6b47a935dfdb	excorsist.bin.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFiles0000 = 43003a005c00550073006500720073005c00410064006d0069006e005c0044006f0077006e006c006f006100640073005c004700720061006e007400440069007300610062006c0065002e00740069006600660000000000	excorsist.bin.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFilesHash = 07af2c8240bfb2e9f2eeb36c26748ad7c3a5fe47e50079362b3daae946a400ba	excorsist.bin.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFilesHash = 704a7e988f22f191fa91dd000747d29f3ff5d742ad63f0c63ce6ba0cb8206bcb	excorsist.bin.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFiles0000 = 43003a005c00550073006500720073005c00410064006d0069006e005c0044006f0077006e006c006f006100640073005c0043006f006e00760065007200740054006f0055006e006c006f0063006b002e006b006900780000000000	excorsist.bin.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFiles0000 = 43003a005c00550073006500720073005c00410064006d0069006e005c0044006f0077006e006c006f006100640073005c0053006100760065004100640064002e006a007000670000000000	excorsist.bin.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\SessionHash = 6b90ff377ed7d81e347d977bdc2955a1354951cadf4bde8ab8f3edbd2f3ca8d0	excorsist.bin.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\SessionHash = 3d61073f4dd09eccda4dc18b9085ec4e52a470c97f7096163fcf957a85859a5c	excorsist.bin.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\SessionHash = 9b6e4f366eeb56d00ba3cfc671eee8f93d0bb7943e79f343decc0fd20650038a	excorsist.bin.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFiles0000 = 43003a005c00550073006500720073005c00410064006d0069006e005c004d0075007300690063005c00530075007300700065006e006400530068006f0077002e0062006d00700000000000	excorsist.bin.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFiles0000 = 43003a005c00550073006500720073005c00410064006d0069006e005c0044006f00630075006d0065006e00740073005c00530075007300700065006e00640041007000700072006f00760065002e006d00680074006d006c0000000000	excorsist.bin.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\SessionHash = 8e85eb17797e83afbab2e82e314a9b02268eb26a50e1bd2878de4f3d79735600	excorsist.bin.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFiles0000 = 43003a005c00550073006500720073005c00410064006d0069006e005c0044006f0077006e006c006f006100640073005c0055006e006c006f0063006b0055006e00720065006700690073007400650072002e006d006800740000000000	excorsist.bin.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFilesHash = 36122184f5e598cffe626aa288964d8616d5ff3420dd4cfb7853c2c2fcfb5c8f	excorsist.bin.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\SessionHash = bb2fc102c415b29fadf7618a19bc500306771d0bd77b2408c11b2321ee7cd609	excorsist.bin.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\SessionHash = 0875a82a0765f4607d530b83eb4cbcfb3697ab0dea466cbad61c6afcba7c0b78	excorsist.bin.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\SessionHash = cee670697f09f057305069c40aa587dc1dcc6358959dd5b48afaa5214e16cccc	excorsist.bin.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\SessionHash = 96844074741c115cbdd392c077a88f77563ac17f46da558d11c7bd4469c2fcc5	excorsist.bin.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\SessionHash = da2ec336bf19c38244c6981057ae864bcb2a0ad1d9b6bfdcd0f53683213fa6d9	excorsist.bin.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFilesHash = 467fa5819b03495d2c070a9f34da86b5ab65493f0ad97ead0a5e7bd55f32ca32	excorsist.bin.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFiles0000 = 43003a005c00550073006500720073005c00410064006d0069006e005c00500069006300740075007200650073005c004d0065006100730075007200650055006e0069006e007300740061006c006c002e00740069006600660000000000	excorsist.bin.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\SessionHash = 5fd82dd5f2891a65a7ec7d68523944e01393bd4f94accd0ff8434edd1029fe2b	excorsist.bin.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\SessionHash = 94d90213f4d00d655c4954f00b36f957916dea47ecf3092b205f59a5059291c9	excorsist.bin.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\SessionHash = eb01026a680ed4a16b8802c5a41b65ba785e2059e036c021a0e64b155e194554	excorsist.bin.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\SessionHash = 7d32f2280f0700e30533d9bf5b23680f2a29f4ff0f04250d9ff80cb998278b54	excorsist.bin.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\SessionHash = dbc5c204206dd4ef54ccffbf2cb33ffdf952f675e681ae3f75d27d578d2b0fa8	excorsist.bin.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFilesHash = 09402f42e86081d73480641336a55c205a39d6e652ebef5daed5cd735648429e	excorsist.bin.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFiles0000 = 43003a005c00550073006500720073005c00410064006d0069006e005c0044006f0077006e006c006f006100640073005c0054006500730074004e00650077002e006d00700065006700330000000000	excorsist.bin.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFiles0000 = 43003a005c00550073006500720073005c00410064006d0069006e005c0044006f00630075006d0065006e00740073005c0052006500630065006e0074006c0079002e0064006f006300780000000000	excorsist.bin.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFilesHash = c9291fec2b6a6a2727dfa52fd9af748048b0ccd678c31111478d20d64f74719f	excorsist.bin.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\SessionHash = 752a2f66978c430b40ea4e485e685a2bb7bff9559eebaa2897c96e1b810139e1	excorsist.bin.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\SessionHash = af7dda9f6eaf1a2e79e10608e4f6cccf425e59e16f0f20774fc4b17bd5a527df	excorsist.bin.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\SessionHash = 5f8359d51105007c0e6a24effaf34002bbeaa38c6dd0beeb4e1b7c6e9c98890e	excorsist.bin.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFiles0000 = 43003a005c00550073006500720073005c00410064006d0069006e005c004d0075007300690063005c004d00650072006700650043006f006e007600650072007400460072006f006d002e0073006e00640000000000	excorsist.bin.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\windows\CurrentVersion\Internet Settings	excorsist.bin.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFilesHash = 54080bc89fd2662ce0d441d53ca0b69802dd315581d8d17ef00441e8c9469d90	excorsist.bin.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFiles0000 = 43003a005c00550073006500720073005c00410064006d0069006e005c0044006f00630075006d0065006e00740073005c0052006500710075006500730074005300650061007200630068002e0078006c007300780000000000	excorsist.bin.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\SessionHash = 58b436c7d2f29efc1d07e9035684c336f071ee05625349b242ba458efb6bc3e0	excorsist.bin.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFilesHash = 42341b082fbf95e5e3fdb2356293ebeb4ea9fd8029ac4b8ce9285e90b89614e6	excorsist.bin.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFiles0000 = 43003a005c00550073006500720073005c00410064006d0069006e005c004d0075007300690063005c00500069006e0067005000750062006c006900730068002e0063007300760000000000	excorsist.bin.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFilesHash = de1fdec8ccb13594aa76e555c0520af66c867aef84e8e49d151e8c5dae095909	excorsist.bin.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFilesHash = f5928aae7d913e9e9d72d0eaafad22b0781ea7ecd401de1a94b21cc12f9b6a01	excorsist.bin.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFiles0000 = 43003a005c00550073006500720073005c00410064006d0069006e005c00500069006300740075007200650073005c0043006800650063006b0070006f0069006e00740052006500610064002e007300760067007a0000000000	excorsist.bin.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFiles0000 = 43003a005c00550073006500720073005c00410064006d0069006e005c0044006f0077006e006c006f006100640073005c00520065007300740061007200740045006e00610062006c0065002e00680074006d006c0000000000	excorsist.bin.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\SessionHash = b39c8515e4526aaff48427dfdcc2d85e22a0650ecfc52e0c175be5949aac83b7	excorsist.bin.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFilesHash = 13b28eba964b96093ebf84be121f0c3a249736506c12690c60913634051ef147	excorsist.bin.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFilesHash = 6a2114136ca7ef2a85d9fdbad7ecf3bf6999467da887a9486266e4fbe2af1911	excorsist.bin.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{9563bb1f-0000-0000-0000-500600000000}\MaxCapacity = "15150"	excorsist.bin.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFilesHash = a1dcf0ae86b16004160feaf798f11259a0afb7824cf1be64a96cffc31048208a	excorsist.bin.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\SessionHash = b4eb66a8e08e074dfa02a80ae5bec6158c74993aa055489f2071eacc8a4c4ba0	excorsist.bin.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFilesHash = b82e054aec3120aba3e17959c62833721fe9fe5b25f124a1b13ffa03981b1478	excorsist.bin.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFilesHash = 77fbbfb22d5e294304cce4bfb0277927066f4721e2e7f3edc28c336f147585ba	excorsist.bin.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@%SystemRoot%\system32\shell32.dll,-50176 = "File Operation"	excorsist.bin.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFiles0000 = 43003a005c00550073006500720073005c00410064006d0069006e005c004400650073006b0074006f0070005c0055006e0064006f005300650074002e006f006400730000000000	excorsist.bin.exe

NTFS ADS 4 IoCs

Processes:

excorsist.bin.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Local\Temp\Microsoft\Windows\lVvwrn\windows.sys:dhpkxqkdun	excorsist.bin.exe
File created	C:\Users\Admin\AppData\Local\Temp\Microsoft\Windows\Stq6AP\windows.sys:qvqhfjkvnrdtqgtt	excorsist.bin.exe
File created	C:\Users\Admin\AppData\Local\Temp\Microsoft\Windows\lVvwrn\windows.sys:dhpkxqkdun	excorsist.bin.exe
File created	C:\Users\Admin\AppData\Local\Temp\Microsoft\Windows\qhmHkZ\windows.sys:qxoyhxveerelbnrwg	excorsist.bin.exe

Suspicious behavior: EnumeratesProcesses 5070 IoCs

Processes:

excorsist.bin.exe

pid	process
2920	excorsist.bin.exe
2920	excorsist.bin.exe
2920	excorsist.bin.exe
2920	excorsist.bin.exe
2920	excorsist.bin.exe
2920	excorsist.bin.exe
2920	excorsist.bin.exe
2920	excorsist.bin.exe
2920	excorsist.bin.exe
2920	excorsist.bin.exe
2920	excorsist.bin.exe
2920	excorsist.bin.exe
2920	excorsist.bin.exe
2920	excorsist.bin.exe
2920	excorsist.bin.exe
2920	excorsist.bin.exe
2920	excorsist.bin.exe
2920	excorsist.bin.exe
2920	excorsist.bin.exe
2920	excorsist.bin.exe
2920	excorsist.bin.exe
2920	excorsist.bin.exe
2920	excorsist.bin.exe
2920	excorsist.bin.exe
2920	excorsist.bin.exe
2920	excorsist.bin.exe
2920	excorsist.bin.exe
2920	excorsist.bin.exe
2920	excorsist.bin.exe
2920	excorsist.bin.exe
2920	excorsist.bin.exe
2920	excorsist.bin.exe
2920	excorsist.bin.exe
2920	excorsist.bin.exe
2920	excorsist.bin.exe
2920	excorsist.bin.exe
2920	excorsist.bin.exe
2920	excorsist.bin.exe
2920	excorsist.bin.exe
2920	excorsist.bin.exe
2920	excorsist.bin.exe
2920	excorsist.bin.exe
2920	excorsist.bin.exe
2920	excorsist.bin.exe
2920	excorsist.bin.exe
2920	excorsist.bin.exe
2920	excorsist.bin.exe
2920	excorsist.bin.exe
2920	excorsist.bin.exe
2920	excorsist.bin.exe
2920	excorsist.bin.exe
2920	excorsist.bin.exe
2920	excorsist.bin.exe
2920	excorsist.bin.exe
2920	excorsist.bin.exe
2920	excorsist.bin.exe
2920	excorsist.bin.exe
2920	excorsist.bin.exe
2920	excorsist.bin.exe
2920	excorsist.bin.exe
2920	excorsist.bin.exe
2920	excorsist.bin.exe
2920	excorsist.bin.exe
2920	excorsist.bin.exe

Suspicious use of AdjustPrivilegeToken 30 IoCs

Processes:

excorsist.bin.exevssvc.exeWMIC.exe

description	pid	process
Token: SeDebugPrivilege	2920	excorsist.bin.exe
Token: SeRestorePrivilege	2920	excorsist.bin.exe
Token: SeDebugPrivilege	2920	excorsist.bin.exe
Token: SeSecurityPrivilege	2920	excorsist.bin.exe
Token: SeRestorePrivilege	2920	excorsist.bin.exe
Token: SeDebugPrivilege	2920	excorsist.bin.exe
Token: SeBackupPrivilege	424	vssvc.exe
Token: SeRestorePrivilege	424	vssvc.exe
Token: SeAuditPrivilege	424	vssvc.exe
Token: SeIncreaseQuotaPrivilege	2556	WMIC.exe
Token: SeSecurityPrivilege	2556	WMIC.exe
Token: SeTakeOwnershipPrivilege	2556	WMIC.exe
Token: SeLoadDriverPrivilege	2556	WMIC.exe
Token: SeSystemProfilePrivilege	2556	WMIC.exe
Token: SeSystemtimePrivilege	2556	WMIC.exe
Token: SeProfSingleProcessPrivilege	2556	WMIC.exe
Token: SeIncBasePriorityPrivilege	2556	WMIC.exe
Token: SeCreatePagefilePrivilege	2556	WMIC.exe
Token: SeBackupPrivilege	2556	WMIC.exe
Token: SeRestorePrivilege	2556	WMIC.exe
Token: SeShutdownPrivilege	2556	WMIC.exe
Token: SeDebugPrivilege	2556	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2556	WMIC.exe
Token: SeRemoteShutdownPrivilege	2556	WMIC.exe
Token: SeUndockPrivilege	2556	WMIC.exe
Token: SeManageVolumePrivilege	2556	WMIC.exe
Token: 33	2556	WMIC.exe
Token: 34	2556	WMIC.exe
Token: 35	2556	WMIC.exe
Token: 36	2556	WMIC.exe

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

excorsist.bin.execmd.execmd.exe

description	pid	process	target process
PID 2920 wrote to memory of 3856	2920	excorsist.bin.exe	cmd.exe
PID 2920 wrote to memory of 3856	2920	excorsist.bin.exe	cmd.exe
PID 2920 wrote to memory of 3856	2920	excorsist.bin.exe	cmd.exe
PID 3856 wrote to memory of 1320	3856	cmd.exe	vssadmin.exe
PID 3856 wrote to memory of 1320	3856	cmd.exe	vssadmin.exe
PID 3856 wrote to memory of 1320	3856	cmd.exe	vssadmin.exe
PID 2920 wrote to memory of 1220	2920	excorsist.bin.exe	cmd.exe
PID 2920 wrote to memory of 1220	2920	excorsist.bin.exe	cmd.exe
PID 2920 wrote to memory of 1220	2920	excorsist.bin.exe	cmd.exe
PID 2920 wrote to memory of 1464	2920	excorsist.bin.exe	cmd.exe
PID 2920 wrote to memory of 1464	2920	excorsist.bin.exe	cmd.exe
PID 2920 wrote to memory of 1464	2920	excorsist.bin.exe	cmd.exe
PID 2920 wrote to memory of 1816	2920	excorsist.bin.exe	cmd.exe
PID 2920 wrote to memory of 1816	2920	excorsist.bin.exe	cmd.exe
PID 2920 wrote to memory of 1816	2920	excorsist.bin.exe	cmd.exe
PID 2920 wrote to memory of 1664	2920	excorsist.bin.exe	cmd.exe
PID 2920 wrote to memory of 1664	2920	excorsist.bin.exe	cmd.exe
PID 2920 wrote to memory of 1664	2920	excorsist.bin.exe	cmd.exe
PID 2920 wrote to memory of 2140	2920	excorsist.bin.exe	cmd.exe
PID 2920 wrote to memory of 2140	2920	excorsist.bin.exe	cmd.exe
PID 2920 wrote to memory of 2140	2920	excorsist.bin.exe	cmd.exe
PID 2140 wrote to memory of 2556	2140	cmd.exe	WMIC.exe
PID 2140 wrote to memory of 2556	2140	cmd.exe	WMIC.exe
PID 2140 wrote to memory of 2556	2140	cmd.exe	WMIC.exe

C:\Users\Admin\AppData\Local\Temp\excorsist.bin.exe
"C:\Users\Admin\AppData\Local\Temp\excorsist.bin.exe"
1⤵
- Modifies extensions of user files
- Drops desktop.ini file(s)
- Enumerates connected drives
- Modifies data under HKEY_USERS
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2920
- C:\Windows\SysWOW64\cmd.exe
  cmd /C vssadmin Delete Shadows /All /Quiet
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3856
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin Delete Shadows /All /Quiet
    3⤵
    - Interacts with shadow copies
    PID:1320
- C:\Windows\SysWOW64\cmd.exe
  cmd /C bcdedit /set {default} recoveryenabled No
  2⤵
  PID:1220
- C:\Windows\SysWOW64\cmd.exe
  cmd /C bcdedit /set {default} bootstatuspolicy ignoreallfailures
  2⤵
  PID:1464
- C:\Windows\SysWOW64\cmd.exe
  cmd /C wbadmin DELETE SYSTEMSTATEBACKUP
  2⤵
  PID:1816
- C:\Windows\SysWOW64\cmd.exe
  cmd /C wbadmin DELETE SYSTEMSTATEBACKUP -deleteOldest
  2⤵
  PID:1664
- C:\Windows\SysWOW64\cmd.exe
  cmd /C wmic SHADOWCOPY /nointeractive
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2140
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic SHADOWCOPY /nointeractive
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2556

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Modifies service
- Suspicious use of AdjustPrivilegeToken
PID:424

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

File Deletion

T1107

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1220-2-0x0000000000000000-mapping.dmp

Download
memory/1320-1-0x0000000000000000-mapping.dmp

Download
memory/1464-3-0x0000000000000000-mapping.dmp

Download
memory/1664-5-0x0000000000000000-mapping.dmp

Download
memory/1816-4-0x0000000000000000-mapping.dmp

Download
memory/2140-6-0x0000000000000000-mapping.dmp

Download
memory/2556-7-0x0000000000000000-mapping.dmp

Download
memory/2920-8-0x0000000004D60000-0x0000000004D61000-memory.dmp

Filesize
4KB

Download
memory/2920-9-0x0000000005560000-0x0000000005561000-memory.dmp

Filesize
4KB

Download
memory/2920-10-0x0000000004D40000-0x0000000004D41000-memory.dmp

Filesize
4KB

Download
memory/2920-11-0x0000000004D40000-0x0000000004D41000-memory.dmp

Filesize
4KB

Download
memory/2920-12-0x0000000004D40000-0x0000000004D41000-memory.dmp

Filesize
4KB

Download
memory/2920-13-0x0000000004D40000-0x0000000004D41000-memory.dmp

Filesize
4KB

Download
memory/2920-14-0x0000000004D40000-0x0000000004D41000-memory.dmp

Filesize
4KB

Download
memory/2920-15-0x0000000004D40000-0x0000000004D41000-memory.dmp

Filesize
4KB

Download
memory/2920-16-0x0000000004D40000-0x0000000004D41000-memory.dmp

Filesize
4KB

Download
memory/2920-17-0x0000000004D40000-0x0000000004D41000-memory.dmp

Filesize
4KB

Download
memory/2920-18-0x0000000004D40000-0x0000000004D41000-memory.dmp

Filesize
4KB

Download
memory/2920-19-0x0000000004D40000-0x0000000004D41000-memory.dmp

Filesize
4KB

Download
memory/2920-20-0x0000000004D40000-0x0000000004D41000-memory.dmp

Filesize
4KB

Download
memory/2920-21-0x0000000004D40000-0x0000000004D41000-memory.dmp

Filesize
4KB

Download
memory/2920-22-0x0000000004D40000-0x0000000004D41000-memory.dmp

Filesize
4KB

Download
memory/2920-23-0x0000000004D40000-0x0000000004D41000-memory.dmp

Filesize
4KB

Download
memory/2920-24-0x0000000004D40000-0x0000000004D41000-memory.dmp

Filesize
4KB

Download
memory/2920-25-0x0000000004D40000-0x0000000004D41000-memory.dmp

Filesize
4KB

Download
memory/2920-26-0x0000000004D40000-0x0000000004D41000-memory.dmp

Filesize
4KB

Download
memory/2920-27-0x0000000004D40000-0x0000000004D41000-memory.dmp

Filesize
4KB

Download
memory/2920-28-0x0000000004D40000-0x0000000004D41000-memory.dmp

Filesize
4KB

Download
memory/2920-29-0x0000000004D40000-0x0000000004D41000-memory.dmp

Filesize
4KB

Download
memory/2920-30-0x0000000004D40000-0x0000000004D41000-memory.dmp

Filesize
4KB

Download
memory/2920-31-0x0000000004D40000-0x0000000004D41000-memory.dmp

Filesize
4KB

Download
memory/2920-32-0x0000000004D40000-0x0000000004D41000-memory.dmp

Filesize
4KB

Download
memory/2920-33-0x0000000004D40000-0x0000000004D41000-memory.dmp

Filesize
4KB

Download
memory/2920-34-0x0000000004D40000-0x0000000004D41000-memory.dmp

Filesize
4KB

Download
memory/2920-35-0x0000000004D40000-0x0000000004D41000-memory.dmp

Filesize
4KB

Download
memory/2920-36-0x0000000004D40000-0x0000000004D41000-memory.dmp

Filesize
4KB

Download
memory/2920-37-0x0000000004D40000-0x0000000004D41000-memory.dmp

Filesize
4KB

Download
memory/2920-38-0x0000000004D40000-0x0000000004D41000-memory.dmp

Filesize
4KB

Download
memory/2920-39-0x0000000004D40000-0x0000000004D41000-memory.dmp

Filesize
4KB

Download
memory/2920-40-0x0000000004D40000-0x0000000004D41000-memory.dmp

Filesize
4KB

Download
memory/2920-41-0x0000000004D40000-0x0000000004D41000-memory.dmp

Filesize
4KB

Download
memory/2920-42-0x0000000004D40000-0x0000000004D41000-memory.dmp

Filesize
4KB

Download
memory/2920-43-0x0000000004D40000-0x0000000004D41000-memory.dmp

Filesize
4KB

Download
memory/2920-44-0x0000000004D40000-0x0000000004D41000-memory.dmp

Filesize
4KB

Download
memory/2920-45-0x0000000004D40000-0x0000000004D41000-memory.dmp

Filesize
4KB

Download
memory/2920-46-0x0000000004D40000-0x0000000004D41000-memory.dmp

Filesize
4KB

Download
memory/2920-47-0x0000000004D40000-0x0000000004D41000-memory.dmp

Filesize
4KB

Download
memory/2920-48-0x0000000004D40000-0x0000000004D41000-memory.dmp

Filesize
4KB

Download
memory/2920-49-0x0000000004D40000-0x0000000004D41000-memory.dmp

Filesize
4KB

Download
memory/2920-50-0x0000000004D40000-0x0000000004D41000-memory.dmp

Filesize
4KB

Download
memory/2920-51-0x0000000004D40000-0x0000000004D41000-memory.dmp

Filesize
4KB

Download
memory/2920-52-0x0000000004D40000-0x0000000004D41000-memory.dmp

Filesize
4KB

Download
memory/2920-53-0x0000000004D40000-0x0000000004D41000-memory.dmp

Filesize
4KB

Download
memory/2920-54-0x0000000004D40000-0x0000000004D41000-memory.dmp

Filesize
4KB

Download
memory/2920-55-0x0000000004D40000-0x0000000004D41000-memory.dmp

Filesize
4KB

Download
memory/2920-56-0x0000000004D40000-0x0000000004D41000-memory.dmp

Filesize
4KB

Download
memory/2920-57-0x0000000004D40000-0x0000000004D41000-memory.dmp

Filesize
4KB

Download
memory/2920-58-0x0000000004D40000-0x0000000004D41000-memory.dmp

Filesize
4KB

Download
memory/2920-59-0x0000000004D40000-0x0000000004D41000-memory.dmp

Filesize
4KB

Download
memory/2920-60-0x0000000004D40000-0x0000000004D41000-memory.dmp

Filesize
4KB

Download
memory/2920-61-0x0000000004D40000-0x0000000004D41000-memory.dmp

Filesize
4KB

Download
memory/2920-62-0x0000000004D40000-0x0000000004D41000-memory.dmp

Filesize
4KB

Download
memory/2920-63-0x0000000004D40000-0x0000000004D41000-memory.dmp

Filesize
4KB

Download
memory/2920-64-0x0000000004D40000-0x0000000004D41000-memory.dmp

Filesize
4KB

Download
memory/2920-65-0x0000000004D40000-0x0000000004D41000-memory.dmp

Filesize
4KB

Download
memory/2920-66-0x0000000004D40000-0x0000000004D41000-memory.dmp

Filesize
4KB

Download
memory/2920-67-0x0000000004D40000-0x0000000004D41000-memory.dmp

Filesize
4KB

Download
memory/2920-68-0x0000000004D40000-0x0000000004D41000-memory.dmp

Filesize
4KB

Download
memory/2920-69-0x0000000004D40000-0x0000000004D41000-memory.dmp

Filesize
4KB

Download
memory/2920-70-0x0000000004D40000-0x0000000004D41000-memory.dmp

Filesize
4KB

Download
memory/2920-71-0x0000000004D40000-0x0000000004D41000-memory.dmp

Filesize
4KB

Download
memory/2920-72-0x0000000004D40000-0x0000000004D41000-memory.dmp

Filesize
4KB

Download
memory/2920-73-0x0000000004D40000-0x0000000004D41000-memory.dmp

Filesize
4KB

Download
memory/2920-74-0x0000000004D40000-0x0000000004D41000-memory.dmp

Filesize
4KB

Download
memory/2920-75-0x0000000004D40000-0x0000000004D41000-memory.dmp

Filesize
4KB

Download
memory/2920-76-0x0000000004D40000-0x0000000004D41000-memory.dmp

Filesize
4KB

Download
memory/2920-77-0x0000000004D40000-0x0000000004D41000-memory.dmp

Filesize
4KB

Download
memory/2920-78-0x0000000004D40000-0x0000000004D41000-memory.dmp

Filesize
4KB

Download
memory/2920-79-0x0000000004D40000-0x0000000004D41000-memory.dmp

Filesize
4KB

Download
memory/2920-81-0x0000000004D60000-0x0000000004D61000-memory.dmp

Filesize
4KB

Download
memory/2920-82-0x0000000005560000-0x0000000005561000-memory.dmp

Filesize
4KB

Download
memory/2920-154-0x0000000004D60000-0x0000000004D61000-memory.dmp

Filesize
4KB

Download
memory/2920-156-0x0000000004D60000-0x0000000004D61000-memory.dmp

Filesize
4KB

Download
memory/2920-158-0x0000000004D60000-0x0000000004D61000-memory.dmp

Filesize
4KB

Download
memory/2920-160-0x0000000004D60000-0x0000000004D61000-memory.dmp

Filesize
4KB

Download
memory/2920-162-0x0000000004D60000-0x0000000004D61000-memory.dmp

Filesize
4KB

Download
memory/2920-164-0x0000000004D60000-0x0000000004D61000-memory.dmp

Filesize
4KB

Download
memory/2920-166-0x0000000004D60000-0x0000000004D61000-memory.dmp

Filesize
4KB

Download
memory/2920-167-0x0000000005560000-0x0000000005561000-memory.dmp

Filesize
4KB

Download
memory/2920-168-0x0000000004D60000-0x0000000004D61000-memory.dmp

Filesize
4KB

Download
memory/2920-170-0x0000000004D60000-0x0000000004D61000-memory.dmp

Filesize
4KB

Download
memory/2920-172-0x0000000004D60000-0x0000000004D61000-memory.dmp

Filesize
4KB

Download
memory/2920-174-0x0000000004D60000-0x0000000004D61000-memory.dmp

Filesize
4KB

Download
memory/2920-176-0x0000000004D60000-0x0000000004D61000-memory.dmp

Filesize
4KB

Download
memory/2920-178-0x0000000004D60000-0x0000000004D61000-memory.dmp

Filesize
4KB

Download
memory/2920-180-0x0000000004D60000-0x0000000004D61000-memory.dmp

Filesize
4KB

Download
memory/2920-182-0x0000000004D60000-0x0000000004D61000-memory.dmp

Filesize
4KB

Download
memory/2920-184-0x0000000004D60000-0x0000000004D61000-memory.dmp

Filesize
4KB

Download
memory/2920-186-0x0000000004D60000-0x0000000004D61000-memory.dmp

Filesize
4KB

Download
memory/2920-188-0x0000000004D60000-0x0000000004D61000-memory.dmp

Filesize
4KB

Download
memory/2920-190-0x0000000004D60000-0x0000000004D61000-memory.dmp

Filesize
4KB

Download
memory/2920-192-0x0000000004D60000-0x0000000004D61000-memory.dmp

Filesize
4KB

Download
memory/2920-193-0x0000000005560000-0x0000000005561000-memory.dmp

Filesize
4KB

Download
memory/2920-194-0x0000000004D60000-0x0000000004D61000-memory.dmp

Filesize
4KB

Download
memory/2920-196-0x0000000004D60000-0x0000000004D61000-memory.dmp

Filesize
4KB

Download
memory/2920-198-0x0000000004D60000-0x0000000004D61000-memory.dmp

Filesize
4KB

Download
memory/2920-200-0x0000000004D60000-0x0000000004D61000-memory.dmp

Filesize
4KB

Download
memory/2920-202-0x0000000004D60000-0x0000000004D61000-memory.dmp

Filesize
4KB

Download
memory/2920-204-0x0000000004D60000-0x0000000004D61000-memory.dmp

Filesize
4KB

Download
memory/2920-205-0x0000000005560000-0x0000000005561000-memory.dmp

Filesize
4KB

Download
memory/2920-206-0x0000000004D60000-0x0000000004D61000-memory.dmp

Filesize
4KB

Download
memory/2920-208-0x0000000004D60000-0x0000000004D61000-memory.dmp

Filesize
4KB

Download
memory/2920-210-0x0000000004D60000-0x0000000004D61000-memory.dmp

Filesize
4KB

Download
memory/2920-212-0x0000000004D60000-0x0000000004D61000-memory.dmp

Filesize
4KB

Download
memory/2920-214-0x0000000004D60000-0x0000000004D61000-memory.dmp

Filesize
4KB

Download
memory/2920-216-0x0000000004D60000-0x0000000004D61000-memory.dmp

Filesize
4KB

Download
memory/2920-218-0x0000000004D60000-0x0000000004D61000-memory.dmp

Filesize
4KB

Download
memory/2920-220-0x0000000004D60000-0x0000000004D61000-memory.dmp

Filesize
4KB

Download
memory/2920-222-0x0000000004D60000-0x0000000004D61000-memory.dmp

Filesize
4KB

Download
memory/2920-224-0x0000000004D60000-0x0000000004D61000-memory.dmp

Filesize
4KB

Download
memory/2920-226-0x0000000004D60000-0x0000000004D61000-memory.dmp

Filesize
4KB

Download
memory/2920-228-0x0000000004D60000-0x0000000004D61000-memory.dmp

Filesize
4KB

Download
memory/2920-230-0x0000000004D60000-0x0000000004D61000-memory.dmp

Filesize
4KB

Download
memory/2920-232-0x0000000004D60000-0x0000000004D61000-memory.dmp

Filesize
4KB

Download
memory/2920-234-0x0000000004D60000-0x0000000004D61000-memory.dmp

Filesize
4KB

Download
memory/2920-236-0x0000000004D60000-0x0000000004D61000-memory.dmp

Filesize
4KB

Download
memory/2920-238-0x0000000004D60000-0x0000000004D61000-memory.dmp

Filesize
4KB

Download
memory/2920-240-0x0000000004D60000-0x0000000004D61000-memory.dmp

Filesize
4KB

Download
memory/2920-242-0x0000000004D60000-0x0000000004D61000-memory.dmp

Filesize
4KB

Download
memory/2920-244-0x0000000004D60000-0x0000000004D61000-memory.dmp

Filesize
4KB

Download
memory/2920-246-0x0000000004D60000-0x0000000004D61000-memory.dmp

Filesize
4KB

Download
memory/2920-248-0x0000000004D60000-0x0000000004D61000-memory.dmp

Filesize
4KB

Download
memory/2920-250-0x0000000004D60000-0x0000000004D61000-memory.dmp

Filesize
4KB

Download
memory/2920-252-0x0000000004D60000-0x0000000004D61000-memory.dmp

Filesize
4KB

Download
memory/2920-254-0x0000000004D60000-0x0000000004D61000-memory.dmp

Filesize
4KB

Download
memory/2920-256-0x0000000004D60000-0x0000000004D61000-memory.dmp

Filesize
4KB

Download
memory/2920-258-0x0000000004D60000-0x0000000004D61000-memory.dmp

Filesize
4KB

Download
memory/2920-260-0x0000000004D60000-0x0000000004D61000-memory.dmp

Filesize
4KB

Download
memory/2920-262-0x0000000004D60000-0x0000000004D61000-memory.dmp

Filesize
4KB

Download
memory/2920-264-0x0000000004D60000-0x0000000004D61000-memory.dmp

Filesize
4KB

Download
memory/2920-266-0x0000000004D60000-0x0000000004D61000-memory.dmp

Filesize
4KB

Download
memory/2920-268-0x0000000004D60000-0x0000000004D61000-memory.dmp

Filesize
4KB

Download
memory/2920-270-0x0000000004D60000-0x0000000004D61000-memory.dmp

Filesize
4KB

Download
memory/2920-272-0x0000000004D60000-0x0000000004D61000-memory.dmp

Filesize
4KB

Download
memory/2920-274-0x0000000004D60000-0x0000000004D61000-memory.dmp

Filesize
4KB

Download
memory/2920-276-0x0000000004D60000-0x0000000004D61000-memory.dmp

Filesize
4KB

Download
memory/2920-278-0x0000000004D60000-0x0000000004D61000-memory.dmp

Filesize
4KB

Download
memory/2920-280-0x0000000004D60000-0x0000000004D61000-memory.dmp

Filesize
4KB

Download
memory/2920-282-0x0000000004D60000-0x0000000004D61000-memory.dmp

Filesize
4KB

Download
memory/2920-284-0x0000000004D60000-0x0000000004D61000-memory.dmp

Filesize
4KB

Download
memory/2920-286-0x0000000004D60000-0x0000000004D61000-memory.dmp

Filesize
4KB

Download
memory/2920-288-0x0000000004D60000-0x0000000004D61000-memory.dmp

Filesize
4KB

Download
memory/2920-290-0x0000000004D60000-0x0000000004D61000-memory.dmp

Filesize
4KB

Download
memory/2920-292-0x0000000004D60000-0x0000000004D61000-memory.dmp

Filesize
4KB

Download
memory/2920-294-0x0000000004D60000-0x0000000004D61000-memory.dmp

Filesize
4KB

Download
memory/2920-296-0x0000000004D60000-0x0000000004D61000-memory.dmp

Filesize
4KB

Download
memory/2920-298-0x0000000004D60000-0x0000000004D61000-memory.dmp

Filesize
4KB

Download
memory/2920-300-0x0000000004D60000-0x0000000004D61000-memory.dmp

Filesize
4KB

Download
memory/2920-302-0x0000000004D60000-0x0000000004D61000-memory.dmp

Filesize
4KB

Download
memory/2920-304-0x0000000004D60000-0x0000000004D61000-memory.dmp

Filesize
4KB

Download
memory/2920-306-0x0000000004D60000-0x0000000004D61000-memory.dmp

Filesize
4KB

Download
memory/2920-308-0x0000000004D60000-0x0000000004D61000-memory.dmp

Filesize
4KB

Download
memory/2920-310-0x0000000004D60000-0x0000000004D61000-memory.dmp

Filesize
4KB

Download
memory/2920-312-0x0000000004D60000-0x0000000004D61000-memory.dmp

Filesize
4KB

Download
memory/2920-314-0x0000000004D60000-0x0000000004D61000-memory.dmp

Filesize
4KB

Download
memory/2920-316-0x0000000004D60000-0x0000000004D61000-memory.dmp

Filesize
4KB

Download
memory/2920-318-0x0000000004D60000-0x0000000004D61000-memory.dmp

Filesize
4KB

Download
memory/2920-320-0x0000000004D60000-0x0000000004D61000-memory.dmp

Filesize
4KB

Download
memory/2920-322-0x0000000004D60000-0x0000000004D61000-memory.dmp

Filesize
4KB

Download
memory/2920-324-0x0000000004D60000-0x0000000004D61000-memory.dmp

Filesize
4KB

Download
memory/2920-326-0x0000000004D60000-0x0000000004D61000-memory.dmp

Filesize
4KB

Download
memory/2920-328-0x0000000004D60000-0x0000000004D61000-memory.dmp

Filesize
4KB

Download
memory/2920-330-0x0000000004D60000-0x0000000004D61000-memory.dmp

Filesize
4KB

Download
memory/2920-451-0x0000000001000000-0x00000000010C6000-memory.dmp

Filesize
792KB

Download
memory/3856-0-0x0000000000000000-mapping.dmp

Download