Analysis
max time kernel: 137s
max time network: 152s
platform: windows7_x64
resource: win7
submitted: 01-10-2020 16:10

Static task: static1

Behavioral task: behavioral1
Sample: excorsist.bin.exe
Resource: win7

Behavioral task: behavioral2
Sample: excorsist.bin.exe
Resource: win10

General
Target: excorsist.bin.exe
Size: 68KB
MD5: 9e5c89c84cdbf460fc6857c4e32dafdf
SHA1: ee0a95846ce48c59261eda0fdd6b38dfc83d9f4d
SHA256: dfecb46078038bcfa9d0b8db18bdc0646f33bad55ee7dd5ee46e61c6cf399620
SHA512: 6da517ae5159ebcb0ac138b34215924fb21adae619c3c15ede6863866648e445633f482b2beaddbe74de66b48e18d106dbde3253ee2d3ce86da667f7f8494cd8
Malware Config
Signatures
-
Exorcist Ransomware
Ransomware-as-a-service which avoids infecting machines in CIS nations. First seen in mid-2020.
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Drops desktop.ini file(s) 2 IoCs
description | ioc | Process
File opened for modification | C:\$RECYCLE.BIN\S-1-5-18\desktop.ini | excorsist.bin.exe
File opened for modification | \??\Z:\$RECYCLE.BIN\S-1-5-18\desktop.ini | excorsist.bin.exe
-
Enumerates connected drives 3 TTPs 25 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\J: | excorsist.bin.exe
File opened (read-only) | \??\E: | excorsist.bin.exe
File opened (read-only) | \??\A: | excorsist.bin.exe
File opened (read-only) | \??\S: | excorsist.bin.exe
File opened (read-only) | \??\L: | excorsist.bin.exe
File opened (read-only) | \??\Q: | excorsist.bin.exe
File opened (read-only) | \??\O: | excorsist.bin.exe
File opened (read-only) | \??\Z: | excorsist.bin.exe
File opened (read-only) | \??\R: | excorsist.bin.exe
File opened (read-only) | \??\G: | excorsist.bin.exe
File opened (read-only) | \??\D: | excorsist.bin.exe
File opened (read-only) | \??\Y: | excorsist.bin.exe
File opened (read-only) | \??\H: | excorsist.bin.exe
File opened (read-only) | \??\V: | excorsist.bin.exe
File opened (read-only) | \??\U: | excorsist.bin.exe
File opened (read-only) | \??\T: | excorsist.bin.exe
File opened (read-only) | \??\P: | excorsist.bin.exe
File opened (read-only) | \??\N: | excorsist.bin.exe
File opened (read-only) | \??\M: | excorsist.bin.exe
File opened (read-only) | \??\X: | excorsist.bin.exe
File opened (read-only) | \??\W: | excorsist.bin.exe
File opened (read-only) | \??\F: | excorsist.bin.exe
File opened (read-only) | \??\B: | excorsist.bin.exe
File opened (read-only) | \??\K: | excorsist.bin.exe
File opened (read-only) | \??\I: | excorsist.bin.exe
-
Modifies service 2 TTPs 4 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer | vssvc.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer | vssvc.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer | vssvc.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer | vssvc.exe
-
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
pid | Process
1796 | vssadmin.exe
-
Modifies data under HKEY_USERS 223 IoCs
f48177aaa6b379dca697bbb80d37d4a250cb92bf048b39de452f5a8318618435 excorsist.bin.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\SessionHash = 71fc2466898b194ae83b8fc5852d6b79d5f4fe4249bc2a3a861ff387f9c66eda excorsist.bin.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\SessionHash = 0d3d98291bcaa66bd0de2ea7fada8fce6f682867fcda23dcec246acc5f32cf81 excorsist.bin.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\SessionHash = e0a3aff7bff45ad239c7d9d1eb54dab5d3cfbeb2eea20d0ab5eb111a76e3a099 excorsist.bin.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\RegFiles0000 = 43003a005c00550073006500720073005c00410064006d0069006e005c004400650073006b0074006f0070005c00520065006100640052006500730075006d0065002e0077006d00660000000000 excorsist.bin.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\RegFilesHash = 2b799f22a15e6477b5535dac941daae912ccc1f0c16fbe59fa12ce70a77b21f2 excorsist.bin.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\RegFiles0000 = 43003a005c00550073006500720073005c00410064006d0069006e005c004400650073006b0074006f0070005c0052006500730074006f007200650045006e007400650072002e006e0066006f0000000000 excorsist.bin.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon\ = "%SystemRoot%\\System32\\imageres.dll,-55" excorsist.bin.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\RegFiles0000 = 43003a005c00550073006500720073005c00410064006d0069006e005c004400650073006b0074006f0070005c0052006500700061006900720055006e0069006e007300740061006c006c002e0065006d00660000000000 excorsist.bin.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\RegFilesHash = 
90f412ac9889be7e2844482391c804de55185487319241f78bbed7267fda2f81 excorsist.bin.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\SessionHash = 5d4951973a8c841c36e72299775a4f0e93d68754ac19b138d6bcae24dbcfef71 excorsist.bin.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\RegFiles0000 = 43003a005c00550073006500720073005c00410064006d0069006e005c004400650073006b0074006f0070005c0057006100740063006800530079006e0063002e006d0070006500670000000000 excorsist.bin.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\SessionHash = fa40c6345aada4477bb16a77729197180bdd5882eed67569a1bbee77073dbb8b excorsist.bin.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\SessionHash = 700b71c6e126965d2caa8f730c8ebeccf5b52da26866be135e9a4dd26780f09f excorsist.bin.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\RegFilesHash = 8638f3c85cf4d2cd2eb47260446f91a697eac2c27e9af6ff808502a4e6ed7159 excorsist.bin.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\RegFilesHash = de840a508824e58332937bafc03d9b632bcef69bdb4d8e0a41ccf6144910d833 excorsist.bin.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\SessionHash = 618c39dff68bb6facf1ae59a242268fa1b0cd47b3ef2a30fb419f2d57ed08679 excorsist.bin.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\RegFilesHash = d664b0cec8feb14c726bb5ad35bc04bf57f16725d306dadd591133b99535e5c0 excorsist.bin.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\RegFilesHash = 5a26fad6d7e44cb1307d6e5180bcba67523c98836a437ab0151ddf1a96fd92b9 excorsist.bin.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\RegFiles0000 = 
43003a005c00550073006500720073005c00410064006d0069006e005c0044006f0077006e006c006f006100640073005c00460069006e006400530074006100720074002e006d0069006400690000000000 excorsist.bin.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\SessionHash = 017c705a9e172fee29eb4a9fc94f15455f473a4938de2e8134d260457d762045 excorsist.bin.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\RegFilesHash = 972cc8e62a33fe1cb25f5e67213e05dc4f851a66c04b489071136f7db5fa3dbf excorsist.bin.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\SessionHash = 4a088ba6a234fefe8b993d4c3dd34d4d7fb8022d79aebdef7c7d4ece25eb54f8 excorsist.bin.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{a2da1a04-afea-11ea-ab7e-806e6f6e6963} excorsist.bin.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\SessionHash = f52b182f33c088165b5d27b58066b645a33640c9788fc2cbe4154964b0e3345a excorsist.bin.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\RegFiles0000 = 43003a005c00550073006500720073005c00410064006d0069006e005c0044006f00630075006d0065006e00740073005c00530061007600650043006f006d0070006100720065002e0070007000740000000000 excorsist.bin.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\LastEnum = 30002c007b00610032006400610031006100300034002d0061006600650061002d0031003100650061002d0061006200370065002d003800300036006500360066003600650036003900360033007d0000000000 excorsist.bin.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings excorsist.bin.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\SessionHash = 82b99838e3d1131f0d82d84b66997b10a0cb9d61adde6f96a4800f1cf8d5096e excorsist.bin.exe Set value (data) 
\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\RegFiles0000 = 43003a005c00550073006500720073005c00410064006d0069006e005c004400650073006b0074006f0070005c005200650061006400530065006e0064002e0057005400560000000000 excorsist.bin.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\RegFilesHash = 7963b81d9ccb5197f6332e30ac188fa07e0eb2acf7705878ad42f1d515ab154e excorsist.bin.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{C7121406-7FD4-42C9-B2AC-0BA026A12C21}\WpadDecision = "0" excorsist.bin.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\Sequence = "1" excorsist.bin.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\RegFiles0000 = 43003a005c00550073006500720073005c00410064006d0069006e005c0043006f006e00740061006300740073005c00410064006d0069006e002e0063006f006e00740061006300740000000000 excorsist.bin.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\RegFilesHash = 9401889ccdafec664dd72428e9af6f043a1400fa01a0db1e2c7038a37462223c excorsist.bin.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\RegFiles0000 = 43003a005c00550073006500720073005c00410064006d0069006e005c0044006f0077006e006c006f006100640073005c0049006e0076006f006b0065004700650074002e0078006d006c0000000000 excorsist.bin.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\RegFilesHash = d63b41dc2f3d80da25ea3132d9a8b3c236a7b937ffe4468f2281b46e57ae1bb5 excorsist.bin.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\RegFiles0000 = 43003a005c00550073006500720073005c00410064006d0069006e005c0044006f00630075006d0065006e00740073005c004400690073006d006f0075006e00740043006f006e006e006500630074002e0070007000740000000000 excorsist.bin.exe Set value (data) 
\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\RegFiles0000 = 43003a005c00550073006500720073005c00410064006d0069006e005c0044006f00630075006d0065006e00740073005c005700610074006300680055006e0064006f002e0078006c007300780000000000 excorsist.bin.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{a2da1a04-afea-11ea-ab7e-806e6f6e6963}\NukeOnDelete = "0" excorsist.bin.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer excorsist.bin.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon excorsist.bin.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\RegFiles0000 = 43003a005c00550073006500720073005c00410064006d0069006e005c004400650073006b0074006f0070005c0043006c006500610072004e00650077002e00610069006600660000000000 excorsist.bin.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\SessionHash = 65692705151d5a4eebdc3d43c07e5997b1252f5faff3132b1fd7f463ffe7e8aa excorsist.bin.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\SessionHash = 176253ee1ac3167756708226626a901402d3f6948b857ff3e8300c57cc54714d excorsist.bin.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion excorsist.bin.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{C7121406-7FD4-42C9-B2AC-0BA026A12C21}\WpadDecisionReason = "1" excorsist.bin.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000 excorsist.bin.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\RegFiles0000 = 
43003a005c00550073006500720073005c00410064006d0069006e005c0044006f00630075006d0065006e00740073005c005400650073007400500069006e0067002e0070007000730000000000 excorsist.bin.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\SessionHash = 24d628dab840b2df72055cae74170a60d38006cdd806d8ff86ea9329d3cca95e excorsist.bin.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon excorsist.bin.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\32-e2-17-db-d2-77\WpadDecision = "0" excorsist.bin.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\RegFilesHash = 93e094b7cfa16c235b8587c4fa9c30ac3201e3741aeff9e3e4fc397d76df6f0a excorsist.bin.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a07001b000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 excorsist.bin.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\SessionHash = 9eb51dd9f1b2b5e52565c052c2f076e98dd8e0e955d3932c1e5fe58cf0140cfa excorsist.bin.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\SessionHash = 6287c4e72ac43927e8edc4386afe123eb09d29734f69939bf7baa0dae88f59e6 excorsist.bin.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\RegFilesHash = 4f5319e773d5dbc1bda7704f4e1682dd403be1754b8f90f0e78e5ca60027b9de excorsist.bin.exe Set value (data) 
\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\RegFiles0000 = 43003a005c00550073006500720073005c00410064006d0069006e005c0044006f0077006e006c006f006100640073005c004a006f0069006e00520065007300650074002e007600620000000000 excorsist.bin.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\SessionHash = b72e822fa86103715e3b5056663fbdb6ed982009fcd6c1b7bf82ae386c31f79f excorsist.bin.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\RegFilesHash = 38975bca0ceb5e1ae8f2a1cae1fac08e01f9e9cc95c902a129198dce1d72d7a5 excorsist.bin.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\RegFiles0000 = 43003a005c00550073006500720073005c00410064006d0069006e005c0044006f0077006e006c006f006100640073005c00460069006e006400520065006700690073007400650072002e0063007300760000000000 excorsist.bin.exe -
NTFS ADS 4 IoCs
description    ioc    Process
File created    C:\Users\Admin\AppData\Local\Temp\Microsoft\Windows\tcA6as\windows.sys:qxoyhxveerelbnrwg    excorsist.bin.exe
File opened for modification    C:\Users\Admin\AppData\Local\Temp\Microsoft\Windows\5bqXmA\windows.sys:dhpkxqkdun    excorsist.bin.exe
File created    C:\Users\Admin\AppData\Local\Temp\Microsoft\Windows\g2ea2L\windows.sys:qvqhfjkvnrdtqgtt    excorsist.bin.exe
File created    C:\Users\Admin\AppData\Local\Temp\Microsoft\Windows\5bqXmA\windows.sys:dhpkxqkdun    excorsist.bin.exe
-
Suspicious behavior: EnumeratesProcesses 1366 IoCs
pid    Process
316    excorsist.bin.exe
316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 
excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 
316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 
excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 
316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 
excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe 316 excorsist.bin.exe -
Suspicious use of AdjustPrivilegeToken 29 IoCs
description                            pid   Process
Token: SeDebugPrivilege                316   excorsist.bin.exe
Token: SeRestorePrivilege              316   excorsist.bin.exe
Token: SeDebugPrivilege                316   excorsist.bin.exe
Token: SeSecurityPrivilege             316   excorsist.bin.exe
Token: SeRestorePrivilege              316   excorsist.bin.exe
Token: SeDebugPrivilege                316   excorsist.bin.exe
Token: SeBackupPrivilege               1772  vssvc.exe
Token: SeRestorePrivilege              1772  vssvc.exe
Token: SeAuditPrivilege                1772  vssvc.exe
Token: SeIncreaseQuotaPrivilege        2004  WMIC.exe
Token: SeSecurityPrivilege             2004  WMIC.exe
Token: SeTakeOwnershipPrivilege        2004  WMIC.exe
Token: SeLoadDriverPrivilege           2004  WMIC.exe
Token: SeSystemProfilePrivilege        2004  WMIC.exe
Token: SeSystemtimePrivilege           2004  WMIC.exe
Token: SeProfSingleProcessPrivilege    2004  WMIC.exe
Token: SeIncBasePriorityPrivilege      2004  WMIC.exe
Token: SeCreatePagefilePrivilege       2004  WMIC.exe
Token: SeBackupPrivilege               2004  WMIC.exe
Token: SeRestorePrivilege              2004  WMIC.exe
Token: SeShutdownPrivilege             2004  WMIC.exe
Token: SeDebugPrivilege                2004  WMIC.exe
Token: SeSystemEnvironmentPrivilege    2004  WMIC.exe
Token: SeRemoteShutdownPrivilege       2004  WMIC.exe
Token: SeUndockPrivilege               2004  WMIC.exe
Token: SeManageVolumePrivilege         2004  WMIC.exe
Token: 33                              2004  WMIC.exe
Token: 34                              2004  WMIC.exe
Token: 35                              2004  WMIC.exe
-
Suspicious use of WriteProcessMemory 32 IoCs
description                         pid   Process            procid_target
PID 316 wrote to memory of 1388     316   excorsist.bin.exe  25
PID 316 wrote to memory of 1388     316   excorsist.bin.exe  25
PID 316 wrote to memory of 1388     316   excorsist.bin.exe  25
PID 316 wrote to memory of 1388     316   excorsist.bin.exe  25
PID 1388 wrote to memory of 1796    1388  cmd.exe            28
PID 1388 wrote to memory of 1796    1388  cmd.exe            28
PID 1388 wrote to memory of 1796    1388  cmd.exe            28
PID 1388 wrote to memory of 1796    1388  cmd.exe            28
PID 316 wrote to memory of 1648     316   excorsist.bin.exe  30
PID 316 wrote to memory of 1648     316   excorsist.bin.exe  30
PID 316 wrote to memory of 1648     316   excorsist.bin.exe  30
PID 316 wrote to memory of 1648     316   excorsist.bin.exe  30
PID 316 wrote to memory of 1924     316   excorsist.bin.exe  32
PID 316 wrote to memory of 1924     316   excorsist.bin.exe  32
PID 316 wrote to memory of 1924     316   excorsist.bin.exe  32
PID 316 wrote to memory of 1924     316   excorsist.bin.exe  32
PID 316 wrote to memory of 1936     316   excorsist.bin.exe  34
PID 316 wrote to memory of 1936     316   excorsist.bin.exe  34
PID 316 wrote to memory of 1936     316   excorsist.bin.exe  34
PID 316 wrote to memory of 1936     316   excorsist.bin.exe  34
PID 316 wrote to memory of 1920     316   excorsist.bin.exe  36
PID 316 wrote to memory of 1920     316   excorsist.bin.exe  36
PID 316 wrote to memory of 1920     316   excorsist.bin.exe  36
PID 316 wrote to memory of 1920     316   excorsist.bin.exe  36
PID 316 wrote to memory of 2008     316   excorsist.bin.exe  38
PID 316 wrote to memory of 2008     316   excorsist.bin.exe  38
PID 316 wrote to memory of 2008     316   excorsist.bin.exe  38
PID 316 wrote to memory of 2008     316   excorsist.bin.exe  38
PID 2008 wrote to memory of 2004    2008  cmd.exe            40
PID 2008 wrote to memory of 2004    2008  cmd.exe            40
PID 2008 wrote to memory of 2004    2008  cmd.exe            40
PID 2008 wrote to memory of 2004    2008  cmd.exe            40
Processes
-
C:\Users\Admin\AppData\Local\Temp\excorsist.bin.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\excorsist.bin.exe"
PID:316
- Drops desktop.ini file(s)
- Enumerates connected drives
- Modifies data under HKEY_USERS
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /C vssadmin Delete Shadows /All /Quiet
    PID:1388
    - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\vssadmin.exe
        Command line: vssadmin Delete Shadows /All /Quiet
        PID:1796
        - Interacts with shadow copies

    C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /C bcdedit /set {default} recoveryenabled No
    PID:1648

    C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /C bcdedit /set {default} bootstatuspolicy ignoreallfailures
    PID:1924

    C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /C wbadmin DELETE SYSTEMSTATEBACKUP
    PID:1936

    C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /C wbadmin DELETE SYSTEMSTATEBACKUP -deleteOldest
    PID:1920

    C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /C wmic SHADOWCOPY /nointeractive
    PID:2008
    - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\Wbem\WMIC.exe
        Command line: wmic SHADOWCOPY /nointeractive
        PID:2004
        - Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\vssvc.exe
Command line: C:\Windows\system32\vssvc.exe
PID:1772
- Modifies service
- Suspicious use of AdjustPrivilegeToken