Analysis
max time kernel: 299s
max time network: 239s
platform: windows7_x64
resource: win7-en-20211208
submitted: 09-12-2021 07:42

Static task: static1
Behavioral task: behavioral1
  Sample: Doitman.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: Doitman.exe
  Resource: win10-en-20211208

General
Target: Doitman.exe
Size: 125KB
MD5: f28ac8c53e1776f0bb151bfe969cb50c
SHA1: ac6d92aa5213bf0431999688f63c37d72a6206bf
SHA256: e95902e83c3cd7ceef665f91faba200dd487a073996e34ae3f041a00d0a061a5
SHA512: 5ccb69f839dda459fca95a0731a152f831e32e23521e47506710a824a1d5779d59ce1752f623b700a1416263a5537f7c92c16f43c6c9ded028839493bbed8e7c
Malware Config
Signatures
Modifies Installed Components in the registry (2 TTPs)

Modifies extensions of user files (1 IoC)
Ransomware generally changes the extension on encrypted files.
Processes: Doitman.exe
description | ioc | process
File opened for modification | C:\Users\Admin\Pictures\SubmitLimit.tiff | Doitman.exe

Drops startup file (1 IoC)
Processes: Doitman.exe
description | ioc | process
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini | Doitman.exe

Loads dropped DLL (6 IoCs)
Processes: Explorer.EXE, Explorer.EXE
pid | process
2044 | Explorer.EXE
2044 | Explorer.EXE
2044 | Explorer.EXE
1800 | Explorer.EXE
1800 | Explorer.EXE
1800 | Explorer.EXE
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Drops desktop.ini file(s) (64 IoCs)
Processes: Doitman.exe, Explorer.EXE, Explorer.EXE
description | ioc | process
File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini | Doitman.exe
File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Games\Desktop.ini | Doitman.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini | Doitman.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini | Doitman.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini | Doitman.exe
File opened for modification | C:\Users\Admin\Favorites\desktop.ini | Doitman.exe
File opened for modification | C:\Users\Public\Desktop\desktop.ini | Doitman.exe
File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Desktop.ini | Doitman.exe
File opened for modification | C:\Users\Public\Downloads\desktop.ini | Doitman.exe
File opened for modification | C:\Users\Public\Videos\desktop.ini | Doitman.exe
File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini | Doitman.exe
File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\FNOUQX38\desktop.ini | Doitman.exe
File opened for modification | C:\$RECYCLE.BIN\S-1-5-21-3846991908-3261386348-1409841751-1000\desktop.ini | Explorer.EXE
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini | Doitman.exe
File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini | Explorer.EXE
File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini | Doitman.exe
File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RO7FJFDE\desktop.ini | Doitman.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini | Doitman.exe
File opened for modification | C:\Users\Admin\Searches\desktop.ini | Doitman.exe
File opened for modification | C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini | Doitman.exe
File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini | Doitman.exe
File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\NK9YD4KU\desktop.ini | Doitman.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini | Doitman.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini | Doitman.exe
File opened for modification | C:\Users\Admin\Desktop\desktop.ini | Doitman.exe
File opened for modification | C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini | Doitman.exe
File opened for modification | C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini | Doitman.exe
File opened for modification | C:\Program Files\desktop.ini | Doitman.exe
File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini | Doitman.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini | Doitman.exe
File opened for modification | C:\Users\Admin\Favorites\Links for United States\desktop.ini | Doitman.exe
File opened for modification | C:\Users\Admin\Music\desktop.ini | Doitman.exe
File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\desktop.ini | Doitman.exe
File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\desktop.ini | Doitman.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini | Doitman.exe
File opened for modification | C:\Users\Admin\Documents\desktop.ini | Doitman.exe
File opened for modification | C:\Users\Public\Music\desktop.ini | Doitman.exe
File opened for modification | C:\Users\Public\Recorded TV\Sample Media\desktop.ini | Doitman.exe
File opened for modification | C:\Windows\assembly\Desktop.ini | Doitman.exe
File opened for modification | C:\Program Files\Microsoft Games\Chess\desktop.ini | Doitman.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\DataServices\DESKTOP.INI | Doitman.exe
File opened for modification | C:\ProgramData\Microsoft\Windows\Ringtones\desktop.ini | Doitman.exe
File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini | Doitman.exe
File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T0STXTA8\desktop.ini | Doitman.exe
File opened for modification | C:\Users\Public\Pictures\Sample Pictures\desktop.ini | Doitman.exe
File opened for modification | C:\Program Files\Microsoft Games\Solitaire\desktop.ini | Doitman.exe
File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini | Doitman.exe
File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini | Doitman.exe
File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\desktop.ini | Doitman.exe
File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T7AS43M2\desktop.ini | Doitman.exe
File opened for modification | C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini | Doitman.exe
File opened for modification | C:\Users\Public\Libraries\desktop.ini | Doitman.exe
File opened for modification | C:\Users\Public\Recorded TV\desktop.ini | Doitman.exe
File opened for modification | C:\Users\Public\Music\Sample Music\desktop.ini | Doitman.exe
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\Stationery\Desktop.ini | Doitman.exe
File opened for modification | C:\Program Files\Microsoft Games\FreeCell\desktop.ini | Doitman.exe
File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\S3IV548V\desktop.ini | Doitman.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini | Doitman.exe
File opened for modification | C:\Users\Admin\Downloads\desktop.ini | Doitman.exe
File opened for modification | C:\Users\Admin\Links\desktop.ini | Doitman.exe
File opened for modification | C:\Users\Admin\Pictures\desktop.ini | Doitman.exe
File opened for modification | C:\Program Files\Microsoft Games\Hearts\desktop.ini | Doitman.exe
File opened for modification | C:\Program Files (x86)\desktop.ini | Doitman.exe
File opened for modification | C:\Program Files\Microsoft Games\SpiderSolitaire\desktop.ini | Doitman.exe
Drops file in Program Files directory (64 IoCs)
Processes: Doitman.exe
description | ioc | process
File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\performance.png | Doitman.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.reconciler.dropins.nl_zh_4.4.0.v20140623020002.jar | Doitman.exe
File opened for modification | C:\Program Files\Java\jre7\bin\ssv.dll | Doitman.exe
File opened for modification | C:\Program Files\Java\jre7\lib\zi\Europe\Istanbul | Doitman.exe
File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\fr-FR\js\highDpiImageSwap.js | Doitman.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0187837.WMF | Doitman.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE00034_.WMF | Doitman.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\EXCEL.DEV_K_COL.HXK | Doitman.exe
File opened for modification | C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\!!ReadmeForHelp!!.txt | Doitman.exe
File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\images\bg-today.png | Doitman.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-openide-util-enumerations.jar | Doitman.exe
File opened for modification | C:\Program Files\Java\jre7\lib\zi\Etc\GMT+12 | Doitman.exe
File opened for modification | C:\Program Files\Windows Media Player\ja-JP\wmplayer.exe.mui | Doitman.exe
File created | C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\!!ReadmeForHelp!!.txt | Doitman.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\WB01245_.GIF | Doitman.exe
File opened for modification | C:\Program Files\Microsoft Office\Office14\MSOHEVI.DLL | Doitman.exe
File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\images\calendar_double_orange.png | Doitman.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH01235U.BMP | Doitman.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\WB01295_.GIF | Doitman.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Document Themes 14\Pushpin.thmx | Doitman.exe
File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_gray_cloudy.png | Doitman.exe
File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\Push\1047_576black.png | Doitman.exe
File opened for modification | C:\Program Files\Microsoft Games\Multiplayer\Checkers\es-ES\ChkrRes.dll.mui | Doitman.exe
File opened for modification | C:\Program Files\Windows Sidebar\es-ES\sbdrop.dll.mui | Doitman.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0341455.JPG | Doitman.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0384895.JPG | Doitman.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\EXSEC32.DLL | Doitman.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\mset7db.kic | Doitman.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\subscription.xsd | Doitman.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.alert_5.5.0.165303.jar | Doitman.exe
File opened for modification | C:\Program Files\Microsoft Games\More Games\en-US\MoreGames.dll.mui | Doitman.exe
File opened for modification | C:\Program Files\Windows Media Player\Network Sharing\wmpnss_bw32.bmp | Doitman.exe
File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\ja-JP\flyout.html | Doitman.exe
File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\activity16v.png | Doitman.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\OWSCLT.DLL | Doitman.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\INFOPATH_COL.HXT | Doitman.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\BORDERS\MSART8.BDR | Doitman.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_Casual.gif | Doitman.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BD00155_.WMF | Doitman.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0384900.JPG | Doitman.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02750G.GIF | Doitman.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SL00286_.WMF | Doitman.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\bg_SlateBlue.gif | Doitman.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\VelvetRose.css | Doitman.exe
File opened for modification | C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\PresentationFramework.Luna.dll | Doitman.exe
File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\images\16-on-black.gif | Doitman.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\jabswitch.exe | Doitman.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\jhat.exe | Doitman.exe
File opened for modification | C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\manifest.json | Doitman.exe
File created | C:\Program Files\VideoLAN\VLC\locale\fa\!!ReadmeForHelp!!.txt | Doitman.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\plugins\stream_out\libstream_out_transcode_plugin.dll | Doitman.exe
File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\en-US\css\settings.css | Doitman.exe
File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\Help\!!ReadmeForHelp!!.txt | Doitman.exe
File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\NETWORK\NETWORK.ELM | Doitman.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\CommsOutgoingImageMask.bmp | Doitman.exe
File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\images\settings_box_bottom.png | Doitman.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\bin\glib-lite.dll | Doitman.exe
File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\CourierStd-BoldOblique.otf | Doitman.exe
File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\CAPSULES\PREVIEW.GIF | Doitman.exe
File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\ECLIPSE\PREVIEW.GIF | Doitman.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02058U.BMP | Doitman.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\ADDINS\OUTEX2.ECF | Doitman.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Templates\1033\Access\Part\Tasks.accdt | Doitman.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA02066_.WMF | Doitman.exe
Drops file in Windows directory (64 IoCs)
Processes: Doitman.exe
description | ioc | process
File opened for modification | C:\Windows\assembly\GAC_MSIL\EventViewer.Resources\6.1.0.0_es_31bf3856ad364e35\EventViewer.resources.dll | Doitman.exe
File opened for modification | C:\Windows\assembly\GAC_MSIL\Microsoft.Security.ApplicationId.Wizards.AutomaticRuleGenerationWizard.resources\6.1.0.0_ja_31bf3856ad364e35\Microsoft.Security.ApplicationId.Wizards.AutomaticRuleGenerationWizard.resources.dll | Doitman.exe
File created | C:\Windows\assembly\GAC_MSIL\Microsoft.VisualStudio.Tools.Office.Outlook.HostAdapter.v10.0\!!ReadmeForHelp!!.txt | Doitman.exe
File opened for modification | C:\Windows\assembly\GAC_MSIL\Microsoft.VisualStudio.Tools.Office.Word.AddInProxy.v9.0\!!ReadmeForHelp!!.txt | Doitman.exe
File opened for modification | C:\Windows\assembly\NativeImages_v2.0.50727_32\System.DirectorySer#\45ec12795950a7d54691591c615a9e3c\System.DirectoryServices.ni.dll | Doitman.exe
File opened for modification | C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.Applicati#\74c8f5e75ec10458436bb476c2cfd9fc\Microsoft.ApplicationId.RuleWizard.ni.dll | Doitman.exe
File opened for modification | C:\Windows\assembly\GAC_MSIL\System.Web.DynamicData.resources\3.5.0.0_de_31bf3856ad364e35\System.Web.DynamicData.Resources.dll | Doitman.exe
File opened for modification | C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing.Desi#\!!ReadmeForHelp!!.txt | Doitman.exe
File created | C:\Windows\assembly\NativeImages_v4.0.30319_32\Presentatiod51afaa5#\!!ReadmeForHelp!!.txt | Doitman.exe
File opened for modification | C:\Windows\assembly\GAC_MSIL\IIEHost\!!ReadmeForHelp!!.txt | Doitman.exe
File opened for modification | C:\Windows\assembly\GAC_MSIL\Microsoft.Security.ApplicationId.PolicyManagement.Cmdlets.Resources\6.1.0.0_de_31bf3856ad364e35\Microsoft.Security.ApplicationId.PolicyManagement.Cmdlets.Resources.dll | Doitman.exe
File opened for modification | C:\Windows\assembly\NativeImages_v2.0.50727_64\Accessibility\!!ReadmeForHelp!!.txt | Doitman.exe
File opened for modification | C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Transactions\!!ReadmeForHelp!!.txt | Doitman.exe
File created | C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Data7706cdc8#\!!ReadmeForHelp!!.txt | Doitman.exe
File opened for modification | C:\Windows\assembly\GAC_MSIL\Policy.12.0.Microsoft.Office.Interop.InfoPath\!!ReadmeForHelp!!.txt | Doitman.exe
File opened for modification | C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Core\!!ReadmeForHelp!!.txt | Doitman.exe
File opened for modification | C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.Managemen#\e72886c96b63be364c0205b6c4ff4413\Microsoft.ManagementConsole.ni.dll | Doitman.exe
File opened for modification | C:\Windows\assembly\NativeImages_v2.0.50727_64\ehiUPnP\!!ReadmeForHelp!!.txt | Doitman.exe
File opened for modification | C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Data\!!ReadmeForHelp!!.txt | Doitman.exe
File opened for modification | C:\Windows\assembly\NativeImages_v2.0.50727_32\PresentationUI\6f4c8aeb8f066adf5cafedbec0cac415\PresentationUI.ni.dll | Doitman.exe
File created | C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Xml\!!ReadmeForHelp!!.txt | Doitman.exe
File created | C:\Windows\assembly\GAC_MSIL\ehiTVMSMusic\!!ReadmeForHelp!!.txt | Doitman.exe
File created | C:\Windows\assembly\NativeImages_v2.0.50727_64\System.DirectorySer#\!!ReadmeForHelp!!.txt | Doitman.exe
File opened for modification | C:\Windows\assembly\NativeImages_v2.0.50727_64\System.ServiceModel#\!!ReadmeForHelp!!.txt | Doitman.exe
File opened for modification | C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Confe64a9051#\!!ReadmeForHelp!!.txt | Doitman.exe
File opened for modification | C:\Windows\assembly\NativeImages_v2.0.50727_32\mcstoredb\c359669d601990310a6b30ab5992ffa8\mcstoredb.ni.dll | Doitman.exe
File opened for modification | C:\Windows\assembly\NativeImages_v4.0.30319_32\SMDiagnostics\!!ReadmeForHelp!!.txt | Doitman.exe
File opened for modification | C:\Windows\assembly\GAC_MSIL\Microsoft.PowerShell.Security.Resources\1.0.0.0_en_31bf3856ad364e35\Microsoft.PowerShell.Security.Resources.dll | Doitman.exe
File opened for modification | C:\Windows\assembly\GAC_MSIL\System.IdentityModel.Selectors\!!ReadmeForHelp!!.txt | Doitman.exe
File opened for modification | C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualC\!!ReadmeForHelp!!.txt | Doitman.exe
File created | C:\Windows\assembly\NativeImages_v4.0.30319_32\CustomMarshalers\!!ReadmeForHelp!!.txt | Doitman.exe
File opened for modification | C:\Windows\assembly\GAC_MSIL\Microsoft.Security.ApplicationId.Wizards.AutomaticRuleGenerationWizard.resources\6.1.0.0_es_31bf3856ad364e35\Microsoft.Security.ApplicationId.Wizards.AutomaticRuleGenerationWizard.resources.dll | Doitman.exe
File opened for modification | C:\Windows\assembly\NativeImages_v4.0.30319_32\PresentationUI\efec1926513ece87ff644670cdd80031\PresentationUI.ni.dll.aux | Doitman.exe
File created | C:\Windows\assembly\NativeImages_v2.0.50727_32\MMCEx\!!ReadmeForHelp!!.txt | Doitman.exe
File opened for modification | C:\Windows\assembly\GAC_64\BDATunePIA\!!ReadmeForHelp!!.txt | Doitman.exe
File opened for modification | C:\Windows\assembly\GAC_MSIL\System.DirectoryServices.resources\!!ReadmeForHelp!!.txt | Doitman.exe
File opened for modification | C:\Windows\assembly\GAC_MSIL\Microsoft.Build.Utilities\!!ReadmeForHelp!!.txt | Doitman.exe
File created | C:\Windows\assembly\GAC_MSIL\Microsoft.VisualStudio.Tools.Office.Excel.AddInProxy.v9.0\!!ReadmeForHelp!!.txt | Doitman.exe
File opened for modification | C:\Windows\assembly\NativeImages_v2.0.50727_64\UIAutomationClients#\!!ReadmeForHelp!!.txt | Doitman.exe
File created | C:\Windows\assembly\GAC_MSIL\Microsoft.Office.BusinessApplications.SyncServices\!!ReadmeForHelp!!.txt | Doitman.exe
File opened for modification | C:\Windows\assembly\GAC_MSIL\Microsoft.VisualStudio.Tools.Office.AppInfoDocument.v9.0\9.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualStudio.Tools.Office.AppInfoDocument.v9.0.dll | Doitman.exe
File created | C:\Windows\assembly\NativeImages_v2.0.50727_32\UIAutomationProvider\!!ReadmeForHelp!!.txt | Doitman.exe
File created | C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.Windows.D#\!!ReadmeForHelp!!.txt | Doitman.exe
File created | C:\Windows\assembly\NativeImages_v4.0.30319_32\System.ServiceModel\!!ReadmeForHelp!!.txt | Doitman.exe
File opened for modification | C:\Windows\assembly\pubpol4.dat | Doitman.exe
File opened for modification | C:\Windows\assembly\GAC_MSIL\Policy.12.0.Microsoft.Office.Interop.PowerPoint\!!ReadmeForHelp!!.txt | Doitman.exe
File opened for modification | C:\Windows\assembly\GAC_MSIL\Microsoft.Ink.Resources\6.1.0.0_fr_31bf3856ad364e35\Microsoft.Ink.Resources.dll | Doitman.exe
File created | C:\Windows\assembly\GAC_MSIL\Microsoft.VisualStudio.Tools.Applications.Contract.v9.0\!!ReadmeForHelp!!.txt | Doitman.exe
File opened for modification | C:\Windows\assembly\GAC_MSIL\Policy.11.0.Microsoft.Office.Interop.SmartTag\14.0.0.0__71e9bce111e9429c\Policy.11.0.Microsoft.Office.Interop.SmartTag.dll | Doitman.exe
File opened for modification | C:\Windows\assembly\GAC_MSIL\Policy.12.0.Microsoft.Office.Interop.InfoPath\14.0.0.0__71e9bce111e9429c\Policy.12.0.Microsoft.Office.Interop.InfoPath.config | Doitman.exe
File opened for modification | C:\Windows\assembly\GAC_MSIL\System.XML.resources\2.0.0.0_ja_b77a5c561934e089\System.xml.Resources.dll | Doitman.exe
File opened for modification | C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Configuration\!!ReadmeForHelp!!.txt | Doitman.exe
File opened for modification | C:\Windows\assembly\GAC_MSIL\PresentationFramework.resources\3.0.0.0_fr_31bf3856ad364e35\PresentationFramework.resources.dll | Doitman.exe
File created | C:\Windows\assembly\GAC_MSIL\System.Data.Services.Client\!!ReadmeForHelp!!.txt | Doitman.exe
File created | C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.Bu#\!!ReadmeForHelp!!.txt | Doitman.exe
File opened for modification | C:\Windows\AppPatch\pcamain.sdb | Doitman.exe
File opened for modification | C:\Windows\assembly\GAC_32\Microsoft.Office.InfoPath.Client.Internal.Host.Interop\14.0.0.0__71e9bce111e9429c\Microsoft.Office.Infopath.Client.Internal.Host.Interop.dll | Doitman.exe
File created | C:\Windows\assembly\GAC_64\mcupdate\!!ReadmeForHelp!!.txt | Doitman.exe
File created | C:\Windows\assembly\GAC_MSIL\Microsoft.VisualBasic.Compatibility\!!ReadmeForHelp!!.txt | Doitman.exe
File opened for modification | C:\Windows\assembly\GAC_MSIL\system.runtime.serialization.resources\3.0.0.0_ja_b77a5c561934e089\System.RunTime.Serialization.Resources.dll | Doitman.exe
File created | C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Web.Extensio#\!!ReadmeForHelp!!.txt | Doitman.exe
File created | C:\Windows\assembly\GAC_64\Microsoft.GroupPolicy.AdmTmplEditor\!!ReadmeForHelp!!.txt | Doitman.exe
File opened for modification | C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Security.#\9fa0c0ee9093a5f1aaabffb101332056\Microsoft.Security.ApplicationId.PolicyManagement.PolicyModel.ni.dll | Doitman.exe
File opened for modification | C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Data\1288d7e030bc0c5d8b2cbe5f33aeed7f\System.Data.ni.dll.aux | Doitman.exe
Program crash (2 IoCs)
Processes: WerFault.exe, WerFault.exe
pid | pid_target | process | target process
1832 | 1208 | WerFault.exe |
1724 | 2044 | WerFault.exe | Explorer.EXE

Checks processor information in registry (2 TTPs, 4 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes: Explorer.EXE, Explorer.EXE
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | Explorer.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | Explorer.EXE
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | Explorer.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | Explorer.EXE

Processes: Explorer.EXE, Explorer.EXE
description | ioc | process
Set value (int) | \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1" | Explorer.EXE
Key created | \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | Explorer.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | Explorer.EXE
Key created | \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\Toolbar | Explorer.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1" | Explorer.EXE
Key created | \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\Toolbar | Explorer.EXE
Modifies registry class (64 IoCs)
Processes: Explorer.EXE, Explorer.EXE
description | ioc | process
Set value (data) | \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202020202 | Explorer.EXE
Key created | \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7} | Explorer.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16" | Explorer.EXE
Key created | \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\4 | Explorer.EXE
Set value (data) | \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0100000000000000ffffffff | Explorer.EXE
Key created | \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders | Explorer.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616209" | Explorer.EXE
Set value (data) | \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000007800000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000 | Explorer.EXE
Set value (data) | \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff | Explorer.EXE
Set value (data) | \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\1\0\0 = 52003100000000008953cd3d11004465736b746f70003c0008000400efbe8853287a8953cd3d2a000000ec0100000000020000000000000000000000000000004400650073006b0074006f007000000016000000 | Explorer.EXE
Set value (data) | \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\1\0\0\MRUListEx = ffffffff | Explorer.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Rev = "0" | Explorer.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\NodeSlot = "5" | Explorer.EXE
Set value (data) | \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000 | Explorer.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "2" | Explorer.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616209" | Explorer.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "4" | Explorer.EXE
Set value (data) | \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1 = 14001f50e04fd020ea3a6910a2d808002b30309d0000 | Explorer.EXE
Set value (data) | \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02020202020202 | Explorer.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "6" | Explorer.EXE
Set value (data) | \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0 = 19002f433a5c000000000000000000000000000000000000000000 | Explorer.EXE
Set value (data) | \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202 | Explorer.EXE
Key created | \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags | Explorer.EXE
Set value (data) | \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\MRUListEx = 0000000001000000ffffffff | Explorer.EXE
Key created | \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000_Classes\Local Settings | Explorer.EXE
Key created | \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | Explorer.EXE
Set value (data) | \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000007800000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000 | Explorer.EXE
Key created | \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\Shell | Explorer.EXE
Set value (data) | \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0100000000000000ffffffff | Explorer.EXE
Key created | \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\Shell | Explorer.EXE
Key created | \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\9 | Explorer.EXE
Key created | \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell | Explorer.EXE
Key created | \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7} | Explorer.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0" | Explorer.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\1\NodeSlot = "6" | Explorer.EXE
Key created | \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\6 | Explorer.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\NodeSlot = "7" | Explorer.EXE
Set value (data) | \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a000000a000000030f125b7ef471a10a5f102608c9eebac04000000c8000000354b179bff40d211a27e00c04fc308710300000080000000354b179bff40d211a27e00c04fc308710200000080000000 | Explorer.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "4294967295" | Explorer.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\NodeSlot = "4" | Explorer.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\Shell\SniffedFolderType = "Generic" | Explorer.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Rev = "0" | Explorer.EXE
Key created | \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\1\0 | Explorer.EXE
Set value (data) | \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\MRUListEx = ffffffff | Explorer.EXE
Set value (data) | \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\MRUListEx = 00000000ffffffff | Explorer.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}" | Explorer.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000_CLASSES\Local
Settings\Software\Microsoft\Windows\Shell\Bags\6\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1" Explorer.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{B725F130-47EF-101A-A5F1-02608C9EEBAC}" Explorer.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\SniffedFolderType = "Generic" Explorer.EXE Set value (int) \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1" Explorer.EXE Set value (data) \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\1 = 4c003100000000008953c53d1100557365727300380008000400efbeee3a851a8953c53d2a000000e601000000000100000000000000000000000000000055007300650072007300000014000000 Explorer.EXE Key created \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\Shell Explorer.EXE Set value (int) \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1" Explorer.EXE Key created \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000_Classes\Local Settings Explorer.EXE Set value (data) \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000 Explorer.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000_CLASSES\Local 
Settings\Software\Microsoft\Windows\Shell\Bags\8\Shell\SniffedFolderType = "Generic" Explorer.EXE Set value (data) \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02020202 Explorer.EXE Key created \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1 Explorer.EXE Set value (int) \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616209" Explorer.EXE Set value (int) \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\1\0\0\NodeSlot = "9" Explorer.EXE Key created \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU Explorer.EXE Key created \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0 Explorer.EXE Key created \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell Explorer.EXE Set value (int) \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\HotKey = "0" Explorer.EXE -
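The BagMRU and Bags keys in the entries above are Explorer's ShellBags: each BagMRU value is one shell item (an ITEMIDLIST entry) for a folder the shell displayed, and Bags\N\Shell holds the view settings for that folder. Decoding the four BagMRU values that appear in this excerpt gives the navigation My Computer, then C:\, then Users, then a level whose value is not in the excerpt, then Desktop, and the FAT timestamp inside the Desktop item is 2021-12-09 07:46:26, a few minutes after submission. The parser below is an added example and is not part of the report or of the sandbox's tooling: it handles the root (0x1F), volume (0x2F) and file-entry (0x31/0x32) item types and reads the long name from the 0xbeef0004 extension block. The long-name offset for extension version 8 is the one this report's data uses and was checked against it; the offsets given for versions 3, 7 and 9 are my recollection of the format and are assumptions.

```python
import struct
import uuid
from datetime import datetime

# Constructed input: the four BagMRU values copied from the "Modifies registry class"
# entries above (subkey path relative to ...\Shell\BagMRU -> value data as hex).
BAGMRU_VALUES = {
    r"1": "14001f50e04fd020ea3a6910a2d808002b30309d0000",
    r"1\0": "19002f433a5c000000000000000000000000000000000000000000",
    r"1\0\1": "4c003100000000008953c53d1100557365727300380008000400efbeee3a851a8953c53d"
              "2a000000e601000000000100000000000000000000000000000055007300650072007300000014000000",
    r"1\0\1\0\0": "52003100000000008953cd3d11004465736b746f70003c0008000400efbe8853287a8953cd3d"
                  "2a000000ec0100000000020000000000000000000000000000004400650073006b0074006f007000000016000000",
}

KNOWN_FOLDER_CLSIDS = {
    "20d04fe0-3aea-1069-a2d8-08002b30309d": "My Computer",
}

# Offset of the UTF-16 long name inside a 0xbeef0004 extension block, by block version.
# Version 8 (Windows 7) was checked against this report's data; the other entries are
# assumptions from memory of the format and fall back to the short name if wrong.
LONG_NAME_OFFSET = {3: 20, 7: 38, 8: 42, 9: 46}


def fat_datetime(raw: bytes):
    """Decode a little-endian DOS/FAT date+time pair (4 bytes); None when unset."""
    date, time = struct.unpack("<HH", raw)
    if date == 0:
        return None
    return datetime(1980 + (date >> 9), (date >> 5) & 0xF, date & 0x1F,
                    time >> 11, (time >> 5) & 0x3F, (time & 0x1F) * 2)


def utf16z(buf: bytes) -> str:
    """Decode a NUL-terminated UTF-16LE string from the start of buf."""
    for i in range(0, len(buf) - 1, 2):
        if buf[i:i + 2] == b"\x00\x00":
            return buf[:i].decode("utf-16-le")
    return buf.decode("utf-16-le", "replace")


def parse_shell_item(item: bytes) -> dict:
    """Parse one shell item: type, display name and (for file entries) the FAT mtime."""
    size, kind = struct.unpack_from("<HB", item, 0)
    body = item[:size]                                 # drop the 2-byte list terminator
    info = {"type": "unknown", "name": None, "mtime": None}
    if kind == 0x1F:                                   # root folder: CLSID at offset 4
        guid = str(uuid.UUID(bytes_le=bytes(body[4:20])))
        info.update(type="root", name=KNOWN_FOLDER_CLSIDS.get(guid, "{%s}" % guid.upper()))
    elif kind == 0x2F:                                 # volume: ASCII name at offset 3
        info.update(type="volume", name=body[3:].split(b"\x00", 1)[0].decode("ascii"))
    elif (kind & 0x70) == 0x30:                        # file entry: 0x31 directory, 0x32 file
        short = body[14:].split(b"\x00", 1)[0].decode("ascii", "replace")
        info.update(type="directory" if kind & 1 else "file",
                    name=short, mtime=fat_datetime(body[8:12]))
        ext_start = 14 + len(short) + 1                # short name is NUL-terminated ...
        ext_start += ext_start & 1                     # ... and padded to an even offset
        ext = body[ext_start:]
        if len(ext) >= 8 and ext[4:8] == b"\x04\x00\xef\xbe":
            version = struct.unpack_from("<H", ext, 2)[0]
            offset = LONG_NAME_OFFSET.get(version)
            if offset is not None and len(ext) > offset:
                info["name"] = utf16z(ext[offset:])
    return info


def bagmru_path(values: dict, key: str) -> list:
    r"""Resolve a BagMRU subkey such as r'1\0\1\0\0' to the chain of folder names it encodes
    by walking its ancestors; '?' marks a level whose value is not available."""
    parts = key.split("\\")
    chain = []
    for depth in range(1, len(parts) + 1):
        prefix = "\\".join(parts[:depth])
        if prefix in values:
            chain.append(parse_shell_item(bytes.fromhex(values[prefix]))["name"])
        else:
            chain.append("?")
    return chain


if __name__ == "__main__":
    for key in sorted(BAGMRU_VALUES, key=len):
        item = parse_shell_item(bytes.fromhex(BAGMRU_VALUES[key]))
        print(f"BagMRU\\{key:<12} {item['type']:<9} {str(item['name']):<12} mtime={item['mtime']}")
    print(" -> ".join(bagmru_path(BAGMRU_VALUES, r"1\0\1\0\0")))
```

The FAT timestamp in a file-entry item is the folder's modification time as the shell saw it, in local sandbox time, so it can be compared with the submission time in the header; for this run it places the Desktop write inside the analysis window.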
Opens file in notepad (likely ransom note) 1 IoCs
Processes:
pid  process
560  NOTEPAD.EXE
-
Suspicious behavior: EnumeratesProcesses 10 IoCs
Processes:
pid   process
1832  WerFault.exe  (5 entries)
1724  WerFault.exe  (5 entries)
-
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
Processes:
pid   process
2044  Explorer.EXE
1800  Explorer.EXE
-
Suspicious use of AdjustPrivilegeToken 54 IoCs
Processes:
description                 pid   process
Token: SeDebugPrivilege     1832  WerFault.exe
Token: SeShutdownPrivilege  2044  Explorer.EXE  (repeated entries)
Token: SeDebugPrivilege     1724  WerFault.exe
Token: SeShutdownPrivilege  1800  Explorer.EXE  (repeated entries)
-
Suspicious use of FindShellTrayWindow 64 IoCs
Processes:
pid   process
2044  Explorer.EXE  (repeated entries)
1800  Explorer.EXE  (repeated entries)
-
Suspicious use of SendNotifyMessage 64 IoCs
Processes:
pid   process
2044  Explorer.EXE  (64 entries)
-
Suspicious use of SetWindowsHookEx 8 IoCs
Processes:
pid   process
1800  Explorer.EXE  (8 entries)
-
Suspicious use of WriteProcessMemory 12 IoCs
Processes:
description                       pid   process       target process
PID 1832 wrote to memory of 2044  1832  WerFault.exe  Explorer.EXE  (3 entries)
PID 2044 wrote to memory of 1724  2044  Explorer.EXE  WerFault.exe  (3 entries)
PID 1724 wrote to memory of 1800  1724  WerFault.exe  Explorer.EXE  (3 entries)
PID 1800 wrote to memory of 1832  1800  Explorer.EXE  NOTEPAD.EXE   (3 entries)
Processes
-
Each entry gives the image path, then its command line, then the signatures it triggered; child processes are indented under the process that started them.
-
C:\Users\Admin\AppData\Local\Temp\Doitman.exe
"C:\Users\Admin\AppData\Local\Temp\Doitman.exe"
- Modifies extensions of user files
- Drops startup file
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Drops file in Windows directory
-
C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\rJRMCpqvFjP6UJrNQ6c6JG2hjyUbdXrQV9IuekyY.txt
- Opens file in notepad (likely ransom note)
-
C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\!!ReadmeForHelp!!.txt
-
C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
-
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 1208 -s 3792
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
    -
    C:\Windows\Explorer.EXE
    "C:\Windows\Explorer.EXE"
    - Loads dropped DLL
    - Drops desktop.ini file(s)
    - Checks processor information in registry
    - Modifies Internet Explorer settings
    - Modifies registry class
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
        -
        C:\Windows\system32\WerFault.exe
        C:\Windows\system32\WerFault.exe -u -p 2044 -s 3380
        - Program crash
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
            -
            C:\Windows\Explorer.EXE
            "C:\Windows\Explorer.EXE"
            - Loads dropped DLL
            - Drops desktop.ini file(s)
            - Checks processor information in registry
            - Modifies Internet Explorer settings
            - Modifies registry class
            - Suspicious behavior: GetForegroundWindowSpam
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of FindShellTrayWindow
            - Suspicious use of SetWindowsHookEx
            - Suspicious use of WriteProcessMemory
                -
                C:\Windows\system32\NOTEPAD.EXE
                "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\!!ReadmeForHelp!!.txt

Reading the tree together with the WriteProcessMemory entries above: WerFault.exe is the Windows Error Reporting crash handler, and its -p argument is the pid of the process it is reporting on. The first WerFault.exe (-p 1208) is the parent of the Explorer.EXE that ran as pid 2044; that Explorer.EXE crashed in turn, its WerFault.exe (-p 2044) started the Explorer.EXE that ran as pid 1800, and 1800 opened !!ReadmeForHelp!!.txt in Notepad. The Explorer.EXE signatures in this report (Loads dropped DLL, Modifies registry class, FindShellTrayWindow, SendNotifyMessage, SetWindowsHookEx) therefore describe a twice-restarted shell rather than Doitman.exe; the sample's own observed actions are the ones listed under it. Pid 1832 appears twice in the signatures, first as WerFault.exe and later as NOTEPAD.EXE, because the OS reused the pid during the run. The report does not record why Explorer crashed.
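The WriteProcessMemory signature and the WerFault.exe command lines in the tree are enough to reconstruct the crash-and-restart chain and to catch the pid reuse mechanically, which matters when the same report is ingested into a case timeline. The script below is an added example and not the sandbox's own code: it parses the signature lines (the report lists each pair three times, here reduced to one line per pair), maps every pid to the image names it was reported with, and joins the WerFault.exe command lines to the chain. The pid-to-command-line pairing for WerFault.exe (1832 for -p 1208, 1724 for -p 2044) is inferred from the write chain, since the tree prints no pids; treat it as an assumption.

```python
import re
from collections import defaultdict

# Constructed from the "Suspicious use of WriteProcessMemory" entries in this report,
# reduced to one line per (writer, target) pair.
WRITE_EVENTS = """\
PID 1832 wrote to memory of 2044 1832 WerFault.exe Explorer.EXE
PID 2044 wrote to memory of 1724 2044 Explorer.EXE WerFault.exe
PID 1724 wrote to memory of 1800 1724 WerFault.exe Explorer.EXE
PID 1800 wrote to memory of 1832 1800 Explorer.EXE NOTEPAD.EXE
"""

# WerFault.exe command lines from the process tree. The pid pairing is an assumption
# inferred from the write chain above; the tree itself prints no pids.
WERFAULT_CMDLINES = {
    1832: r"C:\Windows\system32\WerFault.exe -u -p 1208 -s 3792",
    1724: r"C:\Windows\system32\WerFault.exe -u -p 2044 -s 3380",
}

EVENT_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) \1 (\S+) (\S+)$")


def parse_events(text):
    """Return (writer_pid, writer_image, target_pid, target_image) per signature line."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if m:
            events.append((int(m[1]), m[3], int(m[2]), m[4]))
    return events


def pid_images(events):
    """Map each pid to the distinct image names it was reported with, in order of appearance."""
    seen = defaultdict(list)
    for wpid, wimg, tpid, timg in events:
        for pid, img in ((wpid, wimg), (tpid, timg)):
            if img not in seen[pid]:
                seen[pid].append(img)
    return dict(seen)


def reused_pids(events):
    """Pids that carry more than one image name: the OS handed the pid to a new process mid-run."""
    return {pid: imgs for pid, imgs in pid_images(events).items() if len(imgs) > 1}


def crash_restart_chain(events, werfault_cmdlines):
    """(crashed_pid, werfault_pid, relaunched_explorer_pid) for every WerFault.exe that
    started an Explorer.EXE. A parent writing into a just-created child is the normal
    CreateProcess pattern this signature also fires on, and -p names the crashed process."""
    chain = []
    for wpid, wimg, tpid, timg in events:
        if wimg.lower() != "werfault.exe" or timg.lower() != "explorer.exe":
            continue
        m = re.search(r"-p (\d+)", werfault_cmdlines.get(wpid, ""))
        if m:
            chain.append((int(m[1]), wpid, tpid))
    return chain


if __name__ == "__main__":
    evs = parse_events(WRITE_EVENTS)
    for crashed, wer, relaunched in crash_restart_chain(evs, WERFAULT_CMDLINES):
        print(f"pid {crashed} crashed -> WerFault.exe {wer} -> Explorer.EXE {relaunched}")
    for pid, imgs in reused_pids(evs).items():
        print(f"pid {pid} reused: {' then '.join(imgs)}")
```

Keying a timeline on pid alone would merge the WerFault.exe and NOTEPAD.EXE records for 1832; key on (pid, image) or on the start time instead.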
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\!!ReadmeForHelp!!.txt
MD5 52884571c004a336afd2e2aac9331c5e
SHA1 402e39593f5a3d7968bed135802af702fde3831e
SHA256 4f873076901ba322cc43697edc11638b9274409b90d459dc5a58b3419a6fb951
SHA512 6d1c1b4dd6c4dd28d4abd4ff4093f6dc6a632485ce1c50dfbeb7ceda4cb59b1f6e3361330ec0c2cf2b29bf8380c761715bd8623c853e50ad6bf549831eddd10e
-
C:\$RECYCLE.BIN\S-1-5-21-3846991908-3261386348-1409841751-1000\desktop.ini
MD5 a526b9e7c716b3489d8cc062fbce4005
SHA1 2df502a944ff721241be20a9e449d2acd07e0312
SHA256 e1b9ce9b57957b1a0607a72a057d6b7a9b34ea60f3f8aa8f38a3af979bd23066
SHA512 d83d4c656c96c3d1809ad06ce78fa09a77781461c99109e4b81d1a186fc533a7e72d65a4cb7edf689eeccda8f687a13d3276f1111a1e72f7c3cd92a49bce0f88
-
C:\$Recycle.Bin\S-1-5-21-3846991908-3261386348-1409841751-1000\desktop.ini
MD5 fa65945fcf9497fb982645544652b933
SHA1 7c35c33aa1362a873e6b08e8505a3a132b0ca5d0
SHA256 ed7bcc1a756c06e713c44cd8d1cabe89797fc3c525db2534dda45d6c97e5a8a7
SHA512 5d6fff1186b2d56219bcc94c3e4cd307a7567330a0a40333df5b0a027fb730235bb84bb4153d1fe116c50104b6c98c81694c9172341c3f2199f2047c46f0ade6
-
C:\7663726564697374323031305F7836342E6C6F672D4D53495F76635F7265642E6D73692E747874
MD5 6488ad111c9e82eb3c7b9c9ee2c803c6
SHA1 1314be4a26bed309eeb573503cb2a9b21e13112d
SHA256 e7fe435be2393f95ae62c3a9575a780faf04681f0d076ced5b20b1d7ea49dca2
SHA512 ba9366eb632551e57dce8f10efb0a060f2db8761b7c40af31c9f5a15a4877310d5df1df12ae6c4954253f218a68e21370b73263d8dbfb0af0db07b37f932a9a1
-
C:\7663726564697374323031305F7836342E6C6F672E68746D6C
MD5 3bde72e20deb8e1cc3c4f902abdaa479
SHA1 07a41f5e687f4ab4a6419bc3c270d52689e2f5e5
SHA256 b842edd54805fad5d88391aae0bae52eacd955e692f2236176577efecea9ee31
SHA512 4151478d938682422aaaee9c9c58b38e236659790aba1006424434dfd08ee1947c9ea0f25e0f6ec94ed07ee67ca9591b0effef5d6bd8f93e2b20ae88b4567903
-
C:\7663726564697374323031325F7836345F305F766352756E74696D654D696E696D756D5F7836342E6C6F67
MD5 6aafe159ca267b8e893e10a43a1ab802
SHA1 151c560a948de872247b2de87591510a48dcacb1
SHA256 f3f97c70c89979eabb583555c98143ac737a23807bc331eef2b345738a853d57
SHA512 f05aa41e0629051d688c14cfc35e49dcac9745188b10eeffddb0cb24301cbeb910baeeff32d59c8382683059f22046690321f80873fd53788fd95e853a5e25aa
-
C:\7663726564697374323031325F7836345F315F766352756E74696D654164646974696F6E616C5F7836342E6C6F67
MD5 df55b466c1fd99c55afda31aa7f6614a
SHA1 1a2df7f37aa22d372dab552b03aa21bd09a987df
SHA256 a71e8e027384d56c82868f341ef58f441eb3047a1b6c535ec1a0c909706d1e6a
SHA512 301407bdb2b9e5a79ebc35a31643b66623e63fc761565bd01d2072b89d670922b0f4904f6e0e1ed67673b680fe01ec0ca0df2f5ac90b53d02a283d5a5ce39887
-
C:\7663726564697374323031335F7836345F3030305F766352756E74696D654D696E696D756D5F7836342E6C6F67
MD5 ecb7ae88d9e0393f9f6b025df45178c5
SHA1 41dbfe473a7999eb2a2d81d9a5f4c941c34e8566
SHA256 037702da907ac7c16f33de8f5d89fbe59415ff390ae873bcc2eae36665e9bb4d
SHA512 1fe998e80d09d97434e1de0be38f63dfc5f87305a47cf38ecea4a2ed0f5f5c5ebaab87d3b9d4a71c40ab0613c9fa05d47aa866da9f346efe126302c5625bbdc5
-
C:\7663726564697374323031335F7836345F3030315F766352756E74696D654164646974696F6E616C5F7836342E6C6F67
MD5 8b0aa8fc4eaeca02b06d0a44c46fe2b4
SHA1 a1f7d522ba71d9f9faf091cbd1efe49da036cb5b
SHA256 8824b29929d4c0118c7a2f403eb86e72faca441f976849b9cfe4afad2d184ec9
SHA512 544178804af54b1209cfce6fa788ce7477cb00c62069969c0739106224eebed92fb0dda9b64cfc03d7f46554211b07deb382b9eba93c1c139a915eac71f4de6d
-
C:\7663726564697374323031395F7836345F3030315F766352756E74696D654D696E696D756D5F7836342E6C6F67
MD5 6c00cb9571609e112200e20a98d81686
SHA1 b8092cb976eee3f21665a9392c9d7cefbc70dbf6
SHA256 03c8d014fc55969ca4af193f8dd3471438b9789b71ea187fb3fc4e82e5588aff
SHA512 caff065026bd8b7d1bf817aa69983b65a3569f33af24883113d3267fdb086bb7a87859ee1b2f02dfb0bf4ebe4cfbd14ac6f5f662d5924c4bef9f4d4e2ce20ab7
-
C:\7663726564697374323031395F7836345F3030325F766352756E74696D654164646974696F6E616C5F7836342E6C6F67
MD5 72c6bbb6ea80147771f89d4b169c7a3c
SHA1 5a330787025a54e2a0a822ef354ea831111d8043
SHA256 6830d0dd9e5231129f4c9b9b8c3e2670d6f44169274e696363d3d4b20ec56e16
SHA512 ad2b1a8c2abea2e548e7dcee048815f738a8e3be3dbf47926c1baa6d8f600ec3527a0ec5fac310ff6b7c66bcf65dac8e3f1cc76adc0e0f23d9a35fc29fc4ee2f
-
C:\ProgramData\Microsoft\Windows\Caches\{4CCD719F-5037-4633-868D-4C99B593451C}.2.ver0x0000000000000001.db
MD5 33b2ac432a9253ba716e5e2628756a19
SHA1 bcdfda981f2cdd576a1299592ce4ab0b443cf5e8
SHA256 7b0f49af6663c876348239065d1b0831a08edea746296612ac1fc63a4fd5e48d
SHA512 790f02fec195e09dbf371c5c102be281be9eabb9b46c24e3955f0bdcb7ebd9ba83a5d0a46fa14a57992b9c84d0e215b9a78fa5702e4efdada993d52e2cc9b48d
-
C:\Users\!!ReadmeForHelp!!.txt
MD5 52884571c004a336afd2e2aac9331c5e
SHA1 402e39593f5a3d7968bed135802af702fde3831e
SHA256 4f873076901ba322cc43697edc11638b9274409b90d459dc5a58b3419a6fb951
SHA512 6d1c1b4dd6c4dd28d4abd4ff4093f6dc6a632485ce1c50dfbeb7ceda4cb59b1f6e3361330ec0c2cf2b29bf8380c761715bd8623c853e50ad6bf549831eddd10e
-
C:\Users\6465736B746F702E696E69
MD5 3da543b4291a4038a38f88929f60af4d
SHA1 c22a82627eee8c83d02191a3e8fecb7da106b7bb
SHA256 97215e1f5d0fac9bb0de8537a4d8205ecdf1fc971c3ff913ae46b788a9580b7e
SHA512 caf3c8afd7793112cd63e56d0db73b40cf163376ff2a29c293dd471016300df35261bb8efa05d85ec28d138b8b00ec64ee132c861e83c46d1ac6a3946c3b5e49
-
C:\Users\Admin\4E54555345522E4441547B30313638383862642D366336662D313164652D386431642D3030316530626364653365637D2E544D436F6E7461696E657230303030303030303030303030303030303030322E7265677472616E732D6D73
MD5 9d7f1af4b9611e7f873f4d1ff205666e
SHA1 9b0ed7d3c5829d02aa97b5528d6709bfa8a423d0
SHA256 5e0899cf47c896cee73b6de0320655bf4d79b7231439a168842b92d9dede7735
SHA512 5bed78dc9c2ee168d45e948a0335195f9c203e9ec15e11ec21fba404a03b719d4c2babb17355cb78c3420276ffcc61b5d142813b06172afb09de81ab99b6b147
-
C:\Users\Admin\6465706C6F796D656E742E70726F70657274696573
MD5 13e9758ec18d4fca932901b5c8bc2a39
SHA1 9838121f42495cca2361072af50b7eb069adf82b
SHA256 eb03edad733429b4fa7464802d67d7b6dee4411d7390146f948d8f6a83171aac
SHA512 9d03a96431a47ad97b34e0f0b4fc304d6d55268b7ec988e57016b63e5185f0c14e9a28d3f98b28a85899093a81ca01c9ace0c4084f98f2921dc2769b71aca4ad
-
C:\Users\Admin\6E74757365722E696E69
MD5 6f0e6a5099854de4bd11c3dfaacbe604
SHA1 78a13f6208d408b9d68a2450c1573c8fdf74044f
SHA256 9d3b2cb898b537765557262a9c9d4e0e1ec5cb78b826a2c55cdeb106504ea3d5
SHA512 346a36a9659af4f7cbf69bdc7726cfb491a38198721b10052a891a8af406a4888575071955942e18d9ac8d3026c857707772d2c0cb86dd82e51550cc07cd83a8
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini
MD5 e0fd7e6b4853592ac9ac73df9d83783f
SHA1 2834e77dfa1269ddad948b87d88887e84179594a
SHA256 feea416e5e5c8aa81416b81fb25132d1c18b010b02663a253338dbdfb066e122
SHA512 289de77ffbe328388ad080129b7460712985d42076e78a3a545124881c30f564c5ef8fb4024d98903d88a6a187c60431a600f6ecbbe2888ee69e40a67ce77b55
-
C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\476F6F676C65204368726F6D652E6C6E6B
MD5 72a1cd237a87d9ef098fecf8f14ffbbf
SHA1 864d2af1845dacf490087f98b964b71f3b41223b
SHA256 cd1551371ac395c7939d8cc33e0e2e36bf334e0d851c66b9db53209442efe38f
SHA512 2c2fd08680128a3241daa52472852f006909b081fdd033e94c87034011ea122a4a5c1028fe7f3785db1a7b6a8f28b84cc8463b2a68b72d4b602b681e1380a94c
-
C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\496E7465726E6574204578706C6F7265722E6C6E6B
MD5 54bde46d44d2ab9d1584b940219308dc
SHA1 0123f7b7423cc539049d3b99b0b5d1cfd33d66fa
SHA256 4430b6776cebe70d0848a1ddd07e96d3945779ba769323a1fa8913a69f017bcb
SHA512 b4643b89057bd9030077b01ea2c150527e55467d12b3533147174185f878ef8167d2336b6253501b38cb964c94041a8ce1272a589e56148d0db2d7574e4a9126
-
C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\57696E646F7773204578706C6F7265722E6C6E6B
MD5 3b1739ab6c485da28b8407ddadd002b7
SHA1 ac8619f538c36e0d9b903b8b7aaaf4dd6f5928ea
SHA256 1f2a042fd49406f13e8bee70d6323c6ae4c607dc6bf6d93420a42f5b49351ab0
SHA512 e67e8b6a9e0f570116d7b7790e7d33f10a79a1d4f623536d6c095210a8e6c9465358121b458add375aaf8314926a9ec5a172bae4539906a478dea19af5e66d99
-
C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\57696E646F7773204D6564696120506C617965722E6C6E6B
MD5 2c71a015ca65d04d6c3a6b979ab2b1c6
SHA1 c7ad287917c3cf589b3feda7d2145a355cae92e9
SHA256 e3db552a59ea6ecc66465bb75942e2b13710fd1318250c5dfa9c173aacd3e1e6
SHA512 ed62a4af9f58bf0903017bd5722e8410969a3055346e03db83a502ae63354823be7341c3096a3f939477ddebbc9c084038cec99266c91ed0ab5bd5d0848dd5ed
-
C:\Users\Admin\Desktop\!!ReadmeForHelp!!.txt
MD5 52884571c004a336afd2e2aac9331c5e
SHA1 402e39593f5a3d7968bed135802af702fde3831e
SHA256 4f873076901ba322cc43697edc11638b9274409b90d459dc5a58b3419a6fb951
SHA512 6d1c1b4dd6c4dd28d4abd4ff4093f6dc6a632485ce1c50dfbeb7ceda4cb59b1f6e3361330ec0c2cf2b29bf8380c761715bd8623c853e50ad6bf549831eddd10e
-
C:\Users\Admin\Desktop\417070726F766550696E672E414143
MD5 68631dc80b54589d463ec7007d9ff475
SHA1 0d0c3676020b2bda0bd0f947998a8c37d634dbc1
SHA256 d02756375e219dbeffabf920ec128bc9a2ac4764f5e506024798461b0b424bff
SHA512 65ce99a8332217c241046b632c28d351af0ad843947a92f3539e516944792f4aa2a964df6b5277bbb93eab0a78ee425dc981a73cb61cb0abfb2182c784179f08
-
C:\Users\Admin\Desktop\436865636B706F696E74426C6F636B2E6D7065
MD5 2e69451ca8f23ec3926025dc95360951
SHA1 c640ac4271667db0e9e4dc1d369553cc6ddb39a3
SHA256 f4c46a88807e6f28ac12b1491b88a2e4d37d63e948ed29ef95aee6702f8b2382
SHA512 94566d30b3aba4d31ef591e1f77310bb320dab4b1424fb8d2642b60254188b1d755483755e697fa56b115621d927e8f0191ef99e95516f62874995f022e441db
-
C:\Users\Admin\Desktop\436C6F7365526571756573742E707073
MD5 a5024d19db76d2341a86978a8c368039
SHA1 0e66d7fb7296c7327b06cb6b77560004281a5c01
SHA256 f6eab15c80e1fe5947637b628aa9c4436b11327c81dc75a3de846b1c8a74ff47
SHA512 8b8f4299edfd4f046239d91b0b542adaba34712d54fc1e3fbed7239f0efba3a0ae04eed94015b747ea120cbeade5db80c3760e09b5c3cb13780d6175bfffc6c1
-
C:\Users\Admin\Desktop\436F6E766572744D6561737572652E6A706567
MD5 fa3d1b0238d2248bc7e33ce06a0142a7
SHA1 5df8ad6ce7e407f61387cac1444a1a3814852cef
SHA256 f22f82fe8c6fd6f77bd7bcfbcd4e307b44b5d2afbc1ee397df8ab2031e559438
SHA512 75e96cca1e42cf85fbb9d04c1a2c6f9e66fe62c8ca0434ee95a40f87100922569d730f2f1d01295fc81020615df0ce595aa582d4da7b79bb610fda973534f286
-
C:\Users\Admin\Desktop\44697361626C654765742E6D7067
MD5 3888eec6757d03b230666f7089c949ff
SHA1 93fc7ac07cabf146a039fe11f26add953f050219
SHA256 f9066690a518fcbd196501d5cb41c00a35855c1659d6b7824c8665526a852222
SHA512 cfcb71db278d69f9f6075ec9dbbbdb3eb685f2f494497b3c29331588235bd3461d917c4e19727b6b667c62a921d130aaf7601b88206dd31785ea428138303517
-
C:\Users\Admin\Desktop\44697361626C6553656E642E617370
MD5 bca1be02c80ea3b60a42a048d8f465b3
SHA1 7604b7792d12276b504ee571280a39b75c6561aa
SHA256 a1a522735496c83467feedd16ebf70c7537df4c2b7e2ceae5fc7bc90a3ae9368
SHA512 ea63fab705620eb753795bfeed9688f1ac8216d17aa460bfcc4c57b79e2ec53faf47bd8a3389b1328bdb82ac631df24c2a167c56ccc0a4ac090711f726c2f24a
-
C:\Users\Admin\Desktop\457870616E64556E626C6F636B2E626D70
MD5 3f4ff39080f0a2b3a1a5b8f5369214ed
SHA1 d5160ebd405bb109be6c63537217b782cf9c1081
SHA256 37ac8d2f3aea8d1446f90704d267c792d927a200b4f47af19bbe84e32e346e1d
SHA512 a4eb460473f0a6f4bc4bcf8a8eb0f7768fb66174d5c2d1b2f7e25bf2049c273af163f2782c4f7c4392fd2dd6cea2e9de6cb8e91649381422d26e9a0955bb9290
-
C:\Users\Admin\Desktop\48696465576169742E6D3375
MD5 464380c029a4c2d5d3793afe1e41ac39
SHA1 ab6b2df9518d7da2d8188736d954f64fc4e40980
SHA256 5594270c62407fe53cca0ddd68c3e0843f6e1bf43e8e30fb01897b50585a8548
SHA512 d0ccdd303b9f2763fb1295d6c68aa08be4bb3a7a76609489cc5e0e19ac51e01473659f7a994cc1fe20ba544a29204d12e07739e0f92338fa62b34364b08b0e92
-
C:\Users\Admin\Desktop\4A6F696E4F70656E2E646F6378
MD5 56d0f4e576dc4d389b350e79244e6123
SHA1 50c4c3fa38e8302307b00b316b2a247f4ad8e2c5
SHA256 17f3e93478f06996d4b1e0e67e461aec24942dff7cc1af7978c9000dea36a7ec
SHA512 e75798abe675ce6cdbbae1b03d8214f335c3861ea9dffdf74cf7ec729f49021cdf853f44251397e0b852d868c57ac477141a2121e745a0895c0c54b00c739835
-
C:\Users\Admin\Desktop\4D6F756E74556E646F2E637373
MD5 42fa32d2b4f6e4f02b0e19e0d919cd47
SHA1 957e4b25a821f2ef322ad95c38b5fca472693818
SHA256 4250ddc1350708f9acf8162a1fe26b5506bc78ce4026a0f2ce27b2eab6e2f866
SHA512 9f93cdd66704199548f00e8257f17ce519d1a352691ae80b77c2fb9ec5b164ad778e74d2aafefec88cd01a5a5cd820329cc1a9813ddfafae00b92f9288920568
-
C:\Users\Admin\Desktop\4E6577556E7075626C6973682E786C7378
MD5 a0d2b672c0db09e75eb59b586980eea7
SHA1 0a1604db93f60dcd2afb0842fe00b4348761963f
SHA256 697a1a527e30538a5108cc5186f238fcfd4937923def9b8a83358e9f9d28c5d3
SHA512 56ccbdd36314a0c2d4d8586dbd3ddfda01b44a6dbd523136f8663d8b5b513e471d11ec8972cb7e38f642055dfed0dafd85e232d21d5e57f7889977c4cf8d9cba
-
C:\Users\Admin\Desktop\4F70656E556E7075626C6973682E7070736D
MD5 c4d094ab5e1d76d1f6a9e762eb331433
SHA1 69d6f95feaa4d1e2027b2424c8423516cb3b0de3
SHA256 19e1170919822e4a16bc23073824c3b61dafc7590fd68232f2debe5d7d296c23
SHA512 cb0747f07ef5a49a52e9fcbfdf0ef3956e3037c85b487baab324d1db86882f1101f9d66091fd602e3f6d40ddace5c4a9d21e8f46f89cc804d7da9af7b58c7fcc
-
C:\Users\Admin\Desktop\506F704765742E746966
MD5 e749a6126893dade08d1778dbdbe4845
SHA1 31086e9cd53c7bdce3b18b4c11ae9af3fe98c12a
SHA256 27c4d5bfa1e10f23e3cd0a6edb35a1703f10e05c6cfa3f4f2dfeae7a55ae585a
SHA512 44c66e3099dd3fb2fdfece640bad5d6a5779f3845926b775dadc426a75602d2ba7fd56cc3de8292c4f75dc55243d11c71ed661d1c34be46313db9da392c315a3
-
C:\Users\Admin\Desktop\5265646F546573742E726172
MD5 8f53de16e80fb9c88cd0777a55a45777
SHA1 c67cfb18c897655092c81f64b573ef99aa58cebe
SHA256 e8176768816e982f9db7a989ff015fd2e601f78eb601bda6b1b209703c39f1e6
SHA512 5e0912b7d3999a903620859d78bb183c297143509e0b7ebed3638af46e79ad7cb0c7d55201084a374cf29c155bd14383066fc9a719ee0524ab6738a66e70624b
-
C:\Users\Admin\Desktop\52656E616D655377697463682E7368746D6C
MD5 cb536fb2b001bc23df0bdaa02756acb8
SHA1 53385d9055593ea004e10be59229e8b7d9a3289c
SHA256 e070ef25c3a6af6603fc5be565828acd0e155d1f8b9c8d8c42297e887a85a036
SHA512 0c8739e15708d03c250151e734e5c7062ec418202499b02523fa9b33fb5c9c5abd0414e5a3611f4544495ff3a56f8433374a2bd2843c56c4c00679fea427d26f
-
C:\Users\Admin\Desktop\52656E616D6554726163652E6F6767
MD5 28adbc1d307c8fc8bf13074dc02a65e3
SHA1 952a3070b537f8cb29e612e7d31bdb6d63170fcc
SHA256 7f90415104df541086918b80055a1049679016442068804a799bf6916dd1e03a
SHA512 e26aa50ec78be64db464f4cd4ebccd0269cfe54e7c9cdbf1433202d469b3ba1e3667e5fac3e5a553165417b6b77923f47e1a6daf0d26d3c93c8d9877954a55a9
-
C:\Users\Admin\Desktop\5265717565737453746F702E646F6378
MD5 df787bda2c6b232d1a1ddc06825aaf45
SHA1 ae3e3cd83335db7faaca2bbd452945a7019c0391
SHA256 8a40dea41649d98e2f0807bae09c4f3af16a6ac55bce2465d1f7402de7f2c08a
SHA512 2469aadc56a9f3106fb93451f87ee567b6fff500b8c9cb4451111ff7b1699d48eeee6c379dc80a028dcd32f22b06f23532c0e496cdbe1bc8cf77bc034461733c
-
C:\Users\Admin\Desktop\526573756D655265766F6B652E6A706567
MD5 88fc3fc5ef3965a0bcdc1f57d5bbaaaa
SHA1 34afe7a89b5c244ac63a3308c9f12fbce6deb883
SHA256 98125933955e61db88598fddcebbc28f396821c80d4bd039b7dbec09f5ad42c1
SHA512 bd90634d07c8f9e657293997f3576a717e7ddc0ad347a9d3bc738a4700f7d8cb3eca7c9ccaf1892b91fcffc794c92cb3acbdbd50852e6739c68a01d72b1d8828
-
C:\Users\Admin\Desktop\536561726368436F6E6669726D2E656D7A
MD5 31bf1f919864ca055c376e9d5ce7b13f
SHA1 a16741cad11ef9c497ffee1d706199e3a5939a6a
SHA256 5f0ada4837762756bd5be27595ee353f88d9800048b1177affc856b81ee294e8
SHA512 885ff796f671b3febba993516bae3821d40cd1ff1bf27ec3324bb39ce083774128f946f1a27418e0ae338b8c1952504c45d34bed5a8816020f54eeb362972a53
-
C:\Users\Admin\Desktop\5365745265766F6B652E626D70
MD5 c782bf4433f1eafb7a66231e3b7154a6
SHA1 02c1bc479bbe39df36a473712a65cc4881ee3721
SHA256 44682104aa478f5a95bec85798bc852bb40264ee80418f9244b534b5533fa56d
SHA512 f32be232f8d0c18d0669ef19ad9cb95767fe58175a38eeff621850b557bec39756c9f0d9428de92622c40e23c6b81d55bcc5dd4a3c52c9f2f57e385c3070aa99
-
C:\Users\Admin\Desktop\5374617274526563656976652E7673736D
MD5 91dbcbefd671b08fb9101a06c951895d
SHA1 a655f502e4e01c2f383c8b4c3570b86bba03989b
SHA256 62301e0be367ab029aa9a34eb854c79c92606043e0037dfd8c5c60776cc1a58d
SHA512 e88c9e292cf4dad089b7f0297e2ef3d92fe4c337f8d26a9fbbf1198a7be779205d84b6911b0f063fcf9b73e2e479ceac7712bff3d04f535a8ffe1b9344f0e36d
-
C:\Users\Admin\Desktop\53746570436F6E76657274546F2E6D7034
MD5 f5121a20e5d8927a7c9e954877bbca62
SHA1 3e4bf7fec79fcdf000dc348786218e2c0591bd2d
SHA256 ec23017c2a7908b380f8c718e57b98ef5a6c9f53ea4d95bbf000446fd1034ecf
SHA512 d70f692af4c37146988421aa4296e13872264c4e245009f689be216337834f08512c806270a6a4333b502be8ea01c25106332adde225e3c69b46e7cb86b292f7
-
C:\Users\Admin\Desktop\53746F70496E7374616C6C2E747874
MD5 fa3d0f4f8f3f62b8396dce63b3534804
SHA1 1c768193ade7d5daf80904116c792fbe79078ef0
SHA256 e872082720d1722c2b623c27dfa65ba8d26c6d79a5aec1115eb7c98a41bb6f31
SHA512 8f67b542a951331b80a12baa7629dbcdd92342809e763bf751328116dacb6580489aa62e1e7c6fe7fed440592e8516acc17726ed0aa03111c4beb2f68ff1c74a
-
C:\Users\Admin\Desktop\576169744173736572742E777678
MD5 71c980abcc5f453b177af233898165d0
SHA1 bf1392a32cbf4987fcc9e1f1f0378306c858156d
SHA256 089510a2a9a52186c3539a50102923623382fa0f6ca46c1e9ff3c3a18167a450
SHA512 f35803bfe4e0abf8c394d59d1c224d063bc2f6c0a490021cb4f89ab1c151acb898311bd9fb79758302639ddcea8415abdbca9e154040657fc9aa26cb4cb823b6
-
C:\Users\Admin\Desktop\577269746553746F702E706F7478
MD5 f435edb34d921289755422daef4b0ac6
SHA1 3ba75b85c4cdb1370dd98ca14286817178f9d498
SHA256 a9a0d2f7849f32f0e2241a224f117c2d093fe2de885fed1c98e3365c2b87b527
SHA512 cdb38b347ea318327ca9d5cdfaa55846215cb7a792517cc994f5a4344dedb7a3d2ba0c78d9c9ada438326a6cf147c13ee2a98344f57a733d53978964b3ac8eb8
-
C:\Users\Admin\Desktop\6465736B746F702E696E69
MD5 9c8718925fa1a72699e6296387749c2b
SHA1 39caa7af13a7ef2ed675aa983f789074fe8d92fc
SHA256 f040d1d1155a4b82aeb0c4ff0d7da9ae43e61019b39fe59b696d442cc79ffdb6
SHA512 3fa5420c77223ad57c7d56fa84455f43c4e8eef5f4a9f30e7cae1d343d413f4bd504d317ec5395bb120fb7875681db822cb25ed193bc45896098a5e33ef09435
-
C:\Users\Admin\Desktop\rJRMCpqvFjP6UJrNQ6c6JG2hjyUbdXrQV9IuekyY.txt
MD5 036c0838158f0fdaf3341e24e388d36f
SHA1 d976b9ba2a33b7c805912ba2beb89bc46ca1714f
SHA256 18ddcddc47d08ee5fde14efb19477e97f418cdadd3af81258d89781f1024e348
SHA512 14dbb163f218c83abddba7ecb95d2d6a2e60f4c681d689dea9cb3d1f416c904fe573f603b28163e0d6340fdbfcb53ed14ed359c5fb6bf697b72d91a4f8d7cd92
-
C:\Users\Public\Desktop\41646F62652052656164657220392E6C6E6BMD5
de6b96dc2ab961ad6f431a03ec2ac58e
SHA1f4766c4efa5cb6196dd1a3540733a74cc533dc79
SHA256d2ae3fb0a3a3515a2a8d2ac09adc6dd2f91621d2d615e6789a9501a4ac271b4f
SHA512d1714a96b8123f98f641f1508953240615beaf0cb4878d70598993bbc70805f598048cdfb90738920955cf42205d75291158e5f17db443bb102a0d7af6386437
-
C:\Users\Public\Desktop\46697265666F782E6C6E6BMD5
23586da4172d741356d67d3dd98a00ec
SHA14c1a3750e758e5d48dabd7db7852d7147f020010
SHA256d1c1769e836bcfe6b88763898812b674eed8b2e32ee09c7a6ee141bcd03afbeb
SHA5123f8713881b67f2617b509c12a18eff575fca4655ef4e2e5d5b62f98473e136d982af5cbdf13d56ee4806d8167e97e189ece1aa6e397d4bf8fd5e84cf0a7c4700
-
C:\Users\Public\Desktop\476F6F676C65204368726F6D652E6C6E6BMD5
4b52baf32fa7646714014ffb6b9b0c55
SHA12c0c7bc913bf6da487d57a39e0cbbcd086169ab5
SHA256c2af59659bb511c9db010d9e167ae2158bec646884dbad1119c8dabb1812db82
SHA51221c6d3ad32de208fa5cb1bd8ec0e1cb23c974c019761ba7e89ee0ba161e0be956d31ba8a0f555ea81f384f63c510ff0a0f6ac65f83b17c3b99b38b5592877d3c
-
C:\Users\Public\Desktop\564C43206D6564696120706C617965722E6C6E6BMD5
bfcc5955354662043dd1e24e6d4236f7
SHA14e956b3762c8a629bb1c1e616ff684360b32e05d
SHA25695a6c10fa68b1606f6f180a1aa79c3399e28b26f23c8675e9f1ca6f2a20ff9ed
SHA512d4b7b52662cc91b312dbadb3d5230cf7fde76e0b3b565d01e59fcde0d507085ee5b5a68c3cdeb00ff50403e2a85164a44e81ccd460b4d4de1ebb6df07b01fe2e
-
C:\Users\Public\Desktop\6465736B746F702E696E69MD5
f5e5c27f458774c302d9536085584683
SHA14cf5276bee99aee611b4eb7b2403373d784a56e3
SHA256867e87ca692e3e83993fc5e5c62955a35aed3509fe5c3c20b25a3099c26b2570
SHA512813c0839cbee79948e3a95dcb5b1191b0b5bdbe25758100ac76b22c42f4c4b0fbb9b137696f2dcab9a9e75f46eceb1ca52307fef51595a0879b0a26dfa74d6aa
-
\??\PIPE\lsarpcMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
\PROGRA~1\COMMON~1\MICROS~1\OFFICE14\Cultures\OFFICE.ODFMD5
c3da214ab5fb2e66e61fd8f63f72839f
SHA10ad2b19a1a59ec94d373d2c865431300c849902b
SHA2569f4845358945756d231b58d2be9dddd1f436df1955daa79ab04149cf1289f4ef
SHA51284f8035d685d517a0e5de019e61674288c087a48a5e01e1b9315e51ff9a4aa84fa72eb2487fd3357d5a1006a4e7c7ef343707347f997e1b66964b9e6c47c64f7
-
\PROGRA~1\COMMON~1\MICROS~1\OFFICE14\Cultures\OFFICE.ODFMD5
c3da214ab5fb2e66e61fd8f63f72839f
SHA10ad2b19a1a59ec94d373d2c865431300c849902b
SHA2569f4845358945756d231b58d2be9dddd1f436df1955daa79ab04149cf1289f4ef
SHA51284f8035d685d517a0e5de019e61674288c087a48a5e01e1b9315e51ff9a4aa84fa72eb2487fd3357d5a1006a4e7c7ef343707347f997e1b66964b9e6c47c64f7
-
\PROGRA~1\MICROS~2\Office14\1033\GrooveIntlResource.dllMD5
48019bd50a809545c202053313cd4b57
SHA160c431499a9f225334032a2f13b825f7a9da8680
SHA256f9d97706a48caead3004a695b57c252103a67f0be66ba58807b1ed430bbb74fd
SHA512f0ab826b0ee57de7909041671462b87f52fa2837501d1f4fa85d159aadab77f340b12cf5f97ab8a4c1b1d6428c35561e9118f6bb5b3c86628bd93b3d8b7198aa
-
\PROGRA~1\MICROS~2\Office14\1033\GrooveIntlResource.dllMD5
48019bd50a809545c202053313cd4b57
SHA160c431499a9f225334032a2f13b825f7a9da8680
SHA256f9d97706a48caead3004a695b57c252103a67f0be66ba58807b1ed430bbb74fd
SHA512f0ab826b0ee57de7909041671462b87f52fa2837501d1f4fa85d159aadab77f340b12cf5f97ab8a4c1b1d6428c35561e9118f6bb5b3c86628bd93b3d8b7198aa
-
\PROGRA~1\MICROS~2\Office14\GROOVEEX.DLLMD5
a71a930e1e61e73da97423bdb95ce2d8
SHA18779f17ce0f68aef21969e39e1d84019bea04118
SHA25680f65cbcf64bf5de2c957c83af1a41e9fd624bb88c873a4204ccde77ed428be7
SHA5126f36d227d8328b411a8a7eb776eb49de7a4dcb8e18df5caccbf27114b56a79c327b1c9b13bb2d18ff6ca3738bb3a13d819c9b5693385d0a4fe385586f03beac5
-
\PROGRA~1\MICROS~2\Office14\GROOVEEX.DLLMD5
a71a930e1e61e73da97423bdb95ce2d8
SHA18779f17ce0f68aef21969e39e1d84019bea04118
SHA25680f65cbcf64bf5de2c957c83af1a41e9fd624bb88c873a4204ccde77ed428be7
SHA5126f36d227d8328b411a8a7eb776eb49de7a4dcb8e18df5caccbf27114b56a79c327b1c9b13bb2d18ff6ca3738bb3a13d819c9b5693385d0a4fe385586f03beac5
-
memory/560-60-0x000007FEFBE61000-0x000007FEFBE63000-memory.dmp, Filesize 8KB
-
memory/972-53-0x0000000000160000-0x0000000000161000-memory.dmp, Filesize 4KB
-
memory/972-56-0x0000000000290000-0x00000000002A2000-memory.dmp, Filesize 72KB
-
memory/972-55-0x0000000000280000-0x0000000000281000-memory.dmp, Filesize 4KB
-
memory/972-57-0x0000000000470000-0x0000000000472000-memory.dmp, Filesize 8KB
-
memory/972-58-0x0000000000430000-0x0000000000431000-memory.dmp, Filesize 4KB
-
memory/1724-106-0x0000000001D60000-0x0000000001D61000-memory.dmp, Filesize 4KB
-
memory/1724-104-0x0000000000000000-mapping.dmp
-
memory/1800-121-0x0000000004350000-0x0000000004351000-memory.dmp, Filesize 4KB
-
memory/1800-107-0x0000000000000000-mapping.dmp
-
memory/1832-66-0x0000000000460000-0x0000000000461000-memory.dmp, Filesize 4KB
-
memory/1832-136-0x0000000000000000-mapping.dmp
-
memory/2044-67-0x0000000000000000-mapping.dmp
-
memory/2044-72-0x00000000040C0000-0x00000000040C1000-memory.dmp, Filesize 4KB