5104ba3b188ed57b396749d2766704b120268e7aa43ff79bc241bfb3e9573ce1

Analysis

max time kernel
125s
max time network
140s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
10/04/2024, 04:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-10_faf4c5b49ccb2df5a87fa5fa0821a3ff_mafia_stonedrill.exe
Size

387KB
MD5

faf4c5b49ccb2df5a87fa5fa0821a3ff
SHA1

72fb46a9fe34f92c2b54f49678f9d8208c93f42a
SHA256

5104ba3b188ed57b396749d2766704b120268e7aa43ff79bc241bfb3e9573ce1
SHA512

cbe266aff51999d2dce09fe3d45b76ed0acf76cdb8923455a9279bd212d1043c0bf2f4eb73663b5a0c3dff3a2358f41880c1ce09e21b42501c010960731b987f
SSDEEP

12288:BqYXje0DF9k64/QSywqP0T8oIN1AHDFhY25fC2WF9sm204P:BqYDF9k64/Q9j28okAHDHY25fC2WF9sX

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2604	StikyNote.exe

Loads dropped DLL 1 IoCs

pid	Process
1504	2024-04-10_faf4c5b49ccb2df5a87fa5fa0821a3ff_mafia_stonedrill.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Windows\CurrentVersion\Run\RESTART_STICKY_NOTESS = "C:\\Users\\Admin\\AppData\\Local\\Temp\\StikyNote.exe"	reg.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2604 set thread context of 2544	2604	StikyNote.exe	32

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 28 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{07888AC1-F6F7-11EE-97D2-D20227E6D795} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "418887003"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	iexplore.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
1528	reg.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1504	2024-04-10_faf4c5b49ccb2df5a87fa5fa0821a3ff_mafia_stonedrill.exe
2604	StikyNote.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2544	iexplore.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2544	iexplore.exe
2544	iexplore.exe
2584	IEXPLORE.EXE
2584	IEXPLORE.EXE
2584	IEXPLORE.EXE
2584	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 39 IoCs

description	pid	Process	procid_target
PID 1504 wrote to memory of 2036	1504	2024-04-10_faf4c5b49ccb2df5a87fa5fa0821a3ff_mafia_stonedrill.exe	28
PID 1504 wrote to memory of 2036	1504	2024-04-10_faf4c5b49ccb2df5a87fa5fa0821a3ff_mafia_stonedrill.exe	28
PID 1504 wrote to memory of 2036	1504	2024-04-10_faf4c5b49ccb2df5a87fa5fa0821a3ff_mafia_stonedrill.exe	28
PID 1504 wrote to memory of 2036	1504	2024-04-10_faf4c5b49ccb2df5a87fa5fa0821a3ff_mafia_stonedrill.exe	28
PID 1504 wrote to memory of 2036	1504	2024-04-10_faf4c5b49ccb2df5a87fa5fa0821a3ff_mafia_stonedrill.exe	28
PID 1504 wrote to memory of 2036	1504	2024-04-10_faf4c5b49ccb2df5a87fa5fa0821a3ff_mafia_stonedrill.exe	28
PID 1504 wrote to memory of 2036	1504	2024-04-10_faf4c5b49ccb2df5a87fa5fa0821a3ff_mafia_stonedrill.exe	28
PID 1504 wrote to memory of 2036	1504	2024-04-10_faf4c5b49ccb2df5a87fa5fa0821a3ff_mafia_stonedrill.exe	28
PID 1504 wrote to memory of 2036	1504	2024-04-10_faf4c5b49ccb2df5a87fa5fa0821a3ff_mafia_stonedrill.exe	28
PID 1504 wrote to memory of 2076	1504	2024-04-10_faf4c5b49ccb2df5a87fa5fa0821a3ff_mafia_stonedrill.exe	29
PID 1504 wrote to memory of 2076	1504	2024-04-10_faf4c5b49ccb2df5a87fa5fa0821a3ff_mafia_stonedrill.exe	29
PID 1504 wrote to memory of 2076	1504	2024-04-10_faf4c5b49ccb2df5a87fa5fa0821a3ff_mafia_stonedrill.exe	29
PID 1504 wrote to memory of 2076	1504	2024-04-10_faf4c5b49ccb2df5a87fa5fa0821a3ff_mafia_stonedrill.exe	29
PID 1504 wrote to memory of 2604	1504	2024-04-10_faf4c5b49ccb2df5a87fa5fa0821a3ff_mafia_stonedrill.exe	31
PID 1504 wrote to memory of 2604	1504	2024-04-10_faf4c5b49ccb2df5a87fa5fa0821a3ff_mafia_stonedrill.exe	31
PID 1504 wrote to memory of 2604	1504	2024-04-10_faf4c5b49ccb2df5a87fa5fa0821a3ff_mafia_stonedrill.exe	31
PID 1504 wrote to memory of 2604	1504	2024-04-10_faf4c5b49ccb2df5a87fa5fa0821a3ff_mafia_stonedrill.exe	31
PID 2604 wrote to memory of 2544	2604	StikyNote.exe	32
PID 2604 wrote to memory of 2544	2604	StikyNote.exe	32
PID 2604 wrote to memory of 2544	2604	StikyNote.exe	32
PID 2604 wrote to memory of 2544	2604	StikyNote.exe	32
PID 2604 wrote to memory of 2544	2604	StikyNote.exe	32
PID 2604 wrote to memory of 2544	2604	StikyNote.exe	32
PID 2604 wrote to memory of 2544	2604	StikyNote.exe	32
PID 2604 wrote to memory of 2544	2604	StikyNote.exe	32
PID 2604 wrote to memory of 2544	2604	StikyNote.exe	32
PID 2604 wrote to memory of 2544	2604	StikyNote.exe	32
PID 2544 wrote to memory of 2584	2544	iexplore.exe	34
PID 2544 wrote to memory of 2584	2544	iexplore.exe	34
PID 2544 wrote to memory of 2584	2544	iexplore.exe	34
PID 2544 wrote to memory of 2584	2544	iexplore.exe	34
PID 2036 wrote to memory of 1460	2036	rundll32.exe	38
PID 2036 wrote to memory of 1460	2036	rundll32.exe	38
PID 2036 wrote to memory of 1460	2036	rundll32.exe	38
PID 2036 wrote to memory of 1460	2036	rundll32.exe	38
PID 1460 wrote to memory of 1528	1460	cmd.exe	40
PID 1460 wrote to memory of 1528	1460	cmd.exe	40
PID 1460 wrote to memory of 1528	1460	cmd.exe	40
PID 1460 wrote to memory of 1528	1460	cmd.exe	40

C:\Users\Admin\AppData\Local\Temp\2024-04-10_faf4c5b49ccb2df5a87fa5fa0821a3ff_mafia_stonedrill.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-10_faf4c5b49ccb2df5a87fa5fa0821a3ff_mafia_stonedrill.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1504
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2036
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v RESTART_STICKY_NOTESS /f /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\StikyNote.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1460
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v RESTART_STICKY_NOTESS /f /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\StikyNote.exe"
      4⤵
      Adds Run key to start application
      Modifies registry key
      PID:1528
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c copy "C:\Users\Admin\AppData\Local\Temp\2024-04-10_faf4c5b49ccb2df5a87fa5fa0821a3ff_mafia_stonedrill.exe" "C:\Users\Admin\AppData\Local\Temp\StikyNote.exe"
  2⤵
  PID:2076
- C:\Users\Admin\AppData\Local\Temp\StikyNote.exe
  "C:\Users\Admin\AppData\Local\Temp\StikyNote.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2604
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2544
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2544 CREDAT:275457 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2584

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
0109041d9ea62b28127971392993e136

SHA1
5a6c6aefafa6e21d93aa406052c9112173cffb57

SHA256
4ad957fae0c4dc470e74e0f50179f80940d13ce9cefe380220b3cb39e1a41de5

SHA512
e74b0bfcf6040f5175df23db8753ab031024c25aee804b62db55083ee89db45cda8596f18d256d69dfb57f24bb2550d2afc5890f9d7cabaaab1dd725eb9e0410

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
ba00e4492becee72e6b0343aeb36e114

SHA1
621033f87143fc10ea904e015977ccee3624d5ae

SHA256
1bee01833b3e232198009a861fe40fb85e04dcdd77c455503b940c889a6a457e

SHA512
bb097d5e04601ab3cfa2dfde25bf142d78706dd14a579b61faf8db9a94bc6c9af1ad4478ebcae84567d655522e52f5619ad9f632987481bfd9bc0ca20ba981cb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
8c3bb8dd00b5b12e51fa0fb845215272

SHA1
236d7b22a51bb81ed61869b00cb7f20381249954

SHA256
600d9b39f1d07894168a06f43a1594405ed6566c6db81eb47fefadb266b40722

SHA512
e79933eb61af4b8c805dd3ce24e7e65d467b91d39552438beed7b031b5f55652c59d5b6a23dbee4e51ed0224cb64ff3b1fe3fb3f0adf2bba837a6837d62fa3ac

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
9a5cb50ef4e8a4dbbd5551fad3b57657

SHA1
d860b04c6d514797001dc7a9bc8755ef768bc1d7

SHA256
0da0863696b4292f27a121092deed7ef065d1674047908b948075e0634af94fd

SHA512
ab56e8b982e223a2c19eff0a9d20c7568f2024825ca8e18bf7eb437df6bccc23313cc31d10a714782b7436e88cc6a1dc40caf99a03082a5615e1b7366fa9915b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
03535c3e92463f198e34ad7c95071d51

SHA1
d80d22f8c11fd9327f69f09b73821fd95fa0c58a

SHA256
d8207d09ae71aec6b981056691b0f524c027a25b53d8a955aaf83075f771f252

SHA512
8eeb01521e9543a415a5435214f9aff426bb645b72319ca9fc43e46d5c56bf8243bf4d5d9f46fdcc2ce740d22a0299cd29f01276a6ad4d63920161408f40d323

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
d7973a754c7c412ffd471371208f2c92

SHA1
7c32cc9b78ba8eba6d0518188d21d711eb50f52f

SHA256
d6ac062d9aba033fe0224ffcec105ee9f415cf6467c231f10927ca3a71bf1e95

SHA512
d54bbd33babe006d1816f14af6212c7598dfbd150ba396b857ce97575092704b0863ec5b1a13a51ae20dfb5c442d544f8de733188e2e055e27adcf0d4820182f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
d2e43bacffd6c65412cce1ffc6c091da

SHA1
30ed5d9a7b69001be9f0955559e7657ed6446e02

SHA256
3a768d693cc6f21fd07a35c135a9a9e7906898d58a9991cbf543cafce1b0a89c

SHA512
f971ee7f50945cad2502b8281d367a1f19b5e3c6a3043d3557e87fdb1b605001c5465b3d742b388159e02ccd80c1b0a4ba781500b4703b65c675f990c1f6f718

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
a56eafd11ded8b33c83a2768a36a9259

SHA1
10417d37cf8ce1ec21e650330e288f92707db3a6

SHA256
4dfea542f1f01c97bdb926d7c068847027f16a4441988cf017b50a07697fd93b

SHA512
d662aeef8f30164126289d0538b7011a7b422f48da54f6fdf1c081e974c0c789639f0f34503d89e8f27bf3a0216d5253809ca9959e6afd4f6d9b920260271f96

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
27a5e7e2fb6fd5617b6e6faa76735db3

SHA1
afa42449b789dee0fb24a72e97686a04866b35dd

SHA256
b87a5a0ce6c23cd4f2ae2fd03372b5f284b4ae89e23169730e51c2c1ba2dff5a

SHA512
93ffd39165776bb73209ce2e925cf22b1275eca9c3525777a5204b4a742f11e7cae507ba82cd41533e760e4c2c318429aeed60ece31d21db05931ec6dd35d882

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
b5ef42cd5c10c26638ac4dcfd2b6b167

SHA1
2b049668f79e038326692a009d018cb58a42e8b5

SHA256
732cdf3573ec14b532b791c6e4ac2a2a4a44ad84e7c1e2c8c443f6718b71454b

SHA512
fa156fab3a46164628beb92cbb2a3aaf5351de6e7803ec75f16ceed3bcc3da3e92dd9355626e8173f574d519b949c2b0c6d438062213c723542458fe605096a4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
45ebbefe3ec040a416f3dbbe6ef92f17

SHA1
8665d038693b9be414e44b9017597be9fdc2b236

SHA256
7f4263af385b46e765ed1210973a6e8d3baeffd33878b08cc610d1cbea4accf4

SHA512
08f5fe2c49c016fbbb4b4f1c27d23336a69510652113c30e13b804e4bb5f7b5d3612792e4a34bcf13ccab4467225dbb24d2174733c9901122038fe002f29cb42

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
0b0806c4a765fa8b1878a4d8c7f4776d

SHA1
141018748f36a66c9fed75e5608afde2790ae084

SHA256
d630e9812dc1465b3736f52cce3abd0aefce9b5c934d7f679ef22ef796e81137

SHA512
a1fe040caf71424e7dbe40e4565f0647924e5e91b7adf4abc7a1f2c4e032f4335aa2359e29f18524405531c50cb60047017e5ea37abde8bde8ec9144c48a1ccd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
c385e172959b618de32641a66bd70651

SHA1
c97b56676ce33e5fa3cdb56e418a6d1dcb41850c

SHA256
4ad542efe453c0f565c2dba8f82d2b214e99d182e214c852af258dfc1f76d6c0

SHA512
f9afd6b5260dbc1531af50bb6d5efc7701238697412fc21bdfdc51a6695dedad493120fcad718397d59b4bf8ce07b73d19b8cc339108b21d99916c36b3156f80

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
f604e16185b9829cece64b8ef66a72e0

SHA1
9a97f2dc5ebcfbde11d4d4283c4c4057e53fd2a5

SHA256
0a336c11222e44e7197c0adaa5f8809723bec9817cedd7e531e61f45fdb1d3e8

SHA512
6ddb74a12abaae1f11205fcccd4b8b737eb34ebe432911fa1eef81a384c95a38740048a200fdd416fa6d25d505aaf5c7ac9fa624303207d87755d4b033b15c83

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
95e360423a2a07ce6ed3e11612c87f75

SHA1
b62bee6e0cca11fd4e033edcb6fda68d3398edf7

SHA256
cb0d2b8b20da9ae88057d163585019888cd4f83f5bf2f882e3ad707dfd4b9bfa

SHA512
b8cdf4626bae25900c74abb5909b91d53757ec5c9eb2264d01dd4d067fe0d4cd70631916de983fe754c40efca4c6e1ecd1334159f7fd615f38f29967149c8482

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
ae5cc0419c1a6f6205431f47840877cc

SHA1
19cc8e1700f0433a38b03933af8fed0c238f1a15

SHA256
850639899e81692f1bf9666306f2c8d1a58fe6edc962bd7568d8c1259b60c824

SHA512
d752896767a0679d1d238c4eaacfc67a5d5d7059f444ba13d72e35cb962179df99e1857167a05828bc586339dfb3f2cfe8565bee6dde3256ec0e118572afcacc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
0ae68f4feac59da3e46d77bce9386fa7

SHA1
97995c2faab8506f736837000c712ce6d59f9583

SHA256
da87317c08d00a642b0bdf5e2201d4fc7b07b7c46d4a819a0c271d5eef326228

SHA512
643405e77c25102802684abd0c8b71836cd2a37fdd0fc1ff04f96c6de0a03b96889d1daf0cc69284c56ddfdd3d57330d2d35d34df2939fbf1769dde5f26b0e42

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
961bb0a7a78d06704af73ae83b0ea5c5

SHA1
f32b924b6ff82fde51f3e37054cdb019bc8efd76

SHA256
af47640dadbc74968374409c65498025fd4e09744c1afb9cf99e6a1728f3f57e

SHA512
f5a325766d15f39b7d3b95345a7e18fc212057380bae807a981729da1a3ec77e9694d24b5fc2ae49510779441355ca64d4ccd013ee94e638a5c4c00c4a863fd2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
d28cd1fe0c306cb7f31806c8fc03a349

SHA1
59280959aa316b2963679937bcdea45f2c389c19

SHA256
df4ef3bea5eb2d20d8387a1f0ce7cc0fb160c30daac412191c47062539f51d82

SHA512
4e22de111d063a255bc0f69041d36f9f16c1357c6e3bd30e5cb4782420ee7780f0d6d9db902d686491e087fee5294230e3a9531243f6fd9e9006c50c3d18e763

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab7CCF.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\StikyNote.exe

Filesize
384KB

MD5
52d88a95ea0068441a60a419b314b63f

SHA1
c19992b37b29eaa989288f73dd045ec4dfcdbaa2

SHA256
02a3dfdc9a6a99e7322a70249f94b02a931ca66810a4eb142dbfb253c2f8e5bd

SHA512
b25bf852aec657b7d56187bc50cbdc91299c8fe377cbd66107caf541131e3c3e0c11694c246e8b26e4095bd78ed470099a212232921ce31a33b5362f70684b77

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar7E10.tmp

Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup.tmp

Filesize
47B

MD5
72a392628d7f368bb9bc9689a694f55a

SHA1
feacee9c66028a333446f2c968bcb3d567a4033d

SHA256
afa60141aee93d7e3f3d8d296e36de9956f588a6cad99f8e79ce36ab88e828dd

SHA512
76f40be7d3e0de960c7bc199fd094c64588841e5b6a1b99bd7fd2e3b53f9e381ded992ee6d67848dd4fda755416792ff6e29bf0acf1a348796dcf7e9bf96229e

Download Submit
\Users\Admin\AppData\Local\Temp\StikyNote.exe

Filesize
387KB

MD5
faf4c5b49ccb2df5a87fa5fa0821a3ff

SHA1
72fb46a9fe34f92c2b54f49678f9d8208c93f42a

SHA256
5104ba3b188ed57b396749d2766704b120268e7aa43ff79bc241bfb3e9573ce1

SHA512
cbe266aff51999d2dce09fe3d45b76ed0acf76cdb8923455a9279bd212d1043c0bf2f4eb73663b5a0c3dff3a2358f41880c1ce09e21b42501c010960731b987f

Download Submit
memory/2036-6-0x00000000000D0000-0x00000000000D3000-memory.dmp

Filesize
12KB

Download
memory/2036-1-0x00000000000D0000-0x00000000000D3000-memory.dmp

Filesize
12KB

Download
memory/2036-3-0x00000000000D0000-0x00000000000D3000-memory.dmp

Filesize
12KB

Download
memory/2544-16-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/2604-17-0x0000000076130000-0x0000000076240000-memory.dmp

Filesize
1.1MB

Download