eac4613b8c69b4b84acb79e19ce02e41835de1ced41af5d913fe1869223ca614

Analysis

max time kernel
144s
max time network
142s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
02/08/2024, 07:25

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-08-02_9e03be269c58a15b6ffc9a1502569686_mafia_stonedrill.exe
Size

387KB
MD5

9e03be269c58a15b6ffc9a1502569686
SHA1

d034168bfa1deecf9f4f0ed702dc1be55d87064b
SHA256

eac4613b8c69b4b84acb79e19ce02e41835de1ced41af5d913fe1869223ca614
SHA512

cd42b990eb30b6bbff95658f34bc96218d8b19aaa4bde6b0e18acfb3b6b3208a958907e8a8a8e05b4640f9e3badab885543266e4ebd5d21973373508a7f2e457
SSDEEP

12288:BqYXje0DF9k64/QSywqP0T8oIN1AHDFhY25fC2WF9sr204P:BqYDF9k64/Q9j28okAHDHY25fC2WF9sk

Score

7^/10

discovery persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2220	StikyNote.exe

Loads dropped DLL 1 IoCs

pid	Process
1052	2024-08-02_9e03be269c58a15b6ffc9a1502569686_mafia_stonedrill.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\RESTART_STICKY_NOTESS = "C:\\Users\\Admin\\AppData\\Local\\Temp\\StikyNote.exe"	reg.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2220 set thread context of 2760	2220	StikyNote.exe	33

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-08-02_9e03be269c58a15b6ffc9a1502569686_mafia_stonedrill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	StikyNote.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies Internet Explorer settings 1 TTPs 28 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{6A14FAE1-50A0-11EF-81BB-526249468C57} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "428745407"	iexplore.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
2020	reg.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1052	2024-08-02_9e03be269c58a15b6ffc9a1502569686_mafia_stonedrill.exe
2220	StikyNote.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2760	iexplore.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2760	iexplore.exe
2760	iexplore.exe
2756	IEXPLORE.EXE
2756	IEXPLORE.EXE
2756	IEXPLORE.EXE
2756	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 39 IoCs

description	pid	Process	procid_target
PID 1052 wrote to memory of 1120	1052	2024-08-02_9e03be269c58a15b6ffc9a1502569686_mafia_stonedrill.exe	29
PID 1052 wrote to memory of 1120	1052	2024-08-02_9e03be269c58a15b6ffc9a1502569686_mafia_stonedrill.exe	29
PID 1052 wrote to memory of 1120	1052	2024-08-02_9e03be269c58a15b6ffc9a1502569686_mafia_stonedrill.exe	29
PID 1052 wrote to memory of 1120	1052	2024-08-02_9e03be269c58a15b6ffc9a1502569686_mafia_stonedrill.exe	29
PID 1052 wrote to memory of 1120	1052	2024-08-02_9e03be269c58a15b6ffc9a1502569686_mafia_stonedrill.exe	29
PID 1052 wrote to memory of 1120	1052	2024-08-02_9e03be269c58a15b6ffc9a1502569686_mafia_stonedrill.exe	29
PID 1052 wrote to memory of 1120	1052	2024-08-02_9e03be269c58a15b6ffc9a1502569686_mafia_stonedrill.exe	29
PID 1052 wrote to memory of 1120	1052	2024-08-02_9e03be269c58a15b6ffc9a1502569686_mafia_stonedrill.exe	29
PID 1052 wrote to memory of 1120	1052	2024-08-02_9e03be269c58a15b6ffc9a1502569686_mafia_stonedrill.exe	29
PID 1052 wrote to memory of 2556	1052	2024-08-02_9e03be269c58a15b6ffc9a1502569686_mafia_stonedrill.exe	30
PID 1052 wrote to memory of 2556	1052	2024-08-02_9e03be269c58a15b6ffc9a1502569686_mafia_stonedrill.exe	30
PID 1052 wrote to memory of 2556	1052	2024-08-02_9e03be269c58a15b6ffc9a1502569686_mafia_stonedrill.exe	30
PID 1052 wrote to memory of 2556	1052	2024-08-02_9e03be269c58a15b6ffc9a1502569686_mafia_stonedrill.exe	30
PID 1052 wrote to memory of 2220	1052	2024-08-02_9e03be269c58a15b6ffc9a1502569686_mafia_stonedrill.exe	32
PID 1052 wrote to memory of 2220	1052	2024-08-02_9e03be269c58a15b6ffc9a1502569686_mafia_stonedrill.exe	32
PID 1052 wrote to memory of 2220	1052	2024-08-02_9e03be269c58a15b6ffc9a1502569686_mafia_stonedrill.exe	32
PID 1052 wrote to memory of 2220	1052	2024-08-02_9e03be269c58a15b6ffc9a1502569686_mafia_stonedrill.exe	32
PID 2220 wrote to memory of 2760	2220	StikyNote.exe	33
PID 2220 wrote to memory of 2760	2220	StikyNote.exe	33
PID 2220 wrote to memory of 2760	2220	StikyNote.exe	33
PID 2220 wrote to memory of 2760	2220	StikyNote.exe	33
PID 2220 wrote to memory of 2760	2220	StikyNote.exe	33
PID 2220 wrote to memory of 2760	2220	StikyNote.exe	33
PID 2220 wrote to memory of 2760	2220	StikyNote.exe	33
PID 2220 wrote to memory of 2760	2220	StikyNote.exe	33
PID 2220 wrote to memory of 2760	2220	StikyNote.exe	33
PID 2220 wrote to memory of 2760	2220	StikyNote.exe	33
PID 2760 wrote to memory of 2756	2760	iexplore.exe	34
PID 2760 wrote to memory of 2756	2760	iexplore.exe	34
PID 2760 wrote to memory of 2756	2760	iexplore.exe	34
PID 2760 wrote to memory of 2756	2760	iexplore.exe	34
PID 1120 wrote to memory of 1908	1120	rundll32.exe	36
PID 1120 wrote to memory of 1908	1120	rundll32.exe	36
PID 1120 wrote to memory of 1908	1120	rundll32.exe	36
PID 1120 wrote to memory of 1908	1120	rundll32.exe	36
PID 1908 wrote to memory of 2020	1908	cmd.exe	38
PID 1908 wrote to memory of 2020	1908	cmd.exe	38
PID 1908 wrote to memory of 2020	1908	cmd.exe	38
PID 1908 wrote to memory of 2020	1908	cmd.exe	38

C:\Users\Admin\AppData\Local\Temp\2024-08-02_9e03be269c58a15b6ffc9a1502569686_mafia_stonedrill.exe
"C:\Users\Admin\AppData\Local\Temp\2024-08-02_9e03be269c58a15b6ffc9a1502569686_mafia_stonedrill.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1052
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1120
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v RESTART_STICKY_NOTESS /f /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\StikyNote.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1908
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v RESTART_STICKY_NOTESS /f /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\StikyNote.exe"
      4⤵
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      Modifies registry key
      PID:2020
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c copy "C:\Users\Admin\AppData\Local\Temp\2024-08-02_9e03be269c58a15b6ffc9a1502569686_mafia_stonedrill.exe" "C:\Users\Admin\AppData\Local\Temp\StikyNote.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2556
- C:\Users\Admin\AppData\Local\Temp\StikyNote.exe
  "C:\Users\Admin\AppData\Local\Temp\StikyNote.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2220
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2760
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2760 CREDAT:275457 /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2756

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e49653bc708e86668ea66f144ecac809

SHA1
504c7fa9ea8faffd246d72e7b413e3f8a51e915d

SHA256
44de548370891ac8eafa8c16688f45f6ac1d7df0b60a1b1fb7b2c64d928b197d

SHA512
4672c598efb1d11c8c970fa4547548c6c05d06156ac0107d59b24347de93c6e05f35218dfbd358036a22be83e647e00b51356a6e4b61dc7788e319ebdbe5ea92

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
dabf6df4273e571731e7c229d70385d2

SHA1
e3f2307eb2dbcc46d407e4ce1b949300d1c4c551

SHA256
46d028d14df1cc01e00c63a95b34cf21fd4b0a0737eea5338f9de7d74a670220

SHA512
24cd20a06f00050ff30a34226486452e7a8b7a4330c281d08e565960d4311ebe54fde4ba18e6f7cd3015f921d379a6ea038de21f1dafc82625248ea8eb7f6e83

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6dc7a6abcb15a24857aedf1e228f2d78

SHA1
a5f3ecc702cb185df2de0eb9f002ede037f29583

SHA256
d1fc0a4c70489e9f877b1c21857b0d5ee1ab565d9778f40d7be734e32c859a08

SHA512
b610ca3d7736c5b6af91df79d8d2a78f0bcef5e90509cbd3a6a0ecc14755272abfb18fc0039c98e03400c9ed5332ddc81e1fee7636ae6b3e021f3948f8faf996

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
67fe0cf38a3db8b17b9af289d331db21

SHA1
502c6527c9073b387103ea87a152e2adff845899

SHA256
3465f8f791eea14792b5e0a3da995749c69b5c00ad2b32808c0bdb328dcbde53

SHA512
445c7cd192e19e7d99e458fe956cd9ded2f98086468b0b0aa3673015bc4c1f6e07091a61a84c16d5269a74502a80c23c452beebfb32dce639449215ded333948

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9335fa1b49e8fef854bfefec60d787fc

SHA1
1f2bad9cd8935d1b7bdc1b447dc7ca7468394a27

SHA256
5b82ca06fb8d046093a7035de27619782ebd3ebed62b5fd9364b1355741926c1

SHA512
08f360e4ad922c3f8760352299bbcba38f3213e3b92e27bd9b6acd10c739498f8080f00975110a968bb35843361e5e86dbe7376ecc474e86f500c61285e4e7c7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1150bc96fd2fb9fe103d43813e61548d

SHA1
a2cd5ab2e5e5092298cb8bb4b0b6f44e4afddc5d

SHA256
2987b476ef26d3f10ba0e79b2a81c5d57987c6bf9bcb903a611df4a6c43dd091

SHA512
94d5f0760ab6ab3fe5a43b425072243c4cf1aa1cd35630eebd7e9496ef07d15ca6a0dec7fd72f7dd647347e8d5a5421101b04de55317241a3a58a24e78dc0904

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e585f3bc1e64d09e650163bc65b28f99

SHA1
92ac7e77b64bb027637e95a0fbb0999410385979

SHA256
25af5619fdc28f104ea53d4a6b9efcbd1cea405cec7b785427f59f65c6feff55

SHA512
acfef6c242472533d9fcdfc91348483c54f4c2cf21ad11d20204eeffb0f92e9d6418f1a0f68ed47a3a4d4ef8f7cce22e12fc44a187d2fa8004c43cac583c1669

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f70a9c6c7fcb5db55b1726af7301abb0

SHA1
42629491b9306a8c8682edb37f8c0c1db62fdef2

SHA256
8f6b733b9c3125a658e5a582c795172faf5ab9d724705189f28b26cf5e285d58

SHA512
a5a48316ec1f66727083fcfb7efc6adc006d835e032f578b3647684cb55bba6ec8d64bd8c9902aacada28336745b8e3d07b3fda2552374a66e321b5b0fc9747f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
78721ea52a24c4bf6c20c65c966d3990

SHA1
3d28cfe9b57c9be0e9d62bfab9b37b970d97770d

SHA256
b7bffa6d1e8ce0c8f704d05d5b9ee8c39ac1b388d1d55815105a05cdcddb387f

SHA512
23909c3ea21b0b86fb70e0ff878eb374748c0a8b5c6d3341dd5dc4d60406110dbfc6a10896939792805596e8a688bee676395adf4895704737cc2e6e5fafe19e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7562db77e540f7126eba6196e3a95fe5

SHA1
56299e115f6229137b8e0ac61066ab5da9fc76aa

SHA256
bf03084076808a4b6755cde8a27c685f8912a5acd8bcaf6541f25781a9342e21

SHA512
b5729b04644a4f41007b32166cbba55a6fd1b19b54b79256480d8d615383a5b7d4f89886252d9a9bebda134e213cd4dfb59ad42fe1612311e09807a3903780ce

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
bfd0958b17d6326cbb579c6f726f73d4

SHA1
96995e37aa5625c2aa0a34c78c6d5f5112a5e692

SHA256
872627ba8045b96ce9d3fb170cf1589fac30e9e389e3271ca3c4b177556a7b72

SHA512
20531e16201011364bfc99f40e2801ab77bea6639f469cac3e06cf7503cec35182c013528574136d0efc072d93c066edaef2d187093e856abd7a3a81819eca92

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2435094026f04a0bf0b30bd71d7cb995

SHA1
16e6b8c83ef473b922093b4cb7cf031d9aa435a8

SHA256
be821d54e343a24d3c43906bdd2cadbceb6e1f72c431fc20edfb886bb12b1fe9

SHA512
3f9586fe96dc3684296147c9fe4e6c2adb4983a136613cd76947d1434b9463d64c69e77aa67ba417b9da31e92a0e30eeb142312e84b7e1875df672e322dffdf6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ec25508d700837f30a76d81b0cf1cec6

SHA1
1cacf52f67137554d8a7a5d54a311e07f2ffd9d4

SHA256
40b7a6ed58742ce559e16d44f9616ffbc09caa27132b54049c60fd65d7242d98

SHA512
6228ec00ca91078596c6c84df1856d9d0650b9c93dc903ba4dc0abae946c68f53d31d988d40f59ed2ae24708a86be8614e18efac68fea3fca74d912d64f9c776

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
bfaac99cc204f18361b2a1ca58c7b96f

SHA1
5cb6bbe443b9b544eef8320cfff8f828322aa517

SHA256
3c75324c578ebdcf415ea4974b6b559f054de841c4f683bcc01f4679a9c6aa39

SHA512
993bbe2fbd3cd2efc4f7758a2b3a23ed8a7d5a04b84a719093aede22c526b82c046457860640775923fb719e13d40fe6b5c6c339f2c8c485e5d349a9951a8057

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c4318f29a5890dba7e30ada18054d69a

SHA1
ab387c81230dcbdb4656804c93346bc1b8363260

SHA256
0195702b595ee9fe5bd28dc4e74bb2a962ab63ed64568abcb91cc7287cb8d024

SHA512
e87ef6e059a5918c22200e3e53e98dd8c4cc73420a6aec0287b68e75ea3dc6fedf5d8c0b89588214ed4c5e87aca73784c40703d5ce68ff2ff56255b21416eb53

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2dc07b54aae5cab94cbdc5c67e06794d

SHA1
44f02efc8378e72ca8931ea281bf91d5cd6bda22

SHA256
685d6946e5b02dfa668fa6438dbacae62524a2135f998941684202e2f6cebeaf

SHA512
0844cc467530c64d6d3e8513103f48ff9a5d25e63bd8e8f388997451f2d33d91b3d04913adbaa9807e4156d18b53a247c20cd9f126d2e19fe8b7e36b31ad137a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
fe31315c75ce164dcfa94465622a529e

SHA1
309398a08bc3c54f57e5132fb4e78a734316e2dd

SHA256
dc9f67a9fa6f313780b1ccab52882c8284ce856844c71c77916a6a0cd8ebc897

SHA512
432dec9dd745971dec503b6fff1b1246894ae8bf52fb9e35919c184a6e6950f2bd8efdf09388a965009f312ec8a6eba2143102c09eaafd1d36d1b61532f51bd3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3a640fd2c41a0beb3aa3f0231dd7da27

SHA1
bccb073afa3c04035d3e4dd0aab1b65923f11a18

SHA256
d7575f280890adca96972fd4060bccf3adf66482841556e01b989fee0bf66e21

SHA512
e75df7362a773f7bd79bcbc97c64c806234748288729d012a63f885adf5483cac41961bc8dd15c2969cd6eed6b03fa516f6e0581c193cd82ecdd8ec1349464cb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9fe8c35b2fce4ed76145e20d1eb93a6f

SHA1
fe02f110720a60ba4cfea30918886b85c2846984

SHA256
eea768bfdafcf402828ce4c85f3e3a44dd3dc4f8b067734bf9593a33e048e374

SHA512
c7174e43b11ac327b32baac336f3bc55e31b6bf6fb452a0bea20869ded0f8bc52c9875088ccc587c80ff9b414683b87ce8444270bb679e5a74706a76dc1dae43

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab2FDA.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\StikyNote.exe

Filesize
387KB

MD5
9e03be269c58a15b6ffc9a1502569686

SHA1
d034168bfa1deecf9f4f0ed702dc1be55d87064b

SHA256
eac4613b8c69b4b84acb79e19ce02e41835de1ced41af5d913fe1869223ca614

SHA512
cd42b990eb30b6bbff95658f34bc96218d8b19aaa4bde6b0e18acfb3b6b3208a958907e8a8a8e05b4640f9e3badab885543266e4ebd5d21973373508a7f2e457

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar3098.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup.tmp

Filesize
47B

MD5
72a392628d7f368bb9bc9689a694f55a

SHA1
feacee9c66028a333446f2c968bcb3d567a4033d

SHA256
afa60141aee93d7e3f3d8d296e36de9956f588a6cad99f8e79ce36ab88e828dd

SHA512
76f40be7d3e0de960c7bc199fd094c64588841e5b6a1b99bd7fd2e3b53f9e381ded992ee6d67848dd4fda755416792ff6e29bf0acf1a348796dcf7e9bf96229e

Download Submit
memory/1120-3-0x00000000000D0000-0x00000000000D3000-memory.dmp

Filesize
12KB

Download
memory/1120-1-0x00000000000D0000-0x00000000000D3000-memory.dmp

Filesize
12KB

Download
memory/1120-6-0x00000000000D0000-0x00000000000D3000-memory.dmp

Filesize
12KB

Download
memory/2760-16-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download