Analysis

  • max time kernel
    126s
  • max time network
    132s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230221-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20230221-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    06/06/2023, 08:03

General

  • Target

    2023-06-04_ac4efeb9f09e844f22a37de5d1a9c505_darkside.exe

  • Size

    146KB

  • MD5

    ac4efeb9f09e844f22a37de5d1a9c505

  • SHA1

    8e099b2e1d405708c1c76b727aaba272496966c8

  • SHA256

    af4c28fb1c65ebe93181b67d279733e864cafab5919a7aa7eced93fc8113df16

  • SHA512

    c6262e7ac5fcaf82700f6b82c3aca0bad612a40905c572b861c6a5227d2ed6d52f7508a2c263eabf93ddd148e8f3872d39d36b8c01e13e2e76e85a5e6d89397a

  • SSDEEP

    3072:M6glyuxE4GsUPnliByocWepDY0k1p8M/DJ6iHrAa:M6gDBGpvEByocWeRY0k77JzH

Malware Config

Signatures

  • Renames multiple (615) files with added filename extension

    This suggests ransomware activity: the files on the system are being encrypted and renamed.

  • Modifies extensions of user files 8 IoCs

    Ransomware generally changes the extension on encrypted files.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up the country code configured in the registry, likely for geofencing.

  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Drops desktop.ini file(s) 1 IoCs
  • Drops file in System32 directory 4 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 62 IoCs
  • Suspicious behavior: RenamesItself 26 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of SetWindowsHookEx 13 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\2023-06-04_ac4efeb9f09e844f22a37de5d1a9c505_darkside.exe
    "C:\Users\Admin\AppData\Local\Temp\2023-06-04_ac4efeb9f09e844f22a37de5d1a9c505_darkside.exe"
    1⤵
    • Modifies extensions of user files
    • Drops desktop.ini file(s)
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1216
    • C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      2⤵
      • Drops file in System32 directory
      PID:1532
    • C:\ProgramData\4CF8.tmp
      "C:\ProgramData\4CF8.tmp"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious behavior: RenamesItself
      • Suspicious use of WriteProcessMemory
      PID:4140
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\4CF8.tmp >> NUL
        3⤵
          PID:2760
    • C:\Windows\system32\vssvc.exe
      C:\Windows\system32\vssvc.exe
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:4940
    • C:\Windows\system32\svchost.exe
      C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
      1⤵
        PID:3388
      • C:\Windows\system32\printfilterpipelinesvc.exe
        C:\Windows\system32\printfilterpipelinesvc.exe -Embedding
        1⤵
        • Drops file in System32 directory
        • Suspicious use of WriteProcessMemory
        PID:4760
        • C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
          /insertdoc "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\{B730EF9C-2C5F-492B-B942-37635BEC9C02}.xps" 133305122798560000
          2⤵
          • Checks processor information in registry
          • Enumerates system info in registry
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of SetWindowsHookEx
          PID:4648

      Network

      MITRE ATT&CK Enterprise v6

      Downloads
