2317d33628eb06af24d1d6d94ff892d6fb6a7ecca24094d477f5c77829ca35c0

Analysis

max time kernel
145s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
26-09-2024 11:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024092676a0d2ef15e408b4a07f534c8d056b30darkside.exe
Size

146KB
MD5

76a0d2ef15e408b4a07f534c8d056b30
SHA1

7ddc10e637b0ab439b80a193420b00bcf03c3dd7
SHA256

2317d33628eb06af24d1d6d94ff892d6fb6a7ecca24094d477f5c77829ca35c0
SHA512

48f709fe69c2aa219ee40167f1f82806fd003b697b6ecc96aa87826670b12533530a9314a4a642e92784ef59b4a97628ab27a4c781695a37d946ca624f6fff67
SSDEEP

3072:D6glyuxE4GsUPnliByocWepOsNPfGk21h:D6gDBGpvEByocWeqN

Score

9^/10

defense_evasion discovery ransomware

Malware Config

Signatures

Renames multiple (161) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

CC79.tmp

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	CC79.tmp

Deletes itself 1 IoCs

Processes:

CC79.tmp

pid	Process
1448	CC79.tmp

Executes dropped EXE 1 IoCs

Processes:

CC79.tmp

pid	Process
1448	CC79.tmp

Drops desktop.ini file(s) 2 IoCs

Processes:

2024092676a0d2ef15e408b4a07f534c8d056b30darkside.exe

description	ioc	Process
File opened for modification	C:\$Recycle.Bin\S-1-5-21-523280732-2327480845-3730041215-1000\desktop.ini	2024092676a0d2ef15e408b4a07f534c8d056b30darkside.exe
File opened for modification	F:\$RECYCLE.BIN\S-1-5-21-523280732-2327480845-3730041215-1000\desktop.ini	2024092676a0d2ef15e408b4a07f534c8d056b30darkside.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Drops file in System32 directory 4 IoCs

Processes:

printfilterpipelinesvc.exesplwow64.exe

description	ioc	Process
File created	C:\Windows\system32\spool\PRINTERS\PPzx9h1vn4whc0c4wz362iip2.TMP	printfilterpipelinesvc.exe
File created	C:\Windows\system32\spool\PRINTERS\00002.SPL	splwow64.exe
File created	C:\Windows\system32\spool\PRINTERS\PPg73yjcifx0y714v25p4mlupfb.TMP	printfilterpipelinesvc.exe
File created	C:\Windows\system32\spool\PRINTERS\PP0epa4c3oi59dov6tb3_xxozpd.TMP	printfilterpipelinesvc.exe

Sets desktop wallpaper using registry 2 TTPs 2 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

2024092676a0d2ef15e408b4a07f534c8d056b30darkside.exe

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\3WaPinOps.bmp"	2024092676a0d2ef15e408b4a07f534c8d056b30darkside.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\3WaPinOps.bmp"	2024092676a0d2ef15e408b4a07f534c8d056b30darkside.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs

Processes:

2024092676a0d2ef15e408b4a07f534c8d056b30darkside.exeCC79.tmp

pid	Process
3304	2024092676a0d2ef15e408b4a07f534c8d056b30darkside.exe
3304	2024092676a0d2ef15e408b4a07f534c8d056b30darkside.exe
3304	2024092676a0d2ef15e408b4a07f534c8d056b30darkside.exe
3304	2024092676a0d2ef15e408b4a07f534c8d056b30darkside.exe
1448	CC79.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

2024092676a0d2ef15e408b4a07f534c8d056b30darkside.exeCC79.tmpcmd.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024092676a0d2ef15e408b4a07f534c8d056b30darkside.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CC79.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

ONENOTE.EXE

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	ONENOTE.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	ONENOTE.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	ONENOTE.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

ONENOTE.EXE

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	ONENOTE.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	ONENOTE.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	ONENOTE.EXE

Modifies Control Panel 2 IoCs

evasion

Processes:

2024092676a0d2ef15e408b4a07f534c8d056b30darkside.exe

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\Desktop	2024092676a0d2ef15e408b4a07f534c8d056b30darkside.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\Desktop\WallpaperStyle = "10"	2024092676a0d2ef15e408b4a07f534c8d056b30darkside.exe

Modifies registry class 5 IoCs

Processes:

2024092676a0d2ef15e408b4a07f534c8d056b30darkside.exe

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\3WaPinOps	2024092676a0d2ef15e408b4a07f534c8d056b30darkside.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\3WaPinOps\DefaultIcon\ = "C:\\ProgramData\\3WaPinOps.ico"	2024092676a0d2ef15e408b4a07f534c8d056b30darkside.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.3WaPinOps	2024092676a0d2ef15e408b4a07f534c8d056b30darkside.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.3WaPinOps\ = "3WaPinOps"	2024092676a0d2ef15e408b4a07f534c8d056b30darkside.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\3WaPinOps\DefaultIcon	2024092676a0d2ef15e408b4a07f534c8d056b30darkside.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

2024092676a0d2ef15e408b4a07f534c8d056b30darkside.exeONENOTE.EXE

pid	Process
3304	2024092676a0d2ef15e408b4a07f534c8d056b30darkside.exe
3304	2024092676a0d2ef15e408b4a07f534c8d056b30darkside.exe
3304	2024092676a0d2ef15e408b4a07f534c8d056b30darkside.exe
3304	2024092676a0d2ef15e408b4a07f534c8d056b30darkside.exe
3304	2024092676a0d2ef15e408b4a07f534c8d056b30darkside.exe
3304	2024092676a0d2ef15e408b4a07f534c8d056b30darkside.exe
3304	2024092676a0d2ef15e408b4a07f534c8d056b30darkside.exe
3304	2024092676a0d2ef15e408b4a07f534c8d056b30darkside.exe
3304	2024092676a0d2ef15e408b4a07f534c8d056b30darkside.exe
3304	2024092676a0d2ef15e408b4a07f534c8d056b30darkside.exe
3304	2024092676a0d2ef15e408b4a07f534c8d056b30darkside.exe
3304	2024092676a0d2ef15e408b4a07f534c8d056b30darkside.exe
4748	ONENOTE.EXE
4748	ONENOTE.EXE

Suspicious behavior: RenamesItself 26 IoCs

Processes:

CC79.tmp

pid	Process
1448	CC79.tmp
1448	CC79.tmp
1448	CC79.tmp
1448	CC79.tmp
1448	CC79.tmp
1448	CC79.tmp
1448	CC79.tmp
1448	CC79.tmp
1448	CC79.tmp
1448	CC79.tmp
1448	CC79.tmp
1448	CC79.tmp
1448	CC79.tmp
1448	CC79.tmp
1448	CC79.tmp
1448	CC79.tmp
1448	CC79.tmp
1448	CC79.tmp
1448	CC79.tmp
1448	CC79.tmp
1448	CC79.tmp
1448	CC79.tmp
1448	CC79.tmp
1448	CC79.tmp
1448	CC79.tmp
1448	CC79.tmp

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

2024092676a0d2ef15e408b4a07f534c8d056b30darkside.exe

description	pid	Process
Token: SeAssignPrimaryTokenPrivilege	3304	2024092676a0d2ef15e408b4a07f534c8d056b30darkside.exe
Token: SeBackupPrivilege	3304	2024092676a0d2ef15e408b4a07f534c8d056b30darkside.exe
Token: SeDebugPrivilege	3304	2024092676a0d2ef15e408b4a07f534c8d056b30darkside.exe
Token: 36	3304	2024092676a0d2ef15e408b4a07f534c8d056b30darkside.exe
Token: SeImpersonatePrivilege	3304	2024092676a0d2ef15e408b4a07f534c8d056b30darkside.exe
Token: SeIncBasePriorityPrivilege	3304	2024092676a0d2ef15e408b4a07f534c8d056b30darkside.exe
Token: SeIncreaseQuotaPrivilege	3304	2024092676a0d2ef15e408b4a07f534c8d056b30darkside.exe
Token: 33	3304	2024092676a0d2ef15e408b4a07f534c8d056b30darkside.exe
Token: SeManageVolumePrivilege	3304	2024092676a0d2ef15e408b4a07f534c8d056b30darkside.exe
Token: SeProfSingleProcessPrivilege	3304	2024092676a0d2ef15e408b4a07f534c8d056b30darkside.exe
Token: SeRestorePrivilege	3304	2024092676a0d2ef15e408b4a07f534c8d056b30darkside.exe
Token: SeSecurityPrivilege	3304	2024092676a0d2ef15e408b4a07f534c8d056b30darkside.exe
Token: SeSystemProfilePrivilege	3304	2024092676a0d2ef15e408b4a07f534c8d056b30darkside.exe
Token: SeTakeOwnershipPrivilege	3304	2024092676a0d2ef15e408b4a07f534c8d056b30darkside.exe
Token: SeShutdownPrivilege	3304	2024092676a0d2ef15e408b4a07f534c8d056b30darkside.exe
Token: SeDebugPrivilege	3304	2024092676a0d2ef15e408b4a07f534c8d056b30darkside.exe
Token: SeBackupPrivilege	3304	2024092676a0d2ef15e408b4a07f534c8d056b30darkside.exe
Token: SeBackupPrivilege	3304	2024092676a0d2ef15e408b4a07f534c8d056b30darkside.exe
Token: SeSecurityPrivilege	3304	2024092676a0d2ef15e408b4a07f534c8d056b30darkside.exe
Token: SeSecurityPrivilege	3304	2024092676a0d2ef15e408b4a07f534c8d056b30darkside.exe
Token: SeBackupPrivilege	3304	2024092676a0d2ef15e408b4a07f534c8d056b30darkside.exe
Token: SeBackupPrivilege	3304	2024092676a0d2ef15e408b4a07f534c8d056b30darkside.exe
Token: SeSecurityPrivilege	3304	2024092676a0d2ef15e408b4a07f534c8d056b30darkside.exe
Token: SeSecurityPrivilege	3304	2024092676a0d2ef15e408b4a07f534c8d056b30darkside.exe
Token: SeBackupPrivilege	3304	2024092676a0d2ef15e408b4a07f534c8d056b30darkside.exe
Token: SeBackupPrivilege	3304	2024092676a0d2ef15e408b4a07f534c8d056b30darkside.exe
Token: SeSecurityPrivilege	3304	2024092676a0d2ef15e408b4a07f534c8d056b30darkside.exe
Token: SeSecurityPrivilege	3304	2024092676a0d2ef15e408b4a07f534c8d056b30darkside.exe
Token: SeBackupPrivilege	3304	2024092676a0d2ef15e408b4a07f534c8d056b30darkside.exe
Token: SeBackupPrivilege	3304	2024092676a0d2ef15e408b4a07f534c8d056b30darkside.exe
Token: SeSecurityPrivilege	3304	2024092676a0d2ef15e408b4a07f534c8d056b30darkside.exe
Token: SeSecurityPrivilege	3304	2024092676a0d2ef15e408b4a07f534c8d056b30darkside.exe
Token: SeBackupPrivilege	3304	2024092676a0d2ef15e408b4a07f534c8d056b30darkside.exe
Token: SeBackupPrivilege	3304	2024092676a0d2ef15e408b4a07f534c8d056b30darkside.exe
Token: SeSecurityPrivilege	3304	2024092676a0d2ef15e408b4a07f534c8d056b30darkside.exe
Token: SeSecurityPrivilege	3304	2024092676a0d2ef15e408b4a07f534c8d056b30darkside.exe
Token: SeBackupPrivilege	3304	2024092676a0d2ef15e408b4a07f534c8d056b30darkside.exe
Token: SeBackupPrivilege	3304	2024092676a0d2ef15e408b4a07f534c8d056b30darkside.exe
Token: SeSecurityPrivilege	3304	2024092676a0d2ef15e408b4a07f534c8d056b30darkside.exe
Token: SeSecurityPrivilege	3304	2024092676a0d2ef15e408b4a07f534c8d056b30darkside.exe
Token: SeBackupPrivilege	3304	2024092676a0d2ef15e408b4a07f534c8d056b30darkside.exe
Token: SeBackupPrivilege	3304	2024092676a0d2ef15e408b4a07f534c8d056b30darkside.exe
Token: SeSecurityPrivilege	3304	2024092676a0d2ef15e408b4a07f534c8d056b30darkside.exe
Token: SeSecurityPrivilege	3304	2024092676a0d2ef15e408b4a07f534c8d056b30darkside.exe
Token: SeBackupPrivilege	3304	2024092676a0d2ef15e408b4a07f534c8d056b30darkside.exe
Token: SeBackupPrivilege	3304	2024092676a0d2ef15e408b4a07f534c8d056b30darkside.exe
Token: SeSecurityPrivilege	3304	2024092676a0d2ef15e408b4a07f534c8d056b30darkside.exe
Token: SeSecurityPrivilege	3304	2024092676a0d2ef15e408b4a07f534c8d056b30darkside.exe
Token: SeBackupPrivilege	3304	2024092676a0d2ef15e408b4a07f534c8d056b30darkside.exe
Token: SeBackupPrivilege	3304	2024092676a0d2ef15e408b4a07f534c8d056b30darkside.exe
Token: SeSecurityPrivilege	3304	2024092676a0d2ef15e408b4a07f534c8d056b30darkside.exe
Token: SeSecurityPrivilege	3304	2024092676a0d2ef15e408b4a07f534c8d056b30darkside.exe
Token: SeBackupPrivilege	3304	2024092676a0d2ef15e408b4a07f534c8d056b30darkside.exe
Token: SeBackupPrivilege	3304	2024092676a0d2ef15e408b4a07f534c8d056b30darkside.exe
Token: SeSecurityPrivilege	3304	2024092676a0d2ef15e408b4a07f534c8d056b30darkside.exe
Token: SeSecurityPrivilege	3304	2024092676a0d2ef15e408b4a07f534c8d056b30darkside.exe
Token: SeBackupPrivilege	3304	2024092676a0d2ef15e408b4a07f534c8d056b30darkside.exe
Token: SeBackupPrivilege	3304	2024092676a0d2ef15e408b4a07f534c8d056b30darkside.exe
Token: SeSecurityPrivilege	3304	2024092676a0d2ef15e408b4a07f534c8d056b30darkside.exe
Token: SeSecurityPrivilege	3304	2024092676a0d2ef15e408b4a07f534c8d056b30darkside.exe
Token: SeBackupPrivilege	3304	2024092676a0d2ef15e408b4a07f534c8d056b30darkside.exe
Token: SeBackupPrivilege	3304	2024092676a0d2ef15e408b4a07f534c8d056b30darkside.exe
Token: SeSecurityPrivilege	3304	2024092676a0d2ef15e408b4a07f534c8d056b30darkside.exe
Token: SeSecurityPrivilege	3304	2024092676a0d2ef15e408b4a07f534c8d056b30darkside.exe

Suspicious use of SetWindowsHookEx 13 IoCs

Processes:

ONENOTE.EXE

pid	Process
4748	ONENOTE.EXE
4748	ONENOTE.EXE
4748	ONENOTE.EXE
4748	ONENOTE.EXE
4748	ONENOTE.EXE
4748	ONENOTE.EXE
4748	ONENOTE.EXE
4748	ONENOTE.EXE
4748	ONENOTE.EXE
4748	ONENOTE.EXE
4748	ONENOTE.EXE
4748	ONENOTE.EXE
4748	ONENOTE.EXE

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

2024092676a0d2ef15e408b4a07f534c8d056b30darkside.exeprintfilterpipelinesvc.exeCC79.tmp

description	pid	Process	procid_target
PID 3304 wrote to memory of 3852	3304	2024092676a0d2ef15e408b4a07f534c8d056b30darkside.exe	84
PID 3304 wrote to memory of 3852	3304	2024092676a0d2ef15e408b4a07f534c8d056b30darkside.exe	84
PID 3640 wrote to memory of 4748	3640	printfilterpipelinesvc.exe	87
PID 3640 wrote to memory of 4748	3640	printfilterpipelinesvc.exe	87
PID 3304 wrote to memory of 1448	3304	2024092676a0d2ef15e408b4a07f534c8d056b30darkside.exe	88
PID 3304 wrote to memory of 1448	3304	2024092676a0d2ef15e408b4a07f534c8d056b30darkside.exe	88
PID 3304 wrote to memory of 1448	3304	2024092676a0d2ef15e408b4a07f534c8d056b30darkside.exe	88
PID 3304 wrote to memory of 1448	3304	2024092676a0d2ef15e408b4a07f534c8d056b30darkside.exe	88
PID 1448 wrote to memory of 4940	1448	CC79.tmp	89
PID 1448 wrote to memory of 4940	1448	CC79.tmp	89
PID 1448 wrote to memory of 4940	1448	CC79.tmp	89

C:\Users\Admin\AppData\Local\Temp\2024092676a0d2ef15e408b4a07f534c8d056b30darkside.exe
"C:\Users\Admin\AppData\Local\Temp\2024092676a0d2ef15e408b4a07f534c8d056b30darkside.exe"
1⤵
- Drops desktop.ini file(s)
- Sets desktop wallpaper using registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3304
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  - Drops file in System32 directory
  PID:3852
- C:\ProgramData\CC79.tmp
  "C:\ProgramData\CC79.tmp"
  2⤵
  - Checks computer location settings
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: RenamesItself
  - Suspicious use of WriteProcessMemory
  PID:1448
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\CC79.tmp >> NUL
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4940

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
1⤵
PID:2260

C:\Windows\system32\printfilterpipelinesvc.exe
C:\Windows\system32\printfilterpipelinesvc.exe -Embedding
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3640
- C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
  /insertdoc "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\{63803C05-34AA-4B8A-97F2-37C1626EBF38}.xps" 133718244518080000
  2⤵
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:4748

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-523280732-2327480845-3730041215-1000\YYYYYYYYYYY

Filesize
129B

MD5
eac01c2248189bb27123f8225b248c81

SHA1
89ce7ad637149e3d394eec814a6e8e9fcd045fab

SHA256
6068ee66e9705228b194e3a4f921cd34597aef5ccee60d2964dedeaaeeb504b6

SHA512
836e10ccc7a128df2a23683a5511a84b82217de40f3811e23d4ca4d3be5d1e352a6527f61d283f90a011ed3656e32ce2850f9eb728f4b6d788d5e6008465302b

Download Submit
C:\3WaPinOps.README.txt

Filesize
463B

MD5
6f7db6bb7b29b288b16771cd09f495e6

SHA1
ab4c0ef134b8c4fefa75acd18c5f88d6c6870b58

SHA256
95d26fea78a10ee5d82d4de5e16bba8077ef038139b3c0fcf7519f2b4c813518

SHA512
8ce9df614eae8036043d85d9c3e36d0d0e464e6d3ae288afd6ad538722ef4e48d8910cd2bf34004f7415a6c894654f03fe0f2eb3ffea67e333351818b2d5edd9

Download Submit
C:\ProgramData\CC79.tmp

Filesize
14KB

MD5
294e9f64cb1642dd89229fff0592856b

SHA1
97b148c27f3da29ba7b18d6aee8a0db9102f47c9

SHA256
917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2

SHA512
b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC

Filesize
146KB

MD5
3a2064963aa0152d344fd19e8419e635

SHA1
f1784a8c1b48dcf9986e35d62b07ac724921ebdc

SHA256
94e714539fc0cb3f69594cc61b3821b6e7502cf4ce1e91e181ecfa6cf7315b7e

SHA512
31e865b471552d7835801e2b355b531fe13d7b8f14bb6189b095c338302a72e64c1d4a9dbfada2dcf4793ae747f24fbee9cd4a276c4163e56a22748f9ecd7ade

Download Submit
C:\Users\Admin\AppData\Local\Temp\{7EE7D885-481D-4D62-A4F1-791A82302812}

Filesize
4KB

MD5
414875404066c3fbfbf89981a8174683

SHA1
aad4511911801d2bf4e58d6e98baf6a339a59834

SHA256
dcab3bc541388509e71c4ebf11a8574f4442f3407a4d3c51871bceecf4520c85

SHA512
9c78a007f8885a5da1c50b588ed97ba5a1de3e8252c192ec3dff59aaa1d63f4475e04b6eb17b113f1942dd71e052fedccd25f0b2b2f5de1c9cc34f8e327af153

Download Submit
C:\Users\Admin\Documents\OneNote Notebooks\My Notebook\Open Notebook.onetoc2

Filesize
4KB

MD5
e57b0c11c03d8e6822b203e76d0ec87a

SHA1
af24da435c04cdccf1f94f95d17b07613201fba3

SHA256
153d9a28e221e1ec9c9703fe3979caa5658ff7874e790593cfc28024ff2e9a13

SHA512
7ad40fe716b4a2d558c8c8816b536c50555c7b6d3387c4532c3b64b689a599fc376784c6a84bbaa63aeb7be9afcdc1a373aedc62bfc06c1dd732b3e3a5328ed2

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-523280732-2327480845-3730041215-1000\DDDDDDDDDDD

Filesize
129B

MD5
8eb94c03cfaf91cb7d057d118d4d25f3

SHA1
e98775382eefc8eaebc8bff6cfa30ab358f71ea7

SHA256
e728693f08563a940673227a2fb8add6f9e9c24fd3dce2f19b9a7e8f12c1f564

SHA512
c75b3466045a39eceecd86f83f2d42ed50478f5e51fe02e4133e7558de0314632d49d09f33e64fc45e97811cedf4022e468ed9cb49c66477c9e0fa17e456c40d

Download Submit
memory/3304-1-0x0000000003010000-0x0000000003020000-memory.dmp

Filesize
64KB

Download
memory/3304-2-0x0000000003010000-0x0000000003020000-memory.dmp

Filesize
64KB

Download
memory/3304-339-0x0000000003010000-0x0000000003020000-memory.dmp

Filesize
64KB

Download
memory/3304-340-0x0000000003010000-0x0000000003020000-memory.dmp

Filesize
64KB

Download
memory/3304-341-0x0000000003010000-0x0000000003020000-memory.dmp

Filesize
64KB

Download
memory/3304-0-0x0000000003010000-0x0000000003020000-memory.dmp

Filesize
64KB

Download
memory/4748-356-0x00007FF7D6E50000-0x00007FF7D6E60000-memory.dmp

Filesize
64KB

Download
memory/4748-357-0x00007FF7D6E50000-0x00007FF7D6E60000-memory.dmp

Filesize
64KB

Download
memory/4748-354-0x00007FF7D6E50000-0x00007FF7D6E60000-memory.dmp

Filesize
64KB

Download
memory/4748-390-0x00007FF7D44F0000-0x00007FF7D4500000-memory.dmp

Filesize
64KB

Download
memory/4748-391-0x00007FF7D44F0000-0x00007FF7D4500000-memory.dmp

Filesize
64KB

Download
memory/4748-355-0x00007FF7D6E50000-0x00007FF7D6E60000-memory.dmp

Filesize
64KB

Download
memory/4748-353-0x00007FF7D6E50000-0x00007FF7D6E60000-memory.dmp

Filesize
64KB

Download