Analysis Overview
SHA256
5c54bd1aa2abf024f53490b7d93101496b5842a5a81a51955fe7f1d5e4281409
Threat Level: Known bad
The file 5c54bd1aa2abf024f53490b7d93101496b5842a5a81a51955fe7f1d5e4281409.exe was found to be: Known bad.
Malicious Activity Summary
Dragonforce family
DragonForce
Rule to detect Lockbit 3.0 ransomware Windows payload
Lockbit family
Loads dropped DLL
Reads user/profile data of web browsers
Checks computer location settings
Executes dropped EXE
Deletes itself
Indicator Removal: File Deletion
Drops desktop.ini file(s)
Suspicious use of NtSetInformationThreadHideFromDebugger
Drops file in System32 directory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Enumerates system info in registry
Suspicious use of SetWindowsHookEx
Checks processor information in registry
Suspicious behavior: RenamesItself
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-19 13:41
Signatures
Lockbit family
Rule to detect Lockbit 3.0 ransomware Windows payload
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-19 13:41
Reported
2024-11-19 13:43
Platform
win7-20240708-en
Max time kernel
119s
Max time network
123s
Command Line
Signatures
DragonForce
Dragonforce family
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\BB4.tmp | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\BB4.tmp | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5c54bd1aa2abf024f53490b7d93101496b5842a5a81a51955fe7f1d5e4281409.exe | N/A |
Reads user/profile data of web browsers
Drops desktop.ini file(s)
| Description | Indicator | Process | Target |
| File opened for modification | C:\$Recycle.Bin\S-1-5-21-3551809350-4263495960-1443967649-1000\desktop.ini | C:\Users\Admin\AppData\Local\Temp\5c54bd1aa2abf024f53490b7d93101496b5842a5a81a51955fe7f1d5e4281409.exe | N/A |
| File opened for modification | F:\$RECYCLE.BIN\S-1-5-21-3551809350-4263495960-1443967649-1000\desktop.ini | C:\Users\Admin\AppData\Local\Temp\5c54bd1aa2abf024f53490b7d93101496b5842a5a81a51955fe7f1d5e4281409.exe | N/A |
Indicator Removal: File Deletion
Suspicious use of NtSetInformationThreadHideFromDebugger
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\5c54bd1aa2abf024f53490b7d93101496b5842a5a81a51955fe7f1d5e4281409.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\ProgramData\BB4.tmp | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: RenamesItself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\BB4.tmp | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\5c54bd1aa2abf024f53490b7d93101496b5842a5a81a51955fe7f1d5e4281409.exe
"C:\Users\Admin\AppData\Local\Temp\5c54bd1aa2abf024f53490b7d93101496b5842a5a81a51955fe7f1d5e4281409.exe"
C:\ProgramData\BB4.tmp
"C:\ProgramData\BB4.tmp"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\BB4.tmp >> NUL
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x14c
Network
Files
C:\$Recycle.Bin\S-1-5-21-3551809350-4263495960-1443967649-1000\desktop.ini
C:\uBBbnTEl1.README.txt
F:\$RECYCLE.BIN\S-1-5-21-3551809350-4263495960-1443967649-1000\DDDDDDDDDDD
\ProgramData\BB4.tmp
C:\Users\Admin\AppData\Local\Temp\DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-19 13:41
Reported
2024-11-19 13:43
Platform
win10v2004-20241007-en
Max time kernel
148s
Max time network
157s
Command Line
Signatures
DragonForce
Dragonforce family
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | C:\ProgramData\D9B7.tmp | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\D9B7.tmp | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\D9B7.tmp | N/A |
Reads user/profile data of web browsers
Drops desktop.ini file(s)
| Description | Indicator | Process | Target |
| File opened for modification | C:\$Recycle.Bin\S-1-5-21-3350944739-639801879-157714471-1000\desktop.ini | C:\Users\Admin\AppData\Local\Temp\5c54bd1aa2abf024f53490b7d93101496b5842a5a81a51955fe7f1d5e4281409.exe | N/A |
| File opened for modification | F:\$RECYCLE.BIN\S-1-5-21-3350944739-639801879-157714471-1000\desktop.ini | C:\Users\Admin\AppData\Local\Temp\5c54bd1aa2abf024f53490b7d93101496b5842a5a81a51955fe7f1d5e4281409.exe | N/A |
Indicator Removal: File Deletion
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\system32\spool\PRINTERS\00002.SPL | C:\Windows\splwow64.exe | N/A |
| File created | C:\Windows\system32\spool\PRINTERS\PPteqmei2bu54238600zlz0tj4c.TMP | C:\Windows\system32\printfilterpipelinesvc.exe | N/A |
| File created | C:\Windows\system32\spool\PRINTERS\PPixslvvv0vr8hmawxootgiqngd.TMP | C:\Windows\system32\printfilterpipelinesvc.exe | N/A |
| File created | C:\Windows\system32\spool\PRINTERS\PPlwuvw32lqw11b4y3h942brn4d.TMP | C:\Windows\system32\printfilterpipelinesvc.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\5c54bd1aa2abf024f53490b7d93101496b5842a5a81a51955fe7f1d5e4281409.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\ProgramData\D9B7.tmp | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: RenamesItself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\D9B7.tmp | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\5c54bd1aa2abf024f53490b7d93101496b5842a5a81a51955fe7f1d5e4281409.exe
"C:\Users\Admin\AppData\Local\Temp\5c54bd1aa2abf024f53490b7d93101496b5842a5a81a51955fe7f1d5e4281409.exe"
C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
C:\Windows\system32\printfilterpipelinesvc.exe
C:\Windows\system32\printfilterpipelinesvc.exe -Embedding
C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
/insertdoc "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\{EA44AF2A-0594-4663-9A0D-9CC5F6DCA07D}.xps" 133764972849610000
C:\ProgramData\D9B7.tmp
"C:\ProgramData\D9B7.tmp"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\D9B7.tmp >> NUL
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 180.129.81.91.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 20.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | roaming.officeapps.live.com | udp |
| NL | 52.109.89.19:443 | roaming.officeapps.live.com | tcp |
| US | 8.8.8.8:53 | 19.89.109.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.89.109.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.117.168.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 85.49.80.91.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
Files
C:\$Recycle.Bin\S-1-5-21-3350944739-639801879-157714471-1000\desktop.ini
F:\$RECYCLE.BIN\S-1-5-21-3350944739-639801879-157714471-1000\DDDDDDDDDDD
C:\uBBbnTEl1.README.txt
C:\ProgramData\D9B7.tmp
C:\Users\Admin\AppData\Local\Temp\EEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE
C:\Users\Admin\Documents\OneNote Notebooks\My Notebook\Open Notebook.onetoc2