Analysis Overview
SHA256
5c54bd1aa2abf024f53490b7d93101496b5842a5a81a51955fe7f1d5e4281409
Threat Level: Known bad
The file 5c54bd1aa2abf024f53490b7d93101496b5842a5a81a51955fe7f1d5e4281409.exe was found to be: Known bad.
Malicious Activity Summary
Lockbit family
Rule to detect Lockbit 3.0 ransomware Windows payload
DragonForce
Dragonforce family
Executes dropped EXE
Deletes itself
Loads dropped DLL
Reads user/profile data of web browsers
Checks computer location settings
Indicator Removal: File Deletion
Drops desktop.ini file(s)
Suspicious use of NtSetInformationThreadHideFromDebugger
Drops file in System32 directory
Unsigned PE
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Enumerates system info in registry
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
Suspicious behavior: RenamesItself
Checks processor information in registry
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-20 02:49
Signatures
Lockbit family
Rule to detect Lockbit 3.0 ransomware Windows payload
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-20 02:49
Reported
2024-11-20 02:52
Platform
win7-20240903-en
Max time kernel
120s
Max time network
121s
Command Line
Signatures
DragonForce
Dragonforce family
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\D77B.tmp | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\D77B.tmp | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5c54bd1aa2abf024f53490b7d93101496b5842a5a81a51955fe7f1d5e4281409.exe | N/A |
Reads user/profile data of web browsers
Drops desktop.ini file(s)
| Description | Indicator | Process | Target |
| File opened for modification | C:\$Recycle.Bin\S-1-5-21-4177215427-74451935-3209572229-1000\desktop.ini | C:\Users\Admin\AppData\Local\Temp\5c54bd1aa2abf024f53490b7d93101496b5842a5a81a51955fe7f1d5e4281409.exe | N/A |
| File opened for modification | F:\$RECYCLE.BIN\S-1-5-21-4177215427-74451935-3209572229-1000\desktop.ini | C:\Users\Admin\AppData\Local\Temp\5c54bd1aa2abf024f53490b7d93101496b5842a5a81a51955fe7f1d5e4281409.exe | N/A |
Indicator Removal: File Deletion
Suspicious use of NtSetInformationThreadHideFromDebugger
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\5c54bd1aa2abf024f53490b7d93101496b5842a5a81a51955fe7f1d5e4281409.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\ProgramData\D77B.tmp | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: RenamesItself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\D77B.tmp | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\5c54bd1aa2abf024f53490b7d93101496b5842a5a81a51955fe7f1d5e4281409.exe
"C:\Users\Admin\AppData\Local\Temp\5c54bd1aa2abf024f53490b7d93101496b5842a5a81a51955fe7f1d5e4281409.exe"
C:\ProgramData\D77B.tmp
"C:\ProgramData\D77B.tmp"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\D77B.tmp >> NUL
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x148
Network
Files
C:\$Recycle.Bin\S-1-5-21-4177215427-74451935-3209572229-1000\desktop.ini
C:\uBBbnTEl1.README.txt
F:\$RECYCLE.BIN\S-1-5-21-4177215427-74451935-3209572229-1000\DDDDDDDDDDD
C:\ProgramData\D77B.tmp
C:\Users\Admin\AppData\Local\Temp\DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-20 02:49
Reported
2024-11-20 02:52
Platform
win10v2004-20241007-en
Max time kernel
105s
Max time network
160s
Command Line
Signatures
DragonForce
Dragonforce family
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | C:\ProgramData\4840.tmp | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\4840.tmp | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\4840.tmp | N/A |
Reads user/profile data of web browsers
Drops desktop.ini file(s)
| Description | Indicator | Process | Target |
| File opened for modification | C:\$Recycle.Bin\S-1-5-21-2437139445-1151884604-3026847218-1000\desktop.ini | C:\Users\Admin\AppData\Local\Temp\5c54bd1aa2abf024f53490b7d93101496b5842a5a81a51955fe7f1d5e4281409.exe | N/A |
| File opened for modification | F:\$RECYCLE.BIN\S-1-5-21-2437139445-1151884604-3026847218-1000\desktop.ini | C:\Users\Admin\AppData\Local\Temp\5c54bd1aa2abf024f53490b7d93101496b5842a5a81a51955fe7f1d5e4281409.exe | N/A |
Indicator Removal: File Deletion
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\system32\spool\PRINTERS\00002.SPL | C:\Windows\splwow64.exe | N/A |
| File created | C:\Windows\system32\spool\PRINTERS\PPlbe8664lbre7ykwkyl2k0zt5d.TMP | C:\Windows\system32\printfilterpipelinesvc.exe | N/A |
| File created | C:\Windows\system32\spool\PRINTERS\PPj29gm6md2rpunjqjxnw0tezvc.TMP | C:\Windows\system32\printfilterpipelinesvc.exe | N/A |
| File created | C:\Windows\system32\spool\PRINTERS\PPdbbita43roumy39niyvicjgkc.TMP | C:\Windows\system32\printfilterpipelinesvc.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\5c54bd1aa2abf024f53490b7d93101496b5842a5a81a51955fe7f1d5e4281409.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\ProgramData\4840.tmp | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: RenamesItself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\4840.tmp | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\5c54bd1aa2abf024f53490b7d93101496b5842a5a81a51955fe7f1d5e4281409.exe
"C:\Users\Admin\AppData\Local\Temp\5c54bd1aa2abf024f53490b7d93101496b5842a5a81a51955fe7f1d5e4281409.exe"
C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
C:\Windows\system32\printfilterpipelinesvc.exe
C:\Windows\system32\printfilterpipelinesvc.exe -Embedding
C:\ProgramData\4840.tmp
"C:\ProgramData\4840.tmp"
C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
/insertdoc "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\{F2BCF7AF-0626-4E0E-9CBA-7B6AE3319B86}.xps" 133765446229100000
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\4840.tmp >> NUL
Network
Files
C:\$Recycle.Bin\S-1-5-21-2437139445-1151884604-3026847218-1000\AAAAAAAAAAA
C:\uBBbnTEl1.README.txt
F:\$RECYCLE.BIN\S-1-5-21-2437139445-1151884604-3026847218-1000\DDDDDDDDDDD
C:\ProgramData\4840.tmp
C:\Users\Admin\AppData\Local\Temp\DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD
C:\Users\Admin\AppData\Local\Temp\{C6BBBDFD-8EF9-42CD-BB2E-0F63FA61C349}
C:\Users\Admin\Documents\OneNote Notebooks\My Notebook\Open Notebook.onetoc2