Analysis Overview
SHA256
82b336cd120ef07d8df5a3e3fa082bcca8b5c0a3481fae78cb5dd29072979f69
Threat Level: Known bad
The file 82b336cd120ef07d8df5a3e3fa082bcca8b5c0a3481fae78cb5dd29072979f69 was found to be: Known bad.
Malicious Activity Summary
DragonForce
Dragonforce family
Lockbit family
Rule to detect Lockbit 3.0 ransomware Windows payload
Checks computer location settings
Executes dropped EXE
Reads user/profile data of web browsers
Loads dropped DLL
Deletes itself
Drops desktop.ini file(s)
Indicator Removal: File Deletion
Drops file in System32 directory
UPX packed file
Suspicious use of NtSetInformationThreadHideFromDebugger
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: RenamesItself
Suspicious use of WriteProcessMemory
Checks processor information in registry
Enumerates system info in registry
Suspicious use of SetWindowsHookEx
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-20 10:11
Signatures
Lockbit family
Rule to detect Lockbit 3.0 ransomware Windows payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-20 10:11
Reported
2024-11-20 10:13
Platform
win7-20240903-en
Max time kernel
118s
Max time network
119s
Command Line
Signatures
DragonForce
Dragonforce family
Deletes itself
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\ProgramData\D191.tmp | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\ProgramData\D191.tmp | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\82b336cd120ef07d8df5a3e3fa082bcca8b5c0a3481fae78cb5dd29072979f69.exe | N/A |
Reads user/profile data of web browsers
Drops desktop.ini file(s)
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | C:\$Recycle.Bin\S-1-5-21-2872745919-2748461613-2989606286-1000\desktop.ini | C:\Users\Admin\AppData\Local\Temp\82b336cd120ef07d8df5a3e3fa082bcca8b5c0a3481fae78cb5dd29072979f69.exe | N/A |
| File opened for modification | F:\$RECYCLE.BIN\S-1-5-21-2872745919-2748461613-2989606286-1000\desktop.ini | C:\Users\Admin\AppData\Local\Temp\82b336cd120ef07d8df5a3e3fa082bcca8b5c0a3481fae78cb5dd29072979f69.exe | N/A |
Indicator Removal: File Deletion
Suspicious use of NtSetInformationThreadHideFromDebugger
UPX packed file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\82b336cd120ef07d8df5a3e3fa082bcca8b5c0a3481fae78cb5dd29072979f69.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\ProgramData\D191.tmp | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: RenamesItself
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\ProgramData\D191.tmp | N/A |
| N/A | N/A | C:\ProgramData\D191.tmp | N/A |
| N/A | N/A | C:\ProgramData\D191.tmp | N/A |
| N/A | N/A | C:\ProgramData\D191.tmp | N/A |
| N/A | N/A | C:\ProgramData\D191.tmp | N/A |
| N/A | N/A | C:\ProgramData\D191.tmp | N/A |
| N/A | N/A | C:\ProgramData\D191.tmp | N/A |
| N/A | N/A | C:\ProgramData\D191.tmp | N/A |
| N/A | N/A | C:\ProgramData\D191.tmp | N/A |
| N/A | N/A | C:\ProgramData\D191.tmp | N/A |
| N/A | N/A | C:\ProgramData\D191.tmp | N/A |
| N/A | N/A | C:\ProgramData\D191.tmp | N/A |
| N/A | N/A | C:\ProgramData\D191.tmp | N/A |
| N/A | N/A | C:\ProgramData\D191.tmp | N/A |
| N/A | N/A | C:\ProgramData\D191.tmp | N/A |
| N/A | N/A | C:\ProgramData\D191.tmp | N/A |
| N/A | N/A | C:\ProgramData\D191.tmp | N/A |
| N/A | N/A | C:\ProgramData\D191.tmp | N/A |
| N/A | N/A | C:\ProgramData\D191.tmp | N/A |
| N/A | N/A | C:\ProgramData\D191.tmp | N/A |
| N/A | N/A | C:\ProgramData\D191.tmp | N/A |
| N/A | N/A | C:\ProgramData\D191.tmp | N/A |
| N/A | N/A | C:\ProgramData\D191.tmp | N/A |
| N/A | N/A | C:\ProgramData\D191.tmp | N/A |
| N/A | N/A | C:\ProgramData\D191.tmp | N/A |
| N/A | N/A | C:\ProgramData\D191.tmp | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\82b336cd120ef07d8df5a3e3fa082bcca8b5c0a3481fae78cb5dd29072979f69.exe
"C:\Users\Admin\AppData\Local\Temp\82b336cd120ef07d8df5a3e3fa082bcca8b5c0a3481fae78cb5dd29072979f69.exe"
C:\ProgramData\D191.tmp
"C:\ProgramData\D191.tmp"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\D191.tmp >> NUL
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x14c
Network
Files
memory/2532-0-0x0000000000940000-0x000000000096B000-memory.dmp
memory/2532-1-0x0000000000840000-0x0000000000880000-memory.dmp
C:\$Recycle.Bin\S-1-5-21-2872745919-2748461613-2989606286-1000\desktop.ini
| MD5 | f5ee98003d68f6f4a13f0dc61019c654 |
| SHA1 | d320ce082427554fcb5d9408eb56048bdc93f72a |
| SHA256 | 182310ce360e3e2503b2d204951bfbe18deb438cc8da515ea64952a370a780c8 |
| SHA512 | 10588219019d61b889e30d2f52dda3b2641fe5906b1b7139d21a1fe7823f0791280341aa3562f04e2b2d0dbee94306af39b356c53fd6b96bc7a66344e6da0d21 |
C:\EUPTJQjet.README.txt
| MD5 | 28a0b2da25ffdb6072476fb934c21c68 |
| SHA1 | bfa53a23eadcbf9279a31eb88d4372b9b0eaddef |
| SHA256 | e9be57ffc63a0df53107c73988d5a8e9732b6c951930efda87708ecd8c8cb36d |
| SHA512 | 136f9d3ddf785752e98f5a1527092de61ca39877fe45d5aba861874923789c107e12301053df7f301787163a53be27537f07ba45002f03dfd1b3bd8b8d69b396 |
F:\$RECYCLE.BIN\S-1-5-21-2872745919-2748461613-2989606286-1000\DDDDDDDDDDD
| MD5 | b0684fd90e16c67aa5fbfa9840ea8b01 |
| SHA1 | ad1bee2a7543a74329d153c69027427e97f4ad95 |
| SHA256 | 0b60360c5299846813a115432cf2f8a3e8d6de07e946bf753c1b993ef6c3076a |
| SHA512 | 885c091480afa98db35f059e6f9beff39584b0051ee29e5e65c1a2d55ae4ca2c72d4cfeacbbf8794a70782a4b45ca0db5162e46e1e69eb2c5c9d04f5f19423ad |
C:\ProgramData\D191.tmp
| MD5 | 294e9f64cb1642dd89229fff0592856b |
| SHA1 | 97b148c27f3da29ba7b18d6aee8a0db9102f47c9 |
| SHA256 | 917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2 |
| SHA512 | b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf |
memory/620-844-0x000000007EF20000-0x000000007EF21000-memory.dmp
memory/620-843-0x000000007EF80000-0x000000007EF81000-memory.dmp
memory/620-842-0x0000000002070000-0x00000000020B0000-memory.dmp
memory/620-841-0x0000000002070000-0x00000000020B0000-memory.dmp
memory/620-840-0x000000007EFA0000-0x000000007EFA1000-memory.dmp
memory/2532-839-0x0000000000940000-0x000000000096B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD
| MD5 | 840dbb0fe1a72373c492c712ccab0dad |
| SHA1 | 7220960dbd82d10353865f2ffb2f1a975f718097 |
| SHA256 | 8f4fedc6cf7eed58a5886d5e9eee58fe44767d2ed605a31325965c3c2ab33a77 |
| SHA512 | 843901db92fe11c62d3e06e6a6c0331cbdaf0e8e4dfb7ec74a4c246b1623d2aa86e003503fa6edfcf10c782e677e94e3e72e660e76bfe874295ff6603515b536 |
memory/620-874-0x000000007EF60000-0x000000007EF61000-memory.dmp
memory/620-873-0x000000007EF40000-0x000000007EF41000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-20 10:11
Reported
2024-11-20 10:13
Platform
win10v2004-20241007-en
Max time kernel
150s
Max time network
152s
Command Line
Signatures
DragonForce
Dragonforce family
Checks computer location settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation | C:\ProgramData\C3AF.tmp | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\ProgramData\C3AF.tmp | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\ProgramData\C3AF.tmp | N/A |
Reads user/profile data of web browsers
Drops desktop.ini file(s)
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | F:\$RECYCLE.BIN\S-1-5-21-3227495264-2217614367-4027411560-1000\desktop.ini | C:\Users\Admin\AppData\Local\Temp\82b336cd120ef07d8df5a3e3fa082bcca8b5c0a3481fae78cb5dd29072979f69.exe | N/A |
| File opened for modification | C:\$Recycle.Bin\S-1-5-21-3227495264-2217614367-4027411560-1000\desktop.ini | C:\Users\Admin\AppData\Local\Temp\82b336cd120ef07d8df5a3e3fa082bcca8b5c0a3481fae78cb5dd29072979f69.exe | N/A |
Indicator Removal: File Deletion
Drops file in System32 directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\system32\spool\PRINTERS\00002.SPL | C:\Windows\splwow64.exe | N/A |
| File created | C:\Windows\system32\spool\PRINTERS\PPbu5si5qkslj0o1j0yr1mza6wd.TMP | C:\Windows\system32\printfilterpipelinesvc.exe | N/A |
| File created | C:\Windows\system32\spool\PRINTERS\PPpfzziou4a8qw8ba5puhs015kc.TMP | C:\Windows\system32\printfilterpipelinesvc.exe | N/A |
| File created | C:\Windows\system32\spool\PRINTERS\PPly7fsv3tyu42bijhp7cht7dob.TMP | C:\Windows\system32\printfilterpipelinesvc.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
UPX packed file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\ProgramData\C3AF.tmp | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\82b336cd120ef07d8df5a3e3fa082bcca8b5c0a3481fae78cb5dd29072979f69.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: RenamesItself
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\ProgramData\C3AF.tmp | N/A |
| N/A | N/A | C:\ProgramData\C3AF.tmp | N/A |
| N/A | N/A | C:\ProgramData\C3AF.tmp | N/A |
| N/A | N/A | C:\ProgramData\C3AF.tmp | N/A |
| N/A | N/A | C:\ProgramData\C3AF.tmp | N/A |
| N/A | N/A | C:\ProgramData\C3AF.tmp | N/A |
| N/A | N/A | C:\ProgramData\C3AF.tmp | N/A |
| N/A | N/A | C:\ProgramData\C3AF.tmp | N/A |
| N/A | N/A | C:\ProgramData\C3AF.tmp | N/A |
| N/A | N/A | C:\ProgramData\C3AF.tmp | N/A |
| N/A | N/A | C:\ProgramData\C3AF.tmp | N/A |
| N/A | N/A | C:\ProgramData\C3AF.tmp | N/A |
| N/A | N/A | C:\ProgramData\C3AF.tmp | N/A |
| N/A | N/A | C:\ProgramData\C3AF.tmp | N/A |
| N/A | N/A | C:\ProgramData\C3AF.tmp | N/A |
| N/A | N/A | C:\ProgramData\C3AF.tmp | N/A |
| N/A | N/A | C:\ProgramData\C3AF.tmp | N/A |
| N/A | N/A | C:\ProgramData\C3AF.tmp | N/A |
| N/A | N/A | C:\ProgramData\C3AF.tmp | N/A |
| N/A | N/A | C:\ProgramData\C3AF.tmp | N/A |
| N/A | N/A | C:\ProgramData\C3AF.tmp | N/A |
| N/A | N/A | C:\ProgramData\C3AF.tmp | N/A |
| N/A | N/A | C:\ProgramData\C3AF.tmp | N/A |
| N/A | N/A | C:\ProgramData\C3AF.tmp | N/A |
| N/A | N/A | C:\ProgramData\C3AF.tmp | N/A |
| N/A | N/A | C:\ProgramData\C3AF.tmp | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\82b336cd120ef07d8df5a3e3fa082bcca8b5c0a3481fae78cb5dd29072979f69.exe
"C:\Users\Admin\AppData\Local\Temp\82b336cd120ef07d8df5a3e3fa082bcca8b5c0a3481fae78cb5dd29072979f69.exe"
C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
C:\Windows\system32\printfilterpipelinesvc.exe
C:\Windows\system32\printfilterpipelinesvc.exe -Embedding
C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
/insertdoc "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\{81D1C2E4-51A7-489D-9A3A-8900B463FB30}.xps" 133765710986170000
C:\ProgramData\C3AF.tmp
"C:\ProgramData\C3AF.tmp"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\C3AF.tmp >> NUL
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 20.49.80.91.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 69.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.89.109.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | roaming.officeapps.live.com | udp |
| IE | 52.109.76.243:443 | roaming.officeapps.live.com | tcp |
| US | 8.8.8.8:53 | 243.76.109.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.242.123.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 27.173.189.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 197.87.175.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 24.66.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.173.189.20.in-addr.arpa | udp |
Files
memory/1964-0-0x00000000005B0000-0x00000000005DB000-memory.dmp
memory/1964-3-0x0000000000D00000-0x0000000000D10000-memory.dmp
memory/1964-2-0x0000000000D00000-0x0000000000D10000-memory.dmp
memory/1964-1-0x0000000000D00000-0x0000000000D10000-memory.dmp
C:\$Recycle.Bin\S-1-5-21-3227495264-2217614367-4027411560-1000\GGGGGGGGGGG
| MD5 | c23e6c9a9fb16ac804782d6b7f22d70f |
| SHA1 | fb14e6ca366b4a74365a5391516327dae55bcb0b |
| SHA256 | 2e9fa4a4a7bc39675f269baea5ccb0752e2fd63fa8a94c02d4ce7f77515b2407 |
| SHA512 | 4b5b212e1e6cf98b2b7c71cffc8b163df2d3533201f7b398f6fdcba271a55af1a27d6a6d46df0ee813927a6cee8481ac5dbeabf86b80c4355be352194a9d4ad2 |
F:\$RECYCLE.BIN\S-1-5-21-3227495264-2217614367-4027411560-1000\DDDDDDDDDDD
| MD5 | 40386006c807f6391de884e1d204b1ea |
| SHA1 | 1282d618423df55eb0ee42dfe9ec5fd04309f014 |
| SHA256 | 5d92b1c9e0ceca1ad3140a6c976ca8745139ebba4ea4be2f62641e9207fb8dfb |
| SHA512 | f858806c4271992ce1aeb949c1af9506b106b4f71a0ce9e352c0ae9b05cbfae6e960ab3e1a24f484a446eb5044b23325e8f976e6b785704e0dd0f0487285fd89 |
C:\EUPTJQjet.README.txt
| MD5 | 3c4c2e7981c6b3e64fcb8d5d38b7fd51 |
| SHA1 | d36176986570e5240da839a086da0b62eb70bf55 |
| SHA256 | 2d3c75ade4ebea8dc21de93f2116620ebebcf1faf4ddaf18ad2e4d56a9968b7e |
| SHA512 | 7e2cd86b7e7e9df4a163e139377a531cb779cf6cb546a782181a258d9b048640d99dce0b0382e215d5c19f16de1cef27fa64fec249e8c8bc35f13c9a741cea03 |
memory/1964-2804-0x00000000005B0000-0x00000000005DB000-memory.dmp
memory/1964-2807-0x0000000000D00000-0x0000000000D10000-memory.dmp
memory/1964-2806-0x0000000000D00000-0x0000000000D10000-memory.dmp
memory/1964-2805-0x0000000000D00000-0x0000000000D10000-memory.dmp
C:\ProgramData\C3AF.tmp
| MD5 | 294e9f64cb1642dd89229fff0592856b |
| SHA1 | 97b148c27f3da29ba7b18d6aee8a0db9102f47c9 |
| SHA256 | 917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2 |
| SHA512 | b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf |
memory/4068-2823-0x00007FF8F4A30000-0x00007FF8F4A40000-memory.dmp
memory/4068-2825-0x00007FF8F4A30000-0x00007FF8F4A40000-memory.dmp
memory/4068-2824-0x00007FF8F4A30000-0x00007FF8F4A40000-memory.dmp
memory/4068-2826-0x00007FF8F4A30000-0x00007FF8F4A40000-memory.dmp
memory/4068-2827-0x00007FF8F4A30000-0x00007FF8F4A40000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD
| MD5 | efac65d3d2aebd84fb3ae27ffe8a9e21 |
| SHA1 | d3ab4159b5f9afa8a6b64983a40e7cff1b9c116b |
| SHA256 | 9d4d9c6e7872e0562257e041e4a70421d780272880fb9f3a0a77164f99e4cacd |
| SHA512 | cd6aa3dfff19fa9d1d41373e54e92b4b514a9d414a9e074e0eae3294b7987cf9c67f4b4fd6e7549fa5953cbb07d0e5274b3bc2c6057fcfb6ad9130991cac29e0 |
memory/4068-2857-0x00007FF8F21C0000-0x00007FF8F21D0000-memory.dmp
memory/4068-2858-0x00007FF8F21C0000-0x00007FF8F21D0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\{78BA106C-E964-4014-B6C4-33E5181CA33F}
| MD5 | 9230a1b1304a8f36c82b12f070193de8 |
| SHA1 | d889a79185f706348a78da51c324764c08aa3779 |
| SHA256 | 4cdd0e4eeec3e2c06bb9a7e1f653493db5bc5f7d7b56de9e7660b6f004e03c2b |
| SHA512 | 573e0735fe6cb3d292a46bf6803d141b2c5acaa044bb4f4d38e5a88bb323eaad5976fe1b2548bceab21219ce0074c0810202b432d01704b9d63598686258ecac |
C:\Users\Admin\Documents\OneNote Notebooks\My Notebook\Open Notebook.onetoc2
| MD5 | 6536026df4ce939aefb49ebd8d92880d |
| SHA1 | 01bd494b87b2172522750d654d3d475db98bc408 |
| SHA256 | 5092f6fe0a047946c5acf95733d9f1839d4efffc476b529b2cb35cfc77c4e018 |
| SHA512 | 4e079401223b02b9d830b16af8da444d557fcdecace62289fb6395732498b60a12486e1e95cc8f6818b28ca2802ed6152603977bac99156a064197edba76053e |