Analysis Overview
SHA256
3a46534271954db3df6dcc13b13fc69c7f7cc95c0a6f59b46778299c4168c658
Threat Level: Known bad
The file 2024-02-28_5d066d873d1736570f2d10c182dfebd2_lockbit was found to be: Known bad.
Malicious Activity Summary
Lockbit
Renames multiple (15584) files with added filename extension
Modifies boot configuration data using bcdedit
Deletes shadow copies
Deletes backup catalog
Enumerates connected drives
Adds Run key to start application
Suspicious use of NtSetInformationThreadHideFromDebugger
Drops file in Program Files directory
Enumerates physical storage devices
Unsigned PE
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: EnumeratesProcesses
Modifies registry class
Interacts with shadow copies
Suspicious use of AdjustPrivilegeToken
Suspicious use of SendNotifyMessage
Uses Task Scheduler COM API
Uses Volume Shadow Copy service COM API
Checks SCSI registry key(s)
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-03-01 00:38
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-03-01 00:38
Reported
2024-03-01 00:49
Platform
win11-20240221-en
Max time kernel
631s
Max time network
517s
Command Line
Signatures
Lockbit
Deletes shadow copies
Modifies boot configuration data using bcdedit
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
Renames multiple (15584) files with added filename extension
Deletes backup catalog
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\wbadmin.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-160263616-143223877-1356318919-1000\Software\Microsoft\Windows\CurrentVersion\Run\XO1XADpO01 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\2024-02-28_5d066d873d1736570f2d10c182dfebd2_lockbit.exe\"" | C:\Users\Admin\AppData\Local\Temp\2024-02-28_5d066d873d1736570f2d10c182dfebd2_lockbit.exe | N/A |
Enumerates connected drives
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\F: | C:\Users\Admin\AppData\Local\Temp\2024-02-28_5d066d873d1736570f2d10c182dfebd2_lockbit.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogoSmall.contrast-white_scale-80.png.lockbit | C:\Users\Admin\AppData\Local\Temp\2024-02-28_5d066d873d1736570f2d10c182dfebd2_lockbit.exe | N/A |
| File opened for modification | C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Pester.nuspec.lockbit | C:\Users\Admin\AppData\Local\Temp\2024-02-28_5d066d873d1736570f2d10c182dfebd2_lockbit.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\ru-ru\ui-strings.js.lockbit | C:\Users\Admin\AppData\Local\Temp\2024-02-28_5d066d873d1736570f2d10c182dfebd2_lockbit.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessDemoR_BypassTrial365-ppd.xrm-ms.lockbit | C:\Users\Admin\AppData\Local\Temp\2024-02-28_5d066d873d1736570f2d10c182dfebd2_lockbit.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_Trial-ppd.xrm-ms.lockbit | C:\Users\Admin\AppData\Local\Temp\2024-02-28_5d066d873d1736570f2d10c182dfebd2_lockbit.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\images\file_icons.png.lockbit | C:\Users\Admin\AppData\Local\Temp\2024-02-28_5d066d873d1736570f2d10c182dfebd2_lockbit.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\ja-jp\Restore-My-Files.txt | C:\Users\Admin\AppData\Local\Temp\2024-02-28_5d066d873d1736570f2d10c182dfebd2_lockbit.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\uk-ua\Restore-My-Files.txt | C:\Users\Admin\AppData\Local\Temp\2024-02-28_5d066d873d1736570f2d10c182dfebd2_lockbit.exe | N/A |
| File opened for modification | C:\Program Files\Mozilla Firefox\browser\VisualElements\VisualElements_70.png.lockbit | C:\Users\Admin\AppData\Local\Temp\2024-02-28_5d066d873d1736570f2d10c182dfebd2_lockbit.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\fr-fr\ui-strings.js.lockbit | C:\Users\Admin\AppData\Local\Temp\2024-02-28_5d066d873d1736570f2d10c182dfebd2_lockbit.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\de-de\ui-strings.js.lockbit | C:\Users\Admin\AppData\Local\Temp\2024-02-28_5d066d873d1736570f2d10c182dfebd2_lockbit.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre-1.8\legal\jdk\unicode.md.lockbit | C:\Users\Admin\AppData\Local\Temp\2024-02-28_5d066d873d1736570f2d10c182dfebd2_lockbit.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\tr-tr\Restore-My-Files.txt | C:\Users\Admin\AppData\Local\Temp\2024-02-28_5d066d873d1736570f2d10c182dfebd2_lockbit.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\images\themes\dark\s_radio_unselected_18.svg.lockbit | C:\Users\Admin\AppData\Local\Temp\2024-02-28_5d066d873d1736570f2d10c182dfebd2_lockbit.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\fi-fi\ui-strings.js.lockbit | C:\Users\Admin\AppData\Local\Temp\2024-02-28_5d066d873d1736570f2d10c182dfebd2_lockbit.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\ne.txt.lockbit | C:\Users\Admin\AppData\Local\Temp\2024-02-28_5d066d873d1736570f2d10c182dfebd2_lockbit.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\ExcelR_OEM_Perp-ppd.xrm-ms.lockbit | C:\Users\Admin\AppData\Local\Temp\2024-02-28_5d066d873d1736570f2d10c182dfebd2_lockbit.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\TellMePowerPoint.nrr.lockbit | C:\Users\Admin\AppData\Local\Temp\2024-02-28_5d066d873d1736570f2d10c182dfebd2_lockbit.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Checkers.api.lockbit | C:\Users\Admin\AppData\Local\Temp\2024-02-28_5d066d873d1736570f2d10c182dfebd2_lockbit.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\nl-nl\ui-strings.js.lockbit | C:\Users\Admin\AppData\Local\Temp\2024-02-28_5d066d873d1736570f2d10c182dfebd2_lockbit.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\ja-jp\ui-strings.js.lockbit | C:\Users\Admin\AppData\Local\Temp\2024-02-28_5d066d873d1736570f2d10c182dfebd2_lockbit.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\themes\dark\s_filetype_xd.svg.lockbit | C:\Users\Admin\AppData\Local\Temp\2024-02-28_5d066d873d1736570f2d10c182dfebd2_lockbit.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\nl-nl\ui-strings.js.lockbit | C:\Users\Admin\AppData\Local\Temp\2024-02-28_5d066d873d1736570f2d10c182dfebd2_lockbit.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\images\warning_2x.png.lockbit | C:\Users\Admin\AppData\Local\Temp\2024-02-28_5d066d873d1736570f2d10c182dfebd2_lockbit.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\cs-cz\Restore-My-Files.txt | C:\Users\Admin\AppData\Local\Temp\2024-02-28_5d066d873d1736570f2d10c182dfebd2_lockbit.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\ko-kr\ui-strings.js.lockbit | C:\Users\Admin\AppData\Local\Temp\2024-02-28_5d066d873d1736570f2d10c182dfebd2_lockbit.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\nb-no\Restore-My-Files.txt | C:\Users\Admin\AppData\Local\Temp\2024-02-28_5d066d873d1736570f2d10c182dfebd2_lockbit.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\ProPlusMSDNR_Retail-ul-oob.xrm-ms.lockbit | C:\Users\Admin\AppData\Local\Temp\2024-02-28_5d066d873d1736570f2d10c182dfebd2_lockbit.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_removeme-default_18.svg.lockbit | C:\Users\Admin\AppData\Local\Temp\2024-02-28_5d066d873d1736570f2d10c182dfebd2_lockbit.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\es-es\Restore-My-Files.txt | C:\Users\Admin\AppData\Local\Temp\2024-02-28_5d066d873d1736570f2d10c182dfebd2_lockbit.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\Restore-My-Files.txt | C:\Users\Admin\AppData\Local\Temp\2024-02-28_5d066d873d1736570f2d10c182dfebd2_lockbit.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\cardview-linkedentity-dark.png.lockbit | C:\Users\Admin\AppData\Local\Temp\2024-02-28_5d066d873d1736570f2d10c182dfebd2_lockbit.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\fr-ma\Restore-My-Files.txt | C:\Users\Admin\AppData\Local\Temp\2024-02-28_5d066d873d1736570f2d10c182dfebd2_lockbit.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\WordR_OEM_Perp-ul-phn.xrm-ms.lockbit | C:\Users\Admin\AppData\Local\Temp\2024-02-28_5d066d873d1736570f2d10c182dfebd2_lockbit.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Templates\1033\ONENOTE\16\Stationery\BUSINESS.ONE.lockbit | C:\Users\Admin\AppData\Local\Temp\2024-02-28_5d066d873d1736570f2d10c182dfebd2_lockbit.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\Publisher2019R_OEM_Perp-ppd.xrm-ms.lockbit | C:\Users\Admin\AppData\Local\Temp\2024-02-28_5d066d873d1736570f2d10c182dfebd2_lockbit.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\MEDIA\TYPE.WAV.lockbit | C:\Users\Admin\AppData\Local\Temp\2024-02-28_5d066d873d1736570f2d10c182dfebd2_lockbit.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\en-il\Restore-My-Files.txt | C:\Users\Admin\AppData\Local\Temp\2024-02-28_5d066d873d1736570f2d10c182dfebd2_lockbit.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\fr-fr\Restore-My-Files.txt | C:\Users\Admin\AppData\Local\Temp\2024-02-28_5d066d873d1736570f2d10c182dfebd2_lockbit.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\af_get.svg.lockbit | C:\Users\Admin\AppData\Local\Temp\2024-02-28_5d066d873d1736570f2d10c182dfebd2_lockbit.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\ro-ro\Restore-My-Files.txt | C:\Users\Admin\AppData\Local\Temp\2024-02-28_5d066d873d1736570f2d10c182dfebd2_lockbit.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\vfs\Fonts\private\BSSYM7.TTF.lockbit | C:\Users\Admin\AppData\Local\Temp\2024-02-28_5d066d873d1736570f2d10c182dfebd2_lockbit.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\da-dk\ui-strings.js.lockbit | C:\Users\Admin\AppData\Local\Temp\2024-02-28_5d066d873d1736570f2d10c182dfebd2_lockbit.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\de-de\Restore-My-Files.txt | C:\Users\Admin\AppData\Local\Temp\2024-02-28_5d066d873d1736570f2d10c182dfebd2_lockbit.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\Restore-My-Files.txt | C:\Users\Admin\AppData\Local\Temp\2024-02-28_5d066d873d1736570f2d10c182dfebd2_lockbit.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\WordR_Grace-ppd.xrm-ms.lockbit | C:\Users\Admin\AppData\Local\Temp\2024-02-28_5d066d873d1736570f2d10c182dfebd2_lockbit.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\en-ae\Restore-My-Files.txt | C:\Users\Admin\AppData\Local\Temp\2024-02-28_5d066d873d1736570f2d10c182dfebd2_lockbit.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\uz.txt.lockbit | C:\Users\Admin\AppData\Local\Temp\2024-02-28_5d066d873d1736570f2d10c182dfebd2_lockbit.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentVNextR_Grace-ppd.xrm-ms.lockbit | C:\Users\Admin\AppData\Local\Temp\2024-02-28_5d066d873d1736570f2d10c182dfebd2_lockbit.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\images\bg_patterns_header.png.lockbit | C:\Users\Admin\AppData\Local\Temp\2024-02-28_5d066d873d1736570f2d10c182dfebd2_lockbit.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\MEDIA\VOLTAGE.WAV.lockbit | C:\Users\Admin\AppData\Local\Temp\2024-02-28_5d066d873d1736570f2d10c182dfebd2_lockbit.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\pt-br\ui-strings.js.lockbit | C:\Users\Admin\AppData\Local\Temp\2024-02-28_5d066d873d1736570f2d10c182dfebd2_lockbit.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\images\AddressBook2x.png.lockbit | C:\Users\Admin\AppData\Local\Temp\2024-02-28_5d066d873d1736570f2d10c182dfebd2_lockbit.exe | N/A |
| File created | C:\Program Files\Microsoft Office\root\Office16\MSIPC\ro\Restore-My-Files.txt | C:\Users\Admin\AppData\Local\Temp\2024-02-28_5d066d873d1736570f2d10c182dfebd2_lockbit.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\PROOF\MSSP7FR.dub.lockbit | C:\Users\Admin\AppData\Local\Temp\2024-02-28_5d066d873d1736570f2d10c182dfebd2_lockbit.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\pages-app\js\nls\sv-se\ui-strings.js.lockbit | C:\Users\Admin\AppData\Local\Temp\2024-02-28_5d066d873d1736570f2d10c182dfebd2_lockbit.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\ru-ru\Restore-My-Files.txt | C:\Users\Admin\AppData\Local\Temp\2024-02-28_5d066d873d1736570f2d10c182dfebd2_lockbit.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\ru-ru\ui-strings.js.lockbit | C:\Users\Admin\AppData\Local\Temp\2024-02-28_5d066d873d1736570f2d10c182dfebd2_lockbit.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\version.js.lockbit | C:\Users\Admin\AppData\Local\Temp\2024-02-28_5d066d873d1736570f2d10c182dfebd2_lockbit.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\pkeyconfig-office-client15.xrm-ms.lockbit | C:\Users\Admin\AppData\Local\Temp\2024-02-28_5d066d873d1736570f2d10c182dfebd2_lockbit.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019MSDNR_Retail-ppd.xrm-ms.lockbit | C:\Users\Admin\AppData\Local\Temp\2024-02-28_5d066d873d1736570f2d10c182dfebd2_lockbit.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\VisioStdO365R_SubTrial-ppd.xrm-ms.lockbit | C:\Users\Admin\AppData\Local\Temp\2024-02-28_5d066d873d1736570f2d10c182dfebd2_lockbit.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\InAppSign.aapp.lockbit | C:\Users\Admin\AppData\Local\Temp\2024-02-28_5d066d873d1736570f2d10c182dfebd2_lockbit.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\Restore-My-Files.txt | C:\Users\Admin\AppData\Local\Temp\2024-02-28_5d066d873d1736570f2d10c182dfebd2_lockbit.exe | N/A |
Enumerates physical storage devices
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | C:\Windows\System32\Taskmgr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 | C:\Windows\System32\vds.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | C:\Windows\System32\vds.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000 | C:\Windows\System32\vds.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName | C:\Windows\System32\vds.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | C:\Windows\System32\Taskmgr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\System32\Taskmgr.exe | N/A |
Interacts with shadow copies
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\vssadmin.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-160263616-143223877-1356318919-1000_Classes\Local Settings | C:\Windows\System32\Taskmgr.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\Taskmgr.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-28_5d066d873d1736570f2d10c182dfebd2_lockbit.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-28_5d066d873d1736570f2d10c182dfebd2_lockbit.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 36 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 36 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\wbengine.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\wbengine.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\wbengine.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Taskmgr.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Taskmgr.exe | N/A |
| Token: SeCreateGlobalPrivilege | N/A | C:\Windows\System32\Taskmgr.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Uses Volume Shadow Copy service COM API
Processes
C:\Users\Admin\AppData\Local\Temp\2024-02-28_5d066d873d1736570f2d10c182dfebd2_lockbit.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-28_5d066d873d1736570f2d10c182dfebd2_lockbit.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
C:\Windows\system32\vssadmin.exe
vssadmin delete shadows /all /quiet
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
C:\Windows\System32\Wbem\WMIC.exe
wmic shadowcopy delete
C:\Windows\system32\bcdedit.exe
bcdedit /set {default} bootstatuspolicy ignoreallfailures
C:\Windows\system32\bcdedit.exe
bcdedit /set {default} recoveryenabled no
C:\Windows\system32\wbadmin.exe
wbadmin delete catalog -quiet
C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
C:\Windows\System32\vdsldr.exe
C:\Windows\System32\vdsldr.exe -Embedding
C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
C:\Windows\System32\Taskmgr.exe
"C:\Windows\System32\Taskmgr.exe"
Network
| Country | Destination | Domain | Proto |
| GB | 104.86.110.112:443 | tcp | |
| US | 8.8.8.8:53 | browser.pipe.aria.microsoft.com | udp |
| US | 20.42.65.89:443 | browser.pipe.aria.microsoft.com | tcp |
| US | 8.8.8.8:53 | 173.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 89.65.42.20.in-addr.arpa | udp |
| GB | 92.123.128.181:443 | r.bing.com | tcp |
| GB | 92.123.128.181:443 | r.bing.com | tcp |
| GB | 92.123.128.181:443 | r.bing.com | tcp |
| GB | 92.123.128.181:443 | r.bing.com | tcp |
| GB | 92.123.128.181:443 | r.bing.com | tcp |
| GB | 92.123.128.181:443 | r.bing.com | tcp |
| N/A | 10.127.0.208:445 | tcp | |
| N/A | 10.127.0.1:445 | tcp | |
| N/A | 10.127.0.209:445 | tcp | |
| N/A | 10.127.0.44:445 | tcp | |
| N/A | 10.127.0.10:445 | tcp | |
| N/A | 10.127.0.34:445 | tcp | |
| N/A | 10.127.0.23:445 | tcp | |
| N/A | 10.127.0.46:445 | tcp | |
| N/A | 10.127.0.47:445 | tcp | |
| N/A | 10.127.0.2:445 | tcp | |
| N/A | 10.127.0.18:445 | tcp | |
| N/A | 10.127.0.43:445 | tcp | |
| N/A | 10.127.0.8:445 | tcp | |
| N/A | 10.127.0.24:445 | tcp | |
| N/A | 10.127.0.41:445 | tcp | |
| N/A | 10.127.0.206:445 | tcp | |
| N/A | 10.127.0.211:445 | tcp | |
| N/A | 10.127.0.7:445 | tcp | |
| N/A | 10.127.0.212:445 | tcp | |
| N/A | 10.127.0.0:445 | tcp | |
| N/A | 10.127.0.203:445 | tcp | |
| N/A | 10.127.0.9:445 | tcp | |
| N/A | 10.127.0.27:445 | tcp | |
| N/A | 10.127.0.210:445 | tcp | |
| N/A | 10.127.0.32:445 | tcp | |
| N/A | 10.127.0.11:445 | tcp | |
| N/A | 10.127.0.28:445 | tcp | |
| N/A | 10.127.0.243:445 | tcp | |
| N/A | 10.127.0.37:445 | tcp | |
| N/A | 10.127.0.38:445 | tcp | |
| N/A | 10.127.0.21:445 | tcp | |
| N/A | 10.127.0.26:445 | tcp | |
| N/A | 10.127.0.35:445 | tcp | |
| N/A | 10.127.0.48:445 | tcp | |
| N/A | 10.127.0.247:445 | tcp | |
| N/A | 10.127.0.15:445 | tcp | |
| N/A | 10.127.0.250:445 | tcp | |
| N/A | 10.127.0.13:445 | tcp | |
| N/A | 10.127.0.5:445 | tcp | |
| N/A | 10.127.0.76:445 | tcp | |
| N/A | 10.127.0.204:445 | tcp | |
| N/A | 10.127.0.25:445 | tcp | |
| N/A | 10.127.0.246:445 | tcp | |
| N/A | 10.127.0.4:445 | tcp | |
| N/A | 10.127.0.12:445 | tcp | |
| N/A | 10.127.0.150:445 | tcp | |
| N/A | 10.127.0.33:445 | tcp | |
| N/A | 10.127.0.217:445 | tcp | |
| N/A | 10.127.0.14:445 | tcp | |
| N/A | 10.127.0.207:445 | tcp | |
| N/A | 10.127.0.40:445 | tcp | |
| N/A | 10.127.0.239:445 | tcp | |
| N/A | 10.127.0.17:445 | tcp | |
| N/A | 10.127.0.20:445 | tcp | |
| N/A | 10.127.0.22:445 | tcp | |
| N/A | 10.127.0.248:445 | tcp | |
| N/A | 10.127.0.42:445 | tcp | |
| N/A | 10.127.0.45:445 | tcp | |
| N/A | 10.127.0.6:445 | tcp | |
| N/A | 10.127.0.249:445 | tcp | |
| N/A | 10.127.0.19:445 | tcp | |
| N/A | 10.127.0.39:445 | tcp | |
| N/A | 10.127.0.3:445 | tcp | |
| N/A | 10.127.0.254:445 | tcp | |
| N/A | 10.127.0.30:445 | tcp | |
| N/A | 10.127.0.205:445 | tcp | |
| N/A | 10.127.0.240:445 | tcp | |
| N/A | 10.127.0.16:445 | tcp | |
| N/A | 10.127.0.77:445 | tcp | |
| N/A | 10.127.0.245:445 | tcp | |
| N/A | 10.127.0.67:445 | tcp | |
| N/A | 10.127.0.31:445 | tcp | |
| N/A | 10.127.0.36:445 | tcp | |
| N/A | 10.127.0.70:445 | tcp | |
| N/A | 10.127.0.83:445 | tcp | |
| N/A | 10.127.0.82:445 | tcp | |
| N/A | 10.127.0.85:445 | tcp | |
| N/A | 10.127.0.99:445 | tcp | |
| N/A | 10.127.0.54:445 | tcp | |
| N/A | 10.127.0.66:445 | tcp | |
| N/A | 10.127.0.72:445 | tcp | |
| N/A | 10.127.0.71:445 | tcp | |
| N/A | 10.127.0.102:445 | tcp | |
| N/A | 10.127.0.59:445 | tcp | |
| N/A | 10.127.0.50:445 | tcp | |
| N/A | 10.127.0.49:445 | tcp | |
| N/A | 10.127.0.51:445 | tcp | |
| N/A | 10.127.0.52:445 | tcp | |
| N/A | 10.127.0.53:445 | tcp | |
| N/A | 10.127.0.55:445 | tcp | |
| N/A | 10.127.0.56:445 | tcp | |
| N/A | 10.127.0.57:445 | tcp | |
| N/A | 10.127.0.58:445 | tcp | |
| N/A | 10.127.0.60:445 | tcp | |
| N/A | 10.127.0.61:445 | tcp | |
| N/A | 10.127.0.62:445 | tcp | |
| N/A | 10.127.0.63:445 | tcp | |
| N/A | 10.127.0.64:445 | tcp | |
| N/A | 10.127.0.65:445 | tcp | |
| N/A | 10.127.0.68:445 | tcp | |
| N/A | 10.127.0.69:445 | tcp | |
| N/A | 10.127.0.73:445 | tcp | |
| N/A | 10.127.0.74:445 | tcp | |
| N/A | 10.127.0.75:445 | tcp | |
| N/A | 10.127.0.78:445 | tcp | |
| N/A | 10.127.0.79:445 | tcp | |
| N/A | 10.127.0.80:445 | tcp | |
| N/A | 10.127.0.81:445 | tcp | |
| N/A | 10.127.0.84:445 | tcp | |
| N/A | 10.127.0.86:445 | tcp | |
| N/A | 10.127.0.87:445 | tcp | |
| N/A | 10.127.0.88:445 | tcp | |
| N/A | 10.127.0.89:445 | tcp | |
| N/A | 10.127.0.90:445 | tcp | |
| N/A | 10.127.0.91:445 | tcp | |
| N/A | 10.127.0.92:445 | tcp | |
| N/A | 10.127.0.93:445 | tcp | |
| N/A | 10.127.0.94:445 | tcp | |
| N/A | 10.127.0.95:445 | tcp | |
| N/A | 10.127.0.96:445 | tcp | |
| N/A | 10.127.0.97:445 | tcp | |
| N/A | 10.127.0.98:445 | tcp | |
| N/A | 10.127.0.100:445 | tcp | |
| N/A | 10.127.0.101:445 | tcp | |
| N/A | 10.127.0.103:445 | tcp | |
| N/A | 10.127.0.104:445 | tcp | |
| N/A | 10.127.0.105:445 | tcp | |
| N/A | 10.127.0.106:445 | tcp | |
| N/A | 10.127.0.107:445 | tcp | |
| N/A | 10.127.0.108:445 | tcp | |
| N/A | 10.127.0.109:445 | tcp | |
| N/A | 10.127.0.110:445 | tcp | |
| N/A | 10.127.0.111:445 | tcp | |
| N/A | 10.127.0.112:445 | tcp | |
| N/A | 10.127.0.113:445 | tcp | |
| N/A | 10.127.0.114:445 | tcp | |
| N/A | 10.127.0.115:445 | tcp | |
| N/A | 10.127.0.116:445 | tcp | |
| N/A | 10.127.0.117:445 | tcp | |
| N/A | 10.127.0.118:445 | tcp | |
| N/A | 10.127.0.119:445 | tcp | |
| N/A | 10.127.0.120:445 | tcp | |
| N/A | 10.127.0.121:445 | tcp | |
| N/A | 10.127.0.122:445 | tcp | |
| N/A | 10.127.0.123:445 | tcp | |
| N/A | 10.127.0.124:445 | tcp | |
| N/A | 10.127.0.125:445 | tcp | |
| N/A | 10.127.0.126:445 | tcp | |
| N/A | 10.127.0.127:445 | tcp | |
| N/A | 10.127.0.128:445 | tcp | |
| N/A | 10.127.0.129:445 | tcp | |
| N/A | 10.127.0.130:445 | tcp | |
| N/A | 10.127.0.131:445 | tcp | |
| N/A | 10.127.0.132:445 | tcp | |
| N/A | 10.127.0.133:445 | tcp | |
| N/A | 10.127.0.134:445 | tcp | |
| N/A | 10.127.0.135:445 | tcp | |
| N/A | 10.127.0.136:445 | tcp | |
| N/A | 10.127.0.137:445 | tcp | |
| N/A | 10.127.0.138:445 | tcp | |
| N/A | 10.127.0.139:445 | tcp | |
| N/A | 10.127.0.140:445 | tcp | |
| N/A | 10.127.0.142:445 | tcp | |
| N/A | 10.127.0.141:445 | tcp | |
| N/A | 10.127.0.143:445 | tcp | |
| N/A | 10.127.0.144:445 | tcp | |
| N/A | 10.127.0.145:445 | tcp | |
| N/A | 10.127.0.146:445 | tcp | |
| N/A | 10.127.0.147:445 | tcp | |
| N/A | 10.127.0.148:445 | tcp | |
| N/A | 10.127.0.149:445 | tcp | |
| N/A | 10.127.0.151:445 | tcp | |
| N/A | 10.127.0.152:445 | tcp | |
| N/A | 10.127.0.153:445 | tcp | |
| N/A | 10.127.0.154:445 | tcp | |
| N/A | 10.127.0.155:445 | tcp | |
| N/A | 10.127.0.157:445 | tcp | |
| N/A | 10.127.0.156:445 | tcp | |
| N/A | 10.127.0.158:445 | tcp | |
| N/A | 10.127.0.159:445 | tcp | |
| N/A | 10.127.0.160:445 | tcp | |
| N/A | 10.127.0.161:445 | tcp | |
| N/A | 10.127.0.162:445 | tcp | |
| N/A | 10.127.0.163:445 | tcp | |
| N/A | 10.127.0.164:445 | tcp | |
| N/A | 10.127.0.165:445 | tcp | |
| N/A | 10.127.0.166:445 | tcp | |
| N/A | 10.127.0.167:445 | tcp | |
| N/A | 10.127.0.168:445 | tcp | |
| N/A | 10.127.0.169:445 | tcp | |
| N/A | 10.127.0.170:445 | tcp | |
| N/A | 10.127.0.172:445 | tcp | |
| N/A | 10.127.0.171:445 | tcp | |
| N/A | 10.127.0.173:445 | tcp | |
| N/A | 10.127.0.174:445 | tcp | |
| N/A | 10.127.0.175:445 | tcp | |
| N/A | 10.127.0.176:445 | tcp | |
| N/A | 10.127.0.177:445 | tcp | |
| N/A | 10.127.0.178:445 | tcp | |
| N/A | 10.127.0.179:445 | tcp | |
| N/A | 10.127.0.180:445 | tcp | |
| N/A | 10.127.0.181:445 | tcp | |
| N/A | 10.127.0.183:445 | tcp | |
| N/A | 10.127.0.182:445 | tcp | |
| N/A | 10.127.0.184:445 | tcp | |
| N/A | 10.127.0.186:445 | tcp | |
| N/A | 10.127.0.185:445 | tcp | |
| N/A | 10.127.0.188:445 | tcp | |
| N/A | 10.127.0.187:445 | tcp | |
| N/A | 10.127.0.189:445 | tcp | |
| N/A | 10.127.0.191:445 | tcp | |
| N/A | 10.127.0.190:445 | tcp | |
| N/A | 10.127.0.192:445 | tcp | |
| N/A | 10.127.0.193:445 | tcp | |
| N/A | 10.127.0.194:445 | tcp | |
| N/A | 10.127.0.195:445 | tcp | |
| N/A | 10.127.0.196:445 | tcp | |
| N/A | 10.127.0.197:445 | tcp | |
| N/A | 10.127.0.198:445 | tcp | |
| N/A | 10.127.0.199:445 | tcp | |
| N/A | 10.127.0.201:445 | tcp | |
| N/A | 10.127.0.200:445 | tcp | |
| N/A | 10.127.0.202:445 | tcp | |
| N/A | 10.127.0.244:445 | tcp | |
| N/A | 10.127.0.235:445 | tcp | |
| N/A | 10.127.0.242:445 | tcp | |
| N/A | 10.127.0.241:445 | tcp | |
| N/A | 10.127.0.253:445 | tcp | |
| N/A | 10.127.0.233:445 | tcp | |
| N/A | 10.127.0.234:445 | tcp | |
| N/A | 10.127.0.232:445 | tcp | |
| N/A | 10.127.0.230:445 | tcp | |
| N/A | 10.127.0.231:445 | tcp | |
| N/A | 10.127.0.229:445 | tcp | |
| N/A | 10.127.0.227:445 | tcp | |
| N/A | 10.127.0.228:445 | tcp | |
| N/A | 10.127.0.226:445 | tcp | |
| N/A | 10.127.0.225:445 | tcp | |
| N/A | 10.127.0.223:445 | tcp | |
| N/A | 10.127.0.224:445 | tcp | |
| N/A | 10.127.0.222:445 | tcp | |
| N/A | 10.127.0.221:445 | tcp | |
| N/A | 10.127.0.220:445 | tcp | |
| N/A | 10.127.0.219:445 | tcp | |
| N/A | 10.127.0.218:445 | tcp | |
| N/A | 10.127.0.213:445 | tcp | |
| N/A | 10.127.0.238:445 | tcp | |
| N/A | 10.127.0.214:445 | tcp | |
| N/A | 10.127.0.252:445 | tcp | |
| N/A | 10.127.0.237:445 | tcp | |
| N/A | 10.127.0.215:445 | tcp | |
| N/A | 10.127.0.251:445 | tcp | |
| N/A | 10.127.0.216:445 | tcp | |
| N/A | 10.127.0.236:445 | tcp | |
| N/A | 10.127.0.250:135 | tcp | |
| N/A | 10.127.0.206:135 | tcp | |
| N/A | 10.127.0.249:135 | tcp | |
| N/A | 10.127.0.205:135 | tcp | |
| N/A | 10.127.0.248:135 | tcp | |
| N/A | 10.127.0.204:135 | tcp | |
| N/A | 10.127.0.203:135 | tcp | |
| N/A | 10.127.0.246:135 | tcp | |
| N/A | 10.127.0.247:135 | tcp | |
| N/A | 10.127.0.208:135 | tcp | |
| N/A | 10.127.0.210:135 | tcp | |
| N/A | 10.127.0.209:135 | tcp | |
| N/A | 10.127.0.211:135 | tcp | |
| N/A | 10.127.0.239:135 | tcp | |
| N/A | 10.127.0.60:135 | tcp | |
| N/A | 10.127.0.59:135 | tcp | |
| N/A | 10.127.0.56:135 | tcp | |
| N/A | 10.127.0.58:135 | tcp | |
| N/A | 10.127.0.57:135 | tcp | |
| N/A | 10.127.0.55:135 | tcp | |
| N/A | 10.127.0.54:135 | tcp | |
| N/A | 10.127.0.53:135 | tcp | |
| N/A | 10.127.0.52:135 | tcp | |
| N/A | 10.127.0.51:135 | tcp | |
| N/A | 10.127.0.50:135 | tcp | |
| N/A | 10.127.0.49:135 | tcp | |
| N/A | 10.127.0.48:135 | tcp | |
| N/A | 10.127.0.47:135 | tcp | |
| N/A | 10.127.0.46:135 | tcp | |
| N/A | 10.127.0.44:135 | tcp | |
| N/A | 10.127.0.43:135 | tcp | |
| N/A | 10.127.0.45:135 | tcp | |
| N/A | 10.127.0.42:135 | tcp | |
| N/A | 10.127.0.41:135 | tcp | |
| N/A | 10.127.0.40:135 | tcp | |
| N/A | 10.127.0.39:135 | tcp | |
| N/A | 10.127.0.38:135 | tcp | |
| N/A | 10.127.0.37:135 | tcp | |
| N/A | 10.127.0.36:135 | tcp | |
| N/A | 10.127.0.35:135 | tcp | |
| N/A | 10.127.0.34:135 | tcp | |
| N/A | 10.127.0.33:135 | tcp | |
| N/A | 10.127.0.32:135 | tcp | |
| N/A | 10.127.0.31:135 | tcp | |
| N/A | 10.127.0.28:135 | tcp | |
| N/A | 10.127.0.30:135 | tcp | |
| N/A | 10.127.0.27:135 | tcp | |
| N/A | 10.127.0.26:135 | tcp | |
| N/A | 10.127.0.25:135 | tcp | |
| N/A | 10.127.0.24:135 | tcp | |
| N/A | 10.127.0.23:135 | tcp | |
| N/A | 10.127.0.22:135 | tcp | |
| N/A | 10.127.0.21:135 | tcp | |
| N/A | 10.127.0.20:135 | tcp | |
| N/A | 10.127.0.19:135 | tcp | |
| N/A | 10.127.0.18:135 | tcp | |
| N/A | 10.127.0.17:135 | tcp | |
| N/A | 10.127.0.16:135 | tcp | |
| N/A | 10.127.0.15:135 | tcp | |
| N/A | 10.127.0.14:135 | tcp | |
| N/A | 10.127.0.13:135 | tcp | |
| N/A | 10.127.0.11:135 | tcp | |
| N/A | 10.127.0.12:135 | tcp | |
| N/A | 10.127.0.10:135 | tcp | |
| N/A | 10.127.0.9:135 | tcp | |
| N/A | 10.127.0.8:135 | tcp | |
| N/A | 10.127.0.7:135 | tcp | |
| N/A | 10.127.0.6:135 | tcp | |
| N/A | 10.127.0.4:135 | tcp | |
| N/A | 10.127.0.5:135 | tcp | |
| N/A | 10.127.0.3:135 | tcp | |
| N/A | 10.127.0.1:135 | tcp | |
| N/A | 10.127.0.2:135 | tcp | |
| N/A | 10.127.0.240:135 | tcp | |
| N/A | 10.127.0.0:135 | tcp | |
| N/A | 10.127.0.217:135 | tcp | |
| N/A | 10.127.0.254:135 | tcp | |
| N/A | 10.127.0.61:135 | tcp | |
| N/A | 10.127.0.62:135 | tcp | |
| N/A | 10.127.0.64:135 | tcp | |
| N/A | 10.127.0.63:135 | tcp | |
| N/A | 10.127.0.65:135 | tcp | |
| N/A | 10.127.0.67:135 | tcp | |
| N/A | 10.127.0.66:135 | tcp | |
| N/A | 10.127.0.68:135 | tcp | |
| N/A | 10.127.0.69:135 | tcp | |
| N/A | 10.127.0.70:135 | tcp | |
| N/A | 10.127.0.71:135 | tcp | |
| N/A | 10.127.0.72:135 | tcp | |
| N/A | 10.127.0.73:135 | tcp | |
| N/A | 10.127.0.74:135 | tcp | |
| N/A | 10.127.0.75:135 | tcp | |
| N/A | 10.127.0.76:135 | tcp | |
| N/A | 10.127.0.77:135 | tcp | |
| N/A | 10.127.0.79:135 | tcp | |
| N/A | 10.127.0.80:135 | tcp | |
| N/A | 10.127.0.81:135 | tcp | |
| N/A | 10.127.0.78:135 | tcp | |
| N/A | 10.127.0.83:135 | tcp | |
| N/A | 10.127.0.84:135 | tcp | |
| N/A | 10.127.0.85:135 | tcp | |
| N/A | 10.127.0.82:135 | tcp | |
| N/A | 10.127.0.87:135 | tcp | |
| N/A | 10.127.0.88:135 | tcp | |
| N/A | 10.127.0.89:135 | tcp | |
| N/A | 10.127.0.86:135 | tcp | |
| N/A | 10.127.0.91:135 | tcp | |
| N/A | 10.127.0.92:135 | tcp | |
| N/A | 10.127.0.93:135 | tcp | |
| N/A | 10.127.0.90:135 | tcp | |
| N/A | 10.127.0.95:135 | tcp | |
| N/A | 10.127.0.94:135 | tcp | |
| N/A | 10.127.0.96:135 | tcp | |
| N/A | 10.127.0.97:135 | tcp | |
| N/A | 10.127.0.98:135 | tcp | |
| N/A | 10.127.0.99:135 | tcp | |
| N/A | 10.127.0.101:135 | tcp | |
| N/A | 10.127.0.102:135 | tcp | |
| N/A | 10.127.0.100:135 | tcp | |
| N/A | 10.127.0.104:135 | tcp | |
| N/A | 10.127.0.103:135 | tcp | |
| N/A | 10.127.0.105:135 | tcp | |
| N/A | 10.127.0.106:135 | tcp | |
| N/A | 10.127.0.107:135 | tcp | |
| N/A | 10.127.0.108:135 | tcp | |
| N/A | 10.127.0.109:135 | tcp | |
| N/A | 10.127.0.110:135 | tcp | |
| N/A | 10.127.0.111:135 | tcp | |
| N/A | 10.127.0.112:135 | tcp | |
| N/A | 10.127.0.113:135 | tcp | |
| N/A | 10.127.0.114:135 | tcp | |
| N/A | 10.127.0.115:135 | tcp | |
| N/A | 10.127.0.116:135 | tcp | |
| N/A | 10.127.0.117:135 | tcp | |
| N/A | 10.127.0.118:135 | tcp | |
| N/A | 10.127.0.119:135 | tcp | |
| N/A | 10.127.0.120:135 | tcp | |
| N/A | 10.127.0.121:135 | tcp | |
| N/A | 10.127.0.122:135 | tcp | |
| N/A | 10.127.0.123:135 | tcp | |
| N/A | 10.127.0.124:135 | tcp | |
| N/A | 10.127.0.126:135 | tcp | |
| N/A | 10.127.0.127:135 | tcp | |
| N/A | 10.127.0.125:135 | tcp | |
| N/A | 10.127.0.128:135 | tcp | |
| N/A | 10.127.0.130:135 | tcp | |
| N/A | 10.127.0.131:135 | tcp | |
| N/A | 10.127.0.129:135 | tcp | |
| N/A | 10.127.0.133:135 | tcp | |
| N/A | 10.127.0.134:135 | tcp | |
| N/A | 10.127.0.135:135 | tcp | |
| N/A | 10.127.0.132:135 | tcp | |
| N/A | 10.127.0.137:135 | tcp | |
| N/A | 10.127.0.138:135 | tcp | |
| N/A | 10.127.0.139:135 | tcp | |
| N/A | 10.127.0.136:135 | tcp | |
| N/A | 10.127.0.142:135 | tcp | |
| N/A | 10.127.0.141:135 | tcp | |
| N/A | 10.127.0.140:135 | tcp | |
| N/A | 10.127.0.143:135 | tcp | |
| N/A | 10.127.0.144:135 | tcp | |
| N/A | 10.127.0.145:135 | tcp | |
| N/A | 10.127.0.147:135 | tcp | |
| N/A | 10.127.0.148:135 | tcp | |
| N/A | 10.127.0.146:135 | tcp | |
| N/A | 10.127.0.150:135 | tcp | |
| N/A | 10.127.0.152:135 | tcp | |
| N/A | 10.127.0.151:135 | tcp | |
| N/A | 10.127.0.153:135 | tcp | |
| N/A | 10.127.0.154:135 | tcp | |
| N/A | 10.127.0.155:135 | tcp | |
| N/A | 10.127.0.157:135 | tcp | |
| N/A | 10.127.0.149:135 | tcp | |
| N/A | 10.127.0.156:135 | tcp | |
| N/A | 10.127.0.159:135 | tcp | |
| N/A | 10.127.0.158:135 | tcp | |
| N/A | 10.127.0.160:135 | tcp | |
| N/A | 10.127.0.162:135 | tcp | |
| N/A | 10.127.0.161:135 | tcp | |
| N/A | 10.127.0.163:135 | tcp | |
| N/A | 10.127.0.164:135 | tcp | |
| N/A | 10.127.0.165:135 | tcp | |
| N/A | 10.127.0.166:135 | tcp | |
| N/A | 10.127.0.167:135 | tcp | |
| N/A | 10.127.0.168:135 | tcp | |
| N/A | 10.127.0.169:135 | tcp | |
| N/A | 10.127.0.170:135 | tcp | |
| N/A | 10.127.0.171:135 | tcp | |
| N/A | 10.127.0.172:135 | tcp | |
| N/A | 10.127.0.173:135 | tcp | |
| N/A | 10.127.0.175:135 | tcp | |
| N/A | 10.127.0.176:135 | tcp | |
| N/A | 10.127.0.174:135 | tcp | |
| N/A | 10.127.0.177:135 | tcp | |
| N/A | 10.127.0.178:135 | tcp | |
| N/A | 10.127.0.179:135 | tcp | |
| N/A | 10.127.0.180:135 | tcp | |
| N/A | 10.127.0.181:135 | tcp | |
| N/A | 10.127.0.182:135 | tcp | |
| N/A | 10.127.0.183:135 | tcp | |
| N/A | 10.127.0.184:135 | tcp | |
| N/A | 10.127.0.236:135 | tcp | |
| N/A | 10.127.0.216:135 | tcp | |
| N/A | 10.127.0.215:135 | tcp | |
| N/A | 10.127.0.237:135 | tcp | |
| N/A | 10.127.0.251:135 | tcp | |
| N/A | 10.127.0.252:135 | tcp | |
| N/A | 10.127.0.214:135 | tcp | |
| N/A | 10.127.0.238:135 | tcp | |
| N/A | 10.127.0.213:135 | tcp | |
| N/A | 10.127.0.218:135 | tcp | |
| N/A | 10.127.0.219:135 | tcp | |
| N/A | 10.127.0.221:135 | tcp | |
| N/A | 10.127.0.220:135 | tcp | |
| N/A | 10.127.0.222:135 | tcp | |
| N/A | 10.127.0.224:135 | tcp | |
| N/A | 10.127.0.223:135 | tcp | |
| N/A | 10.127.0.225:135 | tcp | |
| N/A | 10.127.0.226:135 | tcp | |
| N/A | 10.127.0.228:135 | tcp | |
| N/A | 10.127.0.187:135 | tcp | |
| N/A | 10.127.0.186:135 | tcp | |
| N/A | 10.127.0.242:135 | tcp | |
| N/A | 10.127.0.188:135 | tcp | |
| N/A | 10.127.0.189:135 | tcp | |
| N/A | 10.127.0.207:135 | tcp | |
| N/A | 10.127.0.192:135 | tcp | |
| N/A | 10.127.0.212:135 | tcp | |
| N/A | 10.127.0.193:135 | tcp | |
| N/A | 10.127.0.194:135 | tcp | |
| N/A | 10.127.0.191:135 | tcp | |
| N/A | 10.127.0.196:135 | tcp | |
| N/A | 10.127.0.197:135 | tcp | |
| N/A | 10.127.0.195:135 | tcp | |
| N/A | 10.127.0.190:135 | tcp | |
| N/A | 10.127.0.200:135 | tcp | |
| N/A | 10.127.0.199:135 | tcp | |
| N/A | 10.127.0.202:135 | tcp | |
| N/A | 10.127.0.198:135 | tcp | |
| N/A | 10.127.0.201:135 | tcp | |
| N/A | 10.127.0.245:135 | tcp | |
| N/A | 10.127.0.243:135 | tcp | |
| N/A | 10.127.0.235:135 | tcp | |
| N/A | 10.127.0.244:135 | tcp | |
| N/A | 10.127.0.253:135 | tcp | |
| N/A | 10.127.0.241:135 | tcp | |
| N/A | 10.127.0.233:135 | tcp | |
| N/A | 10.127.0.230:135 | tcp | |
| N/A | 10.127.0.234:135 | tcp | |
| N/A | 10.127.0.229:135 | tcp | |
| N/A | 10.127.0.232:135 | tcp | |
| N/A | 10.127.0.227:135 | tcp | |
| N/A | 10.127.0.185:135 | tcp | |
| N/A | 10.127.0.231:135 | tcp |
Files
C:\Program Files\dotnet\Restore-My-Files.txt
| MD5 | 72331c56f418cca338bc31733d66abd2 |
| SHA1 | a23797ffda1eab000a0ac9ae04db698245e7ef18 |
| SHA256 | e11927fbf775250dd1cd09bf28548a873aa45901ca677fb7d27ac1ed35849933 |
| SHA512 | ea63c87b500c37682c2076596e3f02ca7d08e70d3d6da625743a0f8e46d72165251a0e4d72bd9ca51f932b2250118d2d958fd40ee0701fd435819ccc4afcdff0 |
memory/5340-3347-0x000002356C370000-0x000002356C371000-memory.dmp
memory/5340-3348-0x000002356C370000-0x000002356C371000-memory.dmp
memory/5340-3349-0x000002356C370000-0x000002356C371000-memory.dmp
memory/5340-3353-0x000002356C370000-0x000002356C371000-memory.dmp
memory/5340-3354-0x000002356C370000-0x000002356C371000-memory.dmp
memory/5340-3355-0x000002356C370000-0x000002356C371000-memory.dmp
memory/5340-3356-0x000002356C370000-0x000002356C371000-memory.dmp
memory/5340-3357-0x000002356C370000-0x000002356C371000-memory.dmp
memory/5340-3358-0x000002356C370000-0x000002356C371000-memory.dmp
memory/5340-3359-0x000002356C370000-0x000002356C371000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-03-01 00:38
Reported
2024-03-01 00:40
Platform
macos-20240214-en
Max time kernel
151s
Max time network
145s
Command Line
Signatures
Processes
/usr/libexec/xpcproxy
[xpcproxy com.apple.pluginkit.pkd]
/usr/libexec/pkd
[/usr/libexec/pkd]
/bin/sh
[sh -c sudo /bin/zsh -c "/Users/run/2024-02-28_5d066d873d1736570f2d10c182dfebd2_lockbit.exe"]
/bin/bash
[sh -c sudo /bin/zsh -c "/Users/run/2024-02-28_5d066d873d1736570f2d10c182dfebd2_lockbit.exe"]
/usr/bin/sudo
[sudo /bin/zsh -c /Users/run/2024-02-28_5d066d873d1736570f2d10c182dfebd2_lockbit.exe]
/bin/zsh
[/bin/zsh -c /Users/run/2024-02-28_5d066d873d1736570f2d10c182dfebd2_lockbit.exe]
/Users/run/2024-02-28_5d066d873d1736570f2d10c182dfebd2_lockbit.exe
[/Users/run/2024-02-28_5d066d873d1736570f2d10c182dfebd2_lockbit.exe]
/usr/libexec/xpcproxy
[xpcproxy com.apple.sysmond]
/usr/libexec/sysmond
[/usr/libexec/sysmond]
/usr/libexec/xpcproxy
[xpcproxy com.apple.icloud.findmydeviced]
/usr/libexec/findmydeviced
[/usr/libexec/findmydeviced]
/usr/libexec/xpcproxy
[xpcproxy com.apple.geod]
/System/Library/PrivateFrameworks/GeoServices.framework/Versions/A/XPCServices/com.apple.geod.xpc/Contents/MacOS/com.apple.geod
[/System/Library/PrivateFrameworks/GeoServices.framework/Versions/A/XPCServices/com.apple.geod.xpc/Contents/MacOS/com.apple.geod]
/usr/libexec/xpcproxy
[xpcproxy com.apple.geod]
/System/Library/PrivateFrameworks/GeoServices.framework/Versions/A/XPCServices/com.apple.geod.xpc/Contents/MacOS/com.apple.geod
[/System/Library/PrivateFrameworks/GeoServices.framework/Versions/A/XPCServices/com.apple.geod.xpc/Contents/MacOS/com.apple.geod]
/usr/libexec/xpcproxy
[xpcproxy com.apple.secinitd]
/usr/libexec/secinitd
[/usr/libexec/secinitd]
/usr/libexec/xpcproxy
[xpcproxy com.apple.cfprefsd.xpc.agent]
/usr/sbin/cfprefsd
[/usr/sbin/cfprefsd agent]
/usr/bin/bzip2
[/usr/bin/bzip2 -f /var/log/wifi.log.0]
/usr/bin/pluginkit
[/usr/bin/pluginkit -e ignore -i com.microsoft.OneDrive.FinderSync]
/usr/sbin/spctl
[/usr/sbin/spctl --assess --type execute /var/folders/pq/yy2b5ptn4cz739jgclj4m1wm0000gp/T/OneDriveUpdater2481EFE7/OneDrive.app]
/usr/libexec/xpcproxy
[xpcproxy com.apple.AddressBook.ContactsAccountsService]
/System/Library/Frameworks/AddressBook.framework/Executables/ContactsAccountsService
[/System/Library/Frameworks/AddressBook.framework/Executables/ContactsAccountsService]
/usr/libexec/xpcproxy
[xpcproxy com.apple.suggestd]
/System/Library/PrivateFrameworks/CoreSuggestions.framework/Versions/A/Support/suggestd
[/System/Library/PrivateFrameworks/CoreSuggestions.framework/Versions/A/Support/suggestd]
/usr/libexec/xpcproxy
[xpcproxy com.apple.knowledge-agent]
/usr/libexec/knowledge-agent
[/usr/libexec/knowledge-agent]
/usr/libexec/xpcproxy
[xpcproxy com.apple.neagent.878568F8-CCE5-4157-8315-22F20DC8FB0A]
/usr/libexec/neagent
[/usr/libexec/neagent]
/usr/libexec/xpcproxy
[xpcproxy com.apple.routined]
/usr/libexec/routined
[/usr/libexec/routined LAUNCHED_BY_LAUNCHD]
/usr/libexec/xpcproxy
[xpcproxy com.apple.siri.context.service]
/System/Library/PrivateFrameworks/ContextKit.framework/Versions/A/XPCServices/ContextService.xpc/Contents/MacOS/ContextService
[/System/Library/PrivateFrameworks/ContextKit.framework/Versions/A/XPCServices/ContextService.xpc/Contents/MacOS/ContextService]
/usr/libexec/xpcproxy
[xpcproxy com.apple.Maps.mapspushd]
/System/Library/CoreServices/mapspushd
[/System/Library/CoreServices/mapspushd]
/usr/libexec/xpcproxy
[xpcproxy com.apple.tailspind]
/usr/libexec/tailspind
[/usr/libexec/tailspind]
/usr/sbin/spctl
[/usr/sbin/spctl --assess --type execute /Applications/OneDrive.app]
/usr/libexec/xpcproxy
[xpcproxy com.apple.assistantd]
/System/Library/PrivateFrameworks/AssistantServices.framework/Versions/A/Support/assistantd
[/System/Library/PrivateFrameworks/AssistantServices.framework/Versions/A/Support/assistantd]
/usr/libexec/xpcproxy
[xpcproxy com.apple.pbs]
/System/Library/CoreServices/pbs
[/System/Library/CoreServices/pbs]
/bin/launchctl
[/bin/launchctl kill SIGTERM system/com.microsoft.OneDriveUpdaterDaemon]
/bin/launchctl
[/bin/launchctl kill SIGTERM system/com.microsoft.OneDriveStandaloneUpdaterDaemon]
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 22-courier.push.apple.com | udp |
| US | 8.8.8.8:53 | apis.apple.map.fastly.net | udp |
| US | 8.8.8.8:53 | 33.courier-push-apple.com.akadns.net | udp |
| US | 8.8.8.8:53 | gspe1-ssl.ls.apple.com.edgesuite.net | udp |
| GB | 104.91.71.85:443 | gspe1-ssl.ls.apple.com.edgesuite.net | tcp |
| US | 8.8.8.8:53 | e4686.dsce9.akamaiedge.net | udp |
| GB | 104.91.71.85:443 | gspe1-ssl.ls.apple.com.edgesuite.net | tcp |
| US | 8.8.8.8:53 | 50-courier.push.apple.com | udp |
| US | 8.8.8.8:53 | mobile.events.data.trafficmanager.net | udp |
| FR | 40.79.141.154:443 | tcp | |
| US | 8.8.8.8:53 | api.apple-cloudkit.fe2.apple-dns.net | udp |
| US | 8.8.8.8:53 | 45.courier-push-apple.com.akadns.net | udp |
| US | 8.8.8.8:53 | 13-courier.push.apple.com | udp |
| US | 8.8.8.8:53 | 41-courier.push.apple.com | udp |
| US | 8.8.8.8:53 | 24.courier-push-apple.com.akadns.net | udp |
| N/A | 224.0.0.251:5353 | udp |
Files
/var/folders/zz/zyxvpxvq6csfxvn_n00000sm00006d/C//mds/mdsObject.db
| MD5 | d3a1859e6ec593505cc882e6def48fc8 |
| SHA1 | f8e6728e3e9de477a75706faa95cead9ce13cb32 |
| SHA256 | 3ebafa97782204a4a1d75cfec22e15fcdeab45b65bab3b3e65508707e034a16c |
| SHA512 | ea2a749b105759ea33408186b417359deffb4a3a5ed0533cb26b459c16bb3524d67ede5c9cf0d5098921c0c0a9313fb9c2672f1e5ba48810eda548fa3209e818 |
/var/folders/zz/zyxvpxvq6csfxvn_n00000sm00006d/C//mds/mdsDirectory.db
| MD5 | 0e4a0d1ceb2af6f0f8d0167ce77be2d3 |
| SHA1 | 414ba4c1dc5fc8bf53d550e296fd6f5ad669918c |
| SHA256 | cca093bcfc65e25dd77c849866e110df72526dffbe29d76e11e29c7d888a4030 |
| SHA512 | 1dc5282d27c49a4b6f921ba5dfc88b8c1d32289df00dd866f9ac6669a5a8d99afeda614bffc7cf61a44375ae73e09cd52606b443b63636977c9cd2ef4fa68a20 |
/Users/run/Library/Caches/GeoServices/Resources/altitude-1188.xml
| MD5 | 3e6423b24f263da56088a101653606cd |
| SHA1 | 7c43adc6c23442858bf0dcdf84b5a08323fba317 |
| SHA256 | 95e4aa9570e1acd3de701ac19c395d80a710275d6e052c598c09cc1ed710c398 |
| SHA512 | 3f85d2f77102790e8ee82c1f8797c754167a79af91dfdd5377e7681370f01540234017eb24be89cc7a4da5e70005bf35b069d21f5bf70cc59efe1abd6dd8c255 |
/Users/run/Library/Caches/GeoServices/ActiveTileGroup.pbd
| MD5 | 1a6e5f9fba79761997ace8016b7339fa |
| SHA1 | 3ea6b7cb8d06ce964d418551fc19d614d73b2ca4 |
| SHA256 | 9e5eae78f4f8efaef4c7db8509258d05e628b4a31a1753b13e340acb75d84cbd |
| SHA512 | 5f868154381ad22d4a040909b0eb51ba06dc5a6d3a4956883439f9accc4dbd9b1c090feb247d979941ff4fa83b478e1f66fd0913371287b1de8c5c2064c1136e |