lockbit | 707bb3b958fbf4728d8a39b043e8df083e0fce1178dac60c0d984604ec23c881

Resubmissions

17-04-2024 10:53

240417-my9fhaeb8s 10

Analysis

max time kernel
241s
max time network
239s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
14-04-2024 10:26

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

LockBit-main.zip
Size

292KB
MD5

68309717a780fd8b4d1a1680874d3e12
SHA1

4cfe4f5bbd98fa7e966184e647910d675cdbda43
SHA256

707bb3b958fbf4728d8a39b043e8df083e0fce1178dac60c0d984604ec23c881
SHA512

e16de0338b1e1487803d37da66d16bc2f2644138615cbce648ae355f088912a04d1ce128a44797ff8c4dfc53c998058432052746c98c687670e4100194013149
SSDEEP

6144:n42LBVCsV+PkMeW9zTiY/NaQmHst5ySPzmcfIMwmafvR:n4EzwkMeWgY1NmyESPB1/aXR

Score

10^/10

lockbit ransomware spyware stealer

Malware Config

Extracted

Path

C:\lwvHVrFiF.README.txt

Family

lockbit

Ransom Note

~~~ LockBit 3.0 the world's fastest ransomware since 2019~~~ >>>> Your data are stolen and encrypted The data will be published on TOR website if you do not pay the ransom Links for Tor Browser: http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion http://lockbitapt5x4zkjbcqmz6frdhecqqgadevyiwqxukksspnlidyvd7qd.onion http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion http://lockbitapt34kvrip6xojylohhxrwsvpzdffgs5z4pbbsywnzsbdguqd.onion http://lockbitaptc2iq4atewz2ise62q63wfktyrl4qtwuk5qax262kgtzjqd.onion http://lockbitaptjpikdqjynvgozhgc6bgetgucdk5xjacozeaawihmoio6yd.onion http://lockbitaptq7ephv2oigdncfhtwhpqgwmqojnxqdyhprxxfpcllqdxad.onion http://lockbitaptstzf3er2lz6ku3xuifafq2yh5lmiqj5ncur6rtlmkteiqd.onion http://lockbitaptoofrpignlz6dt2wqqc5z3a4evjevoa3eqdfcntxad5lmyd.onion Links for the normal browser http://lockbitapt.uz http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion.ly http://lockbitapt5x4zkjbcqmz6frdhecqqgadevyiwqxukksspnlidyvd7qd.onion.ly http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion.ly http://lockbitapt34kvrip6xojylohhxrwsvpzdffgs5z4pbbsywnzsbdguqd.onion.ly http://lockbitaptc2iq4atewz2ise62q63wfktyrl4qtwuk5qax262kgtzjqd.onion.ly http://lockbitaptjpikdqjynvgozhgc6bgetgucdk5xjacozeaawihmoio6yd.onion.ly http://lockbitaptq7ephv2oigdncfhtwhpqgwmqojnxqdyhprxxfpcllqdxad.onion.ly http://lockbitaptstzf3er2lz6ku3xuifafq2yh5lmiqj5ncur6rtlmkteiqd.onion.ly http://lockbitaptoofrpignlz6dt2wqqc5z3a4evjevoa3eqdfcntxad5lmyd.onion.ly >>>> What guarantees that we will not deceive you? We are not a politically motivated group and we do not need anything other than your money. If you pay, we will provide you the programs for decryption and we will delete your data. Life is too short to be sad. Be not sad, money, it is only paper. If we do not give you decrypters, or we do not delete your data after payment, then nobody will pay us in the future. Therefore to us our reputation is very important. We attack the companies worldwide and there is no dissatisfied victim after payment. You can obtain information about us on twitter https://twitter.com/hashtag/lockbit?f=live >>>> You need contact us and decrypt one file for free on these TOR sites with your personal DECRYPTION ID Download and install TOR Browser https://www.torproject.org/ Write to a chat and wait for the answer, we will always answer you. Sometimes you will need to wait for our answer because we attack many companies. Links for Tor Browser: http://lockbitsupt7nr3fa6e7xyb73lk6bw6rcneqhoyblniiabj4uwvzapqd.onion http://lockbitsupuhswh4izvoucoxsbnotkmgq6durg7kficg6u33zfvq3oyd.onion http://lockbitsupn2h6be2cnqpvncyhj4rgmnwn44633hnzzmtxdvjoqlp7yd.onion Link for the normal browser http://lockbitsupp.uz If you do not get an answer in the chat room for a long time, the site does not work and in any other emergency, you can contact us in jabber or tox. Tox ID LockBitSupp: 3085B89A0C515D2FB124D645906F5D3DA5CB97CEBEA975959AE4F95302A04E1D709C3C4AE9B7 XMPP (Jabber) Support: [email protected] [email protected] >>>> Your personal DECRYPTION ID: B7568014A48684D6D525F3F3722638C4 >>>> Warning! Do not DELETE or MODIFY any files, it can lead to recovery problems! >>>> Warning! If you do not pay the ransom we will attack your company repeatedly again! >>>> Advertisement Would you like to earn millions of dollars $$$ ? Our company acquire access to networks of various companies, as well as insider information that can help you steal the most valuable data of any company. You can provide us accounting data for the access to any company, for example, login and password to RDP, VPN, corporate email, etc. Open our letter at your email. Launch the provided virus on any computer in your company. You can do it both using your work computer or the computer of any other employee in order to divert suspicion of being in collusion with us. Companies pay us the foreclosure for the decryption of files and prevention of data leak. You can contact us using Tox messenger without registration and SMS https://tox.chat/download.html. Using Tox messenger, we will never know your real name, it means your privacy is guaranteed. If you want to contact us, write in jabber or tox. Tox ID LockBitSupp: 3085B89A0C515D2FB124D645906F5D3DA5CB97CEBEA975959AE4F95302A04E1D709C3C4AE9B7 XMPP (Jabber) Support: [email protected] [email protected] If this contact is expired, and we do not respond you, look for the relevant contact data on our website via Tor or Brave browser Links for Tor Browser: http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion http://lockbitapt5x4zkjbcqmz6frdhecqqgadevyiwqxukksspnlidyvd7qd.onion http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion http://lockbitapt34kvrip6xojylohhxrwsvpzdffgs5z4pbbsywnzsbdguqd.onion http://lockbitaptc2iq4atewz2ise62q63wfktyrl4qtwuk5qax262kgtzjqd.onion http://lockbitaptjpikdqjynvgozhgc6bgetgucdk5xjacozeaawihmoio6yd.onion http://lockbitaptq7ephv2oigdncfhtwhpqgwmqojnxqdyhprxxfpcllqdxad.onion http://lockbitaptstzf3er2lz6ku3xuifafq2yh5lmiqj5ncur6rtlmkteiqd.onion http://lockbitaptoofrpignlz6dt2wqqc5z3a4evjevoa3eqdfcntxad5lmyd.onion Links for the normal browser http://lockbitapt.uz http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion.ly http://lockbitapt5x4zkjbcqmz6frdhecqqgadevyiwqxukksspnlidyvd7qd.onion.ly http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion.ly http://lockbitapt34kvrip6xojylohhxrwsvpzdffgs5z4pbbsywnzsbdguqd.onion.ly http://lockbitaptc2iq4atewz2ise62q63wfktyrl4qtwuk5qax262kgtzjqd.onion.ly http://lockbitaptjpikdqjynvgozhgc6bgetgucdk5xjacozeaawihmoio6yd.onion.ly http://lockbitaptq7ephv2oigdncfhtwhpqgwmqojnxqdyhprxxfpcllqdxad.onion.ly http://lockbitaptstzf3er2lz6ku3xuifafq2yh5lmiqj5ncur6rtlmkteiqd.onion.ly http://lockbitaptoofrpignlz6dt2wqqc5z3a4evjevoa3eqdfcntxad5lmyd.onion.ly

Emails

[email protected]

URLs

http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion

http://lockbitapt5x4zkjbcqmz6frdhecqqgadevyiwqxukksspnlidyvd7qd.onion

http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion

http://lockbitapt34kvrip6xojylohhxrwsvpzdffgs5z4pbbsywnzsbdguqd.onion

http://lockbitaptc2iq4atewz2ise62q63wfktyrl4qtwuk5qax262kgtzjqd.onion

http://lockbitaptjpikdqjynvgozhgc6bgetgucdk5xjacozeaawihmoio6yd.onion

http://lockbitaptq7ephv2oigdncfhtwhpqgwmqojnxqdyhprxxfpcllqdxad.onion

http://lockbitaptstzf3er2lz6ku3xuifafq2yh5lmiqj5ncur6rtlmkteiqd.onion

http://lockbitaptoofrpignlz6dt2wqqc5z3a4evjevoa3eqdfcntxad5lmyd.onion

http://lockbitapt.uz

http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion.ly

http://lockbitapt5x4zkjbcqmz6frdhecqqgadevyiwqxukksspnlidyvd7qd.onion.ly

http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion.ly

http://lockbitapt34kvrip6xojylohhxrwsvpzdffgs5z4pbbsywnzsbdguqd.onion.ly

http://lockbitaptc2iq4atewz2ise62q63wfktyrl4qtwuk5qax262kgtzjqd.onion.ly

http://lockbitaptjpikdqjynvgozhgc6bgetgucdk5xjacozeaawihmoio6yd.onion.ly

http://lockbitaptq7ephv2oigdncfhtwhpqgwmqojnxqdyhprxxfpcllqdxad.onion.ly

http://lockbitaptstzf3er2lz6ku3xuifafq2yh5lmiqj5ncur6rtlmkteiqd.onion.ly

http://lockbitaptoofrpignlz6dt2wqqc5z3a4evjevoa3eqdfcntxad5lmyd.onion.ly

https://twitter.com/hashtag/lockbit?f=live

Signatures

Lockbit
Ransomware family with multiple variants released since late 2019.
ransomware lockbit

Rule to detect Lockbit 3.0 ransomware Windows payload 1 IoCs

resource	yara_rule
behavioral1/files/0x000700000002343a-13.dat	family_lockbit

Renames multiple (633) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2177723727-746291240-1644359950-1000\Control Panel\International\Geo\Nation	B88E.tmp

Executes dropped EXE 20 IoCs

pid	Process
4868	LB3.exe
5152	B88E.tmp
5844	LB3Decryptor.exe
3792	LB3Decryptor.exe
2668	keygen.exe
4108	builder.exe
4468	builder.exe
1932	builder.exe
1120	builder.exe
1484	builder.exe
1288	builder.exe
5296	keygen.exe
4220	builder.exe
2220	builder.exe
5956	builder.exe
2648	builder.exe
5200	builder.exe
5264	builder.exe
5128	LB3.exe
8768	LB3.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops desktop.ini file(s) 3 IoCs

description	ioc	Process
File opened for modification	C:\$Recycle.Bin\S-1-5-21-2177723727-746291240-1644359950-1000\desktop.ini	LB3.exe
File opened for modification	F:\$RECYCLE.BIN\S-1-5-21-2177723727-746291240-1644359950-1000\desktop.ini	LB3.exe
File opened for modification	C:\$Recycle.Bin\S-1-5-21-2177723727-746291240-1644359950-1000\desktop.ini	LB3.exe

Drops file in System32 directory 5 IoCs

description	ioc	Process
File created	C:\Windows\system32\spool\PRINTERS\00002.SPL	splwow64.exe
File created	C:\Windows\system32\spool\PRINTERS\PPlj9ezhbl6pokyat5t4mc110rd.TMP	printfilterpipelinesvc.exe
File created	C:\Windows\system32\spool\PRINTERS\PPwvupk0n6vjmv8aq7nj_e_00rc.TMP	printfilterpipelinesvc.exe
File created	C:\Windows\system32\spool\PRINTERS\PP0829ju0p4dbs05c8hlqg2ro0b.TMP	printfilterpipelinesvc.exe
File created	C:\Windows\system32\spool\PRINTERS\00003.SPL	splwow64.exe

Sets desktop wallpaper using registry 2 TTPs 3 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2177723727-746291240-1644359950-1000\Control Panel\Desktop\WallPaper	LB3Decryptor.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2177723727-746291240-1644359950-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\lwvHVrFiF.bmp"	LB3.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2177723727-746291240-1644359950-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\lwvHVrFiF.bmp"	LB3.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
5152	B88E.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	ONENOTE.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	ONENOTE.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	ONENOTE.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	ONENOTE.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	ONENOTE.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	ONENOTE.EXE

Modifies Control Panel 3 IoCs

evasion

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2177723727-746291240-1644359950-1000\Control Panel\Desktop\WallpaperStyle = "10"	LB3.exe
Key created	\REGISTRY\USER\S-1-5-21-2177723727-746291240-1644359950-1000\Control Panel\Desktop	LB3Decryptor.exe
Key created	\REGISTRY\USER\S-1-5-21-2177723727-746291240-1644359950-1000\Control Panel\Desktop	LB3.exe

Modifies registry class 19 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lwvHVrFiF\DefaultIcon\ = "C:\\ProgramData\\lwvHVrFiF.ico"	LB3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.JJTViax1G\ = "JJTViax1G"	LB3.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\lwvHVrFiF	LB3Decryptor.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\JJTViax1G\DefaultIcon	LB3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.lxb4unUdA\ = "lxb4unUdA"	LB3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lxb4unUdA\DefaultIcon	LB3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lxb4unUdA\DefaultIcon\ = "C:\\ProgramData\\lxb4unUdA.ico"	LB3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.lwvHVrFiF\ = "lwvHVrFiF"	LB3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lwvHVrFiF\DefaultIcon	LB3.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\LWVHVRFIF\DEFAULTICON	LB3Decryptor.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.lwvHVrFiF	LB3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lwvHVrFiF	LB3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\JJTViax1G\DefaultIcon\ = "C:\\ProgramData\\JJTViax1G.ico"	LB3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\JJTViax1G	LB3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.lxb4unUdA	LB3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lxb4unUdA	LB3.exe
Key created	\REGISTRY\USER\S-1-5-21-2177723727-746291240-1644359950-1000_Classes\Local Settings	OpenWith.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\.lwvHVrFiF	LB3Decryptor.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.JJTViax1G	LB3.exe

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
5800	ONENOTE.EXE
5800	ONENOTE.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4868	LB3.exe
4868	LB3.exe
4868	LB3.exe
4868	LB3.exe
4868	LB3.exe
4868	LB3.exe
4868	LB3.exe
4868	LB3.exe
4868	LB3.exe
4868	LB3.exe
4868	LB3.exe
4868	LB3.exe
4868	LB3.exe
4868	LB3.exe
4868	LB3.exe
4868	LB3.exe
4868	LB3.exe
4868	LB3.exe
4868	LB3.exe
4868	LB3.exe
4868	LB3.exe
4868	LB3.exe
4868	LB3.exe
4868	LB3.exe
4868	LB3.exe
4868	LB3.exe
4868	LB3.exe
4868	LB3.exe
4868	LB3.exe
4868	LB3.exe
4868	LB3.exe
4868	LB3.exe
4868	LB3.exe
4868	LB3.exe
4868	LB3.exe
4868	LB3.exe
4868	LB3.exe
4868	LB3.exe
4868	LB3.exe
4868	LB3.exe
4868	LB3.exe
4868	LB3.exe
4868	LB3.exe
4868	LB3.exe
4868	LB3.exe
4868	LB3.exe
4868	LB3.exe
4868	LB3.exe
4868	LB3.exe
4868	LB3.exe
4868	LB3.exe
4868	LB3.exe
4868	LB3.exe
4868	LB3.exe
4868	LB3.exe
4868	LB3.exe
4868	LB3.exe
4868	LB3.exe
4868	LB3.exe
4868	LB3.exe
4868	LB3.exe
4868	LB3.exe
4868	LB3.exe
4868	LB3.exe

Suspicious behavior: RenamesItself 3 IoCs

pid	Process
4868	LB3.exe
5844	LB3Decryptor.exe
5128	LB3.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeAssignPrimaryTokenPrivilege	4868	LB3.exe
Token: SeBackupPrivilege	4868	LB3.exe
Token: SeDebugPrivilege	4868	LB3.exe
Token: 36	4868	LB3.exe
Token: SeImpersonatePrivilege	4868	LB3.exe
Token: SeIncBasePriorityPrivilege	4868	LB3.exe
Token: SeIncreaseQuotaPrivilege	4868	LB3.exe
Token: 33	4868	LB3.exe
Token: SeManageVolumePrivilege	4868	LB3.exe
Token: SeProfSingleProcessPrivilege	4868	LB3.exe
Token: SeRestorePrivilege	4868	LB3.exe
Token: SeSecurityPrivilege	4868	LB3.exe
Token: SeSystemProfilePrivilege	4868	LB3.exe
Token: SeTakeOwnershipPrivilege	4868	LB3.exe
Token: SeShutdownPrivilege	4868	LB3.exe
Token: SeDebugPrivilege	4868	LB3.exe
Token: SeBackupPrivilege	4868	LB3.exe
Token: SeBackupPrivilege	4868	LB3.exe
Token: SeSecurityPrivilege	4868	LB3.exe
Token: SeSecurityPrivilege	4868	LB3.exe
Token: SeBackupPrivilege	4868	LB3.exe
Token: SeBackupPrivilege	4868	LB3.exe
Token: SeSecurityPrivilege	4868	LB3.exe
Token: SeSecurityPrivilege	4868	LB3.exe
Token: SeBackupPrivilege	4868	LB3.exe
Token: SeBackupPrivilege	4868	LB3.exe
Token: SeSecurityPrivilege	4868	LB3.exe
Token: SeSecurityPrivilege	4868	LB3.exe
Token: SeBackupPrivilege	4868	LB3.exe
Token: SeBackupPrivilege	4868	LB3.exe
Token: SeSecurityPrivilege	4868	LB3.exe
Token: SeSecurityPrivilege	4868	LB3.exe
Token: SeBackupPrivilege	4868	LB3.exe
Token: SeBackupPrivilege	4868	LB3.exe
Token: SeSecurityPrivilege	4868	LB3.exe
Token: SeSecurityPrivilege	4868	LB3.exe
Token: SeBackupPrivilege	4868	LB3.exe
Token: SeBackupPrivilege	4868	LB3.exe
Token: SeSecurityPrivilege	4868	LB3.exe
Token: SeSecurityPrivilege	4868	LB3.exe
Token: SeBackupPrivilege	4868	LB3.exe
Token: SeBackupPrivilege	4868	LB3.exe
Token: SeSecurityPrivilege	4868	LB3.exe
Token: SeSecurityPrivilege	4868	LB3.exe
Token: SeBackupPrivilege	4868	LB3.exe
Token: SeBackupPrivilege	4868	LB3.exe
Token: SeSecurityPrivilege	4868	LB3.exe
Token: SeSecurityPrivilege	4868	LB3.exe
Token: SeBackupPrivilege	4868	LB3.exe
Token: SeBackupPrivilege	4868	LB3.exe
Token: SeSecurityPrivilege	4868	LB3.exe
Token: SeSecurityPrivilege	4868	LB3.exe
Token: SeBackupPrivilege	4868	LB3.exe
Token: SeBackupPrivilege	4868	LB3.exe
Token: SeSecurityPrivilege	4868	LB3.exe
Token: SeSecurityPrivilege	4868	LB3.exe
Token: SeBackupPrivilege	4868	LB3.exe
Token: SeBackupPrivilege	4868	LB3.exe
Token: SeSecurityPrivilege	4868	LB3.exe
Token: SeSecurityPrivilege	4868	LB3.exe
Token: SeBackupPrivilege	4868	LB3.exe
Token: SeBackupPrivilege	4868	LB3.exe
Token: SeSecurityPrivilege	4868	LB3.exe
Token: SeSecurityPrivilege	4868	LB3.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
5844	LB3Decryptor.exe

Suspicious use of SetWindowsHookEx 25 IoCs

pid	Process
4700	OpenWith.exe
4700	OpenWith.exe
4700	OpenWith.exe
4700	OpenWith.exe
4700	OpenWith.exe
4700	OpenWith.exe
4700	OpenWith.exe
4700	OpenWith.exe
4700	OpenWith.exe
5800	ONENOTE.EXE
5800	ONENOTE.EXE
5800	ONENOTE.EXE
5800	ONENOTE.EXE
5800	ONENOTE.EXE
5800	ONENOTE.EXE
5800	ONENOTE.EXE
5800	ONENOTE.EXE
5800	ONENOTE.EXE
5800	ONENOTE.EXE
5800	ONENOTE.EXE
5800	ONENOTE.EXE
5800	ONENOTE.EXE
5800	ONENOTE.EXE
5844	LB3Decryptor.exe
3792	LB3Decryptor.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1016 wrote to memory of 1736	1016	cmd.exe	99
PID 1016 wrote to memory of 1736	1016	cmd.exe	99
PID 1016 wrote to memory of 1736	1016	cmd.exe	99
PID 1016 wrote to memory of 4412	1016	cmd.exe	100
PID 1016 wrote to memory of 4412	1016	cmd.exe	100
PID 1016 wrote to memory of 4412	1016	cmd.exe	100
PID 1016 wrote to memory of 4404	1016	cmd.exe	101
PID 1016 wrote to memory of 4404	1016	cmd.exe	101
PID 1016 wrote to memory of 4404	1016	cmd.exe	101
PID 1016 wrote to memory of 1136	1016	cmd.exe	102
PID 1016 wrote to memory of 1136	1016	cmd.exe	102
PID 1016 wrote to memory of 1136	1016	cmd.exe	102
PID 1016 wrote to memory of 220	1016	cmd.exe	103
PID 1016 wrote to memory of 220	1016	cmd.exe	103
PID 1016 wrote to memory of 220	1016	cmd.exe	103
PID 1016 wrote to memory of 1384	1016	cmd.exe	104
PID 1016 wrote to memory of 1384	1016	cmd.exe	104
PID 1016 wrote to memory of 1384	1016	cmd.exe	104
PID 1016 wrote to memory of 224	1016	cmd.exe	105
PID 1016 wrote to memory of 224	1016	cmd.exe	105
PID 1016 wrote to memory of 224	1016	cmd.exe	105
PID 4868 wrote to memory of 4900	4868	LB3.exe	109
PID 4868 wrote to memory of 4900	4868	LB3.exe	109
PID 1464 wrote to memory of 5800	1464	printfilterpipelinesvc.exe	113
PID 1464 wrote to memory of 5800	1464	printfilterpipelinesvc.exe	113
PID 4700 wrote to memory of 1524	4700	OpenWith.exe	114
PID 4700 wrote to memory of 1524	4700	OpenWith.exe	114
PID 4868 wrote to memory of 5152	4868	LB3.exe	115
PID 4868 wrote to memory of 5152	4868	LB3.exe	115
PID 4868 wrote to memory of 5152	4868	LB3.exe	115
PID 4868 wrote to memory of 5152	4868	LB3.exe	115
PID 5152 wrote to memory of 1908	5152	B88E.tmp	116
PID 5152 wrote to memory of 1908	5152	B88E.tmp	116
PID 5152 wrote to memory of 1908	5152	B88E.tmp	116
PID 1268 wrote to memory of 2668	1268	cmd.exe	130
PID 1268 wrote to memory of 2668	1268	cmd.exe	130
PID 1268 wrote to memory of 2668	1268	cmd.exe	130
PID 1268 wrote to memory of 4108	1268	cmd.exe	131
PID 1268 wrote to memory of 4108	1268	cmd.exe	131
PID 1268 wrote to memory of 4108	1268	cmd.exe	131
PID 1268 wrote to memory of 4468	1268	cmd.exe	132
PID 1268 wrote to memory of 4468	1268	cmd.exe	132
PID 1268 wrote to memory of 4468	1268	cmd.exe	132
PID 1268 wrote to memory of 1932	1268	cmd.exe	133
PID 1268 wrote to memory of 1932	1268	cmd.exe	133
PID 1268 wrote to memory of 1932	1268	cmd.exe	133
PID 1268 wrote to memory of 1120	1268	cmd.exe	134
PID 1268 wrote to memory of 1120	1268	cmd.exe	134
PID 1268 wrote to memory of 1120	1268	cmd.exe	134
PID 1268 wrote to memory of 1484	1268	cmd.exe	135
PID 1268 wrote to memory of 1484	1268	cmd.exe	135
PID 1268 wrote to memory of 1484	1268	cmd.exe	135
PID 1268 wrote to memory of 1288	1268	cmd.exe	136
PID 1268 wrote to memory of 1288	1268	cmd.exe	136
PID 1268 wrote to memory of 1288	1268	cmd.exe	136
PID 4576 wrote to memory of 5296	4576	cmd.exe	139
PID 4576 wrote to memory of 5296	4576	cmd.exe	139
PID 4576 wrote to memory of 5296	4576	cmd.exe	139
PID 4576 wrote to memory of 4220	4576	cmd.exe	140
PID 4576 wrote to memory of 4220	4576	cmd.exe	140
PID 4576 wrote to memory of 4220	4576	cmd.exe	140
PID 4576 wrote to memory of 2220	4576	cmd.exe	141
PID 4576 wrote to memory of 2220	4576	cmd.exe	141
PID 4576 wrote to memory of 2220	4576	cmd.exe	141

C:\Windows\Explorer.exe
C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\LockBit-main.zip
1⤵
PID:3632

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2916

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\LockBit-main\Build.bat" "
1⤵
- Suspicious use of WriteProcessMemory
PID:1016
- C:\Users\Admin\Desktop\LockBit-main\keygen.exe
  keygen -path Build -pubkey pub.key -privkey priv.key
  2⤵
  PID:1736
- C:\Users\Admin\Desktop\LockBit-main\builder.exe
  builder -type dec -privkey Build\priv.key -config config.json -ofile Build\LB3Decryptor.exe
  2⤵
  PID:4412
- C:\Users\Admin\Desktop\LockBit-main\builder.exe
  builder -type enc -exe -pubkey Build\pub.key -config config.json -ofile Build\LB3.exe
  2⤵
  PID:4404
- C:\Users\Admin\Desktop\LockBit-main\builder.exe
  builder -type enc -exe -pass -pubkey Build\pub.key -config config.json -ofile Build\LB3_pass.exe
  2⤵
  PID:1136
- C:\Users\Admin\Desktop\LockBit-main\builder.exe
  builder -type enc -dll -pubkey Build\pub.key -config config.json -ofile Build\LB3_Rundll32.dll
  2⤵
  PID:220
- C:\Users\Admin\Desktop\LockBit-main\builder.exe
  builder -type enc -dll -pass -pubkey Build\pub.key -config config.json -ofile Build\LB3_Rundll32_pass.dll
  2⤵
  PID:1384
- C:\Users\Admin\Desktop\LockBit-main\builder.exe
  builder -type enc -ref -pubkey Build\pub.key -config config.json -ofile Build\LB3_ReflectiveDll_DllMain.dll
  2⤵
  PID:224

C:\Users\Admin\Desktop\LockBit-main\Build\LB3.exe
"C:\Users\Admin\Desktop\LockBit-main\Build\LB3.exe"
1⤵
- Executes dropped EXE
- Drops desktop.ini file(s)
- Sets desktop wallpaper using registry
- Modifies Control Panel
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4868
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  - Drops file in System32 directory
  PID:4900
- C:\ProgramData\B88E.tmp
  "C:\ProgramData\B88E.tmp"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of WriteProcessMemory
  PID:5152
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\B88E.tmp >> NUL
    3⤵
    PID:1908

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
1⤵
PID:3220

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4700
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\LockBit-main\Build\Password_dll.txt.lwvHVrFiF
  2⤵
  PID:1524

C:\Windows\system32\printfilterpipelinesvc.exe
C:\Windows\system32\printfilterpipelinesvc.exe -Embedding
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1464
- C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
  /insertdoc "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\{509E758B-7B8C-4BF3-B809-2BA19CF8DC7F}.xps" 133575643762960000
  2⤵
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  PID:5800

C:\Users\Admin\Desktop\LockBit-main\Build\LB3Decryptor.exe
"C:\Users\Admin\Desktop\LockBit-main\Build\LB3Decryptor.exe"
1⤵
- Executes dropped EXE
- Sets desktop wallpaper using registry
- Modifies Control Panel
- Modifies registry class
- Suspicious behavior: RenamesItself
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:5844

C:\Users\Admin\Desktop\LockBit-main\Build\LB3Decryptor.exe
"C:\Users\Admin\Desktop\LockBit-main\Build\LB3Decryptor.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3792

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\LockBit-main\Build\DECRYPTION_ID.txt
1⤵
PID:3444

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\LockBit-main\Build.bat" "
1⤵
- Suspicious use of WriteProcessMemory
PID:1268
- C:\Users\Admin\Desktop\LockBit-main\keygen.exe
  keygen -path Build -pubkey pub.key -privkey priv.key
  2⤵
  - Executes dropped EXE
  PID:2668
- C:\Users\Admin\Desktop\LockBit-main\builder.exe
  builder -type dec -privkey Build\priv.key -config config.json -ofile Build\LB3Decryptor.exe
  2⤵
  - Executes dropped EXE
  PID:4108
- C:\Users\Admin\Desktop\LockBit-main\builder.exe
  builder -type enc -exe -pubkey Build\pub.key -config config.json -ofile Build\LB3.exe
  2⤵
  - Executes dropped EXE
  PID:4468
- C:\Users\Admin\Desktop\LockBit-main\builder.exe
  builder -type enc -exe -pass -pubkey Build\pub.key -config config.json -ofile Build\LB3_pass.exe
  2⤵
  - Executes dropped EXE
  PID:1932
- C:\Users\Admin\Desktop\LockBit-main\builder.exe
  builder -type enc -dll -pubkey Build\pub.key -config config.json -ofile Build\LB3_Rundll32.dll
  2⤵
  - Executes dropped EXE
  PID:1120
- C:\Users\Admin\Desktop\LockBit-main\builder.exe
  builder -type enc -dll -pass -pubkey Build\pub.key -config config.json -ofile Build\LB3_Rundll32_pass.dll
  2⤵
  - Executes dropped EXE
  PID:1484
- C:\Users\Admin\Desktop\LockBit-main\builder.exe
  builder -type enc -ref -pubkey Build\pub.key -config config.json -ofile Build\LB3_ReflectiveDll_DllMain.dll
  2⤵
  - Executes dropped EXE
  PID:1288

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\LockBit-main\Build.bat" "
1⤵
- Suspicious use of WriteProcessMemory
PID:4576
- C:\Users\Admin\Desktop\LockBit-main\keygen.exe
  keygen -path Build -pubkey pub.key -privkey priv.key
  2⤵
  - Executes dropped EXE
  PID:5296
- C:\Users\Admin\Desktop\LockBit-main\builder.exe
  builder -type dec -privkey Build\priv.key -config config.json -ofile Build\LB3Decryptor.exe
  2⤵
  - Executes dropped EXE
  PID:4220
- C:\Users\Admin\Desktop\LockBit-main\builder.exe
  builder -type enc -exe -pubkey Build\pub.key -config config.json -ofile Build\LB3.exe
  2⤵
  - Executes dropped EXE
  PID:2220
- C:\Users\Admin\Desktop\LockBit-main\builder.exe
  builder -type enc -exe -pass -pubkey Build\pub.key -config config.json -ofile Build\LB3_pass.exe
  2⤵
  - Executes dropped EXE
  PID:5956
- C:\Users\Admin\Desktop\LockBit-main\builder.exe
  builder -type enc -dll -pubkey Build\pub.key -config config.json -ofile Build\LB3_Rundll32.dll
  2⤵
  - Executes dropped EXE
  PID:2648
- C:\Users\Admin\Desktop\LockBit-main\builder.exe
  builder -type enc -dll -pass -pubkey Build\pub.key -config config.json -ofile Build\LB3_Rundll32_pass.dll
  2⤵
  - Executes dropped EXE
  PID:5200
- C:\Users\Admin\Desktop\LockBit-main\builder.exe
  builder -type enc -ref -pubkey Build\pub.key -config config.json -ofile Build\LB3_ReflectiveDll_DllMain.dll
  2⤵
  - Executes dropped EXE
  PID:5264

C:\Users\Admin\Desktop\LockBit-main\n\LB3.exe
"C:\Users\Admin\Desktop\LockBit-main\n\LB3.exe"
1⤵
- Executes dropped EXE
- Drops desktop.ini file(s)
- Modifies registry class
- Suspicious behavior: RenamesItself
PID:5128

C:\Users\Admin\Desktop\LockBit-main\Build\LB3.exe
"C:\Users\Admin\Desktop\LockBit-main\Build\LB3.exe"
1⤵
- Executes dropped EXE
- Modifies registry class
PID:8768

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2177723727-746291240-1644359950-1000\$R73A5G6\DDDDDDD

Filesize
344B

MD5
5f891604fe130e0ff1ef3022101ea186

SHA1
6f1cd70f54bb3b8a23ddcfcefd2bb2af9e48741c

SHA256
5909a7224fd186d13ee06d32367fffc024ccea9fa96a6f4d00a58e1c93a753dd

SHA512
783dbdb8e2a9fba76acda240c8d8aa518df010452cde0eec87c46c6b90affb005439c1139b890722efbbac41fe033c9cb414973a83230118e802fcf65e5e9772

Download Submit
C:\$Recycle.Bin\S-1-5-21-2177723727-746291240-1644359950-1000\$R73A5G6\DDDDDDDD

Filesize
344B

MD5
34f78ce5901ea139d7c08fe35ef1d4d9

SHA1
201cf9a312fc9bc3ded8e58e6bfeac74000ab774

SHA256
c02b3435924169e890771038476b39ee5055ac06d5475bcf7810242bb1f14fdc

SHA512
a4748afe6f497649e7579a70a775375aeb15ac3e49a993dd3be5662e0ea318b4918a83e6797f382fbef3a5956e989f4b39a3f154e1a548735e27488669c411a0

Download Submit
C:\$Recycle.Bin\S-1-5-21-2177723727-746291240-1644359950-1000\$R73A5G6\DDDDDDDDDDDD

Filesize
149KB

MD5
d6f426dd64b3333ee7b3dfbb3e02eb8d

SHA1
b99dc891b249ed74a5a263afa99d0d4acb5d9fd8

SHA256
c3d9080bbe0c718507e3f99d405b42dfbea5bfc48b7a17467eb04301015b32d4

SHA512
67618a2708d071882e42a5c7a849a880888b99a3eb129a967cccd0a810a5c4c4fbfc0cb22a3b84d2744fc0da0f24472f1faa44106a0f031b1f24929814c3ba0a

Download Submit
C:\$Recycle.Bin\S-1-5-21-2177723727-746291240-1644359950-1000\$R73A5G6\DDDDDDDDDDDDDDDD

Filesize
54KB

MD5
06e630163922aab352daac4d05283131

SHA1
e4a069100ce9dafb85639f44110f234254c1ee13

SHA256
f7f39d18ba80c2be8fcd88a94e4090bc3c0d8ccd7e3525f3edf3694177ff3a9d

SHA512
f89a79dbe6f0c47a480e4b863209a0039c0c375e5d8598dd2be35b2f859e427227938743e6779d03c4735daf05e990f9f3d178e34b7de724a609df136081b52c

Download Submit
C:\$Recycle.Bin\S-1-5-21-2177723727-746291240-1644359950-1000\$R73A5G6\DDDDDDDDDDDDDDDD

Filesize
2KB

MD5
4d0275a141d4a981acf53876ae5c9e78

SHA1
1488305a4b72183d5cf924d1e053f027bf78ef1f

SHA256
80a8018de8e1eaebaef562c26f229fd4257ed5040fe477247b156754a0e4d0e3

SHA512
3eba9713ff1b1e231ae953800a5d7c9d6f29831e539a5b10d55f70958dbd54a7501ddb60257c721a5d6b70af6c67a181368524bf667229300c71fab20e5fddc7

Download Submit
C:\$Recycle.Bin\S-1-5-21-2177723727-746291240-1644359950-1000\$R73A5G6\DDDDDDDDDDDDDDDD

Filesize
152KB

MD5
a341a4c2c8c7de0a6acdf66a7502666d

SHA1
ca5ad9ce90fc5cfc7d226e08ca91a0fa4a03ef7b

SHA256
5620eaa16fc1824ecc59a111650ac75a979f2901b5654c6d7a23da352bb43769

SHA512
b3aa1b49c82d14b6376be55e14c36d8a164171d8a51c97d169561abf487998b8a13edafdf7f48ff9ce7b5cc2fc271fc09550b981625ae23431ca5611c31a1423

Download Submit
C:\$Recycle.Bin\S-1-5-21-2177723727-746291240-1644359950-1000\$R73A5G6\DDDDDDDDDDDDDDDD

Filesize
1KB

MD5
03019472a005445f72dea01f91ac8386

SHA1
e2621ae91eaa2801079afa0b9d88126350ac817c

SHA256
6be8f5dae4a3e6f35108798633e6a4cf3f176149b9c3db86059057a94a12d7a2

SHA512
5c0ae556c9b554605aa1caea58964ebb8ae7aeb4efe47a5e5eac0f3a8768b0634c20165cad6e0b8db33252b8bc43105875355e6440ea575fc36a71cf324fc143

Download Submit
C:\$Recycle.Bin\S-1-5-21-2177723727-746291240-1644359950-1000\$R73A5G6\DDDDDDDDDDDDDDDDD

Filesize
16B

MD5
3e52d8c022ebd975b6df4e237e38c847

SHA1
f02fab448df27b318a25fceb60fa6630e0546364

SHA256
d7675037b65609ee2df971532fe951781ecc58c1279398a9bdaf2edaf2bb599b

SHA512
df8168fce0b30afeeaa8d6e8a80b553c450f74def9a7255427ebb5bad740e71587e9bd5610f12001e900d6a30fd08f55f9937bb5d86fe8633af9615fd0f3afe6

Download Submit
C:\$Recycle.Bin\S-1-5-21-2177723727-746291240-1644359950-1000\$R73A5G6\DDDDDDDDDDDDDDDDDDDDD

Filesize
148KB

MD5
c7998741b71770cc1071e653cac7b3dd

SHA1
7377f7f403aec5d4b1285d2e70ba957bc29daa9d

SHA256
2b26454c37aa820b5131f03f1236a4a7686da456ca9a56c24e36b6b5e62c2a61

SHA512
b2625ba9612c08a239929bd3f40108d6442f2c8d8efe2bda78ccb47829d024133d8734bcf9a251e6c529b80788ab9de6f72c7d8d4cdf51e706ac1edeb4a49ca3

Download Submit
C:\$Recycle.Bin\S-1-5-21-2177723727-746291240-1644359950-1000\$R73A5G6\DDDDDDDDDDDDDDDDDDDDDDDDDDDDD

Filesize
106KB

MD5
c24479d7b02b9def066a97e6067b2490

SHA1
a2d38c870f34d8c6a2d2f87404cf5d916b15ff18

SHA256
7424bc0a28dc01e7003ff7519750088fd442201f3fb7ff6ee8683c3daa7c913f

SHA512
d3d1ad915983c136168c0fbf102b3c169b5dd734d87cd7196a366aaf9df302ac1e7f0005f25e74ce138a859405c5411ca674f765f6333ccccec8b23e9543ed50

Download Submit
C:\$Recycle.Bin\S-1-5-21-2177723727-746291240-1644359950-1000\DDDDDDDD

Filesize
112B

MD5
2cedd963b37462ef1b9e1cb1e881d66c

SHA1
4246895d50d1da6f2788d412f0962b443ee8f8cd

SHA256
360c05b575a5cc9caedb0e473186730458d6191af406a38bd0a78b71a334e503

SHA512
36fe42b46ff808b9f68bfa8a4c819e0440ae3141bc3570ad1afcb3c3839dccb289923cf972a604741d11afde4aa5f5434767a416f85c928d84691ed0297ec3a2

Download Submit
C:\$Recycle.Bin\S-1-5-21-2177723727-746291240-1644359950-1000\DDDDDDDDDDD

Filesize
129B

MD5
5c335c6dea7a42085491d9ee64e927f6

SHA1
727e3c8cf398cdcc071d267d24d1d2249520645b

SHA256
dd8b4eea4684edd22001f2b07767414cf670a7c5a660f87f531b70cfcac958c2

SHA512
0ef039c139c07fc23589feece34c14e7d7aa2235e29862321d74d148f0812f71b5125495f5fdcb6d67c354293e5fdd19e098b043c3e776433452203b8228c75f

Download Submit
C:\$Recycle.Bin\S-1-5-21-2177723727-746291240-1644359950-1000\YYYYYYYYYYY

Filesize
129B

MD5
414da3cc01ccd10f9905643e032733c3

SHA1
3ddf6ed138874394e203dd1d2767b38ef8b56147

SHA256
2f9c22fad8d6e47730409402d4357cfdf80409fb1bf35103b69590123ede64ed

SHA512
978565860427812ed21c54c345fe31692b92f588ec61f0eb51fe6367cf474dfd9057c63305666d77c94e186b1770b4f4b35fb01f1517d7980516047be5a67577

Download Submit
C:\ProgramData\B88E.tmp

Filesize
14KB

MD5
294e9f64cb1642dd89229fff0592856b

SHA1
97b148c27f3da29ba7b18d6aee8a0db9102f47c9

SHA256
917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2

SHA512
b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\Microsoft_AutoGenerated_{A5E73466-E220-8EF4-B956-A582187356D9}

Filesize
36KB

MD5
8aaad0f4eb7d3c65f81c6e6b496ba889

SHA1
231237a501b9433c292991e4ec200b25c1589050

SHA256
813c66ce7dec4cff9c55fb6f809eab909421e37f69ff30e4acaa502365a32bd1

SHA512
1a83ce732dc47853bf6e8f4249054f41b0dea8505cda73433b37dfa16114f27bfed3b4b3ba580aa9d53c3dcc8d48bf571a45f7c0468e6a0f2a227a7e59e17d62

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}_comexp_msc

Filesize
36KB

MD5
eab75a01498a0489b0c35e8b7d0036e5

SHA1
fd80fe2630e0443d1a1cef2bdb21257f3a162f86

SHA256
fdf01d2265452465fcbed01f1fdd994d8cbb41a40bbb1988166604c5450ead47

SHA512
2ec6c4f34dcf00b6588b536f15e3fe4d98a0b663c8d2a2df06aa7cface88e072e2c2b1b9aaf4dc5a17b29023a85297f1a007ff60b5d6d0c65d1546bf0e12dd45

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{3a32eb41-d706-418c-9b91-d3e14facd0d8}\0.1.filtertrie.intermediate.txt

Filesize
5B

MD5
34bd1dfb9f72cf4f86e6df6da0a9e49a

SHA1
5f96d66f33c81c0b10df2128d3860e3cb7e89563

SHA256
8e1e6a3d56796a245d0c7b0849548932fee803bbdb03f6e289495830e017f14c

SHA512
e3787de7c4bc70ca62234d9a4cdc6bd665bffa66debe3851ee3e8e49e7498b9f1cbc01294bf5e9f75de13fb78d05879e82fa4b89ee45623fe5bf7ac7e48eda96

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{3a32eb41-d706-418c-9b91-d3e14facd0d8}\0.2.filtertrie.intermediate.txt

Filesize
5B

MD5
c204e9faaf8565ad333828beff2d786e

SHA1
7d23864f5e2a12c1a5f93b555d2d3e7c8f78eec1

SHA256
d65b6a3bf11a27a1ced1f7e98082246e40cf01289fd47fe4a5ed46c221f2f73f

SHA512
e72f4f79a4ae2e5e40a41b322bc0408a6dec282f90e01e0a8aaedf9fb9d6f04a60f45a844595727539c1643328e9c1b989b90785271cc30a6550bbda6b1909f8

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133573951951820063.txt

Filesize
77KB

MD5
e28a497e4354e7d029c604033b70aa09

SHA1
bcd63bd5160b7ea3be74a2fd33169d349f813d90

SHA256
d80449ce6fd9b74a8a28f4f331398d009d9b5ba8b0abaff786d4aa3815358996

SHA512
6298b1e28203b76f3a29e855e85b0cb1edef0607b19f6a60035af147c91ae2e88badd8ee4707c970597febf922dccb5a774620534ea702b90998b1b8c8a39405

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133573957476033336.txt

Filesize
48KB

MD5
fb78065187348f227fd882921b094074

SHA1
7fb91851b3fffaa5d28e3e434c0490822b880937

SHA256
a25c40c18d36e6932c43fc6f76de4f7826608775bf87d88a385ce692d883daf3

SHA512
0cacbcc7bc0d80170ee810bf233724f0ba4f4fe462107de2bc48c8a8e1c7546e9714db244c672830fe887559c9e59b3ead6504fc6305b67a6ae596e43c569ea0

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133573960313703468.txt

Filesize
66KB

MD5
47c5469d38803a4a184cb8573aed02fc

SHA1
0d3748757c4206f410409bc608c4d389b51c53d9

SHA256
fdbfb574f8a4620613186b6ab4e64e8e76ddfc27b06751d4b7c599f302761c64

SHA512
e96a8e460027fbf742205d7bd779693a0a78245f23525618c7410bbc9686e34ec360c50cc9a35d2b7eee2db9b7171eb2196c9197dfa797c30120d4f358c959f7

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.XGpuEjectDialog_cw5n1h2txyewy\Settings\settings.dat

Filesize
8KB

MD5
a8308d2f3dde0745e8b678bf69a2ecd0

SHA1
c0ee6155b9b6913c69678f323e2eabfd377c479a

SHA256
7fbb3e503ed8a4a8e5d5fab601883cbb31d2e06d6b598460e570fb7a763ee555

SHA512
9a86d28d40efc655390fea3b78396415ea1b915a1a0ec49bd67073825cfea1a8d94723277186e791614804a5ea2c12f97ac31fad2bf0d91e8e035bde2d026893

Download Submit
C:\Users\Admin\AppData\Local\Temp\{234E8C58-ECE6-4C9F-86D8-F9F2A0873EBA}

Filesize
4KB

MD5
1bab2104babdb4db9f27d11184f5ca6e

SHA1
f5a78857b6c9763dbd182767fa07fd0af9025bc9

SHA256
be8fbdb40d35d429c4579ee320eefd4475d78989b919b7b5bbf8ea4e03728e19

SHA512
8591c0f9232e4ac6f2aed6bd8b3d066aa5901a16dc2bc35ee7d0432b40b2483ef145da98129c8e374f4c18acedd61a92a311fa4400ef188082c19dc3bf339ef6

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4p84urxf.default-release\storage\permanent\chrome\idb\3561288849sdhlie.sqlite

Filesize
48KB

MD5
4615fb8a74bbd4d1b565b959312cc2b8

SHA1
82369b42f01563ac916e0e51a3f3ab15c4b8fb97

SHA256
a5b27e862d4d872a0c08c9971a3881d1f0a29c22be7c9c3d8656b81beb7adc19

SHA512
2d74f2af3c764a4b6b327d0773592bd2b7c02d2efc5a332cd1bce4357e2140080e3c30765f68198409f218324c8b02fa24ac7a5b96e128411b1b42a1d057e37d

Download Submit
C:\Users\Admin\Desktop\LockBit-main\Build\DDDDDDD

Filesize
153KB

MD5
e143a21459d3333f9f7847ce8c7c7a1c

SHA1
c4f7ed53f82a1e4b6880b92bebe5d54bcf64560a

SHA256
f2834da3a18364bf6ecd5006e6b8ae28eaac0477d91fe84c6eecdaff6e8e1f56

SHA512
162529e417fd723c069f3acb16cb61830ee6bf89d8641bf0d02b29c01c03b8b7340581cc8029d3a05d38856c66ecf7b5fe6611416ed75f3a48c245c33916dc14

Download Submit
C:\Users\Admin\Desktop\LockBit-main\Build\DECRYPTION_ID.txt

Filesize
265B

MD5
c84b2aa99287cebce7fb1b8b66baab23

SHA1
259956051a1b42ce31d309a99b6a0c51c6f5b43a

SHA256
89b89dce91fd074b484c2be8e10185ed98d4d4b5000dd04a5718dcd64b5037d9

SHA512
1453ff4ac6899c787f3aac3a3a079e34c277ebc09a3eae85ddd4da6318b5f0dd9748dd0324780c5b9048a7fc9098af023a00b48e91fbcfa0221b9eb87d979319

Download Submit
C:\Users\Admin\Desktop\LockBit-main\Build\LB3.exe

Filesize
153KB

MD5
5b70730ba07c704f82f224b1c4e262af

SHA1
38161e799145fa1c24cb2db943c7eaa352c7234d

SHA256
88dcb152bd591029d0f10741c87903585b44e64de5b051ecfb19d38036250216

SHA512
41bca097c24d449c120d6e0e5c8754c2fdbd8588add5a32f34cac0830ab177ad4e91e189cb26f108dbd2424dc9370d124d9b14c763a95b4ca80133b4c700d8a5

Download Submit
C:\Users\Admin\Desktop\LockBit-main\Build\LB3Decryptor.exe

Filesize
54KB

MD5
d7fa81a4cdaca7de140820b4c139bd1e

SHA1
b183cadeebafdea297613e295321a88245a5555b

SHA256
768fa3008dcd5b9aac1a7494cf1c5fdae01d5fe3cfd808c57749dcd6a11a34eb

SHA512
5791e6e650c66751f8ce40dea9cab181484fe58029f0ad96cebad94c91e603f83eabaa606c9ba1d3d3366608a78c238768ab1b48dda65dae60e646dafedd7d61

Download Submit
C:\Users\Admin\Desktop\LockBit-main\Build\Password_dll.txt

Filesize
2KB

MD5
42387b657af764b33b902a8584a2c52d

SHA1
3df2e7cbaac066e297b611e167c9015716afb87b

SHA256
ca4d6ba092e465df0eae2ec97f9ded7f8db09592df1fa35212cd185cd0cabe55

SHA512
d3d68818887868fc23ecc5ed6d5c8ff20158727c950c49ea2dc4372f47aae0e086f4c274083599715591f6a630ee93de51dec8ee8a72a40c899c30f5f2a874f6

Download Submit
C:\Users\Admin\Desktop\LockBit-main\Build\Password_exe.txt

Filesize
2KB

MD5
bdb4ddcfb1c88cc6623ec56150087be5

SHA1
8f1865338659256094a06094f3848b1b12ff8c16

SHA256
b006d340eb4aa1ee2b7a402479c631966bee57d95f36387e269d2fcae7bdf578

SHA512
2a482b4e13bfccaa5fcc9f8a460b8cf71e7c9c4a6da13904ade8a0b857d545cf65eebd68d99a5234507933c7a962541a5cca14dd684efcb6d8dd9c7f22b70b69

Download Submit
C:\Users\Admin\Desktop\LockBit-main\Build\priv.key

Filesize
344B

MD5
e4a62bc34681dc52b28a521ac453a4c2

SHA1
d60a5741c25682cbf9fe1849f32761fa10e5bd76

SHA256
53970d5172d4da67163046a9ce0c1458d48ab0df30d55db65a1940ccf8700b47

SHA512
4fa6fc662727e328be1cfc0626279a004680f84f8fd8fc6f180ddeda26a4c23a32b47c08c32a737357ced8349cca58bce93d2a386371ffe5e4fd63f15bc569b4

Download Submit
C:\Users\Admin\Desktop\LockBit-main\Build\pub.key

Filesize
344B

MD5
800806e81cae8dfec8c491e098857e83

SHA1
e610b8b5bafe515a4d13d48c3be0c53a66c35569

SHA256
5f8033242a822c23ae633f12bff896821bd7ded7875cacbe182d9ca069a83278

SHA512
f5336151965e711d8dab6a1d320bc7a8080988cafba5a0f43f081d26ae007ffd0e340afee546861aa134c66f6638b56fe712730931f45d74cd06692b1a39628b

Download Submit
C:\Users\Admin\Documents\OneNote Notebooks\My Notebook\Open Notebook.onetoc2

Filesize
4KB

MD5
8dab5b43f6ab04b08ad79408c1fa6c4e

SHA1
cdb14ee80117e100ce93e56066e38736861675c4

SHA256
b6c4d431be1790c54453bf44e5f7595b0633b14699759928acf839e7ae280181

SHA512
ef22039ddda89454e766a3a7eb4097bbe5735c66102bc05f50d414f30408f3ea025cd00c276edd02d02cfda794962eec766adbedf3dce95549e8366968dbb1a1

Download Submit
C:\Users\Admin\Pictures\CompareTest.wmf.lwvHVrFiF

Filesize
177KB

MD5
927056a6996b8d82ac04f31d52385f22

SHA1
73d3b550c7f6d800c1c0acf80b2da986a3eafdf7

SHA256
757a23b10804f75baa370a406fb31abdd95bc1d8b6d640757d923f6ba5cbcd4d

SHA512
85c463d60d6c3159d65c6dc6471d95a5a23fae1585e26df67929e4093cbd2631f6d1a76694f4cb7fc1c846d00d0a6f824290c06499e5a4e1ba9c8888cd31aa6d

Download Submit
C:\Users\Admin\Pictures\ConfirmGroup.eps.lwvHVrFiF

Filesize
288KB

MD5
067bf4b75f3f1b353f315498093a7ff1

SHA1
a7839bf8066669bda54b2476ee6d3a619a8ab301

SHA256
5b1a3d37889c51ca23c590117b2487fe5cd5de04f2cb1aadbd766335c4ea18f6

SHA512
de0374958f8e613f16307bb6aea1c656f8d512c14f97dc2a6937daa97d7270aae67ab8991d72c3c9bb1ef9cdc2db6d534ae6ad3c79f05b927fe226c330424148

Download Submit
C:\Users\Admin\Searches\winrt--{S-1-5-21-2177723727-746291240-1644359950-1000}-.searchconnector-ms.lwvHVrFiF

Filesize
1KB

MD5
9f06072a1476b13e63fa7f2ef43ec0ec

SHA1
e06800165f8b4bb9f29af0680e49cd8a0d3c4f68

SHA256
5211e160cff7a1e8464fb70af95983ef8cac9e289bf9b3f87a5f891f2d461a18

SHA512
ab38fd265e69cbba890335b60643fe1a7bea57356703a4cfa39130b530277d0dead4476cb5b8e6854489f3ea3d303b45f07512579c39906e4e96c222a8b0ed51

Download Submit
C:\lwvHVrFiF.README.txt

Filesize
6KB

MD5
dd746ace17e44ace00885b91400f11d5

SHA1
4a0302d2dca400598f396e4230fdae71779cbeaa

SHA256
b27c3c8a30faf7c76483b7e5d964ae85046a9713caa46508ee7a1e31b7dc6272

SHA512
8ac26aa7262fdf1afdc74e604720a79ebde076c75f460d7d5f57ff4d81dedb1ad471eb114ddd428c1934029746f5c222339090680bc77a6ea09ce329e1da3ef1

Download Submit
C:\vcredist2010_x64.log-MSI_vc_red.msi.txt.lwvHVrFiF

Filesize
379KB

MD5
0e1fbc1ee468a068a622af40c5344a77

SHA1
d9b013173af5cbb3a0ae5c2c328760df1a17e000

SHA256
98f2248aca46d7d7bda7acd27e4f6849ba72f9f9c88c0c21bb4f44dd6294092c

SHA512
981042fbbbe6788727f41725e46b3444493b50bcec938cd16bbdfda9c1b3ed60169908ad65ba17aa833536d185a347b6fd465c15f0f50608616750172790368a

Download Submit
C:\vcredist2010_x64.log.html.lwvHVrFiF

Filesize
86KB

MD5
68b10ba5d98dbd4d86e2d6375f00d27a

SHA1
d8485954ac0159476c5cae44083efbfea17c579b

SHA256
ac5267c3652b3321b8d2a1314d94fed22c81849c093bff440956096687fb295b

SHA512
70ed98ed8af1531a05d36732de80b8aaceaa60737ef16d5fa3a8c5b815f05f63df1424d77d4f0bac1c8ac3ab089f811818adfcffa94660ec90d2fed502f28c59

Download Submit
C:\vcredist2010_x86.log-MSI_vc_red.msi.txt.lwvHVrFiF

Filesize
395KB

MD5
9ccc594f2b7f2d38db102cd6aea2aac7

SHA1
3800ca6039760dd01f92de50806cdfeb7674e387

SHA256
9f596b989c49fe60debf2253f0c9ffddf1e59635e541990cd027d05bb0ee9e9a

SHA512
fb262df88d812b7019ea5ed3b863a0b0d93015d2fe840025ed841928e0c2fe7fc4b77ccbe092c09b9b8aa323b0e682a7b27874d6c549b21049ba1fa8c25ec090

Download Submit
C:\vcredist2010_x86.log.html.lwvHVrFiF

Filesize
81KB

MD5
a7a5aca79e543f1082986483fe450ca0

SHA1
de2c4ec4f64844fa1bcc5d33b54384d0029da48c

SHA256
9de9ab50b479372948acbf6e42f5fd6fc8580ccb04cab97bab8e42f3bfbc3ea5

SHA512
09d1b056955d2e2033ca4853ccecf07bf3e4609325abcc0077fde4a35d55308d8a506ca17e647beab310cb733e25d4d284ad0e4e71bf91162dbdd4140c2e4354

Download Submit
C:\vcredist2012_x64_0_vcRuntimeMinimum_x64.log.lwvHVrFiF

Filesize
168KB

MD5
352911ba9a477524c492ee4a5befe3a3

SHA1
1b38c26612b103b4722c7071a0549b9d19dd8661

SHA256
33c83708a72d4d6c5b53081b22ec27d474d8a9ffab80ec6925c53732254b8466

SHA512
c4f9014b8cd36981a91e5ef3c097a7b1e516f2ea3d0b17bb753376ba34a2a67a9deedeaf93226c9feeba25c6e4fc23a77b04d197d1eff0c8a020f4c748063890

Download Submit
C:\vcredist2012_x64_1_vcRuntimeAdditional_x64.log.lwvHVrFiF

Filesize
195KB

MD5
6bb8a5b066815b28d69c75412ab028c2

SHA1
a862d2b8ef58b97d95215205e665bfd521cc80ca

SHA256
c9b0c3f53118b268a3e003079f6044edef664e98dcdaf5649da1917c1b6f2430

SHA512
3a7f70a616004abaf9ec5c7905e3c2de04986aad0a3d06ca122e09a2ca9782e93d667bd4c5ad57454368d130bd443b5d3a2c52bd57b03e7ab69f99ea67b62bf5

Download Submit
C:\vcredist2012_x86_0_vcRuntimeMinimum_x86.log.lwvHVrFiF

Filesize
171KB

MD5
a512f35aef18cd72cfc5301f3978e697

SHA1
2e5f4af88292586e45b14e22269d2b5b418825be

SHA256
077aa4d2d3b3c49e5d6c5f7c36f54060dcc4a71e647f0c2c782472167157bcad

SHA512
0345801eda423c11f8115b6a5ee0b379cc37bd56615a5035aabc61da5d12da98ac43777d17ef9f76b584f93b2037b3698b4936bb4eb02a8f95b78e60dd3912bc

Download Submit
C:\vcredist2012_x86_1_vcRuntimeAdditional_x86.log.lwvHVrFiF

Filesize
208KB

MD5
bd1623cb6c9f4449cefcbd5feecb1a72

SHA1
9a9162dc83939dee80aaf7fc0797972fed558e34

SHA256
7240c3a60b7aa828c4809c91c57c638a5ae1172ccb0c429a3ee258414c7f33eb

SHA512
c46c4ac2eb09039e1b08767c99b98b67b29298c33a2441791bc0285adf5b6de484f56c1cc90b4003cde133d8653eeb2cede2b32854eb605b5ce536f86bdfcd2e

Download Submit
C:\vcredist2013_x64_000_vcRuntimeMinimum_x64.log.lwvHVrFiF

Filesize
170KB

MD5
8b0056e752446b4b4ec1924c5ed8e62e

SHA1
c2a94353d5aba20eea5a2e019721f5b1ded62d06

SHA256
0c6ce1acd02304287f865f7c26d70d5c1ec74c9b688115f3341d1868abe2fbb7

SHA512
73b72796eaba45e2180d7bbeede4130651703d62a6ff79d6840857524e48514d59027215196e1462cb68836a982ff658f1b16823b96794abc837b0210c3bdcef

Download Submit
C:\vcredist2013_x64_001_vcRuntimeAdditional_x64.log.lwvHVrFiF

Filesize
191KB

MD5
f177bef56accf0b32d90483d18a7fb4a

SHA1
b6ddd26b07768def30d8924ea837f3be6a06913c

SHA256
1cef72f28b73aab1c21056d39e97739919d7e66ac1946ccc24d3487371779deb

SHA512
208a4022d7271225c3233dfbd06ce6e35d7f33309e3fd43794d5a7caf8c961b0cbbe3c262b99ff73d61f5acc240d678aceb2dbc01de1fb9fc32cb445f00f3c64

Download Submit
C:\vcredist2013_x86_000_vcRuntimeMinimum_x86.log.lwvHVrFiF

Filesize
170KB

MD5
eab5e2c4a91baa1d3feb57d047e137e9

SHA1
88867e44c3f406badff48bf05e3fddcb754d5c77

SHA256
7ffd79deafe064fe48dd3d714f58e8b2ab676b23e61b59cc5d18004836377b25

SHA512
feadbf6c6c5dd93c1005eeeecfe4f738e27260f9413ec9911719387757db094cefe5243d6e4ddee201e18ad2c1bf3b91fd401277989f47d0224b0798665e64a4

Download Submit
C:\vcredist2013_x86_001_vcRuntimeAdditional_x86.log.lwvHVrFiF

Filesize
199KB

MD5
8abe8e654d82bc35be40f988afae5302

SHA1
61d317181b6e85c4972f01dcb3716ca138e49aa7

SHA256
dc567d1ee19be63c0465a109db657a81769afebb7ddf8df89b21c96773296dc0

SHA512
1275eb1f3834ca48827d1259708201d5c8024e51dc15938de64bf1425fa0dda90492070c9f57db7203f7c0195be46d573c80f2a348daae58af0c1a9df0399b1a

Download Submit
C:\vcredist2022_x64_000_vcRuntimeMinimum_x64.log.lwvHVrFiF

Filesize
123KB

MD5
a41c2b3c70c052502e31269e090b2b1e

SHA1
7b33310c1fcccd515dbdc5b4fa2aa9b6d072f2b7

SHA256
881bab499667169a22ce7494ecde440c2f813349c5fe3cddf4a2b4afc3e241b5

SHA512
6a3ed13604a49c8b82d0844a2db94e87b528de301304c0e76e7742c82ff1e059ceb781ad8c0f846a8d46e63460f34b08237aa1e66222833d0c5b5204e8087942

Download Submit
C:\vcredist2022_x64_001_vcRuntimeAdditional_x64.log.lwvHVrFiF

Filesize
130KB

MD5
b2e597aa91080fb052673faaeba7e8f0

SHA1
2537c87516a59b502eed989822976a62f73e5ad9

SHA256
6f40fdb25008bbb9f5a11322f837f8d8928092bfb83d1348a51b0a715ca78553

SHA512
779bdf622e40a4a40469f8a080c587e95ed27538f7cdc7de79e15dcf2bd34d71e5c4d445939c6c05761edb72fec300ecab3b07e94d37d8092dc9f58850f3d5e7

Download Submit
C:\vcredist2022_x86_000_vcRuntimeMinimum_x86.log.lwvHVrFiF

Filesize
123KB

MD5
86347c80cf58671d92551544c1876eeb

SHA1
3cd9dd566ba327440a2c69806e907efb3b11a02e

SHA256
576cb656ff62eabe65f872341920fae8f71f6068615882d75f41f64955ca28ac

SHA512
b338fcd93a1d336509e754ef257d84fb178daed76db963cf5eedebd9fc89ed1735a1c6607d0d1698215ee516a166a9b23b0571b22cf71019414097e9b7e20229

Download Submit
C:\vcredist2022_x86_001_vcRuntimeAdditional_x86.log.lwvHVrFiF

Filesize
135KB

MD5
cb53fc7644dadede2744b071eb10d535

SHA1
21a0d4d713858260f70c2b3f48ca3b3a8cb26edd

SHA256
def39dde95b0655162bedd027734809e0e0d3a0a471bce5fb733d99e189c7dea

SHA512
5242bbc86dad89cd0c7580f53bd305253c4848a16a8b1c122db0b2cf4d1946dee0d1fb0a4e5ebd9e9e5b4b0a58f6aa385f26436845335c40293ce11725a9f47b

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-2177723727-746291240-1644359950-1000\DDDDDDDDDDD

Filesize
129B

MD5
2fc3442cec4a1d093d7bb9e552b6375c

SHA1
2719692b19c3ce2b6e91df8958ee6ec42ac0fea1

SHA256
94a2532d348a1266eaf9f3c5d28e126d563372b95222c95e68e0d4d48b0f8310

SHA512
d8de793661ce6570229ff2149db0a58c60f4808560b794543b691136399078b292189de3d504445154557c8273462ed43d245a1220e5e6c350bea8c57d90c54e

Download Submit
memory/4868-16-0x0000000002C90000-0x0000000002CA0000-memory.dmp

Filesize
64KB

Download
memory/4868-17-0x0000000002C90000-0x0000000002CA0000-memory.dmp

Filesize
64KB

Download
memory/4868-15-0x0000000002C90000-0x0000000002CA0000-memory.dmp

Filesize
64KB

Download
memory/5128-3592-0x0000000002E10000-0x0000000002E20000-memory.dmp

Filesize
64KB

Download
memory/5128-3593-0x0000000002E10000-0x0000000002E20000-memory.dmp

Filesize
64KB

Download
memory/5128-3594-0x0000000002E10000-0x0000000002E20000-memory.dmp

Filesize
64KB

Download
memory/5152-2857-0x0000000000530000-0x0000000000540000-memory.dmp

Filesize
64KB

Download
memory/5152-2859-0x000000007FDC0000-0x000000007FDC1000-memory.dmp

Filesize
4KB

Download
memory/5152-2856-0x000000007FE40000-0x000000007FE41000-memory.dmp

Filesize
4KB

Download
memory/5152-2858-0x000000007FE20000-0x000000007FE21000-memory.dmp

Filesize
4KB

Download
memory/5800-2863-0x00007FFF60D50000-0x00007FFF60F45000-memory.dmp

Filesize
2.0MB

Download
memory/5800-2853-0x00007FFF20DD0000-0x00007FFF20DE0000-memory.dmp

Filesize
64KB

Download
memory/5800-2861-0x00007FFF60D50000-0x00007FFF60F45000-memory.dmp

Filesize
2.0MB

Download
memory/5800-2904-0x00007FFF60D50000-0x00007FFF60F45000-memory.dmp

Filesize
2.0MB

Download
memory/5800-2901-0x00007FFF20DD0000-0x00007FFF20DE0000-memory.dmp

Filesize
64KB

Download
memory/5800-2869-0x00007FFF60D50000-0x00007FFF60F45000-memory.dmp

Filesize
2.0MB

Download
memory/5800-2870-0x00007FFF60D50000-0x00007FFF60F45000-memory.dmp

Filesize
2.0MB

Download
memory/5800-2866-0x00007FFF60D50000-0x00007FFF60F45000-memory.dmp

Filesize
2.0MB

Download
memory/5800-2868-0x00007FFF60D50000-0x00007FFF60F45000-memory.dmp

Filesize
2.0MB

Download
memory/5800-2867-0x00007FFF1E7A0000-0x00007FFF1E7B0000-memory.dmp

Filesize
64KB

Download
memory/5800-2865-0x00007FFF60D50000-0x00007FFF60F45000-memory.dmp

Filesize
2.0MB

Download
memory/5800-2862-0x00007FFF1E7A0000-0x00007FFF1E7B0000-memory.dmp

Filesize
64KB

Download
memory/5800-2864-0x00007FFF60D50000-0x00007FFF60F45000-memory.dmp

Filesize
2.0MB

Download
memory/5800-2908-0x00007FFF60D50000-0x00007FFF60F45000-memory.dmp

Filesize
2.0MB

Download
memory/5800-2903-0x00007FFF20DD0000-0x00007FFF20DE0000-memory.dmp

Filesize
64KB

Download
memory/5800-2860-0x00007FFF60D50000-0x00007FFF60F45000-memory.dmp

Filesize
2.0MB

Download
memory/5800-2902-0x00007FFF20DD0000-0x00007FFF20DE0000-memory.dmp

Filesize
64KB

Download
memory/5800-2905-0x00007FFF20DD0000-0x00007FFF20DE0000-memory.dmp

Filesize
64KB

Download
memory/5800-2907-0x00007FFF60D50000-0x00007FFF60F45000-memory.dmp

Filesize
2.0MB

Download
memory/5800-2855-0x00007FFF20DD0000-0x00007FFF20DE0000-memory.dmp

Filesize
64KB

Download
memory/5800-2852-0x00007FFF60D50000-0x00007FFF60F45000-memory.dmp

Filesize
2.0MB

Download
memory/5800-2854-0x00007FFF60D50000-0x00007FFF60F45000-memory.dmp

Filesize
2.0MB

Download
memory/5800-2906-0x00007FFF60D50000-0x00007FFF60F45000-memory.dmp

Filesize
2.0MB

Download
memory/5800-2850-0x00007FFF20DD0000-0x00007FFF20DE0000-memory.dmp

Filesize
64KB

Download
memory/5800-2851-0x00007FFF60D50000-0x00007FFF60F45000-memory.dmp

Filesize
2.0MB

Download
memory/5800-2819-0x00007FFF20DD0000-0x00007FFF20DE0000-memory.dmp

Filesize
64KB

Download
memory/5800-2849-0x00007FFF20DD0000-0x00007FFF20DE0000-memory.dmp

Filesize
64KB

Download
memory/5800-2848-0x00007FFF60D50000-0x00007FFF60F45000-memory.dmp

Filesize
2.0MB

Download
memory/8768-6640-0x0000000002E60000-0x0000000002E70000-memory.dmp

Filesize
64KB

Download
memory/8768-6641-0x0000000002E60000-0x0000000002E70000-memory.dmp

Filesize
64KB

Download
memory/8768-6642-0x0000000002E60000-0x0000000002E70000-memory.dmp

Filesize
64KB

Download

Resubmissions

Analysis

Sharing

Errors

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads