lockbit | 707bb3b958fbf4728d8a39b043e8df083e0fce1178dac60c0d984604ec23c881

Resubmissions

17-04-2024 10:53

240417-my9fhaeb8s 10

Analysis

max time kernel
2494s
max time network
2605s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
15-04-2024 02:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

LockBit-main.zip
Size

292KB
MD5

68309717a780fd8b4d1a1680874d3e12
SHA1

4cfe4f5bbd98fa7e966184e647910d675cdbda43
SHA256

707bb3b958fbf4728d8a39b043e8df083e0fce1178dac60c0d984604ec23c881
SHA512

e16de0338b1e1487803d37da66d16bc2f2644138615cbce648ae355f088912a04d1ce128a44797ff8c4dfc53c998058432052746c98c687670e4100194013149
SSDEEP

6144:n42LBVCsV+PkMeW9zTiY/NaQmHst5ySPzmcfIMwmafvR:n4EzwkMeWgY1NmyESPB1/aXR

Score

10^/10

lockbit ransomware spyware stealer

Malware Config

Signatures

Lockbit
Ransomware family with multiple variants released since late 2019.
ransomware lockbit

Rule to detect Lockbit 3.0 ransomware Windows payload 1 IoCs

resource	yara_rule
behavioral1/files/0x000700000002340d-284.dat	family_lockbit

Renames multiple (705) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4092317236-2027488869-1227795436-1000\Control Panel\International\Geo\Nation	8D3B.tmp

Executes dropped EXE 3 IoCs

pid	Process
2780	LB3.exe
5424	8D3B.tmp
2872	LB3Decryptor.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File opened for modification	C:\$Recycle.Bin\S-1-5-21-4092317236-2027488869-1227795436-1000\desktop.ini	LB3.exe
File opened for modification	F:\$RECYCLE.BIN\S-1-5-21-4092317236-2027488869-1227795436-1000\desktop.ini	LB3.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\system32\spool\PRINTERS\00002.SPL	splwow64.exe
File created	C:\Windows\system32\spool\PRINTERS\PPr9yw0el063pb0bnuwlm8ahxdb.TMP	printfilterpipelinesvc.exe
File created	C:\Windows\system32\spool\PRINTERS\PPjtq_p60efqpbvl0depg709__b.TMP	printfilterpipelinesvc.exe
File created	C:\Windows\system32\spool\PRINTERS\PPfzja1ar0nohlxwpgzqpozrwbb.TMP	printfilterpipelinesvc.exe

Sets desktop wallpaper using registry 2 TTPs 3 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4092317236-2027488869-1227795436-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\vmLZZJ2wA.bmp"	LB3.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4092317236-2027488869-1227795436-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\vmLZZJ2wA.bmp"	LB3.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4092317236-2027488869-1227795436-1000\Control Panel\Desktop\WallPaper	LB3Decryptor.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
5424	8D3B.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 9 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	ONENOTE.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	ONENOTE.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	ONENOTE.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	ONENOTE.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	ONENOTE.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	ONENOTE.EXE

Modifies Control Panel 3 IoCs

evasion

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4092317236-2027488869-1227795436-1000\Control Panel\Desktop	LB3Decryptor.exe
Key created	\REGISTRY\USER\S-1-5-21-4092317236-2027488869-1227795436-1000\Control Panel\Desktop	LB3.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4092317236-2027488869-1227795436-1000\Control Panel\Desktop\WallpaperStyle = "10"	LB3.exe

Modifies registry class 42 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4092317236-2027488869-1227795436-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2	firefox.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4092317236-2027488869-1227795436-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\Shell\SniffedFolderType = "Generic"	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4092317236-2027488869-1227795436-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	firefox.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\vmLZZJ2wA	LB3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\vmLZZJ2wA\DefaultIcon	LB3.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4092317236-2027488869-1227795436-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202020202	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4092317236-2027488869-1227795436-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\0\MRUListEx = ffffffff	firefox.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-4092317236-2027488869-1227795436-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4092317236-2027488869-1227795436-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616193"	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4092317236-2027488869-1227795436-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4092317236-2027488869-1227795436-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-4092317236-2027488869-1227795436-1000_Classes\Local Settings	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-4092317236-2027488869-1227795436-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4092317236-2027488869-1227795436-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2 = 14001f50e04fd020ea3a6910a2d808002b30309d0000	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-4092317236-2027488869-1227795436-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4092317236-2027488869-1227795436-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4092317236-2027488869-1227795436-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-4092317236-2027488869-1227795436-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4092317236-2027488869-1227795436-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202020202	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-4092317236-2027488869-1227795436-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	firefox.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4092317236-2027488869-1227795436-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4092317236-2027488869-1227795436-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	firefox.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.vmLZZJ2wA\ = "vmLZZJ2wA"	LB3.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\.VMLZZJ2WA	LB3Decryptor.exe
Key created	\REGISTRY\USER\S-1-5-21-4092317236-2027488869-1227795436-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\0	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4092317236-2027488869-1227795436-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4092317236-2027488869-1227795436-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	firefox.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\VMLZZJ2WA\DEFAULTICON	LB3Decryptor.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\vmLZZJ2wA	LB3Decryptor.exe
Key created	\REGISTRY\USER\S-1-5-21-4092317236-2027488869-1227795436-1000_Classes\Local Settings	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4092317236-2027488869-1227795436-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\MRUListEx = 00000000ffffffff	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-4092317236-2027488869-1227795436-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\Shell	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-4092317236-2027488869-1227795436-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-4092317236-2027488869-1227795436-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4092317236-2027488869-1227795436-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	firefox.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\vmLZZJ2wA\DefaultIcon\ = "C:\\ProgramData\\vmLZZJ2wA.ico"	LB3.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4092317236-2027488869-1227795436-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0100000000000000ffffffff	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4092317236-2027488869-1227795436-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 020000000100000000000000ffffffff	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4092317236-2027488869-1227795436-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\0 = 14002e803accbfb42cdb4c42b0297fe99a87c6410000	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4092317236-2027488869-1227795436-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\0\NodeSlot = "6"	firefox.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.vmLZZJ2wA	LB3.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
5060	NOTEPAD.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
5380	ONENOTE.EXE
5380	ONENOTE.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2780	LB3.exe
2780	LB3.exe
2780	LB3.exe
2780	LB3.exe
2780	LB3.exe
2780	LB3.exe
2780	LB3.exe
2780	LB3.exe
2780	LB3.exe
2780	LB3.exe
2780	LB3.exe
2780	LB3.exe
2780	LB3.exe
2780	LB3.exe
2780	LB3.exe
2780	LB3.exe
2780	LB3.exe
2780	LB3.exe
2780	LB3.exe
2780	LB3.exe
2780	LB3.exe
2780	LB3.exe
2780	LB3.exe
2780	LB3.exe
2780	LB3.exe
2780	LB3.exe
2780	LB3.exe
2780	LB3.exe
2780	LB3.exe
2780	LB3.exe
2780	LB3.exe
2780	LB3.exe
2780	LB3.exe
2780	LB3.exe
2780	LB3.exe
2780	LB3.exe
2780	LB3.exe
2780	LB3.exe
2780	LB3.exe
2780	LB3.exe
2780	LB3.exe
2780	LB3.exe
2780	LB3.exe
2780	LB3.exe
2780	LB3.exe
2780	LB3.exe
2780	LB3.exe
2780	LB3.exe
2780	LB3.exe
2780	LB3.exe
2780	LB3.exe
2780	LB3.exe
2780	LB3.exe
2780	LB3.exe
2780	LB3.exe
2780	LB3.exe
2780	LB3.exe
2780	LB3.exe
2780	LB3.exe
2780	LB3.exe
2780	LB3.exe
2780	LB3.exe
2780	LB3.exe
2780	LB3.exe

Suspicious behavior: RenamesItself 2 IoCs

pid	Process
2780	LB3.exe
2872	LB3Decryptor.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1672	firefox.exe
Token: SeDebugPrivilege	1672	firefox.exe
Token: SeDebugPrivilege	1672	firefox.exe
Token: SeDebugPrivilege	1672	firefox.exe
Token: SeDebugPrivilege	1672	firefox.exe
Token: SeDebugPrivilege	1672	firefox.exe
Token: SeDebugPrivilege	1672	firefox.exe
Token: SeDebugPrivilege	1672	firefox.exe
Token: SeDebugPrivilege	1672	firefox.exe
Token: SeDebugPrivilege	1672	firefox.exe
Token: SeDebugPrivilege	1672	firefox.exe
Token: SeDebugPrivilege	1672	firefox.exe
Token: SeDebugPrivilege	1672	firefox.exe
Token: SeDebugPrivilege	1672	firefox.exe
Token: SeDebugPrivilege	1672	firefox.exe
Token: SeDebugPrivilege	1672	firefox.exe
Token: SeDebugPrivilege	1672	firefox.exe
Token: SeAssignPrimaryTokenPrivilege	2780	LB3.exe
Token: SeBackupPrivilege	2780	LB3.exe
Token: SeDebugPrivilege	2780	LB3.exe
Token: 36	2780	LB3.exe
Token: SeImpersonatePrivilege	2780	LB3.exe
Token: SeIncBasePriorityPrivilege	2780	LB3.exe
Token: SeIncreaseQuotaPrivilege	2780	LB3.exe
Token: 33	2780	LB3.exe
Token: SeManageVolumePrivilege	2780	LB3.exe
Token: SeProfSingleProcessPrivilege	2780	LB3.exe
Token: SeRestorePrivilege	2780	LB3.exe
Token: SeSecurityPrivilege	2780	LB3.exe
Token: SeSystemProfilePrivilege	2780	LB3.exe
Token: SeTakeOwnershipPrivilege	2780	LB3.exe
Token: SeShutdownPrivilege	2780	LB3.exe
Token: SeDebugPrivilege	2780	LB3.exe
Token: SeBackupPrivilege	2780	LB3.exe
Token: SeBackupPrivilege	2780	LB3.exe
Token: SeSecurityPrivilege	2780	LB3.exe
Token: SeSecurityPrivilege	2780	LB3.exe
Token: SeBackupPrivilege	2780	LB3.exe
Token: SeBackupPrivilege	2780	LB3.exe
Token: SeSecurityPrivilege	2780	LB3.exe
Token: SeSecurityPrivilege	2780	LB3.exe
Token: SeBackupPrivilege	2780	LB3.exe
Token: SeBackupPrivilege	2780	LB3.exe
Token: SeSecurityPrivilege	2780	LB3.exe
Token: SeSecurityPrivilege	2780	LB3.exe
Token: SeBackupPrivilege	2780	LB3.exe
Token: SeBackupPrivilege	2780	LB3.exe
Token: SeSecurityPrivilege	2780	LB3.exe
Token: SeSecurityPrivilege	2780	LB3.exe
Token: SeBackupPrivilege	2780	LB3.exe
Token: SeBackupPrivilege	2780	LB3.exe
Token: SeSecurityPrivilege	2780	LB3.exe
Token: SeSecurityPrivilege	2780	LB3.exe
Token: SeBackupPrivilege	2780	LB3.exe
Token: SeBackupPrivilege	2780	LB3.exe
Token: SeSecurityPrivilege	2780	LB3.exe
Token: SeSecurityPrivilege	2780	LB3.exe
Token: SeBackupPrivilege	2780	LB3.exe
Token: SeBackupPrivilege	2780	LB3.exe
Token: SeSecurityPrivilege	2780	LB3.exe
Token: SeSecurityPrivilege	2780	LB3.exe
Token: SeBackupPrivilege	2780	LB3.exe
Token: SeBackupPrivilege	2780	LB3.exe
Token: SeSecurityPrivilege	2780	LB3.exe

Suspicious use of FindShellTrayWindow 7 IoCs

pid	Process
1624	NOTEPAD.EXE
1672	firefox.exe
1672	firefox.exe
1672	firefox.exe
1672	firefox.exe
1672	firefox.exe
1672	firefox.exe

Suspicious use of SendNotifyMessage 5 IoCs

pid	Process
1672	firefox.exe
1672	firefox.exe
1672	firefox.exe
1672	firefox.exe
1672	firefox.exe

Suspicious use of SetWindowsHookEx 27 IoCs

pid	Process
1552	OpenWith.exe
1552	OpenWith.exe
1552	OpenWith.exe
1552	OpenWith.exe
1552	OpenWith.exe
1552	OpenWith.exe
1552	OpenWith.exe
1552	OpenWith.exe
1552	OpenWith.exe
1672	firefox.exe
1672	firefox.exe
5380	ONENOTE.EXE
5380	ONENOTE.EXE
5380	ONENOTE.EXE
5380	ONENOTE.EXE
5380	ONENOTE.EXE
5380	ONENOTE.EXE
5380	ONENOTE.EXE
5380	ONENOTE.EXE
5380	ONENOTE.EXE
5380	ONENOTE.EXE
5380	ONENOTE.EXE
5380	ONENOTE.EXE
5380	ONENOTE.EXE
5380	ONENOTE.EXE
5380	ONENOTE.EXE
2872	LB3Decryptor.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1552 wrote to memory of 1624	1552	OpenWith.exe	99
PID 1552 wrote to memory of 1624	1552	OpenWith.exe	99
PID 2312 wrote to memory of 4892	2312	cmd.exe	102
PID 2312 wrote to memory of 4892	2312	cmd.exe	102
PID 2312 wrote to memory of 4892	2312	cmd.exe	102
PID 2312 wrote to memory of 3340	2312	cmd.exe	103
PID 2312 wrote to memory of 3340	2312	cmd.exe	103
PID 2312 wrote to memory of 3340	2312	cmd.exe	103
PID 2312 wrote to memory of 1936	2312	cmd.exe	104
PID 2312 wrote to memory of 1936	2312	cmd.exe	104
PID 2312 wrote to memory of 1936	2312	cmd.exe	104
PID 2312 wrote to memory of 4384	2312	cmd.exe	105
PID 2312 wrote to memory of 4384	2312	cmd.exe	105
PID 2312 wrote to memory of 4384	2312	cmd.exe	105
PID 2312 wrote to memory of 1064	2312	cmd.exe	106
PID 2312 wrote to memory of 1064	2312	cmd.exe	106
PID 2312 wrote to memory of 1064	2312	cmd.exe	106
PID 2312 wrote to memory of 4404	2312	cmd.exe	107
PID 2312 wrote to memory of 4404	2312	cmd.exe	107
PID 2312 wrote to memory of 4404	2312	cmd.exe	107
PID 2312 wrote to memory of 2188	2312	cmd.exe	108
PID 2312 wrote to memory of 2188	2312	cmd.exe	108
PID 2312 wrote to memory of 2188	2312	cmd.exe	108
PID 4420 wrote to memory of 1672	4420	firefox.exe	112
PID 4420 wrote to memory of 1672	4420	firefox.exe	112
PID 4420 wrote to memory of 1672	4420	firefox.exe	112
PID 4420 wrote to memory of 1672	4420	firefox.exe	112
PID 4420 wrote to memory of 1672	4420	firefox.exe	112
PID 4420 wrote to memory of 1672	4420	firefox.exe	112
PID 4420 wrote to memory of 1672	4420	firefox.exe	112
PID 4420 wrote to memory of 1672	4420	firefox.exe	112
PID 4420 wrote to memory of 1672	4420	firefox.exe	112
PID 4420 wrote to memory of 1672	4420	firefox.exe	112
PID 4420 wrote to memory of 1672	4420	firefox.exe	112
PID 1672 wrote to memory of 1848	1672	firefox.exe	113
PID 1672 wrote to memory of 1848	1672	firefox.exe	113
PID 1672 wrote to memory of 1848	1672	firefox.exe	113
PID 1672 wrote to memory of 1848	1672	firefox.exe	113
PID 1672 wrote to memory of 1848	1672	firefox.exe	113
PID 1672 wrote to memory of 1848	1672	firefox.exe	113
PID 1672 wrote to memory of 1848	1672	firefox.exe	113
PID 1672 wrote to memory of 1848	1672	firefox.exe	113
PID 1672 wrote to memory of 1848	1672	firefox.exe	113
PID 1672 wrote to memory of 1848	1672	firefox.exe	113
PID 1672 wrote to memory of 1848	1672	firefox.exe	113
PID 1672 wrote to memory of 1848	1672	firefox.exe	113
PID 1672 wrote to memory of 1848	1672	firefox.exe	113
PID 1672 wrote to memory of 1848	1672	firefox.exe	113
PID 1672 wrote to memory of 1848	1672	firefox.exe	113
PID 1672 wrote to memory of 1848	1672	firefox.exe	113
PID 1672 wrote to memory of 1848	1672	firefox.exe	113
PID 1672 wrote to memory of 1848	1672	firefox.exe	113
PID 1672 wrote to memory of 1848	1672	firefox.exe	113
PID 1672 wrote to memory of 1848	1672	firefox.exe	113
PID 1672 wrote to memory of 1848	1672	firefox.exe	113
PID 1672 wrote to memory of 1848	1672	firefox.exe	113
PID 1672 wrote to memory of 1848	1672	firefox.exe	113
PID 1672 wrote to memory of 1848	1672	firefox.exe	113
PID 1672 wrote to memory of 1848	1672	firefox.exe	113
PID 1672 wrote to memory of 1848	1672	firefox.exe	113
PID 1672 wrote to memory of 1848	1672	firefox.exe	113
PID 1672 wrote to memory of 1848	1672	firefox.exe	113
PID 1672 wrote to memory of 1848	1672	firefox.exe	113
PID 1672 wrote to memory of 1848	1672	firefox.exe	113

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\Explorer.exe
C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\LockBit-main.zip
1⤵
PID:2888

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:8

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\LockBit-main\Build.bat" "
1⤵
PID:1228

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1552
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\LockBit-main\config.json
  2⤵
  - Suspicious use of FindShellTrayWindow
  PID:1624

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\LockBit-main\Build.bat" "
1⤵
- Suspicious use of WriteProcessMemory
PID:2312
- C:\Users\Admin\Desktop\LockBit-main\keygen.exe
  keygen -path Build -pubkey pub.key -privkey priv.key
  2⤵
  PID:4892
- C:\Users\Admin\Desktop\LockBit-main\builder.exe
  builder -type dec -privkey Build\priv.key -config config.json -ofile Build\LB3Decryptor.exe
  2⤵
  PID:3340
- C:\Users\Admin\Desktop\LockBit-main\builder.exe
  builder -type enc -exe -pubkey Build\pub.key -config config.json -ofile Build\LB3.exe
  2⤵
  PID:1936
- C:\Users\Admin\Desktop\LockBit-main\builder.exe
  builder -type enc -exe -pass -pubkey Build\pub.key -config config.json -ofile Build\LB3_pass.exe
  2⤵
  PID:4384
- C:\Users\Admin\Desktop\LockBit-main\builder.exe
  builder -type enc -dll -pubkey Build\pub.key -config config.json -ofile Build\LB3_Rundll32.dll
  2⤵
  PID:1064
- C:\Users\Admin\Desktop\LockBit-main\builder.exe
  builder -type enc -dll -pass -pubkey Build\pub.key -config config.json -ofile Build\LB3_Rundll32_pass.dll
  2⤵
  PID:4404
- C:\Users\Admin\Desktop\LockBit-main\builder.exe
  builder -type enc -ref -pubkey Build\pub.key -config config.json -ofile Build\LB3_ReflectiveDll_DllMain.dll
  2⤵
  PID:2188

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4420
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1672
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1672.0.2023833040\1097270979" -parentBuildID 20230214051806 -prefsHandle 1760 -prefMapHandle 1752 -prefsLen 22076 -prefMapSize 235121 -appDir "C:\Program Files\Mozilla Firefox\browser" - {e1863c78-7f5f-48dd-b380-3f8d2e97aefc} 1672 "\\.\pipe\gecko-crash-server-pipe.1672" 1852 23e6ff1ab58 gpu
    3⤵
    PID:1848
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1672.1.2021553875\1804948465" -parentBuildID 20230214051806 -prefsHandle 2408 -prefMapHandle 2404 -prefsLen 22112 -prefMapSize 235121 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1b9d32c8-0dd9-4295-bba2-0b7a64520138} 1672 "\\.\pipe\gecko-crash-server-pipe.1672" 2420 23e63289c58 socket
    3⤵
    PID:388
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1672.2.517974258\19641495" -childID 1 -isForBrowser -prefsHandle 3200 -prefMapHandle 3120 -prefsLen 22215 -prefMapSize 235121 -jsInitHandle 1340 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a29768a3-cd18-4ce6-aad8-6ded2df8d5bf} 1672 "\\.\pipe\gecko-crash-server-pipe.1672" 3184 23e6ef9fa58 tab
    3⤵
    PID:4956
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1672.3.2134716763\2056743852" -childID 2 -isForBrowser -prefsHandle 4164 -prefMapHandle 4160 -prefsLen 27616 -prefMapSize 235121 -jsInitHandle 1340 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4034a41e-d42e-433b-b696-4f8e189c4344} 1672 "\\.\pipe\gecko-crash-server-pipe.1672" 4176 23e752dee58 tab
    3⤵
    PID:428
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1672.4.926510934\624627857" -childID 3 -isForBrowser -prefsHandle 5024 -prefMapHandle 4388 -prefsLen 27697 -prefMapSize 235121 -jsInitHandle 1340 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a7f4d5ae-b049-4fa7-92e1-12c1a6176186} 1672 "\\.\pipe\gecko-crash-server-pipe.1672" 4424 23e77b9c858 tab
    3⤵
    PID:528
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1672.5.803715139\1192563270" -childID 4 -isForBrowser -prefsHandle 5228 -prefMapHandle 5232 -prefsLen 27697 -prefMapSize 235121 -jsInitHandle 1340 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8c65df3f-c7ae-471e-a111-0033632ec429} 1672 "\\.\pipe\gecko-crash-server-pipe.1672" 5216 23e77b9ce58 tab
    3⤵
    PID:2680
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1672.6.299747433\1556337596" -childID 5 -isForBrowser -prefsHandle 5416 -prefMapHandle 5420 -prefsLen 27697 -prefMapSize 235121 -jsInitHandle 1340 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ee5da80a-bf36-41aa-9994-9d5adc43da83} 1672 "\\.\pipe\gecko-crash-server-pipe.1672" 5408 23e77bae958 tab
    3⤵
    PID:1184
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1672.7.1391017481\1164383554" -childID 6 -isForBrowser -prefsHandle 1244 -prefMapHandle 2764 -prefsLen 27697 -prefMapSize 235121 -jsInitHandle 1340 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {aed0aa8c-efaf-4718-b8cf-dee7bc3990a4} 1672 "\\.\pipe\gecko-crash-server-pipe.1672" 4432 23e72a83258 tab
    3⤵
    PID:2484
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1672.8.298920933\561166829" -childID 7 -isForBrowser -prefsHandle 4580 -prefMapHandle 5836 -prefsLen 27697 -prefMapSize 235121 -jsInitHandle 1340 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {76250667-5b91-463e-9c49-8f038b25dd5e} 1672 "\\.\pipe\gecko-crash-server-pipe.1672" 5488 23e74bf3658 tab
    3⤵
    PID:1852

C:\Users\Admin\Desktop\LockBit-main\Build\LB3.exe
"C:\Users\Admin\Desktop\LockBit-main\Build\LB3.exe"
1⤵
- Executes dropped EXE
- Drops desktop.ini file(s)
- Sets desktop wallpaper using registry
- Modifies Control Panel
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
PID:2780
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  - Drops file in System32 directory
  PID:2196
- C:\ProgramData\8D3B.tmp
  "C:\ProgramData\8D3B.tmp"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  PID:5424
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\8D3B.tmp >> NUL
    3⤵
    PID:5568

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
1⤵
PID:2020

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\vmLZZJ2wA.README.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:5060

C:\Windows\system32\printfilterpipelinesvc.exe
C:\Windows\system32\printfilterpipelinesvc.exe -Embedding
1⤵
- Drops file in System32 directory
PID:1852
- C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
  /insertdoc "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\{B34551BC-A652-4CB5-A3B4-0953D995848B}.xps" 133576226226400000
  2⤵
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  PID:5380

C:\Users\Admin\Desktop\LockBit-main\Build\LB3Decryptor.exe
"C:\Users\Admin\Desktop\LockBit-main\Build\LB3Decryptor.exe"
1⤵
- Executes dropped EXE
- Sets desktop wallpaper using registry
- Modifies Control Panel
- Modifies registry class
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
PID:2872

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\LockBit-main\Build\DECRYPTION_ID.txt
1⤵
PID:2452

C:\Windows\system32\rundll32.exe
C:\Windows\system32\rundll32.exe C:\Windows\system32\PcaSvc.dll,PcaPatchSdbTask
1⤵
PID:4640

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-4092317236-2027488869-1227795436-1000\DDDDDDDDDDD

Filesize
129B

MD5
c6e8d52faf31ada14fc469816aa44ac5

SHA1
d9a1a8abdf9dc496ce3c78913eb3f33fa4750790

SHA256
ad546c1b55981334c4d313f7d676171cf9e9a73c312e809f7d08dd21f9386bc7

SHA512
d383d4453dae53a367739b1ba777776327b892a5c1c782c26a1005bd457e0a8554358c44a472d5ef45518dc840ac7c03ac6459d60d8942287f0784775bd78c64

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\lazanq5n.default-release\activity-stream.discovery_stream.json

Filesize
24KB

MD5
fd2919f9914f475fe5d58217af48f3f1

SHA1
8b7ede3c841da88f3fd9c2970e05d97588fdab8f

SHA256
43793cc29af4992d6ba52e776f3eca28f3ecc2234f35ee2af0381a0a9341ff1c

SHA512
0630699364c4baa63be01a9acdc863ac33f5398ad76858aba481a1511e1713422e5d29701ebdb0a053317d04c0ffa0e769fe2fd174847b6d21eeb5ecd12eb24e

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\lazanq5n.default-release\activity-stream.discovery_stream.json.tmp

Filesize
25KB

MD5
e404fd5f7809b5960137a5408543bffb

SHA1
a09fe386891cd473ab878aef886e5f2abee6eab3

SHA256
7f80438653a0b5b1518b9997e3bad94565a8472db9f846545b9bf74efb3e483f

SHA512
436eaf92bca777d1d1b466e3adf90f736bf213a7e41d52f2008a06413eb041e104eb0356e63a723ccf962d69c7d05b798d26f997089ba9075c0ba68f87794638

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\lazanq5n.default-release\activity-stream.discovery_stream.json.tmp

Filesize
24KB

MD5
723422922a2b7c3f8d5b8ba04d56a3a1

SHA1
5711287070c23feb31c479e7650e97eba3686192

SHA256
6694f0ca4ac25922cad6009d535c849f8f409f319a39bd890432e0763b8dddfd

SHA512
4128f72b8cb82a1bc5fe2d5f657f03b0cc806bc43e4671b8c81f41da729165ba46e4156ffa1aba66311e60d0ffa8a0f1ea1abaa8a6b78b0ed23c25291790c8fa

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\lazanq5n.default-release\cache2\entries\01C69DBF3143318810B66B3160CB5C06806A166C

Filesize
9KB

MD5
291344914140a77e0168aa3118c36499

SHA1
eb350c0756641e00b06cef2ff839fd57fc365d73

SHA256
089cb0e7dbc32ce8929964d58bed0a155c48705ddeef2dad0dd306fc71eb05a6

SHA512
afd7caa0332443c10e4bf59230986d4efa7cac6b292e8aafa03092f645072fb2cf85c762fd975caffd8a7dc6b6d655a2b269d4cdb2033b12c7e8207d4e0b52b4

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\lazanq5n.default-release\cache2\entries\037778A55E1B7E9BED3390289866D09402D6C913

Filesize
9KB

MD5
b75720e346fd6c82cdac94235e49a3fb

SHA1
8214ba5f8b3b3cb106024bef8bdfa7b395fcaca0

SHA256
85802c3b8df39f9627939410632a32dcb8f483185a3d848e55276ee738088a87

SHA512
dbfe1f1bed636ba51b3952e79ce2f55b700be9b09add646b28009bd01bcf276190d8b96e2b9212a93fdbd696efb7bbce598f7c00dc061f41c2aa2fbaf381c63c

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\lazanq5n.default-release\cache2\entries\0464B99D517E33CB4860D4A5E76213BC3ECBD77E

Filesize
9KB

MD5
2f495338c47e601e3073b1a1c22667ab

SHA1
ef94d15213480055b4afa918f6e945c282744eca

SHA256
a3739834b6d0b3c7f2653c0da2409e3653e08039717d9f21d24c0a720763f81c

SHA512
2b0d862b4080ea7b609e45008a1f61f42b86f7869ebab82a965f16a8ef9201e8e5f94a35eef86e4b455992229056d1b636cb7a3ddfe34162781ba37e4982c23e

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\lazanq5n.default-release\cache2\entries\046F58810902AFE5C8DAB3BCF3F338CA6CAA29E6

Filesize
47KB

MD5
55a94864c656ad3ef48f16e535a406fb

SHA1
78d3607bd7c9ef190ee074cced93694c10e0da78

SHA256
2026bf87409ea8dadf690e5f105c8c049ec5cb936a6191fae5f0cb7428c92ea9

SHA512
ad8c1cb1e49fa90f986d593f8b3578964b2f3915100c7526c4bb0418043a616ea211b8c525d870fbd676613cf570fc913fcb206cd009c3eb87c307fdb2c51e0a

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\lazanq5n.default-release\cache2\entries\06283131E8D5A93DBD1E7B95A0455D65D3076938

Filesize
26KB

MD5
35ff880f01f33c11438f3ad4d7d756f9

SHA1
01b4e541eb6eeba79cd776e9c1ec7988204f1cd8

SHA256
ab717ba3cf37abcb845a2eb5a34d6b9ad9856d27f6a1d4e405a1adc6e38a941a

SHA512
1daa9bbad5d3e3833d782b6d20885eb9ea621558f347964e33f5c5647a00e7bf54523ed631d5b09915214653bc8bd2522e935aae8c2fbb22afa84acca65033a7

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\lazanq5n.default-release\cache2\entries\084DD282C76BDD86DC0D25B3089DA08F7521FACE

Filesize
9KB

MD5
885616774033fe7866709a17ccdee71a

SHA1
b9fb24c74374a7684ce570526e41b1e436bc8364

SHA256
36d80a5aa14fed6623a65f527f20ec56bd30c403b1d514b6b0d7ce24aec5228d

SHA512
c9f240793a78fe153d82df716e0a8e26fbf33ab851dd572267e51fd998df4d096eed68786ccbb8c69265ea6383e1e83bfa20afc8eef405d45f25d55272ed50e3

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\lazanq5n.default-release\cache2\entries\0857593FA63F2F3DF9DD42474BF1C2211531A542

Filesize
39KB

MD5
29ecd2ef7c870ca93c129f4b1afedbd2

SHA1
f42d23bc285e6eb507e2a5cfd5d9cb2598bcc088

SHA256
86054b70dbcb46b9b797dc851bdd6bd912d9590beaba572f4117b973031e6486

SHA512
e209b2ed1aeee616f5afbca01f97e892bd8b12bb31db71e6e10fa106ae0acbfe858c2b9e26ff69a1dec73811aacbf4c011255be7e12ba02a4fa7d9abe188f54d

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\lazanq5n.default-release\cache2\entries\099EB2BF8827A4F91EAB3E38B14650D0205226F2

Filesize
15KB

MD5
08d2804fc4e833f4110afca1b37ff0ed

SHA1
f11e2a8029b09dcf5b8198cfdeb3f5ebcf282528

SHA256
f94151047f07e26ea07bf702e4b14b8617f5cca62898a09d1039a225336660a4

SHA512
8dd95058937e8cdfee3f79a286558c20f93a7feec67db636469775aa3a286065135f1ff9969d5a62bb3fbaf2319d82c6952c95fcba6beb1ce2d4f034937f8979

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\lazanq5n.default-release\cache2\entries\10CD6AA2E8995A228854FA5243EC1288D6DD2E81

Filesize
98KB

MD5
5716f26827ec4f220442a473d3f3d387

SHA1
356b53d4e434a5db8301bdd701bb9a4d5328b306

SHA256
54b515bf2e0a1d3bc4e593cecf595a026ea687658117c74b6338e54b99cf7259

SHA512
355d68e163659926be698e2f2c63aadc48b2f809754086ee5a8d367a01c8ce7216a50cf4bca4bad65e2bf43fcb401eddbb2b5f96778c4c764f55c743168ea18a

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\Microsoft_AutoGenerated_{A5E73466-E220-8EF4-B956-A582187356D9}

Filesize
36KB

MD5
8aaad0f4eb7d3c65f81c6e6b496ba889

SHA1
231237a501b9433c292991e4ec200b25c1589050

SHA256
813c66ce7dec4cff9c55fb6f809eab909421e37f69ff30e4acaa502365a32bd1

SHA512
1a83ce732dc47853bf6e8f4249054f41b0dea8505cda73433b37dfa16114f27bfed3b4b3ba580aa9d53c3dcc8d48bf571a45f7c0468e6a0f2a227a7e59e17d62

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}_comexp_msc

Filesize
36KB

MD5
eab75a01498a0489b0c35e8b7d0036e5

SHA1
fd80fe2630e0443d1a1cef2bdb21257f3a162f86

SHA256
fdf01d2265452465fcbed01f1fdd994d8cbb41a40bbb1988166604c5450ead47

SHA512
2ec6c4f34dcf00b6588b536f15e3fe4d98a0b663c8d2a2df06aa7cface88e072e2c2b1b9aaf4dc5a17b29023a85297f1a007ff60b5d6d0c65d1546bf0e12dd45

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133573953826726285.txt

Filesize
77KB

MD5
af2afbaf9f6bc62965ab8161f642209f

SHA1
1e0d846bbf4f5430e48fe913683375e0c03f92b3

SHA256
b4a05db9b7770ce4a7607213669213f0a7c83ec8d0adb2735431b9496469fbc5

SHA512
935f1f7c2af32460050d84f6a6c569fe70d8baeaeb932860d644335495be27d72fbffc13c3b71e88eeb6e865a39ed4bfd81a92a4a31bea1a21d4c132b5d84cbb

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133573954076162011.txt

Filesize
49KB

MD5
5b7ef33d77cefec480d1bca586e58949

SHA1
c0c575edcfc3a993b9ba421f248f67ef81db1820

SHA256
72e8641658ad12f3252c493ae4a470d2f4d77a2ca1f04cc42bf6176718337792

SHA512
25029255b55e478dc8c4baf102c837727e7ae0642e1966f42ba79310555ef64a2bc962feca5c96d3660faf5dd92d1423f69051a609eeb28d22d46188c019f684

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133573962467996891.txt

Filesize
63KB

MD5
4e22536ec6a21c126b05688501bc1b7c

SHA1
872bbce035672e9065318141635c5be5c85a2d2b

SHA256
884357cde21420a607301868e1522efb84c56daa011d24505cefdaa9929d054a

SHA512
2d3ccd6f90ef1c7585a643a4d153c1e0a77868ef08a9e0fa5935b7fa9e531feb846e5befafe6826e39f6ce25c760668d252e52cb514a7885e79876d8a4217395

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133576225074090330.txt

Filesize
75KB

MD5
a79ccd9f30959c9eada5b1d3b715102a

SHA1
977639b0494437dcef07a46e6fe2b5c55babc63c

SHA256
4bf7a3306fad96d1bc04284d49311685d9e8cf9d8677d00705a77f2cb8607af4

SHA512
020432c39fcf5e2fa8bc1370ab9ff0f225becc7c682896f8a1ab546433f7fda4a5b558d5bb38394dc36b6737b3b0d65b8b8dc4633e2e9af3cddef053874bf4de

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.XGpuEjectDialog_cw5n1h2txyewy\Settings\settings.dat

Filesize
8KB

MD5
a8308d2f3dde0745e8b678bf69a2ecd0

SHA1
c0ee6155b9b6913c69678f323e2eabfd377c479a

SHA256
7fbb3e503ed8a4a8e5d5fab601883cbb31d2e06d6b598460e570fb7a763ee555

SHA512
9a86d28d40efc655390fea3b78396415ea1b915a1a0ec49bd67073825cfea1a8d94723277186e791614804a5ea2c12f97ac31fad2bf0d91e8e035bde2d026893

Download Submit
C:\Users\Admin\AppData\Local\Temp\{E9ED112B-9DB1-4EC5-9307-56513023A95D}

Filesize
4KB

MD5
c835dd34847a8f171824fa6b090072e8

SHA1
794e4fbe7f4725e0148ec16d45ab5571ddb20834

SHA256
ad83229cba3429672b8fce7be85eadad6f840fb8b76799ad7cc81d9514e9ca34

SHA512
742f5770f4304c5f556d9a49193f95751744830534e968f57b56aecba707dbbe05f3786e65983643de6f399244719fc0ad7bd752387d5eceac9ec47fd5a1c8f4

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lazanq5n.default-release\addonStartup.json.lz4

Filesize
5KB

MD5
0a9ae589abdd0dcfaa83dc589326509c

SHA1
bccdf7374113c40479f1de94e96401dc6b51bde8

SHA256
30a1f4f76aba3f96553dbfb7a679b432c6e5dd120c4398c4e74eea77a09bc03d

SHA512
51ad80a1ac3e25e393dafab4d5dfae1c7dd5c432b7f3f8e5e3e6b51269374b18983bf410c81ceb155b1532c9fa5aacbb874aff54f78bbed09c13f20ab9f01fa9

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lazanq5n.default-release\addonStartup.json.lz4

Filesize
5KB

MD5
93dcabc828a5d4f7f594cf422ddf9107

SHA1
6a1894a89d18fc9c9e6ef97baa6b356e7444cb65

SHA256
ffd3715cd910d270768338f45a78ed8d3942f36c1d771c15688c0eb49f277ce9

SHA512
288c60d551d04d04e531a967bb2cda51ba8b6155420138e89e15d228dc544c5b95bd11ab200d89e4d3718238272fb5dd32594145d8753a36fb34308490a090d5

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lazanq5n.default-release\cert9.db

Filesize
224KB

MD5
75957c0a1e0c6a8466a756622406a808

SHA1
5cf37086f16e434e85d5adf7f9e313d3ea3cd72e

SHA256
8436f582794dbd37cc4f76101c52aae92d91e8d6d778a22d6cea3cf0e105e9ea

SHA512
fe8f25b885f66b2e293b07eca94f52a4725b982b30b377129102397122bece3fd8bd18c5dcdf7cdc6eba664cc07db21c041287bab0790354f16290380dce6765

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lazanq5n.default-release\cookies.sqlite

Filesize
512KB

MD5
b0870e93a7b8e2e3660a340240d18052

SHA1
fbae4f6288482f266e0808b9b08f51221a77c9e5

SHA256
d060cd5d30d0ba4f6e3d937ca9a7208c34c8065885d6d165cf1348448b2dbc5e

SHA512
ff93ea33fb182dd91adbfe458920329130b20eb01998b0c37fcfa0a9639abc25abc3563a8423e92915c929f7dcd78b05844e3b8d10facd620a85be4d7fd362df

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lazanq5n.default-release\cookies.sqlite-wal

Filesize
512KB

MD5
1923820e7529c12a734de0c37182e0dc

SHA1
89ba479feb5fd3af52a65e0574ce7f9f3bdedbc8

SHA256
1a4ce4bae3be9af4c5228e43ab9dabdae15b3dedc67499c58174949123d9b5ed

SHA512
0c5c6e1af9325d32ab2c53b3abb4c7c29b8ccbae1d11078d243602cce0f9afa2c92ab6baeee791a0daee0730277ae739469720ec4c7ece7163e0ae30d26082b6

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lazanq5n.default-release\crashes\store.json.mozlz4

Filesize
66B

MD5
a6338865eb252d0ef8fcf11fa9af3f0d

SHA1
cecdd4c4dcae10c2ffc8eb938121b6231de48cd3

SHA256
078648c042b9b08483ce246b7f01371072541a2e90d1beb0c8009a6118cbd965

SHA512
d950227ac83f4e8246d73f9f35c19e88ce65d0ca5f1ef8ccbb02ed6efc66b1b7e683e2ba0200279d7ca4b49831fd8c3ceb0584265b10accff2611ec1ca8c0c6c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lazanq5n.default-release\crashes\store.json.mozlz4

Filesize
313B

MD5
10785aaf939007dbd2b5a3cd205d21e2

SHA1
13e4e1e83831fac79786da3525af40a228d6fdc5

SHA256
5763b4652c990e74e17cce95680aab992a1f534b6569dfe94c6aa0cc31500bc2

SHA512
4ac5411c8ccfc81a1d800eac8212c2b792032fa5eafc6fb46f75ae684bb6b44c3db9f2d0c158f464edb5944bf31da224eb5ec1ae351b18c840ab1cf178886bde

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lazanq5n.default-release\datareporting\aborted-session-ping

Filesize
53KB

MD5
2dbc7f2fe799fc01489cd6e2749245fd

SHA1
6230e05614f4a8e8b145ab3ad5579499dfd16d7c

SHA256
b1ee12ff3dbfa98770b7f0648305777a8d00c043aff7d1fd42dd27a66bf6244b

SHA512
f20fc391363fa68fa36591fd7caa5be5bf23a677147889e260e71d8ac9e85cde4965722ffb9a1a8ae3449cf420977d35195564972f71c81565de4a1e8fd59cac

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lazanq5n.default-release\datareporting\session-state.json

Filesize
408B

MD5
34c3245279a868d23d759238fbd2f9ca

SHA1
1b76d750a5cb99124ee1963cbbcd13639178e01e

SHA256
c1e0850d6f0b4eee6f54096c8084e7440260752c2e07f6ae5f7184defafe9bb7

SHA512
27e4adf7524319248025e20cb64cceaf0abd4cbb6e7770b5a54267ca86c3cfe824680bb4973a834833a4bc47cc74de6759342b9296c47ba01d340da155163e75

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lazanq5n.default-release\datareporting\state.json

Filesize
51B

MD5
3e32e2cc1ed028dd8ff9b06f50a4707b

SHA1
b3910351bd8e13ad1479db699cf6fac6544a5bef

SHA256
4a3a666d98e61b5fe06fecac56807137a0fffb4bb71d4c3b16baa8702dde738c

SHA512
4585ee9ec04adf138727cd039a9cbe78db6cf2926f6ce92524312a42efd1250100848a919ec4b833f9a013181ce93734575b86eed37f1bf32effa3237eba84db

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lazanq5n.default-release\favicons.sqlite-wal

Filesize
256KB

MD5
ca690ebcb32efe33b9c79e6bd38e8f74

SHA1
833daa97ed363b6d8467d5dbd20cdb66f557bb2e

SHA256
80a967d68e31c9f9cc683fdfafc604aecad354582fd6569ad2ab498919fb4cc8

SHA512
b85f0310834d2acf3b2cfb79449bf66183570f096620e72854390df2cbd3ec8ad25ad1a213bf2e635c060835cb135d9fad4955aa954e61d92feaf8844d13f9e3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lazanq5n.default-release\permissions.sqlite

Filesize
96KB

MD5
3098cb441923e3caf6cd1943fc114b58

SHA1
36d6a129ab11ba5e0440b822a7652e11552b7fc3

SHA256
26fd1048f86f1b979a23153ad908a359fcb49fe91b1e255803640ea611ec65e2

SHA512
d23fd75113184e9355494cdae661357a754f0eabe16aa1405e08499a52a450d7c0b957d63dbd11cc0482964e446628e2496d6f58c5fc671ce47a8de332612f2e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lazanq5n.default-release\places.sqlite-wal

Filesize
1.0MB

MD5
a386edb6fe357f336ad941b637206357

SHA1
97817fb137d967808a1b61e5b13ebe0836020331

SHA256
747a2a11c2fb52657e27eec2679c776551dcb6821b48f52428a391e25b0a52ef

SHA512
4ad92655ed954cb97b1b87c29d652425cd7a0e86c98f507277e2419ff2d36acef652f82672f66342bb77d7e4b825be27656d3d4a0460236fe2b69c478c422b06

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lazanq5n.default-release\prefs-1.js

Filesize
7KB

MD5
f834b4378a855365a2ace71605c58f44

SHA1
7b6ffbbee53db9f87bd5b17865c55dfaf39ad5cb

SHA256
1ef502d6c9072f3efde81105ea1fededb20909fd893436a98ed5169c6f9a8062

SHA512
1c331f7113fa4e64d3ef2e5b551b406aebf3dbba1bcccfc174874d5d07b6047e6bd26456131386ceb21f5157e29d3ee86244d1a83ba9dd179997fa3a48c21f5a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lazanq5n.default-release\prefs.js

Filesize
7KB

MD5
d9352ad26bef4322be1faeeff255a969

SHA1
1aab9f5d868484a46e15a4ac9c3d72e878ec1dfb

SHA256
afcdf9a0d506d37b4bbfb63c0652e4fc2b38a6e67cf8ba834eb691e82c14ca10

SHA512
64cc82ca441d9fb90decc964a3cb71984578c1cc209322855309c73b175791f73650292b34fca4ccce1e8848c2dbd42d4f7eae1bfddb4b1e3a7aab29d2faf5d8

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lazanq5n.default-release\protections.sqlite

Filesize
64KB

MD5
a7da7ab11f0c8d926e2b625d831bc095

SHA1
185fa0686f1d9f92f0ee5a414fe4c75ac0934f0f

SHA256
ed190f8990898283f5e9aee22bd20ba4c902f30d2869dcf126f7f0919a4cc1f0

SHA512
1a0c0bbef172763aa54e355113433785700e7371d6087c32824368c1edb7d79e0bb0028d650e974cf5126512c6abe5ba224b0e9d19071def76918b5614fb1ec1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lazanq5n.default-release\sessionCheckpoints.json

Filesize
90B

MD5
c4ab2ee59ca41b6d6a6ea911f35bdc00

SHA1
5942cd6505fc8a9daba403b082067e1cdefdfbc4

SHA256
00ad9799527c3fd21f3a85012565eae817490f3e0d417413bf9567bb5909f6a2

SHA512
71ea16900479e6af161e0aad08c8d1e9ded5868a8d848e7647272f3002e2f2013e16382b677abe3c6f17792a26293b9e27ec78e16f00bd24ba3d21072bd1cae2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lazanq5n.default-release\sessionCheckpoints.json

Filesize
343B

MD5
4d5e7501545dd626ad8cb1f8a6352273

SHA1
66b96392a09cb7a2d8b2f7aa544875c71fa02316

SHA256
c6ca4e7bef3b8070ce5c76d3c344ee72878eaa8e9f4b15b090ad76956350c02b

SHA512
4a9afb5f003b1e53d4c1e6db65749c6404f5ec2669ac58b24bede9044d32455d5af081af4121cab926c193c356ee880cd606aa09c383e4c4c803ce9a277f18db

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lazanq5n.default-release\sessionstore-backups\recovery.baklz4

Filesize
3KB

MD5
4a3995cfee8899dc17f28e35de14bf6e

SHA1
ba5570034a2a29fcdfa0857e3a8a02fbd69504dc

SHA256
f50cede5d8aff27ec85be57a9d5fc5ecded5d5bf0d7575166b119f209665a902

SHA512
797a78691b8a0bbfec6ff57e2aa94930da29adbb505d34e9a9e0b6c12419e33816a4d4f09ee7acbf7904bf78102207a413d06444974af95f3a37b1db23f9aa85

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lazanq5n.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
3KB

MD5
54ef09304e962b733defb4f7aff49ade

SHA1
0b4a54e886fa6583d8d9931b025d49a240c6346a

SHA256
1d99659c0294b24dd854f75eb35cb5eb15a617ed43ee5ed5462a1e15b497d358

SHA512
f7de0418fc0d692fb1aca702e101d6fe90c4ed9dad8d8f52d2c10a69944d10b4bef16e41ed75444c4c4b41884575e9a239528e5fb618ef50645a88696b7d3d44

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lazanq5n.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
1KB

MD5
af8f1442879791861e75bf624e527465

SHA1
dbb326dc4e5bff94c30140c1f40fdb422050915f

SHA256
8460d52e67686a4cfdb50d501a8adecbb90deb5062e763186eb1a64d66efb125

SHA512
61512d5ae1e7f03bec275041580760b4e21e2406b97ddbbe58d5f0c3d665f690813166886b232326fcaa98c2740b889f6b1c993751e11c9bf6858c5f501c4bd2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lazanq5n.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
3KB

MD5
7a0375014804dce7fbfa437356de5489

SHA1
c4617b7e8e52de147993f9ce6b0d3e94a9c271cd

SHA256
949fc80026090c5b7c191b90127caf476dbadbd18a327bb5dde5802bd4580ad4

SHA512
bf875407d8902e863a4b5f128026573fed94bb3ae5e002cb0274ff828d1d1c792e2482f2977d5afce54b6461b46dde0e83bed63a196ea22107a3560115c1ef60

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lazanq5n.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
3KB

MD5
69d8a50cb811c5cd1f1f124720db10bd

SHA1
f1f7ada962721ac17bcd94b5ba703a0921397ca4

SHA256
9ec9df13bd123d754ddad5cfe5deb63e2eb34020282695019bd50849e9ca8deb

SHA512
fb639ed19362e900d2d7a5d8b797e5c5f1c1d9a105c1db29363d6de282222042a4cfd3ceba27ce136bfbb23aea58ed94e3877b74592a0dc81bd7916ba2c6486f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lazanq5n.default-release\storage.sqlite

Filesize
4KB

MD5
4dc00fb93c249e6a9753f3aa9bd886b7

SHA1
f5a34bfdb1c9eff1f8848ddc8b774399f8d9d40b

SHA256
d15ce3f3c9ba90e2162c09ea0c7357c6370bbd26344ab0f53326f7524d6740c1

SHA512
56262e2adfa7c667be1d05ea915297ff84e031cad22ee0f2e71fc787967cf57209f755e1602c9260e8346f58b59f53fa34afd484df4169c4aa43dc5ebd79af2d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lazanq5n.default-release\storage\permanent\chrome\idb\3561288849sdhlie.sqlite

Filesize
48KB

MD5
a623029e1a42dc3b694868e66e9f23d5

SHA1
5f32b70d9bf41daaccc740fb26d8ba301726216d

SHA256
7a1c31674786429093826e74b89eaa36fc6f4fbe56bef20b05931b9342127d96

SHA512
c28a384dddd3ad7c494d0d20b7c4d46601f372fa979c561990f408cf2051d3b442ecb5f734bebf992ba09433efb65d80ab531496ba7fcd890b3ab0b6ec031069

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lazanq5n.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
216KB

MD5
1ede163c9141a7d317e2265e79416bf9

SHA1
fec61651fd5fa6012454cf33764cd3d360b7a9b8

SHA256
419be7292d53ba51a6ed83ad6a5fb11b01aff19d0e2eac88be6bc7e47e821dc0

SHA512
1e5648b5ac65191a4e96d848002f14de69c56dc680086be0144ec842747d91d4a75d14e3dcf2b8d032d764e0187044184e081db6421a4a592b090ae035b50f58

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lazanq5n.default-release\targeting.snapshot.json

Filesize
4KB

MD5
98c044c2371717e7c57764ad65af4c5e

SHA1
fad8c15da1cedc21bd5c37dadb16603eb0bb8c6f

SHA256
ecc01683908996780ff38ef41924f71e8282dea5efff471f9afd6148ae4eec89

SHA512
e76ec541fc3040f86d1ff26e0c47f13a10e0cbbc7b9c15cc55b22da4c5d1e0065ce2ee70989a9e8f5bd96ca7aaaba5284c641c1b2d6a7c787876ceeba0dafb73

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lazanq5n.default-release\targeting.snapshot.json

Filesize
4KB

MD5
ab8975fe9cf1e2da927df39ddfa097b8

SHA1
75c75ae56c469ffdfa4e173d894016e7985e153f

SHA256
669dc8c0c67bc19ac0e658287f89406095b3febc7e8ebcfad21da3af9f091077

SHA512
988e76b6660e640d27ddf58972a2e4c698ee654860ba1eda8464383f9cfb58331caa828b78e68d44c266c179eec8a76f66cf6a5d98f0869a778d8b749d6fe942

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lazanq5n.default-release\xulstore.json

Filesize
141B

MD5
1995825c748914809df775643764920f

SHA1
55c55d77bb712d2d831996344f0a1b3e0b7ff98a

SHA256
87835b1bd7d0934f997ef51c977349809551d47e32c3c9224899359ae0fce776

SHA512
c311970610d836550a07feb47bd0774fd728130d0660cbada2d2d68f2fcfbe84e85404d7f5b8ab0f71a6c947561dcffa95df2782a712f4dcb7230ea8ba01c34c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lazanq5n.default-release\xulstore.json

Filesize
384B

MD5
67c19a80987caa4ab94c5e336f1572f7

SHA1
c1023be5d395d39bf0ca0909d2a6c0a2f4f083aa

SHA256
c9fe7203e0d12a5e24bae29425c0ba5c067d5daff8e60709ba31595a0df1e762

SHA512
e42b9e9a74bb58d8aa52141000cbb39ea4a0caa373cd1fd4ac9da72aa47b20ae01f7df2a4a8a13883ef6b3faa92d4bde258c2f6713dd76a7fc1b63109ed20f72

Download Submit
C:\Users\Admin\Desktop\LockBit-main\Build\DDDDDDD

Filesize
145KB

MD5
e8bc49526f037160297b18683d9bea76

SHA1
63636f8a07aceb2bba2ba3d6af3c987e9733d442

SHA256
6b46e9e54711d06c2fcf3ec80e1b5ad86869011aae350e164e70b6f38d590b9c

SHA512
a846c03e7d3631d3959f51178fe52f3347529886e4643a3da40dd5d0bcef9806a8d13ebd317c3e3fd121f96cb10ecf4e0ef28660fbf220f3b353705f234fa9c4

Download Submit
C:\Users\Admin\Desktop\LockBit-main\Build\DECRYPTION_ID.txt

Filesize
265B

MD5
cb32e5355d674ddce69f6089ccfe0350

SHA1
168bff2cc75a89289fe270e893854919e9d76c5b

SHA256
8caae2a8f7870a742513e16baf70b140585304384547891567c431f0ea9bbab0

SHA512
8f9e535ef2cdac723173587b8b23f899daead2f569bb5a1473858a5dc3e4585bed95371accda24849b5ab36007461b33383d31f7d8ca39484175c1e5c501c16a

Download Submit
C:\Users\Admin\Desktop\LockBit-main\Build\LB3.exe

Filesize
145KB

MD5
d465256929b10a7634515d9773c6b36d

SHA1
a64cbaf45268620bbcecef06d3f2b2c5bbcb3921

SHA256
326e475a222104666017bceaf533296f87fad637553412526841b75a870cc23a

SHA512
e42daf53c15022d33f6aedc1287fe91fffac03540e54b3ea72289e1204572b878484c65e07fa80830cc59bebe16c395177bb3aaa174cb1b8e299a3f640a6ba2e

Download Submit
C:\Users\Admin\Desktop\LockBit-main\Build\Password_dll.txt

Filesize
2KB

MD5
1ea59aaae8859bdfa4552baa69a89f57

SHA1
6349f25b2cf32abc994ae379ec21bb855f717ad1

SHA256
5059fc23d239835d951ef4ba139685f0c4287e25e51da9b5a34e7253d0a52b44

SHA512
63c9d0b5c52f3b777e7ed36dfd84d68ab2feeef527c03c6bc5052ef44de765eb0bbff4eb905e42df61bcdbb97ef4f524c5c1d05c767d9ba4adb93ce7cd850974

Download Submit
C:\Users\Admin\Desktop\LockBit-main\Build\Password_exe.txt

Filesize
2KB

MD5
dd17200a4add1c073253c022d6cdbf9b

SHA1
481b63675d1e25cdc93452f95c24d66437f8b47f

SHA256
9eb35afc8ae576dc4947fb0273c7b60aa877a7b0a76ab0f4bb50fc9be8dc7911

SHA512
8dfb4359ece7d490c58c6dcd3cff4078408884ea051af592e897f74901682f11aaa2ba9959a27704dabc7028f37ca2b486287a8bab69304af8c6e88b0b05e2b6

Download Submit
C:\Users\Admin\Desktop\LockBit-main\Build\priv.key

Filesize
344B

MD5
6931e14227b06b5efca94314aac1b597

SHA1
2d5c6a33f2b3603cec9dfd082eac5c3dc1b17c79

SHA256
92ffdc54fa7eb3d52cc802b5b543c8f7fba7c0af7b7ee19aa6ed23455e263fc5

SHA512
5b1c9dcd7b0690c3b05a82997429685204af5e07cb5ca6f76e00b3e6906522007b3301a639775146df2c3202bc12e3a83dba9b708124ce5ad8f1029078de1b48

Download Submit
C:\Users\Admin\Desktop\LockBit-main\Build\pub.key

Filesize
344B

MD5
4ea31e7aaf6077b05980b477392890bb

SHA1
3c905ec461c7d510be952522b47a4e6688933792

SHA256
c8871a7a529157006a7d971d72a18f933e6523adc98df1bf9f65ab0a5c8b44e2

SHA512
d70e078775879e66139ddd7df4db169e87416d0754934927a0b7d91ff40c19e358c139bcd6ad8f88d508cc30706316be5c64c8c0bca75fcc7fd72aa9ed6e9877

Download Submit
C:\Users\Admin\Desktop\LockBit-main\config.json

Filesize
2KB

MD5
623a807f68b42e15acf8afc9c02f7757

SHA1
4d0eb05d1abaddc3bfdd406b93d864a492685a42

SHA256
b8bed18aa71000397a7211de0bdab3a68dd202bb4547e43723dfa2099f548662

SHA512
195e199d8a904db023644f6909e7d1793a53ce359ba1fab8570356dcf8139982909828cbbf41dd9f2f9256b1b0e3b727868109dfea5ff05fbcff912c27ae2a0e

Download Submit
C:\Users\Admin\Documents\OneNote Notebooks\My Notebook\Open Notebook.onetoc2

Filesize
4KB

MD5
62b9b558a57aae5452f7dc3b0e5cb449

SHA1
7c6234b53c78e8d348fa8f8f1b6180a3278e8904

SHA256
8e1774d3a86bb096f1e7bf3dacd879bcd6c5e040e240b75465314f18eb22939f

SHA512
e98bb2f4a49e846292cf36ebab5528a60c2706607b0d93fd09a1d5b803afc0354fa072cafdb9ef6dc973f8f3a61c49db38326628b64d515c5abea84e5eb4e1b0

Download Submit
C:\vmLZZJ2wA.README.txt

Filesize
109B

MD5
f841e2181d4fc4e4f504e9f545edd8f9

SHA1
3fb3c5e17962fd48f8f358ceb26c37615eb480f8

SHA256
611b0622ca65cd568c8c9822e1feea0115f916d1647e4af6ca5862de26707dbb

SHA512
bb045d8e86e1ca3a6f1e782c8351a8af9e154d25f66f4043dbc25f7c20576c1c3f3841d67858c89af018a93ffa5794518698dd9b5b8737fa1bb7ab796fbc7bf8

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-4092317236-2027488869-1227795436-1000\EEEEEEEEEEE

Filesize
129B

MD5
03a2fba0c1acc5134ce2583991be7108

SHA1
e9c8585abbc5e48051ed8dc0e60b920479216ef5

SHA256
ce3c2eddf98560bdc41eb35d66014ce4c9212ed1640f4d311a889dfbae0665e5

SHA512
70a7855269f83333377f41645d2262bcae97acf271cb430b96e86029814d01bf4616c415033d9a9727a935acd3de4abf45feb373636a922cd73a600a9fb5358f

Download Submit
memory/2780-288-0x0000000003300000-0x0000000003310000-memory.dmp

Filesize
64KB

Download
memory/2780-287-0x0000000003300000-0x0000000003310000-memory.dmp

Filesize
64KB

Download
memory/2780-286-0x0000000003300000-0x0000000003310000-memory.dmp

Filesize
64KB

Download
memory/2780-3153-0x0000000003300000-0x0000000003310000-memory.dmp

Filesize
64KB

Download
memory/2780-3152-0x0000000003300000-0x0000000003310000-memory.dmp

Filesize
64KB

Download
memory/5380-3211-0x00007FFF13130000-0x00007FFF13325000-memory.dmp

Filesize
2.0MB

Download
memory/5380-3246-0x00007FFF13130000-0x00007FFF13325000-memory.dmp

Filesize
2.0MB

Download
memory/5380-3213-0x00007FFF13130000-0x00007FFF13325000-memory.dmp

Filesize
2.0MB

Download
memory/5380-3210-0x00007FFF13130000-0x00007FFF13325000-memory.dmp

Filesize
2.0MB

Download
memory/5380-3214-0x00007FFF13130000-0x00007FFF13325000-memory.dmp

Filesize
2.0MB

Download
memory/5380-3209-0x00007FFF13130000-0x00007FFF13325000-memory.dmp

Filesize
2.0MB

Download
memory/5380-3208-0x00007FFED0E40000-0x00007FFED0E50000-memory.dmp

Filesize
64KB

Download
memory/5380-3238-0x00007FFED31B0000-0x00007FFED31C0000-memory.dmp

Filesize
64KB

Download
memory/5380-3239-0x00007FFED31B0000-0x00007FFED31C0000-memory.dmp

Filesize
64KB

Download
memory/5380-3240-0x00007FFED31B0000-0x00007FFED31C0000-memory.dmp

Filesize
64KB

Download
memory/5380-3242-0x00007FFF13130000-0x00007FFF13325000-memory.dmp

Filesize
2.0MB

Download
memory/5380-3241-0x00007FFED31B0000-0x00007FFED31C0000-memory.dmp

Filesize
64KB

Download
memory/5380-3243-0x00007FFF13130000-0x00007FFF13325000-memory.dmp

Filesize
2.0MB

Download
memory/5380-3244-0x00007FFF13130000-0x00007FFF13325000-memory.dmp

Filesize
2.0MB

Download
memory/5380-3245-0x00007FFF13130000-0x00007FFF13325000-memory.dmp

Filesize
2.0MB

Download
memory/5380-3212-0x00007FFED0E40000-0x00007FFED0E50000-memory.dmp

Filesize
64KB

Download
memory/5380-3167-0x00007FFED31B0000-0x00007FFED31C0000-memory.dmp

Filesize
64KB

Download
memory/5380-3168-0x00007FFF13130000-0x00007FFF13325000-memory.dmp

Filesize
2.0MB

Download
memory/5380-3182-0x00007FFED31B0000-0x00007FFED31C0000-memory.dmp

Filesize
64KB

Download
memory/5380-3205-0x00007FFF13130000-0x00007FFF13325000-memory.dmp

Filesize
2.0MB

Download
memory/5380-3204-0x00007FFF13130000-0x00007FFF13325000-memory.dmp

Filesize
2.0MB

Download
memory/5380-3169-0x00007FFED31B0000-0x00007FFED31C0000-memory.dmp

Filesize
64KB

Download
memory/5380-3200-0x00007FFED31B0000-0x00007FFED31C0000-memory.dmp

Filesize
64KB

Download
memory/5380-3203-0x00007FFED31B0000-0x00007FFED31C0000-memory.dmp

Filesize
64KB

Download
memory/5380-3202-0x00007FFF13130000-0x00007FFF13325000-memory.dmp

Filesize
2.0MB

Download
memory/5380-3201-0x00007FFF13130000-0x00007FFF13325000-memory.dmp

Filesize
2.0MB

Download
memory/5380-3199-0x00007FFF13130000-0x00007FFF13325000-memory.dmp

Filesize
2.0MB

Download
memory/5424-3206-0x000000007FE40000-0x000000007FE41000-memory.dmp

Filesize
4KB

Download
memory/5424-3207-0x0000000002610000-0x0000000002620000-memory.dmp

Filesize
64KB

Download
memory/5424-3247-0x0000000002610000-0x0000000002620000-memory.dmp

Filesize
64KB

Download