lockbit | hxxps://github[.]com/Tennessene/LockBit/tree/main

Resubmissions

12-11-2024 21:23

241112-z8p6ts1hmr 10

12-11-2024 21:18

241112-z5s4bavlep 10

Analysis

max time kernel
176s
max time network
159s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20241023-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20241023-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
12-11-2024 21:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/Tennessene/LockBit/tree/main

Score

10^/10

lockbit defense_evasion discovery ransomware spyware stealer

Malware Config

Extracted

Path

C:\x30D41fxL.README.txt

Family

lockbit

Ransom Note

~~~ LockBit 3.0 the world's fastest ransomware since 2019~~~ >>>> Your data are stolen and encrypted The data will be published on TOR website if you do not pay the ransom Links for Tor Browser: http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion http://lockbitapt5x4zkjbcqmz6frdhecqqgadevyiwqxukksspnlidyvd7qd.onion http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion http://lockbitapt34kvrip6xojylohhxrwsvpzdffgs5z4pbbsywnzsbdguqd.onion http://lockbitaptc2iq4atewz2ise62q63wfktyrl4qtwuk5qax262kgtzjqd.onion http://lockbitaptjpikdqjynvgozhgc6bgetgucdk5xjacozeaawihmoio6yd.onion http://lockbitaptq7ephv2oigdncfhtwhpqgwmqojnxqdyhprxxfpcllqdxad.onion http://lockbitaptstzf3er2lz6ku3xuifafq2yh5lmiqj5ncur6rtlmkteiqd.onion http://lockbitaptoofrpignlz6dt2wqqc5z3a4evjevoa3eqdfcntxad5lmyd.onion Links for the normal browser http://lockbitapt.uz http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion.ly http://lockbitapt5x4zkjbcqmz6frdhecqqgadevyiwqxukksspnlidyvd7qd.onion.ly http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion.ly http://lockbitapt34kvrip6xojylohhxrwsvpzdffgs5z4pbbsywnzsbdguqd.onion.ly http://lockbitaptc2iq4atewz2ise62q63wfktyrl4qtwuk5qax262kgtzjqd.onion.ly http://lockbitaptjpikdqjynvgozhgc6bgetgucdk5xjacozeaawihmoio6yd.onion.ly http://lockbitaptq7ephv2oigdncfhtwhpqgwmqojnxqdyhprxxfpcllqdxad.onion.ly http://lockbitaptstzf3er2lz6ku3xuifafq2yh5lmiqj5ncur6rtlmkteiqd.onion.ly http://lockbitaptoofrpignlz6dt2wqqc5z3a4evjevoa3eqdfcntxad5lmyd.onion.ly >>>> What guarantees that we will not deceive you? We are not a politically motivated group and we do not need anything other than your money. If you pay, we will provide you the programs for decryption and we will delete your data. Life is too short to be sad. Be not sad, money, it is only paper. If we do not give you decrypters, or we do not delete your data after payment, then nobody will pay us in the future. Therefore to us our reputation is very important. We attack the companies worldwide and there is no dissatisfied victim after payment. You can obtain information about us on twitter https://twitter.com/hashtag/lockbit?f=live >>>> You need contact us and decrypt one file for free on these TOR sites with your personal DECRYPTION ID Download and install TOR Browser https://www.torproject.org/ Write to a chat and wait for the answer, we will always answer you. Sometimes you will need to wait for our answer because we attack many companies. Links for Tor Browser: http://lockbitsupt7nr3fa6e7xyb73lk6bw6rcneqhoyblniiabj4uwvzapqd.onion http://lockbitsupuhswh4izvoucoxsbnotkmgq6durg7kficg6u33zfvq3oyd.onion http://lockbitsupn2h6be2cnqpvncyhj4rgmnwn44633hnzzmtxdvjoqlp7yd.onion Link for the normal browser http://lockbitsupp.uz If you do not get an answer in the chat room for a long time, the site does not work and in any other emergency, you can contact us in jabber or tox. Tox ID LockBitSupp: 3085B89A0C515D2FB124D645906F5D3DA5CB97CEBEA975959AE4F95302A04E1D709C3C4AE9B7 XMPP (Jabber) Support: [email protected] [email protected] >>>> Your personal DECRYPTION ID: B7568014A48684D6D525F3F3722638C4 >>>> Warning! Do not DELETE or MODIFY any files, it can lead to recovery problems! >>>> Warning! If you do not pay the ransom we will attack your company repeatedly again! >>>> Advertisement Would you like to earn millions of dollars $$$ ? Our company acquire access to networks of various companies, as well as insider information that can help you steal the most valuable data of any company. You can provide us accounting data for the access to any company, for example, login and password to RDP, VPN, corporate email, etc. Open our letter at your email. Launch the provided virus on any computer in your company. You can do it both using your work computer or the computer of any other employee in order to divert suspicion of being in collusion with us. Companies pay us the foreclosure for the decryption of files and prevention of data leak. You can contact us using Tox messenger without registration and SMS https://tox.chat/download.html. Using Tox messenger, we will never know your real name, it means your privacy is guaranteed. If you want to contact us, write in jabber or tox. Tox ID LockBitSupp: 3085B89A0C515D2FB124D645906F5D3DA5CB97CEBEA975959AE4F95302A04E1D709C3C4AE9B7 XMPP (Jabber) Support: [email protected] [email protected] If this contact is expired, and we do not respond you, look for the relevant contact data on our website via Tor or Brave browser Links for Tor Browser: http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion http://lockbitapt5x4zkjbcqmz6frdhecqqgadevyiwqxukksspnlidyvd7qd.onion http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion http://lockbitapt34kvrip6xojylohhxrwsvpzdffgs5z4pbbsywnzsbdguqd.onion http://lockbitaptc2iq4atewz2ise62q63wfktyrl4qtwuk5qax262kgtzjqd.onion http://lockbitaptjpikdqjynvgozhgc6bgetgucdk5xjacozeaawihmoio6yd.onion http://lockbitaptq7ephv2oigdncfhtwhpqgwmqojnxqdyhprxxfpcllqdxad.onion http://lockbitaptstzf3er2lz6ku3xuifafq2yh5lmiqj5ncur6rtlmkteiqd.onion http://lockbitaptoofrpignlz6dt2wqqc5z3a4evjevoa3eqdfcntxad5lmyd.onion Links for the normal browser http://lockbitapt.uz http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion.ly http://lockbitapt5x4zkjbcqmz6frdhecqqgadevyiwqxukksspnlidyvd7qd.onion.ly http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion.ly http://lockbitapt34kvrip6xojylohhxrwsvpzdffgs5z4pbbsywnzsbdguqd.onion.ly http://lockbitaptc2iq4atewz2ise62q63wfktyrl4qtwuk5qax262kgtzjqd.onion.ly http://lockbitaptjpikdqjynvgozhgc6bgetgucdk5xjacozeaawihmoio6yd.onion.ly http://lockbitaptq7ephv2oigdncfhtwhpqgwmqojnxqdyhprxxfpcllqdxad.onion.ly http://lockbitaptstzf3er2lz6ku3xuifafq2yh5lmiqj5ncur6rtlmkteiqd.onion.ly http://lockbitaptoofrpignlz6dt2wqqc5z3a4evjevoa3eqdfcntxad5lmyd.onion.ly

Emails

[email protected]

URLs

http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion

http://lockbitapt5x4zkjbcqmz6frdhecqqgadevyiwqxukksspnlidyvd7qd.onion

http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion

http://lockbitapt34kvrip6xojylohhxrwsvpzdffgs5z4pbbsywnzsbdguqd.onion

http://lockbitaptc2iq4atewz2ise62q63wfktyrl4qtwuk5qax262kgtzjqd.onion

http://lockbitaptjpikdqjynvgozhgc6bgetgucdk5xjacozeaawihmoio6yd.onion

http://lockbitaptq7ephv2oigdncfhtwhpqgwmqojnxqdyhprxxfpcllqdxad.onion

http://lockbitaptstzf3er2lz6ku3xuifafq2yh5lmiqj5ncur6rtlmkteiqd.onion

http://lockbitaptoofrpignlz6dt2wqqc5z3a4evjevoa3eqdfcntxad5lmyd.onion

http://lockbitapt.uz

http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion.ly

http://lockbitapt5x4zkjbcqmz6frdhecqqgadevyiwqxukksspnlidyvd7qd.onion.ly

http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion.ly

http://lockbitapt34kvrip6xojylohhxrwsvpzdffgs5z4pbbsywnzsbdguqd.onion.ly

http://lockbitaptc2iq4atewz2ise62q63wfktyrl4qtwuk5qax262kgtzjqd.onion.ly

http://lockbitaptjpikdqjynvgozhgc6bgetgucdk5xjacozeaawihmoio6yd.onion.ly

http://lockbitaptq7ephv2oigdncfhtwhpqgwmqojnxqdyhprxxfpcllqdxad.onion.ly

http://lockbitaptstzf3er2lz6ku3xuifafq2yh5lmiqj5ncur6rtlmkteiqd.onion.ly

http://lockbitaptoofrpignlz6dt2wqqc5z3a4evjevoa3eqdfcntxad5lmyd.onion.ly

https://twitter.com/hashtag/lockbit?f=live

Signatures

Lockbit
Ransomware family with multiple variants released since late 2019.
ransomware lockbit
Lockbit family
lockbit

Rule to detect Lockbit 3.0 ransomware Windows payload 1 IoCs

resource	yara_rule
behavioral1/files/0x0002000000040d0b-325.dat	family_lockbit

Renames multiple (438) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000\Control Panel\International\Geo\Nation	2AC0.tmp

Executes dropped EXE 2 IoCs

pid	Process
4564	LB3.exe
3124	2AC0.tmp

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File opened for modification	C:\$Recycle.Bin\S-1-5-21-3495501434-311648039-2993076821-1000\desktop.ini	LB3.exe
File opened for modification	F:\$RECYCLE.BIN\S-1-5-21-3495501434-311648039-2993076821-1000\desktop.ini	LB3.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\system32\spool\PRINTERS\PPk_cwfgl3gzqzbmexf_64ouk0b.TMP	printfilterpipelinesvc.exe
File created	C:\Windows\system32\spool\PRINTERS\00002.SPL	splwow64.exe
File created	C:\Windows\system32\spool\PRINTERS\PPq0jtuybv1qmqu6vaccv0ir6vb.TMP	printfilterpipelinesvc.exe
File created	C:\Windows\system32\spool\PRINTERS\PP2jk3vslj4mdl4_78xr1dqgusd.TMP	printfilterpipelinesvc.exe

Sets desktop wallpaper using registry 2 TTPs 2 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\x30D41fxL.bmp"	LB3.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\x30D41fxL.bmp"	LB3.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
3124	2AC0.tmp

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 11 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	LB3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	builder.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	builder.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	builder.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	builder.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2AC0.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	builder.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	keygen.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	builder.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	builder.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	ONENOTE.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	ONENOTE.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	ONENOTE.EXE

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	ONENOTE.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	ONENOTE.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	ONENOTE.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Modifies Control Panel 2 IoCs

evasion

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000\Control Panel\Desktop	LB3.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000\Control Panel\Desktop\WallpaperStyle = "10"	LB3.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133759199257548885"	chrome.exe

Modifies registry class 7 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.x30D41fxL\ = "x30D41fxL"	LB3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\x30D41fxL\DefaultIcon	LB3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\x30D41fxL	LB3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\x30D41fxL\DefaultIcon\ = "C:\\ProgramData\\x30D41fxL.ico"	LB3.exe
Key created	\REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.x30D41fxL	LB3.exe

Opens file in notepad (likely ransom note) 3 IoCs

ransomware

pid	Process
2276	NOTEPAD.EXE
2104	NOTEPAD.EXE
4452	NOTEPAD.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
5216	ONENOTE.EXE
5216	ONENOTE.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1796	chrome.exe
1796	chrome.exe
4564	LB3.exe
4564	LB3.exe
4564	LB3.exe
4564	LB3.exe
4564	LB3.exe
4564	LB3.exe
4564	LB3.exe
4564	LB3.exe
4564	LB3.exe
4564	LB3.exe
4564	LB3.exe
4564	LB3.exe
4564	LB3.exe
4564	LB3.exe
4564	LB3.exe
4564	LB3.exe
4564	LB3.exe
4564	LB3.exe
4564	LB3.exe
4564	LB3.exe
4564	LB3.exe
4564	LB3.exe
4564	LB3.exe
4564	LB3.exe
4564	LB3.exe
4564	LB3.exe
4564	LB3.exe
4564	LB3.exe
4564	LB3.exe
4564	LB3.exe
4564	LB3.exe
4564	LB3.exe
4564	LB3.exe
4564	LB3.exe
4564	LB3.exe
4564	LB3.exe
4564	LB3.exe
4564	LB3.exe
4564	LB3.exe
4564	LB3.exe
4564	LB3.exe
4564	LB3.exe
4564	LB3.exe
4564	LB3.exe
4564	LB3.exe
4564	LB3.exe
4564	LB3.exe
4564	LB3.exe
4564	LB3.exe
4564	LB3.exe
4564	LB3.exe
4564	LB3.exe
4564	LB3.exe
4564	LB3.exe
4564	LB3.exe
4564	LB3.exe
4564	LB3.exe
4564	LB3.exe
4564	LB3.exe
4564	LB3.exe
4564	LB3.exe
4564	LB3.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
792	OpenWith.exe
2584	OpenWith.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
1796	chrome.exe
1796	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1796	chrome.exe
Token: SeCreatePagefilePrivilege	1796	chrome.exe
Token: SeShutdownPrivilege	1796	chrome.exe
Token: SeCreatePagefilePrivilege	1796	chrome.exe
Token: SeShutdownPrivilege	1796	chrome.exe
Token: SeCreatePagefilePrivilege	1796	chrome.exe
Token: SeShutdownPrivilege	1796	chrome.exe
Token: SeCreatePagefilePrivilege	1796	chrome.exe
Token: SeShutdownPrivilege	1796	chrome.exe
Token: SeCreatePagefilePrivilege	1796	chrome.exe
Token: SeShutdownPrivilege	1796	chrome.exe
Token: SeCreatePagefilePrivilege	1796	chrome.exe
Token: SeShutdownPrivilege	1796	chrome.exe
Token: SeCreatePagefilePrivilege	1796	chrome.exe
Token: SeShutdownPrivilege	1796	chrome.exe
Token: SeCreatePagefilePrivilege	1796	chrome.exe
Token: SeShutdownPrivilege	1796	chrome.exe
Token: SeCreatePagefilePrivilege	1796	chrome.exe
Token: SeShutdownPrivilege	1796	chrome.exe
Token: SeCreatePagefilePrivilege	1796	chrome.exe
Token: SeShutdownPrivilege	1796	chrome.exe
Token: SeCreatePagefilePrivilege	1796	chrome.exe
Token: SeShutdownPrivilege	1796	chrome.exe
Token: SeCreatePagefilePrivilege	1796	chrome.exe
Token: SeShutdownPrivilege	1796	chrome.exe
Token: SeCreatePagefilePrivilege	1796	chrome.exe
Token: SeShutdownPrivilege	1796	chrome.exe
Token: SeCreatePagefilePrivilege	1796	chrome.exe
Token: SeShutdownPrivilege	1796	chrome.exe
Token: SeCreatePagefilePrivilege	1796	chrome.exe
Token: SeShutdownPrivilege	1796	chrome.exe
Token: SeCreatePagefilePrivilege	1796	chrome.exe
Token: SeShutdownPrivilege	1796	chrome.exe
Token: SeCreatePagefilePrivilege	1796	chrome.exe
Token: SeShutdownPrivilege	1796	chrome.exe
Token: SeCreatePagefilePrivilege	1796	chrome.exe
Token: SeShutdownPrivilege	1796	chrome.exe
Token: SeCreatePagefilePrivilege	1796	chrome.exe
Token: SeShutdownPrivilege	1796	chrome.exe
Token: SeCreatePagefilePrivilege	1796	chrome.exe
Token: SeShutdownPrivilege	1796	chrome.exe
Token: SeCreatePagefilePrivilege	1796	chrome.exe
Token: SeShutdownPrivilege	1796	chrome.exe
Token: SeCreatePagefilePrivilege	1796	chrome.exe
Token: SeShutdownPrivilege	1796	chrome.exe
Token: SeCreatePagefilePrivilege	1796	chrome.exe
Token: SeShutdownPrivilege	1796	chrome.exe
Token: SeCreatePagefilePrivilege	1796	chrome.exe
Token: SeShutdownPrivilege	1796	chrome.exe
Token: SeCreatePagefilePrivilege	1796	chrome.exe
Token: SeShutdownPrivilege	1796	chrome.exe
Token: SeCreatePagefilePrivilege	1796	chrome.exe
Token: SeShutdownPrivilege	1796	chrome.exe
Token: SeCreatePagefilePrivilege	1796	chrome.exe
Token: SeShutdownPrivilege	1796	chrome.exe
Token: SeCreatePagefilePrivilege	1796	chrome.exe
Token: SeShutdownPrivilege	1796	chrome.exe
Token: SeCreatePagefilePrivilege	1796	chrome.exe
Token: SeShutdownPrivilege	1796	chrome.exe
Token: SeCreatePagefilePrivilege	1796	chrome.exe
Token: SeShutdownPrivilege	1796	chrome.exe
Token: SeCreatePagefilePrivilege	1796	chrome.exe
Token: SeShutdownPrivilege	1796	chrome.exe
Token: SeCreatePagefilePrivilege	1796	chrome.exe

Suspicious use of FindShellTrayWindow 42 IoCs

pid	Process
1796	chrome.exe
1796	chrome.exe
1796	chrome.exe
1796	chrome.exe
1796	chrome.exe
1796	chrome.exe
1796	chrome.exe
1796	chrome.exe
1796	chrome.exe
1796	chrome.exe
1796	chrome.exe
1796	chrome.exe
1796	chrome.exe
1796	chrome.exe
1796	chrome.exe
1796	chrome.exe
1796	chrome.exe
1796	chrome.exe
1796	chrome.exe
1796	chrome.exe
1796	chrome.exe
1796	chrome.exe
1796	chrome.exe
1796	chrome.exe
1796	chrome.exe
1796	chrome.exe
1796	chrome.exe
1796	chrome.exe
1796	chrome.exe
1796	chrome.exe
1796	chrome.exe
1796	chrome.exe
1796	chrome.exe
1796	chrome.exe
1796	chrome.exe
1796	chrome.exe
1796	chrome.exe
1796	chrome.exe
1796	chrome.exe
1796	chrome.exe
1796	chrome.exe
1796	chrome.exe

Suspicious use of SendNotifyMessage 32 IoCs

pid	Process
1796	chrome.exe
1796	chrome.exe
1796	chrome.exe
1796	chrome.exe
1796	chrome.exe
1796	chrome.exe
1796	chrome.exe
1796	chrome.exe
1796	chrome.exe
1796	chrome.exe
1796	chrome.exe
1796	chrome.exe
1796	chrome.exe
1796	chrome.exe
1796	chrome.exe
1796	chrome.exe
1796	chrome.exe
1796	chrome.exe
1796	chrome.exe
1796	chrome.exe
1796	chrome.exe
1796	chrome.exe
1796	chrome.exe
1796	chrome.exe
1796	chrome.exe
1796	chrome.exe
1796	chrome.exe
1796	chrome.exe
1796	chrome.exe
1796	chrome.exe
1796	chrome.exe
1796	chrome.exe

Suspicious use of SetWindowsHookEx 47 IoCs

pid	Process
5216	ONENOTE.EXE
5216	ONENOTE.EXE
5216	ONENOTE.EXE
5216	ONENOTE.EXE
5216	ONENOTE.EXE
5216	ONENOTE.EXE
5216	ONENOTE.EXE
5216	ONENOTE.EXE
5216	ONENOTE.EXE
5216	ONENOTE.EXE
5216	ONENOTE.EXE
5216	ONENOTE.EXE
5216	ONENOTE.EXE
5216	ONENOTE.EXE
5216	ONENOTE.EXE
792	OpenWith.exe
792	OpenWith.exe
792	OpenWith.exe
792	OpenWith.exe
792	OpenWith.exe
792	OpenWith.exe
792	OpenWith.exe
792	OpenWith.exe
792	OpenWith.exe
792	OpenWith.exe
792	OpenWith.exe
792	OpenWith.exe
792	OpenWith.exe
792	OpenWith.exe
792	OpenWith.exe
792	OpenWith.exe
792	OpenWith.exe
792	OpenWith.exe
792	OpenWith.exe
792	OpenWith.exe
792	OpenWith.exe
792	OpenWith.exe
792	OpenWith.exe
792	OpenWith.exe
792	OpenWith.exe
2584	OpenWith.exe
2584	OpenWith.exe
2584	OpenWith.exe
2584	OpenWith.exe
2584	OpenWith.exe
2584	OpenWith.exe
2584	OpenWith.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1796 wrote to memory of 3284	1796	chrome.exe	83
PID 1796 wrote to memory of 3284	1796	chrome.exe	83
PID 1796 wrote to memory of 2396	1796	chrome.exe	84
PID 1796 wrote to memory of 2396	1796	chrome.exe	84
PID 1796 wrote to memory of 2396	1796	chrome.exe	84
PID 1796 wrote to memory of 2396	1796	chrome.exe	84
PID 1796 wrote to memory of 2396	1796	chrome.exe	84
PID 1796 wrote to memory of 2396	1796	chrome.exe	84
PID 1796 wrote to memory of 2396	1796	chrome.exe	84
PID 1796 wrote to memory of 2396	1796	chrome.exe	84
PID 1796 wrote to memory of 2396	1796	chrome.exe	84
PID 1796 wrote to memory of 2396	1796	chrome.exe	84
PID 1796 wrote to memory of 2396	1796	chrome.exe	84
PID 1796 wrote to memory of 2396	1796	chrome.exe	84
PID 1796 wrote to memory of 2396	1796	chrome.exe	84
PID 1796 wrote to memory of 2396	1796	chrome.exe	84
PID 1796 wrote to memory of 2396	1796	chrome.exe	84
PID 1796 wrote to memory of 2396	1796	chrome.exe	84
PID 1796 wrote to memory of 2396	1796	chrome.exe	84
PID 1796 wrote to memory of 2396	1796	chrome.exe	84
PID 1796 wrote to memory of 2396	1796	chrome.exe	84
PID 1796 wrote to memory of 2396	1796	chrome.exe	84
PID 1796 wrote to memory of 2396	1796	chrome.exe	84
PID 1796 wrote to memory of 2396	1796	chrome.exe	84
PID 1796 wrote to memory of 2396	1796	chrome.exe	84
PID 1796 wrote to memory of 2396	1796	chrome.exe	84
PID 1796 wrote to memory of 2396	1796	chrome.exe	84
PID 1796 wrote to memory of 2396	1796	chrome.exe	84
PID 1796 wrote to memory of 2396	1796	chrome.exe	84
PID 1796 wrote to memory of 2396	1796	chrome.exe	84
PID 1796 wrote to memory of 2396	1796	chrome.exe	84
PID 1796 wrote to memory of 2396	1796	chrome.exe	84
PID 1796 wrote to memory of 4680	1796	chrome.exe	85
PID 1796 wrote to memory of 4680	1796	chrome.exe	85
PID 1796 wrote to memory of 4748	1796	chrome.exe	86
PID 1796 wrote to memory of 4748	1796	chrome.exe	86
PID 1796 wrote to memory of 4748	1796	chrome.exe	86
PID 1796 wrote to memory of 4748	1796	chrome.exe	86
PID 1796 wrote to memory of 4748	1796	chrome.exe	86
PID 1796 wrote to memory of 4748	1796	chrome.exe	86
PID 1796 wrote to memory of 4748	1796	chrome.exe	86
PID 1796 wrote to memory of 4748	1796	chrome.exe	86
PID 1796 wrote to memory of 4748	1796	chrome.exe	86
PID 1796 wrote to memory of 4748	1796	chrome.exe	86
PID 1796 wrote to memory of 4748	1796	chrome.exe	86
PID 1796 wrote to memory of 4748	1796	chrome.exe	86
PID 1796 wrote to memory of 4748	1796	chrome.exe	86
PID 1796 wrote to memory of 4748	1796	chrome.exe	86
PID 1796 wrote to memory of 4748	1796	chrome.exe	86
PID 1796 wrote to memory of 4748	1796	chrome.exe	86
PID 1796 wrote to memory of 4748	1796	chrome.exe	86
PID 1796 wrote to memory of 4748	1796	chrome.exe	86
PID 1796 wrote to memory of 4748	1796	chrome.exe	86
PID 1796 wrote to memory of 4748	1796	chrome.exe	86
PID 1796 wrote to memory of 4748	1796	chrome.exe	86
PID 1796 wrote to memory of 4748	1796	chrome.exe	86
PID 1796 wrote to memory of 4748	1796	chrome.exe	86
PID 1796 wrote to memory of 4748	1796	chrome.exe	86
PID 1796 wrote to memory of 4748	1796	chrome.exe	86
PID 1796 wrote to memory of 4748	1796	chrome.exe	86
PID 1796 wrote to memory of 4748	1796	chrome.exe	86
PID 1796 wrote to memory of 4748	1796	chrome.exe	86
PID 1796 wrote to memory of 4748	1796	chrome.exe	86
PID 1796 wrote to memory of 4748	1796	chrome.exe	86

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://github.com/Tennessene/LockBit/tree/main
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1796
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x220,0x224,0x228,0x21c,0x22c,0x7ffa18d2cc40,0x7ffa18d2cc4c,0x7ffa18d2cc58
  2⤵
  PID:3284
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1940,i,2315931616143844096,17881161267729287700,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=1928 /prefetch:2
  2⤵
  PID:2396
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1800,i,2315931616143844096,17881161267729287700,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=2224 /prefetch:3
  2⤵
  PID:4680
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2260,i,2315931616143844096,17881161267729287700,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=2272 /prefetch:8
  2⤵
  PID:4748
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3156,i,2315931616143844096,17881161267729287700,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=3180 /prefetch:1
  2⤵
  PID:4132
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3132,i,2315931616143844096,17881161267729287700,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=3204 /prefetch:1
  2⤵
  PID:4112
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4616,i,2315931616143844096,17881161267729287700,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=4628 /prefetch:8
  2⤵
  PID:4184
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4432,i,2315931616143844096,17881161267729287700,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=4876 /prefetch:8
  2⤵
  PID:4136

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:4296

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:4128

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\importatne.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:2276

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1120

C:\Users\Admin\Downloads\LockBit-main\LockBit-main\builder.exe
"C:\Users\Admin\Downloads\LockBit-main\LockBit-main\builder.exe"
1⤵
- System Location Discovery: System Language Discovery
PID:1920

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\LockBit-main\LockBit-main\Build.bat" "
1⤵
PID:2456
- C:\Users\Admin\Downloads\LockBit-main\LockBit-main\keygen.exe
  keygen -path Build -pubkey pub.key -privkey priv.key
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3832
- C:\Users\Admin\Downloads\LockBit-main\LockBit-main\builder.exe
  builder -type dec -privkey Build\priv.key -config config.json -ofile Build\LB3Decryptor.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1640
- C:\Users\Admin\Downloads\LockBit-main\LockBit-main\builder.exe
  builder -type enc -exe -pubkey Build\pub.key -config config.json -ofile Build\LB3.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:768
- C:\Users\Admin\Downloads\LockBit-main\LockBit-main\builder.exe
  builder -type enc -exe -pass -pubkey Build\pub.key -config config.json -ofile Build\LB3_pass.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1824
- C:\Users\Admin\Downloads\LockBit-main\LockBit-main\builder.exe
  builder -type enc -dll -pubkey Build\pub.key -config config.json -ofile Build\LB3_Rundll32.dll
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3864
- C:\Users\Admin\Downloads\LockBit-main\LockBit-main\builder.exe
  builder -type enc -dll -pass -pubkey Build\pub.key -config config.json -ofile Build\LB3_Rundll32_pass.dll
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1820
- C:\Users\Admin\Downloads\LockBit-main\LockBit-main\builder.exe
  builder -type enc -ref -pubkey Build\pub.key -config config.json -ofile Build\LB3_ReflectiveDll_DllMain.dll
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2496

C:\Users\Admin\Downloads\LockBit-main\LockBit-main\Build\LB3.exe
"C:\Users\Admin\Downloads\LockBit-main\LockBit-main\Build\LB3.exe"
1⤵
- Executes dropped EXE
- Drops desktop.ini file(s)
- Sets desktop wallpaper using registry
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:4564
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  - Drops file in System32 directory
  PID:768
- C:\ProgramData\2AC0.tmp
  "C:\ProgramData\2AC0.tmp"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  PID:3124
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\2AC0.tmp >> NUL
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5564

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
1⤵
PID:1972

C:\Windows\system32\printfilterpipelinesvc.exe
C:\Windows\system32\printfilterpipelinesvc.exe -Embedding
1⤵
- Drops file in System32 directory
PID:5160
- C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
  /insertdoc "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\{CD96EEEB-D88C-4BCD-B8AF-9A197C00262A}.xps" 133759200293400000
  2⤵
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  PID:5216

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:792
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\importatne.txt.x30D41fxL
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:2104

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:2584
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\SelectGroup.emz.x30D41fxL
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:4452

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-3495501434-311648039-2993076821-1000\YYYYYYYYYYY

Filesize
129B

MD5
02aca7a570cf73bc3a9351e3739756a9

SHA1
c64a25c936c5b6587f4c59a9b118e9331738b608

SHA256
6c9b22dde909f4658b77a43fa76e10071657b2b7a0fd3691ccfd9564cce418ee

SHA512
a154dfef94e4d61cb9559734dc39f9b8f9cbc20a703bc992e734e864d007e2883cd812a72b9c55a6dcfd956f3df64d1202d18605ed231679d287a97aae9acc6e

Download Submit
C:\ProgramData\2AC0.tmp

Filesize
14KB

MD5
294e9f64cb1642dd89229fff0592856b

SHA1
97b148c27f3da29ba7b18d6aee8a0db9102f47c9

SHA256
917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2

SHA512
b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
279B

MD5
5d5b4dc9b030b689ce23b75bbe2f008b

SHA1
7a9b7af582067618e82ff9e5ddcd01b32b12978d

SHA256
8322c2609e8700974d8064b1e2a3396a357eb0bde7710029f4439855dd078be6

SHA512
ead6fa0d7c481e1a41cb6d5e39ff78db27157d24ee145dc2211a107527f3121bc1603416a6a09196d238970832fb528a45a58279ae2469672e190c6a8dd8ece0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
980680428b098a7380415788d2761183

SHA1
ab34dd0f23b34a8f742ffc26d27b8f902bd92bf9

SHA256
872acad1b72075f97aed512792555bcbe64812567f6dd06c12d86b25107d0782

SHA512
853bce7208d5566b0d40a8557ae2cf1a019bbb0b31e05909307a8e01c829e901d7a618a755020512527052bb3e68661efe3927884dd84b16dbc68fa5abf0e344

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
db4b2ebebeedc5c5947150cde74700cc

SHA1
d018f97e881e7a052d5babe505830e102bbe0e2b

SHA256
04df116de16d8ff9cb819e902ff0e66e7811614a2726636295ac16e77daccab4

SHA512
950101ebb4eed4f20f355c97c8712e40a9accee0cb5d4f1898f262ded2a453ff458eb0ffd07adc6ffd29916b6bf82200ec7424126d386ccf1df0b79728a02fea

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
7f12ab6cb57ea1311cb813b48c8d2856

SHA1
b27fc7468fd2969f46d1a09593b8b39cb8bf6d9f

SHA256
075d2026c6c491959b5d685741cbb15f96a322b5563681aa531ed259f8049741

SHA512
e4c791d4e8d107b74316c9e5c1c7031dde1ccf1cd1844fcf451adeec12136dfbcb7f3abeedabdbf0e649a8b31c46e1f7213e61ca5d2637b50ef8969141e37300

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
6079d80f9baa68ea2e6af15c68d84429

SHA1
9e238a14480b52f14d3aff8fe480cb723b20af77

SHA256
7ac38701b2a7abc48f119ba06a7d4198a49de3e10f086b5310e80954bab42725

SHA512
934942fefdf247de32f3361be184b9d7ce675abfc27adc435563c51f343aa124df0071c5d9d094bd371fcd6f9c8483ff4dc75254d04d30891c776f2994a308d9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
12c8b3dea0ccf9610ffbacf9827f355d

SHA1
0950a9b565c43878fc3f30222b7a92cfd730812b

SHA256
328d2410c1c045a3aecfdef22d9197aaa76ea0d8b99661983eac4ab921a4421b

SHA512
c7ee8a08e40b91b8d7b8523ecb2443c7c9de8c0600b19b960b4a67309196de0a70bf29bb66b149cfbe0ea16b72ede19d428b8c9fd6d2a740cec60627ded7a21f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
e7d9079e1f68a1a42b2a4505f05c23dc

SHA1
bba1861da9973a5beca4e4d25cac49de9e0e284e

SHA256
4bc011a85c873585d1ebbefde008d51113f9f63c295e58c28ef777271b591ef5

SHA512
1f3a95abe48f572ee2356e95a4be445a7db1ecdf6855c17accc525499e628caba1399a75939a86289f02acaa2e16bf93517c08e1a8d567b17d8b9c109a0443ca

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\a495c298-f300-4d70-a8f6-da74e22d52fb.tmp

Filesize
9KB

MD5
fda9f1368c366805f2ee287d2f6df8e1

SHA1
9db433a06290ab176d66395ad0c63270cfabcf2a

SHA256
2e9434e875795783e3e863ca05c4ffe3d8bd2f20bacf7f621eb4a905f2ba49c6

SHA512
58b5eea523c70a86831da7e503843a40781f4bbefe753663b21795985d2518fb617a69e3bb502d84013e6c6e067556bf15ba8d08b8cce853daac872e2287e883

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\GrShaderCache\data_0

Filesize
44KB

MD5
1355a9df63da0eecec41d234c6ba8e7b

SHA1
64ecfba652eaa141fa6d0de50725660a7caf779c

SHA256
4562fd8dc7da1838ec46cf3b0d7af1013a6797615cc28b573cb32f633851a984

SHA512
66910942038a2ef38c9eec1e1fc617ef50df650e4856a0184384c28cc4f4411f1672e55db53fd6f1a6af32f75a7747a49f818e3b379a7bcf831c1cbee0498265

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\GrShaderCache\data_1

Filesize
264KB

MD5
8efc7688cff503a97887f9c990b6c310

SHA1
ef36e5e894dffedf22f9f719e329b325ddb021f6

SHA256
07e8491ec8deae5df21763819f487158a1ecb252448a04a5b927b609c2781749

SHA512
0f4dc841a07e825efd7298dacd9d59522c54522a7af0b07dcd78d52cd4fa69e8e412ee4e702c7ecd17cf973b10c65aaded49219b328cecf672a2fd37e71b7e44

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\GrShaderCache\data_3

Filesize
4.0MB

MD5
a70d579cc25c06c7bbca5880052a262f

SHA1
102fb6023ec3914dc55c9ae0be32df3a5effd9b5

SHA256
fb4530abb32f142b915b90a570d626a9fc3c4bd12a7eb6602fdfc55704eb57d9

SHA512
318c82a25853b2dd60fdd334dd254d8d1315fff8bb1b2db724d75317811bf8f7befe69bfc2740407c541e82e49569db0560ac14e82273cc19b6230bb85e9b1d3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\GrShaderCache\f_000001

Filesize
16KB

MD5
964165fd5317fc48fce60cf5bd91e3ee

SHA1
a0f1adc1aae52b022fa0437bf13342301867c015

SHA256
73436f0861e72826459e650eec0566203369a4037ede6666ca252e155070d3d5

SHA512
19115ec47baf7548f24f7298b2ec6a3879925407b8b0b3526e5de4066150e99beedd5e673cad633da7cc3b175a0d073805ad222603314574b392086295b4f13b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\GrShaderCache\f_000002

Filesize
19KB

MD5
257c08c1bd310030d4e0363830843ddd

SHA1
36b8ae9f6508c6fbac29b2fa55ee6ff896271e7e

SHA256
75805831e1d767a50b164146e843d8fbd3e93671188ef8e2b9a142a06afb1a93

SHA512
7870c2fd10e22da55ff888e6fd6467a4a7f7bddbac755b7a56359dd4bb331fe4930bf8156c3e22e990306d3849d6f24a7f2a639f180df817e78df5da0963405b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\GrShaderCache\f_000003

Filesize
19KB

MD5
c6922150255f791eecc461a587f608c6

SHA1
6cdcef7d0cd09e56628cd9445ae9a9d9aca6cbfa

SHA256
bc49a943246d736480fbbb80dace1da30c257650c1d8bd9b1131975b0daf324c

SHA512
787bca86edd76e254b0ab5ab3f83845506cd091b05478f028d7007d42111eb396b5145039ffa93f85733a6f00ec18a86e7a3a166706ce7a7a585a709b056da5d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\GrShaderCache\f_000004

Filesize
16KB

MD5
03eb47013ef9386afdb3ef50e2ea31b5

SHA1
fbec35fb4db53947cebfbbadcf88f9afda82fe6d

SHA256
270b019fc07ecb933e88691a19eae979668c2ac78c6be7d1028790cc9236b9d2

SHA512
b128c926280bdeb58f12aba3070a972810af935bec3e85358067ac678625ed966d9cb2106525b2958db694733d928e55d5fb41e5610d9f865a30f6639933779d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\GraphiteDawnCache\data_1

Filesize
264KB

MD5
516b50b6e39d5c5d7bf7bb0447b5e2e3

SHA1
c3a1cfcc0904fcb2370ba19ceb3a24bad6948998

SHA256
24b7f6510512777812aa812849afdca6c7af599e1d1d75cd09ea05e3654b4bd0

SHA512
1cf9c8b3156830aba876ba50168c107ff3bd9c4b960ee965f8d595f2f43f71fbb7a073c85971fa0365691a17b049a02bfb3e22a5db8b215e0a55a7ebf75a34ab

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Last Browser

Filesize
346B

MD5
a169daf4ba17a491f74b1f1962ff0824

SHA1
7faeba0284f8260c446071847bfaad259f4c6426

SHA256
b5c4e4490755741620a4fe420e668bc23ffb4da5508b49bf9fc2669fa7ab061f

SHA512
51b466e2a24668f4194a74f268fcac0221a3608fb101a40fe7de2dc0a2fbd3e1841e25e04661ec61cd745d976e86b3973f8039e0282782f5d5128ac282116ef7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Last Version

Filesize
256B

MD5
cfcabb4e86b96456c1a00b2019fb444c

SHA1
acfdb65fa26cdc6aa9bf215810ff4d73c1f63627

SHA256
c3c9a0d4d3aa3914cb6c0f444f2948ebfc1214464da4378257388d5f51fd4fc7

SHA512
2d2229c64b0921b073f0090e9d02ea3df0d65dd3d30bc947af0e883f1a46a4f97cf2c55c390c02b4005f25cfa5fbdeb1cc9ff4d70e94551588afb20c47ecc123

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
118KB

MD5
c54085fb253bbe934208728d336ae1f7

SHA1
bbabf6a3d61f6368c2ab482334c54c8d17f51888

SHA256
8aac850eede4691b90e06dd2ad8842444b86a63c1718b24094045e4e499a359e

SHA512
be724de451444d1ab6ade147a27a82fae752e816665cbbf69457a6fd7886d23eabb2efa6283a66dd1185871a967a22c5e551424d58738243157e3175c55e9492

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
118KB

MD5
ecff877a8111b61310cc1095f9deefcc

SHA1
baacd45b7696ee5c3da719e2af367eb7eeaf5eec

SHA256
9a26bbd318229ee16850401a8b14180db4ddb0183fbfe3a34283263a101186e3

SHA512
2b915dd18bb233e5ba3e8f8f8d73b5d05b4524d9b04f6355ad2806e7503cd57e0575d0be519b9e66cecc79c6e4471dc1419ca797718afc38ebc0908820300edc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
118KB

MD5
45b992da0d48ce56b391548155a345a9

SHA1
801677f51b1764a7e06899c5819ae68fb06253c2

SHA256
774da8fe61560bc22b3cc644dc61eb74383f49a463aca421a40593efa478a827

SHA512
1e3caf553b5f73740e1bb9329ee4ac7a09d59c19c4ca119453582cc9cc0281ab94f2ce32de322747f658ac63a9c45c71c2eadebe9310b87375bd60845436f4d8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
118KB

MD5
2e30a33bbde5bf54f5c44243a0d7a942

SHA1
119a8f104d9be90bfee49630871204c324d2e980

SHA256
de6418a14a88932dac6b168d70d0c9c02d0e65aa2b2b218cefcd0ec340563f77

SHA512
5d24cc205dd327daf837c96dd37b9c69bd9908422474fdac9730ba5af07d9f2b3871327953fb4bacff60c23d9fb26cd9b024ebf2f98e8672b6345aa1e1e9ed1a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\data_1

Filesize
264KB

MD5
ebebafecfbeb8b4ec7608dc1f0ebb973

SHA1
00252fb682b2183cbbce97b5ce235ac60ff82ee8

SHA256
eefc51d580135d44a4f228fbef4cd0d170d0135ca056aa70c225ed228964e36f

SHA512
e5dce578258036f04f6ae3620c212440753d41326b2245ea685088b41fcd42c06604b010e1052354416398156d3471539be5f6eaf337532a26350bb278fe82b4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\data_1

Filesize
264KB

MD5
67ba5479ff85c58cfc1a54f4899a3e57

SHA1
11d591dec42a5c3e43c1da3fa0353060e58bcf8c

SHA256
d7bdde43e5b20632aae08380bf03d087698d31ab49a48e24296ba4fe66b10dd9

SHA512
63519d006b0b9a4c6efeaf3fa009ff2119d7d3136d8f20b00150bfa9990a9ce85c87862afcbfab00b1993d54841ec8648a85273b588dd09bef79296902df097f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Variations

Filesize
320B

MD5
6a5d353968aeabd8e63f053269cdd6ce

SHA1
6890305fca440cb49cca13d38d01f59835d61a5b

SHA256
402ea1d22c7996c6b52dba0f5862d69f4a8709bc3cf1a42506ae765308822aad

SHA512
84413948815d4115ad9631bb20334d3934521f257cfb5cf3dbb0e13c5c4e413a01023705433e3c90d4b7f3519edb526940b697409c316fabfcad89848fbe6215

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\first_party_sets.db

Filesize
48KB

MD5
a8555b7ee6597b8a83fa11d12d26ed32

SHA1
7110f5232442e80c4fec3b14e950c922d8099453

SHA256
f8d53609e3aa1f18b919243d4543c342736f876ab880edddf2acb02c769becd1

SHA512
d5cded09b7fda503ad9bb5812cf7934c194ccc842bcd8e514910b359a8b0d6a5c27d4bc3878e8c5257a98ec0c352c5c5c5b6cedb004e758b5b7115f5a3b896d3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\segmentation_platform\ukm_db

Filesize
28KB

MD5
ac427bffda6c63cac1983ca5a1211291

SHA1
3758674909a95a79d18613aa1c1618e2f6e7acfa

SHA256
3d6c82ae7a07b2b6a24ba0ce97fe178b9675ed6a1e2fe05f9f717900f8bf4245

SHA512
b6d070d6a398c661177cd69c466f4bea200a83e4d0807ede0fb8e6ccf10a84810c8ca821f3a1f130b29034e947f00ce243aacf1e42c58caaac7d721b13d77411

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\segmentation_platform\ukm_db-journal

Filesize
24KB

MD5
03d82ef6b1a9055af325e1c7e6a9c733

SHA1
c03d393454f6d939148f121bfc9a019a7fa006ad

SHA256
3c1de7b81179d700a6591a3daefb5aa2535838ed7d4ccbee9ba5643467809ad1

SHA512
d0e80d553233502a8f3c753afa2bd865cdeb38926b16adba9965c06b7416d5633eb42e0d7a98d07b18edb9008dd10a261af61d40b9df4185f7957d79e1b2079d

Download Submit
C:\Users\Admin\Desktop\SelectGroup.emz.x30D41fxL

Filesize
231KB

MD5
3e4b8926f22d1c70e611de831d604f1d

SHA1
745114bea27bb8dfbf0834eabff55e4c942142ed

SHA256
7c7a4e3bb6cf53edba87508ba41e3dc4a17a0515fced2d9bb9a2041f09d22b98

SHA512
395f3262892725347552988a14fbc5bb555e4a9417c27b43ca9a6c6c482be5dea35eb1e4ef3c7d9601f46b77496747cc2acccc2979c38f0d525fcec7b14764a8

Download Submit
C:\Users\Admin\Desktop\importatne.txt

Filesize
372B

MD5
e5c79fb2ba62afa46d4980ab997331e0

SHA1
38377f8ab9dd2f931968710d1e8717833263b98b

SHA256
309fe49a6f7ba0ea10484a0c91dac794a4e3e1b62f32ddfefd9f3efe160a1928

SHA512
72f996db5447a02185b84ef203841edc730c10ba464fc0a5f6575eacf76c81cd283e6e77d9a8d4767f9d1272ec0f517a34b544575e10d03006519d31ade99f37

Download Submit
C:\Users\Admin\Documents\OneNote Notebooks\My Notebook\Open Notebook.onetoc2

Filesize
4KB

MD5
a6070b694fbe5a62c395faa21ca93ddf

SHA1
2994cbbf39a473116b31ac08dc876d43212d8804

SHA256
d230f74771f87c943797988b1b9c055793152e9347484d3667f28288dc2e8150

SHA512
ca3785d0afdf1c14a85c6d42862ef768b64a0424f1a0ede7e7450ed27dcb4629f9aba90a08a55ce070db58b66da61cb95631fdb57c170800f749acf95908c222

Download Submit
C:\Users\Admin\Downloads\LockBit-main.zip

Filesize
292KB

MD5
3e58f47f5e5824297ade885f1f589499

SHA1
74713b3b06b68655bb1956bb23a40c3e9cc694eb

SHA256
295c20b24594152a2f50de8ef41ff416590562c84d3823545012b0282b3fec54

SHA512
d1d9b35786bde57c6a4857e8aa9048a9b0bc1043c014d698de45973543c7361756ea98146acdfad6c02834150eb38108f1a3b2796495ced8e665894cf1f17c57

Download Submit
C:\Users\Admin\Downloads\LockBit-main.zip.crdownload

Filesize
292KB

MD5
68309717a780fd8b4d1a1680874d3e12

SHA1
4cfe4f5bbd98fa7e966184e647910d675cdbda43

SHA256
707bb3b958fbf4728d8a39b043e8df083e0fce1178dac60c0d984604ec23c881

SHA512
e16de0338b1e1487803d37da66d16bc2f2644138615cbce648ae355f088912a04d1ce128a44797ff8c4dfc53c998058432052746c98c687670e4100194013149

Download Submit
C:\Users\Admin\Downloads\LockBit-main\LockBit-main\Build\CCCCCCC

Filesize
153KB

MD5
fe1316722a0db4ca2a47a1484d39a48a

SHA1
c3fd442d14e90f6d85928e0b5f4e3c48c99da310

SHA256
0e9c1232f308715e532c6ae49fb80b1b6d4e9de816dc552b8ecdfa5354d3ac5f

SHA512
dcca5134e786895938588a03df41dd2711fd934f56305cab2c04fc45592a066a7bd53b5ec6e1537b4b4dab9ae0650713c4612ffaa864c0330bf49f24a91d0b8f

Download Submit
C:\Users\Admin\Downloads\LockBit-main\LockBit-main\Build\DECRYPTION_ID.txt

Filesize
265B

MD5
51785f2218bfb18afd5bb479d087ee9b

SHA1
a71aaaad95238fa96e22a20d769ff9d8ac8ce8b6

SHA256
4ec1539332c3ddef98a7b9901a6b7d5639eeeb5ebe5714913c4095ed14aa0b56

SHA512
d53729cd8a588eba5c3cf81a5104310c4edaad0898009b55d288522cac79d6b11366be8a6e04dc8d850ffc78b1b2bd6eb5c2cbd8f95d48ddde1eb76792ee84ec

Download Submit
C:\Users\Admin\Downloads\LockBit-main\LockBit-main\Build\LB3.exe

Filesize
153KB

MD5
fed09a78f34af983a31fae50debc5f26

SHA1
2dc74037931b726cbcf0a3b5546ec87815a95fa9

SHA256
8f6791e60f5bb78b5c23e005a7b25b3fe68ddca225363d249e17ea098e22cd8c

SHA512
fa074d1c31d9a0f3dbeba39cc67ffc0117feb1a11d8c5876ed704fb9c087f2ed3e293f287e71179dfe370a2d98c759b9e34de46b7b2a943566b747440d628fdb

Download Submit
C:\Users\Admin\Downloads\LockBit-main\LockBit-main\Build\Password_dll.txt

Filesize
2KB

MD5
fb86b6bb0d3d5d7aa6a66d2667569942

SHA1
304d9fa3dcf64bbd54597bdcfd9b44ce9771430f

SHA256
7509d0f61d7a4d8ccdea89fc26920067ce6f52833abd381e8de4072285be7cf2

SHA512
302cc0f04e27f0e7ac4754dba8fdc3766e9bceb3a55fbbf3a42e841f45132926cef649bff7456474a74c619296fae342939d3dd093d2adbf8b2f3373eabb28c4

Download Submit
C:\Users\Admin\Downloads\LockBit-main\LockBit-main\Build\Password_exe.txt

Filesize
2KB

MD5
ea1368e48132ed20f58b04b540d15b23

SHA1
cd8ab5e2e677271018f06542e19c8c2b1902abf3

SHA256
61f3363e10d6ddb6d772edc4855116f9fa53f40140b897b2ca3f59da9260bc2e

SHA512
d51dcde2d763b42e5d38bd5fe85c1d9cb4de537577c3666b19f75d59701d37762cce779edbacf8a2d5f0fe3ab9eeb9be9844ceefecf905807e904c99bb6fccf7

Download Submit
C:\Users\Admin\Downloads\LockBit-main\LockBit-main\Build\priv.key

Filesize
344B

MD5
d065902adaef11085739da7d135d9c4d

SHA1
b93abd0d3010ce00afe7479402e223aed719450c

SHA256
789262e9da421a206b6a210d7eb2e7f643d34220e78a32d35a586276d23c77ac

SHA512
cb5eb5e78390889cfcb6b4db533fc0916a50e2e3b22008e761072d3655c7bd19fc604458e0751942d87252b74207cfcdd6a72b8222b6f9d5248fd816fc45612d

Download Submit
C:\Users\Admin\Downloads\LockBit-main\LockBit-main\Build\pub.key

Filesize
344B

MD5
858fc59914f5ec6a530ccecd19f02102

SHA1
10d95facc0f693e9900c2533c6cccb7ae696d1df

SHA256
7d583f197e1366e3b5343454a30e719a519d2d9594139f1865cb0c759237d7b2

SHA512
9d855f9fd508373bef219c7dfcc1a00300caa9d31f4866e47b052ea062a512fbba54c9afe20aab03858f7a99a67017b16449c4abccebc0e42d39ef476ecc5266

Download Submit
C:\x30D41fxL.README.txt

Filesize
6KB

MD5
dd746ace17e44ace00885b91400f11d5

SHA1
4a0302d2dca400598f396e4230fdae71779cbeaa

SHA256
b27c3c8a30faf7c76483b7e5d964ae85046a9713caa46508ee7a1e31b7dc6272

SHA512
8ac26aa7262fdf1afdc74e604720a79ebde076c75f460d7d5f57ff4d81dedb1ad471eb114ddd428c1934029746f5c222339090680bc77a6ea09ce329e1da3ef1

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-3495501434-311648039-2993076821-1000\DDDDDDDDDDD

Filesize
129B

MD5
a705aeb9c0918c86bf7751ac55510f0c

SHA1
9e25f3f2b6398d1d24c3718a9c1ed2f5cc19d839

SHA256
e785bb5f5e9f9ac411eb0d163cafc41b0bf6d6273b5ca5c705501bb0160c52f1

SHA512
1f3fafc634aa7ba87f9efd6585e85fb6c4144fb2befc81f83b2dcc1e2552c91421b5e35d07a886b110c0709097da8937bc229792b386b61cf13b9cb24915bfab

Download Submit
memory/5216-2115-0x00007FF9E8610000-0x00007FF9E8620000-memory.dmp

Filesize
64KB

Download
memory/5216-2114-0x00007FF9E8610000-0x00007FF9E8620000-memory.dmp

Filesize
64KB

Download
memory/5216-2117-0x00007FF9E8610000-0x00007FF9E8620000-memory.dmp

Filesize
64KB

Download
memory/5216-2118-0x00007FF9E8610000-0x00007FF9E8620000-memory.dmp

Filesize
64KB

Download
memory/5216-2116-0x00007FF9E8610000-0x00007FF9E8620000-memory.dmp

Filesize
64KB

Download
memory/5216-2151-0x00007FF9E5C50000-0x00007FF9E5C60000-memory.dmp

Filesize
64KB

Download
memory/5216-2152-0x00007FF9E5C50000-0x00007FF9E5C60000-memory.dmp

Filesize
64KB

Download