Analysis
max time kernel: 270s
max time network: 278s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 12-11-2024 21:23

Static task: static1
URLScan task: urlscan1
Behavioral task: behavioral1
  Sample: https://github.com/Tennessene/LockBit/tree/main
  Resource: win10v2004-20241007-en
Behavioral task: behavioral2
  Sample: https://github.com/Tennessene/LockBit/tree/main
  Resource: win10ltsc2021-20241023-en

General
Target: https://github.com/Tennessene/LockBit/tree/main
Malware Config
Extracted from: C:\Users\Admin\bzmeMijnq.README.txt (ransom note; a second copy is opened from C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ in the process list, so the note is written into multiple directories)
Family: lockbit
Contact / leak-site URLs in the note:
http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion
http://lockbitapt5x4zkjbcqmz6frdhecqqgadevyiwqxukksspnlidyvd7qd.onion
http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion
http://lockbitapt34kvrip6xojylohhxrwsvpzdffgs5z4pbbsywnzsbdguqd.onion
http://lockbitaptc2iq4atewz2ise62q63wfktyrl4qtwuk5qax262kgtzjqd.onion
http://lockbitaptjpikdqjynvgozhgc6bgetgucdk5xjacozeaawihmoio6yd.onion
http://lockbitaptq7ephv2oigdncfhtwhpqgwmqojnxqdyhprxxfpcllqdxad.onion
http://lockbitaptstzf3er2lz6ku3xuifafq2yh5lmiqj5ncur6rtlmkteiqd.onion
http://lockbitaptoofrpignlz6dt2wqqc5z3a4evjevoa3eqdfcntxad5lmyd.onion
http://lockbitapt.uz
http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion.ly
http://lockbitapt5x4zkjbcqmz6frdhecqqgadevyiwqxukksspnlidyvd7qd.onion.ly
http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion.ly
http://lockbitapt34kvrip6xojylohhxrwsvpzdffgs5z4pbbsywnzsbdguqd.onion.ly
http://lockbitaptc2iq4atewz2ise62q63wfktyrl4qtwuk5qax262kgtzjqd.onion.ly
http://lockbitaptjpikdqjynvgozhgc6bgetgucdk5xjacozeaawihmoio6yd.onion.ly
http://lockbitaptq7ephv2oigdncfhtwhpqgwmqojnxqdyhprxxfpcllqdxad.onion.ly
http://lockbitaptstzf3er2lz6ku3xuifafq2yh5lmiqj5ncur6rtlmkteiqd.onion.ly
http://lockbitaptoofrpignlz6dt2wqqc5z3a4evjevoa3eqdfcntxad5lmyd.onion.ly
https://twitter.com/hashtag/lockbit?f=live
http://lockbitsupt7nr3fa6e7xyb73lk6bw6rcneqhoyblniiabj4uwvzapqd.onion
http://lockbitsupuhswh4izvoucoxsbnotkmgq6durg7kficg6u33zfvq3oyd.onion
http://lockbitsupn2h6be2cnqpvncyhj4rgmnwn44633hnzzmtxdvjoqlp7yd.onion
http://lockbitsupp.uz
https://tox.chat/download.html
Signatures
-
Lockbit
Ransomware family with multiple variants released since late 2019.
-
Lockbit family
-
Rule to detect Lockbit 3.0 ransomware Windows payload (1 IoC)
resource: behavioral1/files/0x0008000000023cf9-270.dat | yara_rule: family_lockbit
-
Renames multiple (632) files with added filename extension
Renaming hundreds of files by appending one new extension is the footprint of an encryptor rewriting files in place; the file class registered under HKLM\SOFTWARE\Classes below (.bzmeMijnq) indicates the extension that was appended in this run.
-
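The signature above is a counting heuristic. As an added example (not part of this sandbox report, and not the sandbox's own rule), the following reimplements it over constructed, Sysmon-style file-rename records so that the "pure append" test, the threshold and the time window are explicit. PIDs, paths and timestamps in `build_sample_events` are made up for the example; the extension `.bzmeMijnq` is taken from the report.

```python
"""Count-based detection of one process appending the same extension to many files."""
from __future__ import annotations

import ntpath
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class RenameEvent:
    ts: float        # seconds since trace start (constructed)
    pid: int
    image: str
    old_path: str
    new_path: str


def appended_extension(old_path: str, new_path: str) -> str | None:
    """Return EXT when new_path == old_path + '.' + EXT in the same directory, else None.

    Renames that change the base name or move the file are not appends, so
    ordinary save-as or move operations do not count towards the threshold.
    """
    old_dir, old_name = ntpath.split(old_path)
    new_dir, new_name = ntpath.split(new_path)
    if old_dir.lower() != new_dir.lower() or not old_name:
        return None
    if not new_name.startswith(old_name):
        return None
    suffix = new_name[len(old_name):]
    # exactly one new component: ".ext" with no further dots or separators
    if len(suffix) < 2 or suffix[0] != "." or "." in suffix[1:] or "\\" in suffix:
        return None
    return suffix[1:]


def detect_mass_rename(events, threshold: int = 50, window_s: float = 60.0) -> dict[tuple[int, str], int]:
    """Return {(pid, ext): peak} for every process that appended the same extension
    to at least `threshold` distinct files inside some `window_s`-second window."""
    per_key: dict[tuple[int, str], list[tuple[float, str]]] = defaultdict(list)
    for ev in events:
        ext = appended_extension(ev.old_path, ev.new_path)
        if ext is not None:
            per_key[(ev.pid, ext)].append((ev.ts, ev.old_path.lower()))

    hits: dict[tuple[int, str], int] = {}
    for key, items in per_key.items():
        items.sort()
        in_window: Counter = Counter()   # distinct source paths inside the sliding window
        start = 0
        peak = 0
        for ts, path in items:
            in_window[path] += 1
            while ts - items[start][0] > window_s:   # evict events older than the window
                old = items[start][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                start += 1
            peak = max(peak, len(in_window))
        if peak >= threshold:
            hits[key] = peak
    return hits


def build_sample_events() -> list[RenameEvent]:
    """Constructed trace: an encryptor (PID 5640) appending .bzmeMijnq to 60 files in 12 s,
    a backup tool appending .bak to 3 files, and one benign save-as rename."""
    events: list[RenameEvent] = []
    for i in range(60):
        src = rf"C:\Users\Admin\Documents\report{i:03d}.docx"
        events.append(RenameEvent(100.0 + i * 0.2, 5640, "LB3.exe", src, src + ".bzmeMijnq"))
    for i in range(3):
        src = rf"C:\Users\Admin\Desktop\notes{i}.txt"
        events.append(RenameEvent(200.0 + i, 4120, "backup.exe", src, src + ".bak"))
    events.append(RenameEvent(300.0, 2000, "WINWORD.EXE",
                              r"C:\Users\Admin\Documents\~WRD0001.tmp",
                              r"C:\Users\Admin\Documents\draft.docx"))
    return events


if __name__ == "__main__":
    for (pid, ext), n in detect_mass_rename(build_sample_events()).items():
        print(f"PID {pid}: appended .{ext} to {n} files inside one window")
```

The window matters as much as the threshold: an encryptor finishes a user profile in seconds, while a backup or archiving job touches the same number of files over hours, so shortening `window_s` is how the rule keeps its precision.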
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence check.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation | 945C.tmp
-
Executes dropped EXE (2 IoCs)
pid | Process
5640 | LB3.exe
8176 | 945C.tmp
-
Reads user/profile data of web browsers (3 TTPs)
Infostealers often target stored browser data, which can include saved credentials. The report attaches no process to this signature, and the sandbox also launched Edge and Chrome, which read their own profile data, so treat this hit as unattributed rather than as evidence that the payload harvests credentials.
-
Drops desktop.ini file(s) (2 IoCs)
description | ioc | Process
File opened for modification | C:\$Recycle.Bin\S-1-5-21-3442511616-637977696-3186306149-1000\desktop.ini | LB3.exe
File opened for modification | F:\$RECYCLE.BIN\S-1-5-21-3442511616-637977696-3186306149-1000\desktop.ini | LB3.exe
-
Indicator Removal: File Deletion (1 TTP)
Adversaries may delete files left behind by the actions of their intrusion activity. Here the dropped C:\ProgramData\945C.tmp (PID 8176) spawns cmd.exe /C DEL /F /Q C:\PROGRA~3\945C.tmp >> NUL to remove its own image (see the process tree).
-
Drops file in System32 directory (4 IoCs)
description | ioc | Process
File created | C:\Windows\system32\spool\PRINTERS\PPitnjsl7qlltj5x7xxy00_ri8b.TMP | printfilterpipelinesvc.exe
File created | C:\Windows\system32\spool\PRINTERS\PP3f5a8nq0wklsyc2c0a27q_rbc.TMP | printfilterpipelinesvc.exe
File created | C:\Windows\system32\spool\PRINTERS\PP24fhs02ojpx50pgcqq8pn7li.TMP | printfilterpipelinesvc.exe
File created | C:\Windows\system32\spool\PRINTERS\00002.SPL | splwow64.exe
These are print-spooler artifacts, not payload drops: splwow64.exe is a child of LB3.exe in the process tree, so the payload submitted a print job, and the print pipeline handed the resulting .xps to ONENOTE.EXE (/insertdoc).
-
Sets desktop wallpaper using registry (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\bzmeMijnq.bmp" | LB3.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\bzmeMijnq.bmp" | LB3.exe
(Both spellings of the value name are written; the wallpaper image shares the per-build name bzmeMijnq with the ransom note and the registered file class.)
-
Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoC)
pid | Process
8176 | 945C.tmp
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery (1 TTP, 10 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process (hits)
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | builder.exe (6)
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 945C.tmp (1)
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | keygen.exe (1)
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | LB3.exe (1)
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe (1)
This key is also touched by ordinary locale initialisation (note the cmd.exe hit), so on its own it is low-signal; the hits from LB3.exe and 945C.tmp are the ones that pair with the Geo\Nation lookup above.
-
Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | ONENOTE.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | ONENOTE.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | ONENOTE.EXE
All three hits come from ONENOTE.EXE, the Office instance started by the print pipeline, not from the payload.
-
Enumerates system info in registry (2 TTPs, 9 IoCs)
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | ONENOTE.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | ONENOTE.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | ONENOTE.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | chrome.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | chrome.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | chrome.exe
Every hit is from a browser or Office process; none is attributed to LB3.exe or 945C.tmp.
-
Modifies Control Panel (2 IoCs)
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\Desktop | LB3.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\Desktop\WallpaperStyle = "10" | LB3.exe
-
Modifies registry class (5 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\bzmeMijnq\DefaultIcon\ = "C:\\ProgramData\\bzmeMijnq.ico" | LB3.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.bzmeMijnq | LB3.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.bzmeMijnq\ = "bzmeMijnq" | LB3.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\bzmeMijnq\DefaultIcon | LB3.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\bzmeMijnq | LB3.exe
The payload registers a file class for its .bzmeMijnq extension whose DefaultIcon is the dropped C:\ProgramData\bzmeMijnq.ico, so every encrypted file shows the ransomware icon in Explorer. Writing under HKLM\SOFTWARE\Classes requires administrative rights, which is consistent with the privilege adjustments listed below.
-
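The wallpaper, Control Panel and registry-class signatures all carry the same per-build token (bzmeMijnq), and the ransom note is named after it. As an added example (not part of this sandbox report), the following parses constructed rows in the report's own "description ioc Process" format, copied from the values above, and correlates them to recover the extension, its icon, the wallpaper and the expected ransom-note name; the parser and the correlation rules are this example's own. The doubled backslashes inside quoted values reproduce the sandbox's escaping and are undone during parsing.

```python
"""Correlate the registry artifacts a LockBit 3.0 build leaves behind to recover its extension."""
from __future__ import annotations

import ntpath
import re

# Constructed from the report's IoC rows (one row per line, same layout as the report).
SAMPLE_REGISTRY_EVENTS = r"""
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\bzmeMijnq\DefaultIcon\ = "C:\\ProgramData\\bzmeMijnq.ico" LB3.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.bzmeMijnq LB3.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.bzmeMijnq\ = "bzmeMijnq" LB3.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\bzmeMijnq\DefaultIcon LB3.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\bzmeMijnq LB3.exe
Key created \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\Desktop LB3.exe
Set value (str) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\Desktop\WallpaperStyle = "10" LB3.exe
Set value (str) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\bzmeMijnq.bmp" LB3.exe
Set value (str) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\bzmeMijnq.bmp" LB3.exe
"""

# <op> <path>[ = "<value>"] <process>; the path may contain spaces ("Control Panel"),
# so it is matched lazily and the process name is anchored to the end of the line.
_ROW = re.compile(
    r'^(?P<op>Set value \([a-z]+\)|Key created|Key opened) '
    r'(?P<path>.+?)'
    r'(?: = "(?P<value>.*)")?'
    r' (?P<proc>\S+)$'
)
_CLASS_KEY = re.compile(r"^\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\\.(?P<ext>[^\\]+)\\?$", re.I)
_DEFAULT_ICON = re.compile(r"^\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\(?P<progid>[^\\]+)\\DefaultIcon\\?$", re.I)
_WALLPAPER = re.compile(r"\\Control Panel\\Desktop\\Wallpaper$", re.I)   # Wallpaper and WallPaper


def parse_rows(text: str) -> list[dict]:
    """Split report rows into op / path / value / proc; unescape the sandbox's doubled backslashes."""
    rows = []
    for line in text.strip().splitlines():
        m = _ROW.match(line.strip())
        if not m:
            raise ValueError(f"unparsed row: {line!r}")
        row = m.groupdict()
        if row["value"] is not None:
            row["value"] = row["value"].replace("\\\\", "\\")
        rows.append(row)
    return rows


def extension_profile(rows: list[dict]) -> dict:
    """Tie the new file class, its ProgID, the DefaultIcon and the wallpaper together."""
    ext = progid = wallpaper = process = None
    icons: dict[str, str] = {}          # progid (lower-case) -> icon path
    for r in rows:
        path, val = r["path"], r["value"]
        m = _CLASS_KEY.match(path)
        if m and r["op"].startswith("Set value") and val:
            ext, progid, process = m["ext"], val, r["proc"]      # default value names the ProgID
        elif m and ext is None:
            ext, process = m["ext"], r["proc"]
        m = _DEFAULT_ICON.match(path)
        if m and val:
            icons[m["progid"].lower()] = val
        if _WALLPAPER.search(path) and val:
            wallpaper = val
    icon = icons.get(progid.lower()) if progid else None
    # the icon and wallpaper file stems should equal the extension for a consistent build
    stems = {ntpath.splitext(ntpath.basename(p))[0].lower() for p in (icon, wallpaper) if p}
    return {
        "process": process,
        "extension": ext,
        "progid": progid,
        "icon": icon,
        "wallpaper": wallpaper,
        "expected_note": f"{ext}.README.txt" if ext else None,
        "consistent": ext is not None and stems == {ext.lower()},
    }


if __name__ == "__main__":
    for k, v in extension_profile(parse_rows(SAMPLE_REGISTRY_EVENTS)).items():
        print(f"{k:14} {v}")
```

Because the extension is generated per build, a hash-based indicator from one sample is useless against the next; the correlation above (new class under HKLM\SOFTWARE\Classes whose icon and the wallpaper both live in C:\ProgramData under the same stem) is the artifact that survives rebuilds.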
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | Process (hits)
3412 | msedge.exe (2)
4808 | msedge.exe (2)
2232 | identity_helper.exe (2)
4832 | msedge.exe (2)
5640 | LB3.exe (56)
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (10 IoCs)
pid | Process (hits)
4808 | msedge.exe (7)
6008 | chrome.exe (3)
-
Suspicious use of AdjustPrivilegeToken (64 IoCs, all from LB3.exe, PID 5640)
Privileges enabled, in order of first appearance:
SeAssignPrimaryTokenPrivilege, SeBackupPrivilege, SeDebugPrivilege, 36, SeImpersonatePrivilege, SeIncBasePriorityPrivilege, SeIncreaseQuotaPrivilege, 33, SeManageVolumePrivilege, SeProfSingleProcessPrivilege, SeRestorePrivilege, SeSecurityPrivilege, SeSystemProfilePrivilege, SeTakeOwnershipPrivilege, SeShutdownPrivilege, SeDebugPrivilege, followed by 48 further alternating SeBackupPrivilege / SeSecurityPrivilege enables
("33" and "36" are privilege LUIDs the sandbox did not resolve to names.)
SeBackupPrivilege and SeRestorePrivilege let the process read and write files regardless of their ACLs, SeTakeOwnershipPrivilege lets it seize objects it still cannot open, and SeDebugPrivilege lets it open other processes; together they are what an encryptor running as administrator needs to reach every file on the host. The repeated SeBackup/SeSecurity pairs are consistent with the privileges being re-enabled per file or per volume during encryption.
-
Suspicious use of FindShellTrayWindow (61 IoCs)
pid | Process
4808 | msedge.exe (repeated)
6008 | chrome.exe (repeated)
-
Suspicious use of SendNotifyMessage (48 IoCs)
pid | Process (hits)
4808 | msedge.exe (24)
6008 | chrome.exe (24)
-
Suspicious use of SetWindowsHookEx (13 IoCs)
pid | Process (hits)
8020 | ONENOTE.EXE (13)
(All from the Office instance started by the print pipeline; not attributed to the payload.)
-
Suspicious use of WriteProcessMemory (64 IoCs)
description | pid | Process | procid_target
PID 4808 wrote to memory of 4856 | 4808 | msedge.exe | 83 (repeated)
PID 4808 wrote to memory of 2896 | 4808 | msedge.exe | 84 (repeated)
PID 4808 wrote to memory of 3412 | 4808 | msedge.exe | 85 (repeated)
PID 4808 wrote to memory of 4864 | 4808 | msedge.exe | 86 (repeated)
Every entry is the Edge browser process (PID 4808) writing into its own child processes (4856, 2896, 3412, 4864), which is normal Chromium process bootstrapping; no write targets the payload or originates from it.
Processes
The target is a URL, so the tree below records the sandbox opening it in Edge, then executing the repository's Build.bat (cmd.exe, PID 4984), which runs keygen.exe and builder.exe to produce the payloads, and finally launching the freshly built Build\LB3.exe (PID 5640). Indentation reflects the parent/child depth the report gives.
-
[PID 4808] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://github.com/Tennessene/LockBit/tree/main
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    [PID 4856] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffef75646f8,0x7ffef7564708,0x7ffef7564718
    [PID 2896] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2064,13797502178551848690,850854709891311740,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2116 /prefetch:2
    [PID 3412] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2064,13797502178551848690,850854709891311740,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2176 /prefetch:3
        - Suspicious behavior: EnumeratesProcesses
    [PID 4864] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2064,13797502178551848690,850854709891311740,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2904 /prefetch:8
    [PID 3620] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,13797502178551848690,850854709891311740,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3356 /prefetch:1
    [PID 4844] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,13797502178551848690,850854709891311740,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3368 /prefetch:1
    [PID 3044] C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2064,13797502178551848690,850854709891311740,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5768 /prefetch:8
    [PID 2232] C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2064,13797502178551848690,850854709891311740,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5768 /prefetch:8
        - Suspicious behavior: EnumeratesProcesses
    [PID 4584] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2064,13797502178551848690,850854709891311740,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5780 /prefetch:8
    [PID 4016] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,13797502178551848690,850854709891311740,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5764 /prefetch:1
    [PID 4832] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2064,13797502178551848690,850854709891311740,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5272 /prefetch:8
        - Suspicious behavior: EnumeratesProcesses
    [PID 2356] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,13797502178551848690,850854709891311740,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5828 /prefetch:1
    [PID 1480] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,13797502178551848690,850854709891311740,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3816 /prefetch:1
    [PID 1396] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,13797502178551848690,850854709891311740,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5260 /prefetch:1
    [PID 740] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,13797502178551848690,850854709891311740,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6200 /prefetch:1
    [PID 3952] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2064,13797502178551848690,850854709891311740,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4872 /prefetch:2
-
[PID 3624] C:\Windows\System32\CompPkgSrv.exe
    cmdline: C:\Windows\System32\CompPkgSrv.exe -Embedding
-
[PID 632] C:\Windows\System32\CompPkgSrv.exe
    cmdline: C:\Windows\System32\CompPkgSrv.exe -Embedding
-
[PID 4492] C:\Windows\System32\rundll32.exe
    cmdline: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
-
[PID 4984] C:\Windows\system32\cmd.exe
    cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\LockBit-main\LockBit-main\Build.bat" "
    [PID 5280] C:\Users\Admin\Downloads\LockBit-main\LockBit-main\keygen.exe
        cmdline: keygen -path Build -pubkey pub.key -privkey priv.key
        - System Location Discovery: System Language Discovery
    [PID 5312] C:\Users\Admin\Downloads\LockBit-main\LockBit-main\builder.exe
        cmdline: builder -type dec -privkey Build\priv.key -config config.json -ofile Build\LB3Decryptor.exe
        - System Location Discovery: System Language Discovery
    [PID 5336] C:\Users\Admin\Downloads\LockBit-main\LockBit-main\builder.exe
        cmdline: builder -type enc -exe -pubkey Build\pub.key -config config.json -ofile Build\LB3.exe
        - System Location Discovery: System Language Discovery
    [PID 5360] C:\Users\Admin\Downloads\LockBit-main\LockBit-main\builder.exe
        cmdline: builder -type enc -exe -pass -pubkey Build\pub.key -config config.json -ofile Build\LB3_pass.exe
        - System Location Discovery: System Language Discovery
    [PID 5384] C:\Users\Admin\Downloads\LockBit-main\LockBit-main\builder.exe
        cmdline: builder -type enc -dll -pubkey Build\pub.key -config config.json -ofile Build\LB3_Rundll32.dll
        - System Location Discovery: System Language Discovery
    [PID 5404] C:\Users\Admin\Downloads\LockBit-main\LockBit-main\builder.exe
        cmdline: builder -type enc -dll -pass -pubkey Build\pub.key -config config.json -ofile Build\LB3_Rundll32_pass.dll
        - System Location Discovery: System Language Discovery
    [PID 5428] C:\Users\Admin\Downloads\LockBit-main\LockBit-main\builder.exe
        cmdline: builder -type enc -ref -pubkey Build\pub.key -config config.json -ofile Build\LB3_ReflectiveDll_DllMain.dll
        - System Location Discovery: System Language Discovery
    (Build.bat first generates the key pair, builds the decryptor from the private key, then builds the encryptor from the public key in EXE, password-protected EXE, rundll32 DLL, password-protected DLL and reflective-DLL forms, each from the same config.json.)
-
[PID 5640] C:\Users\Admin\Downloads\LockBit-main\LockBit-main\Build\LB3.exe
    cmdline: "C:\Users\Admin\Downloads\LockBit-main\LockBit-main\Build\LB3.exe"
    - Executes dropped EXE
    - Drops desktop.ini file(s)
    - Sets desktop wallpaper using registry
    - System Location Discovery: System Language Discovery
    - Modifies Control Panel
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    [PID 7812] C:\Windows\splwow64.exe
        cmdline: C:\Windows\splwow64.exe 12288
        - Drops file in System32 directory
    [PID 8176] C:\ProgramData\945C.tmp
        cmdline: "C:\ProgramData\945C.tmp"
        - Checks computer location settings
        - Executes dropped EXE
        - Suspicious use of NtSetInformationThreadHideFromDebugger
        - System Location Discovery: System Language Discovery
        [PID 7112] C:\Windows\SysWOW64\cmd.exe
            cmdline: "C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\945C.tmp >> NUL
            - System Location Discovery: System Language Discovery
            (The 32-bit cmd.exe deletes its parent's own image by 8.3 short path; this is the self-deletion behind the "Indicator Removal: File Deletion" signature.)
-
[PID 7816] C:\Windows\system32\svchost.exe
    cmdline: C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
-
[PID 4836] C:\Windows\system32\printfilterpipelinesvc.exe
    cmdline: C:\Windows\system32\printfilterpipelinesvc.exe -Embedding
    - Drops file in System32 directory
    [PID 8020] C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
        cmdline: /insertdoc "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\{EE018391-6B8E-47BA-8381-E1AD1EF9F6A1}.xps" 133759202931730000
        - Checks processor information in registry
        - Enumerates system info in registry
        - Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Google\Chrome\User Data\bzmeMijnq.README.txt1⤵PID:1908
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe"1⤵
- Enumerates system info in registry
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:6008 -
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffee616cc40,0x7ffee616cc4c,0x7ffee616cc582⤵PID:5008
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1936,i,703617987618207379,1740893702211553744,262144 --variations-seed-version --mojo-platform-channel-handle=1920 /prefetch:22⤵PID:5900
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2136,i,703617987618207379,1740893702211553744,262144 --variations-seed-version --mojo-platform-channel-handle=2196 /prefetch:32⤵PID:6060
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2308,i,703617987618207379,1740893702211553744,262144 --variations-seed-version --mojo-platform-channel-handle=2324 /prefetch:82⤵PID:6088
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3188,i,703617987618207379,1740893702211553744,262144 --variations-seed-version --mojo-platform-channel-handle=3208 /prefetch:12⤵PID:6272
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe (PID 6420, tree depth 2)
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3092,i,703617987618207379,1740893702211553744,262144 --variations-seed-version --mojo-platform-channel-handle=3232 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe (PID 6752, tree depth 2)
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4544,i,703617987618207379,1740893702211553744,262144 --variations-seed-version --mojo-platform-channel-handle=4532 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe (PID 6892, tree depth 2)
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4692,i,703617987618207379,1740893702211553744,262144 --variations-seed-version --mojo-platform-channel-handle=4560 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe (PID 6896, tree depth 2)
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4724,i,703617987618207379,1740893702211553744,262144 --variations-seed-version --mojo-platform-channel-handle=4844 /prefetch:8

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe (PID 6724, tree depth 1)
  "C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
Network
MITRE ATT&CK Enterprise v15
Credential Access
  Credentials from Password Stores (1)
    Credentials from Web Browsers (1)
  Unsecured Credentials (1)
    Credentials In Files (1)
Downloads
-
Filesize: 129B
MD5: 8fce428e37720e2154933943df3d9d3c
SHA1: c57a25bab9f392864c12272263198a53fc9082da
SHA256: 7dc5547bc43ad23f29defa97274c779b9c935f180051f4363cb1a54ad9117ae9
SHA512: ce45fc9c0e5042131c28977ae95ed4d86baa7418aff6e4e24b0a2c9bd83658784ba82ab39577eabedf1681ce9d0f45cc1dd6ed0417572c827718428e7964e4db
-
Filesize: 14KB
MD5: 294e9f64cb1642dd89229fff0592856b
SHA1: 97b148c27f3da29ba7b18d6aee8a0db9102f47c9
SHA256: 917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2
SHA512: b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf
-
Filesize: 40B
MD5: ebab856aebcb8d2c3e0ba01cdf5456d8
SHA1: 16672dd3d1e71a454784a6915f9ecc70a5ad5c2f
SHA256: 9c587feb6ae105900a2c2c4bacfdc6fa8b287db7a10bc107e93e591be334cda1
SHA512: 18a63748d0f657e38c27ce4bc13533aa73e62cd64f910199c0721ba3be21244cdb16bbc9de405cd486c1feb83b1c7c632fb522554954a76cdbba1691e5b8cec1
-
Filesize: 192KB
MD5: a8cf54419129b874864cf206392ece0f
SHA1: 2d8f78e5d6951faedba3257d5794227f34c50967
SHA256: b8a7649c907c010db609d7143f3f0601a385b9cf803f4b0bddb449c41151cc1f
SHA512: 02a77857be5123636fdc44791f6cf7a4532fa53e34576be7f6ab21da51ef400fc138d7dda6a2880b2b42ddb22a803a1897e4f95ea3479487af61a199c7929a8c
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\04907c3b-c6be-44c8-b153-558ba0a53189.tmp
Filesize: 1KB
MD5: 9ae781bdbe5cd607358efd0cabbe4f76
SHA1: cea2f068b887757d202ee418b70b6ddeb886eb32
SHA256: d219cd2d5d52536904f2f9655ced1e0f25e6c8de5bbfc504897f8e948db1132f
SHA512: 7229eb0b134f480f8495363b62e544b9316a43f69669bc3728f76468a5465ed5af0bce8d824c61c7e0f85a6eb9b23ca965e4d35b1d38aaefa739e7c26202fe91
-
Filesize: 2B
MD5: d751713988987e9331980363e24189ce
SHA1: 97d170e1550eee4afc0af065b78cda302a97674c
SHA256: 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512: b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af
-
Filesize: 356B
MD5: f384729a257f5f1fa467fab585013c28
SHA1: a908fed2db7e1d95be287045fa7656ff1d810e3f
SHA256: 16c7abc36d9f05aabc2d0fd12543a05a2bb19981878be062536f845f36ea8b41
SHA512: 9ed6143e8a6b6e29c0fecb10b0d95a7a024e137d4d117b159e63b2ad33fbf1a03e6fc5de21d71aa1a3b73a9977d5ff2e613b79ce3cde36e94a2270fe967be5b9
-
Filesize: 8KB
MD5: 02d54c8fabb668a8186812f58df1cc5c
SHA1: e4afb51d45de221a91ae5a59c30934048e49473a
SHA256: 49c17713d11a55c99507e4e54394a1981bf250b642371cfa468aed89201f23ce
SHA512: 170a83a59cc8542682c66bc11963df7ac02b456b9b49c4812183c56fb738c60734ce67d4c52ece5a47bdae82a6ae636375dcbd92ee246d6f83bcdd2417f05b84
-
Filesize: 15KB
MD5: 4b91fcbf38eb006d77f4cd3f21e4fb30
SHA1: 6b7a333b6d8db42d5bef1573acb2fa7070d2865b
SHA256: af1e553717cc673235516b0e8790577205a2df0c687681ad7945457e54d8e844
SHA512: a3218b8fcca56050b44da90b38ce9595de0fde1181fca4d87ce647dfaa933be9e3bdd344f09d76bf16e4bdcacc41c087806c4f6b42c2c165e28e298e1d102cc2
-
Filesize: 8KB
MD5: cf89d16bb9107c631daabf0c0ee58efb
SHA1: 3ae5d3a7cf1f94a56e42f9a58d90a0b9616ae74b
SHA256: d6a5fe39cd672781b256e0e3102f7022635f1d4bb7cfcc90a80fffe4d0f3877e
SHA512: 8cb5b059c8105eb91e74a7d5952437aaa1ada89763c5843e7b0f1b93d9ebe15ed40f287c652229291fac02d712cf7ff5ececef276ba0d7ddc35558a3ec3f77b0
-
Filesize: 264KB
MD5: f50f89a0a91564d0b8a211f8921aa7de
SHA1: 112403a17dd69d5b9018b8cede023cb3b54eab7d
SHA256: b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec
SHA512: bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58
-
Filesize: 8KB
MD5: 0962291d6d367570bee5454721c17e11
SHA1: 59d10a893ef321a706a9255176761366115bedcb
SHA256: ec1702806f4cc7c42a82fc2b38e89835fde7c64bb32060e0823c9077ca92efb7
SHA512: f555e961b69e09628eaf9c61f465871e6984cd4d31014f954bb747351dad9cea6d17c1db4bca2c1eb7f187cb5f3c0518748c339c8b43bbd1dbd94aeaa16f58ed
-
Filesize: 3KB
MD5: 1ef15435901321c4440b4481767da685
SHA1: e8fd5614677d737be5fb4a77691b7ed6654bd962
SHA256: c11e6fd3a80a385be1372d04afe5c21b5120e2095503615fde4e4b5ccd892d8b
SHA512: e763272982021bb651599f89f4fdbdab9734a98d557c8404d320838dacd505c265b54a6748f7bba0d28269c0c438bf255ef73797c3eee43744655b4aef6bcc6f
-
Filesize: 1KB
MD5: beda72f7593231e6c503fdcc2a28287d
SHA1: afa9da05f14f849f93d6b31ee2e950288bae006f
SHA256: c8143893215a5197dff0718709af4a049015d55f5cbd8a7fc731124022b6755e
SHA512: 7fcb58a90f406baaefb1773fb9bf1d7eeda4d07260cf80e10fc490e743bdc9aaf022bc134ce8e91f77846c00050175e437a71ec34777d1f6b4bf9b73f097a7ce
-
Filesize: 8KB
MD5: 41876349cb12d6db992f1309f22df3f0
SHA1: 5cf26b3420fc0302cd0a71e8d029739b8765be27
SHA256: e09f42c398d688dce168570291f1f92d079987deda3099a34adb9e8c0522b30c
SHA512: e9a4fc1f7cb6ae2901f8e02354a92c4aaa7a53c640dcf692db42a27a5acc2a3bfb25a0de0eb08ab53983132016e7d43132ea4292e439bb636aafd53fb6ef907e
-
Filesize: 152B
MD5: b8880802fc2bb880a7a869faa01315b0
SHA1: 51d1a3fa2c272f094515675d82150bfce08ee8d3
SHA256: 467b8cd4aacac66557712f9843023dcedefcc26efc746f3e44157bc8dac73812
SHA512: e1c6dba2579357ba70de58968b167d2c529534d24bff70568144270c48ac18a48ee2af2d58d78ae741e5a36958fa78a57955bd2456f1df00b781fc1002e123d2
-
Filesize: 152B
MD5: ba6ef346187b40694d493da98d5da979
SHA1: 643c15bec043f8673943885199bb06cd1652ee37
SHA256: d86eec91f295dfda8ed1c5fa99de426f2fe359282c7ebf67e3a40be739475d73
SHA512: 2e6cc97330be8868d4b9c53be7e12c558f6eb1ac2c4080a611ba6c43561d0c5bb4791b8a11a8c2371599f0ba73ed1d9a7a2ea6dee2ae6a080f1912e0cb1f656c
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize: 1KB
MD5: 7bc6d57d30657dfbe4d6c50a2502acb0
SHA1: 46d8ee1a0400f6c50a9ab6a75bac8b97c0a7ec1f
SHA256: 36ad3a5fea4b760c6860b397a172aca22bead8a66c86609a63ae44aed9c18668
SHA512: 2ef64d286e421735a01cdae30efa66119db1a9820928971f50954f69f91c0c4d3a4e18073329441b0d4be033cdaf84fb1095fc4605eccd3d3f4c0822377e4914
-
Filesize: 573B
MD5: f01cae1f6f3fa0a9f461b20229a21996
SHA1: 2485db248b0e14ce5bd0e8b88ad7ff5b38d76b8d
SHA256: b9ee52306a8ff806e76b636a469b41449796122a8b7e964cf32d11e94cc9ec50
SHA512: 36953fb88392aa6a7b53dd57c8742395b74850c18052656ea0559b43ff007f2edf7001c68fe2a030f999bc65919ff17c681d4abf9e3d9510cc959a123c493621
-
Filesize: 6KB
MD5: b214375213149ab5707abdfc53435d5f
SHA1: 163a3ab86a574a74dc97105217d9860db55ab5b2
SHA256: daf79efe4ab3ef2a3bdc1079a613253e1830bf8b8384481da9e140fe05f49f70
SHA512: b9cbd870e55dd22cb546c5abc23f1dceebfa6ab2fa512d15514058e3dae1a09729824f68b0df3c4afa1e0a208a42fa84f7a5b90687221959f2fbe0a52d373fae
-
Filesize: 5KB
MD5: 64fe58fafcfb06165a42423bd67e304c
SHA1: 5a8ce28370aec7dbf77599b141eb9300e0deba79
SHA256: 175f130a3e4b065c06d84ee9021ade294dfd33fdc0271e17fc7e77e171e114d9
SHA512: 8be1e1947efb40dcab9c8164af215f5edadc6e856f573cbfed7fa7e8f4bf86291d01a9e00c7276044639f0e65df713d61705901a842df078e6c9fb3a5f7ce430
-
Filesize: 1KB
MD5: 2fdfdc76c3b8f58c819fb8487bb69cfd
SHA1: 04353cce14d75981e3635ed70b51701bb4d08fe4
SHA256: 5c85864239d5fa92e5af7eef5b395199d033cf408ed25a9a738c58baff1160b2
SHA512: f56475d5786a9c6d518c1687aa6558f15f408255b1c8d9cae9b3d2cf3df5d31bdc9c0a3722a3cbb8db72d1eed0d0f25e94d9d6d47797aaeef41b7b1192c05d00
-
Filesize: 1KB
MD5: 003adc17d9b7e3ce4dfafdab42cda86e
SHA1: 4868aea0c87bf69269f3a0ee6457c9eb359bd63d
SHA256: bdcddc71c03512a49434dd7a5a3c00d39365398003c1bc25e1d1a1272dd13ad2
SHA512: 351b789c14b3938c04acd8cece9155d346192f4f7d5a9f8a6c87b80586129e06c9521bfe14bc3793cfa837991b24f34da01e2fc1e5d32d6debe503451e529f63
-
Filesize: 16B
MD5: 46295cac801e5d4857d09837238a6394
SHA1: 44e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA256: 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA512: 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
-
Filesize: 16B
MD5: 206702161f94c5cd39fadd03f4014d98
SHA1: bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA256: 1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA512: 0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\e54cc2e9-f01b-4602-8ddb-922c07985b10.tmp
Filesize: 6KB
MD5: 369f04bc973914110a75b63ed34e1df0
SHA1: 02f918faec3b95d80d046890c3c1030906180111
SHA256: 4b2ad737ce457c9786d035b74e74d36c889e92caef15c93542318865a224821e
SHA512: 77e5daabaac2c1ba963f6e924cbbe7801cb8371ef828a5aa15bbf8b20992f8fb56b587c95ed9d324155cf59d8698ef275f1462b2af0f9792e6100f7ee96d2e71
-
Filesize: 10KB
MD5: cb5fbe39d93a90ef3486a6edc67cbc3c
SHA1: f459cc6d717bba8c978708027fb659dccc6f744a
SHA256: 140d9099aa6245826b04323585a5d7f2d658e19278079d19e3a10854881f898a
SHA512: 2992fac6d1dcfc237416149084d7783289b14b5e94d26a67c038c8af5d2732a37f52416d8c53cbcfdb9f7e2a93bc0eab74f07661c395a220db6dcb9151de6378
-
Filesize: 10KB
MD5: a543f15e3b853011d724e0334676b402
SHA1: 982eac7f372f2bcf48e6ed3dd8ddaa1e7c891d21
SHA256: bb634b151b82dd0a4ceff31272f42fdb0f2187a6c66b1e17c89ac26de55cda2f
SHA512: cd216d18f9bd1a125d2df99e40372545f7829635b8de9cf04dba4d6277d547420ca2437c6a49a88d1085ce21ba46c116b606f9bdaecb7dc27b7bcb1959bc661c
-
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\9cd93bc6dcf544bae69531052e64647ec02f2bb4.tbres
Filesize: 4KB
MD5: 216958546cc8e85fa23fd44f12ed4e7a
SHA1: 9532e07cb78fc190f29deb9f6027fd6568ac0905
SHA256: 3d2652cf1f35fff5415a67f4d6322bfa4da2fe7392d13b76486b31eeb5fbdf2f
SHA512: c7c8819d26810ab89ee99e912792cd271985da6e579892774ef4894d72f9894b3ca9a4a2cd8203747ee6774efc52cb87ceab6e7824b28d15b2fa58e34f300919
-
Filesize: 279B
MD5: 87def067c64206b419aa8a1f7447678f
SHA1: a01904245ea9b28ac9f9e421c2981cff8cab4742
SHA256: 296e4e3fc8717ee7130197328723bf558b57468dfbb0eccdaa5ee9912a8379fa
SHA512: a21aa1fbee458b4cd8c38e45863b8009babf1c574f251cc5ded152803655f1d476d9b4acfaf7772f9a4e465fb2c4ea3fc79944d9d104dc68ffcf78eb924c85af
-
Filesize: 4KB
MD5: bc4f080c0ca80866d18abb09456ae36e
SHA1: 89a6539e56e4c66c52a48e316394823c5790c612
SHA256: d801bfa8b367b0abeedea02dac4e7a2da07246db875ca34436d535423143afc9
SHA512: 6d5f562a320af7ee3b1a4f0601b36c9147fc848d4dcb982ed40a0e16b4b62e5e78679509b8e5371e326c61aa2ecab03a8b617effa1e7c7ac0d22523e24d0d319
-
Filesize: 4KB
MD5: 0430e82ca269a00c54d0005700f63ea4
SHA1: 3ad414e2a9823f92b502f610818e8e5325f542d2
SHA256: a0a2b3a27f68d78629a619fea8a936319b4ff2b243c955967306e1c0c44410c7
SHA512: ccf3d3a774c3fd15fa6a892450fac1bda3716e3d3f140bda0b13f850afec60ff13a730ec2fdb480b0121fe56aa3848de9ce6e3f5089fbc884fd42126b3101de9
-
Filesize: 292KB
MD5: 68309717a780fd8b4d1a1680874d3e12
SHA1: 4cfe4f5bbd98fa7e966184e647910d675cdbda43
SHA256: 707bb3b958fbf4728d8a39b043e8df083e0fce1178dac60c0d984604ec23c881
SHA512: e16de0338b1e1487803d37da66d16bc2f2644138615cbce648ae355f088912a04d1ce128a44797ff8c4dfc53c998058432052746c98c687670e4100194013149
-
Filesize: 292KB
MD5: a990e0c49042216f87312b773f3818a3
SHA1: 254922de0cf470521b1d96b912bc23b7506e6ab3
SHA256: f0b22b05f86effc70bc32d138460a27d45e8dac07fd35eb7808618e03f03d06a
SHA512: 8dc3ad757b811efe8618d6d4203e29014e06bd4e2c4de2685065bc37e47aaef17d3b7b69e1489fe243e626aa202cab3408203d0ab07585923e0099310682dd9a
-
Filesize: 153KB
MD5: 0d0d137f99e5cfb1489e84f9dd676def
SHA1: e7d7bb5a8619167eb3dcad655b2bca7f376c521a
SHA256: e8e5312ccca6d9a961e53d53b647a5ea204a0f31ec2e2646eb7b7850c61cd5b6
SHA512: 0fb2879d75c028fc3516701a85581a52e06638548363daa3df734796637bcfa8f0cbe2a050e9c324eb2b76a3207bf7e0d86eeb603d8e78764981e5458c086040
-
Filesize: 265B
MD5: 5ada6b8098265c9db025246a5b41d00f
SHA1: b94f05308564d67c0cf267e192cd98db2e5d9c4e
SHA256: 1dccfe5d310cfe4a8ad315bf684445a7dad16ca0c04a24893f0d05643b069881
SHA512: e88e91a5b72fea7ee0bc687ccb4baabc7a7fa8f2b2d8420b6522bfcb73d01bb08fe9ec167f29075f71f79bd6bd4cb89d86c96d35745bae95d8f70c6d54a28896
-
Filesize: 153KB
MD5: 9db7f546ab294a8c5dde9e2d214faade
SHA1: 9244ca70fe730a3f05ed933934e7ff432c82d5ca
SHA256: c2185457b142dcbca302828f32699220a448c7f293fb4892c581c9095cfa51f4
SHA512: 973a80e92e2b10b7a8282037f41736397bfd6d25c5f941ee33f03f2c2f93575ffab4997ef537f24d52b9b109dceb6b232190aa321802ca822136570dfa587846
-
Filesize: 2KB
MD5: 71a6bb8de21f116e469772c86574c1a6
SHA1: a39e7295a4f535b5ea9f00a36493fb0ba6657ead
SHA256: 0553b50a46985d58e89a847cdc505ba04ea3b1e26a39833c5a159bade9cd920f
SHA512: 15dc5e6902374640e4ce0af1238c908a43c12ba9e510d692bdb852651b5af7c919c7b2402b0e1a7172be080ef80932a847057287644dd17b4a9a07f8a7da1c81
-
Filesize: 2KB
MD5: 046df9ae90ab34d409712e5a1fa38603
SHA1: 2b5a9bbc8493d957ba85215aac63de482a0ece6e
SHA256: 8ce1ea8417db9edb05127af53858bf607722850243aae3c65646b9b5fc27f057
SHA512: fd04a4d8c7c85795ab097eb04ecfcb2d8e76a28095f5c49055d0a8355c7d9078facdd8e35c93ca36aa17cddfd0876db84103e434641ff84512b02bd295de372c
-
Filesize: 344B
MD5: a53ce919dbe28f7ec365440bd02634da
SHA1: 279bcce5f3ba3ca07538fb3893fb2cbb59b63c05
SHA256: 2900416a0682b192f14740b64b22e392b099e81ce3895f38a9a1f85cd183bb14
SHA512: 3e238fdf429f80273ccc45875c61bdb2d2c0987c6ef4e4be1c97c88c4bceeb35b1cd922d5a83865bec248f8655d19bab74461c9f331d09652f9f51582c9123a3
-
Filesize: 344B
MD5: 0b49abd1381b048250235093f39bcfba
SHA1: b7cfd219e254e0b3c08c25e43e57c76e79a4be92
SHA256: 39849f4bb409a41f5b316ff02a42b9879a1a88348de9ede051c93b8e5f074677
SHA512: b3644067dcc01d750b4ad8a6b3211cc7bc526e3a163a8d7b71cd90a07bb65882838c876af61ffc7db81b53dd43dc9643ce968a68e81f76e112ddbeed039517e9
-
Filesize: 6KB
MD5: dd746ace17e44ace00885b91400f11d5
SHA1: 4a0302d2dca400598f396e4230fdae71779cbeaa
SHA256: b27c3c8a30faf7c76483b7e5d964ae85046a9713caa46508ee7a1e31b7dc6272
SHA512: 8ac26aa7262fdf1afdc74e604720a79ebde076c75f460d7d5f57ff4d81dedb1ad471eb114ddd428c1934029746f5c222339090680bc77a6ea09ce329e1da3ef1
-
Filesize: 129B
MD5: 1dbb7e719a67ac0f40af5241d603ebba
SHA1: 589b18ddcc204d19ae0b79d6fc10cce087f793e8
SHA256: 8f2ee806d3bc2e429573150dc4deeb0723ae501cfbb21f8894b4fd7f2e06a4b9
SHA512: bc916d33d0756111c916f766c5f8f24d369a92cdf63ebf8bc4f8cae24250a190aec48afb72f7ecd410cbe81ef76fce7ea09a9842abae017c93bbe5fdd537cbd9