lockbit | hxxps://samples[.]vx-underground[.]org/Samples/Families/LockBitRansomware/Samples/Windows%20and%20Linux%20samples/fc720ba95ab46e6a5f9fd7f6b1f240cd9b29cd96f6cb075f0459fac230f7de94[.]7z

Analysis

max time kernel
168s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
17-11-2024 02:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://samples.vx-underground.org/Samples/Families/LockBitRansomware/Samples/Windows%20and%20Linux%20samples/fc720ba95ab46e6a5f9fd7f6b1f240cd9b29cd96f6cb075f0459fac230f7de94.7z

Score

10^/10

lockbit defense_evasion discovery evasion execution impact persistence ransomware

Malware Config

Extracted

Path

C:\Program Files\dotnet\Restore-My-Files.txt

Ransom Note

LockBit 2.0 Ransomware Your data are stolen and encrypted The data will be published on TOR website http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion and https://bigblog.at if you do not pay the ransom You can contact us and decrypt one file for free on these TOR sites http://lockbitsup4yezcd5enk5unncx3zcy7kw6wllyqmiyhvanjj352jayid.onion http://lockbitsap2oaqhcun3syvbqt6n5nzt7fqosc6jdlmsfleu3ka4k2did.onion OR https://decoding.at Decryption ID: ED5B850F872B4667E50C2D1483A57F97

URLs

http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion

https://bigblog.at

http://lockbitsup4yezcd5enk5unncx3zcy7kw6wllyqmiyhvanjj352jayid.onion

http://lockbitsap2oaqhcun3syvbqt6n5nzt7fqosc6jdlmsfleu3ka4k2did.onion

https://decoding.at

Signatures

Lockbit
Ransomware family with multiple variants released since late 2019.
ransomware lockbit
Lockbit family
lockbit

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE is not expected to spawn this process	2484	980	OfficeC2RClient.exe	159

Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047

Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs

ransomware evasion

Inhibit System Recovery

T1490

pid	Process
1088	bcdedit.exe
300	bcdedit.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	fc720ba95ab46e6a5f9fd7f6b1f240cd9b29cd96f6cb075f0459fac230f7de94.exe

Executes dropped EXE 1 IoCs

pid	Process
3488	fc720ba95ab46e6a5f9fd7f6b1f240cd9b29cd96f6cb075f0459fac230f7de94.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\{7A5B5A0F-2B2B-4608-3525-352A782E1CB3} = "\"C:\\Users\\Admin\\Downloads\\fc720ba95ab46e6a5f9fd7f6b1f240cd9b29cd96f6cb075f0459fac230f7de94\\fc720ba95ab46e6a5f9fd7f6b1f240cd9b29cd96f6cb075f0459fac230f7de94.exe\""	fc720ba95ab46e6a5f9fd7f6b1f240cd9b29cd96f6cb075f0459fac230f7de94.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\{2C5F9FCC-F266-43F6-BFD7-838DAE269E11} = "C:\\Users\\Admin\\Desktop\\LockBit_Ransomware.hta"	fc720ba95ab46e6a5f9fd7f6b1f240cd9b29cd96f6cb075f0459fac230f7de94.exe

Enumerates connected drives 3 TTPs 1 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\F:	fc720ba95ab46e6a5f9fd7f6b1f240cd9b29cd96f6cb075f0459fac230f7de94.exe

Drops file in System32 directory 6 IoCs

description	ioc	Process
File created	C:\windows\SysWOW64\ED5B85.ico	fc720ba95ab46e6a5f9fd7f6b1f240cd9b29cd96f6cb075f0459fac230f7de94.exe
File created	C:\Windows\system32\spool\PRINTERS\00002.SPL	fc720ba95ab46e6a5f9fd7f6b1f240cd9b29cd96f6cb075f0459fac230f7de94.exe
File created	C:\Windows\system32\spool\PRINTERS\00003.SPL	fc720ba95ab46e6a5f9fd7f6b1f240cd9b29cd96f6cb075f0459fac230f7de94.exe
File created	C:\Windows\system32\spool\PRINTERS\PPtv3xzgtj74z_e5twyco6kyj0d.TMP	printfilterpipelinesvc.exe
File created	C:\Windows\system32\spool\PRINTERS\PP061hintaq02swimt42bgk5bkc.TMP	printfilterpipelinesvc.exe
File created	C:\Windows\system32\spool\PRINTERS\PP0ofoeo9s4gl1x4b5b0ka8bexc.TMP	printfilterpipelinesvc.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\EAE3.tmp.bmp"	fc720ba95ab46e6a5f9fd7f6b1f240cd9b29cd96f6cb075f0459fac230f7de94.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 17 IoCs

pid	Process
3488	fc720ba95ab46e6a5f9fd7f6b1f240cd9b29cd96f6cb075f0459fac230f7de94.exe
3488	fc720ba95ab46e6a5f9fd7f6b1f240cd9b29cd96f6cb075f0459fac230f7de94.exe
3488	fc720ba95ab46e6a5f9fd7f6b1f240cd9b29cd96f6cb075f0459fac230f7de94.exe
3488	fc720ba95ab46e6a5f9fd7f6b1f240cd9b29cd96f6cb075f0459fac230f7de94.exe
3488	fc720ba95ab46e6a5f9fd7f6b1f240cd9b29cd96f6cb075f0459fac230f7de94.exe
3488	fc720ba95ab46e6a5f9fd7f6b1f240cd9b29cd96f6cb075f0459fac230f7de94.exe
3488	fc720ba95ab46e6a5f9fd7f6b1f240cd9b29cd96f6cb075f0459fac230f7de94.exe
3488	fc720ba95ab46e6a5f9fd7f6b1f240cd9b29cd96f6cb075f0459fac230f7de94.exe
3488	fc720ba95ab46e6a5f9fd7f6b1f240cd9b29cd96f6cb075f0459fac230f7de94.exe
3488	fc720ba95ab46e6a5f9fd7f6b1f240cd9b29cd96f6cb075f0459fac230f7de94.exe
3488	fc720ba95ab46e6a5f9fd7f6b1f240cd9b29cd96f6cb075f0459fac230f7de94.exe
3488	fc720ba95ab46e6a5f9fd7f6b1f240cd9b29cd96f6cb075f0459fac230f7de94.exe
3488	fc720ba95ab46e6a5f9fd7f6b1f240cd9b29cd96f6cb075f0459fac230f7de94.exe
3488	fc720ba95ab46e6a5f9fd7f6b1f240cd9b29cd96f6cb075f0459fac230f7de94.exe
3488	fc720ba95ab46e6a5f9fd7f6b1f240cd9b29cd96f6cb075f0459fac230f7de94.exe
3488	fc720ba95ab46e6a5f9fd7f6b1f240cd9b29cd96f6cb075f0459fac230f7de94.exe
3488	fc720ba95ab46e6a5f9fd7f6b1f240cd9b29cd96f6cb075f0459fac230f7de94.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\program files (x86)\adobe\acrobat reader dc\reader\webresources\resource0\static\js\plugins\walk-through\images\checkmark-2x.png	fc720ba95ab46e6a5f9fd7f6b1f240cd9b29cd96f6cb075f0459fac230f7de94.exe
File opened for modification	C:\program files\microsoft office\root\licenses16\skypeforbusinessvl_kms_client-ul-oob.xrm-ms	fc720ba95ab46e6a5f9fd7f6b1f240cd9b29cd96f6cb075f0459fac230f7de94.exe
File created	C:\program files\microsoft office\root\office16\msipc\bg\Restore-My-Files.txt	fc720ba95ab46e6a5f9fd7f6b1f240cd9b29cd96f6cb075f0459fac230f7de94.exe
File created	C:\program files (x86)\adobe\acrobat reader dc\reader\webresources\resource0\static\js\plugins\unified-share\js\nls\cs-cz\Restore-My-Files.txt	fc720ba95ab46e6a5f9fd7f6b1f240cd9b29cd96f6cb075f0459fac230f7de94.exe
File created	C:\program files (x86)\adobe\acrobat reader dc\reader\webresources\resource0\static\js\app\dev\nls\ko-kr\Restore-My-Files.txt	fc720ba95ab46e6a5f9fd7f6b1f240cd9b29cd96f6cb075f0459fac230f7de94.exe
File opened for modification	C:\program files (x86)\adobe\acrobat reader dc\reader\webresources\resource0\static\js\plugins\createpdfupsell-app\images\rhp_world_icon_2x.png	fc720ba95ab46e6a5f9fd7f6b1f240cd9b29cd96f6cb075f0459fac230f7de94.exe
File opened for modification	C:\program files (x86)\adobe\acrobat reader dc\reader\webresources\resource0\static\js\plugins\on-boarding\images\themeless\theme-2x.png	fc720ba95ab46e6a5f9fd7f6b1f240cd9b29cd96f6cb075f0459fac230f7de94.exe
File opened for modification	C:\program files (x86)\adobe\acrobat reader dc\reader\plug_ins\acroform\pmp\datamatrix.pmp	fc720ba95ab46e6a5f9fd7f6b1f240cd9b29cd96f6cb075f0459fac230f7de94.exe
File created	C:\program files (x86)\adobe\acrobat reader dc\reader\webresources\resource0\static\js\plugins\activity-badge\js\nls\zh-cn\Restore-My-Files.txt	fc720ba95ab46e6a5f9fd7f6b1f240cd9b29cd96f6cb075f0459fac230f7de94.exe
File opened for modification	C:\program files (x86)\adobe\acrobat reader dc\reader\webresources\resource0\static\js\plugins\exportpdfupsell-app\js\nls\fr-ma\ui-strings.js	fc720ba95ab46e6a5f9fd7f6b1f240cd9b29cd96f6cb075f0459fac230f7de94.exe
File opened for modification	C:\program files (x86)\adobe\acrobat reader dc\reader\webresources\resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\es-es\ui-strings.js	fc720ba95ab46e6a5f9fd7f6b1f240cd9b29cd96f6cb075f0459fac230f7de94.exe
File opened for modification	C:\program files (x86)\adobe\acrobat reader dc\reader\webresources\resource0\static\js\plugins\unified-share\js\nls\fr-ma\ui-strings.js	fc720ba95ab46e6a5f9fd7f6b1f240cd9b29cd96f6cb075f0459fac230f7de94.exe
File opened for modification	C:\program files\java\jdk-1.8\jre\legal\jdk\colorimaging.md	fc720ba95ab46e6a5f9fd7f6b1f240cd9b29cd96f6cb075f0459fac230f7de94.exe
File opened for modification	C:\program files\microsoft office\root\licenses16\proplusvl_mak-ppd.xrm-ms	fc720ba95ab46e6a5f9fd7f6b1f240cd9b29cd96f6cb075f0459fac230f7de94.exe
File opened for modification	C:\program files\java\jdk-1.8\jre\lib\security\public_suffix_list.dat	fc720ba95ab46e6a5f9fd7f6b1f240cd9b29cd96f6cb075f0459fac230f7de94.exe
File opened for modification	C:\program files\videolan\vlc\locale\en_gb\lc_messages\vlc.mo	fc720ba95ab46e6a5f9fd7f6b1f240cd9b29cd96f6cb075f0459fac230f7de94.exe
File created	C:\program files (x86)\adobe\acrobat reader dc\reader\webresources\resource0\static\js\plugins\task-handler\js\nls\pt-br\Restore-My-Files.txt	fc720ba95ab46e6a5f9fd7f6b1f240cd9b29cd96f6cb075f0459fac230f7de94.exe
File opened for modification	C:\program files (x86)\adobe\acrobat reader dc\reader\webresources\resource0\static\js\plugins\send-for-sign\js\nls\eu-es\ui-strings.js	fc720ba95ab46e6a5f9fd7f6b1f240cd9b29cd96f6cb075f0459fac230f7de94.exe
File opened for modification	C:\program files (x86)\adobe\acrobat reader dc\reader\webresources\resource0\static\js\plugins\uss-search\css\main.css	fc720ba95ab46e6a5f9fd7f6b1f240cd9b29cd96f6cb075f0459fac230f7de94.exe
File opened for modification	C:\program files (x86)\adobe\acrobat reader dc\reader\webresources\resource0\static\js\plugins\walk-through\js\nls\de-de\ui-strings.js	fc720ba95ab46e6a5f9fd7f6b1f240cd9b29cd96f6cb075f0459fac230f7de94.exe
File opened for modification	C:\program files (x86)\adobe\acrobat reader dc\reader\webresources\resource0\static\js\plugins\activity-badge\js\nls\ro-ro\ui-strings.js	fc720ba95ab46e6a5f9fd7f6b1f240cd9b29cd96f6cb075f0459fac230f7de94.exe
File opened for modification	C:\program files (x86)\adobe\acrobat reader dc\reader\webresources\resource0\static\js\plugins\scan-files\images\themeless\inline-error-2x.png	fc720ba95ab46e6a5f9fd7f6b1f240cd9b29cd96f6cb075f0459fac230f7de94.exe
File created	C:\program files (x86)\adobe\acrobat reader dc\reader\webresources\resource0\static\js\plugins\search-summary\js\nls\sl-sl\Restore-My-Files.txt	fc720ba95ab46e6a5f9fd7f6b1f240cd9b29cd96f6cb075f0459fac230f7de94.exe
File opened for modification	C:\program files\microsoft office\root\office16\1033\officeinventoryagentfallback.xml	fc720ba95ab46e6a5f9fd7f6b1f240cd9b29cd96f6cb075f0459fac230f7de94.exe
File opened for modification	C:\program files\microsoft office\root\office16\interceptor.tlb	fc720ba95ab46e6a5f9fd7f6b1f240cd9b29cd96f6cb075f0459fac230f7de94.exe
File opened for modification	C:\program files\videolan\vlc\lua\http\js\jquery.jstree.js	fc720ba95ab46e6a5f9fd7f6b1f240cd9b29cd96f6cb075f0459fac230f7de94.exe
File opened for modification	C:\program files\java\jre-1.8\lib\ext\cldrdata.jar	fc720ba95ab46e6a5f9fd7f6b1f240cd9b29cd96f6cb075f0459fac230f7de94.exe
File opened for modification	C:\program files\microsoft office\root\office16\1033\invite or link.one	fc720ba95ab46e6a5f9fd7f6b1f240cd9b29cd96f6cb075f0459fac230f7de94.exe
File opened for modification	C:\program files (x86)\adobe\acrobat reader dc\reader\webresources\resource0\static\js\plugins\my-recent-files\js\nls\ru-ru\ui-strings.js	fc720ba95ab46e6a5f9fd7f6b1f240cd9b29cd96f6cb075f0459fac230f7de94.exe
File opened for modification	C:\program files\microsoft office\root\licenses16\proplusr_trial-ul-oob.xrm-ms	fc720ba95ab46e6a5f9fd7f6b1f240cd9b29cd96f6cb075f0459fac230f7de94.exe
File created	C:\program files (x86)\adobe\acrobat reader dc\reader\webresources\resource0\static\js\plugins\editpdf\js\nls\pl-pl\Restore-My-Files.txt	fc720ba95ab46e6a5f9fd7f6b1f240cd9b29cd96f6cb075f0459fac230f7de94.exe
File opened for modification	C:\program files (x86)\adobe\acrobat reader dc\reader\webresources\resource0\static\js\plugins\signatures\js\nls\en-gb\ui-strings.js	fc720ba95ab46e6a5f9fd7f6b1f240cd9b29cd96f6cb075f0459fac230f7de94.exe
File created	C:\program files (x86)\adobe\acrobat reader dc\reader\webresources\resource0\static\js\files\dev\nls\ro-ro\Restore-My-Files.txt	fc720ba95ab46e6a5f9fd7f6b1f240cd9b29cd96f6cb075f0459fac230f7de94.exe
File opened for modification	C:\program files (x86)\adobe\acrobat reader dc\reader\webresources\resource0\static\js\plugins\exportpdfupsell-app\js\nls\de-de\ui-strings.js	fc720ba95ab46e6a5f9fd7f6b1f240cd9b29cd96f6cb075f0459fac230f7de94.exe
File opened for modification	C:\program files\microsoft office\root\document themes 16\ion.thmx	fc720ba95ab46e6a5f9fd7f6b1f240cd9b29cd96f6cb075f0459fac230f7de94.exe
File opened for modification	C:\program files (x86)\adobe\acrobat reader dc\reader\webresources\resource0\static\js\plugins\home\images\themes\dark\icons.png	fc720ba95ab46e6a5f9fd7f6b1f240cd9b29cd96f6cb075f0459fac230f7de94.exe
File created	C:\program files (x86)\adobe\acrobat reader dc\reader\webresources\resource0\static\js\plugins\my-computer-select\js\nls\tr-tr\Restore-My-Files.txt	fc720ba95ab46e6a5f9fd7f6b1f240cd9b29cd96f6cb075f0459fac230f7de94.exe
File opened for modification	C:\program files (x86)\adobe\acrobat reader dc\reader\webresources\resource0\static\js\plugins\task-handler\images\example_icons.png	fc720ba95ab46e6a5f9fd7f6b1f240cd9b29cd96f6cb075f0459fac230f7de94.exe
File opened for modification	C:\program files\7-zip\license.txt	fc720ba95ab46e6a5f9fd7f6b1f240cd9b29cd96f6cb075f0459fac230f7de94.exe
File created	C:\program files (x86)\adobe\acrobat reader dc\reader\webresources\resource0\static\js\plugins\add-account\js\Restore-My-Files.txt	fc720ba95ab46e6a5f9fd7f6b1f240cd9b29cd96f6cb075f0459fac230f7de94.exe
File opened for modification	C:\program files\java\jre-1.8\lib\ext\localedata.jar	fc720ba95ab46e6a5f9fd7f6b1f240cd9b29cd96f6cb075f0459fac230f7de94.exe
File opened for modification	C:\program files\microsoft office\root\licenses16\o365smallbuspremr_grace-ppd.xrm-ms	fc720ba95ab46e6a5f9fd7f6b1f240cd9b29cd96f6cb075f0459fac230f7de94.exe
File created	C:\program files\videolan\vlc\locale\pl\lc_messages\Restore-My-Files.txt	fc720ba95ab46e6a5f9fd7f6b1f240cd9b29cd96f6cb075f0459fac230f7de94.exe
File created	C:\program files\microsoft office\root\office16\msipc\fi\Restore-My-Files.txt	fc720ba95ab46e6a5f9fd7f6b1f240cd9b29cd96f6cb075f0459fac230f7de94.exe
File opened for modification	C:\program files (x86)\adobe\acrobat reader dc\reader\webresources\resource0\static\js\plugins\my-computer\images\themes\dark\new_icons.png	fc720ba95ab46e6a5f9fd7f6b1f240cd9b29cd96f6cb075f0459fac230f7de94.exe
File opened for modification	C:\program files\microsoft office\root\licenses16\mondor_subtest2-pl.xrm-ms	fc720ba95ab46e6a5f9fd7f6b1f240cd9b29cd96f6cb075f0459fac230f7de94.exe
File opened for modification	C:\program files\microsoft office\root\licenses16\standardr_retail-ppd.xrm-ms	fc720ba95ab46e6a5f9fd7f6b1f240cd9b29cd96f6cb075f0459fac230f7de94.exe
File created	C:\program files (x86)\adobe\acrobat reader dc\reader\webresources\resource0\static\js\plugins\activity-badge\js\nls\ro-ro\Restore-My-Files.txt	fc720ba95ab46e6a5f9fd7f6b1f240cd9b29cd96f6cb075f0459fac230f7de94.exe
File opened for modification	C:\program files (x86)\adobe\acrobat reader dc\reader\webresources\resource0\static\js\plugins\desktop-connector-files\js\nls\fr-ma\ui-strings.js	fc720ba95ab46e6a5f9fd7f6b1f240cd9b29cd96f6cb075f0459fac230f7de94.exe
File created	C:\program files (x86)\adobe\acrobat reader dc\reader\webresources\resource0\static\js\plugins\my-computer\images\Restore-My-Files.txt	fc720ba95ab46e6a5f9fd7f6b1f240cd9b29cd96f6cb075f0459fac230f7de94.exe
File opened for modification	C:\program files\java\jre-1.8\lib\javaws.jar	fc720ba95ab46e6a5f9fd7f6b1f240cd9b29cd96f6cb075f0459fac230f7de94.exe
File created	C:\program files\microsoft office\root\office16\fpa_f2\Restore-My-Files.txt	fc720ba95ab46e6a5f9fd7f6b1f240cd9b29cd96f6cb075f0459fac230f7de94.exe
File opened for modification	C:\program files (x86)\adobe\acrobat reader dc\reader\webresources\resource0\static\js\plugins\tracked-send\images\core_icons_retina.png	fc720ba95ab46e6a5f9fd7f6b1f240cd9b29cd96f6cb075f0459fac230f7de94.exe
File created	C:\program files (x86)\adobe\acrobat reader dc\reader\webresources\resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\zh-cn\Restore-My-Files.txt	fc720ba95ab46e6a5f9fd7f6b1f240cd9b29cd96f6cb075f0459fac230f7de94.exe
File opened for modification	C:\program files (x86)\adobe\acrobat reader dc\reader\webresources\resource0\static\js\plugins\unified-share\images\completecheckmark2x.png	fc720ba95ab46e6a5f9fd7f6b1f240cd9b29cd96f6cb075f0459fac230f7de94.exe
File opened for modification	C:\program files (x86)\adobe\acrobat reader dc\reader\webresources\resource0\static\js\plugins\uss-search\js\nls\ca-es\ui-strings.js	fc720ba95ab46e6a5f9fd7f6b1f240cd9b29cd96f6cb075f0459fac230f7de94.exe
File opened for modification	C:\program files\java\jdk-1.8\jre\lib\tzmappings	fc720ba95ab46e6a5f9fd7f6b1f240cd9b29cd96f6cb075f0459fac230f7de94.exe
File opened for modification	C:\program files (x86)\adobe\acrobat reader dc\reader\webresources\resource0\static\js\core\dev\nls\ja-jp\ui-strings.js	fc720ba95ab46e6a5f9fd7f6b1f240cd9b29cd96f6cb075f0459fac230f7de94.exe
File created	C:\program files (x86)\adobe\acrobat reader dc\reader\webresources\resource0\static\js\plugins\my-computer\js\nls\fr-ma\Restore-My-Files.txt	fc720ba95ab46e6a5f9fd7f6b1f240cd9b29cd96f6cb075f0459fac230f7de94.exe
File opened for modification	C:\program files\microsoft office\root\office16\addins\powerpivot excel add-in\resources\1033\powerpivotexcelclientaddin.rll	fc720ba95ab46e6a5f9fd7f6b1f240cd9b29cd96f6cb075f0459fac230f7de94.exe
File opened for modification	C:\program files (x86)\adobe\acrobat reader dc\reader\webresources\resource0\static\images\themes\dark\s_share_18.svg	fc720ba95ab46e6a5f9fd7f6b1f240cd9b29cd96f6cb075f0459fac230f7de94.exe
File opened for modification	C:\program files (x86)\adobe\acrobat reader dc\reader\webresources\resource0\static\js\plugins\fss\img\themes\dark\faf_field_grabber.png	fc720ba95ab46e6a5f9fd7f6b1f240cd9b29cd96f6cb075f0459fac230f7de94.exe
File opened for modification	C:\program files\java\jdk-1.8\include\jdwptransport.h	fc720ba95ab46e6a5f9fd7f6b1f240cd9b29cd96f6cb075f0459fac230f7de94.exe
File opened for modification	C:\program files\microsoft office\root\licenses16\standard2019r_trial-ul-oob.xrm-ms	fc720ba95ab46e6a5f9fd7f6b1f240cd9b29cd96f6cb075f0459fac230f7de94.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3768	3828	WerFault.exe	165

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fsutil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fc720ba95ab46e6a5f9fd7f6b1f240cd9b29cd96f6cb075f0459fac230f7de94.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2284	cmd.exe
4508	PING.EXE

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Interacts with shadow copies 3 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

Direct Volume Access

T1006

pid	Process
4220	vssadmin.exe

Modifies Control Panel 2 IoCs

evasion

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\Desktop\TileWallpaper = "0"	fc720ba95ab46e6a5f9fd7f6b1f240cd9b29cd96f6cb075f0459fac230f7de94.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\Desktop\WallpaperStyle = "2"	fc720ba95ab46e6a5f9fd7f6b1f240cd9b29cd96f6cb075f0459fac230f7de94.exe

Modifies data under HKEY_USERS 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133762836332249461"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe

Modifies registry class 19 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Lockbit\DefaultIcon\ = "C:\\windows\\SysWow64\\ED5B85.ico"	fc720ba95ab46e6a5f9fd7f6b1f240cd9b29cd96f6cb075f0459fac230f7de94.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Lockbit\shell\Open\Command\ = "\"C:\\Windows\\system32\\mshta.exe\" \"C:\\Users\\Admin\\Desktop\\LockBit_Ransomware.hta\""	fc720ba95ab46e6a5f9fd7f6b1f240cd9b29cd96f6cb075f0459fac230f7de94.exe
Key created	\Registry\Machine\Software\Classes\htafile\DefaultIcon	fc720ba95ab46e6a5f9fd7f6b1f240cd9b29cd96f6cb075f0459fac230f7de94.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htafile\DefaultIcon\ = "C:\\windows\\SysWow64\\ED5B85.ico"	fc720ba95ab46e6a5f9fd7f6b1f240cd9b29cd96f6cb075f0459fac230f7de94.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	fc720ba95ab46e6a5f9fd7f6b1f240cd9b29cd96f6cb075f0459fac230f7de94.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	taskmgr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.lockbit\ = "LockBit"	fc720ba95ab46e6a5f9fd7f6b1f240cd9b29cd96f6cb075f0459fac230f7de94.exe
Key created	\Registry\Machine\Software\Classes\Lockbit	fc720ba95ab46e6a5f9fd7f6b1f240cd9b29cd96f6cb075f0459fac230f7de94.exe
Key created	\Registry\Machine\Software\Classes\Lockbit\shell\Open\Command	fc720ba95ab46e6a5f9fd7f6b1f240cd9b29cd96f6cb075f0459fac230f7de94.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2045521122-590294423-3465680274-1000\{68A91FF2-6033-42A9-B12B-324BC785A477}	chrome.exe
Key created	\Registry\Machine\Software\Classes\.lockbit	fc720ba95ab46e6a5f9fd7f6b1f240cd9b29cd96f6cb075f0459fac230f7de94.exe
Key created	\Registry\Machine\Software\Classes\.lockbit\DefaultIcon	fc720ba95ab46e6a5f9fd7f6b1f240cd9b29cd96f6cb075f0459fac230f7de94.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.lockbit\DefaultIcon\ = "C:\\windows\\SysWow64\\ED5B85.ico"	fc720ba95ab46e6a5f9fd7f6b1f240cd9b29cd96f6cb075f0459fac230f7de94.exe
Key created	\Registry\Machine\Software\Classes\Lockbit\DefaultIcon	fc720ba95ab46e6a5f9fd7f6b1f240cd9b29cd96f6cb075f0459fac230f7de94.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	chrome.exe
Key created	\Registry\Machine\Software\Classes\Lockbit\shell	fc720ba95ab46e6a5f9fd7f6b1f240cd9b29cd96f6cb075f0459fac230f7de94.exe
Key created	\Registry\Machine\Software\Classes\Lockbit\shell\Open	fc720ba95ab46e6a5f9fd7f6b1f240cd9b29cd96f6cb075f0459fac230f7de94.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Lockbit\ = "LockBit Class"	fc720ba95ab46e6a5f9fd7f6b1f240cd9b29cd96f6cb075f0459fac230f7de94.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
4508	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4236	chrome.exe
4236	chrome.exe
2276	chrome.exe
2276	chrome.exe
3488	fc720ba95ab46e6a5f9fd7f6b1f240cd9b29cd96f6cb075f0459fac230f7de94.exe
3488	fc720ba95ab46e6a5f9fd7f6b1f240cd9b29cd96f6cb075f0459fac230f7de94.exe
3488	fc720ba95ab46e6a5f9fd7f6b1f240cd9b29cd96f6cb075f0459fac230f7de94.exe
3488	fc720ba95ab46e6a5f9fd7f6b1f240cd9b29cd96f6cb075f0459fac230f7de94.exe
3488	fc720ba95ab46e6a5f9fd7f6b1f240cd9b29cd96f6cb075f0459fac230f7de94.exe
3488	fc720ba95ab46e6a5f9fd7f6b1f240cd9b29cd96f6cb075f0459fac230f7de94.exe
3488	fc720ba95ab46e6a5f9fd7f6b1f240cd9b29cd96f6cb075f0459fac230f7de94.exe
3488	fc720ba95ab46e6a5f9fd7f6b1f240cd9b29cd96f6cb075f0459fac230f7de94.exe
3488	fc720ba95ab46e6a5f9fd7f6b1f240cd9b29cd96f6cb075f0459fac230f7de94.exe
3488	fc720ba95ab46e6a5f9fd7f6b1f240cd9b29cd96f6cb075f0459fac230f7de94.exe
5968	taskmgr.exe
5968	taskmgr.exe
3488	fc720ba95ab46e6a5f9fd7f6b1f240cd9b29cd96f6cb075f0459fac230f7de94.exe
3488	fc720ba95ab46e6a5f9fd7f6b1f240cd9b29cd96f6cb075f0459fac230f7de94.exe
5968	taskmgr.exe
5968	taskmgr.exe
5968	taskmgr.exe
3488	fc720ba95ab46e6a5f9fd7f6b1f240cd9b29cd96f6cb075f0459fac230f7de94.exe
3488	fc720ba95ab46e6a5f9fd7f6b1f240cd9b29cd96f6cb075f0459fac230f7de94.exe
3488	fc720ba95ab46e6a5f9fd7f6b1f240cd9b29cd96f6cb075f0459fac230f7de94.exe
3488	fc720ba95ab46e6a5f9fd7f6b1f240cd9b29cd96f6cb075f0459fac230f7de94.exe
3488	fc720ba95ab46e6a5f9fd7f6b1f240cd9b29cd96f6cb075f0459fac230f7de94.exe
3488	fc720ba95ab46e6a5f9fd7f6b1f240cd9b29cd96f6cb075f0459fac230f7de94.exe
3292	taskmgr.exe
3292	taskmgr.exe
3488	fc720ba95ab46e6a5f9fd7f6b1f240cd9b29cd96f6cb075f0459fac230f7de94.exe
3488	fc720ba95ab46e6a5f9fd7f6b1f240cd9b29cd96f6cb075f0459fac230f7de94.exe
3292	taskmgr.exe
3292	taskmgr.exe
3488	fc720ba95ab46e6a5f9fd7f6b1f240cd9b29cd96f6cb075f0459fac230f7de94.exe
3488	fc720ba95ab46e6a5f9fd7f6b1f240cd9b29cd96f6cb075f0459fac230f7de94.exe
3292	taskmgr.exe
3292	taskmgr.exe
3488	fc720ba95ab46e6a5f9fd7f6b1f240cd9b29cd96f6cb075f0459fac230f7de94.exe
3488	fc720ba95ab46e6a5f9fd7f6b1f240cd9b29cd96f6cb075f0459fac230f7de94.exe
3292	taskmgr.exe
3292	taskmgr.exe
3488	fc720ba95ab46e6a5f9fd7f6b1f240cd9b29cd96f6cb075f0459fac230f7de94.exe
3488	fc720ba95ab46e6a5f9fd7f6b1f240cd9b29cd96f6cb075f0459fac230f7de94.exe
3292	taskmgr.exe
3292	taskmgr.exe
3292	taskmgr.exe
3292	taskmgr.exe
3292	taskmgr.exe
3488	fc720ba95ab46e6a5f9fd7f6b1f240cd9b29cd96f6cb075f0459fac230f7de94.exe
3488	fc720ba95ab46e6a5f9fd7f6b1f240cd9b29cd96f6cb075f0459fac230f7de94.exe
3292	taskmgr.exe
3292	taskmgr.exe
3488	fc720ba95ab46e6a5f9fd7f6b1f240cd9b29cd96f6cb075f0459fac230f7de94.exe
3488	fc720ba95ab46e6a5f9fd7f6b1f240cd9b29cd96f6cb075f0459fac230f7de94.exe
3292	taskmgr.exe
3292	taskmgr.exe
3292	taskmgr.exe
3292	taskmgr.exe
3488	fc720ba95ab46e6a5f9fd7f6b1f240cd9b29cd96f6cb075f0459fac230f7de94.exe
3488	fc720ba95ab46e6a5f9fd7f6b1f240cd9b29cd96f6cb075f0459fac230f7de94.exe
3292	taskmgr.exe
3292	taskmgr.exe
3292	taskmgr.exe
3292	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3292	taskmgr.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs

pid	Process
4236	chrome.exe
4236	chrome.exe
2276	chrome.exe
2276	chrome.exe
2276	chrome.exe
2276	chrome.exe
2276	chrome.exe
2276	chrome.exe
2276	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4236	chrome.exe
Token: SeCreatePagefilePrivilege	4236	chrome.exe
Token: SeShutdownPrivilege	4236	chrome.exe
Token: SeCreatePagefilePrivilege	4236	chrome.exe
Token: SeShutdownPrivilege	4236	chrome.exe
Token: SeCreatePagefilePrivilege	4236	chrome.exe
Token: SeShutdownPrivilege	4236	chrome.exe
Token: SeCreatePagefilePrivilege	4236	chrome.exe
Token: SeRestorePrivilege	4636	7zG.exe
Token: 35	4636	7zG.exe
Token: SeSecurityPrivilege	4636	7zG.exe
Token: SeSecurityPrivilege	4636	7zG.exe
Token: SeShutdownPrivilege	2276	chrome.exe
Token: SeCreatePagefilePrivilege	2276	chrome.exe
Token: SeShutdownPrivilege	2276	chrome.exe
Token: SeCreatePagefilePrivilege	2276	chrome.exe
Token: SeShutdownPrivilege	2276	chrome.exe
Token: SeCreatePagefilePrivilege	2276	chrome.exe
Token: SeShutdownPrivilege	2276	chrome.exe
Token: SeCreatePagefilePrivilege	2276	chrome.exe
Token: SeShutdownPrivilege	2276	chrome.exe
Token: SeCreatePagefilePrivilege	2276	chrome.exe
Token: SeShutdownPrivilege	2276	chrome.exe
Token: SeCreatePagefilePrivilege	2276	chrome.exe
Token: SeShutdownPrivilege	2276	chrome.exe
Token: SeCreatePagefilePrivilege	2276	chrome.exe
Token: SeShutdownPrivilege	2276	chrome.exe
Token: SeCreatePagefilePrivilege	2276	chrome.exe
Token: SeShutdownPrivilege	2276	chrome.exe
Token: SeCreatePagefilePrivilege	2276	chrome.exe
Token: SeShutdownPrivilege	2276	chrome.exe
Token: SeCreatePagefilePrivilege	2276	chrome.exe
Token: SeShutdownPrivilege	2276	chrome.exe
Token: SeCreatePagefilePrivilege	2276	chrome.exe
Token: SeShutdownPrivilege	2276	chrome.exe
Token: SeCreatePagefilePrivilege	2276	chrome.exe
Token: SeShutdownPrivilege	2276	chrome.exe
Token: SeCreatePagefilePrivilege	2276	chrome.exe
Token: SeShutdownPrivilege	2276	chrome.exe
Token: SeCreatePagefilePrivilege	2276	chrome.exe
Token: SeShutdownPrivilege	2276	chrome.exe
Token: SeCreatePagefilePrivilege	2276	chrome.exe
Token: SeShutdownPrivilege	2276	chrome.exe
Token: SeCreatePagefilePrivilege	2276	chrome.exe
Token: SeShutdownPrivilege	2276	chrome.exe
Token: SeCreatePagefilePrivilege	2276	chrome.exe
Token: SeShutdownPrivilege	2276	chrome.exe
Token: SeCreatePagefilePrivilege	2276	chrome.exe
Token: SeShutdownPrivilege	2276	chrome.exe
Token: SeCreatePagefilePrivilege	2276	chrome.exe
Token: SeShutdownPrivilege	2276	chrome.exe
Token: SeCreatePagefilePrivilege	2276	chrome.exe
Token: SeShutdownPrivilege	2276	chrome.exe
Token: SeCreatePagefilePrivilege	2276	chrome.exe
Token: SeShutdownPrivilege	2276	chrome.exe
Token: SeCreatePagefilePrivilege	2276	chrome.exe
Token: SeShutdownPrivilege	2276	chrome.exe
Token: SeCreatePagefilePrivilege	2276	chrome.exe
Token: SeShutdownPrivilege	2276	chrome.exe
Token: SeCreatePagefilePrivilege	2276	chrome.exe
Token: SeShutdownPrivilege	2276	chrome.exe
Token: SeCreatePagefilePrivilege	2276	chrome.exe
Token: SeShutdownPrivilege	2276	chrome.exe
Token: SeCreatePagefilePrivilege	2276	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4236	chrome.exe
4236	chrome.exe
4236	chrome.exe
4236	chrome.exe
4236	chrome.exe
4236	chrome.exe
4236	chrome.exe
4236	chrome.exe
4236	chrome.exe
4236	chrome.exe
4236	chrome.exe
4236	chrome.exe
4236	chrome.exe
4236	chrome.exe
4236	chrome.exe
4236	chrome.exe
4236	chrome.exe
4236	chrome.exe
4236	chrome.exe
4236	chrome.exe
4236	chrome.exe
4236	chrome.exe
4236	chrome.exe
4236	chrome.exe
4236	chrome.exe
4236	chrome.exe
4236	chrome.exe
4236	chrome.exe
4236	chrome.exe
4236	chrome.exe
4236	chrome.exe
4236	chrome.exe
4236	chrome.exe
4236	chrome.exe
4636	7zG.exe
2276	chrome.exe
2276	chrome.exe
2276	chrome.exe
2276	chrome.exe
2276	chrome.exe
2276	chrome.exe
2276	chrome.exe
2276	chrome.exe
2276	chrome.exe
2276	chrome.exe
2276	chrome.exe
2276	chrome.exe
2276	chrome.exe
2276	chrome.exe
2276	chrome.exe
2276	chrome.exe
2276	chrome.exe
2276	chrome.exe
2276	chrome.exe
2276	chrome.exe
2276	chrome.exe
2276	chrome.exe
2276	chrome.exe
2276	chrome.exe
2276	chrome.exe
2276	chrome.exe
2276	chrome.exe
2276	chrome.exe
2276	chrome.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
4236	chrome.exe
4236	chrome.exe
4236	chrome.exe
4236	chrome.exe
4236	chrome.exe
4236	chrome.exe
4236	chrome.exe
4236	chrome.exe
4236	chrome.exe
4236	chrome.exe
4236	chrome.exe
4236	chrome.exe
4236	chrome.exe
4236	chrome.exe
4236	chrome.exe
4236	chrome.exe
4236	chrome.exe
4236	chrome.exe
4236	chrome.exe
4236	chrome.exe
4236	chrome.exe
4236	chrome.exe
4236	chrome.exe
4236	chrome.exe
2276	chrome.exe
2276	chrome.exe
2276	chrome.exe
2276	chrome.exe
2276	chrome.exe
2276	chrome.exe
2276	chrome.exe
2276	chrome.exe
2276	chrome.exe
2276	chrome.exe
2276	chrome.exe
2276	chrome.exe
2276	chrome.exe
2276	chrome.exe
2276	chrome.exe
2276	chrome.exe
2276	chrome.exe
2276	chrome.exe
2276	chrome.exe
2276	chrome.exe
2276	chrome.exe
2276	chrome.exe
2276	chrome.exe
2276	chrome.exe
5968	taskmgr.exe
5968	taskmgr.exe
5968	taskmgr.exe
5968	taskmgr.exe
5968	taskmgr.exe
5968	taskmgr.exe
5968	taskmgr.exe
5968	taskmgr.exe
5968	taskmgr.exe
5968	taskmgr.exe
5968	taskmgr.exe
5968	taskmgr.exe
5968	taskmgr.exe
5968	taskmgr.exe
5968	taskmgr.exe
5968	taskmgr.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2484	OfficeC2RClient.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4236 wrote to memory of 2116	4236	chrome.exe	83
PID 4236 wrote to memory of 2116	4236	chrome.exe	83
PID 4236 wrote to memory of 2680	4236	chrome.exe	85
PID 4236 wrote to memory of 2680	4236	chrome.exe	85
PID 4236 wrote to memory of 2680	4236	chrome.exe	85
PID 4236 wrote to memory of 2680	4236	chrome.exe	85
PID 4236 wrote to memory of 2680	4236	chrome.exe	85
PID 4236 wrote to memory of 2680	4236	chrome.exe	85
PID 4236 wrote to memory of 2680	4236	chrome.exe	85
PID 4236 wrote to memory of 2680	4236	chrome.exe	85
PID 4236 wrote to memory of 2680	4236	chrome.exe	85
PID 4236 wrote to memory of 2680	4236	chrome.exe	85
PID 4236 wrote to memory of 2680	4236	chrome.exe	85
PID 4236 wrote to memory of 2680	4236	chrome.exe	85
PID 4236 wrote to memory of 2680	4236	chrome.exe	85
PID 4236 wrote to memory of 2680	4236	chrome.exe	85
PID 4236 wrote to memory of 2680	4236	chrome.exe	85
PID 4236 wrote to memory of 2680	4236	chrome.exe	85
PID 4236 wrote to memory of 2680	4236	chrome.exe	85
PID 4236 wrote to memory of 2680	4236	chrome.exe	85
PID 4236 wrote to memory of 2680	4236	chrome.exe	85
PID 4236 wrote to memory of 2680	4236	chrome.exe	85
PID 4236 wrote to memory of 2680	4236	chrome.exe	85
PID 4236 wrote to memory of 2680	4236	chrome.exe	85
PID 4236 wrote to memory of 2680	4236	chrome.exe	85
PID 4236 wrote to memory of 2680	4236	chrome.exe	85
PID 4236 wrote to memory of 2680	4236	chrome.exe	85
PID 4236 wrote to memory of 2680	4236	chrome.exe	85
PID 4236 wrote to memory of 2680	4236	chrome.exe	85
PID 4236 wrote to memory of 2680	4236	chrome.exe	85
PID 4236 wrote to memory of 2680	4236	chrome.exe	85
PID 4236 wrote to memory of 2680	4236	chrome.exe	85
PID 4236 wrote to memory of 1872	4236	chrome.exe	86
PID 4236 wrote to memory of 1872	4236	chrome.exe	86
PID 4236 wrote to memory of 2144	4236	chrome.exe	87
PID 4236 wrote to memory of 2144	4236	chrome.exe	87
PID 4236 wrote to memory of 2144	4236	chrome.exe	87
PID 4236 wrote to memory of 2144	4236	chrome.exe	87
PID 4236 wrote to memory of 2144	4236	chrome.exe	87
PID 4236 wrote to memory of 2144	4236	chrome.exe	87
PID 4236 wrote to memory of 2144	4236	chrome.exe	87
PID 4236 wrote to memory of 2144	4236	chrome.exe	87
PID 4236 wrote to memory of 2144	4236	chrome.exe	87
PID 4236 wrote to memory of 2144	4236	chrome.exe	87
PID 4236 wrote to memory of 2144	4236	chrome.exe	87
PID 4236 wrote to memory of 2144	4236	chrome.exe	87
PID 4236 wrote to memory of 2144	4236	chrome.exe	87
PID 4236 wrote to memory of 2144	4236	chrome.exe	87
PID 4236 wrote to memory of 2144	4236	chrome.exe	87
PID 4236 wrote to memory of 2144	4236	chrome.exe	87
PID 4236 wrote to memory of 2144	4236	chrome.exe	87
PID 4236 wrote to memory of 2144	4236	chrome.exe	87
PID 4236 wrote to memory of 2144	4236	chrome.exe	87
PID 4236 wrote to memory of 2144	4236	chrome.exe	87
PID 4236 wrote to memory of 2144	4236	chrome.exe	87
PID 4236 wrote to memory of 2144	4236	chrome.exe	87
PID 4236 wrote to memory of 2144	4236	chrome.exe	87
PID 4236 wrote to memory of 2144	4236	chrome.exe	87
PID 4236 wrote to memory of 2144	4236	chrome.exe	87
PID 4236 wrote to memory of 2144	4236	chrome.exe	87
PID 4236 wrote to memory of 2144	4236	chrome.exe	87
PID 4236 wrote to memory of 2144	4236	chrome.exe	87
PID 4236 wrote to memory of 2144	4236	chrome.exe	87
PID 4236 wrote to memory of 2144	4236	chrome.exe	87

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://samples.vx-underground.org/Samples/Families/LockBitRansomware/Samples/Windows%20and%20Linux%20samples/fc720ba95ab46e6a5f9fd7f6b1f240cd9b29cd96f6cb075f0459fac230f7de94.7z
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4236
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7fff2764cc40,0x7fff2764cc4c,0x7fff2764cc58
  2⤵
  PID:2116
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1980,i,3709855115859142351,18400531638967613992,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1996 /prefetch:2
  2⤵
  PID:2680
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2152,i,3709855115859142351,18400531638967613992,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2160 /prefetch:3
  2⤵
  PID:1872
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2220,i,3709855115859142351,18400531638967613992,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2416 /prefetch:8
  2⤵
  PID:2144
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3116,i,3709855115859142351,18400531638967613992,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3152 /prefetch:1
  2⤵
  PID:1844
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3124,i,3709855115859142351,18400531638967613992,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3200 /prefetch:1
  2⤵
  PID:1752
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4592,i,3709855115859142351,18400531638967613992,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4740 /prefetch:8
  2⤵
  PID:1280
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4980,i,3709855115859142351,18400531638967613992,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4992 /prefetch:8
  2⤵
  PID:4356

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:4600

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:3136

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2188

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\fc720ba95ab46e6a5f9fd7f6b1f240cd9b29cd96f6cb075f0459fac230f7de94\" -spe -an -ai#7zMap20735:188:7zEvent4973
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4636

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2276
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7fff2764cc40,0x7fff2764cc4c,0x7fff2764cc58
  2⤵
  PID:2876
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1836,i,1149982996513371279,15379845019214641107,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1832 /prefetch:2
  2⤵
  PID:2292
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2184,i,1149982996513371279,15379845019214641107,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2408 /prefetch:3
  2⤵
  PID:832
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2216,i,1149982996513371279,15379845019214641107,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2432 /prefetch:8
  2⤵
  PID:4016
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3204,i,1149982996513371279,15379845019214641107,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3212 /prefetch:1
  2⤵
  PID:2356
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3352,i,1149982996513371279,15379845019214641107,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3288 /prefetch:1
  2⤵
  PID:1816
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4568,i,1149982996513371279,15379845019214641107,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4560 /prefetch:1
  2⤵
  PID:4508
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4780,i,1149982996513371279,15379845019214641107,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4808 /prefetch:8
  2⤵
  PID:2948
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5080,i,1149982996513371279,15379845019214641107,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5084 /prefetch:8
  2⤵
  PID:2772
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4860,i,1149982996513371279,15379845019214641107,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4852 /prefetch:8
  2⤵
  PID:1968
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5332,i,1149982996513371279,15379845019214641107,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4868 /prefetch:8
  2⤵
  PID:1564
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5212,i,1149982996513371279,15379845019214641107,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5308 /prefetch:8
  2⤵
  PID:3168
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5112,i,1149982996513371279,15379845019214641107,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4916 /prefetch:8
  2⤵
  PID:1756
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --field-trial-handle=5532,i,1149982996513371279,15379845019214641107,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5124 /prefetch:2
  2⤵
  PID:5552
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --field-trial-handle=4804,i,1149982996513371279,15379845019214641107,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4040 /prefetch:1
  2⤵
  PID:5160
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --field-trial-handle=5436,i,1149982996513371279,15379845019214641107,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5672 /prefetch:1
  2⤵
  PID:3364
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --field-trial-handle=5872,i,1149982996513371279,15379845019214641107,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3440 /prefetch:1
  2⤵
  PID:368
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --no-appcompat-clear --field-trial-handle=3404,i,1149982996513371279,15379845019214641107,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5632 /prefetch:8
  2⤵
  PID:5532
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=3444,i,1149982996513371279,15379845019214641107,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5828 /prefetch:8
  2⤵
  - Modifies registry class
  PID:5544
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5508,i,1149982996513371279,15379845019214641107,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5088 /prefetch:8
  2⤵
  PID:6052

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:540

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\430f015e62c1a1063e98ee14980649957ffc1d481d6dc0f51a68e6e6a9e25820\" -spe -an -ai#7zMap14081:188:7zEvent25606
1⤵
PID:5196

C:\Users\Admin\Downloads\fc720ba95ab46e6a5f9fd7f6b1f240cd9b29cd96f6cb075f0459fac230f7de94\fc720ba95ab46e6a5f9fd7f6b1f240cd9b29cd96f6cb075f0459fac230f7de94.exe
"C:\Users\Admin\Downloads\fc720ba95ab46e6a5f9fd7f6b1f240cd9b29cd96f6cb075f0459fac230f7de94\fc720ba95ab46e6a5f9fd7f6b1f240cd9b29cd96f6cb075f0459fac230f7de94.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Enumerates connected drives
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:3488
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no
  2⤵
  PID:1636
- - C:\Windows\system32\vssadmin.exe
    vssadmin delete shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:4220
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic shadowcopy delete
    3⤵
    PID:2724
- - C:\Windows\system32\bcdedit.exe
    bcdedit /set {default} bootstatuspolicy ignoreallfailures
    3⤵
    - Modifies boot configuration data using bcdedit
    PID:1088
- - C:\Windows\system32\bcdedit.exe
    bcdedit /set {default} recoveryenabled no
    3⤵
    - Modifies boot configuration data using bcdedit
    PID:300
- C:\Windows\SysWOW64\mshta.exe
  "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\LockBit_Ransomware.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3828
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3828 -s 1732
    3⤵
    - Program crash
    PID:3768
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C ping 127.0.0.7 -n 3 > Nul & fsutil file setZeroData offset=0 length=524288 "C:\Users\Admin\Downloads\fc720ba95ab46e6a5f9fd7f6b1f240cd9b29cd96f6cb075f0459fac230f7de94\fc720ba95ab46e6a5f9fd7f6b1f240cd9b29cd96f6cb075f0459fac230f7de94.exe" & Del /f /q "C:\Users\Admin\Downloads\fc720ba95ab46e6a5f9fd7f6b1f240cd9b29cd96f6cb075f0459fac230f7de94\fc720ba95ab46e6a5f9fd7f6b1f240cd9b29cd96f6cb075f0459fac230f7de94.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:2284
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.7 -n 3
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:4508
- - C:\Windows\SysWOW64\fsutil.exe
    fsutil file setZeroData offset=0 length=524288 "C:\Users\Admin\Downloads\fc720ba95ab46e6a5f9fd7f6b1f240cd9b29cd96f6cb075f0459fac230f7de94\fc720ba95ab46e6a5f9fd7f6b1f240cd9b29cd96f6cb075f0459fac230f7de94.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5380

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:5468

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SendNotifyMessage
PID:5968

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
PID:3292

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
1⤵
PID:5616

C:\Windows\system32\printfilterpipelinesvc.exe
C:\Windows\system32\printfilterpipelinesvc.exe -Embedding
1⤵
- Drops file in System32 directory
PID:5584
- C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
  /insertdoc "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\{B49FECE9-A006-43D2-B5E5-D7108B290704}.xps" 133762837622020000
  2⤵
  PID:980
- - C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe
    OfficeC2RClient.exe /error PID=980 ProcessName="Microsoft OneNote" UIType=3 ErrorSource=0x8b10082a ErrorCode=0x80004005 ShowUI=1
    3⤵
    - Process spawned unexpected child process
    - Suspicious use of SetWindowsHookEx
    PID:2484

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\Restore-My-Files.txt
1⤵
PID:3652

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\Restore-My-Files.txt
1⤵
PID:2960

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3828 -ip 3828
1⤵
PID:5548

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Direct Volume Access

T1006

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Network Service Discovery

T1046

Peripheral Device Discovery

T1120

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Defacement

T1491

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\dotnet\Restore-My-Files.txt

Filesize
512B

MD5
8f4f26484185a338e2c1fcd40ff09adc

SHA1
97dc1e3596e7b4a90fb6bfdfe33dbb1a7b5fd838

SHA256
f7410a19ebefd2fa9db0f0c3a592a2a0d7085d5122a143a6724a6a42a613c7b3

SHA512
d2d4d98dc26e07126ac2fbeb68cebb49fffdef18ea061ab23ca62eec9cee047e7e892fd02614a71e2a06db4fd17577a91749678f56f832a7f55b6ff1989a9fe2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\5a25166e-7e4c-446b-82a6-a1e0f337c8c1.tmp

Filesize
232KB

MD5
68715d9af4bb1bd6b3760ba7fd86847c

SHA1
0e2fad4f2791a28ee0fae3d32ff738b6dbe60111

SHA256
830abfd4008a96031fd6512a3598bfbb657baa1760486e774a6799e591dca76c

SHA512
56269a18bf6418e350253799bb097b17a85436bb80babf069e50daa488d852898fe894837caf8d9e0ab245fba432a9eafa0b4da49fbdfdfdce038f73939dfe99

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
1fd21a5228803360e7498b21377bd349

SHA1
c028d9a423b995bb2f9d9b56ef09e5a4f9535b38

SHA256
920270c469d0fdd572881597d30bae6f24faec32c8a1e7e689186947ac7958d3

SHA512
c2324e1b0a32c3d4abdac5ee1c2e663d1e49c24c17f0b5a5dac56cc867f67d2665f29148de2773f2e048292b189d136876b557ae9837517f612155633cbb09b2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
8f78b1fc56d7772edd50b58f30bf7fa3

SHA1
d55de3170ba137ecbc4c22c32837093c75d7eee8

SHA256
54da9c44764d54249c5cc882e4b4c2d48c2104624dd069a4068b09af2f6fc34b

SHA512
3b70a720e02d52f640d6510e7b5a731a5a58f6c12629b1f9d626fde1e98789625f7a0f30aee65df3b565a923dd5d9b418fb9a8a69ab60f85bdcafd65fc0ecde1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\data_0

Filesize
44KB

MD5
be436018ede7e11961b91f5dacc4e453

SHA1
9bccc969df6968fa0e8a5620789ad4a5fa20bd31

SHA256
8d023b47a611604197b44377d979855a767d75835ccbb3853d86c3aa86f45564

SHA512
8cc1147d9ff2fd0fc6ca6f9c84a0e7853ecff81743065b404d1d0ceb1487b487b35c7c8196cf9ea8a2984b51fb9717c4a4b73630030e9e52613d69ac7c4b885e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\data_1

Filesize
264KB

MD5
00b1b3a15d46354c50411cfcf3802c2a

SHA1
cee423c68c840fc01c9b1a5a2f4b46f685ad9d47

SHA256
c64a714adb537b7f3a7b99f9ab47e2adc4677189f2791705bcd4b985e47d9665

SHA512
b5f1db6cf77c19c8372950a0632d53b4b84872d4e14a0c7057c12177b9d20a5afe8a0fad7f5dd2ade1936926586362bb9dbcd1b6d5578a39f80ec3592f3e307d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\data_2

Filesize
1.0MB

MD5
b569e8db585fed25c46ebd61f16000a3

SHA1
5da8cb9acc0867b559fd869c6b06ed6ee34c0c0a

SHA256
5617f08bc2b5f0e3f34129364da6804b36f39a3e9f9d6ba70a6cde9b683ae96f

SHA512
63fbdef934b9fb2c041985bfc90eb498348e52906efd1c2d5be895b4d9fb85a18942e2063c2a12fa3be1a431cdf09b5c2e78fddba94ca140374ccea4914b52a9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
360B

MD5
7f03ff7e19db7e2955891cc05a4ee768

SHA1
a8e35b3b58eb88542fa2e63181acb210f029601b

SHA256
9d50f7b4e4fad97e50481bb9da432c7b50f91b3e9b0361bb7bf9bc088ca0fded

SHA512
1e60665f9fdfd085ed4ecdb90089b613c3e4652890a2598baae0815ff9c382e25e2d6492092eb66eca2b68de25facd6a52b00e9633ca60c4751bba36990b092c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extension State\LOG

Filesize
317B

MD5
238402d883c5510ec9fd9ad0342c629f

SHA1
3000356cc92be190eb9155ddcf233aab50ab8b06

SHA256
50b6ebd8b1c8120e306a0ae8fe86065e53e8f6f16872e2ee0e98ce5b6cabba86

SHA512
c7914ff9d0c9d1a46b1173f47e96eb4e1a7e8dbc084d4e98144263a3ee1ffd66f21cb3ce785213bb599bd7787f24e6a341834a9be0bfd180825a1f07a1200d3a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.83.1_0\_locales\en_CA\messages.json

Filesize
851B

MD5
07ffbe5f24ca348723ff8c6c488abfb8

SHA1
6dc2851e39b2ee38f88cf5c35a90171dbea5b690

SHA256
6895648577286002f1dc9c3366f558484eb7020d52bbf64a296406e61d09599c

SHA512
7ed2c8db851a84f614d5daf1d5fe633bd70301fd7ff8a6723430f05f642ceb3b1ad0a40de65b224661c782ffcec69d996ebe3e5bb6b2f478181e9a07d8cd41f6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.83.1_0\dasherSettingSchema.json

Filesize
854B

MD5
4ec1df2da46182103d2ffc3b92d20ca5

SHA1
fb9d1ba3710cf31a87165317c6edc110e98994ce

SHA256
6c69ce0fe6fab14f1990a320d704fee362c175c00eb6c9224aa6f41108918ca6

SHA512
939d81e6a82b10ff73a35c931052d8d53d42d915e526665079eeb4820df4d70f1c6aebab70b59519a0014a48514833fefd687d5a3ed1b06482223a168292105d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption\LOG

Filesize
327B

MD5
cdf2369cea8de50dbd552769f8db02cd

SHA1
0096dcb028a29837995dd83ff03239138e475403

SHA256
6a14cbd4c18bcb8a5aef2438b1a1f6ec7420463bda0cf83bcc6ae2a09de0fdf1

SHA512
a737fbaf30fb04a5b771265c757d2f3e159b4e82c6096be83f2003a72eefaf9fdd29759d3798e7ceb6006882b8c5ff06ee0d04310443b7b96a418bbb90a29e8a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\History

Filesize
160KB

MD5
e5513741ca6b82c7fb097969b69888ed

SHA1
ec11889e680d30addf6b16a11bba36b12443c9e9

SHA256
cb96d80d09fbcc1b321a33c4924a5819e44684dd22cf7b92c44b1b793779d254

SHA512
49ad7c04a4f8d167b65d9fd532becc5ade6d0378aff4104433d705f4bb4c9937fcf4959968901524650885b0d185229f80848aeed6aededf11459eea64015a5e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\History-journal

Filesize
60KB

MD5
87cea9072c4faa52e6764e76e3762486

SHA1
3a44670c839a6362e002d87f6782f062451bf3d5

SHA256
266eb969e798974e1643f5953770819e23368ecb491ea99534afc97126ac7d24

SHA512
4880f8bf5ad5b37380b8b7bd5d20a62583aa56cb3b4eeab8b0e92710468390af81c08025baa7fe6b80c44a0ee3c307ab65ca7ec5d06100803e184a2b99ed2435

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\LOG

Filesize
329B

MD5
34f81139534febd92a22a5ed16c2bc6b

SHA1
9362cecb47601f51221b8a007166e26d7f71c2ab

SHA256
2d32c205c21ed60156910be54f78d806654ab0755382992a2c0ca219fc4a0dad

SHA512
eabd3774b48a75b555ba53444985a1ccccbace18f324c026a640627d2f00b5fc5387961af36d69ba0a420fabe103fa63056cc5ecfc1b2ac982b89cb63c0293b7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
e2dcd046538f20c651ce42915da60bc7

SHA1
0515f18c9ed2090d64131ac22678055e8048925e

SHA256
e2de4f91cbd948b1dcb64183164b429053291b30723d2f3c898f613b88f9eb68

SHA512
8353a0d4f214b298b91a40b5cfd5166dd2fb01d0acf9aa735f201f6e3f2fd6a68a3087c95fb2c71d92310ec6f856bb5f510d33f0c0cba6c5e779e7d7c0a2d68a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
4KB

MD5
d17d5650b3f8a0c1aaad923daaa9c9c0

SHA1
061848df6c7bc20ce818c1dfef0ce416bda92bd6

SHA256
abf3289347cdddc89a82673be625dbad6a94e4c7e81e946522c0f163932eb5aa

SHA512
97d89356a033e4c11164f5b3aea48fc395e5726e6d973b39db4c320a01ef88220446284b4b5b4b071af7970891a5f0c8aed41f7a1553b781e86a3f81ae9b12f8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
524B

MD5
7a8c7d898387e20ca2d9356128a8095d

SHA1
682db4e9b58ad29dd76eab40ebc604ca848e03df

SHA256
79b373bc39d08f25d108e0bf66f64bad37924cf34f7f31525cfdd0aa77988476

SHA512
297416adbd21962aa2f486ae4ac4decfa48ab05af50c4369f9bf4405248982f75aa0ac47f114c6e712083795da586108077bbd526a958e0fb063da2cc661f58a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
6d4fcb6c1f524835d207f95092033f0c

SHA1
e9758d2a1e32f3167f3d2d2c4ee9973b02347ca8

SHA256
2ba832ea66e52a59c1602d724f0856adef11241ee3d0fc63534e5d0258515e1f

SHA512
42c2cd7e3313e41c3a757e8b11b0699349008da6b4bffaf1e49926c7bc16ca933a1b873ed003bdebe89b80cf25ea63f82cb46f874c7f342798b07b6dd200ac9d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
0e4e904f1d4555ee601277cc905d4d77

SHA1
511d4734878a03a00066a55892ce4c77af4a3533

SHA256
e52d6ee7e1fb72ee0f1955036838282e9d7ca38cfe9c5a120e630554ee178157

SHA512
e48b84076788ab836efb694c83793a28ad66d6432ae1b7e84e4b274de30cf15df5e76dd2372c2a0bbc8eb8af8902ffd446241cb82ab264c2d5f60f2cb19acb7f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
b9de157dd49ce13443848318346c7d99

SHA1
21c044cc52616ef65b2ac14fc6ef33bdeff5b411

SHA256
c1e2b2f05fb4cf1e3e786887b6bd16a7da7b54a2085342d7f6a3e8838a3ef4a6

SHA512
e594d2cfb5e82ad8d0f991a827f1e78db172ceeb576cbbfc36c876639b8f2a61455e98760ae0bf527a61e04ac8b10cb198aec5e60462db1087c587946da4f285

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
9a847cf6f34b79ee258cc85f41e06df4

SHA1
98588e2040d0cb697d1705266186bf1eb5c75493

SHA256
c393b04aef0deac72a061b9245ed69cc4875ea7c9e32670002248b11b3d29097

SHA512
4b7b199c8f7565eafc7857f5ad22ecf013d5868af9b1f21eb89899b503128f0f1a1ea655010f2c018b199115f9142fcb9204c4ebc74a6a86ace5231a84eb9f9f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
41780879aff9a4566813f50727323742

SHA1
ae4606b8eafe6b918f7c8e3965e961d3d7e53619

SHA256
ddc3c25df6bb905f248dcda4fbbdd8aea9f237a49d04059b24fe9daca4297eef

SHA512
0a1077953e88ada0464d4b4faf91699e90dc33e777d3154b64f331a4f51f6d3ea1b8c2e24d45bc5261b0f4fc57e28ad5c5d1f4895a0c3d37119339e1ef9f0add

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
d6cf11545e01bff71611576ef593ec7c

SHA1
d0ec574f38d4705277525211bbe59573f4488243

SHA256
38ea58b17c0ed84efe7dd565b4ce4e70c158d70c5972a46a7adb61e48870213b

SHA512
3533fe9f5ce83eb5ee88535a48ce4831b443acf39512e70eef31dd87b8d953bb25086a835dbcf796c9be126260bcc4e28ad15f5af10fb0cd5a3e930999eea22b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
c3c33e6635c37803597ca5d190695ecd

SHA1
2a0100e25afbc489d7b9153f0d509018da0379df

SHA256
fcd07711f66029ef0d4454bdb1fca9062b2219c0b5ae0b30758f82a16a7c76da

SHA512
0deea4a608d4e144b098c631f926933a6d95d145a1ada0493432c77e0ce2a0de12dcd1d8801e961a60c50e2df8efb76edc1d76f28e11a67035dbcdaa1b28da66

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
b4ac493c23bd3fa687607e20791babcd

SHA1
2c9c1c4fba5dc5f1a2be8e02766746f13bbf1187

SHA256
4868aaf4e0abc0f38f8e9e0aa936bef707142b2cfd72fc7e2c176d914e9828e2

SHA512
3c75417b9f70bdf3e9d90c93dd891a7f6ce022ec721a4ea8809bfbcfe74d4dab3333a4da3cdc15161d623e330c7685533ae971856c160fb550c9b3ee87ff8cb3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
890c5c96f0f676679897304534025d3e

SHA1
d1a33f1236b39220a7f7d1eb00f65ad53767f71e

SHA256
d1ab7839663574df8907cc9db99fadf452589d67ffa5ba90e7fec5ff69e4c172

SHA512
379cc0520087dfc6388ad32d37adecc23df6a1dd282d5f47ab75c5a97c56c8b55037103274b7e0bf19c614175c8780415b27092dc67f3418100862f8877a24ad

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\Database\LOG

Filesize
333B

MD5
c00a4ece8f6cf29e3ea3c89770690664

SHA1
c17e4f7c8611fc42ade246a64a988da1782c0e9d

SHA256
bf784c107fb28e335a120255f85ca7570f0e78d3a0456313fdef59933ef919c6

SHA512
5aa6545d78d68441d8287e72ec92bbc78cada64964bf91dd12dda6bf396032c817018c5fed346a51bd3b40b3385e657eb79a2ca24aef834a03494a6ee76bd211

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
e7a87bfa049e770b65b291e613aa2c53

SHA1
a08864b4b0fd96e5a5fefc259776fe3d96048e53

SHA256
7ae1a72a2b2691ebaaece1999d1b1b0f2513ad3052d7acc0afcab46a5f6a94a4

SHA512
532ac36045a11d556bf4297680fec39fd2459b318ebf9e00140d5aa0d052703df77d67e3d1a75ecd320eeb3a7a1080087e0af0598c96584f47fce13c2cf95129

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Session Storage\000003.log

Filesize
308B

MD5
4e7982b86b3d7d916b7722aa3b3f0669

SHA1
ce4e874903cb71d9012cc7654ca7a6ba5e4f7efd

SHA256
cbee1100a2c9add47776b7e416b58a809f6feb9fe458bef8185b0c176b5db340

SHA512
c4dda8b36e90a327061dab901730f47fc23cca129b02a157f1ed0c566a1d6dddf272a4e74d3acbf14eb3a7fac0820387a584db9e19ca299724ed7f3030f891bb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Session Storage\LOG

Filesize
317B

MD5
2faba9e6fdd2e6431c005e5a8ad47eb3

SHA1
c1c5d97f8b7e4250ddf78a107df03647c3e1c4bb

SHA256
b31247744f60b381b32d2f818ae93c4389091896f154a6910b5aa8ac613bd1d2

SHA512
229fe8f721bfc330657b791502115cf579a854b9800512830f1bd151491ff6a1048e39619dd96123600455cf1db64e72dba77ae6b5e6444f236284b70069724a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sessions\Session_13376283634327312

Filesize
454B

MD5
c00871deb4a7753da86844b0cd4c6d30

SHA1
a1d7cbdd0210be12cde4a64a4e1323b02a5078ac

SHA256
c9c8a3b84b21c2bf043d5987f38700a38f37d4fc960aa0599f13ec233f3bc1cb

SHA512
594d7b94c6327b5414dde069f21298e6831db6e91901b4c188d52b932c0a9c9f6e3488c001b57de68042bddf4fdb29a16096e7d07a9b77848124b8d4982f1417

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\LOG

Filesize
345B

MD5
8ab8f843706085fa429f9da6a1d07139

SHA1
160b7361646886faefc6563cc611c3ca305286bd

SHA256
45fc58ed552c8cd57f440fd89f1898cf1f74d50c91162f7730a4eafbcfcb7b80

SHA512
c00b7980ec5cf97026d94d948de2f9dcc31d3f7cc4d002831a314940386f96e88dd86b08d8fe0d7aedf095a5c6b87c94b91d5571b6d91c46da37ec1fe0bb7e9c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\LOG

Filesize
321B

MD5
2797092413edf8344c557d8c5f9ad3a9

SHA1
567800204b893d82826fed0a3c15f2cf381ea4e5

SHA256
9ca1dc1699780e35adf64a7e9e4cc7f1f9aa90fc107eb0727198a21beef6e8ce

SHA512
6b97b57cfd88396ad3d0dad50a2ba378086ca2f22ee3798cdca5025849d47b6cd4c903a28e3337251137fd7fd35c0a214ad8217b4a4d6b8f5954c66bab4d02d9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\WebStorage\2\CacheStorage\index.txt

Filesize
101B

MD5
a658dd6c900c11bd9f71b41b9d1e1bb9

SHA1
6797104dfef8a0339f50899b8fc985f0deef3fb7

SHA256
db73114933eeff5cb11b92eb7cd504939e31f77a441371dae349b62e824bf740

SHA512
3ae8650d3881cb8218942ef982b92aaf91d1627689ebfbaf743515953a0d6fcfccd3ccf6305ebe8049e7e9cf47a217517a851daca967a5d6f4aff1c2cab43f64

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\WebStorage\2\CacheStorage\index.txt~RFe588410.TMP

Filesize
165B

MD5
80c2ccf2edaa55e93399f5c42df89e3c

SHA1
492c6f7a9e70ee76d613e356a77aee060f529852

SHA256
317eeaaa5a9ec5b9067a0592401f37c2f9c6625bb2167f919422029a9fbfdae8

SHA512
7a973d685e9a35e01865dbf2dddbb3eafe19313ad1dae116b0e54e0c153b30763267ff89d858c2501f9035415bdabfb57668eda6db6f1548da97a72451aad843

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\WebStorage\2\IndexedDB\indexeddb.leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\WebStorage\QuotaManager

Filesize
40KB

MD5
aa8c4a9f2cd5dfe78827171e9cc389a0

SHA1
6e6605ae976e00b632e4a4df39a1393ac909cbd2

SHA256
f1eb66bcb461ea3300fecdc739097338f0a3f0cb989da749e30b29c39be41cd3

SHA512
d959e7a2a9fbfea17d0a92883cf6a6a2432d566af45ef88f04807b81d4030c1c875d09b3f297993076644811ed4f93e1ad5a51e91602e9f5b7ff4769692b2815

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\WebStorage\QuotaManager-journal

Filesize
8KB

MD5
efec4c3c14b4480d9ffab20d14e29ac9

SHA1
7910a704d54c825a20b6a67b6a65e4aea25b217b

SHA256
87f01bb4fdcff984b959bccedf31d12ff83cb5a584816461326afe116efec63d

SHA512
1c76172e60f42efa4f2bc6c50081412cfa35fdfa331c52ce9f6fcf4176f09fd44e831860ffd2ef03d9f7284dc6a31b90861335f5e114a1347be5d7f44c3c26f4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\000003.log

Filesize
17KB

MD5
2d96ba4a11b178a6b84aaa1dbb45ff6e

SHA1
19956c0cbc9c4c327658329f7260bf7ced744a40

SHA256
ba1c25b87dd50b328b82008d592b1a9a530073d17efd81b19409e51dae99dbda

SHA512
782c19832fd79ea20ce04ffe616a94e79f5ba248f20749da46bb99001779a1986447eac5609b3da2aebc8c636f5fc30fe391ea994374994313120b370439b154

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\LOG

Filesize
317B

MD5
9564777f65aaf9006fb6fe88d7106fcd

SHA1
86f03a3848370072277ce290c6fec7b7b5a49a6f

SHA256
5380e76f3795f2474b858cd6e210d6be115075a3ef1ccd2d72bec5ee527c49cd

SHA512
bd7273565746ce94d0746ac8af44ab449f2ba633098ba1109c9d707ca47abd5000dc9315c73b8aeb0a0b0d47a63b5bfbbc63cf8a22cdf9d0d62e0c1884cd43dc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\metadata\000003.log

Filesize
1KB

MD5
b929e77800ac39e2df35dc2812b851e3

SHA1
c54cff1159b9137cc081c82a26ec7169f191cb63

SHA256
9c592ee5b8a897b4fd0932a84b4bd0cf0336eaf3a83abfd541ca306051a32ac4

SHA512
04d9d9afab3b928fc095e1ef9465e6245474e80cd2639130e53f895d4f7eb4dcd42e8001a589bd97bd5f2146aed36fe36fbf0e45af28c76df736d9f46ac31d02

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\metadata\LOG

Filesize
335B

MD5
920d0dd8c5b17023e32db4ef50b895f1

SHA1
a890c12e8e6f03cd9b8ae4c6d3fd8bce01e3122d

SHA256
6026af305c81c5da967e4dc6876aaaa3b97e6a1910ae969af533aa07506a24f0

SHA512
6924c23ca5d7014217e734b3c00d0a9e0c911c9ee034a012acd2f6bd5650606b03e00ed95eb9642c57dec9b3c0ee14c770b9f59e15c1bae52385f921bfd372ed

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\GrShaderCache\data_0

Filesize
44KB

MD5
6dec0bebb19d6713862027ddbb5e558d

SHA1
9af78b0954fd8296567b04410f1795cb4f8c57f0

SHA256
5d721d78577f5fd043b041dbfdf9b3e6354f927576dfe5fe256e873d89bc80e8

SHA512
61dce2709dc6643727fe6674ab150e731ff44ae0703bb7cae1f838d4f448bea17415b74f20afbecb00e522e080427894cf7fb34c6962400cf745725319718606

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\GrShaderCache\data_1

Filesize
264KB

MD5
0f91f18784163564466b62f3e9dd09d5

SHA1
a6ba5e89ca63835f15eafa59998d069b3e734cf7

SHA256
7e12081acd8090ba4b16a76a5edbff830c0fea093dd0774fe03183f6190f6205

SHA512
64bb521f921eef5fc6aa2a3916771ab398551eb6c9f9fe96ee77b79c5c3c8eb4f74ca85b285a34af157d097be3ea4f93e6ee004f614f3fc0d3f5184c4a43eb63

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\GrShaderCache\data_3

Filesize
4.0MB

MD5
d82c5aed63f4b5ddea6518cae3e6a7d4

SHA1
804e1ec6375db736b6f337d42813bf09bac10547

SHA256
910f9ab4ee3cc8a24ae70d8560f2e65c14949f59ed5d512091fbbb5c9977b0bc

SHA512
f53d5ea8dedaf387f3b0d7d8bd2dbe8e9e364c209c49f7ab00f8d5d19e46d3965441dbde71bee43124b347e917d4daaa949014fed308aab072d353489bc668ff

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\GraphiteDawnCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Last Version

Filesize
14B

MD5
ef48733031b712ca7027624fff3ab208

SHA1
da4f3812e6afc4b90d2185f4709dfbb6b47714fa

SHA256
c9ce8dbbe51a4131073db3d6ceef1e11eaca6308ad88a86125f221102d2cee99

SHA512
ce3a5a429e3796977a8019f47806b8c0671b597ead642fcbfbe3144e2b8112d35a9f2250896b7f215d237d0d19c5966caf3fe674165a6d50e14cb2b88c892029

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
232KB

MD5
d4a65ee404703f82ccdeb89531f2da50

SHA1
88c73fbcb0b314da5544153fd956297d41493faf

SHA256
00c54d41b198ae4dc68cc3a662daf1fb12555bb33960e380ad6b1cf7541ffffc

SHA512
2596c21aaa6ef12a053b9b5f4ce00e071af25c92e284c16cb963880cbad5e60da74bd60641a43aaa1bfdbc35515cbef10dc4e580f3485103f9a9207388188c9e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
232KB

MD5
7eed22e09085e56c3d1d35b891fddb1e

SHA1
a341135f66a86b311fef6b13484478675e593ebb

SHA256
dd97ffb4394f2de70422211f9e2d4f5e449b120d9d957eee8fc60d0aea36afee

SHA512
d9391bf1ef1a96306cc040b8211dfddb57b337c9bf3769629dea0f5a98ce6f27297815b845dc97876844f442fbb1cd9d19b0aaf4209ea9a2e00d960bf6d966b7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Variations

Filesize
86B

MD5
961e3604f228b0d10541ebf921500c86

SHA1
6e00570d9f78d9cfebe67d4da5efe546543949a7

SHA256
f7b24f2eb3d5eb0550527490395d2f61c3d2fe74bb9cb345197dad81b58b5fed

SHA512
535f930afd2ef50282715c7e48859cc2d7b354ff4e6c156b94d5a2815f589b33189ffedfcaf4456525283e993087f9f560d84cfcf497d189ab8101510a09c472

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\b69ade6d-f816-4872-b2de-feb79b96b486.tmp

Filesize
116KB

MD5
c486266779ca95ddea93a8253025b639

SHA1
35e7fff23f9c5faf02dce9980e08c8734f93d694

SHA256
6a1a6b4d2f16f64eb7b1316d3ea82fd7da64f728bd94674f8c33976d6c241996

SHA512
87422530ac3b56c271eddad6971740563a7b931f1e51fa03dced6ec23597c0bc0727ef54f573f66d2be875c6c7940937627a142894e24bbb964dccea55ca067b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\first_party_sets.db

Filesize
48KB

MD5
5a1706ef2fb06594e5ec3a3f15fb89e2

SHA1
983042bba239018b3dced4b56491a90d38ba084a

SHA256
87d62d8837ef9e6ab288f75f207ffa761e90a626a115a0b811ae6357bb7a59dd

SHA512
c56a8b94d62b12af6bd86f392faa7c3b9f257bd2fad69c5fa2d5e6345640fe4576fac629ed070b65ebce237759d30da0c0a62a8a21a0b5ef6b09581d91d0aa16

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\first_party_sets.db-journal

Filesize
4KB

MD5
af0352d6dd0d6fdd4b897dd9207b1c13

SHA1
2be58ad887433b5c1bee47e9ec8de5bc93186e11

SHA256
15d18d1a00d9e72426deb2a8e00487a6ba0e3b4463d5fb2f69a3931ff308f41a

SHA512
805c715bd39225a24beb6fb824c55dba398e3b0811f28518244641efde6322e8fffa6ab41f00a883f08b45a521afe39d32cd038a7272506fe804d0e93ccd9d09

Download Submit
C:\Users\Admin\AppData\Local\Temp\a18e2b63-f2d9-49a8-a673-33decdc5bde4.tmp

Filesize
1B

MD5
5058f1af8388633f609cadb75a75dc9d

SHA1
3a52ce780950d4d969792a2559cd519d7ee8c727

SHA256
cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8

SHA512
0b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir2276_2117879404\CRX_INSTALL\_locales\en_CA\messages.json

Filesize
711B

MD5
558659936250e03cc14b60ebf648aa09

SHA1
32f1ce0361bbfdff11e2ffd53d3ae88a8b81a825

SHA256
2445cad863be47bb1c15b57a4960b7b0d01864e63cdfde6395f3b2689dc1444b

SHA512
1632f5a3cd71887774bf3cb8a4d8b787ea6278271657b0f1d113dbe1a7fd42c4daa717cc449f157ce8972037572b882dc946a7dc2c0e549d71982dcdee89f727

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir2276_2117879404\d528db56-6016-4ff7-b660-b9248cb81885.tmp

Filesize
132KB

MD5
da75bb05d10acc967eecaac040d3d733

SHA1
95c08e067df713af8992db113f7e9aec84f17181

SHA256
33ae9b8f06dc777bb1a65a6ba6c3f2a01b25cd1afc291426b46d1df27ea6e7e2

SHA512
56533de53872f023809a20d1ea8532cdc2260d40b05c5a7012c8e61576ff092f006a197f759c92c6b8c429eeec4bb542073b491ddcfd5b22cd4ecbe1a8a7c6ef

Download Submit
C:\Users\Admin\Downloads\430f015e62c1a1063e98ee14980649957ffc1d481d6dc0f51a68e6e6a9e25820.7z.crdownload

Filesize
1.0MB

MD5
c9aea18b253b9501a69dbe399f1bb3ff

SHA1
9ac88d4e0e8a0c7d3a854f81b7e66efecf689af3

SHA256
03f293861075aea69218529d77c9c727e05377acc1007d27c3d0d36908bfedc7

SHA512
d74a08b41bf895837c6c779a9bf3c5b314fec35dca9c87a966c754701a57045e524206718a1c5e1abb733bfebb3989d72b0a058673cd2a3e8fe71d6f35bb6b5a

Download Submit
C:\Users\Admin\Downloads\fc720ba95ab46e6a5f9fd7f6b1f240cd9b29cd96f6cb075f0459fac230f7de94.7z.crdownload

Filesize
256KB

MD5
7d6db8f098e3a5c137aba2249452e892

SHA1
b8e8a5971b8eed6155523292e419f98402be5e40

SHA256
ee066e4909721c85acbb612000e2a0268ae14d2f6533e0e9d2721587083a1bec

SHA512
7d3233f456c393ffe806f942f0414688939ba273c841d247d17303205b378224d4a3eaafb2a3bc6d8d4ee61adebaf20565b6786c2fc3d628ca6ce0b7dba4c677

Download Submit
memory/5968-7950-0x0000014D5D360000-0x0000014D5D361000-memory.dmp

Filesize
4KB

Download
memory/5968-7951-0x0000014D5D360000-0x0000014D5D361000-memory.dmp

Filesize
4KB

Download
memory/5968-7949-0x0000014D5D360000-0x0000014D5D361000-memory.dmp

Filesize
4KB

Download
memory/5968-7961-0x0000014D5D360000-0x0000014D5D361000-memory.dmp

Filesize
4KB

Download
memory/5968-7960-0x0000014D5D360000-0x0000014D5D361000-memory.dmp

Filesize
4KB

Download
memory/5968-7959-0x0000014D5D360000-0x0000014D5D361000-memory.dmp

Filesize
4KB

Download
memory/5968-7958-0x0000014D5D360000-0x0000014D5D361000-memory.dmp

Filesize
4KB

Download
memory/5968-7957-0x0000014D5D360000-0x0000014D5D361000-memory.dmp

Filesize
4KB

Download
memory/5968-7956-0x0000014D5D360000-0x0000014D5D361000-memory.dmp

Filesize
4KB

Download
memory/5968-7955-0x0000014D5D360000-0x0000014D5D361000-memory.dmp

Filesize
4KB

Download