lockbit | hxxps://github[.]com/Tennessene/LockBit

Analysis

max time kernel
231s
max time network
215s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
26-12-2024 21:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/Tennessene/LockBit

Score

10^/10

lockbit defense_evasion discovery ransomware spyware stealer

Malware Config

Extracted

Path

C:\d1ntMCSCb.README.txt

Family

lockbit

Ransom Note

~~~ LockBit 3.0 the world's fastest ransomware since 2019~~~ >>>> Your data are stolen and encrypted The data will be published on TOR website if you do not pay the ransom Links for Tor Browser: http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion http://lockbitapt5x4zkjbcqmz6frdhecqqgadevyiwqxukksspnlidyvd7qd.onion http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion http://lockbitapt34kvrip6xojylohhxrwsvpzdffgs5z4pbbsywnzsbdguqd.onion http://lockbitaptc2iq4atewz2ise62q63wfktyrl4qtwuk5qax262kgtzjqd.onion http://lockbitaptjpikdqjynvgozhgc6bgetgucdk5xjacozeaawihmoio6yd.onion http://lockbitaptq7ephv2oigdncfhtwhpqgwmqojnxqdyhprxxfpcllqdxad.onion http://lockbitaptstzf3er2lz6ku3xuifafq2yh5lmiqj5ncur6rtlmkteiqd.onion http://lockbitaptoofrpignlz6dt2wqqc5z3a4evjevoa3eqdfcntxad5lmyd.onion Links for the normal browser http://lockbitapt.uz http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion.ly http://lockbitapt5x4zkjbcqmz6frdhecqqgadevyiwqxukksspnlidyvd7qd.onion.ly http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion.ly http://lockbitapt34kvrip6xojylohhxrwsvpzdffgs5z4pbbsywnzsbdguqd.onion.ly http://lockbitaptc2iq4atewz2ise62q63wfktyrl4qtwuk5qax262kgtzjqd.onion.ly http://lockbitaptjpikdqjynvgozhgc6bgetgucdk5xjacozeaawihmoio6yd.onion.ly http://lockbitaptq7ephv2oigdncfhtwhpqgwmqojnxqdyhprxxfpcllqdxad.onion.ly http://lockbitaptstzf3er2lz6ku3xuifafq2yh5lmiqj5ncur6rtlmkteiqd.onion.ly http://lockbitaptoofrpignlz6dt2wqqc5z3a4evjevoa3eqdfcntxad5lmyd.onion.ly >>>> What guarantees that we will not deceive you? We are not a politically motivated group and we do not need anything other than your money. If you pay, we will provide you the programs for decryption and we will delete your data. Life is too short to be sad. Be not sad, money, it is only paper. If we do not give you decrypters, or we do not delete your data after payment, then nobody will pay us in the future. Therefore to us our reputation is very important. We attack the companies worldwide and there is no dissatisfied victim after payment. You can obtain information about us on twitter https://twitter.com/hashtag/lockbit?f=live >>>> You need contact us and decrypt one file for free on these TOR sites with your personal DECRYPTION ID Download and install TOR Browser https://www.torproject.org/ Write to a chat and wait for the answer, we will always answer you. Sometimes you will need to wait for our answer because we attack many companies. Links for Tor Browser: http://lockbitsupt7nr3fa6e7xyb73lk6bw6rcneqhoyblniiabj4uwvzapqd.onion http://lockbitsupuhswh4izvoucoxsbnotkmgq6durg7kficg6u33zfvq3oyd.onion http://lockbitsupn2h6be2cnqpvncyhj4rgmnwn44633hnzzmtxdvjoqlp7yd.onion Link for the normal browser http://lockbitsupp.uz If you do not get an answer in the chat room for a long time, the site does not work and in any other emergency, you can contact us in jabber or tox. Tox ID LockBitSupp: 3085B89A0C515D2FB124D645906F5D3DA5CB97CEBEA975959AE4F95302A04E1D709C3C4AE9B7 XMPP (Jabber) Support: [email protected] [email protected] >>>> Your personal DECRYPTION ID: B7568014A48684D6D525F3F3722638C4 >>>> Warning! Do not DELETE or MODIFY any files, it can lead to recovery problems! >>>> Warning! If you do not pay the ransom we will attack your company repeatedly again! >>>> Advertisement Would you like to earn millions of dollars $$$ ? Our company acquire access to networks of various companies, as well as insider information that can help you steal the most valuable data of any company. You can provide us accounting data for the access to any company, for example, login and password to RDP, VPN, corporate email, etc. Open our letter at your email. Launch the provided virus on any computer in your company. You can do it both using your work computer or the computer of any other employee in order to divert suspicion of being in collusion with us. Companies pay us the foreclosure for the decryption of files and prevention of data leak. You can contact us using Tox messenger without registration and SMS https://tox.chat/download.html. Using Tox messenger, we will never know your real name, it means your privacy is guaranteed. If you want to contact us, write in jabber or tox. Tox ID LockBitSupp: 3085B89A0C515D2FB124D645906F5D3DA5CB97CEBEA975959AE4F95302A04E1D709C3C4AE9B7 XMPP (Jabber) Support: [email protected] [email protected] If this contact is expired, and we do not respond you, look for the relevant contact data on our website via Tor or Brave browser Links for Tor Browser: http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion http://lockbitapt5x4zkjbcqmz6frdhecqqgadevyiwqxukksspnlidyvd7qd.onion http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion http://lockbitapt34kvrip6xojylohhxrwsvpzdffgs5z4pbbsywnzsbdguqd.onion http://lockbitaptc2iq4atewz2ise62q63wfktyrl4qtwuk5qax262kgtzjqd.onion http://lockbitaptjpikdqjynvgozhgc6bgetgucdk5xjacozeaawihmoio6yd.onion http://lockbitaptq7ephv2oigdncfhtwhpqgwmqojnxqdyhprxxfpcllqdxad.onion http://lockbitaptstzf3er2lz6ku3xuifafq2yh5lmiqj5ncur6rtlmkteiqd.onion http://lockbitaptoofrpignlz6dt2wqqc5z3a4evjevoa3eqdfcntxad5lmyd.onion Links for the normal browser http://lockbitapt.uz http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion.ly http://lockbitapt5x4zkjbcqmz6frdhecqqgadevyiwqxukksspnlidyvd7qd.onion.ly http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion.ly http://lockbitapt34kvrip6xojylohhxrwsvpzdffgs5z4pbbsywnzsbdguqd.onion.ly http://lockbitaptc2iq4atewz2ise62q63wfktyrl4qtwuk5qax262kgtzjqd.onion.ly http://lockbitaptjpikdqjynvgozhgc6bgetgucdk5xjacozeaawihmoio6yd.onion.ly http://lockbitaptq7ephv2oigdncfhtwhpqgwmqojnxqdyhprxxfpcllqdxad.onion.ly http://lockbitaptstzf3er2lz6ku3xuifafq2yh5lmiqj5ncur6rtlmkteiqd.onion.ly http://lockbitaptoofrpignlz6dt2wqqc5z3a4evjevoa3eqdfcntxad5lmyd.onion.ly

Emails

[email protected]

URLs

http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion

http://lockbitapt5x4zkjbcqmz6frdhecqqgadevyiwqxukksspnlidyvd7qd.onion

http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion

http://lockbitapt34kvrip6xojylohhxrwsvpzdffgs5z4pbbsywnzsbdguqd.onion

http://lockbitaptc2iq4atewz2ise62q63wfktyrl4qtwuk5qax262kgtzjqd.onion

http://lockbitaptjpikdqjynvgozhgc6bgetgucdk5xjacozeaawihmoio6yd.onion

http://lockbitaptq7ephv2oigdncfhtwhpqgwmqojnxqdyhprxxfpcllqdxad.onion

http://lockbitaptstzf3er2lz6ku3xuifafq2yh5lmiqj5ncur6rtlmkteiqd.onion

http://lockbitaptoofrpignlz6dt2wqqc5z3a4evjevoa3eqdfcntxad5lmyd.onion

http://lockbitapt.uz

http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion.ly

http://lockbitapt5x4zkjbcqmz6frdhecqqgadevyiwqxukksspnlidyvd7qd.onion.ly

http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion.ly

http://lockbitapt34kvrip6xojylohhxrwsvpzdffgs5z4pbbsywnzsbdguqd.onion.ly

http://lockbitaptc2iq4atewz2ise62q63wfktyrl4qtwuk5qax262kgtzjqd.onion.ly

http://lockbitaptjpikdqjynvgozhgc6bgetgucdk5xjacozeaawihmoio6yd.onion.ly

http://lockbitaptq7ephv2oigdncfhtwhpqgwmqojnxqdyhprxxfpcllqdxad.onion.ly

http://lockbitaptstzf3er2lz6ku3xuifafq2yh5lmiqj5ncur6rtlmkteiqd.onion.ly

http://lockbitaptoofrpignlz6dt2wqqc5z3a4evjevoa3eqdfcntxad5lmyd.onion.ly

https://twitter.com/hashtag/lockbit?f=live

Signatures

Lockbit
Ransomware family with multiple variants released since late 2019.
ransomware lockbit
Lockbit family
lockbit

Rule to detect Lockbit 3.0 ransomware Windows payload 4 IoCs

resource	yara_rule
behavioral1/files/0x0007000000023d6e-387.dat	family_lockbit
behavioral1/memory/2296-4108-0x0000000000400000-0x0000000000429000-memory.dmp	family_lockbit
behavioral1/memory/2296-4109-0x0000000000400000-0x0000000000429000-memory.dmp	family_lockbit
behavioral1/memory/3596-4110-0x0000000000400000-0x0000000000429000-memory.dmp	family_lockbit

Renames multiple (638) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	C480.tmp
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	95BA.tmp

Executes dropped EXE 17 IoCs

pid	Process
1848	LB3Decryptor.exe
4728	LB3Decryptor.exe
4932	LB3.exe
5188	C480.tmp
4988	LB3Decryptor.exe
2296	LB3_pass.exe
3596	LB3_pass.exe
2568	keygen.exe
860	builder.exe
1688	builder.exe
4128	builder.exe
1728	builder.exe
1784	builder.exe
3900	builder.exe
6408	LB3.exe
6136	95BA.tmp
5804	LB3Decryptor.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Drops desktop.ini file(s) 3 IoCs

description	ioc	Process
File opened for modification	C:\$Recycle.Bin\S-1-5-21-493223053-2004649691-1575712786-1000\desktop.ini	LB3.exe
File opened for modification	F:\$RECYCLE.BIN\S-1-5-21-493223053-2004649691-1575712786-1000\desktop.ini	LB3.exe
File opened for modification	C:\$Recycle.Bin\S-1-5-21-493223053-2004649691-1575712786-1000\desktop.ini	LB3.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Drops file in System32 directory 8 IoCs

description	ioc	Process
File created	C:\Windows\system32\spool\PRINTERS\PP7_gij0fx7t6rzitq07f4ar0tb.TMP	printfilterpipelinesvc.exe
File created	C:\Windows\system32\spool\PRINTERS\PPj14clpminl01szia1b_ell8kb.TMP	printfilterpipelinesvc.exe
File created	C:\Windows\system32\spool\PRINTERS\00003.SPL	splwow64.exe
File created	C:\Windows\system32\spool\PRINTERS\PPx0p4_dv3vlz7mj3okzequj90d.TMP	printfilterpipelinesvc.exe
File created	C:\Windows\system32\spool\PRINTERS\PPc3nxnpb20cpttne2u04o3_a8d.TMP	printfilterpipelinesvc.exe
File created	C:\Windows\system32\spool\PRINTERS\PPpp46kd2ytgs8nzwq58vl1w7pb.TMP	printfilterpipelinesvc.exe
File created	C:\Windows\system32\spool\PRINTERS\00002.SPL	splwow64.exe
File created	C:\Windows\system32\spool\PRINTERS\PPjni1syezqsj3brphlp3xck1gd.TMP	printfilterpipelinesvc.exe

Sets desktop wallpaper using registry 2 TTPs 6 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\xJ5SImvxQ.bmp"	LB3.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\xJ5SImvxQ.bmp"	LB3.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\Desktop\WallPaper	LB3Decryptor.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\d1ntMCSCb.bmp"	LB3.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\d1ntMCSCb.bmp"	LB3.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\Desktop\WallPaper	LB3Decryptor.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
5188	C480.tmp
6136	95BA.tmp

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
316	2296	WerFault.exe	165
2400	3596	WerFault.exe	170

System Location Discovery: System Language Discovery 1 TTPs 24 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	builder.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	builder.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	C480.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	builder.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	LB3Decryptor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	builder.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	builder.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	builder.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	builder.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	builder.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	builder.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	LB3Decryptor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	LB3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	LB3Decryptor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	LB3_pass.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	builder.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	95BA.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	keygen.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	builder.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	builder.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	LB3Decryptor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	LB3.exe

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	ONENOTE.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	ONENOTE.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	ONENOTE.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	ONENOTE.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	ONENOTE.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	ONENOTE.EXE

Enumerates system info in registry 2 TTPs 9 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	ONENOTE.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	ONENOTE.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	ONENOTE.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	ONENOTE.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	ONENOTE.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	ONENOTE.EXE

Modifies Control Panel 6 IoCs

evasion

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\Desktop	LB3Decryptor.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\Desktop	LB3.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\Desktop\WallpaperStyle = "10"	LB3.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\Desktop	LB3Decryptor.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\Desktop	LB3.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\Desktop\WallpaperStyle = "10"	LB3.exe

Modifies registry class 17 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.d1ntMCSCb	LB3.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\d1ntMCSCb	LB3Decryptor.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\D1NTMCSCB\DEFAULTICON	LB3Decryptor.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\.D1NTMCSCB	LB3Decryptor.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.xJ5SImvxQ	LB3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.xJ5SImvxQ\ = "xJ5SImvxQ"	LB3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\xJ5SImvxQ	LB3.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\.XJ5SIMVXQ	LB3Decryptor.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings	msedge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\d1ntMCSCb\DefaultIcon\ = "C:\\ProgramData\\d1ntMCSCb.ico"	LB3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\xJ5SImvxQ\DefaultIcon	LB3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\xJ5SImvxQ\DefaultIcon\ = "C:\\ProgramData\\xJ5SImvxQ.ico"	LB3.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\XJ5SIMVXQ\DEFAULTICON	LB3Decryptor.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.d1ntMCSCb\ = "d1ntMCSCb"	LB3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\d1ntMCSCb\DefaultIcon	LB3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\d1ntMCSCb	LB3.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\xJ5SImvxQ	LB3Decryptor.exe

Suspicious behavior: AddClipboardFormatListener 4 IoCs

pid	Process
316	ONENOTE.EXE
316	ONENOTE.EXE
6436	ONENOTE.EXE
6436	ONENOTE.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1220	msedge.exe
1220	msedge.exe
1644	msedge.exe
1644	msedge.exe
4280	identity_helper.exe
4280	identity_helper.exe
1688	msedge.exe
1688	msedge.exe
1848	LB3Decryptor.exe
1848	LB3Decryptor.exe
4728	LB3Decryptor.exe
4728	LB3Decryptor.exe
4932	LB3.exe
4932	LB3.exe
4932	LB3.exe
4932	LB3.exe
4932	LB3.exe
4932	LB3.exe
4932	LB3.exe
4932	LB3.exe
4932	LB3.exe
4932	LB3.exe
4932	LB3.exe
4932	LB3.exe
4932	LB3.exe
4932	LB3.exe
4932	LB3.exe
4932	LB3.exe
4932	LB3.exe
4932	LB3.exe
4932	LB3.exe
4932	LB3.exe
4932	LB3.exe
4932	LB3.exe
4932	LB3.exe
4932	LB3.exe
4932	LB3.exe
4932	LB3.exe
4932	LB3.exe
4932	LB3.exe
4932	LB3.exe
4932	LB3.exe
4932	LB3.exe
4932	LB3.exe
4932	LB3.exe
4932	LB3.exe
4932	LB3.exe
4932	LB3.exe
4932	LB3.exe
4932	LB3.exe
4932	LB3.exe
4932	LB3.exe
4932	LB3.exe
4932	LB3.exe
4932	LB3.exe
4932	LB3.exe
4932	LB3.exe
4932	LB3.exe
4932	LB3.exe
4932	LB3.exe
4932	LB3.exe
4932	LB3.exe
4932	LB3.exe
4932	LB3.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
1644	msedge.exe
1644	msedge.exe
1644	msedge.exe
1644	msedge.exe
1644	msedge.exe
1644	msedge.exe
1644	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeBackupPrivilege	1848	LB3Decryptor.exe
Token: SeDebugPrivilege	1848	LB3Decryptor.exe
Token: 36	1848	LB3Decryptor.exe
Token: SeImpersonatePrivilege	1848	LB3Decryptor.exe
Token: SeIncBasePriorityPrivilege	1848	LB3Decryptor.exe
Token: SeIncreaseQuotaPrivilege	1848	LB3Decryptor.exe
Token: 33	1848	LB3Decryptor.exe
Token: SeManageVolumePrivilege	1848	LB3Decryptor.exe
Token: SeProfSingleProcessPrivilege	1848	LB3Decryptor.exe
Token: SeRestorePrivilege	1848	LB3Decryptor.exe
Token: SeSecurityPrivilege	1848	LB3Decryptor.exe
Token: SeSystemProfilePrivilege	1848	LB3Decryptor.exe
Token: SeTakeOwnershipPrivilege	1848	LB3Decryptor.exe
Token: SeBackupPrivilege	4728	LB3Decryptor.exe
Token: SeDebugPrivilege	4728	LB3Decryptor.exe
Token: 36	4728	LB3Decryptor.exe
Token: SeImpersonatePrivilege	4728	LB3Decryptor.exe
Token: SeIncBasePriorityPrivilege	4728	LB3Decryptor.exe
Token: SeIncreaseQuotaPrivilege	4728	LB3Decryptor.exe
Token: 33	4728	LB3Decryptor.exe
Token: SeManageVolumePrivilege	4728	LB3Decryptor.exe
Token: SeProfSingleProcessPrivilege	4728	LB3Decryptor.exe
Token: SeRestorePrivilege	4728	LB3Decryptor.exe
Token: SeSecurityPrivilege	4728	LB3Decryptor.exe
Token: SeSystemProfilePrivilege	4728	LB3Decryptor.exe
Token: SeTakeOwnershipPrivilege	4728	LB3Decryptor.exe
Token: SeAssignPrimaryTokenPrivilege	4932	LB3.exe
Token: SeBackupPrivilege	4932	LB3.exe
Token: SeDebugPrivilege	4932	LB3.exe
Token: 36	4932	LB3.exe
Token: SeImpersonatePrivilege	4932	LB3.exe
Token: SeIncBasePriorityPrivilege	4932	LB3.exe
Token: SeIncreaseQuotaPrivilege	4932	LB3.exe
Token: 33	4932	LB3.exe
Token: SeManageVolumePrivilege	4932	LB3.exe
Token: SeProfSingleProcessPrivilege	4932	LB3.exe
Token: SeRestorePrivilege	4932	LB3.exe
Token: SeSecurityPrivilege	4932	LB3.exe
Token: SeSystemProfilePrivilege	4932	LB3.exe
Token: SeTakeOwnershipPrivilege	4932	LB3.exe
Token: SeShutdownPrivilege	4932	LB3.exe
Token: SeDebugPrivilege	4932	LB3.exe
Token: SeBackupPrivilege	4932	LB3.exe
Token: SeBackupPrivilege	4932	LB3.exe
Token: SeSecurityPrivilege	4932	LB3.exe
Token: SeSecurityPrivilege	4932	LB3.exe
Token: SeBackupPrivilege	4932	LB3.exe
Token: SeBackupPrivilege	4932	LB3.exe
Token: SeSecurityPrivilege	4932	LB3.exe
Token: SeSecurityPrivilege	4932	LB3.exe
Token: SeBackupPrivilege	4932	LB3.exe
Token: SeBackupPrivilege	4932	LB3.exe
Token: SeSecurityPrivilege	4932	LB3.exe
Token: SeSecurityPrivilege	4932	LB3.exe
Token: SeBackupPrivilege	4932	LB3.exe
Token: SeBackupPrivilege	4932	LB3.exe
Token: SeSecurityPrivilege	4932	LB3.exe
Token: SeSecurityPrivilege	4932	LB3.exe
Token: SeBackupPrivilege	4932	LB3.exe
Token: SeBackupPrivilege	4932	LB3.exe
Token: SeSecurityPrivilege	4932	LB3.exe
Token: SeSecurityPrivilege	4932	LB3.exe
Token: SeBackupPrivilege	4932	LB3.exe
Token: SeBackupPrivilege	4932	LB3.exe

Suspicious use of FindShellTrayWindow 37 IoCs

pid	Process
1644	msedge.exe
1644	msedge.exe
1644	msedge.exe
1644	msedge.exe
1644	msedge.exe
1644	msedge.exe
1644	msedge.exe
1644	msedge.exe
1644	msedge.exe
1644	msedge.exe
1644	msedge.exe
1644	msedge.exe
1644	msedge.exe
1644	msedge.exe
1644	msedge.exe
1644	msedge.exe
1644	msedge.exe
1644	msedge.exe
1644	msedge.exe
1644	msedge.exe
1644	msedge.exe
1644	msedge.exe
1644	msedge.exe
1644	msedge.exe
1644	msedge.exe
1644	msedge.exe
1644	msedge.exe
1644	msedge.exe
1644	msedge.exe
1644	msedge.exe
1644	msedge.exe
1644	msedge.exe
1644	msedge.exe
1644	msedge.exe
2412	NOTEPAD.EXE
4052	NOTEPAD.EXE
4988	LB3Decryptor.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1644	msedge.exe
1644	msedge.exe
1644	msedge.exe
1644	msedge.exe
1644	msedge.exe
1644	msedge.exe
1644	msedge.exe
1644	msedge.exe
1644	msedge.exe
1644	msedge.exe
1644	msedge.exe
1644	msedge.exe
1644	msedge.exe
1644	msedge.exe
1644	msedge.exe
1644	msedge.exe
1644	msedge.exe
1644	msedge.exe
1644	msedge.exe
1644	msedge.exe
1644	msedge.exe
1644	msedge.exe
1644	msedge.exe
1644	msedge.exe

Suspicious use of SetWindowsHookEx 34 IoCs

pid	Process
1848	LB3Decryptor.exe
4728	LB3Decryptor.exe
316	ONENOTE.EXE
316	ONENOTE.EXE
316	ONENOTE.EXE
316	ONENOTE.EXE
316	ONENOTE.EXE
316	ONENOTE.EXE
316	ONENOTE.EXE
316	ONENOTE.EXE
316	ONENOTE.EXE
316	ONENOTE.EXE
316	ONENOTE.EXE
316	ONENOTE.EXE
316	ONENOTE.EXE
316	ONENOTE.EXE
316	ONENOTE.EXE
4988	LB3Decryptor.exe
6436	ONENOTE.EXE
6436	ONENOTE.EXE
6436	ONENOTE.EXE
6436	ONENOTE.EXE
6436	ONENOTE.EXE
6436	ONENOTE.EXE
6436	ONENOTE.EXE
6436	ONENOTE.EXE
6436	ONENOTE.EXE
6436	ONENOTE.EXE
6436	ONENOTE.EXE
6436	ONENOTE.EXE
6436	ONENOTE.EXE
6436	ONENOTE.EXE
6436	ONENOTE.EXE
5804	LB3Decryptor.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1644 wrote to memory of 5072	1644	msedge.exe	83
PID 1644 wrote to memory of 5072	1644	msedge.exe	83
PID 1644 wrote to memory of 3816	1644	msedge.exe	84
PID 1644 wrote to memory of 3816	1644	msedge.exe	84
PID 1644 wrote to memory of 3816	1644	msedge.exe	84
PID 1644 wrote to memory of 3816	1644	msedge.exe	84
PID 1644 wrote to memory of 3816	1644	msedge.exe	84
PID 1644 wrote to memory of 3816	1644	msedge.exe	84
PID 1644 wrote to memory of 3816	1644	msedge.exe	84
PID 1644 wrote to memory of 3816	1644	msedge.exe	84
PID 1644 wrote to memory of 3816	1644	msedge.exe	84
PID 1644 wrote to memory of 3816	1644	msedge.exe	84
PID 1644 wrote to memory of 3816	1644	msedge.exe	84
PID 1644 wrote to memory of 3816	1644	msedge.exe	84
PID 1644 wrote to memory of 3816	1644	msedge.exe	84
PID 1644 wrote to memory of 3816	1644	msedge.exe	84
PID 1644 wrote to memory of 3816	1644	msedge.exe	84
PID 1644 wrote to memory of 3816	1644	msedge.exe	84
PID 1644 wrote to memory of 3816	1644	msedge.exe	84
PID 1644 wrote to memory of 3816	1644	msedge.exe	84
PID 1644 wrote to memory of 3816	1644	msedge.exe	84
PID 1644 wrote to memory of 3816	1644	msedge.exe	84
PID 1644 wrote to memory of 3816	1644	msedge.exe	84
PID 1644 wrote to memory of 3816	1644	msedge.exe	84
PID 1644 wrote to memory of 3816	1644	msedge.exe	84
PID 1644 wrote to memory of 3816	1644	msedge.exe	84
PID 1644 wrote to memory of 3816	1644	msedge.exe	84
PID 1644 wrote to memory of 3816	1644	msedge.exe	84
PID 1644 wrote to memory of 3816	1644	msedge.exe	84
PID 1644 wrote to memory of 3816	1644	msedge.exe	84
PID 1644 wrote to memory of 3816	1644	msedge.exe	84
PID 1644 wrote to memory of 3816	1644	msedge.exe	84
PID 1644 wrote to memory of 3816	1644	msedge.exe	84
PID 1644 wrote to memory of 3816	1644	msedge.exe	84
PID 1644 wrote to memory of 3816	1644	msedge.exe	84
PID 1644 wrote to memory of 3816	1644	msedge.exe	84
PID 1644 wrote to memory of 3816	1644	msedge.exe	84
PID 1644 wrote to memory of 3816	1644	msedge.exe	84
PID 1644 wrote to memory of 3816	1644	msedge.exe	84
PID 1644 wrote to memory of 3816	1644	msedge.exe	84
PID 1644 wrote to memory of 3816	1644	msedge.exe	84
PID 1644 wrote to memory of 3816	1644	msedge.exe	84
PID 1644 wrote to memory of 1220	1644	msedge.exe	85
PID 1644 wrote to memory of 1220	1644	msedge.exe	85
PID 1644 wrote to memory of 3164	1644	msedge.exe	86
PID 1644 wrote to memory of 3164	1644	msedge.exe	86
PID 1644 wrote to memory of 3164	1644	msedge.exe	86
PID 1644 wrote to memory of 3164	1644	msedge.exe	86
PID 1644 wrote to memory of 3164	1644	msedge.exe	86
PID 1644 wrote to memory of 3164	1644	msedge.exe	86
PID 1644 wrote to memory of 3164	1644	msedge.exe	86
PID 1644 wrote to memory of 3164	1644	msedge.exe	86
PID 1644 wrote to memory of 3164	1644	msedge.exe	86
PID 1644 wrote to memory of 3164	1644	msedge.exe	86
PID 1644 wrote to memory of 3164	1644	msedge.exe	86
PID 1644 wrote to memory of 3164	1644	msedge.exe	86
PID 1644 wrote to memory of 3164	1644	msedge.exe	86
PID 1644 wrote to memory of 3164	1644	msedge.exe	86
PID 1644 wrote to memory of 3164	1644	msedge.exe	86
PID 1644 wrote to memory of 3164	1644	msedge.exe	86
PID 1644 wrote to memory of 3164	1644	msedge.exe	86
PID 1644 wrote to memory of 3164	1644	msedge.exe	86
PID 1644 wrote to memory of 3164	1644	msedge.exe	86
PID 1644 wrote to memory of 3164	1644	msedge.exe	86

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://github.com/Tennessene/LockBit
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1644
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffec26e46f8,0x7ffec26e4708,0x7ffec26e4718
  2⤵
  PID:5072
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2136,18283555698911157639,4681414442777715972,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2128 /prefetch:2
  2⤵
  PID:3816
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2136,18283555698911157639,4681414442777715972,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2240 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1220
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2136,18283555698911157639,4681414442777715972,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2828 /prefetch:8
  2⤵
  PID:3164
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,18283555698911157639,4681414442777715972,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3344 /prefetch:1
  2⤵
  PID:116
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,18283555698911157639,4681414442777715972,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3372 /prefetch:1
  2⤵
  PID:3616
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2136,18283555698911157639,4681414442777715972,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5664 /prefetch:8
  2⤵
  PID:1552
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2136,18283555698911157639,4681414442777715972,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5664 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4280
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,18283555698911157639,4681414442777715972,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5328 /prefetch:1
  2⤵
  PID:2620
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,18283555698911157639,4681414442777715972,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5324 /prefetch:1
  2⤵
  PID:2296
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,18283555698911157639,4681414442777715972,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5060 /prefetch:1
  2⤵
  PID:4568
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,18283555698911157639,4681414442777715972,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5808 /prefetch:1
  2⤵
  PID:2076
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2136,18283555698911157639,4681414442777715972,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5936 /prefetch:8
  2⤵
  PID:3152
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,18283555698911157639,4681414442777715972,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3472 /prefetch:1
  2⤵
  PID:1060
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2136,18283555698911157639,4681414442777715972,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5708 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1688

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4800

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1088

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3340

C:\Users\Admin\Desktop\LockBit-1.0\keygen.exe
"C:\Users\Admin\Desktop\LockBit-1.0\keygen.exe"
1⤵
- System Location Discovery: System Language Discovery
PID:2952

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\LockBit-1.0\Build.bat" "
1⤵
PID:4712
- C:\Users\Admin\Desktop\LockBit-1.0\keygen.exe
  keygen -path "C:\Users\Admin\Desktop\LockBit-1.0\Build" -pubkey pub.key -privkey priv.key
  2⤵
  PID:4224
- C:\Users\Admin\Desktop\LockBit-1.0\builder.exe
  builder -type dec -privkey "C:\Users\Admin\Desktop\LockBit-1.0\Build\priv.key" -config config.json -ofile "C:\Users\Admin\Desktop\LockBit-1.0\Build\LB3Decryptor.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2388
- C:\Users\Admin\Desktop\LockBit-1.0\builder.exe
  builder -type enc -exe -pubkey "C:\Users\Admin\Desktop\LockBit-1.0\Build\pub.key" -config config.json -ofile "C:\Users\Admin\Desktop\LockBit-1.0\Build\LB3.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2044
- C:\Users\Admin\Desktop\LockBit-1.0\builder.exe
  builder -type enc -exe -pass -pubkey "C:\Users\Admin\Desktop\LockBit-1.0\Build\pub.key" -config config.json -ofile "C:\Users\Admin\Desktop\LockBit-1.0\Build\LB3_pass.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1656
- C:\Users\Admin\Desktop\LockBit-1.0\builder.exe
  builder -type enc -dll -pubkey "C:\Users\Admin\Desktop\LockBit-1.0\Build\pub.key" -config config.json -ofile "C:\Users\Admin\Desktop\LockBit-1.0\Build\LB3_Rundll32.dll"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2584
- C:\Users\Admin\Desktop\LockBit-1.0\builder.exe
  builder -type enc -dll -pass -pubkey "C:\Users\Admin\Desktop\LockBit-1.0\Build\pub.key" -config config.json -ofile "C:\Users\Admin\Desktop\LockBit-1.0\Build\LB3_Rundll32_pass.dll"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4312
- C:\Users\Admin\Desktop\LockBit-1.0\builder.exe
  builder -type enc -ref -pubkey "C:\Users\Admin\Desktop\LockBit-1.0\Build\pub.key" -config config.json -ofile "C:\Users\Admin\Desktop\LockBit-1.0\Build\LB3_ReflectiveDll_DllMain.dll"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3976

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\LockBit-1.0\Build\DECRYPTION_ID.txt
1⤵
PID:1440

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\LockBit-1.0\Build\Password_exe.txt
1⤵
PID:3352

C:\Users\Admin\Desktop\LockBit-1.0\Build\LB3Decryptor.exe
"C:\Users\Admin\Desktop\LockBit-1.0\Build\LB3Decryptor.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1848

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\LockBit-1.0\Build\DECRYPTION_ID.txt
1⤵
PID:5048

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\LockBit-1.0\Build\Password_exe.txt
1⤵
PID:2980

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\LockBit-1.0\Build\DECRYPTION_ID.txt
1⤵
PID:1688

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\LockBit-1.0\Build\Password_dll.txt
1⤵
- Suspicious use of FindShellTrayWindow
PID:4052

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\LockBit-1.0\Build\Password_exe.txt
1⤵
- Suspicious use of FindShellTrayWindow
PID:2412

C:\Users\Admin\Desktop\LockBit-1.0\Build\LB3Decryptor.exe
"C:\Users\Admin\Desktop\LockBit-1.0\Build\LB3Decryptor.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4728

C:\Users\Admin\Desktop\LockBit-1.0\Build\LB3.exe
"C:\Users\Admin\Desktop\LockBit-1.0\Build\LB3.exe"
1⤵
- Executes dropped EXE
- Drops desktop.ini file(s)
- Sets desktop wallpaper using registry
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4932
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  - Drops file in System32 directory
  PID:1528
- C:\ProgramData\C480.tmp
  "C:\ProgramData\C480.tmp"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  PID:5188
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\C480.tmp >> NUL
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5712

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
1⤵
PID:3552

C:\Windows\system32\printfilterpipelinesvc.exe
C:\Windows\system32\printfilterpipelinesvc.exe -Embedding
1⤵
- Drops file in System32 directory
PID:4868
- C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
  /insertdoc "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\{012F47CE-7872-4238-BD19-75C434554D00}.xps" 133797224410960000
  2⤵
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  PID:316
- C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
  /insertdoc "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\{F6DA1F23-59B0-4687-AC55-23D8DED04CAA}.xps" 133797224935330000
  2⤵
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  PID:6436

C:\Users\Admin\Desktop\LockBit-1.0\Build\LB3Decryptor.exe
"C:\Users\Admin\Desktop\LockBit-1.0\Build\LB3Decryptor.exe"
1⤵
- Executes dropped EXE
- Sets desktop wallpaper using registry
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies registry class
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:4988

C:\Users\Admin\Desktop\LockBit-1.0\Build\LB3_pass.exe
"C:\Users\Admin\Desktop\LockBit-1.0\Build\LB3_pass.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2296
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2296 -s 220
  2⤵
  - Program crash
  PID:316

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2296 -ip 2296
1⤵
PID:5840

C:\Users\Admin\Desktop\LockBit-1.0\Build\LB3_pass.exe
"C:\Users\Admin\Desktop\LockBit-1.0\Build\LB3_pass.exe"
1⤵
- Executes dropped EXE
PID:3596
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3596 -s 220
  2⤵
  - Program crash
  PID:2400

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 3596 -ip 3596
1⤵
PID:4340

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\LockBit-1.0\Build.bat" "
1⤵
PID:856
- C:\Users\Admin\Desktop\LockBit-1.0\keygen.exe
  keygen -path "C:\Users\Admin\Desktop\LockBit-1.0\Build" -pubkey pub.key -privkey priv.key
  2⤵
  - Executes dropped EXE
  PID:2568
- C:\Users\Admin\Desktop\LockBit-1.0\builder.exe
  builder -type dec -privkey "C:\Users\Admin\Desktop\LockBit-1.0\Build\priv.key" -config config.json -ofile "C:\Users\Admin\Desktop\LockBit-1.0\Build\LB3Decryptor.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:860
- C:\Users\Admin\Desktop\LockBit-1.0\builder.exe
  builder -type enc -exe -pubkey "C:\Users\Admin\Desktop\LockBit-1.0\Build\pub.key" -config config.json -ofile "C:\Users\Admin\Desktop\LockBit-1.0\Build\LB3.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1688
- C:\Users\Admin\Desktop\LockBit-1.0\builder.exe
  builder -type enc -exe -pass -pubkey "C:\Users\Admin\Desktop\LockBit-1.0\Build\pub.key" -config config.json -ofile "C:\Users\Admin\Desktop\LockBit-1.0\Build\LB3_pass.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4128
- C:\Users\Admin\Desktop\LockBit-1.0\builder.exe
  builder -type enc -dll -pubkey "C:\Users\Admin\Desktop\LockBit-1.0\Build\pub.key" -config config.json -ofile "C:\Users\Admin\Desktop\LockBit-1.0\Build\LB3_Rundll32.dll"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1728
- C:\Users\Admin\Desktop\LockBit-1.0\builder.exe
  builder -type enc -dll -pass -pubkey "C:\Users\Admin\Desktop\LockBit-1.0\Build\pub.key" -config config.json -ofile "C:\Users\Admin\Desktop\LockBit-1.0\Build\LB3_Rundll32_pass.dll"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1784
- C:\Users\Admin\Desktop\LockBit-1.0\builder.exe
  builder -type enc -ref -pubkey "C:\Users\Admin\Desktop\LockBit-1.0\Build\pub.key" -config config.json -ofile "C:\Users\Admin\Desktop\LockBit-1.0\Build\LB3_ReflectiveDll_DllMain.dll"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3900

C:\Users\Admin\Desktop\LockBit-1.0\Build\LB3.exe
"C:\Users\Admin\Desktop\LockBit-1.0\Build\LB3.exe"
1⤵
- Executes dropped EXE
- Drops desktop.ini file(s)
- Sets desktop wallpaper using registry
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies registry class
PID:6408
- C:\ProgramData\95BA.tmp
  "C:\ProgramData\95BA.tmp"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  PID:6136
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\95BA.tmp >> NUL
    3⤵
    - System Location Discovery: System Language Discovery
    PID:6852

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\LockBit-1.0\Build\xJ5SImvxQ.README.txt
1⤵
PID:9188

C:\Users\Admin\Desktop\LockBit-1.0\Build\LB3Decryptor.exe
"C:\Users\Admin\Desktop\LockBit-1.0\Build\LB3Decryptor.exe"
1⤵
- Executes dropped EXE
- Sets desktop wallpaper using registry
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:5804

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-493223053-2004649691-1575712786-1000\DDDDDDDDDDD

Filesize
129B

MD5
b1f17136b0906290053e9a8e5a64222a

SHA1
d6b827b965a5a3eb713675cf66254efeafa72978

SHA256
64bfeb3d25a444e69ebee3030326ad28fb058339c17bb91b8a45c1dc40b147d6

SHA512
7565284ffc825bd85c598f99e19a8635d07e9bab2dcc93dc10d145e2eec5b667a8b8efec0a1f3ea961a05fe648417f78fd014d9f713d18703cad725c24f395e9

Download Submit
C:\$Recycle.Bin\S-1-5-21-493223053-2004649691-1575712786-1000\DDDDDDDDDDD

Filesize
129B

MD5
10c833d2fdc4810cb571deb4d5363dd1

SHA1
453e9b80f51dc8799694ab386ab015e147189e01

SHA256
92f12976fcab25c577c6951e0c0d8ec29e246252f927472e180399d8c03e36e9

SHA512
9a3a2c76d52e853be2c75d66051af52b8cca0bf5100ebaa0eb303483687934ef4783243f4a245a5dfce2297ddecb68da85a8ec14de777ff4a0bc77baa671df42

Download Submit
C:\ProgramData\C480.tmp

Filesize
14KB

MD5
294e9f64cb1642dd89229fff0592856b

SHA1
97b148c27f3da29ba7b18d6aee8a0db9102f47c9

SHA256
917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2

SHA512
b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Cache\data_0

Filesize
8KB

MD5
cf89d16bb9107c631daabf0c0ee58efb

SHA1
3ae5d3a7cf1f94a56e42f9a58d90a0b9616ae74b

SHA256
d6a5fe39cd672781b256e0e3102f7022635f1d4bb7cfcc90a80fffe4d0f3877e

SHA512
8cb5b059c8105eb91e74a7d5952437aaa1ada89763c5843e7b0f1b93d9ebe15ed40f287c652229291fac02d712cf7ff5ececef276ba0d7ddc35558a3ec3f77b0

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Cache\data_1

Filesize
264KB

MD5
e8e0483c1fb791eb9451839273cee4ac

SHA1
05ee3c57d07a548b95fd3005c2e7ff5fcbe9067a

SHA256
fcdded4b86c9dbfe1cf537d6aa7d185e994d1b2d92a3132262c15d8da662eab2

SHA512
95e378a48fa52e787ad9a58c4261ce81f5320c64e109585601315c207fa3c390b7fffc6d394173daba74622c21f685f3af8cf8e2f46fe5edbda8dd9d3934e5cc

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Cache\data_2

Filesize
8KB

MD5
0962291d6d367570bee5454721c17e11

SHA1
59d10a893ef321a706a9255176761366115bedcb

SHA256
ec1702806f4cc7c42a82fc2b38e89835fde7c64bb32060e0823c9077ca92efb7

SHA512
f555e961b69e09628eaf9c61f465871e6984cd4d31014f954bb747351dad9cea6d17c1db4bca2c1eb7f187cb5f3c0518748c339c8b43bbd1dbd94aeaa16f58ed

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Cache\data_3

Filesize
8KB

MD5
41876349cb12d6db992f1309f22df3f0

SHA1
5cf26b3420fc0302cd0a71e8d029739b8765be27

SHA256
e09f42c398d688dce168570291f1f92d079987deda3099a34adb9e8c0522b30c

SHA512
e9a4fc1f7cb6ae2901f8e02354a92c4aaa7a53c640dcf692db42a27a5acc2a3bfb25a0de0eb08ab53983132016e7d43132ea4292e439bb636aafd53fb6ef907e

Download Submit
C:\Users\Admin\AppData\Local\Comms\UnistoreDB\USStmp.jtx

Filesize
3.0MB

MD5
d1dd210d6b1312cb342b56d02bd5e651

SHA1
1e5f8def40bb0cb0f7156b9c2bab9efb49cfb699

SHA256
bbd05cf6097ac9b1f89ea29d2542c1b7b67ee46848393895f5a9e43fa1f621e5

SHA512
37a33d86aa47380aa21b17b41dfc8d04f464de7e71820900397436d0916e91b353f184cefe0ad16ae7902f0128aae786d78f14b58beee0c46d583cf1bfd557b8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
d7cb450b1315c63b1d5d89d98ba22da5

SHA1
694005cd9e1a4c54e0b83d0598a8a0c089df1556

SHA256
38355fd694faf1223518e40bac1996bdceaf44191214b0a23c4334d5fb07d031

SHA512
df04d4f4b77bae447a940b28aeac345b21b299d8d26e28ecbb3c1c9e9a0e07c551e412d545c7dbb147a92c12bad7ae49ac35af021c34b88e2c6c5f7a0b65f6a8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
37f660dd4b6ddf23bc37f5c823d1c33a

SHA1
1c35538aa307a3e09d15519df6ace99674ae428b

SHA256
4e2510a1d5a50a94fe4ce0f74932ab780758a8cbdc6d176a9ce8ab92309f26f8

SHA512
807b8b8dc9109b6f78fc63655450bf12b9a006ff63e8f29ade8899d45fdf4a6c068c5c46a3efbc4232b9e1e35d6494f00ded5cdb3e235c8a25023bfbd823992d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000004

Filesize
18KB

MD5
7d54dd3fa3c51a1609e97e814ed449a0

SHA1
860bdd97dcd771d4ce96662a85c9328f95b17639

SHA256
7a258cd27f674e03eafc4f11af7076fb327d0202ce7a0a0e95a01fb33c989247

SHA512
17791e03584e77f2a6a03a7e3951bdc3220cd4c723a1f3be5d9b8196c5746a342a85226fcd0dd60031d3c3001c6bdfee0dcc21d7921ea2912225054d7f75c896

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
ff9999a38258fb887fef4c215a6bfcf9

SHA1
2853cceb2779009c5689b3aa932f56c2044c5910

SHA256
f8acbdb987556db3c8312e5c592697af830c90582ba791aa98bdcfd74ea1d767

SHA512
d79e8faa9716920b87085a06a48a9a3a64498bcd44d8b967139f2da815b79d843ea286c9365cf82e17ae9edc7369af758729959564db05db3a581f8fd5703caa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
b9e9278889c7f62d8ef4bc0d886a0c3c

SHA1
829e70ecbea7f28564f1e551aafb98baa2db7313

SHA256
0579260ca1fef58482f3d7a4ad151ec15aae13886446a70e22512fecf9d0d89a

SHA512
f71e8eaa6b4b5d9eea2ccbf87293b6c69426d377389fdef5d5704f4af1197265f9d8716b7d9998cff1e91a45b67e0ecca3e548e3d9955fdee6454f461ff59ef6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
573B

MD5
986bb379da214dfb99a36e580b201811

SHA1
f9ae21229915155499efbee262111ceba50a73c8

SHA256
4a912448c0241f56ff36fd8642fbf110e63c7d2e9aab650bff232b0a04ae114d

SHA512
7487f2220f2814ad19d30fcca3c1a88c21fbff9159393078c34c1747a2fb20628c759c887432402cfe43c55d7449181a117064bafd5e11f70fe63be9de1c17ad

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
c3e7b128242326c23711e5f4aaa39292

SHA1
0924f3773408e41c61d24398e14abbd96625d846

SHA256
f2cc5cdcf9de8fe0120e17d9eeda6353f7672f87e103bf5ecd0904150578d124

SHA512
83cb5bf440ca1f9af10e6eb6d1eb335bff34a20ba4e2870c4ff267f1de86e178e658ad7b04ffd0df5d7a233aad9208bc63eb7e742a5ca530f4f05c0558fae1ff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
334e63bb2255034e217b6b8dfaa74c34

SHA1
6a5d1bae954eeded44921d8dad3816257666053c

SHA256
99ab38ad148dce47a3442f99c3fca7f461c3fea500d9f68227232ef73ea53c4a

SHA512
4729850722173a39d81e025cbb2e79cdc91439c98aa00fb0afae4250b60a4a4bc093d405293b9ee4c37269a229f15dd7f1b4fe2e237cb9ed07e454d8ea5c67fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
1ee53a4aa881ceba7f5af4173713a322

SHA1
fbcf2d551b083596e16d3c67b07effba243f2fe2

SHA256
cbf9cd0483fe071c8abac25d9be00ee7df559455624a7e0391c971ef270a5076

SHA512
7f1d395e2c20515c50d68d8abbb06b457ec0177d3a80889f05fbf2660c111d93cfc25ebb1d112229716fb246e25f5845bcc5b205e029fb7949e1a5ce325f0f31

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
35b87cd4ead0be5e00975c02dbd8576f

SHA1
a62a0ec8b1d9c5ae359c60dbc27a05a4a9eb1c7e

SHA256
30677751823c3a56b455f0124089c7334ca454f910adcf741497dbe84c0f0c1d

SHA512
217019767d5e6cf30ffbe7778928f6fa89451a34e1c40768ece4a24543a25abb749f225d4fe4ec1346a31bd88a00d7f210cdb384e1e4aff6b7972b5b533af09d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
76d5018899f4aea4880fcfad0f106d26

SHA1
8d433e71d249721c00a7181f5120948013b388e0

SHA256
30f907207f29a301d85e3f3fef5a81327d55ed8b1a45438c4a1e5e829fbd6695

SHA512
1022b213f5a19dbc88842d0370ea3180e643eb591810baead2103e62cde4572ea57882df6050c87555aab17ea974d51b7c85e1214552002c97c860c091bbc293

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
874B

MD5
55ebe1e16a0eb17fab3d17be73308f77

SHA1
78115a6ad5d46e18b8523f7d2c1ba661bd7bb69b

SHA256
10de650a71d8d5d548923f7fa73e0c5a45770118fa8ac180fb4a8b452f3e1e05

SHA512
de090645ab1ab24c88cb3d707d46033eb2d6d99458251772742404c940f19c21a2b90a7925db4ce81bfac3a983d2fe13c2481a1367264592ac88e299ac5621ff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
1e024dcd3e280556f50eaffe5a9e12df

SHA1
0980d53583b6c9fbe4640e13a2b91eef76d4e027

SHA256
6cde6301ab53000920ebec67f9586d79c4f731f5981b5de46ec22edae56990d1

SHA512
1445662759d3bfc641c257d4f9ac58adf76a3ce12529cc7d3036f50c600a4c4d7ad5e031ee35c7f793a103ca1b5d6c1095b0cd72c0be550cd4c0a5d97be3fd1d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57fbb5.TMP

Filesize
874B

MD5
c5c6a34b888f6dbdafdf646431f39ed7

SHA1
29fb10e491aea0cecad3d9c79e46fb4bfd4b0913

SHA256
3fb6cdee8eb149f28d918a109cf9e3d16d997cbf97594bf00113d0c6bd75776b

SHA512
64038f3786bde23cfe17c407355833504ae952294fb145f1fdbcd3cec26b664db34b8f8a2c875176b302c3a59a8b376b65f3ee47d1cce8e66ab3826c870e99ac

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
62b35f628cf13961c581e0edce486bc2

SHA1
4ef3735f308987471c9f9412f04364339cef1c9d

SHA256
17efaa218f3e767d99fa79b1440907018bc0776744ece4e57b40f0bf9a11be32

SHA512
3ce73469c1b437ff4b733d21635648a5229a5ceaaef349b5bc18ee0bd32deb5ca23d0c72be68b3a0a52a5bf02f83673c591df14ee5f807cce87125e789d85a12

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
742d4932d320b1ab0323e50df1d440d9

SHA1
ed73249839d6b4d9963861aafe1caf97149ac942

SHA256
9cd801dae938eb90ab82f22d71f27683b467fceb615a06d6404a21aa4fc00b1f

SHA512
b18ea0595d33718cb48877f511bf772609938fd6213ec54764db51f8ce41751cd8620732bb7d9e3b573fa0254ee877b2ba34cafcc902691ccc9b92b11b5feb8a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\9cd93bc6dcf544bae69531052e64647ec02f2bb4.tbres

Filesize
4KB

MD5
6a76c5dbdee99e49a694d6312172fa23

SHA1
c1ae3c25f535467844fb063571df3e6feb07e09a

SHA256
8e9783cfa43cf2c269c3423928084e18b2661fae622c2dbd9f6f90a7085ffa7a

SHA512
5ae26bf67f4342a1f99213247eba7d69b44b8853ab7747e56c9c4a2cba2da4dd342ed12fe3bbe392809beafefede990a9e755d749a1f4501a04af28f8f33be95

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\Microsoft_AutoGenerated_{51325390-AE6A-68FC-A315-0950CC83A166}

Filesize
36KB

MD5
8ab0ccfe101f2a223bf9fc11f910ec64

SHA1
86a7cf51b399bb786896fb77f59ee8b4844f5afe

SHA256
8cc15be591c4f70f964d3554be30283f925747d09eb71692bf40b8125e2bb68a

SHA512
b862068ea8bdb828186c2bc693b1e99d622a48a82eea13886090c44e17d132ad1a96bae4a96214d9a8abeb22f7c85f4ef25a000cc1bf977fd43e67bf1064a61e

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\Microsoft_AutoGenerated_{A5E73466-E220-8EF4-B956-A582187356D9}

Filesize
36KB

MD5
8aaad0f4eb7d3c65f81c6e6b496ba889

SHA1
231237a501b9433c292991e4ec200b25c1589050

SHA256
813c66ce7dec4cff9c55fb6f809eab909421e37f69ff30e4acaa502365a32bd1

SHA512
1a83ce732dc47853bf6e8f4249054f41b0dea8505cda73433b37dfa16114f27bfed3b4b3ba580aa9d53c3dcc8d48bf571a45f7c0468e6a0f2a227a7e59e17d62

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}_comexp_msc

Filesize
36KB

MD5
eab75a01498a0489b0c35e8b7d0036e5

SHA1
fd80fe2630e0443d1a1cef2bdb21257f3a162f86

SHA256
fdf01d2265452465fcbed01f1fdd994d8cbb41a40bbb1988166604c5450ead47

SHA512
2ec6c4f34dcf00b6588b536f15e3fe4d98a0b663c8d2a2df06aa7cface88e072e2c2b1b9aaf4dc5a17b29023a85297f1a007ff60b5d6d0c65d1546bf0e12dd45

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\{6D809377-6AF0-444B-8957-A3773F02200E}_VideoLAN_VLC_NEWS_txt

Filesize
36KB

MD5
968e7d1aa993ef1052b35a95c51946d5

SHA1
c67817521eb4f70d692d3d29b32676b1871e3d40

SHA256
719fb4e7016e1c4fff64166a8809a6ffe5d16ba0a40e4e8593ba7f664337e239

SHA512
3382a01b518c38859c1ffc8799aacb941fd7bedd2cecaab4fc8e7fe8e44aeb6acf3997b844b9b5d8ddf4e72331e33972606cab1e9d8b527bf80ef7a9a0136022

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{86adf6ab-7c6a-4a39-b307-46b5e082d68b}\Apps.index

Filesize
1.0MB

MD5
9dfafe498add3d29708eecb00967371a

SHA1
47ad4bade78d04a2a460daaf54b4b11211bec88b

SHA256
031e536c2dd798a3ba693e4b5ffb014ba06b9175e45b51846f663c318e1d0bef

SHA512
4de96f5d4bd63c36b72f4598943f5ee61e7473567cf904f06292fe3fcc0a4e31eccab3115c98d6000799a05aff8e21587f8feb38cc7cc6484135df788f66c823

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Settings_{956eb289-a20a-456a-8100-e4caacde1a1d}\0.1.filtertrie.intermediate.txt

Filesize
5B

MD5
34bd1dfb9f72cf4f86e6df6da0a9e49a

SHA1
5f96d66f33c81c0b10df2128d3860e3cb7e89563

SHA256
8e1e6a3d56796a245d0c7b0849548932fee803bbdb03f6e289495830e017f14c

SHA512
e3787de7c4bc70ca62234d9a4cdc6bd665bffa66debe3851ee3e8e49e7498b9f1cbc01294bf5e9f75de13fb78d05879e82fa4b89ee45623fe5bf7ac7e48eda96

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Settings_{956eb289-a20a-456a-8100-e4caacde1a1d}\0.2.filtertrie.intermediate.txt

Filesize
5B

MD5
c204e9faaf8565ad333828beff2d786e

SHA1
7d23864f5e2a12c1a5f93b555d2d3e7c8f78eec1

SHA256
d65b6a3bf11a27a1ced1f7e98082246e40cf01289fd47fe4a5ed46c221f2f73f

SHA512
e72f4f79a4ae2e5e40a41b322bc0408a6dec282f90e01e0a8aaedf9fb9d6f04a60f45a844595727539c1643328e9c1b989b90785271cc30a6550bbda6b1909f8

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133727658865736960.txt

Filesize
77KB

MD5
03b05a9ae05009ecfa8bb2546d91b295

SHA1
c4cd57d3447073e1101838a991878fa645097834

SHA256
b855ec7fae4a31384a7d7037388330c1b56c20e66afe47432becf076feb6f8d2

SHA512
7f4b2b6d63717b2bdbb80ec0b1472be6058c2979ba21e5b2e65463bc1382c9b897275ec6c29e9127c2a607d49387d314d44a50f967398a3917a604246e92ebc7

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133727660257997193.txt

Filesize
47KB

MD5
2b01d2a2020e15bc13b94e2a342c9f7d

SHA1
8a7c51f3a7bde54c87fb0cd95779858f27c8fcfd

SHA256
2bc6a5b0918d7dde1fd4b07d79638761d6f4a16813c03303ba8f3c58a6d2f44f

SHA512
aac776dc22720c8cee30161249e165be6b04f7cb3058bb3771df43cba46255d988a496159a5b19fb5749d1a3b5a848fa60d31c58c925ab9721828b0559d45db8

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133727666145703406.txt

Filesize
65KB

MD5
45f5e32d526230a0a91c803d040880ad

SHA1
dc6d20324ac7f9f7c813b85bb895c9ed3f72bd3c

SHA256
94e414deb8664f125e96af25d50ffc6dcb9ebe556a8113cdadb09e7c8c0a290f

SHA512
7b2cd12e8129f8c63265c09fa93e333abc8a0d7b38cb6957f9719cc16ff38d1d6d3f5b728a6ddfebecd2f12957a9ef54bdf6607efcc868f7a7e92cdd44668d74

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133727713476690718.txt

Filesize
75KB

MD5
5da9c6084c0611a39aae6b124d1c5779

SHA1
c9e6d15b59492fc2a90a4b41490979e9f40036c3

SHA256
823f7252e9ee585f1664d446a77d97c566648e5675d698617442a598e7796a7d

SHA512
a38699d87d9807f3c00abf1fc9c06f5a463609ddc03d1bc124b8cbe00db4fbd3743e89eea7ba301f9bd79bb7a4933af5bcaedb0fb72ad81086a4378a9e2a253e

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.XGpuEjectDialog_cw5n1h2txyewy\Settings\settings.dat

Filesize
8KB

MD5
a8308d2f3dde0745e8b678bf69a2ecd0

SHA1
c0ee6155b9b6913c69678f323e2eabfd377c479a

SHA256
7fbb3e503ed8a4a8e5d5fab601883cbb31d2e06d6b598460e570fb7a763ee555

SHA512
9a86d28d40efc655390fea3b78396415ea1b915a1a0ec49bd67073825cfea1a8d94723277186e791614804a5ea2c12f97ac31fad2bf0d91e8e035bde2d026893

Download Submit
C:\Users\Admin\AppData\Local\Temp\wct264B.tmp

Filesize
63KB

MD5
e516a60bc980095e8d156b1a99ab5eee

SHA1
238e243ffc12d4e012fd020c9822703109b987f6

SHA256
543796a1b343b4ebc0285d89cb8eb70667ac7b513da37495e38003704e9d88d7

SHA512
9b51e99ba20e9da56d1acc24a1cf9f9c9dbdeb742bec034e0ff2bc179a60f4aff249f40344f9ddd43229dcdefa1041940f65afb336d46c175ffeff725c638d58

Download Submit
C:\Users\Admin\AppData\Local\Temp\{09125D41-D6E4-4966-8D30-18F30D3DCCA2}

Filesize
4KB

MD5
c20eb28b211d12004513df202651cd1f

SHA1
2c4239b6c01511d4fd40991b0f3d764d5a170e55

SHA256
3316c6f9b0d1dd4345b73e71d599ad5e65e8afc84b8abf611a97f1c814c3fafd

SHA512
57f91452a7272acbe065e58eb44b42e2ec3a15600d109f5e60426d3a073a7f42a2dc996a9d4528f31d009dc1eac48f7f5c1455307e4013a268aabcb7a9c8487b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qgf82dd5.default-release\storage\permanent\chrome\idb\1451318868ntouromlalnodry--epcr.sqlite-shm

Filesize
32KB

MD5
b7c14ec6110fa820ca6b65f5aec85911

SHA1
608eeb7488042453c9ca40f7e1398fc1a270f3f4

SHA256
fd4c9fda9cd3f9ae7c962b0ddf37232294d55580e1aa165aa06129b8549389eb

SHA512
d8d75760f29b1e27ac9430bc4f4ffcec39f1590be5aef2bfb5a535850302e067c288ef59cf3b2c5751009a22a6957733f9f80fa18f2b0d33d90c068a3f08f3b0

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qgf82dd5.default-release\storage\permanent\chrome\idb\3561288849sdhlie.sqlite

Filesize
48KB

MD5
62eaa948168dfdcfc2dba38270256b9d

SHA1
7fde700c14136d974545553b29ec975af174a5e5

SHA256
0c68e1e62fa73deab8d0dff418956349ff05d18472d01cbdd9f5b5f7de193a35

SHA512
bde8058e11d11040cf2a9ebc49fc55be4ecb7b1e25720a85d0a6174abeee5200281f867900ee884978cdc84c33fc6fe30a6d750289c9195dc4a3402626946060

Download Submit
C:\Users\Admin\Desktop\LockBit-1.0\Build\CCCCCCC

Filesize
153KB

MD5
67dfea4f814c8634bb4cf8fd1671db52

SHA1
27f149de876695fe9dae3ff8361c97ce9a566542

SHA256
895dda60c05fef01d4efc8717667a60a92d785fecde4c3601baef8b7f30afa3a

SHA512
2948bb4f7d5f03c77ebc93b206c0c91bf4995808933fa238a86c6d2cc9aba1c1daca6e285fe73e0886e932c9c7eb223709e8cbf80fddd5840adcd129c0436815

Download Submit
C:\Users\Admin\Desktop\LockBit-1.0\Build\DECRYPTION_ID.txt

Filesize
16B

MD5
551825363f24ba2b5634b091ae73b3c8

SHA1
28560d66d70c715d1c9fa86a5aea20042386bf19

SHA256
63201fad201a795cf8cb08344cfb9823559ba9b36e3c2e277543d2dfe6e2f9c6

SHA512
87312d5c5286b47f64e36b9c819e28acb31a1a947775d2276201d8fc7124e5825e310b3c51668bfb783c388753c7589b9c81a5345fb8d64f0a799824f534fd45

Download Submit
C:\Users\Admin\Desktop\LockBit-1.0\Build\IIIIIII

Filesize
153KB

MD5
9789af89e08a2552467eca6662a07885

SHA1
a0850b180e26fe4804096cc22d26fed7995c417a

SHA256
1054c5b48e6a1022bf5218352afdd0fdafe07da3eff55a1ee059c361a8e92f50

SHA512
53124bb92dda60dc5faf9e79343702231414a048f61b15da7301264fe24a269691a33237645dc5a79d3597cf1db17a026b996548faa131e36f4156449cda5575

Download Submit
C:\Users\Admin\Desktop\LockBit-1.0\Build\LB3.exe

Filesize
153KB

MD5
3afff1d0c3e7320bcf83da1581891b6c

SHA1
6d873d495f22fb7b9a22b54e647a2e0429a0a33f

SHA256
118dce9b4c7d47dfe66cb263bdfd1f2baaae87329834c5e19c776d848b964d13

SHA512
116618a3b54a946d780de05cf06fe57c5c857457da803a431b2cf607e194e4f6636e37d535f667abbaaca8f729f913f0035805e2bff6824fc8c2a09a681a018e

Download Submit
C:\Users\Admin\Desktop\LockBit-1.0\Build\LB3Decryptor.exe

Filesize
54KB

MD5
4ba754182d3316ff5cf66cf651d3c335

SHA1
29b247e9098e963722ed3015bf369fe773b90ec6

SHA256
617a242f9b6b0f8d037fb2023978cd17a1fcf24ecf60905ed1d38679b9830b40

SHA512
72b2b3baa77ab97e68e288ceafc19293818553d55ee2e74fa199466126c1b692c97c13560e635a33aebcf88eef60bef18353d6b96f47d5cde6c076d1cfa15155

Download Submit
C:\Users\Admin\Desktop\LockBit-1.0\Build\Password_dll.txt

Filesize
1KB

MD5
d0089671ebc9316914a522e94112bc84

SHA1
a4239bbd40076594c5ea5c1ce0f396ebd693fe3d

SHA256
8b3a904fde7e8af7814caeae21e44b643d28c784e2b790cec49320620cf46a4f

SHA512
180e5378b59d62e19e6ef96bc708e6e3441d79ef72e3215e59b44f8d98e4c7bee51d02044118b77a2cce4a35149f57579782a16ffe4eb8d75c552ab4fb63d928

Download Submit
C:\Users\Admin\Desktop\LockBit-1.0\Build\Password_exe.txt

Filesize
2KB

MD5
fbcd957777b76757cd659b687a8df8cb

SHA1
7751af109b29e996180e9fc438d4811c86e82f4c

SHA256
301ee50059175ac3b70baa143dc50cd6f5b1ac2ea6599d9750ca6f6370cd4ddc

SHA512
24e3a14e85125b57edc77da22e4d412683dc9cb5c5c974cf6d2716b92386b4b2117448558f4c62e14f34468d2942b0e8103ff4ba0eef9499122160d7cf1ff56d

Download Submit
C:\Users\Admin\Desktop\LockBit-1.0\Build\priv.key

Filesize
344B

MD5
391286e1d871956bf5f1aacbf3671a5b

SHA1
000a3fde51de5e67d16e3f7e553244cb7b1abb4a

SHA256
a230ee0647ad8bcb3855c3084a38c096653bee9ec145199cd3e048508199c150

SHA512
f01d252e332f3351936744d5f97f401add24c6b2a82d96b05e0aa420c7df4f039d9f6c4cb14658c3eacd3849fb7ccd24c5c105ca22556540f0c18eb30ddf91f7

Download Submit
C:\Users\Admin\Desktop\LockBit-1.0\Build\pub.key

Filesize
344B

MD5
3f90557fe777d9a0ec14163d0d3a7de1

SHA1
9fb3a0478bb56c4922544b4e9445dfd47d6be5f6

SHA256
6a67c7f08edb5f8524b0017bd623cedb392d35ae6f7296405fbe7d5d836b882b

SHA512
e694d8ba4cfe8e7510ee8221e6963979302156b69ad50b730b411d708ae82a1ee127c9a3ddec06dcf1dc490b308b73cca5970b82901451921c01a3551f2c1872

Download Submit
C:\Users\Admin\Documents\OneNote Notebooks\My Notebook\Open Notebook.onetoc2

Filesize
4KB

MD5
03ab3480f3a1e884cc41680a73a7172d

SHA1
7d95f219f26dc2a77072f366e5700c39617d6bfd

SHA256
671389ba0606911071e50de650dfb4c2b4db67920447cb92278cf0c2367e6f27

SHA512
e3c90bb501cf29d4344f446892f52ed1a9da9344fa655a822dfd8083945432c7393f5d00d176b8deda6f9b0643ed4a883a46f8fcf8e6e861b543ca145bf92a2f

Download Submit
C:\Users\Admin\Documents\OneNote Notebooks\My Notebook\Open Notebook.onetoc2

Filesize
4KB

MD5
c0ceae83b70eb9c4596e52babf0fc6e2

SHA1
3ca7caf85c109277cfd1b99755e8b10af858ebda

SHA256
2f10ceddd75a838af80a63c7d983ad9d97c67acc917851ddbf9199e16c11fd3d

SHA512
9ffd04374ee53854e1fa7f4d124a472757874dd7707d8ec0e2604d49b6709b280c44736523dd5d408164b644cd4d4389aded09ff66da5edc2e70b3d2f95d5404

Download Submit
C:\Users\Admin\Downloads\LockBit-1.0.zip

Filesize
291KB

MD5
e5274ad5e40fb5ed4f1f178b661a7c4f

SHA1
d103f53d7b1af533de9be84f3db9ab09c4fee5fd

SHA256
73cfd649e81c65584dc29b8a07a0735aad8bda2bf201cee1648b82f298bba8a0

SHA512
56df781294fbee08d4175c84f95368252cec56b80769be53065caff866101dac5996a296f8b166fea6128ddcd9df31ccb4945088ecf897a168e1c17bd5e0e991

Download Submit
C:\Users\Admin\Downloads\LockBit-1.0.zip

Filesize
291KB

MD5
cac10a0d52e4b5a3fe4a837fe0b1d09b

SHA1
a3ff8adaec7245d4667a0758b125fb001307bfc2

SHA256
75a08da6fc59e7b83c65f37ecc68c6c2395cb308bfae7510bdaa05c1b6614115

SHA512
8086ce7aaa767bbee11a99f161f5b2533fca63632e8382d20d6e494b8eb70de04a1a76ad48b36c4f050e8512e96e3bc0935fde20ff393215543cd0cab4e6d9f5

Download Submit
C:\d1ntMCSCb.README.txt

Filesize
6KB

MD5
dd746ace17e44ace00885b91400f11d5

SHA1
4a0302d2dca400598f396e4230fdae71779cbeaa

SHA256
b27c3c8a30faf7c76483b7e5d964ae85046a9713caa46508ee7a1e31b7dc6272

SHA512
8ac26aa7262fdf1afdc74e604720a79ebde076c75f460d7d5f57ff4d81dedb1ad471eb114ddd428c1934029746f5c222339090680bc77a6ea09ce329e1da3ef1

Download Submit
C:\vcredist2010_x64.log-MSI_vc_red.msi.txt.d1ntMCSCb

Filesize
380KB

MD5
eaebf9c6776d5456047f75098c3951aa

SHA1
dd4ba2e10e0cb1ae354d06c8029d16c945cc7767

SHA256
dc2c05f3e4c2363aa8be0d2bc476622722d7fe97697224047e660309eadcd588

SHA512
5fe4eec6adb6c277d240a02b1de8c32066a7e3c9331cccdf9e85642798bdc83d07127f818cad7747d7c629bef0340501ee35025e85353c417be9e22e47b59096

Download Submit
C:\vcredist2010_x64.log.html.d1ntMCSCb

Filesize
86KB

MD5
06ed8fa4c17896b1cd1ab2b160fad58e

SHA1
5a13e6bc1ce8be18c01138248a1c930fe7ee1272

SHA256
32b5ed12a23eb2aad944e9036757ca7141a9506ad12ee5ef88002f588884c373

SHA512
ec0e808c5466d7611f05d08b48cc03ad61c38b41edf515f668e96b554799e659b9571eb8199a55eb99fafc48e39f8768e1cf1004ed19c40eb35013064dca734d

Download Submit
C:\vcredist2010_x86.log-MSI_vc_red.msi.txt.d1ntMCSCb

Filesize
395KB

MD5
b119ebf8b4160747a6da928e5d0fc43e

SHA1
6873152f406d423685eb5730713d88a35f695943

SHA256
7ffeb7761f17310e6fd4386a41ad0a059f40725727b9d3ac46d2adf222026932

SHA512
351d9a631003bdd4194ef4bb6062e8376b2e27f387fed3385d4eff84f75a9b7cbdc6be2787e10f6ea7fd719fb6d153a5fa3ce5013687df2c27f455b23bfe14dc

Download Submit
C:\vcredist2010_x86.log.html

Filesize
81KB

MD5
1acbc4d9ec8df51bc7d91dd5e7054b50

SHA1
8a446c9bfdc397b856f83f91101b85a2eb3eb083

SHA256
8465ae6aff354fec5f1efc6650f7bce30cf780f1ff3bfe95184136a5cb7952de

SHA512
7d08c0cf1c6f177fe3458ec2b754adac6a0e41c7a3474bb997902f6887eb0fa406e4a03f1f00475c5d3956bdc8ff12725d8a61916c7428ef867fa4f0e1088cf9

Download Submit
C:\vcredist2010_x86.log.html.d1ntMCSCb

Filesize
81KB

MD5
8ec35efbd14bdc4f9732d3521b9cadce

SHA1
b895031c71164a61682023e095dc8ca014a3514f

SHA256
ff77c25f19eecbb29edf6c1727b41534cbdad03ad42dc3e6abd90109ce62e1ce

SHA512
113cd68a3c326f5e4fd422602836f49b5fb44452302723acc40a662b91e43f340bff9ae9ca6dae9496df427a481e0505b7e46662ed2b2a5ec40a4a47a87db2dc

Download Submit
C:\vcredist2012_x64_0_vcRuntimeMinimum_x64.log.d1ntMCSCb

Filesize
168KB

MD5
39342457fa7c623b87b9989597582634

SHA1
0faa09c5550dd4096d506e806ff4b919db27be8a

SHA256
024c48c9ed5ff114f994b6c639b8efc167ae9dee433634ca07ff245152bb107a

SHA512
c68f9d67cf6c868ae554834475f99814ab47cd8d284935358c691caee2f540a73341a7c1ffe5b539609d41135af9d92600dd4152cd8fb6a47383c1448f74f723

Download Submit
C:\vcredist2012_x64_1_vcRuntimeAdditional_x64.log.d1ntMCSCb

Filesize
195KB

MD5
a9969b119cea1affe766647fa6f7b63b

SHA1
5f52cae4f10653832ff3a2cf4bf1ec12db154f8c

SHA256
d56656363aba3d1e3ba9b0f29c5acc8972f673070d0a1352c0d26d49942ffbd9

SHA512
4aa027bd895409c7ee14b457c81dd8385d74172f76e8e44b34b3730bdb883c530f38d2fb7193f29248cbb694299396616495cc9efba7a6507ffcf8f7fcd856fd

Download Submit
C:\vcredist2012_x86_0_vcRuntimeMinimum_x86.log.d1ntMCSCb

Filesize
171KB

MD5
59b9e6cfbcf78923a81f47f9e6ca569e

SHA1
ff6d671c30a917bc5ee6de9784ec5b484c77dbd4

SHA256
2aeb19624f2939d5ff85cb13fd18850310407fcd34eece65b542d72cfccc37a7

SHA512
51b1c819906e05b2f2ac1aaabecbc359eccb2ee5632e009b8730aa3dc26aecd7c581383966bbcca0c87d82c5cd1acecf88ab404cb2b132d62d34f902c4379d36

Download Submit
C:\vcredist2012_x86_1_vcRuntimeAdditional_x86.log.d1ntMCSCb

Filesize
208KB

MD5
fcb01b140321296d409cf3ad5d0320a1

SHA1
36e2e1c035a524ff16fee9db14b65bb50f0f6695

SHA256
3029b80f553797ee1629d2a7934751b8feda89ff06d7083b4f97a72837e150ba

SHA512
bbea0f686c10ebb5a5d095551fe3a4f2b9065d26ef45abe36befda0a8f1ddbadc47e58e1ccee2a763720f55996ae2ca5ac23df07da8ca006534d1a66a117e0a2

Download Submit
C:\vcredist2013_x64_000_vcRuntimeMinimum_x64.log.d1ntMCSCb

Filesize
170KB

MD5
27ea475c0c7d6d4484b5afd2151cf757

SHA1
f83e6a76bbfb401e2d26d2e08ab22a33536a97af

SHA256
db232faedc4a5b96ce8137077a4cc21c7f49120c77cceb678c40f526189df016

SHA512
b259ece79fa19838b7e32c2dbb82e3b84b7894fc413eed1f5da650959a9e36f46ebb7267881c4bb10272ff8c7c01ce063e8a164813aa811a10498a7bb2136401

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-493223053-2004649691-1575712786-1000\DDDDDDDDDDD

Filesize
129B

MD5
3a2bbee772e8b05544c020c07868d438

SHA1
ecd6ea68c32367dc8bead09638ac33e352e683f3

SHA256
550ac26c6cea3e37d5000cdd736869f1dbc74e8e31b4ec7867b3c00d12afa346

SHA512
793187d611d5e819da0f5cfa78e713ccaaa1892d5483dc17517138f7eedb537af9a536b0d289b939ab79dcbb5593c5fe416d35ab06ad3aa43962790d9e5aac77

Download Submit
memory/316-3436-0x00007FFE8F440000-0x00007FFE8F450000-memory.dmp

Filesize
64KB

Download
memory/316-3401-0x00007FFE91D70000-0x00007FFE91D80000-memory.dmp

Filesize
64KB

Download
memory/316-3407-0x00007FFE8F440000-0x00007FFE8F450000-memory.dmp

Filesize
64KB

Download
memory/316-3398-0x00007FFE91D70000-0x00007FFE91D80000-memory.dmp

Filesize
64KB

Download
memory/316-3400-0x00007FFE91D70000-0x00007FFE91D80000-memory.dmp

Filesize
64KB

Download
memory/316-3399-0x00007FFE91D70000-0x00007FFE91D80000-memory.dmp

Filesize
64KB

Download
memory/316-3402-0x00007FFE91D70000-0x00007FFE91D80000-memory.dmp

Filesize
64KB

Download
memory/2296-4109-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2296-4108-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3596-4110-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/6436-7087-0x00007FFE91D70000-0x00007FFE91D80000-memory.dmp

Filesize
64KB

Download
memory/6436-7086-0x00007FFE91D70000-0x00007FFE91D80000-memory.dmp

Filesize
64KB

Download
memory/6436-7083-0x00007FFE91D70000-0x00007FFE91D80000-memory.dmp

Filesize
64KB

Download
memory/6436-7085-0x00007FFE91D70000-0x00007FFE91D80000-memory.dmp

Filesize
64KB

Download
memory/6436-7084-0x00007FFE91D70000-0x00007FFE91D80000-memory.dmp

Filesize
64KB

Download