Overview

overview

10

Static

static

3

48116c6b90...37.exe

windows10-ltsc 2021-x64

10

Resubmissions

29-12-2024 13:04

241229-qay7easkhp 10

29-12-2024 04:36

241229-e8kwwsspht 10

Analysis

  • max time kernel
    101s
  • max time network
    100s
  • platform
    windows10-ltsc 2021_x64
  • resource
    win10ltsc2021-20241211-en
  • resource tags

    arch:x64arch:x86image:win10ltsc2021-20241211-enlocale:en-usos:windows10-ltsc 2021-x64system
  • submitted
    29-12-2024 13:04

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    48116c6b904486d50de874c9afe866a2e4f66c1fdbef60ccdae2b440ebe64037.exe

  • Size

    959KB

  • MD5

    aae021c0f8b3d4d319235d1025c1f35d

  • SHA1

    c0893afb208b4ae591e8bf130b5c2077771e7706

  • SHA256

    48116c6b904486d50de874c9afe866a2e4f66c1fdbef60ccdae2b440ebe64037

  • SHA512

    f3fcf2d08fca0a679e08de4912dd4cca5f2aa4af3d500702568c7e6bb53680bfd7dac991126a8cf47faf0d2f8f067a50d123568b5c2a85811e347a0da62855df

  • SSDEEP

    24576:uLjr3s2nScu1i1tz3f++5kRzFxk7rMxNeR1R9qpdGF:Ujrc2So1Ff+B3k796o

Score
10/10
lockbitdefense_evasiondiscoveryevasionexecutionimpactpersistenceransomware

Malware Config

Extracted

Path

C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\Restore-My-Files.txt

Ransom Note
LockBit 2.0 Ransomware Your data are stolen and encrypted The data will be published on TOR website http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion and https://bigblog.at if you do not pay the ransom You can contact us and decrypt one file for free on these TOR sites http://lockbitsup4yezcd5enk5unncx3zcy7kw6wllyqmiyhvanjj352jayid.onion http://lockbitsap2oaqhcun3syvbqt6n5nzt7fqosc6jdlmsfleu3ka4k2did.onion OR https://decoding.at Decryption ID: C9429E1B932B36E888604C33D7CA4A48
URLs

http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion

https://bigblog.at

http://lockbitsup4yezcd5enk5unncx3zcy7kw6wllyqmiyhvanjj352jayid.onion

http://lockbitsap2oaqhcun3syvbqt6n5nzt7fqosc6jdlmsfleu3ka4k2did.onion

https://decoding.at

Extracted

Path

C:\Users\Admin\Desktop\LockBit_Ransomware.hta

Ransom Note
<html><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8" /><meta http-equiv="x-ua-compatible" content="ie=9" /><title>LockBit</title><hta:application id=LockBit applicationName=LockBit selection=no scroll=no contextmenu=no innerBorder=no windowState=maximize minimizeButton=no singleInstance=yes sysMenu=no /><meta name="viewport" content="width=device-width, initial-scale=1.0" /><style>html{font-size:100%}body{position:relative;border:0;font-family:Arial;padding:1% 0 0;margin:0;width:100vw;height:100vh;overflow:hidden}*{font-size:1rem}.g1{content:"";position:absolute;left:0;top:50%;transform:translateY(-50%);height:368px;width:150px;z-index:-1}.g2{z-index:-1;content:"";position:absolute;right:0;top:50%;transform:translateY(-50%);height:368px;width:150px}.container{width:90%;margin:auto}.container img{max-width:100%}.ht{margin-bottom:1%;position:relative;padding-left:16px;font-weight:900;font-size:1rem;line-height:100%;letter-spacing:.05em;text-transform:uppercase;color:#dedede}.hb{margin-bottom:1%}.hb img{width:850px;max-width:100%}.hi{margin-bottom:1rem;background:#fcfcfd;border:1px dashed #f71b3a;box-sizing:border-box;border-radius:4px;padding:1rem 3rem;width:100%}.hit{margin-bottom:1%;font-weight:700;font-size:.9rem;line-height:100%;color:#222}.hib{font-weight:700;font-size:.9rem;line-height:100%;color:#f71b3a}.main-p{font-weight:700;font-size:1rem;line-height:125%;color:#333160}.mn{position:absolute;width:5%;height:276px;top:3rem}.mn img{max-width:90%}.ml1{position:absolute;width:50%;height:10rem;left:0;top:0;background:#f3f3fc;border:1px solid #cfd3da;box-sizing:border-box;padding:2%}.ml2{position:absolute;width:50%;height:13rem;left:0;top:11rem;background:#f3f3fc;border:1px solid #cfd3da;box-sizing:border-box;padding:2%}.mr3{position:absolute;padding:2%;width:48%;height:24rem;left:52%;top:0;background:#ffdfdf;border:1px solid #ffa5aa;box-sizing:border-box;border-radius:4px;font-size:15px;line-height:130%}.mlb{font-size:.8rem;line-height:1.2;color:#8988a4;margin-top:2%;margin-bottom:2%}.mlb img{max-width:14px}.sp1{left:0;top:50%;position:absolute;display:block;width:6px;height:6px;background:#f71b3a;transform:translateY(-50%) rotate(135deg)}.mll{font-size:.9rem;line-height:1.2;color:#333160;margin-bottom:2%;position:relative;padding-left:20px}.mll a{font-size:.8rem}.mlt{margin-bottom:15px;font-weight:700;font-size:.9rem;line-height:1.2;color:#333160}.mlt img{max-width:14px;position:relative}.mrli{font-size:.9rem;line-height:1.2;margin-bottom:2%;position:relative;padding-left:25px;color:#222}.mrli a{font-size:.9rem}</style><script type="text/javascript">function o(c){var d=new ActiveXObject("WScript.Shell");d.run(c.href)};</script></head><body bgcolor="#F8F8F8" text="buttontext"><img class="g1" src="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAJYAAAFwAQMAAABgpRCKAAAABlBMVEXw8PDv7+81SmF7AAAAAXRSTlMBN+Ho8AAAAWpJREFUeAHt1slxBCEMhWFRs3AkhA7BIRAahEYIDoEQOM5CIfvOX2V5nwWOX+8t6RWirzIt1QamGayDaQY7gSlZBTuBKVkBO4ENMM1gFayBdTAly2AV7ATWwQaYZrACVsFOYB1sgClZBitgDewE1sGG0ZSsGK2CNbATWP/YDC/t6K9uYDsqe4Kyb/Pflx0Y9mUEC9CrHnrVgeHgRLANhimA+fkniAPDaU9gERJgI4PoCWAe0mMH5sAgytgSWIQMJdvIIC6D0TwZFGRnNEcGhSOT71iai/4ti39mJyim9bxly27TdFpkFayBnYzWly1btuxH7AVMElgAc2CSwCJYAPNgDkzIElgE24wWwLzRdkZzRpPvWFom+rPmjLYzmjda+EY/R7AEZpxBDxZuyPyN2+7Gzd2hya1buiFTmzmwHZgHiw+8l1q27PTD1r5h1WjFaBlMZhtG62AnsAZWwDKYzNbBGliZbchs9Z3eAJcyeuremDsyAAAAAElFTkSuQmCC" /><img class="g2" src="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAJYAAAFwAQMAAABgpRCKAAAABlBMVEXv7+/w8PB6KHGJAAAAAnRSTlP/AZKwANwAAAGJSURBVHgB7dSHbQMhFMbxh1xQZwQWyA6MdozGCBmBEVB3QRApF3wk77P80l34q/+uH4Xqx56JWSRmO+LmuSXi5rll4haBEbcMLAEL3Apx2wFLwAIw4paB7YBFYAEYcSvAdsASsAjMAyNuBVgGtgMWheaBEbcitJ3QErAILADzwEhmBVheQGfig9ssncgCqyeLjfRioZkFVhfzb7QCZjrrbtesNJu4qbpYbo8AZjrbtUcAc52l9lhuqnYWZ1sB072F2Qww25ufzV2y9nrAKjfVW5ltJTTdW57NCM32tjtv7pKl2SahVZmpdxY/ZasvWXg1/cNmftX82fMsOg+YvVobNmxHvAgsAPPQ/rPRaDR64qQzN8dNVW4amAXmgE3cVOW2AqaBGaFZYA7YJLQqMyW01TdMQxu2+oYpoZHUJqE5YFZoBpgGtgJGyCZg7opsunKr123qBm115aavyFZCU9/ZDwywW2k08j9s4RsWhZaEtgOWgRWhVWQeWACWgO2AZWAVWQCWgBVg7MQX+2SwUiS8JcwAAAAASUVORK5CYII=" /><div class="container" style=""><div style="text-align:center;margin-bottom:15px"><img alt="" src="data:image/svg+xml;base64,PHN2ZyB3aWR0aD0iMTQ2IiBoZWlnaHQ9IjIwIiB2aWV3Qm94PSIwIDAgMTQ2IDIwIiBmaWxsPSJub25lIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciPgo8cGF0aCBmaWxsLXJ1bGU9ImV2ZW5vZGQiIGNsaXAtcnVsZT0iZXZlbm9kZCIgZD0iTTIxLjgzOTUgMTkuNTU3NUMyMy45NDE2IDE5LjA0MTIgMjYgMTcuODE3OCAyNiAxNC41MjExQzI2IDExLjY0NTYgMjUuMTMzNCAxMC4wNjQxIDIzLjk3NzggMTAuMDY0MUMyNS4xMzM0IDEwLjA2NDEgMjYgOC4zMzg4NCAyNiA1LjQ2MzM4QzI2IDMuODgxODcgMjUuMjc3OCAwIDE4Ljc3NzkgMEgxMi4wNDk0TDguNzI3MTEgMy4zMDY3N0gxMi41MDY3TDE0LjU1OSAxLjI2Mzk3TDE0LjYzMTQgMS4xOTIwMUgxNC43MzM2SDE3LjA0NDZIMTkuMjExNEMyMC4wMzk0IDEuMTkyMDEgMjEuMzQ5MyAxLjQxNDcxIDIyLjQ2MDkgMi4wNzEwNkMyMy41ODQgMi43MzQyNiAyNC41MTM2IDMuODQ4OTUgMjQuNTEzNiA1LjYwNzEzQzI0LjUxMzYgNy41NDA3MyAyMy44MzU2IDguNzA2NjUgMjIuNzkzMSA5LjM3MjMxQzIyLjMyMDUgOS42NzQxMiAyMS43ODIyIDkuODY2NjYgMjEuMjE3NiA5Ljk4NjM4QzIxLjc5MTMgMTAuMTcwNiAyMi4zMzMyIDEwLjQzNjMgMjIuODA2MSAxMC43ODI4QzIzLjgxNzggMTEuNTIzNyAyNC41MTM2IDEyLjYzNTggMjQuNTEzNiAxNC4wODk3QzI0LjUxMzYgMTUuMzUzMSAyNC4xNzcyIDE2LjUwNDcgMjMuMzE5OSAxNy4zMzg2QzIyLjcyMzIgMTcuOTE5MSAyMS44OTM4IDE4LjMyNjQgMjAuNzk3NyAxOC41MjA0TDIxLjgzOTUgMTkuNTU3NVpNMTIuMTM3NiA5LjkwMDQyTDEwLjU2ODcgOC4zMzg4NEgxNy44MjNMMTYuMjU0MSA5LjkwMDQySDEyLjEzNzZaTTEzLjg5MDkgMTEuNjQ1NkwxMi40NjY3IDEwLjIyOEgxNi4zMjIySDE2LjM5MDVMMTYuNDM4NyAxMC4xOEwxOC4yODg0IDguMzM4ODRIMTkuMzU1N0MyMS41MjIyIDguMzM4ODQgMjIuMzg5IDcuMDQ0ODggMjIuMzg5IDUuNzUwOTJDMjIuMzg5IDQuMzEzMTkgMjEuODExMiAzLjMwNjc3IDE5LjM1NTcgMy4zMDY3N0gxMy4yMDQ5TDE0LjgzNTggMS42ODMzOUgxNy4wNDQ2SDE5LjIxMTRDMTkuOTcyMSAxLjY4MzM5IDIxLjE5IDEuODkyMDIgMjIuMjA4OSAyLjQ5MzY4QzIzLjIxNjQgMy4wODg0OCAyNC4wMTk5IDQuMDU4NTIgMjQuMDE5OSA1LjYwNzEzQzI0LjAxOTkgNy40MTE2MSAyMy4zOTggOC40MDIyOSAyMi41MjY1IDguOTU4NzJDMjEuNjMyNSA5LjUyOTU5IDIwLjQzMDEgOS42NzQ2MyAxOS4yMTE0IDkuNjc0NjNWMTAuMTY2QzIwLjM5NDcgMTAuMTY2IDIxLjYwNTMgMTAuNTEzMyAyMi41MTM1IDExLjE3ODVDMjMuNDE1OCAxMS44MzkzIDI0LjAxOTkgMTIuODExOSAyNC4wMTk5IDE0LjA4OTdDMjQuMDE5OSAxNS4yNzA2IDIzLjcwNjQgMTYuMjc1NSAyMi45NzQ4IDE2Ljk4NzJDMjIuNDA4NCAxNy41MzgxIDIxLjU2NzMgMTcuOTM2OCAyMC4zNjQ0IDE4LjA4OTFMMTguOTQ2NCAxNi42Nzc3SDE5LjM1NTdDMjEuMjMzNCAxNi42Nzc3IDIyLjM4OSAxNS4yMzk5IDIyLjM4OSAxNC4wODk4QzIyLjM4OSAxMi45Mzk2IDIxLjgxMTIgMTEuNjQ1NiAxOS4zNTU3IDExLjY0NTZIMTMuODkwOVpNNS41MTMxNSAzLjMwNjc3TDMuODgyMjMgMS42ODMzOUg2LjIxMTUzSDYuMzEzNzJMNi4zODU5NiAxLjYxMTQzTDguMDA0ODcgMEgxMS4zNTExTDguMDI5MDcgMy4zMDY3N0g1LjUxMzE1Wk0xLjk4MDYxIDMuNDk2NzZMMy4zNDgyNCA0Ljg1ODA1VjkuMTE2MDdMMCAxMi40NDg3VjguMjU1MzdMMS45MDgyIDYuMzU1OTVMMS45ODA2MSA2LjI4Mzk5VjYuMTgyMjFWMy40OTY3NlpNMy4zODg1NiAxLjE5MjAxSDYuMTA5MThMNy4zMDY4MiAwSDMuMzQ4MjRIMi4xOTEwOEwzLjM4ODU2IDEuMTkyMDFaTTAuMDAwMzI4OTMzIDBIMFYwLjAwMDI2MTAyMUwwLjAwMDMyODkzMyAwWk0wIDEuNTI1MzdMMS40ODY5NCAzLjAwNTM3VjYuMDgwNDRMMCA3LjU2MDQ1VjEuNTI1MzdaTTE1LjIwODcgMTYuNjYzNkwxOC41NTY5IDE5Ljk5NjFDMTguMzQ0MiAyMC4wMDIyIDE4LjA2NzIgMjAuMDAwMiAxNy44MzA3IDE5Ljk5NjNIMTUuMzgzNEwxMi4wMzUyIDE2LjY2MzZIMTUuMjA4N1pNMCAxMy4xNDM3VjE5Ljk5NlYxOS45OTYzSDEwLjM1Mkw4Ljk5ODE0IDE4LjY0ODZIMS43MzM3N0gxLjQ4Njk0VjE4LjQwMjlWMTYuMTAyNlYxNi4wMDA4TDEuNTU5MTggMTUuOTI4OEwzLjM0ODI0IDE0LjE0ODFWOS44MTA5OEwwIDEzLjE0MzdaTTMuMzQ4MjQgMTQuODQzTDEuOTgwNjEgMTYuMjA0M1YxOC4xNTcySDkuMTAwMzNIOS4yMDI1Mkw5LjI3NDkzIDE4LjIyOTFMMTEuMDUwMiAxOS45OTYzSDE0LjY4NTJMMTEuMzM3IDE2LjY2MzZIMy4zNDgyNFYxNC44NDNaIiBmaWxsPSIjRjcxQjNBIi8+CjxwYXRoIGQ9Ik0xNDYgMkg4NVYxOEgxNDZWMloiIGZpbGw9IiNGNzFCM0EiLz4KPHBhdGggZD0iTTM1IDMuNjAxMDVIMzcuOTE2N1YxMy43OTEySDQxLjgzNzJWMTYuMjU4MUgzNVYzLjYwMTA1Wk01MC41MjU4IDMuMzE2NDFDNTIuNTIwNyAzLjMxNjQxIDU0LjE0OTUgMy45Mjk4OSA1NS40MTIyIDUuMTU3MDlDNTYuNzI1NCA2LjQzNDc0IDU3LjM4MTggOC4wMjg3MyA1Ny4zODE4IDkuOTM5MDZDNTcuMzgxOCAxMS44MjM5IDU2LjcyNTQgMTMuNDA1NCA1NS40MTIyIDE0LjY4MzFDNTQuMTM2OSAxNS45MjI4IDUyLjUwODEgMTYuNTQyNyA1MC41MjU4IDE2LjU0MjdDNDguNTMwOCAxNi41NDI3IDQ2Ljg4OTQgMTUuOTIyOCA0NS42MDE1IDE0LjY4MzFDNDQuOTgyOCAxNC4xMDExIDQ0LjQ5NjcgMTMuNDA1NCA0NC4xNDMyIDEyLjU5NTdDNDMuODAyMyAxMS43NzM1IDQzLjYzMTggMTAuOTAwNiA0My42MzE4IDkuOTc3MDJDNDMuNjMxOCA5LjA5MTM5IDQzLjgwODYgOC4yMTg0OSA0NC4xNjIxIDcuMzU4MzFDNDQuNTI4MyA2LjQ4NTQxIDQ1LjAwMTggNS43NTgwNyA0NS41ODI2IDUuMTc2MDZDNDYuODIgMy45MzYzNyA0OC40Njc3IDMuMzE2NDEgNTAuNTI1OCAzLjMxNjQxWk01MC41MDY5IDYuMDExMDFDNDkuMzgzMSA2LjAxMTAxIDQ4LjQ2MTQgNi4zNzE1NiA0Ny43NDE3IDcuMDkyNjVDNDYuOTk2NyA3LjgxMzc0IDQ2LjYyNDMgOC43Njg4IDQ2LjYyNDMgOS45NTgwNEM0Ni42MjQzIDExLjA5NjYgNDcuMDA5NCAxMi4wNDU0IDQ3Ljc3OTYgMTIuODA0NUM0OC41MTE5IDEzLjUwMDMgNDkuNDE0NyAxMy44NDgxIDUwLjQ4NzkgMTMuODQ4MUM1MS42MzY5IDEzLjg0ODEgNTIuNTcxMyAxMy40ODc2IDUzLjI5MSAxMi43NjY1QzU0LjAyMzMgMTIuMDU4MSA1NC4zODk0IDExLjExNTYgNTQuMzg5NCA5LjkzOTA2QzU0LjM4OTQgOC43NzUyNyA1NC4wMjMzIDcuODI2NDcgNTMuMjkxIDcuMDkyNjVDNTIuNTQ2IDYuMzcxNTYgNTEuNjE4IDYuMDExMDEgNTAuNTA2OSA2LjAxMTAxWk02OS44MTcgMTIuNTAwOFYxNS44NTk2QzY4LjkyMDYgMTYuMzE1IDY3Ljk5MjYgMTYuNTQyNyA2Ny4wMzI5IDE2LjU0MjdDNjQuOTc0OCAxNi41NDI3IDYzLjMyMDggMTUuOTI5MyA2Mi4wNzA4IDE0LjcwMjFDNjAuNzU3NyAxMy40MjQ0IDYwLjEwMTEgMTEuODIzOSA2MC4xMDExIDkuOTAxMTFDNjAuMTAxMSA4LjAwMzUgNjAuNzU3NyA2LjQxNTc2IDYyLjA3MDggNS4xMzgxMUM2My4zMjA4IDMuOTIzNjQgNjQuODkyOCAzLjMxNjQxIDY2Ljc4NjcgMy4zMTY0MUM2Ny43MjEgMy4zMTY0MSA2OC43MzEyIDMuNTUwMzcgNjkuODE3IDQuMDE4NTJWNy4zOTYyNkM2OC45NzEgNi40OTgxNCA2Ny45ODYxIDYuMDQ4OTYgNjYuODYyNSA2LjA0ODk2QzY1LjgyNyA2LjA0ODk2IDY0Ljk2ODUgNi4zNzc4MSA2NC4yODY3IDcuMDM1NzJDNjMuNDkxMiA3LjgwNzQ5IDYzLjA5MzUgOC43ODE1MiA2My4wOTM1IDkuOTU4MDRDNjMuMDkzNSAxMS4xMDkzIDYzLjQ1OTYgMTIuMDM5MiA2NC4xOTIgMTIuNzQ3NUM2NC44OTkgMTMuNDU1OSA2NS44MDgxIDEzLjgxMDIgNjYuOTE5MyAxMy44MTAyQzY3Ljk2NzIgMTMuODEwMiA2OC45MzMxIDEzLjM3MzcgNjkuODE3IDEyLjUwMDhaTTc2LjIwODUgMy42MDEwNVY4Ljg3NjRMODAuNTI2NyAzLjYwMTA1SDg0LjA4NzRMNzguOTczNyA5LjU5NzQ5TDg0LjQ4NTEgMTYuMjU4MUg4MC43MzUxTDc2LjIwODUgMTAuNjQxMlYxNi4yNTgxSDczLjI5MTlWMy42MDEwNUg3Ni4yMDg1WiIgZmlsbD0iIzIyMjIyMiIvPgo8cGF0aCBkPSJNODcuMTE3MiAzLjYwMTU2SDkwLjk4MDhDOTIuNDQ1NCAzLjYwMTU2IDkzLjUxODcgMy45MjQxNiA5NC4yMDA2IDQuNTY5MzRDOTQuODA2NiA1LjE1MTM1IDk1LjEwOTcgNS45NDgzNSA5NS4xMDk3IDYuOTYwMzNDOTUuMTA5NyA3LjU5Mjc5IDk0Ljk3MDggOC4xMzA2IDk0LjY5MyA4LjU3MzNDOTQuNDQwNSA4Ljk5MDc3IDk0LjA4NjkgOS4zMDA2NCA5My42MzI0IDkuNTAzMTNDOTQuMzM5NCA5LjYxNjk4IDk0LjkyMDMgOS45MDE2MyA5NS4zNzQ4IDEwLjM1NzFDOTUuOTE3OCAxMC45MDExIDk2LjE4OTIgMTEuNjUzNyA5Ni4xODkyIDEyLjYxNTJDOTYuMTg5MiAxMy42NjUxIDk1Ljg2MSAxNC41MTkxIDk1LjIwNDQgMTUuMTc3Qzk0LjQ1OTUgMTUuODk4MSA5My4zNDgzIDE2LjI1ODYgOTEuODcxIDE2LjI1ODZIODcuMTE3MlYzLjYwMTU2Wk04OS45OTYgNS44Nzg3VjguNzQ0MDhIOTAuNDY5NUM5MS4xMjYxIDguNzQ0MDggOTEuNjE4NiA4LjYyMzk4IDkxLjk0NjggOC4zODM1NEM5Mi4yODc3IDguMTQzMSA5Mi40NTgxIDcuNzcwMDUgOTIuNDU4MSA3LjI2Mzk1QzkyLjQ1ODEgNi44MDg1MiA5Mi4yOTM5IDYuNDU0MjMgOTEuOTY1NyA2LjIwMTI5QzkxLjY4NzggNS45ODYzIDkxLjE4MjkgNS44Nzg3IDkwLjQ1MDUgNS44Nzg3SDg5Ljk5NlpNODkuOTk2IDEwLjkwNzRWMTMuOTgxNUg5MC42OTY4QzkxLjc3MDEgMTMuOTgxNSA5Mi40ODk4IDEzLjgxMDcgOTIuODU1OSAxMy40NjkxQzkzLjEzMzcgMTMuMjE2MiA5My4yNzI1IDEyLjg2MTkgOTMuMjcyNSAxMi40MDY1QzkzLjI3MjUgMTEuOTYzOCA5My4xNCAxMS42MjIyIDkyLjg3NDggMTEuMzgxOEM5Mi41MzM5IDExLjA2NTQgOTEuODM5NCAxMC45MDc0IDkwLjc5MTUgMTAuOTA3NEg4OS45OTZaTTk5LjU1NTggMy42MDE1NkgxMDIuNDcyVjE2LjI1ODZIOTkuNTU1OFYzLjYwMTU2Wk0xMTMuNjAyIDYuMDY4NDVIMTEwLjg1NlYxNi4yNTg2SDEwNy45MzlWNi4wNjg0NUgxMDUuMTkzVjMuNjAxNTZIMTEzLjYwMlY2LjA2ODQ1WiIgZmlsbD0id2hpdGUiLz4KPHBhdGggZD0iTTEyNi4xNDYgMTMuNTNWMTZIMTE2LjQ1NkwxMjAuMjU2IDExLjg1OEMxMjEuMTgxIDEwLjgxOTMgMTIxLjg3MSA5Ljk1OCAxMjIuMzI3IDkuMjc0QzEyMi44MzQgOC40NjMzMyAxMjMuMDg3IDcuNzQ3NjcgMTIzLjA4NyA3LjEyN0MxMjMuMDg3IDYuNTk1IDEyMi45MjIgNi4xNzcgMTIyLjU5MyA1Ljg3M0MxMjIuMzI3IDUuNjMyMzMgMTIxLjk0MSA1LjUxMiAxMjEuNDM0IDUuNTEyQzEyMC45NCA1LjUxMiAxMjAuNTU0IDUuNjY0IDEyMC4yNzUgNS45NjhDMTE5LjkyIDYuMzYwNjcgMTE5Ljc0MyA2Ljg4IDExOS43NDMgNy41MjZIMTE2LjgxN0MxMTYuOTMxIDYuMjA4NjcgMTE3LjM2OCA1LjE1MSAxMTguMTI4IDQuMzUzQzExOC45NTEgMy40NzkgMTIwLjExNyAzLjA0MiAxMjEuNjI0IDMuMDQyQzEyMi45NzkgMy4wNDIgMTI0LjA3NSAzLjQ0MSAxMjQuOTExIDQuMjM5QzEyNS42OTYgNS4wMjQzMyAxMjYuMDg5IDYuMDM3NjcgMTI2LjA4OSA3LjI3OUMxMjYuMDg5IDguMjU0MzMgMTI1Ljc3MiA5LjE4NTMzIDEyNS4xMzkgMTAuMDcyQzEyNC43NTkgMTAuNjA0IDEyNC4wODEgMTEuMzMyMyAxMjMuMTA2IDEyLjI1N0wxMjEuNzc2IDEzLjUzSDEyNi4xNDZaTTEyNy44NDkgMTUuODFDMTI3LjUxOSAxNS40NjggMTI3LjM1NSAxNS4wNTYzIDEyNy4zNTUgMTQuNTc1QzEyNy4zNTUgMTQuMDkzNyAxMjcuNTE5IDEzLjY4ODMgMTI3Ljg0OSAxMy4zNTlDMTI4LjE5MSAxMy4wMTcgMTI4LjYwMiAxMi44NDYgMTI5LjA4NCAxMi44NDZDMTI5LjU2NSAxMi44NDYgMTI5Ljk3IDEzLjAxNyAxMzAuMyAxMy4zNTlDMTMwLjY0MiAxMy42ODgzIDEzMC44MTMgMTQuMDkzNyAxMzAuODEzIDE0LjU3NUMxMzAuODEzIDE1LjA1NjMgMTMwLjY0MiAxNS40NjggMTMwLjMgMTUuODFDMTI5Ljk3IDE2LjEzOTMgMTI5LjU2NSAxNi4zMDQgMTI5LjA4NCAxNi4zMDRDMTI4LjYwMiAxNi4zMDQgMTI4LjE5MSAxNi4xMzkzIDEyNy44NDkgMTUuODFaTTE0MS42ODcgOS42NzNDMTQxLjY4NyAxMi4wMDM3IDE0MS4wNzkgMTMuNzcwNyAxMzkuODYzIDE0Ljk3NEMxMzguOTYzIDE1Ljg0OCAxMzcuODMgMTYuMjg1IDEzNi40NjIgMTYuMjg1QzEzNS4xMTkgMTYuMjg1IDEzMy45OTggMTUuODQ4IDEzMy4wOTkgMTQuOTc0QzEzMS44ODMgMTMuNzcwNyAxMzEuMjc1IDEyLjAwMzcgMTMxLjI3NSA5LjY3M0MxMzEuMjc1IDcuMzA0MzMgMTMxLjg4MyA1LjUzMSAxMzMuMDk5IDQuMzUzQzEzMy45OTggMy40NzkgMTM1LjExOSAzLjA0MiAxMzYuNDYyIDMuMDQyQzEzNy44MyAzLjA0MiAxMzguOTYzIDMuNDc5IDEzOS44NjMgNC4zNTNDMTQxLjA3OSA1LjUzMSAxNDEuNjg3IDcuMzA0MzMgMTQxLjY4NyA5LjY3M1pNMTM3LjY1OSA2LjAyNUMxMzcuMzI5IDUuNzA4MzMgMTM2LjkzNyA1LjU1IDEzNi40ODEgNS41NUMxMzYuMDI1IDUuNTUgMTM1LjYzMiA1LjcwODMzIDEzNS4zMDMgNi4wMjVDMTM0LjU5MyA2LjcyMTY3IDEzNC4yMzkgNy45MzEzMyAxMzQuMjM5IDkuNjU0QzEzNC4yMzkgMTEuMzg5MyAxMzQuNTkzIDEyLjYwNTMgMTM1LjMwMyAxMy4zMDJDMTM1LjYzMiAxMy42MTg3IDEzNi4wMjUgMTMuNzc3IDEzNi40ODEgMTMuNzc3QzEzNi45MzcgMTMuNzc3IDEzNy4zMjkgMTMuNjE4NyAxMzcuNjU5IDEzLjMwMkMxMzguMzY4IDEyLjYwNTMgMTM4LjcyMyAxMS4zODkzIDEzOC43MjMgOS42NTRDMTM4LjcyMyA3LjkzMTMzIDEzOC4zNjggNi43MjE2NyAxMzcuNjU5IDYuMDI1WiIgZmlsbD0id2hpdGUiLz4KPC9zdmc+Cg==" /></div><div class="hb" style="text-align:center"><img alt="" src="data:image/svg+xml;base64,PHN2ZyB3aWR0aD0iNTc5IiBoZWlnaHQ9IjI1IiB2aWV3Qm94PSIwIDAgNTc5IDI1IiBmaWxsPSJub25lIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciPgo8cmVjdCB4PSI5OSIgd2lkdGg9IjE3OSIgaGVpZ2h0PSIyNSIgZmlsbD0iI0Y3MUIzQSIvPgo8cmVjdCB4PSIzMjUiIHdpZHRoPSIyNTQiIGhlaWdodD0iMjUiIGZpbGw9IiNGNzFCM0EiLz4KPHBhdGggZD0iTTEzLjM2IDIwSDEwLjY3Mkw5LjYxNiAxNi45NTJINC4xNjhMMy4xMTIgMjBIMC40MjRMNS40NCA1LjY0OEg4LjM2OEwxMy4zNiAyMFpNOC44MjQgMTQuNTUyTDYuOTA0IDguODg4TDQuOTYgMTQuNTUySDguODI0Wk0yNC4xMDc5IDIwSDE1LjIyNzlWNS42NDhIMTcuNzQ3OVYxNy42SDI0LjEwNzlWMjBaTTM1LjYzOTEgMjBIMjYuNzU5MVY1LjY0OEgyOS4yNzkxVjE3LjZIMzUuNjM5MVYyMFpNNTQuNDUwOCA1LjY0OEw0OS42OTg4IDEzLjczNlYyMEg0Ny4xNzg4VjEzLjczNkw0Mi40NzQ4IDUuNjQ4SDQ1LjI1ODhMNDguNDUwOCAxMS4wOTZMNTEuNjQyOCA1LjY0OEg1NC40NTA4Wk02Ny4zMjc2IDE2LjU5MkM2Ny4zMjc2IDE3LjEyIDY3LjE5OTYgMTcuNTc2IDY2Ljk0MzYgMTcuOTZDNjYuNzUxNiAxOC4yMTYgNjYuNDYzNiAxOC41MzYgNjYuMDc5NiAxOC45MkM2NS43MTE2IDE5LjMwNCA2NS40MTU2IDE5LjU2IDY1LjE5MTYgMTkuNjg4QzY0LjcyNzYgMTkuOTc2IDY0LjIzMTYgMjAuMTIgNjMuNzAzNiAyMC4xMkg2MC4wNTU2QzU5LjUyNzYgMjAuMTIgNTkuMDMxNiAxOS45NzYgNTguNTY3NiAxOS42ODhDNTguMzQzNiAxOS41NiA1OC4wMzE2IDE5LjMwNCA1Ny42MzE2IDE4LjkyQzU3LjI0NzYgMTguNTIgNTYuOTc1NiAxOC4yIDU2LjgxNTYgMTcuOTZDNTYuNTU5NiAxNy41NzYgNTYuNDMxNiAxNy4xMiA1Ni40MzE2IDE2LjU5MlY5LjA4QzU2LjQzMTYgOC41NTIgNTYuNTU5NiA4LjA5NiA1Ni44MTU2IDcuNzEyQzU2Ljk3NTYgNy40NzIgNTcuMjQ3NiA3LjE2IDU3LjYzMTYgNi43NzZDNTguMDMxNiA2LjM3NiA1OC4zNDM2IDYuMTEyIDU4LjU2NzYgNS45ODRDNTkuMDMxNiA1LjY5NiA1OS41Mjc2IDUuNTUyIDYwLjA1NTYgNS41NTJINjMuNzAzNkM2NC4yMzE2IDUuNTUyIDY0LjcyNzYgNS42OTYgNjUuMTkxNiA1Ljk4NEM2NS40MTU2IDYuMTEyIDY1LjcxMTYgNi4zNjggNjYuMDc5NiA2Ljc1MkM2Ni40NjM2IDcuMTM2IDY2Ljc1MTYgNy40NTYgNjYuOTQzNiA3LjcxMkM2Ny4xOTk2IDguMDk2IDY3LjMyNzYgOC41NTIgNjcuMzI3NiA5LjA4VjE2LjU5MlpNNTguOTUxNiA5LjE1MlYxNi41NjhDNTguOTUxNiAxNi42MTYgNTguOTU5NiAxNi42NDggNTguOTc1NiAxNi42NjRDNTkuMjk1NiAxNy4xNDQgNTkuNjQ3NiAxNy40ODggNjAuMDMxNiAxNy42OTZDNjAuMDYzNiAxNy43MTIgNjAuMTAzNiAxNy43MiA2MC4xNTE2IDE3LjcySDYzLjYwNzZDNjMuNjU1NiAxNy43MiA2My42OTU2IDE3LjcxMiA2My43Mjc2IDE3LjY5NkM2NC4xMTE2IDE3LjQ4OCA2NC40NjM2IDE3LjE0NCA2NC43ODM2IDE2LjY2NEw2NC44MDc2IDE2LjU2OFY5LjE1MkM2NC44MDc2IDkuMDg4IDY0Ljc5OTYgOS4wNDggNjQuNzgzNiA5LjAzMkM2NC40NDc2IDguNTM2IDY0LjA5NTYgOC4xODQgNjMuNzI3NiA3Ljk3NkM2My42OTU2IDcuOTYgNjMuNjU1NiA3Ljk1MiA2My42MDc2IDcuOTUySDYwLjE1MTZDNjAuMDg3NiA3Ljk1MiA2MC4wNDc2IDcuOTYgNjAuMDMxNiA3Ljk3NkM1OS42NjM2IDguMTg0IDU5LjMxMTYgOC41MzYgNTguOTc1NiA5LjAzMkw1OC45NTE2IDkuMTUyWk03OC4wNzY0IDE2LjU2OFY1LjY0OEg4MC41OTY0VjE2LjU5MkM4MC41OTY0IDE3LjEyIDgwLjQ2ODQgMTcuNTc2IDgwLjIxMjQgMTcuOTZDODAuMDM2NCAxOC4yIDc5Ljc1NjQgMTguNTIgNzkuMzcyNCAxOC45MkM3OS4wMDQ0IDE5LjMwNCA3OC43MDA0IDE5LjU2IDc4LjQ2MDQgMTkuNjg4Qzc3Ljk5NjQgMTkuOTc2IDc3LjUwODQgMjAuMTIgNzYuOTk2NCAyMC4xMkg3My45NDg0QzczLjQyMDQgMjAuMTIgNzIuOTI0NCAxOS45NzYgNzIuNDYwNCAxOS42ODhDNzIuMjM2NCAxOS41NiA3MS45MjQ0IDE5LjMwNCA3MS41MjQ0IDE4LjkyQzcxLjE0MDQgMTguNTIgNzAuODY4NCAxOC4yIDcwLjcwODQgMTcuOTZDNzAuNDUyNCAxNy41NzYgNzAuMzI0NCAxNy4xMiA3MC4zM
URLs

http-equiv="Content-Type"

http-equiv="x-ua-compatible"

https://decoding.at

Signatures

  • Lockbit

    Ransomware family with multiple variants released since late 2019.

    ransomwarelockbit
  • Lockbit family
    lockbit
  • Creates a large amount of network flows 1 TTPs

    This may indicate a network scan to discover remotely running services.

    discovery
  • Deletes shadow copies 3 TTPs

    Ransomware often targets backup files to inhibit system recovery.

    ransomwaredefense_evasionimpactexecution
  • Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
    ransomwareevasion
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Enumerates connected drives 3 TTPs 1 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory 1 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
    ransomware
  • Suspicious use of NtSetInformationThreadHideFromDebugger 17 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

    discovery
  • Interacts with shadow copies 3 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

    ransomware
  • Modifies Control Panel 2 IoCs
    evasion
  • Modifies registry class 16 IoCs
  • Opens file in notepad (likely ransom note) 3 IoCs
    ransomware
  • Runs .reg file with regedit 1 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 50 IoCs
  • Suspicious use of AdjustPrivilegeToken 47 IoCs
  • Suspicious use of SetWindowsHookEx 21 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Users\Admin\AppData\Local\Temp\48116c6b904486d50de874c9afe866a2e4f66c1fdbef60ccdae2b440ebe64037.exe
    "C:\Users\Admin\AppData\Local\Temp\48116c6b904486d50de874c9afe866a2e4f66c1fdbef60ccdae2b440ebe64037.exe"
    1⤵
    • Checks computer location settings
    • Adds Run key to start application
    • Enumerates connected drives
    • Drops file in System32 directory
    • Sets desktop wallpaper using registry
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Modifies Control Panel
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1200
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4100
      • C:\Windows\system32\vssadmin.exe
        vssadmin delete shadows /all /quiet
        3⤵
        • Interacts with shadow copies
        PID:4288
      • C:\Windows\System32\Wbem\WMIC.exe
        wmic shadowcopy delete
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4844
      • C:\Windows\system32\bcdedit.exe
        bcdedit /set {default} bootstatuspolicy ignoreallfailures
        3⤵
        • Modifies boot configuration data using bcdedit
        PID:1692
      • C:\Windows\system32\bcdedit.exe
        bcdedit /set {default} recoveryenabled no
        3⤵
        • Modifies boot configuration data using bcdedit
        PID:4700
    • C:\Windows\SysWOW64\mshta.exe
      "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\LockBit_Ransomware.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2544
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 2544 -s 1688
        3⤵
        • Program crash
        PID:1492
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C ping 127.0.0.7 -n 3 > Nul & fsutil file setZeroData offset=0 length=524288 "C:\Users\Admin\AppData\Local\Temp\48116c6b904486d50de874c9afe866a2e4f66c1fdbef60ccdae2b440ebe64037.exe" & Del /f /q "C:\Users\Admin\AppData\Local\Temp\48116c6b904486d50de874c9afe866a2e4f66c1fdbef60ccdae2b440ebe64037.exe"
      2⤵
      • System Location Discovery: System Language Discovery
      • System Network Configuration Discovery: Internet Connection Discovery
      • Suspicious use of WriteProcessMemory
      PID:3276
      • C:\Windows\SysWOW64\PING.EXE
        ping 127.0.0.7 -n 3
        3⤵
        • System Location Discovery: System Language Discovery
        • System Network Configuration Discovery: Internet Connection Discovery
        • Runs ping.exe
        PID:3208
      • C:\Windows\SysWOW64\fsutil.exe
        fsutil file setZeroData offset=0 length=524288 "C:\Users\Admin\AppData\Local\Temp\48116c6b904486d50de874c9afe866a2e4f66c1fdbef60ccdae2b440ebe64037.exe"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:4528
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:1816
  • C:\Windows\system32\OpenWith.exe
    C:\Windows\system32\OpenWith.exe -Embedding
    1⤵
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1052
    • C:\Windows\system32\NOTEPAD.EXE
      "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\sendclose.xps.lockbit
      2⤵
      • Opens file in notepad (likely ransom note)
      PID:780
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 2544 -ip 2544
    1⤵
      PID:1964
    • C:\Windows\system32\mshta.exe
      "C:\Windows\system32\mshta.exe" "C:\Users\Admin\Desktop\LockBit_Ransomware.hta"
      1⤵
        PID:2004
      • C:\Windows\system32\mshta.exe
        "C:\Windows\system32\mshta.exe" "C:\Users\Admin\Desktop\LockBit_Ransomware.hta"
        1⤵
          PID:3944
        • C:\Windows\system32\NOTEPAD.EXE
          "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\unprotectresume.tiff.lockbit
          1⤵
          • Opens file in notepad (likely ransom note)
          PID:4600
        • C:\Windows\system32\NOTEPAD.EXE
          "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\Restore-My-Files.txt
          1⤵
            PID:1504
          • C:\Windows\regedit.exe
            "regedit.exe" "C:\Users\Admin\Desktop\ConvertToJoin.reg"
            1⤵
            • Runs .reg file with regedit
            PID:2716
          • C:\Windows\system32\notepad.exe
            "C:\Windows\system32\notepad.exe" "C:\Users\Admin\Desktop\ConvertToJoin.reg"
            1⤵
            • Opens file in notepad (likely ransom note)
            PID:5000

          Network

          MITRE ATT&CK Enterprise v15

          Reconnaissance

          Resource Development

          Initial Access

          Execution

          Windows Management Instrumentation

          1
          T1047

          Persistence

          Boot or Logon Autostart Execution

          1
          T1547

          Registry Run Keys / Startup Folder

          1
          T1547.001

          Privilege Escalation

          Boot or Logon Autostart Execution

          1
          T1547

          Registry Run Keys / Startup Folder

          1
          T1547.001

          Defense Evasion

          Direct Volume Access

          1
          T1006

          Indicator Removal

          2
          T1070

          File Deletion

          2
          T1070.004

          Modify Registry

          2
          T1112

          Credential Access

          Discovery

          Network Service Discovery

          1
          T1046

          Peripheral Device Discovery

          1
          T1120

          Query Registry

          2
          T1012

          Remote System Discovery

          1
          T1018

          System Information Discovery

          3
          T1082

          System Location Discovery

          1
          T1614

          System Language Discovery

          1
          T1614.001

          System Network Configuration Discovery

          1
          T1016

          Internet Connection Discovery

          1
          T1016.001

          Lateral Movement

          Collection

          Command and Control

          Exfiltration

          Impact

          Defacement

          1
          T1491

          Inhibit System Recovery

          3
          T1490

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\Restore-My-Files.txt
            Filesize

            512B

            MD5

            cb29b8f5932d50f484431e4b2dd3b560

            SHA1

            891987f0435079f183e2ed11acc4f4c74121ec1a

            SHA256

            a80e37cbfc309392aa4f12fa0dfa7bd3232c9d27296d4e2036747e56bef032c0

            SHA512

            472345be42a423314fb68ae163f06183185e6d4a7608b44c805e51c882a4822f812764f8f0a447e8610ccd8bf6ed5b007e6e8bfe1debf4fc412f19a2b6c75f3b

            Download Submit

          • C:\Users\Admin\Desktop\LockBit_Ransomware.hta
            Filesize

            46KB

            MD5

            c15c6adc8c923ad87981f289025c37b2

            SHA1

            bfe6533f4afe3255046f7178f289a4c75ad89e76

            SHA256

            90f3a33919fdd766e90fd96f8f20a92c2d1376b7cfdc8b738c2f8e7e6c7498b1

            SHA512

            31dd03b208e00ac012fbe4189d5af1306cc8e3640d40efefab4aa1cabab3c4735eef0cb65e7750c3c77021934e145398e5e26389975cf36b193c8f622a5fde83

            Download Submit

          • C:\Users\Admin\Desktop\sendclose.xps.lockbit
            Filesize

            144KB

            MD5

            4254f03935a00f5337d07f1c90048d23

            SHA1

            3ace986bf7cc98fd5b2b86fceff57c215d8a488b

            SHA256

            71f3dd5adfd0ca199e7fd2800c200941bebaf36bdb918f0e984f4fea5bff5560

            SHA512

            4cd2d89ccd760e47f395dbd6c449ecf0d0c1d575d144aff0779cc14a07679ce9aca3010a58a655ea6c6040dc7b91cb4024a6683f25714ea58900096b17a6e33a

            Download Submit

          • C:\Users\Admin\Desktop\unprotectresume.tiff.lockbit
            Filesize

            270KB

            MD5

            e987cb815d6139f440ede889db4984b0

            SHA1

            dcfca522bcaca224e676c80234798a0194510344

            SHA256

            a4b85be4f0a847b8da4ea73559b46348acd4b387b76e251a01c02781afff5850

            SHA512

            688d5ad17b8e7df5f45c030dcddd45fc63ecaf252763dad77990e3c06dae9c6623a02dacd660582cd7cbffae771bbb776fab2071d03e5459d0128e121b4e586d

            Download Submit