blackmatter | 707bb3b958fbf4728d8a39b043e8df083e0fce1178dac60c0d984604ec23c881

Resubmissions

02-01-2025 17:47

250102-wctmlasqdn 10

02-01-2025 17:37

250102-v7dn7asnel 10

31-12-2024 15:09

241231-sjtdmaylbk 10

31-12-2024 14:28

241231-rtcm7axjej 10

Analysis

max time kernel
259s
max time network
261s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
02-01-2025 17:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

LockBit-main.zip
Size

292KB
MD5

68309717a780fd8b4d1a1680874d3e12
SHA1

4cfe4f5bbd98fa7e966184e647910d675cdbda43
SHA256

707bb3b958fbf4728d8a39b043e8df083e0fce1178dac60c0d984604ec23c881
SHA512

e16de0338b1e1487803d37da66d16bc2f2644138615cbce648ae355f088912a04d1ce128a44797ff8c4dfc53c998058432052746c98c687670e4100194013149
SSDEEP

6144:n42LBVCsV+PkMeW9zTiY/NaQmHst5ySPzmcfIMwmafvR:n4EzwkMeWgY1NmyESPB1/aXR

Score

10^/10

blackmatter lockbit defense_evasion discovery ransomware spyware stealer

Malware Config

Extracted

Family

blackmatter

Version

25.239

Extracted

Path

C:\Users\YsgFj49Wb.README.txt

Family

lockbit

Ransom Note

~~~ LockBit 3.0 the world's fastest ransomware since 2019~~~ >>>> Your data are stolen and encrypted The data will be published on TOR website if you do not pay the ransom Links for Tor Browser: http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion http://lockbitapt5x4zkjbcqmz6frdhecqqgadevyiwqxukksspnlidyvd7qd.onion http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion http://lockbitapt34kvrip6xojylohhxrwsvpzdffgs5z4pbbsywnzsbdguqd.onion http://lockbitaptc2iq4atewz2ise62q63wfktyrl4qtwuk5qax262kgtzjqd.onion http://lockbitaptjpikdqjynvgozhgc6bgetgucdk5xjacozeaawihmoio6yd.onion http://lockbitaptq7ephv2oigdncfhtwhpqgwmqojnxqdyhprxxfpcllqdxad.onion http://lockbitaptstzf3er2lz6ku3xuifafq2yh5lmiqj5ncur6rtlmkteiqd.onion http://lockbitaptoofrpignlz6dt2wqqc5z3a4evjevoa3eqdfcntxad5lmyd.onion Links for the normal browser http://lockbitapt.uz http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion.ly http://lockbitapt5x4zkjbcqmz6frdhecqqgadevyiwqxukksspnlidyvd7qd.onion.ly http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion.ly http://lockbitapt34kvrip6xojylohhxrwsvpzdffgs5z4pbbsywnzsbdguqd.onion.ly http://lockbitaptc2iq4atewz2ise62q63wfktyrl4qtwuk5qax262kgtzjqd.onion.ly http://lockbitaptjpikdqjynvgozhgc6bgetgucdk5xjacozeaawihmoio6yd.onion.ly http://lockbitaptq7ephv2oigdncfhtwhpqgwmqojnxqdyhprxxfpcllqdxad.onion.ly http://lockbitaptstzf3er2lz6ku3xuifafq2yh5lmiqj5ncur6rtlmkteiqd.onion.ly http://lockbitaptoofrpignlz6dt2wqqc5z3a4evjevoa3eqdfcntxad5lmyd.onion.ly >>>> What guarantees that we will not deceive you? We are not a politically motivated group and we do not need anything other than your money. If you pay, we will provide you the programs for decryption and we will delete your data. Life is too short to be sad. Be not sad, money, it is only paper. If we do not give you decrypters, or we do not delete your data after payment, then nobody will pay us in the future. Therefore to us our reputation is very important. We attack the companies worldwide and there is no dissatisfied victim after payment. You can obtain information about us on twitter https://twitter.com/hashtag/lockbit?f=live >>>> You need contact us and decrypt one file for free on these TOR sites with your personal DECRYPTION ID Download and install TOR Browser https://www.torproject.org/ Write to a chat and wait for the answer, we will always answer you. Sometimes you will need to wait for our answer because we attack many companies. Links for Tor Browser: http://lockbitsupt7nr3fa6e7xyb73lk6bw6rcneqhoyblniiabj4uwvzapqd.onion http://lockbitsupuhswh4izvoucoxsbnotkmgq6durg7kficg6u33zfvq3oyd.onion http://lockbitsupn2h6be2cnqpvncyhj4rgmnwn44633hnzzmtxdvjoqlp7yd.onion Link for the normal browser http://lockbitsupp.uz If you do not get an answer in the chat room for a long time, the site does not work and in any other emergency, you can contact us in jabber or tox. Tox ID LockBitSupp: 3085B89A0C515D2FB124D645906F5D3DA5CB97CEBEA975959AE4F95302A04E1D709C3C4AE9B7 XMPP (Jabber) Support: [email protected] [email protected] >>>> Your personal DECRYPTION ID: B7568014A48684D6D525F3F3722638C4 >>>> Warning! Do not DELETE or MODIFY any files, it can lead to recovery problems! >>>> Warning! If you do not pay the ransom we will attack your company repeatedly again! >>>> Advertisement Would you like to earn millions of dollars $$$ ? Our company acquire access to networks of various companies, as well as insider information that can help you steal the most valuable data of any company. You can provide us accounting data for the access to any company, for example, login and password to RDP, VPN, corporate email, etc. Open our letter at your email. Launch the provided virus on any computer in your company. You can do it both using your work computer or the computer of any other employee in order to divert suspicion of being in collusion with us. Companies pay us the foreclosure for the decryption of files and prevention of data leak. You can contact us using Tox messenger without registration and SMS https://tox.chat/download.html. Using Tox messenger, we will never know your real name, it means your privacy is guaranteed. If you want to contact us, write in jabber or tox. Tox ID LockBitSupp: 3085B89A0C515D2FB124D645906F5D3DA5CB97CEBEA975959AE4F95302A04E1D709C3C4AE9B7 XMPP (Jabber) Support: [email protected] [email protected] If this contact is expired, and we do not respond you, look for the relevant contact data on our website via Tor or Brave browser Links for Tor Browser: http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion http://lockbitapt5x4zkjbcqmz6frdhecqqgadevyiwqxukksspnlidyvd7qd.onion http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion http://lockbitapt34kvrip6xojylohhxrwsvpzdffgs5z4pbbsywnzsbdguqd.onion http://lockbitaptc2iq4atewz2ise62q63wfktyrl4qtwuk5qax262kgtzjqd.onion http://lockbitaptjpikdqjynvgozhgc6bgetgucdk5xjacozeaawihmoio6yd.onion http://lockbitaptq7ephv2oigdncfhtwhpqgwmqojnxqdyhprxxfpcllqdxad.onion http://lockbitaptstzf3er2lz6ku3xuifafq2yh5lmiqj5ncur6rtlmkteiqd.onion http://lockbitaptoofrpignlz6dt2wqqc5z3a4evjevoa3eqdfcntxad5lmyd.onion Links for the normal browser http://lockbitapt.uz http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion.ly http://lockbitapt5x4zkjbcqmz6frdhecqqgadevyiwqxukksspnlidyvd7qd.onion.ly http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion.ly http://lockbitapt34kvrip6xojylohhxrwsvpzdffgs5z4pbbsywnzsbdguqd.onion.ly http://lockbitaptc2iq4atewz2ise62q63wfktyrl4qtwuk5qax262kgtzjqd.onion.ly http://lockbitaptjpikdqjynvgozhgc6bgetgucdk5xjacozeaawihmoio6yd.onion.ly http://lockbitaptq7ephv2oigdncfhtwhpqgwmqojnxqdyhprxxfpcllqdxad.onion.ly http://lockbitaptstzf3er2lz6ku3xuifafq2yh5lmiqj5ncur6rtlmkteiqd.onion.ly http://lockbitaptoofrpignlz6dt2wqqc5z3a4evjevoa3eqdfcntxad5lmyd.onion.ly

Emails

[email protected]

URLs

http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion

http://lockbitapt5x4zkjbcqmz6frdhecqqgadevyiwqxukksspnlidyvd7qd.onion

http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion

http://lockbitapt34kvrip6xojylohhxrwsvpzdffgs5z4pbbsywnzsbdguqd.onion

http://lockbitaptc2iq4atewz2ise62q63wfktyrl4qtwuk5qax262kgtzjqd.onion

http://lockbitaptjpikdqjynvgozhgc6bgetgucdk5xjacozeaawihmoio6yd.onion

http://lockbitaptq7ephv2oigdncfhtwhpqgwmqojnxqdyhprxxfpcllqdxad.onion

http://lockbitaptstzf3er2lz6ku3xuifafq2yh5lmiqj5ncur6rtlmkteiqd.onion

http://lockbitaptoofrpignlz6dt2wqqc5z3a4evjevoa3eqdfcntxad5lmyd.onion

http://lockbitapt.uz

http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion.ly

http://lockbitapt5x4zkjbcqmz6frdhecqqgadevyiwqxukksspnlidyvd7qd.onion.ly

http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion.ly

http://lockbitapt34kvrip6xojylohhxrwsvpzdffgs5z4pbbsywnzsbdguqd.onion.ly

http://lockbitaptc2iq4atewz2ise62q63wfktyrl4qtwuk5qax262kgtzjqd.onion.ly

http://lockbitaptjpikdqjynvgozhgc6bgetgucdk5xjacozeaawihmoio6yd.onion.ly

http://lockbitaptq7ephv2oigdncfhtwhpqgwmqojnxqdyhprxxfpcllqdxad.onion.ly

http://lockbitaptstzf3er2lz6ku3xuifafq2yh5lmiqj5ncur6rtlmkteiqd.onion.ly

http://lockbitaptoofrpignlz6dt2wqqc5z3a4evjevoa3eqdfcntxad5lmyd.onion.ly

https://twitter.com/hashtag/lockbit?f=live

Signatures

BlackMatter Ransomware
BlackMatter ransomware group claims to be Darkside and REvil succesor.
ransomware blackmatter
Blackmatter family
blackmatter
Lockbit
Ransomware family with multiple variants released since late 2019.
ransomware lockbit
Lockbit family
lockbit

Rule to detect Lockbit 3.0 ransomware Windows payload 5 IoCs

resource	yara_rule
behavioral1/files/0x001900000002ab29-19.dat	family_lockbit
behavioral1/files/0x001900000002ab33-551.dat	family_lockbit
behavioral1/memory/3456-552-0x0000000000400000-0x0000000000429000-memory.dmp	family_lockbit
behavioral1/memory/3456-554-0x0000000000400000-0x0000000000429000-memory.dmp	family_lockbit
behavioral1/files/0x001900000002ab31-556.dat	family_lockbit

Renames multiple (519) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Executes dropped EXE 13 IoCs

pid	Process
3628	keygen.exe
960	keygen.exe
3724	keygen.exe
712	builder.exe
1548	builder.exe
416	builder.exe
3480	builder.exe
412	builder.exe
844	builder.exe
3456	LB3_pass.exe
3340	LB3.exe
2468	LB3Decryptor.exe
4508	3B70.tmp

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File opened for modification	C:\$Recycle.Bin\S-1-5-21-1537126222-899333903-2037027349-1000\desktop.ini	LB3.exe
File opened for modification	F:\$RECYCLE.BIN\S-1-5-21-1537126222-899333903-2037027349-1000\desktop.ini	LB3.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\system32\spool\PRINTERS\00002.SPL	splwow64.exe
File created	C:\Windows\system32\spool\PRINTERS\PPjoq4y_t45zqv03qauztoduym.TMP	printfilterpipelinesvc.exe
File created	C:\Windows\system32\spool\PRINTERS\PPpbt3vpekarb95uxjoufg5g68c.TMP	printfilterpipelinesvc.exe
File created	C:\Windows\system32\spool\PRINTERS\PP00rrelfh2oj9bz7cp5ytyiz0c.TMP	printfilterpipelinesvc.exe

Sets desktop wallpaper using registry 2 TTPs 3 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\YsgFj49Wb.bmp"	LB3.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\YsgFj49Wb.bmp"	LB3.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000\Control Panel\Desktop\WallPaper	LB3Decryptor.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
4508	3B70.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2312	3456	WerFault.exe	97

System Location Discovery: System Language Discovery 1 TTPs 12 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	LB3Decryptor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3B70.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	builder.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	builder.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	LB3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	builder.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	builder.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	LB3_pass.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	keygen.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	builder.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	builder.exe

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	ONENOTE.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	ONENOTE.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	Winword.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	Winword.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Winword.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	ONENOTE.EXE

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	Winword.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	Winword.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	Winword.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	ONENOTE.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	ONENOTE.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	ONENOTE.EXE

Modifies Control Panel 3 IoCs

evasion

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000\Control Panel\Desktop\WallpaperStyle = "10"	LB3.exe
Key created	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000\Control Panel\Desktop	LB3Decryptor.exe
Key created	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000\Control Panel\Desktop	LB3.exe

Modifies registry class 12 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.YsgFj49Wb\ = "YsgFj49Wb"	LB3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\YsgFj49Wb	LB3.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\YSGFJ49WB\DEFAULTICON	LB3Decryptor.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	7zFM.exe
Key created	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	7zFM.exe
Key created	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.YsgFj49Wb	LB3.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\.YSGFJ49WB	LB3Decryptor.exe
Key created	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\YsgFj49Wb\DefaultIcon	LB3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\YsgFj49Wb\DefaultIcon\ = "C:\\ProgramData\\YsgFj49Wb.ico"	LB3.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\YsgFj49Wb	LB3Decryptor.exe

Suspicious behavior: AddClipboardFormatListener 4 IoCs

pid	Process
2736	Winword.exe
2736	Winword.exe
4476	ONENOTE.EXE
4476	ONENOTE.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3340	LB3.exe
3340	LB3.exe
3340	LB3.exe
3340	LB3.exe
3340	LB3.exe
3340	LB3.exe
3340	LB3.exe
3340	LB3.exe
3340	LB3.exe
3340	LB3.exe
3340	LB3.exe
3340	LB3.exe
3340	LB3.exe
3340	LB3.exe
3340	LB3.exe
3340	LB3.exe
3340	LB3.exe
3340	LB3.exe
3340	LB3.exe
3340	LB3.exe
3340	LB3.exe
3340	LB3.exe
3340	LB3.exe
3340	LB3.exe
3340	LB3.exe
3340	LB3.exe
3340	LB3.exe
3340	LB3.exe
3340	LB3.exe
3340	LB3.exe
3340	LB3.exe
3340	LB3.exe
3340	LB3.exe
3340	LB3.exe
3340	LB3.exe
3340	LB3.exe
3340	LB3.exe
3340	LB3.exe
3340	LB3.exe
3340	LB3.exe
3340	LB3.exe
3340	LB3.exe
3340	LB3.exe
3340	LB3.exe
3340	LB3.exe
3340	LB3.exe
3340	LB3.exe
3340	LB3.exe
3340	LB3.exe
3340	LB3.exe
3340	LB3.exe
3340	LB3.exe
3340	LB3.exe
3340	LB3.exe
3340	LB3.exe
3340	LB3.exe
3340	LB3.exe
3340	LB3.exe
3340	LB3.exe
3340	LB3.exe
3340	LB3.exe
3340	LB3.exe
3340	LB3.exe
3340	LB3.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
5000	7zFM.exe

Suspicious behavior: RenamesItself 2 IoCs

pid	Process
3340	LB3.exe
2468	LB3Decryptor.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeRestorePrivilege	5000	7zFM.exe
Token: 35	5000	7zFM.exe
Token: SeSecurityPrivilege	5000	7zFM.exe
Token: SeAssignPrimaryTokenPrivilege	3340	LB3.exe
Token: SeBackupPrivilege	3340	LB3.exe
Token: SeDebugPrivilege	3340	LB3.exe
Token: 36	3340	LB3.exe
Token: SeImpersonatePrivilege	3340	LB3.exe
Token: SeIncBasePriorityPrivilege	3340	LB3.exe
Token: SeIncreaseQuotaPrivilege	3340	LB3.exe
Token: 33	3340	LB3.exe
Token: SeManageVolumePrivilege	3340	LB3.exe
Token: SeProfSingleProcessPrivilege	3340	LB3.exe
Token: SeRestorePrivilege	3340	LB3.exe
Token: SeSecurityPrivilege	3340	LB3.exe
Token: SeSystemProfilePrivilege	3340	LB3.exe
Token: SeTakeOwnershipPrivilege	3340	LB3.exe
Token: SeShutdownPrivilege	3340	LB3.exe
Token: SeDebugPrivilege	3340	LB3.exe
Token: SeBackupPrivilege	3340	LB3.exe
Token: SeBackupPrivilege	3340	LB3.exe
Token: SeSecurityPrivilege	3340	LB3.exe
Token: SeSecurityPrivilege	3340	LB3.exe
Token: SeBackupPrivilege	3340	LB3.exe
Token: SeBackupPrivilege	3340	LB3.exe
Token: SeSecurityPrivilege	3340	LB3.exe
Token: SeSecurityPrivilege	3340	LB3.exe
Token: SeBackupPrivilege	3340	LB3.exe
Token: SeBackupPrivilege	3340	LB3.exe
Token: SeSecurityPrivilege	3340	LB3.exe
Token: SeSecurityPrivilege	3340	LB3.exe
Token: SeBackupPrivilege	3340	LB3.exe
Token: SeBackupPrivilege	3340	LB3.exe
Token: SeSecurityPrivilege	3340	LB3.exe
Token: SeSecurityPrivilege	3340	LB3.exe
Token: SeBackupPrivilege	3340	LB3.exe
Token: SeBackupPrivilege	3340	LB3.exe
Token: SeSecurityPrivilege	3340	LB3.exe
Token: SeSecurityPrivilege	3340	LB3.exe
Token: SeBackupPrivilege	3340	LB3.exe
Token: SeBackupPrivilege	3340	LB3.exe
Token: SeSecurityPrivilege	3340	LB3.exe
Token: SeSecurityPrivilege	3340	LB3.exe
Token: SeBackupPrivilege	3340	LB3.exe
Token: SeBackupPrivilege	3340	LB3.exe
Token: SeSecurityPrivilege	3340	LB3.exe
Token: SeSecurityPrivilege	3340	LB3.exe
Token: SeBackupPrivilege	3340	LB3.exe
Token: SeBackupPrivilege	3340	LB3.exe
Token: SeSecurityPrivilege	3340	LB3.exe
Token: SeSecurityPrivilege	3340	LB3.exe
Token: SeBackupPrivilege	3340	LB3.exe
Token: SeBackupPrivilege	3340	LB3.exe
Token: SeSecurityPrivilege	3340	LB3.exe
Token: SeSecurityPrivilege	3340	LB3.exe
Token: SeBackupPrivilege	3340	LB3.exe
Token: SeBackupPrivilege	3340	LB3.exe
Token: SeSecurityPrivilege	3340	LB3.exe
Token: SeSecurityPrivilege	3340	LB3.exe
Token: SeBackupPrivilege	3340	LB3.exe
Token: SeBackupPrivilege	3340	LB3.exe
Token: SeSecurityPrivilege	3340	LB3.exe
Token: SeSecurityPrivilege	3340	LB3.exe
Token: SeBackupPrivilege	3340	LB3.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
5000	7zFM.exe
5000	7zFM.exe

Suspicious use of SetWindowsHookEx 37 IoCs

pid	Process
1508	OpenWith.exe
2352	OpenWith.exe
2352	OpenWith.exe
2352	OpenWith.exe
2352	OpenWith.exe
2352	OpenWith.exe
2352	OpenWith.exe
2352	OpenWith.exe
2352	OpenWith.exe
2352	OpenWith.exe
2352	OpenWith.exe
2352	OpenWith.exe
2352	OpenWith.exe
2352	OpenWith.exe
2736	Winword.exe
2736	Winword.exe
2736	Winword.exe
2736	Winword.exe
2736	Winword.exe
2736	Winword.exe
2736	Winword.exe
2736	Winword.exe
2468	LB3Decryptor.exe
4476	ONENOTE.EXE
4476	ONENOTE.EXE
4476	ONENOTE.EXE
4476	ONENOTE.EXE
4476	ONENOTE.EXE
4476	ONENOTE.EXE
4476	ONENOTE.EXE
4476	ONENOTE.EXE
4476	ONENOTE.EXE
4476	ONENOTE.EXE
4476	ONENOTE.EXE
4476	ONENOTE.EXE
4476	ONENOTE.EXE
4476	ONENOTE.EXE

Suspicious use of WriteProcessMemory 34 IoCs

description	pid	Process	procid_target
PID 3456 wrote to memory of 3724	3456	cmd.exe	85
PID 3456 wrote to memory of 3724	3456	cmd.exe	85
PID 3456 wrote to memory of 3724	3456	cmd.exe	85
PID 3456 wrote to memory of 712	3456	cmd.exe	86
PID 3456 wrote to memory of 712	3456	cmd.exe	86
PID 3456 wrote to memory of 712	3456	cmd.exe	86
PID 3456 wrote to memory of 1548	3456	cmd.exe	87
PID 3456 wrote to memory of 1548	3456	cmd.exe	87
PID 3456 wrote to memory of 1548	3456	cmd.exe	87
PID 3456 wrote to memory of 416	3456	cmd.exe	88
PID 3456 wrote to memory of 416	3456	cmd.exe	88
PID 3456 wrote to memory of 416	3456	cmd.exe	88
PID 3456 wrote to memory of 3480	3456	cmd.exe	89
PID 3456 wrote to memory of 3480	3456	cmd.exe	89
PID 3456 wrote to memory of 3480	3456	cmd.exe	89
PID 3456 wrote to memory of 412	3456	cmd.exe	90
PID 3456 wrote to memory of 412	3456	cmd.exe	90
PID 3456 wrote to memory of 412	3456	cmd.exe	90
PID 3456 wrote to memory of 844	3456	cmd.exe	91
PID 3456 wrote to memory of 844	3456	cmd.exe	91
PID 3456 wrote to memory of 844	3456	cmd.exe	91
PID 2352 wrote to memory of 2736	2352	OpenWith.exe	94
PID 2352 wrote to memory of 2736	2352	OpenWith.exe	94
PID 3340 wrote to memory of 4368	3340	LB3.exe	105
PID 3340 wrote to memory of 4368	3340	LB3.exe	105
PID 3128 wrote to memory of 4476	3128	printfilterpipelinesvc.exe	109
PID 3128 wrote to memory of 4476	3128	printfilterpipelinesvc.exe	109
PID 3340 wrote to memory of 4508	3340	LB3.exe	110
PID 3340 wrote to memory of 4508	3340	LB3.exe	110
PID 3340 wrote to memory of 4508	3340	LB3.exe	110
PID 3340 wrote to memory of 4508	3340	LB3.exe	110
PID 4508 wrote to memory of 2768	4508	3B70.tmp	111
PID 4508 wrote to memory of 2768	4508	3B70.tmp	111
PID 4508 wrote to memory of 2768	4508	3B70.tmp	111

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\LockBit-main.zip"
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:5000

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:928

C:\Users\Admin\Documents\LockBit-main\keygen.exe
"C:\Users\Admin\Documents\LockBit-main\keygen.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3628

C:\Users\Admin\Documents\LockBit-main\keygen.exe
"C:\Users\Admin\Documents\LockBit-main\keygen.exe"
1⤵
- Executes dropped EXE
PID:960

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Documents\LockBit-main\Build.bat" "
1⤵
- Suspicious use of WriteProcessMemory
PID:3456
- C:\Users\Admin\Documents\LockBit-main\keygen.exe
  keygen -path Build -pubkey pub.key -privkey priv.key
  2⤵
  - Executes dropped EXE
  PID:3724
- C:\Users\Admin\Documents\LockBit-main\builder.exe
  builder -type dec -privkey Build\priv.key -config config.json -ofile Build\LB3Decryptor.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:712
- C:\Users\Admin\Documents\LockBit-main\builder.exe
  builder -type enc -exe -pubkey Build\pub.key -config config.json -ofile Build\LB3.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1548
- C:\Users\Admin\Documents\LockBit-main\builder.exe
  builder -type enc -exe -pass -pubkey Build\pub.key -config config.json -ofile Build\LB3_pass.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:416
- C:\Users\Admin\Documents\LockBit-main\builder.exe
  builder -type enc -dll -pubkey Build\pub.key -config config.json -ofile Build\LB3_Rundll32.dll
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3480
- C:\Users\Admin\Documents\LockBit-main\builder.exe
  builder -type enc -dll -pass -pubkey Build\pub.key -config config.json -ofile Build\LB3_Rundll32_pass.dll
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:412
- C:\Users\Admin\Documents\LockBit-main\builder.exe
  builder -type enc -ref -pubkey Build\pub.key -config config.json -ofile Build\LB3_ReflectiveDll_DllMain.dll
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:844

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1508

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2352
- C:\Program Files\Microsoft Office\root\Office16\Winword.exe
  "C:\Program Files\Microsoft Office\root\Office16\Winword.exe" /n "C:\Users\Admin\Documents\LockBit-main\config.json"
  2⤵
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  PID:2736

C:\Users\Admin\Documents\LockBit-main\Build\LB3_pass.exe
"C:\Users\Admin\Documents\LockBit-main\Build\LB3_pass.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3456
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3456 -s 276
  2⤵
  - Program crash
  PID:2312

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 3456 -ip 3456
1⤵
PID:1892

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Documents\LockBit-main\Build\DECRYPTION_ID.txt
1⤵
PID:4296

C:\Users\Admin\Documents\LockBit-main\Build\LB3.exe
"C:\Users\Admin\Documents\LockBit-main\Build\LB3.exe"
1⤵
- Executes dropped EXE
- Drops desktop.ini file(s)
- Sets desktop wallpaper using registry
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3340
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  - Drops file in System32 directory
  PID:4368
- C:\ProgramData\3B70.tmp
  "C:\ProgramData\3B70.tmp"
  2⤵
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4508
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\3B70.tmp >> NUL
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2768

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
1⤵
PID:2500

C:\Users\Admin\Documents\LockBit-main\Build\LB3Decryptor.exe
"C:\Users\Admin\Documents\LockBit-main\Build\LB3Decryptor.exe"
1⤵
- Executes dropped EXE
- Sets desktop wallpaper using registry
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies registry class
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
PID:2468

C:\Windows\system32\printfilterpipelinesvc.exe
C:\Windows\system32\printfilterpipelinesvc.exe -Embedding
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3128
- C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
  /insertdoc "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\{9FEC90A5-991C-4079-9F8D-74A6F43851E3}.xps" 133803135882090000
  2⤵
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  PID:4476

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-1537126222-899333903-2037027349-1000\DDDDDDDDDDD

Filesize
129B

MD5
28079cf3a4dc53b653e07827a7a7b9c4

SHA1
f84f71a84c9a1799696f09713c0147b767c9ce3b

SHA256
000fa1f33dff695a7dd0ae819aa5c6b49b9ba91262044043172d81afc2663800

SHA512
81c0d0392ce6dcfc307a539b824ee4d2b5a1cfb71d93966d673db84a74e3059e781c30d24daf421e59bd5de0e19f2522eb4438c20ce0791e3544f69f09b0b75e

Download Submit
C:\ProgramData\3B70.tmp

Filesize
14KB

MD5
294e9f64cb1642dd89229fff0592856b

SHA1
97b148c27f3da29ba7b18d6aee8a0db9102f47c9

SHA256
917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2

SHA512
b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Cache\data_0

Filesize
8KB

MD5
cf89d16bb9107c631daabf0c0ee58efb

SHA1
3ae5d3a7cf1f94a56e42f9a58d90a0b9616ae74b

SHA256
d6a5fe39cd672781b256e0e3102f7022635f1d4bb7cfcc90a80fffe4d0f3877e

SHA512
8cb5b059c8105eb91e74a7d5952437aaa1ada89763c5843e7b0f1b93d9ebe15ed40f287c652229291fac02d712cf7ff5ececef276ba0d7ddc35558a3ec3f77b0

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Cache\data_1

Filesize
264KB

MD5
e8e0483c1fb791eb9451839273cee4ac

SHA1
05ee3c57d07a548b95fd3005c2e7ff5fcbe9067a

SHA256
fcdded4b86c9dbfe1cf537d6aa7d185e994d1b2d92a3132262c15d8da662eab2

SHA512
95e378a48fa52e787ad9a58c4261ce81f5320c64e109585601315c207fa3c390b7fffc6d394173daba74622c21f685f3af8cf8e2f46fe5edbda8dd9d3934e5cc

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Cache\data_2

Filesize
8KB

MD5
0962291d6d367570bee5454721c17e11

SHA1
59d10a893ef321a706a9255176761366115bedcb

SHA256
ec1702806f4cc7c42a82fc2b38e89835fde7c64bb32060e0823c9077ca92efb7

SHA512
f555e961b69e09628eaf9c61f465871e6984cd4d31014f954bb747351dad9cea6d17c1db4bca2c1eb7f187cb5f3c0518748c339c8b43bbd1dbd94aeaa16f58ed

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Cache\data_3

Filesize
8KB

MD5
41876349cb12d6db992f1309f22df3f0

SHA1
5cf26b3420fc0302cd0a71e8d029739b8765be27

SHA256
e09f42c398d688dce168570291f1f92d079987deda3099a34adb9e8c0522b30c

SHA512
e9a4fc1f7cb6ae2901f8e02354a92c4aaa7a53c640dcf692db42a27a5acc2a3bfb25a0de0eb08ab53983132016e7d43132ea4292e439bb636aafd53fb6ef907e

Download Submit
C:\Users\Admin\AppData\Local\Comms\UnistoreDB\USSres00002.jrs

Filesize
3.0MB

MD5
d1dd210d6b1312cb342b56d02bd5e651

SHA1
1e5f8def40bb0cb0f7156b9c2bab9efb49cfb699

SHA256
bbd05cf6097ac9b1f89ea29d2542c1b7b67ee46848393895f5a9e43fa1f621e5

SHA512
37a33d86aa47380aa21b17b41dfc8d04f464de7e71820900397436d0916e91b353f184cefe0ad16ae7902f0128aae786d78f14b58beee0c46d583cf1bfd557b8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\GraphiteDawnCache\index

Filesize
256KB

MD5
3350bba093971efff3c352083e3339d6

SHA1
88a013638c5a770bd296d3c00391652547b3a798

SHA256
f518480e8602bd5e0e8c5381d83659d9ebed036a077bc444152f3ad84c1f1c13

SHA512
369bd3cf51e4e73a8a9dd4f4af46b313e7f88d4d3a9c7800a57c698ea8bfcc74b5e9f1d3deebf82acc2b3cb9c06aad8809d7783ee82daa987304eba155069957

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\674CAFFD-8626-42FD-B8EB-233C0FFC1F74

Filesize
177KB

MD5
b65267a94146e643ffe945408ef6d66f

SHA1
56c8bab626246034730f5b5dbd199874758f004a

SHA256
752636cdbfff7994989cb36b662b3f00da21519f65c1edfcf5601f54a8c04ac8

SHA512
f149d2f944900d5fe834daadd6e1283b2c22db3a7e49b2b6e64a5a9a0faa4e0e651e30f8ed0402088708f4e8138cb74b1073bf04c8d3c855310c1cd9b406cdb5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\000000BM.bin

Filesize
1KB

MD5
3f1535054d4f9626f0eb10cee47f076e

SHA1
92ef4f27a33f7704952ecdba4fa69c68fc32fd4b

SHA256
4ab29996d02d93cad184dd05f7a027d00425b90f5657f1e51cc4c37297a0035a

SHA512
2e0ec758b2c28c8db9f7b5edbbe8130f049e66842f2f5cc1c013cf23f7c4443cd211ba297250471cdb4f91f1e3251c1e3f7e2151c576fd1a1ae6a36c3776c6e0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\000000BN.bin

Filesize
4KB

MD5
a1a1017a6a7928761ceb56d1d950e123

SHA1
28272e9c7f816a1ce8f2033fc00f489005332365

SHA256
72f066cd34ea71d0e1b28fb60d663b0372c5254e1a8239c94a164eef9389db88

SHA512
10f4557f102230126bc86cd4b49c93365c38d5cbeac51f4691b90d861098866a2bdefeba507731d4fa14367fee430453bd716157f9074ef643f2b949b09e1530

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\000000BO.bin

Filesize
2KB

MD5
edb5ed43cc6038500a54b90bec493628

SHA1
a8cd63f3914e4347f4c5552fb922c6c03917f45f

SHA256
9f3312e33eb78c6952b5a5d881bbd18751fcfac41d648c6f053ce781342a504f

SHA512
4ebcefd69a4c249aa3b0f00a954c4e463da22fc9ca0b61a0dc46079b438138c509b22188d966fff6599a3a604858bc4cc8fe6e0685a764e8e0477ab7a237db32

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\000000BP.bin

Filesize
12KB

MD5
17e9ff9f735102231846936f0e2baf1a

SHA1
9ec1ae8a3ad55c48c02427d842d6e38da85b5145

SHA256
dd1ca8da90893e0b63abfdd9e60cf2bf844b311964e9d9ddb855c21fca156ebb

SHA512
71e690d6c87b09659296e6e6ddc8e3f91035dd80c5ce875fa557763e8138900c27fb492885291cee203d65bcee8c20c9c39e0590a5fd32b8a00beb3e3f6d6e8f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\000000BR.bin

Filesize
18KB

MD5
ae32e846559d576fd263bd69fedbec28

SHA1
d481df71c858baecfe33418002d368f2dcf68d4a

SHA256
6e21222b0eadab8d3cfb0c7d14941d196165d6709271af317d099f12403cd352

SHA512
9aa4a6dd01d3b745d674721765f2bfccab584ca0603f222edbe9a88190a2a57438041e7a3706cc0656a6abb79aa18118319f210effe3dd917e7b94a6294bd346

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\000000BS.bin

Filesize
3KB

MD5
995ceacad563f849c4142b6a6f29f081

SHA1
44cb3b867cd2917541b7d5aaed2f14f10febb0fd

SHA256
3691fb8c60ea1b827092f05fbb1807e34726016c6ff56698d7b81c44d519d22a

SHA512
3c8efeb966b075d06d8344483352bf92c9292f9970c9377be254eb355efaf017916737aeccdc704b84d532b7229f9908951a6f2cc3fad810791cab224401ad3d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\000000BT.bin

Filesize
1KB

MD5
d5f7a65469623327f799b516acbffd2f

SHA1
76c6333c14af3a7ea091819953e6e12dc289a12c

SHA256
f476fae1c6d79069239c471d182631ab343749c22b1a6990250465c7ec3738fe

SHA512
351b9e455e97e6247e64e4bc1b59c9524e70ae0d09d3b6fb96937378a70536483b00426ee69c3590dd415a8265d21fd031b524b90e4e86814ec9ad704e57793e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\000000BV.bin

Filesize
2KB

MD5
73e38124f94ad20a2f1571fbbe11aeec

SHA1
87fb8056dc7a0a3b70d51426771c4cce2099cfe5

SHA256
a700b63b30cbbe5230cc5e977d651e178ea87e73eab18c8d5ffb1362149addf7

SHA512
320fce64dd6f975384bec9267348cd5cd24a55b13bb09fef1238c2216ad8ecabdccc15601a079ce092acfa4954829ffeb06fbb0631f6ae26e3a39e43c102048b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\000000C2.bin

Filesize
3KB

MD5
c451b2a146bdd7ef33ab3ea27268796d

SHA1
c040ba2f31342cbcbf597c96d4d6edb83d473b77

SHA256
4c264b2a6e88712234daa8e3a8d630cbf4eeb338554cb0b794d8031f8943ee65

SHA512
55915a304b261bc6f38f5cfe0389d5195f85fe2c1da325019c3aa391e8b1773091e078a35bd57f8cee0ba035956382ae33790ef462053fce711eea9665b7f917

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\000000C3.bin

Filesize
14KB

MD5
7ceb71f78a193f8c9f7ffda5f81aebd8

SHA1
eec1597705eff1a527c246b86a71878185ba6b1b

SHA256
77911ff7aeab8fccaf36de6e1183ffe1a6c27f77b5714ee780976ce5189e8fd0

SHA512
1d1ab19b64e1e2abca61ae78b3b50310b0a6cf19d2ecfcb4499d8d0bf68600b4d95bc0945ef9ff9b1d016ed61eac518dcca1a426f460317c07ad51e2e047948c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\000000C5.bin

Filesize
12KB

MD5
0693dabbbc411538d209f32e22f622f6

SHA1
fb7e675406fa123cdb7e058d336742d6a2e8dc8e

SHA256
2dfb2e7a1a3aa43c673d2ee540d3c366ceb12105eb5441f98992fc06f4284013

SHA512
f07732660ec62dae58eb02e2e9476007ea92bf826f642bca547097136aea01d29ff69d9b0cd0f5d65a5e15aa66ca4aa4804aa171a3504aab198631c643c90c16

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\000000C7.bin

Filesize
15KB

MD5
3a5cd52e925a7c4a345047d8f06c3c41

SHA1
9c02828d83206bbd3eb58930c8c65a6ca5dbcf40

SHA256
477277e8caaae1d3b3eab5b3660239aeeabc433743a191727b1a71e529872ac7

SHA512
8d8b6ac645ecc7c8bd374e6190819006c71ac0b5993419c42463009116214e5ec4b4235d94b4ae4cda132e7dda9807adc51525824ac5f12696517ffc8890891e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\000000C8.bin

Filesize
3KB

MD5
29b87beec5d3899824aa390530cd47fb

SHA1
55108e8e5692e4444f72ee5ceb91915e7a2aefc8

SHA256
f00e4f1c9b1d9abeaaec8e5cab02a07fd74f00ace15e36c6f6469de5ab07a9fc

SHA512
1a5ad45bba8c29c32cdd3c4d1e460c30eca305d851faac73df165306bc338337525680b9906d367a0cd3852b9d2daaa8fd0603276ba969495b4e29c7ec8a3530

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\000000C9.bin

Filesize
1KB

MD5
b1fde66f75507567b5f0c6c07b01a3a1

SHA1
80b8e6a923e853232f66c874367e90b5c9cad7ae

SHA256
b9c82d2f31bbe409d159ee3c9129cbaac7c6f6c81637ab9b6dab3c11aa74b7f1

SHA512
fc8c6038d3c2f5765d7524e969574acd10af6fccfd45fe7c6dd4a8c2669b13ee3fb1a8833e94a046ab7037018170b5b87b1a2742e0e10557c413ad634bdf343e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\000000CA.bin

Filesize
2KB

MD5
6efe6733e10e011ffdd6711b5f37c9e2

SHA1
c72549e824ead899944a38c46fbc28bdcdaad611

SHA256
92b5056daa03df3ea85af49ffe4f9cfe8699bdf3539576a99f02418ff49ad9cb

SHA512
ec14b553a5780cd9b33d438ce13a6932de43e346d8d2dec8d093a6a2048675423948f8e2c604a73460980c3c68d9276b65d76c2a6bc7b24fdf10ca92fda2583e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\000000CC.bin

Filesize
2KB

MD5
91cb7f1273aa003076401081b8a22237

SHA1
5157144069e7d2fdae60b397be5851e75bdf7707

SHA256
80682dd6472e8d1136bc5e20f6de87b595562414b19eab8e965736fe992921b0

SHA512
5a8e3c0ed0db94bfe359c63793f12f3d7b3c37f3a13a5c96634ba1dc8c9e50fb1142fe4752fd9fbfa39a682f78c54af868ad337eaa787801fe5f66d8f55a8196

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\000000CD.bin

Filesize
11KB

MD5
31579ca3352df8fa4e3e7f48c7cdf672

SHA1
aa682a3c781bf8ee43b5edc9718e64cb79135f25

SHA256
b0e7824bee2c896279457d87e61e902431beb528d830524cc4dfae126e89fc24

SHA512
782ff9492e3ecb11c72d316ddd94d1f3e94cd908fc9452a37da6ca30abcfe9ab2bcced8583a569da68626bcec730408af86997e295637bf64aff5bc768f3e309

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\000000CE.bin

Filesize
14KB

MD5
3e9f7d399df9cad3669b7a5445ef7074

SHA1
2fbc965dc03ef9203581f595e0d7ab1734726ed7

SHA256
76c80e31f37248c3c787f7972a7b22038390f9d81e72e650071a6f36d36af27a

SHA512
326f8f9cbf829bf80aaa96062a57255a36ee04de310634327aa075d14129cfa8e36e48ab2a00b10f9bdc1d94f1ac7a9e41d0d063361920a0332ec124bdf4c3ee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\000000CF.bin

Filesize
11KB

MD5
163e6791c87e4999c343ec5e23843b15

SHA1
43ce3bae19e22876483a7fd0e93db45790373600

SHA256
deb2b126977ea150e49cdb3acf4f5387639c7b7b5583454edf55adf83dfab720

SHA512
98be1f4684f99a9fd2f313b09a113b5c310ec8ba8eb0ebf5fd69765e5b48b001d39999e3f25a7e76c7344dcf57b4f0bf2e4614fb0e0dfccb6f02e6d1caaf7fdd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\000000CG.bin

Filesize
4KB

MD5
bc6c08f8c2c6d1eee95abfc40c3c3669

SHA1
44de7375375880acc24938d7e92a837e85c35321

SHA256
6e54b502c46e1afa57e28b8accce24f102399f31407827a91e4cd7a42fcbc746

SHA512
2af4a9b87fa4f362926cd77f272cecbe3ed4f0e110fb8f30f661df7c61b77b9fd8e7716eef9177b1038b68c792ca4f844f729daa48b2e38b9945ec9cb44bb720

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\000000CH.bin

Filesize
4KB

MD5
817d5a35edb2b0e052194d4f49fda19c

SHA1
fa6cb2016c5f43b76102b63d60359139227e07ea

SHA256
0a87b8418b7f8e6e117badda11d7cdd38b8b7320c6ba3d3e9af93eb9acb2ce14

SHA512
e0686bdbfc589401f0eaae2b1598199efa285f8392742b1c928b9274088804b23dcb584b6fef68ce6d7e54dff9c10338104f4c0f3f80a04471f0b2e8f9935cc0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\000000CI.bin

Filesize
7KB

MD5
5b386bf9a20766956a84f67f913f23d7

SHA1
6e72e51f5b4fa64e52d2b80b41409b3db927a3c7

SHA256
ddf6a1d5b29bd69c65a148b1247fde8389cc56865e4398e4cbdcbd68a6555043

SHA512
99b4109439d9a688d7747c6847e0ff7399cda01a89c3181789f913e757a82ee4727f95e506f4b01930efc7c6e229b94bb89e385b56bc009ab5cfe332585660c5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\000000CJ.bin

Filesize
2KB

MD5
e88131c9aac52649ff044905acab9b76

SHA1
34ae73b9165cbed0ddf33ac20e4b3e7d622c19bf

SHA256
30f22340f582f9a352a7ed3048d1088f178e83ccaacac1ccfd86852c8f9c78e3

SHA512
97afe8f3a2a3138613934ac737c390a35f6757bfc3d381ea7c7cd148f739932380dcd46d0ba6f590c274f8bfb4d4286b3c0433aa69e090102a8a9abdd7c97eb1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\000000CK.bin

Filesize
4KB

MD5
7f161b19b937ab48d4fd2f6e5e16fdbd

SHA1
bdce4f1c73e87e609a7fdf245a512ca4f73b35b9

SHA256
c863c5e71d1116d69561bd0637f4fe4c4240e9ced05b8a5b056073ad13e6495d

SHA512
e915b76faac9512d2ad11cf4e4530a19bea1c7d8508bc218c69cb041f1eeaba3e2e03b1d56e61b032a6418829752c21b8354af1335466d7e1528a06e6742a461

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\000000CL.bin

Filesize
11KB

MD5
875cfb3b5c3619253223731e8c9879e5

SHA1
6372f4f5beb6eeae3edbe5b62ee73039b40ad01e

SHA256
cc69bae5d2c8f56b28ba4e3c6a11f57c4e8ccce69943acfbe7e63b4fc90ee5f2

SHA512
47f45a3275b8454f8000f4567153dd7d4af3012005d8e34cb18aed6ad69083bec753e607f275fbf3efccb7ba00310a04adfbd5fa5b73e6bbe47ce73901c35ca8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\000000CM.bin

Filesize
12KB

MD5
01367feee0a83e8765e971e0d3740900

SHA1
cae1fd22ce2539fa2acc0242c615cb7ea3f866e1

SHA256
18b8e53505da3c412890f4d74ae2a6b26c4b0827e15e830f92a024d292af20ed

SHA512
8cfbdc014c42ae6417038b80424d2e9fbddd7dfddf579e349c3c17c9b52af33a72463154d29539457c4adab2db00cc28a67902fa8d9209e4af00edd46d52e5ca

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\000000CN.bin

Filesize
13KB

MD5
830632032c7ddbccde126f4bae935540

SHA1
9fef1da9ff1d7762b779553b5f873be54c8d01ef

SHA256
2328d09ec845433dc31808fd6b12616f1d28b9b3ba7dd969adeb6c32d8eb049a

SHA512
5c17ef9a0063499f2c34fab2c4d968d29e20f20868921fa914e5737995aa0c166f224995109ff7aca57b5b0f8647715dc670c4aee385f61b5f8e6e8422c49ea8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\000000CO.bin

Filesize
4KB

MD5
8b3aec1986a522951942ba72b85ccaa0

SHA1
7e0dc78fc65ee4c804a4b0c72aa53e2dfdf26c14

SHA256
8b02cec726decf033b67689f369fde1002acfd5f8c32e0f248ac575997204f2f

SHA512
8ee1a1f6f0023eb4f60760c2e23eafd56e6d298cab49d819cf1d62c0ccf608d4211d3767856255f7cf8ff45ad835fe5475eb92c608989c522cd48d00a050b189

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\000000CP.bin

Filesize
22KB

MD5
548d234c9ab4021ca5fab7bf22502465

SHA1
2f7495d250dc86ea99473cc342d164b859926021

SHA256
7d549c3418cd90f42571d00936b23d242837ce2a8b19fc4c719e182ecb2624c6

SHA512
261523f5eae6fce2829b53aac5938b1a0021c119e00ce82effdbd690fe71064e0f3b313ed1ab2f67a16c488ad5b1a91f5af98029d88a7896f271c108410d42c5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\000000CQ.bin

Filesize
16KB

MD5
708e8eb906bc105cca0535ae669aa651

SHA1
38d82dedfe97d3001188c2e18fe13bd741fd520f

SHA256
1c3d07765294566e17270d0f3b9257a3db7905d4e7ef746aee80cd591ce0308f

SHA512
1efc74c28190dee2d2732390b74049a1b120f05efb8dc6925207c6990ad20450ffab40249899a9dbb82e8f92a61f770e120a450caac7f8c5f0742586cce0edb6

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\er3umqpr.default-release\cache2\entries\DED23BB33EA3C88FAD1C0A1CD53916E0D8C424D3

Filesize
16KB

MD5
b8998f5a40022e872aa0f00046b52aeb

SHA1
ce16c57bd7ef15c5a35a98a3decbf22f9e855629

SHA256
b1230dec1ddc950312fda5f12bd61ec49902b0554276c0229b4f4d886a15b72b

SHA512
81928627e681700989c451cf77f29906a73d6e5d23735314b2f06d562a27f04f582dab1f9c22151adeaab67addd2582ef3a5a2a6c073212ba73e9334ab3d90d4

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{d781ce67-f947-48af-b59e-8592e737f9a2}\Apps.index

Filesize
961KB

MD5
7e73f8b1d12afe903d0935d6e520ea86

SHA1
0bc533796873237b3b3cef1c75391d45204e8b69

SHA256
aa914d64cb8f179147dbdc555e3fac2f695651abef7401dfea5d51f2924ed46f

SHA512
74bedf93616b233b15b9661df7fa075c22cff03d93bc9b9452dc9b6b9aae20bbdb939026018949c0345cf3b96cc719fab35f0140b2ae7ae10c0391bf6cd93ac0

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\LocalState\ConstraintIndex\Settings_{592cdd76-2c1a-4696-8821-ef452b0c5af2}\0.1.filtertrie.intermediate.txt

Filesize
5B

MD5
34bd1dfb9f72cf4f86e6df6da0a9e49a

SHA1
5f96d66f33c81c0b10df2128d3860e3cb7e89563

SHA256
8e1e6a3d56796a245d0c7b0849548932fee803bbdb03f6e289495830e017f14c

SHA512
e3787de7c4bc70ca62234d9a4cdc6bd665bffa66debe3851ee3e8e49e7498b9f1cbc01294bf5e9f75de13fb78d05879e82fa4b89ee45623fe5bf7ac7e48eda96

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\LocalState\ConstraintIndex\Settings_{592cdd76-2c1a-4696-8821-ef452b0c5af2}\0.2.filtertrie.intermediate.txt

Filesize
5B

MD5
c204e9faaf8565ad333828beff2d786e

SHA1
7d23864f5e2a12c1a5f93b555d2d3e7c8f78eec1

SHA256
d65b6a3bf11a27a1ced1f7e98082246e40cf01289fd47fe4a5ed46c221f2f73f

SHA512
e72f4f79a4ae2e5e40a41b322bc0408a6dec282f90e01e0a8aaedf9fb9d6f04a60f45a844595727539c1643328e9c1b989b90785271cc30a6550bbda6b1909f8

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.UndockedDevKit_cw5n1h2txyewy\Settings\settings.dat

Filesize
8KB

MD5
a8308d2f3dde0745e8b678bf69a2ecd0

SHA1
c0ee6155b9b6913c69678f323e2eabfd377c479a

SHA256
7fbb3e503ed8a4a8e5d5fab601883cbb31d2e06d6b598460e570fb7a763ee555

SHA512
9a86d28d40efc655390fea3b78396415ea1b915a1a0ec49bd67073825cfea1a8d94723277186e791614804a5ea2c12f97ac31fad2bf0d91e8e035bde2d026893

Download Submit
C:\Users\Admin\AppData\Local\Temp\TCD7F83.tmp\sist02.xsl

Filesize
245KB

MD5
f883b260a8d67082ea895c14bf56dd56

SHA1
7954565c1f243d46ad3b1e2f1baf3281451fc14b

SHA256
ef4835db41a485b56c2ef0ff7094bc2350460573a686182bc45fd6613480e353

SHA512
d95924a499f32d9b4d9a7d298502181f9e9048c21dbe0496fa3c3279b263d6f7d594b859111a99b1a53bd248ee69b867d7b1768c42e1e40934e0b990f0ce051e

Download Submit
C:\Users\Admin\AppData\Local\Temp\wct8E18.tmp

Filesize
63KB

MD5
e516a60bc980095e8d156b1a99ab5eee

SHA1
238e243ffc12d4e012fd020c9822703109b987f6

SHA256
543796a1b343b4ebc0285d89cb8eb70667ac7b513da37495e38003704e9d88d7

SHA512
9b51e99ba20e9da56d1acc24a1cf9f9c9dbdeb742bec034e0ff2bc179a60f4aff249f40344f9ddd43229dcdefa1041940f65afb336d46c175ffeff725c638d58

Download Submit
C:\Users\Admin\AppData\Local\Temp\{10AAE5A3-1E23-49AB-86E5-44BF3B57D0FD}

Filesize
4KB

MD5
f95b446e78319d0558ec472f625d34ab

SHA1
cd250f8b94ac84e93ce5bbe0b4bdfc2c3ae45b0a

SHA256
7b68effcb373cd7d56ca62b9bc047274cf857ea7fe6bc616a5f240fc2ad4d283

SHA512
72e7aa0843d4cc29bfa41e8142ca3cf35d9486a975e697e64189776b285f60b9a923bb7086f68ae49ef708938562f2493c6b68bc77e6d65cadc4cdf0e9120af7

Download Submit
C:\Users\Admin\AppData\Local\Temp\{3F8430B0-843B-448C-8990-40FCE7FA9C4C}

Filesize
1KB

MD5
ef9aa5b2adbe5df68ac4f4d716df7708

SHA1
363b93aaab9db2832f6ca0ee3c27c9310c344ba8

SHA256
3d94fcc4821a135abaae6579011441b94f9c04dad1e66bb5211b0c019a5968b9

SHA512
ec9b024aea46f7b97d14f0a7e12704d09b85f0017cc9e273ce50f2f889dfdae81de549ccd546bbb8f8baaaaab7781fef77bf783e02ccc9605304552f7dd5903d

Download Submit
C:\Users\Admin\AppData\Local\Temp\{664C7EAA-2CF7-4E7D-8537-6CEE42D6E4BA}

Filesize
5KB

MD5
db48555480a383cd1d4dd00e2bcfcf29

SHA1
8060b6fe12175289f0a71f45b894030a0d9f1ab5

SHA256
807723d8f90a5bd41269a7a62817547026a117d666d5bef454eb699c97ca3fa2

SHA512
2614c04686299cee8d56577a1e836a26076d42e041c627177fdb295629f6a80190910947fa794a094c55a45c3d70725eef29097118e523a38b50c9263c771a41

Download Submit
C:\Users\Admin\AppData\Local\Temp\{D6A75A6E-06F2-4037-8E64-6F3B8C7C1195}

Filesize
7KB

MD5
70daf02ec717ab54452fa4c707bcac74

SHA1
30f46fac5e96470848c5a948162cc12455a05154

SHA256
58469ba93ea36498ff9864eb54713a001c52106de97804506d82ee24b816712b

SHA512
e599fdc22a32cfedbb23eeceae0b278eab9a90959fe6acb40e2b201e45a7c19261aaf529e7a0d9caf2a9a4c64c7831343f3bc20810513990ad5d38a32741564f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

Filesize
297B

MD5
da637ddcf02928214060f862e3b930d8

SHA1
ba4a0fc74fd9498b0637de32ec1072b215eedbd5

SHA256
d1d641dc3431e0d1b5b7f6fe282e7acf69bd9b9e89567d273062976d33f60e4e

SHA512
1e531fbb2818bc0db85903987510de368f032907d0a3ae907ed1d69c9a1480e37daf7876fe91c686cd10dd5e441c976232e1a4e14de2281e856f2b8a7f255ab3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Background Tasks Profiles\1xnt0n40.MozillaBackgroundTask-308046B0AF4A39CB-defaultagent\compatibility.ini

Filesize
200B

MD5
cc26e3da3f8a18ab0edaa8ba362f9efb

SHA1
4141308059d17d5d2d075bbbbd93450e2e1d1844

SHA256
c17ced564ba3438bd8fa8ca7d3c94897882692fa8676b4ea6bf4e260e971dedb

SHA512
a5d1c757788a1b38e2f96cbd814961402bbf0a690b86ccf2a7793aab22e51dc4b5d3a2e18ec6a79fd15126955200b56f12f189e924cd0f6ccaeebb4bb5f9ae34

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\er3umqpr.default-release\sessionstore-backups\upgrade.jsonlz4-20240401114208

Filesize
869B

MD5
03da9995e2467f22558281dd18ae34d7

SHA1
c0f4017f63df29b3215bb4609e83424c5091a92c

SHA256
55a749ce66d1bcfe32dcf76f9926e2d65fe69a6891c1bf1351585b6d57a2786b

SHA512
73b6b0a4f9f36632ab3e00a0d93f8efd6053eab8ae076dc207885056815bb671ebdd87acccf4df0c1555c41ce16c1678c62afbe1b4980592f6003f9689bb1d9d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\er3umqpr.default-release\storage\permanent\chrome\idb\1451318868ntouromlalnodry--epcr.sqlite-shm

Filesize
32KB

MD5
b7c14ec6110fa820ca6b65f5aec85911

SHA1
608eeb7488042453c9ca40f7e1398fc1a270f3f4

SHA256
fd4c9fda9cd3f9ae7c962b0ddf37232294d55580e1aa165aa06129b8549389eb

SHA512
d8d75760f29b1e27ac9430bc4f4ffcec39f1590be5aef2bfb5a535850302e067c288ef59cf3b2c5751009a22a6957733f9f80fa18f2b0d33d90c068a3f08f3b0

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\er3umqpr.default-release\storage\permanent\chrome\idb\3561288849sdhlie.sqlite

Filesize
48KB

MD5
d3982a9f1c42b0348be5cadb26542ca3

SHA1
36539df09bf2ba78609752bae38e694d1191cb2c

SHA256
f1987d3535abe71296504efa0642e787a005377601b7dfa383cc38c06596741e

SHA512
b2dc1e3f1327121d9f050f2f50728ee5d7833a6cbc06137a6dc52cef5dbe4596a4ee2be87f973ad01563f40d49b33dce360fed40094ab1e76d5d15c6646ccbba

Download Submit
C:\Users\Admin\Documents\LockBit-main\Build.bat

Filesize
1KB

MD5
b8f24efd1d30aac9d360db90c8717aee

SHA1
7d31372560f81ea24db57bb18d56143251a8b266

SHA256
95df1d82137315708931f1fc3411e891cd42d1cab413d4380b479788729248ed

SHA512
14ebf7905f15983593164d1c093bb99d098daf3963f1b7a913c1a9763acb950075a0d2cceab3558cce3e7269c2a2d5dacc2b3c6c55807b0b6bda6bfad62dd032

Download Submit
C:\Users\Admin\Documents\LockBit-main\Build\DDDDDDD

Filesize
153KB

MD5
08e6c4aa7c48efefbb135c737e89e5bf

SHA1
b5d3629353c8ca724c969d67c2b4d071061ea42c

SHA256
e310728cb9a600706e66eb6f4499b5ab686c6e206e7c02e7739536987a92f4d7

SHA512
b4cbf8c2f1381d05d5d0c4f89f33a36738c7a3129d4eb2f8639c363063b3456ad0d118a7c1d0e328cb82043095f8cb1037fbf78d69f76ad2168c85c6bdb96637

Download Submit
C:\Users\Admin\Documents\LockBit-main\Build\DECRYPTION_ID.txt

Filesize
16B

MD5
ca37c0ed000ad64d72039528cae53634

SHA1
81e13aaaa1395406916fb9d747752b718a2a9f86

SHA256
48e2d4af97ffe1de9b47e9f295787259c8192ee7c15ea7174988a3083d84fefe

SHA512
bf1ab9d2e4388caf9995517a098d861599edafd5154659611422d428b680a33a211bce08b3b722ac9d0c8c342e5133c218abe4595327df6e43ec59985db189df

Download Submit
C:\Users\Admin\Documents\LockBit-main\Build\LB3.exe

Filesize
153KB

MD5
270d0c128303bb02e4c9a4a1cf8ac5a6

SHA1
7adbd074439002dc39dc3091ffe13e491131b118

SHA256
6e1f2ef1ae9681a373d7b521785d2904e437913c06121bfef661a5636db56e9c

SHA512
b09bd3d919093b8b295ca3438748e65365ff3c1fe8c7fa588d5afab09b45621d51229630e3ff7d5f5ed1f17c290d7800e669d00be1b04546310cad1f6cb987d7

Download Submit
C:\Users\Admin\Documents\LockBit-main\Build\LB3Decryptor.exe

Filesize
54KB

MD5
df06e8045f464e2d242938bc3574c841

SHA1
e0edb949338da9eabcf3a698b7846ee999982683

SHA256
712b548d85ab8cff5baf95ba709157e5ee9bf1a86a609285235e8b6612b173d5

SHA512
058be6951858d1b5e5626ca04e17644b8f1504ad948ba7a061a0f3555dc85032d95c755b9eb79aaaaca60e04f404b93c64c56dce4971a68ab1be3e984a4c001b

Download Submit
C:\Users\Admin\Documents\LockBit-main\Build\LB3_pass.exe

Filesize
149KB

MD5
41819e2e64535dca399923f5322aa46c

SHA1
1813156ed77dbd18226fb893296248c3504c67d1

SHA256
13fb056f35a53573bd34f88881e435019fcf6e0e93262bf868951e2057a9009b

SHA512
fbf8dd4efc1e04d21b9ee9d069e510d40e55d68d0b895e3d3c48d35acd4dca6504b4679810875d5e5024cf13529dcf55bbcd9b37ecac1f37da02966ef099aea8

Download Submit
C:\Users\Admin\Documents\LockBit-main\Build\Password_dll.txt

Filesize
2KB

MD5
90f5745467464171a34156bfee01530b

SHA1
535c9f2df3dec8e65bc9b20655ebb413fabea2e7

SHA256
81ab0388a04d3b50cf3b659f1497aee7d8e701fb269e76bd7f735ded9324c2a8

SHA512
de071f249b137c32c22c6d4b4a2677e0ed16ea5bb9f7c7bcf58f226c007b651ac17f95c491ceff2fd35065a10c65b08176794a4027f3d2a32dcb378aede3ba5f

Download Submit
C:\Users\Admin\Documents\LockBit-main\Build\Password_exe.txt

Filesize
2KB

MD5
d1417ab29524ac2a41c4d400fae4258e

SHA1
0a8c1184ec37c1a00b2e5ace21a1fb02c179f1d9

SHA256
af60719e2a2131676b82f967442b6ad05f6d9b4bb4a86f6dc04111e031a8a628

SHA512
304ca57f698e47a3ce9b5abaaf61907c71ae7ab952f39229b11ba898f8d524cb406f0e21dea6addf63dc5c7fcd9f874e43420b3857c8204974e9f38d9047ae42

Download Submit
C:\Users\Admin\Documents\LockBit-main\Build\priv.key

Filesize
344B

MD5
301e5e742bc4f4a1735c1ca22088826d

SHA1
5899ca4f9ff82dc267287f11c5ce682220c1aabe

SHA256
537f8f5c360eca590b8e0ad343f042397d8b9e99b73dece6452ef805ae516874

SHA512
d3dde9fe176558dac47c18e0059849f0cab37e38d06e619ec27d8c6c6f441ad9995f1d65d8f473beca81e5107105e2cef77fc1a4155b01cc08f84c6d518f183a

Download Submit
C:\Users\Admin\Documents\LockBit-main\Build\pub.key

Filesize
344B

MD5
aef794461d9a3e7119698d306c178967

SHA1
4352e2aeb4b58131cd99d8d76259c28945e5ddfe

SHA256
86ad351c61c76f45b033b56be088afd15cab78b640b1380caeda0f3d3c3d44ba

SHA512
2676bfbb65435caf48bb31666a2050c05480d4acc7f34a0b1187f6c35f3e175d4608e0e37bc25aa54173969bc99c820b8120b7f5ca25587b052155771a887335

Download Submit
C:\Users\Admin\Documents\LockBit-main\README.md

Filesize
4KB

MD5
dc8d96087e0094c3cc793b3445bef8de

SHA1
8bf22f847b778daeccf43468516e775bcda2802c

SHA256
64312260bf9f040c92ece170d05250526f138f059760b8a5b9023d6d38e71db1

SHA512
f939d6a2b9a957a5c0c45beda2e0103a84bc907e2fef0b747c91144b23c5663de388d3076fced1a5a696bb45e7314fd86f19f8fdd668d0d1aac3947290276c2e

Download Submit
C:\Users\Admin\Documents\LockBit-main\builder.exe

Filesize
469KB

MD5
c2bc344f6dde0573ea9acdfb6698bf4c

SHA1
d6ae7dc2462c8c35c4a074b0a62f07cfef873c77

SHA256
a736269f5f3a9f2e11dd776e352e1801bc28bb699e47876784b8ef761e0062db

SHA512
d60cf86c0267cd4e88d21768665bbb43f3048dace1e0013b2361c5bfabf2656ff6215dfb75b6932e09545473305b4f707c069721cdde317b1df1709cd9fc61c0

Download Submit
C:\Users\Admin\Documents\LockBit-main\config.json

Filesize
8KB

MD5
de177fa08e9b2eaa378760afd53be6b2

SHA1
a18050f9e5f2412955df4b868ffb866209d2b84a

SHA256
d121f4293160e0a39cbb184c032cd45baf1372db00cd33afb0e166ac0a60ac4c

SHA512
44f4e745013eaa7d95486c91457c23fd9694f859920766f0139cf5ca9c84ff6c82d59be9675dd1a0c7b3216464c85cf732dbbdb0e641a5e47cbbf1830f4a0a8c

Download Submit
C:\Users\Admin\Documents\LockBit-main\keygen.exe

Filesize
31KB

MD5
71c3b2f765b04d0b7ea0328f6ce0c4e2

SHA1
bf8ecb6519f16a4838ceb0a49097bcc3ef30f3c4

SHA256
ea6d4dedd8c85e4a6bb60408a0dc1d56def1f4ad4f069c730dc5431b1c23da37

SHA512
1923db134d7cee25389a07e4d48894dde7ee8f70d008cd890dd34a03b2741a54ec1555e6821755e5af8eae377ef5005e3f9afceb4681059bc1880276e9bcf035

Download Submit
C:\Users\Admin\Documents\LockBit-main\~$config.json

Filesize
404B

MD5
b53945745e06f922080e85212de7cc74

SHA1
3821b29c224a6186886e9c6fec5a27ef768d8a90

SHA256
c831a8e8a18769309d8054232a8bb67e053403e2dd705db9209059ddb4607277

SHA512
de165fba1cc257892444dfdef90d16b7c65b3281343558d2e17666cd410e139c8fd29dc52fae212dad3631e925882215820bf1d94fcc4b789f0fc017d6158706

Download Submit
C:\Users\Admin\Documents\OneNote Notebooks\My Notebook\Open Notebook.onetoc2

Filesize
4KB

MD5
9766522324deeaadc6f70161affa318a

SHA1
f074a77df5c7fa29e3cdda323e569afc21db1795

SHA256
1028d9f0dbfd8b7eac03724276fcb3a03a42528abf33dd61c3a6bb18064701a3

SHA512
a0910418c3ac8e8f6dea4dcf3cba186923559aa27c478e1e7e05b58f7b6a77eb8b72499b320f8ba22b4e7e7d0d09fb1184101ed6166b1f82714b506df61a1229

Download Submit
C:\Users\YsgFj49Wb.README.txt

Filesize
6KB

MD5
dd746ace17e44ace00885b91400f11d5

SHA1
4a0302d2dca400598f396e4230fdae71779cbeaa

SHA256
b27c3c8a30faf7c76483b7e5d964ae85046a9713caa46508ee7a1e31b7dc6272

SHA512
8ac26aa7262fdf1afdc74e604720a79ebde076c75f460d7d5f57ff4d81dedb1ad471eb114ddd428c1934029746f5c222339090680bc77a6ea09ce329e1da3ef1

Download Submit
C:\vcredist2010_x64.log-MSI_vc_red.msi.txt.YsgFj49Wb

Filesize
380KB

MD5
338d93c826005bb9916f24179f77f917

SHA1
0e0bce2c733d704c1cab63576d91a071b079cd8a

SHA256
39ea824464c9dc1bef9e9ca92b9ed6bf407eee29383afb8c37454fe900125a1a

SHA512
196665c975f342e318997d4270da4b204fad2d81cc25efd9b53d6998c95d5692ec0144741329b9da1e3940425fc5aa811a698b3e6eb0fc6e9ebf480dea3dc84e

Download Submit
C:\vcredist2010_x64.log.html

Filesize
86KB

MD5
5d6a2289596ecc651353c90c78b0482e

SHA1
b33e9e0ba193c53fae9086501a83e843cf589d09

SHA256
91da3a79c79dfbe614e83cf89bd90369898a3956dcf1cceadc9df9c7533ea1b6

SHA512
72cd7155c20a3012b1e167d262b8891a448a9ae949dcab67c578c226f3ebd49ecdb3bb72e5383c5c18c7a0f1f7f054b76c56a8f2fda869fd979631cf56f48460

Download Submit
C:\vcredist2010_x64.log.html.YsgFj49Wb

Filesize
86KB

MD5
7c275caa86916b9880761783b611df24

SHA1
db5310dfcbc688d584fce210e0498a9177b5cb3c

SHA256
e34eba67f67b300229a536b4de11b3d9c81beae013143fe7ad9bc2f554f840fd

SHA512
f1d6bf58c18aab939ca7a7b5964c1e4014c3acf3778881ce50b6020e29d91ed624a5838f72553cd30c4a3c266917568d46ae205d64e41e52fcd7a591d9a9e100

Download Submit
C:\vcredist2010_x86.log-MSI_vc_red.msi.txt.YsgFj49Wb

Filesize
396KB

MD5
c8d8510f90725ae7fddeb4fa1f347228

SHA1
8e958b581fd3a7bc29a89bb31bab440c170e6c1b

SHA256
ef68867c521542b0f8f0ac358566dd8a575578638bd3933c967b36d8b501c84b

SHA512
bf60b1485260045373ecb4051499d5c4fa754f747810f5b71fa721343ab4582bbd4d6e55faf3c16d271839ed3164350372bc85236a51db381813b06209c6e3fc

Download Submit
C:\vcredist2010_x86.log.html.YsgFj49Wb

Filesize
81KB

MD5
28ec81097fb914298024d309aa59fec7

SHA1
c7edb0146855a00ca730113314e8d08c682e4fa1

SHA256
722d2e70da999c29defd02a4ee4cff3a809698bea9d296c46e14f718e21437f3

SHA512
2ed8d16bf5412fb57c7919977cda3d338b723b44057242b5ed1d1a7581dfc7ad043a90fe07b0ca03bf04c0777be60cb5adf42dd700cd8af63baa89e998e2e0ab

Download Submit
C:\vcredist2012_x64_0_vcRuntimeMinimum_x64.log.YsgFj49Wb

Filesize
168KB

MD5
85a38e704e488abe902822e139f4f3bc

SHA1
c21c8b824b81983514e3f087581ce569734ebf8e

SHA256
6e106585e86e276d1bad5fcc64bcef7c0a1e0b0f9116b528255cebbd20d1e7f6

SHA512
1a2287cefcc5894aa1f2d5c1fbc5a76aebb0fc703ed1d5bf6d7aea1aa9f0580b03bb4132a787cbe7ae90d113805d1d43817e0874591dd7c2213497e56e852e8a

Download Submit
C:\vcredist2012_x64_1_vcRuntimeAdditional_x64.log.YsgFj49Wb

Filesize
195KB

MD5
5924d09d15bed05a698787c0947f17cb

SHA1
596ee415d21cd6f0aff2f560ef13abef0c9235c3

SHA256
f5fe88ded29a1f3c29e2a27c64d66c968d703c994e1bca77df23796a52488b97

SHA512
443c25b6c82ebec92281efedb16ec7b51b5e66a1f933eccf6e776c8b855931e94f9290eadd175f3e754e3a0319154e52feeef8c01bb55c55ff1df1c82615a29e

Download Submit
C:\vcredist2012_x86_0_vcRuntimeMinimum_x86.log.YsgFj49Wb

Filesize
171KB

MD5
c90ffc349c7759ae1429e80542fb1a65

SHA1
8bebba6e0d62a9c54fb71d225b1d782fbb278a88

SHA256
efa18cb114d8c6d8f9f6adba87d0eb555e7c26f463061ccf8c06ec31424eb2ff

SHA512
a3788a11266aa0b77023b2f5190c5bf28c1c1801170b4e3cfd0780249e5c83a42df85430f862764fb70f3a436b72aa3d0d4e7206fb2296acd80cd76965bb857f

Download Submit
C:\vcredist2012_x86_1_vcRuntimeAdditional_x86.log.YsgFj49Wb

Filesize
208KB

MD5
7ab5308cbf1b8e4357124dfd810a7c3f

SHA1
a5dc69943ad6202fb855579e7e5cf41bd8c6ec6b

SHA256
fab405d12125980690bd66845985c5abd77e42d64ae62776e9a6ea8c794c72a0

SHA512
9dbfc452837655567d1557ced3a6e068fe5ff41c7339980c7dc9fd5c8f2dbdac2a8e7547e36da3e2149fb3f906a58c0673913203b42c681564a17c8d22391af5

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-1537126222-899333903-2037027349-1000\DDDDDDDDDDD

Filesize
129B

MD5
29b56aa54ef265b186da1d2208ebf10a

SHA1
47f0e8744243a2cb2d7d608f56cba58aa5b29126

SHA256
6c17a0de2e1304ef44b56fd157d4389eb565df06f387951a672c0cf7e755c506

SHA512
1b835e627cf82982cd717b6d32dcaba29e96612e24e33eefc6f0b54da064e006da213e2da48d2e36281525cf57d67d979a713e0e5f2b4dc37c5dc489626089ae

Download Submit
memory/2736-38-0x00007FFAC87B0000-0x00007FFAC87C0000-memory.dmp

Filesize
64KB

Download
memory/2736-41-0x00007FFAC87B0000-0x00007FFAC87C0000-memory.dmp

Filesize
64KB

Download
memory/2736-39-0x00007FFAC87B0000-0x00007FFAC87C0000-memory.dmp

Filesize
64KB

Download
memory/2736-40-0x00007FFAC87B0000-0x00007FFAC87C0000-memory.dmp

Filesize
64KB

Download
memory/2736-43-0x00007FFAC62D0000-0x00007FFAC62E0000-memory.dmp

Filesize
64KB

Download
memory/2736-42-0x00007FFAC62D0000-0x00007FFAC62E0000-memory.dmp

Filesize
64KB

Download
memory/2736-37-0x00007FFAC87B0000-0x00007FFAC87C0000-memory.dmp

Filesize
64KB

Download
memory/3456-552-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3456-554-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4476-3480-0x00007FFAC87B0000-0x00007FFAC87C0000-memory.dmp

Filesize
64KB

Download
memory/4476-3482-0x00007FFAC87B0000-0x00007FFAC87C0000-memory.dmp

Filesize
64KB

Download
memory/4476-3476-0x00007FFAC87B0000-0x00007FFAC87C0000-memory.dmp

Filesize
64KB

Download
memory/4476-3475-0x00007FFAC87B0000-0x00007FFAC87C0000-memory.dmp

Filesize
64KB

Download
memory/4476-3477-0x00007FFAC87B0000-0x00007FFAC87C0000-memory.dmp

Filesize
64KB

Download
memory/4476-3512-0x00007FFAC62D0000-0x00007FFAC62E0000-memory.dmp

Filesize
64KB

Download
memory/4476-3511-0x00007FFAC62D0000-0x00007FFAC62E0000-memory.dmp

Filesize
64KB

Download
memory/4476-5536-0x00007FFAC87B0000-0x00007FFAC87C0000-memory.dmp

Filesize
64KB

Download
memory/4476-5537-0x00007FFAC87B0000-0x00007FFAC87C0000-memory.dmp

Filesize
64KB

Download
memory/4476-5539-0x00007FFAC87B0000-0x00007FFAC87C0000-memory.dmp

Filesize
64KB

Download
memory/4476-5538-0x00007FFAC87B0000-0x00007FFAC87C0000-memory.dmp

Filesize
64KB

Download