Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    149s
  • max time network
    98s
  • platform
    windows7_x64
  • resource
    win7-20240729-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
  • submitted
    15/01/2025, 07:59

General

  • Target

    43ced481e0f68fe57be3246cc5aede353c9d34f4e15d0afe443b5de9514d3ce4.exe

  • Size

    174KB

  • MD5

    7f0312a1f928c3aeab672ca8d5afc6a9

  • SHA1

    efb367a61cb29e63a7269765c6071005a643a55d

  • SHA256

    43ced481e0f68fe57be3246cc5aede353c9d34f4e15d0afe443b5de9514d3ce4

  • SHA512

    854592111580d11597824a16b2d62ad313cf4ecdd2329cd9b333f2e3185f4cd21b16164f2e2330e3c5ecf5184471266528fa38d059920b900a32528f40bebcf6

  • SSDEEP

    3072:+yvWCxfzdNRvpEAdS3rDkALwlYu8+IFMyXJVlRGa5JJ5SU:NvWCxfz0gS7oczu8+IdXJVvbSU

Malware Config

Extracted

Path

C:\Program Files\DVD Maker\de-DE\Restore-My-Files.txt

Family

lockbit

Ransom Note
All your important files are encrypted! Any attempts to restore your files with the thrid-party software will be fatal for your files! RESTORE YOU DATA POSIBLE ONLY BUYING private key from us. There is only one way to get your files back: 1) Through a standard browser(FireFox, Chrome, Edge, Opera) | 1. Open link http://lockbit-decryptor.top/?85C01E35FD24495CDA0E673D14ED22C0 | 2. Follow the instructions on this page 2) Through a Tor Browser - recommended | 1. Download Tor browser - https://www.torproject.org/ and install it. | 2. Open link in TOR browser - http://lockbitks2tvnmwk.onion/?85C01E35FD24495CDA0E673D14ED22C0 This link only works in Tor Browser! | 3. Follow the instructions on this page ### Attention! ### # lockbit-decryptor.top may be blocked. We recommend using a Tor browser to access the site # Do not rename encrypted files. # Do not try to decrypt using third party software, it may cause permanent data loss. # Decryption of your files with the help of third parties may cause increased price(they add their fee to our). # Tor Browser may be blocked in your country or corporate network. Use https://bridges.torproject.org or use Tor Browser over VPN. # Tor Browser user manual https://tb-manual.torproject.org/about
URLs

http://lockbit-decryptor.top/?85C01E35FD24495CDA0E673D14ED22C0

http://lockbitks2tvnmwk.onion/?85C01E35FD24495CDA0E673D14ED22C0

Extracted

Path

C:\Users\Admin\Desktop\LockBit-note.hta

Ransom Note
Lock BIT Any attempts to restore your files with the thrid-party software will be fatal for your files! Restore you data posible only buying private key from us. There is only one way to get your files back: Through a standard browser Open link - http://lockbit-decryptor.top/?85C01E35FD24495CDA0E673D14ED22C0 Follow the instructions on this page Through a recommended Download Tor Browser - https://www.torproject.org/ and install it. Open link in Tor Browser - http://lockbitks2tvnmwk.onion/?85C01E35FD24495CDA0E673D14ED22C0 This link only works in Tor Browser! Follow the instructions on this page Lockbit-decryptor.com may be blocked. We recommend using a Tor browser to access the site Do not rename encrypted files. Do not try to decrypt using third party software, it may cause permanent data loss. Decryption of your files with the help of third parties may cause increased price (they add their fee to our). Tor Browser may be blocked in your country or corporate network. Use https://bridges.torproject.org or use Tor Browser over VPN. Tor Browser user manual https://tb-manual.torproject.org/about
URLs

http://lockbit-decryptor.top/?85C01E35FD24495CDA0E673D14ED22C0

http://lockbitks2tvnmwk.onion/?85C01E35FD24495CDA0E673D14ED22C0
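
Both notes above carry the same 32-hex victim ID in the clearnet and .onion URLs, both cite torproject.org pages that are legitimate and must not end up on a blocklist, and the HTA note names a lockbit-decryptor.com host that it never actually links. Added example, not part of the sandbox report: a Python extractor that turns note text into blocklist-ready IoCs, separates linked hosts from hosts that are only mentioned, and checks that notes from one run agree on the victim ID. The embedded note text is an abridged copy of the two notes above; the function names and the consistency check are this example's own.

```python
import re
from typing import Dict, List, Set

# Abridged copies of the two ransom notes the sandbox extracted for this
# sample; hosts and the victim ID are the sample's own values.
NOTE_TXT = (
    "All your important files are encrypted! "
    "1. Open link http://lockbit-decryptor.top/?85C01E35FD24495CDA0E673D14ED22C0 "
    "1. Download Tor browser - https://www.torproject.org/ and install it. "
    "2. Open link in TOR browser - http://lockbitks2tvnmwk.onion/?85C01E35FD24495CDA0E673D14ED22C0 "
    "# lockbit-decryptor.top may be blocked. "
    "Use https://bridges.torproject.org or use Tor Browser over VPN. "
    "Tor Browser user manual https://tb-manual.torproject.org/about"
)
NOTE_HTA = (
    "Lock BIT Open link - http://lockbit-decryptor.top/?85C01E35FD24495CDA0E673D14ED22C0 "
    "Open link in Tor Browser - http://lockbitks2tvnmwk.onion/?85C01E35FD24495CDA0E673D14ED22C0 "
    "Lockbit-decryptor.com may be blocked. We recommend using a Tor browser "
    "Use https://bridges.torproject.org or use Tor Browser over VPN."
)

# Third-party hosts the note points victims at; they are not attacker
# infrastructure and are excluded from the IoC set.
BENIGN_HOST_SUFFIXES = ("torproject.org",)

URL_RE = re.compile(r"https?://[^\s\"'<>]+")
VICTIM_ID_RE = re.compile(r"\?([0-9A-F]{32})\b")
# Bare host mentions such as "Lockbit-decryptor.com may be blocked".
DECRYPTOR_HOST_RE = re.compile(r"\blockbit-decryptor\.[a-z]+", re.IGNORECASE)


def host_of(url: str) -> str:
    return re.sub(r"^https?://", "", url).split("/", 1)[0].lower()


def is_benign(host: str) -> bool:
    return any(host == s or host.endswith("." + s) for s in BENIGN_HOST_SUFFIXES)


def extract_config(note: str) -> Dict[str, object]:
    """Pull attacker infrastructure and the per-victim ID out of one note."""
    urls = [u.rstrip(".,)") for u in URL_RE.findall(note)]
    attacker_urls = sorted({u for u in urls if not is_benign(host_of(u))})
    hosts = {host_of(u) for u in attacker_urls}
    # Hosts named in prose but never linked are kept apart: worth watching,
    # but weaker evidence than a host the note actually sends victims to.
    mentioned = {m.lower() for m in DECRYPTOR_HOST_RE.findall(note)}
    return {
        "victim_ids": sorted(set(VICTIM_ID_RE.findall(note))),
        "urls": attacker_urls,
        "onion_hosts": sorted(h for h in hosts if h.endswith(".onion")),
        "clearnet_hosts": sorted(h for h in hosts if not h.endswith(".onion")),
        "mentioned_only_hosts": sorted(mentioned - hosts),
    }


def shared_victim_id(notes: List[str]) -> str:
    """Notes dropped by one run must carry one victim ID; a mismatch means
    two infections (or a decoy) whose IDs must not be merged into one case."""
    ids = [set(extract_config(n)["victim_ids"]) for n in notes]
    common = set.intersection(*ids)
    if len(common) != 1 or any(s != common for s in ids):
        raise ValueError(f"inconsistent victim IDs across notes: {ids}")
    return common.pop()


def iocs(notes: List[str]) -> Set[str]:
    """Blocklist-ready hosts from all notes, benign references excluded."""
    out: Set[str] = set()
    for n in notes:
        cfg = extract_config(n)
        out.update(cfg["onion_hosts"])
        out.update(cfg["clearnet_hosts"])
    return out


if __name__ == "__main__":
    for name, note in (("txt", NOTE_TXT), ("hta", NOTE_HTA)):
        print(name, extract_config(note))
    print("victim id:", shared_victim_id([NOTE_TXT, NOTE_HTA]))
    print("iocs:", sorted(iocs([NOTE_TXT, NOTE_HTA])))
```

The victim ID is the value to key a case on: it is what the operator's portal uses to tie a payment to a key, so two hosts whose notes show different IDs were encrypted by different runs even if the binary hash matches.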

Signatures

  • Lockbit

    Ransomware family with multiple variants released since late 2019.

  • Lockbit family
  • Deletes shadow copies 3 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
  • Renames multiple (9364) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Deletes backup catalog 3 TTPs 1 IoCs

    Uses wbadmin.exe to inhibit system recovery.

  • Deletes itself 1 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Enumerates connected drives 3 TTPs 1 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 64 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

  • Interacts with shadow copies 3 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Modifies Control Panel 2 IoCs
  • Modifies Internet Explorer settings 1 TTPs 60 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 48 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SetWindowsHookEx 20 IoCs
  • Suspicious use of WriteProcessMemory 59 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\43ced481e0f68fe57be3246cc5aede353c9d34f4e15d0afe443b5de9514d3ce4.exe
    "C:\Users\Admin\AppData\Local\Temp\43ced481e0f68fe57be3246cc5aede353c9d34f4e15d0afe443b5de9514d3ce4.exe"
    1⤵
    • Adds Run key to start application
    • Enumerates connected drives
    • Sets desktop wallpaper using registry
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Modifies Control Panel
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1712
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2320
      • C:\Windows\system32\vssadmin.exe
        vssadmin delete shadows /all /quiet
        3⤵
        • Interacts with shadow copies
        PID:3024
      • C:\Windows\System32\Wbem\WMIC.exe
        wmic shadowcopy delete
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:916
      • C:\Windows\system32\bcdedit.exe
        bcdedit /set {default} bootstatuspolicy ignoreallfailures
        3⤵
        • Modifies boot configuration data using bcdedit
        PID:2908
      • C:\Windows\system32\bcdedit.exe
        bcdedit /set {default} recoveryenabled no
        3⤵
        • Modifies boot configuration data using bcdedit
        PID:2708
      • C:\Windows\system32\wbadmin.exe
        wbadmin delete catalog -quiet
        3⤵
        • Deletes backup catalog
        PID:2956
    • C:\Windows\SysWOW64\mshta.exe
      "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\LockBit-note.hta"
      2⤵
      • Checks whether UAC is enabled
      • System Location Discovery: System Language Discovery
      • Modifies Internet Explorer settings
      • Suspicious use of WriteProcessMemory
      PID:1056
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe" http://lockbit-decryptor.top/?85C01E35FD24495CDA0E673D14ED22C0
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2652
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2652 CREDAT:275457 /prefetch:2
          4⤵
          • System Location Discovery: System Language Discovery
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:2300
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2652 CREDAT:406530 /prefetch:2
          4⤵
          • System Location Discovery: System Language Discovery
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:876
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2652 CREDAT:603141 /prefetch:2
          4⤵
          • System Location Discovery: System Language Discovery
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:1684
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2652 CREDAT:1782829 /prefetch:2
          4⤵
          • System Location Discovery: System Language Discovery
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:200
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C ping 127.0.0.7 -n 3 > Nul & fsutil file setZeroData offset=0 length=524288 "C:\Users\Admin\AppData\Local\Temp\43ced481e0f68fe57be3246cc5aede353c9d34f4e15d0afe443b5de9514d3ce4.exe" & Del /f /q "C:\Users\Admin\AppData\Local\Temp\43ced481e0f68fe57be3246cc5aede353c9d34f4e15d0afe443b5de9514d3ce4.exe"
      2⤵
      • Deletes itself
      • System Location Discovery: System Language Discovery
      • System Network Configuration Discovery: Internet Connection Discovery
      • Suspicious use of WriteProcessMemory
      PID:408
      • C:\Windows\SysWOW64\PING.EXE
        ping 127.0.0.7 -n 3
        3⤵
        • System Location Discovery: System Language Discovery
        • System Network Configuration Discovery: Internet Connection Discovery
        • Runs ping.exe
        PID:1360
      • C:\Windows\SysWOW64\fsutil.exe
        fsutil file setZeroData offset=0 length=524288 "C:\Users\Admin\AppData\Local\Temp\43ced481e0f68fe57be3246cc5aede353c9d34f4e15d0afe443b5de9514d3ce4.exe"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2436
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2824
  • C:\Windows\system32\wbengine.exe
    "C:\Windows\system32\wbengine.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:1536
  • C:\Windows\System32\vdsldr.exe
    C:\Windows\System32\vdsldr.exe -Embedding
    1⤵
    PID:1636
  • C:\Windows\System32\vds.exe
    C:\Windows\System32\vds.exe
    1⤵
    PID:2080
  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
    1⤵
    • Modifies Internet Explorer settings
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1468
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1468 CREDAT:275457 /prefetch:2
      2⤵
      • System Location Discovery: System Language Discovery
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      PID:572
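
The process tree above is the whole detection story, and it also explains the Signatures section: the sample (PID 1712) spawns one cmd.exe that deletes shadow copies, disables Windows recovery and wipes the backup catalog, then mshta.exe to display the note, and finally a second cmd.exe that pings a loopback address as a delay, writes zeros over the first 512 KiB of its own executable with fsutil and deletes it. Added example, not part of the report: Python detection logic run over constructed Sysmon EID 1 / Security 4688-style records that reproduce this tree. PIDs and command lines are copied from the report; the root parent PID 1000 and the benign "vssadmin list shadows" event are constructed. Hits are correlated per process tree so the verdict rests on the chain, not on one command an administrator could legitimately run. Rule names and the "ransomware-like" threshold are this example's own choices; the ATT&CK IDs are the standard ones (T1490 Inhibit System Recovery, T1070.004 File Deletion, T1218.005 Mshta).

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


SAMPLE = "43ced481e0f68fe57be3246cc5aede353c9d34f4e15d0afe443b5de9514d3ce4.exe"
SAMPLE_PATH = r"C:\Users\Admin\AppData\Local\Temp" + "\\" + SAMPLE
RECOVERY_CMD = (
    r'"C:\Windows\System32\cmd.exe" /c vssadmin delete shadows /all /quiet '
    r"& wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy "
    r"ignoreallfailures & bcdedit /set {default} recoveryenabled no "
    r"& wbadmin delete catalog -quiet"
)
SELF_DELETE_CMD = (
    r'"C:\Windows\System32\cmd.exe" /C ping 127.0.0.7 -n 3 > Nul '
    r"& fsutil file setZeroData offset=0 length=524288 " + f'"{SAMPLE_PATH}" '
    + f'& Del /f /q "{SAMPLE_PATH}"'
)

# Constructed process-creation records mirroring the report's tree.
EVENTS = [
    ProcEvent(1712, 1000, SAMPLE_PATH, f'"{SAMPLE_PATH}"'),
    ProcEvent(2320, 1712, r"C:\Windows\System32\cmd.exe", RECOVERY_CMD),
    ProcEvent(3024, 2320, r"C:\Windows\system32\vssadmin.exe", "vssadmin delete shadows /all /quiet"),
    ProcEvent(916, 2320, r"C:\Windows\System32\Wbem\WMIC.exe", "wmic shadowcopy delete"),
    ProcEvent(2908, 2320, r"C:\Windows\system32\bcdedit.exe", "bcdedit /set {default} bootstatuspolicy ignoreallfailures"),
    ProcEvent(2708, 2320, r"C:\Windows\system32\bcdedit.exe", "bcdedit /set {default} recoveryenabled no"),
    ProcEvent(2956, 2320, r"C:\Windows\system32\wbadmin.exe", "wbadmin delete catalog -quiet"),
    ProcEvent(1056, 1712, r"C:\Windows\SysWOW64\mshta.exe",
              r'"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\LockBit-note.hta"'),
    ProcEvent(408, 1712, r"C:\Windows\SysWOW64\cmd.exe", SELF_DELETE_CMD),
    ProcEvent(1360, 408, r"C:\Windows\SysWOW64\PING.EXE", "ping 127.0.0.7 -n 3"),
    ProcEvent(2436, 408, r"C:\Windows\SysWOW64\fsutil.exe",
              f'fsutil file setZeroData offset=0 length=524288 "{SAMPLE_PATH}"'),
    # Constructed benign noise (an admin listing shadow copies) that must not fire.
    ProcEvent(5000, 4000, r"C:\Windows\system32\vssadmin.exe", "vssadmin list shadows"),
]

# (rule name, ATT&CK technique, pattern over the normalised command line)
RULES: List[Tuple[str, str, "re.Pattern[str]"]] = [
    ("vssadmin_delete_shadows", "T1490", re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\s+shadows\b")),
    ("wmic_shadowcopy_delete", "T1490", re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\s+delete\b")),
    ("bcdedit_disable_recovery", "T1490",
     re.compile(r"\bbcdedit(\.exe)?\b.*\b(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)\b")),
    ("wbadmin_delete_catalog", "T1490", re.compile(r"\bwbadmin(\.exe)?\b.*\bdelete\s+catalog\b")),
    ("fsutil_zero_then_delete", "T1070.004", re.compile(r"\bfsutil\b.*\bsetzerodata\b.*&\s*(del|erase)\b")),
    ("ping_delay_then_delete", "T1070.004", re.compile(r"\bping\b.*-n\s+\d+.*&.*\b(del|erase)\b")),
    ("mshta_runs_hta", "T1218.005", re.compile(r"\bmshta(\.exe)?\b.*\.hta\b")),
]


def normalise(cmdline: str) -> str:
    # Lower-case, drop quotes, collapse whitespace: mixed case, extra spaces
    # and quoted paths must not defeat the patterns.
    return re.sub(r"\s+", " ", cmdline.replace('"', "")).strip().lower()


def match_rules(cmdline: str) -> List[Tuple[str, str]]:
    norm = normalise(cmdline)
    return [(name, tech) for name, tech, rx in RULES if rx.search(norm)]


def root_of(pid: int, parents: Dict[int, int], known: Set[int]) -> int:
    # Walk up until the parent is outside the event set: that is the tree root.
    while parents.get(pid) in known:
        pid = parents[pid]
    return pid


def score_trees(events: List[ProcEvent]) -> Dict[int, Dict[str, object]]:
    """Aggregate rule hits per process tree; a tree that both inhibits
    recovery and wipes its own binary is scored as ransomware-like."""
    known = {e.pid for e in events}
    parents = {e.pid: e.ppid for e in events}
    trees: Dict[int, Dict[str, object]] = defaultdict(lambda: {"rules": set(), "techniques": set()})
    for e in events:
        hits = match_rules(e.cmdline)
        if not hits:
            continue
        t = trees[root_of(e.pid, parents, known)]
        t["rules"].update(r for r, _ in hits)
        t["techniques"].update(tech for _, tech in hits)
    for t in trees.values():
        t["verdict"] = "ransomware-like" if {"T1490", "T1070.004"} <= t["techniques"] else "suspicious"
    return dict(trees)


if __name__ == "__main__":
    for root, info in score_trees(EVENTS).items():
        print(root, info["verdict"], sorted(info["rules"]))
```

Two caveats from the tree itself. Security 4688 only carries the command line when the "Include command line in process creation events" audit policy is on (Sysmon EID 1 always has it); without it every rule above is blind. And because the sample zeroes the first 512 KiB of its own file before deleting it, carving the deleted file from disk yields zeros where the PE header was, so recover the binary from quarantine, the sandbox or a memory dump rather than from the deleted file.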

      MITRE ATT&CK Enterprise v15


      Downloads

      • C:\Program Files\DVD Maker\de-DE\Restore-My-Files.txt

        Filesize

        1KB

        MD5

        3ac54d4842e810d857a60301e261dee4

        SHA1

        984174bbfcc29ac5a3bacb2f1ac5d39c1f99244d

        SHA256

        620294c441850da44eefbeefecf3ff5557046efc06de616c8231999289f6e71f

        SHA512

        a532a77f14c0dfbf9678f1470e5c386221a4b45acf4ad210e3347e8f87bf930b8535f22089dbd0b099a5bb72ea2ba184834fad5f6982ce56d0bd093f1c7bed23

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

        Filesize

        342B

        MD5

        d56344afc08639cd338152b88f3954c0

        SHA1

        983ddab89378f729ebec19c7d611d270180f0523

        SHA256

        b6e2801f1dbe4de299e9ac07a2c0a845e381d8750c876f40b99c60032cdbb957

        SHA512

        2943a6d98e5587251d7265e577c50c7d6593772f2bf28349649309107db229c30d4c69865eab0800c5c1c41258f283f098f7ab7c945c15a6b545efa65f3e5292

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

        Filesize

        342B

        MD5

        9e6c01819f5a77c9ba60e84a839f682d

        SHA1

        419397e074d5dac59ba81af56e0a97c81eb48ce5

        SHA256

        e5dee6fd810e8a07c8a5910c6a9fab616ac1b2b9cf45c7b7eee1624cfd693dcf

        SHA512

        8b0a37350ee986ce30d8fd37fc5da8723df357ccfc9ac03c9b793b74e7a5fa20fb1d1795f19c4e50af1063b274cd9011ad957cb4bc86e7b19bc9512e3ba206ec

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

        Filesize

        342B

        MD5

        cfb6a5518d7502f85ddb4403127cf74b

        SHA1

        57236d9bb818dba74cda28763c6cca1e997beda7

        SHA256

        d391040c29643176e0b5341743916268e2d94c3714b7f7c74dd232a92e4bf421

        SHA512

        127245e4c83c5ad359101d66b1444b12a84053aa0a92e54c4c78c61ba1b041b930e1e3ea03123dfca32ee61841c34c42abc091d1b6e7023243327ece16a9b61a

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

        Filesize

        342B

        MD5

        29850fb695294a32369a1bb8c1507099

        SHA1

        a657ca03e59eb4259ff10cdc2e884d04e10c2cbd

        SHA256

        b5302a6b6fb9d80862a9173c41d70508d8ff11d82e7460b14439c6a17e419408

        SHA512

        7a5474a972d095aca0b736d33e5d7108fcdaa81fd362027c08e575e035ae9a78ed68e14ce63e8fca23f9fc9513f228919828974ba96519eda3a717e00d26aad7

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

        Filesize

        342B

        MD5

        69014a2071372da9b3c1335357814466

        SHA1

        c7da5dba71b60a63e239701f52dd80244deeb741

        SHA256

        da39b43623efb38f5ef252c460a9259e00fda4009a7fef67abeabe8d04f22fde

        SHA512

        e141fd3a0340da1a4ae2a610191673c4002526318e95c8f59f99b292684763dc8ac8848bbbef19c2574c5824631057f555291b24a327c4418923684c5404a1e3

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

        Filesize

        342B

        MD5

        120848b7a0b7992f71f8a99a371ce58f

        SHA1

        0b0ddaec1dd051bbe9939f08c1ba3f2a11cba646

        SHA256

        b187a754b92618e904b165fa49ff4cbdc42a1a7637b877148c19499dc00aa93f

        SHA512

        e29c1cd53a24b2c000b7f727da3c5896913195e8973d49d6741d34f53947de43da1b29f1ea325b04ec9203a2c2def43630d15d85bea6759d389f5ccea2c71030

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

        Filesize

        342B

        MD5

        7f56dc4f4f2c64fa235aed9650d3deb7

        SHA1

        d30b0dac0e3974dd8447725b2107e9a8a9f44889

        SHA256

        034cf7de1b47ec34301e1b3ccc1e3ada758fde2cc6ca9b4bf5112ba595d5eec2

        SHA512

        b5f13114ed8acfb911b5e1575a553d95681f67f33684fe8177e26799bd8c7fadef19d33f3984c8339d675e588685a77b7c556a858561d4920a9d641393f4c90c

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

        Filesize

        342B

        MD5

        18fcd18dee879d7b20c02ecc65c0c54b

        SHA1

        877718d04e99c60b9f3ef9978a2137291e572864

        SHA256

        d9e5ab271e24528d5105b2298e8cc8d6bcf4ffda54ea2364980b24b482900a76

        SHA512

        950a91a74bcae2cf6ddd68603a1512a5c8d4d337ad1edf2a4b238429d0eca05a1b11d38f4c208611057a62d64900670fbb60a658b35d4edb6640e9416348fab1

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

        Filesize

        342B

        MD5

        328d7722501fffa529d9a8348f7b32bb

        SHA1

        3a18b27b440dd62a1504b43c2ba298c95692e019

        SHA256

        a249d34db5d91b3cab2f9be9f78de6e415e6d9808d500108c2a64a744009b0d8

        SHA512

        72d28da41d6f64b1a1fa9f86a3291e4f6e8ed7d25af4a8eeda77fb30a830199bcbbb61c2093936c577204cfa0840e2e442d65ea6e13910bfcff0bacab11b8575

      • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{BEA84A01-D316-11EF-9B6B-D681211CE335}.dat

        Filesize

        5KB

        MD5

        60dee7dcc787d16d4e438076666c52e4

        SHA1

        481d142d8d100d20f1c1682b02c1bb45a4e85686

        SHA256

        ae1cf728d328fb625182f3233b4857f6cb8475954ed132dc7ad2be7c3bb31e43

        SHA512

        1d78e23132af06327ed9700c2608768e1762424fc4321ab5f6f28e755ec2fabad3bb6b692a1de3c64192ac44c3edd2714283da130badc3772517f70a0eed19ce

      • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{BEAD0CC1-D316-11EF-9B6B-D681211CE335}.dat

        Filesize

        5KB

        MD5

        451418266297f7012aea6dde6bc5a701

        SHA1

        848248d30b13d69d841e2d85e5cfd51ccd7946ee

        SHA256

        99e5a241cf530c3cd5a94c92d439cbbeab2b09947dbb6e933ea2df41966585d0

        SHA512

        a3ea1149df83ac2e4a194318aefd4b212aaae268ab39140f27348f09bcb782ae1284b510c09c8ef7bbfb397b995795dc041a9e03e1bb4587e23c0859e5edead8

      • C:\Users\Admin\AppData\Local\Temp\CabA767.tmp

        Filesize

        70KB

        MD5

        49aebf8cbd62d92ac215b2923fb1b9f5

        SHA1

        1723be06719828dda65ad804298d0431f6aff976

        SHA256

        b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

        SHA512

        bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

      • C:\Users\Admin\AppData\Local\Temp\TarA7F8.tmp

        Filesize

        181KB

        MD5

        4ea6026cf93ec6338144661bf1202cd1

        SHA1

        a1dec9044f750ad887935a01430bf49322fbdcb7

        SHA256

        8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

        SHA512

        6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

      • C:\Users\Admin\Desktop\LockBit-note.hta

        Filesize

        17KB

        MD5

        193094b4e82d108d93fd25f2ba295484

        SHA1

        99b656cab6aa5e12df192023caaac52196f77368

        SHA256

        cfd0f3aa908b97cf03ffc52abbdf8a4f9f38c5c18cc5a869c6f9e40743087371

        SHA512

        d61a7806923d31a94f290b2075acedc91f588cfdbee5e5f26140cf69798bd09787954364ef33c221640c1983006542d9fe3bae4d59238b23264a66695e1ec7b0

      • memory/1056-9941-0x0000000003750000-0x0000000003752000-memory.dmp

        Filesize

        8KB

      • memory/1712-1-0x00000000009D0000-0x0000000000AD0000-memory.dmp

        Filesize

        1024KB

      • memory/1712-9928-0x0000000000400000-0x00000000008CB000-memory.dmp

        Filesize

        4.8MB

      • memory/1712-9929-0x00000000009D0000-0x0000000000AD0000-memory.dmp

        Filesize

        1024KB

      • memory/1712-9930-0x0000000000400000-0x0000000000429000-memory.dmp

        Filesize

        164KB

      • memory/1712-7111-0x0000000000400000-0x0000000000429000-memory.dmp

        Filesize

        164KB

      • memory/1712-6137-0x0000000000400000-0x00000000008CB000-memory.dmp

        Filesize

        4.8MB

      • memory/1712-6156-0x0000000000220000-0x0000000000246000-memory.dmp

        Filesize

        152KB

      • memory/1712-4598-0x00000000009D0000-0x0000000000AD0000-memory.dmp

        Filesize

        1024KB

      • memory/1712-3-0x0000000000400000-0x0000000000429000-memory.dmp

        Filesize

        164KB

      • memory/1712-2-0x0000000000220000-0x0000000000246000-memory.dmp

        Filesize

        152KB
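
The dump entries above are worth reading rather than skipping: for PID 1712 the region at 0x400000 (the image base of the 174KB sample) is recorded at 164KB in some snapshots and 4.8MB in others, while the regions at 0x220000 and 0x9D0000 keep a constant size. A region at the image base whose mapped size changes between snapshots is the cue to pull the image from each dump and compare it with the on-disk PE instead of analysing only the file from disk. Added example, not part of the report: a Python parser for the memory/PID-N-start-end-memory.dmp naming used in this listing that groups the entries by (PID, base address) and reports bases whose size differs between snapshots. The entries are copied from the report; treating the middle number as snapshot order is this example's assumption about the naming.

```python
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# Memory-dump entries listed for this run (copied from the report).
DUMP_LINES = """
memory/1056-9941-0x0000000003750000-0x0000000003752000-memory.dmp
memory/1712-1-0x00000000009D0000-0x0000000000AD0000-memory.dmp
memory/1712-9928-0x0000000000400000-0x00000000008CB000-memory.dmp
memory/1712-9929-0x00000000009D0000-0x0000000000AD0000-memory.dmp
memory/1712-9930-0x0000000000400000-0x0000000000429000-memory.dmp
memory/1712-7111-0x0000000000400000-0x0000000000429000-memory.dmp
memory/1712-6137-0x0000000000400000-0x00000000008CB000-memory.dmp
memory/1712-6156-0x0000000000220000-0x0000000000246000-memory.dmp
memory/1712-4598-0x00000000009D0000-0x0000000000AD0000-memory.dmp
memory/1712-3-0x0000000000400000-0x0000000000429000-memory.dmp
memory/1712-2-0x0000000000220000-0x0000000000246000-memory.dmp
""".strip().splitlines()

DUMP_RE = re.compile(
    r"memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp"
)


def parse_dump(line: str) -> Tuple[int, int, int, int]:
    """(pid, seq, start, end) from one entry; raises on anything else."""
    m = DUMP_RE.search(line.strip())
    if not m:
        raise ValueError(f"not a memory dump entry: {line!r}")
    return int(m["pid"]), int(m["seq"]), int(m["start"], 16), int(m["end"], 16)


def regions_by_base(lines: List[str]) -> Dict[Tuple[int, int], List[Tuple[int, int]]]:
    """(pid, base) -> [(seq, size)], sorted by seq. Assumption: the middle
    number grows over the run, so seq order is snapshot order."""
    out: Dict[Tuple[int, int], List[Tuple[int, int]]] = defaultdict(list)
    for line in lines:
        pid, seq, start, end = parse_dump(line)
        out[(pid, start)].append((seq, end - start))
    return {k: sorted(v) for k, v in out.items()}


def resized_bases(lines: List[str]) -> List[Dict[str, object]]:
    """Bases whose mapped size is not the same in every snapshot."""
    findings: List[Dict[str, object]] = []
    for (pid, base), snaps in regions_by_base(lines).items():
        sizes = [size for _, size in snaps]
        if len(set(sizes)) > 1:
            findings.append({
                "pid": pid,
                "base": base,
                "min_size": min(sizes),
                "max_size": max(sizes),
                # Human-readable size per snapshot, in snapshot order.
                "sequence": [(seq, f"{size // 1024}KB") for seq, size in snaps],
            })
    return sorted(findings, key=lambda f: (f["pid"], f["base"]))


if __name__ == "__main__":
    for f in resized_bases(DUMP_LINES):
        print(f"pid {f['pid']} base {f['base']:#x}: "
              f"{f['min_size'] // 1024}KB .. {f['max_size'] // 1024}KB {f['sequence']}")
```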