| IOC | Stage |
|---|---|
| Filename (7z.exe) | Collection |
| FTP to Russian geolocated IP from compromised system | Command and Control |
| Network Connections (IP) | Command and Control |
| User Agent Strings | Command and Control |
| Command interpreter (Plink.exe) | Command and Control |
| AnyDesk Usage (IP) | Command and Control |
| Remote admin tool (AnyDeskMSI.exe) | Command and Control |
| Tools (Action1, Atera, AnyDesk, FixMe.IT, ScreenConnect, Splashtop, Zoho Assist) | Command and Control |
| Domain (eu1-dms.zoho[.]eu, fixme[.]it, unattended.techninline[.]net) | Command and Control |
| Filename (c:\perflogs\lsass.dmp) | Credential Access |
| Filename (c:\users\ | Credential Access |
| Filename (c:\users\ | Credential Access |
| Group Policy Artifacts: NetworkShares.xml | Defense Evasion |
| Registry.pol | Defense Evasion |
| Safe Mode Launch Commands | Defense Evasion |
| Group Policy Artifacts: Services.xml | Defense Evasion |
| Service Killed | Defense Evasion |
| Filename (c:\users\ | Defense Evasion |
| Filename (c:\users\ | Defense Evasion |
| Filename (c:\perflogs\processhacker.exe) | Defense Evasion |
| Registry Artifacts: Disable and Clear Windows Event Logs | Defense Evasion |
| LockBit Command Line Parameters: -del (Self-delete) | Defense Evasion |
| LockBit Command Line Parameters: -pass (32-character value) (Required) Password used to launch LockBit 3.0. | Defense Evasion |
| Tool Download (IP and filename) | Defense Evasion |
| Network scanning software (Netscan.exe) | Discovery |
| Filename (tniwinagent.exe) | Discovery |
| PowerShell script (123.ps1) | Execution |
| Force GPUpdate | Execution |
| Filename (psexesvc.exe) | Execution |
| Mutual Exclusion Object (Mutex) Created | Execution |
| Filename (c:\windows\temp\screenconnect\23.8.5.8707\files\azure.msi) | Exfiltration |
| Volume Shadow Copy Deletion | Impact |
| LockBit Command Line Parameters: -path (File or path) Only encrypts the provided file or folder. | Impact |
| LockBit 3.0 Ransom Note | Impact |
| LockBit 3.0 Black Icon (and also registry artifacts) | Impact |
| LockBit 3.0 Wallpaper (and also registry artifacts) | Impact |
| LockBit Command Line Parameters: -wall (Sets LockBit 3.0 wallpaper and prints out the LockBit 3.0 ransom note) | Impact |
| Group Policy Artifacts: Services.xml | Impact |
| Service Killed | Impact |
| Processes Killed | Impact |
| Suspicious Email Activity | Initial Access |
| LockBit Command Line Parameters: -gspd (Spread laterally via group policy) & -psex (Spread laterally via admin shares) | Lateral Movement |
| Splashtop utility (SRUtility.exe) | Lateral Movement |
| LockBit Command Line Parameters: -safe (Reboot host into Safe Mode) | Persistence |
| Registry Artifacts: Enable Automatic Logon | Persistence |
| Ransom Locations | Persistence |
| Scheduled task: \MEGA\MEGAcmd | Persistence |
| Scheduled task: UpdateAdobeTask | Persistence |
| Mag.dll | Persistence |
| UAC Bypass Via Elevated COM Interface | Privilege Escalation |
| LockBit Command Line Parameters: -safe (Reboot host into Safe Mode) | Privilege Escalation |
| Registry Artifacts: Enable Automatic Logon | Privilege Escalation |
| LockBit Command Line Parameters: -gdel (Remove LockBit 3.0 group policy changes) | Privilege Escalation |
| Group Policy Artifacts: NetworkShares.xml | Privilege Escalation |
| Force GPUpdate | Privilege Escalation |
| Ransom Locations | Privilege Escalation |