blackmatter | b09403adcaf79f3602815c242b3698e43138156d848ac1b0802232d4afc36154

Resubmissions

13-11-2022 18:00

221113-wll9wacb66 10

22-09-2022 05:49

220922-gjgt2sabf4 10

21-09-2022 18:45

220921-xefn7aghd5 10

Analysis

max time kernel
948s
max time network
951s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
21-09-2022 18:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a5bb65afe22627fbf9526fd316d32c368a986a4d65af31814ef2c18cef18422d.zip
Size

285KB
MD5

f871381769ec947b0028412b8e86669b
SHA1

1e11fb4df33528b64ce204283086d19eb25b01b3
SHA256

a5bb65afe22627fbf9526fd316d32c368a986a4d65af31814ef2c18cef18422d
SHA512

db7853e47eea3bd589e0fc1323e73ac8114da08aa0de90debd1afe33b56fc8a15f8b0a06b995a9943f946a945e9b147784c1b384d21c09a10e13393d252637cf
SSDEEP

6144:Jyk7CEChoKaMDst7kVns958jCBoFXTZUBO+zu/GlndySugs7y3a4H:JPfChoKLDy7kW9EXTZUTi4Upgs7qH

Score

10^/10

blackmatter ransomware spyware stealer

Malware Config

Extracted

Path

C:\i3AiYnXkj.README.txt

Ransom Note

~~~ LockBit 3.0 the world's fastest ransomware since 2019~~~ >>>> Your data are stolen and encrypted The data will be published on TOR website if you do not pay the ransom Links for Tor Browser: http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion http://lockbitapt5x4zkjbcqmz6frdhecqqgadevyiwqxukksspnlidyvd7qd.onion http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion http://lockbitapt34kvrip6xojylohhxrwsvpzdffgs5z4pbbsywnzsbdguqd.onion http://lockbitaptc2iq4atewz2ise62q63wfktyrl4qtwuk5qax262kgtzjqd.onion http://lockbitaptjpikdqjynvgozhgc6bgetgucdk5xjacozeaawihmoio6yd.onion http://lockbitaptq7ephv2oigdncfhtwhpqgwmqojnxqdyhprxxfpcllqdxad.onion http://lockbitaptstzf3er2lz6ku3xuifafq2yh5lmiqj5ncur6rtlmkteiqd.onion http://lockbitaptoofrpignlz6dt2wqqc5z3a4evjevoa3eqdfcntxad5lmyd.onion Links for the normal browser http://lockbitapt.uz http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion.ly http://lockbitapt5x4zkjbcqmz6frdhecqqgadevyiwqxukksspnlidyvd7qd.onion.ly http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion.ly http://lockbitapt34kvrip6xojylohhxrwsvpzdffgs5z4pbbsywnzsbdguqd.onion.ly http://lockbitaptc2iq4atewz2ise62q63wfktyrl4qtwuk5qax262kgtzjqd.onion.ly http://lockbitaptjpikdqjynvgozhgc6bgetgucdk5xjacozeaawihmoio6yd.onion.ly http://lockbitaptq7ephv2oigdncfhtwhpqgwmqojnxqdyhprxxfpcllqdxad.onion.ly http://lockbitaptstzf3er2lz6ku3xuifafq2yh5lmiqj5ncur6rtlmkteiqd.onion.ly http://lockbitaptoofrpignlz6dt2wqqc5z3a4evjevoa3eqdfcntxad5lmyd.onion.ly >>>> What guarantees that we will not deceive you? We are not a politically motivated group and we do not need anything other than your money. If you pay, we will provide you the programs for decryption and we will delete your data. Life is too short to be sad. Be not sad, money, it is only paper. If we do not give you decrypters, or we do not delete your data after payment, then nobody will pay us in the future. Therefore to us our reputation is very important. We attack the companies worldwide and there is no dissatisfied victim after payment. You can obtain information about us on twitter https://twitter.com/hashtag/lockbit?f=live >>>> You need contact us and decrypt one file for free on these TOR sites with your personal DECRYPTION ID Download and install TOR Browser https://www.torproject.org/ Write to a chat and wait for the answer, we will always answer you. Sometimes you will need to wait for our answer because we attack many companies. Links for Tor Browser: http://lockbitsupt7nr3fa6e7xyb73lk6bw6rcneqhoyblniiabj4uwvzapqd.onion http://lockbitsupuhswh4izvoucoxsbnotkmgq6durg7kficg6u33zfvq3oyd.onion http://lockbitsupn2h6be2cnqpvncyhj4rgmnwn44633hnzzmtxdvjoqlp7yd.onion Link for the normal browser http://lockbitsupp.uz If you do not get an answer in the chat room for a long time, the site does not work and in any other emergency, you can contact us in jabber or tox. Tox ID LockBitSupp: 3085B89A0C515D2FB124D645906F5D3DA5CB97CEBEA975959AE4F95302A04E1D709C3C4AE9B7 XMPP (Jabber) Support: [email protected] [email protected] >>>> Your personal DECRYPTION ID: 9D0F7B44D7ACDCD3A686FC2C5D673E04 >>>> Warning! Do not DELETE or MODIFY any files, it can lead to recovery problems! >>>> Warning! If you do not pay the ransom we will attack your company repeatedly again! >>>> Advertisement Would you like to earn millions of dollars $$$ ? Our company acquire access to networks of various companies, as well as insider information that can help you steal the most valuable data of any company. You can provide us accounting data for the access to any company, for example, login and password to RDP, VPN, corporate email, etc. Open our letter at your email. Launch the provided virus on any computer in your company. You can do it both using your work computer or the computer of any other employee in order to divert suspicion of being in collusion with us. Companies pay us the foreclosure for the decryption of files and prevention of data leak. You can contact us using Tox messenger without registration and SMS https://tox.chat/download.html. Using Tox messenger, we will never know your real name, it means your privacy is guaranteed. If you want to contact us, write in jabber or tox. Tox ID LockBitSupp: 3085B89A0C515D2FB124D645906F5D3DA5CB97CEBEA975959AE4F95302A04E1D709C3C4AE9B7 XMPP (Jabber) Support: [email protected] [email protected] If this contact is expired, and we do not respond you, look for the relevant contact data on our website via Tor or Brave browser Links for Tor Browser: http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion http://lockbitapt5x4zkjbcqmz6frdhecqqgadevyiwqxukksspnlidyvd7qd.onion http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion http://lockbitapt34kvrip6xojylohhxrwsvpzdffgs5z4pbbsywnzsbdguqd.onion http://lockbitaptc2iq4atewz2ise62q63wfktyrl4qtwuk5qax262kgtzjqd.onion http://lockbitaptjpikdqjynvgozhgc6bgetgucdk5xjacozeaawihmoio6yd.onion http://lockbitaptq7ephv2oigdncfhtwhpqgwmqojnxqdyhprxxfpcllqdxad.onion http://lockbitaptstzf3er2lz6ku3xuifafq2yh5lmiqj5ncur6rtlmkteiqd.onion http://lockbitaptoofrpignlz6dt2wqqc5z3a4evjevoa3eqdfcntxad5lmyd.onion Links for the normal browser http://lockbitapt.uz http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion.ly http://lockbitapt5x4zkjbcqmz6frdhecqqgadevyiwqxukksspnlidyvd7qd.onion.ly http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion.ly http://lockbitapt34kvrip6xojylohhxrwsvpzdffgs5z4pbbsywnzsbdguqd.onion.ly http://lockbitaptc2iq4atewz2ise62q63wfktyrl4qtwuk5qax262kgtzjqd.onion.ly http://lockbitaptjpikdqjynvgozhgc6bgetgucdk5xjacozeaawihmoio6yd.onion.ly http://lockbitaptq7ephv2oigdncfhtwhpqgwmqojnxqdyhprxxfpcllqdxad.onion.ly http://lockbitaptstzf3er2lz6ku3xuifafq2yh5lmiqj5ncur6rtlmkteiqd.onion.ly http://lockbitaptoofrpignlz6dt2wqqc5z3a4evjevoa3eqdfcntxad5lmyd.onion.ly

Emails

[email protected]

URLs

http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion

http://lockbitapt5x4zkjbcqmz6frdhecqqgadevyiwqxukksspnlidyvd7qd.onion

http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion

http://lockbitapt34kvrip6xojylohhxrwsvpzdffgs5z4pbbsywnzsbdguqd.onion

http://lockbitaptc2iq4atewz2ise62q63wfktyrl4qtwuk5qax262kgtzjqd.onion

http://lockbitaptjpikdqjynvgozhgc6bgetgucdk5xjacozeaawihmoio6yd.onion

http://lockbitaptq7ephv2oigdncfhtwhpqgwmqojnxqdyhprxxfpcllqdxad.onion

http://lockbitaptstzf3er2lz6ku3xuifafq2yh5lmiqj5ncur6rtlmkteiqd.onion

http://lockbitaptoofrpignlz6dt2wqqc5z3a4evjevoa3eqdfcntxad5lmyd.onion

http://lockbitapt.uz

http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion.ly

http://lockbitapt5x4zkjbcqmz6frdhecqqgadevyiwqxukksspnlidyvd7qd.onion.ly

http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion.ly

http://lockbitapt34kvrip6xojylohhxrwsvpzdffgs5z4pbbsywnzsbdguqd.onion.ly

http://lockbitaptc2iq4atewz2ise62q63wfktyrl4qtwuk5qax262kgtzjqd.onion.ly

http://lockbitaptjpikdqjynvgozhgc6bgetgucdk5xjacozeaawihmoio6yd.onion.ly

http://lockbitaptq7ephv2oigdncfhtwhpqgwmqojnxqdyhprxxfpcllqdxad.onion.ly

http://lockbitaptstzf3er2lz6ku3xuifafq2yh5lmiqj5ncur6rtlmkteiqd.onion.ly

http://lockbitaptoofrpignlz6dt2wqqc5z3a4evjevoa3eqdfcntxad5lmyd.onion.ly

https://twitter.com/hashtag/lockbit?f=live

Extracted

Family

blackmatter

Version

25.239

Signatures

BlackMatter Ransomware
BlackMatter ransomware group claims to be Darkside and REvil succesor.
ransomware blackmatter

Executes dropped EXE 11 IoCs

pid	Process
4352	keygen.exe
2264	builder.exe
4796	builder.exe
1496	builder.exe
3680	builder.exe
4844	builder.exe
3228	builder.exe
4964	builder.exe
4044	builder.exe
3572	LB3.exe
5036	52F8.tmp

Modifies extensions of user files 8 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

description	ioc	Process
File renamed	C:\Users\Admin\Pictures\GrantAdd.png => C:\Users\Admin\Pictures\GrantAdd.png.i3AiYnXkj	LB3.exe
File opened for modification	C:\Users\Admin\Pictures\GrantAdd.png.i3AiYnXkj	LB3.exe
File renamed	C:\Users\Admin\Pictures\UpdateExport.png => C:\Users\Admin\Pictures\UpdateExport.png.i3AiYnXkj	LB3.exe
File opened for modification	C:\Users\Admin\Pictures\UpdateExport.png.i3AiYnXkj	LB3.exe
File renamed	C:\Users\Admin\Pictures\WatchInstall.crw => C:\Users\Admin\Pictures\WatchInstall.crw.i3AiYnXkj	LB3.exe
File opened for modification	C:\Users\Admin\Pictures\WatchInstall.crw.i3AiYnXkj	LB3.exe
File renamed	C:\Users\Admin\Pictures\DisableNew.tif => C:\Users\Admin\Pictures\DisableNew.tif.i3AiYnXkj	LB3.exe
File opened for modification	C:\Users\Admin\Pictures\DisableNew.tif.i3AiYnXkj	LB3.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	52F8.tmp

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Drops desktop.ini file(s) 1 IoCs

description	ioc	Process
File opened for modification	C:\$Recycle.Bin\S-1-5-21-929662420-1054238289-2961194603-1000\desktop.ini	LB3.exe

Sets desktop wallpaper using registry 2 TTPs 2 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\i3AiYnXkj.bmp"	LB3.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\i3AiYnXkj.bmp"	LB3.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
5036	52F8.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Control Panel 2 IoCs

evasion

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\Desktop	LB3.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\Desktop\WallpaperStyle = "10"	LB3.exe

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.i3AiYnXkj	LB3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.i3AiYnXkj\ = "i3AiYnXkj"	LB3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\i3AiYnXkj\DefaultIcon	LB3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\i3AiYnXkj	LB3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\i3AiYnXkj\DefaultIcon\ = "C:\\ProgramData\\i3AiYnXkj.ico"	LB3.exe

Suspicious behavior: EnumeratesProcesses 58 IoCs

pid	Process
3572	LB3.exe
3572	LB3.exe
3572	LB3.exe
3572	LB3.exe
3572	LB3.exe
3572	LB3.exe
3572	LB3.exe
3572	LB3.exe
3572	LB3.exe
3572	LB3.exe
3572	LB3.exe
3572	LB3.exe
3572	LB3.exe
3572	LB3.exe
3572	LB3.exe
3572	LB3.exe
3572	LB3.exe
3572	LB3.exe
3572	LB3.exe
3572	LB3.exe
3572	LB3.exe
3572	LB3.exe
3572	LB3.exe
3572	LB3.exe
3572	LB3.exe
3572	LB3.exe
3572	LB3.exe
3572	LB3.exe
3572	LB3.exe
3572	LB3.exe
3572	LB3.exe
3572	LB3.exe
3572	LB3.exe
3572	LB3.exe
3572	LB3.exe
3572	LB3.exe
3572	LB3.exe
3572	LB3.exe
3572	LB3.exe
3572	LB3.exe
3572	LB3.exe
3572	LB3.exe
3572	LB3.exe
3572	LB3.exe
3572	LB3.exe
3572	LB3.exe
3572	LB3.exe
3572	LB3.exe
3572	LB3.exe
3572	LB3.exe
3572	LB3.exe
3572	LB3.exe
3572	LB3.exe
3572	LB3.exe
3572	LB3.exe
3572	LB3.exe
3572	LB3.exe
3572	LB3.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
3572	LB3.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeRestorePrivilege	4528	7zG.exe
Token: 35	4528	7zG.exe
Token: SeSecurityPrivilege	4528	7zG.exe
Token: SeSecurityPrivilege	4528	7zG.exe
Token: SeAssignPrimaryTokenPrivilege	3572	LB3.exe
Token: SeBackupPrivilege	3572	LB3.exe
Token: SeDebugPrivilege	3572	LB3.exe
Token: 36	3572	LB3.exe
Token: SeImpersonatePrivilege	3572	LB3.exe
Token: SeIncBasePriorityPrivilege	3572	LB3.exe
Token: SeIncreaseQuotaPrivilege	3572	LB3.exe
Token: 33	3572	LB3.exe
Token: SeManageVolumePrivilege	3572	LB3.exe
Token: SeProfSingleProcessPrivilege	3572	LB3.exe
Token: SeRestorePrivilege	3572	LB3.exe
Token: SeSecurityPrivilege	3572	LB3.exe
Token: SeSystemProfilePrivilege	3572	LB3.exe
Token: SeTakeOwnershipPrivilege	3572	LB3.exe
Token: SeShutdownPrivilege	3572	LB3.exe
Token: SeDebugPrivilege	3572	LB3.exe
Token: SeBackupPrivilege	3572	LB3.exe
Token: SeBackupPrivilege	3572	LB3.exe
Token: SeSecurityPrivilege	3572	LB3.exe
Token: SeSecurityPrivilege	3572	LB3.exe
Token: SeBackupPrivilege	3572	LB3.exe
Token: SeBackupPrivilege	3572	LB3.exe
Token: SeSecurityPrivilege	3572	LB3.exe
Token: SeSecurityPrivilege	3572	LB3.exe
Token: SeBackupPrivilege	3572	LB3.exe
Token: SeBackupPrivilege	3572	LB3.exe
Token: SeSecurityPrivilege	3572	LB3.exe
Token: SeSecurityPrivilege	3572	LB3.exe
Token: SeBackupPrivilege	3572	LB3.exe
Token: SeBackupPrivilege	3572	LB3.exe
Token: SeSecurityPrivilege	3572	LB3.exe
Token: SeSecurityPrivilege	3572	LB3.exe
Token: SeBackupPrivilege	3572	LB3.exe
Token: SeBackupPrivilege	3572	LB3.exe
Token: SeSecurityPrivilege	3572	LB3.exe
Token: SeSecurityPrivilege	3572	LB3.exe
Token: SeBackupPrivilege	3572	LB3.exe
Token: SeBackupPrivilege	3572	LB3.exe
Token: SeSecurityPrivilege	3572	LB3.exe
Token: SeSecurityPrivilege	3572	LB3.exe
Token: SeBackupPrivilege	3572	LB3.exe
Token: SeBackupPrivilege	3572	LB3.exe
Token: SeSecurityPrivilege	3572	LB3.exe
Token: SeSecurityPrivilege	3572	LB3.exe
Token: SeBackupPrivilege	3572	LB3.exe
Token: SeBackupPrivilege	3572	LB3.exe
Token: SeSecurityPrivilege	3572	LB3.exe
Token: SeSecurityPrivilege	3572	LB3.exe
Token: SeBackupPrivilege	3572	LB3.exe
Token: SeBackupPrivilege	3572	LB3.exe
Token: SeSecurityPrivilege	3572	LB3.exe
Token: SeSecurityPrivilege	3572	LB3.exe
Token: SeBackupPrivilege	3572	LB3.exe
Token: SeBackupPrivilege	3572	LB3.exe
Token: SeSecurityPrivilege	3572	LB3.exe
Token: SeSecurityPrivilege	3572	LB3.exe
Token: SeBackupPrivilege	3572	LB3.exe
Token: SeBackupPrivilege	3572	LB3.exe
Token: SeSecurityPrivilege	3572	LB3.exe
Token: SeSecurityPrivilege	3572	LB3.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4528	7zG.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 972 wrote to memory of 4352	972	cmd.exe	106
PID 972 wrote to memory of 4352	972	cmd.exe	106
PID 972 wrote to memory of 4352	972	cmd.exe	106
PID 972 wrote to memory of 2264	972	cmd.exe	107
PID 972 wrote to memory of 2264	972	cmd.exe	107
PID 972 wrote to memory of 2264	972	cmd.exe	107
PID 972 wrote to memory of 4796	972	cmd.exe	108
PID 972 wrote to memory of 4796	972	cmd.exe	108
PID 972 wrote to memory of 4796	972	cmd.exe	108
PID 972 wrote to memory of 1496	972	cmd.exe	109
PID 972 wrote to memory of 1496	972	cmd.exe	109
PID 972 wrote to memory of 1496	972	cmd.exe	109
PID 972 wrote to memory of 3680	972	cmd.exe	110
PID 972 wrote to memory of 3680	972	cmd.exe	110
PID 972 wrote to memory of 3680	972	cmd.exe	110
PID 972 wrote to memory of 4844	972	cmd.exe	111
PID 972 wrote to memory of 4844	972	cmd.exe	111
PID 972 wrote to memory of 4844	972	cmd.exe	111
PID 972 wrote to memory of 3228	972	cmd.exe	112
PID 972 wrote to memory of 3228	972	cmd.exe	112
PID 972 wrote to memory of 3228	972	cmd.exe	112
PID 3572 wrote to memory of 5036	3572	LB3.exe	120
PID 3572 wrote to memory of 5036	3572	LB3.exe	120
PID 3572 wrote to memory of 5036	3572	LB3.exe	120
PID 3572 wrote to memory of 5036	3572	LB3.exe	120
PID 5036 wrote to memory of 1796	5036	52F8.tmp	121
PID 5036 wrote to memory of 1796	5036	52F8.tmp	121
PID 5036 wrote to memory of 1796	5036	52F8.tmp	121

C:\Windows\Explorer.exe
C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\a5bb65afe22627fbf9526fd316d32c368a986a4d65af31814ef2c18cef18422d.zip
1⤵
PID:2444

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1740

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\AppData\Local\Temp\a5bb65afe22627fbf9526fd316d32c368a986a4d65af31814ef2c18cef18422d\" -spe -an -ai#7zMap26329:208:7zEvent26100
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4528

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\a5bb65afe22627fbf9526fd316d32c368a986a4d65af31814ef2c18cef18422d\LockBit30\Build.bat" "
1⤵
- Suspicious use of WriteProcessMemory
PID:972
- C:\Users\Admin\AppData\Local\Temp\a5bb65afe22627fbf9526fd316d32c368a986a4d65af31814ef2c18cef18422d\LockBit30\keygen.exe
  keygen -path C:\Users\Admin\AppData\Local\Temp\a5bb65afe22627fbf9526fd316d32c368a986a4d65af31814ef2c18cef18422d\LockBit30\Build -pubkey pub.key -privkey priv.key
  2⤵
  - Executes dropped EXE
  PID:4352
- C:\Users\Admin\AppData\Local\Temp\a5bb65afe22627fbf9526fd316d32c368a986a4d65af31814ef2c18cef18422d\LockBit30\builder.exe
  builder -type dec -privkey C:\Users\Admin\AppData\Local\Temp\a5bb65afe22627fbf9526fd316d32c368a986a4d65af31814ef2c18cef18422d\LockBit30\Build\priv.key -config config.json -ofile C:\Users\Admin\AppData\Local\Temp\a5bb65afe22627fbf9526fd316d32c368a986a4d65af31814ef2c18cef18422d\LockBit30\Build\LB3Decryptor.exe
  2⤵
  - Executes dropped EXE
  PID:2264
- C:\Users\Admin\AppData\Local\Temp\a5bb65afe22627fbf9526fd316d32c368a986a4d65af31814ef2c18cef18422d\LockBit30\builder.exe
  builder -type enc -exe -pubkey C:\Users\Admin\AppData\Local\Temp\a5bb65afe22627fbf9526fd316d32c368a986a4d65af31814ef2c18cef18422d\LockBit30\Build\pub.key -config config.json -ofile C:\Users\Admin\AppData\Local\Temp\a5bb65afe22627fbf9526fd316d32c368a986a4d65af31814ef2c18cef18422d\LockBit30\Build\LB3.exe
  2⤵
  - Executes dropped EXE
  PID:4796
- C:\Users\Admin\AppData\Local\Temp\a5bb65afe22627fbf9526fd316d32c368a986a4d65af31814ef2c18cef18422d\LockBit30\builder.exe
  builder -type enc -exe -pass -pubkey C:\Users\Admin\AppData\Local\Temp\a5bb65afe22627fbf9526fd316d32c368a986a4d65af31814ef2c18cef18422d\LockBit30\Build\pub.key -config config.json -ofile C:\Users\Admin\AppData\Local\Temp\a5bb65afe22627fbf9526fd316d32c368a986a4d65af31814ef2c18cef18422d\LockBit30\Build\LB3_pass.exe
  2⤵
  - Executes dropped EXE
  PID:1496
- C:\Users\Admin\AppData\Local\Temp\a5bb65afe22627fbf9526fd316d32c368a986a4d65af31814ef2c18cef18422d\LockBit30\builder.exe
  builder -type enc -dll -pubkey C:\Users\Admin\AppData\Local\Temp\a5bb65afe22627fbf9526fd316d32c368a986a4d65af31814ef2c18cef18422d\LockBit30\Build\pub.key -config config.json -ofile C:\Users\Admin\AppData\Local\Temp\a5bb65afe22627fbf9526fd316d32c368a986a4d65af31814ef2c18cef18422d\LockBit30\Build\LB3_Rundll32.dll
  2⤵
  - Executes dropped EXE
  PID:3680
- C:\Users\Admin\AppData\Local\Temp\a5bb65afe22627fbf9526fd316d32c368a986a4d65af31814ef2c18cef18422d\LockBit30\builder.exe
  builder -type enc -dll -pass -pubkey C:\Users\Admin\AppData\Local\Temp\a5bb65afe22627fbf9526fd316d32c368a986a4d65af31814ef2c18cef18422d\LockBit30\Build\pub.key -config config.json -ofile C:\Users\Admin\AppData\Local\Temp\a5bb65afe22627fbf9526fd316d32c368a986a4d65af31814ef2c18cef18422d\LockBit30\Build\LB3_Rundll32_pass.dll
  2⤵
  - Executes dropped EXE
  PID:4844
- C:\Users\Admin\AppData\Local\Temp\a5bb65afe22627fbf9526fd316d32c368a986a4d65af31814ef2c18cef18422d\LockBit30\builder.exe
  builder -type enc -ref -pubkey C:\Users\Admin\AppData\Local\Temp\a5bb65afe22627fbf9526fd316d32c368a986a4d65af31814ef2c18cef18422d\LockBit30\Build\pub.key -config config.json -ofile C:\Users\Admin\AppData\Local\Temp\a5bb65afe22627fbf9526fd316d32c368a986a4d65af31814ef2c18cef18422d\LockBit30\Build\LB3_ReflectiveDll_DllMain.dll
  2⤵
  - Executes dropped EXE
  PID:3228

C:\Users\Admin\AppData\Local\Temp\a5bb65afe22627fbf9526fd316d32c368a986a4d65af31814ef2c18cef18422d\LockBit30\builder.exe
"C:\Users\Admin\AppData\Local\Temp\a5bb65afe22627fbf9526fd316d32c368a986a4d65af31814ef2c18cef18422d\LockBit30\builder.exe"
1⤵
- Executes dropped EXE
PID:4964

C:\Users\Admin\AppData\Local\Temp\a5bb65afe22627fbf9526fd316d32c368a986a4d65af31814ef2c18cef18422d\LockBit30\builder.exe
"C:\Users\Admin\AppData\Local\Temp\a5bb65afe22627fbf9526fd316d32c368a986a4d65af31814ef2c18cef18422d\LockBit30\builder.exe"
1⤵
- Executes dropped EXE
PID:4044

C:\Users\Admin\AppData\Local\Temp\a5bb65afe22627fbf9526fd316d32c368a986a4d65af31814ef2c18cef18422d\LockBit30\Build\LB3.exe
"C:\Users\Admin\AppData\Local\Temp\a5bb65afe22627fbf9526fd316d32c368a986a4d65af31814ef2c18cef18422d\LockBit30\Build\LB3.exe"
1⤵
- Executes dropped EXE
- Modifies extensions of user files
- Drops desktop.ini file(s)
- Sets desktop wallpaper using registry
- Modifies Control Panel
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3572
- C:\ProgramData\52F8.tmp
  "C:\ProgramData\52F8.tmp"
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of WriteProcessMemory
  PID:5036
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\52F8.tmp >> NUL
    3⤵
    PID:1796

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {c82192ee-6cb5-4bc0-9ef0-fb818773790a} -Embedding
1⤵
PID:2356

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-929662420-1054238289-2961194603-1000\AAAAAAAAAAA

Filesize
129B

MD5
35f302f01ca28ca38613f02a17d99d4e

SHA1
8f651f9b70f37321998ffcf29b40cdc659da4c14

SHA256
3ef55fc13822099b75e49555afdecdd752110d074986535e2e44c5ffe4fc11bd

SHA512
e5d46d77b6948111ad3ed6e8156a72734f5b9be31ebd179c41feb826bfd0ef058a0dd67df609f10bee999b2fb81b486a586267dcd078c014ca7c80012d248be4

Download Submit
C:\$Recycle.Bin\S-1-5-21-929662420-1054238289-2961194603-1000\BBBBBBBBBBB

Filesize
129B

MD5
35f302f01ca28ca38613f02a17d99d4e

SHA1
8f651f9b70f37321998ffcf29b40cdc659da4c14

SHA256
3ef55fc13822099b75e49555afdecdd752110d074986535e2e44c5ffe4fc11bd

SHA512
e5d46d77b6948111ad3ed6e8156a72734f5b9be31ebd179c41feb826bfd0ef058a0dd67df609f10bee999b2fb81b486a586267dcd078c014ca7c80012d248be4

Download Submit
C:\$Recycle.Bin\S-1-5-21-929662420-1054238289-2961194603-1000\CCCCCCCCCCC

Filesize
129B

MD5
35f302f01ca28ca38613f02a17d99d4e

SHA1
8f651f9b70f37321998ffcf29b40cdc659da4c14

SHA256
3ef55fc13822099b75e49555afdecdd752110d074986535e2e44c5ffe4fc11bd

SHA512
e5d46d77b6948111ad3ed6e8156a72734f5b9be31ebd179c41feb826bfd0ef058a0dd67df609f10bee999b2fb81b486a586267dcd078c014ca7c80012d248be4

Download Submit
C:\$Recycle.Bin\S-1-5-21-929662420-1054238289-2961194603-1000\DDDDDDDDDDD

Filesize
129B

MD5
35f302f01ca28ca38613f02a17d99d4e

SHA1
8f651f9b70f37321998ffcf29b40cdc659da4c14

SHA256
3ef55fc13822099b75e49555afdecdd752110d074986535e2e44c5ffe4fc11bd

SHA512
e5d46d77b6948111ad3ed6e8156a72734f5b9be31ebd179c41feb826bfd0ef058a0dd67df609f10bee999b2fb81b486a586267dcd078c014ca7c80012d248be4

Download Submit
C:\$Recycle.Bin\S-1-5-21-929662420-1054238289-2961194603-1000\EEEEEEEEEEE

Filesize
129B

MD5
35f302f01ca28ca38613f02a17d99d4e

SHA1
8f651f9b70f37321998ffcf29b40cdc659da4c14

SHA256
3ef55fc13822099b75e49555afdecdd752110d074986535e2e44c5ffe4fc11bd

SHA512
e5d46d77b6948111ad3ed6e8156a72734f5b9be31ebd179c41feb826bfd0ef058a0dd67df609f10bee999b2fb81b486a586267dcd078c014ca7c80012d248be4

Download Submit
C:\$Recycle.Bin\S-1-5-21-929662420-1054238289-2961194603-1000\FFFFFFFFFFF

Filesize
129B

MD5
35f302f01ca28ca38613f02a17d99d4e

SHA1
8f651f9b70f37321998ffcf29b40cdc659da4c14

SHA256
3ef55fc13822099b75e49555afdecdd752110d074986535e2e44c5ffe4fc11bd

SHA512
e5d46d77b6948111ad3ed6e8156a72734f5b9be31ebd179c41feb826bfd0ef058a0dd67df609f10bee999b2fb81b486a586267dcd078c014ca7c80012d248be4

Download Submit
C:\$Recycle.Bin\S-1-5-21-929662420-1054238289-2961194603-1000\GGGGGGGGGGG

Filesize
129B

MD5
35f302f01ca28ca38613f02a17d99d4e

SHA1
8f651f9b70f37321998ffcf29b40cdc659da4c14

SHA256
3ef55fc13822099b75e49555afdecdd752110d074986535e2e44c5ffe4fc11bd

SHA512
e5d46d77b6948111ad3ed6e8156a72734f5b9be31ebd179c41feb826bfd0ef058a0dd67df609f10bee999b2fb81b486a586267dcd078c014ca7c80012d248be4

Download Submit
C:\$Recycle.Bin\S-1-5-21-929662420-1054238289-2961194603-1000\HHHHHHHHHHH

Filesize
129B

MD5
35f302f01ca28ca38613f02a17d99d4e

SHA1
8f651f9b70f37321998ffcf29b40cdc659da4c14

SHA256
3ef55fc13822099b75e49555afdecdd752110d074986535e2e44c5ffe4fc11bd

SHA512
e5d46d77b6948111ad3ed6e8156a72734f5b9be31ebd179c41feb826bfd0ef058a0dd67df609f10bee999b2fb81b486a586267dcd078c014ca7c80012d248be4

Download Submit
C:\$Recycle.Bin\S-1-5-21-929662420-1054238289-2961194603-1000\IIIIIIIIIII

Filesize
129B

MD5
35f302f01ca28ca38613f02a17d99d4e

SHA1
8f651f9b70f37321998ffcf29b40cdc659da4c14

SHA256
3ef55fc13822099b75e49555afdecdd752110d074986535e2e44c5ffe4fc11bd

SHA512
e5d46d77b6948111ad3ed6e8156a72734f5b9be31ebd179c41feb826bfd0ef058a0dd67df609f10bee999b2fb81b486a586267dcd078c014ca7c80012d248be4

Download Submit
C:\$Recycle.Bin\S-1-5-21-929662420-1054238289-2961194603-1000\JJJJJJJJJJJ

Filesize
129B

MD5
35f302f01ca28ca38613f02a17d99d4e

SHA1
8f651f9b70f37321998ffcf29b40cdc659da4c14

SHA256
3ef55fc13822099b75e49555afdecdd752110d074986535e2e44c5ffe4fc11bd

SHA512
e5d46d77b6948111ad3ed6e8156a72734f5b9be31ebd179c41feb826bfd0ef058a0dd67df609f10bee999b2fb81b486a586267dcd078c014ca7c80012d248be4

Download Submit
C:\$Recycle.Bin\S-1-5-21-929662420-1054238289-2961194603-1000\KKKKKKKKKKK

Filesize
129B

MD5
35f302f01ca28ca38613f02a17d99d4e

SHA1
8f651f9b70f37321998ffcf29b40cdc659da4c14

SHA256
3ef55fc13822099b75e49555afdecdd752110d074986535e2e44c5ffe4fc11bd

SHA512
e5d46d77b6948111ad3ed6e8156a72734f5b9be31ebd179c41feb826bfd0ef058a0dd67df609f10bee999b2fb81b486a586267dcd078c014ca7c80012d248be4

Download Submit
C:\$Recycle.Bin\S-1-5-21-929662420-1054238289-2961194603-1000\LLLLLLLLLLL

Filesize
129B

MD5
35f302f01ca28ca38613f02a17d99d4e

SHA1
8f651f9b70f37321998ffcf29b40cdc659da4c14

SHA256
3ef55fc13822099b75e49555afdecdd752110d074986535e2e44c5ffe4fc11bd

SHA512
e5d46d77b6948111ad3ed6e8156a72734f5b9be31ebd179c41feb826bfd0ef058a0dd67df609f10bee999b2fb81b486a586267dcd078c014ca7c80012d248be4

Download Submit
C:\$Recycle.Bin\S-1-5-21-929662420-1054238289-2961194603-1000\MMMMMMMMMMM

Filesize
129B

MD5
35f302f01ca28ca38613f02a17d99d4e

SHA1
8f651f9b70f37321998ffcf29b40cdc659da4c14

SHA256
3ef55fc13822099b75e49555afdecdd752110d074986535e2e44c5ffe4fc11bd

SHA512
e5d46d77b6948111ad3ed6e8156a72734f5b9be31ebd179c41feb826bfd0ef058a0dd67df609f10bee999b2fb81b486a586267dcd078c014ca7c80012d248be4

Download Submit
C:\$Recycle.Bin\S-1-5-21-929662420-1054238289-2961194603-1000\NNNNNNNNNNN

Filesize
129B

MD5
35f302f01ca28ca38613f02a17d99d4e

SHA1
8f651f9b70f37321998ffcf29b40cdc659da4c14

SHA256
3ef55fc13822099b75e49555afdecdd752110d074986535e2e44c5ffe4fc11bd

SHA512
e5d46d77b6948111ad3ed6e8156a72734f5b9be31ebd179c41feb826bfd0ef058a0dd67df609f10bee999b2fb81b486a586267dcd078c014ca7c80012d248be4

Download Submit
C:\$Recycle.Bin\S-1-5-21-929662420-1054238289-2961194603-1000\OOOOOOOOOOO

Filesize
129B

MD5
35f302f01ca28ca38613f02a17d99d4e

SHA1
8f651f9b70f37321998ffcf29b40cdc659da4c14

SHA256
3ef55fc13822099b75e49555afdecdd752110d074986535e2e44c5ffe4fc11bd

SHA512
e5d46d77b6948111ad3ed6e8156a72734f5b9be31ebd179c41feb826bfd0ef058a0dd67df609f10bee999b2fb81b486a586267dcd078c014ca7c80012d248be4

Download Submit
C:\$Recycle.Bin\S-1-5-21-929662420-1054238289-2961194603-1000\PPPPPPPPPPP

Filesize
129B

MD5
35f302f01ca28ca38613f02a17d99d4e

SHA1
8f651f9b70f37321998ffcf29b40cdc659da4c14

SHA256
3ef55fc13822099b75e49555afdecdd752110d074986535e2e44c5ffe4fc11bd

SHA512
e5d46d77b6948111ad3ed6e8156a72734f5b9be31ebd179c41feb826bfd0ef058a0dd67df609f10bee999b2fb81b486a586267dcd078c014ca7c80012d248be4

Download Submit
C:\$Recycle.Bin\S-1-5-21-929662420-1054238289-2961194603-1000\QQQQQQQQQQQ

Filesize
129B

MD5
35f302f01ca28ca38613f02a17d99d4e

SHA1
8f651f9b70f37321998ffcf29b40cdc659da4c14

SHA256
3ef55fc13822099b75e49555afdecdd752110d074986535e2e44c5ffe4fc11bd

SHA512
e5d46d77b6948111ad3ed6e8156a72734f5b9be31ebd179c41feb826bfd0ef058a0dd67df609f10bee999b2fb81b486a586267dcd078c014ca7c80012d248be4

Download Submit
C:\$Recycle.Bin\S-1-5-21-929662420-1054238289-2961194603-1000\RRRRRRRRRRR

Filesize
129B

MD5
35f302f01ca28ca38613f02a17d99d4e

SHA1
8f651f9b70f37321998ffcf29b40cdc659da4c14

SHA256
3ef55fc13822099b75e49555afdecdd752110d074986535e2e44c5ffe4fc11bd

SHA512
e5d46d77b6948111ad3ed6e8156a72734f5b9be31ebd179c41feb826bfd0ef058a0dd67df609f10bee999b2fb81b486a586267dcd078c014ca7c80012d248be4

Download Submit
C:\$Recycle.Bin\S-1-5-21-929662420-1054238289-2961194603-1000\SSSSSSSSSSS

Filesize
129B

MD5
35f302f01ca28ca38613f02a17d99d4e

SHA1
8f651f9b70f37321998ffcf29b40cdc659da4c14

SHA256
3ef55fc13822099b75e49555afdecdd752110d074986535e2e44c5ffe4fc11bd

SHA512
e5d46d77b6948111ad3ed6e8156a72734f5b9be31ebd179c41feb826bfd0ef058a0dd67df609f10bee999b2fb81b486a586267dcd078c014ca7c80012d248be4

Download Submit
C:\$Recycle.Bin\S-1-5-21-929662420-1054238289-2961194603-1000\TTTTTTTTTTT

Filesize
129B

MD5
35f302f01ca28ca38613f02a17d99d4e

SHA1
8f651f9b70f37321998ffcf29b40cdc659da4c14

SHA256
3ef55fc13822099b75e49555afdecdd752110d074986535e2e44c5ffe4fc11bd

SHA512
e5d46d77b6948111ad3ed6e8156a72734f5b9be31ebd179c41feb826bfd0ef058a0dd67df609f10bee999b2fb81b486a586267dcd078c014ca7c80012d248be4

Download Submit
C:\$Recycle.Bin\S-1-5-21-929662420-1054238289-2961194603-1000\UUUUUUUUUUU

Filesize
129B

MD5
35f302f01ca28ca38613f02a17d99d4e

SHA1
8f651f9b70f37321998ffcf29b40cdc659da4c14

SHA256
3ef55fc13822099b75e49555afdecdd752110d074986535e2e44c5ffe4fc11bd

SHA512
e5d46d77b6948111ad3ed6e8156a72734f5b9be31ebd179c41feb826bfd0ef058a0dd67df609f10bee999b2fb81b486a586267dcd078c014ca7c80012d248be4

Download Submit
C:\$Recycle.Bin\S-1-5-21-929662420-1054238289-2961194603-1000\VVVVVVVVVVV

Filesize
129B

MD5
35f302f01ca28ca38613f02a17d99d4e

SHA1
8f651f9b70f37321998ffcf29b40cdc659da4c14

SHA256
3ef55fc13822099b75e49555afdecdd752110d074986535e2e44c5ffe4fc11bd

SHA512
e5d46d77b6948111ad3ed6e8156a72734f5b9be31ebd179c41feb826bfd0ef058a0dd67df609f10bee999b2fb81b486a586267dcd078c014ca7c80012d248be4

Download Submit
C:\$Recycle.Bin\S-1-5-21-929662420-1054238289-2961194603-1000\WWWWWWWWWWW

Filesize
129B

MD5
35f302f01ca28ca38613f02a17d99d4e

SHA1
8f651f9b70f37321998ffcf29b40cdc659da4c14

SHA256
3ef55fc13822099b75e49555afdecdd752110d074986535e2e44c5ffe4fc11bd

SHA512
e5d46d77b6948111ad3ed6e8156a72734f5b9be31ebd179c41feb826bfd0ef058a0dd67df609f10bee999b2fb81b486a586267dcd078c014ca7c80012d248be4

Download Submit
C:\$Recycle.Bin\S-1-5-21-929662420-1054238289-2961194603-1000\XXXXXXXXXXX

Filesize
129B

MD5
35f302f01ca28ca38613f02a17d99d4e

SHA1
8f651f9b70f37321998ffcf29b40cdc659da4c14

SHA256
3ef55fc13822099b75e49555afdecdd752110d074986535e2e44c5ffe4fc11bd

SHA512
e5d46d77b6948111ad3ed6e8156a72734f5b9be31ebd179c41feb826bfd0ef058a0dd67df609f10bee999b2fb81b486a586267dcd078c014ca7c80012d248be4

Download Submit
C:\$Recycle.Bin\S-1-5-21-929662420-1054238289-2961194603-1000\YYYYYYYYYYY

Filesize
129B

MD5
35f302f01ca28ca38613f02a17d99d4e

SHA1
8f651f9b70f37321998ffcf29b40cdc659da4c14

SHA256
3ef55fc13822099b75e49555afdecdd752110d074986535e2e44c5ffe4fc11bd

SHA512
e5d46d77b6948111ad3ed6e8156a72734f5b9be31ebd179c41feb826bfd0ef058a0dd67df609f10bee999b2fb81b486a586267dcd078c014ca7c80012d248be4

Download Submit
C:\$Recycle.Bin\S-1-5-21-929662420-1054238289-2961194603-1000\desktop.ini

Filesize
129B

MD5
35f302f01ca28ca38613f02a17d99d4e

SHA1
8f651f9b70f37321998ffcf29b40cdc659da4c14

SHA256
3ef55fc13822099b75e49555afdecdd752110d074986535e2e44c5ffe4fc11bd

SHA512
e5d46d77b6948111ad3ed6e8156a72734f5b9be31ebd179c41feb826bfd0ef058a0dd67df609f10bee999b2fb81b486a586267dcd078c014ca7c80012d248be4

Download Submit
C:\ProgramData\52F8.tmp

Filesize
14KB

MD5
294e9f64cb1642dd89229fff0592856b

SHA1
97b148c27f3da29ba7b18d6aee8a0db9102f47c9

SHA256
917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2

SHA512
b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

Download Submit
C:\ProgramData\52F8.tmp

Filesize
14KB

MD5
294e9f64cb1642dd89229fff0592856b

SHA1
97b148c27f3da29ba7b18d6aee8a0db9102f47c9

SHA256
917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2

SHA512
b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\a5bb65afe22627fbf9526fd316d32c368a986a4d65af31814ef2c18cef18422d\LockBit30\Build.bat

Filesize
741B

MD5
4e46e28b2e61643f6af70a8b19e5cb1f

SHA1
804a1d0c4a280b18e778e4b97f85562fa6d5a4e6

SHA256
8e83a1727696ced618289f79674b97305d88beeeabf46bd25fc77ac53c1ae339

SHA512
009b17b515ff0ea612e54d8751eef07f1e2b54db07e6cd69a95e7adf775f3c79a0ea91bff2fe593f2314807fdc00c75d80f1807b7dbe90f0fcf94607e675047b

Download Submit
C:\Users\Admin\AppData\Local\Temp\a5bb65afe22627fbf9526fd316d32c368a986a4d65af31814ef2c18cef18422d\LockBit30\Build\DECRYPTION_ID.txt

Filesize
265B

MD5
7392e8a9a9825d686541613a7cfed547

SHA1
caac2bdaffa62a93a5933db56172a197d37b7ea3

SHA256
0fb54e8935f180960c9806166fd9cd3446cdb0aa0c9a22543c42f02bc817747f

SHA512
8440647704f373a74e9427599d26cefddd2cab5fb3ff7375cca8557ba8de9cb9a301bba8c1910984c4c6dffc0314f37f73a26622ac8588f7fea049db81bf141c

Download Submit
C:\Users\Admin\AppData\Local\Temp\a5bb65afe22627fbf9526fd316d32c368a986a4d65af31814ef2c18cef18422d\LockBit30\Build\LB3.exe

Filesize
153KB

MD5
30e338d5ce95a0b1cf0092463772304c

SHA1
ece7a5e9a33a7444bbe935b79faa135d2dadf7ac

SHA256
2cc3bb097d2105e50596f42850a4fd17dc3c8cdfc843cb3076dcaa90ee545d4a

SHA512
49090c62bdff25683e7c16062814e650732da972b23a305c231de18192580b9458b2e3ab087bc3fb2878578d6e2829f903c86783ebb0891590c12bd18794cb70

Download Submit
C:\Users\Admin\AppData\Local\Temp\a5bb65afe22627fbf9526fd316d32c368a986a4d65af31814ef2c18cef18422d\LockBit30\Build\LB3.exe

Filesize
153KB

MD5
30e338d5ce95a0b1cf0092463772304c

SHA1
ece7a5e9a33a7444bbe935b79faa135d2dadf7ac

SHA256
2cc3bb097d2105e50596f42850a4fd17dc3c8cdfc843cb3076dcaa90ee545d4a

SHA512
49090c62bdff25683e7c16062814e650732da972b23a305c231de18192580b9458b2e3ab087bc3fb2878578d6e2829f903c86783ebb0891590c12bd18794cb70

Download Submit
C:\Users\Admin\AppData\Local\Temp\a5bb65afe22627fbf9526fd316d32c368a986a4d65af31814ef2c18cef18422d\LockBit30\Build\Password_dll.txt

Filesize
2KB

MD5
1e4bcf04cb3f2f1f39138ab27b85c55d

SHA1
6cbc27796f365fa093a8a45b73abc826c0378d41

SHA256
703978d41fadeef2a4c304e99cbc868699dce97991cbb9eb2a17166f63655d9e

SHA512
7cad1e9d9c2f0955ad9e71b814a01484c97938edc847908214db38b9c42b07d937ef86c6ca3f08d12fee4370ff937d9f9d3440a16e1cde704dc1459b2de0d883

Download Submit
C:\Users\Admin\AppData\Local\Temp\a5bb65afe22627fbf9526fd316d32c368a986a4d65af31814ef2c18cef18422d\LockBit30\Build\Password_exe.txt

Filesize
2KB

MD5
bf4e906f3074fc5aa945ba879bcc7a8b

SHA1
3938942e7086231072848884ef6ce5ac5fc80e00

SHA256
996a56cb9dae3ad4fda8cd622e1c3b95fe13499cb9191431327d061bb82d0635

SHA512
6d75cdd93c2c6dc2619f71a3db488e117ebcc76da6baa4573bf581713a9a387856503d67e886514dd1732e53f2ea429065ea56a61be13834ed382e216561f04c

Download Submit
C:\Users\Admin\AppData\Local\Temp\a5bb65afe22627fbf9526fd316d32c368a986a4d65af31814ef2c18cef18422d\LockBit30\Build\priv.key

Filesize
344B

MD5
4de623672150ec5a291ae52c6235fd93

SHA1
014b2fde6f041f6172703bc7a729457323776aeb

SHA256
c3734f20c4ee9b4bd094df51b1a6b3fb3d342af86ee14e836bbaa243607ba65d

SHA512
ae06ebd297fea78a71ee27074f8a1109242f3c217f6759fc453e0f1d97b3091fd5e3ce27be15134e452a61e2922da6a17b5d64bcc2c54f02b00c64e44e804f21

Download Submit
C:\Users\Admin\AppData\Local\Temp\a5bb65afe22627fbf9526fd316d32c368a986a4d65af31814ef2c18cef18422d\LockBit30\Build\pub.key

Filesize
344B

MD5
4191626675e10aa3862f4bbcc12abeea

SHA1
4dcd95c42fb2e4db45044b4ab398c559e280c1e6

SHA256
017dc40ebdad87025ece6cbe298d801921273b27f64e6f79f3dfe5df372f849f

SHA512
8e406a0c33e306a9c40902575f5f79f50b6ed584fcef6bf000ad42f4dc0fd24783011396937e8100de1c8e5c417dc72581bb86c8a0cfc69a62e012a3a311ef27

Download Submit
C:\Users\Admin\AppData\Local\Temp\a5bb65afe22627fbf9526fd316d32c368a986a4d65af31814ef2c18cef18422d\LockBit30\builder.exe

Filesize
469KB

MD5
c2bc344f6dde0573ea9acdfb6698bf4c

SHA1
d6ae7dc2462c8c35c4a074b0a62f07cfef873c77

SHA256
a736269f5f3a9f2e11dd776e352e1801bc28bb699e47876784b8ef761e0062db

SHA512
d60cf86c0267cd4e88d21768665bbb43f3048dace1e0013b2361c5bfabf2656ff6215dfb75b6932e09545473305b4f707c069721cdde317b1df1709cd9fc61c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\a5bb65afe22627fbf9526fd316d32c368a986a4d65af31814ef2c18cef18422d\LockBit30\builder.exe

Filesize
469KB

MD5
c2bc344f6dde0573ea9acdfb6698bf4c

SHA1
d6ae7dc2462c8c35c4a074b0a62f07cfef873c77

SHA256
a736269f5f3a9f2e11dd776e352e1801bc28bb699e47876784b8ef761e0062db

SHA512
d60cf86c0267cd4e88d21768665bbb43f3048dace1e0013b2361c5bfabf2656ff6215dfb75b6932e09545473305b4f707c069721cdde317b1df1709cd9fc61c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\a5bb65afe22627fbf9526fd316d32c368a986a4d65af31814ef2c18cef18422d\LockBit30\builder.exe

Filesize
469KB

MD5
c2bc344f6dde0573ea9acdfb6698bf4c

SHA1
d6ae7dc2462c8c35c4a074b0a62f07cfef873c77

SHA256
a736269f5f3a9f2e11dd776e352e1801bc28bb699e47876784b8ef761e0062db

SHA512
d60cf86c0267cd4e88d21768665bbb43f3048dace1e0013b2361c5bfabf2656ff6215dfb75b6932e09545473305b4f707c069721cdde317b1df1709cd9fc61c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\a5bb65afe22627fbf9526fd316d32c368a986a4d65af31814ef2c18cef18422d\LockBit30\builder.exe

Filesize
469KB

MD5
c2bc344f6dde0573ea9acdfb6698bf4c

SHA1
d6ae7dc2462c8c35c4a074b0a62f07cfef873c77

SHA256
a736269f5f3a9f2e11dd776e352e1801bc28bb699e47876784b8ef761e0062db

SHA512
d60cf86c0267cd4e88d21768665bbb43f3048dace1e0013b2361c5bfabf2656ff6215dfb75b6932e09545473305b4f707c069721cdde317b1df1709cd9fc61c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\a5bb65afe22627fbf9526fd316d32c368a986a4d65af31814ef2c18cef18422d\LockBit30\builder.exe

Filesize
469KB

MD5
c2bc344f6dde0573ea9acdfb6698bf4c

SHA1
d6ae7dc2462c8c35c4a074b0a62f07cfef873c77

SHA256
a736269f5f3a9f2e11dd776e352e1801bc28bb699e47876784b8ef761e0062db

SHA512
d60cf86c0267cd4e88d21768665bbb43f3048dace1e0013b2361c5bfabf2656ff6215dfb75b6932e09545473305b4f707c069721cdde317b1df1709cd9fc61c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\a5bb65afe22627fbf9526fd316d32c368a986a4d65af31814ef2c18cef18422d\LockBit30\builder.exe

Filesize
469KB

MD5
c2bc344f6dde0573ea9acdfb6698bf4c

SHA1
d6ae7dc2462c8c35c4a074b0a62f07cfef873c77

SHA256
a736269f5f3a9f2e11dd776e352e1801bc28bb699e47876784b8ef761e0062db

SHA512
d60cf86c0267cd4e88d21768665bbb43f3048dace1e0013b2361c5bfabf2656ff6215dfb75b6932e09545473305b4f707c069721cdde317b1df1709cd9fc61c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\a5bb65afe22627fbf9526fd316d32c368a986a4d65af31814ef2c18cef18422d\LockBit30\builder.exe

Filesize
469KB

MD5
c2bc344f6dde0573ea9acdfb6698bf4c

SHA1
d6ae7dc2462c8c35c4a074b0a62f07cfef873c77

SHA256
a736269f5f3a9f2e11dd776e352e1801bc28bb699e47876784b8ef761e0062db

SHA512
d60cf86c0267cd4e88d21768665bbb43f3048dace1e0013b2361c5bfabf2656ff6215dfb75b6932e09545473305b4f707c069721cdde317b1df1709cd9fc61c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\a5bb65afe22627fbf9526fd316d32c368a986a4d65af31814ef2c18cef18422d\LockBit30\builder.exe

Filesize
469KB

MD5
c2bc344f6dde0573ea9acdfb6698bf4c

SHA1
d6ae7dc2462c8c35c4a074b0a62f07cfef873c77

SHA256
a736269f5f3a9f2e11dd776e352e1801bc28bb699e47876784b8ef761e0062db

SHA512
d60cf86c0267cd4e88d21768665bbb43f3048dace1e0013b2361c5bfabf2656ff6215dfb75b6932e09545473305b4f707c069721cdde317b1df1709cd9fc61c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\a5bb65afe22627fbf9526fd316d32c368a986a4d65af31814ef2c18cef18422d\LockBit30\builder.exe

Filesize
469KB

MD5
c2bc344f6dde0573ea9acdfb6698bf4c

SHA1
d6ae7dc2462c8c35c4a074b0a62f07cfef873c77

SHA256
a736269f5f3a9f2e11dd776e352e1801bc28bb699e47876784b8ef761e0062db

SHA512
d60cf86c0267cd4e88d21768665bbb43f3048dace1e0013b2361c5bfabf2656ff6215dfb75b6932e09545473305b4f707c069721cdde317b1df1709cd9fc61c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\a5bb65afe22627fbf9526fd316d32c368a986a4d65af31814ef2c18cef18422d\LockBit30\config.json

Filesize
8KB

MD5
a6ba7b662de10b45ebe5b6b7edaa62a9

SHA1
f3ed67bdaef070cd5a213b89d53c5b8022d6f266

SHA256
3f7518d88aefd4b1e0a1d6f9748f9a9960c1271d679600e34f5065d8df8c9dc8

SHA512
7fc9d4d61742a26def74c7dd86838482e3fc1e4e065cb3a06ae151e2c8614c9c36e8816ae0a3560ad5dd3cc02be131cb232c7deacc7f7b5a611e8eec790feea1

Download Submit
C:\Users\Admin\AppData\Local\Temp\a5bb65afe22627fbf9526fd316d32c368a986a4d65af31814ef2c18cef18422d\LockBit30\keygen.exe

Filesize
31KB

MD5
71c3b2f765b04d0b7ea0328f6ce0c4e2

SHA1
bf8ecb6519f16a4838ceb0a49097bcc3ef30f3c4

SHA256
ea6d4dedd8c85e4a6bb60408a0dc1d56def1f4ad4f069c730dc5431b1c23da37

SHA512
1923db134d7cee25389a07e4d48894dde7ee8f70d008cd890dd34a03b2741a54ec1555e6821755e5af8eae377ef5005e3f9afceb4681059bc1880276e9bcf035

Download Submit
C:\Users\Admin\AppData\Local\Temp\a5bb65afe22627fbf9526fd316d32c368a986a4d65af31814ef2c18cef18422d\LockBit30\keygen.exe

Filesize
31KB

MD5
71c3b2f765b04d0b7ea0328f6ce0c4e2

SHA1
bf8ecb6519f16a4838ceb0a49097bcc3ef30f3c4

SHA256
ea6d4dedd8c85e4a6bb60408a0dc1d56def1f4ad4f069c730dc5431b1c23da37

SHA512
1923db134d7cee25389a07e4d48894dde7ee8f70d008cd890dd34a03b2741a54ec1555e6821755e5af8eae377ef5005e3f9afceb4681059bc1880276e9bcf035

Download Submit
memory/5036-188-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download