Malware Analysis Report

2024-10-16 03:22

Sample ID 220921-xefn7aghd5
Target a5bb65afe22627fbf9526fd316d32c368a986a4d65af31814ef2c18cef18422d.zip
SHA256 b09403adcaf79f3602815c242b3698e43138156d848ac1b0802232d4afc36154
Tags blackmatter ransomware spyware stealer
Score 10/10

Analysis Overview

score
10/10

SHA256

b09403adcaf79f3602815c242b3698e43138156d848ac1b0802232d4afc36154

Threat Level: Known bad

The file a5bb65afe22627fbf9526fd316d32c368a986a4d65af31814ef2c18cef18422d.zip was found to be: Known bad.

Malicious Activity Summary

blackmatter ransomware spyware stealer

BlackMatter Ransomware

Blackmatter family

Executes dropped EXE

Modifies extensions of user files

Checks computer location settings

Reads user/profile data of web browsers

Drops desktop.ini file(s)

Sets desktop wallpaper using registry

Suspicious use of NtSetInformationThreadHideFromDebugger

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Suspicious behavior: RenamesItself

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Modifies registry class

Modifies Control Panel

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-09-21 18:47

Signatures

Blackmatter family

blackmatter

Analysis: behavioral1

Detonation Overview

Submitted

2022-09-21 18:45

Reported

2022-09-21 19:06

Platform

win10v2004-20220901-en

Max time kernel

948s

Max time network

951s

Command Line

C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\a5bb65afe22627fbf9526fd316d32c368a986a4d65af31814ef2c18cef18422d.zip

Signatures

BlackMatter Ransomware

ransomware blackmatter

Modifies extensions of user files

ransomware
Description Indicator Process Target
File renamed C:\Users\Admin\Pictures\GrantAdd.png => C:\Users\Admin\Pictures\GrantAdd.png.i3AiYnXkj C:\Users\Admin\AppData\Local\Temp\a5bb65afe22627fbf9526fd316d32c368a986a4d65af31814ef2c18cef18422d\LockBit30\Build\LB3.exe N/A
File opened for modification C:\Users\Admin\Pictures\GrantAdd.png.i3AiYnXkj C:\Users\Admin\AppData\Local\Temp\a5bb65afe22627fbf9526fd316d32c368a986a4d65af31814ef2c18cef18422d\LockBit30\Build\LB3.exe N/A
File renamed C:\Users\Admin\Pictures\UpdateExport.png => C:\Users\Admin\Pictures\UpdateExport.png.i3AiYnXkj C:\Users\Admin\AppData\Local\Temp\a5bb65afe22627fbf9526fd316d32c368a986a4d65af31814ef2c18cef18422d\LockBit30\Build\LB3.exe N/A
File opened for modification C:\Users\Admin\Pictures\UpdateExport.png.i3AiYnXkj C:\Users\Admin\AppData\Local\Temp\a5bb65afe22627fbf9526fd316d32c368a986a4d65af31814ef2c18cef18422d\LockBit30\Build\LB3.exe N/A
File renamed C:\Users\Admin\Pictures\WatchInstall.crw => C:\Users\Admin\Pictures\WatchInstall.crw.i3AiYnXkj C:\Users\Admin\AppData\Local\Temp\a5bb65afe22627fbf9526fd316d32c368a986a4d65af31814ef2c18cef18422d\LockBit30\Build\LB3.exe N/A
File opened for modification C:\Users\Admin\Pictures\WatchInstall.crw.i3AiYnXkj C:\Users\Admin\AppData\Local\Temp\a5bb65afe22627fbf9526fd316d32c368a986a4d65af31814ef2c18cef18422d\LockBit30\Build\LB3.exe N/A
File renamed C:\Users\Admin\Pictures\DisableNew.tif => C:\Users\Admin\Pictures\DisableNew.tif.i3AiYnXkj C:\Users\Admin\AppData\Local\Temp\a5bb65afe22627fbf9526fd316d32c368a986a4d65af31814ef2c18cef18422d\LockBit30\Build\LB3.exe N/A
File opened for modification C:\Users\Admin\Pictures\DisableNew.tif.i3AiYnXkj C:\Users\Admin\AppData\Local\Temp\a5bb65afe22627fbf9526fd316d32c368a986a4d65af31814ef2c18cef18422d\LockBit30\Build\LB3.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation C:\ProgramData\52F8.tmp N/A

Reads user/profile data of web browsers

spyware stealer

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\$Recycle.Bin\S-1-5-21-929662420-1054238289-2961194603-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\a5bb65afe22627fbf9526fd316d32c368a986a4d65af31814ef2c18cef18422d\LockBit30\Build\LB3.exe N/A

Sets desktop wallpaper using registry

ransomware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\i3AiYnXkj.bmp" C:\Users\Admin\AppData\Local\Temp\a5bb65afe22627fbf9526fd316d32c368a986a4d65af31814ef2c18cef18422d\LockBit30\Build\LB3.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\i3AiYnXkj.bmp" C:\Users\Admin\AppData\Local\Temp\a5bb65afe22627fbf9526fd316d32c368a986a4d65af31814ef2c18cef18422d\LockBit30\Build\LB3.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\ProgramData\52F8.tmp N/A

Enumerates physical storage devices

Modifies Control Panel

evasion
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\Desktop C:\Users\Admin\AppData\Local\Temp\a5bb65afe22627fbf9526fd316d32c368a986a4d65af31814ef2c18cef18422d\LockBit30\Build\LB3.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\Desktop\WallpaperStyle = "10" C:\Users\Admin\AppData\Local\Temp\a5bb65afe22627fbf9526fd316d32c368a986a4d65af31814ef2c18cef18422d\LockBit30\Build\LB3.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.i3AiYnXkj C:\Users\Admin\AppData\Local\Temp\a5bb65afe22627fbf9526fd316d32c368a986a4d65af31814ef2c18cef18422d\LockBit30\Build\LB3.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.i3AiYnXkj\ = "i3AiYnXkj" C:\Users\Admin\AppData\Local\Temp\a5bb65afe22627fbf9526fd316d32c368a986a4d65af31814ef2c18cef18422d\LockBit30\Build\LB3.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\i3AiYnXkj\DefaultIcon C:\Users\Admin\AppData\Local\Temp\a5bb65afe22627fbf9526fd316d32c368a986a4d65af31814ef2c18cef18422d\LockBit30\Build\LB3.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\i3AiYnXkj C:\Users\Admin\AppData\Local\Temp\a5bb65afe22627fbf9526fd316d32c368a986a4d65af31814ef2c18cef18422d\LockBit30\Build\LB3.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\i3AiYnXkj\DefaultIcon\ = "C:\\ProgramData\\i3AiYnXkj.ico" C:\Users\Admin\AppData\Local\Temp\a5bb65afe22627fbf9526fd316d32c368a986a4d65af31814ef2c18cef18422d\LockBit30\Build\LB3.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\a5bb65afe22627fbf9526fd316d32c368a986a4d65af31814ef2c18cef18422d\LockBit30\Build\LB3.exe N/A

Suspicious behavior: RenamesItself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\a5bb65afe22627fbf9526fd316d32c368a986a4d65af31814ef2c18cef18422d\LockBit30\Build\LB3.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeRestorePrivilege N/A C:\Program Files\7-Zip\7zG.exe N/A
Token: 35 N/A C:\Program Files\7-Zip\7zG.exe N/A
Token: SeSecurityPrivilege N/A C:\Program Files\7-Zip\7zG.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a5bb65afe22627fbf9526fd316d32c368a986a4d65af31814ef2c18cef18422d\LockBit30\Build\LB3.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a5bb65afe22627fbf9526fd316d32c368a986a4d65af31814ef2c18cef18422d\LockBit30\Build\LB3.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a5bb65afe22627fbf9526fd316d32c368a986a4d65af31814ef2c18cef18422d\LockBit30\Build\LB3.exe N/A
Token: 36 N/A C:\Users\Admin\AppData\Local\Temp\a5bb65afe22627fbf9526fd316d32c368a986a4d65af31814ef2c18cef18422d\LockBit30\Build\LB3.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\a5bb65afe22627fbf9526fd316d32c368a986a4d65af31814ef2c18cef18422d\LockBit30\Build\LB3.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a5bb65afe22627fbf9526fd316d32c368a986a4d65af31814ef2c18cef18422d\LockBit30\Build\LB3.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a5bb65afe22627fbf9526fd316d32c368a986a4d65af31814ef2c18cef18422d\LockBit30\Build\LB3.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\a5bb65afe22627fbf9526fd316d32c368a986a4d65af31814ef2c18cef18422d\LockBit30\Build\LB3.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\a5bb65afe22627fbf9526fd316d32c368a986a4d65af31814ef2c18cef18422d\LockBit30\Build\LB3.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a5bb65afe22627fbf9526fd316d32c368a986a4d65af31814ef2c18cef18422d\LockBit30\Build\LB3.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\a5bb65afe22627fbf9526fd316d32c368a986a4d65af31814ef2c18cef18422d\LockBit30\Build\LB3.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a5bb65afe22627fbf9526fd316d32c368a986a4d65af31814ef2c18cef18422d\LockBit30\Build\LB3.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\a5bb65afe22627fbf9526fd316d32c368a986a4d65af31814ef2c18cef18422d\LockBit30\Build\LB3.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a5bb65afe22627fbf9526fd316d32c368a986a4d65af31814ef2c18cef18422d\LockBit30\Build\LB3.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a5bb65afe22627fbf9526fd316d32c368a986a4d65af31814ef2c18cef18422d\LockBit30\Build\LB3.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\7-Zip\7zG.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 972 wrote to memory of 4352 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\a5bb65afe22627fbf9526fd316d32c368a986a4d65af31814ef2c18cef18422d\LockBit30\keygen.exe
PID 972 wrote to memory of 2264 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\a5bb65afe22627fbf9526fd316d32c368a986a4d65af31814ef2c18cef18422d\LockBit30\builder.exe
PID 972 wrote to memory of 4796 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\a5bb65afe22627fbf9526fd316d32c368a986a4d65af31814ef2c18cef18422d\LockBit30\builder.exe
PID 972 wrote to memory of 1496 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\a5bb65afe22627fbf9526fd316d32c368a986a4d65af31814ef2c18cef18422d\LockBit30\builder.exe
PID 972 wrote to memory of 3680 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\a5bb65afe22627fbf9526fd316d32c368a986a4d65af31814ef2c18cef18422d\LockBit30\builder.exe
PID 972 wrote to memory of 4844 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\a5bb65afe22627fbf9526fd316d32c368a986a4d65af31814ef2c18cef18422d\LockBit30\builder.exe
PID 972 wrote to memory of 3228 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\a5bb65afe22627fbf9526fd316d32c368a986a4d65af31814ef2c18cef18422d\LockBit30\builder.exe
PID 3572 wrote to memory of 5036 N/A C:\Users\Admin\AppData\Local\Temp\a5bb65afe22627fbf9526fd316d32c368a986a4d65af31814ef2c18cef18422d\LockBit30\Build\LB3.exe C:\ProgramData\52F8.tmp
PID 5036 wrote to memory of 1796 N/A C:\ProgramData\52F8.tmp C:\Windows\SysWOW64\cmd.exe

Processes

C:\Windows\Explorer.exe

C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\a5bb65afe22627fbf9526fd316d32c368a986a4d65af31814ef2c18cef18422d.zip

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Program Files\7-Zip\7zG.exe

"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\AppData\Local\Temp\a5bb65afe22627fbf9526fd316d32c368a986a4d65af31814ef2c18cef18422d\" -spe -an -ai#7zMap26329:208:7zEvent26100

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\a5bb65afe22627fbf9526fd316d32c368a986a4d65af31814ef2c18cef18422d\LockBit30\Build.bat" "

C:\Users\Admin\AppData\Local\Temp\a5bb65afe22627fbf9526fd316d32c368a986a4d65af31814ef2c18cef18422d\LockBit30\keygen.exe

keygen -path C:\Users\Admin\AppData\Local\Temp\a5bb65afe22627fbf9526fd316d32c368a986a4d65af31814ef2c18cef18422d\LockBit30\Build -pubkey pub.key -privkey priv.key

C:\Users\Admin\AppData\Local\Temp\a5bb65afe22627fbf9526fd316d32c368a986a4d65af31814ef2c18cef18422d\LockBit30\builder.exe

builder -type dec -privkey C:\Users\Admin\AppData\Local\Temp\a5bb65afe22627fbf9526fd316d32c368a986a4d65af31814ef2c18cef18422d\LockBit30\Build\priv.key -config config.json -ofile C:\Users\Admin\AppData\Local\Temp\a5bb65afe22627fbf9526fd316d32c368a986a4d65af31814ef2c18cef18422d\LockBit30\Build\LB3Decryptor.exe

C:\Users\Admin\AppData\Local\Temp\a5bb65afe22627fbf9526fd316d32c368a986a4d65af31814ef2c18cef18422d\LockBit30\builder.exe

builder -type enc -exe -pubkey C:\Users\Admin\AppData\Local\Temp\a5bb65afe22627fbf9526fd316d32c368a986a4d65af31814ef2c18cef18422d\LockBit30\Build\pub.key -config config.json -ofile C:\Users\Admin\AppData\Local\Temp\a5bb65afe22627fbf9526fd316d32c368a986a4d65af31814ef2c18cef18422d\LockBit30\Build\LB3.exe

C:\Users\Admin\AppData\Local\Temp\a5bb65afe22627fbf9526fd316d32c368a986a4d65af31814ef2c18cef18422d\LockBit30\builder.exe

builder -type enc -exe -pass -pubkey C:\Users\Admin\AppData\Local\Temp\a5bb65afe22627fbf9526fd316d32c368a986a4d65af31814ef2c18cef18422d\LockBit30\Build\pub.key -config config.json -ofile C:\Users\Admin\AppData\Local\Temp\a5bb65afe22627fbf9526fd316d32c368a986a4d65af31814ef2c18cef18422d\LockBit30\Build\LB3_pass.exe

C:\Users\Admin\AppData\Local\Temp\a5bb65afe22627fbf9526fd316d32c368a986a4d65af31814ef2c18cef18422d\LockBit30\builder.exe

builder -type enc -dll -pubkey C:\Users\Admin\AppData\Local\Temp\a5bb65afe22627fbf9526fd316d32c368a986a4d65af31814ef2c18cef18422d\LockBit30\Build\pub.key -config config.json -ofile C:\Users\Admin\AppData\Local\Temp\a5bb65afe22627fbf9526fd316d32c368a986a4d65af31814ef2c18cef18422d\LockBit30\Build\LB3_Rundll32.dll

C:\Users\Admin\AppData\Local\Temp\a5bb65afe22627fbf9526fd316d32c368a986a4d65af31814ef2c18cef18422d\LockBit30\builder.exe

builder -type enc -dll -pass -pubkey C:\Users\Admin\AppData\Local\Temp\a5bb65afe22627fbf9526fd316d32c368a986a4d65af31814ef2c18cef18422d\LockBit30\Build\pub.key -config config.json -ofile C:\Users\Admin\AppData\Local\Temp\a5bb65afe22627fbf9526fd316d32c368a986a4d65af31814ef2c18cef18422d\LockBit30\Build\LB3_Rundll32_pass.dll

C:\Users\Admin\AppData\Local\Temp\a5bb65afe22627fbf9526fd316d32c368a986a4d65af31814ef2c18cef18422d\LockBit30\builder.exe

builder -type enc -ref -pubkey C:\Users\Admin\AppData\Local\Temp\a5bb65afe22627fbf9526fd316d32c368a986a4d65af31814ef2c18cef18422d\LockBit30\Build\pub.key -config config.json -ofile C:\Users\Admin\AppData\Local\Temp\a5bb65afe22627fbf9526fd316d32c368a986a4d65af31814ef2c18cef18422d\LockBit30\Build\LB3_ReflectiveDll_DllMain.dll

C:\Users\Admin\AppData\Local\Temp\a5bb65afe22627fbf9526fd316d32c368a986a4d65af31814ef2c18cef18422d\LockBit30\builder.exe

"C:\Users\Admin\AppData\Local\Temp\a5bb65afe22627fbf9526fd316d32c368a986a4d65af31814ef2c18cef18422d\LockBit30\builder.exe"

C:\Users\Admin\AppData\Local\Temp\a5bb65afe22627fbf9526fd316d32c368a986a4d65af31814ef2c18cef18422d\LockBit30\builder.exe

"C:\Users\Admin\AppData\Local\Temp\a5bb65afe22627fbf9526fd316d32c368a986a4d65af31814ef2c18cef18422d\LockBit30\builder.exe"

C:\Users\Admin\AppData\Local\Temp\a5bb65afe22627fbf9526fd316d32c368a986a4d65af31814ef2c18cef18422d\LockBit30\Build\LB3.exe

"C:\Users\Admin\AppData\Local\Temp\a5bb65afe22627fbf9526fd316d32c368a986a4d65af31814ef2c18cef18422d\LockBit30\Build\LB3.exe"

C:\ProgramData\52F8.tmp

"C:\ProgramData\52F8.tmp"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\52F8.tmp >> NUL

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {c82192ee-6cb5-4bc0-9ef0-fb818773790a} -Embedding

Network

Country Destination Domain Proto
US 13.89.179.9:443 tcp
NL 104.80.225.205:443 tcp
US 209.197.3.8:80 tcp
US 209.197.3.8:80 tcp
US 209.197.3.8:80 tcp
US 13.107.42.16:443 tcp

Files
