Analysis Overview
SHA256
b09403adcaf79f3602815c242b3698e43138156d848ac1b0802232d4afc36154
Threat Level: Known bad
The file a5bb65afe22627fbf9526fd316d32c368a986a4d65af31814ef2c18cef18422d.zip was found to be: Known bad.
Malicious Activity Summary
BlackMatter Ransomware
Blackmatter family
Executes dropped EXE
Modifies extensions of user files
Checks computer location settings
Reads user/profile data of web browsers
Drops desktop.ini file(s)
Sets desktop wallpaper using registry
Suspicious use of NtSetInformationThreadHideFromDebugger
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
Suspicious behavior: RenamesItself
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Modifies registry class
Modifies Control Panel
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-09-21 18:47
Signatures
Blackmatter family
Analysis: behavioral1
Detonation Overview
Submitted
2022-09-21 18:45
Reported
2022-09-21 19:06
Platform
win10v2004-20220901-en
Max time kernel
948s
Max time network
951s
Command Line
Signatures
BlackMatter Ransomware
Executes dropped EXE
Modifies extensions of user files
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation | C:\ProgramData\52F8.tmp | N/A |
Reads user/profile data of web browsers
Drops desktop.ini file(s)
| Description | Indicator | Process | Target |
| File opened for modification | C:\$Recycle.Bin\S-1-5-21-929662420-1054238289-2961194603-1000\desktop.ini | C:\Users\Admin\AppData\Local\Temp\a5bb65afe22627fbf9526fd316d32c368a986a4d65af31814ef2c18cef18422d\LockBit30\Build\LB3.exe | N/A |
Sets desktop wallpaper using registry
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\i3AiYnXkj.bmp" | C:\Users\Admin\AppData\Local\Temp\a5bb65afe22627fbf9526fd316d32c368a986a4d65af31814ef2c18cef18422d\LockBit30\Build\LB3.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\i3AiYnXkj.bmp" | C:\Users\Admin\AppData\Local\Temp\a5bb65afe22627fbf9526fd316d32c368a986a4d65af31814ef2c18cef18422d\LockBit30\Build\LB3.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\52F8.tmp | N/A |
Enumerates physical storage devices
Modifies Control Panel
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\Desktop | C:\Users\Admin\AppData\Local\Temp\a5bb65afe22627fbf9526fd316d32c368a986a4d65af31814ef2c18cef18422d\LockBit30\Build\LB3.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\Desktop\WallpaperStyle = "10" | C:\Users\Admin\AppData\Local\Temp\a5bb65afe22627fbf9526fd316d32c368a986a4d65af31814ef2c18cef18422d\LockBit30\Build\LB3.exe | N/A |
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: RenamesItself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a5bb65afe22627fbf9526fd316d32c368a986a4d65af31814ef2c18cef18422d\LockBit30\Build\LB3.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\7-Zip\7zG.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\Explorer.exe
C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\a5bb65afe22627fbf9526fd316d32c368a986a4d65af31814ef2c18cef18422d.zip
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\AppData\Local\Temp\a5bb65afe22627fbf9526fd316d32c368a986a4d65af31814ef2c18cef18422d\" -spe -an -ai#7zMap26329:208:7zEvent26100
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\a5bb65afe22627fbf9526fd316d32c368a986a4d65af31814ef2c18cef18422d\LockBit30\Build.bat" "
C:\Users\Admin\AppData\Local\Temp\a5bb65afe22627fbf9526fd316d32c368a986a4d65af31814ef2c18cef18422d\LockBit30\keygen.exe
keygen -path C:\Users\Admin\AppData\Local\Temp\a5bb65afe22627fbf9526fd316d32c368a986a4d65af31814ef2c18cef18422d\LockBit30\Build -pubkey pub.key -privkey priv.key
C:\Users\Admin\AppData\Local\Temp\a5bb65afe22627fbf9526fd316d32c368a986a4d65af31814ef2c18cef18422d\LockBit30\builder.exe
builder -type dec -privkey C:\Users\Admin\AppData\Local\Temp\a5bb65afe22627fbf9526fd316d32c368a986a4d65af31814ef2c18cef18422d\LockBit30\Build\priv.key -config config.json -ofile C:\Users\Admin\AppData\Local\Temp\a5bb65afe22627fbf9526fd316d32c368a986a4d65af31814ef2c18cef18422d\LockBit30\Build\LB3Decryptor.exe
C:\Users\Admin\AppData\Local\Temp\a5bb65afe22627fbf9526fd316d32c368a986a4d65af31814ef2c18cef18422d\LockBit30\builder.exe
builder -type enc -exe -pubkey C:\Users\Admin\AppData\Local\Temp\a5bb65afe22627fbf9526fd316d32c368a986a4d65af31814ef2c18cef18422d\LockBit30\Build\pub.key -config config.json -ofile C:\Users\Admin\AppData\Local\Temp\a5bb65afe22627fbf9526fd316d32c368a986a4d65af31814ef2c18cef18422d\LockBit30\Build\LB3.exe
C:\Users\Admin\AppData\Local\Temp\a5bb65afe22627fbf9526fd316d32c368a986a4d65af31814ef2c18cef18422d\LockBit30\builder.exe
builder -type enc -exe -pass -pubkey C:\Users\Admin\AppData\Local\Temp\a5bb65afe22627fbf9526fd316d32c368a986a4d65af31814ef2c18cef18422d\LockBit30\Build\pub.key -config config.json -ofile C:\Users\Admin\AppData\Local\Temp\a5bb65afe22627fbf9526fd316d32c368a986a4d65af31814ef2c18cef18422d\LockBit30\Build\LB3_pass.exe
C:\Users\Admin\AppData\Local\Temp\a5bb65afe22627fbf9526fd316d32c368a986a4d65af31814ef2c18cef18422d\LockBit30\builder.exe
builder -type enc -dll -pubkey C:\Users\Admin\AppData\Local\Temp\a5bb65afe22627fbf9526fd316d32c368a986a4d65af31814ef2c18cef18422d\LockBit30\Build\pub.key -config config.json -ofile C:\Users\Admin\AppData\Local\Temp\a5bb65afe22627fbf9526fd316d32c368a986a4d65af31814ef2c18cef18422d\LockBit30\Build\LB3_Rundll32.dll
C:\Users\Admin\AppData\Local\Temp\a5bb65afe22627fbf9526fd316d32c368a986a4d65af31814ef2c18cef18422d\LockBit30\builder.exe
builder -type enc -dll -pass -pubkey C:\Users\Admin\AppData\Local\Temp\a5bb65afe22627fbf9526fd316d32c368a986a4d65af31814ef2c18cef18422d\LockBit30\Build\pub.key -config config.json -ofile C:\Users\Admin\AppData\Local\Temp\a5bb65afe22627fbf9526fd316d32c368a986a4d65af31814ef2c18cef18422d\LockBit30\Build\LB3_Rundll32_pass.dll
C:\Users\Admin\AppData\Local\Temp\a5bb65afe22627fbf9526fd316d32c368a986a4d65af31814ef2c18cef18422d\LockBit30\builder.exe
builder -type enc -ref -pubkey C:\Users\Admin\AppData\Local\Temp\a5bb65afe22627fbf9526fd316d32c368a986a4d65af31814ef2c18cef18422d\LockBit30\Build\pub.key -config config.json -ofile C:\Users\Admin\AppData\Local\Temp\a5bb65afe22627fbf9526fd316d32c368a986a4d65af31814ef2c18cef18422d\LockBit30\Build\LB3_ReflectiveDll_DllMain.dll
C:\Users\Admin\AppData\Local\Temp\a5bb65afe22627fbf9526fd316d32c368a986a4d65af31814ef2c18cef18422d\LockBit30\builder.exe
"C:\Users\Admin\AppData\Local\Temp\a5bb65afe22627fbf9526fd316d32c368a986a4d65af31814ef2c18cef18422d\LockBit30\builder.exe"
C:\Users\Admin\AppData\Local\Temp\a5bb65afe22627fbf9526fd316d32c368a986a4d65af31814ef2c18cef18422d\LockBit30\builder.exe
"C:\Users\Admin\AppData\Local\Temp\a5bb65afe22627fbf9526fd316d32c368a986a4d65af31814ef2c18cef18422d\LockBit30\builder.exe"
C:\Users\Admin\AppData\Local\Temp\a5bb65afe22627fbf9526fd316d32c368a986a4d65af31814ef2c18cef18422d\LockBit30\Build\LB3.exe
"C:\Users\Admin\AppData\Local\Temp\a5bb65afe22627fbf9526fd316d32c368a986a4d65af31814ef2c18cef18422d\LockBit30\Build\LB3.exe"
C:\ProgramData\52F8.tmp
"C:\ProgramData\52F8.tmp"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\52F8.tmp >> NUL
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {c82192ee-6cb5-4bc0-9ef0-fb818773790a} -Embedding
Network
| Country | Destination | Domain | Proto |
| US | 13.89.179.9:443 | | tcp |
| NL | 104.80.225.205:443 | | tcp |
| US | 209.197.3.8:80 | | tcp |
| US | 209.197.3.8:80 | | tcp |
| US | 209.197.3.8:80 | | tcp |
| US | 13.107.42.16:443 | | tcp |