Malware Analysis Report

2024-10-16 03:22

Sample ID 220922-d9btyahge7
Target LockBit30.zip
SHA256 d2942c6c19e67220d72bfb9a30b019627b950ff0fa8669a475d5730ff5097112
Tags
blackmatter ransomware spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

d2942c6c19e67220d72bfb9a30b019627b950ff0fa8669a475d5730ff5097112

Threat Level: Known bad

The file LockBit30.zip was found to be: Known bad.

Malicious Activity Summary

blackmatter ransomware spyware stealer

Blackmatter family

The family signature matches BlackMatter rather than LockBit by name. LockBit 3.0 ("LockBit Black") was built on BlackMatter code, so a BlackMatter match is the expected classification for a LockBit 3.0 build, and the Build\LB3.exe plus LB3Decryptor.exe pair inside LockBit30.zip is consistent with output of the LockBit 3.0 builder.

Executes dropped EXE

Modifies extensions of user files

Reads user/profile data of web browsers

Enumerates connected drives

Drops desktop.ini file(s)

Sets desktop wallpaper using registry

Suspicious use of NtSetInformationThreadHideFromDebugger

Drops file in Windows directory

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: RenamesItself

Suspicious use of SetWindowsHookEx

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Modifies registry class

Modifies Control Panel

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-09-22 03:42

Signatures

Blackmatter family

blackmatter

Analysis: behavioral1

Detonation Overview

Submitted

2022-09-22 03:42

Reported

2022-09-22 03:44

Platform

win10-20220812-en

Max time kernel

117s

Max time network

119s

Command Line

C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\LockBit30.zip

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\Desktop\LockBit30\Build\LB3.exe N/A
N/A N/A C:\Users\Admin\Desktop\LockBit30\Build\LB3Decryptor.exe N/A
N/A N/A C:\ProgramData\F7C.tmp N/A

Modifies extensions of user files

ransomware
Description Indicator Process Target
File opened for modification C:\Users\Admin\Pictures\CloseWrite.raw.ZImkTWSLZ C:\Users\Admin\Desktop\LockBit30\Build\LB3Decryptor.exe N/A
File opened for modification C:\Users\Admin\Pictures\FormatReset.raw.ZImkTWSLZ C:\Users\Admin\Desktop\LockBit30\Build\LB3Decryptor.exe N/A
File opened for modification C:\Users\Admin\Pictures\SyncResize.crw.ZImkTWSLZ C:\Users\Admin\Desktop\LockBit30\Build\LB3.exe N/A
File opened for modification C:\Users\Admin\Pictures\CloseWrite.raw.ZImkTWSLZ C:\Users\Admin\Desktop\LockBit30\Build\LB3.exe N/A
File renamed C:\Users\Admin\Pictures\FormatReset.raw => C:\Users\Admin\Pictures\FormatReset.raw.ZImkTWSLZ C:\Users\Admin\Desktop\LockBit30\Build\LB3.exe N/A
File opened for modification C:\Users\Admin\Pictures\FormatReset.raw.ZImkTWSLZ C:\Users\Admin\Desktop\LockBit30\Build\LB3.exe N/A
File renamed C:\Users\Admin\Pictures\PopConvert.tif => C:\Users\Admin\Pictures\PopConvert.tif.ZImkTWSLZ C:\Users\Admin\Desktop\LockBit30\Build\LB3.exe N/A
File opened for modification C:\Users\Admin\Pictures\PopConvert.tif.ZImkTWSLZ C:\Users\Admin\Desktop\LockBit30\Build\LB3.exe N/A
File renamed C:\Users\Admin\Pictures\SyncResize.crw => C:\Users\Admin\Pictures\SyncResize.crw.ZImkTWSLZ C:\Users\Admin\Desktop\LockBit30\Build\LB3.exe N/A
File opened for modification C:\Users\Admin\Pictures\PopConvert.tif.ZImkTWSLZ C:\Users\Admin\Desktop\LockBit30\Build\LB3Decryptor.exe N/A
File renamed C:\Users\Admin\Pictures\CloseWrite.raw => C:\Users\Admin\Pictures\CloseWrite.raw.ZImkTWSLZ C:\Users\Admin\Desktop\LockBit30\Build\LB3.exe N/A
File opened for modification C:\Users\Admin\Pictures\SyncResize.crw.ZImkTWSLZ C:\Users\Admin\Desktop\LockBit30\Build\LB3Decryptor.exe N/A

Reads user/profile data of web browsers

spyware stealer

No indicator rows were recorded for this signature in this run, and it is the only signature carrying the spyware/stealer tags; weigh those tags accordingly against the file-encryption evidence in the other tables.

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\$Recycle.Bin\S-1-5-21-2482096546-1136599444-1359412500-1000\desktop.ini C:\Users\Admin\Desktop\LockBit30\Build\LB3.exe N/A

Enumerates connected drives

Every drive-letter probe below is made by unregmp2.exe, the Windows Media Player first-run registration spawned through wmplayer.exe /Play and setup_wm.exe (see Processes); none is attributed to LB3.exe, so this signature is sandbox background activity rather than drive discovery by the sample.

Description Indicator Process Target
File opened (read-only) \??\E: C:\Windows\System32\unregmp2.exe N/A
File opened (read-only) \??\G: C:\Windows\System32\unregmp2.exe N/A
File opened (read-only) \??\L: C:\Windows\System32\unregmp2.exe N/A
File opened (read-only) \??\M: C:\Windows\System32\unregmp2.exe N/A
File opened (read-only) \??\N: C:\Windows\System32\unregmp2.exe N/A
File opened (read-only) \??\P: C:\Windows\System32\unregmp2.exe N/A
File opened (read-only) \??\Q: C:\Windows\System32\unregmp2.exe N/A
File opened (read-only) \??\B: C:\Windows\System32\unregmp2.exe N/A
File opened (read-only) \??\X: C:\Windows\System32\unregmp2.exe N/A
File opened (read-only) \??\Z: C:\Windows\System32\unregmp2.exe N/A
File opened (read-only) \??\S: C:\Windows\System32\unregmp2.exe N/A
File opened (read-only) \??\I: C:\Windows\System32\unregmp2.exe N/A
File opened (read-only) \??\R: C:\Windows\System32\unregmp2.exe N/A
File opened (read-only) \??\Y: C:\Windows\System32\unregmp2.exe N/A
File opened (read-only) \??\A: C:\Windows\System32\unregmp2.exe N/A
File opened (read-only) \??\K: C:\Windows\System32\unregmp2.exe N/A
File opened (read-only) \??\T: C:\Windows\System32\unregmp2.exe N/A
File opened (read-only) \??\H: C:\Windows\System32\unregmp2.exe N/A
File opened (read-only) \??\J: C:\Windows\System32\unregmp2.exe N/A
File opened (read-only) \??\O: C:\Windows\System32\unregmp2.exe N/A
File opened (read-only) \??\U: C:\Windows\System32\unregmp2.exe N/A
File opened (read-only) \??\V: C:\Windows\System32\unregmp2.exe N/A
File opened (read-only) \??\W: C:\Windows\System32\unregmp2.exe N/A
File opened (read-only) \??\F: C:\Windows\System32\unregmp2.exe N/A

Sets desktop wallpaper using registry

ransomware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Control Panel\Desktop\WallPaper C:\Users\Admin\Desktop\LockBit30\Build\LB3Decryptor.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\ZImkTWSLZ.bmp" C:\Users\Admin\Desktop\LockBit30\Build\LB3.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\ZImkTWSLZ.bmp" C:\Users\Admin\Desktop\LockBit30\Build\LB3.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\ProgramData\F7C.tmp N/A

Drops file in Windows directory

The single row is svchost.exe (the tiledatamodelsvc instance listed under Processes) writing C:\Windows\Debug\ESE.TXT; it is not attributed to the sample.

Description Indicator Process Target
File opened for modification C:\Windows\Debug\ESE.TXT C:\Windows\system32\svchost.exe N/A

Enumerates physical storage devices

Modifies Control Panel

evasion
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Control Panel\Desktop C:\Users\Admin\Desktop\LockBit30\Build\LB3Decryptor.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Control Panel\Desktop C:\Users\Admin\Desktop\LockBit30\Build\LB3.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Control Panel\Desktop\WallpaperStyle = "10" C:\Users\Admin\Desktop\LockBit30\Build\LB3.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ZImkTWSLZ\DefaultIcon C:\Users\Admin\Desktop\LockBit30\Build\LB3.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\CLASSES\ZIMKTWSLZ\DEFAULTICON C:\Users\Admin\Desktop\LockBit30\Build\LB3Decryptor.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\CLASSES\ZIMKTWSLZ C:\Users\Admin\Desktop\LockBit30\Build\LB3Decryptor.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\CLASSES\.ZIMKTWSLZ C:\Users\Admin\Desktop\LockBit30\Build\LB3Decryptor.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.ZImkTWSLZ C:\Users\Admin\Desktop\LockBit30\Build\LB3.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.ZImkTWSLZ\ = "ZImkTWSLZ" C:\Users\Admin\Desktop\LockBit30\Build\LB3.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ZImkTWSLZ C:\Users\Admin\Desktop\LockBit30\Build\LB3.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ZImkTWSLZ\DefaultIcon\ = "C:\\ProgramData\\ZImkTWSLZ.ico" C:\Users\Admin\Desktop\LockBit30\Build\LB3.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A
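The rename rows under "Modifies extensions of user files", the wallpaper rows under "Sets desktop wallpaper using registry" and the file-class rows above all hang off one string, the appended extension ZImkTWSLZ. The following added example (not part of the sandbox report or of the sample) shows how to recover that extension from the rename events alone and then confirm the companion artifacts named after it: the wallpaper .bmp, the HKLM\SOFTWARE\Classes\.<ext> file class and its DefaultIcon .ico. Input rows are transcribed from the report's tables; the rows where LB3Decryptor.exe merely opens the renamed files are left out because they are not renames. Assumptions introduced here: an appended extension is a 6-16 character alphanumeric token, and at least three agreeing renames are required before an extension is reported.

```python
"""Infer the ransomware extension and its companion artifacts from sandbox events.

Added example, not part of the sandbox report. The rows below are transcribed
from the report's "Modifies extensions of user files", "Sets desktop wallpaper
using registry" and "Modifies registry class" tables. Assumptions: an appended
extension is a 6-16 character alphanumeric token, and the wallpaper, icon and
file-class entries are named after that token (the report's own rows show that
layout, so the checks are written against it).
"""
import json
import re
from collections import Counter
from typing import Optional

LB3 = r"C:\Users\Admin\Desktop\LockBit30\Build\LB3.exe"
HKU_SID = r"\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000"

# "File renamed" rows: (old path, new path, process). Rows where LB3Decryptor.exe
# merely opens the renamed files are not renames and are left out.
RENAME_EVENTS = [
    (r"C:\Users\Admin\Pictures\FormatReset.raw", r"C:\Users\Admin\Pictures\FormatReset.raw.ZImkTWSLZ", LB3),
    (r"C:\Users\Admin\Pictures\PopConvert.tif", r"C:\Users\Admin\Pictures\PopConvert.tif.ZImkTWSLZ", LB3),
    (r"C:\Users\Admin\Pictures\SyncResize.crw", r"C:\Users\Admin\Pictures\SyncResize.crw.ZImkTWSLZ", LB3),
    (r"C:\Users\Admin\Pictures\CloseWrite.raw", r"C:\Users\Admin\Pictures\CloseWrite.raw.ZImkTWSLZ", LB3),
]

# "Set value (str)" rows: (key, value name, data as the sandbox prints it, process).
# An empty value name is the key's default value, which the sandbox prints as a
# trailing backslash; the sandbox doubles backslashes inside string data.
REG_SET_EVENTS = [
    (HKU_SID + r"\Control Panel\Desktop", "WallPaper", r"C:\\ProgramData\\ZImkTWSLZ.bmp", LB3),
    (HKU_SID + r"\Control Panel\Desktop", "WallpaperStyle", "10", LB3),
    (r"\REGISTRY\MACHINE\SOFTWARE\Classes\.ZImkTWSLZ", "", "ZImkTWSLZ", LB3),
    (r"\REGISTRY\MACHINE\SOFTWARE\Classes\ZImkTWSLZ\DefaultIcon", "", r"C:\\ProgramData\\ZImkTWSLZ.ico", LB3),
]

EXT_TOKEN = re.compile(r"[A-Za-z0-9]{6,16}")  # assumption, see module docstring


def appended_extension(old_path: str, new_path: str) -> Optional[str]:
    """Return the token T when new_path == old_path + '.' + T, else None."""
    if not new_path.startswith(old_path + "."):
        return None
    token = new_path[len(old_path) + 1:]
    return token if EXT_TOKEN.fullmatch(token) else None


def infer_extension(rename_events, min_renames: int = 3):
    """Pick the token appended most often; require min_renames agreeing renames.

    Returns (token, rename count, Counter of renaming processes) or None.
    """
    by_token, by_proc = Counter(), Counter()
    for old, new, proc in rename_events:
        token = appended_extension(old, new)
        if token:
            by_token[token] += 1
            by_proc[(token, proc)] += 1
    if not by_token:
        return None
    token, count = by_token.most_common(1)[0]
    if count < min_renames:
        return None
    procs = Counter({p: c for (t, p), c in by_proc.items() if t == token})
    return token, count, procs


def unescape_reg_string(data: str) -> str:
    """Undo the sandbox's backslash doubling in printed REG_SZ data."""
    return data.replace("\\\\", "\\")


def correlate_artifacts(ext: str, reg_events) -> dict:
    """Match the wallpaper (.bmp), file class (.<ext> -> <ext>) and DefaultIcon
    (.ico) entries that are derived from the extension."""
    ext_l = ext.lower()
    found = {"extension": ext, "wallpaper": None, "file_class": None, "icon": None}
    for key, name, data, _proc in reg_events:
        key_l, data_u = key.lower(), unescape_reg_string(data)
        if name.lower() == "wallpaper" and data_u.lower().endswith("\\" + ext_l + ".bmp"):
            found["wallpaper"] = data_u
        elif name == "" and key_l.endswith("\\classes\\." + ext_l) and data_u == ext:
            found["file_class"] = key
        elif name == "" and key_l.endswith("\\classes\\" + ext_l + "\\defaulticon") \
                and data_u.lower().endswith("\\" + ext_l + ".ico"):
            found["icon"] = data_u
    return found


def build_report(rename_events=RENAME_EVENTS, reg_events=REG_SET_EVENTS) -> Optional[dict]:
    """Full pipeline: extension from renames, then its registry/file companions."""
    inferred = infer_extension(rename_events)
    if inferred is None:
        return None
    ext, count, procs = inferred
    report = correlate_artifacts(ext, reg_events)
    report["renamed_files"] = count
    report["renaming_processes"] = dict(procs)
    return report


if __name__ == "__main__":
    print(json.dumps(build_report(), indent=2))
```

Run stand-alone it prints the extension, the number of renames and which process performed them, and the three companion paths; any of the three coming back as None on a real host log means the pattern differs from this run and deserves a look before the indicators are published.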

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\Desktop\LockBit30\Build\LB3.exe N/A
N/A N/A C:\Users\Admin\Desktop\LockBit30\Build\LB3.exe N/A
N/A N/A C:\Users\Admin\Desktop\LockBit30\Build\LB3.exe N/A
N/A N/A C:\Users\Admin\Desktop\LockBit30\Build\LB3.exe N/A
N/A N/A C:\Users\Admin\Desktop\LockBit30\Build\LB3.exe N/A
N/A N/A C:\Users\Admin\Desktop\LockBit30\Build\LB3.exe N/A
N/A N/A C:\Users\Admin\Desktop\LockBit30\Build\LB3.exe N/A
N/A N/A C:\Users\Admin\Desktop\LockBit30\Build\LB3.exe N/A
N/A N/A C:\Users\Admin\Desktop\LockBit30\Build\LB3.exe N/A
N/A N/A C:\Users\Admin\Desktop\LockBit30\Build\LB3.exe N/A
N/A N/A C:\Users\Admin\Desktop\LockBit30\Build\LB3.exe N/A
N/A N/A C:\Users\Admin\Desktop\LockBit30\Build\LB3.exe N/A
N/A N/A C:\Users\Admin\Desktop\LockBit30\Build\LB3.exe N/A
N/A N/A C:\Users\Admin\Desktop\LockBit30\Build\LB3.exe N/A
N/A N/A C:\Users\Admin\Desktop\LockBit30\Build\LB3.exe N/A
N/A N/A C:\Users\Admin\Desktop\LockBit30\Build\LB3.exe N/A
N/A N/A C:\Users\Admin\Desktop\LockBit30\Build\LB3.exe N/A
N/A N/A C:\Users\Admin\Desktop\LockBit30\Build\LB3.exe N/A
N/A N/A C:\Users\Admin\Desktop\LockBit30\Build\LB3.exe N/A
N/A N/A C:\Users\Admin\Desktop\LockBit30\Build\LB3.exe N/A
N/A N/A C:\Users\Admin\Desktop\LockBit30\Build\LB3.exe N/A
N/A N/A C:\Users\Admin\Desktop\LockBit30\Build\LB3.exe N/A
N/A N/A C:\Users\Admin\Desktop\LockBit30\Build\LB3.exe N/A
N/A N/A C:\Users\Admin\Desktop\LockBit30\Build\LB3.exe N/A
N/A N/A C:\Users\Admin\Desktop\LockBit30\Build\LB3.exe N/A
N/A N/A C:\Users\Admin\Desktop\LockBit30\Build\LB3.exe N/A
N/A N/A C:\Users\Admin\Desktop\LockBit30\Build\LB3.exe N/A
N/A N/A C:\Users\Admin\Desktop\LockBit30\Build\LB3.exe N/A
N/A N/A C:\Users\Admin\Desktop\LockBit30\Build\LB3.exe N/A
N/A N/A C:\Users\Admin\Desktop\LockBit30\Build\LB3.exe N/A
N/A N/A C:\Users\Admin\Desktop\LockBit30\Build\LB3.exe N/A
N/A N/A C:\Users\Admin\Desktop\LockBit30\Build\LB3.exe N/A
N/A N/A C:\Users\Admin\Desktop\LockBit30\Build\LB3.exe N/A
N/A N/A C:\Users\Admin\Desktop\LockBit30\Build\LB3.exe N/A
N/A N/A C:\Users\Admin\Desktop\LockBit30\Build\LB3.exe N/A
N/A N/A C:\Users\Admin\Desktop\LockBit30\Build\LB3.exe N/A
N/A N/A C:\Users\Admin\Desktop\LockBit30\Build\LB3.exe N/A
N/A N/A C:\Users\Admin\Desktop\LockBit30\Build\LB3.exe N/A
N/A N/A C:\Users\Admin\Desktop\LockBit30\Build\LB3Decryptor.exe N/A
N/A N/A C:\Users\Admin\Desktop\LockBit30\Build\LB3Decryptor.exe N/A
N/A N/A C:\Users\Admin\Desktop\LockBit30\Build\LB3.exe N/A
N/A N/A C:\Users\Admin\Desktop\LockBit30\Build\LB3.exe N/A

Suspicious behavior: RenamesItself

Description Indicator Process Target
N/A N/A C:\Users\Admin\Desktop\LockBit30\Build\LB3.exe N/A
N/A N/A C:\Users\Admin\Desktop\LockBit30\Build\LB3Decryptor.exe N/A

Suspicious use of AdjustPrivilegeToken

Three processes appear below: 7zG.exe (the user's archive extraction), LB3.exe, and vssvc.exe. The Volume Shadow Copy service starting while LB3.exe runs is worth noting, but the report does not record which VSS operation was requested. The bare numbers (33, 35, 36) are privilege LUIDs the sandbox did not resolve to a name.

Description Indicator Process Target
Token: SeRestorePrivilege N/A C:\Program Files\7-Zip\7zG.exe N/A
Token: 35 N/A C:\Program Files\7-Zip\7zG.exe N/A
Token: SeSecurityPrivilege N/A C:\Program Files\7-Zip\7zG.exe N/A
Token: SeSecurityPrivilege N/A C:\Program Files\7-Zip\7zG.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\Desktop\LockBit30\Build\LB3.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\Desktop\LockBit30\Build\LB3.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Desktop\LockBit30\Build\LB3.exe N/A
Token: 36 N/A C:\Users\Admin\Desktop\LockBit30\Build\LB3.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\Desktop\LockBit30\Build\LB3.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\Desktop\LockBit30\Build\LB3.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\Desktop\LockBit30\Build\LB3.exe N/A
Token: 33 N/A C:\Users\Admin\Desktop\LockBit30\Build\LB3.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\Desktop\LockBit30\Build\LB3.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\Desktop\LockBit30\Build\LB3.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\Desktop\LockBit30\Build\LB3.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\Desktop\LockBit30\Build\LB3.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\Desktop\LockBit30\Build\LB3.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\Desktop\LockBit30\Build\LB3.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\Desktop\LockBit30\Build\LB3.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Desktop\LockBit30\Build\LB3.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\Desktop\LockBit30\Build\LB3.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\Desktop\LockBit30\Build\LB3.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\Desktop\LockBit30\Build\LB3.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\Desktop\LockBit30\Build\LB3.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\Desktop\LockBit30\Build\LB3.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\Desktop\LockBit30\Build\LB3.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\Desktop\LockBit30\Build\LB3.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\Desktop\LockBit30\Build\LB3.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\Desktop\LockBit30\Build\LB3.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\Desktop\LockBit30\Build\LB3.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\Desktop\LockBit30\Build\LB3.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\Desktop\LockBit30\Build\LB3.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\Desktop\LockBit30\Build\LB3.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\Desktop\LockBit30\Build\LB3.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\Desktop\LockBit30\Build\LB3.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\Desktop\LockBit30\Build\LB3.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\Desktop\LockBit30\Build\LB3.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\Desktop\LockBit30\Build\LB3.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\Desktop\LockBit30\Build\LB3.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\Desktop\LockBit30\Build\LB3.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\Desktop\LockBit30\Build\LB3.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\Desktop\LockBit30\Build\LB3.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\Desktop\LockBit30\Build\LB3.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\Desktop\LockBit30\Build\LB3.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\Desktop\LockBit30\Build\LB3.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\Desktop\LockBit30\Build\LB3.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\Desktop\LockBit30\Build\LB3.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\Desktop\LockBit30\Build\LB3.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\Desktop\LockBit30\Build\LB3.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\Desktop\LockBit30\Build\LB3.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\Desktop\LockBit30\Build\LB3.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\Desktop\LockBit30\Build\LB3.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\Desktop\LockBit30\Build\LB3.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\Desktop\LockBit30\Build\LB3.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\Desktop\LockBit30\Build\LB3.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\Desktop\LockBit30\Build\LB3.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\Desktop\LockBit30\Build\LB3.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\Desktop\LockBit30\Build\LB3.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\Desktop\LockBit30\Build\LB3.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\Desktop\LockBit30\Build\LB3.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\Desktop\LockBit30\Build\LB3.exe N/A
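The numeric entries in the table above ("Token: 33", "35", "36") are privilege LUIDs the sandbox printed raw. The added example below (not part of the report) resolves them with the well-known SE_*_PRIVILEGE LUID assignment from ntifs.h (values 2 to 36, identical on every Windows version), collapses the repeated rows into one privilege set per process, and flags the process that enabled the combination a file-encrypting payload needs: backup plus restore plus take-ownership plus debug. The sample rows are transcribed from the table, deduplicated, with the sandbox's own spelling of the named privileges kept as-is; the flagging set is an analyst heuristic chosen for this example.

```python
"""Resolve unnamed privilege LUIDs in an AdjustPrivilegeToken table and rank
processes by what they enabled.

Added example, not part of the sandbox report. When the sandbox cannot map a
LUID to a name it prints the bare number ("Token: 35"); the table below is the
well-known SE_*_PRIVILEGE LUID assignment (ntifs.h, 2..36), fixed across
Windows versions. Sample rows are transcribed from the report, deduplicated,
keeping the sandbox's own spelling of the named privileges. The
"file takeover" set used for flagging is an analyst heuristic chosen here.
"""
from collections import defaultdict

WELL_KNOWN_PRIVILEGES = {
    2: "SeCreateTokenPrivilege", 3: "SeAssignPrimaryTokenPrivilege",
    4: "SeLockMemoryPrivilege", 5: "SeIncreaseQuotaPrivilege",
    6: "SeMachineAccountPrivilege", 7: "SeTcbPrivilege", 8: "SeSecurityPrivilege",
    9: "SeTakeOwnershipPrivilege", 10: "SeLoadDriverPrivilege",
    11: "SeSystemProfilePrivilege", 12: "SeSystemtimePrivilege",
    13: "SeProfileSingleProcessPrivilege", 14: "SeIncreaseBasePriorityPrivilege",
    15: "SeCreatePagefilePrivilege", 16: "SeCreatePermanentPrivilege",
    17: "SeBackupPrivilege", 18: "SeRestorePrivilege", 19: "SeShutdownPrivilege",
    20: "SeDebugPrivilege", 21: "SeAuditPrivilege", 22: "SeSystemEnvironmentPrivilege",
    23: "SeChangeNotifyPrivilege", 24: "SeRemoteShutdownPrivilege",
    25: "SeUndockPrivilege", 26: "SeSyncAgentPrivilege", 27: "SeEnableDelegationPrivilege",
    28: "SeManageVolumePrivilege", 29: "SeImpersonatePrivilege",
    30: "SeCreateGlobalPrivilege", 31: "SeTrustedCredManAccessPrivilege",
    32: "SeRelabelPrivilege", 33: "SeIncreaseWorkingSetPrivilege",
    34: "SeTimeZonePrivilege", 35: "SeCreateSymbolicLinkPrivilege",
    36: "SeDelegateSessionUserImpersonatePrivilege",
}

SEVENZIP = r"C:\Program Files\7-Zip\7zG.exe"
LB3 = r"C:\Users\Admin\Desktop\LockBit30\Build\LB3.exe"
VSSVC = r"C:\Windows\system32\vssvc.exe"

SAMPLE_ROWS = [  # (token as printed by the sandbox, process)
    ("SeRestorePrivilege", SEVENZIP), ("35", SEVENZIP), ("SeSecurityPrivilege", SEVENZIP),
    ("SeAssignPrimaryTokenPrivilege", LB3), ("SeBackupPrivilege", LB3),
    ("SeDebugPrivilege", LB3), ("36", LB3), ("SeImpersonatePrivilege", LB3),
    ("SeIncBasePriorityPrivilege", LB3), ("SeIncreaseQuotaPrivilege", LB3), ("33", LB3),
    ("SeManageVolumePrivilege", LB3), ("SeProfSingleProcessPrivilege", LB3),
    ("SeRestorePrivilege", LB3), ("SeSecurityPrivilege", LB3),
    ("SeSystemProfilePrivilege", LB3), ("SeTakeOwnershipPrivilege", LB3),
    ("SeShutdownPrivilege", LB3),
    ("SeBackupPrivilege", VSSVC), ("SeRestorePrivilege", VSSVC), ("SeAuditPrivilege", VSSVC),
]

# Together these let a process read, rewrite and re-own any file regardless of
# its ACL and reach into other processes: what a file-encrypting payload needs
# and an archive tool or a service does not (heuristic, see docstring).
FILE_TAKEOVER_SET = frozenset({
    "SeBackupPrivilege", "SeRestorePrivilege", "SeTakeOwnershipPrivilege", "SeDebugPrivilege",
})


def resolve_privilege(token: str) -> str:
    """Map a bare LUID number to its Se* name; pass names through; keep unknown numbers visible."""
    token = token.strip()
    if token.isdigit():
        return WELL_KNOWN_PRIVILEGES.get(int(token), "LUID:" + token)
    return token


def summarize(rows):
    """Per-process sorted list of distinct privileges, with LUIDs resolved."""
    per_proc = defaultdict(set)
    for token, proc in rows:
        per_proc[proc].add(resolve_privilege(token))
    return {proc: sorted(privs) for proc, privs in per_proc.items()}


def flag_processes(rows, required=FILE_TAKEOVER_SET):
    """Processes that enabled every privilege in `required`."""
    return [proc for proc, privs in summarize(rows).items() if required.issubset(privs)]


if __name__ == "__main__":
    for proc, privs in summarize(SAMPLE_ROWS).items():
        print(proc, "->", ", ".join(privs))
    print("flagged:", flag_processes(SAMPLE_ROWS))
```

With the report's rows, 7zG.exe resolves to restore, symbolic-link creation and security, vssvc.exe to backup, restore and audit, and LB3.exe to fifteen distinct privileges including SeDelegateSessionUserImpersonatePrivilege (36) and SeIncreaseWorkingSetPrivilege (33); only LB3.exe satisfies the takeover set.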

Suspicious use of FindShellTrayWindow

Only 7zG.exe, i.e. the archive extraction that preceded the detonation, triggers this signature.

Description Indicator Process Target
N/A N/A C:\Program Files\7-Zip\7zG.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4020 wrote to memory of 3188 N/A C:\Users\Admin\Desktop\LockBit30\Build\LB3.exe C:\ProgramData\F7C.tmp
PID 4020 wrote to memory of 3188 N/A C:\Users\Admin\Desktop\LockBit30\Build\LB3.exe C:\ProgramData\F7C.tmp
PID 4020 wrote to memory of 3188 N/A C:\Users\Admin\Desktop\LockBit30\Build\LB3.exe C:\ProgramData\F7C.tmp
PID 4020 wrote to memory of 3188 N/A C:\Users\Admin\Desktop\LockBit30\Build\LB3.exe C:\ProgramData\F7C.tmp
PID 3188 wrote to memory of 4148 N/A C:\ProgramData\F7C.tmp C:\Windows\SysWOW64\cmd.exe
PID 3188 wrote to memory of 4148 N/A C:\ProgramData\F7C.tmp C:\Windows\SysWOW64\cmd.exe
PID 3188 wrote to memory of 4148 N/A C:\ProgramData\F7C.tmp C:\Windows\SysWOW64\cmd.exe
PID 664 wrote to memory of 3572 N/A C:\Program Files (x86)\Windows Media Player\wmplayer.exe C:\Program Files (x86)\Windows Media Player\setup_wm.exe
PID 664 wrote to memory of 3572 N/A C:\Program Files (x86)\Windows Media Player\wmplayer.exe C:\Program Files (x86)\Windows Media Player\setup_wm.exe
PID 664 wrote to memory of 3572 N/A C:\Program Files (x86)\Windows Media Player\wmplayer.exe C:\Program Files (x86)\Windows Media Player\setup_wm.exe
PID 664 wrote to memory of 3368 N/A C:\Program Files (x86)\Windows Media Player\wmplayer.exe C:\Windows\SysWOW64\unregmp2.exe
PID 664 wrote to memory of 3368 N/A C:\Program Files (x86)\Windows Media Player\wmplayer.exe C:\Windows\SysWOW64\unregmp2.exe
PID 664 wrote to memory of 3368 N/A C:\Program Files (x86)\Windows Media Player\wmplayer.exe C:\Windows\SysWOW64\unregmp2.exe
PID 3368 wrote to memory of 1852 N/A C:\Windows\SysWOW64\unregmp2.exe C:\Windows\System32\unregmp2.exe
PID 3368 wrote to memory of 1852 N/A C:\Windows\SysWOW64\unregmp2.exe C:\Windows\System32\unregmp2.exe
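The rows above are one line per WriteProcessMemory call, so each parent/child pair repeats, and two unrelated chains are interleaved: LB3.exe (PID 4020) writing into the dropped C:\ProgramData\F7C.tmp (3188), which in turn spawns cmd.exe (4148), and the Windows Media Player first-run chain rooted at wmplayer.exe (664). The added example below (not part of the report) rebuilds the tree from those rows, collapses the repeats into a write count, and isolates the drop-and-self-delete pattern by joining the tree with the cmd.exe command line shown under Processes ("/C DEL /F /Q C:\PROGRA~3\F7C.tmp"). Assumptions introduced here: the Processes list carries no PIDs, so attaching that command line to PID 4148 is inferred from the tree; and the DEL target is compared by basename because the command uses the 8.3 short path C:\PROGRA~3 for C:\ProgramData.

```python
r"""Rebuild the process tree from WriteProcessMemory rows and find the
drop-then-self-delete chain.

Added example, not part of the sandbox report. Rows are transcribed from the
"Suspicious use of WriteProcessMemory" table as (parent PID, child PID, parent
image, child image); the sandbox logs one row per call, so pairs repeat and the
tree collapses them into a write count. The cmd.exe command line is taken from
the Processes list; mapping it to PID 4148 is an assumption. The self-delete
check compares basenames because the DEL uses the short path C:\PROGRA~3.
"""
import re
from collections import Counter, defaultdict

LB3 = r"C:\Users\Admin\Desktop\LockBit30\Build\LB3.exe"
TMP = r"C:\ProgramData\F7C.tmp"
CMD = r"C:\Windows\SysWOW64\cmd.exe"
WMP = r"C:\Program Files (x86)\Windows Media Player\wmplayer.exe"
SETUP_WM = r"C:\Program Files (x86)\Windows Media Player\setup_wm.exe"
UNREG32 = r"C:\Windows\SysWOW64\unregmp2.exe"
UNREG64 = r"C:\Windows\System32\unregmp2.exe"

# Transcribed from the report: each row repeated as many times as the table lists it.
WPM_ROWS = (
    [(4020, 3188, LB3, TMP)] * 4
    + [(3188, 4148, TMP, CMD)] * 3
    + [(664, 3572, WMP, SETUP_WM)] * 3
    + [(664, 3368, WMP, UNREG32)] * 3
    + [(3368, 1852, UNREG32, UNREG64)] * 2
)

CMDLINES = {  # constructed: PID -> command line from the Processes list (PID assumed)
    4148: r'"C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\F7C.tmp >> NUL',
}

DEL_TARGET = re.compile(r"\bDEL\b.*?(\S+\.tmp)\b", re.IGNORECASE)


def build_tree(rows):
    """Return (children, image, writes): parent->set(child), pid->image, (p,c)->call count."""
    children, image, writes = defaultdict(set), {}, Counter()
    for parent, child, pimg, cimg in rows:
        children[parent].add(child)
        image[parent], image[child] = pimg, cimg
        writes[(parent, child)] += 1
    return children, image, writes


def roots(children):
    """PIDs that act as parents but never appear as a child."""
    all_children = {c for kids in children.values() for c in kids}
    return sorted(p for p in children if p not in all_children)


def render(children, image, writes, pid, depth=0, via=""):
    """Indented text tree; each child is prefixed with the number of writes into it."""
    lines = ["    " * depth + via + f"{pid} {image[pid]}"]
    for child in sorted(children.get(pid, ())):
        lines.extend(render(children, image, writes, child, depth + 1,
                            via=f"[{writes[(pid, child)]}x WPM] "))
    return lines


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def find_self_delete_chains(children, image, cmdlines):
    """Parent -> dropped *.tmp under ProgramData -> cmd.exe whose DEL names that same .tmp."""
    chains = []
    for parent, kids in children.items():
        for child in kids:
            img = image[child].lower()
            if not (img.endswith(".tmp") and "\\programdata\\" in img):
                continue
            for grandchild in children.get(child, ()):
                if not image[grandchild].lower().endswith("\\cmd.exe"):
                    continue
                match = DEL_TARGET.search(cmdlines.get(grandchild, ""))
                if match and basename(match.group(1)) == basename(image[child]):
                    chains.append((parent, child, grandchild))
    return chains


if __name__ == "__main__":
    children, image, writes = build_tree(WPM_ROWS)
    for root in roots(children):
        print("\n".join(render(children, image, writes, root)))
    print("self-delete chains:", find_self_delete_chains(children, image, CMDLINES))
```

Printed as a tree, the run separates cleanly into the 664 (wmplayer.exe) branch, which is Windows background activity, and the 4020 branch, where the four writes into F7C.tmp followed by cmd.exe deleting that file are the sample's clean-up. On a live host the same join works against Sysmon event ID 1 (process creation with command line) once the parent/child pairs come from there instead of the sandbox table.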

Processes

C:\Windows\Explorer.exe

C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\LockBit30.zip

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Program Files\7-Zip\7zG.exe

"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\LockBit30\" -spe -an -ai#7zMap25827:76:7zEvent31992

C:\Users\Admin\Desktop\LockBit30\Build\LB3.exe

"C:\Users\Admin\Desktop\LockBit30\Build\LB3.exe"

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k appmodel -s tiledatamodelsvc

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

C:\Users\Admin\Desktop\LockBit30\Build\LB3Decryptor.exe

"C:\Users\Admin\Desktop\LockBit30\Build\LB3Decryptor.exe"

C:\ProgramData\F7C.tmp

"C:\ProgramData\F7C.tmp"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\F7C.tmp >> NUL

C:\Windows\System32\xpsrchvw.exe

"C:\Windows\System32\xpsrchvw.exe" "C:\Users\Admin\Desktop\SendDisconnect.eprtx"

C:\Program Files (x86)\Windows Media Player\wmplayer.exe

"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /Play -Embedding

C:\Program Files (x86)\Windows Media Player\setup_wm.exe

"C:\Program Files (x86)\Windows Media Player\setup_wm.exe" /RunOnce:"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /Play -Embedding

C:\Windows\SysWOW64\unregmp2.exe

"C:\Windows\System32\unregmp2.exe" /AsyncFirstLogon

C:\Windows\System32\unregmp2.exe

"C:\Windows\SysNative\unregmp2.exe" /AsyncFirstLogon /REENTRANT

Network

Country  Destination          Domain                                    Proto
US       52.168.112.66:443    -                                         tcp
US       93.184.221.240:80    -                                         tcp
US       8.8.8.8:53           redir.metaservices.microsoft.com          udp
FR       2.22.22.209:80       redir.metaservices.microsoft.com          tcp
US       8.8.8.8:53           onlinestores.metaservices.microsoft.com   udp
NL       104.109.143.11:80    onlinestores.metaservices.microsoft.com   tcp

No connection in this table is attributed to a process. The two named hosts are Windows Media Player metadata endpoints, consistent with the wmplayer.exe /Play and unregmp2.exe /AsyncFirstLogon activity listed under Processes; the report attributes no network activity to LB3.exe.

Files

C:\Users\Admin\Desktop\LockBit30\Build\LB3.exe

MD5 c73eac0c837c3c5caca3a885f46c17d9
SHA1 a0ca9511b40c9c2451986ce179016ec4014e9adb
SHA256 e609bf8406b61613f3e605d277cf445059974a4c71c3edd09fffae86a3c5dbfe
SHA512 157c92e561cd18876ab60faf8a3d8e62633e7750accb965e86f3202b0d5ff902d3ae51fb41592d9be22672e67a713291e469a09be57e6f77dd6343090324792a

memory/4020-121-0x0000000077540000-0x00000000776CE000-memory.dmp

memory/4020-122-0x0000000077540000-0x00000000776CE000-memory.dmp

memory/4020-123-0x0000000077540000-0x00000000776CE000-memory.dmp

memory/4020-124-0x0000000077540000-0x00000000776CE000-memory.dmp

memory/4020-125-0x0000000077540000-0x00000000776CE000-memory.dmp

memory/4020-126-0x0000000077540000-0x00000000776CE000-memory.dmp

memory/4020-127-0x0000000077540000-0x00000000776CE000-memory.dmp

C:\Users\Admin\Desktop\LockBit30\Build\LB3.exe

MD5 c73eac0c837c3c5caca3a885f46c17d9
SHA1 a0ca9511b40c9c2451986ce179016ec4014e9adb
SHA256 e609bf8406b61613f3e605d277cf445059974a4c71c3edd09fffae86a3c5dbfe
SHA512 157c92e561cd18876ab60faf8a3d8e62633e7750accb965e86f3202b0d5ff902d3ae51fb41592d9be22672e67a713291e469a09be57e6f77dd6343090324792a

memory/4020-129-0x0000000077540000-0x00000000776CE000-memory.dmp

memory/4020-130-0x0000000077540000-0x00000000776CE000-memory.dmp

memory/4020-131-0x0000000077540000-0x00000000776CE000-memory.dmp

memory/4020-132-0x0000000077540000-0x00000000776CE000-memory.dmp

memory/4020-133-0x0000000077540000-0x00000000776CE000-memory.dmp

memory/4020-134-0x0000000077540000-0x00000000776CE000-memory.dmp

memory/4020-135-0x0000000077540000-0x00000000776CE000-memory.dmp

memory/4020-136-0x0000000077540000-0x00000000776CE000-memory.dmp

memory/4020-137-0x0000000077540000-0x00000000776CE000-memory.dmp

memory/4020-138-0x0000000077540000-0x00000000776CE000-memory.dmp

memory/4020-139-0x0000000077540000-0x00000000776CE000-memory.dmp

memory/4020-140-0x0000000077540000-0x00000000776CE000-memory.dmp

memory/4020-141-0x0000000077540000-0x00000000776CE000-memory.dmp

memory/4020-142-0x0000000077540000-0x00000000776CE000-memory.dmp

memory/4020-143-0x0000000077540000-0x00000000776CE000-memory.dmp

memory/4020-144-0x0000000077540000-0x00000000776CE000-memory.dmp

memory/4020-145-0x0000000077540000-0x00000000776CE000-memory.dmp

memory/4020-146-0x0000000077540000-0x00000000776CE000-memory.dmp

memory/4020-147-0x0000000077540000-0x00000000776CE000-memory.dmp

memory/4020-148-0x0000000077540000-0x00000000776CE000-memory.dmp

memory/4020-149-0x0000000077540000-0x00000000776CE000-memory.dmp

memory/4020-150-0x0000000077540000-0x00000000776CE000-memory.dmp

memory/4020-151-0x0000000077540000-0x00000000776CE000-memory.dmp

memory/4020-152-0x0000000077540000-0x00000000776CE000-memory.dmp

memory/4020-153-0x0000000077540000-0x00000000776CE000-memory.dmp

memory/4020-154-0x0000000077540000-0x00000000776CE000-memory.dmp

memory/4020-155-0x0000000077540000-0x00000000776CE000-memory.dmp

memory/4020-156-0x0000000077540000-0x00000000776CE000-memory.dmp

memory/4020-157-0x0000000077540000-0x00000000776CE000-memory.dmp

memory/4020-158-0x0000000077540000-0x00000000776CE000-memory.dmp

memory/4020-159-0x0000000077540000-0x00000000776CE000-memory.dmp

memory/4020-160-0x0000000077540000-0x00000000776CE000-memory.dmp

memory/4020-161-0x0000000077540000-0x00000000776CE000-memory.dmp

memory/4020-162-0x0000000077540000-0x00000000776CE000-memory.dmp

memory/4020-163-0x0000000077540000-0x00000000776CE000-memory.dmp

memory/4020-164-0x0000000077540000-0x00000000776CE000-memory.dmp

memory/4020-165-0x0000000077540000-0x00000000776CE000-memory.dmp

memory/4020-166-0x0000000077540000-0x00000000776CE000-memory.dmp

memory/4020-167-0x0000000077540000-0x00000000776CE000-memory.dmp

memory/4020-168-0x0000000077540000-0x00000000776CE000-memory.dmp

memory/4020-169-0x0000000077540000-0x00000000776CE000-memory.dmp

memory/4020-170-0x0000000077540000-0x00000000776CE000-memory.dmp

memory/4020-171-0x0000000077540000-0x00000000776CE000-memory.dmp

memory/4020-172-0x0000000077540000-0x00000000776CE000-memory.dmp

memory/4020-173-0x0000000077540000-0x00000000776CE000-memory.dmp

memory/4020-174-0x0000000077540000-0x00000000776CE000-memory.dmp

memory/4020-175-0x0000000077540000-0x00000000776CE000-memory.dmp

memory/4020-177-0x0000000077540000-0x00000000776CE000-memory.dmp

memory/4020-176-0x0000000077540000-0x00000000776CE000-memory.dmp

memory/4020-178-0x0000000077540000-0x00000000776CE000-memory.dmp

memory/4020-179-0x0000000077540000-0x00000000776CE000-memory.dmp

memory/4020-180-0x0000000077540000-0x00000000776CE000-memory.dmp

memory/4020-181-0x0000000077540000-0x00000000776CE000-memory.dmp

memory/4020-182-0x0000000077540000-0x00000000776CE000-memory.dmp

memory/4020-183-0x0000000077540000-0x00000000776CE000-memory.dmp

memory/4020-184-0x0000000077540000-0x00000000776CE000-memory.dmp

C:\$Recycle.Bin\S-1-5-21-2482096546-1136599444-1359412500-1000\CCCCCCCCCCC

MD5 d202c665d3ebee7fe4a36d645eec9322
SHA1 21d3fa248b5eaae58883887c5062db825811858b
SHA256 8292b4c599ad9ec5457f95ff6ab4cb7ee757aaa917ce5293a3bdf005de4dda1a
SHA512 c406d48f3a2599fb203130c35d287a074c24dae857647ee1b484568e666a71726aafd602d06c9f7bb0169471e53d260312723ab87f34f3856a66ad226713dd8c

C:\$Recycle.Bin\S-1-5-21-2482096546-1136599444-1359412500-1000\EEEEEEEEEEE

MD5 d202c665d3ebee7fe4a36d645eec9322
SHA1 21d3fa248b5eaae58883887c5062db825811858b
SHA256 8292b4c599ad9ec5457f95ff6ab4cb7ee757aaa917ce5293a3bdf005de4dda1a
SHA512 c406d48f3a2599fb203130c35d287a074c24dae857647ee1b484568e666a71726aafd602d06c9f7bb0169471e53d260312723ab87f34f3856a66ad226713dd8c

C:\$Recycle.Bin\S-1-5-21-2482096546-1136599444-1359412500-1000\YYYYYYYYYYY

MD5 d202c665d3ebee7fe4a36d645eec9322
SHA1 21d3fa248b5eaae58883887c5062db825811858b
SHA256 8292b4c599ad9ec5457f95ff6ab4cb7ee757aaa917ce5293a3bdf005de4dda1a
SHA512 c406d48f3a2599fb203130c35d287a074c24dae857647ee1b484568e666a71726aafd602d06c9f7bb0169471e53d260312723ab87f34f3856a66ad226713dd8c

C:\$Recycle.Bin\S-1-5-21-2482096546-1136599444-1359412500-1000\XXXXXXXXXXX

MD5 d202c665d3ebee7fe4a36d645eec9322
SHA1 21d3fa248b5eaae58883887c5062db825811858b
SHA256 8292b4c599ad9ec5457f95ff6ab4cb7ee757aaa917ce5293a3bdf005de4dda1a
SHA512 c406d48f3a2599fb203130c35d287a074c24dae857647ee1b484568e666a71726aafd602d06c9f7bb0169471e53d260312723ab87f34f3856a66ad226713dd8c

C:\$Recycle.Bin\S-1-5-21-2482096546-1136599444-1359412500-1000\WWWWWWWWWWW

MD5 d202c665d3ebee7fe4a36d645eec9322
SHA1 21d3fa248b5eaae58883887c5062db825811858b
SHA256 8292b4c599ad9ec5457f95ff6ab4cb7ee757aaa917ce5293a3bdf005de4dda1a
SHA512 c406d48f3a2599fb203130c35d287a074c24dae857647ee1b484568e666a71726aafd602d06c9f7bb0169471e53d260312723ab87f34f3856a66ad226713dd8c

C:\$Recycle.Bin\S-1-5-21-2482096546-1136599444-1359412500-1000\VVVVVVVVVVV

MD5 d202c665d3ebee7fe4a36d645eec9322
SHA1 21d3fa248b5eaae58883887c5062db825811858b
SHA256 8292b4c599ad9ec5457f95ff6ab4cb7ee757aaa917ce5293a3bdf005de4dda1a
SHA512 c406d48f3a2599fb203130c35d287a074c24dae857647ee1b484568e666a71726aafd602d06c9f7bb0169471e53d260312723ab87f34f3856a66ad226713dd8c

C:\$Recycle.Bin\S-1-5-21-2482096546-1136599444-1359412500-1000\UUUUUUUUUUU

MD5 d202c665d3ebee7fe4a36d645eec9322
SHA1 21d3fa248b5eaae58883887c5062db825811858b
SHA256 8292b4c599ad9ec5457f95ff6ab4cb7ee757aaa917ce5293a3bdf005de4dda1a
SHA512 c406d48f3a2599fb203130c35d287a074c24dae857647ee1b484568e666a71726aafd602d06c9f7bb0169471e53d260312723ab87f34f3856a66ad226713dd8c

C:\$Recycle.Bin\S-1-5-21-2482096546-1136599444-1359412500-1000\TTTTTTTTTTT

MD5 d202c665d3ebee7fe4a36d645eec9322
SHA1 21d3fa248b5eaae58883887c5062db825811858b
SHA256 8292b4c599ad9ec5457f95ff6ab4cb7ee757aaa917ce5293a3bdf005de4dda1a
SHA512 c406d48f3a2599fb203130c35d287a074c24dae857647ee1b484568e666a71726aafd602d06c9f7bb0169471e53d260312723ab87f34f3856a66ad226713dd8c

C:\$Recycle.Bin\S-1-5-21-2482096546-1136599444-1359412500-1000\SSSSSSSSSSS

MD5 d202c665d3ebee7fe4a36d645eec9322
SHA1 21d3fa248b5eaae58883887c5062db825811858b
SHA256 8292b4c599ad9ec5457f95ff6ab4cb7ee757aaa917ce5293a3bdf005de4dda1a
SHA512 c406d48f3a2599fb203130c35d287a074c24dae857647ee1b484568e666a71726aafd602d06c9f7bb0169471e53d260312723ab87f34f3856a66ad226713dd8c

C:\$Recycle.Bin\S-1-5-21-2482096546-1136599444-1359412500-1000\RRRRRRRRRRR

MD5 d202c665d3ebee7fe4a36d645eec9322
SHA1 21d3fa248b5eaae58883887c5062db825811858b
SHA256 8292b4c599ad9ec5457f95ff6ab4cb7ee757aaa917ce5293a3bdf005de4dda1a
SHA512 c406d48f3a2599fb203130c35d287a074c24dae857647ee1b484568e666a71726aafd602d06c9f7bb0169471e53d260312723ab87f34f3856a66ad226713dd8c

C:\$Recycle.Bin\S-1-5-21-2482096546-1136599444-1359412500-1000\QQQQQQQQQQQ

MD5 d202c665d3ebee7fe4a36d645eec9322
SHA1 21d3fa248b5eaae58883887c5062db825811858b
SHA256 8292b4c599ad9ec5457f95ff6ab4cb7ee757aaa917ce5293a3bdf005de4dda1a
SHA512 c406d48f3a2599fb203130c35d287a074c24dae857647ee1b484568e666a71726aafd602d06c9f7bb0169471e53d260312723ab87f34f3856a66ad226713dd8c

C:\$Recycle.Bin\S-1-5-21-2482096546-1136599444-1359412500-1000\PPPPPPPPPPP

MD5 d202c665d3ebee7fe4a36d645eec9322
SHA1 21d3fa248b5eaae58883887c5062db825811858b
SHA256 8292b4c599ad9ec5457f95ff6ab4cb7ee757aaa917ce5293a3bdf005de4dda1a
SHA512 c406d48f3a2599fb203130c35d287a074c24dae857647ee1b484568e666a71726aafd602d06c9f7bb0169471e53d260312723ab87f34f3856a66ad226713dd8c

C:\$Recycle.Bin\S-1-5-21-2482096546-1136599444-1359412500-1000\OOOOOOOOOOO

MD5 d202c665d3ebee7fe4a36d645eec9322
SHA1 21d3fa248b5eaae58883887c5062db825811858b
SHA256 8292b4c599ad9ec5457f95ff6ab4cb7ee757aaa917ce5293a3bdf005de4dda1a
SHA512 c406d48f3a2599fb203130c35d287a074c24dae857647ee1b484568e666a71726aafd602d06c9f7bb0169471e53d260312723ab87f34f3856a66ad226713dd8c

C:\$Recycle.Bin\S-1-5-21-2482096546-1136599444-1359412500-1000\NNNNNNNNNNN

MD5 d202c665d3ebee7fe4a36d645eec9322
SHA1 21d3fa248b5eaae58883887c5062db825811858b
SHA256 8292b4c599ad9ec5457f95ff6ab4cb7ee757aaa917ce5293a3bdf005de4dda1a
SHA512 c406d48f3a2599fb203130c35d287a074c24dae857647ee1b484568e666a71726aafd602d06c9f7bb0169471e53d260312723ab87f34f3856a66ad226713dd8c

C:\$Recycle.Bin\S-1-5-21-2482096546-1136599444-1359412500-1000\LLLLLLLLLLL

MD5 d202c665d3ebee7fe4a36d645eec9322
SHA1 21d3fa248b5eaae58883887c5062db825811858b
SHA256 8292b4c599ad9ec5457f95ff6ab4cb7ee757aaa917ce5293a3bdf005de4dda1a
SHA512 c406d48f3a2599fb203130c35d287a074c24dae857647ee1b484568e666a71726aafd602d06c9f7bb0169471e53d260312723ab87f34f3856a66ad226713dd8c

C:\$Recycle.Bin\S-1-5-21-2482096546-1136599444-1359412500-1000\MMMMMMMMMMM

MD5 d202c665d3ebee7fe4a36d645eec9322
SHA1 21d3fa248b5eaae58883887c5062db825811858b
SHA256 8292b4c599ad9ec5457f95ff6ab4cb7ee757aaa917ce5293a3bdf005de4dda1a
SHA512 c406d48f3a2599fb203130c35d287a074c24dae857647ee1b484568e666a71726aafd602d06c9f7bb0169471e53d260312723ab87f34f3856a66ad226713dd8c

memory/4020-191-0x0000000077540000-0x00000000776CE000-memory.dmp

C:\$Recycle.Bin\S-1-5-21-2482096546-1136599444-1359412500-1000\HHHHHHHHHHH

MD5 d202c665d3ebee7fe4a36d645eec9322
SHA1 21d3fa248b5eaae58883887c5062db825811858b
SHA256 8292b4c599ad9ec5457f95ff6ab4cb7ee757aaa917ce5293a3bdf005de4dda1a
SHA512 c406d48f3a2599fb203130c35d287a074c24dae857647ee1b484568e666a71726aafd602d06c9f7bb0169471e53d260312723ab87f34f3856a66ad226713dd8c

C:\$Recycle.Bin\S-1-5-21-2482096546-1136599444-1359412500-1000\DDDDDDDDDDD

MD5 d202c665d3ebee7fe4a36d645eec9322
SHA1 21d3fa248b5eaae58883887c5062db825811858b
SHA256 8292b4c599ad9ec5457f95ff6ab4cb7ee757aaa917ce5293a3bdf005de4dda1a
SHA512 c406d48f3a2599fb203130c35d287a074c24dae857647ee1b484568e666a71726aafd602d06c9f7bb0169471e53d260312723ab87f34f3856a66ad226713dd8c

C:\$Recycle.Bin\S-1-5-21-2482096546-1136599444-1359412500-1000\KKKKKKKKKKK

MD5 d202c665d3ebee7fe4a36d645eec9322
SHA1 21d3fa248b5eaae58883887c5062db825811858b
SHA256 8292b4c599ad9ec5457f95ff6ab4cb7ee757aaa917ce5293a3bdf005de4dda1a
SHA512 c406d48f3a2599fb203130c35d287a074c24dae857647ee1b484568e666a71726aafd602d06c9f7bb0169471e53d260312723ab87f34f3856a66ad226713dd8c

C:\$Recycle.Bin\S-1-5-21-2482096546-1136599444-1359412500-1000\JJJJJJJJJJJ

MD5 d202c665d3ebee7fe4a36d645eec9322
SHA1 21d3fa248b5eaae58883887c5062db825811858b
SHA256 8292b4c599ad9ec5457f95ff6ab4cb7ee757aaa917ce5293a3bdf005de4dda1a
SHA512 c406d48f3a2599fb203130c35d287a074c24dae857647ee1b484568e666a71726aafd602d06c9f7bb0169471e53d260312723ab87f34f3856a66ad226713dd8c

C:\$Recycle.Bin\S-1-5-21-2482096546-1136599444-1359412500-1000\IIIIIIIIIII

MD5 d202c665d3ebee7fe4a36d645eec9322
SHA1 21d3fa248b5eaae58883887c5062db825811858b
SHA256 8292b4c599ad9ec5457f95ff6ab4cb7ee757aaa917ce5293a3bdf005de4dda1a
SHA512 c406d48f3a2599fb203130c35d287a074c24dae857647ee1b484568e666a71726aafd602d06c9f7bb0169471e53d260312723ab87f34f3856a66ad226713dd8c

C:\$Recycle.Bin\S-1-5-21-2482096546-1136599444-1359412500-1000\GGGGGGGGGGG

MD5 d202c665d3ebee7fe4a36d645eec9322
SHA1 21d3fa248b5eaae58883887c5062db825811858b
SHA256 8292b4c599ad9ec5457f95ff6ab4cb7ee757aaa917ce5293a3bdf005de4dda1a
SHA512 c406d48f3a2599fb203130c35d287a074c24dae857647ee1b484568e666a71726aafd602d06c9f7bb0169471e53d260312723ab87f34f3856a66ad226713dd8c

C:\$Recycle.Bin\S-1-5-21-2482096546-1136599444-1359412500-1000\FFFFFFFFFFF

MD5 d202c665d3ebee7fe4a36d645eec9322
SHA1 21d3fa248b5eaae58883887c5062db825811858b
SHA256 8292b4c599ad9ec5457f95ff6ab4cb7ee757aaa917ce5293a3bdf005de4dda1a
SHA512 c406d48f3a2599fb203130c35d287a074c24dae857647ee1b484568e666a71726aafd602d06c9f7bb0169471e53d260312723ab87f34f3856a66ad226713dd8c

C:\$Recycle.Bin\S-1-5-21-2482096546-1136599444-1359412500-1000\BBBBBBBBBBB

MD5 d202c665d3ebee7fe4a36d645eec9322
SHA1 21d3fa248b5eaae58883887c5062db825811858b
SHA256 8292b4c599ad9ec5457f95ff6ab4cb7ee757aaa917ce5293a3bdf005de4dda1a
SHA512 c406d48f3a2599fb203130c35d287a074c24dae857647ee1b484568e666a71726aafd602d06c9f7bb0169471e53d260312723ab87f34f3856a66ad226713dd8c

C:\$Recycle.Bin\S-1-5-21-2482096546-1136599444-1359412500-1000\AAAAAAAAAAA

MD5 d202c665d3ebee7fe4a36d645eec9322
SHA1 21d3fa248b5eaae58883887c5062db825811858b
SHA256 8292b4c599ad9ec5457f95ff6ab4cb7ee757aaa917ce5293a3bdf005de4dda1a
SHA512 c406d48f3a2599fb203130c35d287a074c24dae857647ee1b484568e666a71726aafd602d06c9f7bb0169471e53d260312723ab87f34f3856a66ad226713dd8c

C:\$Recycle.Bin\S-1-5-21-2482096546-1136599444-1359412500-1000\desktop.ini

MD5 d202c665d3ebee7fe4a36d645eec9322
SHA1 21d3fa248b5eaae58883887c5062db825811858b
SHA256 8292b4c599ad9ec5457f95ff6ab4cb7ee757aaa917ce5293a3bdf005de4dda1a
SHA512 c406d48f3a2599fb203130c35d287a074c24dae857647ee1b484568e666a71726aafd602d06c9f7bb0169471e53d260312723ab87f34f3856a66ad226713dd8c

C:\Users\Admin\Desktop\LockBit30\config.json

MD5 ba4d91a714ad24355f632e9e9877be4a
SHA1 f8ad48931d522372e20a17377832d82a1e9f075c
SHA256 40bcc82b324cb56d9e2936c47f40c122f8a2dd7facd2e0bb4b44c2d7424dd3bb
SHA512 b366042d11997b6141e08dfdcfa21c9b7feeeff826e178cdbea30e82c2aaec776dc596caafbec7c64ea1d32c43eaef48fa6885edaa2ca76f6c2e247dfd0ffb9b

C:\Users\Admin\Desktop\LockBit30\Build\DECRYPTION_ID.txt

MD5 1789b065a81bdf73119ed277617f5460
SHA1 f6f37d269ac09c104c80ffbd33467757f83175b6
SHA256 5362b479c502a4e0e01faa80b8bc5a72f7b4e60d5ae8c13f6eba38e07753d8c7
SHA512 b7ea7d109943039a5f9c0910a671ee7b29bc846ecb8436369657e55c249c09aca52caf5702b2018e489e0d37ac55d6857c45f5a6c52af67e2b24611bca0063ee

C:\Users\Admin\Desktop\LockBit30\Build\Password_dll.txt

MD5 4b510b99ae51dc780a9e9ff7f7b87dba
SHA1 6a43f371a655ece7685964d4bb8e6174507648a1
SHA256 48142728b6ba5883f34da48983a98dfb1b18687b7bdfaaacf81462871bfc240f
SHA512 06ac8dc8c66ba66e95df344b9a1601f0ea66451b711de9c49fc9f8b49cf842caba45d50506eced0ccb9c0843de43f3adb649fea63d860457fb717cadf868a30c

C:\Users\Admin\Desktop\LockBit30\Build\Password_exe.txt

MD5 7a13795f02f1ea6db8b05fe13bfde9b1
SHA1 a784a0c14c1b1284b62274f67e4d1c55e7c9467d
SHA256 f3ee843dfec9535dcec1dd7ea5717c9e3d62a6429e5b921eaa73207c428fcd86
SHA512 c8ba98c95a4c7610c6016da63fa4e6ed7f4f75aec8f653850322de7660cd581f2b0de47c9cc501447b5300b0aecef3da7e08acd3e2e094889f6cb58734e6e8bd

C:\Users\Admin\Desktop\LockBit30\Build\LB3Decryptor.exe

MD5 d1c15784587717fe03448d0c4dc8dd5b
SHA1 f36ac101949a4fa8f604d561957fb9d3e1f73699
SHA256 4973313c1c003a27190fba0a43dda1be78891552c9fabaa0c65e0051965ceee7
SHA512 ef81b11962fb56a583c43ecdf0f8c66ef17850e85e56794b6c4ca328751609e4fe1fb1494e0e7315ff396510c467e440b74b62c105ce226f2fda49379d551a81

C:\vcredist2012_x64_1_vcRuntimeAdditional_x64.log.ZImkTWSLZ

MD5 c7d97e9b2821152cb945cef671a30115
SHA1 bafeb24c29df06b46e72fe96cef0375d95592df1
SHA256 27041dad2d4ae25df37382637f25382a44e034c141f7ef995f7d2774dbba9acb
SHA512 213693612c930fe39ce2e3ac78a76d27e4fa69c5d5a5ecf050a2bee54806e1207ece00e825dcf3188b397f8bb371d9b1df5c1abf04964434cbb5748a628aed6a

C:\Users\Admin\Pictures\My Wallpaper.jpg.ZImkTWSLZ

MD5 14e6f8d7c7035e5ab0864de9834ac7f8
SHA1 47dbb7e76dfba34e2c3d6d6aff9ccdee4a3eec81
SHA256 336e0be1d3d9f6555bef6f54966a38169f69e1f4b0f3eedcf6f1a4a1f44d2cec
SHA512 1a628becc6e190bf692fdfb7657384d7beb3f111300c728a36695f458627889b920fc2acbe28d3f497524439b1d418d0e3ac7d2cf473bbc1710ecf56afab43d7

C:\Users\Admin\Pictures\MergeTrace.gif.ZImkTWSLZ

MD5 5724c268ff2d137c05ee76c8c76c3108
SHA1 e4fd55febc45183a8111ec33d974eefaf2a30c93
SHA256 18a903f2508308530317112b0994faffb84ae188fcc8466412b925f3504ae4af
SHA512 c0e3b35d3bc5c7152e38841b385d13028fcda7ab3ee5f26f51b127bbd84fa7e462abb968ef3b0a4c85fa49dfc31ff7af221e555f85978ed777de1ccc1d162005

C:\Users\Admin\Pictures\FormatReset.raw.ZImkTWSLZ

MD5 e0340067840a4944852fbe1911fa6fdc
SHA1 498462219ab352f7a466dfacb398d47e6bd64423
SHA256 00e5e758add99b323dec158b967341c7baa277b98916ad84c29da8f1b4d1f55f
SHA512 fb52744aa2b5933f63c1995b31832686391497550cf2076c9e3b69d4c98d723336903764ae1954778f3d71fe6ba1dde01ccfd4f821b9bedd0d43a4b85071516a

C:\Users\Admin\Pictures\FormatConnect.emf.ZImkTWSLZ

MD5 77fb68af3afb2813ef299d34fdcbb3a1
SHA1 fc1562a4c4312f87f0ce7b8348a6d669d6287a57
SHA256 ddee3490b3fb49c04dd65a875168ad6cd87551c289d20c483626fa916ac7e261
SHA512 dfd8f0893afe143bdb8a0b7f9568a8978e5eb7074a17853d6857a569e544e1372da08f5e62f75a7568905c5346d6322715e7df18c7970b956a057f2da64e8c8c

C:\Users\Admin\Pictures\EnterUninstall.dib.ZImkTWSLZ

MD5 d76388f89306d11af6e2d7b8ddcef33d
SHA1 f5840e2900304fbe5637376634c234fd5ac3bcb5
SHA256 8e17eb9acdaf685291a7c3e01d3d3791b0dde4106b87d62ab89f7a5cf309d6c5
SHA512 be76bcfe69db51fc27425c8d0445b2452251c0f13f62c09af4db66364bf5084e796eabb2c50a4d1c1e6692e808d26ad418e7ea5b710378967655e61b0d94987b

C:\Users\Admin\Pictures\DisconnectJoin.cr2.ZImkTWSLZ

MD5 1d5ca5e79cfafbcf67bfe7b9954d6741
SHA1 beba045cf55de8ddd4c336d00afdb434cd6accbc
SHA256 9904f8543440598990b4072652aed00b5cd38c6e6eb45e7fc873887d23bfa8b7
SHA512 6fe451bbfe22d926211b7882c7c6e0e63b4e93a79d59858be72bae20e542f40ba2995b2ced9be1463c25665b35b35246f4affd950590ee081a041c305425d49d

C:\Users\Admin\Pictures\CloseWrite.raw.ZImkTWSLZ

MD5 443be5426e0fcdc8f50e87671a593fe1
SHA1 7fe6e68d1dd426185725c3c22d97b44b6a7a6f7d
SHA256 1c83605e64ff64dfee5031606d5d1596331e0d43ebe28490b1d42b9e892c6ecf
SHA512 b153fb10c9cbd90a63404ad09341e7df68f6fc1ad49fc65d45b642dfc65027548945d29e9974f137fdae98c37f369b9e66c66720c84979ebe393433459b47df1

C:\Users\Admin\Saved Games\ZImkTWSLZ.README.txt

MD5 b1561556b1d6a711c5bbc29b1491d415
SHA1 bdb43fb06a1e134ac46463a2f3ff074ac67579e0
SHA256 45f69127621d509f59481bdd54d266b67a90c3c77b8664ab81c44442319f97fe
SHA512 cbca6bbec48ce9c8bf70feeba7f006c3d44ff2720f3379b0b8794fac3a42593c72768b0d8447e4a656cc260b4944aa7334cdeb626bd895e77285b57b90b2f476

C:\Users\Admin\Searches\ZImkTWSLZ.README.txt

MD5 b1561556b1d6a711c5bbc29b1491d415
SHA1 bdb43fb06a1e134ac46463a2f3ff074ac67579e0
SHA256 45f69127621d509f59481bdd54d266b67a90c3c77b8664ab81c44442319f97fe
SHA512 cbca6bbec48ce9c8bf70feeba7f006c3d44ff2720f3379b0b8794fac3a42593c72768b0d8447e4a656cc260b4944aa7334cdeb626bd895e77285b57b90b2f476

C:\Users\Admin\Searches\winrt--{S-1-5-21-2482096546-1136599444-1359412500-1000}-.searchconnector-ms.ZImkTWSLZ

MD5 583690b0e47b651ce38f911a0e9f451c
SHA1 a84ba615a38920ae7e21c2eac17a1ca7d10ad572
SHA256 6c42f3bccc21b1e5cff4ab2155f91e11767c522b01f36555acab97461df157ce
SHA512 dcde738a767e444e96a4975bb13032d28bf2a788e974e7787a0ef27822cf45a0cb4fbe2c708a53044b6d377d6253f3870a28d35ddc3932511f464431a8829872

C:\Users\Admin\Videos\ZImkTWSLZ.README.txt

MD5 b1561556b1d6a711c5bbc29b1491d415
SHA1 bdb43fb06a1e134ac46463a2f3ff074ac67579e0
SHA256 45f69127621d509f59481bdd54d266b67a90c3c77b8664ab81c44442319f97fe
SHA512 cbca6bbec48ce9c8bf70feeba7f006c3d44ff2720f3379b0b8794fac3a42593c72768b0d8447e4a656cc260b4944aa7334cdeb626bd895e77285b57b90b2f476

C:\Users\Admin\ZImkTWSLZ.README.txt

MD5 b1561556b1d6a711c5bbc29b1491d415
SHA1 bdb43fb06a1e134ac46463a2f3ff074ac67579e0
SHA256 45f69127621d509f59481bdd54d266b67a90c3c77b8664ab81c44442319f97fe
SHA512 cbca6bbec48ce9c8bf70feeba7f006c3d44ff2720f3379b0b8794fac3a42593c72768b0d8447e4a656cc260b4944aa7334cdeb626bd895e77285b57b90b2f476

C:\Users\ZImkTWSLZ.README.txt

MD5 b1561556b1d6a711c5bbc29b1491d415
SHA1 bdb43fb06a1e134ac46463a2f3ff074ac67579e0
SHA256 45f69127621d509f59481bdd54d266b67a90c3c77b8664ab81c44442319f97fe
SHA512 cbca6bbec48ce9c8bf70feeba7f006c3d44ff2720f3379b0b8794fac3a42593c72768b0d8447e4a656cc260b4944aa7334cdeb626bd895e77285b57b90b2f476

C:\ZImkTWSLZ.README.txt

MD5 b1561556b1d6a711c5bbc29b1491d415
SHA1 bdb43fb06a1e134ac46463a2f3ff074ac67579e0
SHA256 45f69127621d509f59481bdd54d266b67a90c3c77b8664ab81c44442319f97fe
SHA512 cbca6bbec48ce9c8bf70feeba7f006c3d44ff2720f3379b0b8794fac3a42593c72768b0d8447e4a656cc260b4944aa7334cdeb626bd895e77285b57b90b2f476

C:\vcredist2022_x86_001_vcRuntimeAdditional_x86.log.ZImkTWSLZ

MD5 2977134c694b733d6a6474b899c45060
SHA1 b707405a01aad33e56b3a08514f89a0e69542f93
SHA256 b35e4236e3e1afe9c9ae79e4afee7dd76dfc827b3659599d4c6c30722becfcfb
SHA512 bf62b7bab1e9268fca7d026178db46c41d6a637638c66794b9bdcf0cdc0bc89c84291d862164e917f9568e9ac472d8fff4b4bcbb25a4fcb4b44cf9b85acb9d24

C:\vcredist2022_x86_000_vcRuntimeMinimum_x86.log.ZImkTWSLZ

MD5 72a7398473b450ab1900d7b12fd42378
SHA1 29252393099b52db79bc72050f0ee1865f0a9cb5
SHA256 0bcfbc2856ee6b177514e8a224b291d1bf05a9999b431e4beac6d06b97973f80
SHA512 657dfa4dfe84c058bcff09e3020f13f7f70f400bc75b5641fe952d8cb7c2d9e95f5296127c1e546e1ee1a541629a951711d867205f9eea4f83437ee8848a70ef

C:\vcredist2022_x64_001_vcRuntimeAdditional_x64.log.ZImkTWSLZ

MD5 cb900627673c03b7418bbcdfbf2b60a2
SHA1 3067bc0377ad7c348ee49b7947fa648a7c8a2be3
SHA256 0df378ab0eb4c73d78780a4f8d089d3028a2d50cb065c9197368fbf0412c59ad
SHA512 4e43a0f203566528188ebdf84651e199e9abca3c4318905dae3cce620397bd01a6f4233b85febb2cbafb2a881b285167c705e4f1ecf0b6236f8788a4bad7de07

C:\vcredist2022_x64_000_vcRuntimeMinimum_x64.log.ZImkTWSLZ

MD5 f3dd5ca1d0b1f5750f82b5589cb501f6
SHA1 346a91207f3615b62e5b6cae90e3cff90d18d996
SHA256 fade193ef71ea29b3e5a8c31e91a76312a278f698ba779b17539324fc2967ea4
SHA512 d5f2e27a117c1fb636609f9fc8b00e4a933de2d18481cecc807ce8bbc0016d66e26c9606d4b1c90ea244d2665421751153026930bcb6628dfaff0414f264dc7e

C:\vcredist2013_x86_001_vcRuntimeAdditional_x86.log.ZImkTWSLZ

MD5 ceb0dbeaaccdc465d82a4ffbbc86da6d
SHA1 d20db7facd6c3d5c5d46341f6d8b98777b2fc7d5
SHA256 df8b626bbd57beed9fdf3d5e641dd93c954a38d1a5f7c998a398d6893a913613
SHA512 b61e24063b8fc63e72daf793ec9017c2f0ecb960566c888a3f0e571183361ee494e8889625aa55c2a508b675d2a9126b394d2eaa58e01984c613f734dac5627b

C:\vcredist2013_x86_000_vcRuntimeMinimum_x86.log.ZImkTWSLZ

MD5 0f84843516f2d45e7d398d38b6446276
SHA1 1818283b21424f4c63d762c6675a20452e829d1e
SHA256 bc79283967639f4d86d44666be2c02d7a9ddaf6e79cd3f2aa0cab24731723b9a
SHA512 78217ea6adc5ce7c8e0269b58bb576443eebaa52c7a6eb265a7073119db865449adc206c74d9a0fa525af1013687d69f436b72eb499e5f07f4a0806fd5a7755c

C:\vcredist2013_x64_001_vcRuntimeAdditional_x64.log.ZImkTWSLZ

MD5 99d0a4644276f61e8f973c6c59c4fe58
SHA1 0b7a04e73a780142b706b6ef4a60f94940bd7a36
SHA256 dd2ff7a6b8003a935f55ef3732ca3fba1b66a18cf31a12cf8b5e377bef943178
SHA512 74d08ad9efec55157cb44412f1a2b456e393d39bf0ce59583663cd607b24139aa64141d69de48b4a49ee41d89fa6bef87210b80b90ebde4c45c70a8f78e04759

C:\vcredist2013_x64_000_vcRuntimeMinimum_x64.log.ZImkTWSLZ

MD5 82b7c169ff048ff8513574874e55430a
SHA1 f608065b60e5ec3833079cdadb08085a3b2cc5a1
SHA256 5079e0c5c4a71b0ba80428bd264d92796ce04c02e2bd0b02553047ca5e2cfba1
SHA512 b3390c4eec03d00a7b1553b06a1f4e61c3248a00ad3284756312b55cb995cfc9eb7f31705565a2d32fd2068c8aa7faec060a06311595f8a57693a577f164acb5

C:\vcredist2012_x86_1_vcRuntimeAdditional_x86.log.ZImkTWSLZ

MD5 16a530620fdc507c183014913933c353
SHA1 acea7f2570a55bed0035a3b7f77c6dc9ebe3425d
SHA256 24635f0220850ae7f2a420f6148b1ae64cdfe0a30cada1292fe8254000d910d8
SHA512 e48a96a354044e07db22acdcb4db96ad2f450a4246e83e1dc7ac2dc0a61384f0e17e4b40faff1572ab356af4670f228dac7b370b848565df00af0e1707a69bc7

C:\vcredist2012_x86_0_vcRuntimeMinimum_x86.log.ZImkTWSLZ

MD5 976d5ba441eb7193b56ecacea45bc149
SHA1 9e97dd6b3501022764323d97129a971ca6f04c4c
SHA256 d8cf6a1ac8b50d5b5312c2ac8a99e1edb9bd2d7f20f95986ca7ca0e30da65c0a
SHA512 13f9dcdc5bdf248dd239bfd361e9db77878bf5a27e147c2b9a0841fe04ecf588202cf6438b5210588a73e37747265cce73b69bb138aea03d07c896a12bed8f95

C:\vcredist2012_x64_0_vcRuntimeMinimum_x64.log.ZImkTWSLZ

MD5 3acfb919ce88ad9a3c307149d6a7e85a
SHA1 221bf0c4b3fcbcfef69304088d839d72ac0cdd61
SHA256 7a9bf9dab058b8a22c4e2e54181d1e21aefd7a1dd1ea261d7b532ec07eaf83e3
SHA512 fc01b9f458e845018a2c2ee859f27097619f6b277854c06888269fa1e60a9809619762636e23bb579b6d689322627e030a88fb808ce64f13975df809dda5658b

C:\vcredist2010_x86.log.html.ZImkTWSLZ

MD5 07140c44defdfcac72d3882676f4bcc2
SHA1 c6292ff2e88d8d63c25a134e9322e45e56b85147
SHA256 ec4c3bb5a7666cb5d8208784f530db9b38c8bf4878391110187002b650fe0edc
SHA512 383882b9b000e3c2d421dfc8c758c436e5ce408c4f192ec72c42ebe0333c279e4c81ca0504db57019182d8aa8015220fb64b17ccfed032ecbbabe9940ba06ee4

C:\vcredist2010_x86.log-MSI_vc_red.msi.txt.ZImkTWSLZ

MD5 71c99abe76a6a7248b447b59c26f92f4
SHA1 4dde878b1e53fd1cf486290cd102ed7f5acb7504
SHA256 bafad65e67fde2af7cfd09cef58fbbcd7c3a775099b18b3b9cded309fc4561ff
SHA512 a92d3584410ad88b38d743279c6c8a75ddb0d8f76205b0f23195fe11f20cf62b5fcfd1005e122e385d28f2ba96602e85c24f7e2799c21d92447d5f09e6d3aedd

C:\vcredist2010_x64.log-MSI_vc_red.msi.txt.ZImkTWSLZ

MD5 b1a1d2ab41b10d65a7bf08536441ff09
SHA1 80eac5a11651838171c0fad8d6c69ab21339cb9f
SHA256 f71329244455bc51512b05060cb7e5f2a6d9b20a8ccb4494d4b58734b7115b82
SHA512 cb2fb280686a39241d6e8e477881e7a85c65776d41c65ef11cdd0b2f8f34dfe67ad319ac7a24e7802ede9659458f1e4540ffbbc30d38caf0531691ad2d4858ba

C:\vcredist2010_x64.log.html.ZImkTWSLZ

MD5 5060ecb14d4dc46b512a3dd5d073ff49
SHA1 1f21bfa6c8535905e98e2e8efdfe57ad001a6c4b
SHA256 18c8639714b6c6de23f8c810ed4eff3fb2652434db8d6a5a56d15744636074c2
SHA512 7a35d1814549a8034e6a93bf822c5ff0fd85fac979401ed629f1eb8b96a802ee830673c02216d35f80871db53f27e2c17a1be1d84d1cea92e3424c763d3906c6

memory/3188-309-0x0000000000000000-mapping.dmp

memory/3188-353-0x0000000000400000-0x0000000000407000-memory.dmp

memory/4148-357-0x0000000000000000-mapping.dmp

memory/3572-404-0x0000000000000000-mapping.dmp

memory/3368-406-0x0000000000000000-mapping.dmp

memory/1852-491-0x0000000000000000-mapping.dmp