blackmatter | b09403adcaf79f3602815c242b3698e43138156d848ac1b0802232d4afc36154

Resubmissions

13-11-2022 18:00

221113-wll9wacb66 10

22-09-2022 05:49

220922-gjgt2sabf4 10

21-09-2022 18:45

220921-xefn7aghd5 10

Analysis

max time kernel
1393s
max time network
1219s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
22-09-2022 05:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a5bb65afe22627fbf9526fd316d32c368a986a4d65af31814ef2c18cef18422d.zip
Size

285KB
MD5

f871381769ec947b0028412b8e86669b
SHA1

1e11fb4df33528b64ce204283086d19eb25b01b3
SHA256

a5bb65afe22627fbf9526fd316d32c368a986a4d65af31814ef2c18cef18422d
SHA512

db7853e47eea3bd589e0fc1323e73ac8114da08aa0de90debd1afe33b56fc8a15f8b0a06b995a9943f946a945e9b147784c1b384d21c09a10e13393d252637cf
SSDEEP

6144:Jyk7CEChoKaMDst7kVns958jCBoFXTZUBO+zu/GlndySugs7y3a4H:JPfChoKLDy7kW9EXTZUTi4Upgs7qH

Score

10^/10

blackmatter ransomware spyware stealer

Malware Config

Extracted

Path

C:\62ZdIU5ix.README.txt

Ransom Note

~~~ LockBit 3.0 the world's fastest ransomware since 2019~~~ >>>> Your data are stolen and encrypted The data will be published on TOR website if you do not pay the ransom Links for Tor Browser: http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion http://lockbitapt5x4zkjbcqmz6frdhecqqgadevyiwqxukksspnlidyvd7qd.onion http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion http://lockbitapt34kvrip6xojylohhxrwsvpzdffgs5z4pbbsywnzsbdguqd.onion http://lockbitaptc2iq4atewz2ise62q63wfktyrl4qtwuk5qax262kgtzjqd.onion http://lockbitaptjpikdqjynvgozhgc6bgetgucdk5xjacozeaawihmoio6yd.onion http://lockbitaptq7ephv2oigdncfhtwhpqgwmqojnxqdyhprxxfpcllqdxad.onion http://lockbitaptstzf3er2lz6ku3xuifafq2yh5lmiqj5ncur6rtlmkteiqd.onion http://lockbitaptoofrpignlz6dt2wqqc5z3a4evjevoa3eqdfcntxad5lmyd.onion Links for the normal browser http://lockbitapt.uz http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion.ly http://lockbitapt5x4zkjbcqmz6frdhecqqgadevyiwqxukksspnlidyvd7qd.onion.ly http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion.ly http://lockbitapt34kvrip6xojylohhxrwsvpzdffgs5z4pbbsywnzsbdguqd.onion.ly http://lockbitaptc2iq4atewz2ise62q63wfktyrl4qtwuk5qax262kgtzjqd.onion.ly http://lockbitaptjpikdqjynvgozhgc6bgetgucdk5xjacozeaawihmoio6yd.onion.ly http://lockbitaptq7ephv2oigdncfhtwhpqgwmqojnxqdyhprxxfpcllqdxad.onion.ly http://lockbitaptstzf3er2lz6ku3xuifafq2yh5lmiqj5ncur6rtlmkteiqd.onion.ly http://lockbitaptoofrpignlz6dt2wqqc5z3a4evjevoa3eqdfcntxad5lmyd.onion.ly >>>> What guarantees that we will not deceive you? We are not a politically motivated group and we do not need anything other than your money. If you pay, we will provide you the programs for decryption and we will delete your data. Life is too short to be sad. Be not sad, money, it is only paper. If we do not give you decrypters, or we do not delete your data after payment, then nobody will pay us in the future. Therefore to us our reputation is very important. We attack the companies worldwide and there is no dissatisfied victim after payment. You can obtain information about us on twitter https://twitter.com/hashtag/lockbit?f=live >>>> You need contact us and decrypt one file for free on these TOR sites with your personal DECRYPTION ID Download and install TOR Browser https://www.torproject.org/ Write to a chat and wait for the answer, we will always answer you. Sometimes you will need to wait for our answer because we attack many companies. Links for Tor Browser: http://lockbitsupt7nr3fa6e7xyb73lk6bw6rcneqhoyblniiabj4uwvzapqd.onion http://lockbitsupuhswh4izvoucoxsbnotkmgq6durg7kficg6u33zfvq3oyd.onion http://lockbitsupn2h6be2cnqpvncyhj4rgmnwn44633hnzzmtxdvjoqlp7yd.onion Link for the normal browser http://lockbitsupp.uz If you do not get an answer in the chat room for a long time, the site does not work and in any other emergency, you can contact us in jabber or tox. Tox ID LockBitSupp: 3085B89A0C515D2FB124D645906F5D3DA5CB97CEBEA975959AE4F95302A04E1D709C3C4AE9B7 XMPP (Jabber) Support: [email protected] [email protected] >>>> Your personal DECRYPTION ID: 7722410D2DBEA8D93F8A398CA186DEE1 >>>> Warning! Do not DELETE or MODIFY any files, it can lead to recovery problems! >>>> Warning! If you do not pay the ransom we will attack your company repeatedly again! >>>> Advertisement Would you like to earn millions of dollars $$$ ? Our company acquire access to networks of various companies, as well as insider information that can help you steal the most valuable data of any company. You can provide us accounting data for the access to any company, for example, login and password to RDP, VPN, corporate email, etc. Open our letter at your email. Launch the provided virus on any computer in your company. You can do it both using your work computer or the computer of any other employee in order to divert suspicion of being in collusion with us. Companies pay us the foreclosure for the decryption of files and prevention of data leak. You can contact us using Tox messenger without registration and SMS https://tox.chat/download.html. Using Tox messenger, we will never know your real name, it means your privacy is guaranteed. If you want to contact us, write in jabber or tox. Tox ID LockBitSupp: 3085B89A0C515D2FB124D645906F5D3DA5CB97CEBEA975959AE4F95302A04E1D709C3C4AE9B7 XMPP (Jabber) Support: [email protected] [email protected] If this contact is expired, and we do not respond you, look for the relevant contact data on our website via Tor or Brave browser Links for Tor Browser: http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion http://lockbitapt5x4zkjbcqmz6frdhecqqgadevyiwqxukksspnlidyvd7qd.onion http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion http://lockbitapt34kvrip6xojylohhxrwsvpzdffgs5z4pbbsywnzsbdguqd.onion http://lockbitaptc2iq4atewz2ise62q63wfktyrl4qtwuk5qax262kgtzjqd.onion http://lockbitaptjpikdqjynvgozhgc6bgetgucdk5xjacozeaawihmoio6yd.onion http://lockbitaptq7ephv2oigdncfhtwhpqgwmqojnxqdyhprxxfpcllqdxad.onion http://lockbitaptstzf3er2lz6ku3xuifafq2yh5lmiqj5ncur6rtlmkteiqd.onion http://lockbitaptoofrpignlz6dt2wqqc5z3a4evjevoa3eqdfcntxad5lmyd.onion Links for the normal browser http://lockbitapt.uz http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion.ly http://lockbitapt5x4zkjbcqmz6frdhecqqgadevyiwqxukksspnlidyvd7qd.onion.ly http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion.ly http://lockbitapt34kvrip6xojylohhxrwsvpzdffgs5z4pbbsywnzsbdguqd.onion.ly http://lockbitaptc2iq4atewz2ise62q63wfktyrl4qtwuk5qax262kgtzjqd.onion.ly http://lockbitaptjpikdqjynvgozhgc6bgetgucdk5xjacozeaawihmoio6yd.onion.ly http://lockbitaptq7ephv2oigdncfhtwhpqgwmqojnxqdyhprxxfpcllqdxad.onion.ly http://lockbitaptstzf3er2lz6ku3xuifafq2yh5lmiqj5ncur6rtlmkteiqd.onion.ly http://lockbitaptoofrpignlz6dt2wqqc5z3a4evjevoa3eqdfcntxad5lmyd.onion.ly

Emails

[email protected]

URLs

http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion

http://lockbitapt5x4zkjbcqmz6frdhecqqgadevyiwqxukksspnlidyvd7qd.onion

http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion

http://lockbitapt34kvrip6xojylohhxrwsvpzdffgs5z4pbbsywnzsbdguqd.onion

http://lockbitaptc2iq4atewz2ise62q63wfktyrl4qtwuk5qax262kgtzjqd.onion

http://lockbitaptjpikdqjynvgozhgc6bgetgucdk5xjacozeaawihmoio6yd.onion

http://lockbitaptq7ephv2oigdncfhtwhpqgwmqojnxqdyhprxxfpcllqdxad.onion

http://lockbitaptstzf3er2lz6ku3xuifafq2yh5lmiqj5ncur6rtlmkteiqd.onion

http://lockbitaptoofrpignlz6dt2wqqc5z3a4evjevoa3eqdfcntxad5lmyd.onion

http://lockbitapt.uz

http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion.ly

http://lockbitapt5x4zkjbcqmz6frdhecqqgadevyiwqxukksspnlidyvd7qd.onion.ly

http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion.ly

http://lockbitapt34kvrip6xojylohhxrwsvpzdffgs5z4pbbsywnzsbdguqd.onion.ly

http://lockbitaptc2iq4atewz2ise62q63wfktyrl4qtwuk5qax262kgtzjqd.onion.ly

http://lockbitaptjpikdqjynvgozhgc6bgetgucdk5xjacozeaawihmoio6yd.onion.ly

http://lockbitaptq7ephv2oigdncfhtwhpqgwmqojnxqdyhprxxfpcllqdxad.onion.ly

http://lockbitaptstzf3er2lz6ku3xuifafq2yh5lmiqj5ncur6rtlmkteiqd.onion.ly

http://lockbitaptoofrpignlz6dt2wqqc5z3a4evjevoa3eqdfcntxad5lmyd.onion.ly

https://twitter.com/hashtag/lockbit?f=live

Extracted

Family

blackmatter

Version

25.239

Signatures

BlackMatter Ransomware
BlackMatter ransomware group claims to be Darkside and REvil succesor.
ransomware blackmatter

Executes dropped EXE 25 IoCs

pid	Process
2276	keygen.exe
2548	builder.exe
3512	builder.exe
3360	builder.exe
3928	builder.exe
3984	builder.exe
2760	builder.exe
2228	LB3_pass.exe
4772	LB3.exe
64	B5CE.tmp
1580	LB3Decryptor.exe
748	LB3_pass.exe
3660	LB3_pass.exe
3384	keygen.exe
4032	builder.exe
4828	builder.exe
3104	builder.exe
4356	builder.exe
4072	builder.exe
2664	builder.exe
5008	LB3.exe
1812	C209.tmp
1736	LB3Decryptor.exe
420	LB3_pass.exe
1128	LB3Decryptor.exe

Modifies extensions of user files 24 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

description	ioc	Process
File opened for modification	C:\Users\Admin\Pictures\TraceResume.raw.OwEGtgGxQ	LB3.exe
File opened for modification	C:\Users\Admin\Pictures\RedoPush.crw.OwEGtgGxQ	LB3Decryptor.exe
File opened for modification	C:\Users\Admin\Pictures\SyncInstall.tiff.62ZdIU5ix	LB3.exe
File opened for modification	C:\Users\Admin\Pictures\SyncInstall.tiff	LB3Decryptor.exe
File opened for modification	C:\Users\Admin\Pictures\SyncInstall.tiff	LB3.exe
File renamed	C:\Users\Admin\Pictures\RedoPush.crw => C:\Users\Admin\Pictures\RedoPush.crw.OwEGtgGxQ	LB3.exe
File renamed	C:\Users\Admin\Pictures\SyncInstall.tiff => C:\Users\Admin\Pictures\SyncInstall.tiff.OwEGtgGxQ	LB3.exe
File opened for modification	C:\Users\Admin\Pictures\SyncInstall.tiff.OwEGtgGxQ	LB3.exe
File opened for modification	C:\Users\Admin\Pictures\TraceResume.raw.OwEGtgGxQ	LB3Decryptor.exe
File opened for modification	C:\Users\Admin\Pictures\SyncInstall.tiff	LB3Decryptor.exe
File renamed	C:\Users\Admin\Pictures\SyncInstall.tiff => C:\Users\Admin\Pictures\SyncInstall.tiff.62ZdIU5ix	LB3.exe
File opened for modification	C:\Users\Admin\Pictures\TraceResume.raw.62ZdIU5ix	LB3Decryptor.exe
File renamed	C:\Users\Admin\Pictures\SyncInstall.tiff.62ZdIU5ix => C:\Users\Admin\Pictures\SyncInstall.tiff	LB3Decryptor.exe
File opened for modification	C:\Users\Admin\Pictures\RedoPush.crw.OwEGtgGxQ	LB3.exe
File renamed	C:\Users\Admin\Pictures\RedoPush.crw => C:\Users\Admin\Pictures\RedoPush.crw.62ZdIU5ix	LB3.exe
File opened for modification	C:\Users\Admin\Pictures\SyncInstall.tiff	LB3.exe
File opened for modification	C:\Users\Admin\Pictures\TraceResume.raw.62ZdIU5ix	LB3.exe
File opened for modification	C:\Users\Admin\Pictures\SyncInstall.tiff.62ZdIU5ix	LB3Decryptor.exe
File renamed	C:\Users\Admin\Pictures\TraceResume.raw => C:\Users\Admin\Pictures\TraceResume.raw.OwEGtgGxQ	LB3.exe
File opened for modification	C:\Users\Admin\Pictures\SyncInstall.tiff.OwEGtgGxQ	LB3Decryptor.exe
File renamed	C:\Users\Admin\Pictures\SyncInstall.tiff.OwEGtgGxQ => C:\Users\Admin\Pictures\SyncInstall.tiff	LB3Decryptor.exe
File opened for modification	C:\Users\Admin\Pictures\RedoPush.crw.62ZdIU5ix	LB3.exe
File renamed	C:\Users\Admin\Pictures\TraceResume.raw => C:\Users\Admin\Pictures\TraceResume.raw.62ZdIU5ix	LB3.exe
File opened for modification	C:\Users\Admin\Pictures\RedoPush.crw.62ZdIU5ix	LB3Decryptor.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	B5CE.tmp
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	C209.tmp

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File opened for modification	C:\$Recycle.Bin\S-1-5-21-929662420-1054238289-2961194603-1000\desktop.ini	LB3.exe
File opened for modification	C:\$Recycle.Bin\S-1-5-21-929662420-1054238289-2961194603-1000\desktop.ini	LB3.exe

Sets desktop wallpaper using registry 2 TTPs 6 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\62ZdIU5ix.bmp"	LB3.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\62ZdIU5ix.bmp"	LB3.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\Desktop\WallPaper	LB3Decryptor.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\OwEGtgGxQ.bmp"	LB3.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\OwEGtgGxQ.bmp"	LB3.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\Desktop\WallPaper	LB3Decryptor.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
64	B5CE.tmp
1812	C209.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 4 IoCs

pid	pid_target	Process	procid_target
2408	2228	WerFault.exe	112
1400	748	WerFault.exe	130
4536	3660	WerFault.exe	133
1608	420	WerFault.exe	155

Modifies Control Panel 6 IoCs

evasion

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\Desktop	LB3.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\Desktop\WallpaperStyle = "10"	LB3.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\Desktop	LB3Decryptor.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\Desktop	LB3.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\Desktop\WallpaperStyle = "10"	LB3.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\Desktop	LB3Decryptor.exe

Modifies registry class 19 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\62ZdIU5ix	LB3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.OwEGtgGxQ	LB3.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	OpenWith.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\OwEGtgGxQ	LB3Decryptor.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\.OwEGtgGxQ	LB3Decryptor.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	OpenWith.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\62ZdIU5ix\DefaultIcon\ = "C:\\ProgramData\\62ZdIU5ix.ico"	LB3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\OwEGtgGxQ\DefaultIcon	LB3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\OwEGtgGxQ\DefaultIcon\ = "C:\\ProgramData\\OwEGtgGxQ.ico"	LB3.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	OpenWith.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\OWEGTGGXQ\DEFAULTICON	LB3Decryptor.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\.62ZdIU5ix	LB3Decryptor.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.OwEGtgGxQ\ = "OwEGtgGxQ"	LB3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\OwEGtgGxQ	LB3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.62ZdIU5ix	LB3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.62ZdIU5ix\ = "62ZdIU5ix"	LB3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\62ZdIU5ix\DefaultIcon	LB3.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\62ZDIU5IX\DEFAULTICON	LB3Decryptor.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\62ZdIU5ix	LB3Decryptor.exe

Opens file in notepad (likely ransom note) 5 IoCs

ransomware

pid	Process
2408	NOTEPAD.EXE
4776	NOTEPAD.EXE
1316	NOTEPAD.EXE
220	NOTEPAD.EXE
1928	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4772	LB3.exe
4772	LB3.exe
4772	LB3.exe
4772	LB3.exe
4772	LB3.exe
4772	LB3.exe
4772	LB3.exe
4772	LB3.exe
4772	LB3.exe
4772	LB3.exe
4772	LB3.exe
4772	LB3.exe
4772	LB3.exe
4772	LB3.exe
4772	LB3.exe
4772	LB3.exe
4772	LB3.exe
4772	LB3.exe
4772	LB3.exe
4772	LB3.exe
4772	LB3.exe
4772	LB3.exe
4772	LB3.exe
4772	LB3.exe
4772	LB3.exe
4772	LB3.exe
4772	LB3.exe
4772	LB3.exe
4772	LB3.exe
4772	LB3.exe
4772	LB3.exe
4772	LB3.exe
4772	LB3.exe
4772	LB3.exe
4772	LB3.exe
4772	LB3.exe
4772	LB3.exe
4772	LB3.exe
4772	LB3.exe
4772	LB3.exe
4772	LB3.exe
4772	LB3.exe
4772	LB3.exe
4772	LB3.exe
4772	LB3.exe
4772	LB3.exe
4772	LB3.exe
4772	LB3.exe
4772	LB3.exe
4772	LB3.exe
4772	LB3.exe
4772	LB3.exe
4772	LB3.exe
4772	LB3.exe
4772	LB3.exe
4772	LB3.exe
4772	LB3.exe
4772	LB3.exe
4772	LB3.exe
4772	LB3.exe
1580	LB3Decryptor.exe
1580	LB3Decryptor.exe
5008	LB3.exe
5008	LB3.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
2536	OpenWith.exe
4132	OpenWith.exe

Suspicious behavior: RenamesItself 4 IoCs

pid	Process
4772	LB3.exe
1580	LB3Decryptor.exe
5008	LB3.exe
1128	LB3Decryptor.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeRestorePrivilege	3100	7zG.exe
Token: 35	3100	7zG.exe
Token: SeSecurityPrivilege	3100	7zG.exe
Token: SeSecurityPrivilege	3100	7zG.exe
Token: SeAssignPrimaryTokenPrivilege	4772	LB3.exe
Token: SeBackupPrivilege	4772	LB3.exe
Token: SeDebugPrivilege	4772	LB3.exe
Token: 36	4772	LB3.exe
Token: SeImpersonatePrivilege	4772	LB3.exe
Token: SeIncBasePriorityPrivilege	4772	LB3.exe
Token: SeIncreaseQuotaPrivilege	4772	LB3.exe
Token: 33	4772	LB3.exe
Token: SeManageVolumePrivilege	4772	LB3.exe
Token: SeProfSingleProcessPrivilege	4772	LB3.exe
Token: SeRestorePrivilege	4772	LB3.exe
Token: SeSecurityPrivilege	4772	LB3.exe
Token: SeSystemProfilePrivilege	4772	LB3.exe
Token: SeTakeOwnershipPrivilege	4772	LB3.exe
Token: SeShutdownPrivilege	4772	LB3.exe
Token: SeDebugPrivilege	4772	LB3.exe
Token: SeBackupPrivilege	4772	LB3.exe
Token: SeBackupPrivilege	4772	LB3.exe
Token: SeSecurityPrivilege	4772	LB3.exe
Token: SeSecurityPrivilege	4772	LB3.exe
Token: SeBackupPrivilege	4772	LB3.exe
Token: SeBackupPrivilege	4772	LB3.exe
Token: SeSecurityPrivilege	4772	LB3.exe
Token: SeSecurityPrivilege	4772	LB3.exe
Token: SeBackupPrivilege	4772	LB3.exe
Token: SeBackupPrivilege	4772	LB3.exe
Token: SeSecurityPrivilege	4772	LB3.exe
Token: SeSecurityPrivilege	4772	LB3.exe
Token: SeBackupPrivilege	4772	LB3.exe
Token: SeBackupPrivilege	4772	LB3.exe
Token: SeSecurityPrivilege	4772	LB3.exe
Token: SeSecurityPrivilege	4772	LB3.exe
Token: SeBackupPrivilege	4772	LB3.exe
Token: SeBackupPrivilege	4772	LB3.exe
Token: SeSecurityPrivilege	4772	LB3.exe
Token: SeSecurityPrivilege	4772	LB3.exe
Token: SeBackupPrivilege	4772	LB3.exe
Token: SeBackupPrivilege	4772	LB3.exe
Token: SeSecurityPrivilege	4772	LB3.exe
Token: SeSecurityPrivilege	4772	LB3.exe
Token: SeBackupPrivilege	4772	LB3.exe
Token: SeBackupPrivilege	4772	LB3.exe
Token: SeSecurityPrivilege	4772	LB3.exe
Token: SeSecurityPrivilege	4772	LB3.exe
Token: SeBackupPrivilege	4772	LB3.exe
Token: SeBackupPrivilege	4772	LB3.exe
Token: SeSecurityPrivilege	4772	LB3.exe
Token: SeSecurityPrivilege	4772	LB3.exe
Token: SeBackupPrivilege	4772	LB3.exe
Token: SeBackupPrivilege	4772	LB3.exe
Token: SeSecurityPrivilege	4772	LB3.exe
Token: SeSecurityPrivilege	4772	LB3.exe
Token: SeBackupPrivilege	4772	LB3.exe
Token: SeBackupPrivilege	4772	LB3.exe
Token: SeSecurityPrivilege	4772	LB3.exe
Token: SeSecurityPrivilege	4772	LB3.exe
Token: SeBackupPrivilege	4772	LB3.exe
Token: SeBackupPrivilege	4772	LB3.exe
Token: SeSecurityPrivilege	4772	LB3.exe
Token: SeSecurityPrivilege	4772	LB3.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3100	7zG.exe

Suspicious use of SetWindowsHookEx 38 IoCs

pid	Process
2536	OpenWith.exe
2536	OpenWith.exe
2536	OpenWith.exe
2536	OpenWith.exe
2536	OpenWith.exe
2536	OpenWith.exe
2536	OpenWith.exe
2536	OpenWith.exe
2536	OpenWith.exe
2536	OpenWith.exe
2536	OpenWith.exe
2536	OpenWith.exe
2536	OpenWith.exe
2536	OpenWith.exe
2536	OpenWith.exe
2536	OpenWith.exe
2536	OpenWith.exe
1580	LB3Decryptor.exe
1736	LB3Decryptor.exe
4392	OpenWith.exe
1128	LB3Decryptor.exe
4132	OpenWith.exe
4132	OpenWith.exe
4132	OpenWith.exe
4132	OpenWith.exe
4132	OpenWith.exe
4132	OpenWith.exe
4132	OpenWith.exe
4132	OpenWith.exe
4132	OpenWith.exe
4132	OpenWith.exe
4132	OpenWith.exe
4132	OpenWith.exe
4132	OpenWith.exe
4132	OpenWith.exe
4132	OpenWith.exe
4132	OpenWith.exe
4132	OpenWith.exe

Suspicious use of WriteProcessMemory 60 IoCs

description	pid	Process	procid_target
PID 5092 wrote to memory of 2276	5092	cmd.exe	105
PID 5092 wrote to memory of 2276	5092	cmd.exe	105
PID 5092 wrote to memory of 2276	5092	cmd.exe	105
PID 5092 wrote to memory of 2548	5092	cmd.exe	106
PID 5092 wrote to memory of 2548	5092	cmd.exe	106
PID 5092 wrote to memory of 2548	5092	cmd.exe	106
PID 5092 wrote to memory of 3512	5092	cmd.exe	107
PID 5092 wrote to memory of 3512	5092	cmd.exe	107
PID 5092 wrote to memory of 3512	5092	cmd.exe	107
PID 5092 wrote to memory of 3360	5092	cmd.exe	108
PID 5092 wrote to memory of 3360	5092	cmd.exe	108
PID 5092 wrote to memory of 3360	5092	cmd.exe	108
PID 5092 wrote to memory of 3928	5092	cmd.exe	109
PID 5092 wrote to memory of 3928	5092	cmd.exe	109
PID 5092 wrote to memory of 3928	5092	cmd.exe	109
PID 5092 wrote to memory of 3984	5092	cmd.exe	110
PID 5092 wrote to memory of 3984	5092	cmd.exe	110
PID 5092 wrote to memory of 3984	5092	cmd.exe	110
PID 5092 wrote to memory of 2760	5092	cmd.exe	111
PID 5092 wrote to memory of 2760	5092	cmd.exe	111
PID 5092 wrote to memory of 2760	5092	cmd.exe	111
PID 2536 wrote to memory of 1316	2536	OpenWith.exe	122
PID 2536 wrote to memory of 1316	2536	OpenWith.exe	122
PID 4772 wrote to memory of 64	4772	LB3.exe	123
PID 4772 wrote to memory of 64	4772	LB3.exe	123
PID 4772 wrote to memory of 64	4772	LB3.exe	123
PID 4772 wrote to memory of 64	4772	LB3.exe	123
PID 64 wrote to memory of 3064	64	B5CE.tmp	125
PID 64 wrote to memory of 3064	64	B5CE.tmp	125
PID 64 wrote to memory of 3064	64	B5CE.tmp	125
PID 4936 wrote to memory of 3384	4936	cmd.exe	138
PID 4936 wrote to memory of 3384	4936	cmd.exe	138
PID 4936 wrote to memory of 3384	4936	cmd.exe	138
PID 4936 wrote to memory of 4032	4936	cmd.exe	139
PID 4936 wrote to memory of 4032	4936	cmd.exe	139
PID 4936 wrote to memory of 4032	4936	cmd.exe	139
PID 4936 wrote to memory of 4828	4936	cmd.exe	140
PID 4936 wrote to memory of 4828	4936	cmd.exe	140
PID 4936 wrote to memory of 4828	4936	cmd.exe	140
PID 4936 wrote to memory of 3104	4936	cmd.exe	141
PID 4936 wrote to memory of 3104	4936	cmd.exe	141
PID 4936 wrote to memory of 3104	4936	cmd.exe	141
PID 4936 wrote to memory of 4356	4936	cmd.exe	142
PID 4936 wrote to memory of 4356	4936	cmd.exe	142
PID 4936 wrote to memory of 4356	4936	cmd.exe	142
PID 4936 wrote to memory of 4072	4936	cmd.exe	143
PID 4936 wrote to memory of 4072	4936	cmd.exe	143
PID 4936 wrote to memory of 4072	4936	cmd.exe	143
PID 4936 wrote to memory of 2664	4936	cmd.exe	144
PID 4936 wrote to memory of 2664	4936	cmd.exe	144
PID 4936 wrote to memory of 2664	4936	cmd.exe	144
PID 5008 wrote to memory of 1812	5008	LB3.exe	149
PID 5008 wrote to memory of 1812	5008	LB3.exe	149
PID 5008 wrote to memory of 1812	5008	LB3.exe	149
PID 5008 wrote to memory of 1812	5008	LB3.exe	149
PID 1812 wrote to memory of 3980	1812	C209.tmp	150
PID 1812 wrote to memory of 3980	1812	C209.tmp	150
PID 1812 wrote to memory of 3980	1812	C209.tmp	150
PID 4132 wrote to memory of 4776	4132	OpenWith.exe	165
PID 4132 wrote to memory of 4776	4132	OpenWith.exe	165

C:\Windows\Explorer.exe
C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\a5bb65afe22627fbf9526fd316d32c368a986a4d65af31814ef2c18cef18422d.zip
1⤵
PID:2864

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3460

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\AppData\Local\Temp\a5bb65afe22627fbf9526fd316d32c368a986a4d65af31814ef2c18cef18422d\" -spe -an -ai#7zMap30849:208:7zEvent23246
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3100

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\a5bb65afe22627fbf9526fd316d32c368a986a4d65af31814ef2c18cef18422d\LockBit30\Build.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:5092
- C:\Users\Admin\AppData\Local\Temp\a5bb65afe22627fbf9526fd316d32c368a986a4d65af31814ef2c18cef18422d\LockBit30\keygen.exe
  keygen -path C:\Users\Admin\AppData\Local\Temp\a5bb65afe22627fbf9526fd316d32c368a986a4d65af31814ef2c18cef18422d\LockBit30\Build -pubkey pub.key -privkey priv.key
  2⤵
  - Executes dropped EXE
  PID:2276
- C:\Users\Admin\AppData\Local\Temp\a5bb65afe22627fbf9526fd316d32c368a986a4d65af31814ef2c18cef18422d\LockBit30\builder.exe
  builder -type dec -privkey C:\Users\Admin\AppData\Local\Temp\a5bb65afe22627fbf9526fd316d32c368a986a4d65af31814ef2c18cef18422d\LockBit30\Build\priv.key -config config.json -ofile C:\Users\Admin\AppData\Local\Temp\a5bb65afe22627fbf9526fd316d32c368a986a4d65af31814ef2c18cef18422d\LockBit30\Build\LB3Decryptor.exe
  2⤵
  - Executes dropped EXE
  PID:2548
- C:\Users\Admin\AppData\Local\Temp\a5bb65afe22627fbf9526fd316d32c368a986a4d65af31814ef2c18cef18422d\LockBit30\builder.exe
  builder -type enc -exe -pubkey C:\Users\Admin\AppData\Local\Temp\a5bb65afe22627fbf9526fd316d32c368a986a4d65af31814ef2c18cef18422d\LockBit30\Build\pub.key -config config.json -ofile C:\Users\Admin\AppData\Local\Temp\a5bb65afe22627fbf9526fd316d32c368a986a4d65af31814ef2c18cef18422d\LockBit30\Build\LB3.exe
  2⤵
  - Executes dropped EXE
  PID:3512
- C:\Users\Admin\AppData\Local\Temp\a5bb65afe22627fbf9526fd316d32c368a986a4d65af31814ef2c18cef18422d\LockBit30\builder.exe
  builder -type enc -exe -pass -pubkey C:\Users\Admin\AppData\Local\Temp\a5bb65afe22627fbf9526fd316d32c368a986a4d65af31814ef2c18cef18422d\LockBit30\Build\pub.key -config config.json -ofile C:\Users\Admin\AppData\Local\Temp\a5bb65afe22627fbf9526fd316d32c368a986a4d65af31814ef2c18cef18422d\LockBit30\Build\LB3_pass.exe
  2⤵
  - Executes dropped EXE
  PID:3360
- C:\Users\Admin\AppData\Local\Temp\a5bb65afe22627fbf9526fd316d32c368a986a4d65af31814ef2c18cef18422d\LockBit30\builder.exe
  builder -type enc -dll -pubkey C:\Users\Admin\AppData\Local\Temp\a5bb65afe22627fbf9526fd316d32c368a986a4d65af31814ef2c18cef18422d\LockBit30\Build\pub.key -config config.json -ofile C:\Users\Admin\AppData\Local\Temp\a5bb65afe22627fbf9526fd316d32c368a986a4d65af31814ef2c18cef18422d\LockBit30\Build\LB3_Rundll32.dll
  2⤵
  - Executes dropped EXE
  PID:3928
- C:\Users\Admin\AppData\Local\Temp\a5bb65afe22627fbf9526fd316d32c368a986a4d65af31814ef2c18cef18422d\LockBit30\builder.exe
  builder -type enc -dll -pass -pubkey C:\Users\Admin\AppData\Local\Temp\a5bb65afe22627fbf9526fd316d32c368a986a4d65af31814ef2c18cef18422d\LockBit30\Build\pub.key -config config.json -ofile C:\Users\Admin\AppData\Local\Temp\a5bb65afe22627fbf9526fd316d32c368a986a4d65af31814ef2c18cef18422d\LockBit30\Build\LB3_Rundll32_pass.dll
  2⤵
  - Executes dropped EXE
  PID:3984
- C:\Users\Admin\AppData\Local\Temp\a5bb65afe22627fbf9526fd316d32c368a986a4d65af31814ef2c18cef18422d\LockBit30\builder.exe
  builder -type enc -ref -pubkey C:\Users\Admin\AppData\Local\Temp\a5bb65afe22627fbf9526fd316d32c368a986a4d65af31814ef2c18cef18422d\LockBit30\Build\pub.key -config config.json -ofile C:\Users\Admin\AppData\Local\Temp\a5bb65afe22627fbf9526fd316d32c368a986a4d65af31814ef2c18cef18422d\LockBit30\Build\LB3_ReflectiveDll_DllMain.dll
  2⤵
  - Executes dropped EXE
  PID:2760

C:\Users\Admin\AppData\Local\Temp\a5bb65afe22627fbf9526fd316d32c368a986a4d65af31814ef2c18cef18422d\LockBit30\Build\LB3_pass.exe
"C:\Users\Admin\AppData\Local\Temp\a5bb65afe22627fbf9526fd316d32c368a986a4d65af31814ef2c18cef18422d\LockBit30\Build\LB3_pass.exe"
1⤵
- Executes dropped EXE
PID:2228
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2228 -s 184
  2⤵
  - Program crash
  PID:2408

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 2228 -ip 2228
1⤵
PID:3920

C:\Users\Admin\AppData\Local\Temp\a5bb65afe22627fbf9526fd316d32c368a986a4d65af31814ef2c18cef18422d\LockBit30\Build\LB3.exe
"C:\Users\Admin\AppData\Local\Temp\a5bb65afe22627fbf9526fd316d32c368a986a4d65af31814ef2c18cef18422d\LockBit30\Build\LB3.exe"
1⤵
- Executes dropped EXE
- Modifies extensions of user files
- Drops desktop.ini file(s)
- Sets desktop wallpaper using registry
- Modifies Control Panel
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4772
- C:\ProgramData\B5CE.tmp
  "C:\ProgramData\B5CE.tmp"
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of WriteProcessMemory
  PID:64
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\B5CE.tmp >> NUL
    3⤵
    PID:3064

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2536
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\a5bb65afe22627fbf9526fd316d32c368a986a4d65af31814ef2c18cef18422d\LockBit30\Build\DECRYPTION_ID.txt.62ZdIU5ix
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:1316

C:\Users\Admin\AppData\Local\Temp\a5bb65afe22627fbf9526fd316d32c368a986a4d65af31814ef2c18cef18422d\LockBit30\Build\LB3Decryptor.exe
"C:\Users\Admin\AppData\Local\Temp\a5bb65afe22627fbf9526fd316d32c368a986a4d65af31814ef2c18cef18422d\LockBit30\Build\LB3Decryptor.exe"
1⤵
- Executes dropped EXE
- Modifies extensions of user files
- Sets desktop wallpaper using registry
- Modifies Control Panel
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
PID:1580

C:\Users\Admin\AppData\Local\Temp\a5bb65afe22627fbf9526fd316d32c368a986a4d65af31814ef2c18cef18422d\LockBit30\Build\LB3_pass.exe
"C:\Users\Admin\AppData\Local\Temp\a5bb65afe22627fbf9526fd316d32c368a986a4d65af31814ef2c18cef18422d\LockBit30\Build\LB3_pass.exe"
1⤵
- Executes dropped EXE
PID:748
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 748 -s 228
  2⤵
  - Program crash
  PID:1400

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 748 -ip 748
1⤵
PID:1804

C:\Users\Admin\AppData\Local\Temp\a5bb65afe22627fbf9526fd316d32c368a986a4d65af31814ef2c18cef18422d\LockBit30\Build\LB3_pass.exe
"C:\Users\Admin\AppData\Local\Temp\a5bb65afe22627fbf9526fd316d32c368a986a4d65af31814ef2c18cef18422d\LockBit30\Build\LB3_pass.exe"
1⤵
- Executes dropped EXE
PID:3660
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3660 -s 228
  2⤵
  - Program crash
  PID:4536

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 3660 -ip 3660
1⤵
PID:1496

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\a5bb65afe22627fbf9526fd316d32c368a986a4d65af31814ef2c18cef18422d\LockBit30\Build.bat" "
1⤵
- Suspicious use of WriteProcessMemory
PID:4936
- C:\Users\Admin\AppData\Local\Temp\a5bb65afe22627fbf9526fd316d32c368a986a4d65af31814ef2c18cef18422d\LockBit30\keygen.exe
  keygen -path C:\Users\Admin\AppData\Local\Temp\a5bb65afe22627fbf9526fd316d32c368a986a4d65af31814ef2c18cef18422d\LockBit30\Build -pubkey pub.key -privkey priv.key
  2⤵
  - Executes dropped EXE
  PID:3384
- C:\Users\Admin\AppData\Local\Temp\a5bb65afe22627fbf9526fd316d32c368a986a4d65af31814ef2c18cef18422d\LockBit30\builder.exe
  builder -type dec -privkey C:\Users\Admin\AppData\Local\Temp\a5bb65afe22627fbf9526fd316d32c368a986a4d65af31814ef2c18cef18422d\LockBit30\Build\priv.key -config config.json -ofile C:\Users\Admin\AppData\Local\Temp\a5bb65afe22627fbf9526fd316d32c368a986a4d65af31814ef2c18cef18422d\LockBit30\Build\LB3Decryptor.exe
  2⤵
  - Executes dropped EXE
  PID:4032
- C:\Users\Admin\AppData\Local\Temp\a5bb65afe22627fbf9526fd316d32c368a986a4d65af31814ef2c18cef18422d\LockBit30\builder.exe
  builder -type enc -exe -pubkey C:\Users\Admin\AppData\Local\Temp\a5bb65afe22627fbf9526fd316d32c368a986a4d65af31814ef2c18cef18422d\LockBit30\Build\pub.key -config config.json -ofile C:\Users\Admin\AppData\Local\Temp\a5bb65afe22627fbf9526fd316d32c368a986a4d65af31814ef2c18cef18422d\LockBit30\Build\LB3.exe
  2⤵
  - Executes dropped EXE
  PID:4828
- C:\Users\Admin\AppData\Local\Temp\a5bb65afe22627fbf9526fd316d32c368a986a4d65af31814ef2c18cef18422d\LockBit30\builder.exe
  builder -type enc -exe -pass -pubkey C:\Users\Admin\AppData\Local\Temp\a5bb65afe22627fbf9526fd316d32c368a986a4d65af31814ef2c18cef18422d\LockBit30\Build\pub.key -config config.json -ofile C:\Users\Admin\AppData\Local\Temp\a5bb65afe22627fbf9526fd316d32c368a986a4d65af31814ef2c18cef18422d\LockBit30\Build\LB3_pass.exe
  2⤵
  - Executes dropped EXE
  PID:3104
- C:\Users\Admin\AppData\Local\Temp\a5bb65afe22627fbf9526fd316d32c368a986a4d65af31814ef2c18cef18422d\LockBit30\builder.exe
  builder -type enc -dll -pubkey C:\Users\Admin\AppData\Local\Temp\a5bb65afe22627fbf9526fd316d32c368a986a4d65af31814ef2c18cef18422d\LockBit30\Build\pub.key -config config.json -ofile C:\Users\Admin\AppData\Local\Temp\a5bb65afe22627fbf9526fd316d32c368a986a4d65af31814ef2c18cef18422d\LockBit30\Build\LB3_Rundll32.dll
  2⤵
  - Executes dropped EXE
  PID:4356
- C:\Users\Admin\AppData\Local\Temp\a5bb65afe22627fbf9526fd316d32c368a986a4d65af31814ef2c18cef18422d\LockBit30\builder.exe
  builder -type enc -dll -pass -pubkey C:\Users\Admin\AppData\Local\Temp\a5bb65afe22627fbf9526fd316d32c368a986a4d65af31814ef2c18cef18422d\LockBit30\Build\pub.key -config config.json -ofile C:\Users\Admin\AppData\Local\Temp\a5bb65afe22627fbf9526fd316d32c368a986a4d65af31814ef2c18cef18422d\LockBit30\Build\LB3_Rundll32_pass.dll
  2⤵
  - Executes dropped EXE
  PID:4072
- C:\Users\Admin\AppData\Local\Temp\a5bb65afe22627fbf9526fd316d32c368a986a4d65af31814ef2c18cef18422d\LockBit30\builder.exe
  builder -type enc -ref -pubkey C:\Users\Admin\AppData\Local\Temp\a5bb65afe22627fbf9526fd316d32c368a986a4d65af31814ef2c18cef18422d\LockBit30\Build\pub.key -config config.json -ofile C:\Users\Admin\AppData\Local\Temp\a5bb65afe22627fbf9526fd316d32c368a986a4d65af31814ef2c18cef18422d\LockBit30\Build\LB3_ReflectiveDll_DllMain.dll
  2⤵
  - Executes dropped EXE
  PID:2664

C:\Users\Admin\AppData\Local\Temp\a5bb65afe22627fbf9526fd316d32c368a986a4d65af31814ef2c18cef18422d\LockBit30\Build\LB3.exe
"C:\Users\Admin\AppData\Local\Temp\a5bb65afe22627fbf9526fd316d32c368a986a4d65af31814ef2c18cef18422d\LockBit30\Build\LB3.exe"
1⤵
- Executes dropped EXE
- Modifies extensions of user files
- Drops desktop.ini file(s)
- Sets desktop wallpaper using registry
- Modifies Control Panel
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:5008
- C:\ProgramData\C209.tmp
  "C:\ProgramData\C209.tmp"
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of WriteProcessMemory
  PID:1812
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\C209.tmp >> NUL
    3⤵
    PID:3980

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\OwEGtgGxQ.README.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:220

C:\Users\Admin\AppData\Local\Temp\a5bb65afe22627fbf9526fd316d32c368a986a4d65af31814ef2c18cef18422d\LockBit30\Build\LB3Decryptor.exe
"C:\Users\Admin\AppData\Local\Temp\a5bb65afe22627fbf9526fd316d32c368a986a4d65af31814ef2c18cef18422d\LockBit30\Build\LB3Decryptor.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1736

C:\Users\Admin\AppData\Local\Temp\a5bb65afe22627fbf9526fd316d32c368a986a4d65af31814ef2c18cef18422d\LockBit30\Build\LB3_pass.exe
"C:\Users\Admin\AppData\Local\Temp\a5bb65afe22627fbf9526fd316d32c368a986a4d65af31814ef2c18cef18422d\LockBit30\Build\LB3_pass.exe"
1⤵
- Executes dropped EXE
PID:420
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 420 -s 268
  2⤵
  - Program crash
  PID:1608

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 420 -ip 420
1⤵
PID:2404

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4392

C:\Users\Admin\AppData\Local\Temp\a5bb65afe22627fbf9526fd316d32c368a986a4d65af31814ef2c18cef18422d\LockBit30\Build\LB3Decryptor.exe
"C:\Users\Admin\AppData\Local\Temp\a5bb65afe22627fbf9526fd316d32c368a986a4d65af31814ef2c18cef18422d\LockBit30\Build\LB3Decryptor.exe"
1⤵
- Executes dropped EXE
- Modifies extensions of user files
- Sets desktop wallpaper using registry
- Modifies Control Panel
- Modifies registry class
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
PID:1128

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\a5bb65afe22627fbf9526fd316d32c368a986a4d65af31814ef2c18cef18422d\LockBit30\Build\Password_exe.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:1928

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\a5bb65afe22627fbf9526fd316d32c368a986a4d65af31814ef2c18cef18422d\LockBit30\Build\Password_dll.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:2408

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4132
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\a5bb65afe22627fbf9526fd316d32c368a986a4d65af31814ef2c18cef18422d\LockBit30\config.json
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:4776

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-929662420-1054238289-2961194603-1000\AAAAAAAAAAA

Filesize
129B

MD5
4fb52b66544ac904e4c82badffd5d6d6

SHA1
3053f3e5d1412a14aded86903e55dfcee179b6a5

SHA256
1fe811e12648145f170484f62f3694bf5c5c86d5f022fde6fbf4b969081d1068

SHA512
6bb89db7de28d1ad4293012e8b3bca3f4e236529551ca2a712780fae9d0f81f0b8637bbbb0827f8fed3e64ac98e570cb482c2877136353f063da416f31efdc01

Download Submit
C:\$Recycle.Bin\S-1-5-21-929662420-1054238289-2961194603-1000\BBBBBBBBBBB

Filesize
129B

MD5
4fb52b66544ac904e4c82badffd5d6d6

SHA1
3053f3e5d1412a14aded86903e55dfcee179b6a5

SHA256
1fe811e12648145f170484f62f3694bf5c5c86d5f022fde6fbf4b969081d1068

SHA512
6bb89db7de28d1ad4293012e8b3bca3f4e236529551ca2a712780fae9d0f81f0b8637bbbb0827f8fed3e64ac98e570cb482c2877136353f063da416f31efdc01

Download Submit
C:\$Recycle.Bin\S-1-5-21-929662420-1054238289-2961194603-1000\CCCCCCCCCCC

Filesize
129B

MD5
4fb52b66544ac904e4c82badffd5d6d6

SHA1
3053f3e5d1412a14aded86903e55dfcee179b6a5

SHA256
1fe811e12648145f170484f62f3694bf5c5c86d5f022fde6fbf4b969081d1068

SHA512
6bb89db7de28d1ad4293012e8b3bca3f4e236529551ca2a712780fae9d0f81f0b8637bbbb0827f8fed3e64ac98e570cb482c2877136353f063da416f31efdc01

Download Submit
C:\$Recycle.Bin\S-1-5-21-929662420-1054238289-2961194603-1000\DDDDDDDDDDD

Filesize
129B

MD5
4fb52b66544ac904e4c82badffd5d6d6

SHA1
3053f3e5d1412a14aded86903e55dfcee179b6a5

SHA256
1fe811e12648145f170484f62f3694bf5c5c86d5f022fde6fbf4b969081d1068

SHA512
6bb89db7de28d1ad4293012e8b3bca3f4e236529551ca2a712780fae9d0f81f0b8637bbbb0827f8fed3e64ac98e570cb482c2877136353f063da416f31efdc01

Download Submit
C:\$Recycle.Bin\S-1-5-21-929662420-1054238289-2961194603-1000\EEEEEEEEEEE

Filesize
129B

MD5
4fb52b66544ac904e4c82badffd5d6d6

SHA1
3053f3e5d1412a14aded86903e55dfcee179b6a5

SHA256
1fe811e12648145f170484f62f3694bf5c5c86d5f022fde6fbf4b969081d1068

SHA512
6bb89db7de28d1ad4293012e8b3bca3f4e236529551ca2a712780fae9d0f81f0b8637bbbb0827f8fed3e64ac98e570cb482c2877136353f063da416f31efdc01

Download Submit
C:\$Recycle.Bin\S-1-5-21-929662420-1054238289-2961194603-1000\FFFFFFFFFFF

Filesize
129B

MD5
4fb52b66544ac904e4c82badffd5d6d6

SHA1
3053f3e5d1412a14aded86903e55dfcee179b6a5

SHA256
1fe811e12648145f170484f62f3694bf5c5c86d5f022fde6fbf4b969081d1068

SHA512
6bb89db7de28d1ad4293012e8b3bca3f4e236529551ca2a712780fae9d0f81f0b8637bbbb0827f8fed3e64ac98e570cb482c2877136353f063da416f31efdc01

Download Submit
C:\$Recycle.Bin\S-1-5-21-929662420-1054238289-2961194603-1000\GGGGGGGGGGG

Filesize
129B

MD5
4fb52b66544ac904e4c82badffd5d6d6

SHA1
3053f3e5d1412a14aded86903e55dfcee179b6a5

SHA256
1fe811e12648145f170484f62f3694bf5c5c86d5f022fde6fbf4b969081d1068

SHA512
6bb89db7de28d1ad4293012e8b3bca3f4e236529551ca2a712780fae9d0f81f0b8637bbbb0827f8fed3e64ac98e570cb482c2877136353f063da416f31efdc01

Download Submit
C:\$Recycle.Bin\S-1-5-21-929662420-1054238289-2961194603-1000\HHHHHHHHHHH

Filesize
129B

MD5
4fb52b66544ac904e4c82badffd5d6d6

SHA1
3053f3e5d1412a14aded86903e55dfcee179b6a5

SHA256
1fe811e12648145f170484f62f3694bf5c5c86d5f022fde6fbf4b969081d1068

SHA512
6bb89db7de28d1ad4293012e8b3bca3f4e236529551ca2a712780fae9d0f81f0b8637bbbb0827f8fed3e64ac98e570cb482c2877136353f063da416f31efdc01

Download Submit
C:\$Recycle.Bin\S-1-5-21-929662420-1054238289-2961194603-1000\IIIIIIIIIII

Filesize
129B

MD5
4fb52b66544ac904e4c82badffd5d6d6

SHA1
3053f3e5d1412a14aded86903e55dfcee179b6a5

SHA256
1fe811e12648145f170484f62f3694bf5c5c86d5f022fde6fbf4b969081d1068

SHA512
6bb89db7de28d1ad4293012e8b3bca3f4e236529551ca2a712780fae9d0f81f0b8637bbbb0827f8fed3e64ac98e570cb482c2877136353f063da416f31efdc01

Download Submit
C:\$Recycle.Bin\S-1-5-21-929662420-1054238289-2961194603-1000\JJJJJJJJJJJ

Filesize
129B

MD5
4fb52b66544ac904e4c82badffd5d6d6

SHA1
3053f3e5d1412a14aded86903e55dfcee179b6a5

SHA256
1fe811e12648145f170484f62f3694bf5c5c86d5f022fde6fbf4b969081d1068

SHA512
6bb89db7de28d1ad4293012e8b3bca3f4e236529551ca2a712780fae9d0f81f0b8637bbbb0827f8fed3e64ac98e570cb482c2877136353f063da416f31efdc01

Download Submit
C:\$Recycle.Bin\S-1-5-21-929662420-1054238289-2961194603-1000\KKKKKKKKKKK

Filesize
129B

MD5
4fb52b66544ac904e4c82badffd5d6d6

SHA1
3053f3e5d1412a14aded86903e55dfcee179b6a5

SHA256
1fe811e12648145f170484f62f3694bf5c5c86d5f022fde6fbf4b969081d1068

SHA512
6bb89db7de28d1ad4293012e8b3bca3f4e236529551ca2a712780fae9d0f81f0b8637bbbb0827f8fed3e64ac98e570cb482c2877136353f063da416f31efdc01

Download Submit
C:\$Recycle.Bin\S-1-5-21-929662420-1054238289-2961194603-1000\LLLLLLLLLLL

Filesize
129B

MD5
4fb52b66544ac904e4c82badffd5d6d6

SHA1
3053f3e5d1412a14aded86903e55dfcee179b6a5

SHA256
1fe811e12648145f170484f62f3694bf5c5c86d5f022fde6fbf4b969081d1068

SHA512
6bb89db7de28d1ad4293012e8b3bca3f4e236529551ca2a712780fae9d0f81f0b8637bbbb0827f8fed3e64ac98e570cb482c2877136353f063da416f31efdc01

Download Submit
C:\$Recycle.Bin\S-1-5-21-929662420-1054238289-2961194603-1000\MMMMMMMMMMM

Filesize
129B

MD5
4fb52b66544ac904e4c82badffd5d6d6

SHA1
3053f3e5d1412a14aded86903e55dfcee179b6a5

SHA256
1fe811e12648145f170484f62f3694bf5c5c86d5f022fde6fbf4b969081d1068

SHA512
6bb89db7de28d1ad4293012e8b3bca3f4e236529551ca2a712780fae9d0f81f0b8637bbbb0827f8fed3e64ac98e570cb482c2877136353f063da416f31efdc01

Download Submit
C:\$Recycle.Bin\S-1-5-21-929662420-1054238289-2961194603-1000\NNNNNNNNNNN

Filesize
129B

MD5
4fb52b66544ac904e4c82badffd5d6d6

SHA1
3053f3e5d1412a14aded86903e55dfcee179b6a5

SHA256
1fe811e12648145f170484f62f3694bf5c5c86d5f022fde6fbf4b969081d1068

SHA512
6bb89db7de28d1ad4293012e8b3bca3f4e236529551ca2a712780fae9d0f81f0b8637bbbb0827f8fed3e64ac98e570cb482c2877136353f063da416f31efdc01

Download Submit
C:\$Recycle.Bin\S-1-5-21-929662420-1054238289-2961194603-1000\OOOOOOOOOOO

Filesize
129B

MD5
4fb52b66544ac904e4c82badffd5d6d6

SHA1
3053f3e5d1412a14aded86903e55dfcee179b6a5

SHA256
1fe811e12648145f170484f62f3694bf5c5c86d5f022fde6fbf4b969081d1068

SHA512
6bb89db7de28d1ad4293012e8b3bca3f4e236529551ca2a712780fae9d0f81f0b8637bbbb0827f8fed3e64ac98e570cb482c2877136353f063da416f31efdc01

Download Submit
C:\$Recycle.Bin\S-1-5-21-929662420-1054238289-2961194603-1000\PPPPPPPPPPP

Filesize
129B

MD5
4fb52b66544ac904e4c82badffd5d6d6

SHA1
3053f3e5d1412a14aded86903e55dfcee179b6a5

SHA256
1fe811e12648145f170484f62f3694bf5c5c86d5f022fde6fbf4b969081d1068

SHA512
6bb89db7de28d1ad4293012e8b3bca3f4e236529551ca2a712780fae9d0f81f0b8637bbbb0827f8fed3e64ac98e570cb482c2877136353f063da416f31efdc01

Download Submit
C:\$Recycle.Bin\S-1-5-21-929662420-1054238289-2961194603-1000\QQQQQQQQQQQ

Filesize
129B

MD5
4fb52b66544ac904e4c82badffd5d6d6

SHA1
3053f3e5d1412a14aded86903e55dfcee179b6a5

SHA256
1fe811e12648145f170484f62f3694bf5c5c86d5f022fde6fbf4b969081d1068

SHA512
6bb89db7de28d1ad4293012e8b3bca3f4e236529551ca2a712780fae9d0f81f0b8637bbbb0827f8fed3e64ac98e570cb482c2877136353f063da416f31efdc01

Download Submit
C:\$Recycle.Bin\S-1-5-21-929662420-1054238289-2961194603-1000\RRRRRRRRRRR

Filesize
129B

MD5
4fb52b66544ac904e4c82badffd5d6d6

SHA1
3053f3e5d1412a14aded86903e55dfcee179b6a5

SHA256
1fe811e12648145f170484f62f3694bf5c5c86d5f022fde6fbf4b969081d1068

SHA512
6bb89db7de28d1ad4293012e8b3bca3f4e236529551ca2a712780fae9d0f81f0b8637bbbb0827f8fed3e64ac98e570cb482c2877136353f063da416f31efdc01

Download Submit
C:\$Recycle.Bin\S-1-5-21-929662420-1054238289-2961194603-1000\SSSSSSSSSSS

Filesize
129B

MD5
4fb52b66544ac904e4c82badffd5d6d6

SHA1
3053f3e5d1412a14aded86903e55dfcee179b6a5

SHA256
1fe811e12648145f170484f62f3694bf5c5c86d5f022fde6fbf4b969081d1068

SHA512
6bb89db7de28d1ad4293012e8b3bca3f4e236529551ca2a712780fae9d0f81f0b8637bbbb0827f8fed3e64ac98e570cb482c2877136353f063da416f31efdc01

Download Submit
C:\$Recycle.Bin\S-1-5-21-929662420-1054238289-2961194603-1000\TTTTTTTTTTT

Filesize
129B

MD5
4fb52b66544ac904e4c82badffd5d6d6

SHA1
3053f3e5d1412a14aded86903e55dfcee179b6a5

SHA256
1fe811e12648145f170484f62f3694bf5c5c86d5f022fde6fbf4b969081d1068

SHA512
6bb89db7de28d1ad4293012e8b3bca3f4e236529551ca2a712780fae9d0f81f0b8637bbbb0827f8fed3e64ac98e570cb482c2877136353f063da416f31efdc01

Download Submit
C:\$Recycle.Bin\S-1-5-21-929662420-1054238289-2961194603-1000\UUUUUUUUUUU

Filesize
129B

MD5
4fb52b66544ac904e4c82badffd5d6d6

SHA1
3053f3e5d1412a14aded86903e55dfcee179b6a5

SHA256
1fe811e12648145f170484f62f3694bf5c5c86d5f022fde6fbf4b969081d1068

SHA512
6bb89db7de28d1ad4293012e8b3bca3f4e236529551ca2a712780fae9d0f81f0b8637bbbb0827f8fed3e64ac98e570cb482c2877136353f063da416f31efdc01

Download Submit
C:\$Recycle.Bin\S-1-5-21-929662420-1054238289-2961194603-1000\VVVVVVVVVVV

Filesize
129B

MD5
4fb52b66544ac904e4c82badffd5d6d6

SHA1
3053f3e5d1412a14aded86903e55dfcee179b6a5

SHA256
1fe811e12648145f170484f62f3694bf5c5c86d5f022fde6fbf4b969081d1068

SHA512
6bb89db7de28d1ad4293012e8b3bca3f4e236529551ca2a712780fae9d0f81f0b8637bbbb0827f8fed3e64ac98e570cb482c2877136353f063da416f31efdc01

Download Submit
C:\$Recycle.Bin\S-1-5-21-929662420-1054238289-2961194603-1000\WWWWWWWWWWW

Filesize
129B

MD5
4fb52b66544ac904e4c82badffd5d6d6

SHA1
3053f3e5d1412a14aded86903e55dfcee179b6a5

SHA256
1fe811e12648145f170484f62f3694bf5c5c86d5f022fde6fbf4b969081d1068

SHA512
6bb89db7de28d1ad4293012e8b3bca3f4e236529551ca2a712780fae9d0f81f0b8637bbbb0827f8fed3e64ac98e570cb482c2877136353f063da416f31efdc01

Download Submit
C:\$Recycle.Bin\S-1-5-21-929662420-1054238289-2961194603-1000\XXXXXXXXXXX

Filesize
129B

MD5
4fb52b66544ac904e4c82badffd5d6d6

SHA1
3053f3e5d1412a14aded86903e55dfcee179b6a5

SHA256
1fe811e12648145f170484f62f3694bf5c5c86d5f022fde6fbf4b969081d1068

SHA512
6bb89db7de28d1ad4293012e8b3bca3f4e236529551ca2a712780fae9d0f81f0b8637bbbb0827f8fed3e64ac98e570cb482c2877136353f063da416f31efdc01

Download Submit
C:\$Recycle.Bin\S-1-5-21-929662420-1054238289-2961194603-1000\YYYYYYYYYYY

Filesize
129B

MD5
4fb52b66544ac904e4c82badffd5d6d6

SHA1
3053f3e5d1412a14aded86903e55dfcee179b6a5

SHA256
1fe811e12648145f170484f62f3694bf5c5c86d5f022fde6fbf4b969081d1068

SHA512
6bb89db7de28d1ad4293012e8b3bca3f4e236529551ca2a712780fae9d0f81f0b8637bbbb0827f8fed3e64ac98e570cb482c2877136353f063da416f31efdc01

Download Submit
C:\$Recycle.Bin\S-1-5-21-929662420-1054238289-2961194603-1000\desktop.ini

Filesize
129B

MD5
4fb52b66544ac904e4c82badffd5d6d6

SHA1
3053f3e5d1412a14aded86903e55dfcee179b6a5

SHA256
1fe811e12648145f170484f62f3694bf5c5c86d5f022fde6fbf4b969081d1068

SHA512
6bb89db7de28d1ad4293012e8b3bca3f4e236529551ca2a712780fae9d0f81f0b8637bbbb0827f8fed3e64ac98e570cb482c2877136353f063da416f31efdc01

Download Submit
C:\62ZdIU5ix.README.txt

Filesize
6KB

MD5
dd844fa8f294728b44502410c5d5006e

SHA1
a74635673c92ac3113906dcc427a1f10b2863680

SHA256
08abe702a210d4ee55c66b232e5f665cf23cbd17d48dac9431781590e575a582

SHA512
13e9feabde6a41fc9f8d1ee9160fa5034336e85d966e1993ff544bc24f61cd4598305e06eeb58cc6e70f7b1056b89eb4039828ebd01839e7b15a587fcd0afdd5

Download Submit
C:\ProgramData\B5CE.tmp

Filesize
14KB

MD5
294e9f64cb1642dd89229fff0592856b

SHA1
97b148c27f3da29ba7b18d6aee8a0db9102f47c9

SHA256
917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2

SHA512
b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

Download Submit
C:\ProgramData\B5CE.tmp

Filesize
14KB

MD5
294e9f64cb1642dd89229fff0592856b

SHA1
97b148c27f3da29ba7b18d6aee8a0db9102f47c9

SHA256
917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2

SHA512
b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\a5bb65afe22627fbf9526fd316d32c368a986a4d65af31814ef2c18cef18422d\LockBit30\Build.bat

Filesize
741B

MD5
4e46e28b2e61643f6af70a8b19e5cb1f

SHA1
804a1d0c4a280b18e778e4b97f85562fa6d5a4e6

SHA256
8e83a1727696ced618289f79674b97305d88beeeabf46bd25fc77ac53c1ae339

SHA512
009b17b515ff0ea612e54d8751eef07f1e2b54db07e6cd69a95e7adf775f3c79a0ea91bff2fe593f2314807fdc00c75d80f1807b7dbe90f0fcf94607e675047b

Download Submit
C:\Users\Admin\AppData\Local\Temp\a5bb65afe22627fbf9526fd316d32c368a986a4d65af31814ef2c18cef18422d\LockBit30\Build\DECRYPTION_ID.txt

Filesize
265B

MD5
ddd8b26e1add752ededed260c8eb0da6

SHA1
d80fce6421860a7c9b554e515196b59182a679bc

SHA256
a3d56cb3d004cd66ff496af6ae7c585b682403bb27f7bf5df2f58c0a790d07b2

SHA512
9703ffa0c41da7e158effba702622bfb0ac99bd2913051e68eee3e99063c81a15b68f81e9e07c1cddd370e2f7b41ad896a448a0be38f6c43c285c18de6390389

Download Submit
C:\Users\Admin\AppData\Local\Temp\a5bb65afe22627fbf9526fd316d32c368a986a4d65af31814ef2c18cef18422d\LockBit30\Build\DECRYPTION_ID.txt.62ZdIU5ix

Filesize
265B

MD5
ddd8b26e1add752ededed260c8eb0da6

SHA1
d80fce6421860a7c9b554e515196b59182a679bc

SHA256
a3d56cb3d004cd66ff496af6ae7c585b682403bb27f7bf5df2f58c0a790d07b2

SHA512
9703ffa0c41da7e158effba702622bfb0ac99bd2913051e68eee3e99063c81a15b68f81e9e07c1cddd370e2f7b41ad896a448a0be38f6c43c285c18de6390389

Download Submit
C:\Users\Admin\AppData\Local\Temp\a5bb65afe22627fbf9526fd316d32c368a986a4d65af31814ef2c18cef18422d\LockBit30\Build\LB3.exe

Filesize
153KB

MD5
9fa54c15b7983cd3b9dc88384cd4a5b0

SHA1
73a152eb067e949dc1a13b0b76f48ad670f46480

SHA256
fa30dc6dd4c05bbe7f5b923b93e2746ddadc85615eb3fb1e94a21f4c91410011

SHA512
ecb831275c0c55bffeb7c2192233b3e7bb2702c183d609aafb23f0ca70bee074bd3bcad99a10fffc790bb467ebc7e455a0825564f47a1797d4a5260de4bd0270

Download Submit
C:\Users\Admin\AppData\Local\Temp\a5bb65afe22627fbf9526fd316d32c368a986a4d65af31814ef2c18cef18422d\LockBit30\Build\LB3.exe

Filesize
153KB

MD5
9fa54c15b7983cd3b9dc88384cd4a5b0

SHA1
73a152eb067e949dc1a13b0b76f48ad670f46480

SHA256
fa30dc6dd4c05bbe7f5b923b93e2746ddadc85615eb3fb1e94a21f4c91410011

SHA512
ecb831275c0c55bffeb7c2192233b3e7bb2702c183d609aafb23f0ca70bee074bd3bcad99a10fffc790bb467ebc7e455a0825564f47a1797d4a5260de4bd0270

Download Submit
C:\Users\Admin\AppData\Local\Temp\a5bb65afe22627fbf9526fd316d32c368a986a4d65af31814ef2c18cef18422d\LockBit30\Build\LB3Decryptor.exe

Filesize
54KB

MD5
703e39a6e26258db1616f2a662fc3cef

SHA1
af729a61819a7a8e4e761d22b4c672826768db13

SHA256
c560694875093f2b7defb132029b05c05e82f52ad16a5444de2396d52d1be843

SHA512
91e6c217c57e0b5738df9808b5d84fbfb51939f5fe1b776cb63aa38aba2f2bfb3adf0f5a82d673583c7879bcab52788cf9162812d6d59c2828ae92a79707daab

Download Submit
C:\Users\Admin\AppData\Local\Temp\a5bb65afe22627fbf9526fd316d32c368a986a4d65af31814ef2c18cef18422d\LockBit30\Build\LB3Decryptor.exe

Filesize
54KB

MD5
703e39a6e26258db1616f2a662fc3cef

SHA1
af729a61819a7a8e4e761d22b4c672826768db13

SHA256
c560694875093f2b7defb132029b05c05e82f52ad16a5444de2396d52d1be843

SHA512
91e6c217c57e0b5738df9808b5d84fbfb51939f5fe1b776cb63aa38aba2f2bfb3adf0f5a82d673583c7879bcab52788cf9162812d6d59c2828ae92a79707daab

Download Submit
C:\Users\Admin\AppData\Local\Temp\a5bb65afe22627fbf9526fd316d32c368a986a4d65af31814ef2c18cef18422d\LockBit30\Build\LB3_pass.exe

Filesize
149KB

MD5
9ae278eaeca72e000cca998bb30dbe36

SHA1
fabfa9ec9180968dfe0941246c82b9563ed1a8bd

SHA256
d9c93aee203a266fb0b2b077904d6bd9b23244b6e17b826c1f30b4df94e80b88

SHA512
8beec575b8d7d6f52c31b0572b428e13f161309531c93c28fd18ba476a1bafda1b485585ea5a51c94c3e9ea777c6c1ad97500adbd0ec6cde372c48b1f8905909

Download Submit
C:\Users\Admin\AppData\Local\Temp\a5bb65afe22627fbf9526fd316d32c368a986a4d65af31814ef2c18cef18422d\LockBit30\Build\LB3_pass.exe

Filesize
149KB

MD5
9ae278eaeca72e000cca998bb30dbe36

SHA1
fabfa9ec9180968dfe0941246c82b9563ed1a8bd

SHA256
d9c93aee203a266fb0b2b077904d6bd9b23244b6e17b826c1f30b4df94e80b88

SHA512
8beec575b8d7d6f52c31b0572b428e13f161309531c93c28fd18ba476a1bafda1b485585ea5a51c94c3e9ea777c6c1ad97500adbd0ec6cde372c48b1f8905909

Download Submit
C:\Users\Admin\AppData\Local\Temp\a5bb65afe22627fbf9526fd316d32c368a986a4d65af31814ef2c18cef18422d\LockBit30\Build\Password_dll.txt

Filesize
2KB

MD5
4b80b617c1455060ed5008eeb6624293

SHA1
cfa7f676ece915a7ad00af09359ac19973aa0bdb

SHA256
4f1bf2afefd9590395eab382a898872646abd3611c3158d42edb9dded5c3051d

SHA512
bebf2b92586cbf9e09128a31f0fac23a4cc6c25329432e88398d8551b41f84b41e5a7905d25374725062945f6bd457ccfb1c386a2f991a8995f4461fcad9ad3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\a5bb65afe22627fbf9526fd316d32c368a986a4d65af31814ef2c18cef18422d\LockBit30\Build\Password_exe.txt

Filesize
2KB

MD5
6726c79e0823177b6aaf8992c8bf67f5

SHA1
0b22d9b273ebdb05b24ebafe7c61bc35aedc753b

SHA256
c186fbb4cf5d8cc7049de11a9be58dbc65797ccbc395438f1df4180037155b40

SHA512
e030e0f137d417785d558f9d6029edebf3a6c8aaf6b58e338e79903f661c3e73766edf6f60f4671a458aee4d199d810e0fb12edee10a148d8b1fb32364492fa4

Download Submit
C:\Users\Admin\AppData\Local\Temp\a5bb65afe22627fbf9526fd316d32c368a986a4d65af31814ef2c18cef18422d\LockBit30\Build\priv.key

Filesize
344B

MD5
b643b31d0fad8b816a566de682b9f9ac

SHA1
02f95943b1b6841366607892258728f171d5ea21

SHA256
0c91172845ef5ba3da0bd98de8a485f2676702e15e1d9d138d7be311c18346b9

SHA512
584c9b4cf9f8999861e0d27df20c950dc0dbf425e4a07042d5201e7751c2da21667aaefbc4374dd879ab5d133a198fc5ec0bd956ecaa28c1f9847b75dce61c71

Download Submit
C:\Users\Admin\AppData\Local\Temp\a5bb65afe22627fbf9526fd316d32c368a986a4d65af31814ef2c18cef18422d\LockBit30\Build\pub.key

Filesize
344B

MD5
642e7a7907b04c58094b496357ceebd1

SHA1
9b8b1272c19d6f79cd7ee258503a1ff990b7e71a

SHA256
64acd213f8e7e63c90bd107e3f1f5595406f698842ba18faedcb213d14ae7827

SHA512
e11db46920bb0eff037a5b8c0c02df4fff70b765fbe0d475c5894844e3b8ad1113120874d7d94070a45d865d229868cf1c2871ade9cda3edf148c54950b6a844

Download Submit
C:\Users\Admin\AppData\Local\Temp\a5bb65afe22627fbf9526fd316d32c368a986a4d65af31814ef2c18cef18422d\LockBit30\builder.exe

Filesize
469KB

MD5
c2bc344f6dde0573ea9acdfb6698bf4c

SHA1
d6ae7dc2462c8c35c4a074b0a62f07cfef873c77

SHA256
a736269f5f3a9f2e11dd776e352e1801bc28bb699e47876784b8ef761e0062db

SHA512
d60cf86c0267cd4e88d21768665bbb43f3048dace1e0013b2361c5bfabf2656ff6215dfb75b6932e09545473305b4f707c069721cdde317b1df1709cd9fc61c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\a5bb65afe22627fbf9526fd316d32c368a986a4d65af31814ef2c18cef18422d\LockBit30\builder.exe

Filesize
469KB

MD5
c2bc344f6dde0573ea9acdfb6698bf4c

SHA1
d6ae7dc2462c8c35c4a074b0a62f07cfef873c77

SHA256
a736269f5f3a9f2e11dd776e352e1801bc28bb699e47876784b8ef761e0062db

SHA512
d60cf86c0267cd4e88d21768665bbb43f3048dace1e0013b2361c5bfabf2656ff6215dfb75b6932e09545473305b4f707c069721cdde317b1df1709cd9fc61c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\a5bb65afe22627fbf9526fd316d32c368a986a4d65af31814ef2c18cef18422d\LockBit30\builder.exe

Filesize
469KB

MD5
c2bc344f6dde0573ea9acdfb6698bf4c

SHA1
d6ae7dc2462c8c35c4a074b0a62f07cfef873c77

SHA256
a736269f5f3a9f2e11dd776e352e1801bc28bb699e47876784b8ef761e0062db

SHA512
d60cf86c0267cd4e88d21768665bbb43f3048dace1e0013b2361c5bfabf2656ff6215dfb75b6932e09545473305b4f707c069721cdde317b1df1709cd9fc61c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\a5bb65afe22627fbf9526fd316d32c368a986a4d65af31814ef2c18cef18422d\LockBit30\builder.exe

Filesize
469KB

MD5
c2bc344f6dde0573ea9acdfb6698bf4c

SHA1
d6ae7dc2462c8c35c4a074b0a62f07cfef873c77

SHA256
a736269f5f3a9f2e11dd776e352e1801bc28bb699e47876784b8ef761e0062db

SHA512
d60cf86c0267cd4e88d21768665bbb43f3048dace1e0013b2361c5bfabf2656ff6215dfb75b6932e09545473305b4f707c069721cdde317b1df1709cd9fc61c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\a5bb65afe22627fbf9526fd316d32c368a986a4d65af31814ef2c18cef18422d\LockBit30\builder.exe

Filesize
469KB

MD5
c2bc344f6dde0573ea9acdfb6698bf4c

SHA1
d6ae7dc2462c8c35c4a074b0a62f07cfef873c77

SHA256
a736269f5f3a9f2e11dd776e352e1801bc28bb699e47876784b8ef761e0062db

SHA512
d60cf86c0267cd4e88d21768665bbb43f3048dace1e0013b2361c5bfabf2656ff6215dfb75b6932e09545473305b4f707c069721cdde317b1df1709cd9fc61c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\a5bb65afe22627fbf9526fd316d32c368a986a4d65af31814ef2c18cef18422d\LockBit30\builder.exe

Filesize
469KB

MD5
c2bc344f6dde0573ea9acdfb6698bf4c

SHA1
d6ae7dc2462c8c35c4a074b0a62f07cfef873c77

SHA256
a736269f5f3a9f2e11dd776e352e1801bc28bb699e47876784b8ef761e0062db

SHA512
d60cf86c0267cd4e88d21768665bbb43f3048dace1e0013b2361c5bfabf2656ff6215dfb75b6932e09545473305b4f707c069721cdde317b1df1709cd9fc61c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\a5bb65afe22627fbf9526fd316d32c368a986a4d65af31814ef2c18cef18422d\LockBit30\builder.exe

Filesize
469KB

MD5
c2bc344f6dde0573ea9acdfb6698bf4c

SHA1
d6ae7dc2462c8c35c4a074b0a62f07cfef873c77

SHA256
a736269f5f3a9f2e11dd776e352e1801bc28bb699e47876784b8ef761e0062db

SHA512
d60cf86c0267cd4e88d21768665bbb43f3048dace1e0013b2361c5bfabf2656ff6215dfb75b6932e09545473305b4f707c069721cdde317b1df1709cd9fc61c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\a5bb65afe22627fbf9526fd316d32c368a986a4d65af31814ef2c18cef18422d\LockBit30\config.json

Filesize
8KB

MD5
a6ba7b662de10b45ebe5b6b7edaa62a9

SHA1
f3ed67bdaef070cd5a213b89d53c5b8022d6f266

SHA256
3f7518d88aefd4b1e0a1d6f9748f9a9960c1271d679600e34f5065d8df8c9dc8

SHA512
7fc9d4d61742a26def74c7dd86838482e3fc1e4e065cb3a06ae151e2c8614c9c36e8816ae0a3560ad5dd3cc02be131cb232c7deacc7f7b5a611e8eec790feea1

Download Submit
C:\Users\Admin\AppData\Local\Temp\a5bb65afe22627fbf9526fd316d32c368a986a4d65af31814ef2c18cef18422d\LockBit30\keygen.exe

Filesize
31KB

MD5
71c3b2f765b04d0b7ea0328f6ce0c4e2

SHA1
bf8ecb6519f16a4838ceb0a49097bcc3ef30f3c4

SHA256
ea6d4dedd8c85e4a6bb60408a0dc1d56def1f4ad4f069c730dc5431b1c23da37

SHA512
1923db134d7cee25389a07e4d48894dde7ee8f70d008cd890dd34a03b2741a54ec1555e6821755e5af8eae377ef5005e3f9afceb4681059bc1880276e9bcf035

Download Submit
C:\Users\Admin\AppData\Local\Temp\a5bb65afe22627fbf9526fd316d32c368a986a4d65af31814ef2c18cef18422d\LockBit30\keygen.exe

Filesize
31KB

MD5
71c3b2f765b04d0b7ea0328f6ce0c4e2

SHA1
bf8ecb6519f16a4838ceb0a49097bcc3ef30f3c4

SHA256
ea6d4dedd8c85e4a6bb60408a0dc1d56def1f4ad4f069c730dc5431b1c23da37

SHA512
1923db134d7cee25389a07e4d48894dde7ee8f70d008cd890dd34a03b2741a54ec1555e6821755e5af8eae377ef5005e3f9afceb4681059bc1880276e9bcf035

Download Submit
C:\vcredist2010_x64.log-MSI_vc_red.msi.txt.62ZdIU5ix

Filesize
380KB

MD5
587dd4810ce2a5038c1174336535b038

SHA1
6376085674d8bcdf6182935a55eb7449a3e125fd

SHA256
7f85ff5aca075660496af11b000d1b0ea9b3b347d94a29d6ff120a57ee7d0fe2

SHA512
65bb49750f77243dd2cd3c176d409d3071f20b834200468853da05c115b7b5e858c5edb352942181858f4bd67a068e7916875d55605938b9deb63a7065558c2d

Download Submit
C:\vcredist2010_x64.log.html.62ZdIU5ix

Filesize
85KB

MD5
d84d748cfc1741c8b9db2dbec355dbb9

SHA1
30f0eea8372fb00587c5933048c4bf688b9fa9fa

SHA256
a1691d2f6b67116ed81cad96825e741806c9b1f26f338af5d1e86f67a1369214

SHA512
9e63b847ddfb11dd40da371c25ac6189c1d78aab3f03f945031537627637bd89ab8a315094b55cda42b0d3fcddc22047c53153f529cf0c38cef0b92e5120545d

Download Submit
C:\vcredist2010_x86.log-MSI_vc_red.msi.txt.62ZdIU5ix

Filesize
395KB

MD5
fca4721f5597ed2b62e3480605c53906

SHA1
2a5e8ac06005d839d9d57d069a6d33b6c3a827e1

SHA256
c158930660d357bbdb2c6f457957f1323ba4916fb39ed4e328422cc227c98038

SHA512
3cebb785dc3c3bd53ce0ca9add399d59b227cb37d98427898ff5d12465713e5355e2f6df92a89375aea15669519d960630b50d939a184d62ecd9d28407f76b8b

Download Submit
C:\vcredist2010_x86.log.html.62ZdIU5ix

Filesize
80KB

MD5
f95ce212a6866530fcf15cec064aae70

SHA1
546ae22ff613d40215d978ebc792a195b60bbb85

SHA256
1338ac4e3b85d3d670d8fdfe4a33b40b780f8b74d8997255ba0472d9a6fc0cd8

SHA512
483a0b797be9075c77488e5f458e74af714a765d6578472e5c23fda1e7e47ade1d0f1dd92ffc9ad98c57fbc0b46f741be9ec21f932da1d1d8ef99884d71b4c25

Download Submit
C:\vcredist2012_x64_0_vcRuntimeMinimum_x64.log.62ZdIU5ix

Filesize
168KB

MD5
3d6258130855f4689ccbf9d2921724d6

SHA1
c87743baa769e2749066bfa0e11e975e3062672b

SHA256
b070be84ba994f12850a352e2871d18cf20faae54f43829131baff43dc7372eb

SHA512
408879465566226d68353883000e698027dc9691601d40bac43967392914b81a2d90b866a55d78610cf8e3e134ab713c03179bec9f8c67256dd7e414b71ca88e

Download Submit
C:\vcredist2012_x64_1_vcRuntimeAdditional_x64.log.62ZdIU5ix

Filesize
195KB

MD5
4c1e7be82105e7ee1f280bf6740f2daa

SHA1
86d747512178ab653f3c7174b575c5aac458f91c

SHA256
91561bd2ba2a687847113024391cddbdd3741326aecbf20b58a08e626c86af1f

SHA512
b1c8a3c2d883bc9dbbbe85d07a1e16f210b4be1b47448c08201f38e520a911cfaa8d7f3385c1f164dd0fb3ddfac4540c1d0575477de0a2786bbf7ce507da95ad

Download Submit
C:\vcredist2012_x86_0_vcRuntimeMinimum_x86.log.62ZdIU5ix

Filesize
171KB

MD5
a95c5cf05886565570b1a6c043902f60

SHA1
624fe06701413671ff677ed310df101fdc26e5b6

SHA256
e77b70d7b9c61f79f9c133240d29d1206f52ce76d7e1e4d2f20ecd228c722ff0

SHA512
0d60ecdc0952e5c5ee03bc0b28bf55ace0e032d7f9bb156fc427f0ac753a056cb39a6c69b067328162a642307d5c9fed3f5d799d463446508bbc92ae34983c32

Download Submit
C:\vcredist2012_x86_1_vcRuntimeAdditional_x86.log.62ZdIU5ix

Filesize
208KB

MD5
0981d66f020326b110975d246cc1e879

SHA1
e69c14e55b0a03c308fd0b892d3aa58e58b9f8bb

SHA256
e9f83e92b8847bb1ed995458cb1f3db47e91c9f4d8deceedebdf15fa85e4e61c

SHA512
7862e6ebfa2900921983859e3c0caed0a9ab879be06663ffb1d9291d7b0592917fa89a00d6dcfbf19f57660d234555dc01ec935c1b2a9c0896182b6524724ab7

Download Submit
C:\vcredist2013_x64_000_vcRuntimeMinimum_x64.log.62ZdIU5ix

Filesize
170KB

MD5
96b21a9e23f98f41b40e4de2ed876dc9

SHA1
8b11d8fe9a3119903dfe86b8cd443d43a41758b8

SHA256
cd97c4835cb6e76fa11495af5f166527c3b5c54a9a7125b6884039d07ebafe21

SHA512
07f2c501541786d72d87fcf5a76847d0f57a6d67406d725f58aade626a00fdad706236972c90b3f42966dba78bb438ed52c2d90561537716a9e649c39d2fe2a5

Download Submit
C:\vcredist2013_x64_001_vcRuntimeAdditional_x64.log.62ZdIU5ix

Filesize
191KB

MD5
3648d0aca02d8efa810466d623bcf8ad

SHA1
c9b0572b5f235c9986ebcf00714e51eab7a164e6

SHA256
acaec5cf05fdff31a113c17ede2519e31af7d2771f2a73a69db5f9d02834dc6b

SHA512
1c67e699a17c3820cdc1a34433a3445fbc41fe40880719d060e1d397899c546047535ac76d8848d2000e1be6bcf1f53d3df4cae636715be87fd72f92aad88caa

Download Submit
C:\vcredist2013_x86_000_vcRuntimeMinimum_x86.log.62ZdIU5ix

Filesize
170KB

MD5
82940fb09b2f1aaa45e09678732a5cda

SHA1
b75e1681b838926a35691c4e17ee6c802b5f26fd

SHA256
9781ee008e307c9087c19605b77014e9af26ea2b64da86291b73a040ab6094a4

SHA512
3fd8d60d2a071909894b429e54b608696ccc75ca490ca9d7718b1f0b40f2d6697bf138ced8c98f8b8d2c17021efc4ab1d000669d08aecdb26a5d55527763f9eb

Download Submit
C:\vcredist2013_x86_001_vcRuntimeAdditional_x86.log.62ZdIU5ix

Filesize
199KB

MD5
4ad47551cfdc9a9f4e78d2e5d6e79c6c

SHA1
655483c4736026c20187274ea0ce7c91f12d683f

SHA256
ad8240dadc312f54424a9abc542af4708314bf45df9f1599ca2400e2e724b1ce

SHA512
de577b2436b00f800cd1cd7d52e36d3aeb7e5ef5e4e2dec96d865d28f9a4933cc67e7b57c767db68ce330d7ce0d7783e09e100997a9e8ca49a8cf15af390f449

Download Submit
memory/64-197-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/64-211-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/420-223-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/748-212-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1812-222-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/2228-157-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download