blackmatter | hxxps://github[.]com/3xp0rt/LockBit-Black-Builder

Resubmissions

22-09-2022 10:08

220922-l6m2ssbba9 10

21-09-2022 16:19

220921-tspx8sccdj 10

21-09-2022 15:04

220921-sfwpkscbcq 10

21-09-2022 14:54

220921-r93jjscbbk 10

Analysis

max time kernel
243s
max time network
243s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
22-09-2022 10:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/3xp0rt/LockBit-Black-Builder

Score

10^/10

blackmatter ransomware spyware stealer

Malware Config

Extracted

Path

C:\KmNsi9A4W.README.txt

Ransom Note

~~~ LockBit 3.0 the world's fastest ransomware since 2019~~~ >>>> Your data are stolen and encrypted The data will be published on TOR website if you do not pay the ransom Links for Tor Browser: http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion http://lockbitapt5x4zkjbcqmz6frdhecqqgadevyiwqxukksspnlidyvd7qd.onion http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion http://lockbitapt34kvrip6xojylohhxrwsvpzdffgs5z4pbbsywnzsbdguqd.onion http://lockbitaptc2iq4atewz2ise62q63wfktyrl4qtwuk5qax262kgtzjqd.onion http://lockbitaptjpikdqjynvgozhgc6bgetgucdk5xjacozeaawihmoio6yd.onion http://lockbitaptq7ephv2oigdncfhtwhpqgwmqojnxqdyhprxxfpcllqdxad.onion http://lockbitaptstzf3er2lz6ku3xuifafq2yh5lmiqj5ncur6rtlmkteiqd.onion http://lockbitaptoofrpignlz6dt2wqqc5z3a4evjevoa3eqdfcntxad5lmyd.onion Links for the normal browser http://lockbitapt.uz http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion.ly http://lockbitapt5x4zkjbcqmz6frdhecqqgadevyiwqxukksspnlidyvd7qd.onion.ly http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion.ly http://lockbitapt34kvrip6xojylohhxrwsvpzdffgs5z4pbbsywnzsbdguqd.onion.ly http://lockbitaptc2iq4atewz2ise62q63wfktyrl4qtwuk5qax262kgtzjqd.onion.ly http://lockbitaptjpikdqjynvgozhgc6bgetgucdk5xjacozeaawihmoio6yd.onion.ly http://lockbitaptq7ephv2oigdncfhtwhpqgwmqojnxqdyhprxxfpcllqdxad.onion.ly http://lockbitaptstzf3er2lz6ku3xuifafq2yh5lmiqj5ncur6rtlmkteiqd.onion.ly http://lockbitaptoofrpignlz6dt2wqqc5z3a4evjevoa3eqdfcntxad5lmyd.onion.ly >>>> What guarantees that we will not deceive you? We are not a politically motivated group and we do not need anything other than your money. If you pay, we will provide you the programs for decryption and we will delete your data. Life is too short to be sad. Be not sad, money, it is only paper. If we do not give you decrypters, or we do not delete your data after payment, then nobody will pay us in the future. Therefore to us our reputation is very important. We attack the companies worldwide and there is no dissatisfied victim after payment. You can obtain information about us on twitter https://twitter.com/hashtag/lockbit?f=live >>>> You need contact us and decrypt one file for free on these TOR sites with your personal DECRYPTION ID Download and install TOR Browser https://www.torproject.org/ Write to a chat and wait for the answer, we will always answer you. Sometimes you will need to wait for our answer because we attack many companies. Links for Tor Browser: http://lockbitsupt7nr3fa6e7xyb73lk6bw6rcneqhoyblniiabj4uwvzapqd.onion http://lockbitsupuhswh4izvoucoxsbnotkmgq6durg7kficg6u33zfvq3oyd.onion http://lockbitsupn2h6be2cnqpvncyhj4rgmnwn44633hnzzmtxdvjoqlp7yd.onion Link for the normal browser http://lockbitsupp.uz If you do not get an answer in the chat room for a long time, the site does not work and in any other emergency, you can contact us in jabber or tox. Tox ID LockBitSupp: 3085B89A0C515D2FB124D645906F5D3DA5CB97CEBEA975959AE4F95302A04E1D709C3C4AE9B7 XMPP (Jabber) Support: [email protected] [email protected] >>>> Your personal DECRYPTION ID: 9B617CE0F0AFBA4BA11D3BC3552D9640 >>>> Warning! Do not DELETE or MODIFY any files, it can lead to recovery problems! >>>> Warning! If you do not pay the ransom we will attack your company repeatedly again! >>>> Advertisement Would you like to earn millions of dollars $$$ ? Our company acquire access to networks of various companies, as well as insider information that can help you steal the most valuable data of any company. You can provide us accounting data for the access to any company, for example, login and password to RDP, VPN, corporate email, etc. Open our letter at your email. Launch the provided virus on any computer in your company. You can do it both using your work computer or the computer of any other employee in order to divert suspicion of being in collusion with us. Companies pay us the foreclosure for the decryption of files and prevention of data leak. You can contact us using Tox messenger without registration and SMS https://tox.chat/download.html. Using Tox messenger, we will never know your real name, it means your privacy is guaranteed. If you want to contact us, write in jabber or tox. Tox ID LockBitSupp: 3085B89A0C515D2FB124D645906F5D3DA5CB97CEBEA975959AE4F95302A04E1D709C3C4AE9B7 XMPP (Jabber) Support: [email protected] [email protected] If this contact is expired, and we do not respond you, look for the relevant contact data on our website via Tor or Brave browser Links for Tor Browser: http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion http://lockbitapt5x4zkjbcqmz6frdhecqqgadevyiwqxukksspnlidyvd7qd.onion http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion http://lockbitapt34kvrip6xojylohhxrwsvpzdffgs5z4pbbsywnzsbdguqd.onion http://lockbitaptc2iq4atewz2ise62q63wfktyrl4qtwuk5qax262kgtzjqd.onion http://lockbitaptjpikdqjynvgozhgc6bgetgucdk5xjacozeaawihmoio6yd.onion http://lockbitaptq7ephv2oigdncfhtwhpqgwmqojnxqdyhprxxfpcllqdxad.onion http://lockbitaptstzf3er2lz6ku3xuifafq2yh5lmiqj5ncur6rtlmkteiqd.onion http://lockbitaptoofrpignlz6dt2wqqc5z3a4evjevoa3eqdfcntxad5lmyd.onion Links for the normal browser http://lockbitapt.uz http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion.ly http://lockbitapt5x4zkjbcqmz6frdhecqqgadevyiwqxukksspnlidyvd7qd.onion.ly http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion.ly http://lockbitapt34kvrip6xojylohhxrwsvpzdffgs5z4pbbsywnzsbdguqd.onion.ly http://lockbitaptc2iq4atewz2ise62q63wfktyrl4qtwuk5qax262kgtzjqd.onion.ly http://lockbitaptjpikdqjynvgozhgc6bgetgucdk5xjacozeaawihmoio6yd.onion.ly http://lockbitaptq7ephv2oigdncfhtwhpqgwmqojnxqdyhprxxfpcllqdxad.onion.ly http://lockbitaptstzf3er2lz6ku3xuifafq2yh5lmiqj5ncur6rtlmkteiqd.onion.ly http://lockbitaptoofrpignlz6dt2wqqc5z3a4evjevoa3eqdfcntxad5lmyd.onion.ly

Emails

[email protected]

URLs

http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion

http://lockbitapt5x4zkjbcqmz6frdhecqqgadevyiwqxukksspnlidyvd7qd.onion

http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion

http://lockbitapt34kvrip6xojylohhxrwsvpzdffgs5z4pbbsywnzsbdguqd.onion

http://lockbitaptc2iq4atewz2ise62q63wfktyrl4qtwuk5qax262kgtzjqd.onion

http://lockbitaptjpikdqjynvgozhgc6bgetgucdk5xjacozeaawihmoio6yd.onion

http://lockbitaptq7ephv2oigdncfhtwhpqgwmqojnxqdyhprxxfpcllqdxad.onion

http://lockbitaptstzf3er2lz6ku3xuifafq2yh5lmiqj5ncur6rtlmkteiqd.onion

http://lockbitaptoofrpignlz6dt2wqqc5z3a4evjevoa3eqdfcntxad5lmyd.onion

http://lockbitapt.uz

http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion.ly

http://lockbitapt5x4zkjbcqmz6frdhecqqgadevyiwqxukksspnlidyvd7qd.onion.ly

http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion.ly

http://lockbitapt34kvrip6xojylohhxrwsvpzdffgs5z4pbbsywnzsbdguqd.onion.ly

http://lockbitaptc2iq4atewz2ise62q63wfktyrl4qtwuk5qax262kgtzjqd.onion.ly

http://lockbitaptjpikdqjynvgozhgc6bgetgucdk5xjacozeaawihmoio6yd.onion.ly

http://lockbitaptq7ephv2oigdncfhtwhpqgwmqojnxqdyhprxxfpcllqdxad.onion.ly

http://lockbitaptstzf3er2lz6ku3xuifafq2yh5lmiqj5ncur6rtlmkteiqd.onion.ly

http://lockbitaptoofrpignlz6dt2wqqc5z3a4evjevoa3eqdfcntxad5lmyd.onion.ly

https://twitter.com/hashtag/lockbit?f=live

Extracted

Family

blackmatter

Version

25.239

Signatures

BlackMatter Ransomware
BlackMatter ransomware group claims to be Darkside and REvil succesor.
ransomware blackmatter

Executes dropped EXE 10 IoCs

pid	Process
3304	keygen.exe
3064	builder.exe
3288	builder.exe
4760	builder.exe
1736	builder.exe
1796	builder.exe
4384	builder.exe
4256	LB3.exe
3824	F497.tmp
1848	LB3Decryptor.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	F497.tmp

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Drops desktop.ini file(s) 1 IoCs

description	ioc	Process
File opened for modification	C:\$Recycle.Bin\S-1-5-21-929662420-1054238289-2961194603-1000\desktop.ini	LB3.exe

Sets desktop wallpaper using registry 2 TTPs 3 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\KmNsi9A4W.bmp"	LB3.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\KmNsi9A4W.bmp"	LB3.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\Desktop\WallPaper	LB3Decryptor.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
3824	F497.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3552	5008	WerFault.exe	25

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies Control Panel 3 IoCs

evasion

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\Desktop	LB3Decryptor.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\Desktop	LB3.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\Desktop\WallpaperStyle = "10"	LB3.exe

Modifies registry class 11 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\KmNsi9A4W\DefaultIcon\ = "C:\\ProgramData\\KmNsi9A4W.ico"	LB3.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\KMNSI9A4W\DEFAULTICON	LB3Decryptor.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\.KMNSI9A4W	LB3Decryptor.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\KmNsi9A4W	LB3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\KmNsi9A4W\DefaultIcon	LB3.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\KmNsi9A4W	LB3Decryptor.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.KmNsi9A4W	LB3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.KmNsi9A4W\ = "KmNsi9A4W"	LB3.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
3856	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3868	chrome.exe
3868	chrome.exe
3388	chrome.exe
3388	chrome.exe
2324	chrome.exe
2324	chrome.exe
1860	chrome.exe
1860	chrome.exe
3936	chrome.exe
3936	chrome.exe
4256	LB3.exe
4256	LB3.exe
4256	LB3.exe
4256	LB3.exe
4256	LB3.exe
4256	LB3.exe
4256	LB3.exe
4256	LB3.exe
4256	LB3.exe
4256	LB3.exe
4256	LB3.exe
4256	LB3.exe
4256	LB3.exe
4256	LB3.exe
4256	LB3.exe
4256	LB3.exe
4256	LB3.exe
4256	LB3.exe
4256	LB3.exe
4256	LB3.exe
4256	LB3.exe
4256	LB3.exe
4256	LB3.exe
4256	LB3.exe
4256	LB3.exe
4256	LB3.exe
4256	LB3.exe
4256	LB3.exe
4256	LB3.exe
4256	LB3.exe
4256	LB3.exe
4256	LB3.exe
4256	LB3.exe
4256	LB3.exe
4256	LB3.exe
4256	LB3.exe
4256	LB3.exe
4256	LB3.exe
4256	LB3.exe
4256	LB3.exe
4256	LB3.exe
4256	LB3.exe
4256	LB3.exe
4256	LB3.exe
4256	LB3.exe
4256	LB3.exe
4256	LB3.exe
4256	LB3.exe
4256	LB3.exe
4256	LB3.exe
4256	LB3.exe
4256	LB3.exe
4256	LB3.exe
4256	LB3.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
3388	chrome.exe
3388	chrome.exe
3388	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeRestorePrivilege	3676	7zG.exe
Token: 35	3676	7zG.exe
Token: SeSecurityPrivilege	3676	7zG.exe
Token: SeSecurityPrivilege	3676	7zG.exe
Token: SeAssignPrimaryTokenPrivilege	4256	LB3.exe
Token: SeBackupPrivilege	4256	LB3.exe
Token: SeDebugPrivilege	4256	LB3.exe
Token: 36	4256	LB3.exe
Token: SeImpersonatePrivilege	4256	LB3.exe
Token: SeIncBasePriorityPrivilege	4256	LB3.exe
Token: SeIncreaseQuotaPrivilege	4256	LB3.exe
Token: 33	4256	LB3.exe
Token: SeManageVolumePrivilege	4256	LB3.exe
Token: SeProfSingleProcessPrivilege	4256	LB3.exe
Token: SeRestorePrivilege	4256	LB3.exe
Token: SeSecurityPrivilege	4256	LB3.exe
Token: SeSystemProfilePrivilege	4256	LB3.exe
Token: SeTakeOwnershipPrivilege	4256	LB3.exe
Token: SeShutdownPrivilege	4256	LB3.exe
Token: SeDebugPrivilege	4256	LB3.exe
Token: SeBackupPrivilege	4256	LB3.exe
Token: SeBackupPrivilege	4256	LB3.exe
Token: SeSecurityPrivilege	4256	LB3.exe
Token: SeSecurityPrivilege	4256	LB3.exe
Token: SeBackupPrivilege	4256	LB3.exe
Token: SeBackupPrivilege	4256	LB3.exe
Token: SeSecurityPrivilege	4256	LB3.exe
Token: SeSecurityPrivilege	4256	LB3.exe
Token: SeBackupPrivilege	4256	LB3.exe
Token: SeBackupPrivilege	4256	LB3.exe
Token: SeSecurityPrivilege	4256	LB3.exe
Token: SeSecurityPrivilege	4256	LB3.exe
Token: SeBackupPrivilege	4256	LB3.exe
Token: SeBackupPrivilege	4256	LB3.exe
Token: SeSecurityPrivilege	4256	LB3.exe
Token: SeSecurityPrivilege	4256	LB3.exe
Token: SeBackupPrivilege	4256	LB3.exe
Token: SeBackupPrivilege	4256	LB3.exe
Token: SeSecurityPrivilege	4256	LB3.exe
Token: SeSecurityPrivilege	4256	LB3.exe
Token: SeBackupPrivilege	4256	LB3.exe
Token: SeBackupPrivilege	4256	LB3.exe
Token: SeSecurityPrivilege	4256	LB3.exe
Token: SeSecurityPrivilege	4256	LB3.exe
Token: SeBackupPrivilege	4256	LB3.exe
Token: SeBackupPrivilege	4256	LB3.exe
Token: SeSecurityPrivilege	4256	LB3.exe
Token: SeSecurityPrivilege	4256	LB3.exe
Token: SeBackupPrivilege	4256	LB3.exe
Token: SeBackupPrivilege	4256	LB3.exe
Token: SeSecurityPrivilege	4256	LB3.exe
Token: SeSecurityPrivilege	4256	LB3.exe
Token: SeBackupPrivilege	4256	LB3.exe
Token: SeBackupPrivilege	4256	LB3.exe
Token: SeSecurityPrivilege	4256	LB3.exe
Token: SeSecurityPrivilege	4256	LB3.exe
Token: SeBackupPrivilege	4256	LB3.exe
Token: SeBackupPrivilege	4256	LB3.exe
Token: SeSecurityPrivilege	4256	LB3.exe
Token: SeSecurityPrivilege	4256	LB3.exe
Token: SeBackupPrivilege	4256	LB3.exe
Token: SeBackupPrivilege	4256	LB3.exe
Token: SeSecurityPrivilege	4256	LB3.exe
Token: SeSecurityPrivilege	4256	LB3.exe

Suspicious use of FindShellTrayWindow 36 IoCs

pid	Process
3388	chrome.exe
3388	chrome.exe
3388	chrome.exe
3388	chrome.exe
3388	chrome.exe
3388	chrome.exe
3388	chrome.exe
3388	chrome.exe
3388	chrome.exe
3388	chrome.exe
3388	chrome.exe
3388	chrome.exe
3388	chrome.exe
3388	chrome.exe
3388	chrome.exe
3388	chrome.exe
3388	chrome.exe
3388	chrome.exe
3388	chrome.exe
3388	chrome.exe
3388	chrome.exe
3388	chrome.exe
3388	chrome.exe
3388	chrome.exe
3388	chrome.exe
3388	chrome.exe
3388	chrome.exe
3388	chrome.exe
3388	chrome.exe
3388	chrome.exe
3388	chrome.exe
3388	chrome.exe
3388	chrome.exe
3388	chrome.exe
3388	chrome.exe
3676	7zG.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3388	chrome.exe
3388	chrome.exe
3388	chrome.exe
3388	chrome.exe
3388	chrome.exe
3388	chrome.exe
3388	chrome.exe
3388	chrome.exe
3388	chrome.exe
3388	chrome.exe
3388	chrome.exe
3388	chrome.exe
3388	chrome.exe
3388	chrome.exe
3388	chrome.exe
3388	chrome.exe
3388	chrome.exe
3388	chrome.exe
3388	chrome.exe
3388	chrome.exe
3388	chrome.exe
3388	chrome.exe
3388	chrome.exe
3388	chrome.exe

Suspicious use of SetWindowsHookEx 25 IoCs

pid	Process
4640	OpenWith.exe
4640	OpenWith.exe
4640	OpenWith.exe
4640	OpenWith.exe
4640	OpenWith.exe
4640	OpenWith.exe
4640	OpenWith.exe
4640	OpenWith.exe
4640	OpenWith.exe
2964	OpenWith.exe
2964	OpenWith.exe
2964	OpenWith.exe
2964	OpenWith.exe
2964	OpenWith.exe
2964	OpenWith.exe
2964	OpenWith.exe
2964	OpenWith.exe
2964	OpenWith.exe
2964	OpenWith.exe
2964	OpenWith.exe
2964	OpenWith.exe
2964	OpenWith.exe
2964	OpenWith.exe
2964	OpenWith.exe
1848	LB3Decryptor.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3388 wrote to memory of 64	3388	chrome.exe	85
PID 3388 wrote to memory of 64	3388	chrome.exe	85
PID 3388 wrote to memory of 4412	3388	chrome.exe	88
PID 3388 wrote to memory of 4412	3388	chrome.exe	88
PID 3388 wrote to memory of 4412	3388	chrome.exe	88
PID 3388 wrote to memory of 4412	3388	chrome.exe	88
PID 3388 wrote to memory of 4412	3388	chrome.exe	88
PID 3388 wrote to memory of 4412	3388	chrome.exe	88
PID 3388 wrote to memory of 4412	3388	chrome.exe	88
PID 3388 wrote to memory of 4412	3388	chrome.exe	88
PID 3388 wrote to memory of 4412	3388	chrome.exe	88
PID 3388 wrote to memory of 4412	3388	chrome.exe	88
PID 3388 wrote to memory of 4412	3388	chrome.exe	88
PID 3388 wrote to memory of 4412	3388	chrome.exe	88
PID 3388 wrote to memory of 4412	3388	chrome.exe	88
PID 3388 wrote to memory of 4412	3388	chrome.exe	88
PID 3388 wrote to memory of 4412	3388	chrome.exe	88
PID 3388 wrote to memory of 4412	3388	chrome.exe	88
PID 3388 wrote to memory of 4412	3388	chrome.exe	88
PID 3388 wrote to memory of 4412	3388	chrome.exe	88
PID 3388 wrote to memory of 4412	3388	chrome.exe	88
PID 3388 wrote to memory of 4412	3388	chrome.exe	88
PID 3388 wrote to memory of 4412	3388	chrome.exe	88
PID 3388 wrote to memory of 4412	3388	chrome.exe	88
PID 3388 wrote to memory of 4412	3388	chrome.exe	88
PID 3388 wrote to memory of 4412	3388	chrome.exe	88
PID 3388 wrote to memory of 4412	3388	chrome.exe	88
PID 3388 wrote to memory of 4412	3388	chrome.exe	88
PID 3388 wrote to memory of 4412	3388	chrome.exe	88
PID 3388 wrote to memory of 4412	3388	chrome.exe	88
PID 3388 wrote to memory of 4412	3388	chrome.exe	88
PID 3388 wrote to memory of 4412	3388	chrome.exe	88
PID 3388 wrote to memory of 4412	3388	chrome.exe	88
PID 3388 wrote to memory of 4412	3388	chrome.exe	88
PID 3388 wrote to memory of 4412	3388	chrome.exe	88
PID 3388 wrote to memory of 4412	3388	chrome.exe	88
PID 3388 wrote to memory of 4412	3388	chrome.exe	88
PID 3388 wrote to memory of 4412	3388	chrome.exe	88
PID 3388 wrote to memory of 4412	3388	chrome.exe	88
PID 3388 wrote to memory of 4412	3388	chrome.exe	88
PID 3388 wrote to memory of 4412	3388	chrome.exe	88
PID 3388 wrote to memory of 4412	3388	chrome.exe	88
PID 3388 wrote to memory of 3868	3388	chrome.exe	89
PID 3388 wrote to memory of 3868	3388	chrome.exe	89
PID 3388 wrote to memory of 4372	3388	chrome.exe	90
PID 3388 wrote to memory of 4372	3388	chrome.exe	90
PID 3388 wrote to memory of 4372	3388	chrome.exe	90
PID 3388 wrote to memory of 4372	3388	chrome.exe	90
PID 3388 wrote to memory of 4372	3388	chrome.exe	90
PID 3388 wrote to memory of 4372	3388	chrome.exe	90
PID 3388 wrote to memory of 4372	3388	chrome.exe	90
PID 3388 wrote to memory of 4372	3388	chrome.exe	90
PID 3388 wrote to memory of 4372	3388	chrome.exe	90
PID 3388 wrote to memory of 4372	3388	chrome.exe	90
PID 3388 wrote to memory of 4372	3388	chrome.exe	90
PID 3388 wrote to memory of 4372	3388	chrome.exe	90
PID 3388 wrote to memory of 4372	3388	chrome.exe	90
PID 3388 wrote to memory of 4372	3388	chrome.exe	90
PID 3388 wrote to memory of 4372	3388	chrome.exe	90
PID 3388 wrote to memory of 4372	3388	chrome.exe	90
PID 3388 wrote to memory of 4372	3388	chrome.exe	90
PID 3388 wrote to memory of 4372	3388	chrome.exe	90
PID 3388 wrote to memory of 4372	3388	chrome.exe	90
PID 3388 wrote to memory of 4372	3388	chrome.exe	90

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" https://github.com/3xp0rt/LockBit-Black-Builder
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3388
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa998c4f50,0x7ffa998c4f60,0x7ffa998c4f70
  2⤵
  PID:64
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1628,5482320622942567832,1452747941174074488,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1660 /prefetch:2
  2⤵
  PID:4412
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1628,5482320622942567832,1452747941174074488,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=2016 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3868
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1628,5482320622942567832,1452747941174074488,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2276 /prefetch:8
  2⤵
  PID:4372
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1628,5482320622942567832,1452747941174074488,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3092 /prefetch:1
  2⤵
  PID:2100
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1628,5482320622942567832,1452747941174074488,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3096 /prefetch:1
  2⤵
  PID:3572
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1628,5482320622942567832,1452747941174074488,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4364 /prefetch:8
  2⤵
  PID:4492
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1628,5482320622942567832,1452747941174074488,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4428 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2324
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1628,5482320622942567832,1452747941174074488,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4724 /prefetch:8
  2⤵
  PID:3396
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1628,5482320622942567832,1452747941174074488,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4776 /prefetch:8
  2⤵
  PID:3852
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1628,5482320622942567832,1452747941174074488,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4948 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1860
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1628,5482320622942567832,1452747941174074488,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5032 /prefetch:8
  2⤵
  PID:544
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1628,5482320622942567832,1452747941174074488,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4512 /prefetch:8
  2⤵
  PID:1476
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1628,5482320622942567832,1452747941174074488,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4824 /prefetch:1
  2⤵
  PID:1648
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.FileUtilService --field-trial-handle=1628,5482320622942567832,1452747941174074488,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5456 /prefetch:8
  2⤵
  PID:2556
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1628,5482320622942567832,1452747941174074488,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5192 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3936

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3404

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 468 -p 5008 -ip 5008
1⤵
PID:2412

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 5008 -s 2460
1⤵
- Program crash
PID:3552

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1320

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4640
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\Temp1_LockBit-Black-Builder-main.zip\LockBit-Black-Builder-main\README.md
  2⤵
  PID:4988

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\LockBit30\" -spe -an -ai#7zMap17982:74:7zEvent20803
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3676

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2964
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\LockBit30\config.json
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:3856

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\LockBit30\Build.bat" "
1⤵
PID:3704
- C:\Users\Admin\Desktop\LockBit30\keygen.exe
  keygen -path C:\Users\Admin\Desktop\LockBit30\Build -pubkey pub.key -privkey priv.key
  2⤵
  - Executes dropped EXE
  PID:3304
- C:\Users\Admin\Desktop\LockBit30\builder.exe
  builder -type dec -privkey C:\Users\Admin\Desktop\LockBit30\Build\priv.key -config config.json -ofile C:\Users\Admin\Desktop\LockBit30\Build\LB3Decryptor.exe
  2⤵
  - Executes dropped EXE
  PID:3064
- C:\Users\Admin\Desktop\LockBit30\builder.exe
  builder -type enc -exe -pubkey C:\Users\Admin\Desktop\LockBit30\Build\pub.key -config config.json -ofile C:\Users\Admin\Desktop\LockBit30\Build\LB3.exe
  2⤵
  - Executes dropped EXE
  PID:3288
- C:\Users\Admin\Desktop\LockBit30\builder.exe
  builder -type enc -exe -pass -pubkey C:\Users\Admin\Desktop\LockBit30\Build\pub.key -config config.json -ofile C:\Users\Admin\Desktop\LockBit30\Build\LB3_pass.exe
  2⤵
  - Executes dropped EXE
  PID:4760
- C:\Users\Admin\Desktop\LockBit30\builder.exe
  builder -type enc -dll -pubkey C:\Users\Admin\Desktop\LockBit30\Build\pub.key -config config.json -ofile C:\Users\Admin\Desktop\LockBit30\Build\LB3_Rundll32.dll
  2⤵
  - Executes dropped EXE
  PID:1736
- C:\Users\Admin\Desktop\LockBit30\builder.exe
  builder -type enc -dll -pass -pubkey C:\Users\Admin\Desktop\LockBit30\Build\pub.key -config config.json -ofile C:\Users\Admin\Desktop\LockBit30\Build\LB3_Rundll32_pass.dll
  2⤵
  - Executes dropped EXE
  PID:1796
- C:\Users\Admin\Desktop\LockBit30\builder.exe
  builder -type enc -ref -pubkey C:\Users\Admin\Desktop\LockBit30\Build\pub.key -config config.json -ofile C:\Users\Admin\Desktop\LockBit30\Build\LB3_ReflectiveDll_DllMain.dll
  2⤵
  - Executes dropped EXE
  PID:4384

C:\Users\Admin\Desktop\LockBit30\Build\LB3.exe
"C:\Users\Admin\Desktop\LockBit30\Build\LB3.exe"
1⤵
- Executes dropped EXE
- Drops desktop.ini file(s)
- Sets desktop wallpaper using registry
- Modifies Control Panel
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4256
- C:\ProgramData\F497.tmp
  "C:\ProgramData\F497.tmp"
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  PID:3824
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\F497.tmp >> NUL
    3⤵
    PID:4980

C:\Users\Admin\Desktop\LockBit30\Build\LB3Decryptor.exe
"C:\Users\Admin\Desktop\LockBit30\Build\LB3Decryptor.exe"
1⤵
- Executes dropped EXE
- Sets desktop wallpaper using registry
- Modifies Control Panel
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1848

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-929662420-1054238289-2961194603-1000\AAAAAAAAAAA

Filesize
129B

MD5
0ad8363f6e24361c4a093d612fa025ef

SHA1
8da1983f8193d32959100ac32a9e8fbe016e8ae4

SHA256
a314d39c653d722e664106888620cc838584dfbaf078577f14e623cbb8d23dea

SHA512
968b67237a45cf056b5081448a1d1527eede3b07ea89a4867d38d72bf847cb075dfba1df91dbc1c538212c8ca7f322699fbbe522b7a75ba4a426dcdb011a7dd1

Download Submit
C:\$Recycle.Bin\S-1-5-21-929662420-1054238289-2961194603-1000\BBBBBBBBBBB

Filesize
129B

MD5
0ad8363f6e24361c4a093d612fa025ef

SHA1
8da1983f8193d32959100ac32a9e8fbe016e8ae4

SHA256
a314d39c653d722e664106888620cc838584dfbaf078577f14e623cbb8d23dea

SHA512
968b67237a45cf056b5081448a1d1527eede3b07ea89a4867d38d72bf847cb075dfba1df91dbc1c538212c8ca7f322699fbbe522b7a75ba4a426dcdb011a7dd1

Download Submit
C:\$Recycle.Bin\S-1-5-21-929662420-1054238289-2961194603-1000\CCCCCCCCCCC

Filesize
129B

MD5
0ad8363f6e24361c4a093d612fa025ef

SHA1
8da1983f8193d32959100ac32a9e8fbe016e8ae4

SHA256
a314d39c653d722e664106888620cc838584dfbaf078577f14e623cbb8d23dea

SHA512
968b67237a45cf056b5081448a1d1527eede3b07ea89a4867d38d72bf847cb075dfba1df91dbc1c538212c8ca7f322699fbbe522b7a75ba4a426dcdb011a7dd1

Download Submit
C:\$Recycle.Bin\S-1-5-21-929662420-1054238289-2961194603-1000\DDDDDDDDDDD

Filesize
129B

MD5
0ad8363f6e24361c4a093d612fa025ef

SHA1
8da1983f8193d32959100ac32a9e8fbe016e8ae4

SHA256
a314d39c653d722e664106888620cc838584dfbaf078577f14e623cbb8d23dea

SHA512
968b67237a45cf056b5081448a1d1527eede3b07ea89a4867d38d72bf847cb075dfba1df91dbc1c538212c8ca7f322699fbbe522b7a75ba4a426dcdb011a7dd1

Download Submit
C:\$Recycle.Bin\S-1-5-21-929662420-1054238289-2961194603-1000\EEEEEEEEEEE

Filesize
129B

MD5
0ad8363f6e24361c4a093d612fa025ef

SHA1
8da1983f8193d32959100ac32a9e8fbe016e8ae4

SHA256
a314d39c653d722e664106888620cc838584dfbaf078577f14e623cbb8d23dea

SHA512
968b67237a45cf056b5081448a1d1527eede3b07ea89a4867d38d72bf847cb075dfba1df91dbc1c538212c8ca7f322699fbbe522b7a75ba4a426dcdb011a7dd1

Download Submit
C:\$Recycle.Bin\S-1-5-21-929662420-1054238289-2961194603-1000\FFFFFFFFFFF

Filesize
129B

MD5
0ad8363f6e24361c4a093d612fa025ef

SHA1
8da1983f8193d32959100ac32a9e8fbe016e8ae4

SHA256
a314d39c653d722e664106888620cc838584dfbaf078577f14e623cbb8d23dea

SHA512
968b67237a45cf056b5081448a1d1527eede3b07ea89a4867d38d72bf847cb075dfba1df91dbc1c538212c8ca7f322699fbbe522b7a75ba4a426dcdb011a7dd1

Download Submit
C:\$Recycle.Bin\S-1-5-21-929662420-1054238289-2961194603-1000\GGGGGGGGGGG

Filesize
129B

MD5
0ad8363f6e24361c4a093d612fa025ef

SHA1
8da1983f8193d32959100ac32a9e8fbe016e8ae4

SHA256
a314d39c653d722e664106888620cc838584dfbaf078577f14e623cbb8d23dea

SHA512
968b67237a45cf056b5081448a1d1527eede3b07ea89a4867d38d72bf847cb075dfba1df91dbc1c538212c8ca7f322699fbbe522b7a75ba4a426dcdb011a7dd1

Download Submit
C:\$Recycle.Bin\S-1-5-21-929662420-1054238289-2961194603-1000\HHHHHHHHHHH

Filesize
129B

MD5
0ad8363f6e24361c4a093d612fa025ef

SHA1
8da1983f8193d32959100ac32a9e8fbe016e8ae4

SHA256
a314d39c653d722e664106888620cc838584dfbaf078577f14e623cbb8d23dea

SHA512
968b67237a45cf056b5081448a1d1527eede3b07ea89a4867d38d72bf847cb075dfba1df91dbc1c538212c8ca7f322699fbbe522b7a75ba4a426dcdb011a7dd1

Download Submit
C:\$Recycle.Bin\S-1-5-21-929662420-1054238289-2961194603-1000\IIIIIIIIIII

Filesize
129B

MD5
0ad8363f6e24361c4a093d612fa025ef

SHA1
8da1983f8193d32959100ac32a9e8fbe016e8ae4

SHA256
a314d39c653d722e664106888620cc838584dfbaf078577f14e623cbb8d23dea

SHA512
968b67237a45cf056b5081448a1d1527eede3b07ea89a4867d38d72bf847cb075dfba1df91dbc1c538212c8ca7f322699fbbe522b7a75ba4a426dcdb011a7dd1

Download Submit
C:\$Recycle.Bin\S-1-5-21-929662420-1054238289-2961194603-1000\JJJJJJJJJJJ

Filesize
129B

MD5
0ad8363f6e24361c4a093d612fa025ef

SHA1
8da1983f8193d32959100ac32a9e8fbe016e8ae4

SHA256
a314d39c653d722e664106888620cc838584dfbaf078577f14e623cbb8d23dea

SHA512
968b67237a45cf056b5081448a1d1527eede3b07ea89a4867d38d72bf847cb075dfba1df91dbc1c538212c8ca7f322699fbbe522b7a75ba4a426dcdb011a7dd1

Download Submit
C:\$Recycle.Bin\S-1-5-21-929662420-1054238289-2961194603-1000\KKKKKKKKKKK

Filesize
129B

MD5
0ad8363f6e24361c4a093d612fa025ef

SHA1
8da1983f8193d32959100ac32a9e8fbe016e8ae4

SHA256
a314d39c653d722e664106888620cc838584dfbaf078577f14e623cbb8d23dea

SHA512
968b67237a45cf056b5081448a1d1527eede3b07ea89a4867d38d72bf847cb075dfba1df91dbc1c538212c8ca7f322699fbbe522b7a75ba4a426dcdb011a7dd1

Download Submit
C:\$Recycle.Bin\S-1-5-21-929662420-1054238289-2961194603-1000\LLLLLLLLLLL

Filesize
129B

MD5
0ad8363f6e24361c4a093d612fa025ef

SHA1
8da1983f8193d32959100ac32a9e8fbe016e8ae4

SHA256
a314d39c653d722e664106888620cc838584dfbaf078577f14e623cbb8d23dea

SHA512
968b67237a45cf056b5081448a1d1527eede3b07ea89a4867d38d72bf847cb075dfba1df91dbc1c538212c8ca7f322699fbbe522b7a75ba4a426dcdb011a7dd1

Download Submit
C:\$Recycle.Bin\S-1-5-21-929662420-1054238289-2961194603-1000\MMMMMMMMMMM

Filesize
129B

MD5
0ad8363f6e24361c4a093d612fa025ef

SHA1
8da1983f8193d32959100ac32a9e8fbe016e8ae4

SHA256
a314d39c653d722e664106888620cc838584dfbaf078577f14e623cbb8d23dea

SHA512
968b67237a45cf056b5081448a1d1527eede3b07ea89a4867d38d72bf847cb075dfba1df91dbc1c538212c8ca7f322699fbbe522b7a75ba4a426dcdb011a7dd1

Download Submit
C:\$Recycle.Bin\S-1-5-21-929662420-1054238289-2961194603-1000\NNNNNNNNNNN

Filesize
129B

MD5
0ad8363f6e24361c4a093d612fa025ef

SHA1
8da1983f8193d32959100ac32a9e8fbe016e8ae4

SHA256
a314d39c653d722e664106888620cc838584dfbaf078577f14e623cbb8d23dea

SHA512
968b67237a45cf056b5081448a1d1527eede3b07ea89a4867d38d72bf847cb075dfba1df91dbc1c538212c8ca7f322699fbbe522b7a75ba4a426dcdb011a7dd1

Download Submit
C:\$Recycle.Bin\S-1-5-21-929662420-1054238289-2961194603-1000\OOOOOOOOOOO

Filesize
129B

MD5
0ad8363f6e24361c4a093d612fa025ef

SHA1
8da1983f8193d32959100ac32a9e8fbe016e8ae4

SHA256
a314d39c653d722e664106888620cc838584dfbaf078577f14e623cbb8d23dea

SHA512
968b67237a45cf056b5081448a1d1527eede3b07ea89a4867d38d72bf847cb075dfba1df91dbc1c538212c8ca7f322699fbbe522b7a75ba4a426dcdb011a7dd1

Download Submit
C:\$Recycle.Bin\S-1-5-21-929662420-1054238289-2961194603-1000\PPPPPPPPPPP

Filesize
129B

MD5
0ad8363f6e24361c4a093d612fa025ef

SHA1
8da1983f8193d32959100ac32a9e8fbe016e8ae4

SHA256
a314d39c653d722e664106888620cc838584dfbaf078577f14e623cbb8d23dea

SHA512
968b67237a45cf056b5081448a1d1527eede3b07ea89a4867d38d72bf847cb075dfba1df91dbc1c538212c8ca7f322699fbbe522b7a75ba4a426dcdb011a7dd1

Download Submit
C:\$Recycle.Bin\S-1-5-21-929662420-1054238289-2961194603-1000\QQQQQQQQQQQ

Filesize
129B

MD5
0ad8363f6e24361c4a093d612fa025ef

SHA1
8da1983f8193d32959100ac32a9e8fbe016e8ae4

SHA256
a314d39c653d722e664106888620cc838584dfbaf078577f14e623cbb8d23dea

SHA512
968b67237a45cf056b5081448a1d1527eede3b07ea89a4867d38d72bf847cb075dfba1df91dbc1c538212c8ca7f322699fbbe522b7a75ba4a426dcdb011a7dd1

Download Submit
C:\$Recycle.Bin\S-1-5-21-929662420-1054238289-2961194603-1000\RRRRRRRRRRR

Filesize
129B

MD5
0ad8363f6e24361c4a093d612fa025ef

SHA1
8da1983f8193d32959100ac32a9e8fbe016e8ae4

SHA256
a314d39c653d722e664106888620cc838584dfbaf078577f14e623cbb8d23dea

SHA512
968b67237a45cf056b5081448a1d1527eede3b07ea89a4867d38d72bf847cb075dfba1df91dbc1c538212c8ca7f322699fbbe522b7a75ba4a426dcdb011a7dd1

Download Submit
C:\$Recycle.Bin\S-1-5-21-929662420-1054238289-2961194603-1000\SSSSSSSSSSS

Filesize
129B

MD5
0ad8363f6e24361c4a093d612fa025ef

SHA1
8da1983f8193d32959100ac32a9e8fbe016e8ae4

SHA256
a314d39c653d722e664106888620cc838584dfbaf078577f14e623cbb8d23dea

SHA512
968b67237a45cf056b5081448a1d1527eede3b07ea89a4867d38d72bf847cb075dfba1df91dbc1c538212c8ca7f322699fbbe522b7a75ba4a426dcdb011a7dd1

Download Submit
C:\$Recycle.Bin\S-1-5-21-929662420-1054238289-2961194603-1000\TTTTTTTTTTT

Filesize
129B

MD5
0ad8363f6e24361c4a093d612fa025ef

SHA1
8da1983f8193d32959100ac32a9e8fbe016e8ae4

SHA256
a314d39c653d722e664106888620cc838584dfbaf078577f14e623cbb8d23dea

SHA512
968b67237a45cf056b5081448a1d1527eede3b07ea89a4867d38d72bf847cb075dfba1df91dbc1c538212c8ca7f322699fbbe522b7a75ba4a426dcdb011a7dd1

Download Submit
C:\$Recycle.Bin\S-1-5-21-929662420-1054238289-2961194603-1000\UUUUUUUUUUU

Filesize
129B

MD5
0ad8363f6e24361c4a093d612fa025ef

SHA1
8da1983f8193d32959100ac32a9e8fbe016e8ae4

SHA256
a314d39c653d722e664106888620cc838584dfbaf078577f14e623cbb8d23dea

SHA512
968b67237a45cf056b5081448a1d1527eede3b07ea89a4867d38d72bf847cb075dfba1df91dbc1c538212c8ca7f322699fbbe522b7a75ba4a426dcdb011a7dd1

Download Submit
C:\$Recycle.Bin\S-1-5-21-929662420-1054238289-2961194603-1000\VVVVVVVVVVV

Filesize
129B

MD5
0ad8363f6e24361c4a093d612fa025ef

SHA1
8da1983f8193d32959100ac32a9e8fbe016e8ae4

SHA256
a314d39c653d722e664106888620cc838584dfbaf078577f14e623cbb8d23dea

SHA512
968b67237a45cf056b5081448a1d1527eede3b07ea89a4867d38d72bf847cb075dfba1df91dbc1c538212c8ca7f322699fbbe522b7a75ba4a426dcdb011a7dd1

Download Submit
C:\$Recycle.Bin\S-1-5-21-929662420-1054238289-2961194603-1000\WWWWWWWWWWW

Filesize
129B

MD5
0ad8363f6e24361c4a093d612fa025ef

SHA1
8da1983f8193d32959100ac32a9e8fbe016e8ae4

SHA256
a314d39c653d722e664106888620cc838584dfbaf078577f14e623cbb8d23dea

SHA512
968b67237a45cf056b5081448a1d1527eede3b07ea89a4867d38d72bf847cb075dfba1df91dbc1c538212c8ca7f322699fbbe522b7a75ba4a426dcdb011a7dd1

Download Submit
C:\$Recycle.Bin\S-1-5-21-929662420-1054238289-2961194603-1000\XXXXXXXXXXX

Filesize
129B

MD5
0ad8363f6e24361c4a093d612fa025ef

SHA1
8da1983f8193d32959100ac32a9e8fbe016e8ae4

SHA256
a314d39c653d722e664106888620cc838584dfbaf078577f14e623cbb8d23dea

SHA512
968b67237a45cf056b5081448a1d1527eede3b07ea89a4867d38d72bf847cb075dfba1df91dbc1c538212c8ca7f322699fbbe522b7a75ba4a426dcdb011a7dd1

Download Submit
C:\$Recycle.Bin\S-1-5-21-929662420-1054238289-2961194603-1000\YYYYYYYYYYY

Filesize
129B

MD5
0ad8363f6e24361c4a093d612fa025ef

SHA1
8da1983f8193d32959100ac32a9e8fbe016e8ae4

SHA256
a314d39c653d722e664106888620cc838584dfbaf078577f14e623cbb8d23dea

SHA512
968b67237a45cf056b5081448a1d1527eede3b07ea89a4867d38d72bf847cb075dfba1df91dbc1c538212c8ca7f322699fbbe522b7a75ba4a426dcdb011a7dd1

Download Submit
C:\$Recycle.Bin\S-1-5-21-929662420-1054238289-2961194603-1000\desktop.ini

Filesize
129B

MD5
0ad8363f6e24361c4a093d612fa025ef

SHA1
8da1983f8193d32959100ac32a9e8fbe016e8ae4

SHA256
a314d39c653d722e664106888620cc838584dfbaf078577f14e623cbb8d23dea

SHA512
968b67237a45cf056b5081448a1d1527eede3b07ea89a4867d38d72bf847cb075dfba1df91dbc1c538212c8ca7f322699fbbe522b7a75ba4a426dcdb011a7dd1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Last Browser

Filesize
346B

MD5
f58d1d2b4aa15dd33f06972894c24d11

SHA1
2d1cfea256eef61a3d3cfb337ed6cc03236275d9

SHA256
258d9d96274398d02edd0c2d5d7eb4256e01b102dded31af5689adbbae3719b3

SHA512
03ef149611fd85bf9508b421964b2c78ffabd74a5ed37cbb10ad367682ce8f71206e2cc46d90cb47cd1af446017b2c6c262f9b4060455f602f0dfee7792132fa

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Last Version

Filesize
255B

MD5
5d6edd5a452ae2b158399c2c677df58c

SHA1
0b8e0a503429f7ca82071e5b4458335999c408c9

SHA256
4ec429720841acb2fb0590d03f11f12741670acd15d5f2ef13cbb335c6e0998d

SHA512
0f06ead6645979ce924f7b0c1f11f2f5ce1d5c4f3e42d7b45f9f1fded077c2e0deb14341947af87c9b4f4150a50c49b0df26e559c7510ac0ff9c9622633bf8de

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\chrome_shutdown_ms.txt

Filesize
257B

MD5
25c303582b0ac80e24fdda3a9d7072c8

SHA1
b68b7dd87b9b34539925c3ad57bfdc52a96fd8c6

SHA256
af0ad510bec46711e35eb97cf300078ecc1608bddfc11d5e1a2bc84c0ca571d7

SHA512
126ef5a5c9443bfb0dc4540d8ac499d7e7689fdbb6bd4b2b8613fccebe909e27cd2776851ac572546fa93f6707549dd2706fabcbeb34bbffe4e49cf13febb224

Download Submit
C:\Users\Admin\Desktop\LockBit30\Build.bat

Filesize
741B

MD5
4e46e28b2e61643f6af70a8b19e5cb1f

SHA1
804a1d0c4a280b18e778e4b97f85562fa6d5a4e6

SHA256
8e83a1727696ced618289f79674b97305d88beeeabf46bd25fc77ac53c1ae339

SHA512
009b17b515ff0ea612e54d8751eef07f1e2b54db07e6cd69a95e7adf775f3c79a0ea91bff2fe593f2314807fdc00c75d80f1807b7dbe90f0fcf94607e675047b

Download Submit
C:\Users\Admin\Desktop\LockBit30\Build\DECRYPTION_ID.txt

Filesize
265B

MD5
b4df989f669e90b521e36e8471426999

SHA1
c4df0d61317b4d20e32a8c10d1bc2779132df87c

SHA256
fb13c2148e883cc87ad1a71160b2ac2ab29aaf767e7820aae24c2120a7ee79ed

SHA512
9bfb53d9ff1a6d4d1560e08fb07896c1ce47edd248de1b3ce7db9f4a9e6f91da041899f74e38d5c1087750ef859560ee5e54e6a438e06d3a105cdffea85e4344

Download Submit
C:\Users\Admin\Desktop\LockBit30\Build\LB3.exe

Filesize
153KB

MD5
c123c2a1c3c44d05bb5cdd02a0f7073b

SHA1
772ab17398cae353db0277964c697a7eb19f5a33

SHA256
fe48f1d26bed003dcde6576693159a53c3f9750bd1980c9c59a613d3855821d1

SHA512
d6e1d07bc4e9b7a839f50d1a1efefaa8d61143cbd573194524ebb037ecffa71202907cbbf59714896bf4aa5bb5b2009d386e522a3ad278d956783df436defbb6

Download Submit
C:\Users\Admin\Desktop\LockBit30\Build\LB3.exe

Filesize
153KB

MD5
c123c2a1c3c44d05bb5cdd02a0f7073b

SHA1
772ab17398cae353db0277964c697a7eb19f5a33

SHA256
fe48f1d26bed003dcde6576693159a53c3f9750bd1980c9c59a613d3855821d1

SHA512
d6e1d07bc4e9b7a839f50d1a1efefaa8d61143cbd573194524ebb037ecffa71202907cbbf59714896bf4aa5bb5b2009d386e522a3ad278d956783df436defbb6

Download Submit
C:\Users\Admin\Desktop\LockBit30\Build\Password_dll.txt

Filesize
2KB

MD5
4d4a5cb0fc62dd7e91b588eeffba0e53

SHA1
78fb02b7e9b2a5dc3d9d3ae49f8fdfe542c138f8

SHA256
e3547dde269ea3369276d578eca997c77f525fddd2078a69d2e9509ab97a8fa2

SHA512
0bdd167ba12dd8b45d48c167bd283ab2a0fb666b9df29b805371e9f26a6c803936d460b154dd58ee45f1bdc2559486a68311967fba96bfc55b393630dd3531f9

Download Submit
C:\Users\Admin\Desktop\LockBit30\Build\Password_exe.txt

Filesize
2KB

MD5
1683ab1a5d9887d00042331b1185693e

SHA1
17ff210dec7114a042a453af678fdb35fa9331d7

SHA256
86f4b8c2142b1d9b0c85f32570524649f0f2ee1412bd472dd245e02b4f21063f

SHA512
f0739a86f108ea52e664a240d2f1cf4241cee08509adcc67bedee8552fd5d8ca403e35b2095d43b5c4d022f346c61f3f91feea16d887aba03b4e2b2d1c3646d0

Download Submit
C:\Users\Admin\Desktop\LockBit30\Build\priv.key

Filesize
344B

MD5
ec90c92f804dc85997133678bf6eff46

SHA1
7a509cbdf152e72f6a586d1aca5ecea38d28889f

SHA256
34e3fae1bfb60ffe00c78341f21b0453898d8da4d272661a7cc99f55ef95ea25

SHA512
e6448c0cce0d7e9406ad5f40f45d1bdd512d2716c16ce05937df74aaa34448b79e66a3be34cef88d753a136c82e5f2e4e381c550c8d3d7e6b9f3e0b174f37e92

Download Submit
C:\Users\Admin\Desktop\LockBit30\Build\pub.key

Filesize
344B

MD5
6c7b8d3d631b0af8a5b98797b3cbf031

SHA1
8d7599f8128330b4d130ecec8f91163219aa832c

SHA256
e8da230ced240f1db3c3d6b68bb058756d65fe35a2291bf6fc82628f4385cb74

SHA512
2fdae7138cdabfa47cb4074f2dcab946652850e40f2fccffa1f3693a208e71da952fa18433c580c5d692dd02b3dd68196c08a86c618e5d0b0f2dbfcfcf0dffb0

Download Submit
C:\Users\Admin\Desktop\LockBit30\builder.exe

Filesize
469KB

MD5
c2bc344f6dde0573ea9acdfb6698bf4c

SHA1
d6ae7dc2462c8c35c4a074b0a62f07cfef873c77

SHA256
a736269f5f3a9f2e11dd776e352e1801bc28bb699e47876784b8ef761e0062db

SHA512
d60cf86c0267cd4e88d21768665bbb43f3048dace1e0013b2361c5bfabf2656ff6215dfb75b6932e09545473305b4f707c069721cdde317b1df1709cd9fc61c0

Download Submit
C:\Users\Admin\Desktop\LockBit30\builder.exe

Filesize
469KB

MD5
c2bc344f6dde0573ea9acdfb6698bf4c

SHA1
d6ae7dc2462c8c35c4a074b0a62f07cfef873c77

SHA256
a736269f5f3a9f2e11dd776e352e1801bc28bb699e47876784b8ef761e0062db

SHA512
d60cf86c0267cd4e88d21768665bbb43f3048dace1e0013b2361c5bfabf2656ff6215dfb75b6932e09545473305b4f707c069721cdde317b1df1709cd9fc61c0

Download Submit
C:\Users\Admin\Desktop\LockBit30\builder.exe

Filesize
469KB

MD5
c2bc344f6dde0573ea9acdfb6698bf4c

SHA1
d6ae7dc2462c8c35c4a074b0a62f07cfef873c77

SHA256
a736269f5f3a9f2e11dd776e352e1801bc28bb699e47876784b8ef761e0062db

SHA512
d60cf86c0267cd4e88d21768665bbb43f3048dace1e0013b2361c5bfabf2656ff6215dfb75b6932e09545473305b4f707c069721cdde317b1df1709cd9fc61c0

Download Submit
C:\Users\Admin\Desktop\LockBit30\builder.exe

Filesize
469KB

MD5
c2bc344f6dde0573ea9acdfb6698bf4c

SHA1
d6ae7dc2462c8c35c4a074b0a62f07cfef873c77

SHA256
a736269f5f3a9f2e11dd776e352e1801bc28bb699e47876784b8ef761e0062db

SHA512
d60cf86c0267cd4e88d21768665bbb43f3048dace1e0013b2361c5bfabf2656ff6215dfb75b6932e09545473305b4f707c069721cdde317b1df1709cd9fc61c0

Download Submit
C:\Users\Admin\Desktop\LockBit30\builder.exe

Filesize
469KB

MD5
c2bc344f6dde0573ea9acdfb6698bf4c

SHA1
d6ae7dc2462c8c35c4a074b0a62f07cfef873c77

SHA256
a736269f5f3a9f2e11dd776e352e1801bc28bb699e47876784b8ef761e0062db

SHA512
d60cf86c0267cd4e88d21768665bbb43f3048dace1e0013b2361c5bfabf2656ff6215dfb75b6932e09545473305b4f707c069721cdde317b1df1709cd9fc61c0

Download Submit
C:\Users\Admin\Desktop\LockBit30\builder.exe

Filesize
469KB

MD5
c2bc344f6dde0573ea9acdfb6698bf4c

SHA1
d6ae7dc2462c8c35c4a074b0a62f07cfef873c77

SHA256
a736269f5f3a9f2e11dd776e352e1801bc28bb699e47876784b8ef761e0062db

SHA512
d60cf86c0267cd4e88d21768665bbb43f3048dace1e0013b2361c5bfabf2656ff6215dfb75b6932e09545473305b4f707c069721cdde317b1df1709cd9fc61c0

Download Submit
C:\Users\Admin\Desktop\LockBit30\builder.exe

Filesize
469KB

MD5
c2bc344f6dde0573ea9acdfb6698bf4c

SHA1
d6ae7dc2462c8c35c4a074b0a62f07cfef873c77

SHA256
a736269f5f3a9f2e11dd776e352e1801bc28bb699e47876784b8ef761e0062db

SHA512
d60cf86c0267cd4e88d21768665bbb43f3048dace1e0013b2361c5bfabf2656ff6215dfb75b6932e09545473305b4f707c069721cdde317b1df1709cd9fc61c0

Download Submit
C:\Users\Admin\Desktop\LockBit30\config.json

Filesize
8KB

MD5
a6ba7b662de10b45ebe5b6b7edaa62a9

SHA1
f3ed67bdaef070cd5a213b89d53c5b8022d6f266

SHA256
3f7518d88aefd4b1e0a1d6f9748f9a9960c1271d679600e34f5065d8df8c9dc8

SHA512
7fc9d4d61742a26def74c7dd86838482e3fc1e4e065cb3a06ae151e2c8614c9c36e8816ae0a3560ad5dd3cc02be131cb232c7deacc7f7b5a611e8eec790feea1

Download Submit
C:\Users\Admin\Desktop\LockBit30\config.json

Filesize
8KB

MD5
a4246094ee4b631eec4edbe1db24b830

SHA1
c2078b62d63bcc54cc0d3cd92305cb0c3b7960c4

SHA256
6fbd1af8af5a2bb2eb69f4e753bf41815aca0596edeed640b29753b4758b1801

SHA512
43caa909e7cc8e535d46e078f314dd1f79d1f44b1fff7706119e68f90481f33f4191f29da0fd0e1c22b2d32f0769c485aa550ca83f4ce1e3f1a16a7a09ffe396

Download Submit
C:\Users\Admin\Desktop\LockBit30\keygen.exe

Filesize
31KB

MD5
71c3b2f765b04d0b7ea0328f6ce0c4e2

SHA1
bf8ecb6519f16a4838ceb0a49097bcc3ef30f3c4

SHA256
ea6d4dedd8c85e4a6bb60408a0dc1d56def1f4ad4f069c730dc5431b1c23da37

SHA512
1923db134d7cee25389a07e4d48894dde7ee8f70d008cd890dd34a03b2741a54ec1555e6821755e5af8eae377ef5005e3f9afceb4681059bc1880276e9bcf035

Download Submit
C:\Users\Admin\Desktop\LockBit30\keygen.exe

Filesize
31KB

MD5
71c3b2f765b04d0b7ea0328f6ce0c4e2

SHA1
bf8ecb6519f16a4838ceb0a49097bcc3ef30f3c4

SHA256
ea6d4dedd8c85e4a6bb60408a0dc1d56def1f4ad4f069c730dc5431b1c23da37

SHA512
1923db134d7cee25389a07e4d48894dde7ee8f70d008cd890dd34a03b2741a54ec1555e6821755e5af8eae377ef5005e3f9afceb4681059bc1880276e9bcf035

Download Submit
C:\Users\Admin\Downloads\LockBit-Black-Builder-main.zip

Filesize
290KB

MD5
c1feb08ac7b862ae99d2ab44d166c295

SHA1
f4441603e21c567687726da4a7b8f03506267c9e

SHA256
71ad2d8c8145a4b9490a9c6735e7a4fb2d404a3713f85a6e93ec22e989ecdc98

SHA512
948069661893063a0742b7cb1777478570ee2993a154c3bee7f189afadbbfaa0e1043abd264e89ef36b57fc923522e49c1fc64a6ceeec2af856beaa102b8a403

Download Submit
memory/3824-193-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download