blackmatter | 707bb3b958fbf4728d8a39b043e8df083e0fce1178dac60c0d984604ec23c881

Resubmissions

05/02/2025, 10:54

250205-mzsjdatkc1 10

02/01/2025, 17:47

02/01/2025, 17:37

31/12/2024, 15:09

31/12/2024, 14:28

Analysis

max time kernel
62s
max time network
64s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
31/12/2024, 14:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

LockBit-main.zip
Size

292KB
MD5

68309717a780fd8b4d1a1680874d3e12
SHA1

4cfe4f5bbd98fa7e966184e647910d675cdbda43
SHA256

707bb3b958fbf4728d8a39b043e8df083e0fce1178dac60c0d984604ec23c881
SHA512

e16de0338b1e1487803d37da66d16bc2f2644138615cbce648ae355f088912a04d1ce128a44797ff8c4dfc53c998058432052746c98c687670e4100194013149
SSDEEP

6144:n42LBVCsV+PkMeW9zTiY/NaQmHst5ySPzmcfIMwmafvR:n4EzwkMeWgY1NmyESPB1/aXR

Score

10^/10

blackmatter lockbit defense_evasion discovery ransomware spyware stealer

Malware Config

Extracted

Family

blackmatter

Version

25.239

Extracted

Path

C:\4rqQ7D1gV.README.txt

Family

lockbit

Ransom Note

~~~ LockBit 3.0 the world's fastest ransomware since 2019~~~ >>>> Your data are stolen and encrypted The data will be published on TOR website if you do not pay the ransom Links for Tor Browser: http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion http://lockbitapt5x4zkjbcqmz6frdhecqqgadevyiwqxukksspnlidyvd7qd.onion http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion http://lockbitapt34kvrip6xojylohhxrwsvpzdffgs5z4pbbsywnzsbdguqd.onion http://lockbitaptc2iq4atewz2ise62q63wfktyrl4qtwuk5qax262kgtzjqd.onion http://lockbitaptjpikdqjynvgozhgc6bgetgucdk5xjacozeaawihmoio6yd.onion http://lockbitaptq7ephv2oigdncfhtwhpqgwmqojnxqdyhprxxfpcllqdxad.onion http://lockbitaptstzf3er2lz6ku3xuifafq2yh5lmiqj5ncur6rtlmkteiqd.onion http://lockbitaptoofrpignlz6dt2wqqc5z3a4evjevoa3eqdfcntxad5lmyd.onion Links for the normal browser http://lockbitapt.uz http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion.ly http://lockbitapt5x4zkjbcqmz6frdhecqqgadevyiwqxukksspnlidyvd7qd.onion.ly http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion.ly http://lockbitapt34kvrip6xojylohhxrwsvpzdffgs5z4pbbsywnzsbdguqd.onion.ly http://lockbitaptc2iq4atewz2ise62q63wfktyrl4qtwuk5qax262kgtzjqd.onion.ly http://lockbitaptjpikdqjynvgozhgc6bgetgucdk5xjacozeaawihmoio6yd.onion.ly http://lockbitaptq7ephv2oigdncfhtwhpqgwmqojnxqdyhprxxfpcllqdxad.onion.ly http://lockbitaptstzf3er2lz6ku3xuifafq2yh5lmiqj5ncur6rtlmkteiqd.onion.ly http://lockbitaptoofrpignlz6dt2wqqc5z3a4evjevoa3eqdfcntxad5lmyd.onion.ly >>>> What guarantees that we will not deceive you? We are not a politically motivated group and we do not need anything other than your money. If you pay, we will provide you the programs for decryption and we will delete your data. Life is too short to be sad. Be not sad, money, it is only paper. If we do not give you decrypters, or we do not delete your data after payment, then nobody will pay us in the future. Therefore to us our reputation is very important. We attack the companies worldwide and there is no dissatisfied victim after payment. You can obtain information about us on twitter https://twitter.com/hashtag/lockbit?f=live >>>> You need contact us and decrypt one file for free on these TOR sites with your personal DECRYPTION ID Download and install TOR Browser https://www.torproject.org/ Write to a chat and wait for the answer, we will always answer you. Sometimes you will need to wait for our answer because we attack many companies. Links for Tor Browser: http://lockbitsupt7nr3fa6e7xyb73lk6bw6rcneqhoyblniiabj4uwvzapqd.onion http://lockbitsupuhswh4izvoucoxsbnotkmgq6durg7kficg6u33zfvq3oyd.onion http://lockbitsupn2h6be2cnqpvncyhj4rgmnwn44633hnzzmtxdvjoqlp7yd.onion Link for the normal browser http://lockbitsupp.uz If you do not get an answer in the chat room for a long time, the site does not work and in any other emergency, you can contact us in jabber or tox. Tox ID LockBitSupp: 3085B89A0C515D2FB124D645906F5D3DA5CB97CEBEA975959AE4F95302A04E1D709C3C4AE9B7 XMPP (Jabber) Support: [email protected] [email protected] >>>> Your personal DECRYPTION ID: B7568014A48684D6D525F3F3722638C4 >>>> Warning! Do not DELETE or MODIFY any files, it can lead to recovery problems! >>>> Warning! If you do not pay the ransom we will attack your company repeatedly again! >>>> Advertisement Would you like to earn millions of dollars $$$ ? Our company acquire access to networks of various companies, as well as insider information that can help you steal the most valuable data of any company. You can provide us accounting data for the access to any company, for example, login and password to RDP, VPN, corporate email, etc. Open our letter at your email. Launch the provided virus on any computer in your company. You can do it both using your work computer or the computer of any other employee in order to divert suspicion of being in collusion with us. Companies pay us the foreclosure for the decryption of files and prevention of data leak. You can contact us using Tox messenger without registration and SMS https://tox.chat/download.html. Using Tox messenger, we will never know your real name, it means your privacy is guaranteed. If you want to contact us, write in jabber or tox. Tox ID LockBitSupp: 3085B89A0C515D2FB124D645906F5D3DA5CB97CEBEA975959AE4F95302A04E1D709C3C4AE9B7 XMPP (Jabber) Support: [email protected] [email protected] If this contact is expired, and we do not respond you, look for the relevant contact data on our website via Tor or Brave browser Links for Tor Browser: http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion http://lockbitapt5x4zkjbcqmz6frdhecqqgadevyiwqxukksspnlidyvd7qd.onion http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion http://lockbitapt34kvrip6xojylohhxrwsvpzdffgs5z4pbbsywnzsbdguqd.onion http://lockbitaptc2iq4atewz2ise62q63wfktyrl4qtwuk5qax262kgtzjqd.onion http://lockbitaptjpikdqjynvgozhgc6bgetgucdk5xjacozeaawihmoio6yd.onion http://lockbitaptq7ephv2oigdncfhtwhpqgwmqojnxqdyhprxxfpcllqdxad.onion http://lockbitaptstzf3er2lz6ku3xuifafq2yh5lmiqj5ncur6rtlmkteiqd.onion http://lockbitaptoofrpignlz6dt2wqqc5z3a4evjevoa3eqdfcntxad5lmyd.onion Links for the normal browser http://lockbitapt.uz http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion.ly http://lockbitapt5x4zkjbcqmz6frdhecqqgadevyiwqxukksspnlidyvd7qd.onion.ly http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion.ly http://lockbitapt34kvrip6xojylohhxrwsvpzdffgs5z4pbbsywnzsbdguqd.onion.ly http://lockbitaptc2iq4atewz2ise62q63wfktyrl4qtwuk5qax262kgtzjqd.onion.ly http://lockbitaptjpikdqjynvgozhgc6bgetgucdk5xjacozeaawihmoio6yd.onion.ly http://lockbitaptq7ephv2oigdncfhtwhpqgwmqojnxqdyhprxxfpcllqdxad.onion.ly http://lockbitaptstzf3er2lz6ku3xuifafq2yh5lmiqj5ncur6rtlmkteiqd.onion.ly http://lockbitaptoofrpignlz6dt2wqqc5z3a4evjevoa3eqdfcntxad5lmyd.onion.ly

Emails

[email protected]

URLs

http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion

http://lockbitapt5x4zkjbcqmz6frdhecqqgadevyiwqxukksspnlidyvd7qd.onion

http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion

http://lockbitapt34kvrip6xojylohhxrwsvpzdffgs5z4pbbsywnzsbdguqd.onion

http://lockbitaptc2iq4atewz2ise62q63wfktyrl4qtwuk5qax262kgtzjqd.onion

http://lockbitaptjpikdqjynvgozhgc6bgetgucdk5xjacozeaawihmoio6yd.onion

http://lockbitaptq7ephv2oigdncfhtwhpqgwmqojnxqdyhprxxfpcllqdxad.onion

http://lockbitaptstzf3er2lz6ku3xuifafq2yh5lmiqj5ncur6rtlmkteiqd.onion

http://lockbitaptoofrpignlz6dt2wqqc5z3a4evjevoa3eqdfcntxad5lmyd.onion

http://lockbitapt.uz

http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion.ly

http://lockbitapt5x4zkjbcqmz6frdhecqqgadevyiwqxukksspnlidyvd7qd.onion.ly

http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion.ly

http://lockbitapt34kvrip6xojylohhxrwsvpzdffgs5z4pbbsywnzsbdguqd.onion.ly

http://lockbitaptc2iq4atewz2ise62q63wfktyrl4qtwuk5qax262kgtzjqd.onion.ly

http://lockbitaptjpikdqjynvgozhgc6bgetgucdk5xjacozeaawihmoio6yd.onion.ly

http://lockbitaptq7ephv2oigdncfhtwhpqgwmqojnxqdyhprxxfpcllqdxad.onion.ly

http://lockbitaptstzf3er2lz6ku3xuifafq2yh5lmiqj5ncur6rtlmkteiqd.onion.ly

http://lockbitaptoofrpignlz6dt2wqqc5z3a4evjevoa3eqdfcntxad5lmyd.onion.ly

https://twitter.com/hashtag/lockbit?f=live

Signatures

BlackMatter Ransomware
BlackMatter ransomware group claims to be Darkside and REvil succesor.
ransomware blackmatter
Blackmatter family
blackmatter
Lockbit
Ransomware family with multiple variants released since late 2019.
ransomware lockbit
Lockbit family
lockbit

Rule to detect Lockbit 3.0 ransomware Windows payload 2 IoCs

resource	yara_rule
behavioral2/files/0x000a000000023ba3-18.dat	family_lockbit
behavioral2/files/0x000a000000023bae-38.dat	family_lockbit

Renames multiple (634) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	176C.tmp

Executes dropped EXE 12 IoCs

pid	Process
4296	keygen.exe
4148	builder.exe
3632	builder.exe
1480	builder.exe
4068	builder.exe
224	builder.exe
1012	builder.exe
4688	builder.exe
4384	builder.exe
4480	LB3.exe
6780	LB3Decryptor.exe
1524	176C.tmp

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File opened for modification	C:\$Recycle.Bin\S-1-5-21-3442511616-637977696-3186306149-1000\desktop.ini	LB3.exe
File opened for modification	F:\$RECYCLE.BIN\S-1-5-21-3442511616-637977696-3186306149-1000\desktop.ini	LB3.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\system32\spool\PRINTERS\00002.SPL	splwow64.exe
File created	C:\Windows\system32\spool\PRINTERS\PPt8qt75_x1c20hh4lo__6z4a9b.TMP	printfilterpipelinesvc.exe
File created	C:\Windows\system32\spool\PRINTERS\PP5w62ig8ry05jufkue2d0nd_0d.TMP	printfilterpipelinesvc.exe
File created	C:\Windows\system32\spool\PRINTERS\PPiapk1hj6risx9m5nnea01luyb.TMP	printfilterpipelinesvc.exe

Sets desktop wallpaper using registry 2 TTPs 3 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\Desktop\WallPaper	LB3Decryptor.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\4rqQ7D1gV.bmp"	LB3.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\4rqQ7D1gV.bmp"	LB3.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
1524	176C.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 12 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	builder.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	builder.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	builder.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	LB3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	176C.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	keygen.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	builder.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	builder.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	builder.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	builder.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	LB3Decryptor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	ONENOTE.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	ONENOTE.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	ONENOTE.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	ONENOTE.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	ONENOTE.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	ONENOTE.EXE

Modifies Control Panel 3 IoCs

evasion

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\Desktop	LB3Decryptor.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\Desktop	LB3.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\Desktop\WallpaperStyle = "10"	LB3.exe

Modifies registry class 8 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\4rqQ7D1gV\DefaultIcon\ = "C:\\ProgramData\\4rqQ7D1gV.ico"	LB3.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\4RQQ7D1GV\DEFAULTICON	LB3Decryptor.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\4rqQ7D1gV	LB3Decryptor.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\.4RQQ7D1GV	LB3Decryptor.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.4rqQ7D1gV	LB3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.4rqQ7D1gV\ = "4rqQ7D1gV"	LB3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\4rqQ7D1gV\DefaultIcon	LB3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\4rqQ7D1gV	LB3.exe

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
6492	ONENOTE.EXE
6492	ONENOTE.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4480	LB3.exe
4480	LB3.exe
4480	LB3.exe
4480	LB3.exe
4480	LB3.exe
4480	LB3.exe
4480	LB3.exe
4480	LB3.exe
4480	LB3.exe
4480	LB3.exe
4480	LB3.exe
4480	LB3.exe
4480	LB3.exe
4480	LB3.exe
4480	LB3.exe
4480	LB3.exe
4480	LB3.exe
4480	LB3.exe
4480	LB3.exe
4480	LB3.exe
4480	LB3.exe
4480	LB3.exe
4480	LB3.exe
4480	LB3.exe
4480	LB3.exe
4480	LB3.exe
4480	LB3.exe
4480	LB3.exe
4480	LB3.exe
4480	LB3.exe
4480	LB3.exe
4480	LB3.exe
4480	LB3.exe
4480	LB3.exe
4480	LB3.exe
4480	LB3.exe
4480	LB3.exe
4480	LB3.exe
4480	LB3.exe
4480	LB3.exe
4480	LB3.exe
4480	LB3.exe
4480	LB3.exe
4480	LB3.exe
4480	LB3.exe
4480	LB3.exe
4480	LB3.exe
4480	LB3.exe
4480	LB3.exe
4480	LB3.exe
4480	LB3.exe
4480	LB3.exe
4480	LB3.exe
4480	LB3.exe
4480	LB3.exe
4480	LB3.exe
4480	LB3.exe
4480	LB3.exe
4480	LB3.exe
4480	LB3.exe
4480	LB3.exe
4480	LB3.exe
4480	LB3.exe
4480	LB3.exe

Suspicious behavior: RenamesItself 2 IoCs

pid	Process
4480	LB3.exe
6780	LB3Decryptor.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeRestorePrivilege	1960	7zFM.exe
Token: 35	1960	7zFM.exe
Token: SeSecurityPrivilege	1960	7zFM.exe
Token: SeAssignPrimaryTokenPrivilege	4480	LB3.exe
Token: SeBackupPrivilege	4480	LB3.exe
Token: SeDebugPrivilege	4480	LB3.exe
Token: 36	4480	LB3.exe
Token: SeImpersonatePrivilege	4480	LB3.exe
Token: SeIncBasePriorityPrivilege	4480	LB3.exe
Token: SeIncreaseQuotaPrivilege	4480	LB3.exe
Token: 33	4480	LB3.exe
Token: SeManageVolumePrivilege	4480	LB3.exe
Token: SeProfSingleProcessPrivilege	4480	LB3.exe
Token: SeRestorePrivilege	4480	LB3.exe
Token: SeSecurityPrivilege	4480	LB3.exe
Token: SeSystemProfilePrivilege	4480	LB3.exe
Token: SeTakeOwnershipPrivilege	4480	LB3.exe
Token: SeShutdownPrivilege	4480	LB3.exe
Token: SeDebugPrivilege	4480	LB3.exe
Token: SeBackupPrivilege	4480	LB3.exe
Token: SeBackupPrivilege	4480	LB3.exe
Token: SeSecurityPrivilege	4480	LB3.exe
Token: SeSecurityPrivilege	4480	LB3.exe
Token: SeBackupPrivilege	4480	LB3.exe
Token: SeBackupPrivilege	4480	LB3.exe
Token: SeSecurityPrivilege	4480	LB3.exe
Token: SeSecurityPrivilege	4480	LB3.exe
Token: SeBackupPrivilege	4480	LB3.exe
Token: SeBackupPrivilege	4480	LB3.exe
Token: SeSecurityPrivilege	4480	LB3.exe
Token: SeSecurityPrivilege	4480	LB3.exe
Token: SeBackupPrivilege	4480	LB3.exe
Token: SeBackupPrivilege	4480	LB3.exe
Token: SeSecurityPrivilege	4480	LB3.exe
Token: SeSecurityPrivilege	4480	LB3.exe
Token: SeBackupPrivilege	4480	LB3.exe
Token: SeBackupPrivilege	4480	LB3.exe
Token: SeSecurityPrivilege	4480	LB3.exe
Token: SeSecurityPrivilege	4480	LB3.exe
Token: SeBackupPrivilege	4480	LB3.exe
Token: SeBackupPrivilege	4480	LB3.exe
Token: SeSecurityPrivilege	4480	LB3.exe
Token: SeSecurityPrivilege	4480	LB3.exe
Token: SeBackupPrivilege	4480	LB3.exe
Token: SeBackupPrivilege	4480	LB3.exe
Token: SeSecurityPrivilege	4480	LB3.exe
Token: SeSecurityPrivilege	4480	LB3.exe
Token: SeBackupPrivilege	4480	LB3.exe
Token: SeBackupPrivilege	4480	LB3.exe
Token: SeSecurityPrivilege	4480	LB3.exe
Token: SeSecurityPrivilege	4480	LB3.exe
Token: SeBackupPrivilege	4480	LB3.exe
Token: SeBackupPrivilege	4480	LB3.exe
Token: SeSecurityPrivilege	4480	LB3.exe
Token: SeSecurityPrivilege	4480	LB3.exe
Token: SeBackupPrivilege	4480	LB3.exe
Token: SeBackupPrivilege	4480	LB3.exe
Token: SeSecurityPrivilege	4480	LB3.exe
Token: SeSecurityPrivilege	4480	LB3.exe
Token: SeBackupPrivilege	4480	LB3.exe
Token: SeBackupPrivilege	4480	LB3.exe
Token: SeSecurityPrivilege	4480	LB3.exe
Token: SeSecurityPrivilege	4480	LB3.exe
Token: SeBackupPrivilege	4480	LB3.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1960	7zFM.exe
1960	7zFM.exe

Suspicious use of SetWindowsHookEx 16 IoCs

pid	Process
6780	LB3Decryptor.exe
6492	ONENOTE.EXE
6492	ONENOTE.EXE
6492	ONENOTE.EXE
6492	ONENOTE.EXE
6492	ONENOTE.EXE
6492	ONENOTE.EXE
6492	ONENOTE.EXE
6492	ONENOTE.EXE
6492	ONENOTE.EXE
6492	ONENOTE.EXE
6492	ONENOTE.EXE
6492	ONENOTE.EXE
6492	ONENOTE.EXE
6492	ONENOTE.EXE
6492	ONENOTE.EXE

Suspicious use of WriteProcessMemory 32 IoCs

description	pid	Process	procid_target
PID 2852 wrote to memory of 4296	2852	cmd.exe	93
PID 2852 wrote to memory of 4296	2852	cmd.exe	93
PID 2852 wrote to memory of 4296	2852	cmd.exe	93
PID 2852 wrote to memory of 4148	2852	cmd.exe	94
PID 2852 wrote to memory of 4148	2852	cmd.exe	94
PID 2852 wrote to memory of 4148	2852	cmd.exe	94
PID 2852 wrote to memory of 3632	2852	cmd.exe	95
PID 2852 wrote to memory of 3632	2852	cmd.exe	95
PID 2852 wrote to memory of 3632	2852	cmd.exe	95
PID 2852 wrote to memory of 1480	2852	cmd.exe	96
PID 2852 wrote to memory of 1480	2852	cmd.exe	96
PID 2852 wrote to memory of 1480	2852	cmd.exe	96
PID 2852 wrote to memory of 4068	2852	cmd.exe	97
PID 2852 wrote to memory of 4068	2852	cmd.exe	97
PID 2852 wrote to memory of 4068	2852	cmd.exe	97
PID 2852 wrote to memory of 224	2852	cmd.exe	98
PID 2852 wrote to memory of 224	2852	cmd.exe	98
PID 2852 wrote to memory of 224	2852	cmd.exe	98
PID 2852 wrote to memory of 1012	2852	cmd.exe	99
PID 2852 wrote to memory of 1012	2852	cmd.exe	99
PID 2852 wrote to memory of 1012	2852	cmd.exe	99
PID 4480 wrote to memory of 6552	4480	LB3.exe	108
PID 4480 wrote to memory of 6552	4480	LB3.exe	108
PID 2328 wrote to memory of 6492	2328	printfilterpipelinesvc.exe	114
PID 2328 wrote to memory of 6492	2328	printfilterpipelinesvc.exe	114
PID 4480 wrote to memory of 1524	4480	LB3.exe	115
PID 4480 wrote to memory of 1524	4480	LB3.exe	115
PID 4480 wrote to memory of 1524	4480	LB3.exe	115
PID 4480 wrote to memory of 1524	4480	LB3.exe	115
PID 1524 wrote to memory of 6884	1524	176C.tmp	116
PID 1524 wrote to memory of 6884	1524	176C.tmp	116
PID 1524 wrote to memory of 6884	1524	176C.tmp	116

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\LockBit-main.zip"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1960

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5112

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\LockBit-main\Build.bat" "
1⤵
- Suspicious use of WriteProcessMemory
PID:2852
- C:\Users\Admin\Desktop\LockBit-main\keygen.exe
  keygen -path Build -pubkey pub.key -privkey priv.key
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4296
- C:\Users\Admin\Desktop\LockBit-main\builder.exe
  builder -type dec -privkey Build\priv.key -config config.json -ofile Build\LB3Decryptor.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4148
- C:\Users\Admin\Desktop\LockBit-main\builder.exe
  builder -type enc -exe -pubkey Build\pub.key -config config.json -ofile Build\LB3.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3632
- C:\Users\Admin\Desktop\LockBit-main\builder.exe
  builder -type enc -exe -pass -pubkey Build\pub.key -config config.json -ofile Build\LB3_pass.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1480
- C:\Users\Admin\Desktop\LockBit-main\builder.exe
  builder -type enc -dll -pubkey Build\pub.key -config config.json -ofile Build\LB3_Rundll32.dll
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4068
- C:\Users\Admin\Desktop\LockBit-main\builder.exe
  builder -type enc -dll -pass -pubkey Build\pub.key -config config.json -ofile Build\LB3_Rundll32_pass.dll
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:224
- C:\Users\Admin\Desktop\LockBit-main\builder.exe
  builder -type enc -ref -pubkey Build\pub.key -config config.json -ofile Build\LB3_ReflectiveDll_DllMain.dll
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1012

C:\Users\Admin\Desktop\LockBit-main\builder.exe
"C:\Users\Admin\Desktop\LockBit-main\builder.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4688

C:\Users\Admin\Desktop\LockBit-main\builder.exe
"C:\Users\Admin\Desktop\LockBit-main\builder.exe"
1⤵
- Executes dropped EXE
PID:4384

C:\Users\Admin\Desktop\LockBit-main\Build\LB3.exe
"C:\Users\Admin\Desktop\LockBit-main\Build\LB3.exe"
1⤵
- Executes dropped EXE
- Drops desktop.ini file(s)
- Sets desktop wallpaper using registry
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4480
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  - Drops file in System32 directory
  PID:6552
- C:\ProgramData\176C.tmp
  "C:\ProgramData\176C.tmp"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1524
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\176C.tmp >> NUL
    3⤵
    - System Location Discovery: System Language Discovery
    PID:6884

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
1⤵
PID:6652

C:\Users\Admin\Desktop\LockBit-main\Build\LB3Decryptor.exe
"C:\Users\Admin\Desktop\LockBit-main\Build\LB3Decryptor.exe"
1⤵
- Executes dropped EXE
- Sets desktop wallpaper using registry
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies registry class
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
PID:6780

C:\Windows\system32\printfilterpipelinesvc.exe
C:\Windows\system32\printfilterpipelinesvc.exe -Embedding
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2328
- C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
  /insertdoc "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\{B8710E38-18BA-411D-B4A0-F497EBB49E92}.xps" 133801289709520000
  2⤵
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  PID:6492

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\LockBit-main\Build\Password_exe.txt
1⤵
PID:5068

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-3442511616-637977696-3186306149-1000\BBBBBBBBBBB

Filesize
129B

MD5
1ead198d9db868fa1953e7271bc98dfa

SHA1
e7a92efc42a514a989edfaaa6958845edbd66844

SHA256
4e49a862d90e7cf5a9a10c4298441314d492885aad0f8d9ce644014746ab5eec

SHA512
56a0cac94ed1cc094cb06a63eb341c612b4d890b12033d91356f613bb6d1a1a351d0e85ef60750dbddb2dd627e0500fa2d76d5f6ca3ea6810bcef47c571b3be9

Download Submit
C:\4rqQ7D1gV.README.txt

Filesize
6KB

MD5
dd746ace17e44ace00885b91400f11d5

SHA1
4a0302d2dca400598f396e4230fdae71779cbeaa

SHA256
b27c3c8a30faf7c76483b7e5d964ae85046a9713caa46508ee7a1e31b7dc6272

SHA512
8ac26aa7262fdf1afdc74e604720a79ebde076c75f460d7d5f57ff4d81dedb1ad471eb114ddd428c1934029746f5c222339090680bc77a6ea09ce329e1da3ef1

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\Microsoft_AutoGenerated_{A5E73466-E220-8EF4-B956-A582187356D9}

Filesize
36KB

MD5
8aaad0f4eb7d3c65f81c6e6b496ba889

SHA1
231237a501b9433c292991e4ec200b25c1589050

SHA256
813c66ce7dec4cff9c55fb6f809eab909421e37f69ff30e4acaa502365a32bd1

SHA512
1a83ce732dc47853bf6e8f4249054f41b0dea8505cda73433b37dfa16114f27bfed3b4b3ba580aa9d53c3dcc8d48bf571a45f7c0468e6a0f2a227a7e59e17d62

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}_comexp_msc

Filesize
36KB

MD5
eab75a01498a0489b0c35e8b7d0036e5

SHA1
fd80fe2630e0443d1a1cef2bdb21257f3a162f86

SHA256
fdf01d2265452465fcbed01f1fdd994d8cbb41a40bbb1988166604c5450ead47

SHA512
2ec6c4f34dcf00b6588b536f15e3fe4d98a0b663c8d2a2df06aa7cface88e072e2c2b1b9aaf4dc5a17b29023a85297f1a007ff60b5d6d0c65d1546bf0e12dd45

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133727656134012488.txt

Filesize
77KB

MD5
c0e4491397e1632f4c6779f98fe2ae67

SHA1
d56726882e08f1ac131178b7c935b8e8df05de7a

SHA256
d02b9da05522b36b841d5b4dc1eb3c142b46708b1ad449795ea5e52a3614fe96

SHA512
4578aa20251cad20dea402cbf7878d4df348cc3b79cbe9c98d2cbf676540e65a1b2087cb2eec8f64e8559c20e7fb54e0e5b827c124f7e400e1a68d435aaf7524

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133727658101903738.txt

Filesize
47KB

MD5
cb3c835fc52da4547a6cb9897ede57be

SHA1
9c24d5ce02566c79f727de45379dffdf62ebe7f1

SHA256
f4909f72e99bd64fdb03a651e54b8a4f7a1dd165215778e1ea5f4e922d40aa61

SHA512
88b0556be5937735d1f1749430862e10dcd99b58eb8d79c7b217039289fdacc4c9a5017bf7499a7e01673801d71c80b7069c6863e39238a42f88552dde10845e

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133727664064470971.txt

Filesize
65KB

MD5
45f5e32d526230a0a91c803d040880ad

SHA1
dc6d20324ac7f9f7c813b85bb895c9ed3f72bd3c

SHA256
94e414deb8664f125e96af25d50ffc6dcb9ebe556a8113cdadb09e7c8c0a290f

SHA512
7b2cd12e8129f8c63265c09fa93e333abc8a0d7b38cb6957f9719cc16ff38d1d6d3f5b728a6ddfebecd2f12957a9ef54bdf6607efcc868f7a7e92cdd44668d74

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133801289514848510.txt

Filesize
75KB

MD5
d51568ad518490a361b9c2d58129115c

SHA1
bd2447b4786fc0e1b96df394daacbeac3cba303a

SHA256
61b3bd5591db4613587425b0bd0d8fd7a37a6f98967c90af780fa031571e51ec

SHA512
e77c4640b8b90c3ae396013afef1f7c2b1da9a6d617f718bad235d9d0e3f59569569f4c4eb564f6c909158f109f02b9f2f54db83ede7ca727ec8690c874fdc30

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.XGpuEjectDialog_cw5n1h2txyewy\Settings\settings.dat

Filesize
8KB

MD5
a8308d2f3dde0745e8b678bf69a2ecd0

SHA1
c0ee6155b9b6913c69678f323e2eabfd377c479a

SHA256
7fbb3e503ed8a4a8e5d5fab601883cbb31d2e06d6b598460e570fb7a763ee555

SHA512
9a86d28d40efc655390fea3b78396415ea1b915a1a0ec49bd67073825cfea1a8d94723277186e791614804a5ea2c12f97ac31fad2bf0d91e8e035bde2d026893

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\y0bypz8z.default-release\storage\permanent\chrome\idb\1451318868ntouromlalnodry--epcr.sqlite-shm

Filesize
32KB

MD5
b7c14ec6110fa820ca6b65f5aec85911

SHA1
608eeb7488042453c9ca40f7e1398fc1a270f3f4

SHA256
fd4c9fda9cd3f9ae7c962b0ddf37232294d55580e1aa165aa06129b8549389eb

SHA512
d8d75760f29b1e27ac9430bc4f4ffcec39f1590be5aef2bfb5a535850302e067c288ef59cf3b2c5751009a22a6957733f9f80fa18f2b0d33d90c068a3f08f3b0

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\y0bypz8z.default-release\storage\permanent\chrome\idb\3561288849sdhlie.sqlite

Filesize
48KB

MD5
19dfc6df8220d8defe6c6871b57be2b9

SHA1
64ede7896dc552e69c66391f2c6f417f877127d8

SHA256
8f66796eca9e72b96bb43b0402c56b94af7d90b0931d32b4a28e2b4daecb9e94

SHA512
eb773f3bb1c16b4617083d0b13f4de5079fb36eca2c314f743aa34c6c6b54bc53ed3425d0bd5525d66e8f80ba2ce5b103898dad49703bb40cb7dc0e3273868b1

Download Submit
C:\Users\Admin\Desktop\LockBit-main\Build.bat

Filesize
1KB

MD5
b8f24efd1d30aac9d360db90c8717aee

SHA1
7d31372560f81ea24db57bb18d56143251a8b266

SHA256
95df1d82137315708931f1fc3411e891cd42d1cab413d4380b479788729248ed

SHA512
14ebf7905f15983593164d1c093bb99d098daf3963f1b7a913c1a9763acb950075a0d2cceab3558cce3e7269c2a2d5dacc2b3c6c55807b0b6bda6bfad62dd032

Download Submit
C:\Users\Admin\Desktop\LockBit-main\Build\DDDDDDD

Filesize
153KB

MD5
b21576baa87577e18bf131292f61dd21

SHA1
cf9079625a71c51988ffc0fdfaf7e1290f25f7f1

SHA256
2bfc66a6db7fe8ca7ca9ce5ecbe2ba253bac66e63c7ba76d1764bcc6dd8383f1

SHA512
b89ef8bdf50804a44d2a45526edef7c308d134c42ae9f32684e9f76e1cab8995f34fe8a1789c670d7d99e7e0a64f61ea686545f942d0a767871746cef82d1db0

Download Submit
C:\Users\Admin\Desktop\LockBit-main\Build\DECRYPTION_ID.txt

Filesize
265B

MD5
3cd675e7331c60b7b0bd5ab0b516e546

SHA1
551a764b26d810b9c3ce382d99af56c25eb4b956

SHA256
2bb8eafc72cfdc5879c94c1e3b85c7b33f94c38b1c06dfd96e2e6467cc75058c

SHA512
790613112c9f4ca124daf7b2a12f50104a46bd2221e6ec4a2fe02746d8d9f950585914bc94663e811adc5f1d9bbf7cff5e27722e16db77ba96a47e4a649d6819

Download Submit
C:\Users\Admin\Desktop\LockBit-main\Build\LB3.exe

Filesize
153KB

MD5
072505cadbb6670219cb4e5a7e3c5eb8

SHA1
5cc395cd38067a81e22aef97e552b2910866b1e0

SHA256
72dfab7d5857bc1c358d5719fb0f7cc851143002851155a7081e807bf1025bfa

SHA512
4a0a1720510d8b16da209fff9831edcd9f577969494a6bed1630fa30c908314ec9b1befe55041db9cb9132d60d6206050868cd1295a5f2d4fbee7a7972e7cd23

Download Submit
C:\Users\Admin\Desktop\LockBit-main\Build\LB3Decryptor.exe

Filesize
54KB

MD5
255ae4d32b8ea42a3fbbe9c8fc40e481

SHA1
cd12144758a946537c0e8ad57965647d3387b2f1

SHA256
0df751329c62821f7fda006c6f24c9d9720d1aad75eb365dfb15f0a0ec107404

SHA512
ae349e33845ebd7e5033e208355e6db17ccedc3e76973400a434c533146f9bb35b7df5f58b288cf90493540a3fbe4b0bf75eb6eb643563e6ec89d58de3aedfc7

Download Submit
C:\Users\Admin\Desktop\LockBit-main\Build\Password_dll.txt

Filesize
2KB

MD5
b1a0223ba60e1833695f07989736d442

SHA1
c9b383de5d2b6bade92b0b8539bd9f0f3ae11fed

SHA256
cdc6f98de70dda8d3f88a3792577fbd52b39eb19fbfd27b4b32f272a121d6c13

SHA512
476cfea0bb677d271b757e88d8d254a3bbcb377af981c498e9845a1ccc47122c1ade0e46fc85b69c523c24a4beaf65abdc75f60c37e0a2f2f2fb2f90210fb4df

Download Submit
C:\Users\Admin\Desktop\LockBit-main\Build\Password_exe.txt

Filesize
2KB

MD5
d6960c532478a1522cf2850734961bfd

SHA1
6e12efaeda4d4793b835d0d14fda92de47178fc4

SHA256
16363e1ccf7a6bc3c7ed0293e1d21fbce7877292b01d043dbe09ce26b75e34e6

SHA512
373199befef493dc939d5a55f4a9ec4521c8ece74dba00a7c32b8fa2b704121ef1ebbabc002afa4b52cf7b3fae26af09426c120f78e70d9327d23e8caea1e10b

Download Submit
C:\Users\Admin\Desktop\LockBit-main\Build\priv.key

Filesize
344B

MD5
9516b6bd999b5b315e199c5c934badc8

SHA1
21f1ce31cd94df118facb072fcbda172167b630d

SHA256
75e0fbc3a2bf6fa67019d758cb60414cdc2b104061cd269bd4a7fdadeddedb6e

SHA512
e190ff863a84ffadfc2ae33a43fbd78ad66a00b3e7debba9350dc047ef25e6a19ac0e98787c86d79715dc7822474c2e41bfcecb43ba7e70875c74f2040202654

Download Submit
C:\Users\Admin\Desktop\LockBit-main\Build\pub.key

Filesize
344B

MD5
7646505d94b376464f8932c8b5f9fab9

SHA1
41ed78aede49efc69b261bd341f050a93394e23e

SHA256
1311b06d1f4adaa5a945d4cf6c5ed9741eaede696f10c37d0ae5ddc0c331a613

SHA512
320d85b99653079a5c1e28f6a2996d825e100983358e7d0c9296a3bd9c724c58311ac11debf4e4d8a9b4da48286d5c9b22792bc7e0b3298f75202ccbd2d2f1c4

Download Submit
C:\Users\Admin\Desktop\LockBit-main\README.md

Filesize
4KB

MD5
d2a6c0f2726e529e9e434946db4d7015

SHA1
ae71e212526a4203939ea68a11a08803f40f8fd0

SHA256
21de073d7de49abaa4ac8cbe0483565e7fa94ee6a5037faa59a1c21bf0308db4

SHA512
c97a776ae8782f8204a3f93f7719d4b93728c1a3e19099f384e461815d7b4b3e4b6f8f8fc15efa1a10cab46ca20174af61faab84980c4a9a20552e3ea50f6484

Download Submit
C:\Users\Admin\Desktop\LockBit-main\builder.exe

Filesize
469KB

MD5
c2bc344f6dde0573ea9acdfb6698bf4c

SHA1
d6ae7dc2462c8c35c4a074b0a62f07cfef873c77

SHA256
a736269f5f3a9f2e11dd776e352e1801bc28bb699e47876784b8ef761e0062db

SHA512
d60cf86c0267cd4e88d21768665bbb43f3048dace1e0013b2361c5bfabf2656ff6215dfb75b6932e09545473305b4f707c069721cdde317b1df1709cd9fc61c0

Download Submit
C:\Users\Admin\Desktop\LockBit-main\config.json

Filesize
8KB

MD5
de177fa08e9b2eaa378760afd53be6b2

SHA1
a18050f9e5f2412955df4b868ffb866209d2b84a

SHA256
d121f4293160e0a39cbb184c032cd45baf1372db00cd33afb0e166ac0a60ac4c

SHA512
44f4e745013eaa7d95486c91457c23fd9694f859920766f0139cf5ca9c84ff6c82d59be9675dd1a0c7b3216464c85cf732dbbdb0e641a5e47cbbf1830f4a0a8c

Download Submit
C:\Users\Admin\Desktop\LockBit-main\keygen.exe

Filesize
31KB

MD5
71c3b2f765b04d0b7ea0328f6ce0c4e2

SHA1
bf8ecb6519f16a4838ceb0a49097bcc3ef30f3c4

SHA256
ea6d4dedd8c85e4a6bb60408a0dc1d56def1f4ad4f069c730dc5431b1c23da37

SHA512
1923db134d7cee25389a07e4d48894dde7ee8f70d008cd890dd34a03b2741a54ec1555e6821755e5af8eae377ef5005e3f9afceb4681059bc1880276e9bcf035

Download Submit
C:\vcredist2010_x64.log-MSI_vc_red.msi.txt.4rqQ7D1gV

Filesize
380KB

MD5
2f22e278ac06d35ab36235a4470486d8

SHA1
794ec62949578cdd5a7e141cf005a07df3dd9f9d

SHA256
811ec0cbbe0e048c7ea77387763ea0559c87e6d26711a7e42bb23d868ec77c5f

SHA512
66d7a632d7741873f5f7a9dc767734fb56e4fbbaf2ff8b0cfa7d0f81431bfa6884e7a03589a9ea20e38bdeffc7926f48202a78803b70203995eb23c1deb299af

Download Submit
C:\vcredist2010_x64.log.html.4rqQ7D1gV

Filesize
86KB

MD5
d54f62c8c4c4f078da690a069421d04c

SHA1
f3ccb094bbd680192b1e560b8f52742890320f20

SHA256
ccf6893b47c768527ee7b69e7da011839ff8b489fced25c5a8814cd005e9d45b

SHA512
eb805782a9ffd93a5ab1560ff0baf95bce4014ee243dd51932c96a327ec5f952becb90801eb3561cceaa014ffdb9baa6b4ee28c039783d6eb3ca28fef5647895

Download Submit
C:\vcredist2010_x86.log-MSI_vc_red.msi.txt.4rqQ7D1gV

Filesize
396KB

MD5
45641586382986f6700414583942a60e

SHA1
c2eed667c03667d4a6e2dd4fa52a91a5eb7a2e41

SHA256
a61d34239f7feb92597404853039450bcec9d889cb190b97d9c0e08c1b06a986

SHA512
b4e0bc460bc327bc23883b3fdb52f21e1f2ed8fb9ac574e0da3d58c35b417f893b9f10a5957949610085995c933745289a8ce1c3e05cac215d41389dc22f7ab7

Download Submit
C:\vcredist2010_x86.log.html.4rqQ7D1gV

Filesize
82KB

MD5
3ecca1e2281fc8d496efbcb669ce2506

SHA1
64739a1f9a5f457ef5b1994a8add25eed1402cab

SHA256
e6c2b122f0f157358929af4aba3c0f71b3722f8046a0b857a88d71d87deae62e

SHA512
839cfcf323926f35331d1cd7f7db705659575c4d08c2de5852df8cce84e5639bfd996150300cd4678d9a23606eff837aaf28791550276a1ab5cbf06df27d994a

Download Submit
C:\vcredist2012_x64_0_vcRuntimeMinimum_x64.log.4rqQ7D1gV

Filesize
168KB

MD5
24c3f40c53151e72261b9d64b063c106

SHA1
588cac8c85d9acf11d66836aab1f97036b8eec79

SHA256
6ffc95b20f77e8b143b9f87b6448cba9f0ef7316fdc12136f12fe72a835b7e99

SHA512
ad03d9d7e73fdb4bdbd66856d8fb59b58fc930c1d39d180e2335b6882608e70c3d62e1ef52d23331df93e2b3808b50331066328a9a41730491af5c7606393a7d

Download Submit
C:\vcredist2012_x64_1_vcRuntimeAdditional_x64.log.4rqQ7D1gV

Filesize
195KB

MD5
0325286469a4587a6c69b67284e05bd3

SHA1
1eb465bac873c5c1c12a1bfbec11f02e74dc4146

SHA256
0edcf49f224c8fa09c689e048770f6180390f3adbee9f9d61fdea528ca6b07d7

SHA512
353b2df45b4348f18a80cd46d6737c58380d80865e01ad6197f8953bb49ab18dddb33279e7c99f4273bc28db624a86e056db047cb8c61a628dbc2f8cd42d6d6d

Download Submit
C:\vcredist2012_x86_0_vcRuntimeMinimum_x86.log.4rqQ7D1gV

Filesize
171KB

MD5
130aab113d2e2dd2530f939769b0dac5

SHA1
f7ef463879c29e92a0bc64e553f5ebd78064cdcf

SHA256
028d18705f87e4fe38095a3d377649fad342cff826fc24d67f9f7909b903f8e8

SHA512
e32c1d1c743e1c6cdf97f4c672c3c642e207b5e11cf01150636f44a2558d7ac88ce5d429b2a026526296af392c18a9a2d49c9611a70077d383329ca5a44a5431

Download Submit
C:\vcredist2012_x86_1_vcRuntimeAdditional_x86.log.4rqQ7D1gV

Filesize
208KB

MD5
24e27c76950764c685aa23f3bda615d6

SHA1
0d3da261b25aa06326fcf2800b709a461eda08e5

SHA256
737cec10dc34435913569b563d6e27e8ce87514ac638c6a860baf8879d4abc7f

SHA512
9da979ad6feef631d58cb6912d654a952fee168daeb3d8289b177d4191870f83f2d887754be6197edad92b0201140719235e478fea703154450e2d0bf509bc0f

Download Submit
C:\vcredist2013_x64_000_vcRuntimeMinimum_x64.log.4rqQ7D1gV

Filesize
170KB

MD5
2abec299451d06912defd260c42ae395

SHA1
e8879ba9ad9f6647563f2cc27d4fde7368d5869a

SHA256
419f3ae37aa5f3af0d6abf769a5316b63534675e4a24893e8972db7855c9a698

SHA512
be58fca83827ae1bc1dbdfaba6078dd3b0e64f72039dd06d6c7cc1e7905567cb8f3dd3e596a431f5e83e0684cb3e6b39a7bbb5a5eeb84645ffcbabfe3f615905

Download Submit
C:\vcredist2013_x64_001_vcRuntimeAdditional_x64.log.4rqQ7D1gV

Filesize
191KB

MD5
527f808cf7799a9314c450892ff70540

SHA1
a85ee3b06bdfee825d4db46a1d29c72f2929cb89

SHA256
01c9c5ac5002243f958fef7e2cfb910f2a1f2c8d34f8b5ec9055216a7b6ebeb5

SHA512
7d7fe06075466d1933eed580250d086755c624e40d22e0612b47710416012a9c25ec029ed4ae2e5a49c708190c2659352d26f415b9f8ff7ee679aa5a54f09bd6

Download Submit
C:\vcredist2013_x86_000_vcRuntimeMinimum_x86.log.4rqQ7D1gV

Filesize
170KB

MD5
a93119765e7313bd85e65860fa88a3df

SHA1
90fd2cbad36ec112a8584aeb54a9e280df74b451

SHA256
6193ea4e874e616da8f53e67b99c52da4d9ab0d0c51c05ac36b919c600e68234

SHA512
b3a1017c9c58fdbbaec11a87779a469dc3234bc289d3638f53a92954587e367a4e486d12cc304da578c1122d23a42178ce03e25cd9a49b951185632d72271f9e

Download Submit
C:\vcredist2013_x86_001_vcRuntimeAdditional_x86.log.4rqQ7D1gV

Filesize
198KB

MD5
cb6a5818a183fad9e892a211084dc482

SHA1
763102925605f334869ec0b2260289638d91613e

SHA256
8f0557c1a9be34fbc42970e3fb17fd4f42a52caaa3b5f9356e52fb6bc37309e8

SHA512
b50527788066b66257b30d327301eac8a01b10072615f646d3243d587caa336f1db9800fb463fe32ce19e03a7a91e2531050dc4c902605122a04f8c4a6f2476b

Download Submit
C:\vcredist2022_x64_000_vcRuntimeMinimum_x64.log.4rqQ7D1gV

Filesize
123KB

MD5
c87e8c8eb228e4d28410cf4a08e906f2

SHA1
edbeff7b9c1e70e7cc3668cbbb86c6ac2251a68d

SHA256
dfc87a7289b82955b51901f980bfcd8ef440f2ec1e849b600b41b0881613a9d5

SHA512
4fd43031aca56b345343d39e84000a2473d9f69ac14b92419b9af6a25e4c49007f83bff3793b76f061fbf886308304ace60445aff5f6d51826f50d61ca68eb5b

Download Submit
C:\vcredist2022_x64_001_vcRuntimeAdditional_x64.log.4rqQ7D1gV

Filesize
130KB

MD5
100d76973de8962d4dc46e69536d0b79

SHA1
1c4499378a4dafffcf7b3c0ceefeba2bc83fa68e

SHA256
ef080cb227f50b693a3b1f388da6da7e3c5e5c2b9783f0081577df2cdd421d05

SHA512
8efa536b1affacba452002e1a171074d82da98277ee3e40b2d6f0357566ce6dcfb1760def09e6573259bae3c4d38cc55ed84cd77649d6e4ed265881fb209fdc4

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-3442511616-637977696-3186306149-1000\DDDDDDDDDDD

Filesize
129B

MD5
d8d6403554ab54d615e63c8e7e5dd00e

SHA1
3ac4374402466e3d25d2c8f09dddc263e9d04840

SHA256
ab3f48770bd278ca5c542744f67539bbb21e34746abf2618c8ce2fad74507ccb

SHA512
bc4923d40cb1a546af8114ec6a4dd17b81e2cb9a78386a9a7cd923b314336d634ba1070b101d55819dfa87b64c892e7aa1babcc842f50f1ff6a6958077c130a4

Download Submit
memory/6492-3568-0x00007FFEC6AF0000-0x00007FFEC6B00000-memory.dmp

Filesize
64KB

Download
memory/6492-3567-0x00007FFEC6AF0000-0x00007FFEC6B00000-memory.dmp

Filesize
64KB

Download
memory/6492-3569-0x00007FFEC6AF0000-0x00007FFEC6B00000-memory.dmp

Filesize
64KB

Download
memory/6492-3570-0x00007FFEC6AF0000-0x00007FFEC6B00000-memory.dmp

Filesize
64KB

Download
memory/6492-3573-0x00007FFEC4330000-0x00007FFEC4340000-memory.dmp

Filesize
64KB

Download
memory/6492-3566-0x00007FFEC6AF0000-0x00007FFEC6B00000-memory.dmp

Filesize
64KB

Download
memory/6492-3602-0x00007FFEC4330000-0x00007FFEC4340000-memory.dmp

Filesize
64KB

Download