Analysis Overview
Threat Level: Known bad
The file https://github.com/3xp0rt/LockBit-Black-Builder was found to be: Known bad.
Malicious Activity Summary
BlackMatter Ransomware
Modifies extensions of user files
Executes dropped EXE
Reads user/profile data of web browsers
Checks computer location settings
Drops desktop.ini file(s)
Sets desktop wallpaper using registry
Suspicious use of NtSetInformationThreadHideFromDebugger
Enumerates physical storage devices
Program crash
Modifies Control Panel
Opens file in notepad (likely ransom note)
Suspicious use of SetWindowsHookEx
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: EnumeratesProcesses
Suspicious use of SendNotifyMessage
Modifies data under HKEY_USERS
Enumerates system info in registry
Suspicious behavior: AddClipboardFormatListener
Suspicious use of FindShellTrayWindow
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of WriteProcessMemory
Modifies registry class
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-09-21 15:04
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2022-09-21 15:04
Reported
2022-09-21 15:13
Platform
win10v2004-20220812-it
Max time kernel
508s
Max time network
515s
Command Line
Signatures
BlackMatter Ransomware
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\Desktop\LockBit30\keygen.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\LockBit30\builder.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\LockBit30\builder.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\LockBit30\builder.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\LockBit30\builder.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\LockBit30\builder.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\LockBit30\builder.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\LockBit30\Build\LB3_pass.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\LockBit30\Build\LB3.exe | N/A |
| N/A | N/A | C:\ProgramData\853F.tmp | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\LockBit30\Build\LB3Decryptor.exe | N/A |
Modifies extensions of user files
| Description | Indicator | Process | Target |
| File renamed | C:\Users\Admin\Pictures\HideLock.tif => C:\Users\Admin\Pictures\HideLock.tif.7MndmOidL | C:\Users\Admin\Desktop\LockBit30\Build\LB3.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\SendSave.raw.7MndmOidL | C:\Users\Admin\Desktop\LockBit30\Build\LB3.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\ConvertLimit.png.7MndmOidL | C:\Users\Admin\Desktop\LockBit30\Build\LB3.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\HideLock.tif.7MndmOidL | C:\Users\Admin\Desktop\LockBit30\Build\LB3.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\SendSave.raw => C:\Users\Admin\Pictures\SendSave.raw.7MndmOidL | C:\Users\Admin\Desktop\LockBit30\Build\LB3.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\ConvertLimit.png.7MndmOidL | C:\Users\Admin\Desktop\LockBit30\Build\LB3Decryptor.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\HideLock.tif.7MndmOidL | C:\Users\Admin\Desktop\LockBit30\Build\LB3Decryptor.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\SendSave.raw.7MndmOidL | C:\Users\Admin\Desktop\LockBit30\Build\LB3Decryptor.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\ConvertLimit.png => C:\Users\Admin\Pictures\ConvertLimit.png.7MndmOidL | C:\Users\Admin\Desktop\LockBit30\Build\LB3.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation | C:\ProgramData\853F.tmp | N/A |
Reads user/profile data of web browsers
Drops desktop.ini file(s)
| Description | Indicator | Process | Target |
| File opened for modification | C:\$Recycle.Bin\S-1-5-21-2891029575-1462575-1165213807-1000\desktop.ini | C:\Users\Admin\Desktop\LockBit30\Build\LB3.exe | N/A |
Sets desktop wallpaper using registry
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\7MndmOidL.bmp" | C:\Users\Admin\Desktop\LockBit30\Build\LB3.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\7MndmOidL.bmp" | C:\Users\Admin\Desktop\LockBit30\Build\LB3.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\Desktop\WallPaper | C:\Users\Admin\Desktop\LockBit30\Build\LB3Decryptor.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\853F.tmp | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\Desktop\LockBit30\Build\LB3_pass.exe |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Modifies Control Panel
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\Desktop\WallpaperStyle = "10" | C:\Users\Admin\Desktop\LockBit30\Build\LB3.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\Desktop | C:\Users\Admin\Desktop\LockBit30\Build\LB3Decryptor.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\Desktop | C:\Users\Admin\Desktop\LockBit30\Build\LB3.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00 | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10" | C:\Windows\system32\LogonUI.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808" | C:\Windows\system32\LogonUI.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040" | C:\Windows\system32\LogonUI.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "182" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1" | C:\Windows\system32\LogonUI.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.7MndmOidL | C:\Users\Admin\Desktop\LockBit30\Build\LB3.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.7MndmOidL\ = "7MndmOidL" | C:\Users\Admin\Desktop\LockBit30\Build\LB3.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\7MndmOidL\DefaultIcon | C:\Users\Admin\Desktop\LockBit30\Build\LB3.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\7MndmOidL | C:\Users\Admin\Desktop\LockBit30\Build\LB3.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\7MndmOidL\DefaultIcon\ = "C:\\ProgramData\\7MndmOidL.ico" | C:\Users\Admin\Desktop\LockBit30\Build\LB3.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\CLASSES\7MNDMOIDL\DEFAULTICON | C:\Users\Admin\Desktop\LockBit30\Build\LB3Decryptor.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\7MndmOidL | C:\Users\Admin\Desktop\LockBit30\Build\LB3Decryptor.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\.7MndmOidL | C:\Users\Admin\Desktop\LockBit30\Build\LB3Decryptor.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Opens file in notepad (likely ransom note)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\NOTEPAD.EXE | N/A |
| N/A | N/A | C:\Windows\system32\NOTEPAD.EXE | N/A |
| N/A | N/A | C:\Windows\system32\NOTEPAD.EXE | N/A |
| N/A | N/A | C:\Windows\system32\NOTEPAD.EXE | N/A |
| N/A | N/A | C:\Windows\system32\NOTEPAD.EXE | N/A |
| N/A | N/A | C:\Windows\system32\NOTEPAD.EXE | N/A |
| N/A | N/A | C:\Windows\system32\NOTEPAD.EXE | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\LockBit30\Build\LB3Decryptor.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Windows\system32\LogonUI.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" https://github.com/3xp0rt/LockBit-Black-Builder
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffedf234f50,0x7ffedf234f60,0x7ffedf234f70
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1664,17552512017415052144,4770756426805288862,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1680 /prefetch:2
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1664,17552512017415052144,4770756426805288862,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1996 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1664,17552512017415052144,4770756426805288862,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2328 /prefetch:8
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1664,17552512017415052144,4770756426805288862,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3048 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1664,17552512017415052144,4770756426805288862,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3008 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1664,17552512017415052144,4770756426805288862,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4260 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.FileUtilService --field-trial-handle=1664,17552512017415052144,4770756426805288862,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4904 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1664,17552512017415052144,4770756426805288862,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4808 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1664,17552512017415052144,4770756426805288862,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5384 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1664,17552512017415052144,4770756426805288862,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4420 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1664,17552512017415052144,4770756426805288862,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5476 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1664,17552512017415052144,4770756426805288862,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4552 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1664,17552512017415052144,4770756426805288862,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4528 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1664,17552512017415052144,4770756426805288862,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4316 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1664,17552512017415052144,4770756426805288862,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5588 /prefetch:8
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1664,17552512017415052144,4770756426805288862,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4428 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1664,17552512017415052144,4770756426805288862,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5440 /prefetch:8
C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\LockBit30\" -spe -an -ai#7zMap9867:74:7zEvent16933
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1664,17552512017415052144,4770756426805288862,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4236 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1664,17552512017415052144,4770756426805288862,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5512 /prefetch:8
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\LockBit30\Build.bat" "
C:\Users\Admin\Desktop\LockBit30\keygen.exe
keygen -path C:\Users\Admin\Desktop\LockBit30\Build -pubkey pub.key -privkey priv.key
C:\Users\Admin\Desktop\LockBit30\builder.exe
builder -type dec -privkey C:\Users\Admin\Desktop\LockBit30\Build\priv.key -config config.json -ofile C:\Users\Admin\Desktop\LockBit30\Build\LB3Decryptor.exe
C:\Users\Admin\Desktop\LockBit30\builder.exe
builder -type enc -exe -pubkey C:\Users\Admin\Desktop\LockBit30\Build\pub.key -config config.json -ofile C:\Users\Admin\Desktop\LockBit30\Build\LB3.exe
C:\Users\Admin\Desktop\LockBit30\builder.exe
builder -type enc -exe -pass -pubkey C:\Users\Admin\Desktop\LockBit30\Build\pub.key -config config.json -ofile C:\Users\Admin\Desktop\LockBit30\Build\LB3_pass.exe
C:\Users\Admin\Desktop\LockBit30\builder.exe
builder -type enc -dll -pubkey C:\Users\Admin\Desktop\LockBit30\Build\pub.key -config config.json -ofile C:\Users\Admin\Desktop\LockBit30\Build\LB3_Rundll32.dll
C:\Users\Admin\Desktop\LockBit30\builder.exe
builder -type enc -dll -pass -pubkey C:\Users\Admin\Desktop\LockBit30\Build\pub.key -config config.json -ofile C:\Users\Admin\Desktop\LockBit30\Build\LB3_Rundll32_pass.dll
C:\Users\Admin\Desktop\LockBit30\builder.exe
builder -type enc -ref -pubkey C:\Users\Admin\Desktop\LockBit30\Build\pub.key -config config.json -ofile C:\Users\Admin\Desktop\LockBit30\Build\LB3_ReflectiveDll_DllMain.dll
C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\LockBit30\Build\DECRYPTION_ID.txt
C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\LockBit30\Build\Password_dll.txt
C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\LockBit30\Build\Password_exe.txt
C:\Users\Admin\Desktop\LockBit30\Build\LB3_pass.exe
"C:\Users\Admin\Desktop\LockBit30\Build\LB3_pass.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 1436 -ip 1436
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1436 -s 280
C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\LockBit30\Build\Password_exe.txt
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\LockBit30\Build\pub.key
C:\Users\Admin\Desktop\LockBit30\Build\LB3.exe
"C:\Users\Admin\Desktop\LockBit30\Build\LB3.exe"
C:\ProgramData\853F.tmp
"C:\ProgramData\853F.tmp"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\853F.tmp >> NUL
C:\Users\Admin\Desktop\LockBit30\Build\LB3Decryptor.exe
"C:\Users\Admin\Desktop\LockBit30\Build\LB3Decryptor.exe"
C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\SaveComplete.txt
C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Desktop\SuspendExport.m4v"
C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\RestartBackup.css
C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa38d5855 /state1:0x41c64e6d
Network
| Country | Destination | Domain | Proto |
| N/A | 224.0.0.251:5353 | N/A | udp |
| US | 8.8.8.8:53 | accounts.google.com | udp |
| US | 8.8.8.8:53 | clients2.google.com | udp |
| US | 8.8.8.8:53 | github.com | udp |
| NL | 172.217.168.237:443 | accounts.google.com | tcp |
| NL | 142.250.179.174:443 | clients2.google.com | tcp |
| US | 140.82.113.4:443 | github.com | tcp |
| US | 140.82.113.4:443 | github.com | tcp |
| US | 8.8.8.8:53 | edgedl.me.gvt1.com | udp |
| US | 34.104.35.123:80 | edgedl.me.gvt1.com | tcp |
| US | 8.8.8.8:53 | github.githubassets.com | udp |
| US | 8.8.8.8:53 | avatars.githubusercontent.com | udp |
| US | 185.199.108.154:443 | github.githubassets.com | tcp |
| US | 185.199.108.133:443 | avatars.githubusercontent.com | tcp |
| US | 185.199.108.154:443 | github.githubassets.com | tcp |
| US | 185.199.108.154:443 | github.githubassets.com | tcp |
| US | 185.199.108.154:443 | github.githubassets.com | tcp |
| US | 185.199.108.154:443 | github.githubassets.com | tcp |
| US | 185.199.108.154:443 | github.githubassets.com | tcp |
| US | 8.8.8.8:53 | github-cloud.s3.amazonaws.com | udp |
| US | 8.8.8.8:53 | user-images.githubusercontent.com | udp |
| US | 8.8.8.8:53 | content-autofill.googleapis.com | udp |
| NL | 142.251.36.10:443 | content-autofill.googleapis.com | tcp |
| US | 8.8.8.8:53 | collector.github.com | udp |
| US | 140.82.113.21:443 | collector.github.com | tcp |
| US | 8.8.8.8:53 | api.github.com | udp |
| US | 185.199.108.154:443 | github.githubassets.com | tcp |
| US | 140.82.112.5:443 | api.github.com | tcp |
| US | 8.8.8.8:53 | dns.google | udp |
| US | 8.8.4.4:443 | dns.google | tcp |
| US | 8.8.4.4:443 | dns.google | tcp |
| US | 8.8.4.4:443 | dns.google | udp |
| US | 140.82.114.10:443 | codeload.github.com | tcp |
| NL | 142.250.179.131:443 | ssl.gstatic.com | tcp |
| FR | 51.11.192.48:443 | N/A | tcp |
| US | 8.8.4.4:443 | dns.google | tcp |
| US | 8.8.4.4:443 | dns.google | udp |
| NL | 142.251.39.110:443 | sb-ssl.google.com | tcp |
| US | 8.8.4.4:443 | dns.google | tcp |
| US | 8.8.4.4:443 | dns.google | udp |
| NL | 142.250.179.195:443 | update.googleapis.com | tcp |
| US | 209.197.3.8:80 | N/A | tcp |
| US | 8.8.8.8:53 | edgedl.me.gvt1.com | udp |
| US | 34.104.35.123:80 | edgedl.me.gvt1.com | tcp |
| US | 93.184.220.29:80 | N/A | tcp |
| US | 204.79.197.200:443 | N/A | tcp |
| US | 131.253.33.200:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 2472c6a0cb25f666543377fa4eabf8c1.clo.footprintdns.com | udp |
| CH | 20.199.196.24:443 | 2472c6a0cb25f666543377fa4eabf8c1.clo.footprintdns.com | tcp |
| US | 204.79.197.200:443 | www.bing.com | tcp |
| US | 204.79.197.200:443 | www.bing.com | tcp |
Files
\??\pipe\crashpad_2896_JQWAIHVZOXEUVWHU
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Caches
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\Desktop\LockBit30\Build.bat
| MD5 | 4e46e28b2e61643f6af70a8b19e5cb1f |
| SHA1 | 804a1d0c4a280b18e778e4b97f85562fa6d5a4e6 |
| SHA256 | 8e83a1727696ced618289f79674b97305d88beeeabf46bd25fc77ac53c1ae339 |
| SHA512 | 009b17b515ff0ea612e54d8751eef07f1e2b54db07e6cd69a95e7adf775f3c79a0ea91bff2fe593f2314807fdc00c75d80f1807b7dbe90f0fcf94607e675047b |
memory/4620-135-0x0000000000000000-mapping.dmp
C:\Users\Admin\Desktop\LockBit30\keygen.exe
| MD5 | 71c3b2f765b04d0b7ea0328f6ce0c4e2 |
| SHA1 | bf8ecb6519f16a4838ceb0a49097bcc3ef30f3c4 |
| SHA256 | ea6d4dedd8c85e4a6bb60408a0dc1d56def1f4ad4f069c730dc5431b1c23da37 |
| SHA512 | 1923db134d7cee25389a07e4d48894dde7ee8f70d008cd890dd34a03b2741a54ec1555e6821755e5af8eae377ef5005e3f9afceb4681059bc1880276e9bcf035 |
C:\Users\Admin\Desktop\LockBit30\keygen.exe
| MD5 | 71c3b2f765b04d0b7ea0328f6ce0c4e2 |
| SHA1 | bf8ecb6519f16a4838ceb0a49097bcc3ef30f3c4 |
| SHA256 | ea6d4dedd8c85e4a6bb60408a0dc1d56def1f4ad4f069c730dc5431b1c23da37 |
| SHA512 | 1923db134d7cee25389a07e4d48894dde7ee8f70d008cd890dd34a03b2741a54ec1555e6821755e5af8eae377ef5005e3f9afceb4681059bc1880276e9bcf035 |
memory/2772-138-0x0000000000000000-mapping.dmp
C:\Users\Admin\Desktop\LockBit30\builder.exe
| MD5 | c2bc344f6dde0573ea9acdfb6698bf4c |
| SHA1 | d6ae7dc2462c8c35c4a074b0a62f07cfef873c77 |
| SHA256 | a736269f5f3a9f2e11dd776e352e1801bc28bb699e47876784b8ef761e0062db |
| SHA512 | d60cf86c0267cd4e88d21768665bbb43f3048dace1e0013b2361c5bfabf2656ff6215dfb75b6932e09545473305b4f707c069721cdde317b1df1709cd9fc61c0 |
C:\Users\Admin\Desktop\LockBit30\builder.exe
| MD5 | c2bc344f6dde0573ea9acdfb6698bf4c |
| SHA1 | d6ae7dc2462c8c35c4a074b0a62f07cfef873c77 |
| SHA256 | a736269f5f3a9f2e11dd776e352e1801bc28bb699e47876784b8ef761e0062db |
| SHA512 | d60cf86c0267cd4e88d21768665bbb43f3048dace1e0013b2361c5bfabf2656ff6215dfb75b6932e09545473305b4f707c069721cdde317b1df1709cd9fc61c0 |
C:\Users\Admin\Desktop\LockBit30\config.json
| MD5 | a6ba7b662de10b45ebe5b6b7edaa62a9 |
| SHA1 | f3ed67bdaef070cd5a213b89d53c5b8022d6f266 |
| SHA256 | 3f7518d88aefd4b1e0a1d6f9748f9a9960c1271d679600e34f5065d8df8c9dc8 |
| SHA512 | 7fc9d4d61742a26def74c7dd86838482e3fc1e4e065cb3a06ae151e2c8614c9c36e8816ae0a3560ad5dd3cc02be131cb232c7deacc7f7b5a611e8eec790feea1 |
C:\Users\Admin\Desktop\LockBit30\Build\priv.key
| MD5 | 52696bd99131f7082457051d9f442524 |
| SHA1 | fb0142a0e88b748ce56ca05a5968eb5182e45feb |
| SHA256 | 9473748830c66724655bcc0e8feb6f92d7b1569e7a2c375b934af5cb1350576a |
| SHA512 | 16612e1989a15e9dc5066bd4ef9a22a612bf927a604db6014f46620761388c3dd295b42d4528eeca3f2efe7e3458b208d3aa56bbd4317e0958608cbe96087380 |
memory/3952-143-0x0000000000000000-mapping.dmp
C:\Users\Admin\Desktop\LockBit30\builder.exe
| MD5 | c2bc344f6dde0573ea9acdfb6698bf4c |
| SHA1 | d6ae7dc2462c8c35c4a074b0a62f07cfef873c77 |
| SHA256 | a736269f5f3a9f2e11dd776e352e1801bc28bb699e47876784b8ef761e0062db |
| SHA512 | d60cf86c0267cd4e88d21768665bbb43f3048dace1e0013b2361c5bfabf2656ff6215dfb75b6932e09545473305b4f707c069721cdde317b1df1709cd9fc61c0 |
C:\Users\Admin\Desktop\LockBit30\Build\pub.key
| MD5 | e86a924d3ee87a3394cd7a5586b8698b |
| SHA1 | 2a0e35bb929a7142be57c4c78a20630edddb8c78 |
| SHA256 | 612af64d4e0afa6cd917f0778028a945043daae732200f2b5aab136ec79c07aa |
| SHA512 | 9b9ee6178e966412240784dad1d624bfd03fb298a3f06490f99716cd1d6eee355906e631dd23603f97b19a68a8888b322f01b1475644a80cdb581ae38dbcd53a |
memory/4044-146-0x0000000000000000-mapping.dmp
C:\Users\Admin\Desktop\LockBit30\builder.exe
| MD5 | c2bc344f6dde0573ea9acdfb6698bf4c |
| SHA1 | d6ae7dc2462c8c35c4a074b0a62f07cfef873c77 |
| SHA256 | a736269f5f3a9f2e11dd776e352e1801bc28bb699e47876784b8ef761e0062db |
| SHA512 | d60cf86c0267cd4e88d21768665bbb43f3048dace1e0013b2361c5bfabf2656ff6215dfb75b6932e09545473305b4f707c069721cdde317b1df1709cd9fc61c0 |
memory/2368-148-0x0000000000000000-mapping.dmp
C:\Users\Admin\Desktop\LockBit30\builder.exe
| MD5 | c2bc344f6dde0573ea9acdfb6698bf4c |
| SHA1 | d6ae7dc2462c8c35c4a074b0a62f07cfef873c77 |
| SHA256 | a736269f5f3a9f2e11dd776e352e1801bc28bb699e47876784b8ef761e0062db |
| SHA512 | d60cf86c0267cd4e88d21768665bbb43f3048dace1e0013b2361c5bfabf2656ff6215dfb75b6932e09545473305b4f707c069721cdde317b1df1709cd9fc61c0 |
memory/4720-150-0x0000000000000000-mapping.dmp
C:\Users\Admin\Desktop\LockBit30\builder.exe
| MD5 | c2bc344f6dde0573ea9acdfb6698bf4c |
| SHA1 | d6ae7dc2462c8c35c4a074b0a62f07cfef873c77 |
| SHA256 | a736269f5f3a9f2e11dd776e352e1801bc28bb699e47876784b8ef761e0062db |
| SHA512 | d60cf86c0267cd4e88d21768665bbb43f3048dace1e0013b2361c5bfabf2656ff6215dfb75b6932e09545473305b4f707c069721cdde317b1df1709cd9fc61c0 |
memory/4352-152-0x0000000000000000-mapping.dmp
C:\Users\Admin\Desktop\LockBit30\builder.exe
| MD5 | c2bc344f6dde0573ea9acdfb6698bf4c |
| SHA1 | d6ae7dc2462c8c35c4a074b0a62f07cfef873c77 |
| SHA256 | a736269f5f3a9f2e11dd776e352e1801bc28bb699e47876784b8ef761e0062db |
| SHA512 | d60cf86c0267cd4e88d21768665bbb43f3048dace1e0013b2361c5bfabf2656ff6215dfb75b6932e09545473305b4f707c069721cdde317b1df1709cd9fc61c0 |
C:\Users\Admin\Desktop\LockBit30\Build\DECRYPTION_ID.txt
| MD5 | df882b5d8d6bb9a10eef0489b19ab8f0 |
| SHA1 | bd23d8d8effce7ede9be86b8672d843520cd51d0 |
| SHA256 | 767c1443950e9c293eb98411faa9cffd043e0115c050572e5c3838eda05f4b34 |
| SHA512 | 2951a368b9bdeb81a2492a40d2abd49f32dbbdb9f1950a6038c0796342b2d05029200eb3ca9557321db9731f9a51931499263f3788aa5ed93f3d176da247858b |
C:\Users\Admin\Desktop\LockBit30\Build\Password_dll.txt
| MD5 | b0cc1e3eafa3176bf20c304035fd30f3 |
| SHA1 | 5294064911b8bec791438b2ac2c9ba15acb87f11 |
| SHA256 | c4f7358e9d412f164fe1ab18f6f6e428a7dd33edb7072e06f2e6de739c23acf2 |
| SHA512 | ce715da927e84f5893ae203d597aa931cfb40a68e536fc89ca97f15bbea5408ff5df441ed3bc8b057257d86a8666713ad03444853b6e45f663205087c6ab3e1e |
C:\Users\Admin\Desktop\LockBit30\Build\Password_exe.txt
| MD5 | 7e6d3c85f5a8b3a604dd998845761026 |
| SHA1 | c95ba7f7eb0c11ffe71859f0236df44958208bfd |
| SHA256 | 2d7a80435de7c8f543942ea163aef9b2e10689682b782ac1641b690f22d03469 |
| SHA512 | aeb576340a6be9d8ea54365893e1f0a93a339dbef25f62885341f7b84c2d034f0f47c0a1e346cc47bf7e0b0154560770a3838a0e99629d8fc975ca8253dc1535 |
C:\Users\Admin\Desktop\LockBit30\Build\LB3_pass.exe
| MD5 | 45caaa163205f69ff7b2a77aabd11e23 |
| SHA1 | 63945e8ba9ca0df17c6cc2ef2488a12c2adde36d |
| SHA256 | 22d00c4b20e2be1d2c5025fe9328d33edd8daaf8ccaf63b3fe0ee31696a4398d |
| SHA512 | 19efe6a6f7f79889d388c6068e9d8a8c443a2f903612ab9c70948f66db37b3eb9d76b39f747a1dc651cc4542cb5c41b7d6a4768d650159c6478434b5e4ceb1eb |
C:\Users\Admin\Desktop\LockBit30\Build\LB3_pass.exe
| MD5 | 45caaa163205f69ff7b2a77aabd11e23 |
| SHA1 | 63945e8ba9ca0df17c6cc2ef2488a12c2adde36d |
| SHA256 | 22d00c4b20e2be1d2c5025fe9328d33edd8daaf8ccaf63b3fe0ee31696a4398d |
| SHA512 | 19efe6a6f7f79889d388c6068e9d8a8c443a2f903612ab9c70948f66db37b3eb9d76b39f747a1dc651cc4542cb5c41b7d6a4768d650159c6478434b5e4ceb1eb |
memory/1436-159-0x0000000000400000-0x0000000000429000-memory.dmp
memory/3864-160-0x0000000000000000-mapping.dmp
C:\Users\Admin\Desktop\LockBit30\Build\LB3.exe
| MD5 | f7cb62641b7958a73fb2fd84a24a223a |
| SHA1 | 37de3259b2b780e1af447c44476f1226f1857216 |
| SHA256 | 7549f1fdad2d362e6b9aeedce9a7690c2c9bcf7d07044e707f7a1ecef6e65c7f |
| SHA512 | 2a27b6adad1256783e868fff8a48b26fa0c2f9931b1ab70d75a897dc7bfcd7e5a33a433807f605f760dfa292905f97ef19b58b8ac65ac8f0403b542d35a4f114 |
C:\Users\Admin\Desktop\LockBit30\Build\LB3.exe
| MD5 | f7cb62641b7958a73fb2fd84a24a223a |
| SHA1 | 37de3259b2b780e1af447c44476f1226f1857216 |
| SHA256 | 7549f1fdad2d362e6b9aeedce9a7690c2c9bcf7d07044e707f7a1ecef6e65c7f |
| SHA512 | 2a27b6adad1256783e868fff8a48b26fa0c2f9931b1ab70d75a897dc7bfcd7e5a33a433807f605f760dfa292905f97ef19b58b8ac65ac8f0403b542d35a4f114 |
C:\$Recycle.Bin\S-1-5-21-2891029575-1462575-1165213807-1000\AAAAAAAAAAA
| MD5 | 830198dd3f169d41310015015afa5763 |
| SHA1 | 33cfd18395748f855e842fe948444ff000d2c143 |
| SHA256 | c722cd5d03658f3c7d4dfbba65debff5389119118d1937ed9354e44f0c473494 |
| SHA512 | c1167ef811ab3322a71853e6da4ea287824eaf12dc88a1c7e1b0a2d827b2836afffd776649e9254bd1061eac5d475f546dc9c62a4d0d5e41cfbd85eaa0cfb375 |
C:\$Recycle.Bin\S-1-5-21-2891029575-1462575-1165213807-1000\BBBBBBBBBBB
| MD5 | 830198dd3f169d41310015015afa5763 |
| SHA1 | 33cfd18395748f855e842fe948444ff000d2c143 |
| SHA256 | c722cd5d03658f3c7d4dfbba65debff5389119118d1937ed9354e44f0c473494 |
| SHA512 | c1167ef811ab3322a71853e6da4ea287824eaf12dc88a1c7e1b0a2d827b2836afffd776649e9254bd1061eac5d475f546dc9c62a4d0d5e41cfbd85eaa0cfb375 |
C:\$Recycle.Bin\S-1-5-21-2891029575-1462575-1165213807-1000\HHHHHHHHHHH
| MD5 | 830198dd3f169d41310015015afa5763 |
| SHA1 | 33cfd18395748f855e842fe948444ff000d2c143 |
| SHA256 | c722cd5d03658f3c7d4dfbba65debff5389119118d1937ed9354e44f0c473494 |
| SHA512 | c1167ef811ab3322a71853e6da4ea287824eaf12dc88a1c7e1b0a2d827b2836afffd776649e9254bd1061eac5d475f546dc9c62a4d0d5e41cfbd85eaa0cfb375 |
C:\$Recycle.Bin\S-1-5-21-2891029575-1462575-1165213807-1000\GGGGGGGGGGG
| MD5 | 830198dd3f169d41310015015afa5763 |
| SHA1 | 33cfd18395748f855e842fe948444ff000d2c143 |
| SHA256 | c722cd5d03658f3c7d4dfbba65debff5389119118d1937ed9354e44f0c473494 |
| SHA512 | c1167ef811ab3322a71853e6da4ea287824eaf12dc88a1c7e1b0a2d827b2836afffd776649e9254bd1061eac5d475f546dc9c62a4d0d5e41cfbd85eaa0cfb375 |
C:\$Recycle.Bin\S-1-5-21-2891029575-1462575-1165213807-1000\OOOOOOOOOOO
| MD5 | 830198dd3f169d41310015015afa5763 |
| SHA1 | 33cfd18395748f855e842fe948444ff000d2c143 |
| SHA256 | c722cd5d03658f3c7d4dfbba65debff5389119118d1937ed9354e44f0c473494 |
| SHA512 | c1167ef811ab3322a71853e6da4ea287824eaf12dc88a1c7e1b0a2d827b2836afffd776649e9254bd1061eac5d475f546dc9c62a4d0d5e41cfbd85eaa0cfb375 |
C:\$Recycle.Bin\S-1-5-21-2891029575-1462575-1165213807-1000\WWWWWWWWWWW
| MD5 | 830198dd3f169d41310015015afa5763 |
| SHA1 | 33cfd18395748f855e842fe948444ff000d2c143 |
| SHA256 | c722cd5d03658f3c7d4dfbba65debff5389119118d1937ed9354e44f0c473494 |
| SHA512 | c1167ef811ab3322a71853e6da4ea287824eaf12dc88a1c7e1b0a2d827b2836afffd776649e9254bd1061eac5d475f546dc9c62a4d0d5e41cfbd85eaa0cfb375 |
C:\$Recycle.Bin\S-1-5-21-2891029575-1462575-1165213807-1000\VVVVVVVVVVV
| MD5 | 830198dd3f169d41310015015afa5763 |
| SHA1 | 33cfd18395748f855e842fe948444ff000d2c143 |
| SHA256 | c722cd5d03658f3c7d4dfbba65debff5389119118d1937ed9354e44f0c473494 |
| SHA512 | c1167ef811ab3322a71853e6da4ea287824eaf12dc88a1c7e1b0a2d827b2836afffd776649e9254bd1061eac5d475f546dc9c62a4d0d5e41cfbd85eaa0cfb375 |
C:\$Recycle.Bin\S-1-5-21-2891029575-1462575-1165213807-1000\UUUUUUUUUUU
| MD5 | 830198dd3f169d41310015015afa5763 |
| SHA1 | 33cfd18395748f855e842fe948444ff000d2c143 |
| SHA256 | c722cd5d03658f3c7d4dfbba65debff5389119118d1937ed9354e44f0c473494 |
| SHA512 | c1167ef811ab3322a71853e6da4ea287824eaf12dc88a1c7e1b0a2d827b2836afffd776649e9254bd1061eac5d475f546dc9c62a4d0d5e41cfbd85eaa0cfb375 |
C:\$Recycle.Bin\S-1-5-21-2891029575-1462575-1165213807-1000\TTTTTTTTTTT
| MD5 | 830198dd3f169d41310015015afa5763 |
| SHA1 | 33cfd18395748f855e842fe948444ff000d2c143 |
| SHA256 | c722cd5d03658f3c7d4dfbba65debff5389119118d1937ed9354e44f0c473494 |
| SHA512 | c1167ef811ab3322a71853e6da4ea287824eaf12dc88a1c7e1b0a2d827b2836afffd776649e9254bd1061eac5d475f546dc9c62a4d0d5e41cfbd85eaa0cfb375 |
C:\$Recycle.Bin\S-1-5-21-2891029575-1462575-1165213807-1000\SSSSSSSSSSS
| MD5 | 830198dd3f169d41310015015afa5763 |
| SHA1 | 33cfd18395748f855e842fe948444ff000d2c143 |
| SHA256 | c722cd5d03658f3c7d4dfbba65debff5389119118d1937ed9354e44f0c473494 |
| SHA512 | c1167ef811ab3322a71853e6da4ea287824eaf12dc88a1c7e1b0a2d827b2836afffd776649e9254bd1061eac5d475f546dc9c62a4d0d5e41cfbd85eaa0cfb375 |
C:\$Recycle.Bin\S-1-5-21-2891029575-1462575-1165213807-1000\RRRRRRRRRRR
| MD5 | 830198dd3f169d41310015015afa5763 |
| SHA1 | 33cfd18395748f855e842fe948444ff000d2c143 |
| SHA256 | c722cd5d03658f3c7d4dfbba65debff5389119118d1937ed9354e44f0c473494 |
| SHA512 | c1167ef811ab3322a71853e6da4ea287824eaf12dc88a1c7e1b0a2d827b2836afffd776649e9254bd1061eac5d475f546dc9c62a4d0d5e41cfbd85eaa0cfb375 |
C:\$Recycle.Bin\S-1-5-21-2891029575-1462575-1165213807-1000\QQQQQQQQQQQ
| MD5 | 830198dd3f169d41310015015afa5763 |
| SHA1 | 33cfd18395748f855e842fe948444ff000d2c143 |
| SHA256 | c722cd5d03658f3c7d4dfbba65debff5389119118d1937ed9354e44f0c473494 |
| SHA512 | c1167ef811ab3322a71853e6da4ea287824eaf12dc88a1c7e1b0a2d827b2836afffd776649e9254bd1061eac5d475f546dc9c62a4d0d5e41cfbd85eaa0cfb375 |
C:\$Recycle.Bin\S-1-5-21-2891029575-1462575-1165213807-1000\PPPPPPPPPPP
| MD5 | 830198dd3f169d41310015015afa5763 |
| SHA1 | 33cfd18395748f855e842fe948444ff000d2c143 |
| SHA256 | c722cd5d03658f3c7d4dfbba65debff5389119118d1937ed9354e44f0c473494 |
| SHA512 | c1167ef811ab3322a71853e6da4ea287824eaf12dc88a1c7e1b0a2d827b2836afffd776649e9254bd1061eac5d475f546dc9c62a4d0d5e41cfbd85eaa0cfb375 |
C:\$Recycle.Bin\S-1-5-21-2891029575-1462575-1165213807-1000\NNNNNNNNNNN
| MD5 | 830198dd3f169d41310015015afa5763 |
| SHA1 | 33cfd18395748f855e842fe948444ff000d2c143 |
| SHA256 | c722cd5d03658f3c7d4dfbba65debff5389119118d1937ed9354e44f0c473494 |
| SHA512 | c1167ef811ab3322a71853e6da4ea287824eaf12dc88a1c7e1b0a2d827b2836afffd776649e9254bd1061eac5d475f546dc9c62a4d0d5e41cfbd85eaa0cfb375 |
C:\$Recycle.Bin\S-1-5-21-2891029575-1462575-1165213807-1000\MMMMMMMMMMM
| MD5 | 830198dd3f169d41310015015afa5763 |
| SHA1 | 33cfd18395748f855e842fe948444ff000d2c143 |
| SHA256 | c722cd5d03658f3c7d4dfbba65debff5389119118d1937ed9354e44f0c473494 |
| SHA512 | c1167ef811ab3322a71853e6da4ea287824eaf12dc88a1c7e1b0a2d827b2836afffd776649e9254bd1061eac5d475f546dc9c62a4d0d5e41cfbd85eaa0cfb375 |
C:\$Recycle.Bin\S-1-5-21-2891029575-1462575-1165213807-1000\LLLLLLLLLLL
| MD5 | 830198dd3f169d41310015015afa5763 |
| SHA1 | 33cfd18395748f855e842fe948444ff000d2c143 |
| SHA256 | c722cd5d03658f3c7d4dfbba65debff5389119118d1937ed9354e44f0c473494 |
| SHA512 | c1167ef811ab3322a71853e6da4ea287824eaf12dc88a1c7e1b0a2d827b2836afffd776649e9254bd1061eac5d475f546dc9c62a4d0d5e41cfbd85eaa0cfb375 |
C:\$Recycle.Bin\S-1-5-21-2891029575-1462575-1165213807-1000\KKKKKKKKKKK
| MD5 | 830198dd3f169d41310015015afa5763 |
| SHA1 | 33cfd18395748f855e842fe948444ff000d2c143 |
| SHA256 | c722cd5d03658f3c7d4dfbba65debff5389119118d1937ed9354e44f0c473494 |
| SHA512 | c1167ef811ab3322a71853e6da4ea287824eaf12dc88a1c7e1b0a2d827b2836afffd776649e9254bd1061eac5d475f546dc9c62a4d0d5e41cfbd85eaa0cfb375 |
C:\$Recycle.Bin\S-1-5-21-2891029575-1462575-1165213807-1000\JJJJJJJJJJJ
| MD5 | 830198dd3f169d41310015015afa5763 |
| SHA1 | 33cfd18395748f855e842fe948444ff000d2c143 |
| SHA256 | c722cd5d03658f3c7d4dfbba65debff5389119118d1937ed9354e44f0c473494 |
| SHA512 | c1167ef811ab3322a71853e6da4ea287824eaf12dc88a1c7e1b0a2d827b2836afffd776649e9254bd1061eac5d475f546dc9c62a4d0d5e41cfbd85eaa0cfb375 |
C:\$Recycle.Bin\S-1-5-21-2891029575-1462575-1165213807-1000\IIIIIIIIIII
| MD5 | 830198dd3f169d41310015015afa5763 |
| SHA1 | 33cfd18395748f855e842fe948444ff000d2c143 |
| SHA256 | c722cd5d03658f3c7d4dfbba65debff5389119118d1937ed9354e44f0c473494 |
| SHA512 | c1167ef811ab3322a71853e6da4ea287824eaf12dc88a1c7e1b0a2d827b2836afffd776649e9254bd1061eac5d475f546dc9c62a4d0d5e41cfbd85eaa0cfb375 |
C:\$Recycle.Bin\S-1-5-21-2891029575-1462575-1165213807-1000\FFFFFFFFFFF
| MD5 | 830198dd3f169d41310015015afa5763 |
| SHA1 | 33cfd18395748f855e842fe948444ff000d2c143 |
| SHA256 | c722cd5d03658f3c7d4dfbba65debff5389119118d1937ed9354e44f0c473494 |
| SHA512 | c1167ef811ab3322a71853e6da4ea287824eaf12dc88a1c7e1b0a2d827b2836afffd776649e9254bd1061eac5d475f546dc9c62a4d0d5e41cfbd85eaa0cfb375 |
C:\$Recycle.Bin\S-1-5-21-2891029575-1462575-1165213807-1000\EEEEEEEEEEE
| MD5 | 830198dd3f169d41310015015afa5763 |
| SHA1 | 33cfd18395748f855e842fe948444ff000d2c143 |
| SHA256 | c722cd5d03658f3c7d4dfbba65debff5389119118d1937ed9354e44f0c473494 |
| SHA512 | c1167ef811ab3322a71853e6da4ea287824eaf12dc88a1c7e1b0a2d827b2836afffd776649e9254bd1061eac5d475f546dc9c62a4d0d5e41cfbd85eaa0cfb375 |
C:\$Recycle.Bin\S-1-5-21-2891029575-1462575-1165213807-1000\DDDDDDDDDDD
| MD5 | 830198dd3f169d41310015015afa5763 |
| SHA1 | 33cfd18395748f855e842fe948444ff000d2c143 |
| SHA256 | c722cd5d03658f3c7d4dfbba65debff5389119118d1937ed9354e44f0c473494 |
| SHA512 | c1167ef811ab3322a71853e6da4ea287824eaf12dc88a1c7e1b0a2d827b2836afffd776649e9254bd1061eac5d475f546dc9c62a4d0d5e41cfbd85eaa0cfb375 |
C:\$Recycle.Bin\S-1-5-21-2891029575-1462575-1165213807-1000\CCCCCCCCCCC
| MD5 | 830198dd3f169d41310015015afa5763 |
| SHA1 | 33cfd18395748f855e842fe948444ff000d2c143 |
| SHA256 | c722cd5d03658f3c7d4dfbba65debff5389119118d1937ed9354e44f0c473494 |
| SHA512 | c1167ef811ab3322a71853e6da4ea287824eaf12dc88a1c7e1b0a2d827b2836afffd776649e9254bd1061eac5d475f546dc9c62a4d0d5e41cfbd85eaa0cfb375 |
C:\$Recycle.Bin\S-1-5-21-2891029575-1462575-1165213807-1000\desktop.ini
| MD5 | 830198dd3f169d41310015015afa5763 |
| SHA1 | 33cfd18395748f855e842fe948444ff000d2c143 |
| SHA256 | c722cd5d03658f3c7d4dfbba65debff5389119118d1937ed9354e44f0c473494 |
| SHA512 | c1167ef811ab3322a71853e6da4ea287824eaf12dc88a1c7e1b0a2d827b2836afffd776649e9254bd1061eac5d475f546dc9c62a4d0d5e41cfbd85eaa0cfb375 |
memory/976-187-0x0000000000000000-mapping.dmp
memory/976-188-0x0000000000400000-0x0000000000407000-memory.dmp
memory/5004-189-0x0000000000000000-mapping.dmp