blackmatter | hxxps://github[.]com/3xp0rt/LockBit-Black-Builder

Resubmissions

22-09-2022 10:08

220922-l6m2ssbba9 10

21-09-2022 16:19

220921-tspx8sccdj 10

21-09-2022 15:04

220921-sfwpkscbcq 10

21-09-2022 14:54

220921-r93jjscbbk 10

Analysis

max time kernel
434s
max time network
435s
platform
windows10-1703_x64
resource
win10-20220812-it
resource tags

arch:x64arch:x86image:win10-20220812-itlocale:it-itos:windows10-1703-x64systemwindows
submitted
21-09-2022 16:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/3xp0rt/LockBit-Black-Builder

Score

10^/10

blackmatter ransomware spyware stealer

Malware Config

Extracted

Path

C:\7FJH6jImX.README.txt

Ransom Note

~~~ LockBit 3.0 the world's fastest ransomware since 2019~~~ >>>> Your data are stolen and encrypted The data will be published on TOR website if you do not pay the ransom Links for Tor Browser: http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion http://lockbitapt5x4zkjbcqmz6frdhecqqgadevyiwqxukksspnlidyvd7qd.onion http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion http://lockbitapt34kvrip6xojylohhxrwsvpzdffgs5z4pbbsywnzsbdguqd.onion http://lockbitaptc2iq4atewz2ise62q63wfktyrl4qtwuk5qax262kgtzjqd.onion http://lockbitaptjpikdqjynvgozhgc6bgetgucdk5xjacozeaawihmoio6yd.onion http://lockbitaptq7ephv2oigdncfhtwhpqgwmqojnxqdyhprxxfpcllqdxad.onion http://lockbitaptstzf3er2lz6ku3xuifafq2yh5lmiqj5ncur6rtlmkteiqd.onion http://lockbitaptoofrpignlz6dt2wqqc5z3a4evjevoa3eqdfcntxad5lmyd.onion Links for the normal browser http://lockbitapt.uz http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion.ly http://lockbitapt5x4zkjbcqmz6frdhecqqgadevyiwqxukksspnlidyvd7qd.onion.ly http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion.ly http://lockbitapt34kvrip6xojylohhxrwsvpzdffgs5z4pbbsywnzsbdguqd.onion.ly http://lockbitaptc2iq4atewz2ise62q63wfktyrl4qtwuk5qax262kgtzjqd.onion.ly http://lockbitaptjpikdqjynvgozhgc6bgetgucdk5xjacozeaawihmoio6yd.onion.ly http://lockbitaptq7ephv2oigdncfhtwhpqgwmqojnxqdyhprxxfpcllqdxad.onion.ly http://lockbitaptstzf3er2lz6ku3xuifafq2yh5lmiqj5ncur6rtlmkteiqd.onion.ly http://lockbitaptoofrpignlz6dt2wqqc5z3a4evjevoa3eqdfcntxad5lmyd.onion.ly >>>> What guarantees that we will not deceive you? We are not a politically motivated group and we do not need anything other than your money. If you pay, we will provide you the programs for decryption and we will delete your data. Life is too short to be sad. Be not sad, money, it is only paper. If we do not give you decrypters, or we do not delete your data after payment, then nobody will pay us in the future. Therefore to us our reputation is very important. We attack the companies worldwide and there is no dissatisfied victim after payment. You can obtain information about us on twitter https://twitter.com/hashtag/lockbit?f=live >>>> You need contact us and decrypt one file for free on these TOR sites with your personal DECRYPTION ID Download and install TOR Browser https://www.torproject.org/ Write to a chat and wait for the answer, we will always answer you. Sometimes you will need to wait for our answer because we attack many companies. Links for Tor Browser: http://lockbitsupt7nr3fa6e7xyb73lk6bw6rcneqhoyblniiabj4uwvzapqd.onion http://lockbitsupuhswh4izvoucoxsbnotkmgq6durg7kficg6u33zfvq3oyd.onion http://lockbitsupn2h6be2cnqpvncyhj4rgmnwn44633hnzzmtxdvjoqlp7yd.onion Link for the normal browser http://lockbitsupp.uz If you do not get an answer in the chat room for a long time, the site does not work and in any other emergency, you can contact us in jabber or tox. Tox ID LockBitSupp: 3085B89A0C515D2FB124D645906F5D3DA5CB97CEBEA975959AE4F95302A04E1D709C3C4AE9B7 XMPP (Jabber) Support: [email protected] [email protected] >>>> Your personal DECRYPTION ID: B3AE82AB7E2A8D11950002FBCA1C81A1 >>>> Warning! Do not DELETE or MODIFY any files, it can lead to recovery problems! >>>> Warning! If you do not pay the ransom we will attack your company repeatedly again! >>>> Advertisement Would you like to earn millions of dollars $$$ ? Our company acquire access to networks of various companies, as well as insider information that can help you steal the most valuable data of any company. You can provide us accounting data for the access to any company, for example, login and password to RDP, VPN, corporate email, etc. Open our letter at your email. Launch the provided virus on any computer in your company. You can do it both using your work computer or the computer of any other employee in order to divert suspicion of being in collusion with us. Companies pay us the foreclosure for the decryption of files and prevention of data leak. You can contact us using Tox messenger without registration and SMS https://tox.chat/download.html. Using Tox messenger, we will never know your real name, it means your privacy is guaranteed. If you want to contact us, write in jabber or tox. Tox ID LockBitSupp: 3085B89A0C515D2FB124D645906F5D3DA5CB97CEBEA975959AE4F95302A04E1D709C3C4AE9B7 XMPP (Jabber) Support: [email protected] [email protected] If this contact is expired, and we do not respond you, look for the relevant contact data on our website via Tor or Brave browser Links for Tor Browser: http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion http://lockbitapt5x4zkjbcqmz6frdhecqqgadevyiwqxukksspnlidyvd7qd.onion http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion http://lockbitapt34kvrip6xojylohhxrwsvpzdffgs5z4pbbsywnzsbdguqd.onion http://lockbitaptc2iq4atewz2ise62q63wfktyrl4qtwuk5qax262kgtzjqd.onion http://lockbitaptjpikdqjynvgozhgc6bgetgucdk5xjacozeaawihmoio6yd.onion http://lockbitaptq7ephv2oigdncfhtwhpqgwmqojnxqdyhprxxfpcllqdxad.onion http://lockbitaptstzf3er2lz6ku3xuifafq2yh5lmiqj5ncur6rtlmkteiqd.onion http://lockbitaptoofrpignlz6dt2wqqc5z3a4evjevoa3eqdfcntxad5lmyd.onion Links for the normal browser http://lockbitapt.uz http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion.ly http://lockbitapt5x4zkjbcqmz6frdhecqqgadevyiwqxukksspnlidyvd7qd.onion.ly http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion.ly http://lockbitapt34kvrip6xojylohhxrwsvpzdffgs5z4pbbsywnzsbdguqd.onion.ly http://lockbitaptc2iq4atewz2ise62q63wfktyrl4qtwuk5qax262kgtzjqd.onion.ly http://lockbitaptjpikdqjynvgozhgc6bgetgucdk5xjacozeaawihmoio6yd.onion.ly http://lockbitaptq7ephv2oigdncfhtwhpqgwmqojnxqdyhprxxfpcllqdxad.onion.ly http://lockbitaptstzf3er2lz6ku3xuifafq2yh5lmiqj5ncur6rtlmkteiqd.onion.ly http://lockbitaptoofrpignlz6dt2wqqc5z3a4evjevoa3eqdfcntxad5lmyd.onion.ly

Emails

[email protected]

URLs

http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion

http://lockbitapt5x4zkjbcqmz6frdhecqqgadevyiwqxukksspnlidyvd7qd.onion

http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion

http://lockbitapt34kvrip6xojylohhxrwsvpzdffgs5z4pbbsywnzsbdguqd.onion

http://lockbitaptc2iq4atewz2ise62q63wfktyrl4qtwuk5qax262kgtzjqd.onion

http://lockbitaptjpikdqjynvgozhgc6bgetgucdk5xjacozeaawihmoio6yd.onion

http://lockbitaptq7ephv2oigdncfhtwhpqgwmqojnxqdyhprxxfpcllqdxad.onion

http://lockbitaptstzf3er2lz6ku3xuifafq2yh5lmiqj5ncur6rtlmkteiqd.onion

http://lockbitaptoofrpignlz6dt2wqqc5z3a4evjevoa3eqdfcntxad5lmyd.onion

http://lockbitapt.uz

http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion.ly

http://lockbitapt5x4zkjbcqmz6frdhecqqgadevyiwqxukksspnlidyvd7qd.onion.ly

http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion.ly

http://lockbitapt34kvrip6xojylohhxrwsvpzdffgs5z4pbbsywnzsbdguqd.onion.ly

http://lockbitaptc2iq4atewz2ise62q63wfktyrl4qtwuk5qax262kgtzjqd.onion.ly

http://lockbitaptjpikdqjynvgozhgc6bgetgucdk5xjacozeaawihmoio6yd.onion.ly

http://lockbitaptq7ephv2oigdncfhtwhpqgwmqojnxqdyhprxxfpcllqdxad.onion.ly

http://lockbitaptstzf3er2lz6ku3xuifafq2yh5lmiqj5ncur6rtlmkteiqd.onion.ly

http://lockbitaptoofrpignlz6dt2wqqc5z3a4evjevoa3eqdfcntxad5lmyd.onion.ly

https://twitter.com/hashtag/lockbit?f=live

Extracted

Family

blackmatter

Version

25.239

Signatures

BlackMatter Ransomware
BlackMatter ransomware group claims to be Darkside and REvil succesor.
ransomware blackmatter

Executes dropped EXE 21 IoCs

pid	Process
2908	ChromeRecovery.exe
4560	keygen.exe
5076	builder.exe
4684	builder.exe
1780	builder.exe
3828	builder.exe
3784	builder.exe
4652	builder.exe
4560	LB3.exe
4148	4373.tmp
3468	LB3Decryptor.exe
4116	keygen.exe
4728	builder.exe
4976	builder.exe
1248	builder.exe
4948	builder.exe
1940	builder.exe
3116	builder.exe
3516	LB3.exe
2460	8D72.tmp
4888	LB3Decryptor.exe

Modifies extensions of user files 48 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

description	ioc	Process
File renamed	C:\Users\Admin\Pictures\PopCompare.tiff => C:\Users\Admin\Pictures\PopCompare.tiff.7FJH6jImX	LB3.exe
File renamed	C:\Users\Admin\Pictures\SaveStep.tiff => C:\Users\Admin\Pictures\SaveStep.tiff.7FJH6jImX	LB3.exe
File opened for modification	C:\Users\Admin\Pictures\FormatResolve.tif.7FJH6jImX	LB3Decryptor.exe
File opened for modification	C:\Users\Admin\Pictures\ShowFind.crw.7FJH6jImX	LB3Decryptor.exe
File renamed	C:\Users\Admin\Pictures\UpdateRename.raw => C:\Users\Admin\Pictures\UpdateRename.raw.BLHT3dkH1	LB3.exe
File opened for modification	C:\Users\Admin\Pictures\ResetHide.tif.7FJH6jImX	LB3.exe
File renamed	C:\Users\Admin\Pictures\ShowFind.crw => C:\Users\Admin\Pictures\ShowFind.crw.7FJH6jImX	LB3.exe
File renamed	C:\Users\Admin\Pictures\SaveStep.tiff.7FJH6jImX => C:\Users\Admin\Pictures\SaveStep.tiff	LB3Decryptor.exe
File opened for modification	C:\Users\Admin\Pictures\FormatResolve.tif.BLHT3dkH1	LB3.exe
File opened for modification	C:\Users\Admin\Pictures\PopCompare.tiff	LB3.exe
File renamed	C:\Users\Admin\Pictures\PopCompare.tiff => C:\Users\Admin\Pictures\PopCompare.tiff.BLHT3dkH1	LB3.exe
File opened for modification	C:\Users\Admin\Pictures\UpdateRename.raw.BLHT3dkH1	LB3Decryptor.exe
File renamed	C:\Users\Admin\Pictures\SaveStep.tiff.BLHT3dkH1 => C:\Users\Admin\Pictures\SaveStep.tiff	LB3Decryptor.exe
File opened for modification	C:\Users\Admin\Pictures\SaveStep.tiff	LB3.exe
File opened for modification	C:\Users\Admin\Pictures\SaveStep.tiff.7FJH6jImX	LB3.exe
File opened for modification	C:\Users\Admin\Pictures\SaveStep.tiff	LB3Decryptor.exe
File opened for modification	C:\Users\Admin\Pictures\ResetHide.tif.BLHT3dkH1	LB3.exe
File opened for modification	C:\Users\Admin\Pictures\FormatResolve.tif.BLHT3dkH1	LB3Decryptor.exe
File opened for modification	C:\Users\Admin\Pictures\PopCompare.tiff.7FJH6jImX	LB3.exe
File opened for modification	C:\Users\Admin\Pictures\SaveStep.tiff.7FJH6jImX	LB3Decryptor.exe
File renamed	C:\Users\Admin\Pictures\FormatResolve.tif => C:\Users\Admin\Pictures\FormatResolve.tif.BLHT3dkH1	LB3.exe
File renamed	C:\Users\Admin\Pictures\PopCompare.tiff.BLHT3dkH1 => C:\Users\Admin\Pictures\PopCompare.tiff	LB3Decryptor.exe
File opened for modification	C:\Users\Admin\Pictures\PopCompare.tiff	LB3Decryptor.exe
File opened for modification	C:\Users\Admin\Pictures\FormatResolve.tif.7FJH6jImX	LB3.exe
File renamed	C:\Users\Admin\Pictures\PopCompare.tiff.7FJH6jImX => C:\Users\Admin\Pictures\PopCompare.tiff	LB3Decryptor.exe
File opened for modification	C:\Users\Admin\Pictures\PopCompare.tiff	LB3Decryptor.exe
File renamed	C:\Users\Admin\Pictures\ResetHide.tif => C:\Users\Admin\Pictures\ResetHide.tif.BLHT3dkH1	LB3.exe
File opened for modification	C:\Users\Admin\Pictures\SaveStep.tiff	LB3.exe
File opened for modification	C:\Users\Admin\Pictures\ResetHide.tif.BLHT3dkH1	LB3Decryptor.exe
File opened for modification	C:\Users\Admin\Pictures\ShowFind.crw.BLHT3dkH1	LB3Decryptor.exe
File opened for modification	C:\Users\Admin\Pictures\SaveStep.tiff	LB3Decryptor.exe
File opened for modification	C:\Users\Admin\Pictures\PopCompare.tiff	LB3.exe
File opened for modification	C:\Users\Admin\Pictures\ShowFind.crw.7FJH6jImX	LB3.exe
File opened for modification	C:\Users\Admin\Pictures\ResetHide.tif.7FJH6jImX	LB3Decryptor.exe
File opened for modification	C:\Users\Admin\Pictures\UpdateRename.raw.7FJH6jImX	LB3Decryptor.exe
File renamed	C:\Users\Admin\Pictures\SaveStep.tiff => C:\Users\Admin\Pictures\SaveStep.tiff.BLHT3dkH1	LB3.exe
File renamed	C:\Users\Admin\Pictures\ShowFind.crw => C:\Users\Admin\Pictures\ShowFind.crw.BLHT3dkH1	LB3.exe
File opened for modification	C:\Users\Admin\Pictures\UpdateRename.raw.BLHT3dkH1	LB3.exe
File opened for modification	C:\Users\Admin\Pictures\UpdateRename.raw.7FJH6jImX	LB3.exe
File opened for modification	C:\Users\Admin\Pictures\PopCompare.tiff.BLHT3dkH1	LB3.exe
File opened for modification	C:\Users\Admin\Pictures\ShowFind.crw.BLHT3dkH1	LB3.exe
File renamed	C:\Users\Admin\Pictures\FormatResolve.tif => C:\Users\Admin\Pictures\FormatResolve.tif.7FJH6jImX	LB3.exe
File renamed	C:\Users\Admin\Pictures\ResetHide.tif => C:\Users\Admin\Pictures\ResetHide.tif.7FJH6jImX	LB3.exe
File renamed	C:\Users\Admin\Pictures\UpdateRename.raw => C:\Users\Admin\Pictures\UpdateRename.raw.7FJH6jImX	LB3.exe
File opened for modification	C:\Users\Admin\Pictures\PopCompare.tiff.7FJH6jImX	LB3Decryptor.exe
File opened for modification	C:\Users\Admin\Pictures\SaveStep.tiff.BLHT3dkH1	LB3.exe
File opened for modification	C:\Users\Admin\Pictures\PopCompare.tiff.BLHT3dkH1	LB3Decryptor.exe
File opened for modification	C:\Users\Admin\Pictures\SaveStep.tiff.BLHT3dkH1	LB3Decryptor.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File opened for modification	C:\$Recycle.Bin\S-1-5-21-2482096546-1136599444-1359412500-1000\desktop.ini	LB3.exe
File opened for modification	C:\$Recycle.Bin\S-1-5-21-2482096546-1136599444-1359412500-1000\desktop.ini	LB3.exe

Sets desktop wallpaper using registry 2 TTPs 6 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\7FJH6jImX.bmp"	LB3.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Control Panel\Desktop\WallPaper	LB3Decryptor.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\BLHT3dkH1.bmp"	LB3.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\BLHT3dkH1.bmp"	LB3.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Control Panel\Desktop\WallPaper	LB3Decryptor.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\7FJH6jImX.bmp"	LB3.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
4148	4373.tmp
2460	8D72.tmp

Drops file in Program Files directory 7 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir5020_942308856\ChromeRecovery.exe	elevation_service.exe
File created	C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir5020_942308856\manifest.json	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir5020_942308856\manifest.json	elevation_service.exe
File created	C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir5020_942308856\_metadata\verified_contents.json	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir5020_942308856\_metadata\verified_contents.json	elevation_service.exe
File created	C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir5020_942308856\ChromeRecoveryCRX.crx	elevation_service.exe
File created	C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir5020_942308856\ChromeRecovery.exe	elevation_service.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Debug\ESE.TXT	svchost.exe
File opened for modification	C:\Windows\Debug\ESE.TXT	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies Control Panel 6 IoCs

evasion

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Control Panel\Desktop	LB3.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Control Panel\Desktop\WallpaperStyle = "10"	LB3.exe
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Control Panel\Desktop	LB3Decryptor.exe
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Control Panel\Desktop	LB3.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Control Panel\Desktop\WallpaperStyle = "10"	LB3.exe
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Control Panel\Desktop	LB3Decryptor.exe

Modifies registry class 28 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\json_auto_file	OpenWith.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.BLHT3dkH1\ = "BLHT3dkH1"	LB3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BLHT3dkH1	LB3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\7FJH6jImX\DefaultIcon	LB3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\7FJH6jImX	LB3.exe
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\json_auto_file\shell\open\command	OpenWith.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BLHT3dkH1\DefaultIcon	LB3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BLHT3dkH1\DefaultIcon\ = "C:\\ProgramData\\BLHT3dkH1.ico"	LB3.exe
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings	OpenWith.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.7FJH6jImX\ = "7FJH6jImX"	LB3.exe
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\json_auto_file\shell	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\.json	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\.json\ = "json_auto_file"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\json_auto_file\shell\open	OpenWith.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\BLHT3DKH1\DEFAULTICON	LB3Decryptor.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\.BLHT3dkH1	LB3Decryptor.exe
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings	OpenWith.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\7FJH6jImX\DefaultIcon\ = "C:\\ProgramData\\7FJH6jImX.ico"	LB3.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\.7FJH6jImX	LB3Decryptor.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\json_auto_file\shell\open\command\ = "\"%ProgramFiles%\\Windows NT\\Accessories\\WORDPAD.EXE\" \"%1\""	OpenWith.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\7FJH6JIMX\DEFAULTICON	LB3Decryptor.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\BLHT3dkH1	LB3Decryptor.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.7FJH6jImX	LB3.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\7FJH6jImX	LB3Decryptor.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.BLHT3dkH1	LB3.exe
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings	OpenWith.exe

Opens file in notepad (likely ransom note) 2 IoCs

ransomware

pid	Process
744	NOTEPAD.EXE
4860	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4852	chrome.exe
4852	chrome.exe
2180	chrome.exe
2180	chrome.exe
5104	chrome.exe
5104	chrome.exe
4072	chrome.exe
4072	chrome.exe
4316	chrome.exe
4316	chrome.exe
4992	chrome.exe
4960	chrome.exe
4960	chrome.exe
4992	chrome.exe
4716	chrome.exe
4716	chrome.exe
5060	chrome.exe
5060	chrome.exe
2180	chrome.exe
2180	chrome.exe
2236	chrome.exe
2236	chrome.exe
824	chrome.exe
824	chrome.exe
4856	chrome.exe
4856	chrome.exe
4856	chrome.exe
4856	chrome.exe
4560	LB3.exe
4560	LB3.exe
4560	LB3.exe
4560	LB3.exe
4560	LB3.exe
4560	LB3.exe
4560	LB3.exe
4560	LB3.exe
4560	LB3.exe
4560	LB3.exe
4560	LB3.exe
4560	LB3.exe
4560	LB3.exe
4560	LB3.exe
4560	LB3.exe
4560	LB3.exe
4560	LB3.exe
4560	LB3.exe
4560	LB3.exe
4560	LB3.exe
4560	LB3.exe
4560	LB3.exe
4560	LB3.exe
4560	LB3.exe
4560	LB3.exe
4560	LB3.exe
4560	LB3.exe
4560	LB3.exe
4560	LB3.exe
4560	LB3.exe
4560	LB3.exe
4560	LB3.exe
4560	LB3.exe
4560	LB3.exe
4560	LB3.exe
4560	LB3.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3500	OpenWith.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
2180	chrome.exe
2180	chrome.exe
2180	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeRestorePrivilege	4520	7zG.exe
Token: 35	4520	7zG.exe
Token: SeSecurityPrivilege	4520	7zG.exe
Token: SeSecurityPrivilege	4520	7zG.exe
Token: SeAssignPrimaryTokenPrivilege	4560	LB3.exe
Token: SeBackupPrivilege	4560	LB3.exe
Token: SeDebugPrivilege	4560	LB3.exe
Token: 36	4560	LB3.exe
Token: SeImpersonatePrivilege	4560	LB3.exe
Token: SeIncBasePriorityPrivilege	4560	LB3.exe
Token: SeIncreaseQuotaPrivilege	4560	LB3.exe
Token: 33	4560	LB3.exe
Token: SeManageVolumePrivilege	4560	LB3.exe
Token: SeProfSingleProcessPrivilege	4560	LB3.exe
Token: SeRestorePrivilege	4560	LB3.exe
Token: SeSecurityPrivilege	4560	LB3.exe
Token: SeSystemProfilePrivilege	4560	LB3.exe
Token: SeTakeOwnershipPrivilege	4560	LB3.exe
Token: SeShutdownPrivilege	4560	LB3.exe
Token: SeDebugPrivilege	4560	LB3.exe
Token: SeBackupPrivilege	4560	LB3.exe
Token: SeBackupPrivilege	4560	LB3.exe
Token: SeSecurityPrivilege	4560	LB3.exe
Token: SeSecurityPrivilege	4560	LB3.exe
Token: SeBackupPrivilege	4560	LB3.exe
Token: SeBackupPrivilege	4560	LB3.exe
Token: SeSecurityPrivilege	4560	LB3.exe
Token: SeSecurityPrivilege	4560	LB3.exe
Token: SeBackupPrivilege	4560	LB3.exe
Token: SeBackupPrivilege	4560	LB3.exe
Token: SeSecurityPrivilege	4560	LB3.exe
Token: SeSecurityPrivilege	4560	LB3.exe
Token: SeBackupPrivilege	4560	LB3.exe
Token: SeBackupPrivilege	4560	LB3.exe
Token: SeSecurityPrivilege	4560	LB3.exe
Token: SeSecurityPrivilege	4560	LB3.exe
Token: SeBackupPrivilege	4560	LB3.exe
Token: SeBackupPrivilege	4560	LB3.exe
Token: SeSecurityPrivilege	4560	LB3.exe
Token: SeSecurityPrivilege	4560	LB3.exe
Token: SeBackupPrivilege	4560	LB3.exe
Token: SeBackupPrivilege	4560	LB3.exe
Token: SeSecurityPrivilege	4560	LB3.exe
Token: SeSecurityPrivilege	4560	LB3.exe
Token: SeBackupPrivilege	4560	LB3.exe
Token: SeBackupPrivilege	4560	LB3.exe
Token: SeSecurityPrivilege	4560	LB3.exe
Token: SeSecurityPrivilege	4560	LB3.exe
Token: SeBackupPrivilege	4560	LB3.exe
Token: SeBackupPrivilege	4560	LB3.exe
Token: SeSecurityPrivilege	4560	LB3.exe
Token: SeSecurityPrivilege	4560	LB3.exe
Token: SeBackupPrivilege	4560	LB3.exe
Token: SeBackupPrivilege	4560	LB3.exe
Token: SeSecurityPrivilege	4560	LB3.exe
Token: SeSecurityPrivilege	4560	LB3.exe
Token: SeBackupPrivilege	4560	LB3.exe
Token: SeBackupPrivilege	4560	LB3.exe
Token: SeSecurityPrivilege	4560	LB3.exe
Token: SeSecurityPrivilege	4560	LB3.exe
Token: SeBackupPrivilege	4560	LB3.exe
Token: SeBackupPrivilege	4560	LB3.exe
Token: SeSecurityPrivilege	4560	LB3.exe
Token: SeSecurityPrivilege	4560	LB3.exe

Suspicious use of FindShellTrayWindow 46 IoCs

pid	Process
2180	chrome.exe
2180	chrome.exe
2180	chrome.exe
2180	chrome.exe
2180	chrome.exe
2180	chrome.exe
2180	chrome.exe
2180	chrome.exe
2180	chrome.exe
2180	chrome.exe
2180	chrome.exe
2180	chrome.exe
2180	chrome.exe
2180	chrome.exe
2180	chrome.exe
2180	chrome.exe
2180	chrome.exe
2180	chrome.exe
2180	chrome.exe
2180	chrome.exe
2180	chrome.exe
2180	chrome.exe
2180	chrome.exe
2180	chrome.exe
2180	chrome.exe
2180	chrome.exe
2180	chrome.exe
2180	chrome.exe
2180	chrome.exe
2180	chrome.exe
2180	chrome.exe
2180	chrome.exe
2180	chrome.exe
2180	chrome.exe
2180	chrome.exe
2180	chrome.exe
2180	chrome.exe
2180	chrome.exe
2180	chrome.exe
2180	chrome.exe
2180	chrome.exe
2180	chrome.exe
2180	chrome.exe
2180	chrome.exe
2180	chrome.exe
4520	7zG.exe

Suspicious use of SendNotifyMessage 34 IoCs

pid	Process
2180	chrome.exe
2180	chrome.exe
2180	chrome.exe
2180	chrome.exe
2180	chrome.exe
2180	chrome.exe
2180	chrome.exe
2180	chrome.exe
2180	chrome.exe
2180	chrome.exe
2180	chrome.exe
2180	chrome.exe
2180	chrome.exe
2180	chrome.exe
2180	chrome.exe
2180	chrome.exe
2180	chrome.exe
2180	chrome.exe
2180	chrome.exe
2180	chrome.exe
2180	chrome.exe
2180	chrome.exe
2180	chrome.exe
2180	chrome.exe
2180	chrome.exe
2180	chrome.exe
2180	chrome.exe
2180	chrome.exe
2180	chrome.exe
2180	chrome.exe
2180	chrome.exe
2180	chrome.exe
2180	chrome.exe
2180	chrome.exe

Suspicious use of SetWindowsHookEx 34 IoCs

pid	Process
552	OpenWith.exe
552	OpenWith.exe
552	OpenWith.exe
552	OpenWith.exe
552	OpenWith.exe
3856	OpenWith.exe
3856	OpenWith.exe
3856	OpenWith.exe
3856	OpenWith.exe
3856	OpenWith.exe
3468	LB3Decryptor.exe
5012	OpenWith.exe
3500	OpenWith.exe
3500	OpenWith.exe
3500	OpenWith.exe
3500	OpenWith.exe
3500	OpenWith.exe
3500	OpenWith.exe
3500	OpenWith.exe
3500	OpenWith.exe
3500	OpenWith.exe
3500	OpenWith.exe
3500	OpenWith.exe
3500	OpenWith.exe
3500	OpenWith.exe
3500	OpenWith.exe
3500	OpenWith.exe
5116	WORDPAD.EXE
5116	WORDPAD.EXE
5116	WORDPAD.EXE
5116	WORDPAD.EXE
5116	WORDPAD.EXE
1232	OpenWith.exe
4888	LB3Decryptor.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2180 wrote to memory of 2516	2180	chrome.exe	66
PID 2180 wrote to memory of 2516	2180	chrome.exe	66
PID 2180 wrote to memory of 4116	2180	chrome.exe	68
PID 2180 wrote to memory of 4116	2180	chrome.exe	68
PID 2180 wrote to memory of 4116	2180	chrome.exe	68
PID 2180 wrote to memory of 4116	2180	chrome.exe	68
PID 2180 wrote to memory of 4116	2180	chrome.exe	68
PID 2180 wrote to memory of 4116	2180	chrome.exe	68
PID 2180 wrote to memory of 4116	2180	chrome.exe	68
PID 2180 wrote to memory of 4116	2180	chrome.exe	68
PID 2180 wrote to memory of 4116	2180	chrome.exe	68
PID 2180 wrote to memory of 4116	2180	chrome.exe	68
PID 2180 wrote to memory of 4116	2180	chrome.exe	68
PID 2180 wrote to memory of 4116	2180	chrome.exe	68
PID 2180 wrote to memory of 4116	2180	chrome.exe	68
PID 2180 wrote to memory of 4116	2180	chrome.exe	68
PID 2180 wrote to memory of 4116	2180	chrome.exe	68
PID 2180 wrote to memory of 4116	2180	chrome.exe	68
PID 2180 wrote to memory of 4116	2180	chrome.exe	68
PID 2180 wrote to memory of 4116	2180	chrome.exe	68
PID 2180 wrote to memory of 4116	2180	chrome.exe	68
PID 2180 wrote to memory of 4116	2180	chrome.exe	68
PID 2180 wrote to memory of 4116	2180	chrome.exe	68
PID 2180 wrote to memory of 4116	2180	chrome.exe	68
PID 2180 wrote to memory of 4116	2180	chrome.exe	68
PID 2180 wrote to memory of 4116	2180	chrome.exe	68
PID 2180 wrote to memory of 4116	2180	chrome.exe	68
PID 2180 wrote to memory of 4116	2180	chrome.exe	68
PID 2180 wrote to memory of 4116	2180	chrome.exe	68
PID 2180 wrote to memory of 4116	2180	chrome.exe	68
PID 2180 wrote to memory of 4116	2180	chrome.exe	68
PID 2180 wrote to memory of 4116	2180	chrome.exe	68
PID 2180 wrote to memory of 4116	2180	chrome.exe	68
PID 2180 wrote to memory of 4116	2180	chrome.exe	68
PID 2180 wrote to memory of 4116	2180	chrome.exe	68
PID 2180 wrote to memory of 4116	2180	chrome.exe	68
PID 2180 wrote to memory of 4116	2180	chrome.exe	68
PID 2180 wrote to memory of 4116	2180	chrome.exe	68
PID 2180 wrote to memory of 4116	2180	chrome.exe	68
PID 2180 wrote to memory of 4116	2180	chrome.exe	68
PID 2180 wrote to memory of 4116	2180	chrome.exe	68
PID 2180 wrote to memory of 4116	2180	chrome.exe	68
PID 2180 wrote to memory of 4852	2180	chrome.exe	69
PID 2180 wrote to memory of 4852	2180	chrome.exe	69
PID 2180 wrote to memory of 3356	2180	chrome.exe	70
PID 2180 wrote to memory of 3356	2180	chrome.exe	70
PID 2180 wrote to memory of 3356	2180	chrome.exe	70
PID 2180 wrote to memory of 3356	2180	chrome.exe	70
PID 2180 wrote to memory of 3356	2180	chrome.exe	70
PID 2180 wrote to memory of 3356	2180	chrome.exe	70
PID 2180 wrote to memory of 3356	2180	chrome.exe	70
PID 2180 wrote to memory of 3356	2180	chrome.exe	70
PID 2180 wrote to memory of 3356	2180	chrome.exe	70
PID 2180 wrote to memory of 3356	2180	chrome.exe	70
PID 2180 wrote to memory of 3356	2180	chrome.exe	70
PID 2180 wrote to memory of 3356	2180	chrome.exe	70
PID 2180 wrote to memory of 3356	2180	chrome.exe	70
PID 2180 wrote to memory of 3356	2180	chrome.exe	70
PID 2180 wrote to memory of 3356	2180	chrome.exe	70
PID 2180 wrote to memory of 3356	2180	chrome.exe	70
PID 2180 wrote to memory of 3356	2180	chrome.exe	70
PID 2180 wrote to memory of 3356	2180	chrome.exe	70
PID 2180 wrote to memory of 3356	2180	chrome.exe	70
PID 2180 wrote to memory of 3356	2180	chrome.exe	70

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" https://github.com/3xp0rt/LockBit-Black-Builder
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2180
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ff9e6c34f50,0x7ff9e6c34f60,0x7ff9e6c34f70
  2⤵
  PID:2516
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1508,16443914320743882411,2817091248448673532,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1520 /prefetch:2
  2⤵
  PID:4116
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1508,16443914320743882411,2817091248448673532,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1732 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4852
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1508,16443914320743882411,2817091248448673532,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2100 /prefetch:8
  2⤵
  PID:3356
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1508,16443914320743882411,2817091248448673532,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2884 /prefetch:1
  2⤵
  PID:2008
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1508,16443914320743882411,2817091248448673532,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2892 /prefetch:1
  2⤵
  PID:3368
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1508,16443914320743882411,2817091248448673532,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4044 /prefetch:8
  2⤵
  PID:760
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1508,16443914320743882411,2817091248448673532,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4460 /prefetch:8
  2⤵
  PID:4748
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1508,16443914320743882411,2817091248448673532,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4532 /prefetch:8
  2⤵
  PID:4752
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1508,16443914320743882411,2817091248448673532,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4680 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5104
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1508,16443914320743882411,2817091248448673532,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4688 /prefetch:8
  2⤵
  PID:4160
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1508,16443914320743882411,2817091248448673532,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4620 /prefetch:8
  2⤵
  PID:4604
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.FileUtilService --field-trial-handle=1508,16443914320743882411,2817091248448673532,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5116 /prefetch:8
  2⤵
  PID:2316
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1508,16443914320743882411,2817091248448673532,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5244 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4072
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1508,16443914320743882411,2817091248448673532,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5248 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4316
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1508,16443914320743882411,2817091248448673532,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5244 /prefetch:1
  2⤵
  PID:4340
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1508,16443914320743882411,2817091248448673532,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5140 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4992
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1508,16443914320743882411,2817091248448673532,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5244 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4960
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1508,16443914320743882411,2817091248448673532,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1432 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4716
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1508,16443914320743882411,2817091248448673532,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4320 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5060
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1508,16443914320743882411,2817091248448673532,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2476 /prefetch:8
  2⤵
  PID:3996
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1508,16443914320743882411,2817091248448673532,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1428 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2236
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1508,16443914320743882411,2817091248448673532,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2384 /prefetch:8
  2⤵
  PID:1392
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1508,16443914320743882411,2817091248448673532,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2004 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:824
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1508,16443914320743882411,2817091248448673532,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.15063.0 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=2404 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4856

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4660

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:552
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\LockBit-Black-Builder-main\LockBit-Black-Builder-main\README.md
  2⤵
  PID:308

C:\Program Files\Google\Chrome\Application\89.0.4389.114\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\89.0.4389.114\elevation_service.exe"
1⤵
- Drops file in Program Files directory
PID:5020
- C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir5020_942308856\ChromeRecovery.exe
  "C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir5020_942308856\ChromeRecovery.exe" --appguid={8A69D345-D564-463c-AFF1-A69D9E530F96} --browser-version=89.0.4389.114 --sessionid={20319e91-cc8a-4f84-a435-7d4c6ff40884} --system
  2⤵
  - Executes dropped EXE
  PID:2908

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\LockBit-Black-Builder-main\LockBit-Black-Builder-main\LockBit30\" -spe -an -ai#7zMap28685:182:7zEvent5733
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4520

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3856
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\LockBit-Black-Builder-main\LockBit-Black-Builder-main\LockBit30\config.json
  2⤵
  PID:4336

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\LockBit-Black-Builder-main\LockBit-Black-Builder-main\LockBit30\Build.bat" "
1⤵
PID:4900
- C:\Users\Admin\Desktop\LockBit-Black-Builder-main\LockBit-Black-Builder-main\LockBit30\keygen.exe
  keygen -path C:\Users\Admin\Desktop\LockBit-Black-Builder-main\LockBit-Black-Builder-main\LockBit30\Build -pubkey pub.key -privkey priv.key
  2⤵
  - Executes dropped EXE
  PID:4560
- C:\Users\Admin\Desktop\LockBit-Black-Builder-main\LockBit-Black-Builder-main\LockBit30\builder.exe
  builder -type dec -privkey C:\Users\Admin\Desktop\LockBit-Black-Builder-main\LockBit-Black-Builder-main\LockBit30\Build\priv.key -config config.json -ofile C:\Users\Admin\Desktop\LockBit-Black-Builder-main\LockBit-Black-Builder-main\LockBit30\Build\LB3Decryptor.exe
  2⤵
  - Executes dropped EXE
  PID:5076
- C:\Users\Admin\Desktop\LockBit-Black-Builder-main\LockBit-Black-Builder-main\LockBit30\builder.exe
  builder -type enc -exe -pubkey C:\Users\Admin\Desktop\LockBit-Black-Builder-main\LockBit-Black-Builder-main\LockBit30\Build\pub.key -config config.json -ofile C:\Users\Admin\Desktop\LockBit-Black-Builder-main\LockBit-Black-Builder-main\LockBit30\Build\LB3.exe
  2⤵
  - Executes dropped EXE
  PID:4684
- C:\Users\Admin\Desktop\LockBit-Black-Builder-main\LockBit-Black-Builder-main\LockBit30\builder.exe
  builder -type enc -exe -pass -pubkey C:\Users\Admin\Desktop\LockBit-Black-Builder-main\LockBit-Black-Builder-main\LockBit30\Build\pub.key -config config.json -ofile C:\Users\Admin\Desktop\LockBit-Black-Builder-main\LockBit-Black-Builder-main\LockBit30\Build\LB3_pass.exe
  2⤵
  - Executes dropped EXE
  PID:1780
- C:\Users\Admin\Desktop\LockBit-Black-Builder-main\LockBit-Black-Builder-main\LockBit30\builder.exe
  builder -type enc -dll -pubkey C:\Users\Admin\Desktop\LockBit-Black-Builder-main\LockBit-Black-Builder-main\LockBit30\Build\pub.key -config config.json -ofile C:\Users\Admin\Desktop\LockBit-Black-Builder-main\LockBit-Black-Builder-main\LockBit30\Build\LB3_Rundll32.dll
  2⤵
  - Executes dropped EXE
  PID:3828
- C:\Users\Admin\Desktop\LockBit-Black-Builder-main\LockBit-Black-Builder-main\LockBit30\builder.exe
  builder -type enc -dll -pass -pubkey C:\Users\Admin\Desktop\LockBit-Black-Builder-main\LockBit-Black-Builder-main\LockBit30\Build\pub.key -config config.json -ofile C:\Users\Admin\Desktop\LockBit-Black-Builder-main\LockBit-Black-Builder-main\LockBit30\Build\LB3_Rundll32_pass.dll
  2⤵
  - Executes dropped EXE
  PID:3784
- C:\Users\Admin\Desktop\LockBit-Black-Builder-main\LockBit-Black-Builder-main\LockBit30\builder.exe
  builder -type enc -ref -pubkey C:\Users\Admin\Desktop\LockBit-Black-Builder-main\LockBit-Black-Builder-main\LockBit30\Build\pub.key -config config.json -ofile C:\Users\Admin\Desktop\LockBit-Black-Builder-main\LockBit-Black-Builder-main\LockBit30\Build\LB3_ReflectiveDll_DllMain.dll
  2⤵
  - Executes dropped EXE
  PID:4652

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\OpenClear.ps1xml
1⤵
- Opens file in notepad (likely ransom note)
PID:4860

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\tte.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:744

C:\Users\Admin\Desktop\LockBit-Black-Builder-main\LockBit-Black-Builder-main\LockBit30\Build\LB3.exe
"C:\Users\Admin\Desktop\LockBit-Black-Builder-main\LockBit-Black-Builder-main\LockBit30\Build\LB3.exe"
1⤵
- Executes dropped EXE
- Modifies extensions of user files
- Drops desktop.ini file(s)
- Sets desktop wallpaper using registry
- Modifies Control Panel
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4560
- C:\ProgramData\4373.tmp
  "C:\ProgramData\4373.tmp"
  2⤵
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  PID:4148
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\4373.tmp >> NUL
    3⤵
    PID:2436

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -s tiledatamodelsvc
1⤵
- Drops file in Windows directory
PID:4812

C:\Users\Admin\Desktop\LB3Decryptor.exe
"C:\Users\Admin\Desktop\LB3Decryptor.exe"
1⤵
- Executes dropped EXE
- Modifies extensions of user files
- Sets desktop wallpaper using registry
- Modifies Control Panel
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3468

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\tte - Copia.txt
1⤵
PID:3852

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:5012

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:3500
- C:\Program Files\Windows NT\Accessories\WORDPAD.EXE
  "C:\Program Files\Windows NT\Accessories\WORDPAD.EXE" "C:\Users\Admin\Desktop\LockBit-Black-Builder-main\LockBit-Black-Builder-main\LockBit30\config.json"
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:5116

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\LockBit-Black-Builder-main\LockBit-Black-Builder-main\LockBit30\Build.bat" "
1⤵
PID:3216
- C:\Users\Admin\Desktop\LockBit-Black-Builder-main\LockBit-Black-Builder-main\LockBit30\keygen.exe
  keygen -path C:\Users\Admin\Desktop\LockBit-Black-Builder-main\LockBit-Black-Builder-main\LockBit30\Build -pubkey pub.key -privkey priv.key
  2⤵
  - Executes dropped EXE
  PID:4116
- C:\Users\Admin\Desktop\LockBit-Black-Builder-main\LockBit-Black-Builder-main\LockBit30\builder.exe
  builder -type dec -privkey C:\Users\Admin\Desktop\LockBit-Black-Builder-main\LockBit-Black-Builder-main\LockBit30\Build\priv.key -config config.json -ofile C:\Users\Admin\Desktop\LockBit-Black-Builder-main\LockBit-Black-Builder-main\LockBit30\Build\LB3Decryptor.exe
  2⤵
  - Executes dropped EXE
  PID:4728
- C:\Users\Admin\Desktop\LockBit-Black-Builder-main\LockBit-Black-Builder-main\LockBit30\builder.exe
  builder -type enc -exe -pubkey C:\Users\Admin\Desktop\LockBit-Black-Builder-main\LockBit-Black-Builder-main\LockBit30\Build\pub.key -config config.json -ofile C:\Users\Admin\Desktop\LockBit-Black-Builder-main\LockBit-Black-Builder-main\LockBit30\Build\LB3.exe
  2⤵
  - Executes dropped EXE
  PID:4976
- C:\Users\Admin\Desktop\LockBit-Black-Builder-main\LockBit-Black-Builder-main\LockBit30\builder.exe
  builder -type enc -exe -pass -pubkey C:\Users\Admin\Desktop\LockBit-Black-Builder-main\LockBit-Black-Builder-main\LockBit30\Build\pub.key -config config.json -ofile C:\Users\Admin\Desktop\LockBit-Black-Builder-main\LockBit-Black-Builder-main\LockBit30\Build\LB3_pass.exe
  2⤵
  - Executes dropped EXE
  PID:1248
- C:\Users\Admin\Desktop\LockBit-Black-Builder-main\LockBit-Black-Builder-main\LockBit30\builder.exe
  builder -type enc -dll -pubkey C:\Users\Admin\Desktop\LockBit-Black-Builder-main\LockBit-Black-Builder-main\LockBit30\Build\pub.key -config config.json -ofile C:\Users\Admin\Desktop\LockBit-Black-Builder-main\LockBit-Black-Builder-main\LockBit30\Build\LB3_Rundll32.dll
  2⤵
  - Executes dropped EXE
  PID:4948
- C:\Users\Admin\Desktop\LockBit-Black-Builder-main\LockBit-Black-Builder-main\LockBit30\builder.exe
  builder -type enc -dll -pass -pubkey C:\Users\Admin\Desktop\LockBit-Black-Builder-main\LockBit-Black-Builder-main\LockBit30\Build\pub.key -config config.json -ofile C:\Users\Admin\Desktop\LockBit-Black-Builder-main\LockBit-Black-Builder-main\LockBit30\Build\LB3_Rundll32_pass.dll
  2⤵
  - Executes dropped EXE
  PID:1940
- C:\Users\Admin\Desktop\LockBit-Black-Builder-main\LockBit-Black-Builder-main\LockBit30\builder.exe
  builder -type enc -ref -pubkey C:\Users\Admin\Desktop\LockBit-Black-Builder-main\LockBit-Black-Builder-main\LockBit30\Build\pub.key -config config.json -ofile C:\Users\Admin\Desktop\LockBit-Black-Builder-main\LockBit-Black-Builder-main\LockBit30\Build\LB3_ReflectiveDll_DllMain.dll
  2⤵
  - Executes dropped EXE
  PID:3116

C:\Users\Admin\Desktop\LockBit-Black-Builder-main\LockBit-Black-Builder-main\LockBit30\Build\LB3.exe
"C:\Users\Admin\Desktop\LockBit-Black-Builder-main\LockBit-Black-Builder-main\LockBit30\Build\LB3.exe"
1⤵
- Executes dropped EXE
- Modifies extensions of user files
- Drops desktop.ini file(s)
- Sets desktop wallpaper using registry
- Modifies Control Panel
- Modifies registry class
PID:3516
- C:\ProgramData\8D72.tmp
  "C:\ProgramData\8D72.tmp"
  2⤵
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  PID:2460
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\8D72.tmp >> NUL
    3⤵
    PID:188

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -s tiledatamodelsvc
1⤵
- Drops file in Windows directory
PID:5092

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1232

C:\Users\Admin\Desktop\LB3Decryptor.exe
"C:\Users\Admin\Desktop\LB3Decryptor.exe"
1⤵
- Executes dropped EXE
- Modifies extensions of user files
- Sets desktop wallpaper using registry
- Modifies Control Panel
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4888

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\tte - Copia.txt
1⤵
PID:1872

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2482096546-1136599444-1359412500-1000\AAAAAAAAAAA

Filesize
129B

MD5
87b109b0065c9548907bcd1b11aa9699

SHA1
d085a98b3d3146c8d71b48befce502d970b43132

SHA256
e10af7b6cf07faf373e0d6c9368fce81e6d514b2747ef6c3bd6a80981a461c1e

SHA512
bbad9ea313abdeb2a3093a8efc27b14b3725e0507d9aa5834da900d39930fb9d9dc4e0a7390bb183019494fe4a356166a52be83c9eeb470a3651b1d13ceefcc8

Download Submit
C:\$Recycle.Bin\S-1-5-21-2482096546-1136599444-1359412500-1000\BBBBBBBBBBB

Filesize
129B

MD5
87b109b0065c9548907bcd1b11aa9699

SHA1
d085a98b3d3146c8d71b48befce502d970b43132

SHA256
e10af7b6cf07faf373e0d6c9368fce81e6d514b2747ef6c3bd6a80981a461c1e

SHA512
bbad9ea313abdeb2a3093a8efc27b14b3725e0507d9aa5834da900d39930fb9d9dc4e0a7390bb183019494fe4a356166a52be83c9eeb470a3651b1d13ceefcc8

Download Submit
C:\$Recycle.Bin\S-1-5-21-2482096546-1136599444-1359412500-1000\CCCCCCCCCCC

Filesize
129B

MD5
87b109b0065c9548907bcd1b11aa9699

SHA1
d085a98b3d3146c8d71b48befce502d970b43132

SHA256
e10af7b6cf07faf373e0d6c9368fce81e6d514b2747ef6c3bd6a80981a461c1e

SHA512
bbad9ea313abdeb2a3093a8efc27b14b3725e0507d9aa5834da900d39930fb9d9dc4e0a7390bb183019494fe4a356166a52be83c9eeb470a3651b1d13ceefcc8

Download Submit
C:\$Recycle.Bin\S-1-5-21-2482096546-1136599444-1359412500-1000\DDDDDDDDDDD

Filesize
129B

MD5
87b109b0065c9548907bcd1b11aa9699

SHA1
d085a98b3d3146c8d71b48befce502d970b43132

SHA256
e10af7b6cf07faf373e0d6c9368fce81e6d514b2747ef6c3bd6a80981a461c1e

SHA512
bbad9ea313abdeb2a3093a8efc27b14b3725e0507d9aa5834da900d39930fb9d9dc4e0a7390bb183019494fe4a356166a52be83c9eeb470a3651b1d13ceefcc8

Download Submit
C:\$Recycle.Bin\S-1-5-21-2482096546-1136599444-1359412500-1000\EEEEEEEEEEE

Filesize
129B

MD5
87b109b0065c9548907bcd1b11aa9699

SHA1
d085a98b3d3146c8d71b48befce502d970b43132

SHA256
e10af7b6cf07faf373e0d6c9368fce81e6d514b2747ef6c3bd6a80981a461c1e

SHA512
bbad9ea313abdeb2a3093a8efc27b14b3725e0507d9aa5834da900d39930fb9d9dc4e0a7390bb183019494fe4a356166a52be83c9eeb470a3651b1d13ceefcc8

Download Submit
C:\$Recycle.Bin\S-1-5-21-2482096546-1136599444-1359412500-1000\FFFFFFFFFFF

Filesize
129B

MD5
87b109b0065c9548907bcd1b11aa9699

SHA1
d085a98b3d3146c8d71b48befce502d970b43132

SHA256
e10af7b6cf07faf373e0d6c9368fce81e6d514b2747ef6c3bd6a80981a461c1e

SHA512
bbad9ea313abdeb2a3093a8efc27b14b3725e0507d9aa5834da900d39930fb9d9dc4e0a7390bb183019494fe4a356166a52be83c9eeb470a3651b1d13ceefcc8

Download Submit
C:\$Recycle.Bin\S-1-5-21-2482096546-1136599444-1359412500-1000\GGGGGGGGGGG

Filesize
129B

MD5
87b109b0065c9548907bcd1b11aa9699

SHA1
d085a98b3d3146c8d71b48befce502d970b43132

SHA256
e10af7b6cf07faf373e0d6c9368fce81e6d514b2747ef6c3bd6a80981a461c1e

SHA512
bbad9ea313abdeb2a3093a8efc27b14b3725e0507d9aa5834da900d39930fb9d9dc4e0a7390bb183019494fe4a356166a52be83c9eeb470a3651b1d13ceefcc8

Download Submit
C:\$Recycle.Bin\S-1-5-21-2482096546-1136599444-1359412500-1000\HHHHHHHHHHH

Filesize
129B

MD5
87b109b0065c9548907bcd1b11aa9699

SHA1
d085a98b3d3146c8d71b48befce502d970b43132

SHA256
e10af7b6cf07faf373e0d6c9368fce81e6d514b2747ef6c3bd6a80981a461c1e

SHA512
bbad9ea313abdeb2a3093a8efc27b14b3725e0507d9aa5834da900d39930fb9d9dc4e0a7390bb183019494fe4a356166a52be83c9eeb470a3651b1d13ceefcc8

Download Submit
C:\$Recycle.Bin\S-1-5-21-2482096546-1136599444-1359412500-1000\IIIIIIIIIII

Filesize
129B

MD5
87b109b0065c9548907bcd1b11aa9699

SHA1
d085a98b3d3146c8d71b48befce502d970b43132

SHA256
e10af7b6cf07faf373e0d6c9368fce81e6d514b2747ef6c3bd6a80981a461c1e

SHA512
bbad9ea313abdeb2a3093a8efc27b14b3725e0507d9aa5834da900d39930fb9d9dc4e0a7390bb183019494fe4a356166a52be83c9eeb470a3651b1d13ceefcc8

Download Submit
C:\$Recycle.Bin\S-1-5-21-2482096546-1136599444-1359412500-1000\JJJJJJJJJJJ

Filesize
129B

MD5
87b109b0065c9548907bcd1b11aa9699

SHA1
d085a98b3d3146c8d71b48befce502d970b43132

SHA256
e10af7b6cf07faf373e0d6c9368fce81e6d514b2747ef6c3bd6a80981a461c1e

SHA512
bbad9ea313abdeb2a3093a8efc27b14b3725e0507d9aa5834da900d39930fb9d9dc4e0a7390bb183019494fe4a356166a52be83c9eeb470a3651b1d13ceefcc8

Download Submit
C:\$Recycle.Bin\S-1-5-21-2482096546-1136599444-1359412500-1000\KKKKKKKKKKK

Filesize
129B

MD5
87b109b0065c9548907bcd1b11aa9699

SHA1
d085a98b3d3146c8d71b48befce502d970b43132

SHA256
e10af7b6cf07faf373e0d6c9368fce81e6d514b2747ef6c3bd6a80981a461c1e

SHA512
bbad9ea313abdeb2a3093a8efc27b14b3725e0507d9aa5834da900d39930fb9d9dc4e0a7390bb183019494fe4a356166a52be83c9eeb470a3651b1d13ceefcc8

Download Submit
C:\$Recycle.Bin\S-1-5-21-2482096546-1136599444-1359412500-1000\LLLLLLLLLLL

Filesize
129B

MD5
87b109b0065c9548907bcd1b11aa9699

SHA1
d085a98b3d3146c8d71b48befce502d970b43132

SHA256
e10af7b6cf07faf373e0d6c9368fce81e6d514b2747ef6c3bd6a80981a461c1e

SHA512
bbad9ea313abdeb2a3093a8efc27b14b3725e0507d9aa5834da900d39930fb9d9dc4e0a7390bb183019494fe4a356166a52be83c9eeb470a3651b1d13ceefcc8

Download Submit
C:\$Recycle.Bin\S-1-5-21-2482096546-1136599444-1359412500-1000\MMMMMMMMMMM

Filesize
129B

MD5
87b109b0065c9548907bcd1b11aa9699

SHA1
d085a98b3d3146c8d71b48befce502d970b43132

SHA256
e10af7b6cf07faf373e0d6c9368fce81e6d514b2747ef6c3bd6a80981a461c1e

SHA512
bbad9ea313abdeb2a3093a8efc27b14b3725e0507d9aa5834da900d39930fb9d9dc4e0a7390bb183019494fe4a356166a52be83c9eeb470a3651b1d13ceefcc8

Download Submit
C:\$Recycle.Bin\S-1-5-21-2482096546-1136599444-1359412500-1000\NNNNNNNNNNN

Filesize
129B

MD5
87b109b0065c9548907bcd1b11aa9699

SHA1
d085a98b3d3146c8d71b48befce502d970b43132

SHA256
e10af7b6cf07faf373e0d6c9368fce81e6d514b2747ef6c3bd6a80981a461c1e

SHA512
bbad9ea313abdeb2a3093a8efc27b14b3725e0507d9aa5834da900d39930fb9d9dc4e0a7390bb183019494fe4a356166a52be83c9eeb470a3651b1d13ceefcc8

Download Submit
C:\$Recycle.Bin\S-1-5-21-2482096546-1136599444-1359412500-1000\OOOOOOOOOOO

Filesize
129B

MD5
87b109b0065c9548907bcd1b11aa9699

SHA1
d085a98b3d3146c8d71b48befce502d970b43132

SHA256
e10af7b6cf07faf373e0d6c9368fce81e6d514b2747ef6c3bd6a80981a461c1e

SHA512
bbad9ea313abdeb2a3093a8efc27b14b3725e0507d9aa5834da900d39930fb9d9dc4e0a7390bb183019494fe4a356166a52be83c9eeb470a3651b1d13ceefcc8

Download Submit
C:\$Recycle.Bin\S-1-5-21-2482096546-1136599444-1359412500-1000\PPPPPPPPPPP

Filesize
129B

MD5
87b109b0065c9548907bcd1b11aa9699

SHA1
d085a98b3d3146c8d71b48befce502d970b43132

SHA256
e10af7b6cf07faf373e0d6c9368fce81e6d514b2747ef6c3bd6a80981a461c1e

SHA512
bbad9ea313abdeb2a3093a8efc27b14b3725e0507d9aa5834da900d39930fb9d9dc4e0a7390bb183019494fe4a356166a52be83c9eeb470a3651b1d13ceefcc8

Download Submit
C:\$Recycle.Bin\S-1-5-21-2482096546-1136599444-1359412500-1000\QQQQQQQQQQQ

Filesize
129B

MD5
87b109b0065c9548907bcd1b11aa9699

SHA1
d085a98b3d3146c8d71b48befce502d970b43132

SHA256
e10af7b6cf07faf373e0d6c9368fce81e6d514b2747ef6c3bd6a80981a461c1e

SHA512
bbad9ea313abdeb2a3093a8efc27b14b3725e0507d9aa5834da900d39930fb9d9dc4e0a7390bb183019494fe4a356166a52be83c9eeb470a3651b1d13ceefcc8

Download Submit
C:\$Recycle.Bin\S-1-5-21-2482096546-1136599444-1359412500-1000\RRRRRRRRRRR

Filesize
129B

MD5
87b109b0065c9548907bcd1b11aa9699

SHA1
d085a98b3d3146c8d71b48befce502d970b43132

SHA256
e10af7b6cf07faf373e0d6c9368fce81e6d514b2747ef6c3bd6a80981a461c1e

SHA512
bbad9ea313abdeb2a3093a8efc27b14b3725e0507d9aa5834da900d39930fb9d9dc4e0a7390bb183019494fe4a356166a52be83c9eeb470a3651b1d13ceefcc8

Download Submit
C:\$Recycle.Bin\S-1-5-21-2482096546-1136599444-1359412500-1000\SSSSSSSSSSS

Filesize
129B

MD5
87b109b0065c9548907bcd1b11aa9699

SHA1
d085a98b3d3146c8d71b48befce502d970b43132

SHA256
e10af7b6cf07faf373e0d6c9368fce81e6d514b2747ef6c3bd6a80981a461c1e

SHA512
bbad9ea313abdeb2a3093a8efc27b14b3725e0507d9aa5834da900d39930fb9d9dc4e0a7390bb183019494fe4a356166a52be83c9eeb470a3651b1d13ceefcc8

Download Submit
C:\$Recycle.Bin\S-1-5-21-2482096546-1136599444-1359412500-1000\TTTTTTTTTTT

Filesize
129B

MD5
87b109b0065c9548907bcd1b11aa9699

SHA1
d085a98b3d3146c8d71b48befce502d970b43132

SHA256
e10af7b6cf07faf373e0d6c9368fce81e6d514b2747ef6c3bd6a80981a461c1e

SHA512
bbad9ea313abdeb2a3093a8efc27b14b3725e0507d9aa5834da900d39930fb9d9dc4e0a7390bb183019494fe4a356166a52be83c9eeb470a3651b1d13ceefcc8

Download Submit
C:\$Recycle.Bin\S-1-5-21-2482096546-1136599444-1359412500-1000\desktop.ini

Filesize
129B

MD5
87b109b0065c9548907bcd1b11aa9699

SHA1
d085a98b3d3146c8d71b48befce502d970b43132

SHA256
e10af7b6cf07faf373e0d6c9368fce81e6d514b2747ef6c3bd6a80981a461c1e

SHA512
bbad9ea313abdeb2a3093a8efc27b14b3725e0507d9aa5834da900d39930fb9d9dc4e0a7390bb183019494fe4a356166a52be83c9eeb470a3651b1d13ceefcc8

Download Submit
C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir5020_942308856\ChromeRecovery.exe

Filesize
253KB

MD5
49ac3c96d270702a27b4895e4ce1f42a

SHA1
55b90405f1e1b72143c64113e8bc65608dd3fd76

SHA256
82aa3fd6a25cda9e16689cfadea175091be010cecae537e517f392e0bef5ba0f

SHA512
b62f6501cb4c992d42d9097e356805c88ac4ac5a46ead4a8eee9f8cbae197b2305da8aab5b4a61891fe73951588025f2d642c32524b360687993f98c913138a0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\RecoveryImproved\1.3.36.141\Recovery.crx3

Filesize
141KB

MD5
ea1c1ffd3ea54d1fb117bfdbb3569c60

SHA1
10958b0f690ae8f5240e1528b1ccffff28a33272

SHA256
7c3a6a7d16ac44c3200f572a764bce7d8fa84b9572dd028b15c59bdccbc0a77d

SHA512
6c30728cac9eac53f0b27b7dbe2222da83225c3b63617d6b271a6cfedf18e8f0a8dffa1053e1cbc4c5e16625f4bbc0d03aa306a946c9d72faa4ceb779f8ffcaf

Download Submit
C:\Users\Admin\Desktop\LockBit-Black-Builder-main\LockBit-Black-Builder-main\LockBit30\Build.bat

Filesize
741B

MD5
4e46e28b2e61643f6af70a8b19e5cb1f

SHA1
804a1d0c4a280b18e778e4b97f85562fa6d5a4e6

SHA256
8e83a1727696ced618289f79674b97305d88beeeabf46bd25fc77ac53c1ae339

SHA512
009b17b515ff0ea612e54d8751eef07f1e2b54db07e6cd69a95e7adf775f3c79a0ea91bff2fe593f2314807fdc00c75d80f1807b7dbe90f0fcf94607e675047b

Download Submit
C:\Users\Admin\Desktop\LockBit-Black-Builder-main\LockBit-Black-Builder-main\LockBit30\Build\LB3.exe

Filesize
153KB

MD5
ea4612a8f1527e076d251a5de0eebd17

SHA1
bd4daa56cc71a509d42b634b1cea8fa8f9e7604f

SHA256
4c36fc146fee7e6c3334e279f3f944e75650e0a17caab9c00e787c4f8d6f9eda

SHA512
93373b52347232759d348e771aaf2a68610c788e7e1b04161439737acd4410f00943f10f26c737162dc032a11bff988e3aefaa31dcc1b8581d8efda07e14c0cf

Download Submit
C:\Users\Admin\Desktop\LockBit-Black-Builder-main\LockBit-Black-Builder-main\LockBit30\Build\LB3.exe

Filesize
153KB

MD5
ea4612a8f1527e076d251a5de0eebd17

SHA1
bd4daa56cc71a509d42b634b1cea8fa8f9e7604f

SHA256
4c36fc146fee7e6c3334e279f3f944e75650e0a17caab9c00e787c4f8d6f9eda

SHA512
93373b52347232759d348e771aaf2a68610c788e7e1b04161439737acd4410f00943f10f26c737162dc032a11bff988e3aefaa31dcc1b8581d8efda07e14c0cf

Download Submit
C:\Users\Admin\Desktop\LockBit-Black-Builder-main\LockBit-Black-Builder-main\LockBit30\Build\priv.key

Filesize
344B

MD5
0eeef6d57d61d5aff96fb4f6db130621

SHA1
98e4af3368dd1b40f349c561bba6db9294d2e737

SHA256
a59165acd2b099febdb25853e5e6fb3b357fa2cb808cdc8bf60a1b4782c33fa9

SHA512
5fbbe99791c33c653e66a0518b8d2846200c867ddd07c6195bcad7344a168a53cb3130872a5bdb97df2ab3155814de67ddfcefd51ee2173f42058cf23d768026

Download Submit
C:\Users\Admin\Desktop\LockBit-Black-Builder-main\LockBit-Black-Builder-main\LockBit30\Build\pub.key

Filesize
344B

MD5
982aa064c1ee0b32ab63d3e2247c4da7

SHA1
06ecbb94752078cce145ab6b7f04ff8237af30e3

SHA256
ec62377187e41598792288208938d4c11a7c815cd43f0e363dafc583a18c33fa

SHA512
c2a842bcccd77d93c065f4a5ec8dd6f894f1c86803a5311cb59c78a56bbfa47792ae5ad054f005e42ee036a125bb4b9d512ffabbb6de6b01b0f09327cda8b6ba

Download Submit
C:\Users\Admin\Desktop\LockBit-Black-Builder-main\LockBit-Black-Builder-main\LockBit30\builder.exe

Filesize
469KB

MD5
c2bc344f6dde0573ea9acdfb6698bf4c

SHA1
d6ae7dc2462c8c35c4a074b0a62f07cfef873c77

SHA256
a736269f5f3a9f2e11dd776e352e1801bc28bb699e47876784b8ef761e0062db

SHA512
d60cf86c0267cd4e88d21768665bbb43f3048dace1e0013b2361c5bfabf2656ff6215dfb75b6932e09545473305b4f707c069721cdde317b1df1709cd9fc61c0

Download Submit
C:\Users\Admin\Desktop\LockBit-Black-Builder-main\LockBit-Black-Builder-main\LockBit30\builder.exe

Filesize
469KB

MD5
c2bc344f6dde0573ea9acdfb6698bf4c

SHA1
d6ae7dc2462c8c35c4a074b0a62f07cfef873c77

SHA256
a736269f5f3a9f2e11dd776e352e1801bc28bb699e47876784b8ef761e0062db

SHA512
d60cf86c0267cd4e88d21768665bbb43f3048dace1e0013b2361c5bfabf2656ff6215dfb75b6932e09545473305b4f707c069721cdde317b1df1709cd9fc61c0

Download Submit
C:\Users\Admin\Desktop\LockBit-Black-Builder-main\LockBit-Black-Builder-main\LockBit30\builder.exe

Filesize
469KB

MD5
c2bc344f6dde0573ea9acdfb6698bf4c

SHA1
d6ae7dc2462c8c35c4a074b0a62f07cfef873c77

SHA256
a736269f5f3a9f2e11dd776e352e1801bc28bb699e47876784b8ef761e0062db

SHA512
d60cf86c0267cd4e88d21768665bbb43f3048dace1e0013b2361c5bfabf2656ff6215dfb75b6932e09545473305b4f707c069721cdde317b1df1709cd9fc61c0

Download Submit
C:\Users\Admin\Desktop\LockBit-Black-Builder-main\LockBit-Black-Builder-main\LockBit30\builder.exe

Filesize
469KB

MD5
c2bc344f6dde0573ea9acdfb6698bf4c

SHA1
d6ae7dc2462c8c35c4a074b0a62f07cfef873c77

SHA256
a736269f5f3a9f2e11dd776e352e1801bc28bb699e47876784b8ef761e0062db

SHA512
d60cf86c0267cd4e88d21768665bbb43f3048dace1e0013b2361c5bfabf2656ff6215dfb75b6932e09545473305b4f707c069721cdde317b1df1709cd9fc61c0

Download Submit
C:\Users\Admin\Desktop\LockBit-Black-Builder-main\LockBit-Black-Builder-main\LockBit30\builder.exe

Filesize
469KB

MD5
c2bc344f6dde0573ea9acdfb6698bf4c

SHA1
d6ae7dc2462c8c35c4a074b0a62f07cfef873c77

SHA256
a736269f5f3a9f2e11dd776e352e1801bc28bb699e47876784b8ef761e0062db

SHA512
d60cf86c0267cd4e88d21768665bbb43f3048dace1e0013b2361c5bfabf2656ff6215dfb75b6932e09545473305b4f707c069721cdde317b1df1709cd9fc61c0

Download Submit
C:\Users\Admin\Desktop\LockBit-Black-Builder-main\LockBit-Black-Builder-main\LockBit30\builder.exe

Filesize
469KB

MD5
c2bc344f6dde0573ea9acdfb6698bf4c

SHA1
d6ae7dc2462c8c35c4a074b0a62f07cfef873c77

SHA256
a736269f5f3a9f2e11dd776e352e1801bc28bb699e47876784b8ef761e0062db

SHA512
d60cf86c0267cd4e88d21768665bbb43f3048dace1e0013b2361c5bfabf2656ff6215dfb75b6932e09545473305b4f707c069721cdde317b1df1709cd9fc61c0

Download Submit
C:\Users\Admin\Desktop\LockBit-Black-Builder-main\LockBit-Black-Builder-main\LockBit30\builder.exe

Filesize
469KB

MD5
c2bc344f6dde0573ea9acdfb6698bf4c

SHA1
d6ae7dc2462c8c35c4a074b0a62f07cfef873c77

SHA256
a736269f5f3a9f2e11dd776e352e1801bc28bb699e47876784b8ef761e0062db

SHA512
d60cf86c0267cd4e88d21768665bbb43f3048dace1e0013b2361c5bfabf2656ff6215dfb75b6932e09545473305b4f707c069721cdde317b1df1709cd9fc61c0

Download Submit
C:\Users\Admin\Desktop\LockBit-Black-Builder-main\LockBit-Black-Builder-main\LockBit30\config.json

Filesize
8KB

MD5
a6ba7b662de10b45ebe5b6b7edaa62a9

SHA1
f3ed67bdaef070cd5a213b89d53c5b8022d6f266

SHA256
3f7518d88aefd4b1e0a1d6f9748f9a9960c1271d679600e34f5065d8df8c9dc8

SHA512
7fc9d4d61742a26def74c7dd86838482e3fc1e4e065cb3a06ae151e2c8614c9c36e8816ae0a3560ad5dd3cc02be131cb232c7deacc7f7b5a611e8eec790feea1

Download Submit
C:\Users\Admin\Desktop\LockBit-Black-Builder-main\LockBit-Black-Builder-main\LockBit30\config.json

Filesize
8KB

MD5
af933cd61affa1ec8d44f8198be3f21f

SHA1
278ed051fbbeb8f3f4b7823f90b95ba525e378fa

SHA256
a6ed120dcaa50101fea183191d582b7b7f9fd2c3b025bdba31955559ab05331e

SHA512
856b0c91c6bf18324735664e508df162e36c00e8fc83b9373714886a9cb531142c840a8f1f2a52b8e9c54714e07c988488292a542155b96b621a1eb07b123de0

Download Submit
C:\Users\Admin\Desktop\LockBit-Black-Builder-main\LockBit-Black-Builder-main\LockBit30\keygen.exe

Filesize
31KB

MD5
71c3b2f765b04d0b7ea0328f6ce0c4e2

SHA1
bf8ecb6519f16a4838ceb0a49097bcc3ef30f3c4

SHA256
ea6d4dedd8c85e4a6bb60408a0dc1d56def1f4ad4f069c730dc5431b1c23da37

SHA512
1923db134d7cee25389a07e4d48894dde7ee8f70d008cd890dd34a03b2741a54ec1555e6821755e5af8eae377ef5005e3f9afceb4681059bc1880276e9bcf035

Download Submit
C:\Users\Admin\Desktop\LockBit-Black-Builder-main\LockBit-Black-Builder-main\LockBit30\keygen.exe

Filesize
31KB

MD5
71c3b2f765b04d0b7ea0328f6ce0c4e2

SHA1
bf8ecb6519f16a4838ceb0a49097bcc3ef30f3c4

SHA256
ea6d4dedd8c85e4a6bb60408a0dc1d56def1f4ad4f069c730dc5431b1c23da37

SHA512
1923db134d7cee25389a07e4d48894dde7ee8f70d008cd890dd34a03b2741a54ec1555e6821755e5af8eae377ef5005e3f9afceb4681059bc1880276e9bcf035

Download Submit
memory/2460-969-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/2908-154-0x0000000077720000-0x00000000778AE000-memory.dmp

Filesize
1.6MB

Download
memory/2908-136-0x0000000077720000-0x00000000778AE000-memory.dmp

Filesize
1.6MB

Download
memory/2908-172-0x0000000077720000-0x00000000778AE000-memory.dmp

Filesize
1.6MB

Download
memory/2908-173-0x0000000077720000-0x00000000778AE000-memory.dmp

Filesize
1.6MB

Download
memory/2908-174-0x0000000077720000-0x00000000778AE000-memory.dmp

Filesize
1.6MB

Download
memory/2908-175-0x0000000077720000-0x00000000778AE000-memory.dmp

Filesize
1.6MB

Download
memory/2908-176-0x0000000077720000-0x00000000778AE000-memory.dmp

Filesize
1.6MB

Download
memory/2908-177-0x0000000077720000-0x00000000778AE000-memory.dmp

Filesize
1.6MB

Download
memory/2908-178-0x0000000077720000-0x00000000778AE000-memory.dmp

Filesize
1.6MB

Download
memory/2908-179-0x0000000077720000-0x00000000778AE000-memory.dmp

Filesize
1.6MB

Download
memory/2908-180-0x0000000077720000-0x00000000778AE000-memory.dmp

Filesize
1.6MB

Download
memory/2908-181-0x0000000077720000-0x00000000778AE000-memory.dmp

Filesize
1.6MB

Download
memory/2908-182-0x0000000077720000-0x00000000778AE000-memory.dmp

Filesize
1.6MB

Download
memory/2908-183-0x0000000077720000-0x00000000778AE000-memory.dmp

Filesize
1.6MB

Download
memory/2908-184-0x0000000077720000-0x00000000778AE000-memory.dmp

Filesize
1.6MB

Download
memory/2908-185-0x0000000077720000-0x00000000778AE000-memory.dmp

Filesize
1.6MB

Download
memory/2908-186-0x0000000077720000-0x00000000778AE000-memory.dmp

Filesize
1.6MB

Download
memory/2908-187-0x0000000077720000-0x00000000778AE000-memory.dmp

Filesize
1.6MB

Download
memory/2908-188-0x0000000077720000-0x00000000778AE000-memory.dmp

Filesize
1.6MB

Download
memory/2908-189-0x0000000077720000-0x00000000778AE000-memory.dmp

Filesize
1.6MB

Download
memory/2908-190-0x0000000077720000-0x00000000778AE000-memory.dmp

Filesize
1.6MB

Download
memory/2908-170-0x0000000077720000-0x00000000778AE000-memory.dmp

Filesize
1.6MB

Download
memory/2908-169-0x0000000077720000-0x00000000778AE000-memory.dmp

Filesize
1.6MB

Download
memory/2908-127-0x0000000077720000-0x00000000778AE000-memory.dmp

Filesize
1.6MB

Download
memory/2908-168-0x0000000077720000-0x00000000778AE000-memory.dmp

Filesize
1.6MB

Download
memory/2908-167-0x0000000077720000-0x00000000778AE000-memory.dmp

Filesize
1.6MB

Download
memory/2908-128-0x0000000077720000-0x00000000778AE000-memory.dmp

Filesize
1.6MB

Download
memory/2908-165-0x0000000077720000-0x00000000778AE000-memory.dmp

Filesize
1.6MB

Download
memory/2908-166-0x0000000077720000-0x00000000778AE000-memory.dmp

Filesize
1.6MB

Download
memory/2908-164-0x0000000077720000-0x00000000778AE000-memory.dmp

Filesize
1.6MB

Download
memory/2908-163-0x0000000077720000-0x00000000778AE000-memory.dmp

Filesize
1.6MB

Download
memory/2908-129-0x0000000077720000-0x00000000778AE000-memory.dmp

Filesize
1.6MB

Download
memory/2908-162-0x0000000077720000-0x00000000778AE000-memory.dmp

Filesize
1.6MB

Download
memory/2908-161-0x0000000077720000-0x00000000778AE000-memory.dmp

Filesize
1.6MB

Download
memory/2908-160-0x0000000077720000-0x00000000778AE000-memory.dmp

Filesize
1.6MB

Download
memory/2908-159-0x0000000077720000-0x00000000778AE000-memory.dmp

Filesize
1.6MB

Download
memory/2908-130-0x0000000077720000-0x00000000778AE000-memory.dmp

Filesize
1.6MB

Download
memory/2908-158-0x0000000077720000-0x00000000778AE000-memory.dmp

Filesize
1.6MB

Download
memory/2908-157-0x0000000077720000-0x00000000778AE000-memory.dmp

Filesize
1.6MB

Download
memory/2908-131-0x0000000077720000-0x00000000778AE000-memory.dmp

Filesize
1.6MB

Download
memory/2908-132-0x0000000077720000-0x00000000778AE000-memory.dmp

Filesize
1.6MB

Download
memory/2908-156-0x0000000077720000-0x00000000778AE000-memory.dmp

Filesize
1.6MB

Download
memory/2908-155-0x0000000077720000-0x00000000778AE000-memory.dmp

Filesize
1.6MB

Download
memory/2908-153-0x0000000077720000-0x00000000778AE000-memory.dmp

Filesize
1.6MB

Download
memory/2908-152-0x0000000077720000-0x00000000778AE000-memory.dmp

Filesize
1.6MB

Download
memory/2908-151-0x0000000077720000-0x00000000778AE000-memory.dmp

Filesize
1.6MB

Download
memory/2908-150-0x0000000077720000-0x00000000778AE000-memory.dmp

Filesize
1.6MB

Download
memory/2908-149-0x0000000077720000-0x00000000778AE000-memory.dmp

Filesize
1.6MB

Download
memory/2908-148-0x0000000077720000-0x00000000778AE000-memory.dmp

Filesize
1.6MB

Download
memory/2908-147-0x0000000077720000-0x00000000778AE000-memory.dmp

Filesize
1.6MB

Download
memory/2908-146-0x0000000077720000-0x00000000778AE000-memory.dmp

Filesize
1.6MB

Download
memory/2908-145-0x0000000077720000-0x00000000778AE000-memory.dmp

Filesize
1.6MB

Download
memory/2908-144-0x0000000077720000-0x00000000778AE000-memory.dmp

Filesize
1.6MB

Download
memory/2908-143-0x0000000077720000-0x00000000778AE000-memory.dmp

Filesize
1.6MB

Download
memory/2908-142-0x0000000077720000-0x00000000778AE000-memory.dmp

Filesize
1.6MB

Download
memory/2908-141-0x0000000077720000-0x00000000778AE000-memory.dmp

Filesize
1.6MB

Download
memory/2908-140-0x0000000077720000-0x00000000778AE000-memory.dmp

Filesize
1.6MB

Download
memory/2908-139-0x0000000077720000-0x00000000778AE000-memory.dmp

Filesize
1.6MB

Download
memory/2908-138-0x0000000077720000-0x00000000778AE000-memory.dmp

Filesize
1.6MB

Download
memory/2908-137-0x0000000077720000-0x00000000778AE000-memory.dmp

Filesize
1.6MB

Download
memory/2908-171-0x0000000077720000-0x00000000778AE000-memory.dmp

Filesize
1.6MB

Download
memory/2908-135-0x0000000077720000-0x00000000778AE000-memory.dmp

Filesize
1.6MB

Download
memory/2908-134-0x0000000077720000-0x00000000778AE000-memory.dmp

Filesize
1.6MB

Download
memory/2908-133-0x0000000077720000-0x00000000778AE000-memory.dmp

Filesize
1.6MB

Download
memory/4148-584-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/4148-558-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download