blackmatter | 4dfa2dcbcfe39550255fcf5daaa4ee3b74e7ea3a32666c91c100fb6b8508544b

Analysis

max time kernel
641s
max time network
651s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
16-03-2024 11:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

LockBit-V3.zip
Size

293KB
MD5

f35c9e87f63d3f8d4db5b1a01a14e464
SHA1

7fd87ed64dbb2780b5deccc0a9d138b3b9402e8b
SHA256

4dfa2dcbcfe39550255fcf5daaa4ee3b74e7ea3a32666c91c100fb6b8508544b
SHA512

04d8f57d6a592d30b3af8ee96ed2480a2b594b25a37b500613a06aee994705045140ed6f4152c97f17e935122003d45d6ae64fad668a08cf7e6438f48e3167e3
SSDEEP

6144:50gWKhB5TA1yAmI28MqQoZNTelXsxRw5Bp0i49h/t1uDcMxDM074:50gWw5rA08MLCeG/i49JEcUE

Score

10^/10

blackmatter lockbit ransomware spyware stealer

Malware Config

Extracted

Family

blackmatter

Version

25.239

Extracted

Path

C:\Hr3ShnhBv.README.txt

Family

lockbit

Ransom Note

~~~ LockBit 3.0 the world's fastest ransomware since 2019~~~ >>>> Your data are stolen and encrypted The data will be published on TOR website if you do not pay the ransom Links for Tor Browser: http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion http://lockbitapt5x4zkjbcqmz6frdhecqqgadevyiwqxukksspnlidyvd7qd.onion http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion http://lockbitapt34kvrip6xojylohhxrwsvpzdffgs5z4pbbsywnzsbdguqd.onion http://lockbitaptc2iq4atewz2ise62q63wfktyrl4qtwuk5qax262kgtzjqd.onion http://lockbitaptjpikdqjynvgozhgc6bgetgucdk5xjacozeaawihmoio6yd.onion http://lockbitaptq7ephv2oigdncfhtwhpqgwmqojnxqdyhprxxfpcllqdxad.onion http://lockbitaptstzf3er2lz6ku3xuifafq2yh5lmiqj5ncur6rtlmkteiqd.onion http://lockbitaptoofrpignlz6dt2wqqc5z3a4evjevoa3eqdfcntxad5lmyd.onion Links for the normal browser http://lockbitapt.uz http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion.ly http://lockbitapt5x4zkjbcqmz6frdhecqqgadevyiwqxukksspnlidyvd7qd.onion.ly http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion.ly http://lockbitapt34kvrip6xojylohhxrwsvpzdffgs5z4pbbsywnzsbdguqd.onion.ly http://lockbitaptc2iq4atewz2ise62q63wfktyrl4qtwuk5qax262kgtzjqd.onion.ly http://lockbitaptjpikdqjynvgozhgc6bgetgucdk5xjacozeaawihmoio6yd.onion.ly http://lockbitaptq7ephv2oigdncfhtwhpqgwmqojnxqdyhprxxfpcllqdxad.onion.ly http://lockbitaptstzf3er2lz6ku3xuifafq2yh5lmiqj5ncur6rtlmkteiqd.onion.ly http://lockbitaptoofrpignlz6dt2wqqc5z3a4evjevoa3eqdfcntxad5lmyd.onion.ly >>>> What guarantees that we will not deceive you? We are not a politically motivated group and we do not need anything other than your money. If you pay, we will provide you the programs for decryption and we will delete your data. Life is too short to be sad. Be not sad, money, it is only paper. If we do not give you decrypters, or we do not delete your data after payment, then nobody will pay us in the future. Therefore to us our reputation is very important. We attack the companies worldwide and there is no dissatisfied victim after payment. You can obtain information about us on twitter https://twitter.com/hashtag/lockbit?f=live >>>> You need contact us and decrypt one file for free on these TOR sites with your personal DECRYPTION ID Download and install TOR Browser https://www.torproject.org/ Write to a chat and wait for the answer, we will always answer you. Sometimes you will need to wait for our answer because we attack many companies. Links for Tor Browser: http://lockbitsupt7nr3fa6e7xyb73lk6bw6rcneqhoyblniiabj4uwvzapqd.onion http://lockbitsupuhswh4izvoucoxsbnotkmgq6durg7kficg6u33zfvq3oyd.onion http://lockbitsupn2h6be2cnqpvncyhj4rgmnwn44633hnzzmtxdvjoqlp7yd.onion Link for the normal browser http://lockbitsupp.uz If you do not get an answer in the chat room for a long time, the site does not work and in any other emergency, you can contact us in jabber or tox. Tox ID LockBitSupp: 3085B89A0C515D2FB124D645906F5D3DA5CB97CEBEA975959AE4F95302A04E1D709C3C4AE9B7 XMPP (Jabber) Support: [email protected] [email protected] >>>> Your personal DECRYPTION ID: B7568014A48684D6D525F3F3722638C4 >>>> Warning! Do not DELETE or MODIFY any files, it can lead to recovery problems! >>>> Warning! If you do not pay the ransom we will attack your company repeatedly again! >>>> Advertisement Would you like to earn millions of dollars $$$ ? Our company acquire access to networks of various companies, as well as insider information that can help you steal the most valuable data of any company. You can provide us accounting data for the access to any company, for example, login and password to RDP, VPN, corporate email, etc. Open our letter at your email. Launch the provided virus on any computer in your company. You can do it both using your work computer or the computer of any other employee in order to divert suspicion of being in collusion with us. Companies pay us the foreclosure for the decryption of files and prevention of data leak. You can contact us using Tox messenger without registration and SMS https://tox.chat/download.html. Using Tox messenger, we will never know your real name, it means your privacy is guaranteed. If you want to contact us, write in jabber or tox. Tox ID LockBitSupp: 3085B89A0C515D2FB124D645906F5D3DA5CB97CEBEA975959AE4F95302A04E1D709C3C4AE9B7 XMPP (Jabber) Support: [email protected] [email protected] If this contact is expired, and we do not respond you, look for the relevant contact data on our website via Tor or Brave browser Links for Tor Browser: http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion http://lockbitapt5x4zkjbcqmz6frdhecqqgadevyiwqxukksspnlidyvd7qd.onion http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion http://lockbitapt34kvrip6xojylohhxrwsvpzdffgs5z4pbbsywnzsbdguqd.onion http://lockbitaptc2iq4atewz2ise62q63wfktyrl4qtwuk5qax262kgtzjqd.onion http://lockbitaptjpikdqjynvgozhgc6bgetgucdk5xjacozeaawihmoio6yd.onion http://lockbitaptq7ephv2oigdncfhtwhpqgwmqojnxqdyhprxxfpcllqdxad.onion http://lockbitaptstzf3er2lz6ku3xuifafq2yh5lmiqj5ncur6rtlmkteiqd.onion http://lockbitaptoofrpignlz6dt2wqqc5z3a4evjevoa3eqdfcntxad5lmyd.onion Links for the normal browser http://lockbitapt.uz http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion.ly http://lockbitapt5x4zkjbcqmz6frdhecqqgadevyiwqxukksspnlidyvd7qd.onion.ly http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion.ly http://lockbitapt34kvrip6xojylohhxrwsvpzdffgs5z4pbbsywnzsbdguqd.onion.ly http://lockbitaptc2iq4atewz2ise62q63wfktyrl4qtwuk5qax262kgtzjqd.onion.ly http://lockbitaptjpikdqjynvgozhgc6bgetgucdk5xjacozeaawihmoio6yd.onion.ly http://lockbitaptq7ephv2oigdncfhtwhpqgwmqojnxqdyhprxxfpcllqdxad.onion.ly http://lockbitaptstzf3er2lz6ku3xuifafq2yh5lmiqj5ncur6rtlmkteiqd.onion.ly http://lockbitaptoofrpignlz6dt2wqqc5z3a4evjevoa3eqdfcntxad5lmyd.onion.ly

Emails

[email protected]

URLs

http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion

http://lockbitapt5x4zkjbcqmz6frdhecqqgadevyiwqxukksspnlidyvd7qd.onion

http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion

http://lockbitapt34kvrip6xojylohhxrwsvpzdffgs5z4pbbsywnzsbdguqd.onion

http://lockbitaptc2iq4atewz2ise62q63wfktyrl4qtwuk5qax262kgtzjqd.onion

http://lockbitaptjpikdqjynvgozhgc6bgetgucdk5xjacozeaawihmoio6yd.onion

http://lockbitaptq7ephv2oigdncfhtwhpqgwmqojnxqdyhprxxfpcllqdxad.onion

http://lockbitaptstzf3er2lz6ku3xuifafq2yh5lmiqj5ncur6rtlmkteiqd.onion

http://lockbitaptoofrpignlz6dt2wqqc5z3a4evjevoa3eqdfcntxad5lmyd.onion

http://lockbitapt.uz

http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion.ly

http://lockbitapt5x4zkjbcqmz6frdhecqqgadevyiwqxukksspnlidyvd7qd.onion.ly

http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion.ly

http://lockbitapt34kvrip6xojylohhxrwsvpzdffgs5z4pbbsywnzsbdguqd.onion.ly

http://lockbitaptc2iq4atewz2ise62q63wfktyrl4qtwuk5qax262kgtzjqd.onion.ly

http://lockbitaptjpikdqjynvgozhgc6bgetgucdk5xjacozeaawihmoio6yd.onion.ly

http://lockbitaptq7ephv2oigdncfhtwhpqgwmqojnxqdyhprxxfpcllqdxad.onion.ly

http://lockbitaptstzf3er2lz6ku3xuifafq2yh5lmiqj5ncur6rtlmkteiqd.onion.ly

http://lockbitaptoofrpignlz6dt2wqqc5z3a4evjevoa3eqdfcntxad5lmyd.onion.ly

https://twitter.com/hashtag/lockbit?f=live

Signatures

BlackMatter Ransomware
BlackMatter ransomware group claims to be Darkside and REvil succesor.
ransomware blackmatter
Lockbit
Ransomware family with multiple variants released since late 2019.
ransomware lockbit

Rule to detect Lockbit 3.0 ransomware Windows payload 4 IoCs

resource	yara_rule
behavioral1/files/0x0006000000018b38-15.dat	family_lockbit
behavioral1/files/0x0004000000019368-39.dat	family_lockbit
behavioral1/files/0x0004000000019385-268.dat	family_lockbit
behavioral1/memory/1752-309-0x0000000000400000-0x0000000000429000-memory.dmp	family_lockbit

Renames multiple (328) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Deletes itself 1 IoCs

pid	Process
1096	7zG.exe

Executes dropped EXE 3 IoCs

pid	Process
2012	LB3.exe
1752	LB3_pass.exe
2184	LB3Decryptor.exe

Loads dropped DLL 4 IoCs

pid	Process
1492	WerFault.exe
1492	WerFault.exe
1492	WerFault.exe
1492	WerFault.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File opened for modification	C:\$Recycle.Bin\S-1-5-21-2461186416-2307104501-1787948496-1000\desktop.ini	LB3.exe
File opened for modification	F:\$RECYCLE.BIN\S-1-5-21-2461186416-2307104501-1787948496-1000\desktop.ini	LB3.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Control Panel\Desktop\WallPaper	LB3Decryptor.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1492	1752	WerFault.exe	68

Modifies Control Panel 1 IoCs

evasion

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Control Panel\Desktop	LB3Decryptor.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\IconSize = "48"	chrome.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\0\0\0	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\LogicalViewMode = "3"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\GroupView = "0"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg\{80213E82-BCFD-4C4F-8817-BB27601267A9}\LogicalViewMode = "1"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\GroupView = "0"	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\0\0\0\3\MRUListEx = ffffffff	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg\{80213E82-BCFD-4C4F-8817-BB27601267A9}\FFlags = "18874369"	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg\{80213E82-BCFD-4C4F-8817-BB27601267A9}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000_Classes\Local Settings	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\0\0\0	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	chrome.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Hr3ShnhBv	LB3.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\NodeSlot = "3"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg\{80213E82-BCFD-4C4F-8817-BB27601267A9}\IconSize = "16"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\0	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\0\0\0\3 = 560032007d7804007058f15c2020626173652e7a697000003e0008000400efbe7058f15c7058f15c2a000000a255000000001300000000000000000000000000000062006100730065002e007a0069007000000018000000	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\3	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\Mode = "1"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\Mode = "1"	chrome.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\.Hr3ShnhBv	LB3Decryptor.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\MRUListEx = ffffffff	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg\{80213E82-BCFD-4C4F-8817-BB27601267A9}\GroupView = "0"	chrome.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Hr3ShnhBv	LB3Decryptor.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a000000a000000030f125b7ef471a10a5f102608c9eebac0e0000007800000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\GroupByKey:PID = "0"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a000000a000000030f125b7ef471a10a5f102608c9eebac0e0000007800000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	chrome.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg\{80213E82-BCFD-4C4F-8817-BB27601267A9}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg\{80213E82-BCFD-4C4F-8817-BB27601267A9}\GroupByDirection = "1"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	chrome.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616193"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg\{80213E82-BCFD-4C4F-8817-BB27601267A9}	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\0	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000007800000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 020000000100000000000000ffffffff	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\0\0	chrome.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	chrome.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
2220	NOTEPAD.EXE

Suspicious behavior: CmdExeWriteProcessMemorySpam 7 IoCs

pid	Process
1600	keygen.exe
1216	builder.exe
1408	builder.exe
1144	builder.exe
1952	builder.exe
2432	builder.exe
1512	builder.exe

Suspicious behavior: EnumeratesProcesses 42 IoCs

pid	Process
2012	LB3.exe
2012	LB3.exe
2012	LB3.exe
2012	LB3.exe
2012	LB3.exe
2012	LB3.exe
2012	LB3.exe
2012	LB3.exe
2012	LB3.exe
2012	LB3.exe
2012	LB3.exe
2012	LB3.exe
2012	LB3.exe
2012	LB3.exe
2012	LB3.exe
2012	LB3.exe
2012	LB3.exe
2012	LB3.exe
2012	LB3.exe
2012	LB3.exe
2012	LB3.exe
2012	LB3.exe
2012	LB3.exe
2012	LB3.exe
2012	LB3.exe
2012	LB3.exe
2012	LB3.exe
2012	LB3.exe
2012	LB3.exe
2012	LB3.exe
2012	LB3.exe
2012	LB3.exe
2012	LB3.exe
2012	LB3.exe
2184	LB3Decryptor.exe
2184	LB3Decryptor.exe
2012	LB3.exe
2012	LB3.exe
2012	LB3.exe
2012	LB3.exe
2012	LB3.exe
2012	LB3.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
1760	chrome.exe
944	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeRestorePrivilege	1816	7zG.exe
Token: 35	1816	7zG.exe
Token: SeSecurityPrivilege	1816	7zG.exe
Token: SeSecurityPrivilege	1816	7zG.exe
Token: SeRestorePrivilege	1856	7zG.exe
Token: 35	1856	7zG.exe
Token: SeSecurityPrivilege	1856	7zG.exe
Token: SeSecurityPrivilege	1856	7zG.exe
Token: SeRestorePrivilege	1096	7zG.exe
Token: 35	1096	7zG.exe
Token: SeSecurityPrivilege	1096	7zG.exe
Token: SeSecurityPrivilege	1096	7zG.exe
Token: SeRestorePrivilege	2508	7zG.exe
Token: 35	2508	7zG.exe
Token: SeSecurityPrivilege	2508	7zG.exe
Token: SeSecurityPrivilege	2508	7zG.exe
Token: SeAssignPrimaryTokenPrivilege	2012	LB3.exe
Token: SeBackupPrivilege	2012	LB3.exe
Token: SeDebugPrivilege	2012	LB3.exe
Token: 36	2012	LB3.exe
Token: SeImpersonatePrivilege	2012	LB3.exe
Token: SeIncBasePriorityPrivilege	2012	LB3.exe
Token: SeIncreaseQuotaPrivilege	2012	LB3.exe
Token: 33	2012	LB3.exe
Token: SeManageVolumePrivilege	2012	LB3.exe
Token: SeProfSingleProcessPrivilege	2012	LB3.exe
Token: SeRestorePrivilege	2012	LB3.exe
Token: SeSecurityPrivilege	2012	LB3.exe
Token: SeSystemProfilePrivilege	2012	LB3.exe
Token: SeTakeOwnershipPrivilege	2012	LB3.exe
Token: SeShutdownPrivilege	2012	LB3.exe
Token: SeDebugPrivilege	2012	LB3.exe
Token: SeBackupPrivilege	2184	LB3Decryptor.exe
Token: SeDebugPrivilege	2184	LB3Decryptor.exe
Token: 36	2184	LB3Decryptor.exe
Token: SeImpersonatePrivilege	2184	LB3Decryptor.exe
Token: SeIncBasePriorityPrivilege	2184	LB3Decryptor.exe
Token: SeIncreaseQuotaPrivilege	2184	LB3Decryptor.exe
Token: 33	2184	LB3Decryptor.exe
Token: SeManageVolumePrivilege	2184	LB3Decryptor.exe
Token: SeProfSingleProcessPrivilege	2184	LB3Decryptor.exe
Token: SeRestorePrivilege	2184	LB3Decryptor.exe
Token: SeSecurityPrivilege	2184	LB3Decryptor.exe
Token: SeSystemProfilePrivilege	2184	LB3Decryptor.exe
Token: SeTakeOwnershipPrivilege	2184	LB3Decryptor.exe
Token: SeBackupPrivilege	2012	LB3.exe
Token: SeBackupPrivilege	2012	LB3.exe
Token: SeSecurityPrivilege	2012	LB3.exe
Token: SeSecurityPrivilege	2012	LB3.exe
Token: SeBackupPrivilege	2012	LB3.exe
Token: SeBackupPrivilege	2012	LB3.exe
Token: SeSecurityPrivilege	2012	LB3.exe
Token: SeSecurityPrivilege	2012	LB3.exe
Token: SeBackupPrivilege	2012	LB3.exe
Token: SeBackupPrivilege	2012	LB3.exe
Token: SeSecurityPrivilege	2012	LB3.exe
Token: SeSecurityPrivilege	2012	LB3.exe
Token: SeBackupPrivilege	2012	LB3.exe
Token: SeBackupPrivilege	2012	LB3.exe
Token: SeSecurityPrivilege	2012	LB3.exe
Token: SeSecurityPrivilege	2012	LB3.exe
Token: SeBackupPrivilege	2012	LB3.exe
Token: SeBackupPrivilege	2012	LB3.exe
Token: SeSecurityPrivilege	2012	LB3.exe

Suspicious use of FindShellTrayWindow 5 IoCs

pid	Process
1816	7zG.exe
1856	7zG.exe
1096	7zG.exe
2508	7zG.exe
2184	LB3Decryptor.exe

Suspicious use of SetWindowsHookEx 9 IoCs

pid	Process
1760	chrome.exe
1760	chrome.exe
1760	chrome.exe
1760	chrome.exe
944	chrome.exe
944	chrome.exe
944	chrome.exe
944	chrome.exe
944	chrome.exe

Suspicious use of WriteProcessMemory 32 IoCs

description	pid	Process	procid_target
PID 2988 wrote to memory of 1600	2988	cmd.exe	57
PID 2988 wrote to memory of 1600	2988	cmd.exe	57
PID 2988 wrote to memory of 1600	2988	cmd.exe	57
PID 2988 wrote to memory of 1600	2988	cmd.exe	57
PID 2988 wrote to memory of 1216	2988	cmd.exe	58
PID 2988 wrote to memory of 1216	2988	cmd.exe	58
PID 2988 wrote to memory of 1216	2988	cmd.exe	58
PID 2988 wrote to memory of 1216	2988	cmd.exe	58
PID 2988 wrote to memory of 1408	2988	cmd.exe	59
PID 2988 wrote to memory of 1408	2988	cmd.exe	59
PID 2988 wrote to memory of 1408	2988	cmd.exe	59
PID 2988 wrote to memory of 1408	2988	cmd.exe	59
PID 2988 wrote to memory of 1144	2988	cmd.exe	60
PID 2988 wrote to memory of 1144	2988	cmd.exe	60
PID 2988 wrote to memory of 1144	2988	cmd.exe	60
PID 2988 wrote to memory of 1144	2988	cmd.exe	60
PID 2988 wrote to memory of 1952	2988	cmd.exe	61
PID 2988 wrote to memory of 1952	2988	cmd.exe	61
PID 2988 wrote to memory of 1952	2988	cmd.exe	61
PID 2988 wrote to memory of 1952	2988	cmd.exe	61
PID 2988 wrote to memory of 2432	2988	cmd.exe	62
PID 2988 wrote to memory of 2432	2988	cmd.exe	62
PID 2988 wrote to memory of 2432	2988	cmd.exe	62
PID 2988 wrote to memory of 2432	2988	cmd.exe	62
PID 2988 wrote to memory of 1512	2988	cmd.exe	63
PID 2988 wrote to memory of 1512	2988	cmd.exe	63
PID 2988 wrote to memory of 1512	2988	cmd.exe	63
PID 2988 wrote to memory of 1512	2988	cmd.exe	63
PID 1752 wrote to memory of 1492	1752	LB3_pass.exe	69
PID 1752 wrote to memory of 1492	1752	LB3_pass.exe	69
PID 1752 wrote to memory of 1492	1752	LB3_pass.exe	69
PID 1752 wrote to memory of 1492	1752	LB3_pass.exe	69

C:\Windows\Explorer.exe
C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\LockBit-V3.zip
1⤵
PID:1220

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4044 --field-trial-handle=1212,i,9653051188243155594,8440383173622657957,131072 /prefetch:8
1⤵
PID:992

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --mojo-platform-channel-handle=3920 --field-trial-handle=1212,i,9653051188243155594,8440383173622657957,131072 /prefetch:1
1⤵
PID:648

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1628 --field-trial-handle=1212,i,9653051188243155594,8440383173622657957,131072 /prefetch:8
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:1760

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\AppData\Local\Temp\LockBit-V3\" -spe -an -ai#7zMap18840:100:7zEvent16965
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1816

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" a -i#7zMap12027:92:7zEvent17146 -tzip -sae -- "C:\Users\Admin\AppData\Local\Temp\LockBit-V3.zip"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1856

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" a -i#7zMap1132:92:7zEvent26722 -tzip -sae -- "C:\Users\Admin\AppData\Local\Temp\LockBit-V3.zip"
1⤵
- Deletes itself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1096

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1992 --field-trial-handle=1212,i,9653051188243155594,8440383173622657957,131072 /prefetch:8
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:944

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\LockBit-V3.zip.tmp
1⤵
PID:2132

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" a -i#7zMap12974:80:7zEvent10617 -tzip -sae -- "C:\Users\Admin\AppData\Local\Temp\base.zip"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2508

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=13 --mojo-platform-channel-handle=892 --field-trial-handle=1212,i,9653051188243155594,8440383173622657957,131072 /prefetch:1
1⤵
PID:1156

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\base\Build.bat" "
1⤵
- Suspicious use of WriteProcessMemory
PID:2988
- C:\Users\Admin\AppData\Local\Temp\base\keygen.exe
  keygen -path Build -pubkey pub.key -privkey priv.key
  2⤵
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:1600
- C:\Users\Admin\AppData\Local\Temp\base\builder.exe
  builder -type dec -privkey Build\priv.key -config config.json -ofile Build\LB3Decryptor.exe
  2⤵
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:1216
- C:\Users\Admin\AppData\Local\Temp\base\builder.exe
  builder -type enc -exe -pubkey Build\pub.key -config config.json -ofile Build\LB3.exe
  2⤵
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:1408
- C:\Users\Admin\AppData\Local\Temp\base\builder.exe
  builder -type enc -exe -pass -pubkey Build\pub.key -config config.json -ofile Build\LB3_pass.exe
  2⤵
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:1144
- C:\Users\Admin\AppData\Local\Temp\base\builder.exe
  builder -type enc -dll -pubkey Build\pub.key -config config.json -ofile Build\LB3_Rundll32.dll
  2⤵
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:1952
- C:\Users\Admin\AppData\Local\Temp\base\builder.exe
  builder -type enc -dll -pass -pubkey Build\pub.key -config config.json -ofile Build\LB3_Rundll32_pass.dll
  2⤵
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:2432
- C:\Users\Admin\AppData\Local\Temp\base\builder.exe
  builder -type enc -ref -pubkey Build\pub.key -config config.json -ofile Build\LB3_ReflectiveDll_DllMain.dll
  2⤵
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:1512

C:\Users\Admin\AppData\Local\Temp\base\Build\LB3.exe
"C:\Users\Admin\AppData\Local\Temp\base\Build\LB3.exe"
1⤵
- Executes dropped EXE
- Drops desktop.ini file(s)
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2012

C:\Users\Admin\AppData\Local\Temp\base\Build\LB3_pass.exe
"C:\Users\Admin\AppData\Local\Temp\base\Build\LB3_pass.exe"
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1752
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1752 -s 88
  2⤵
  - Loads dropped DLL
  - Program crash
  PID:1492

C:\Users\Admin\AppData\Local\Temp\base\Build\LB3Decryptor.exe
"C:\Users\Admin\AppData\Local\Temp\base\Build\LB3Decryptor.exe"
1⤵
- Executes dropped EXE
- Sets desktop wallpaper using registry
- Modifies Control Panel
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2184

C:\Users\Admin\AppData\Local\Temp\base\keygen.exe
"C:\Users\Admin\AppData\Local\Temp\base\keygen.exe"
1⤵
PID:2780

C:\Users\Admin\AppData\Local\Temp\base\keygen.exe
"C:\Users\Admin\AppData\Local\Temp\base\keygen.exe"
1⤵
PID:2260

C:\Users\Admin\AppData\Local\Temp\base\builder.exe
"C:\Users\Admin\AppData\Local\Temp\base\builder.exe"
1⤵
PID:1856

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\base\Hr3ShnhBv.README.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:2220

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2461186416-2307104501-1787948496-1000\desktop.ini

Filesize
129B

MD5
07c140d0fbd5440dc11d6efbc1c60b91

SHA1
23cfe2f6eb1564d95ef7e4535ef8717ae361ac88

SHA256
1c60e643c5e9ea552b2bb709cb8d320cb09507c6756a811f2d728ce616f720e3

SHA512
c03fbcb19e11cd66724a08ca336f902c279d430f08f84b8926a86c226acc5c880eef1888e9fb37131ef2357342f2f926acd1a5506dcea379c3d564dea0075349

Download Submit
C:\Hr3ShnhBv.README.txt

Filesize
6KB

MD5
dd746ace17e44ace00885b91400f11d5

SHA1
4a0302d2dca400598f396e4230fdae71779cbeaa

SHA256
b27c3c8a30faf7c76483b7e5d964ae85046a9713caa46508ee7a1e31b7dc6272

SHA512
8ac26aa7262fdf1afdc74e604720a79ebde076c75f460d7d5f57ff4d81dedb1ad471eb114ddd428c1934029746f5c222339090680bc77a6ea09ce329e1da3ef1

Download Submit
C:\Users\Admin\AppData\Local\Adobe\Color\ACECache10.lst

Filesize
1KB

MD5
a908472f45f09e74907b53312551d8d5

SHA1
c36a6ae8e5019c7d944483ec3c2ba084e3703a47

SHA256
64386c3cbd6da2e5b38455b19ffca4b1919d46bc724d06d6b1de012eaaf31286

SHA512
5d503c4b1b2985d62a7265cd91b317da71771250a5a18bbe28a4e78e22df3d76462fd528b482533efe9bf962c0c545bc2528d7efbf126bf2462392af14f0aee0

Download Submit
C:\Users\Admin\AppData\Local\Adobe\Color\Profiles\wsRGB.icc

Filesize
2KB

MD5
1aedd47ffa10f6f169c81f9833a5bdac

SHA1
6bd54c881ea6e16e060b4ce2ee6d46b417702b1c

SHA256
96ed299b41d18d67d13ad81804f55eba6df19b4b70590ae6a2be1abb5f5d9bd2

SHA512
0de8b7626d655dd7e89fb86006d6f9cb29a41c2ec743a5d5d0b9c8e2f46d24a505324fe2da03812221ce73a3ba79912f555c0bbe0cdef0030d045ffe8e8115ca

Download Submit
C:\Users\Admin\AppData\Local\Adobe\Color\Profiles\wscRGB.icc

Filesize
64KB

MD5
ce97194ed8977b834dc03af491a28c18

SHA1
f8d51efaf27cc8a751acf7290de6d8bd03f90db8

SHA256
09a7b2f969ade79cb4132031f3763b63ea8bddccf1482da4e75b9946a534e0f2

SHA512
8a3f5fc3bd88d57b1c36f050e4aea9d3a0263ed20f3999c7039c25be65540fd92d0f202969e4f296552bd9d78f47936bdadcc19cdc80f074c0a1aab457c813e7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\BrowserMetrics\BrowserMetrics-65F583FA-B64.pma

Filesize
64KB

MD5
2d2cf4ccd6edf365bc9bc0dbdf5062ad

SHA1
0776b4abe3881d333e475eee73147ead16385649

SHA256
012f5e8852722dea1a79308dc6e192fd3f8525a5107a2b4241d3a2844c95a612

SHA512
ffaba8db1c1d06bc03414429be29e2a9618f8aa8719937deef699f59d0cb3b631e6ef845838f45caefb2934ef3760c018be68ca4b6268adb347f8bce7d56acff

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
294d6278c7e065c14f83cda12e29ba12

SHA1
ef6bd33fd24a3866dd8c48c505fbc7b1c4d28e0a

SHA256
963c57847ff199029eabeb8832a4aa90a57a204ad56a18672a9bab23351590a3

SHA512
df42ddb3a364b7ac9adae110b0e9ccd9e2ef7592e256608d4c11ef1fed872de59a4f0ada05c35b3955f96c09f96a45a62fb910bb2caa09469c633c439987637a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\FontLookupTableCache\font_unique_name_table.pb

Filesize
64KB

MD5
6886780819777166d58dbb53ec708e3d

SHA1
0ce0812cac2ef342131e51c3fde372ab005bfe54

SHA256
5e58215a7b69256b6de9164151ec32bc0a9f6a336ee971c928d95481ebc67afb

SHA512
de702bfce9b57c53e98e89bc46f31f950819f1ea242310f1b53f3618eceb7cc01c96bb5dea0ec8a0de19864ee6bf2db2d42a45a73a7d7c4f290e85dcac9a9e69

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\GrShaderCache\data_0

Filesize
8KB

MD5
cf89d16bb9107c631daabf0c0ee58efb

SHA1
3ae5d3a7cf1f94a56e42f9a58d90a0b9616ae74b

SHA256
d6a5fe39cd672781b256e0e3102f7022635f1d4bb7cfcc90a80fffe4d0f3877e

SHA512
8cb5b059c8105eb91e74a7d5952437aaa1ada89763c5843e7b0f1b93d9ebe15ed40f287c652229291fac02d712cf7ff5ececef276ba0d7ddc35558a3ec3f77b0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\GrShaderCache\data_1

Filesize
264KB

MD5
a9aa3a300a1b7697d5779ec4c9a9bfa7

SHA1
b65cae3bafe50e9e146ce88fd63d96d7c8072155

SHA256
d5bb73dafe0a6c96e4d944f5875a83134b916b3f4960751931da84eb4222aca4

SHA512
93bfed8c61608cf0a651aad79bd86645af2219f166164fcb6252a48a9c1548549ce558492747bdd6c5c55bccba79e5b804b4642400944c58449aec8bab1b064f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\GrShaderCache\data_2

Filesize
8KB

MD5
0962291d6d367570bee5454721c17e11

SHA1
59d10a893ef321a706a9255176761366115bedcb

SHA256
ec1702806f4cc7c42a82fc2b38e89835fde7c64bb32060e0823c9077ca92efb7

SHA512
f555e961b69e09628eaf9c61f465871e6984cd4d31014f954bb747351dad9cea6d17c1db4bca2c1eb7f187cb5f3c0518748c339c8b43bbd1dbd94aeaa16f58ed

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\GrShaderCache\data_3

Filesize
8KB

MD5
41876349cb12d6db992f1309f22df3f0

SHA1
5cf26b3420fc0302cd0a71e8d029739b8765be27

SHA256
e09f42c398d688dce168570291f1f92d079987deda3099a34adb9e8c0522b30c

SHA512
e9a4fc1f7cb6ae2901f8e02354a92c4aaa7a53c640dcf692db42a27a5acc2a3bfb25a0de0eb08ab53983132016e7d43132ea4292e439bb636aafd53fb6ef907e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\GrShaderCache\index

Filesize
192KB

MD5
e94312480789511ea23c2e35aa67cff7

SHA1
7c9324dc5ee06320e3d2236d48f846a28afa24c1

SHA256
85da36df800bb0593dca973d083941c9ea97a838864f0d6dda95f77352a51b9d

SHA512
37ef880e9f62a78cd85e3d1e6ec71854a9dfd5625225ecb0ebacd314edd972e99dd75b3e369f2211e845cd064ef7600811ac02e58614ee9541e9e6d03f8b7259

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
75KB

MD5
b6bce853e61faaa2612da8d61c83ec36

SHA1
517d1dc5861079ffc16d2e5d7065e7df46794378

SHA256
d7d5e79de1fb3da84b24d68d7be50a970e6094aa657ef5fdeb5403fc065d7879

SHA512
b8371597a2758c839d78db08a8aad95ac5b9e2a5190d628aae4b945b369335e1275aea033338ff64c2f36bda6b668acb426503b6fb4dc3494cdf5b3ce9c67ce7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\index

Filesize
160KB

MD5
7cd6928d4c51f4c131b85c1f1fcbadf7

SHA1
154206a5f1825c4b8067dce044030dbdb37b5d54

SHA256
6fbb44b6fd6c12f1e930655c84fc185b54db84951d1a0c1ef46216bc7230ed55

SHA512
8e09568bca1eca59f95297c0ffa5355dea3143860bce8ec3b829f9f57788b0a8d095b17db04a32cfbbfe0665b39763e1dd8a5d89e47174ddfaeb6f338dafc0ca

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Variations

Filesize
86B

MD5
961e3604f228b0d10541ebf921500c86

SHA1
6e00570d9f78d9cfebe67d4da5efe546543949a7

SHA256
f7b24f2eb3d5eb0550527490395d2f61c3d2fe74bb9cb345197dad81b58b5fed

SHA512
535f930afd2ef50282715c7e48859cc2d7b354ff4e6c156b94d5a2815f589b33189ffedfcaf4456525283e993087f9f560d84cfcf497d189ab8101510a09c472

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\m9nu9nej.default-release\cache2\entries\DED23BB33EA3C88FAD1C0A1CD53916E0D8C424D3

Filesize
16KB

MD5
34c38b19d563d61b6cac0fb082ea90d3

SHA1
8c6f1bf23f8751c5a2d2a5b238db9bc2e4deb7a2

SHA256
db186254c7463c9a22f1734599937f74ea6b0b978e56cf93f7ae4076a29a5f51

SHA512
c891964fd901080d8272678d3ac4ea6beff65b5aeb201a37e62d38d4e75ac6114771c4948aac03e19b75962291dae39ee2a38771302c4083ca2cd8fe7a199849

Download Submit
C:\Users\Admin\AppData\Local\Temp\LockBit-V3.zip

Filesize
579KB

MD5
1b6bbdb506eb9f127ab208de1ab98c94

SHA1
7203abfaab8f9dcc781a5d6bc73d76c91a9382ea

SHA256
a89bbb6c2c09ae6916897a67d579a26684f1693b29906852aac9e607c0b443ab

SHA512
bcefd0b6090480bf08275a2a0fdb559400ba8dfb474813015e98c1c441a4745310c74b29908f0aed87ce8daf26f116bebcfc7fc6195fc54c91dcde60153ae4c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\LockBit-V3.zip.tmp

Filesize
293KB

MD5
c077942c61914ae2e8d4258e3b6f5a65

SHA1
dc95219ce9ace2f264898cffb56d576b0c2cb7da

SHA256
96267044d451d125f0eae07fbae8b15cec425261499a61a277ee9d8cb37a1735

SHA512
f3a0958ff1035336933a8d17aefdba04886d709ab27e3a9a088f1ff2f64b41a270307be306fbfd3f31cd4b4dad1c4b0775e9b8a86673510259620a0aecf5afa1

Download Submit
C:\Users\Admin\AppData\Local\Temp\LockBit-V3\Build.bat

Filesize
1KB

MD5
b8f24efd1d30aac9d360db90c8717aee

SHA1
7d31372560f81ea24db57bb18d56143251a8b266

SHA256
95df1d82137315708931f1fc3411e891cd42d1cab413d4380b479788729248ed

SHA512
14ebf7905f15983593164d1c093bb99d098daf3963f1b7a913c1a9763acb950075a0d2cceab3558cce3e7269c2a2d5dacc2b3c6c55807b0b6bda6bfad62dd032

Download Submit
C:\Users\Admin\AppData\Local\Temp\LockBit-V3\builder.exe

Filesize
469KB

MD5
c2bc344f6dde0573ea9acdfb6698bf4c

SHA1
d6ae7dc2462c8c35c4a074b0a62f07cfef873c77

SHA256
a736269f5f3a9f2e11dd776e352e1801bc28bb699e47876784b8ef761e0062db

SHA512
d60cf86c0267cd4e88d21768665bbb43f3048dace1e0013b2361c5bfabf2656ff6215dfb75b6932e09545473305b4f707c069721cdde317b1df1709cd9fc61c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\LockBit-V3\config.json

Filesize
8KB

MD5
de177fa08e9b2eaa378760afd53be6b2

SHA1
a18050f9e5f2412955df4b868ffb866209d2b84a

SHA256
d121f4293160e0a39cbb184c032cd45baf1372db00cd33afb0e166ac0a60ac4c

SHA512
44f4e745013eaa7d95486c91457c23fd9694f859920766f0139cf5ca9c84ff6c82d59be9675dd1a0c7b3216464c85cf732dbbdb0e641a5e47cbbf1830f4a0a8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\LockBit-V3\keygen.exe

Filesize
31KB

MD5
71c3b2f765b04d0b7ea0328f6ce0c4e2

SHA1
bf8ecb6519f16a4838ceb0a49097bcc3ef30f3c4

SHA256
ea6d4dedd8c85e4a6bb60408a0dc1d56def1f4ad4f069c730dc5431b1c23da37

SHA512
1923db134d7cee25389a07e4d48894dde7ee8f70d008cd890dd34a03b2741a54ec1555e6821755e5af8eae377ef5005e3f9afceb4681059bc1880276e9bcf035

Download Submit
C:\Users\Admin\AppData\Local\Temp\LockBit-V3\macro.vbs

Filesize
407B

MD5
cf9c8e2a027b88086e591715ec8eb0a9

SHA1
cfb21043e3c4f9bc71a262df168a37f057ea1aa3

SHA256
42b8b8219f63345f6a3818ebd02cb394903c02b0f922636bb876831c0a06984b

SHA512
5091494e23a8a95cbd6987417430d55a12e50ba2e175ac3e0765927b0f44f5656bd4fe3a3f11d63d455e4013461a324e25a06a4ca328dfbc8a9fba48b597b295

Download Submit
C:\Users\Admin\AppData\Local\Temp\base.zip

Filesize
286KB

MD5
83635641f89212ba68896c92ec29cd45

SHA1
f6ba77d828b0a415e0a75a776660a8152a64335f

SHA256
23da524b0e5c7da6aeb2c3ba9f019b99501f404c0ff727c7db589e01fd5831ac

SHA512
fe3c52bc97fde007052106d56bccc3f5d12405e3961d6b5315cc51b40b9cc9ce8c9f153dc0e831bbf0f1c80b3d7b1df930fac4901cd8299a114f6c9f8486b2f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\base\Build\DECRYPTION_ID.txt

Filesize
16B

MD5
8656b38f5fa731eb15fe68d739e90f89

SHA1
102880d80949107eec21e03fa537fb3f45489f90

SHA256
b61331066119454773e33d733746e0629106e9e48c3773cb003d132a9cf99e25

SHA512
cdb2b56790241a6157a22541957a914ee296a19f8e222602ec0591f4bd6ae0f37c0c95a3cf52e6e708f4be1b830d463f210ec8459b427435cdadc31862ca9c13

Download Submit
C:\Users\Admin\AppData\Local\Temp\base\Build\LB3.exe

Filesize
153KB

MD5
e90c54d3487f77473aaf51eadbcc7ed2

SHA1
d7b4b517d9f4199056af2b5c7825624571bee9e6

SHA256
c96c1701336439a6c622525a9950391d286015e8449e9b75c4a34e738acb1193

SHA512
5d66d685f8a1fae480e64591a788f371ec94a705061f99e7e292b86457a48c5bf8f67c65c624424b1383d6943d5b048d2ef928491c1eee9dbb16b9ab2bc502bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\base\Build\LB3Decryptor.exe

Filesize
54KB

MD5
d316fe5c0bb18c0fc0ed02ddd5dccb3d

SHA1
7d2b06cdb7a9357245b4d99ec04bf5b5bb5343d0

SHA256
e31c75f649ee790bd33eb84a5cbc2351930532f551500c0a92f0284dea7efd6e

SHA512
caae32ccdba0406833ea93729a7bc358e0bdf8169ae363cbc93c730856fc288bffbbf6c430464c533375b0623b310d239858d65f2b8ebe96ea4f7fa7e1375339

Download Submit
C:\Users\Admin\AppData\Local\Temp\base\Build\LB3_pass.exe

Filesize
149KB

MD5
b13a9bfa77503a341027632f3e532cc8

SHA1
cb76b0749f91e13d5d7bf0e27f8bc7d9d03de5cb

SHA256
4314c9946a15a122b672af9af351cb9ec33972dd25e9f5effa2eeb61c7ff7a39

SHA512
1d9a13f680cb5fd4d3d5f9bfe7d13fbf6d012e2c3bc80ec0b78b0123a570dff0a1362fb70d96fb94459545af55959e7f285699d07f26458cad54a7fa4b07fb98

Download Submit
C:\Users\Admin\AppData\Local\Temp\base\Build\Password_dll.txt

Filesize
1KB

MD5
0837a8325fab19e29870e18deeddd0bd

SHA1
8a1be53457db41494e7ebf1995b97e7d24d9bc04

SHA256
52b3e4107ff295c0cafd3f37d037cd3c7c3fc53fe4e4cca6887c1f20c745d9a6

SHA512
5cde96f0b6e064268d8c8df38733535a3a3d2f113d56bcef64e26ebe2d48067551ce1cec3210d5d7545ca2659d2c9847ed8df4f41da2a96de5cb87ebf21fdaa7

Download Submit
C:\Users\Admin\AppData\Local\Temp\base\Build\Password_exe.txt

Filesize
2KB

MD5
915703659e269538cbee0fd9146edd84

SHA1
1091f8ed33bdf6454ee1c5827f4bb76598180939

SHA256
46267a40805fab572bd285fab2c697d70b950a47d76eb1e6af0d0ed957711e5e

SHA512
8eb68cfcc6b04543f231a2063828997de55c0e5e94dcdfa296f95132c2843aed1259305c37ed8ddc39f0374be3864be144617ed911d821fa2a172147df6c14b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\base\Build\priv.key

Filesize
344B

MD5
35bd432e0b9b8a20aae3d75b42d9aa54

SHA1
16a62808210caa1a8a92865dbf4ede481a5f0013

SHA256
cb1b5c04534368c3d016f6821d86090ca90e8d76d09f53882c6b66908e1f4f1c

SHA512
6ff8f29fa3b6d23944c02651874d17fb5f106d9aafcceb6356574d0387895e338d8da198d50724f251b28c123a19b7c28978cd631099284968e6c11da5366765

Download Submit
C:\Users\Admin\AppData\Local\Temp\base\Build\pub.key

Filesize
344B

MD5
c098fd0181f28aaea0f46644e76d5898

SHA1
2659dc1ea2dbc9de8c63c6e068a3c4b54c8800cb

SHA256
b360b419e59cfe3ee74bce9d3009cb8840e9c269cf11286536478c7e7c32b46b

SHA512
fa63558d371cb69850202fa13aa366cf1ff1d48edc49905d1e2736ff48f5c5a5b921d33153f1831f7ec57be138834d149d07f82597053dbb97e20d46e0a9ba1c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\m9nu9nej.default-release\sessionstore-backups\upgrade.jsonlz4-20221007134813

Filesize
834B

MD5
a6f07450f9ccdbdb88a2a5647b68c78c

SHA1
a5d6a206f73aa2ba90e47e7eaf1428ed72a9d87f

SHA256
c51c22b1bc3d87a2ac126bf82402de4c5d1f0f3168d9838770a9f027cb32d46e

SHA512
0990fa98ea1aa109b6afdfd32d594b9c84ec0fb21f0efec9e1d26958d6ae7ed65869a96f0dcb8c508241bc39532cc58ed98747abe05b49a54139ffd1d561a219

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\m9nu9nej.default-release\storage\permanent\chrome\idb\3561288849sdhlie.sqlite

Filesize
48KB

MD5
0711858670f8c462079bea4de39ea647

SHA1
8823f451a15461fbbe5b78b5e60406bbddc3e2fb

SHA256
6d6b8addf3381559600e3f0cafdc165e4dcd4e14eb1c391b490ae94916d7273b

SHA512
642fd78106ef15b8da9ea8cf9ea589e0f2b872a042465db30aa36b2830a69c52ee404b8e37e805a6bf7f38d45a4c2c742048b7b1a18ee95ec76b8a2f42aa5c4c

Download Submit
C:\Users\Admin\Desktop\SplitExit.temp

Filesize
128KB

MD5
11a14d077643482cb5747307561dca09

SHA1
f889e3292ef56a97dab87f676948893e22106897

SHA256
4335674c35fbf0dbfe1395f517f538e7f1319b5453e79cd8d35a724160f191d8

SHA512
561eff28acd926dc286abf36daac00ac4cca16613cbf4244756b6eda7ac5347a0800331593558bd8efab97d925c1b79eef7b0a6b79043e2ecdd64a33e7d28b67

Download Submit
C:\vcredist2010_x64.log-MSI_vc_red.msi.txt

Filesize
363KB

MD5
5964f6fa4046dd438dfb80aeacad2bd2

SHA1
d57903ce1ab421b330264fbd74fac17c6141bb53

SHA256
ddb64a5afd27be89d680de6a8956ce56d1c9965d658a99989e9e028411bdf045

SHA512
52a959abad24ca07988ef26e1fe4e48630a8b11e62670780aa37e3806ab1ea5a3edf054bf0f8b5c117164694eda43e4d5e974c30f8b47eb99ca208660815deaa

Download Submit
C:\vcredist2010_x64.log-MSI_vc_red.msi.txt.Hr3ShnhBv

Filesize
364KB

MD5
cfb4c95525d5170b7796c382a7b002d4

SHA1
e0486a230ca6d5f8b178005901f434fc6b64f34e

SHA256
95c30edc43c9687c45bcbdb53e4393e6d6576e916851e7a13080c116dc33f362

SHA512
b6c45cc57dea31a12eeb3734711ab5b62cb56d0a9fa1d7455eb1c35ba8c733bdce156e27f8b23b02977930f3a9b6d937ff320957f5024089bfa469a34865adb6

Download Submit
C:\vcredist2010_x64.log.html

Filesize
86KB

MD5
ec2e9208dbfb0f4b3b1250438359b5ea

SHA1
c7fc710ffb7bcc3b36f5624618c759d3b7ae1677

SHA256
a6a32a61d49bd19de1057d02348d045965d60434e8f92c46c493ee35d7c1d24b

SHA512
0e6aa3a322594b05caf520d47af46a490c81a6ef70893a5c328b30ca5d8356edc758907bb6d616d02ccd4859bfa3f9c15efe12e485d0b428b33def6be2cfdcfc

Download Submit
C:\vcredist2010_x64.log.html.Hr3ShnhBv

Filesize
87KB

MD5
8ef50037e9426e5bfa6ff96c743b14d6

SHA1
b3b1860735025cd7dfecf1f2e63e951838b8048a

SHA256
b1e0b82104a4969fad99de220de4466b92814bda0c7fc9dd7785565b744bf465

SHA512
18610f70eca5f964fafb929eadc4ee86dce42693f84751cdf09ca05a18e02aa6924c9a7b6ec0b370893e7130a87d44a2d9543a2f59e14153c80f5a1719f0d2f3

Download Submit
C:\vcredist2010_x86.log-MSI_vc_red.msi.txt

Filesize
320KB

MD5
36e1027c5bd9466fac2f9e43b2539c34

SHA1
11c63cdb5be90cdbc26e27d25ab3b3dd495e5cbe

SHA256
157bf305c438ac17cbb0b4f12a02663c14756d9cd3cc1f70bf8c13560ea35024

SHA512
d68d9e940cb9af1f16e7cbf7cc0f306ed5768340c312310dd9c2d2d85323edb6cb4d3e00d411f4db89ab1581243863603124bc854b9b91ea9342a5d0dbe345d2

Download Submit
C:\vcredist2010_x86.log-MSI_vc_red.msi.txt.Hr3ShnhBv

Filesize
379KB

MD5
dc955ceb1546ebd4553aa5c54b22d367

SHA1
283345291f127383f210a040a46bf912b27a2d16

SHA256
a8b2d41e80585d6caa47c20de6bbfefa9d314fb868b65641f227c44baefe679e

SHA512
67628ee66bd512aff4afa47fb5f1fb8d734ab93b25f39d49fa9efd129452b5f2ba1384c2a297f3096912016c2c199c47b750048e3adf82b7745bf4b97f48cb11

Download Submit
C:\vcredist2010_x86.log.html.Hr3ShnhBv

Filesize
81KB

MD5
0b7e63f7e76b8c85bc8c09e810f2f0c2

SHA1
bb0ed23817544be8bf77b9ab9cd77a040645efd6

SHA256
97cbda5318037cd7ae8f9e3a5540b3b7151fdbac189cb18a59f477c1dd16dd8f

SHA512
d7ce6451a9f333c3a582e66be0e7cf58717dbb329a22143fec15cc720ab4a29bb26d7e2d18d235b82869647d9a51d1253619d6a7bf2e7f3fb509f110ba540ebb

Download Submit
C:\vcredist2012_x64_0_vcRuntimeMinimum_x64.log.Hr3ShnhBv

Filesize
165KB

MD5
f01079172fc813374a3e2dfc4a58d262

SHA1
6b8f74c2aa8c527db1cbd39c1e9a1f57bf9998ad

SHA256
20722d6863d26148ae52642c74325fb600e02a491f9835d0e5511f0d6abebdd5

SHA512
6892f1436ad868e995087a2676b0db0582ebd15e613d00503ffa52bd09fb4c41c113ebd6ac679ed056559310c5f1ded48990525d5215ed751ed210c5b6e10c2c

Download Submit
C:\vcredist2012_x64_1_vcRuntimeAdditional_x64.log.Hr3ShnhBv

Filesize
193KB

MD5
29d07ddafe46266232294de688a394c9

SHA1
5c3c058d0a60c77f8dcda363a975de3cc3abd99e

SHA256
bea2a49e89c89bc4cc8ba1791936457514cedf2fe5a809ad48ed9b90c420e2d1

SHA512
37f0671ae0deff693c386aab7e379e9234613226bafe96288e7f7be043c8cfe7172510c5550abdcca6b2b27cebff87dc87b7af5867e777c5d026a49e07d51c63

Download Submit
C:\vcredist2012_x86_0_vcRuntimeMinimum_x86.log.Hr3ShnhBv

Filesize
169KB

MD5
52c733ec55538b103218d69f01d85b45

SHA1
b0f2a086d666561d76169db7f9c821fe02c3fb11

SHA256
d021e291633eb462ec82568e3fa1d9bcf36b240b869a3b9e5a4425e0356094a5

SHA512
33d508d745adadd7acb584d4c801a5d78d4ee7254bb38fe9517ace8a770cbcb54c288ef09bbc174a32cc04b847f9098fbddbf3f32f46b528e11cf51b9f000b29

Download Submit
C:\vcredist2012_x86_1_vcRuntimeAdditional_x86.log.Hr3ShnhBv

Filesize
206KB

MD5
8c592dae0b40a1215d49e44c90d7f6d9

SHA1
6e824e3574ee5e4fa99b739a543396d6dd32d5db

SHA256
fb03db9860e67f0717e6884af7271f8162342c066a49febcfb2ea5108dd92715

SHA512
276a29968d07e15076b0fab36b6b8778981d498a51efbbfde982130be913263deaa47fed9164565568b230fcbd41585bd3365bb4fb3bd97c4e5e2abfef086ec8

Download Submit
C:\vcredist2013_x64_000_vcRuntimeMinimum_x64.log.Hr3ShnhBv

Filesize
168KB

MD5
a28f9b1c910f53031527a948dc179413

SHA1
aacbe12885abe3eea9cb6d0dcc3a25855c2b854a

SHA256
db291dff4db0c6ea4578950dc84f8a97d47becab896780d33223e48b2455af46

SHA512
a2cf683b6ffa6cbbabc0ea5bc44040f50cf20e6ccd45dc23cd04a6ff571c8fd58c5346ad9f60404b5e9714fc573127b2116cc0b1872802db6579b7901782b975

Download Submit
C:\vcredist2013_x64_001_vcRuntimeAdditional_x64.log.Hr3ShnhBv

Filesize
188KB

MD5
5f91bf62a03eacd0bdf6d5bc3eca5a02

SHA1
e1f739894434213f771477601c1f01136485606c

SHA256
76d46614d63689a0031f09c59049c043524814afe50936e0b8ca9d40c80d9078

SHA512
01577193bd88d4eb6c45bd0c504118fbb14719ebfa2a3617e82687fe641c1ec4190611d08227787fa771c3693a955d0992af1eeeb2a52ee54d25adce5ea96ee5

Download Submit
C:\vcredist2013_x86_000_vcRuntimeMinimum_x86.log.Hr3ShnhBv

Filesize
168KB

MD5
f244c34f304c3f66013bee97e987cbad

SHA1
95fade784a76997a5f13907a6cf80b22538c2286

SHA256
a98544377d2084ce986ff60916c38cb4e5cc013caedf4022ba937c8c2a8e5829

SHA512
18f764ff369fd1934bc4f3593077da0a393fd9a9d760fde93a1c9e7cfd95455aff5c3cfdbf0f9a59efa7aa2a92c30ef8d3f155c8c44bcbebf2db35f915f54394

Download Submit
C:\vcredist2013_x86_001_vcRuntimeAdditional_x86.log.Hr3ShnhBv

Filesize
196KB

MD5
d2edeceff762c812ae5cf865d57a315a

SHA1
b24aa68d46501a9d4cb13d29dd4416e1c4de4692

SHA256
9864a4edf6c43df051d3a72f59f1246fc7e1ded1d6c34c6e6fd2fc822e0e7f09

SHA512
48a4d6aa6bd19de8e141a905ec74bac4a41d85c531f111c36cf200e4a4a16bc9a02c1a3671cbb1df55a9e2be6d645372430d8e561d01acde5114735d2cade498

Download Submit
C:\vcredist2022_x64_000_vcRuntimeMinimum_x64.log.Hr3ShnhBv

Filesize
121KB

MD5
d60e65a000dc5d087e02a6f5688fea8b

SHA1
ac1786f78a614afbf381a5b6ac80ce1c238077ac

SHA256
7bbe4ab71baaf1df4b287d3df67c74b43152957bbc61d6de07bce71652a47964

SHA512
b522ec3ba4add80153e0df8007086e6e4d20dd01408ce30c584fbd098fc148f8bfa5da8f7a43a11c22356d99fdc5f7709df993c3c5621c6526170a8bffaa1934

Download Submit
C:\vcredist2022_x64_001_vcRuntimeAdditional_x64.log.Hr3ShnhBv

Filesize
127KB

MD5
90b2984c4d94366142cfc046fc5f43b5

SHA1
ae749357eb05397a6bab50ea9b837d633ab64c22

SHA256
e81f3be7052ef65220e90653689df8259dbb4d12d9dce4f73d55d8b13d157d56

SHA512
9c59aac5347f204aba9da7fef539b13b87b73d50455b913856adaeb69febb24b65a76afa947485a0c78864498a48390bee90066e73edf0c7ab6b202e010f0f82

Download Submit
C:\vcredist2022_x86_001_vcRuntimeMinimum_x86.log.Hr3ShnhBv

Filesize
121KB

MD5
85e1331c1e4a262536b7d52694bae248

SHA1
59582101b96bdf50d35b3aac1de840f52940c619

SHA256
b2e598cff699959cbbecf51b23dbc6f3717f130a714f3059aef01bab30952318

SHA512
3f092c5e54c9abe3fe40fe38036b4cd57a08a45ed59095703daf3b2268a56a541e172b60e6ac4bebecb5278827de4c52c83f0d35325cd0e42ac86f2f64af9ed7

Download Submit
C:\vcredist2022_x86_002_vcRuntimeAdditional_x86.log.Hr3ShnhBv

Filesize
133KB

MD5
46f9a90d7efb2c5cb6c849ac7bd6efe9

SHA1
852486abfa629c494e3d28d8781207604af07aed

SHA256
d6c489cc3b444e42d68394d6fa1ca882e2caa78066aced26be61fb75ae28dc4b

SHA512
629edac43984a6d6e99a8c88ea0e6f40ad4d901b99e57a66feb0dc65d232b9a55d518ff289eb414272b039cd55e38347c34974527c80ddb826e149f82d19e2e3

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-2461186416-2307104501-1787948496-1000\DDDDDDDDDDD

Filesize
129B

MD5
a1b688a9d0c39a94f1fa0c09bceb01f6

SHA1
69551fe3111224f17ebeef0b93aedc713760d2e2

SHA256
d800120f6c6e6f440b2cbabe797d81fc035fb081bc4661c9183eee20ffc092ff

SHA512
1b843b530c5bb601485d7a9f095c2ee451e113ea1994198d96d0bea3efe3c37099011cedd8b44aadae36b2659778c381c877f313ff4002de2bb72b0a12814180

Download Submit
memory/1752-309-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2012-40-0x0000000000EE0000-0x0000000000F20000-memory.dmp

Filesize
256KB

Download