Analysis
-
max time kernel
165s -
max time network
160s -
platform
windows10-2004_x64 -
resource
win10v2004-20240704-en -
resource tags
arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system -
submitted
08-07-2024 18:01
Behavioral task
behavioral1
Sample
Lockbit 3 Builder.7z
Resource
win10v2004-20240704-en
General
-
Target
Lockbit 3 Builder.7z
-
Size
139KB
-
MD5
c9c2f3805f0012628e9d62e8f75af4dd
-
SHA1
b6269b1fc8813b93c11ec6066dc33d9f99f2e431
-
SHA256
b2c3beda4b000a3d9af0a457d6d942ec81696f3ed485f7cf723b18008a5f3d10
-
SHA512
ed4cb425807bbef4da92fe9e17b78746e096612e6006521279162379b2fc65f8dec7647e9c5403c6a74e6eb9b61dce7ca1c74c65d77aafbd0719be79cb1d70ff
-
SSDEEP
3072:pYWJsCuSlRODbWhyyZZsZ77n4s31uZzd2ppyMPOLOcrgCz:pbuSlicZyx4W1uLYpyMPOLjhz
Malware Config
Extracted
blackmatter
65.239
Extracted
C:\VUMgQG2yL.README.txt
lockbit
http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion
http://lockbitapt5x4zkjbcqmz6frdhecqqgadevyiwqxukksspnlidyvd7qd.onion
http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion
http://lockbitapt34kvrip6xojylohhxrwsvpzdffgs5z4pbbsywnzsbdguqd.onion
http://lockbitaptc2iq4atewz2ise62q63wfktyrl4qtwuk5qax262kgtzjqd.onion
http://lockbitaptjpikdqjynvgozhgc6bgetgucdk5xjacozeaawihmoio6yd.onion
http://lockbitaptq7ephv2oigdncfhtwhpqgwmqojnxqdyhprxxfpcllqdxad.onion
http://lockbitaptstzf3er2lz6ku3xuifafq2yh5lmiqj5ncur6rtlmkteiqd.onion
http://lockbitaptoofrpignlz6dt2wqqc5z3a4evjevoa3eqdfcntxad5lmyd.onion
http://lockbitapt.uz
http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion.ly
http://lockbitapt5x4zkjbcqmz6frdhecqqgadevyiwqxukksspnlidyvd7qd.onion.ly
http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion.ly
http://lockbitapt34kvrip6xojylohhxrwsvpzdffgs5z4pbbsywnzsbdguqd.onion.ly
http://lockbitaptc2iq4atewz2ise62q63wfktyrl4qtwuk5qax262kgtzjqd.onion.ly
http://lockbitaptjpikdqjynvgozhgc6bgetgucdk5xjacozeaawihmoio6yd.onion.ly
http://lockbitaptq7ephv2oigdncfhtwhpqgwmqojnxqdyhprxxfpcllqdxad.onion.ly
http://lockbitaptstzf3er2lz6ku3xuifafq2yh5lmiqj5ncur6rtlmkteiqd.onion.ly
http://lockbitaptoofrpignlz6dt2wqqc5z3a4evjevoa3eqdfcntxad5lmyd.onion.ly
https://twitter.com/hashtag/lockbit?f=live
http://lockbitsupt7nr3fa6e7xyb73lk6bw6rcneqhoyblniiabj4uwvzapqd.onion
http://lockbitsupuhswh4izvoucoxsbnotkmgq6durg7kficg6u33zfvq3oyd.onion
http://lockbitsupn2h6be2cnqpvncyhj4rgmnwn44633hnzzmtxdvjoqlp7yd.onion
http://lockbitsupp.uz
https://tox.chat/download.html
Signatures
-
BlackMatter Ransomware
BlackMatter ransomware group claims to be Darkside and REvil succesor.
-
Lockbit
Ransomware family with multiple variants released since late 2019.
-
Rule to detect Lockbit 3.0 ransomware Windows payload 11 IoCs
resource yara_rule behavioral1/files/0x0008000000023453-16.dat family_lockbit behavioral1/files/0x000700000002345e-35.dat family_lockbit behavioral1/files/0x0007000000023463-40.dat family_lockbit behavioral1/files/0x0007000000023460-37.dat family_lockbit behavioral1/files/0x0008000000023460-66.dat family_lockbit behavioral1/files/0x000800000002345e-64.dat family_lockbit behavioral1/files/0x0008000000023463-69.dat family_lockbit behavioral1/files/0x0009000000023460-99.dat family_lockbit behavioral1/memory/2456-100-0x0000000000400000-0x0000000000429000-memory.dmp family_lockbit behavioral1/memory/2456-102-0x0000000000400000-0x0000000000429000-memory.dmp family_lockbit behavioral1/files/0x000900000002345e-104.dat family_lockbit -
Renames multiple (584) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-587429654-1855694383-2268796072-1000\Control Panel\International\Geo\Nation B07B.tmp -
Executes dropped EXE 30 IoCs
pid Process 1608 keygen.exe 4808 builder.exe 3452 builder.exe 1264 builder.exe 4008 builder.exe 4360 builder.exe 2704 builder.exe 4024 keygen.exe 3236 builder.exe 1236 builder.exe 1592 builder.exe 3656 builder.exe 4492 builder.exe 4268 builder.exe 2232 keygen.exe 2220 builder.exe 2868 builder.exe 2228 builder.exe 1004 builder.exe 4812 builder.exe 228 builder.exe 2208 builder.exe 2652 builder.exe 3752 keygen.exe 3664 builder.exe 4888 LB3Decryptor.exe 2456 LB3_pass.exe 2800 LB3.exe 1940 B07B.tmp 5712 LB3Decryptor.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops desktop.ini file(s) 2 IoCs
description ioc Process File opened for modification C:\$Recycle.Bin\S-1-5-21-587429654-1855694383-2268796072-1000\desktop.ini LB3.exe File opened for modification F:\$RECYCLE.BIN\S-1-5-21-587429654-1855694383-2268796072-1000\desktop.ini LB3.exe -
Drops file in System32 directory 4 IoCs
description ioc Process File created C:\Windows\system32\spool\PRINTERS\PP42n0el3erby9qkcj2xrdp65md.TMP printfilterpipelinesvc.exe File created C:\Windows\system32\spool\PRINTERS\PPt0mh2z2fah4tokqtyhg4tgzq.TMP printfilterpipelinesvc.exe File created C:\Windows\system32\spool\PRINTERS\PP09nezjuhvmqfdgi_k_ig0mc0c.TMP printfilterpipelinesvc.exe File created C:\Windows\system32\spool\PRINTERS\00002.SPL splwow64.exe -
Sets desktop wallpaper using registry 2 TTPs 3 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-587429654-1855694383-2268796072-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\VUMgQG2yL.bmp" LB3.exe Set value (str) \REGISTRY\USER\S-1-5-21-587429654-1855694383-2268796072-1000\Control Panel\Desktop\WallPaper LB3Decryptor.exe Set value (str) \REGISTRY\USER\S-1-5-21-587429654-1855694383-2268796072-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\VUMgQG2yL.bmp" LB3.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 7 IoCs
pid Process 4888 LB3Decryptor.exe 2800 LB3.exe 2800 LB3.exe 2800 LB3.exe 2800 LB3.exe 1940 B07B.tmp 5712 LB3Decryptor.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
pid pid_target Process procid_target 3620 2456 WerFault.exe 135 -
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 ONENOTE.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz ONENOTE.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString ONENOTE.EXE -
Enumerates system info in registry 2 TTPs 3 IoCs
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily ONENOTE.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU ONENOTE.EXE Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS ONENOTE.EXE -
Modifies Control Panel 3 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-587429654-1855694383-2268796072-1000\Control Panel\Desktop LB3.exe Set value (str) \REGISTRY\USER\S-1-5-21-587429654-1855694383-2268796072-1000\Control Panel\Desktop\WallpaperStyle = "10" LB3.exe Key created \REGISTRY\USER\S-1-5-21-587429654-1855694383-2268796072-1000\Control Panel\Desktop LB3Decryptor.exe -
Modifies registry class 11 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-587429654-1855694383-2268796072-1000_Classes\Local Settings OpenWith.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.VUMgQG2yL LB3.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.VUMgQG2yL\ = "VUMgQG2yL" LB3.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VUMgQG2yL\DefaultIcon\ = "C:\\ProgramData\\VUMgQG2yL.ico" LB3.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\CLASSES\VUMGQG2YL\DEFAULTICON LB3Decryptor.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\VUMgQG2yL LB3Decryptor.exe Key created \REGISTRY\USER\S-1-5-21-587429654-1855694383-2268796072-1000_Classes\Local Settings cmd.exe Key created \REGISTRY\USER\S-1-5-21-587429654-1855694383-2268796072-1000_Classes\Local Settings OpenWith.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VUMgQG2yL\DefaultIcon LB3.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VUMgQG2yL LB3.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\CLASSES\.VUMGQG2YL LB3Decryptor.exe -
Opens file in notepad (likely ransom note) 5 IoCs
pid Process 1396 NOTEPAD.EXE 404 NOTEPAD.EXE 4604 NOTEPAD.EXE 372 NOTEPAD.EXE 1516 NOTEPAD.EXE -
Suspicious behavior: AddClipboardFormatListener 3 IoCs
pid Process 3312 vlc.exe 4004 ONENOTE.EXE 4004 ONENOTE.EXE -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 4888 LB3Decryptor.exe 4888 LB3Decryptor.exe 2800 LB3.exe 2800 LB3.exe 2800 LB3.exe 2800 LB3.exe 2800 LB3.exe 2800 LB3.exe 2800 LB3.exe 2800 LB3.exe 2800 LB3.exe 2800 LB3.exe 2800 LB3.exe 2800 LB3.exe 2800 LB3.exe 2800 LB3.exe 2800 LB3.exe 2800 LB3.exe 2800 LB3.exe 2800 LB3.exe 2800 LB3.exe 2800 LB3.exe 2800 LB3.exe 2800 LB3.exe 2800 LB3.exe 2800 LB3.exe 2800 LB3.exe 2800 LB3.exe 2800 LB3.exe 2800 LB3.exe 2800 LB3.exe 2800 LB3.exe 2800 LB3.exe 2800 LB3.exe 2800 LB3.exe 2800 LB3.exe 2800 LB3.exe 2800 LB3.exe 2800 LB3.exe 2800 LB3.exe 2800 LB3.exe 2800 LB3.exe 2800 LB3.exe 2800 LB3.exe 2800 LB3.exe 2800 LB3.exe 2800 LB3.exe 2800 LB3.exe 2800 LB3.exe 2800 LB3.exe 2800 LB3.exe 2800 LB3.exe 2800 LB3.exe 2800 LB3.exe 2800 LB3.exe 2800 LB3.exe 2800 LB3.exe 2800 LB3.exe 2800 LB3.exe 2800 LB3.exe 2800 LB3.exe 2800 LB3.exe 2800 LB3.exe 2800 LB3.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 3312 vlc.exe -
Suspicious behavior: RenamesItself 2 IoCs
pid Process 2800 LB3.exe 5712 LB3Decryptor.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeRestorePrivilege 4156 7zG.exe Token: 35 4156 7zG.exe Token: SeSecurityPrivilege 4156 7zG.exe Token: SeSecurityPrivilege 4156 7zG.exe Token: SeBackupPrivilege 4888 LB3Decryptor.exe Token: SeDebugPrivilege 4888 LB3Decryptor.exe Token: 36 4888 LB3Decryptor.exe Token: SeImpersonatePrivilege 4888 LB3Decryptor.exe Token: SeIncBasePriorityPrivilege 4888 LB3Decryptor.exe Token: SeIncreaseQuotaPrivilege 4888 LB3Decryptor.exe Token: 33 4888 LB3Decryptor.exe Token: SeManageVolumePrivilege 4888 LB3Decryptor.exe Token: SeProfSingleProcessPrivilege 4888 LB3Decryptor.exe Token: SeRestorePrivilege 4888 LB3Decryptor.exe Token: SeSecurityPrivilege 4888 LB3Decryptor.exe Token: SeSystemProfilePrivilege 4888 LB3Decryptor.exe Token: SeTakeOwnershipPrivilege 4888 LB3Decryptor.exe Token: SeAssignPrimaryTokenPrivilege 2800 LB3.exe Token: SeBackupPrivilege 2800 LB3.exe Token: SeDebugPrivilege 2800 LB3.exe Token: 36 2800 LB3.exe Token: SeImpersonatePrivilege 2800 LB3.exe Token: SeIncBasePriorityPrivilege 2800 LB3.exe Token: SeIncreaseQuotaPrivilege 2800 LB3.exe Token: 33 2800 LB3.exe Token: SeManageVolumePrivilege 2800 LB3.exe Token: SeProfSingleProcessPrivilege 2800 LB3.exe Token: SeRestorePrivilege 2800 LB3.exe Token: SeSecurityPrivilege 2800 LB3.exe Token: SeSystemProfilePrivilege 2800 LB3.exe Token: SeTakeOwnershipPrivilege 2800 LB3.exe Token: SeShutdownPrivilege 2800 LB3.exe Token: SeDebugPrivilege 2800 LB3.exe Token: SeBackupPrivilege 2800 LB3.exe Token: SeBackupPrivilege 2800 LB3.exe Token: SeSecurityPrivilege 2800 LB3.exe Token: SeSecurityPrivilege 2800 LB3.exe Token: SeBackupPrivilege 2800 LB3.exe Token: SeBackupPrivilege 2800 LB3.exe Token: SeSecurityPrivilege 2800 LB3.exe Token: SeSecurityPrivilege 2800 LB3.exe Token: SeBackupPrivilege 2800 LB3.exe Token: SeBackupPrivilege 2800 LB3.exe Token: SeSecurityPrivilege 2800 LB3.exe Token: SeSecurityPrivilege 2800 LB3.exe Token: SeBackupPrivilege 2800 LB3.exe Token: SeBackupPrivilege 2800 LB3.exe Token: SeSecurityPrivilege 2800 LB3.exe Token: SeSecurityPrivilege 2800 LB3.exe Token: SeBackupPrivilege 2800 LB3.exe Token: SeBackupPrivilege 2800 LB3.exe Token: SeSecurityPrivilege 2800 LB3.exe Token: SeSecurityPrivilege 2800 LB3.exe Token: SeBackupPrivilege 2800 LB3.exe Token: SeBackupPrivilege 2800 LB3.exe Token: SeSecurityPrivilege 2800 LB3.exe Token: SeSecurityPrivilege 2800 LB3.exe Token: SeBackupPrivilege 2800 LB3.exe Token: SeBackupPrivilege 2800 LB3.exe Token: SeSecurityPrivilege 2800 LB3.exe Token: SeSecurityPrivilege 2800 LB3.exe Token: SeBackupPrivilege 2800 LB3.exe Token: SeBackupPrivilege 2800 LB3.exe Token: SeSecurityPrivilege 2800 LB3.exe -
Suspicious use of FindShellTrayWindow 5 IoCs
pid Process 4156 7zG.exe 3312 vlc.exe 3312 vlc.exe 3312 vlc.exe 3312 vlc.exe -
Suspicious use of SendNotifyMessage 3 IoCs
pid Process 3312 vlc.exe 3312 vlc.exe 3312 vlc.exe -
Suspicious use of SetWindowsHookEx 31 IoCs
pid Process 556 OpenWith.exe 3472 OpenWith.exe 3472 OpenWith.exe 3472 OpenWith.exe 3472 OpenWith.exe 3472 OpenWith.exe 3472 OpenWith.exe 3472 OpenWith.exe 3472 OpenWith.exe 3472 OpenWith.exe 3472 OpenWith.exe 3472 OpenWith.exe 3472 OpenWith.exe 3472 OpenWith.exe 4888 LB3Decryptor.exe 3312 vlc.exe 4004 ONENOTE.EXE 4004 ONENOTE.EXE 4004 ONENOTE.EXE 4004 ONENOTE.EXE 4004 ONENOTE.EXE 4004 ONENOTE.EXE 4004 ONENOTE.EXE 4004 ONENOTE.EXE 4004 ONENOTE.EXE 4004 ONENOTE.EXE 4004 ONENOTE.EXE 4004 ONENOTE.EXE 4004 ONENOTE.EXE 4004 ONENOTE.EXE 5712 LB3Decryptor.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2644 wrote to memory of 1608 2644 cmd.exe 100 PID 2644 wrote to memory of 1608 2644 cmd.exe 100 PID 2644 wrote to memory of 1608 2644 cmd.exe 100 PID 2644 wrote to memory of 4808 2644 cmd.exe 101 PID 2644 wrote to memory of 4808 2644 cmd.exe 101 PID 2644 wrote to memory of 4808 2644 cmd.exe 101 PID 2644 wrote to memory of 3452 2644 cmd.exe 102 PID 2644 wrote to memory of 3452 2644 cmd.exe 102 PID 2644 wrote to memory of 3452 2644 cmd.exe 102 PID 2644 wrote to memory of 1264 2644 cmd.exe 103 PID 2644 wrote to memory of 1264 2644 cmd.exe 103 PID 2644 wrote to memory of 1264 2644 cmd.exe 103 PID 2644 wrote to memory of 4008 2644 cmd.exe 104 PID 2644 wrote to memory of 4008 2644 cmd.exe 104 PID 2644 wrote to memory of 4008 2644 cmd.exe 104 PID 2644 wrote to memory of 4360 2644 cmd.exe 105 PID 2644 wrote to memory of 4360 2644 cmd.exe 105 PID 2644 wrote to memory of 4360 2644 cmd.exe 105 PID 2644 wrote to memory of 2704 2644 cmd.exe 106 PID 2644 wrote to memory of 2704 2644 cmd.exe 106 PID 2644 wrote to memory of 2704 2644 cmd.exe 106 PID 3008 wrote to memory of 4024 3008 cmd.exe 110 PID 3008 wrote to memory of 4024 3008 cmd.exe 110 PID 3008 wrote to memory of 4024 3008 cmd.exe 110 PID 3008 wrote to memory of 3236 3008 cmd.exe 111 PID 3008 wrote to memory of 3236 3008 cmd.exe 111 PID 3008 wrote to memory of 3236 3008 cmd.exe 111 PID 3008 wrote to memory of 1236 3008 cmd.exe 112 PID 3008 wrote to memory of 1236 3008 cmd.exe 112 PID 3008 wrote to memory of 1236 3008 cmd.exe 112 PID 3008 wrote to memory of 1592 3008 cmd.exe 113 PID 3008 wrote to memory of 1592 3008 cmd.exe 113 PID 3008 wrote to memory of 1592 3008 cmd.exe 113 PID 3008 wrote to memory of 3656 3008 cmd.exe 114 PID 3008 wrote to memory of 3656 3008 cmd.exe 114 PID 3008 wrote to memory of 3656 3008 cmd.exe 114 PID 3008 wrote to memory of 4492 3008 cmd.exe 116 PID 3008 wrote to memory of 4492 3008 cmd.exe 116 PID 3008 wrote to memory of 4492 3008 cmd.exe 116 PID 3008 wrote to memory of 4268 3008 cmd.exe 117 PID 3008 wrote to memory of 4268 3008 cmd.exe 117 PID 3008 wrote to memory of 4268 3008 cmd.exe 117 PID 1920 wrote to memory of 2232 1920 cmd.exe 120 PID 1920 wrote to memory of 2232 1920 cmd.exe 120 PID 1920 wrote to memory of 2232 1920 cmd.exe 120 PID 1920 wrote to memory of 2220 1920 cmd.exe 121 PID 1920 wrote to memory of 2220 1920 cmd.exe 121 PID 1920 wrote to memory of 2220 1920 cmd.exe 121 PID 1920 wrote to memory of 2868 1920 cmd.exe 122 PID 1920 wrote to memory of 2868 1920 cmd.exe 122 PID 1920 wrote to memory of 2868 1920 cmd.exe 122 PID 1920 wrote to memory of 2228 1920 cmd.exe 123 PID 1920 wrote to memory of 2228 1920 cmd.exe 123 PID 1920 wrote to memory of 2228 1920 cmd.exe 123 PID 1920 wrote to memory of 1004 1920 cmd.exe 124 PID 1920 wrote to memory of 1004 1920 cmd.exe 124 PID 1920 wrote to memory of 1004 1920 cmd.exe 124 PID 1920 wrote to memory of 4812 1920 cmd.exe 125 PID 1920 wrote to memory of 4812 1920 cmd.exe 125 PID 1920 wrote to memory of 4812 1920 cmd.exe 125 PID 1920 wrote to memory of 228 1920 cmd.exe 126 PID 1920 wrote to memory of 228 1920 cmd.exe 126 PID 1920 wrote to memory of 228 1920 cmd.exe 126 PID 3472 wrote to memory of 1516 3472 OpenWith.exe 128
Processes
-
C:\Windows\system32\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\Lockbit 3 Builder.7z"1⤵
- Modifies registry class
PID:2992
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:556
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵PID:1656
-
C:\Program Files\7-Zip\7zG.exe"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\" -an -ai#7zMap17622:90:7zEvent181261⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4156
-
C:\Windows\System32\NOTEPAD.EXE"C:\Windows\System32\NOTEPAD.EXE" C:\Users\Admin\Desktop\LBLeak\Build.bat1⤵
- Opens file in notepad (likely ransom note)
PID:372
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\LBLeak\Build.bat" "1⤵
- Suspicious use of WriteProcessMemory
PID:2644 -
C:\Users\Admin\Desktop\LBLeak\keygen.exekeygen -path C:\Users\Admin\Desktop\LBLeak\Build -pubkey pub.key -privkey priv.key2⤵
- Executes dropped EXE
PID:1608
-
-
C:\Users\Admin\Desktop\LBLeak\builder.exebuilder -type dec -privkey C:\Users\Admin\Desktop\LBLeak\Build\priv.key -config config.json -ofile C:\Users\Admin\Desktop\LBLeak\Build\LB3Decryptor.exe2⤵
- Executes dropped EXE
PID:4808
-
-
C:\Users\Admin\Desktop\LBLeak\builder.exebuilder -type enc -exe -pubkey C:\Users\Admin\Desktop\LBLeak\Build\pub.key -config config.json -ofile C:\Users\Admin\Desktop\LBLeak\Build\LB3.exe2⤵
- Executes dropped EXE
PID:3452
-
-
C:\Users\Admin\Desktop\LBLeak\builder.exebuilder -type enc -exe -pass -pubkey C:\Users\Admin\Desktop\LBLeak\Build\pub.key -config config.json -ofile C:\Users\Admin\Desktop\LBLeak\Build\LB3_pass.exe2⤵
- Executes dropped EXE
PID:1264
-
-
C:\Users\Admin\Desktop\LBLeak\builder.exebuilder -type enc -dll -pubkey C:\Users\Admin\Desktop\LBLeak\Build\pub.key -config config.json -ofile C:\Users\Admin\Desktop\LBLeak\Build\LB3_Rundll32.dll2⤵
- Executes dropped EXE
PID:4008
-
-
C:\Users\Admin\Desktop\LBLeak\builder.exebuilder -type enc -dll -pass -pubkey C:\Users\Admin\Desktop\LBLeak\Build\pub.key -config config.json -ofile C:\Users\Admin\Desktop\LBLeak\Build\LB3_Rundll32_pass.dll2⤵
- Executes dropped EXE
PID:4360
-
-
C:\Users\Admin\Desktop\LBLeak\builder.exebuilder -type enc -ref -pubkey C:\Users\Admin\Desktop\LBLeak\Build\pub.key -config config.json -ofile C:\Users\Admin\Desktop\LBLeak\Build\LB3_ReflectiveDll_DllMain.dll2⤵
- Executes dropped EXE
PID:2704
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\LBLeak\Build.bat" "1⤵
- Suspicious use of WriteProcessMemory
PID:3008 -
C:\Users\Admin\Desktop\LBLeak\keygen.exekeygen -path C:\Users\Admin\Desktop\LBLeak\Build -pubkey pub.key -privkey priv.key2⤵
- Executes dropped EXE
PID:4024
-
-
C:\Users\Admin\Desktop\LBLeak\builder.exebuilder -type dec -privkey C:\Users\Admin\Desktop\LBLeak\Build\priv.key -config config.json -ofile C:\Users\Admin\Desktop\LBLeak\Build\LB3Decryptor.exe2⤵
- Executes dropped EXE
PID:3236
-
-
C:\Users\Admin\Desktop\LBLeak\builder.exebuilder -type enc -exe -pubkey C:\Users\Admin\Desktop\LBLeak\Build\pub.key -config config.json -ofile C:\Users\Admin\Desktop\LBLeak\Build\LB3.exe2⤵
- Executes dropped EXE
PID:1236
-
-
C:\Users\Admin\Desktop\LBLeak\builder.exebuilder -type enc -exe -pass -pubkey C:\Users\Admin\Desktop\LBLeak\Build\pub.key -config config.json -ofile C:\Users\Admin\Desktop\LBLeak\Build\LB3_pass.exe2⤵
- Executes dropped EXE
PID:1592
-
-
C:\Users\Admin\Desktop\LBLeak\builder.exebuilder -type enc -dll -pubkey C:\Users\Admin\Desktop\LBLeak\Build\pub.key -config config.json -ofile C:\Users\Admin\Desktop\LBLeak\Build\LB3_Rundll32.dll2⤵
- Executes dropped EXE
PID:3656
-
-
C:\Users\Admin\Desktop\LBLeak\builder.exebuilder -type enc -dll -pass -pubkey C:\Users\Admin\Desktop\LBLeak\Build\pub.key -config config.json -ofile C:\Users\Admin\Desktop\LBLeak\Build\LB3_Rundll32_pass.dll2⤵
- Executes dropped EXE
PID:4492
-
-
C:\Users\Admin\Desktop\LBLeak\builder.exebuilder -type enc -ref -pubkey C:\Users\Admin\Desktop\LBLeak\Build\pub.key -config config.json -ofile C:\Users\Admin\Desktop\LBLeak\Build\LB3_ReflectiveDll_DllMain.dll2⤵
- Executes dropped EXE
PID:4268
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\LBLeak\Build.bat" "1⤵
- Suspicious use of WriteProcessMemory
PID:1920 -
C:\Users\Admin\Desktop\LBLeak\keygen.exekeygen -path C:\Users\Admin\Desktop\LBLeak\Build -pubkey pub.key -privkey priv.key2⤵
- Executes dropped EXE
PID:2232
-
-
C:\Users\Admin\Desktop\LBLeak\builder.exebuilder -type dec -privkey C:\Users\Admin\Desktop\LBLeak\Build\priv.key -config config.json -ofile C:\Users\Admin\Desktop\LBLeak\Build\LB3Decryptor.exe2⤵
- Executes dropped EXE
PID:2220
-
-
C:\Users\Admin\Desktop\LBLeak\builder.exebuilder -type enc -exe -pubkey C:\Users\Admin\Desktop\LBLeak\Build\pub.key -config config.json -ofile C:\Users\Admin\Desktop\LBLeak\Build\LB3.exe2⤵
- Executes dropped EXE
PID:2868
-
-
C:\Users\Admin\Desktop\LBLeak\builder.exebuilder -type enc -exe -pass -pubkey C:\Users\Admin\Desktop\LBLeak\Build\pub.key -config config.json -ofile C:\Users\Admin\Desktop\LBLeak\Build\LB3_pass.exe2⤵
- Executes dropped EXE
PID:2228
-
-
C:\Users\Admin\Desktop\LBLeak\builder.exebuilder -type enc -dll -pubkey C:\Users\Admin\Desktop\LBLeak\Build\pub.key -config config.json -ofile C:\Users\Admin\Desktop\LBLeak\Build\LB3_Rundll32.dll2⤵
- Executes dropped EXE
PID:1004
-
-
C:\Users\Admin\Desktop\LBLeak\builder.exebuilder -type enc -dll -pass -pubkey C:\Users\Admin\Desktop\LBLeak\Build\pub.key -config config.json -ofile C:\Users\Admin\Desktop\LBLeak\Build\LB3_Rundll32_pass.dll2⤵
- Executes dropped EXE
PID:4812
-
-
C:\Users\Admin\Desktop\LBLeak\builder.exebuilder -type enc -ref -pubkey C:\Users\Admin\Desktop\LBLeak\Build\pub.key -config config.json -ofile C:\Users\Admin\Desktop\LBLeak\Build\LB3_ReflectiveDll_DllMain.dll2⤵
- Executes dropped EXE
PID:228
-
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3472 -
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\LBLeak\config.json2⤵
- Opens file in notepad (likely ransom note)
PID:1516
-
-
C:\Users\Admin\Desktop\LBLeak\builder.exe"C:\Users\Admin\Desktop\LBLeak\builder.exe"1⤵
- Executes dropped EXE
PID:2208
-
C:\Users\Admin\Desktop\LBLeak\builder.exe"C:\Users\Admin\Desktop\LBLeak\builder.exe"1⤵
- Executes dropped EXE
PID:2652
-
C:\Users\Admin\Desktop\LBLeak\keygen.exe"C:\Users\Admin\Desktop\LBLeak\keygen.exe"1⤵
- Executes dropped EXE
PID:3752
-
C:\Users\Admin\Desktop\LBLeak\builder.exe"C:\Users\Admin\Desktop\LBLeak\builder.exe"1⤵
- Executes dropped EXE
PID:3664
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\LBLeak\Build\Password_exe.txt1⤵
- Opens file in notepad (likely ransom note)
PID:1396
-
C:\Users\Admin\Desktop\LBLeak\Build\LB3Decryptor.exe"C:\Users\Admin\Desktop\LBLeak\Build\LB3Decryptor.exe"1⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4888
-
C:\Users\Admin\Desktop\LBLeak\Build\LB3_pass.exe"C:\Users\Admin\Desktop\LBLeak\Build\LB3_pass.exe"1⤵
- Executes dropped EXE
PID:2456 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2456 -s 2642⤵
- Program crash
PID:3620
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2456 -ip 24561⤵PID:3260
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\LBLeak\Build\DECRYPTION_ID.txt1⤵
- Opens file in notepad (likely ransom note)
PID:404
-
C:\Users\Admin\Desktop\LB3.exe"C:\Users\Admin\Desktop\LB3.exe"1⤵
- Executes dropped EXE
- Drops desktop.ini file(s)
- Sets desktop wallpaper using registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies Control Panel
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
PID:2800 -
C:\Windows\splwow64.exeC:\Windows\splwow64.exe 122882⤵
- Drops file in System32 directory
PID:780
-
-
C:\ProgramData\B07B.tmp"C:\ProgramData\B07B.tmp"2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:1940 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\B07B.tmp >> NUL3⤵PID:5240
-
-
-
C:\Program Files\VideoLAN\VLC\vlc.exe"C:\Program Files\VideoLAN\VLC\vlc.exe"1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:3312
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc1⤵PID:2444
-
C:\Windows\system32\printfilterpipelinesvc.exeC:\Windows\system32\printfilterpipelinesvc.exe -Embedding1⤵
- Drops file in System32 directory
PID:2052 -
C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE/insertdoc "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\{0AAAE9D6-E23C-4696-8370-A5BA48E89F55}.xps" 1336493546285500002⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:4004
-
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\VUMgQG2yL.README.txt1⤵
- Opens file in notepad (likely ransom note)
PID:4604
-
C:\Users\Admin\Desktop\LBLeak\Build\LB3Decryptor.exe"C:\Users\Admin\Desktop\LBLeak\Build\LB3Decryptor.exe"1⤵
- Executes dropped EXE
- Sets desktop wallpaper using registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies Control Panel
- Modifies registry class
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
PID:5712
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
129B
MD58d49b769892ebbfd7209f3d6ec503a53
SHA1865f514ea9f6e12cd150607c5754e5fe683364fc
SHA2564ccd0c08a012fd56db9401c7af8df786e00fdc236da2f14e52bde175b30e1361
SHA512f38603444a08fbb1a9dca3b240a0f678f0be0227622d09a36786f958b8840129b11f6e1edb4961f700a9839d022a44a2c0569eaa0d9c9b1f301ba53442136052
-
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\Microsoft_AutoGenerated_{A5E73466-E220-8EF4-B956-A582187356D9}
Filesize36KB
MD58aaad0f4eb7d3c65f81c6e6b496ba889
SHA1231237a501b9433c292991e4ec200b25c1589050
SHA256813c66ce7dec4cff9c55fb6f809eab909421e37f69ff30e4acaa502365a32bd1
SHA5121a83ce732dc47853bf6e8f4249054f41b0dea8505cda73433b37dfa16114f27bfed3b4b3ba580aa9d53c3dcc8d48bf571a45f7c0468e6a0f2a227a7e59e17d62
-
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}_comexp_msc
Filesize36KB
MD5eab75a01498a0489b0c35e8b7d0036e5
SHA1fd80fe2630e0443d1a1cef2bdb21257f3a162f86
SHA256fdf01d2265452465fcbed01f1fdd994d8cbb41a40bbb1988166604c5450ead47
SHA5122ec6c4f34dcf00b6588b536f15e3fe4d98a0b663c8d2a2df06aa7cface88e072e2c2b1b9aaf4dc5a17b29023a85297f1a007ff60b5d6d0c65d1546bf0e12dd45
-
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{b2206781-2b6c-4e21-82f5-5c577f462bdd}\0.2.filtertrie.intermediate.txt
Filesize5B
MD5c204e9faaf8565ad333828beff2d786e
SHA17d23864f5e2a12c1a5f93b555d2d3e7c8f78eec1
SHA256d65b6a3bf11a27a1ced1f7e98082246e40cf01289fd47fe4a5ed46c221f2f73f
SHA512e72f4f79a4ae2e5e40a41b322bc0408a6dec282f90e01e0a8aaedf9fb9d6f04a60f45a844595727539c1643328e9c1b989b90785271cc30a6550bbda6b1909f8
-
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133645844182739081.txt
Filesize77KB
MD58d6adec90b1f0c8e35b87b83589a9899
SHA1ce259d6dad60394f654208a045dbaa587d0f7659
SHA256e85761ea6c839a64dedeebe6d26e03cd04c1072c16ff433c8df3dd215af65c47
SHA5121705fd2a3221474a70fc28e1c2a0e189b7780f2ce4e70d3c4d0492646258a5b9b0541cb2509d26afec79b4526b3ef9e693dca1a56e21114fb4d0cdd8f4597a48
-
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133645849055511928.txt
Filesize47KB
MD590d68a664d9767df58ae3e6d921db0f8
SHA19d22b9b4c9eff59fd890fc29b9fd72cb1af7f85f
SHA2561820a2ca747cc781617b5caec13af2d3ff19bd16ae33309ba6947b2644475abd
SHA51219c767e7a9813efaf1f171684573604160279e6d52045ed08b8b4f0e816a3b816f319fb989db3160d993b63d4ebd7bba1b2fb50e19931439e05d6ab359bdf385
-
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133649353830701555.txt
Filesize75KB
MD56e31b65cd7ab8e91badc007aff158a64
SHA1a373c07b5328cdba0d434928df8f28f839bdcdde
SHA2561f39993abfba6ef2cd6af4f1f9ee66af2673780a38bc0bf9547960ab030ffe74
SHA512cc7726357446faeb0ca93df3c11fb9d6737a8a8e5059b3e12d1ed9df574d48756dfd7d940ee9a57f1cb5f83141fce5f6cf7c21c7a5efe59b54209fba7eeed758
-
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.XGpuEjectDialog_cw5n1h2txyewy\Settings\settings.dat
Filesize8KB
MD5a8308d2f3dde0745e8b678bf69a2ecd0
SHA1c0ee6155b9b6913c69678f323e2eabfd377c479a
SHA2567fbb3e503ed8a4a8e5d5fab601883cbb31d2e06d6b598460e570fb7a763ee555
SHA5129a86d28d40efc655390fea3b78396415ea1b915a1a0ec49bd67073825cfea1a8d94723277186e791614804a5ea2c12f97ac31fad2bf0d91e8e035bde2d026893
-
Filesize
63KB
MD5e516a60bc980095e8d156b1a99ab5eee
SHA1238e243ffc12d4e012fd020c9822703109b987f6
SHA256543796a1b343b4ebc0285d89cb8eb70667ac7b513da37495e38003704e9d88d7
SHA5129b51e99ba20e9da56d1acc24a1cf9f9c9dbdeb742bec034e0ff2bc179a60f4aff249f40344f9ddd43229dcdefa1041940f65afb336d46c175ffeff725c638d58
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4qx8f0t2.default-release\storage\permanent\chrome\idb\3561288849sdhlie.sqlite
Filesize48KB
MD58c8937878b9cfd6f48c87650ef4a1356
SHA1d73c09375127145bda00283501ad4f81f9298e31
SHA25627d3bba73b5328cfc2a7d3dd67358f35e74a3b017b458f4f950663739abf195d
SHA51214b3c7af22e2509dd21054bc2b4b8bc5670b35de48c908f54d28303ce99f3558e3b561ebd2af05d82d19762002a7681fd012ab16d68b1c42395269cdd50944ef
-
Filesize
153KB
MD57d12a560f30e749d56b0ca50c8d976e8
SHA103542cf97fe1c00bdd88913153c8baaac4b7f707
SHA256bb1d39119bfa2b948d469595ad1a15a4dd0ae22c86b4e78b0fb5a76f0b2b0551
SHA512562c83d2d2e57be0e2ef48820f6a137e1b418e7b4acc60c3da58ec66f1d58d05e8e91ca236a5cce426c3c3ae6fafe33943fd4e7af18cb4a29ff20ef7130b0080
-
Filesize
153KB
MD5f62c5fef379b939cacc5a557eabb49f6
SHA15e0a4affe7645c4084a3fd812c5d16706ce14494
SHA2566669e14d8d061e2dad7771e0b8063966aa68c657e9f193be44111222484dfb80
SHA5125c3f5a567e9ae121995df4eab6b333bb5bcf4df8d8df652bcfbc6468ad5a0864859435d48af97e7df58c5c5b8c54355c88c54d21a957f90d3f8fdaefe115028f
-
Filesize
741B
MD54e46e28b2e61643f6af70a8b19e5cb1f
SHA1804a1d0c4a280b18e778e4b97f85562fa6d5a4e6
SHA2568e83a1727696ced618289f79674b97305d88beeeabf46bd25fc77ac53c1ae339
SHA512009b17b515ff0ea612e54d8751eef07f1e2b54db07e6cd69a95e7adf775f3c79a0ea91bff2fe593f2314807fdc00c75d80f1807b7dbe90f0fcf94607e675047b
-
Filesize
16B
MD51dec59fd6cda36f3ff42b064ee7da583
SHA1f7eac42bed91ef55715e11514d6b95368bd0d805
SHA25633de63647ac94f8b9f7ea7d1be790b41d04f4b725ad3d7b33be9bafcab919d40
SHA5128d472cf154b4d79aa6532c168f07a3b2557c52c619cc0558ebe36b41592c5ee54effccb9a54aece6ed19d8d7a8cfe93da1b08fed4296149a5da921ce668a7015
-
Filesize
16B
MD574b8606b53b4dbc94e40dfd134fb37c0
SHA1e7e945fc31c302a2820bfaa7df24c2b51f6ab066
SHA2564fd9682c26c9c68c2dc4908516c8ff4ccbd8586da1190d8da36bba4613f79e63
SHA512f41b5098da452316ec8fd05ee698ad0da8f567693d5d99f5ea878e52e45e73e3737b4ed76fdd93262048e4d2e0628f9c1f5e44d8d53c22afa74c97e7af2b350d
-
Filesize
16B
MD50bd0679a35a1b39e4d3fead3d2057ea2
SHA13ed50f2dda1535b59cd5e0aee5e5d984d3fdc467
SHA256bfa08208ada629b8578b088f11554446b3a9f179760c7b330d85fa24118cf3a5
SHA512d981f96a98525b0193c7cd28ef96e7e5da4fb23171fe36682f8d0fa1f52dde6c749908e94254f9a1801c9df17059093ebd1972d83be7583c1232ffe88faccc25
-
Filesize
153KB
MD57d7e3fd9432e217526d9952985e30f2d
SHA165fd60efcc98f03d44d5541e7d6a00a664c95afb
SHA256efda61fd4632b8784940508d4fb342581affe3ec57444b3897492fa26f96308a
SHA51231bf1555041ad262dac43202d67ef796a8441da4df5768d90486ff1ea3167fa8f89397758c89a40a7df6e126b796710cbd8fc831978ec6ae36e6ca6705eadfa7
-
Filesize
153KB
MD5ad862b53f5cc4ed408cd174c44007047
SHA1f66a7b9107e22143895d551b9eaa1ebae2c1495e
SHA25696934344f6096b4e3d4e7e79c1314fcdd52dff5ebf6d24dcd94ff37153d778bf
SHA512b7333780fb9bf70069d24f8dc8abda54082cb13b71333712707570dcdbf26aaf8759b79122109e1b978beb4a03758a05309aa21a124801b2ba0adb6006f24c9c
-
Filesize
54KB
MD5ed5eea3c08e1103c3368ef4c529a9ab3
SHA1deac09a37f8632a981bc16f15f32c76f15351c4d
SHA2560d0e07b30b43e00621a5d65bc727d34cd6b24bbe6415b7ee354197edb0006b80
SHA5123bbfdb9b3aa37cb0b426eb7982d455fb055b424800779f491b8bd4287288086f450131ed5300fbff0e04b7ee3dd675472dfce8e2d46b0f1ab5761cb09b3d0902
-
Filesize
54KB
MD5a5ba023cc4dd848fbec1b3cc97e1e0b9
SHA1f3f9922683448c4a56d809f6b9d4e81c46b3ca40
SHA2563315f597c08be9bd4c69d55e25f12e3c117e054b9b8f6a4e7f3774b8ebf679d4
SHA512fd32f67ccae87f858a4478b71ad2c1bc3d8e4c22964bd6d0d71b734633cb96f48e9094aa73413a8f2ce54fbaffd89dc430f0760eb9b2b4273327154c28a80842
-
Filesize
54KB
MD5f53ad486dffe58f507a2ca29aaf43e2e
SHA1a7117f03e487968d5b4640251ed271e585523b05
SHA2564ef7721fe21b31cd249549746939049d113ee9920a302fecf83e613c950b252e
SHA5120b307b9c917dbfe15b27753c4f5375b9cc17b44f667124784d5efc5c77ee1467137f19f295648d004187cef2148298591f4d9bf4cc6b43a1b51e2e2809e0b778
-
Filesize
107KB
MD5347ac69cd40289f97f1b3c6fab3205a5
SHA103e9486c788a4baf40cf306ea7d5b3fd99ba1fa6
SHA2560229f1bfa9a8336da1420a0e7ea5e287176ea2891712e3b3432b72145162e3cb
SHA5121357791eb702d5c04d6d3dddb46b7b3ea80ad7875232fe217973c7ae71c70602ae890b1da836b86ae37932748eb6ffd69b6af1731dddf7422901ec5b7ab28045
-
Filesize
107KB
MD5b90884bf56191ad11c75e46580686b2e
SHA1ea3d70040c5bd31bf72d4d9e0dbf38a9d28e330f
SHA25605a7d8d3989f5956bd45844f9dbc889209f9cd25e7c25a52b968272953a30710
SHA51233d3bef7f70d5b7f4aae120aabc849074c626a55c2a748c1ca98cac467941339bd07de2aff212cdea078711e44bbc3a29b9c4b03e64617791e01f4e0c40138e2
-
Filesize
152KB
MD5ae19268971f1607d1e8884c7307258bd
SHA11f34c9519cbee465dc211e4823355927d2d2cb6f
SHA25628104570c3bfac2a536ec4ed2259cd4907026c0edaab27154a8863e233f1fc94
SHA5123dcb4d2b167cb47ff79ab991e8888c67ab12e161d358390e256e8ad6123b9cf1b5c768f961a01ffe44e9029cc0072fc3f96e5b32f7574595d8d5efe2a731e99a
-
Filesize
152KB
MD591fc0e1219cb91507a3ccf12f5580e5a
SHA16c907d514957245d994a227113ef3a3e1d0b6f12
SHA256cebfae49ac7f84abf09d4f49df26ebab2bce8d3ad87950baa041901616aa8a05
SHA512a8014552c5843db6c4da439056d83779b1140c88883832085ade2c50fb6aaa3ea444ca4007ff16b8d5e30b4a49798c12b41eead2e9f75ab93692131c025b9556
-
Filesize
148KB
MD5c007e50ecd4c8d38d51ba63ddd99333d
SHA17834bdc2fb502058e7da47a910075a4b7ca54193
SHA2562c57347035c061753de49bb5cd81b3aa63c63c61539ae0773bd82eba5d0de2b7
SHA512836f521fc4861fc0e06640ddbcf9ed3ae49239d49ae42b662af910e6a5aecc8fc8d14f5606a0c89cfe6852da224e575b9b841e64f7b488444a50c461e3de8133
-
Filesize
148KB
MD567583abed126e4f3a1d63624e7a35693
SHA13c33aa9559ec019580a861327284d5b4d2aebdef
SHA2567ec39b5098cd379158c1f81c4b2ccc91c443ec12628b0951258ec5b6cf5aec40
SHA512405ae8d3e8fafe4e888d76b3299490e563de9bd7ce927621ef97e081d54be8750c0e204efffa21a6d7db700decb61b1dda4b9273f4585c53f998fb3141492880
-
Filesize
149KB
MD566fbb87b5030be11caeeefb753dc9e0b
SHA12b1e9cb2fe28616bc978fe1b6bfc036de9fcee32
SHA25618c52b5f7992db72fc3f564701fe34f1e92b73c6251fb60a356c8483f21bd1b5
SHA512521c40e660a58178020cb28d0f5156efd15cbcc1e09934d24ffe482b16ec7d36c57f9b03fb83f34bade294602105d36e6f9e419fcf6aca3c3d065039254f305a
-
Filesize
149KB
MD52802f63b5ecb0a3c0829e30e8f32bea7
SHA1d5a5e34c6c16553cb41f905ba3974b5cbd6b26d4
SHA2565fb617c65fb8aa330ddd99e61ee9868406844c88854b1af16c789b22e7465b3d
SHA5122b75a12332eb9cfabe298704b8868e58533eaa14aa600f0d8c8bdd42f002b48253e82df2d1d3d859522aa0492acbf97e03ae9893f93930f087c41dc8ad102f72
-
Filesize
149KB
MD56c4b84c25a27b6e786edc44fd5dd0cc9
SHA1f331ec107cd4bc18fa4e0a552abb40d1b842f0e0
SHA25632203f5f408a4e002f7b080a3556f9d7fc6687738cad35f011c33df53b091abd
SHA51299234feee9bcd9cd6d1294966dec323811d86df394228e6db8390f7f1e60968246f894c0917ad39aa058d513afbfa1b459024b580c8f0df6bdcd9472069687ca
-
Filesize
1KB
MD591913bade767b253973d11014ecff9c1
SHA17adb36fbe312e0bface5e2ebdfb778b18eaf30ee
SHA256344dacdce6dbc71c5e6b1508060658388e067c74e028952facb427ebd5e64d40
SHA5122a33667f41774173a8371812253f44258ff4499c1db90c696de0b5ec810c941eebe29ec15473b37ae550db6c72a133021ed53f740940695ba47b5828e1927080
-
Filesize
1KB
MD534d4ab1ebb5c14877d12328845e78fce
SHA1eff9a24c0ef50cdb945ab7cab98990dc7a736e38
SHA25673beea5961df9ae4a96c8b7dd2ef044ab4e3f06d190ff0c5bf5569ae3f07cf53
SHA51221feb053cd305504515b232838aee0b7019f87fef6d6ee102d81b0d3c0851c4fa7f9089baa3f594c19c37e1f6942cfdb675a79376fcaa37a2c87f244c6519cfe
-
Filesize
2KB
MD542e0c682e154793289ba53ba5c3baf19
SHA129b65650d229c43c46100023907eb8424779bf49
SHA2568188c61c580ea6cf99101ff8eb8c79a37f595945cd2280348b71689aa41947a0
SHA5120bc9fef93c9f29b78dcb6fdc204407d4af00e9a470e65427d5a14215e9d787459af6427bd0295f12ccbd2d49933551805f9dad24856d088649caaabd756e5032
-
Filesize
2KB
MD5f3396404086a0011c2ca297fe031469e
SHA130215b4fa8cd178442e2f4eab33033bf7737b5c5
SHA256df52bd8d3e21b979b07e9f5638711f05a766d1544775fb88e57dbb18cfb06955
SHA51218b15f144fde2291c6bb4d8ab9917047fc83819442a83d39315af3af3e8a29e94121b37cb87f2c6a09e57e8ca70340e36bc2e2714fd2c3611dc8815f4de764fa
-
Filesize
2KB
MD59eba23e26667a8ff66973b4acda98048
SHA15f9156880bfd10868a3235e6b901ae4db6027ac4
SHA2565bd4bf538e18a31aa1ed2122fdec3463a24b09169982ccfb7a76160023723444
SHA5126861e7a63c849ce58024b51bd5ae271e5de0729b47e99341ea4c9be82cb886c533e78ded2a61ce1184bc0d64453ca415f404bce78d499452d36e4912e6b51809
-
Filesize
344B
MD598dfcfa0983be1dd226b83389b172681
SHA1a1e75f96067962360dd688c42578c401f12ede83
SHA256f101ec17d0fb78a34baa7aaeb59913550cec9726f309cca6e0456ae174efbce0
SHA5123d24d518144942cfc691683a712bb367a03ab3dfaeb2ebd29edfa97dd3022cc52c25907b43b12dcb27243efaded56e211c729f7a083faac8d1dfccc8dc8a3958
-
Filesize
344B
MD51d65a380c92920dd47b926d18782ae82
SHA11a57a22c0510b8b5da5aeae4e10485193195ca8c
SHA256facc2b0ed0147f3c624430820974b8b9c1fa87f6f50dde3a0a70104ecd8bf01c
SHA51279aa828140409b92149f41abeb637bce2ec5257d20618742a36d290d7a64363f05b110e0677ef3244839dee6900cc43d78d50f00fc3f2f2b745aa753c064eeef
-
Filesize
344B
MD5b5d484b465fecf24d023db2f1a2e026d
SHA102cad3e5aaca9d94f964da1c32bd83b0993c1da1
SHA2566ace115bd203b52af93604ba69578d66d7ec662b44b7f11109bea73b85a445bf
SHA512bb20057884ecf4bba98fd21371c56cdb86bcfa8e81a13bf948c9422d729acae8b304aad2e212f252ef528e3a044151cbff85fb21f1b32cee76c0cc1d43cbdcc5
-
Filesize
344B
MD5dab64f4e553ebe2427a5d8e64b4efb83
SHA1d2a8cf7201502eb20e548662ad6ca6ba28d5eace
SHA2568d443624f09ff400086efe86d7ca2e9885749aedbc2ccf5c7804e777651c90e8
SHA51218d0b5165fcee72b0c4729e1c527d3834a6b92b4bde5b78d1a90f28902f8512ea4c4a63e63a56df1561b3db16bc754ffac1cf23612fc0d94a5ac0106c5845028
-
Filesize
344B
MD5c3c1f349255d21d7391a0c42519cf904
SHA1f1b46ed3d06ed4a1f2bd2e83622c667bcd5d0bfe
SHA25694b6ac99338e092bb2184e628e8b10a5ee4430a19793557c053a293f43170f1d
SHA51201b49fa548c9a55570e9c5f7b6262346c5166ac984041bb5385e7f9a5b294d42bb7f7852348f29ca4e76ba7a11f295817311b622aebc1048a7078cbd7fae0570
-
Filesize
344B
MD5155a4061f6820f79e6e96ff27b39ab2f
SHA12511bcb9980acc91bf2410317773b2dbfdb42eb6
SHA256fd816e330f866d98ef4f422517823ca3596092040cfa8148b4989252c256463b
SHA512a0df942d5da65a16552e8f96becd4090e2affd061766271e98ee8e12fe08e70b1153fc7b2d88c7b7e47b38e5757ccaa26dff0d0c9ca1a1b494cde3b7639200c9
-
Filesize
470KB
MD58c689dc9e82c9356b990d2b67b4943e1
SHA16bdc415b9c356bbeaea75c7336cd72910b95a644
SHA256e8e2deb0a83aebb1e2cc14846bc71715343372103f279d2d1622e383fb26d6ef
SHA512fb38a79dbcebde149736d5e1ca37dc15d274838be304d3f86e992d610b50c31d7fe4c30f6697c890f3753443af16eab712aef3f8da88d76ed00790083deb51e4
-
Filesize
8KB
MD5a6ba7b662de10b45ebe5b6b7edaa62a9
SHA1f3ed67bdaef070cd5a213b89d53c5b8022d6f266
SHA2563f7518d88aefd4b1e0a1d6f9748f9a9960c1271d679600e34f5065d8df8c9dc8
SHA5127fc9d4d61742a26def74c7dd86838482e3fc1e4e065cb3a06ae151e2c8614c9c36e8816ae0a3560ad5dd3cc02be131cb232c7deacc7f7b5a611e8eec790feea1
-
Filesize
31KB
MD55e28c7c900e4dce08366051c22f07f84
SHA1ec03fd1551d31486e2f925d9c2db3b87ffcd7018
SHA256bb76f4d10ec2c1d24be904d2ee078f34a6b5bd11f3b40f295e116fea44824b89
SHA512fb45d7466d8a979ca78202be20175585e8d560a4cfcc81d3ef15edeb2d292cb5a05cdb93718cef685f1c8ee94cabf6c35ff010785d774057d045ba7b8a478a1e
-
Filesize
4KB
MD50ba75ec717f31d2e6733ad47b381e221
SHA153ac92daf1542165114c16d42252fd919d9a27b2
SHA25694f34c86315edd2c9dbc7e50763d6c7488891704b311110054d7863b4bcf8099
SHA512aa1a82c2553ae80245ba5b1803553bccf8bd454eab339a13a5de32560bcad0c986a54c06469e54a3abed069b7c6a7871aac22788b8a58bcf03942511df795c12
-
Filesize
6KB
MD5e745028bc85f9e743e59201469d868ad
SHA1a7e14c112b38cca5d2a7bed2c4756cf6360ecb0b
SHA256fd0bf2d8859f6e1f2d6a384d18253a53d9918adf20a69f23e970bee9fff8a715
SHA51217cccd35c1c6f278fb90d14c7284f84b8ecfe4d151c4247a5c8771ebeadf0f76846a4953aac460ad74e287fe505c80609ab4b9de3b3365517d29728db8f3fb72
-
Filesize
129B
MD57004691f8d1eded42105dddd1dc6895a
SHA1363c729bc1e500d5c9899c77081f9527cc0b3e1d
SHA256dd99b69b4d75dbe7e12998205518126b9f3060e95ee59fbed6eaf9e84c5a829a
SHA51222bc1b33a30e2a1523b3b77a6dd845feaa93edc025c0266eed09df22a3ddb072edeb83fed2ce4511ebb32ec6262390999e67166da8f742b5187392ecfb13262d