Analysis
-
max time kernel
150s -
max time network
146s -
platform
windows11-21h2_x64 -
resource
win11-20241007-en -
resource tags
arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system -
submitted
16-11-2024 20:31
Behavioral task
behavioral1
Sample
LockBit-Black-Builder-main (1).zip
Resource
win11-20241007-en
General
-
Target
LockBit-Black-Builder-main (1).zip
-
Size
2.6MB
-
MD5
a5fbe0c5d0b5abd4dd0cb3bf69f3be6b
-
SHA1
fcc36b7c657a9187572ad3f527992b33c560f2e3
-
SHA256
34ae59b7acc09c2e82625640cae82c5158b649db1418ddbaa24138b51f1722c5
-
SHA512
a10b15c4368bbb836643d534a2c732c794bdac1034ca7c088ebd7c5333969763eea5be30977e6dd6b039e051e4b36acfef6fbb5129009d5bfd1eb75d706c7cdb
-
SSDEEP
49152:RXO172+O52uX9HaMAvqjw+6vfdTZseFqnC/6qZoAws4vxF8:Rp+OEuwy6ZDX/6woAws45C
Malware Config
Extracted
blackmatter
25.239
Extracted
C:\eo9QMbQjw.README.txt
lockbit
http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion
http://lockbitapt5x4zkjbcqmz6frdhecqqgadevyiwqxukksspnlidyvd7qd.onion
http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion
http://lockbitapt34kvrip6xojylohhxrwsvpzdffgs5z4pbbsywnzsbdguqd.onion
http://lockbitaptc2iq4atewz2ise62q63wfktyrl4qtwuk5qax262kgtzjqd.onion
http://lockbitaptjpikdqjynvgozhgc6bgetgucdk5xjacozeaawihmoio6yd.onion
http://lockbitaptq7ephv2oigdncfhtwhpqgwmqojnxqdyhprxxfpcllqdxad.onion
http://lockbitaptstzf3er2lz6ku3xuifafq2yh5lmiqj5ncur6rtlmkteiqd.onion
http://lockbitaptoofrpignlz6dt2wqqc5z3a4evjevoa3eqdfcntxad5lmyd.onion
http://lockbitapt.uz
http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion.ly
http://lockbitapt5x4zkjbcqmz6frdhecqqgadevyiwqxukksspnlidyvd7qd.onion.ly
http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion.ly
http://lockbitapt34kvrip6xojylohhxrwsvpzdffgs5z4pbbsywnzsbdguqd.onion.ly
http://lockbitaptc2iq4atewz2ise62q63wfktyrl4qtwuk5qax262kgtzjqd.onion.ly
http://lockbitaptjpikdqjynvgozhgc6bgetgucdk5xjacozeaawihmoio6yd.onion.ly
http://lockbitaptq7ephv2oigdncfhtwhpqgwmqojnxqdyhprxxfpcllqdxad.onion.ly
http://lockbitaptstzf3er2lz6ku3xuifafq2yh5lmiqj5ncur6rtlmkteiqd.onion.ly
http://lockbitaptoofrpignlz6dt2wqqc5z3a4evjevoa3eqdfcntxad5lmyd.onion.ly
https://twitter.com/hashtag/lockbit?f=live
http://lockbitsupt7nr3fa6e7xyb73lk6bw6rcneqhoyblniiabj4uwvzapqd.onion
http://lockbitsupuhswh4izvoucoxsbnotkmgq6durg7kficg6u33zfvq3oyd.onion
http://lockbitsupn2h6be2cnqpvncyhj4rgmnwn44633hnzzmtxdvjoqlp7yd.onion
http://lockbitsupp.uz
https://tox.chat/download.html
Extracted
C:\HHuYRxB06.README.txt
lockbit
http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion
http://lockbitapt5x4zkjbcqmz6frdhecqqgadevyiwqxukksspnlidyvd7qd.onion
http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion
http://lockbitapt34kvrip6xojylohhxrwsvpzdffgs5z4pbbsywnzsbdguqd.onion
http://lockbitaptc2iq4atewz2ise62q63wfktyrl4qtwuk5qax262kgtzjqd.onion
http://lockbitaptjpikdqjynvgozhgc6bgetgucdk5xjacozeaawihmoio6yd.onion
http://lockbitaptq7ephv2oigdncfhtwhpqgwmqojnxqdyhprxxfpcllqdxad.onion
http://lockbitaptstzf3er2lz6ku3xuifafq2yh5lmiqj5ncur6rtlmkteiqd.onion
http://lockbitaptoofrpignlz6dt2wqqc5z3a4evjevoa3eqdfcntxad5lmyd.onion
http://lockbitapt.uz
http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion.ly
http://lockbitapt5x4zkjbcqmz6frdhecqqgadevyiwqxukksspnlidyvd7qd.onion.ly
http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion.ly
http://lockbitapt34kvrip6xojylohhxrwsvpzdffgs5z4pbbsywnzsbdguqd.onion.ly
http://lockbitaptc2iq4atewz2ise62q63wfktyrl4qtwuk5qax262kgtzjqd.onion.ly
http://lockbitaptjpikdqjynvgozhgc6bgetgucdk5xjacozeaawihmoio6yd.onion.ly
http://lockbitaptq7ephv2oigdncfhtwhpqgwmqojnxqdyhprxxfpcllqdxad.onion.ly
http://lockbitaptstzf3er2lz6ku3xuifafq2yh5lmiqj5ncur6rtlmkteiqd.onion.ly
http://lockbitaptoofrpignlz6dt2wqqc5z3a4evjevoa3eqdfcntxad5lmyd.onion.ly
https://twitter.com/hashtag/lockbit?f=live
http://lockbitsupt7nr3fa6e7xyb73lk6bw6rcneqhoyblniiabj4uwvzapqd.onion
http://lockbitsupuhswh4izvoucoxsbnotkmgq6durg7kficg6u33zfvq3oyd.onion
http://lockbitsupn2h6be2cnqpvncyhj4rgmnwn44633hnzzmtxdvjoqlp7yd.onion
http://lockbitsupp.uz
https://tox.chat/download.html
Signatures
-
BlackMatter Ransomware
BlackMatter ransomware group claims to be Darkside and REvil succesor.
-
Blackmatter family
-
Lockbit
Ransomware family with multiple variants released since late 2019.
-
Lockbit family
-
Rule to detect Lockbit 3.0 ransomware Windows payload 7 IoCs
resource yara_rule behavioral1/files/0x001900000002abc9-80.dat family_lockbit behavioral1/files/0x001900000002abc8-83.dat family_lockbit behavioral1/files/0x001900000002abc2-78.dat family_lockbit behavioral1/files/0x001900000002abd2-95.dat family_lockbit behavioral1/files/0x001a00000002abc6-113.dat family_lockbit behavioral1/memory/4204-3630-0x0000000000400000-0x0000000000429000-memory.dmp family_lockbit behavioral1/memory/4204-3631-0x0000000000400000-0x0000000000429000-memory.dmp family_lockbit -
Renames multiple (577) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Executes dropped EXE 12 IoCs
pid Process 3320 keygen.exe 3760 builder.exe 4288 builder.exe 2460 builder.exe 4916 builder.exe 4140 builder.exe 3468 builder.exe 1544 LB3.exe 844 2641.tmp 1288 LB3Decryptor.exe 4204 LB3_pass.exe 4392 LB3.exe -
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops desktop.ini file(s) 3 IoCs
description ioc Process File opened for modification C:\$Recycle.Bin\S-1-5-21-2410826464-2353372766-2364966905-1000\desktop.ini LB3.exe File opened for modification F:\$RECYCLE.BIN\S-1-5-21-2410826464-2353372766-2364966905-1000\desktop.ini LB3.exe File opened for modification C:\$Recycle.Bin\S-1-5-21-2410826464-2353372766-2364966905-1000\desktop.ini LB3.exe -
Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
-
Drops file in System32 directory 5 IoCs
description ioc Process File created C:\Windows\system32\spool\PRINTERS\PPgx07lifqa27e9n29hnz9m0gfe.TMP printfilterpipelinesvc.exe File created C:\Windows\system32\spool\PRINTERS\00003.SPL splwow64.exe File created C:\Windows\system32\spool\PRINTERS\00002.SPL splwow64.exe File created C:\Windows\system32\spool\PRINTERS\PPuzid4hfuycfcwi68akuvyh67d.TMP printfilterpipelinesvc.exe File created C:\Windows\system32\spool\PRINTERS\PPeovpcj8uawxhd7q6v_mr9ej7.TMP printfilterpipelinesvc.exe -
Sets desktop wallpaper using registry 2 TTPs 3 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\eo9QMbQjw.bmp" LB3.exe Set value (str) \REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\eo9QMbQjw.bmp" LB3.exe Set value (str) \REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\Control Panel\Desktop\WallPaper LB3Decryptor.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs
pid Process 844 2641.tmp 4392 LB3.exe 4392 LB3.exe 4392 LB3.exe 4392 LB3.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
pid pid_target Process procid_target 4072 4204 WerFault.exe 110 -
System Location Discovery: System Language Discovery 1 TTPs 13 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language builder.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language builder.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language builder.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2641.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language LB3_pass.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language LB3.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language keygen.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language builder.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language builder.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language LB3.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language LB3Decryptor.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language builder.exe -
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 ONENOTE.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz ONENOTE.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString ONENOTE.EXE -
Enumerates system info in registry 2 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS ONENOTE.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily ONENOTE.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU ONENOTE.EXE -
Modifies Control Panel 3 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\Control Panel\Desktop LB3Decryptor.exe Key created \REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\Control Panel\Desktop LB3.exe Set value (str) \REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\Control Panel\Desktop\WallpaperStyle = "10" LB3.exe -
Modifies registry class 13 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\HHuYRxB06 LB3.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.eo9QMbQjw\ = "eo9QMbQjw" LB3.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\CLASSES\EO9QMBQJW\DEFAULTICON LB3Decryptor.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\CLASSES\.EO9QMBQJW LB3Decryptor.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\eo9QMbQjw\DefaultIcon\ = "C:\\ProgramData\\eo9QMbQjw.ico" LB3.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\eo9QMbQjw LB3Decryptor.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.HHuYRxB06 LB3.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.HHuYRxB06\ = "HHuYRxB06" LB3.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\HHuYRxB06\DefaultIcon LB3.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.eo9QMbQjw LB3.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\eo9QMbQjw\DefaultIcon LB3.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\eo9QMbQjw LB3.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\HHuYRxB06\DefaultIcon\ = "C:\\ProgramData\\HHuYRxB06.ico" LB3.exe -
Suspicious behavior: AddClipboardFormatListener 2 IoCs
pid Process 2804 ONENOTE.EXE 2804 ONENOTE.EXE -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 1544 LB3.exe 1544 LB3.exe 1544 LB3.exe 1544 LB3.exe 1544 LB3.exe 1544 LB3.exe 1544 LB3.exe 1544 LB3.exe 1544 LB3.exe 1544 LB3.exe 1544 LB3.exe 1544 LB3.exe 1544 LB3.exe 1544 LB3.exe 1544 LB3.exe 1544 LB3.exe 1544 LB3.exe 1544 LB3.exe 1544 LB3.exe 1544 LB3.exe 1544 LB3.exe 1544 LB3.exe 1544 LB3.exe 1544 LB3.exe 1544 LB3.exe 1544 LB3.exe 1544 LB3.exe 1544 LB3.exe 1544 LB3.exe 1544 LB3.exe 1544 LB3.exe 1544 LB3.exe 1544 LB3.exe 1544 LB3.exe 1544 LB3.exe 1544 LB3.exe 1544 LB3.exe 1544 LB3.exe 1544 LB3.exe 1544 LB3.exe 1544 LB3.exe 1544 LB3.exe 1544 LB3.exe 1544 LB3.exe 1544 LB3.exe 1544 LB3.exe 1544 LB3.exe 1544 LB3.exe 1544 LB3.exe 1544 LB3.exe 1544 LB3.exe 1544 LB3.exe 1544 LB3.exe 1544 LB3.exe 1544 LB3.exe 1544 LB3.exe 1544 LB3.exe 1544 LB3.exe 1544 LB3.exe 1544 LB3.exe 1544 LB3.exe 1544 LB3.exe 1544 LB3.exe 1544 LB3.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 2024 7zFM.exe -
Suspicious behavior: RenamesItself 3 IoCs
pid Process 1544 LB3.exe 1288 LB3Decryptor.exe 4392 LB3.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeRestorePrivilege 2024 7zFM.exe Token: 35 2024 7zFM.exe Token: SeSecurityPrivilege 2024 7zFM.exe Token: SeAssignPrimaryTokenPrivilege 1544 LB3.exe Token: SeBackupPrivilege 1544 LB3.exe Token: SeDebugPrivilege 1544 LB3.exe Token: 36 1544 LB3.exe Token: SeImpersonatePrivilege 1544 LB3.exe Token: SeIncBasePriorityPrivilege 1544 LB3.exe Token: SeIncreaseQuotaPrivilege 1544 LB3.exe Token: 33 1544 LB3.exe Token: SeManageVolumePrivilege 1544 LB3.exe Token: SeProfSingleProcessPrivilege 1544 LB3.exe Token: SeRestorePrivilege 1544 LB3.exe Token: SeSecurityPrivilege 1544 LB3.exe Token: SeSystemProfilePrivilege 1544 LB3.exe Token: SeTakeOwnershipPrivilege 1544 LB3.exe Token: SeShutdownPrivilege 1544 LB3.exe Token: SeDebugPrivilege 1544 LB3.exe Token: SeBackupPrivilege 1544 LB3.exe Token: SeBackupPrivilege 1544 LB3.exe Token: SeSecurityPrivilege 1544 LB3.exe Token: SeSecurityPrivilege 1544 LB3.exe Token: SeBackupPrivilege 1544 LB3.exe Token: SeBackupPrivilege 1544 LB3.exe Token: SeSecurityPrivilege 1544 LB3.exe Token: SeSecurityPrivilege 1544 LB3.exe Token: SeBackupPrivilege 1544 LB3.exe Token: SeBackupPrivilege 1544 LB3.exe Token: SeSecurityPrivilege 1544 LB3.exe Token: SeSecurityPrivilege 1544 LB3.exe Token: SeBackupPrivilege 1544 LB3.exe Token: SeBackupPrivilege 1544 LB3.exe Token: SeSecurityPrivilege 1544 LB3.exe Token: SeSecurityPrivilege 1544 LB3.exe Token: SeBackupPrivilege 1544 LB3.exe Token: SeBackupPrivilege 1544 LB3.exe Token: SeSecurityPrivilege 1544 LB3.exe Token: SeSecurityPrivilege 1544 LB3.exe Token: SeBackupPrivilege 1544 LB3.exe Token: SeBackupPrivilege 1544 LB3.exe Token: SeSecurityPrivilege 1544 LB3.exe Token: SeSecurityPrivilege 1544 LB3.exe Token: SeBackupPrivilege 1544 LB3.exe Token: SeBackupPrivilege 1544 LB3.exe Token: SeSecurityPrivilege 1544 LB3.exe Token: SeSecurityPrivilege 1544 LB3.exe Token: SeBackupPrivilege 1544 LB3.exe Token: SeBackupPrivilege 1544 LB3.exe Token: SeSecurityPrivilege 1544 LB3.exe Token: SeSecurityPrivilege 1544 LB3.exe Token: SeBackupPrivilege 1544 LB3.exe Token: SeBackupPrivilege 1544 LB3.exe Token: SeSecurityPrivilege 1544 LB3.exe Token: SeSecurityPrivilege 1544 LB3.exe Token: SeBackupPrivilege 1544 LB3.exe Token: SeBackupPrivilege 1544 LB3.exe Token: SeSecurityPrivilege 1544 LB3.exe Token: SeSecurityPrivilege 1544 LB3.exe Token: SeBackupPrivilege 1544 LB3.exe Token: SeBackupPrivilege 1544 LB3.exe Token: SeSecurityPrivilege 1544 LB3.exe Token: SeSecurityPrivilege 1544 LB3.exe Token: SeBackupPrivilege 1544 LB3.exe -
Suspicious use of FindShellTrayWindow 2 IoCs
pid Process 2024 7zFM.exe 2024 7zFM.exe -
Suspicious use of SetWindowsHookEx 15 IoCs
pid Process 2804 ONENOTE.EXE 2804 ONENOTE.EXE 2804 ONENOTE.EXE 2804 ONENOTE.EXE 2804 ONENOTE.EXE 2804 ONENOTE.EXE 2804 ONENOTE.EXE 2804 ONENOTE.EXE 2804 ONENOTE.EXE 2804 ONENOTE.EXE 2804 ONENOTE.EXE 2804 ONENOTE.EXE 2804 ONENOTE.EXE 2804 ONENOTE.EXE 1288 LB3Decryptor.exe -
Suspicious use of WriteProcessMemory 32 IoCs
description pid Process procid_target PID 2820 wrote to memory of 3320 2820 cmd.exe 86 PID 2820 wrote to memory of 3320 2820 cmd.exe 86 PID 2820 wrote to memory of 3320 2820 cmd.exe 86 PID 2820 wrote to memory of 3760 2820 cmd.exe 87 PID 2820 wrote to memory of 3760 2820 cmd.exe 87 PID 2820 wrote to memory of 3760 2820 cmd.exe 87 PID 2820 wrote to memory of 4288 2820 cmd.exe 88 PID 2820 wrote to memory of 4288 2820 cmd.exe 88 PID 2820 wrote to memory of 4288 2820 cmd.exe 88 PID 2820 wrote to memory of 2460 2820 cmd.exe 89 PID 2820 wrote to memory of 2460 2820 cmd.exe 89 PID 2820 wrote to memory of 2460 2820 cmd.exe 89 PID 2820 wrote to memory of 4916 2820 cmd.exe 90 PID 2820 wrote to memory of 4916 2820 cmd.exe 90 PID 2820 wrote to memory of 4916 2820 cmd.exe 90 PID 2820 wrote to memory of 4140 2820 cmd.exe 91 PID 2820 wrote to memory of 4140 2820 cmd.exe 91 PID 2820 wrote to memory of 4140 2820 cmd.exe 91 PID 2820 wrote to memory of 3468 2820 cmd.exe 92 PID 2820 wrote to memory of 3468 2820 cmd.exe 92 PID 2820 wrote to memory of 3468 2820 cmd.exe 92 PID 1544 wrote to memory of 3212 1544 LB3.exe 97 PID 1544 wrote to memory of 3212 1544 LB3.exe 97 PID 1112 wrote to memory of 2804 1112 printfilterpipelinesvc.exe 100 PID 1112 wrote to memory of 2804 1112 printfilterpipelinesvc.exe 100 PID 1544 wrote to memory of 844 1544 LB3.exe 101 PID 1544 wrote to memory of 844 1544 LB3.exe 101 PID 1544 wrote to memory of 844 1544 LB3.exe 101 PID 1544 wrote to memory of 844 1544 LB3.exe 101 PID 844 wrote to memory of 1880 844 2641.tmp 102 PID 844 wrote to memory of 1880 844 2641.tmp 102 PID 844 wrote to memory of 1880 844 2641.tmp 102
Processes
-
C:\Program Files\7-Zip\7zFM.exe"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\LockBit-Black-Builder-main (1).zip"1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2024
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵PID:4588
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\LockBit-Black-Builder-main\LockBit30\Build.bat" "1⤵
- Suspicious use of WriteProcessMemory
PID:2820 -
C:\Users\Admin\Desktop\LockBit-Black-Builder-main\LockBit30\keygen.exekeygen -path C:\Users\Admin\Desktop\LockBit-Black-Builder-main\LockBit30\Build -pubkey pub.key -privkey priv.key2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3320
-
-
C:\Users\Admin\Desktop\LockBit-Black-Builder-main\LockBit30\builder.exebuilder -type dec -privkey C:\Users\Admin\Desktop\LockBit-Black-Builder-main\LockBit30\Build\priv.key -config config.json -ofile C:\Users\Admin\Desktop\LockBit-Black-Builder-main\LockBit30\Build\LB3Decryptor.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3760
-
-
C:\Users\Admin\Desktop\LockBit-Black-Builder-main\LockBit30\builder.exebuilder -type enc -exe -pubkey C:\Users\Admin\Desktop\LockBit-Black-Builder-main\LockBit30\Build\pub.key -config config.json -ofile C:\Users\Admin\Desktop\LockBit-Black-Builder-main\LockBit30\Build\LB3.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4288
-
-
C:\Users\Admin\Desktop\LockBit-Black-Builder-main\LockBit30\builder.exebuilder -type enc -exe -pass -pubkey C:\Users\Admin\Desktop\LockBit-Black-Builder-main\LockBit30\Build\pub.key -config config.json -ofile C:\Users\Admin\Desktop\LockBit-Black-Builder-main\LockBit30\Build\LB3_pass.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2460
-
-
C:\Users\Admin\Desktop\LockBit-Black-Builder-main\LockBit30\builder.exebuilder -type enc -dll -pubkey C:\Users\Admin\Desktop\LockBit-Black-Builder-main\LockBit30\Build\pub.key -config config.json -ofile C:\Users\Admin\Desktop\LockBit-Black-Builder-main\LockBit30\Build\LB3_Rundll32.dll2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4916
-
-
C:\Users\Admin\Desktop\LockBit-Black-Builder-main\LockBit30\builder.exebuilder -type enc -dll -pass -pubkey C:\Users\Admin\Desktop\LockBit-Black-Builder-main\LockBit30\Build\pub.key -config config.json -ofile C:\Users\Admin\Desktop\LockBit-Black-Builder-main\LockBit30\Build\LB3_Rundll32_pass.dll2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4140
-
-
C:\Users\Admin\Desktop\LockBit-Black-Builder-main\LockBit30\builder.exebuilder -type enc -ref -pubkey C:\Users\Admin\Desktop\LockBit-Black-Builder-main\LockBit30\Build\pub.key -config config.json -ofile C:\Users\Admin\Desktop\LockBit-Black-Builder-main\LockBit30\Build\LB3_ReflectiveDll_DllMain.dll2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3468
-
-
C:\Users\Admin\Desktop\LockBit-Black-Builder-main\LockBit30\Build\LB3.exe"C:\Users\Admin\Desktop\LockBit-Black-Builder-main\LockBit30\Build\LB3.exe"1⤵
- Executes dropped EXE
- Drops desktop.ini file(s)
- Sets desktop wallpaper using registry
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1544 -
C:\Windows\splwow64.exeC:\Windows\splwow64.exe 122882⤵
- Drops file in System32 directory
PID:3212
-
-
C:\ProgramData\2641.tmp"C:\ProgramData\2641.tmp"2⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:844 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\2641.tmp >> NUL3⤵
- System Location Discovery: System Language Discovery
PID:1880
-
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc1⤵PID:4140
-
C:\Windows\system32\printfilterpipelinesvc.exeC:\Windows\system32\printfilterpipelinesvc.exe -Embedding1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1112 -
C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE/insertdoc "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\{EB64AA86-AE05-4860-BC30-21654E4C73CD}.xps" 1337626275422500002⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2804
-
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\LockBit-Black-Builder-main\LockBit30\Build\eo9QMbQjw.README.txt1⤵PID:624
-
C:\Users\Admin\Desktop\LockBit-Black-Builder-main\LockBit30\Build\LB3Decryptor.exe"C:\Users\Admin\Desktop\LockBit-Black-Builder-main\LockBit30\Build\LB3Decryptor.exe"1⤵
- Executes dropped EXE
- Sets desktop wallpaper using registry
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies registry class
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
PID:1288
-
C:\Users\Admin\Desktop\LockBit-Black-Builder-main\LockBit3Builder\Build\LB3_pass.exe"C:\Users\Admin\Desktop\LockBit-Black-Builder-main\LockBit3Builder\Build\LB3_pass.exe"1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4204 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4204 -s 2762⤵
- Program crash
PID:4072
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4204 -ip 42041⤵PID:4772
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\LockBit-Black-Builder-main\LockBit3Builder\Build\Password_exe.txt1⤵PID:1648
-
C:\Users\Admin\Desktop\LockBit-Black-Builder-main\LockBit3Builder\Build\LB3.exe"C:\Users\Admin\Desktop\LockBit-Black-Builder-main\LockBit3Builder\Build\LB3.exe"1⤵
- Executes dropped EXE
- Drops desktop.ini file(s)
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: RenamesItself
PID:4392
-
C:\Windows\system32\printfilterpipelinesvc.exeC:\Windows\system32\printfilterpipelinesvc.exe -Embedding1⤵PID:7812
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
129B
MD54088fbf67aaf55ffd2898c6feaafd2d0
SHA13a94dc45a092c297a00b6a7fea0776192c3be137
SHA25615e70df69aa0c220248b7d933ffcd09463c8ad4acfc849a4ab97b52d82997297
SHA512c5b5e98837df175756a471e8decf2d84fd0e99ba65d0ee3dcfcfb66bb959696278d538f948057e6aa4df16e1ad50f8c89b6b7d4a729f54759924d11bf8422d9d
-
Filesize
129B
MD597a566ee5055732ca637cce9fcd37336
SHA18776af54ded017bd394dfdab6c9f226a231c184f
SHA25634cf8fa25e479382b6e2385d4514053bf8f6476bc55b15a852c01ad7a51ee106
SHA5120eef44fc6a26ffc327407e79d0dd84a02520ecd8bc44cb871bfeeac9c4de7b6ef328507d8b148291b3510461ace5945ebbba9b864f6f1e16ddcb95e77708b4db
-
Filesize
6KB
MD582dbbaafb1db42ba176ac73388000bfe
SHA1d7f79bad8479eef8c93ec36f13ce39ad5a9104ef
SHA2567e8160679406dabe651dad33cc8e397108770218ef081a02e35ddcca2a317fa8
SHA512900aff216908e5db9c1bdec87b9faf219ea53cd87a5684a717cca0f1fa82bfc52b963bf060415df6d62104b20d228e657fe42dd57cdba10b116d4269f161874d
-
Filesize
3.0MB
MD5d1dd210d6b1312cb342b56d02bd5e651
SHA11e5f8def40bb0cb0f7156b9c2bab9efb49cfb699
SHA256bbd05cf6097ac9b1f89ea29d2542c1b7b67ee46848393895f5a9e43fa1f621e5
SHA51237a33d86aa47380aa21b17b41dfc8d04f464de7e71820900397436d0916e91b353f184cefe0ad16ae7902f0128aae786d78f14b58beee0c46d583cf1bfd557b8
-
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.UndockedDevKit_cw5n1h2txyewy\Settings\settings.dat
Filesize8KB
MD5a8308d2f3dde0745e8b678bf69a2ecd0
SHA1c0ee6155b9b6913c69678f323e2eabfd377c479a
SHA2567fbb3e503ed8a4a8e5d5fab601883cbb31d2e06d6b598460e570fb7a763ee555
SHA5129a86d28d40efc655390fea3b78396415ea1b915a1a0ec49bd67073825cfea1a8d94723277186e791614804a5ea2c12f97ac31fad2bf0d91e8e035bde2d026893
-
Filesize
63KB
MD5e516a60bc980095e8d156b1a99ab5eee
SHA1238e243ffc12d4e012fd020c9822703109b987f6
SHA256543796a1b343b4ebc0285d89cb8eb70667ac7b513da37495e38003704e9d88d7
SHA5129b51e99ba20e9da56d1acc24a1cf9f9c9dbdeb742bec034e0ff2bc179a60f4aff249f40344f9ddd43229dcdefa1041940f65afb336d46c175ffeff725c638d58
-
Filesize
4KB
MD5dee09fb6c06bbe29f938b48aa2b66d60
SHA174f16115182609a7040075f7994f05128b8bc4bb
SHA256b99d6a703deb9e0a1e65fba99d8f95f9fc1f0300de05d83aca3fcb07ebdc3b6d
SHA5122d0a0cdd74d55ee221ab1a02d3baa64592cac21dc20af248ad817d15454d6a7ca41d0ab45c59be376d0d2934719b318938cf488f50b85963671e26f7252db7d7
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\maevrvll.default-release\storage\permanent\chrome\idb\1451318868ntouromlalnodry--epcr.sqlite-shm
Filesize32KB
MD5b7c14ec6110fa820ca6b65f5aec85911
SHA1608eeb7488042453c9ca40f7e1398fc1a270f3f4
SHA256fd4c9fda9cd3f9ae7c962b0ddf37232294d55580e1aa165aa06129b8549389eb
SHA512d8d75760f29b1e27ac9430bc4f4ffcec39f1590be5aef2bfb5a535850302e067c288ef59cf3b2c5751009a22a6957733f9f80fa18f2b0d33d90c068a3f08f3b0
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\maevrvll.default-release\storage\permanent\chrome\idb\3561288849sdhlie.sqlite
Filesize48KB
MD5c56fa3a54814d8da6c9d683838b83743
SHA114794da32c645c23d228965ee5971816b7e2fd4c
SHA25668bf3504d42a33446e6491c6e41dd279f7d751ed8d341ac6eb37df12c22bab50
SHA512807782a26419ceac895f5e1c4651577375dbe9d0b0515f83f3eaa980a820d5e735bb9abec68fad3b107a80f738c199fc9e4ea822d00460be5693641f8c7e34b6
-
Filesize
69KB
MD58322dcc2cb5f294b6c59270de01dae81
SHA10f77ce9e64f13082d828b63b58437577fb7c6280
SHA25682ac476d5bc09957d1c6a0a6cfd8e7a788da11eeb65be7b667db7ab99e64a1a5
SHA5126395500d881b8b66ced83379c36ba5cde8ed4fa72dd1602f36593b804f006f73576ee7fce2bac1be8d849dd39215eb4ebfa017ea2bbc9f29c1afedce3f3d5999
-
Filesize
119KB
MD57086d95b3312b14015a260aa593177d3
SHA1e38823e3e1ba2524ddab159158d5e265e857df51
SHA2565ce261e7ab946eac69255d10e4da76cfc8e8e9c10271591466d26f31902ee3ef
SHA512cbef452949efe963536907550c70479bc12ade533f33f784d8fb99c83a8bf54a20c2f11200980f305ac5c647f0801b0486a54f369db5095bdf5cdcf41f28bd61
-
Filesize
34KB
MD57a50a76de707f904df39e3d80de41969
SHA18b4ed888cc1ea1f1842f5366882ae20a43f410fd
SHA2562019e44250eb5ba40a9cc8a958206d93be374e4e38846dd1eb6d881aa6158eac
SHA5121e4656187e7a5c3c28f700cd903dcad8b4838f2dd8011face3b5a7e1120929b19ccf3b5c10cc7af97047b150d15a7514cda1b1efa748f2f799a85c0b9544579d
-
Filesize
733B
MD51905cc9973206fea5050b737f9303fb4
SHA1497524177d9478a4b5dca3e73cc230be6abf4ce0
SHA256e2f5b93040d57de6251d16256bcd04aa8eb337bde87308e602f01070efd345fb
SHA51295bae9406d01083f6fe6916ecf8e889afe20ff5863070f1787dc7a60d2d1d5af2cf3fd481a3c4fb531f16dd2cb7a685002aaac1dc907cf189c19c60f2816dd76
-
Filesize
153KB
MD579f57bb3138e0e96ebde289a1af1ffe7
SHA15a45711d035d9979a1bbf0bc31fc45d952dedded
SHA2562723e60391fde51e3d319dbb725cd5781c40f9641bf9ce53f27d95c2af2fad75
SHA512e8fff7e28be32edf46abaee2598c2f2503e65a97bd9f9f4a180a9da1aed4010a596dfb9f5512b29d02c1a0424f638f310755d474c35347c47dc1c3c2db04861d
-
Filesize
16B
MD5b1cd07d8c346e344042066aee57ea45b
SHA11dd2a84bcf04a59c7d643c0852661e09a983630a
SHA25647a9e1ce014c3ddeb3c19bbdfbe3671a5944f71313710ba2796e2ac058544322
SHA51210fdb9478115a137535db230779adb7a1c80a9f78aa8934b1e23a71210a24e986a800371d0b9e1f693d095dc8b646ea77a67d144e172b362d8b27d406c3d0e37
-
Filesize
153KB
MD5c73eac0c837c3c5caca3a885f46c17d9
SHA1a0ca9511b40c9c2451986ce179016ec4014e9adb
SHA256e609bf8406b61613f3e605d277cf445059974a4c71c3edd09fffae86a3c5dbfe
SHA512157c92e561cd18876ab60faf8a3d8e62633e7750accb965e86f3202b0d5ff902d3ae51fb41592d9be22672e67a713291e469a09be57e6f77dd6343090324792a
-
Filesize
153KB
MD53d3c958c2106899715c40ceed1759b70
SHA1de131ee1ad9ea255e5d9bcfa46a727cc6d841bfc
SHA25652fd6940f6c21942360aac7d78b75724ff8c8d640cafcd432c6fba62d258d5f5
SHA5123683acbac6384f719b9e69261eeb7c324b0090991fd9852aafc39f17b679c5c5133a6c8a09effc17e68e8bb2f1b740cd157226b5c293a935bc986c901a21d5b0
-
Filesize
54KB
MD5d1c15784587717fe03448d0c4dc8dd5b
SHA1f36ac101949a4fa8f604d561957fb9d3e1f73699
SHA2564973313c1c003a27190fba0a43dda1be78891552c9fabaa0c65e0051965ceee7
SHA512ef81b11962fb56a583c43ecdf0f8c66ef17850e85e56794b6c4ca328751609e4fe1fb1494e0e7315ff396510c467e440b74b62c105ce226f2fda49379d551a81
-
Filesize
106KB
MD52ecc319574b76994e76c4f971c820362
SHA18f3d04cab7c6be2220860ec391d75ba2f8f17b33
SHA256123797c18b044fb5aeba5dcccaf9ef1df0b7553413e9433876f1f94b8cd0584f
SHA51239c63668d424ff9efa625a82312edf5a30f7ca3edd896bd6ef1857ced02e5462cf191af54b6e55388b844fa5e50f77e3a6ce5b5983f61eb57a45c4b2fbb3567e
-
Filesize
152KB
MD5a451f94bf71b55142e64d65dda361e3d
SHA179dbdba2019c0bb2859cf2886ad4ceaadf769311
SHA25642a708a61e3bb54ac63748ac47bb96ded6e32bbe927a87c8e57094110293c325
SHA512a5336d7a3345a562214f8081459937f4c9c17882aa614fa514eea6ec7e3afd416e943560a92ecfe88ecc281729c9e6eefe2300d087b1ee510aaef0d3ac343803
-
Filesize
148KB
MD51cf36fecacae95acaed46247090fd4b6
SHA14dcf048521b7c8fcba54d20f06be6ea60131bce1
SHA2566eb4d985a52554d37c0efec1457258e4dfd4619ff0396c66e2f9a02d8381ce57
SHA5127b6c660245ed236a12e4c7e36e30283b5d2736de2d419da60d4ab584016de24dd40f7c4d407c5a4cee3c1995d136a775f72ed2ca16c911d75a2c9c2f4b57a99c
-
Filesize
149KB
MD54f6c3752e20422203d1bd00acb082ba5
SHA12d648879014bf464bf3ed640642c9f7665115ad4
SHA256500eeeb1927f1fb9304a2167d6ea7e318d242da0c68e03f3ec60d704acfa0add
SHA512310c78b0057ec044ce14eb4242729f958f4de2d3cb8cc8f8052d8b6ead5ff692a870ec027204dffb3fe3951e6c8bc5b59d6a21046c66643e7d14ac3a88c31271
-
Filesize
1KB
MD5cd73e5da7534c1cc75358e77bced80ba
SHA1684301a030de00bf594f32dbc58e6caed663ecd5
SHA256dd27eb7a55e7ef44d9d2e0cb92108637c8248d58532c22d59e8057e7da111580
SHA512fb747890e36a0e9144bb23917118d6b14cd5ea20434d3f241ceb1de8a21c92539d9cac07bac8d17ae69bae754f941f9326203c06e95d86d7cf20a542af0f060e
-
Filesize
2KB
MD568c7c951ecfca7322e1ecb486f42883e
SHA1882b636e399f6566b98a20923ad8cfc166bab2c1
SHA256706453b2bafdb0f723b55100d5034621f8a3b61822aad5a7bf875b6113017c74
SHA5123135ccc918dbd9ea08432d2b92bf272716b039d3ca9b4b94a32e4774f41cdb148e347fbc89f3d1285a2fe7389585e13790fd226d9adf9eadc69ceeac931cdd65
-
Filesize
344B
MD595dc3cc7a5702f8c2b7504f14a8d465f
SHA19a48c88b07ab58cb624bb0f9bc916865f0020f1d
SHA256f89e7aafae18b96cbf6549ef855d2b8c0e48e694bdce8580f4b45781bd2d5f39
SHA512e85cb3af3c68cbe65256571aefc481228d3f558723911b35fc63bb4f9f0946f0c179b3df4f0e908d81324d2a7ebbc2b6aaf20bbad9383093b7f8d0db8be8b5c6
-
Filesize
344B
MD55c921d5218cded9ed1191cdc4ed97d7d
SHA1eab783164203bd30ecd2f3420f028dd4e848025a
SHA256b1d546da15b30f5552430eb895ea046ef6418cad31e066dc595d6a22f95be145
SHA51212fb30c755dbc04c9f2a95e5d3dd50818306aab6ae4eba4a2483fb58b637a6a0d93bed3f0169fd23b8589d39562e5a9c0c4f5f77187e3359ad65975e6d80767a
-
Filesize
344B
MD5ba85a0b00c8a2cfeba6d94816855dad7
SHA10afdfad7a392faf24c070888104acbfb4643e3a6
SHA25691ec37166dd39d7d443a47365a3d83b330aeff5ba0cfefc6c5b64abf793dc16f
SHA5126c3a3404d3dc1dcb321d61cdc8bb0c55adfb3641ec32c9744ded3841b73fe01e29cdb5df6023717cb9af5d793883ae3eb309b893ca3340141f2c359be227df81
-
Filesize
344B
MD5875e12a5ff06453da1bf6e9b0ebaacc3
SHA1d21e086adafa13fe0518ad64a5e266f2cf07f154
SHA2560311e83b7c236a9c20a542b820c21c0f93191dffb27d9c73c72ebef69a4d1d6d
SHA5124d21aa6875208e5af1865e0376e4a02a0d419e182af8872fa76414f34b5a9317ab39897b45d1052cdc5238944733a5db59398be9a1dc0218e50b06c87f453934
-
Filesize
469KB
MD5c2bc344f6dde0573ea9acdfb6698bf4c
SHA1d6ae7dc2462c8c35c4a074b0a62f07cfef873c77
SHA256a736269f5f3a9f2e11dd776e352e1801bc28bb699e47876784b8ef761e0062db
SHA512d60cf86c0267cd4e88d21768665bbb43f3048dace1e0013b2361c5bfabf2656ff6215dfb75b6932e09545473305b4f707c069721cdde317b1df1709cd9fc61c0
-
Filesize
8KB
MD512d844f76f1b59029eb6dd618d74c537
SHA17f971c7abb62a16c42b07ad8ce6601f0ffe3bb8d
SHA256af3f8aa4a82e548a4e0c3fbeec1f8199d540177c5ccdcc70b18325e736564d73
SHA512df6359a3551f32c9f06a2073de46c88366b5d4506fe59d9eda8e25d32de4ffe1be344e03f87c70d294c63f7a2a86fb052e26b10a09850a96515c228df8f2301a
-
Filesize
31KB
MD571c3b2f765b04d0b7ea0328f6ce0c4e2
SHA1bf8ecb6519f16a4838ceb0a49097bcc3ef30f3c4
SHA256ea6d4dedd8c85e4a6bb60408a0dc1d56def1f4ad4f069c730dc5431b1c23da37
SHA5121923db134d7cee25389a07e4d48894dde7ee8f70d008cd890dd34a03b2741a54ec1555e6821755e5af8eae377ef5005e3f9afceb4681059bc1880276e9bcf035
-
Filesize
265B
MD516b246c332462f346104d9cb7993e2fc
SHA1a1c90157a2947ea44fa61136f4bdd2383762f484
SHA256819fb44b79b9d0fd1ebbdfbdbd11a6e914443fd3b165c379668722da4fab1fb6
SHA512faafb915e4fb37a29471be5c86f81bf4bfcd66d12741e9d60ca738411af7c779129f49a69a518e3634aedb1a570776ad21d21f4d22c9ecb0d86a9baaeafe3bb2
-
Filesize
2KB
MD545edd11b2a1a7c1d20fea347e1e39cfa
SHA1baede0d4289dc4d1fda78ebe5de0ae148b0bbb5a
SHA256045acaeaa20eb67653d2ce844f22978a5f8a03a713e6706a50c5417ef09294ec
SHA512cbf3bf0066ff59a5714c31c01dc03df987fb8f904ab3bb0395323b33e14354ec1a8a715b470cfda5402fe0ae2d67af3280ede3a11b0e6d978268df8955b59bce
-
Filesize
2KB
MD5d1190dba7b884c4067b70935b6f87400
SHA1a552564366fb1665942c690137f24b421959b07d
SHA256a6f1fe0cc1bbcdec3030c70ecf3178fb463dae324ca6f2a8ab12486197069809
SHA512cbec94a6e982b5815bc5dd71816258064cd771168733a55674923357410a3dd92ebac416baf6197183641d7642380b61f3cb2f849e4fa81f0012bf35a9db28b0
-
Filesize
8KB
MD5e7668258531777020a31e4de7c3fa9cd
SHA103d59ccdb5b2e372a40f22b13c1749fa9cca922b
SHA2560a2c2ade842c066bbad0906109653e6b128b2b45490894ba944756658c687256
SHA512559385ffa36d9168c6fb3cfe86437c364a1c04178e82bb981a3c8fec45a2db356df4c3a772e8c50ac49d2f6aa8b6f3bf753e76132f442e150d32bf6d57f3f775
-
Filesize
1KB
MD5de2fc436c090904a60e3bc594c9ebc4d
SHA1afd4a7cd0c0593f450a8a4a58ce9d60db0298154
SHA25635af2170638669384a4b9608571a4695445a1e9132a499a202f83e0e74831c2d
SHA5125dc5567d63297801c4d8132f64746e651b0d10c2b55b7d7c0219e288422cb05ab71a8ab802cc60ee2adca904572d3c2b4c634eae8d13fc435c1b48ed22f290cf
-
Filesize
193KB
MD5ca22983598722c7adace441d98beff01
SHA1203a2894d27918dfae9a522d363b4ed7b5e1e1b0
SHA256067a9b4333f96f9536294cbfdc5e5eb52663224b23faf57d37ea48e37e4ed349
SHA512693cfc5fd13341bdfea90aa2b36226e5b6779eecccd49ccf94d565c96be9e2cc43ce1c9460cf4dbcfacd1328845bd12a238cacaf020bef1141cf4b6fb47a75a0
-
Filesize
198KB
MD5472121f216a253c023757d3ff77fd70b
SHA18ddc9a8fc14d6433b46a6b1459c0095e165150b5
SHA25684476dd41966d3c322d8656bac81b39314a47761480855bfb0d9bd4ba7a1594c
SHA512dbb60b53654f95dd7e7d052b5f930e3ab782b5f2dace35d9fde0226a1d2896125baf81fb35221a98f627ba352c8eff3edd737b1ca0e79a13ed78f848f0cd83fa
-
Filesize
113KB
MD58d8d2990615965213d5cdcbacddfa196
SHA1e603b82b7352a07d0d216e1d1beaf2b8aceb9cc1
SHA2567e11eec011244ee5340943d63733aaa1e2b23c09df1f1f56c5c635d257e84d79
SHA5121ec0ac2a526b4b13a26acb27ce570f9970d650cd41a77aba75f2ba34e200b02efcc18324d050001f96f41a6b8a4ac87d1db03b9b8ac569fcb00f01588b1f8c7c
-
Filesize
282KB
MD5b26d3cc24506feca26dbfae9d1596fff
SHA14a4db11db35c30f98c8ff0fd1c798a2260d68909
SHA256ba70a1f47bcf6fd31e9af2c614c9d5fc12078ea9df8194137e36694ed505a3ef
SHA51286182f37ad5c99dc82aafb0843c564532262073f04f03101cfc5dbc7f20072b6794a93ccd145e28fe8734948ac4532444bfacf3d2792e062a6a0a09ded12110a
-
Filesize
4KB
MD52ff21407b71a897c494f985c480df894
SHA126733d2753d63e997ec76c9e74186f09bf506e13
SHA256db228bb5739580ad76f33a95608af05cad0f76fdb18b221210e8918108001577
SHA512c2e2dc751e5ed73c9f421a6a9d87724e17be11e782d7e89706944fcff3b29dfd40515c3f3aea23cabdccba0fd5be2bbe92146c5987487a50dd7c7508a53adaff
-
Filesize
6KB
MD5b87473f20dc20eca4348504cfa031fcb
SHA11d277b2a1b028b74998441dcf1511d8f75a94501
SHA256e7620d39069209be0cef96b18ac56fa756041973199defa037f6e939df125d30
SHA512e97692b4b9710f221313fc08b17bc5587cc2507a1dcef3304510aff0afb17d973399b097e9bae7c03076d771953666c640018d8f6eb119d8fac0a6d59a1730a7
-
Filesize
129B
MD5bb158a59e89ff6a30441c97d8aa09adf
SHA1645cf08c0f975dca3525987e677ece1b9119b13a
SHA256a00a8d8d0c44e20d5db4cc708cd37849472b882f1acaf16fb7fd7cf5d7eaf9a6
SHA512a9622680849eb61d813e6580d70cb27421af7ff1a7c5c0da23ea70aadcff5a224218c38c59a680bcc45778a0946a96722af2b001d2a61ce8e80761e111eeab48