hxxps://github[.]com/3xp0rt/LockBit-Black-Builder

Resubmissions

22-09-2022 10:08

220922-l6m2ssbba9 10

21-09-2022 16:19

220921-tspx8sccdj 10

21-09-2022 15:04

220921-sfwpkscbcq 10

21-09-2022 14:54

220921-r93jjscbbk 10

Analysis

max time kernel
230s
max time network
240s
platform
windows10-2004_x64
resource
win10v2004-20220812-it
resource tags

arch:x64arch:x86image:win10v2004-20220812-itlocale:it-itos:windows10-2004-x64systemwindows
submitted
21-09-2022 14:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/3xp0rt/LockBit-Black-Builder

Score

10^/10

ransomware spyware stealer

Malware Config

Extracted

Path

C:\E7ZI4vkMG.README.txt

Ransom Note

~~~ LockBit 3.0 the world's fastest ransomware since 2019~~~ >>>> Your data are stolen and encrypted The data will be published on TOR website if you do not pay the ransom Links for Tor Browser: http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion http://lockbitapt5x4zkjbcqmz6frdhecqqgadevyiwqxukksspnlidyvd7qd.onion http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion http://lockbitapt34kvrip6xojylohhxrwsvpzdffgs5z4pbbsywnzsbdguqd.onion http://lockbitaptc2iq4atewz2ise62q63wfktyrl4qtwuk5qax262kgtzjqd.onion http://lockbitaptjpikdqjynvgozhgc6bgetgucdk5xjacozeaawihmoio6yd.onion http://lockbitaptq7ephv2oigdncfhtwhpqgwmqojnxqdyhprxxfpcllqdxad.onion http://lockbitaptstzf3er2lz6ku3xuifafq2yh5lmiqj5ncur6rtlmkteiqd.onion http://lockbitaptoofrpignlz6dt2wqqc5z3a4evjevoa3eqdfcntxad5lmyd.onion Links for the normal browser http://lockbitapt.uz http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion.ly http://lockbitapt5x4zkjbcqmz6frdhecqqgadevyiwqxukksspnlidyvd7qd.onion.ly http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion.ly http://lockbitapt34kvrip6xojylohhxrwsvpzdffgs5z4pbbsywnzsbdguqd.onion.ly http://lockbitaptc2iq4atewz2ise62q63wfktyrl4qtwuk5qax262kgtzjqd.onion.ly http://lockbitaptjpikdqjynvgozhgc6bgetgucdk5xjacozeaawihmoio6yd.onion.ly http://lockbitaptq7ephv2oigdncfhtwhpqgwmqojnxqdyhprxxfpcllqdxad.onion.ly http://lockbitaptstzf3er2lz6ku3xuifafq2yh5lmiqj5ncur6rtlmkteiqd.onion.ly http://lockbitaptoofrpignlz6dt2wqqc5z3a4evjevoa3eqdfcntxad5lmyd.onion.ly >>>> What guarantees that we will not deceive you? We are not a politically motivated group and we do not need anything other than your money. If you pay, we will provide you the programs for decryption and we will delete your data. Life is too short to be sad. Be not sad, money, it is only paper. If we do not give you decrypters, or we do not delete your data after payment, then nobody will pay us in the future. Therefore to us our reputation is very important. We attack the companies worldwide and there is no dissatisfied victim after payment. You can obtain information about us on twitter https://twitter.com/hashtag/lockbit?f=live >>>> You need contact us and decrypt one file for free on these TOR sites with your personal DECRYPTION ID Download and install TOR Browser https://www.torproject.org/ Write to a chat and wait for the answer, we will always answer you. Sometimes you will need to wait for our answer because we attack many companies. Links for Tor Browser: http://lockbitsupt7nr3fa6e7xyb73lk6bw6rcneqhoyblniiabj4uwvzapqd.onion http://lockbitsupuhswh4izvoucoxsbnotkmgq6durg7kficg6u33zfvq3oyd.onion http://lockbitsupn2h6be2cnqpvncyhj4rgmnwn44633hnzzmtxdvjoqlp7yd.onion Link for the normal browser http://lockbitsupp.uz If you do not get an answer in the chat room for a long time, the site does not work and in any other emergency, you can contact us in jabber or tox. Tox ID LockBitSupp: 3085B89A0C515D2FB124D645906F5D3DA5CB97CEBEA975959AE4F95302A04E1D709C3C4AE9B7 XMPP (Jabber) Support: 598954663666452@exploit.im 365473292355268@thesecure.biz >>>> Your personal DECRYPTION ID: D739480DC11A7A37AA26FE26355FCBB3 >>>> Warning! Do not DELETE or MODIFY any files, it can lead to recovery problems! >>>> Warning! If you do not pay the ransom we will attack your company repeatedly again! >>>> Advertisement Would you like to earn millions of dollars $$$ ? Our company acquire access to networks of various companies, as well as insider information that can help you steal the most valuable data of any company. You can provide us accounting data for the access to any company, for example, login and password to RDP, VPN, corporate email, etc. Open our letter at your email. Launch the provided virus on any computer in your company. You can do it both using your work computer or the computer of any other employee in order to divert suspicion of being in collusion with us. Companies pay us the foreclosure for the decryption of files and prevention of data leak. You can contact us using Tox messenger without registration and SMS https://tox.chat/download.html. Using Tox messenger, we will never know your real name, it means your privacy is guaranteed. If you want to contact us, write in jabber or tox. Tox ID LockBitSupp: 3085B89A0C515D2FB124D645906F5D3DA5CB97CEBEA975959AE4F95302A04E1D709C3C4AE9B7 XMPP (Jabber) Support: 598954663666452@exploit.im 365473292355268@thesecure.biz If this contact is expired, and we do not respond you, look for the relevant contact data on our website via Tor or Brave browser Links for Tor Browser: http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion http://lockbitapt5x4zkjbcqmz6frdhecqqgadevyiwqxukksspnlidyvd7qd.onion http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion http://lockbitapt34kvrip6xojylohhxrwsvpzdffgs5z4pbbsywnzsbdguqd.onion http://lockbitaptc2iq4atewz2ise62q63wfktyrl4qtwuk5qax262kgtzjqd.onion http://lockbitaptjpikdqjynvgozhgc6bgetgucdk5xjacozeaawihmoio6yd.onion http://lockbitaptq7ephv2oigdncfhtwhpqgwmqojnxqdyhprxxfpcllqdxad.onion http://lockbitaptstzf3er2lz6ku3xuifafq2yh5lmiqj5ncur6rtlmkteiqd.onion http://lockbitaptoofrpignlz6dt2wqqc5z3a4evjevoa3eqdfcntxad5lmyd.onion Links for the normal browser http://lockbitapt.uz http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion.ly http://lockbitapt5x4zkjbcqmz6frdhecqqgadevyiwqxukksspnlidyvd7qd.onion.ly http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion.ly http://lockbitapt34kvrip6xojylohhxrwsvpzdffgs5z4pbbsywnzsbdguqd.onion.ly http://lockbitaptc2iq4atewz2ise62q63wfktyrl4qtwuk5qax262kgtzjqd.onion.ly http://lockbitaptjpikdqjynvgozhgc6bgetgucdk5xjacozeaawihmoio6yd.onion.ly http://lockbitaptq7ephv2oigdncfhtwhpqgwmqojnxqdyhprxxfpcllqdxad.onion.ly http://lockbitaptstzf3er2lz6ku3xuifafq2yh5lmiqj5ncur6rtlmkteiqd.onion.ly http://lockbitaptoofrpignlz6dt2wqqc5z3a4evjevoa3eqdfcntxad5lmyd.onion.ly

Emails

598954663666452@exploit.im

365473292355268@thesecure.biz

URLs

http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion

http://lockbitapt5x4zkjbcqmz6frdhecqqgadevyiwqxukksspnlidyvd7qd.onion

http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion

http://lockbitapt34kvrip6xojylohhxrwsvpzdffgs5z4pbbsywnzsbdguqd.onion

http://lockbitaptc2iq4atewz2ise62q63wfktyrl4qtwuk5qax262kgtzjqd.onion

http://lockbitaptjpikdqjynvgozhgc6bgetgucdk5xjacozeaawihmoio6yd.onion

http://lockbitaptq7ephv2oigdncfhtwhpqgwmqojnxqdyhprxxfpcllqdxad.onion

http://lockbitaptstzf3er2lz6ku3xuifafq2yh5lmiqj5ncur6rtlmkteiqd.onion

http://lockbitaptoofrpignlz6dt2wqqc5z3a4evjevoa3eqdfcntxad5lmyd.onion

http://lockbitapt.uz

http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion.ly

http://lockbitapt5x4zkjbcqmz6frdhecqqgadevyiwqxukksspnlidyvd7qd.onion.ly

http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion.ly

http://lockbitapt34kvrip6xojylohhxrwsvpzdffgs5z4pbbsywnzsbdguqd.onion.ly

http://lockbitaptc2iq4atewz2ise62q63wfktyrl4qtwuk5qax262kgtzjqd.onion.ly

http://lockbitaptjpikdqjynvgozhgc6bgetgucdk5xjacozeaawihmoio6yd.onion.ly

http://lockbitaptq7ephv2oigdncfhtwhpqgwmqojnxqdyhprxxfpcllqdxad.onion.ly

http://lockbitaptstzf3er2lz6ku3xuifafq2yh5lmiqj5ncur6rtlmkteiqd.onion.ly

http://lockbitaptoofrpignlz6dt2wqqc5z3a4evjevoa3eqdfcntxad5lmyd.onion.ly

https://twitter.com/hashtag/lockbit?f=live

Signatures

Executes dropped EXE 10 IoCs

Processes:

keygen.exebuilder.exebuilder.exebuilder.exebuilder.exebuilder.exebuilder.exeLB3.exeLB3Decryptor.exe3A5F.tmp

pid	process
4620	keygen.exe
3576	builder.exe
2348	builder.exe
3596	builder.exe
3244	builder.exe
4604	builder.exe
4952	builder.exe
1172	LB3.exe
5024	LB3Decryptor.exe
1620	3A5F.tmp

Modifies extensions of user files 42 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

LB3.exeLB3Decryptor.exe

description	ioc	process
File renamed	C:\Users\Admin\Pictures\ConvertFromClear.tif => C:\Users\Admin\Pictures\ConvertFromClear.tif.E7ZI4vkMG	LB3.exe
File renamed	C:\Users\Admin\Pictures\MountCopy.tiff => C:\Users\Admin\Pictures\MountCopy.tiff.E7ZI4vkMG	LB3.exe
File opened for modification	C:\Users\Admin\Pictures\MoveSelect.tiff	LB3.exe
File opened for modification	C:\Users\Admin\Pictures\PingSync.raw.E7ZI4vkMG	LB3.exe
File opened for modification	C:\Users\Admin\Pictures\WatchAssert.tiff.E7ZI4vkMG	LB3Decryptor.exe
File renamed	C:\Users\Admin\Pictures\MountCopy.tiff.E7ZI4vkMG => C:\Users\Admin\Pictures\MountCopy.tiff	LB3Decryptor.exe
File opened for modification	C:\Users\Admin\Pictures\ConvertFromPop.tiff.E7ZI4vkMG	LB3.exe
File opened for modification	C:\Users\Admin\Pictures\InitializeConvert.png.E7ZI4vkMG	LB3.exe
File opened for modification	C:\Users\Admin\Pictures\MountCopy.tiff.E7ZI4vkMG	LB3.exe
File renamed	C:\Users\Admin\Pictures\ResetConvertTo.png => C:\Users\Admin\Pictures\ResetConvertTo.png.E7ZI4vkMG	LB3.exe
File opened for modification	C:\Users\Admin\Pictures\ResetConvertTo.png.E7ZI4vkMG	LB3Decryptor.exe
File opened for modification	C:\Users\Admin\Pictures\ConvertFromPop.tiff	LB3Decryptor.exe
File opened for modification	C:\Users\Admin\Pictures\MoveSelect.tiff	LB3Decryptor.exe
File opened for modification	C:\Users\Admin\Pictures\WatchAssert.tiff	LB3Decryptor.exe
File renamed	C:\Users\Admin\Pictures\InitializeConvert.png => C:\Users\Admin\Pictures\InitializeConvert.png.E7ZI4vkMG	LB3.exe
File renamed	C:\Users\Admin\Pictures\MoveSelect.tiff => C:\Users\Admin\Pictures\MoveSelect.tiff.E7ZI4vkMG	LB3.exe
File opened for modification	C:\Users\Admin\Pictures\WatchAssert.tiff	LB3.exe
File opened for modification	C:\Users\Admin\Pictures\ConvertFromClear.tif.E7ZI4vkMG	LB3Decryptor.exe
File opened for modification	C:\Users\Admin\Pictures\InitializeConvert.png.E7ZI4vkMG	LB3Decryptor.exe
File opened for modification	C:\Users\Admin\Pictures\PingSync.raw.E7ZI4vkMG	LB3Decryptor.exe
File renamed	C:\Users\Admin\Pictures\WatchAssert.tiff.E7ZI4vkMG => C:\Users\Admin\Pictures\WatchAssert.tiff	LB3Decryptor.exe
File renamed	C:\Users\Admin\Pictures\ConvertFromPop.tiff => C:\Users\Admin\Pictures\ConvertFromPop.tiff.E7ZI4vkMG	LB3.exe
File opened for modification	C:\Users\Admin\Pictures\MoveSelect.tiff.E7ZI4vkMG	LB3.exe
File opened for modification	C:\Users\Admin\Pictures\WatchRename.tif.E7ZI4vkMG	LB3.exe
File opened for modification	C:\Users\Admin\Pictures\MountCopy.tiff.E7ZI4vkMG	LB3Decryptor.exe
File opened for modification	C:\Users\Admin\Pictures\MoveSelect.tiff.E7ZI4vkMG	LB3Decryptor.exe
File opened for modification	C:\Users\Admin\Pictures\ResetConvertTo.png.E7ZI4vkMG	LB3.exe
File renamed	C:\Users\Admin\Pictures\UnlockEnter.raw => C:\Users\Admin\Pictures\UnlockEnter.raw.E7ZI4vkMG	LB3.exe
File opened for modification	C:\Users\Admin\Pictures\WatchAssert.tiff.E7ZI4vkMG	LB3.exe
File opened for modification	C:\Users\Admin\Pictures\UnlockEnter.raw.E7ZI4vkMG	LB3Decryptor.exe
File opened for modification	C:\Users\Admin\Pictures\ConvertFromPop.tiff	LB3.exe
File renamed	C:\Users\Admin\Pictures\PingSync.raw => C:\Users\Admin\Pictures\PingSync.raw.E7ZI4vkMG	LB3.exe
File opened for modification	C:\Users\Admin\Pictures\ConvertFromPop.tiff.E7ZI4vkMG	LB3Decryptor.exe
File opened for modification	C:\Users\Admin\Pictures\WatchRename.tif.E7ZI4vkMG	LB3Decryptor.exe
File renamed	C:\Users\Admin\Pictures\ConvertFromPop.tiff.E7ZI4vkMG => C:\Users\Admin\Pictures\ConvertFromPop.tiff	LB3Decryptor.exe
File opened for modification	C:\Users\Admin\Pictures\MountCopy.tiff	LB3.exe
File renamed	C:\Users\Admin\Pictures\WatchAssert.tiff => C:\Users\Admin\Pictures\WatchAssert.tiff.E7ZI4vkMG	LB3.exe
File renamed	C:\Users\Admin\Pictures\WatchRename.tif => C:\Users\Admin\Pictures\WatchRename.tif.E7ZI4vkMG	LB3.exe
File renamed	C:\Users\Admin\Pictures\MoveSelect.tiff.E7ZI4vkMG => C:\Users\Admin\Pictures\MoveSelect.tiff	LB3Decryptor.exe
File opened for modification	C:\Users\Admin\Pictures\ConvertFromClear.tif.E7ZI4vkMG	LB3.exe
File opened for modification	C:\Users\Admin\Pictures\UnlockEnter.raw.E7ZI4vkMG	LB3.exe
File opened for modification	C:\Users\Admin\Pictures\MountCopy.tiff	LB3Decryptor.exe

Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

3A5F.tmp

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation 3A5F.tmp
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Drops desktop.ini file(s) 1 IoCs

Processes:

LB3.exe

description ioc process

File opened for modification C:\$Recycle.Bin\S-1-5-21-2629973501-4017243118-3254762364-1000\desktop.ini LB3.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	3A5F.tmp

description	ioc	process
File opened for modification	C:\$Recycle.Bin\S-1-5-21-2629973501-4017243118-3254762364-1000\desktop.ini	LB3.exe

Drops file in System32 directory 11 IoCs

Processes:

svchost.exe

description	ioc	process
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSSres00001.jrs	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.chk	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSTokenDB2.dat	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.jcp	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.log	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSStmp.log	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSSres00002.jrs	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSTokenDB2.jfm	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSTokenDB2.dat	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.chk	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.jtx	svchost.exe

Sets desktop wallpaper using registry 2 TTPs 3 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

LB3.exeLB3Decryptor.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\E7ZI4vkMG.bmp"	LB3.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\E7ZI4vkMG.bmp"	LB3.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\Desktop\WallPaper	LB3Decryptor.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 6 IoCs

Processes:

LB3.exeLB3Decryptor.exe3A5F.tmp

pid process

1172 LB3.exe
1172 LB3.exe
1172 LB3.exe
1172 LB3.exe
5024 LB3Decryptor.exe
1620 3A5F.tmp
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4108 1260 WerFault.exe

pid	process
1172	LB3.exe
1172	LB3.exe
1172	LB3.exe
1172	LB3.exe
5024	LB3Decryptor.exe
1620	3A5F.tmp

pid	pid_target	process	target process
4108	1260	WerFault.exe

Enumerates system info in registry 2 TTPs 9 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exechrome.exechrome.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Modifies Control Panel 3 IoCs

evasion

Processes:

LB3Decryptor.exeLB3.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\Desktop	LB3Decryptor.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\Desktop	LB3.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\Desktop\WallpaperStyle = "10"	LB3.exe

Modifies registry class 10 IoCs

Processes:

LB3Decryptor.exeLB3.exemspaint.exechrome.exe

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\E7ZI4vkMG\DefaultIcon	LB3Decryptor.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.E7ZI4vkMG	LB3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\E7ZI4vkMG\DefaultIcon	LB3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\E7ZI4vkMG	LB3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\E7ZI4vkMG\DefaultIcon\ = "C:\\ProgramData\\E7ZI4vkMG.ico"	LB3.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings	mspaint.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings	chrome.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.E7ZI4vkMG\ = "E7ZI4vkMG"	LB3.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\E7ZI4vkMG	LB3Decryptor.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\.E7ZI4vkMG	LB3Decryptor.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

chrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exeLB3.exe

pid	process
2532	chrome.exe
2532	chrome.exe
4308	chrome.exe
4308	chrome.exe
2392	chrome.exe
2392	chrome.exe
5016	chrome.exe
5016	chrome.exe
4336	chrome.exe
4336	chrome.exe
60	chrome.exe
60	chrome.exe
4792	chrome.exe
4792	chrome.exe
4476	chrome.exe
4476	chrome.exe
1164	chrome.exe
1164	chrome.exe
552	chrome.exe
552	chrome.exe
4492	chrome.exe
4492	chrome.exe
1172	LB3.exe
1172	LB3.exe
1172	LB3.exe
1172	LB3.exe
1172	LB3.exe
1172	LB3.exe
1172	LB3.exe
1172	LB3.exe
1172	LB3.exe
1172	LB3.exe
1172	LB3.exe
1172	LB3.exe
1172	LB3.exe
1172	LB3.exe
1172	LB3.exe
1172	LB3.exe
1172	LB3.exe
1172	LB3.exe
1172	LB3.exe
1172	LB3.exe
1172	LB3.exe
1172	LB3.exe
1172	LB3.exe
1172	LB3.exe
1172	LB3.exe
1172	LB3.exe
1172	LB3.exe
1172	LB3.exe
1172	LB3.exe
1172	LB3.exe
1172	LB3.exe
1172	LB3.exe
1172	LB3.exe
1172	LB3.exe
1172	LB3.exe
1172	LB3.exe
1172	LB3.exe
1172	LB3.exe
1172	LB3.exe
1172	LB3.exe
1172	LB3.exe
1172	LB3.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs

Processes:

chrome.exechrome.exechrome.exe

pid	process
4308	chrome.exe
4308	chrome.exe
4308	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
4396	chrome.exe
4396	chrome.exe
4396	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

7zG.exeLB3.exe

description	pid	process
Token: SeRestorePrivilege	5104	7zG.exe
Token: 35	5104	7zG.exe
Token: SeSecurityPrivilege	5104	7zG.exe
Token: SeSecurityPrivilege	5104	7zG.exe
Token: SeAssignPrimaryTokenPrivilege	1172	LB3.exe
Token: SeBackupPrivilege	1172	LB3.exe
Token: SeDebugPrivilege	1172	LB3.exe
Token: 36	1172	LB3.exe
Token: SeImpersonatePrivilege	1172	LB3.exe
Token: SeIncBasePriorityPrivilege	1172	LB3.exe
Token: SeIncreaseQuotaPrivilege	1172	LB3.exe
Token: 33	1172	LB3.exe
Token: SeManageVolumePrivilege	1172	LB3.exe
Token: SeProfSingleProcessPrivilege	1172	LB3.exe
Token: SeRestorePrivilege	1172	LB3.exe
Token: SeSecurityPrivilege	1172	LB3.exe
Token: SeSystemProfilePrivilege	1172	LB3.exe
Token: SeTakeOwnershipPrivilege	1172	LB3.exe
Token: SeShutdownPrivilege	1172	LB3.exe
Token: SeDebugPrivilege	1172	LB3.exe
Token: SeBackupPrivilege	1172	LB3.exe
Token: SeBackupPrivilege	1172	LB3.exe
Token: SeSecurityPrivilege	1172	LB3.exe
Token: SeSecurityPrivilege	1172	LB3.exe
Token: SeBackupPrivilege	1172	LB3.exe
Token: SeBackupPrivilege	1172	LB3.exe
Token: SeSecurityPrivilege	1172	LB3.exe
Token: SeSecurityPrivilege	1172	LB3.exe
Token: SeBackupPrivilege	1172	LB3.exe
Token: SeBackupPrivilege	1172	LB3.exe
Token: SeSecurityPrivilege	1172	LB3.exe
Token: SeSecurityPrivilege	1172	LB3.exe
Token: SeBackupPrivilege	1172	LB3.exe
Token: SeBackupPrivilege	1172	LB3.exe
Token: SeSecurityPrivilege	1172	LB3.exe
Token: SeSecurityPrivilege	1172	LB3.exe
Token: SeBackupPrivilege	1172	LB3.exe
Token: SeBackupPrivilege	1172	LB3.exe
Token: SeSecurityPrivilege	1172	LB3.exe
Token: SeSecurityPrivilege	1172	LB3.exe
Token: SeBackupPrivilege	1172	LB3.exe
Token: SeBackupPrivilege	1172	LB3.exe
Token: SeSecurityPrivilege	1172	LB3.exe
Token: SeSecurityPrivilege	1172	LB3.exe
Token: SeBackupPrivilege	1172	LB3.exe
Token: SeBackupPrivilege	1172	LB3.exe
Token: SeSecurityPrivilege	1172	LB3.exe
Token: SeSecurityPrivilege	1172	LB3.exe
Token: SeBackupPrivilege	1172	LB3.exe
Token: SeBackupPrivilege	1172	LB3.exe
Token: SeSecurityPrivilege	1172	LB3.exe
Token: SeSecurityPrivilege	1172	LB3.exe
Token: SeBackupPrivilege	1172	LB3.exe
Token: SeBackupPrivilege	1172	LB3.exe
Token: SeSecurityPrivilege	1172	LB3.exe
Token: SeSecurityPrivilege	1172	LB3.exe
Token: SeBackupPrivilege	1172	LB3.exe
Token: SeBackupPrivilege	1172	LB3.exe
Token: SeSecurityPrivilege	1172	LB3.exe
Token: SeSecurityPrivilege	1172	LB3.exe
Token: SeBackupPrivilege	1172	LB3.exe
Token: SeBackupPrivilege	1172	LB3.exe
Token: SeSecurityPrivilege	1172	LB3.exe
Token: SeSecurityPrivilege	1172	LB3.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

chrome.exe7zG.exechrome.exeLB3Decryptor.exe

pid	process
4308	chrome.exe
4308	chrome.exe
4308	chrome.exe
4308	chrome.exe
4308	chrome.exe
4308	chrome.exe
4308	chrome.exe
4308	chrome.exe
4308	chrome.exe
4308	chrome.exe
4308	chrome.exe
4308	chrome.exe
4308	chrome.exe
4308	chrome.exe
4308	chrome.exe
4308	chrome.exe
4308	chrome.exe
4308	chrome.exe
4308	chrome.exe
4308	chrome.exe
4308	chrome.exe
4308	chrome.exe
4308	chrome.exe
4308	chrome.exe
4308	chrome.exe
4308	chrome.exe
4308	chrome.exe
4308	chrome.exe
4308	chrome.exe
4308	chrome.exe
4308	chrome.exe
4308	chrome.exe
4308	chrome.exe
4308	chrome.exe
4308	chrome.exe
5104	7zG.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
5024	LB3Decryptor.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

chrome.exechrome.exechrome.exe

pid	process
4308	chrome.exe
4308	chrome.exe
4308	chrome.exe
4308	chrome.exe
4308	chrome.exe
4308	chrome.exe
4308	chrome.exe
4308	chrome.exe
4308	chrome.exe
4308	chrome.exe
4308	chrome.exe
4308	chrome.exe
4308	chrome.exe
4308	chrome.exe
4308	chrome.exe
4308	chrome.exe
4308	chrome.exe
4308	chrome.exe
4308	chrome.exe
4308	chrome.exe
4308	chrome.exe
4308	chrome.exe
4308	chrome.exe
4308	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
4396	chrome.exe
4396	chrome.exe
4396	chrome.exe
4396	chrome.exe
4396	chrome.exe
4396	chrome.exe
4396	chrome.exe
4396	chrome.exe
4396	chrome.exe
4396	chrome.exe
4396	chrome.exe
4396	chrome.exe
4396	chrome.exe
4396	chrome.exe
4396	chrome.exe
4396	chrome.exe

Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

LB3Decryptor.exemspaint.exeOpenWith.exe

pid process

5024 LB3Decryptor.exe
2880 mspaint.exe
4808 OpenWith.exe

pid	process
5024	LB3Decryptor.exe
2880	mspaint.exe
4808	OpenWith.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 4308 wrote to memory of 948	4308	chrome.exe	chrome.exe
PID 4308 wrote to memory of 948	4308	chrome.exe	chrome.exe
PID 4308 wrote to memory of 1172	4308	chrome.exe	chrome.exe
PID 4308 wrote to memory of 1172	4308	chrome.exe	chrome.exe
PID 4308 wrote to memory of 1172	4308	chrome.exe	chrome.exe
PID 4308 wrote to memory of 1172	4308	chrome.exe	chrome.exe
PID 4308 wrote to memory of 1172	4308	chrome.exe	chrome.exe
PID 4308 wrote to memory of 1172	4308	chrome.exe	chrome.exe
PID 4308 wrote to memory of 1172	4308	chrome.exe	chrome.exe
PID 4308 wrote to memory of 1172	4308	chrome.exe	chrome.exe
PID 4308 wrote to memory of 1172	4308	chrome.exe	chrome.exe
PID 4308 wrote to memory of 1172	4308	chrome.exe	chrome.exe
PID 4308 wrote to memory of 1172	4308	chrome.exe	chrome.exe
PID 4308 wrote to memory of 1172	4308	chrome.exe	chrome.exe
PID 4308 wrote to memory of 1172	4308	chrome.exe	chrome.exe
PID 4308 wrote to memory of 1172	4308	chrome.exe	chrome.exe
PID 4308 wrote to memory of 1172	4308	chrome.exe	chrome.exe
PID 4308 wrote to memory of 1172	4308	chrome.exe	chrome.exe
PID 4308 wrote to memory of 1172	4308	chrome.exe	chrome.exe
PID 4308 wrote to memory of 1172	4308	chrome.exe	chrome.exe
PID 4308 wrote to memory of 1172	4308	chrome.exe	chrome.exe
PID 4308 wrote to memory of 1172	4308	chrome.exe	chrome.exe
PID 4308 wrote to memory of 1172	4308	chrome.exe	chrome.exe
PID 4308 wrote to memory of 1172	4308	chrome.exe	chrome.exe
PID 4308 wrote to memory of 1172	4308	chrome.exe	chrome.exe
PID 4308 wrote to memory of 1172	4308	chrome.exe	chrome.exe
PID 4308 wrote to memory of 1172	4308	chrome.exe	chrome.exe
PID 4308 wrote to memory of 1172	4308	chrome.exe	chrome.exe
PID 4308 wrote to memory of 1172	4308	chrome.exe	chrome.exe
PID 4308 wrote to memory of 1172	4308	chrome.exe	chrome.exe
PID 4308 wrote to memory of 1172	4308	chrome.exe	chrome.exe
PID 4308 wrote to memory of 1172	4308	chrome.exe	chrome.exe
PID 4308 wrote to memory of 1172	4308	chrome.exe	chrome.exe
PID 4308 wrote to memory of 1172	4308	chrome.exe	chrome.exe
PID 4308 wrote to memory of 1172	4308	chrome.exe	chrome.exe
PID 4308 wrote to memory of 1172	4308	chrome.exe	chrome.exe
PID 4308 wrote to memory of 1172	4308	chrome.exe	chrome.exe
PID 4308 wrote to memory of 1172	4308	chrome.exe	chrome.exe
PID 4308 wrote to memory of 1172	4308	chrome.exe	chrome.exe
PID 4308 wrote to memory of 1172	4308	chrome.exe	chrome.exe
PID 4308 wrote to memory of 1172	4308	chrome.exe	chrome.exe
PID 4308 wrote to memory of 1172	4308	chrome.exe	chrome.exe
PID 4308 wrote to memory of 2532	4308	chrome.exe	chrome.exe
PID 4308 wrote to memory of 2532	4308	chrome.exe	chrome.exe
PID 4308 wrote to memory of 1304	4308	chrome.exe	chrome.exe
PID 4308 wrote to memory of 1304	4308	chrome.exe	chrome.exe
PID 4308 wrote to memory of 1304	4308	chrome.exe	chrome.exe
PID 4308 wrote to memory of 1304	4308	chrome.exe	chrome.exe
PID 4308 wrote to memory of 1304	4308	chrome.exe	chrome.exe
PID 4308 wrote to memory of 1304	4308	chrome.exe	chrome.exe
PID 4308 wrote to memory of 1304	4308	chrome.exe	chrome.exe
PID 4308 wrote to memory of 1304	4308	chrome.exe	chrome.exe
PID 4308 wrote to memory of 1304	4308	chrome.exe	chrome.exe
PID 4308 wrote to memory of 1304	4308	chrome.exe	chrome.exe
PID 4308 wrote to memory of 1304	4308	chrome.exe	chrome.exe
PID 4308 wrote to memory of 1304	4308	chrome.exe	chrome.exe
PID 4308 wrote to memory of 1304	4308	chrome.exe	chrome.exe
PID 4308 wrote to memory of 1304	4308	chrome.exe	chrome.exe
PID 4308 wrote to memory of 1304	4308	chrome.exe	chrome.exe
PID 4308 wrote to memory of 1304	4308	chrome.exe	chrome.exe
PID 4308 wrote to memory of 1304	4308	chrome.exe	chrome.exe
PID 4308 wrote to memory of 1304	4308	chrome.exe	chrome.exe
PID 4308 wrote to memory of 1304	4308	chrome.exe	chrome.exe
PID 4308 wrote to memory of 1304	4308	chrome.exe	chrome.exe

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" https://github.com/3xp0rt/LockBit-Black-Builder
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4308

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8dd6a4f50,0x7ff8dd6a4f60,0x7ff8dd6a4f70
2⤵
PID:948

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1664,2217329367061812341,4741278940676214935,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1688 /prefetch:2
2⤵
PID:1172

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1664,2217329367061812341,4741278940676214935,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=2028 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2532

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1664,2217329367061812341,4741278940676214935,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2320 /prefetch:8
2⤵
PID:1304

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1664,2217329367061812341,4741278940676214935,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3040 /prefetch:1
2⤵
PID:2120

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1664,2217329367061812341,4741278940676214935,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3032 /prefetch:1
2⤵
PID:5072

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1664,2217329367061812341,4741278940676214935,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4300 /prefetch:8
2⤵
PID:2844

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1664,2217329367061812341,4741278940676214935,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4908 /prefetch:8
2⤵
PID:1084

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1664,2217329367061812341,4741278940676214935,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4488 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2392

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1664,2217329367061812341,4741278940676214935,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5020 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:5016

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1664,2217329367061812341,4741278940676214935,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5100 /prefetch:8
2⤵
PID:5012

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1664,2217329367061812341,4741278940676214935,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4356 /prefetch:8
2⤵
PID:4016

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1664,2217329367061812341,4741278940676214935,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5036 /prefetch:8
2⤵
PID:1292

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1664,2217329367061812341,4741278940676214935,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4512 /prefetch:1
2⤵
PID:2316

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1664,2217329367061812341,4741278940676214935,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4332 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4336

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.FileUtilService --field-trial-handle=1664,2217329367061812341,4741278940676214935,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2136 /prefetch:8
2⤵
PID:3484

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1664,2217329367061812341,4741278940676214935,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5044 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:60

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1664,2217329367061812341,4741278940676214935,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5060 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4792

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:100

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 460 -p 1260 -ip 1260
1⤵
PID:1256

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 1260 -s 848
1⤵
- Program crash
PID:4108

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3664

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\" -an -ai#7zMap27441:86:7zEvent31312
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:5104

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1164

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ff8dd6a4f50,0x7ff8dd6a4f60,0x7ff8dd6a4f70
2⤵
PID:2988

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1668,11825648934462489100,7502274631939444568,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2236 /prefetch:8
2⤵
PID:1408

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1668,11825648934462489100,7502274631939444568,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1800 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4476

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1668,11825648934462489100,7502274631939444568,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1684 /prefetch:2
2⤵
PID:2000

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1668,11825648934462489100,7502274631939444568,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2900 /prefetch:1
2⤵
PID:5000

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1668,11825648934462489100,7502274631939444568,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2892 /prefetch:1
2⤵
PID:5100

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1668,11825648934462489100,7502274631939444568,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3924 /prefetch:1
2⤵
PID:3232

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1668,11825648934462489100,7502274631939444568,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4400 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:552

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1668,11825648934462489100,7502274631939444568,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5036 /prefetch:8
2⤵
PID:3236

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1668,11825648934462489100,7502274631939444568,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5168 /prefetch:8
2⤵
PID:2028

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1668,11825648934462489100,7502274631939444568,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5300 /prefetch:8
2⤵
PID:2936

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1668,11825648934462489100,7502274631939444568,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5308 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4492

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1668,11825648934462489100,7502274631939444568,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4436 /prefetch:1
2⤵
PID:4568

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4396

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\Build.bat" "
1⤵
PID:1064

C:\Users\Admin\Desktop\keygen.exe
keygen -path C:\Users\Admin\Desktop\Build -pubkey pub.key -privkey priv.key
2⤵
- Executes dropped EXE
PID:4620

C:\Users\Admin\Desktop\builder.exe
builder -type dec -privkey C:\Users\Admin\Desktop\Build\priv.key -config config.json -ofile C:\Users\Admin\Desktop\Build\LB3Decryptor.exe
2⤵
- Executes dropped EXE
PID:3576

C:\Users\Admin\Desktop\builder.exe
builder -type enc -exe -pubkey C:\Users\Admin\Desktop\Build\pub.key -config config.json -ofile C:\Users\Admin\Desktop\Build\LB3.exe
2⤵
- Executes dropped EXE
PID:2348

C:\Users\Admin\Desktop\builder.exe
builder -type enc -exe -pass -pubkey C:\Users\Admin\Desktop\Build\pub.key -config config.json -ofile C:\Users\Admin\Desktop\Build\LB3_pass.exe
2⤵
- Executes dropped EXE
PID:3596

C:\Users\Admin\Desktop\builder.exe
builder -type enc -dll -pubkey C:\Users\Admin\Desktop\Build\pub.key -config config.json -ofile C:\Users\Admin\Desktop\Build\LB3_Rundll32.dll
2⤵
- Executes dropped EXE
PID:3244

C:\Users\Admin\Desktop\builder.exe
builder -type enc -dll -pass -pubkey C:\Users\Admin\Desktop\Build\pub.key -config config.json -ofile C:\Users\Admin\Desktop\Build\LB3_Rundll32_pass.dll
2⤵
- Executes dropped EXE
PID:4604

C:\Users\Admin\Desktop\builder.exe
builder -type enc -ref -pubkey C:\Users\Admin\Desktop\Build\pub.key -config config.json -ofile C:\Users\Admin\Desktop\Build\LB3_ReflectiveDll_DllMain.dll
2⤵
- Executes dropped EXE
PID:4952

C:\Users\Admin\Desktop\Build\LB3.exe
"C:\Users\Admin\Desktop\Build\LB3.exe"
1⤵
- Executes dropped EXE
- Modifies extensions of user files
- Drops desktop.ini file(s)
- Sets desktop wallpaper using registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies Control Panel
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1172

C:\ProgramData\3A5F.tmp
"C:\ProgramData\3A5F.tmp"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:1620

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\3A5F.tmp >> NUL
3⤵
PID:2004

C:\Users\Admin\Desktop\Build\LB3Decryptor.exe
"C:\Users\Admin\Desktop\Build\LB3Decryptor.exe"
1⤵
- Executes dropped EXE
- Modifies extensions of user files
- Sets desktop wallpaper using registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies Control Panel
- Modifies registry class
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:5024

C:\Windows\system32\mspaint.exe
"C:\Windows\system32\mspaint.exe" "C:\Users\Admin\Desktop\ProtectCompress.jpeg" /ForceBootstrapPaint3D
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2880

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s DsSvc
1⤵
- Drops file in System32 directory
PID:3868

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:4808

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of SendNotifyMessage
PID:4396

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8f3904f50,0x7ff8f3904f60,0x7ff8f3904f70
2⤵
PID:1260

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1612,15962466878093929122,10451224651664499088,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1632 /prefetch:2
2⤵
PID:4764

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1612,15962466878093929122,10451224651664499088,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=2052 /prefetch:8
2⤵
PID:4768

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1612,15962466878093929122,10451224651664499088,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2712 /prefetch:1
2⤵
PID:4972

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1612,15962466878093929122,10451224651664499088,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2704 /prefetch:1
2⤵
PID:3280

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1612,15962466878093929122,10451224651664499088,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2464 /prefetch:8
2⤵
PID:3836

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1612,15962466878093929122,10451224651664499088,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3812 /prefetch:1
2⤵
PID:2424

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2044

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat
Filesize
40B

MD5
f9117eef265e523cfb5089ab5388e102

SHA1
13da751278466c6af5b00499ddc8f4cc129a6056

SHA256
97625a9a59a2481937e156777eb38537f212ad290e3c9d974f5c558ddd490268

SHA512
14fb42f95120fefe78ad63945521cbef00ddbeec7619b08855b580eef59769d051ccdd05a7409347bdbb0c85c1f934f4dc91928f9122ad12bd66dbb97934f6fc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\data_0
Filesize
44KB

MD5
31339a7eb4787a3f2465446b4742202e

SHA1
3d2ce86197f1275436cb921582bb0d5da7af17b7

SHA256
a832ca2942fd0fbf7f5c600ba264559c2ea8de47b2b339e9a57b66b6be49ce24

SHA512
d3ba74a56cfbf26d67b4676c01b5c09d68d79aeded10c865a4d863d8ee3ab54261be01a7fd5458389b96abb16116d05ff2f4b12c87ee772a4ae5dc85ae446cd9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\data_1
Filesize
264KB

MD5
9fdd118036f2436957b759bee2fff634

SHA1
ae5d998591c0402cc6809b1e5304c7ffb588e905

SHA256
08e034562b561dec635226b5074876544ef65843d9843b0bbbe4e8ee99bb918f

SHA512
a05833c0e75d48c1c3d5e913ea94c822324bc70f3c64f0bd28cbc6b7febd93fa3ef45d4ed8edb0403d1bda9311ea61a44e35f9a8233685d9569d8a3ea80b6b83

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\data_2
Filesize
1.0MB

MD5
5dadec0cfdcd8deafd481bc388e1cac7

SHA1
61ec99b3c15b979fa685fa72fad6e25a398a97d7

SHA256
074769282ef83a7f62540475f957de204316dbcf85f56c28483fb3ee80b35638

SHA512
4c226729738fae9984d5d43c98d0776a30d1859b7cd037a610348ca74091a92a8a2cdf64ebe258df4e683a014fc469a1fa92b34bca986e048bda8f24576a43b2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\data_3
Filesize
4.0MB

MD5
80b57ca0230fbf0e2ef091c2833a520c

SHA1
2992e94b6882c3d2e820d0c7e8e8f9d35436ab5d

SHA256
2f68ded564dc5e780e2e96e48766d923cd6917265c185a4f13d29751d4b0bef2

SHA512
0a436d62b2080875c59ed4fa576042bb843efece78f6eba2446ac69846245096e5a06780bb669fad966166af5a178c4a9cb31631247bddf2d928ff010f58f6ac

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
1KB

MD5
5184d6bfb485c73166fdd3fc642251fe

SHA1
8f7d7ad51612e55b1ad7ffe54660efb7d408bed7

SHA256
f2c5b31161cdd8fee8ad0f2091ee15648d97001401ec9079b85535339c948826

SHA512
eda298760d61e1c136a285790265e49f74618f3d254ed088205c3d47c918bb4f09610ce21e6fa969fc623e7c9f0b54859ef6d9acfa1dcf83f125bbed4e3e0b96

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cookies
Filesize
20KB

MD5
a50a0769e2d240174e576d4d05a33930

SHA1
5a41c3daec9576cb7d678c54a04bc9988e20fe91

SHA256
659e456ad0a6b81e5683fb7a48f47547bc8776d75948d99a2c5b46c7be678af5

SHA512
f4c33bfc4f4ac792c9eda2ca70ee08ddae4e39e114270b8126905c043f3ecbe52bc6eb852955041c37666b04ae708c31287b0de7ba9b54fae61b39482259905d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cookies-journal
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_metadata\computed_hashes.json
Filesize
10KB

MD5
90f880064a42b29ccff51fe5425bf1a3

SHA1
6a3cae3996e9fff653a1ddf731ced32b2be2acbf

SHA256
965203d541e442c107dbc6d5b395168123d0397559774beae4e5b9abc44ef268

SHA512
d9cbfcd865356f19a57954f8fd952caf3d31b354112766c41892d1ef40bd2533682d4ec3f4da0e59a5397364f67a484b45091ba94e6c69ed18ab681403dfd3f3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_metadata\verified_contents.json
Filesize
7KB

MD5
0834821960cb5c6e9d477aef649cb2e4

SHA1
7d25f027d7cee9e94e9cbdee1f9220c8d20a1588

SHA256
52a24fa2fb3bcb18d9d8571ae385c4a830ff98ce4c18384d40a84ea7f6ba7f69

SHA512
9aeafc3ece295678242d81d71804e370900a6d4c6a618c5a81cacd869b84346feac92189e01718a7bb5c8226e9be88b063d2ece7cb0c84f17bb1af3c5b1a3fc4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Favicons
Filesize
20KB

MD5
d8e53475d46fd400a099c6f6bbc51569

SHA1
39b1d2609a2a2e3d196107338efd043bf762c071

SHA256
8cc5df0c33ed578978ae8637f4e6c94d480868c721d9216c4910f866ccaf770a

SHA512
467501240325a3efbaef9e995c5da6f212c85d2d54979df59522ea2ad8da5f12a9ebfe8e0c6db336643d11edf4811a66b2efe5f6ed8a41df8dc380de0e8d9f16

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1
Filesize
264KB

MD5
cbc9cec4a1be8db82ce28f415a05b616

SHA1
62ea3c68bcfe1752fa5fde3845c4e8c012639fa2

SHA256
8624fea9f674e4e4e53582f1044e280cc2c10274772d98de1a118f293c950761

SHA512
7a6d158f74a4e20197f988f819dd34326f6d0bf1a4738751179d98add6cd7525cdd0b2bd0ed4272949d5aea03addafcbc40ec678a24ff0d216994a462012c3c1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\History
Filesize
116KB

MD5
c713d735e6851eb098f9477409442e28

SHA1
d9b438d4b8fc9ecce0e5912ececd13d4b4ae279d

SHA256
d911dd7ceb5be7776ef6c69f2ecd5c28c21ce7672432bb56baad0ae25035c7ba

SHA512
b078aad62b4377d9aa47d1c9db96d9bcb02bdacc38873c711989f855295caba243b081679c054ea5ff000b6c251aba01fe0a766f5f94a3232b56952213a0f7fd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\History Provider Cache
Filesize
1KB

MD5
610e1b07eae16ae173231a2c95e75e2a

SHA1
517d8166333c548cfed54ef0fff6c0ae2389fc90

SHA256
ea32578229b7b53894cf867bbdd1e4862b3927c3fadae4c28d3113ae00db846a

SHA512
f9a4ee3a7a92d4d37eb7667b07b407ff5f7d0c54e8480958e2c5d697f51aaa5d111357b90f94c20effdd3270f3defdafb69bb3f7638c6878b2fa7cb722c2a058

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\000003.log
Filesize
7KB

MD5
394403eab8dac4414ea90ea76c781bd3

SHA1
ec5d0c8f4498e1759e727eef0f796e023de1b997

SHA256
51425cf8f28287caf59e946388eb65ba56e13ccd413f01220300f667db543817

SHA512
c9dc833b4aa236172682327188214e8533292ea2b45883a43e9c7df33bf237daae54f10cfc281c4e947d8432df5c322aae0d83e765005da1a65fc1f0b4f175fb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\LOG
Filesize
332B

MD5
d37fdec8283529bc687b9842e2b30126

SHA1
55e80b577bb96cd01b0d306cd18c7facbe39de81

SHA256
8dbe579ae612994ce782a81a419f801dca1533413b592dca1e3b64897e0a2cee

SHA512
40e0ea13b9a46a8df720c9cb084dcf808b372491156b5840131862678044ba83d671bb40bf95d05d2fefd7ef2ba3c8fb278477f750d185beed65df42a9594096

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network Persistent State
Filesize
1KB

MD5
b0aaa4141fef8337015e77d8c8f1bd80

SHA1
9db6b7134b773e097719b899fac49ebb0f46941e

SHA256
f16ddca93b440abd22cc1c035346d88a861cdf24fff84b65a9f5fbccc15c3a0d

SHA512
91ddbf6d478968084cd7c540dd256b2f1948470cb5ef0268fc7138d33d985df7451fe3d8872580bf38e1d7eb2b672f08c6865ca27a44db862e16d0d8fb905dfe

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Platform Notifications\LOG
Filesize
331B

MD5
3c0a23f80e9ba1a5e56793ab0e0e6078

SHA1
114eaea752182b0d1710f783327232b6c5f90ec2

SHA256
95e30ef58bdb1203d9259ad55637dd6d73c43a4e77e37a5259b056370673e58b

SHA512
cb5e79498915b3d61b02e0b2857861afc88aa3b4a60487a98748f1c9a2e8e71c528b46ccd8be3ca1e5a22c62d1a284b2ecc391464f945ce3adc152d7225e4c8d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
5KB

MD5
7c1d864556e4a7380a26b181b0019a94

SHA1
95769159539b4e53ac2c42993f6c8873a07b5d5d

SHA256
1b669ab9c540dd55071d08d65f0997d01601068eae251b4c5ee6c323283dfae8

SHA512
5678639361f6c6377b436de2e18f240b65f138fd65b1bf6f8f72f7909564ed8f340eb880101d5e9e56cfa5a60805d33fa583b4e5ae37d35f2abcec83512911f3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
Filesize
16KB

MD5
b66aa9201891e1be204af0889f72f1d3

SHA1
89d0c667cfa6d18c9e8146942f8038ad7297072e

SHA256
b433653414c149716fd8d67bb37bb3bef76aaf51fc36fa6bf65e62445fb9ee94

SHA512
3beca15c6b98df58302d73978221003d87c0e83daf5c6a7b1d2160e6528b272848079416be75909c163b0178b78d286fc845bc280b5cfcbf4b9fa9a8b0dd43c7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Session Storage\000003.log
Filesize
858B

MD5
fdf0510e91c49e471065bdfac5b9d9da

SHA1
37ddffb6b2d43624e55c3a839ad13c677dcf588e

SHA256
931af206c5c7532148a3261da3fb382fd3f4fa2679433241d6469fb365f04839

SHA512
df11d12d86879322670d9265f08b76bec9785048e62469799e2dc09026cfbf6cbcfeb77a279aa3bfb1971818da2dea6cdda22e5addcf20d9aa72ed81fe079ec7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Session Storage\LOG
Filesize
314B

MD5
e324886d60b9ffac2135e52d1a81cb93

SHA1
f0a37295b81b7c9c66cf35e947ea9cb03f6a7864

SHA256
e2154bc54732d49abee79dc402a0a8e243d96c545a4113098d70e5ddf6b06111

SHA512
b30733c99d6acca43239f0ef41a710d65de7020929152b4e38bbc3ca0f1855c616083ab40a533d649967a8a517c5eae6dbe96451d74c55119f99e7f3b3e3660a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sessions\Tabs_13308252886405722
Filesize
7KB

MD5
0da98bcfa08d1aef311e971ab579430f

SHA1
649c247b80a25811b76ef74197e905067aee342e

SHA256
5937504942dcf21181766496a1eb623aa8d554a60a14bd0c10c9b3ae753a1156

SHA512
cd6aaef328ffa233a103e25e83e187d23ad53314a9952d4af3f7f2c47f18671bb03b9e2af015aff9073a7afdb7a62e2c286440c19dc9b0731ab589ff5823a712

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\000003.log
Filesize
112B

MD5
b90318090778d2890ce5a86d0b7d3d8e

SHA1
9d6620415f2ad1ac9fd6a9b96848103449296e94

SHA256
5aa99118162aa685f782aff1e4e5802d02244c5518766e75e0ed951ba989cade

SHA512
49abd28cc252e6e464fc2705ee3588f13a3e03e912f30c17649698f142f5b513d219033f283ff9acad5e184935499a5a119b8db8cf6ffd57712b8bd6c7f660a8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\LOG
Filesize
345B

MD5
3ab5320fe79225709646d3321e10c579

SHA1
113012cf56a595f504b23a1c0fb9f3cca5faac69

SHA256
ce949e9949706881ee38a5758775cb41d7d5c2c4cbc7d9dbdd837e0906d4c122

SHA512
4d5758378cf319b7f866207f5c734d0eeb39ba459277d72ada3994281dd176396a3ad1ec025b68fb416f1fcf59bc42512e0a13ee3d26574bfe1af1296febe4ad

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000003.log
Filesize
160B

MD5
de92ad90be6d3364745b2f73f4c3cf73

SHA1
9158681463bd30e5af4dda4baac81f93cedbda77

SHA256
0025a3e0d3b834401b3b5f820e1991ef7e810d9a4b8b6b579e6301c94e7031a0

SHA512
9e81cefc195439439f4b23ee7696309d7bc3c08e5b444d2abde26d2f12b2d3bcfd124fb9a2d40c6389e9f787741676fad366a2e9982674e7b931028c014d8a79

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\LOG
Filesize
321B

MD5
aedf352d21f6516f9d4f362f1999c002

SHA1
bb84b65176f1fbfd4ac6983553ea5930ec595c6b

SHA256
f60572ba3bd10f1c50d746131770652a53a0ed3a54854e3d3f8241925f3ca07c

SHA512
32632f915762471e6e0c5315b37bc35bdd6c2623b6a49f341767a46af770da86f42e0999ebc61b6eded6ffdbce7166cffb21fecdcf10b9d059cca6f4cbe330c6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\TransportSecurity
Filesize
1KB

MD5
342cb331ed51f9b39143e2aa0523f62b

SHA1
74b87ebb13eb9ac51dae777f91f7f5c2257f65aa

SHA256
8a211395d39f0e00ee62fefd0ffc4e2fd9cb3a594c5cb602cbf100c3ea22884e

SHA512
d144167c63b210c5dfa6598fa37f216c9037ce386c73c72cb98def10251ff56199f3ef6e05128e597390945af8c0a8cb00f860ee25a9c67114149fc253b927d7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Visited Links
Filesize
128KB

MD5
6be46c91267eee13fd01494ca21ac073

SHA1
958101f29e8d15f22b04badd353ef003bce61aa8

SHA256
2cc746c409c9489d6ae54972bd76607155064d202bba71363d1ac12613743f34

SHA512
7e99f41e5a7d073eb2e86b54fdaefd1b1a2dfd9112a89cf8dd287b520e62f0e094abd6e82da0afe8671ffdf7273d9a10c2588668ea9111338b208b6cca17418f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\data_reduction_proxy_leveldb\LOG
Filesize
136B

MD5
c74d06588e5111057688b6d2558c4cdb

SHA1
e2346231ecdb2f6dddee098d5ff6145acc7859c1

SHA256
a20002434c6926da532cbb388d3d41a4aeb2c14e8885e5165352e51419dc85de

SHA512
0ac42f24aef1d68ad43ae5062e80552818f7e898e70bccea8e9c3218ec607953b82cdcbbdd614d5f0f8bba3d54c937565c8520fe703878172105e714242fdeba

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\data_reduction_proxy_leveldb\MANIFEST-000004
Filesize
50B

MD5
031d6d1e28fe41a9bdcbd8a21da92df1

SHA1
38cee81cb035a60a23d6e045e5d72116f2a58683

SHA256
b51bc53f3c43a5b800a723623c4e56a836367d6e2787c57d71184df5d24151da

SHA512
e994cd3a8ee3e3cf6304c33df5b7d6cc8207e0c08d568925afa9d46d42f6f1a5bdd7261f0fd1fcdf4df1a173ef4e159ee1de8125e54efee488a1220ce85af904

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\GrShaderCache\GPUCache\data_1
Filesize
264KB

MD5
e797a9914842f75b791257344c727715

SHA1
7a8196d562649e0619d08560be83de8614d83cb0

SHA256
aaae3c3e3ebd26aab0ea19707ca69acf5a785ec8bdd8660be77960dde6445d4a

SHA512
f4c15ca1695df12ad1cfadd271b61ca281b2ad43af92fb33efd9c13257b7549dd4240a0d3593ca8d49722bdcbcc70f8be3d0d5938fd3d5323ec5c633134ff436

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Last Browser
Filesize
106B

MD5
de9ef0c5bcc012a3a1131988dee272d8

SHA1
fa9ccbdc969ac9e1474fce773234b28d50951cd8

SHA256
3615498fbef408a96bf30e01c318dac2d5451b054998119080e7faac5995f590

SHA512
cea946ebeadfe6be65e33edff6c68953a84ec2e2410884e12f406cac1e6c8a0793180433a7ef7ce097b24ea78a1fdbb4e3b3d9cdf1a827ab6ff5605da3691724

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Last Version
Filesize
13B

MD5
b63048c4e7e52c52053d25da30d9c5ab

SHA1
679a44d402f5ec24605719e06459f5a707989187

SHA256
389caa40ea458e84bc624a9af1e0dec60fa652b2db2b81c09b1dfe22822cc3d1

SHA512
e86c58c5a25e24f21ad79ed526a90c120a09c115f4820663bd2ebbc59e7bb1c4c418267eb77645522aa20b2c1b53fba8e31690db7bae9b21e4eff3db06316359

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
94KB

MD5
f30e1a609338657ee9e75177054c536b

SHA1
62acdfd916fffd69f4a22a0640c34791b2dec461

SHA256
1b8eec5ebdbc57d79b7b366750296dfa4c038dcf1f77b5ae31361486fde41407

SHA512
418a229159d324d8721705812245c0aab2ba4430104824e487128fd3486134d5f3bce05d49c047ce757838688314d23463c765b3590ca9e157e99732f0294b9d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\GPUCache\data_1
Filesize
264KB

MD5
e1f004df2313c9d25037c4476e5df5f1

SHA1
89071b5d958dffbcbf82bbf9a8fb0c18937644b0

SHA256
378efecfa0b5078691e69814611dc2b1ca5f468ab66e7a5652dfb31b50fb99c4

SHA512
e6639033dda3ee8cbf3781bb229f0b954bc7e67a17ddc832c4813c0e59c5ca578db00aa7dcc0a9e3f05cf486dca9cd0e423fd8c913af00bb12cf817cbbffb6ad

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\chrome_shutdown_ms.txt
Filesize
4B

MD5
31355a9f37a6d22bfd8e39aadd33f331

SHA1
7236cb6c06114609f0859d188c927de632a1d226

SHA256
5e87666284e832f872e4b6f290c1a36a2240c4a9f84b3c854eaabde3f9afe577

SHA512
cb4f42991b7725b422907a3e9d6837fda4be6fca8fc4ee3b84a6c3c97d5169fb13e4413badccb028c93c8f22ece29c917d9ee26e1e5b9d81e39b90b3d757d716

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Caches
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Spelling\en-US\default.acl
Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Spelling\en-US\default.dic
Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Spelling\en-US\default.exc
Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
\??\pipe\crashpad_1164_TQEXAMUEEFACPUCY
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\pipe\crashpad_4308_HOWKUCAALVTDACLJ
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1620-176-0x0000000000000000-mapping.dmp

Download
memory/1620-177-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/2004-178-0x0000000000000000-mapping.dmp

Download
memory/3868-179-0x0000017E37E60000-0x0000017E37E70000-memory.dmp

Filesize
64KB

Download
memory/3868-180-0x0000017E37EA0000-0x0000017E37EB0000-memory.dmp

Filesize
64KB

Download