lockbit | b2c3beda4b000a3d9af0a457d6d942ec81696f3ed485f7cf723b18008a5f3d10

Analysis

max time kernel
1624s
max time network
1596s
platform
windows10-2004_x64
resource
win10v2004-20230621-en
resource tags

arch:x64arch:x86image:win10v2004-20230621-enlocale:en-usos:windows10-2004-x64system
submitted
21-06-2023 23:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

LBLeak/config.json
Size

8KB
MD5

a6ba7b662de10b45ebe5b6b7edaa62a9
SHA1

f3ed67bdaef070cd5a213b89d53c5b8022d6f266
SHA256

3f7518d88aefd4b1e0a1d6f9748f9a9960c1271d679600e34f5065d8df8c9dc8
SHA512

7fc9d4d61742a26def74c7dd86838482e3fc1e4e065cb3a06ae151e2c8614c9c36e8816ae0a3560ad5dd3cc02be131cb232c7deacc7f7b5a611e8eec790feea1
SSDEEP

192:DLxgpmWU6ig4HJmLDHqlexR4qjIuoIyig4H8mLDHs:D1IhU6ApmZrIoyAcmM

Score

10^/10

lockbit persistence ransomware spyware stealer

Malware Config

Extracted

Path

C:\ruurOinjW.README.txt

Family

lockbit

Ransom Note

~~~ LockBit 3.0 the world's fastest ransomware since 2019~~~ >>>> Your data are stolen and encrypted The data will be published on TOR website if you do not pay the ransom Links for Tor Browser: http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion http://lockbitapt5x4zkjbcqmz6frdhecqqgadevyiwqxukksspnlidyvd7qd.onion http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion http://lockbitapt34kvrip6xojylohhxrwsvpzdffgs5z4pbbsywnzsbdguqd.onion http://lockbitaptc2iq4atewz2ise62q63wfktyrl4qtwuk5qax262kgtzjqd.onion http://lockbitaptjpikdqjynvgozhgc6bgetgucdk5xjacozeaawihmoio6yd.onion http://lockbitaptq7ephv2oigdncfhtwhpqgwmqojnxqdyhprxxfpcllqdxad.onion http://lockbitaptstzf3er2lz6ku3xuifafq2yh5lmiqj5ncur6rtlmkteiqd.onion http://lockbitaptoofrpignlz6dt2wqqc5z3a4evjevoa3eqdfcntxad5lmyd.onion Links for the normal browser http://lockbitapt.uz http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion.ly http://lockbitapt5x4zkjbcqmz6frdhecqqgadevyiwqxukksspnlidyvd7qd.onion.ly http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion.ly http://lockbitapt34kvrip6xojylohhxrwsvpzdffgs5z4pbbsywnzsbdguqd.onion.ly http://lockbitaptc2iq4atewz2ise62q63wfktyrl4qtwuk5qax262kgtzjqd.onion.ly http://lockbitaptjpikdqjynvgozhgc6bgetgucdk5xjacozeaawihmoio6yd.onion.ly http://lockbitaptq7ephv2oigdncfhtwhpqgwmqojnxqdyhprxxfpcllqdxad.onion.ly http://lockbitaptstzf3er2lz6ku3xuifafq2yh5lmiqj5ncur6rtlmkteiqd.onion.ly http://lockbitaptoofrpignlz6dt2wqqc5z3a4evjevoa3eqdfcntxad5lmyd.onion.ly >>>> What guarantees that we will not deceive you? We are not a politically motivated group and we do not need anything other than your money. If you pay, we will provide you the programs for decryption and we will delete your data. Life is too short to be sad. Be not sad, money, it is only paper. If we do not give you decrypters, or we do not delete your data after payment, then nobody will pay us in the future. Therefore to us our reputation is very important. We attack the companies worldwide and there is no dissatisfied victim after payment. You can obtain information about us on twitter https://twitter.com/hashtag/lockbit?f=live >>>> You need contact us and decrypt one file for free on these TOR sites with your personal DECRYPTION ID Download and install TOR Browser https://www.torproject.org/ Write to a chat and wait for the answer, we will always answer you. Sometimes you will need to wait for our answer because we attack many companies. Links for Tor Browser: http://lockbitsupt7nr3fa6e7xyb73lk6bw6rcneqhoyblniiabj4uwvzapqd.onion http://lockbitsupuhswh4izvoucoxsbnotkmgq6durg7kficg6u33zfvq3oyd.onion http://lockbitsupn2h6be2cnqpvncyhj4rgmnwn44633hnzzmtxdvjoqlp7yd.onion Link for the normal browser http://lockbitsupp.uz If you do not get an answer in the chat room for a long time, the site does not work and in any other emergency, you can contact us in jabber or tox. Tox ID LockBitSupp: 3085B89A0C515D2FB124D645906F5D3DA5CB97CEBEA975959AE4F95302A04E1D709C3C4AE9B7 XMPP (Jabber) Support: [email protected] [email protected] >>>> Your personal DECRYPTION ID: 7B239D09EC9BBA17A10B432970293BEF >>>> Warning! Do not DELETE or MODIFY any files, it can lead to recovery problems! >>>> Warning! If you do not pay the ransom we will attack your company repeatedly again! >>>> Advertisement Would you like to earn millions of dollars $$$ ? Our company acquire access to networks of various companies, as well as insider information that can help you steal the most valuable data of any company. You can provide us accounting data for the access to any company, for example, login and password to RDP, VPN, corporate email, etc. Open our letter at your email. Launch the provided virus on any computer in your company. You can do it both using your work computer or the computer of any other employee in order to divert suspicion of being in collusion with us. Companies pay us the foreclosure for the decryption of files and prevention of data leak. You can contact us using Tox messenger without registration and SMS https://tox.chat/download.html. Using Tox messenger, we will never know your real name, it means your privacy is guaranteed. If you want to contact us, write in jabber or tox. Tox ID LockBitSupp: 3085B89A0C515D2FB124D645906F5D3DA5CB97CEBEA975959AE4F95302A04E1D709C3C4AE9B7 XMPP (Jabber) Support: [email protected] [email protected] If this contact is expired, and we do not respond you, look for the relevant contact data on our website via Tor or Brave browser Links for Tor Browser: http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion http://lockbitapt5x4zkjbcqmz6frdhecqqgadevyiwqxukksspnlidyvd7qd.onion http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion http://lockbitapt34kvrip6xojylohhxrwsvpzdffgs5z4pbbsywnzsbdguqd.onion http://lockbitaptc2iq4atewz2ise62q63wfktyrl4qtwuk5qax262kgtzjqd.onion http://lockbitaptjpikdqjynvgozhgc6bgetgucdk5xjacozeaawihmoio6yd.onion http://lockbitaptq7ephv2oigdncfhtwhpqgwmqojnxqdyhprxxfpcllqdxad.onion http://lockbitaptstzf3er2lz6ku3xuifafq2yh5lmiqj5ncur6rtlmkteiqd.onion http://lockbitaptoofrpignlz6dt2wqqc5z3a4evjevoa3eqdfcntxad5lmyd.onion Links for the normal browser http://lockbitapt.uz http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion.ly http://lockbitapt5x4zkjbcqmz6frdhecqqgadevyiwqxukksspnlidyvd7qd.onion.ly http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion.ly http://lockbitapt34kvrip6xojylohhxrwsvpzdffgs5z4pbbsywnzsbdguqd.onion.ly http://lockbitaptc2iq4atewz2ise62q63wfktyrl4qtwuk5qax262kgtzjqd.onion.ly http://lockbitaptjpikdqjynvgozhgc6bgetgucdk5xjacozeaawihmoio6yd.onion.ly http://lockbitaptq7ephv2oigdncfhtwhpqgwmqojnxqdyhprxxfpcllqdxad.onion.ly http://lockbitaptstzf3er2lz6ku3xuifafq2yh5lmiqj5ncur6rtlmkteiqd.onion.ly http://lockbitaptoofrpignlz6dt2wqqc5z3a4evjevoa3eqdfcntxad5lmyd.onion.ly

Emails

[email protected]

URLs

http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion

http://lockbitapt5x4zkjbcqmz6frdhecqqgadevyiwqxukksspnlidyvd7qd.onion

http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion

http://lockbitapt34kvrip6xojylohhxrwsvpzdffgs5z4pbbsywnzsbdguqd.onion

http://lockbitaptc2iq4atewz2ise62q63wfktyrl4qtwuk5qax262kgtzjqd.onion

http://lockbitaptjpikdqjynvgozhgc6bgetgucdk5xjacozeaawihmoio6yd.onion

http://lockbitaptq7ephv2oigdncfhtwhpqgwmqojnxqdyhprxxfpcllqdxad.onion

http://lockbitaptstzf3er2lz6ku3xuifafq2yh5lmiqj5ncur6rtlmkteiqd.onion

http://lockbitaptoofrpignlz6dt2wqqc5z3a4evjevoa3eqdfcntxad5lmyd.onion

http://lockbitapt.uz

http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion.ly

http://lockbitapt5x4zkjbcqmz6frdhecqqgadevyiwqxukksspnlidyvd7qd.onion.ly

http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion.ly

http://lockbitapt34kvrip6xojylohhxrwsvpzdffgs5z4pbbsywnzsbdguqd.onion.ly

http://lockbitaptc2iq4atewz2ise62q63wfktyrl4qtwuk5qax262kgtzjqd.onion.ly

http://lockbitaptjpikdqjynvgozhgc6bgetgucdk5xjacozeaawihmoio6yd.onion.ly

http://lockbitaptq7ephv2oigdncfhtwhpqgwmqojnxqdyhprxxfpcllqdxad.onion.ly

http://lockbitaptstzf3er2lz6ku3xuifafq2yh5lmiqj5ncur6rtlmkteiqd.onion.ly

http://lockbitaptoofrpignlz6dt2wqqc5z3a4evjevoa3eqdfcntxad5lmyd.onion.ly

https://twitter.com/hashtag/lockbit?f=live

Signatures

Lockbit
Ransomware family with multiple variants released since late 2019.
ransomware lockbit

Rule to detect Lockbit 3.0 ransomware Windows payload 2 IoCs

resource	yara_rule
behavioral1/files/0x000f00000001db70-149.dat	family_lockbit
behavioral1/files/0x000f00000001db70-150.dat	family_lockbit

Renames multiple (712) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Modifies extensions of user files 13 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

description	ioc	Process
File renamed	C:\Users\Admin\Pictures\RevokeResolve.crw => C:\Users\Admin\Pictures\RevokeResolve.crw.ruurOinjW	LB3.exe
File opened for modification	C:\Users\Admin\Pictures\ApproveSwitch.png.ruurOinjW	LB3.exe
File renamed	C:\Users\Admin\Pictures\BlockResize.crw => C:\Users\Admin\Pictures\BlockResize.crw.ruurOinjW	LB3.exe
File opened for modification	C:\Users\Admin\Pictures\BlockResize.crw.ruurOinjW	LB3.exe
File opened for modification	C:\Users\Admin\Pictures\PushComplete.tiff	LB3.exe
File renamed	C:\Users\Admin\Pictures\PushComplete.tiff => C:\Users\Admin\Pictures\PushComplete.tiff.ruurOinjW	LB3.exe
File renamed	C:\Users\Admin\Pictures\ResolveStart.raw => C:\Users\Admin\Pictures\ResolveStart.raw.ruurOinjW	LB3.exe
File opened for modification	C:\Users\Admin\Pictures\ResolveStart.raw.ruurOinjW	LB3.exe
File renamed	C:\Users\Admin\Pictures\ApproveSwitch.png => C:\Users\Admin\Pictures\ApproveSwitch.png.ruurOinjW	LB3.exe
File renamed	C:\Users\Admin\Pictures\ExpandUnprotect.png => C:\Users\Admin\Pictures\ExpandUnprotect.png.ruurOinjW	LB3.exe
File opened for modification	C:\Users\Admin\Pictures\ExpandUnprotect.png.ruurOinjW	LB3.exe
File opened for modification	C:\Users\Admin\Pictures\PushComplete.tiff.ruurOinjW	LB3.exe
File opened for modification	C:\Users\Admin\Pictures\RevokeResolve.crw.ruurOinjW	LB3.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2178924671-3779044592-2825503497-1000\Control Panel\International\Geo\Nation	2628.tmp

Executes dropped EXE 4 IoCs

pid	Process
4012	LB3.exe
3204	LB3Decryptor.exe
6096	LB3Decryptor.exe
4456	2628.tmp

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2178924671-3779044592-2825503497-1000\Software\Microsoft\Windows\CurrentVersion\Run	chrome.exe

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File opened for modification	F:\$RECYCLE.BIN\S-1-5-21-2178924671-3779044592-2825503497-1000\desktop.ini	LB3.exe
File opened for modification	C:\$Recycle.Bin\S-1-5-21-2178924671-3779044592-2825503497-1000\desktop.ini	LB3.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\system32\spool\PRINTERS\00002.SPL	splwow64.exe
File created	C:\Windows\system32\spool\PRINTERS\PPad23plthsinw4krpqkebz6o2c.TMP	printfilterpipelinesvc.exe
File created	C:\Windows\system32\spool\PRINTERS\PP3xvkc8gfao2f2gjx9piunfoid.TMP	printfilterpipelinesvc.exe
File created	C:\Windows\system32\spool\PRINTERS\PPqujua0hkv8pwu7w1g_5s8ho9b.TMP	printfilterpipelinesvc.exe

Sets desktop wallpaper using registry 2 TTPs 2 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2178924671-3779044592-2825503497-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\ruurOinjW.bmp"	LB3.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2178924671-3779044592-2825503497-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\ruurOinjW.bmp"	LB3.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 7 IoCs

pid	Process
4012	LB3.exe
4012	LB3.exe
4012	LB3.exe
4012	LB3.exe
3204	LB3Decryptor.exe
6096	LB3Decryptor.exe
4456	2628.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	ONENOTE.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	ONENOTE.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	ONENOTE.EXE

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	ONENOTE.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	ONENOTE.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	ONENOTE.EXE

Modifies Control Panel 2 IoCs

evasion

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2178924671-3779044592-2825503497-1000\Control Panel\Desktop	LB3.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2178924671-3779044592-2825503497-1000\Control Panel\Desktop\WallpaperStyle = "10"	LB3.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2178924671-3779044592-2825503497-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\NodeSlot = "1"	NOTEPAD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	NOTEPAD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2178924671-3779044592-2825503497-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg	NOTEPAD.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2178924671-3779044592-2825503497-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\MRUListEx = ffffffff	NOTEPAD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2178924671-3779044592-2825503497-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	NOTEPAD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2178924671-3779044592-2825503497-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	NOTEPAD.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2178924671-3779044592-2825503497-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	NOTEPAD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2178924671-3779044592-2825503497-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DomStorageState	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2178924671-3779044592-2825503497-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2178924671-3779044592-2825503497-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	NOTEPAD.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2178924671-3779044592-2825503497-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	NOTEPAD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2178924671-3779044592-2825503497-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2178924671-3779044592-2825503497-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	NOTEPAD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2178924671-3779044592-2825503497-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	NOTEPAD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2178924671-3779044592-2825503497-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	NOTEPAD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2178924671-3779044592-2825503497-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	NOTEPAD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2178924671-3779044592-2825503497-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	NOTEPAD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ruurOinjW\DefaultIcon	LB3.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2178924671-3779044592-2825503497-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "23"	SearchApp.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2178924671-3779044592-2825503497-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	NOTEPAD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2178924671-3779044592-2825503497-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	NOTEPAD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ruurOinjW\DefaultIcon\ = "C:\\ProgramData\\ruurOinjW.ico"	LB3.exe
Key created	\REGISTRY\USER\S-1-5-21-2178924671-3779044592-2825503497-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-2178924671-3779044592-2825503497-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	NOTEPAD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2178924671-3779044592-2825503497-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	NOTEPAD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.ruurOinjW	LB3.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2178924671-3779044592-2825503497-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "56"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2178924671-3779044592-2825503497-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	NOTEPAD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2178924671-3779044592-2825503497-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	NOTEPAD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.ruurOinjW\ = "ruurOinjW"	LB3.exe
Key created	\REGISTRY\USER\S-1-5-21-2178924671-3779044592-2825503497-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2178924671-3779044592-2825503497-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "56"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2178924671-3779044592-2825503497-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "23"	SearchApp.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2178924671-3779044592-2825503497-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = 00000000ffffffff	NOTEPAD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ruurOinjW	LB3.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2178924671-3779044592-2825503497-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2178924671-3779044592-2825503497-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\windows.search	SearchApp.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2178924671-3779044592-2825503497-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 = 5a00310000000000d55627b9100053797374656d33320000420009000400efbe874f7748d55627b92e000000b90c00000000010000000000000000000000000000000cc37b00530079007300740065006d0033003200000018000000	NOTEPAD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2178924671-3779044592-2825503497-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	NOTEPAD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2178924671-3779044592-2825503497-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2178924671-3779044592-2825503497-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2178924671-3779044592-2825503497-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\Total	SearchApp.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2178924671-3779044592-2825503497-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff	NOTEPAD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2178924671-3779044592-2825503497-1000_Classes\Local Settings	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2178924671-3779044592-2825503497-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	NOTEPAD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2178924671-3779044592-2825503497-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "185"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2178924671-3779044592-2825503497-1000_Classes\Local Settings	NOTEPAD.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2178924671-3779044592-2825503497-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	NOTEPAD.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2178924671-3779044592-2825503497-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 19002f433a5c000000000000000000000000000000000000000000	NOTEPAD.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2178924671-3779044592-2825503497-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\MRUListEx = 00000000ffffffff	NOTEPAD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2178924671-3779044592-2825503497-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	NOTEPAD.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2178924671-3779044592-2825503497-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000	NOTEPAD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2178924671-3779044592-2825503497-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	NOTEPAD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2178924671-3779044592-2825503497-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Generic"	NOTEPAD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2178924671-3779044592-2825503497-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2178924671-3779044592-2825503497-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2178924671-3779044592-2825503497-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2178924671-3779044592-2825503497-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\microsoft.windows.search	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2178924671-3779044592-2825503497-1000_Classes\Local Settings	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2178924671-3779044592-2825503497-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "152"	SearchApp.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2178924671-3779044592-2825503497-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 = 5600310000000000d556604b100057696e646f777300400009000400efbe874f7748d55627b92e00000000060000000001000000000000000000000000000000fc4c0400570069006e0064006f0077007300000016000000	NOTEPAD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2178924671-3779044592-2825503497-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0	NOTEPAD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2178924671-3779044592-2825503497-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0	NOTEPAD.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2178924671-3779044592-2825503497-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	NOTEPAD.EXE

Opens file in notepad (likely ransom note) 5 IoCs

ransomware

pid	Process
1892	NOTEPAD.EXE
5032	NOTEPAD.EXE
4008	NOTEPAD.EXE
1032	NOTEPAD.EXE
272	NOTEPAD.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
2080	ONENOTE.EXE
2080	ONENOTE.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4012	LB3.exe
4012	LB3.exe
4012	LB3.exe
4012	LB3.exe
4012	LB3.exe
4012	LB3.exe
4012	LB3.exe
4012	LB3.exe
4012	LB3.exe
4012	LB3.exe
4012	LB3.exe
4012	LB3.exe
4012	LB3.exe
4012	LB3.exe
4012	LB3.exe
4012	LB3.exe
4012	LB3.exe
4012	LB3.exe
4012	LB3.exe
4012	LB3.exe
4012	LB3.exe
4012	LB3.exe
4012	LB3.exe
4012	LB3.exe
4012	LB3.exe
4012	LB3.exe
4012	LB3.exe
4012	LB3.exe
4012	LB3.exe
4012	LB3.exe
4012	LB3.exe
4012	LB3.exe
4012	LB3.exe
4012	LB3.exe
4012	LB3.exe
4012	LB3.exe
4012	LB3.exe
4012	LB3.exe
4012	LB3.exe
4012	LB3.exe
4012	LB3.exe
4012	LB3.exe
4012	LB3.exe
4012	LB3.exe
4012	LB3.exe
4012	LB3.exe
4012	LB3.exe
4012	LB3.exe
4012	LB3.exe
4012	LB3.exe
4012	LB3.exe
4012	LB3.exe
4012	LB3.exe
4012	LB3.exe
4012	LB3.exe
4012	LB3.exe
4012	LB3.exe
4012	LB3.exe
4012	LB3.exe
4012	LB3.exe
4012	LB3.exe
4012	LB3.exe
4012	LB3.exe
4012	LB3.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3292	OpenWith.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
4012	LB3.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeAssignPrimaryTokenPrivilege	4012	LB3.exe
Token: SeBackupPrivilege	4012	LB3.exe
Token: SeDebugPrivilege	4012	LB3.exe
Token: 36	4012	LB3.exe
Token: SeImpersonatePrivilege	4012	LB3.exe
Token: SeIncBasePriorityPrivilege	4012	LB3.exe
Token: SeIncreaseQuotaPrivilege	4012	LB3.exe
Token: 33	4012	LB3.exe
Token: SeManageVolumePrivilege	4012	LB3.exe
Token: SeProfSingleProcessPrivilege	4012	LB3.exe
Token: SeRestorePrivilege	4012	LB3.exe
Token: SeSecurityPrivilege	4012	LB3.exe
Token: SeSystemProfilePrivilege	4012	LB3.exe
Token: SeTakeOwnershipPrivilege	4012	LB3.exe
Token: SeShutdownPrivilege	4012	LB3.exe
Token: SeDebugPrivilege	4012	LB3.exe
Token: SeBackupPrivilege	4648	vssvc.exe
Token: SeRestorePrivilege	4648	vssvc.exe
Token: SeAuditPrivilege	4648	vssvc.exe
Token: SeBackupPrivilege	3204	LB3Decryptor.exe
Token: SeDebugPrivilege	3204	LB3Decryptor.exe
Token: 36	3204	LB3Decryptor.exe
Token: SeImpersonatePrivilege	3204	LB3Decryptor.exe
Token: SeIncBasePriorityPrivilege	3204	LB3Decryptor.exe
Token: SeIncreaseQuotaPrivilege	3204	LB3Decryptor.exe
Token: 33	3204	LB3Decryptor.exe
Token: SeManageVolumePrivilege	3204	LB3Decryptor.exe
Token: SeProfSingleProcessPrivilege	3204	LB3Decryptor.exe
Token: SeRestorePrivilege	3204	LB3Decryptor.exe
Token: SeSecurityPrivilege	3204	LB3Decryptor.exe
Token: SeSystemProfilePrivilege	3204	LB3Decryptor.exe
Token: SeTakeOwnershipPrivilege	3204	LB3Decryptor.exe
Token: SeBackupPrivilege	4012	LB3.exe
Token: SeBackupPrivilege	4012	LB3.exe
Token: SeSecurityPrivilege	4012	LB3.exe
Token: SeSecurityPrivilege	4012	LB3.exe
Token: SeBackupPrivilege	4012	LB3.exe
Token: SeBackupPrivilege	4012	LB3.exe
Token: SeSecurityPrivilege	4012	LB3.exe
Token: SeSecurityPrivilege	4012	LB3.exe
Token: SeBackupPrivilege	4012	LB3.exe
Token: SeBackupPrivilege	4012	LB3.exe
Token: SeSecurityPrivilege	4012	LB3.exe
Token: SeSecurityPrivilege	4012	LB3.exe
Token: SeBackupPrivilege	4012	LB3.exe
Token: SeBackupPrivilege	4012	LB3.exe
Token: SeSecurityPrivilege	4012	LB3.exe
Token: SeSecurityPrivilege	4012	LB3.exe
Token: SeBackupPrivilege	4012	LB3.exe
Token: SeBackupPrivilege	4012	LB3.exe
Token: SeSecurityPrivilege	4012	LB3.exe
Token: SeSecurityPrivilege	4012	LB3.exe
Token: SeBackupPrivilege	4012	LB3.exe
Token: SeBackupPrivilege	4012	LB3.exe
Token: SeSecurityPrivilege	4012	LB3.exe
Token: SeSecurityPrivilege	4012	LB3.exe
Token: SeBackupPrivilege	4012	LB3.exe
Token: SeBackupPrivilege	4012	LB3.exe
Token: SeSecurityPrivilege	4012	LB3.exe
Token: SeSecurityPrivilege	4012	LB3.exe
Token: SeBackupPrivilege	4012	LB3.exe
Token: SeBackupPrivilege	4012	LB3.exe
Token: SeSecurityPrivilege	4012	LB3.exe
Token: SeSecurityPrivilege	4012	LB3.exe

Suspicious use of FindShellTrayWindow 29 IoCs

pid	Process
4008	NOTEPAD.EXE
1032	NOTEPAD.EXE
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe

Suspicious use of SetWindowsHookEx 47 IoCs

pid	Process
3292	OpenWith.exe
3292	OpenWith.exe
3292	OpenWith.exe
3292	OpenWith.exe
3292	OpenWith.exe
3292	OpenWith.exe
3292	OpenWith.exe
3292	OpenWith.exe
3292	OpenWith.exe
3292	OpenWith.exe
3292	OpenWith.exe
3292	OpenWith.exe
3292	OpenWith.exe
3292	OpenWith.exe
3292	OpenWith.exe
3292	OpenWith.exe
3292	OpenWith.exe
3292	OpenWith.exe
3292	OpenWith.exe
3292	OpenWith.exe
3292	OpenWith.exe
3292	OpenWith.exe
3292	OpenWith.exe
3292	OpenWith.exe
3292	OpenWith.exe
3292	OpenWith.exe
3292	OpenWith.exe
1892	NOTEPAD.EXE
3204	LB3Decryptor.exe
3212	SearchApp.exe
6096	LB3Decryptor.exe
2080	ONENOTE.EXE
2080	ONENOTE.EXE
2080	ONENOTE.EXE
2080	ONENOTE.EXE
2080	ONENOTE.EXE
2080	ONENOTE.EXE
2080	ONENOTE.EXE
2080	ONENOTE.EXE
2080	ONENOTE.EXE
2080	ONENOTE.EXE
2080	ONENOTE.EXE
2080	ONENOTE.EXE
2080	ONENOTE.EXE
2080	ONENOTE.EXE
2632	OpenWith.exe
1936	OpenWith.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3292 wrote to memory of 1892	3292	OpenWith.exe	82
PID 3292 wrote to memory of 1892	3292	OpenWith.exe	82
PID 3384 wrote to memory of 1816	3384	cmd.exe	90
PID 3384 wrote to memory of 1816	3384	cmd.exe	90
PID 3384 wrote to memory of 1816	3384	cmd.exe	90
PID 3384 wrote to memory of 1444	3384	cmd.exe	91
PID 3384 wrote to memory of 1444	3384	cmd.exe	91
PID 3384 wrote to memory of 1444	3384	cmd.exe	91
PID 3384 wrote to memory of 5108	3384	cmd.exe	92
PID 3384 wrote to memory of 5108	3384	cmd.exe	92
PID 3384 wrote to memory of 5108	3384	cmd.exe	92
PID 3384 wrote to memory of 408	3384	cmd.exe	93
PID 3384 wrote to memory of 408	3384	cmd.exe	93
PID 3384 wrote to memory of 408	3384	cmd.exe	93
PID 3384 wrote to memory of 484	3384	cmd.exe	94
PID 3384 wrote to memory of 484	3384	cmd.exe	94
PID 3384 wrote to memory of 484	3384	cmd.exe	94
PID 3384 wrote to memory of 2632	3384	cmd.exe	95
PID 3384 wrote to memory of 2632	3384	cmd.exe	95
PID 3384 wrote to memory of 2632	3384	cmd.exe	95
PID 3384 wrote to memory of 4676	3384	cmd.exe	96
PID 3384 wrote to memory of 4676	3384	cmd.exe	96
PID 3384 wrote to memory of 4676	3384	cmd.exe	96
PID 4012 wrote to memory of 1672	4012	LB3.exe	110
PID 4012 wrote to memory of 1672	4012	LB3.exe	110
PID 2228 wrote to memory of 2080	2228	printfilterpipelinesvc.exe	113
PID 2228 wrote to memory of 2080	2228	printfilterpipelinesvc.exe	113
PID 4012 wrote to memory of 4456	4012	LB3.exe	114
PID 4012 wrote to memory of 4456	4012	LB3.exe	114
PID 4012 wrote to memory of 4456	4012	LB3.exe	114
PID 4012 wrote to memory of 4456	4012	LB3.exe	114
PID 4456 wrote to memory of 3908	4456	2628.tmp	115
PID 4456 wrote to memory of 3908	4456	2628.tmp	115
PID 4456 wrote to memory of 3908	4456	2628.tmp	115
PID 3680 wrote to memory of 4088	3680	chrome.exe	122
PID 3680 wrote to memory of 4088	3680	chrome.exe	122
PID 3680 wrote to memory of 5256	3680	chrome.exe	123
PID 3680 wrote to memory of 5256	3680	chrome.exe	123
PID 3680 wrote to memory of 5256	3680	chrome.exe	123
PID 3680 wrote to memory of 5256	3680	chrome.exe	123
PID 3680 wrote to memory of 5256	3680	chrome.exe	123
PID 3680 wrote to memory of 5256	3680	chrome.exe	123
PID 3680 wrote to memory of 5256	3680	chrome.exe	123
PID 3680 wrote to memory of 5256	3680	chrome.exe	123
PID 3680 wrote to memory of 5256	3680	chrome.exe	123
PID 3680 wrote to memory of 5256	3680	chrome.exe	123
PID 3680 wrote to memory of 5256	3680	chrome.exe	123
PID 3680 wrote to memory of 5256	3680	chrome.exe	123
PID 3680 wrote to memory of 5256	3680	chrome.exe	123
PID 3680 wrote to memory of 5256	3680	chrome.exe	123
PID 3680 wrote to memory of 5256	3680	chrome.exe	123
PID 3680 wrote to memory of 5256	3680	chrome.exe	123
PID 3680 wrote to memory of 5256	3680	chrome.exe	123
PID 3680 wrote to memory of 5256	3680	chrome.exe	123
PID 3680 wrote to memory of 5256	3680	chrome.exe	123
PID 3680 wrote to memory of 5256	3680	chrome.exe	123
PID 3680 wrote to memory of 5256	3680	chrome.exe	123
PID 3680 wrote to memory of 5256	3680	chrome.exe	123
PID 3680 wrote to memory of 5256	3680	chrome.exe	123
PID 3680 wrote to memory of 5256	3680	chrome.exe	123
PID 3680 wrote to memory of 5256	3680	chrome.exe	123
PID 3680 wrote to memory of 5256	3680	chrome.exe	123
PID 3680 wrote to memory of 5256	3680	chrome.exe	123
PID 3680 wrote to memory of 5256	3680	chrome.exe	123

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\LBLeak\config.json
1⤵
- Modifies registry class
PID:1252

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3292
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\LBLeak\config.json
  2⤵
  - Modifies registry class
  - Opens file in notepad (likely ransom note)
  - Suspicious use of SetWindowsHookEx
  PID:1892

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3920

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LBLeak\Build.bat" "
1⤵
- Suspicious use of WriteProcessMemory
PID:3384
- C:\Users\Admin\AppData\Local\Temp\LBLeak\keygen.exe
  keygen -path C:\Users\Admin\AppData\Local\Temp\LBLeak\Build -pubkey pub.key -privkey priv.key
  2⤵
  PID:1816
- C:\Users\Admin\AppData\Local\Temp\LBLeak\builder.exe
  builder -type dec -privkey C:\Users\Admin\AppData\Local\Temp\LBLeak\Build\priv.key -config config.json -ofile C:\Users\Admin\AppData\Local\Temp\LBLeak\Build\LB3Decryptor.exe
  2⤵
  PID:1444
- C:\Users\Admin\AppData\Local\Temp\LBLeak\builder.exe
  builder -type enc -exe -pubkey C:\Users\Admin\AppData\Local\Temp\LBLeak\Build\pub.key -config config.json -ofile C:\Users\Admin\AppData\Local\Temp\LBLeak\Build\LB3.exe
  2⤵
  PID:5108
- C:\Users\Admin\AppData\Local\Temp\LBLeak\builder.exe
  builder -type enc -exe -pass -pubkey C:\Users\Admin\AppData\Local\Temp\LBLeak\Build\pub.key -config config.json -ofile C:\Users\Admin\AppData\Local\Temp\LBLeak\Build\LB3_pass.exe
  2⤵
  PID:408
- C:\Users\Admin\AppData\Local\Temp\LBLeak\builder.exe
  builder -type enc -dll -pubkey C:\Users\Admin\AppData\Local\Temp\LBLeak\Build\pub.key -config config.json -ofile C:\Users\Admin\AppData\Local\Temp\LBLeak\Build\LB3_Rundll32.dll
  2⤵
  PID:484
- C:\Users\Admin\AppData\Local\Temp\LBLeak\builder.exe
  builder -type enc -dll -pass -pubkey C:\Users\Admin\AppData\Local\Temp\LBLeak\Build\pub.key -config config.json -ofile C:\Users\Admin\AppData\Local\Temp\LBLeak\Build\LB3_Rundll32_pass.dll
  2⤵
  PID:2632
- C:\Users\Admin\AppData\Local\Temp\LBLeak\builder.exe
  builder -type enc -ref -pubkey C:\Users\Admin\AppData\Local\Temp\LBLeak\Build\pub.key -config config.json -ofile C:\Users\Admin\AppData\Local\Temp\LBLeak\Build\LB3_ReflectiveDll_DllMain.dll
  2⤵
  PID:4676

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\LBLeak\Build\DECRYPTION_ID.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:5032

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\LBLeak\Build\Password_dll.txt
1⤵
- Opens file in notepad (likely ransom note)
- Suspicious use of FindShellTrayWindow
PID:4008

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\LBLeak\Build\Password_exe.txt
1⤵
- Opens file in notepad (likely ransom note)
- Suspicious use of FindShellTrayWindow
PID:1032

C:\Users\Admin\AppData\Local\Temp\LBLeak\Build\LB3.exe
"C:\Users\Admin\AppData\Local\Temp\LBLeak\Build\LB3.exe"
1⤵
- Modifies extensions of user files
- Executes dropped EXE
- Drops desktop.ini file(s)
- Sets desktop wallpaper using registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies Control Panel
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4012
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  - Drops file in System32 directory
  PID:1672
- C:\ProgramData\2628.tmp
  "C:\ProgramData\2628.tmp"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of WriteProcessMemory
  PID:4456
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\2628.tmp >> NUL
    3⤵
    PID:3908

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4648

C:\Users\Admin\AppData\Local\Temp\LBLeak\Build\LB3Decryptor.exe
"C:\Users\Admin\AppData\Local\Temp\LBLeak\Build\LB3Decryptor.exe"
1⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3204

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3212

C:\Users\Admin\AppData\Local\Temp\LBLeak\Build\LB3Decryptor.exe
"C:\Users\Admin\AppData\Local\Temp\LBLeak\Build\LB3Decryptor.exe"
1⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
PID:6096

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\LBLeak\Build\ruurOinjW.README.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:272

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
1⤵
PID:4452

C:\Windows\system32\printfilterpipelinesvc.exe
C:\Windows\system32\printfilterpipelinesvc.exe -Embedding
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2228
- C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
  /insertdoc "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\{EDDF34A5-A935-438D-B559-7DB87257E742}.xps" 133318627463290000
  2⤵
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  PID:2080

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2632

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1936

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Adds Run key to start application
- Enumerates system info in registry
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3680
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ff93f2b9758,0x7ff93f2b9768,0x7ff93f2b9778
  2⤵
  PID:4088
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1860 --field-trial-handle=1876,i,16850746484986660168,7055652474417454512,131072 /prefetch:2
  2⤵
  PID:5256
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2212 --field-trial-handle=1876,i,16850746484986660168,7055652474417454512,131072 /prefetch:8
  2⤵
  PID:3580
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2268 --field-trial-handle=1876,i,16850746484986660168,7055652474417454512,131072 /prefetch:8
  2⤵
  PID:3792
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3188 --field-trial-handle=1876,i,16850746484986660168,7055652474417454512,131072 /prefetch:1
  2⤵
  PID:2256
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3320 --field-trial-handle=1876,i,16850746484986660168,7055652474417454512,131072 /prefetch:1
  2⤵
  PID:5964
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4544 --field-trial-handle=1876,i,16850746484986660168,7055652474417454512,131072 /prefetch:1
  2⤵
  PID:5784
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4672 --field-trial-handle=1876,i,16850746484986660168,7055652474417454512,131072 /prefetch:8
  2⤵
  PID:4644
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4656 --field-trial-handle=1876,i,16850746484986660168,7055652474417454512,131072 /prefetch:8
  2⤵
  PID:2936

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:5624

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2178924671-3779044592-2825503497-1000\AAAAAAAAAAA

Filesize
129B

MD5
f24c0b089357588761cfa245b0029f07

SHA1
844696290ba3f9e5d7fc9a9f6240a62fd2cef79a

SHA256
8a99a4d9d3c4ef6c1e0dc18a46755d71de8f933ea0a56dbd9fbca3d7d84ec7da

SHA512
e168919cf0edda2c2e40d2faa5247876d1ee331cd8879f95b4935b566152eb2eb12e701607b1c5326224aba35a2bd110d8cc8e63e53d7c55ee5b841957515e4f

Download Submit
C:\$Recycle.Bin\S-1-5-21-2178924671-3779044592-2825503497-1000\BBBBBBBBBBB

Filesize
129B

MD5
f24c0b089357588761cfa245b0029f07

SHA1
844696290ba3f9e5d7fc9a9f6240a62fd2cef79a

SHA256
8a99a4d9d3c4ef6c1e0dc18a46755d71de8f933ea0a56dbd9fbca3d7d84ec7da

SHA512
e168919cf0edda2c2e40d2faa5247876d1ee331cd8879f95b4935b566152eb2eb12e701607b1c5326224aba35a2bd110d8cc8e63e53d7c55ee5b841957515e4f

Download Submit
C:\$Recycle.Bin\S-1-5-21-2178924671-3779044592-2825503497-1000\CCCCCCCCCCC

Filesize
129B

MD5
f24c0b089357588761cfa245b0029f07

SHA1
844696290ba3f9e5d7fc9a9f6240a62fd2cef79a

SHA256
8a99a4d9d3c4ef6c1e0dc18a46755d71de8f933ea0a56dbd9fbca3d7d84ec7da

SHA512
e168919cf0edda2c2e40d2faa5247876d1ee331cd8879f95b4935b566152eb2eb12e701607b1c5326224aba35a2bd110d8cc8e63e53d7c55ee5b841957515e4f

Download Submit
C:\$Recycle.Bin\S-1-5-21-2178924671-3779044592-2825503497-1000\DDDDDDDDDDD

Filesize
129B

MD5
f24c0b089357588761cfa245b0029f07

SHA1
844696290ba3f9e5d7fc9a9f6240a62fd2cef79a

SHA256
8a99a4d9d3c4ef6c1e0dc18a46755d71de8f933ea0a56dbd9fbca3d7d84ec7da

SHA512
e168919cf0edda2c2e40d2faa5247876d1ee331cd8879f95b4935b566152eb2eb12e701607b1c5326224aba35a2bd110d8cc8e63e53d7c55ee5b841957515e4f

Download Submit
C:\$Recycle.Bin\S-1-5-21-2178924671-3779044592-2825503497-1000\DDDDDDDDDDD

Filesize
129B

MD5
f24c0b089357588761cfa245b0029f07

SHA1
844696290ba3f9e5d7fc9a9f6240a62fd2cef79a

SHA256
8a99a4d9d3c4ef6c1e0dc18a46755d71de8f933ea0a56dbd9fbca3d7d84ec7da

SHA512
e168919cf0edda2c2e40d2faa5247876d1ee331cd8879f95b4935b566152eb2eb12e701607b1c5326224aba35a2bd110d8cc8e63e53d7c55ee5b841957515e4f

Download Submit
C:\$Recycle.Bin\S-1-5-21-2178924671-3779044592-2825503497-1000\EEEEEEEEEEE

Filesize
129B

MD5
f24c0b089357588761cfa245b0029f07

SHA1
844696290ba3f9e5d7fc9a9f6240a62fd2cef79a

SHA256
8a99a4d9d3c4ef6c1e0dc18a46755d71de8f933ea0a56dbd9fbca3d7d84ec7da

SHA512
e168919cf0edda2c2e40d2faa5247876d1ee331cd8879f95b4935b566152eb2eb12e701607b1c5326224aba35a2bd110d8cc8e63e53d7c55ee5b841957515e4f

Download Submit
C:\$Recycle.Bin\S-1-5-21-2178924671-3779044592-2825503497-1000\FFFFFFFFFFF

Filesize
129B

MD5
f24c0b089357588761cfa245b0029f07

SHA1
844696290ba3f9e5d7fc9a9f6240a62fd2cef79a

SHA256
8a99a4d9d3c4ef6c1e0dc18a46755d71de8f933ea0a56dbd9fbca3d7d84ec7da

SHA512
e168919cf0edda2c2e40d2faa5247876d1ee331cd8879f95b4935b566152eb2eb12e701607b1c5326224aba35a2bd110d8cc8e63e53d7c55ee5b841957515e4f

Download Submit
C:\$Recycle.Bin\S-1-5-21-2178924671-3779044592-2825503497-1000\GGGGGGGGGGG

Filesize
129B

MD5
f24c0b089357588761cfa245b0029f07

SHA1
844696290ba3f9e5d7fc9a9f6240a62fd2cef79a

SHA256
8a99a4d9d3c4ef6c1e0dc18a46755d71de8f933ea0a56dbd9fbca3d7d84ec7da

SHA512
e168919cf0edda2c2e40d2faa5247876d1ee331cd8879f95b4935b566152eb2eb12e701607b1c5326224aba35a2bd110d8cc8e63e53d7c55ee5b841957515e4f

Download Submit
C:\$Recycle.Bin\S-1-5-21-2178924671-3779044592-2825503497-1000\HHHHHHHHHHH

Filesize
129B

MD5
f24c0b089357588761cfa245b0029f07

SHA1
844696290ba3f9e5d7fc9a9f6240a62fd2cef79a

SHA256
8a99a4d9d3c4ef6c1e0dc18a46755d71de8f933ea0a56dbd9fbca3d7d84ec7da

SHA512
e168919cf0edda2c2e40d2faa5247876d1ee331cd8879f95b4935b566152eb2eb12e701607b1c5326224aba35a2bd110d8cc8e63e53d7c55ee5b841957515e4f

Download Submit
C:\$Recycle.Bin\S-1-5-21-2178924671-3779044592-2825503497-1000\IIIIIIIIIII

Filesize
129B

MD5
f24c0b089357588761cfa245b0029f07

SHA1
844696290ba3f9e5d7fc9a9f6240a62fd2cef79a

SHA256
8a99a4d9d3c4ef6c1e0dc18a46755d71de8f933ea0a56dbd9fbca3d7d84ec7da

SHA512
e168919cf0edda2c2e40d2faa5247876d1ee331cd8879f95b4935b566152eb2eb12e701607b1c5326224aba35a2bd110d8cc8e63e53d7c55ee5b841957515e4f

Download Submit
C:\$Recycle.Bin\S-1-5-21-2178924671-3779044592-2825503497-1000\JJJJJJJJJJJ

Filesize
129B

MD5
f24c0b089357588761cfa245b0029f07

SHA1
844696290ba3f9e5d7fc9a9f6240a62fd2cef79a

SHA256
8a99a4d9d3c4ef6c1e0dc18a46755d71de8f933ea0a56dbd9fbca3d7d84ec7da

SHA512
e168919cf0edda2c2e40d2faa5247876d1ee331cd8879f95b4935b566152eb2eb12e701607b1c5326224aba35a2bd110d8cc8e63e53d7c55ee5b841957515e4f

Download Submit
C:\$Recycle.Bin\S-1-5-21-2178924671-3779044592-2825503497-1000\KKKKKKKKKKK

Filesize
129B

MD5
f24c0b089357588761cfa245b0029f07

SHA1
844696290ba3f9e5d7fc9a9f6240a62fd2cef79a

SHA256
8a99a4d9d3c4ef6c1e0dc18a46755d71de8f933ea0a56dbd9fbca3d7d84ec7da

SHA512
e168919cf0edda2c2e40d2faa5247876d1ee331cd8879f95b4935b566152eb2eb12e701607b1c5326224aba35a2bd110d8cc8e63e53d7c55ee5b841957515e4f

Download Submit
C:\$Recycle.Bin\S-1-5-21-2178924671-3779044592-2825503497-1000\LLLLLLLLLLL

Filesize
129B

MD5
f24c0b089357588761cfa245b0029f07

SHA1
844696290ba3f9e5d7fc9a9f6240a62fd2cef79a

SHA256
8a99a4d9d3c4ef6c1e0dc18a46755d71de8f933ea0a56dbd9fbca3d7d84ec7da

SHA512
e168919cf0edda2c2e40d2faa5247876d1ee331cd8879f95b4935b566152eb2eb12e701607b1c5326224aba35a2bd110d8cc8e63e53d7c55ee5b841957515e4f

Download Submit
C:\$Recycle.Bin\S-1-5-21-2178924671-3779044592-2825503497-1000\MMMMMMMMMMM

Filesize
129B

MD5
f24c0b089357588761cfa245b0029f07

SHA1
844696290ba3f9e5d7fc9a9f6240a62fd2cef79a

SHA256
8a99a4d9d3c4ef6c1e0dc18a46755d71de8f933ea0a56dbd9fbca3d7d84ec7da

SHA512
e168919cf0edda2c2e40d2faa5247876d1ee331cd8879f95b4935b566152eb2eb12e701607b1c5326224aba35a2bd110d8cc8e63e53d7c55ee5b841957515e4f

Download Submit
C:\$Recycle.Bin\S-1-5-21-2178924671-3779044592-2825503497-1000\NNNNNNNNNNN

Filesize
129B

MD5
f24c0b089357588761cfa245b0029f07

SHA1
844696290ba3f9e5d7fc9a9f6240a62fd2cef79a

SHA256
8a99a4d9d3c4ef6c1e0dc18a46755d71de8f933ea0a56dbd9fbca3d7d84ec7da

SHA512
e168919cf0edda2c2e40d2faa5247876d1ee331cd8879f95b4935b566152eb2eb12e701607b1c5326224aba35a2bd110d8cc8e63e53d7c55ee5b841957515e4f

Download Submit
C:\$Recycle.Bin\S-1-5-21-2178924671-3779044592-2825503497-1000\OOOOOOOOOOO

Filesize
129B

MD5
f24c0b089357588761cfa245b0029f07

SHA1
844696290ba3f9e5d7fc9a9f6240a62fd2cef79a

SHA256
8a99a4d9d3c4ef6c1e0dc18a46755d71de8f933ea0a56dbd9fbca3d7d84ec7da

SHA512
e168919cf0edda2c2e40d2faa5247876d1ee331cd8879f95b4935b566152eb2eb12e701607b1c5326224aba35a2bd110d8cc8e63e53d7c55ee5b841957515e4f

Download Submit
C:\$Recycle.Bin\S-1-5-21-2178924671-3779044592-2825503497-1000\PPPPPPPPPPP

Filesize
129B

MD5
f24c0b089357588761cfa245b0029f07

SHA1
844696290ba3f9e5d7fc9a9f6240a62fd2cef79a

SHA256
8a99a4d9d3c4ef6c1e0dc18a46755d71de8f933ea0a56dbd9fbca3d7d84ec7da

SHA512
e168919cf0edda2c2e40d2faa5247876d1ee331cd8879f95b4935b566152eb2eb12e701607b1c5326224aba35a2bd110d8cc8e63e53d7c55ee5b841957515e4f

Download Submit
C:\$Recycle.Bin\S-1-5-21-2178924671-3779044592-2825503497-1000\QQQQQQQQQQQ

Filesize
129B

MD5
f24c0b089357588761cfa245b0029f07

SHA1
844696290ba3f9e5d7fc9a9f6240a62fd2cef79a

SHA256
8a99a4d9d3c4ef6c1e0dc18a46755d71de8f933ea0a56dbd9fbca3d7d84ec7da

SHA512
e168919cf0edda2c2e40d2faa5247876d1ee331cd8879f95b4935b566152eb2eb12e701607b1c5326224aba35a2bd110d8cc8e63e53d7c55ee5b841957515e4f

Download Submit
C:\$Recycle.Bin\S-1-5-21-2178924671-3779044592-2825503497-1000\RRRRRRRRRRR

Filesize
129B

MD5
f24c0b089357588761cfa245b0029f07

SHA1
844696290ba3f9e5d7fc9a9f6240a62fd2cef79a

SHA256
8a99a4d9d3c4ef6c1e0dc18a46755d71de8f933ea0a56dbd9fbca3d7d84ec7da

SHA512
e168919cf0edda2c2e40d2faa5247876d1ee331cd8879f95b4935b566152eb2eb12e701607b1c5326224aba35a2bd110d8cc8e63e53d7c55ee5b841957515e4f

Download Submit
C:\$Recycle.Bin\S-1-5-21-2178924671-3779044592-2825503497-1000\SSSSSSSSSSS

Filesize
129B

MD5
f24c0b089357588761cfa245b0029f07

SHA1
844696290ba3f9e5d7fc9a9f6240a62fd2cef79a

SHA256
8a99a4d9d3c4ef6c1e0dc18a46755d71de8f933ea0a56dbd9fbca3d7d84ec7da

SHA512
e168919cf0edda2c2e40d2faa5247876d1ee331cd8879f95b4935b566152eb2eb12e701607b1c5326224aba35a2bd110d8cc8e63e53d7c55ee5b841957515e4f

Download Submit
C:\$Recycle.Bin\S-1-5-21-2178924671-3779044592-2825503497-1000\TTTTTTTTTTT

Filesize
129B

MD5
f24c0b089357588761cfa245b0029f07

SHA1
844696290ba3f9e5d7fc9a9f6240a62fd2cef79a

SHA256
8a99a4d9d3c4ef6c1e0dc18a46755d71de8f933ea0a56dbd9fbca3d7d84ec7da

SHA512
e168919cf0edda2c2e40d2faa5247876d1ee331cd8879f95b4935b566152eb2eb12e701607b1c5326224aba35a2bd110d8cc8e63e53d7c55ee5b841957515e4f

Download Submit
C:\$Recycle.Bin\S-1-5-21-2178924671-3779044592-2825503497-1000\UUUUUUUUUUU

Filesize
129B

MD5
f24c0b089357588761cfa245b0029f07

SHA1
844696290ba3f9e5d7fc9a9f6240a62fd2cef79a

SHA256
8a99a4d9d3c4ef6c1e0dc18a46755d71de8f933ea0a56dbd9fbca3d7d84ec7da

SHA512
e168919cf0edda2c2e40d2faa5247876d1ee331cd8879f95b4935b566152eb2eb12e701607b1c5326224aba35a2bd110d8cc8e63e53d7c55ee5b841957515e4f

Download Submit
C:\$Recycle.Bin\S-1-5-21-2178924671-3779044592-2825503497-1000\VVVVVVVVVVV

Filesize
129B

MD5
f24c0b089357588761cfa245b0029f07

SHA1
844696290ba3f9e5d7fc9a9f6240a62fd2cef79a

SHA256
8a99a4d9d3c4ef6c1e0dc18a46755d71de8f933ea0a56dbd9fbca3d7d84ec7da

SHA512
e168919cf0edda2c2e40d2faa5247876d1ee331cd8879f95b4935b566152eb2eb12e701607b1c5326224aba35a2bd110d8cc8e63e53d7c55ee5b841957515e4f

Download Submit
C:\$Recycle.Bin\S-1-5-21-2178924671-3779044592-2825503497-1000\WWWWWWWWWWW

Filesize
129B

MD5
f24c0b089357588761cfa245b0029f07

SHA1
844696290ba3f9e5d7fc9a9f6240a62fd2cef79a

SHA256
8a99a4d9d3c4ef6c1e0dc18a46755d71de8f933ea0a56dbd9fbca3d7d84ec7da

SHA512
e168919cf0edda2c2e40d2faa5247876d1ee331cd8879f95b4935b566152eb2eb12e701607b1c5326224aba35a2bd110d8cc8e63e53d7c55ee5b841957515e4f

Download Submit
C:\$Recycle.Bin\S-1-5-21-2178924671-3779044592-2825503497-1000\XXXXXXXXXXX

Filesize
129B

MD5
f24c0b089357588761cfa245b0029f07

SHA1
844696290ba3f9e5d7fc9a9f6240a62fd2cef79a

SHA256
8a99a4d9d3c4ef6c1e0dc18a46755d71de8f933ea0a56dbd9fbca3d7d84ec7da

SHA512
e168919cf0edda2c2e40d2faa5247876d1ee331cd8879f95b4935b566152eb2eb12e701607b1c5326224aba35a2bd110d8cc8e63e53d7c55ee5b841957515e4f

Download Submit
C:\$Recycle.Bin\S-1-5-21-2178924671-3779044592-2825503497-1000\YYYYYYYYYYY

Filesize
129B

MD5
f24c0b089357588761cfa245b0029f07

SHA1
844696290ba3f9e5d7fc9a9f6240a62fd2cef79a

SHA256
8a99a4d9d3c4ef6c1e0dc18a46755d71de8f933ea0a56dbd9fbca3d7d84ec7da

SHA512
e168919cf0edda2c2e40d2faa5247876d1ee331cd8879f95b4935b566152eb2eb12e701607b1c5326224aba35a2bd110d8cc8e63e53d7c55ee5b841957515e4f

Download Submit
C:\$Recycle.Bin\S-1-5-21-2178924671-3779044592-2825503497-1000\desktop.ini

Filesize
129B

MD5
f24c0b089357588761cfa245b0029f07

SHA1
844696290ba3f9e5d7fc9a9f6240a62fd2cef79a

SHA256
8a99a4d9d3c4ef6c1e0dc18a46755d71de8f933ea0a56dbd9fbca3d7d84ec7da

SHA512
e168919cf0edda2c2e40d2faa5247876d1ee331cd8879f95b4935b566152eb2eb12e701607b1c5326224aba35a2bd110d8cc8e63e53d7c55ee5b841957515e4f

Download Submit
C:\ProgramData\2628.tmp

Filesize
14KB

MD5
294e9f64cb1642dd89229fff0592856b

SHA1
97b148c27f3da29ba7b18d6aee8a0db9102f47c9

SHA256
917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2

SHA512
b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

Download Submit
C:\ProgramData\2628.tmp

Filesize
14KB

MD5
294e9f64cb1642dd89229fff0592856b

SHA1
97b148c27f3da29ba7b18d6aee8a0db9102f47c9

SHA256
917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2

SHA512
b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\reports\ruurOinjW.README.txt

Filesize
6KB

MD5
4722dfe8c1e5ffe6c54311a49a7f29dc

SHA1
cbfc86adc51ed727c2278b61921216f5bbaef7e0

SHA256
aedb1db1e7a2a6011b9fba16c9d3630e66343f0fb28bd58148a8bfa1de1c1596

SHA512
9e02fa87bcda45ae90e4855aace4c0df63c94a292a10a388bda96360f143c1140542940ff9add17c027fc891f7dfe53ec7ccda13ea94c07397b43a69b6a78cfb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Google Profile.ico

Filesize
193KB

MD5
ef36a84ad2bc23f79d171c604b56de29

SHA1
38d6569cd30d096140e752db5d98d53cf304a8fc

SHA256
e9eecf02f444877e789d64c2290d6922bd42e2f2fe9c91a1381959acd3292831

SHA512
dbb28281f8fa86d9084a0c3b3cdb6007c68aa038d8c28fe9b69ac0c1be6dc2141ca1b2d6a444821e25ace8e92fb35c37c89f8bce5fee33d6937e48b2759fa8be

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
371B

MD5
ff6d9f3cee0b9e1f2af360ce1709419a

SHA1
220b5098fd26e6d821cd37a905e6f694157b4fd8

SHA256
a1b2ba848988160a897cfe6eca6b97fe616d68f81dd75776aaf2bd478c8fc266

SHA512
0bbd879dada2a91b999dd45d48b8a4101f27d55ce0d5f668763a5fad4211ec42ae4d44501116b2c6bc6dcc1b5e0f59f5818c8e940db2a396f42484d8ffcd53c1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\f6279498-8af2-4888-a4b5-da4ff0ff732a.tmp

Filesize
1KB

MD5
2b1a9333b79e3ecf3e2ecc0e7bc6bc44

SHA1
402281b1ef7c84e20769b0ce611355851a8b39a2

SHA256
d1769d8aad9332294c08b3e7e3df8889588a9ca93e09bace82809bd5ad376c76

SHA512
36c7026f10936803eda7c892069b824eb661bad7c30bd81c0f594048747bfe3d5e0404095c08a1e6c332bd8d0b5181fe3e3d8edcfd56c9468c0cbf9108e18203

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
0e58f041142ad18e9a2d0fd4864a27dc

SHA1
1115ea75ed48daccf3e4aa250266ef882147cd8e

SHA256
6625402501cb838ae1cf6c1383d20ab55f05684e4fab309f61b2fc34a8bec47b

SHA512
e078ca41c70d3800bded726f43966ae1078f8571498ac166045cd1e75477e08854e93797dd61c67db3e812572eb1d407a39f2de5c15a21488e86a26134bb922d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
88KB

MD5
9c15e76e983adf6a8c75bae2bc944d2e

SHA1
5d55fd5c076c35902e74043d9f697f9d824c08b9

SHA256
e0aca73820dd79736fb55467cba66131e0346c2887b22d6c979d1f27b480b978

SHA512
8135ca0419f0464516a58ad48e55ae59a1c40eaa7f849a40d5b3add97491ba45e07377ccd443db453905a4a4f1873ce1443f40329cb9d0ea858eb99dd6384f2e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State~RFe5b9017.TMP

Filesize
947B

MD5
d4e4cf4ef4a16a7313985a3830ca7384

SHA1
a97c5ec122966b4347f5313bc7b2424442ff94df

SHA256
a1322a32460a0f1c4effcd3d2e5e4cf64f7347c8a6b55496673d7776f6a84a90

SHA512
a591f3d7a1009387057d17bc331a6ff92ca3740e9f75babd58a43b2e3f9c892591b0074b1c99d8d95094ce7b58fd50a426e1775b4ab2c1d93cb7816cc417b3e4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\data_0

Filesize
8KB

MD5
cf89d16bb9107c631daabf0c0ee58efb

SHA1
3ae5d3a7cf1f94a56e42f9a58d90a0b9616ae74b

SHA256
d6a5fe39cd672781b256e0e3102f7022635f1d4bb7cfcc90a80fffe4d0f3877e

SHA512
8cb5b059c8105eb91e74a7d5952437aaa1ada89763c5843e7b0f1b93d9ebe15ed40f287c652229291fac02d712cf7ff5ececef276ba0d7ddc35558a3ec3f77b0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\data_2

Filesize
8KB

MD5
0962291d6d367570bee5454721c17e11

SHA1
59d10a893ef321a706a9255176761366115bedcb

SHA256
ec1702806f4cc7c42a82fc2b38e89835fde7c64bb32060e0823c9077ca92efb7

SHA512
f555e961b69e09628eaf9c61f465871e6984cd4d31014f954bb747351dad9cea6d17c1db4bca2c1eb7f187cb5f3c0518748c339c8b43bbd1dbd94aeaa16f58ed

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\data_3

Filesize
8KB

MD5
41876349cb12d6db992f1309f22df3f0

SHA1
5cf26b3420fc0302cd0a71e8d029739b8765be27

SHA256
e09f42c398d688dce168570291f1f92d079987deda3099a34adb9e8c0522b30c

SHA512
e9a4fc1f7cb6ae2901f8e02354a92c4aaa7a53c640dcf692db42a27a5acc2a3bfb25a0de0eb08ab53983132016e7d43132ea4292e439bb636aafd53fb6ef907e

Download Submit
C:\Users\Admin\AppData\Local\Temp\LBLeak\Build\DDDDDDD

Filesize
153KB

MD5
3b3188cfa1daba94a3a1ec6f2eea9e0b

SHA1
280cbc13a194a003dabe5af54ebde5fa9e198ab0

SHA256
a12001a597d88c42765ef0876f2c2fd5a4ff1dbc0e4231edebc151f68047cc6f

SHA512
d55fdfe79397e43fd298275eb031f344c30312a4f984ec8175dacd860c57c3e59b97c04c8ae745ae8d19ad7c7740ef8c62f1aa6ae9dc73d7da0c4a4bbb039a81

Download Submit
C:\Users\Admin\AppData\Local\Temp\LBLeak\Build\DECRYPTION_ID.txt

Filesize
16B

MD5
8153903b913cded80b69e031826f01bb

SHA1
3c57043a3996c5afb6131123685021db6da35b0b

SHA256
0c22c8935f9e2c488fc5b95cbd429d354c589f16efe829be5879b8ab15b22347

SHA512
ce30cf480625fcf5b3fccab377a458ee67a5dca6e3f44acbea77707b9ac4c4dc1da03da46bc63262ccae0d60572df4cafd6d6380da8d9d57698631f521f9e942

Download Submit
C:\Users\Admin\AppData\Local\Temp\LBLeak\Build\LB3.exe

Filesize
153KB

MD5
f8f2b0cdb82271d9c631e942b46233a0

SHA1
18fd04e01fd482886f5e6db433cf5fe6bbb66708

SHA256
4f1b70a77457b4673bb6db89395f827fe96af24d3be205b832b5c268eb611a97

SHA512
fda94dea66f095a81a69cdfa95442e2c1c39c61c3e1958012726b13dd7fcbb8208f2560acceda972500883b48dd2b119ad4ad206ea2590b6f75571b5311867bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\LBLeak\Build\LB3.exe

Filesize
153KB

MD5
f8f2b0cdb82271d9c631e942b46233a0

SHA1
18fd04e01fd482886f5e6db433cf5fe6bbb66708

SHA256
4f1b70a77457b4673bb6db89395f827fe96af24d3be205b832b5c268eb611a97

SHA512
fda94dea66f095a81a69cdfa95442e2c1c39c61c3e1958012726b13dd7fcbb8208f2560acceda972500883b48dd2b119ad4ad206ea2590b6f75571b5311867bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\LBLeak\Build\LB3Decryptor.exe

Filesize
54KB

MD5
cf8a412ab7b10e2382934b8408362c3a

SHA1
f0d2446c607af7b3afd5a7ffdb99387a0270ba49

SHA256
59ce992bba8a9c29e6c4ac32f912b17026b22b77060b7f173f982ecd614e4f60

SHA512
14971e52ca4059fc3a1091004ea82435280eb1089d62dfd24ff0ada4528204a468353ed592cb3a938c750a278e4bffc4cd9040c62c00fa41493f1975d7265ccf

Download Submit
C:\Users\Admin\AppData\Local\Temp\LBLeak\Build\LB3Decryptor.exe

Filesize
54KB

MD5
cf8a412ab7b10e2382934b8408362c3a

SHA1
f0d2446c607af7b3afd5a7ffdb99387a0270ba49

SHA256
59ce992bba8a9c29e6c4ac32f912b17026b22b77060b7f173f982ecd614e4f60

SHA512
14971e52ca4059fc3a1091004ea82435280eb1089d62dfd24ff0ada4528204a468353ed592cb3a938c750a278e4bffc4cd9040c62c00fa41493f1975d7265ccf

Download Submit
C:\Users\Admin\AppData\Local\Temp\LBLeak\Build\LB3Decryptor.exe

Filesize
54KB

MD5
cf8a412ab7b10e2382934b8408362c3a

SHA1
f0d2446c607af7b3afd5a7ffdb99387a0270ba49

SHA256
59ce992bba8a9c29e6c4ac32f912b17026b22b77060b7f173f982ecd614e4f60

SHA512
14971e52ca4059fc3a1091004ea82435280eb1089d62dfd24ff0ada4528204a468353ed592cb3a938c750a278e4bffc4cd9040c62c00fa41493f1975d7265ccf

Download Submit
C:\Users\Admin\AppData\Local\Temp\LBLeak\Build\Password_dll.txt

Filesize
1KB

MD5
17afb8eba1824d29118fa78a5a989078

SHA1
3d1c961da7b6561287b34769f4d38d43650dfdad

SHA256
200a31fc1aaae8f01183445b1eab5a959b7737a4acf2858c7541d5f4f05cb87a

SHA512
c6cb0cf50aad34e1c683cde00f9a6f93d7cd135a8dfa337afab9df040d22d1c560c079c5826e9e0c6ced434f61e4a8b361076c36043c23937bdad10d16a40b75

Download Submit
C:\Users\Admin\AppData\Local\Temp\LBLeak\Build\Password_exe.txt

Filesize
2KB

MD5
c098ba387e1b060ae581f586fd6cfd24

SHA1
50076d8b439859f8714fd84e884ce47608ae980c

SHA256
750cb108035d2d8e2af14502c0382f274fd1ec89005b771c625123f06d516a71

SHA512
1ebd1e3f6f319b1f43617eb25a0c8dfc145682ea23e8a4340f0add8b0444c4b6c2267b664b08aecfbc3bc100f034408557bbbc64ee7cb017636e7dd59ce4df2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\LBLeak\Build\priv.key

Filesize
344B

MD5
85d2ef748fa1850ed938711b562cbacc

SHA1
acc29bf00a99f45ce0d8b6d73af6c77d833b718f

SHA256
2aaf69dbbb22fcb2e45b184791b22f919848d28fe4f4306cbb228021ce9e0be2

SHA512
2392d61ec4132ea197bc82ceeee20757b78e94b2c07dc871381e2e4cc8e118a2d7d78be2941715fe1816fbb7583c6f15cd4db7faf6968465c5d37035370185af

Download Submit
C:\Users\Admin\AppData\Local\Temp\LBLeak\Build\pub.key

Filesize
344B

MD5
78064c943341103e8e5290cf77052312

SHA1
5e1c4f37d13a619a80d8230f58be2d04339b8fca

SHA256
47a5d319cbe0adef6d1b7eb1e66db76f70193f0a21b0f4fa49ddbcd3235e1706

SHA512
2a49357d1fa96e863fac4c6da201cd751e851e59080116e3674641db7729460bb2045a2760ae96435cdc8aac3c08c785e89b4fc1fd22fd6cc3a149a30e25154a

Download Submit
C:\Users\Admin\AppData\Local\Temp\LBLeak\Build\ruurOinjW.README.txt

Filesize
6KB

MD5
4722dfe8c1e5ffe6c54311a49a7f29dc

SHA1
cbfc86adc51ed727c2278b61921216f5bbaef7e0

SHA256
aedb1db1e7a2a6011b9fba16c9d3630e66343f0fb28bd58148a8bfa1de1c1596

SHA512
9e02fa87bcda45ae90e4855aace4c0df63c94a292a10a388bda96360f143c1140542940ff9add17c027fc891f7dfe53ec7ccda13ea94c07397b43a69b6a78cfb

Download Submit
C:\Users\Admin\AppData\Local\Temp\{D04CC6C8-F6F1-494F-A467-7C2A4D291078}

Filesize
4KB

MD5
8b57089479f61111dbebb584bd4d81c0

SHA1
0d83fe15741448885f666872ef2349d25a2e102f

SHA256
2be83bb38102d1c06a44f5aa01ac6e765ebcdcfc76a93603deed6baa68aba1bb

SHA512
9bbfa45eadb54e321c2241dc6c8206c9daf6db9fc9ed41ca439c1990b6a4c634ebe2ebfaea6c0390663f406af0aec79470cec2cd24d98e2c306d9ae7daf6cbd9

Download Submit
C:\Users\Admin\Documents\OneNote Notebooks\My Notebook\Open Notebook.onetoc2

Filesize
4KB

MD5
c9ba50ddd5b4c49a33735036f6bd305f

SHA1
5de3c543e6bc71d2cd61c3a207ba4cb5ee630f6c

SHA256
832991a252e06b01472c6cdc5ce00b169a76ed2b7158e141d3f11563acaaa612

SHA512
e9ab311feab70ce0b687025eed0070bffaa5e149353e8a2c3b8205c690bb2d85b74f45ddd194341aa0599d2737a416abd66155a44a1ae1e07ea4d530b005be33

Download Submit
C:\ruurOinjW.README.txt

Filesize
6KB

MD5
4722dfe8c1e5ffe6c54311a49a7f29dc

SHA1
cbfc86adc51ed727c2278b61921216f5bbaef7e0

SHA256
aedb1db1e7a2a6011b9fba16c9d3630e66343f0fb28bd58148a8bfa1de1c1596

SHA512
9e02fa87bcda45ae90e4855aace4c0df63c94a292a10a388bda96360f143c1140542940ff9add17c027fc891f7dfe53ec7ccda13ea94c07397b43a69b6a78cfb

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-2178924671-3779044592-2825503497-1000\EEEEEEEEEEE

Filesize
129B

MD5
97794816f4596b568c71f688fc229056

SHA1
4123643bd09cf3cb315cae101b78a5ee53804bbe

SHA256
a9ed26425d1c0f62826023a7472b6555e1c91e71c880b923141319ebfc155bd9

SHA512
9e7d26eea2918456350694db92b2a7fb3287af23ba030d45ade5c7175775abc9772e7274c1b5fbb4ddab394c9f867063967c3e518dad4a779ad135cab5a1192d

Download Submit
memory/2080-3538-0x00007FF91D350000-0x00007FF91D360000-memory.dmp

Filesize
64KB

Download
memory/2080-3537-0x00007FF91D350000-0x00007FF91D360000-memory.dmp

Filesize
64KB

Download
memory/2080-3540-0x00007FF91B1A0000-0x00007FF91B1B0000-memory.dmp

Filesize
64KB

Download
memory/2080-3566-0x00007FF91D350000-0x00007FF91D360000-memory.dmp

Filesize
64KB

Download
memory/2080-3567-0x00007FF91D350000-0x00007FF91D360000-memory.dmp

Filesize
64KB

Download
memory/2080-3568-0x00007FF91D350000-0x00007FF91D360000-memory.dmp

Filesize
64KB

Download
memory/2080-3569-0x00007FF91D350000-0x00007FF91D360000-memory.dmp

Filesize
64KB

Download
memory/2080-3534-0x00007FF91D350000-0x00007FF91D360000-memory.dmp

Filesize
64KB

Download
memory/2080-3535-0x00007FF91D350000-0x00007FF91D360000-memory.dmp

Filesize
64KB

Download
memory/2080-3536-0x00007FF91D350000-0x00007FF91D360000-memory.dmp

Filesize
64KB

Download
memory/2080-3539-0x00007FF91B1A0000-0x00007FF91B1B0000-memory.dmp

Filesize
64KB

Download
memory/3212-3381-0x00000229AABC0000-0x00000229AABE0000-memory.dmp

Filesize
128KB

Download
memory/3212-3377-0x00000229AAC00000-0x00000229AAC20000-memory.dmp

Filesize
128KB

Download
memory/3212-3383-0x00000229AAFD0000-0x00000229AAFF0000-memory.dmp

Filesize
128KB

Download
memory/4012-3483-0x0000000002840000-0x0000000002850000-memory.dmp

Filesize
64KB

Download
memory/4012-151-0x0000000002840000-0x0000000002850000-memory.dmp

Filesize
64KB

Download
memory/4012-152-0x0000000002840000-0x0000000002850000-memory.dmp

Filesize
64KB

Download
memory/4012-153-0x0000000002840000-0x0000000002850000-memory.dmp

Filesize
64KB

Download
memory/4012-3484-0x0000000002840000-0x0000000002850000-memory.dmp

Filesize
64KB

Download