Malware Analysis Report

2024-10-16 03:21

Sample ID 230621-24zktada6s
Target Lockbit 3 Builder.7z
SHA256 b2c3beda4b000a3d9af0a457d6d942ec81696f3ed485f7cf723b18008a5f3d10
Tags
lockbit blackmatter persistence ransomware spyware stealer
score
10/10


Analysis Overview

score
10/10

SHA256

b2c3beda4b000a3d9af0a457d6d942ec81696f3ed485f7cf723b18008a5f3d10

Threat Level: Known bad

The file Lockbit 3 Builder.7z was found to be: Known bad.

Malicious Activity Summary

lockbit blackmatter persistence ransomware spyware stealer

Rule to detect Lockbit 3.0 ransomware Windows payload

Lockbit

Blackmatter family

Lockbit family

Renames multiple (712) files with added filename extension

Modifies extensions of user files

Checks computer location settings

Executes dropped EXE

Reads user/profile data of web browsers

Adds Run key to start application

Drops desktop.ini file(s)

Sets desktop wallpaper using registry

Drops file in System32 directory

Suspicious use of NtSetInformationThreadHideFromDebugger

Unsigned PE

Enumerates physical storage devices

Modifies registry class

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Opens file in notepad (likely ransom note)

Modifies Control Panel

Checks processor information in registry

Enumerates system info in registry

Uses Volume Shadow Copy service COM API

Suspicious behavior: RenamesItself

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

Suspicious behavior: AddClipboardFormatListener

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-06-21 23:08

Signatures

Blackmatter family

blackmatter

Lockbit family

lockbit

Rule to detect Lockbit 3.0 ransomware Windows payload

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-06-21 23:08

Reported

2023-06-21 23:39

Platform

win10v2004-20230621-en

Max time kernel

1624s

Max time network

1596s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\LBLeak\config.json

Signatures

Lockbit

ransomware lockbit

Rule to detect Lockbit 3.0 ransomware Windows payload

Description Indicator Process Target
N/A N/A N/A N/A

Renames multiple (712) files with added filename extension

ransomware

Modifies extensions of user files

ransomware
Description Indicator Process Target
File renamed C:\Users\Admin\Pictures\RevokeResolve.crw => C:\Users\Admin\Pictures\RevokeResolve.crw.ruurOinjW C:\Users\Admin\AppData\Local\Temp\LBLeak\Build\LB3.exe N/A
File opened for modification C:\Users\Admin\Pictures\ApproveSwitch.png.ruurOinjW C:\Users\Admin\AppData\Local\Temp\LBLeak\Build\LB3.exe N/A
File renamed C:\Users\Admin\Pictures\BlockResize.crw => C:\Users\Admin\Pictures\BlockResize.crw.ruurOinjW C:\Users\Admin\AppData\Local\Temp\LBLeak\Build\LB3.exe N/A
File opened for modification C:\Users\Admin\Pictures\BlockResize.crw.ruurOinjW C:\Users\Admin\AppData\Local\Temp\LBLeak\Build\LB3.exe N/A
File opened for modification C:\Users\Admin\Pictures\PushComplete.tiff C:\Users\Admin\AppData\Local\Temp\LBLeak\Build\LB3.exe N/A
File renamed C:\Users\Admin\Pictures\PushComplete.tiff => C:\Users\Admin\Pictures\PushComplete.tiff.ruurOinjW C:\Users\Admin\AppData\Local\Temp\LBLeak\Build\LB3.exe N/A
File renamed C:\Users\Admin\Pictures\ResolveStart.raw => C:\Users\Admin\Pictures\ResolveStart.raw.ruurOinjW C:\Users\Admin\AppData\Local\Temp\LBLeak\Build\LB3.exe N/A
File opened for modification C:\Users\Admin\Pictures\ResolveStart.raw.ruurOinjW C:\Users\Admin\AppData\Local\Temp\LBLeak\Build\LB3.exe N/A
File renamed C:\Users\Admin\Pictures\ApproveSwitch.png => C:\Users\Admin\Pictures\ApproveSwitch.png.ruurOinjW C:\Users\Admin\AppData\Local\Temp\LBLeak\Build\LB3.exe N/A
File renamed C:\Users\Admin\Pictures\ExpandUnprotect.png => C:\Users\Admin\Pictures\ExpandUnprotect.png.ruurOinjW C:\Users\Admin\AppData\Local\Temp\LBLeak\Build\LB3.exe N/A
File opened for modification C:\Users\Admin\Pictures\ExpandUnprotect.png.ruurOinjW C:\Users\Admin\AppData\Local\Temp\LBLeak\Build\LB3.exe N/A
File opened for modification C:\Users\Admin\Pictures\PushComplete.tiff.ruurOinjW C:\Users\Admin\AppData\Local\Temp\LBLeak\Build\LB3.exe N/A
File opened for modification C:\Users\Admin\Pictures\RevokeResolve.crw.ruurOinjW C:\Users\Admin\AppData\Local\Temp\LBLeak\Build\LB3.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2178924671-3779044592-2825503497-1000\Control Panel\International\Geo\Nation C:\ProgramData\2628.tmp N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2178924671-3779044592-2825503497-1000\Software\Microsoft\Windows\CurrentVersion\Run C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification F:\$RECYCLE.BIN\S-1-5-21-2178924671-3779044592-2825503497-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\LBLeak\Build\LB3.exe N/A
File opened for modification C:\$Recycle.Bin\S-1-5-21-2178924671-3779044592-2825503497-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\LBLeak\Build\LB3.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\system32\spool\PRINTERS\00002.SPL C:\Windows\splwow64.exe N/A
File created C:\Windows\system32\spool\PRINTERS\PPad23plthsinw4krpqkebz6o2c.TMP C:\Windows\system32\printfilterpipelinesvc.exe N/A
File created C:\Windows\system32\spool\PRINTERS\PP3xvkc8gfao2f2gjx9piunfoid.TMP C:\Windows\system32\printfilterpipelinesvc.exe N/A
File created C:\Windows\system32\spool\PRINTERS\PPqujua0hkv8pwu7w1g_5s8ho9b.TMP C:\Windows\system32\printfilterpipelinesvc.exe N/A

Sets desktop wallpaper using registry

ransomware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2178924671-3779044592-2825503497-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\ruurOinjW.bmp" C:\Users\Admin\AppData\Local\Temp\LBLeak\Build\LB3.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2178924671-3779044592-2825503497-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\ruurOinjW.bmp" C:\Users\Admin\AppData\Local\Temp\LBLeak\Build\LB3.exe N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE N/A

Enumerates system info in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE N/A

Modifies Control Panel

evasion
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2178924671-3779044592-2825503497-1000\Control Panel\Desktop C:\Users\Admin\AppData\Local\Temp\LBLeak\Build\LB3.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2178924671-3779044592-2825503497-1000\Control Panel\Desktop\WallpaperStyle = "10" C:\Users\Admin\AppData\Local\Temp\LBLeak\Build\LB3.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2178924671-3779044592-2825503497-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\NodeSlot = "1" C:\Windows\system32\NOTEPAD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ C:\Windows\system32\NOTEPAD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2178924671-3779044592-2825503497-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg C:\Windows\system32\NOTEPAD.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2178924671-3779044592-2825503497-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\MRUListEx = ffffffff C:\Windows\system32\NOTEPAD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2178924671-3779044592-2825503497-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell C:\Windows\system32\NOTEPAD.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2178924671-3779044592-2825503497-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4" C:\Windows\system32\NOTEPAD.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2178924671-3779044592-2825503497-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000 C:\Windows\system32\NOTEPAD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2178924671-3779044592-2825503497-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DomStorageState C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2178924671-3779044592-2825503497-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2178924671-3779044592-2825503497-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU C:\Windows\system32\NOTEPAD.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2178924671-3779044592-2825503497-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff C:\Windows\system32\NOTEPAD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2178924671-3779044592-2825503497-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2178924671-3779044592-2825503497-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 C:\Windows\system32\NOTEPAD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2178924671-3779044592-2825503497-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7} C:\Windows\system32\NOTEPAD.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2178924671-3779044592-2825503497-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1" C:\Windows\system32\NOTEPAD.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2178924671-3779044592-2825503497-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257" C:\Windows\system32\NOTEPAD.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2178924671-3779044592-2825503497-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1" C:\Windows\system32\NOTEPAD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ruurOinjW\DefaultIcon C:\Users\Admin\AppData\Local\Temp\LBLeak\Build\LB3.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2178924671-3779044592-2825503497-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "23" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2178924671-3779044592-2825503497-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff C:\Windows\system32\NOTEPAD.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2178924671-3779044592-2825503497-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16" C:\Windows\system32\NOTEPAD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ruurOinjW\DefaultIcon\ = "C:\\ProgramData\\ruurOinjW.ico" C:\Users\Admin\AppData\Local\Temp\LBLeak\Build\LB3.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2178924671-3779044592-2825503497-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2178924671-3779044592-2825503497-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags C:\Windows\system32\NOTEPAD.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2178924671-3779044592-2825503497-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0" C:\Windows\system32\NOTEPAD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.ruurOinjW C:\Users\Admin\AppData\Local\Temp\LBLeak\Build\LB3.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2178924671-3779044592-2825503497-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "56" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2178924671-3779044592-2825503497-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1 C:\Windows\system32\NOTEPAD.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2178924671-3779044592-2825503497-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1" C:\Windows\system32\NOTEPAD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.ruurOinjW\ = "ruurOinjW" C:\Users\Admin\AppData\Local\Temp\LBLeak\Build\LB3.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2178924671-3779044592-2825503497-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2178924671-3779044592-2825503497-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "56" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2178924671-3779044592-2825503497-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "23" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2178924671-3779044592-2825503497-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = 00000000ffffffff C:\Windows\system32\NOTEPAD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ruurOinjW C:\Users\Admin\AppData\Local\Temp\LBLeak\Build\LB3.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2178924671-3779044592-2825503497-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2178924671-3779044592-2825503497-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\windows.search C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2178924671-3779044592-2825503497-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 = 5a00310000000000d55627b9100053797374656d33320000420009000400efbe874f7748d55627b92e000000b90c00000000010000000000000000000000000000000cc37b00530079007300740065006d0033003200000018000000 C:\Windows\system32\NOTEPAD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2178924671-3779044592-2825503497-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ C:\Windows\system32\NOTEPAD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2178924671-3779044592-2825503497-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2178924671-3779044592-2825503497-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2178924671-3779044592-2825503497-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\Total C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2178924671-3779044592-2825503497-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff C:\Windows\system32\NOTEPAD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2178924671-3779044592-2825503497-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2178924671-3779044592-2825503497-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}" C:\Windows\system32\NOTEPAD.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2178924671-3779044592-2825503497-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "185" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2178924671-3779044592-2825503497-1000_Classes\Local Settings C:\Windows\system32\NOTEPAD.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2178924671-3779044592-2825503497-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots C:\Windows\system32\NOTEPAD.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2178924671-3779044592-2825503497-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 19002f433a5c000000000000000000000000000000000000000000 C:\Windows\system32\NOTEPAD.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2178924671-3779044592-2825503497-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\MRUListEx = 00000000ffffffff C:\Windows\system32\NOTEPAD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2178924671-3779044592-2825503497-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell C:\Windows\system32\NOTEPAD.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2178924671-3779044592-2825503497-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000 C:\Windows\system32\NOTEPAD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2178924671-3779044592-2825503497-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 C:\Windows\system32\NOTEPAD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2178924671-3779044592-2825503497-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Generic" C:\Windows\system32\NOTEPAD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2178924671-3779044592-2825503497-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2178924671-3779044592-2825503497-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2178924671-3779044592-2825503497-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2178924671-3779044592-2825503497-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\microsoft.windows.search C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2178924671-3779044592-2825503497-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2178924671-3779044592-2825503497-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "152" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2178924671-3779044592-2825503497-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 = 5600310000000000d556604b100057696e646f777300400009000400efbe874f7748d55627b92e00000000060000000001000000000000000000000000000000fc4c0400570069006e0064006f0077007300000016000000 C:\Windows\system32\NOTEPAD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2178924671-3779044592-2825503497-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 C:\Windows\system32\NOTEPAD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2178924671-3779044592-2825503497-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 C:\Windows\system32\NOTEPAD.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2178924671-3779044592-2825503497-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02 C:\Windows\system32\NOTEPAD.EXE N/A

Opens file in notepad (likely ransom note)

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\NOTEPAD.EXE N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\LBLeak\Build\LB3.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Description Indicator Process Target
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious behavior: RenamesItself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\LBLeak\Build\LB3.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LBLeak\Build\LB3.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LBLeak\Build\LB3.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LBLeak\Build\LB3.exe N/A
Token: 36 N/A C:\Users\Admin\AppData\Local\Temp\LBLeak\Build\LB3.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\LBLeak\Build\LB3.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LBLeak\Build\LB3.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LBLeak\Build\LB3.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\LBLeak\Build\LB3.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\LBLeak\Build\LB3.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LBLeak\Build\LB3.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\LBLeak\Build\LB3.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LBLeak\Build\LB3.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\LBLeak\Build\LB3.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LBLeak\Build\LB3.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LBLeak\Build\LB3.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LBLeak\Build\LB3.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LBLeak\Build\LB3Decryptor.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LBLeak\Build\LB3Decryptor.exe N/A
Token: 36 N/A C:\Users\Admin\AppData\Local\Temp\LBLeak\Build\LB3Decryptor.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\LBLeak\Build\LB3Decryptor.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LBLeak\Build\LB3Decryptor.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LBLeak\Build\LB3Decryptor.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\LBLeak\Build\LB3Decryptor.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\LBLeak\Build\LB3Decryptor.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LBLeak\Build\LB3Decryptor.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\LBLeak\Build\LB3Decryptor.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LBLeak\Build\LB3Decryptor.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\LBLeak\Build\LB3Decryptor.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LBLeak\Build\LB3Decryptor.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LBLeak\Build\LB3.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LBLeak\Build\LB3.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LBLeak\Build\LB3.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LBLeak\Build\LB3.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LBLeak\Build\LB3.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LBLeak\Build\LB3.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LBLeak\Build\LB3.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LBLeak\Build\LB3.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LBLeak\Build\LB3.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LBLeak\Build\LB3.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LBLeak\Build\LB3.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LBLeak\Build\LB3.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LBLeak\Build\LB3.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LBLeak\Build\LB3.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LBLeak\Build\LB3.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LBLeak\Build\LB3.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LBLeak\Build\LB3.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LBLeak\Build\LB3.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LBLeak\Build\LB3.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LBLeak\Build\LB3.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LBLeak\Build\LB3.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LBLeak\Build\LB3.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LBLeak\Build\LB3.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LBLeak\Build\LB3.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LBLeak\Build\LB3.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LBLeak\Build\LB3.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LBLeak\Build\LB3.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LBLeak\Build\LB3.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LBLeak\Build\LB3.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LBLeak\Build\LB3.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LBLeak\Build\LB3.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LBLeak\Build\LB3.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\system32\NOTEPAD.EXE N/A
N/A N/A C:\Windows\system32\NOTEPAD.EXE N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\NOTEPAD.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\LBLeak\Build\LB3Decryptor.exe N/A
N/A N/A C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\LBLeak\Build\LB3Decryptor.exe N/A
N/A N/A C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3292 wrote to memory of 1892 N/A C:\Windows\system32\OpenWith.exe C:\Windows\system32\NOTEPAD.EXE
PID 3292 wrote to memory of 1892 N/A C:\Windows\system32\OpenWith.exe C:\Windows\system32\NOTEPAD.EXE
PID 3384 wrote to memory of 1816 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\LBLeak\keygen.exe
PID 3384 wrote to memory of 1816 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\LBLeak\keygen.exe
PID 3384 wrote to memory of 1816 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\LBLeak\keygen.exe
PID 3384 wrote to memory of 1444 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\LBLeak\builder.exe
PID 3384 wrote to memory of 1444 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\LBLeak\builder.exe
PID 3384 wrote to memory of 1444 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\LBLeak\builder.exe
PID 3384 wrote to memory of 5108 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\LBLeak\builder.exe
PID 3384 wrote to memory of 5108 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\LBLeak\builder.exe
PID 3384 wrote to memory of 5108 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\LBLeak\builder.exe
PID 3384 wrote to memory of 408 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\LBLeak\builder.exe
PID 3384 wrote to memory of 408 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\LBLeak\builder.exe
PID 3384 wrote to memory of 408 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\LBLeak\builder.exe
PID 3384 wrote to memory of 484 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\LBLeak\builder.exe
PID 3384 wrote to memory of 484 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\LBLeak\builder.exe
PID 3384 wrote to memory of 484 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\LBLeak\builder.exe
PID 3384 wrote to memory of 2632 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\LBLeak\builder.exe
PID 3384 wrote to memory of 2632 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\LBLeak\builder.exe
PID 3384 wrote to memory of 2632 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\LBLeak\builder.exe
PID 3384 wrote to memory of 4676 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\LBLeak\builder.exe
PID 3384 wrote to memory of 4676 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\LBLeak\builder.exe
PID 3384 wrote to memory of 4676 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\LBLeak\builder.exe
PID 4012 wrote to memory of 1672 N/A C:\Users\Admin\AppData\Local\Temp\LBLeak\Build\LB3.exe C:\Windows\splwow64.exe
PID 4012 wrote to memory of 1672 N/A C:\Users\Admin\AppData\Local\Temp\LBLeak\Build\LB3.exe C:\Windows\splwow64.exe
PID 2228 wrote to memory of 2080 N/A C:\Windows\system32\printfilterpipelinesvc.exe C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
PID 2228 wrote to memory of 2080 N/A C:\Windows\system32\printfilterpipelinesvc.exe C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
PID 4012 wrote to memory of 4456 N/A C:\Users\Admin\AppData\Local\Temp\LBLeak\Build\LB3.exe C:\ProgramData\2628.tmp
PID 4012 wrote to memory of 4456 N/A C:\Users\Admin\AppData\Local\Temp\LBLeak\Build\LB3.exe C:\ProgramData\2628.tmp
PID 4012 wrote to memory of 4456 N/A C:\Users\Admin\AppData\Local\Temp\LBLeak\Build\LB3.exe C:\ProgramData\2628.tmp
PID 4012 wrote to memory of 4456 N/A C:\Users\Admin\AppData\Local\Temp\LBLeak\Build\LB3.exe C:\ProgramData\2628.tmp
PID 4456 wrote to memory of 3908 N/A C:\ProgramData\2628.tmp C:\Windows\SysWOW64\cmd.exe
PID 4456 wrote to memory of 3908 N/A C:\ProgramData\2628.tmp C:\Windows\SysWOW64\cmd.exe
PID 4456 wrote to memory of 3908 N/A C:\ProgramData\2628.tmp C:\Windows\SysWOW64\cmd.exe
PID 3680 wrote to memory of 4088 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3680 wrote to memory of 4088 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3680 wrote to memory of 5256 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3680 wrote to memory of 5256 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3680 wrote to memory of 5256 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3680 wrote to memory of 5256 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3680 wrote to memory of 5256 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3680 wrote to memory of 5256 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3680 wrote to memory of 5256 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3680 wrote to memory of 5256 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3680 wrote to memory of 5256 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3680 wrote to memory of 5256 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3680 wrote to memory of 5256 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3680 wrote to memory of 5256 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3680 wrote to memory of 5256 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3680 wrote to memory of 5256 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3680 wrote to memory of 5256 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3680 wrote to memory of 5256 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3680 wrote to memory of 5256 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3680 wrote to memory of 5256 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3680 wrote to memory of 5256 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3680 wrote to memory of 5256 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3680 wrote to memory of 5256 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3680 wrote to memory of 5256 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3680 wrote to memory of 5256 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3680 wrote to memory of 5256 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3680 wrote to memory of 5256 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3680 wrote to memory of 5256 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3680 wrote to memory of 5256 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3680 wrote to memory of 5256 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\LBLeak\config.json

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

C:\Windows\system32\NOTEPAD.EXE

"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\LBLeak\config.json

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LBLeak\Build.bat" "

C:\Users\Admin\AppData\Local\Temp\LBLeak\keygen.exe

keygen -path C:\Users\Admin\AppData\Local\Temp\LBLeak\Build -pubkey pub.key -privkey priv.key

C:\Users\Admin\AppData\Local\Temp\LBLeak\builder.exe

builder -type dec -privkey C:\Users\Admin\AppData\Local\Temp\LBLeak\Build\priv.key -config config.json -ofile C:\Users\Admin\AppData\Local\Temp\LBLeak\Build\LB3Decryptor.exe

C:\Users\Admin\AppData\Local\Temp\LBLeak\builder.exe

builder -type enc -exe -pubkey C:\Users\Admin\AppData\Local\Temp\LBLeak\Build\pub.key -config config.json -ofile C:\Users\Admin\AppData\Local\Temp\LBLeak\Build\LB3.exe

C:\Users\Admin\AppData\Local\Temp\LBLeak\builder.exe

builder -type enc -exe -pass -pubkey C:\Users\Admin\AppData\Local\Temp\LBLeak\Build\pub.key -config config.json -ofile C:\Users\Admin\AppData\Local\Temp\LBLeak\Build\LB3_pass.exe

C:\Users\Admin\AppData\Local\Temp\LBLeak\builder.exe

builder -type enc -dll -pubkey C:\Users\Admin\AppData\Local\Temp\LBLeak\Build\pub.key -config config.json -ofile C:\Users\Admin\AppData\Local\Temp\LBLeak\Build\LB3_Rundll32.dll

C:\Users\Admin\AppData\Local\Temp\LBLeak\builder.exe

builder -type enc -dll -pass -pubkey C:\Users\Admin\AppData\Local\Temp\LBLeak\Build\pub.key -config config.json -ofile C:\Users\Admin\AppData\Local\Temp\LBLeak\Build\LB3_Rundll32_pass.dll

C:\Users\Admin\AppData\Local\Temp\LBLeak\builder.exe

builder -type enc -ref -pubkey C:\Users\Admin\AppData\Local\Temp\LBLeak\Build\pub.key -config config.json -ofile C:\Users\Admin\AppData\Local\Temp\LBLeak\Build\LB3_ReflectiveDll_DllMain.dll

C:\Windows\system32\NOTEPAD.EXE

"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\LBLeak\Build\DECRYPTION_ID.txt

C:\Windows\system32\NOTEPAD.EXE

"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\LBLeak\Build\Password_dll.txt

C:\Windows\system32\NOTEPAD.EXE

"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\LBLeak\Build\Password_exe.txt

C:\Users\Admin\AppData\Local\Temp\LBLeak\Build\LB3.exe

"C:\Users\Admin\AppData\Local\Temp\LBLeak\Build\LB3.exe"

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Users\Admin\AppData\Local\Temp\LBLeak\Build\LB3Decryptor.exe

"C:\Users\Admin\AppData\Local\Temp\LBLeak\Build\LB3Decryptor.exe"

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Users\Admin\AppData\Local\Temp\LBLeak\Build\LB3Decryptor.exe

"C:\Users\Admin\AppData\Local\Temp\LBLeak\Build\LB3Decryptor.exe"

C:\Windows\system32\NOTEPAD.EXE

"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\LBLeak\Build\ruurOinjW.README.txt

C:\Windows\splwow64.exe

C:\Windows\splwow64.exe 12288

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc

C:\Windows\system32\printfilterpipelinesvc.exe

C:\Windows\system32\printfilterpipelinesvc.exe -Embedding

C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE

/insertdoc "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\{EDDF34A5-A935-438D-B559-7DB87257E742}.xps" 133318627463290000

C:\ProgramData\2628.tmp

"C:\ProgramData\2628.tmp"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\2628.tmp >> NUL

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ff93f2b9758,0x7ff93f2b9768,0x7ff93f2b9778

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1860 --field-trial-handle=1876,i,16850746484986660168,7055652474417454512,131072 /prefetch:2

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2212 --field-trial-handle=1876,i,16850746484986660168,7055652474417454512,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2268 --field-trial-handle=1876,i,16850746484986660168,7055652474417454512,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3188 --field-trial-handle=1876,i,16850746484986660168,7055652474417454512,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3320 --field-trial-handle=1876,i,16850746484986660168,7055652474417454512,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4544 --field-trial-handle=1876,i,16850746484986660168,7055652474417454512,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4672 --field-trial-handle=1876,i,16850746484986660168,7055652474417454512,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4656 --field-trial-handle=1876,i,16850746484986660168,7055652474417454512,131072 /prefetch:8

Network

Country Destination Domain Proto
US 93.184.221.240:80 tcp
US 8.8.8.8:53 73.254.224.20.in-addr.arpa udp
US 93.184.221.240:80 tcp
US 93.184.221.240:80 tcp
US 8.8.8.8:53 1.202.248.87.in-addr.arpa udp
US 8.8.8.8:53 16.42.107.13.in-addr.arpa udp
US 8.8.8.8:53 33.146.190.20.in-addr.arpa udp
US 8.8.8.8:53 11.173.189.20.in-addr.arpa udp
US 8.8.8.8:53 195.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 196.168.217.172.in-addr.arpa udp
US 8.8.8.8:53 134.121.24.20.in-addr.arpa udp
US 8.8.8.8:53 75.121.18.2.in-addr.arpa udp
US 8.8.8.8:53 99.113.223.173.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\LBLeak\Build\priv.key

MD5 85d2ef748fa1850ed938711b562cbacc
SHA1 acc29bf00a99f45ce0d8b6d73af6c77d833b718f
SHA256 2aaf69dbbb22fcb2e45b184791b22f919848d28fe4f4306cbb228021ce9e0be2
SHA512 2392d61ec4132ea197bc82ceeee20757b78e94b2c07dc871381e2e4cc8e118a2d7d78be2941715fe1816fbb7583c6f15cd4db7faf6968465c5d37035370185af

C:\Users\Admin\AppData\Local\Temp\LBLeak\Build\pub.key

MD5 78064c943341103e8e5290cf77052312
SHA1 5e1c4f37d13a619a80d8230f58be2d04339b8fca
SHA256 47a5d319cbe0adef6d1b7eb1e66db76f70193f0a21b0f4fa49ddbcd3235e1706
SHA512 2a49357d1fa96e863fac4c6da201cd751e851e59080116e3674641db7729460bb2045a2760ae96435cdc8aac3c08c785e89b4fc1fd22fd6cc3a149a30e25154a

C:\Users\Admin\AppData\Local\Temp\LBLeak\Build\DECRYPTION_ID.txt

MD5 8153903b913cded80b69e031826f01bb
SHA1 3c57043a3996c5afb6131123685021db6da35b0b
SHA256 0c22c8935f9e2c488fc5b95cbd429d354c589f16efe829be5879b8ab15b22347
SHA512 ce30cf480625fcf5b3fccab377a458ee67a5dca6e3f44acbea77707b9ac4c4dc1da03da46bc63262ccae0d60572df4cafd6d6380da8d9d57698631f521f9e942

C:\Users\Admin\AppData\Local\Temp\LBLeak\Build\Password_dll.txt

MD5 17afb8eba1824d29118fa78a5a989078
SHA1 3d1c961da7b6561287b34769f4d38d43650dfdad
SHA256 200a31fc1aaae8f01183445b1eab5a959b7737a4acf2858c7541d5f4f05cb87a
SHA512 c6cb0cf50aad34e1c683cde00f9a6f93d7cd135a8dfa337afab9df040d22d1c560c079c5826e9e0c6ced434f61e4a8b361076c36043c23937bdad10d16a40b75

C:\Users\Admin\AppData\Local\Temp\LBLeak\Build\Password_exe.txt

MD5 c098ba387e1b060ae581f586fd6cfd24
SHA1 50076d8b439859f8714fd84e884ce47608ae980c
SHA256 750cb108035d2d8e2af14502c0382f274fd1ec89005b771c625123f06d516a71
SHA512 1ebd1e3f6f319b1f43617eb25a0c8dfc145682ea23e8a4340f0add8b0444c4b6c2267b664b08aecfbc3bc100f034408557bbbc64ee7cb017636e7dd59ce4df2b

C:\Users\Admin\AppData\Local\Temp\LBLeak\Build\LB3.exe

MD5 f8f2b0cdb82271d9c631e942b46233a0
SHA1 18fd04e01fd482886f5e6db433cf5fe6bbb66708
SHA256 4f1b70a77457b4673bb6db89395f827fe96af24d3be205b832b5c268eb611a97
SHA512 fda94dea66f095a81a69cdfa95442e2c1c39c61c3e1958012726b13dd7fcbb8208f2560acceda972500883b48dd2b119ad4ad206ea2590b6f75571b5311867bf

C:\Users\Admin\AppData\Local\Temp\LBLeak\Build\LB3.exe

MD5 f8f2b0cdb82271d9c631e942b46233a0
SHA1 18fd04e01fd482886f5e6db433cf5fe6bbb66708
SHA256 4f1b70a77457b4673bb6db89395f827fe96af24d3be205b832b5c268eb611a97
SHA512 fda94dea66f095a81a69cdfa95442e2c1c39c61c3e1958012726b13dd7fcbb8208f2560acceda972500883b48dd2b119ad4ad206ea2590b6f75571b5311867bf

memory/4012-151-0x0000000002840000-0x0000000002850000-memory.dmp

memory/4012-152-0x0000000002840000-0x0000000002850000-memory.dmp

memory/4012-153-0x0000000002840000-0x0000000002850000-memory.dmp

C:\$Recycle.Bin\S-1-5-21-2178924671-3779044592-2825503497-1000\DDDDDDDDDDD

MD5 f24c0b089357588761cfa245b0029f07
SHA1 844696290ba3f9e5d7fc9a9f6240a62fd2cef79a
SHA256 8a99a4d9d3c4ef6c1e0dc18a46755d71de8f933ea0a56dbd9fbca3d7d84ec7da
SHA512 e168919cf0edda2c2e40d2faa5247876d1ee331cd8879f95b4935b566152eb2eb12e701607b1c5326224aba35a2bd110d8cc8e63e53d7c55ee5b841957515e4f

C:\$Recycle.Bin\S-1-5-21-2178924671-3779044592-2825503497-1000\SSSSSSSSSSS

MD5 f24c0b089357588761cfa245b0029f07
SHA1 844696290ba3f9e5d7fc9a9f6240a62fd2cef79a
SHA256 8a99a4d9d3c4ef6c1e0dc18a46755d71de8f933ea0a56dbd9fbca3d7d84ec7da
SHA512 e168919cf0edda2c2e40d2faa5247876d1ee331cd8879f95b4935b566152eb2eb12e701607b1c5326224aba35a2bd110d8cc8e63e53d7c55ee5b841957515e4f

C:\$Recycle.Bin\S-1-5-21-2178924671-3779044592-2825503497-1000\YYYYYYYYYYY

MD5 f24c0b089357588761cfa245b0029f07
SHA1 844696290ba3f9e5d7fc9a9f6240a62fd2cef79a
SHA256 8a99a4d9d3c4ef6c1e0dc18a46755d71de8f933ea0a56dbd9fbca3d7d84ec7da
SHA512 e168919cf0edda2c2e40d2faa5247876d1ee331cd8879f95b4935b566152eb2eb12e701607b1c5326224aba35a2bd110d8cc8e63e53d7c55ee5b841957515e4f

C:\$Recycle.Bin\S-1-5-21-2178924671-3779044592-2825503497-1000\XXXXXXXXXXX

MD5 f24c0b089357588761cfa245b0029f07
SHA1 844696290ba3f9e5d7fc9a9f6240a62fd2cef79a
SHA256 8a99a4d9d3c4ef6c1e0dc18a46755d71de8f933ea0a56dbd9fbca3d7d84ec7da
SHA512 e168919cf0edda2c2e40d2faa5247876d1ee331cd8879f95b4935b566152eb2eb12e701607b1c5326224aba35a2bd110d8cc8e63e53d7c55ee5b841957515e4f

F:\$RECYCLE.BIN\S-1-5-21-2178924671-3779044592-2825503497-1000\EEEEEEEEEEE

MD5 97794816f4596b568c71f688fc229056
SHA1 4123643bd09cf3cb315cae101b78a5ee53804bbe
SHA256 a9ed26425d1c0f62826023a7472b6555e1c91e71c880b923141319ebfc155bd9
SHA512 9e7d26eea2918456350694db92b2a7fb3287af23ba030d45ade5c7175775abc9772e7274c1b5fbb4ddab394c9f867063967c3e518dad4a779ad135cab5a1192d

C:\$Recycle.Bin\S-1-5-21-2178924671-3779044592-2825503497-1000\WWWWWWWWWWW

MD5 f24c0b089357588761cfa245b0029f07
SHA1 844696290ba3f9e5d7fc9a9f6240a62fd2cef79a
SHA256 8a99a4d9d3c4ef6c1e0dc18a46755d71de8f933ea0a56dbd9fbca3d7d84ec7da
SHA512 e168919cf0edda2c2e40d2faa5247876d1ee331cd8879f95b4935b566152eb2eb12e701607b1c5326224aba35a2bd110d8cc8e63e53d7c55ee5b841957515e4f

C:\$Recycle.Bin\S-1-5-21-2178924671-3779044592-2825503497-1000\VVVVVVVVVVV

MD5 f24c0b089357588761cfa245b0029f07
SHA1 844696290ba3f9e5d7fc9a9f6240a62fd2cef79a
SHA256 8a99a4d9d3c4ef6c1e0dc18a46755d71de8f933ea0a56dbd9fbca3d7d84ec7da
SHA512 e168919cf0edda2c2e40d2faa5247876d1ee331cd8879f95b4935b566152eb2eb12e701607b1c5326224aba35a2bd110d8cc8e63e53d7c55ee5b841957515e4f

C:\$Recycle.Bin\S-1-5-21-2178924671-3779044592-2825503497-1000\UUUUUUUUUUU

MD5 f24c0b089357588761cfa245b0029f07
SHA1 844696290ba3f9e5d7fc9a9f6240a62fd2cef79a
SHA256 8a99a4d9d3c4ef6c1e0dc18a46755d71de8f933ea0a56dbd9fbca3d7d84ec7da
SHA512 e168919cf0edda2c2e40d2faa5247876d1ee331cd8879f95b4935b566152eb2eb12e701607b1c5326224aba35a2bd110d8cc8e63e53d7c55ee5b841957515e4f

C:\$Recycle.Bin\S-1-5-21-2178924671-3779044592-2825503497-1000\RRRRRRRRRRR

MD5 f24c0b089357588761cfa245b0029f07
SHA1 844696290ba3f9e5d7fc9a9f6240a62fd2cef79a
SHA256 8a99a4d9d3c4ef6c1e0dc18a46755d71de8f933ea0a56dbd9fbca3d7d84ec7da
SHA512 e168919cf0edda2c2e40d2faa5247876d1ee331cd8879f95b4935b566152eb2eb12e701607b1c5326224aba35a2bd110d8cc8e63e53d7c55ee5b841957515e4f

C:\$Recycle.Bin\S-1-5-21-2178924671-3779044592-2825503497-1000\QQQQQQQQQQQ

MD5 f24c0b089357588761cfa245b0029f07
SHA1 844696290ba3f9e5d7fc9a9f6240a62fd2cef79a
SHA256 8a99a4d9d3c4ef6c1e0dc18a46755d71de8f933ea0a56dbd9fbca3d7d84ec7da
SHA512 e168919cf0edda2c2e40d2faa5247876d1ee331cd8879f95b4935b566152eb2eb12e701607b1c5326224aba35a2bd110d8cc8e63e53d7c55ee5b841957515e4f

C:\$Recycle.Bin\S-1-5-21-2178924671-3779044592-2825503497-1000\PPPPPPPPPPP

MD5 f24c0b089357588761cfa245b0029f07
SHA1 844696290ba3f9e5d7fc9a9f6240a62fd2cef79a
SHA256 8a99a4d9d3c4ef6c1e0dc18a46755d71de8f933ea0a56dbd9fbca3d7d84ec7da
SHA512 e168919cf0edda2c2e40d2faa5247876d1ee331cd8879f95b4935b566152eb2eb12e701607b1c5326224aba35a2bd110d8cc8e63e53d7c55ee5b841957515e4f

C:\$Recycle.Bin\S-1-5-21-2178924671-3779044592-2825503497-1000\OOOOOOOOOOO

MD5 f24c0b089357588761cfa245b0029f07
SHA1 844696290ba3f9e5d7fc9a9f6240a62fd2cef79a
SHA256 8a99a4d9d3c4ef6c1e0dc18a46755d71de8f933ea0a56dbd9fbca3d7d84ec7da
SHA512 e168919cf0edda2c2e40d2faa5247876d1ee331cd8879f95b4935b566152eb2eb12e701607b1c5326224aba35a2bd110d8cc8e63e53d7c55ee5b841957515e4f

C:\$Recycle.Bin\S-1-5-21-2178924671-3779044592-2825503497-1000\NNNNNNNNNNN

MD5 f24c0b089357588761cfa245b0029f07
SHA1 844696290ba3f9e5d7fc9a9f6240a62fd2cef79a
SHA256 8a99a4d9d3c4ef6c1e0dc18a46755d71de8f933ea0a56dbd9fbca3d7d84ec7da
SHA512 e168919cf0edda2c2e40d2faa5247876d1ee331cd8879f95b4935b566152eb2eb12e701607b1c5326224aba35a2bd110d8cc8e63e53d7c55ee5b841957515e4f

C:\$Recycle.Bin\S-1-5-21-2178924671-3779044592-2825503497-1000\MMMMMMMMMMM

MD5 f24c0b089357588761cfa245b0029f07
SHA1 844696290ba3f9e5d7fc9a9f6240a62fd2cef79a
SHA256 8a99a4d9d3c4ef6c1e0dc18a46755d71de8f933ea0a56dbd9fbca3d7d84ec7da
SHA512 e168919cf0edda2c2e40d2faa5247876d1ee331cd8879f95b4935b566152eb2eb12e701607b1c5326224aba35a2bd110d8cc8e63e53d7c55ee5b841957515e4f

C:\$Recycle.Bin\S-1-5-21-2178924671-3779044592-2825503497-1000\LLLLLLLLLLL

MD5 f24c0b089357588761cfa245b0029f07
SHA1 844696290ba3f9e5d7fc9a9f6240a62fd2cef79a
SHA256 8a99a4d9d3c4ef6c1e0dc18a46755d71de8f933ea0a56dbd9fbca3d7d84ec7da
SHA512 e168919cf0edda2c2e40d2faa5247876d1ee331cd8879f95b4935b566152eb2eb12e701607b1c5326224aba35a2bd110d8cc8e63e53d7c55ee5b841957515e4f

C:\$Recycle.Bin\S-1-5-21-2178924671-3779044592-2825503497-1000\KKKKKKKKKKK

MD5 f24c0b089357588761cfa245b0029f07
SHA1 844696290ba3f9e5d7fc9a9f6240a62fd2cef79a
SHA256 8a99a4d9d3c4ef6c1e0dc18a46755d71de8f933ea0a56dbd9fbca3d7d84ec7da
SHA512 e168919cf0edda2c2e40d2faa5247876d1ee331cd8879f95b4935b566152eb2eb12e701607b1c5326224aba35a2bd110d8cc8e63e53d7c55ee5b841957515e4f

C:\$Recycle.Bin\S-1-5-21-2178924671-3779044592-2825503497-1000\JJJJJJJJJJJ

MD5 f24c0b089357588761cfa245b0029f07
SHA1 844696290ba3f9e5d7fc9a9f6240a62fd2cef79a
SHA256 8a99a4d9d3c4ef6c1e0dc18a46755d71de8f933ea0a56dbd9fbca3d7d84ec7da
SHA512 e168919cf0edda2c2e40d2faa5247876d1ee331cd8879f95b4935b566152eb2eb12e701607b1c5326224aba35a2bd110d8cc8e63e53d7c55ee5b841957515e4f

C:\$Recycle.Bin\S-1-5-21-2178924671-3779044592-2825503497-1000\IIIIIIIIIII

MD5 f24c0b089357588761cfa245b0029f07
SHA1 844696290ba3f9e5d7fc9a9f6240a62fd2cef79a
SHA256 8a99a4d9d3c4ef6c1e0dc18a46755d71de8f933ea0a56dbd9fbca3d7d84ec7da
SHA512 e168919cf0edda2c2e40d2faa5247876d1ee331cd8879f95b4935b566152eb2eb12e701607b1c5326224aba35a2bd110d8cc8e63e53d7c55ee5b841957515e4f

C:\$Recycle.Bin\S-1-5-21-2178924671-3779044592-2825503497-1000\HHHHHHHHHHH

MD5 f24c0b089357588761cfa245b0029f07
SHA1 844696290ba3f9e5d7fc9a9f6240a62fd2cef79a
SHA256 8a99a4d9d3c4ef6c1e0dc18a46755d71de8f933ea0a56dbd9fbca3d7d84ec7da
SHA512 e168919cf0edda2c2e40d2faa5247876d1ee331cd8879f95b4935b566152eb2eb12e701607b1c5326224aba35a2bd110d8cc8e63e53d7c55ee5b841957515e4f

C:\$Recycle.Bin\S-1-5-21-2178924671-3779044592-2825503497-1000\TTTTTTTTTTT

MD5 f24c0b089357588761cfa245b0029f07
SHA1 844696290ba3f9e5d7fc9a9f6240a62fd2cef79a
SHA256 8a99a4d9d3c4ef6c1e0dc18a46755d71de8f933ea0a56dbd9fbca3d7d84ec7da
SHA512 e168919cf0edda2c2e40d2faa5247876d1ee331cd8879f95b4935b566152eb2eb12e701607b1c5326224aba35a2bd110d8cc8e63e53d7c55ee5b841957515e4f

C:\$Recycle.Bin\S-1-5-21-2178924671-3779044592-2825503497-1000\GGGGGGGGGGG

MD5 f24c0b089357588761cfa245b0029f07
SHA1 844696290ba3f9e5d7fc9a9f6240a62fd2cef79a
SHA256 8a99a4d9d3c4ef6c1e0dc18a46755d71de8f933ea0a56dbd9fbca3d7d84ec7da
SHA512 e168919cf0edda2c2e40d2faa5247876d1ee331cd8879f95b4935b566152eb2eb12e701607b1c5326224aba35a2bd110d8cc8e63e53d7c55ee5b841957515e4f

C:\$Recycle.Bin\S-1-5-21-2178924671-3779044592-2825503497-1000\FFFFFFFFFFF

MD5 f24c0b089357588761cfa245b0029f07
SHA1 844696290ba3f9e5d7fc9a9f6240a62fd2cef79a
SHA256 8a99a4d9d3c4ef6c1e0dc18a46755d71de8f933ea0a56dbd9fbca3d7d84ec7da
SHA512 e168919cf0edda2c2e40d2faa5247876d1ee331cd8879f95b4935b566152eb2eb12e701607b1c5326224aba35a2bd110d8cc8e63e53d7c55ee5b841957515e4f

C:\$Recycle.Bin\S-1-5-21-2178924671-3779044592-2825503497-1000\EEEEEEEEEEE

MD5 f24c0b089357588761cfa245b0029f07
SHA1 844696290ba3f9e5d7fc9a9f6240a62fd2cef79a
SHA256 8a99a4d9d3c4ef6c1e0dc18a46755d71de8f933ea0a56dbd9fbca3d7d84ec7da
SHA512 e168919cf0edda2c2e40d2faa5247876d1ee331cd8879f95b4935b566152eb2eb12e701607b1c5326224aba35a2bd110d8cc8e63e53d7c55ee5b841957515e4f

C:\$Recycle.Bin\S-1-5-21-2178924671-3779044592-2825503497-1000\DDDDDDDDDDD

MD5 f24c0b089357588761cfa245b0029f07
SHA1 844696290ba3f9e5d7fc9a9f6240a62fd2cef79a
SHA256 8a99a4d9d3c4ef6c1e0dc18a46755d71de8f933ea0a56dbd9fbca3d7d84ec7da
SHA512 e168919cf0edda2c2e40d2faa5247876d1ee331cd8879f95b4935b566152eb2eb12e701607b1c5326224aba35a2bd110d8cc8e63e53d7c55ee5b841957515e4f

C:\$Recycle.Bin\S-1-5-21-2178924671-3779044592-2825503497-1000\CCCCCCCCCCC

MD5 f24c0b089357588761cfa245b0029f07
SHA1 844696290ba3f9e5d7fc9a9f6240a62fd2cef79a
SHA256 8a99a4d9d3c4ef6c1e0dc18a46755d71de8f933ea0a56dbd9fbca3d7d84ec7da
SHA512 e168919cf0edda2c2e40d2faa5247876d1ee331cd8879f95b4935b566152eb2eb12e701607b1c5326224aba35a2bd110d8cc8e63e53d7c55ee5b841957515e4f

C:\$Recycle.Bin\S-1-5-21-2178924671-3779044592-2825503497-1000\BBBBBBBBBBB

MD5 f24c0b089357588761cfa245b0029f07
SHA1 844696290ba3f9e5d7fc9a9f6240a62fd2cef79a
SHA256 8a99a4d9d3c4ef6c1e0dc18a46755d71de8f933ea0a56dbd9fbca3d7d84ec7da
SHA512 e168919cf0edda2c2e40d2faa5247876d1ee331cd8879f95b4935b566152eb2eb12e701607b1c5326224aba35a2bd110d8cc8e63e53d7c55ee5b841957515e4f

C:\$Recycle.Bin\S-1-5-21-2178924671-3779044592-2825503497-1000\AAAAAAAAAAA

MD5 f24c0b089357588761cfa245b0029f07
SHA1 844696290ba3f9e5d7fc9a9f6240a62fd2cef79a
SHA256 8a99a4d9d3c4ef6c1e0dc18a46755d71de8f933ea0a56dbd9fbca3d7d84ec7da
SHA512 e168919cf0edda2c2e40d2faa5247876d1ee331cd8879f95b4935b566152eb2eb12e701607b1c5326224aba35a2bd110d8cc8e63e53d7c55ee5b841957515e4f

C:\$Recycle.Bin\S-1-5-21-2178924671-3779044592-2825503497-1000\desktop.ini

MD5 f24c0b089357588761cfa245b0029f07
SHA1 844696290ba3f9e5d7fc9a9f6240a62fd2cef79a
SHA256 8a99a4d9d3c4ef6c1e0dc18a46755d71de8f933ea0a56dbd9fbca3d7d84ec7da
SHA512 e168919cf0edda2c2e40d2faa5247876d1ee331cd8879f95b4935b566152eb2eb12e701607b1c5326224aba35a2bd110d8cc8e63e53d7c55ee5b841957515e4f

C:\ruurOinjW.README.txt

MD5 4722dfe8c1e5ffe6c54311a49a7f29dc
SHA1 cbfc86adc51ed727c2278b61921216f5bbaef7e0
SHA256 aedb1db1e7a2a6011b9fba16c9d3630e66343f0fb28bd58148a8bfa1de1c1596
SHA512 9e02fa87bcda45ae90e4855aace4c0df63c94a292a10a388bda96360f143c1140542940ff9add17c027fc891f7dfe53ec7ccda13ea94c07397b43a69b6a78cfb

C:\Users\Admin\AppData\Local\Temp\LBLeak\Build\LB3Decryptor.exe

MD5 cf8a412ab7b10e2382934b8408362c3a
SHA1 f0d2446c607af7b3afd5a7ffdb99387a0270ba49
SHA256 59ce992bba8a9c29e6c4ac32f912b17026b22b77060b7f173f982ecd614e4f60
SHA512 14971e52ca4059fc3a1091004ea82435280eb1089d62dfd24ff0ada4528204a468353ed592cb3a938c750a278e4bffc4cd9040c62c00fa41493f1975d7265ccf

C:\Users\Admin\AppData\Local\Temp\LBLeak\Build\LB3Decryptor.exe

MD5 cf8a412ab7b10e2382934b8408362c3a
SHA1 f0d2446c607af7b3afd5a7ffdb99387a0270ba49
SHA256 59ce992bba8a9c29e6c4ac32f912b17026b22b77060b7f173f982ecd614e4f60
SHA512 14971e52ca4059fc3a1091004ea82435280eb1089d62dfd24ff0ada4528204a468353ed592cb3a938c750a278e4bffc4cd9040c62c00fa41493f1975d7265ccf

memory/3212-3377-0x00000229AAC00000-0x00000229AAC20000-memory.dmp

memory/3212-3381-0x00000229AABC0000-0x00000229AABE0000-memory.dmp

memory/3212-3383-0x00000229AAFD0000-0x00000229AAFF0000-memory.dmp

memory/4012-3483-0x0000000002840000-0x0000000002850000-memory.dmp

memory/4012-3484-0x0000000002840000-0x0000000002850000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\LBLeak\Build\LB3Decryptor.exe

MD5 cf8a412ab7b10e2382934b8408362c3a
SHA1 f0d2446c607af7b3afd5a7ffdb99387a0270ba49
SHA256 59ce992bba8a9c29e6c4ac32f912b17026b22b77060b7f173f982ecd614e4f60
SHA512 14971e52ca4059fc3a1091004ea82435280eb1089d62dfd24ff0ada4528204a468353ed592cb3a938c750a278e4bffc4cd9040c62c00fa41493f1975d7265ccf

C:\Users\Admin\AppData\Local\Temp\LBLeak\Build\ruurOinjW.README.txt

MD5 4722dfe8c1e5ffe6c54311a49a7f29dc
SHA1 cbfc86adc51ed727c2278b61921216f5bbaef7e0
SHA256 aedb1db1e7a2a6011b9fba16c9d3630e66343f0fb28bd58148a8bfa1de1c1596
SHA512 9e02fa87bcda45ae90e4855aace4c0df63c94a292a10a388bda96360f143c1140542940ff9add17c027fc891f7dfe53ec7ccda13ea94c07397b43a69b6a78cfb

C:\ProgramData\2628.tmp

MD5 294e9f64cb1642dd89229fff0592856b
SHA1 97b148c27f3da29ba7b18d6aee8a0db9102f47c9
SHA256 917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2
SHA512 b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

C:\ProgramData\2628.tmp

MD5 294e9f64cb1642dd89229fff0592856b
SHA1 97b148c27f3da29ba7b18d6aee8a0db9102f47c9
SHA256 917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2
SHA512 b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

C:\Users\Admin\AppData\Local\Temp\LBLeak\Build\DDDDDDD

MD5 3b3188cfa1daba94a3a1ec6f2eea9e0b
SHA1 280cbc13a194a003dabe5af54ebde5fa9e198ab0
SHA256 a12001a597d88c42765ef0876f2c2fd5a4ff1dbc0e4231edebc151f68047cc6f
SHA512 d55fdfe79397e43fd298275eb031f344c30312a4f984ec8175dacd860c57c3e59b97c04c8ae745ae8d19ad7c7740ef8c62f1aa6ae9dc73d7da0c4a4bbb039a81

memory/2080-3534-0x00007FF91D350000-0x00007FF91D360000-memory.dmp

memory/2080-3535-0x00007FF91D350000-0x00007FF91D360000-memory.dmp

memory/2080-3536-0x00007FF91D350000-0x00007FF91D360000-memory.dmp

memory/2080-3537-0x00007FF91D350000-0x00007FF91D360000-memory.dmp

memory/2080-3538-0x00007FF91D350000-0x00007FF91D360000-memory.dmp

memory/2080-3539-0x00007FF91B1A0000-0x00007FF91B1B0000-memory.dmp

memory/2080-3540-0x00007FF91B1A0000-0x00007FF91B1B0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\{D04CC6C8-F6F1-494F-A467-7C2A4D291078}

MD5 8b57089479f61111dbebb584bd4d81c0
SHA1 0d83fe15741448885f666872ef2349d25a2e102f
SHA256 2be83bb38102d1c06a44f5aa01ac6e765ebcdcfc76a93603deed6baa68aba1bb
SHA512 9bbfa45eadb54e321c2241dc6c8206c9daf6db9fc9ed41ca439c1990b6a4c634ebe2ebfaea6c0390663f406af0aec79470cec2cd24d98e2c306d9ae7daf6cbd9

C:\Users\Admin\Documents\OneNote Notebooks\My Notebook\Open Notebook.onetoc2

MD5 c9ba50ddd5b4c49a33735036f6bd305f
SHA1 5de3c543e6bc71d2cd61c3a207ba4cb5ee630f6c
SHA256 832991a252e06b01472c6cdc5ce00b169a76ed2b7158e141d3f11563acaaa612
SHA512 e9ab311feab70ce0b687025eed0070bffaa5e149353e8a2c3b8205c690bb2d85b74f45ddd194341aa0599d2737a416abd66155a44a1ae1e07ea4d530b005be33

memory/2080-3566-0x00007FF91D350000-0x00007FF91D360000-memory.dmp

memory/2080-3567-0x00007FF91D350000-0x00007FF91D360000-memory.dmp

memory/2080-3568-0x00007FF91D350000-0x00007FF91D360000-memory.dmp

memory/2080-3569-0x00007FF91D350000-0x00007FF91D360000-memory.dmp

\??\pipe\crashpad_3680_DOQAJPZLNGRHDJKQ

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Google Profile.ico

MD5 ef36a84ad2bc23f79d171c604b56de29
SHA1 38d6569cd30d096140e752db5d98d53cf304a8fc
SHA256 e9eecf02f444877e789d64c2290d6922bd42e2f2fe9c91a1381959acd3292831
SHA512 dbb28281f8fa86d9084a0c3b3cdb6007c68aa038d8c28fe9b69ac0c1be6dc2141ca1b2d6a444821e25ace8e92fb35c37c89f8bce5fee33d6937e48b2759fa8be

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 0e58f041142ad18e9a2d0fd4864a27dc
SHA1 1115ea75ed48daccf3e4aa250266ef882147cd8e
SHA256 6625402501cb838ae1cf6c1383d20ab55f05684e4fab309f61b2fc34a8bec47b
SHA512 e078ca41c70d3800bded726f43966ae1078f8571498ac166045cd1e75477e08854e93797dd61c67db3e812572eb1d407a39f2de5c15a21488e86a26134bb922d

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

MD5 9c15e76e983adf6a8c75bae2bc944d2e
SHA1 5d55fd5c076c35902e74043d9f697f9d824c08b9
SHA256 e0aca73820dd79736fb55467cba66131e0346c2887b22d6c979d1f27b480b978
SHA512 8135ca0419f0464516a58ad48e55ae59a1c40eaa7f849a40d5b3add97491ba45e07377ccd443db453905a4a4f1873ce1443f40329cb9d0ea858eb99dd6384f2e

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State~RFe5b9017.TMP

MD5 d4e4cf4ef4a16a7313985a3830ca7384
SHA1 a97c5ec122966b4347f5313bc7b2424442ff94df
SHA256 a1322a32460a0f1c4effcd3d2e5e4cf64f7347c8a6b55496673d7776f6a84a90
SHA512 a591f3d7a1009387057d17bc331a6ff92ca3740e9f75babd58a43b2e3f9c892591b0074b1c99d8d95094ce7b58fd50a426e1775b4ab2c1d93cb7816cc417b3e4

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

MD5 ff6d9f3cee0b9e1f2af360ce1709419a
SHA1 220b5098fd26e6d821cd37a905e6f694157b4fd8
SHA256 a1b2ba848988160a897cfe6eca6b97fe616d68f81dd75776aaf2bd478c8fc266
SHA512 0bbd879dada2a91b999dd45d48b8a4101f27d55ce0d5f668763a5fad4211ec42ae4d44501116b2c6bc6dcc1b5e0f59f5818c8e940db2a396f42484d8ffcd53c1

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\f6279498-8af2-4888-a4b5-da4ff0ff732a.tmp

MD5 2b1a9333b79e3ecf3e2ecc0e7bc6bc44
SHA1 402281b1ef7c84e20769b0ce611355851a8b39a2
SHA256 d1769d8aad9332294c08b3e7e3df8889588a9ca93e09bace82809bd5ad376c76
SHA512 36c7026f10936803eda7c892069b824eb661bad7c30bd81c0f594048747bfe3d5e0404095c08a1e6c332bd8d0b5181fe3e3d8edcfd56c9468c0cbf9108e18203

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\data_0

MD5 cf89d16bb9107c631daabf0c0ee58efb
SHA1 3ae5d3a7cf1f94a56e42f9a58d90a0b9616ae74b
SHA256 d6a5fe39cd672781b256e0e3102f7022635f1d4bb7cfcc90a80fffe4d0f3877e
SHA512 8cb5b059c8105eb91e74a7d5952437aaa1ada89763c5843e7b0f1b93d9ebe15ed40f287c652229291fac02d712cf7ff5ececef276ba0d7ddc35558a3ec3f77b0

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\data_1

MD5 f50f89a0a91564d0b8a211f8921aa7de
SHA1 112403a17dd69d5b9018b8cede023cb3b54eab7d
SHA256 b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec
SHA512 bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\data_2

MD5 0962291d6d367570bee5454721c17e11
SHA1 59d10a893ef321a706a9255176761366115bedcb
SHA256 ec1702806f4cc7c42a82fc2b38e89835fde7c64bb32060e0823c9077ca92efb7
SHA512 f555e961b69e09628eaf9c61f465871e6984cd4d31014f954bb747351dad9cea6d17c1db4bca2c1eb7f187cb5f3c0518748c339c8b43bbd1dbd94aeaa16f58ed

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\data_3

MD5 41876349cb12d6db992f1309f22df3f0
SHA1 5cf26b3420fc0302cd0a71e8d029739b8765be27
SHA256 e09f42c398d688dce168570291f1f92d079987deda3099a34adb9e8c0522b30c
SHA512 e9a4fc1f7cb6ae2901f8e02354a92c4aaa7a53c640dcf692db42a27a5acc2a3bfb25a0de0eb08ab53983132016e7d43132ea4292e439bb636aafd53fb6ef907e

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\reports\ruurOinjW.README.txt

MD5 4722dfe8c1e5ffe6c54311a49a7f29dc
SHA1 cbfc86adc51ed727c2278b61921216f5bbaef7e0
SHA256 aedb1db1e7a2a6011b9fba16c9d3630e66343f0fb28bd58148a8bfa1de1c1596
SHA512 9e02fa87bcda45ae90e4855aace4c0df63c94a292a10a388bda96360f143c1140542940ff9add17c027fc891f7dfe53ec7ccda13ea94c07397b43a69b6a78cfb
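The listing above is a flat dump in a fixed layout: a path line, then MD5, SHA1, SHA256 and SHA512 lines. Read by eye it hides two things worth noticing: every one of the $Recycle.Bin entries and the desktop.ini next to them carry the same digest, and the ruurOinjW.README.txt note is written to three locations, while some records (LB3Decryptor.exe, 2628.tmp) are repeated verbatim. The Python below is an added example, not part of the sandbox report: it parses that layout into records, collapses verbatim repeats, groups paths that share a SHA256, and flags entries whose digest is that of a zero-byte file (the crashpad pipe). The sample text is a constructed excerpt copied from the listing with the SHA512 lines left out; the ransom-note pattern (a nine-character ID followed by .README.txt) is an assumption generalised from the single note name in this report.

```python
from __future__ import annotations
import hashlib
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Each record in the listing is a path line followed by MD5/SHA1/SHA256/SHA512 lines.
HASH_LINE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+([0-9a-fA-F]+)$")
DIGEST_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
EMPTY_SHA256 = hashlib.sha256(b"").hexdigest()  # zero-byte content, e.g. the crashpad pipe
# Assumption: note name is <9-char ID>.README.txt, generalised from ruurOinjW.README.txt.
RANSOM_NOTE = re.compile(r"\\[A-Za-z0-9]{9}\.README\.txt$")

# Constructed excerpt copied from the listing above; SHA512 lines omitted (the parser accepts them).
SAMPLE = r"""
C:\$Recycle.Bin\S-1-5-21-2178924671-3779044592-2825503497-1000\AAAAAAAAAAA
MD5 f24c0b089357588761cfa245b0029f07
SHA1 844696290ba3f9e5d7fc9a9f6240a62fd2cef79a
SHA256 8a99a4d9d3c4ef6c1e0dc18a46755d71de8f933ea0a56dbd9fbca3d7d84ec7da

C:\$Recycle.Bin\S-1-5-21-2178924671-3779044592-2825503497-1000\desktop.ini
MD5 f24c0b089357588761cfa245b0029f07
SHA1 844696290ba3f9e5d7fc9a9f6240a62fd2cef79a
SHA256 8a99a4d9d3c4ef6c1e0dc18a46755d71de8f933ea0a56dbd9fbca3d7d84ec7da

C:\ruurOinjW.README.txt
MD5 4722dfe8c1e5ffe6c54311a49a7f29dc
SHA1 cbfc86adc51ed727c2278b61921216f5bbaef7e0
SHA256 aedb1db1e7a2a6011b9fba16c9d3630e66343f0fb28bd58148a8bfa1de1c1596

C:\Users\Admin\AppData\Local\Temp\LBLeak\Build\LB3Decryptor.exe
MD5 cf8a412ab7b10e2382934b8408362c3a
SHA1 f0d2446c607af7b3afd5a7ffdb99387a0270ba49
SHA256 59ce992bba8a9c29e6c4ac32f912b17026b22b77060b7f173f982ecd614e4f60

C:\Users\Admin\AppData\Local\Temp\LBLeak\Build\LB3Decryptor.exe
MD5 cf8a412ab7b10e2382934b8408362c3a
SHA1 f0d2446c607af7b3afd5a7ffdb99387a0270ba49
SHA256 59ce992bba8a9c29e6c4ac32f912b17026b22b77060b7f173f982ecd614e4f60

\??\pipe\crashpad_3680_DOQAJPZLNGRHDJKQ
MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\reports\ruurOinjW.README.txt
MD5 4722dfe8c1e5ffe6c54311a49a7f29dc
SHA1 cbfc86adc51ed727c2278b61921216f5bbaef7e0
SHA256 aedb1db1e7a2a6011b9fba16c9d3630e66343f0fb28bd58148a8bfa1de1c1596
"""

@dataclass
class FileEntry:
    path: str
    hashes: dict[str, str] = field(default_factory=dict)  # stays empty for memory-dump lines

def parse_files_section(text: str) -> list[FileEntry]:
    """Any non-digest line starts a new record; digest lines attach to the current record."""
    entries: list[FileEntry] = []
    current: FileEntry | None = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HASH_LINE.match(line)
        if m is None:
            current = FileEntry(path=line)
            entries.append(current)
        elif current is None:
            raise ValueError(f"digest before any path: {line}")
        else:
            algo, digest = m.group(1), m.group(2).lower()
            if len(digest) != DIGEST_LEN[algo]:  # a truncated IOC is worse than none
                raise ValueError(f"{current.path}: {algo} digest has wrong length")
            current.hashes[algo] = digest
    return entries

def dedupe(entries: list[FileEntry]) -> list[FileEntry]:
    """Collapse verbatim repeats (same path, same digests), as with LB3Decryptor.exe above."""
    seen: set[tuple] = set()
    out: list[FileEntry] = []
    for e in entries:
        key = (e.path, tuple(sorted(e.hashes.items())))
        if key not in seen:
            seen.add(key)
            out.append(e)
    return out

def triage(entries: list[FileEntry]) -> dict:
    """What an analyst checks first: note locations, zero-byte artefacts, content dropped in several places."""
    by_sha256: dict[str, list[str]] = defaultdict(list)
    for e in entries:
        if "SHA256" in e.hashes:
            by_sha256[e.hashes["SHA256"]].append(e.path)
    return {
        "notes": sorted(e.path for e in entries if RANSOM_NOTE.search(e.path)),
        "empty": [e.path for e in entries if e.hashes.get("SHA256") == EMPTY_SHA256],
        "shared": {h: p for h, p in by_sha256.items() if len(p) > 1},
    }
```

Running triage(dedupe(parse_files_section(SAMPLE))) on the excerpt reports the note at two locations, the crashpad pipe as zero-byte, one SHA256 shared by the $Recycle.Bin file and desktop.ini, and one shared by the two note copies; fed the full listing it shows the same single digest across every $Recycle.Bin entry. The shared-content digests and note paths are the host indicators to carry forward; the Chrome profile and ShaderCache records need the process context from the Processes section before they are treated as anything more than browser writes.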