blackmatter | b2c3beda4b000a3d9af0a457d6d942ec81696f3ed485f7cf723b18008a5f3d10

Resubmissions

08-07-2024 18:01

240708-wl5ffsterh 10

08-07-2024 17:58

240708-wj81vs1dpq 10

Analysis

max time kernel
165s
max time network
160s
platform
windows10-2004_x64
resource
win10v2004-20240704-en
resource tags

arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system
submitted
08-07-2024 18:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Lockbit 3 Builder.7z
Size

139KB
MD5

c9c2f3805f0012628e9d62e8f75af4dd
SHA1

b6269b1fc8813b93c11ec6066dc33d9f99f2e431
SHA256

b2c3beda4b000a3d9af0a457d6d942ec81696f3ed485f7cf723b18008a5f3d10
SHA512

ed4cb425807bbef4da92fe9e17b78746e096612e6006521279162379b2fc65f8dec7647e9c5403c6a74e6eb9b61dce7ca1c74c65d77aafbd0719be79cb1d70ff
SSDEEP

3072:pYWJsCuSlRODbWhyyZZsZ77n4s31uZzd2ppyMPOLOcrgCz:pbuSlicZyx4W1uLYpyMPOLjhz

Score

10^/10

blackmatter lockbit ransomware spyware stealer

Malware Config

Extracted

Family

blackmatter

Version

65.239

Extracted

Path

C:\VUMgQG2yL.README.txt

Family

lockbit

Ransom Note

~~~ LockBit 3.0 the world's fastest ransomware since 2019~~~ >>>> Your data are stolen and encrypted The data will be published on TOR website if you do not pay the ransom Links for Tor Browser: http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion http://lockbitapt5x4zkjbcqmz6frdhecqqgadevyiwqxukksspnlidyvd7qd.onion http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion http://lockbitapt34kvrip6xojylohhxrwsvpzdffgs5z4pbbsywnzsbdguqd.onion http://lockbitaptc2iq4atewz2ise62q63wfktyrl4qtwuk5qax262kgtzjqd.onion http://lockbitaptjpikdqjynvgozhgc6bgetgucdk5xjacozeaawihmoio6yd.onion http://lockbitaptq7ephv2oigdncfhtwhpqgwmqojnxqdyhprxxfpcllqdxad.onion http://lockbitaptstzf3er2lz6ku3xuifafq2yh5lmiqj5ncur6rtlmkteiqd.onion http://lockbitaptoofrpignlz6dt2wqqc5z3a4evjevoa3eqdfcntxad5lmyd.onion Links for the normal browser http://lockbitapt.uz http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion.ly http://lockbitapt5x4zkjbcqmz6frdhecqqgadevyiwqxukksspnlidyvd7qd.onion.ly http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion.ly http://lockbitapt34kvrip6xojylohhxrwsvpzdffgs5z4pbbsywnzsbdguqd.onion.ly http://lockbitaptc2iq4atewz2ise62q63wfktyrl4qtwuk5qax262kgtzjqd.onion.ly http://lockbitaptjpikdqjynvgozhgc6bgetgucdk5xjacozeaawihmoio6yd.onion.ly http://lockbitaptq7ephv2oigdncfhtwhpqgwmqojnxqdyhprxxfpcllqdxad.onion.ly http://lockbitaptstzf3er2lz6ku3xuifafq2yh5lmiqj5ncur6rtlmkteiqd.onion.ly http://lockbitaptoofrpignlz6dt2wqqc5z3a4evjevoa3eqdfcntxad5lmyd.onion.ly >>>> What guarantees that we will not deceive you? We are not a politically motivated group and we do not need anything other than your money. If you pay, we will provide you the programs for decryption and we will delete your data. Life is too short to be sad. Be not sad, money, it is only paper. If we do not give you decrypters, or we do not delete your data after payment, then nobody will pay us in the future. Therefore to us our reputation is very important. We attack the companies worldwide and there is no dissatisfied victim after payment. You can obtain information about us on twitter https://twitter.com/hashtag/lockbit?f=live >>>> You need contact us and decrypt one file for free on these TOR sites with your personal DECRYPTION ID Download and install TOR Browser https://www.torproject.org/ Write to a chat and wait for the answer, we will always answer you. Sometimes you will need to wait for our answer because we attack many companies. Links for Tor Browser: http://lockbitsupt7nr3fa6e7xyb73lk6bw6rcneqhoyblniiabj4uwvzapqd.onion http://lockbitsupuhswh4izvoucoxsbnotkmgq6durg7kficg6u33zfvq3oyd.onion http://lockbitsupn2h6be2cnqpvncyhj4rgmnwn44633hnzzmtxdvjoqlp7yd.onion Link for the normal browser http://lockbitsupp.uz If you do not get an answer in the chat room for a long time, the site does not work and in any other emergency, you can contact us in jabber or tox. Tox ID LockBitSupp: 3085B89A0C515D2FB124D645906F5D3DA5CB97CEBEA975959AE4F95302A04E1D709C3C4AE9B7 XMPP (Jabber) Support: [email protected] [email protected] >>>> Your personal DECRYPTION ID: 55AAE02C2A0C3738768AE3E6AF10E3B5 >>>> Warning! Do not DELETE or MODIFY any files, it can lead to recovery problems! >>>> Warning! If you do not pay the ransom we will attack your company repeatedly again! >>>> Advertisement Would you like to earn millions of dollars $$$ ? Our company acquire access to networks of various companies, as well as insider information that can help you steal the most valuable data of any company. You can provide us accounting data for the access to any company, for example, login and password to RDP, VPN, corporate email, etc. Open our letter at your email. Launch the provided virus on any computer in your company. You can do it both using your work computer or the computer of any other employee in order to divert suspicion of being in collusion with us. Companies pay us the foreclosure for the decryption of files and prevention of data leak. You can contact us using Tox messenger without registration and SMS https://tox.chat/download.html. Using Tox messenger, we will never know your real name, it means your privacy is guaranteed. If you want to contact us, write in jabber or tox. Tox ID LockBitSupp: 3085B89A0C515D2FB124D645906F5D3DA5CB97CEBEA975959AE4F95302A04E1D709C3C4AE9B7 XMPP (Jabber) Support: [email protected] [email protected] If this contact is expired, and we do not respond you, look for the relevant contact data on our website via Tor or Brave browser Links for Tor Browser: http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion http://lockbitapt5x4zkjbcqmz6frdhecqqgadevyiwqxukksspnlidyvd7qd.onion http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion http://lockbitapt34kvrip6xojylohhxrwsvpzdffgs5z4pbbsywnzsbdguqd.onion http://lockbitaptc2iq4atewz2ise62q63wfktyrl4qtwuk5qax262kgtzjqd.onion http://lockbitaptjpikdqjynvgozhgc6bgetgucdk5xjacozeaawihmoio6yd.onion http://lockbitaptq7ephv2oigdncfhtwhpqgwmqojnxqdyhprxxfpcllqdxad.onion http://lockbitaptstzf3er2lz6ku3xuifafq2yh5lmiqj5ncur6rtlmkteiqd.onion http://lockbitaptoofrpignlz6dt2wqqc5z3a4evjevoa3eqdfcntxad5lmyd.onion Links for the normal browser http://lockbitapt.uz http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion.ly http://lockbitapt5x4zkjbcqmz6frdhecqqgadevyiwqxukksspnlidyvd7qd.onion.ly http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion.ly http://lockbitapt34kvrip6xojylohhxrwsvpzdffgs5z4pbbsywnzsbdguqd.onion.ly http://lockbitaptc2iq4atewz2ise62q63wfktyrl4qtwuk5qax262kgtzjqd.onion.ly http://lockbitaptjpikdqjynvgozhgc6bgetgucdk5xjacozeaawihmoio6yd.onion.ly http://lockbitaptq7ephv2oigdncfhtwhpqgwmqojnxqdyhprxxfpcllqdxad.onion.ly http://lockbitaptstzf3er2lz6ku3xuifafq2yh5lmiqj5ncur6rtlmkteiqd.onion.ly http://lockbitaptoofrpignlz6dt2wqqc5z3a4evjevoa3eqdfcntxad5lmyd.onion.ly

Emails

[email protected]

URLs

http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion

http://lockbitapt5x4zkjbcqmz6frdhecqqgadevyiwqxukksspnlidyvd7qd.onion

http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion

http://lockbitapt34kvrip6xojylohhxrwsvpzdffgs5z4pbbsywnzsbdguqd.onion

http://lockbitaptc2iq4atewz2ise62q63wfktyrl4qtwuk5qax262kgtzjqd.onion

http://lockbitaptjpikdqjynvgozhgc6bgetgucdk5xjacozeaawihmoio6yd.onion

http://lockbitaptq7ephv2oigdncfhtwhpqgwmqojnxqdyhprxxfpcllqdxad.onion

http://lockbitaptstzf3er2lz6ku3xuifafq2yh5lmiqj5ncur6rtlmkteiqd.onion

http://lockbitaptoofrpignlz6dt2wqqc5z3a4evjevoa3eqdfcntxad5lmyd.onion

http://lockbitapt.uz

http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion.ly

http://lockbitapt5x4zkjbcqmz6frdhecqqgadevyiwqxukksspnlidyvd7qd.onion.ly

http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion.ly

http://lockbitapt34kvrip6xojylohhxrwsvpzdffgs5z4pbbsywnzsbdguqd.onion.ly

http://lockbitaptc2iq4atewz2ise62q63wfktyrl4qtwuk5qax262kgtzjqd.onion.ly

http://lockbitaptjpikdqjynvgozhgc6bgetgucdk5xjacozeaawihmoio6yd.onion.ly

http://lockbitaptq7ephv2oigdncfhtwhpqgwmqojnxqdyhprxxfpcllqdxad.onion.ly

http://lockbitaptstzf3er2lz6ku3xuifafq2yh5lmiqj5ncur6rtlmkteiqd.onion.ly

http://lockbitaptoofrpignlz6dt2wqqc5z3a4evjevoa3eqdfcntxad5lmyd.onion.ly

https://twitter.com/hashtag/lockbit?f=live

Signatures

BlackMatter Ransomware
BlackMatter ransomware group claims to be Darkside and REvil succesor.
ransomware blackmatter
Lockbit
Ransomware family with multiple variants released since late 2019.
ransomware lockbit

Rule to detect Lockbit 3.0 ransomware Windows payload 11 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\Desktop\LBLeak\builder.exe	family_lockbit
C:\Users\Admin\Desktop\LBLeak\Build\LB3.exe	family_lockbit
C:\Users\Admin\Desktop\LBLeak\Build\LB3_Rundll32_pass.dll	family_lockbit
C:\Users\Admin\Desktop\LBLeak\Build\LB3_pass.exe	family_lockbit
C:\Users\Admin\Desktop\LBLeak\Build\LB3_pass.exe	family_lockbit
C:\Users\Admin\Desktop\LBLeak\Build\LB3.exe	family_lockbit
C:\Users\Admin\Desktop\LBLeak\Build\LB3_Rundll32_pass.dll	family_lockbit
C:\Users\Admin\Desktop\LBLeak\Build\LB3_pass.exe	family_lockbit
behavioral1/memory/2456-100-0x0000000000400000-0x0000000000429000-memory.dmp	family_lockbit
behavioral1/memory/2456-102-0x0000000000400000-0x0000000000429000-memory.dmp	family_lockbit
C:\Users\Admin\Desktop\LB3.exe	family_lockbit

Renames multiple (584) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

B07B.tmp

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-587429654-1855694383-2268796072-1000\Control Panel\International\Geo\Nation B07B.tmp

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-587429654-1855694383-2268796072-1000\Control Panel\International\Geo\Nation	B07B.tmp

Executes dropped EXE 30 IoCs

Processes:

keygen.exebuilder.exebuilder.exebuilder.exebuilder.exebuilder.exebuilder.exekeygen.exebuilder.exebuilder.exebuilder.exebuilder.exebuilder.exebuilder.exekeygen.exebuilder.exebuilder.exebuilder.exebuilder.exebuilder.exebuilder.exebuilder.exebuilder.exekeygen.exebuilder.exeLB3Decryptor.exeLB3_pass.exeLB3.exeB07B.tmpLB3Decryptor.exe

pid	process
1608	keygen.exe
4808	builder.exe
3452	builder.exe
1264	builder.exe
4008	builder.exe
4360	builder.exe
2704	builder.exe
4024	keygen.exe
3236	builder.exe
1236	builder.exe
1592	builder.exe
3656	builder.exe
4492	builder.exe
4268	builder.exe
2232	keygen.exe
2220	builder.exe
2868	builder.exe
2228	builder.exe
1004	builder.exe
4812	builder.exe
228	builder.exe
2208	builder.exe
2652	builder.exe
3752	keygen.exe
3664	builder.exe
4888	LB3Decryptor.exe
2456	LB3_pass.exe
2800	LB3.exe
1940	B07B.tmp
5712	LB3Decryptor.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops desktop.ini file(s) 2 IoCs

Processes:

LB3.exe

description	ioc	process
File opened for modification	C:\$Recycle.Bin\S-1-5-21-587429654-1855694383-2268796072-1000\desktop.ini	LB3.exe
File opened for modification	F:\$RECYCLE.BIN\S-1-5-21-587429654-1855694383-2268796072-1000\desktop.ini	LB3.exe

Drops file in System32 directory 4 IoCs

Processes:

printfilterpipelinesvc.exesplwow64.exe

description	ioc	process
File created	C:\Windows\system32\spool\PRINTERS\PP42n0el3erby9qkcj2xrdp65md.TMP	printfilterpipelinesvc.exe
File created	C:\Windows\system32\spool\PRINTERS\PPt0mh2z2fah4tokqtyhg4tgzq.TMP	printfilterpipelinesvc.exe
File created	C:\Windows\system32\spool\PRINTERS\PP09nezjuhvmqfdgi_k_ig0mc0c.TMP	printfilterpipelinesvc.exe
File created	C:\Windows\system32\spool\PRINTERS\00002.SPL	splwow64.exe

Sets desktop wallpaper using registry 2 TTPs 3 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

LB3.exeLB3Decryptor.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-587429654-1855694383-2268796072-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\VUMgQG2yL.bmp"	LB3.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-587429654-1855694383-2268796072-1000\Control Panel\Desktop\WallPaper	LB3Decryptor.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-587429654-1855694383-2268796072-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\VUMgQG2yL.bmp"	LB3.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 7 IoCs

Processes:

LB3Decryptor.exeLB3.exeB07B.tmpLB3Decryptor.exe

pid process

4888 LB3Decryptor.exe
2800 LB3.exe
2800 LB3.exe
2800 LB3.exe
2800 LB3.exe
1940 B07B.tmp
5712 LB3Decryptor.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3620 2456 WerFault.exe LB3_pass.exe

pid	pid_target	process	target process
3620	2456	WerFault.exe	LB3_pass.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

ONENOTE.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	ONENOTE.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	ONENOTE.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	ONENOTE.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

ONENOTE.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	ONENOTE.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	ONENOTE.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	ONENOTE.EXE

Modifies Control Panel 3 IoCs

evasion

Processes:

LB3.exeLB3Decryptor.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-587429654-1855694383-2268796072-1000\Control Panel\Desktop	LB3.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-587429654-1855694383-2268796072-1000\Control Panel\Desktop\WallpaperStyle = "10"	LB3.exe
Key created	\REGISTRY\USER\S-1-5-21-587429654-1855694383-2268796072-1000\Control Panel\Desktop	LB3Decryptor.exe

Modifies registry class 11 IoCs

Processes:

OpenWith.exeLB3.exeLB3Decryptor.execmd.exeOpenWith.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-587429654-1855694383-2268796072-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.VUMgQG2yL	LB3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.VUMgQG2yL\ = "VUMgQG2yL"	LB3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\VUMgQG2yL\DefaultIcon\ = "C:\\ProgramData\\VUMgQG2yL.ico"	LB3.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\VUMGQG2YL\DEFAULTICON	LB3Decryptor.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\VUMgQG2yL	LB3Decryptor.exe
Key created	\REGISTRY\USER\S-1-5-21-587429654-1855694383-2268796072-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-587429654-1855694383-2268796072-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\VUMgQG2yL\DefaultIcon	LB3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\VUMgQG2yL	LB3.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\.VUMGQG2YL	LB3Decryptor.exe

Opens file in notepad (likely ransom note) 5 IoCs
ransomware

Processes:

NOTEPAD.EXENOTEPAD.EXENOTEPAD.EXENOTEPAD.EXENOTEPAD.EXE

pid process

1396 NOTEPAD.EXE
404 NOTEPAD.EXE
4604 NOTEPAD.EXE
372 NOTEPAD.EXE
1516 NOTEPAD.EXE
Suspicious behavior: AddClipboardFormatListener 3 IoCs

Processes:

vlc.exeONENOTE.EXE

pid process

3312 vlc.exe
4004 ONENOTE.EXE
4004 ONENOTE.EXE

pid	process
1396	NOTEPAD.EXE
404	NOTEPAD.EXE
4604	NOTEPAD.EXE
372	NOTEPAD.EXE
1516	NOTEPAD.EXE

pid	process
3312	vlc.exe
4004	ONENOTE.EXE
4004	ONENOTE.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

LB3Decryptor.exeLB3.exe

pid	process
4888	LB3Decryptor.exe
4888	LB3Decryptor.exe
2800	LB3.exe
2800	LB3.exe
2800	LB3.exe
2800	LB3.exe
2800	LB3.exe
2800	LB3.exe
2800	LB3.exe
2800	LB3.exe
2800	LB3.exe
2800	LB3.exe
2800	LB3.exe
2800	LB3.exe
2800	LB3.exe
2800	LB3.exe
2800	LB3.exe
2800	LB3.exe
2800	LB3.exe
2800	LB3.exe
2800	LB3.exe
2800	LB3.exe
2800	LB3.exe
2800	LB3.exe
2800	LB3.exe
2800	LB3.exe
2800	LB3.exe
2800	LB3.exe
2800	LB3.exe
2800	LB3.exe
2800	LB3.exe
2800	LB3.exe
2800	LB3.exe
2800	LB3.exe
2800	LB3.exe
2800	LB3.exe
2800	LB3.exe
2800	LB3.exe
2800	LB3.exe
2800	LB3.exe
2800	LB3.exe
2800	LB3.exe
2800	LB3.exe
2800	LB3.exe
2800	LB3.exe
2800	LB3.exe
2800	LB3.exe
2800	LB3.exe
2800	LB3.exe
2800	LB3.exe
2800	LB3.exe
2800	LB3.exe
2800	LB3.exe
2800	LB3.exe
2800	LB3.exe
2800	LB3.exe
2800	LB3.exe
2800	LB3.exe
2800	LB3.exe
2800	LB3.exe
2800	LB3.exe
2800	LB3.exe
2800	LB3.exe
2800	LB3.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

vlc.exe

pid process

3312 vlc.exe
Suspicious behavior: RenamesItself 2 IoCs

Processes:

LB3.exeLB3Decryptor.exe

pid process

2800 LB3.exe
5712 LB3Decryptor.exe

pid	process
3312	vlc.exe

pid	process
2800	LB3.exe
5712	LB3Decryptor.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

7zG.exeLB3Decryptor.exeLB3.exe

description	pid	process
Token: SeRestorePrivilege	4156	7zG.exe
Token: 35	4156	7zG.exe
Token: SeSecurityPrivilege	4156	7zG.exe
Token: SeSecurityPrivilege	4156	7zG.exe
Token: SeBackupPrivilege	4888	LB3Decryptor.exe
Token: SeDebugPrivilege	4888	LB3Decryptor.exe
Token: 36	4888	LB3Decryptor.exe
Token: SeImpersonatePrivilege	4888	LB3Decryptor.exe
Token: SeIncBasePriorityPrivilege	4888	LB3Decryptor.exe
Token: SeIncreaseQuotaPrivilege	4888	LB3Decryptor.exe
Token: 33	4888	LB3Decryptor.exe
Token: SeManageVolumePrivilege	4888	LB3Decryptor.exe
Token: SeProfSingleProcessPrivilege	4888	LB3Decryptor.exe
Token: SeRestorePrivilege	4888	LB3Decryptor.exe
Token: SeSecurityPrivilege	4888	LB3Decryptor.exe
Token: SeSystemProfilePrivilege	4888	LB3Decryptor.exe
Token: SeTakeOwnershipPrivilege	4888	LB3Decryptor.exe
Token: SeAssignPrimaryTokenPrivilege	2800	LB3.exe
Token: SeBackupPrivilege	2800	LB3.exe
Token: SeDebugPrivilege	2800	LB3.exe
Token: 36	2800	LB3.exe
Token: SeImpersonatePrivilege	2800	LB3.exe
Token: SeIncBasePriorityPrivilege	2800	LB3.exe
Token: SeIncreaseQuotaPrivilege	2800	LB3.exe
Token: 33	2800	LB3.exe
Token: SeManageVolumePrivilege	2800	LB3.exe
Token: SeProfSingleProcessPrivilege	2800	LB3.exe
Token: SeRestorePrivilege	2800	LB3.exe
Token: SeSecurityPrivilege	2800	LB3.exe
Token: SeSystemProfilePrivilege	2800	LB3.exe
Token: SeTakeOwnershipPrivilege	2800	LB3.exe
Token: SeShutdownPrivilege	2800	LB3.exe
Token: SeDebugPrivilege	2800	LB3.exe
Token: SeBackupPrivilege	2800	LB3.exe
Token: SeBackupPrivilege	2800	LB3.exe
Token: SeSecurityPrivilege	2800	LB3.exe
Token: SeSecurityPrivilege	2800	LB3.exe
Token: SeBackupPrivilege	2800	LB3.exe
Token: SeBackupPrivilege	2800	LB3.exe
Token: SeSecurityPrivilege	2800	LB3.exe
Token: SeSecurityPrivilege	2800	LB3.exe
Token: SeBackupPrivilege	2800	LB3.exe
Token: SeBackupPrivilege	2800	LB3.exe
Token: SeSecurityPrivilege	2800	LB3.exe
Token: SeSecurityPrivilege	2800	LB3.exe
Token: SeBackupPrivilege	2800	LB3.exe
Token: SeBackupPrivilege	2800	LB3.exe
Token: SeSecurityPrivilege	2800	LB3.exe
Token: SeSecurityPrivilege	2800	LB3.exe
Token: SeBackupPrivilege	2800	LB3.exe
Token: SeBackupPrivilege	2800	LB3.exe
Token: SeSecurityPrivilege	2800	LB3.exe
Token: SeSecurityPrivilege	2800	LB3.exe
Token: SeBackupPrivilege	2800	LB3.exe
Token: SeBackupPrivilege	2800	LB3.exe
Token: SeSecurityPrivilege	2800	LB3.exe
Token: SeSecurityPrivilege	2800	LB3.exe
Token: SeBackupPrivilege	2800	LB3.exe
Token: SeBackupPrivilege	2800	LB3.exe
Token: SeSecurityPrivilege	2800	LB3.exe
Token: SeSecurityPrivilege	2800	LB3.exe
Token: SeBackupPrivilege	2800	LB3.exe
Token: SeBackupPrivilege	2800	LB3.exe
Token: SeSecurityPrivilege	2800	LB3.exe

Suspicious use of FindShellTrayWindow 5 IoCs

Processes:

7zG.exevlc.exe

pid process

4156 7zG.exe
3312 vlc.exe
3312 vlc.exe
3312 vlc.exe
3312 vlc.exe
Suspicious use of SendNotifyMessage 3 IoCs

Processes:

vlc.exe

pid process

3312 vlc.exe
3312 vlc.exe
3312 vlc.exe

pid	process
4156	7zG.exe
3312	vlc.exe
3312	vlc.exe
3312	vlc.exe
3312	vlc.exe

pid	process
3312	vlc.exe
3312	vlc.exe
3312	vlc.exe

Suspicious use of SetWindowsHookEx 31 IoCs

Processes:

OpenWith.exeOpenWith.exeLB3Decryptor.exevlc.exeONENOTE.EXELB3Decryptor.exe

pid	process
556	OpenWith.exe
3472	OpenWith.exe
3472	OpenWith.exe
3472	OpenWith.exe
3472	OpenWith.exe
3472	OpenWith.exe
3472	OpenWith.exe
3472	OpenWith.exe
3472	OpenWith.exe
3472	OpenWith.exe
3472	OpenWith.exe
3472	OpenWith.exe
3472	OpenWith.exe
3472	OpenWith.exe
4888	LB3Decryptor.exe
3312	vlc.exe
4004	ONENOTE.EXE
4004	ONENOTE.EXE
4004	ONENOTE.EXE
4004	ONENOTE.EXE
4004	ONENOTE.EXE
4004	ONENOTE.EXE
4004	ONENOTE.EXE
4004	ONENOTE.EXE
4004	ONENOTE.EXE
4004	ONENOTE.EXE
4004	ONENOTE.EXE
4004	ONENOTE.EXE
4004	ONENOTE.EXE
4004	ONENOTE.EXE
5712	LB3Decryptor.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

cmd.execmd.execmd.exeOpenWith.exe

description	pid	process	target process
PID 2644 wrote to memory of 1608	2644	cmd.exe	keygen.exe
PID 2644 wrote to memory of 1608	2644	cmd.exe	keygen.exe
PID 2644 wrote to memory of 1608	2644	cmd.exe	keygen.exe
PID 2644 wrote to memory of 4808	2644	cmd.exe	builder.exe
PID 2644 wrote to memory of 4808	2644	cmd.exe	builder.exe
PID 2644 wrote to memory of 4808	2644	cmd.exe	builder.exe
PID 2644 wrote to memory of 3452	2644	cmd.exe	builder.exe
PID 2644 wrote to memory of 3452	2644	cmd.exe	builder.exe
PID 2644 wrote to memory of 3452	2644	cmd.exe	builder.exe
PID 2644 wrote to memory of 1264	2644	cmd.exe	builder.exe
PID 2644 wrote to memory of 1264	2644	cmd.exe	builder.exe
PID 2644 wrote to memory of 1264	2644	cmd.exe	builder.exe
PID 2644 wrote to memory of 4008	2644	cmd.exe	builder.exe
PID 2644 wrote to memory of 4008	2644	cmd.exe	builder.exe
PID 2644 wrote to memory of 4008	2644	cmd.exe	builder.exe
PID 2644 wrote to memory of 4360	2644	cmd.exe	builder.exe
PID 2644 wrote to memory of 4360	2644	cmd.exe	builder.exe
PID 2644 wrote to memory of 4360	2644	cmd.exe	builder.exe
PID 2644 wrote to memory of 2704	2644	cmd.exe	builder.exe
PID 2644 wrote to memory of 2704	2644	cmd.exe	builder.exe
PID 2644 wrote to memory of 2704	2644	cmd.exe	builder.exe
PID 3008 wrote to memory of 4024	3008	cmd.exe	keygen.exe
PID 3008 wrote to memory of 4024	3008	cmd.exe	keygen.exe
PID 3008 wrote to memory of 4024	3008	cmd.exe	keygen.exe
PID 3008 wrote to memory of 3236	3008	cmd.exe	builder.exe
PID 3008 wrote to memory of 3236	3008	cmd.exe	builder.exe
PID 3008 wrote to memory of 3236	3008	cmd.exe	builder.exe
PID 3008 wrote to memory of 1236	3008	cmd.exe	builder.exe
PID 3008 wrote to memory of 1236	3008	cmd.exe	builder.exe
PID 3008 wrote to memory of 1236	3008	cmd.exe	builder.exe
PID 3008 wrote to memory of 1592	3008	cmd.exe	builder.exe
PID 3008 wrote to memory of 1592	3008	cmd.exe	builder.exe
PID 3008 wrote to memory of 1592	3008	cmd.exe	builder.exe
PID 3008 wrote to memory of 3656	3008	cmd.exe	builder.exe
PID 3008 wrote to memory of 3656	3008	cmd.exe	builder.exe
PID 3008 wrote to memory of 3656	3008	cmd.exe	builder.exe
PID 3008 wrote to memory of 4492	3008	cmd.exe	builder.exe
PID 3008 wrote to memory of 4492	3008	cmd.exe	builder.exe
PID 3008 wrote to memory of 4492	3008	cmd.exe	builder.exe
PID 3008 wrote to memory of 4268	3008	cmd.exe	builder.exe
PID 3008 wrote to memory of 4268	3008	cmd.exe	builder.exe
PID 3008 wrote to memory of 4268	3008	cmd.exe	builder.exe
PID 1920 wrote to memory of 2232	1920	cmd.exe	keygen.exe
PID 1920 wrote to memory of 2232	1920	cmd.exe	keygen.exe
PID 1920 wrote to memory of 2232	1920	cmd.exe	keygen.exe
PID 1920 wrote to memory of 2220	1920	cmd.exe	builder.exe
PID 1920 wrote to memory of 2220	1920	cmd.exe	builder.exe
PID 1920 wrote to memory of 2220	1920	cmd.exe	builder.exe
PID 1920 wrote to memory of 2868	1920	cmd.exe	builder.exe
PID 1920 wrote to memory of 2868	1920	cmd.exe	builder.exe
PID 1920 wrote to memory of 2868	1920	cmd.exe	builder.exe
PID 1920 wrote to memory of 2228	1920	cmd.exe	builder.exe
PID 1920 wrote to memory of 2228	1920	cmd.exe	builder.exe
PID 1920 wrote to memory of 2228	1920	cmd.exe	builder.exe
PID 1920 wrote to memory of 1004	1920	cmd.exe	builder.exe
PID 1920 wrote to memory of 1004	1920	cmd.exe	builder.exe
PID 1920 wrote to memory of 1004	1920	cmd.exe	builder.exe
PID 1920 wrote to memory of 4812	1920	cmd.exe	builder.exe
PID 1920 wrote to memory of 4812	1920	cmd.exe	builder.exe
PID 1920 wrote to memory of 4812	1920	cmd.exe	builder.exe
PID 1920 wrote to memory of 228	1920	cmd.exe	builder.exe
PID 1920 wrote to memory of 228	1920	cmd.exe	builder.exe
PID 1920 wrote to memory of 228	1920	cmd.exe	builder.exe
PID 3472 wrote to memory of 1516	3472	OpenWith.exe	NOTEPAD.EXE

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\Lockbit 3 Builder.7z"
1⤵
- Modifies registry class
PID:2992

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:556

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1656

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\" -an -ai#7zMap17622:90:7zEvent18126
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4156

C:\Windows\System32\NOTEPAD.EXE
"C:\Windows\System32\NOTEPAD.EXE" C:\Users\Admin\Desktop\LBLeak\Build.bat
1⤵
- Opens file in notepad (likely ransom note)
PID:372

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\LBLeak\Build.bat" "
1⤵
- Suspicious use of WriteProcessMemory
PID:2644

C:\Users\Admin\Desktop\LBLeak\keygen.exe
keygen -path C:\Users\Admin\Desktop\LBLeak\Build -pubkey pub.key -privkey priv.key
2⤵
- Executes dropped EXE
PID:1608

C:\Users\Admin\Desktop\LBLeak\builder.exe
builder -type dec -privkey C:\Users\Admin\Desktop\LBLeak\Build\priv.key -config config.json -ofile C:\Users\Admin\Desktop\LBLeak\Build\LB3Decryptor.exe
2⤵
- Executes dropped EXE
PID:4808

C:\Users\Admin\Desktop\LBLeak\builder.exe
builder -type enc -exe -pubkey C:\Users\Admin\Desktop\LBLeak\Build\pub.key -config config.json -ofile C:\Users\Admin\Desktop\LBLeak\Build\LB3.exe
2⤵
- Executes dropped EXE
PID:3452

C:\Users\Admin\Desktop\LBLeak\builder.exe
builder -type enc -exe -pass -pubkey C:\Users\Admin\Desktop\LBLeak\Build\pub.key -config config.json -ofile C:\Users\Admin\Desktop\LBLeak\Build\LB3_pass.exe
2⤵
- Executes dropped EXE
PID:1264

C:\Users\Admin\Desktop\LBLeak\builder.exe
builder -type enc -dll -pubkey C:\Users\Admin\Desktop\LBLeak\Build\pub.key -config config.json -ofile C:\Users\Admin\Desktop\LBLeak\Build\LB3_Rundll32.dll
2⤵
- Executes dropped EXE
PID:4008

C:\Users\Admin\Desktop\LBLeak\builder.exe
builder -type enc -dll -pass -pubkey C:\Users\Admin\Desktop\LBLeak\Build\pub.key -config config.json -ofile C:\Users\Admin\Desktop\LBLeak\Build\LB3_Rundll32_pass.dll
2⤵
- Executes dropped EXE
PID:4360

C:\Users\Admin\Desktop\LBLeak\builder.exe
builder -type enc -ref -pubkey C:\Users\Admin\Desktop\LBLeak\Build\pub.key -config config.json -ofile C:\Users\Admin\Desktop\LBLeak\Build\LB3_ReflectiveDll_DllMain.dll
2⤵
- Executes dropped EXE
PID:2704

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\LBLeak\Build.bat" "
1⤵
- Suspicious use of WriteProcessMemory
PID:3008

C:\Users\Admin\Desktop\LBLeak\keygen.exe
keygen -path C:\Users\Admin\Desktop\LBLeak\Build -pubkey pub.key -privkey priv.key
2⤵
- Executes dropped EXE
PID:4024

C:\Users\Admin\Desktop\LBLeak\builder.exe
builder -type dec -privkey C:\Users\Admin\Desktop\LBLeak\Build\priv.key -config config.json -ofile C:\Users\Admin\Desktop\LBLeak\Build\LB3Decryptor.exe
2⤵
- Executes dropped EXE
PID:3236

C:\Users\Admin\Desktop\LBLeak\builder.exe
builder -type enc -exe -pubkey C:\Users\Admin\Desktop\LBLeak\Build\pub.key -config config.json -ofile C:\Users\Admin\Desktop\LBLeak\Build\LB3.exe
2⤵
- Executes dropped EXE
PID:1236

C:\Users\Admin\Desktop\LBLeak\builder.exe
builder -type enc -exe -pass -pubkey C:\Users\Admin\Desktop\LBLeak\Build\pub.key -config config.json -ofile C:\Users\Admin\Desktop\LBLeak\Build\LB3_pass.exe
2⤵
- Executes dropped EXE
PID:1592

C:\Users\Admin\Desktop\LBLeak\builder.exe
builder -type enc -dll -pubkey C:\Users\Admin\Desktop\LBLeak\Build\pub.key -config config.json -ofile C:\Users\Admin\Desktop\LBLeak\Build\LB3_Rundll32.dll
2⤵
- Executes dropped EXE
PID:3656

C:\Users\Admin\Desktop\LBLeak\builder.exe
builder -type enc -dll -pass -pubkey C:\Users\Admin\Desktop\LBLeak\Build\pub.key -config config.json -ofile C:\Users\Admin\Desktop\LBLeak\Build\LB3_Rundll32_pass.dll
2⤵
- Executes dropped EXE
PID:4492

C:\Users\Admin\Desktop\LBLeak\builder.exe
builder -type enc -ref -pubkey C:\Users\Admin\Desktop\LBLeak\Build\pub.key -config config.json -ofile C:\Users\Admin\Desktop\LBLeak\Build\LB3_ReflectiveDll_DllMain.dll
2⤵
- Executes dropped EXE
PID:4268

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\LBLeak\Build.bat" "
1⤵
- Suspicious use of WriteProcessMemory
PID:1920

C:\Users\Admin\Desktop\LBLeak\keygen.exe
keygen -path C:\Users\Admin\Desktop\LBLeak\Build -pubkey pub.key -privkey priv.key
2⤵
- Executes dropped EXE
PID:2232

C:\Users\Admin\Desktop\LBLeak\builder.exe
builder -type dec -privkey C:\Users\Admin\Desktop\LBLeak\Build\priv.key -config config.json -ofile C:\Users\Admin\Desktop\LBLeak\Build\LB3Decryptor.exe
2⤵
- Executes dropped EXE
PID:2220

C:\Users\Admin\Desktop\LBLeak\builder.exe
builder -type enc -exe -pubkey C:\Users\Admin\Desktop\LBLeak\Build\pub.key -config config.json -ofile C:\Users\Admin\Desktop\LBLeak\Build\LB3.exe
2⤵
- Executes dropped EXE
PID:2868

C:\Users\Admin\Desktop\LBLeak\builder.exe
builder -type enc -exe -pass -pubkey C:\Users\Admin\Desktop\LBLeak\Build\pub.key -config config.json -ofile C:\Users\Admin\Desktop\LBLeak\Build\LB3_pass.exe
2⤵
- Executes dropped EXE
PID:2228

C:\Users\Admin\Desktop\LBLeak\builder.exe
builder -type enc -dll -pubkey C:\Users\Admin\Desktop\LBLeak\Build\pub.key -config config.json -ofile C:\Users\Admin\Desktop\LBLeak\Build\LB3_Rundll32.dll
2⤵
- Executes dropped EXE
PID:1004

C:\Users\Admin\Desktop\LBLeak\builder.exe
builder -type enc -dll -pass -pubkey C:\Users\Admin\Desktop\LBLeak\Build\pub.key -config config.json -ofile C:\Users\Admin\Desktop\LBLeak\Build\LB3_Rundll32_pass.dll
2⤵
- Executes dropped EXE
PID:4812

C:\Users\Admin\Desktop\LBLeak\builder.exe
builder -type enc -ref -pubkey C:\Users\Admin\Desktop\LBLeak\Build\pub.key -config config.json -ofile C:\Users\Admin\Desktop\LBLeak\Build\LB3_ReflectiveDll_DllMain.dll
2⤵
- Executes dropped EXE
PID:228

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3472

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\LBLeak\config.json
2⤵
- Opens file in notepad (likely ransom note)
PID:1516

C:\Users\Admin\Desktop\LBLeak\builder.exe
"C:\Users\Admin\Desktop\LBLeak\builder.exe"
1⤵
- Executes dropped EXE
PID:2208

C:\Users\Admin\Desktop\LBLeak\builder.exe
"C:\Users\Admin\Desktop\LBLeak\builder.exe"
1⤵
- Executes dropped EXE
PID:2652

C:\Users\Admin\Desktop\LBLeak\keygen.exe
"C:\Users\Admin\Desktop\LBLeak\keygen.exe"
1⤵
- Executes dropped EXE
PID:3752

C:\Users\Admin\Desktop\LBLeak\builder.exe
"C:\Users\Admin\Desktop\LBLeak\builder.exe"
1⤵
- Executes dropped EXE
PID:3664

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\LBLeak\Build\Password_exe.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:1396

C:\Users\Admin\Desktop\LBLeak\Build\LB3Decryptor.exe
"C:\Users\Admin\Desktop\LBLeak\Build\LB3Decryptor.exe"
1⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4888

C:\Users\Admin\Desktop\LBLeak\Build\LB3_pass.exe
"C:\Users\Admin\Desktop\LBLeak\Build\LB3_pass.exe"
1⤵
- Executes dropped EXE
PID:2456

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2456 -s 264
2⤵
- Program crash
PID:3620

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2456 -ip 2456
1⤵
PID:3260

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\LBLeak\Build\DECRYPTION_ID.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:404

C:\Users\Admin\Desktop\LB3.exe
"C:\Users\Admin\Desktop\LB3.exe"
1⤵
- Executes dropped EXE
- Drops desktop.ini file(s)
- Sets desktop wallpaper using registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies Control Panel
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
PID:2800

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
2⤵
- Drops file in System32 directory
PID:780

C:\ProgramData\B07B.tmp
"C:\ProgramData\B07B.tmp"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:1940

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\B07B.tmp >> NUL
3⤵
PID:5240

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:3312

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
1⤵
PID:2444

C:\Windows\system32\printfilterpipelinesvc.exe
C:\Windows\system32\printfilterpipelinesvc.exe -Embedding
1⤵
- Drops file in System32 directory
PID:2052

C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
/insertdoc "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\{0AAAE9D6-E23C-4696-8370-A5BA48E89F55}.xps" 133649354628550000
2⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:4004

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\VUMgQG2yL.README.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:4604

C:\Users\Admin\Desktop\LBLeak\Build\LB3Decryptor.exe
"C:\Users\Admin\Desktop\LBLeak\Build\LB3Decryptor.exe"
1⤵
- Executes dropped EXE
- Sets desktop wallpaper using registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies Control Panel
- Modifies registry class
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
PID:5712

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-587429654-1855694383-2268796072-1000\desktop.ini

Filesize
129B

MD5
8d49b769892ebbfd7209f3d6ec503a53

SHA1
865f514ea9f6e12cd150607c5754e5fe683364fc

SHA256
4ccd0c08a012fd56db9401c7af8df786e00fdc236da2f14e52bde175b30e1361

SHA512
f38603444a08fbb1a9dca3b240a0f678f0be0227622d09a36786f958b8840129b11f6e1edb4961f700a9839d022a44a2c0569eaa0d9c9b1f301ba53442136052

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\Microsoft_AutoGenerated_{A5E73466-E220-8EF4-B956-A582187356D9}

Filesize
36KB

MD5
8aaad0f4eb7d3c65f81c6e6b496ba889

SHA1
231237a501b9433c292991e4ec200b25c1589050

SHA256
813c66ce7dec4cff9c55fb6f809eab909421e37f69ff30e4acaa502365a32bd1

SHA512
1a83ce732dc47853bf6e8f4249054f41b0dea8505cda73433b37dfa16114f27bfed3b4b3ba580aa9d53c3dcc8d48bf571a45f7c0468e6a0f2a227a7e59e17d62

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}_comexp_msc

Filesize
36KB

MD5
eab75a01498a0489b0c35e8b7d0036e5

SHA1
fd80fe2630e0443d1a1cef2bdb21257f3a162f86

SHA256
fdf01d2265452465fcbed01f1fdd994d8cbb41a40bbb1988166604c5450ead47

SHA512
2ec6c4f34dcf00b6588b536f15e3fe4d98a0b663c8d2a2df06aa7cface88e072e2c2b1b9aaf4dc5a17b29023a85297f1a007ff60b5d6d0c65d1546bf0e12dd45

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{b2206781-2b6c-4e21-82f5-5c577f462bdd}\0.2.filtertrie.intermediate.txt

Filesize
5B

MD5
c204e9faaf8565ad333828beff2d786e

SHA1
7d23864f5e2a12c1a5f93b555d2d3e7c8f78eec1

SHA256
d65b6a3bf11a27a1ced1f7e98082246e40cf01289fd47fe4a5ed46c221f2f73f

SHA512
e72f4f79a4ae2e5e40a41b322bc0408a6dec282f90e01e0a8aaedf9fb9d6f04a60f45a844595727539c1643328e9c1b989b90785271cc30a6550bbda6b1909f8

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133645844182739081.txt

Filesize
77KB

MD5
8d6adec90b1f0c8e35b87b83589a9899

SHA1
ce259d6dad60394f654208a045dbaa587d0f7659

SHA256
e85761ea6c839a64dedeebe6d26e03cd04c1072c16ff433c8df3dd215af65c47

SHA512
1705fd2a3221474a70fc28e1c2a0e189b7780f2ce4e70d3c4d0492646258a5b9b0541cb2509d26afec79b4526b3ef9e693dca1a56e21114fb4d0cdd8f4597a48

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133645849055511928.txt

Filesize
47KB

MD5
90d68a664d9767df58ae3e6d921db0f8

SHA1
9d22b9b4c9eff59fd890fc29b9fd72cb1af7f85f

SHA256
1820a2ca747cc781617b5caec13af2d3ff19bd16ae33309ba6947b2644475abd

SHA512
19c767e7a9813efaf1f171684573604160279e6d52045ed08b8b4f0e816a3b816f319fb989db3160d993b63d4ebd7bba1b2fb50e19931439e05d6ab359bdf385

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133649353830701555.txt

Filesize
75KB

MD5
6e31b65cd7ab8e91badc007aff158a64

SHA1
a373c07b5328cdba0d434928df8f28f839bdcdde

SHA256
1f39993abfba6ef2cd6af4f1f9ee66af2673780a38bc0bf9547960ab030ffe74

SHA512
cc7726357446faeb0ca93df3c11fb9d6737a8a8e5059b3e12d1ed9df574d48756dfd7d940ee9a57f1cb5f83141fce5f6cf7c21c7a5efe59b54209fba7eeed758

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.XGpuEjectDialog_cw5n1h2txyewy\Settings\settings.dat

Filesize
8KB

MD5
a8308d2f3dde0745e8b678bf69a2ecd0

SHA1
c0ee6155b9b6913c69678f323e2eabfd377c479a

SHA256
7fbb3e503ed8a4a8e5d5fab601883cbb31d2e06d6b598460e570fb7a763ee555

SHA512
9a86d28d40efc655390fea3b78396415ea1b915a1a0ec49bd67073825cfea1a8d94723277186e791614804a5ea2c12f97ac31fad2bf0d91e8e035bde2d026893

Download Submit
C:\Users\Admin\AppData\Local\Temp\wctF20C.tmp

Filesize
63KB

MD5
e516a60bc980095e8d156b1a99ab5eee

SHA1
238e243ffc12d4e012fd020c9822703109b987f6

SHA256
543796a1b343b4ebc0285d89cb8eb70667ac7b513da37495e38003704e9d88d7

SHA512
9b51e99ba20e9da56d1acc24a1cf9f9c9dbdeb742bec034e0ff2bc179a60f4aff249f40344f9ddd43229dcdefa1041940f65afb336d46c175ffeff725c638d58

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4qx8f0t2.default-release\storage\permanent\chrome\idb\3561288849sdhlie.sqlite

Filesize
48KB

MD5
8c8937878b9cfd6f48c87650ef4a1356

SHA1
d73c09375127145bda00283501ad4f81f9298e31

SHA256
27d3bba73b5328cfc2a7d3dd67358f35e74a3b017b458f4f950663739abf195d

SHA512
14b3c7af22e2509dd21054bc2b4b8bc5670b35de48c908f54d28303ce99f3558e3b561ebd2af05d82d19762002a7681fd012ab16d68b1c42395269cdd50944ef

Download Submit
C:\Users\Admin\Desktop\EEEEEEE

Filesize
153KB

MD5
7d12a560f30e749d56b0ca50c8d976e8

SHA1
03542cf97fe1c00bdd88913153c8baaac4b7f707

SHA256
bb1d39119bfa2b948d469595ad1a15a4dd0ae22c86b4e78b0fb5a76f0b2b0551

SHA512
562c83d2d2e57be0e2ef48820f6a137e1b418e7b4acc60c3da58ec66f1d58d05e8e91ca236a5cce426c3c3ae6fafe33943fd4e7af18cb4a29ff20ef7130b0080

Download Submit
C:\Users\Admin\Desktop\LB3.exe

Filesize
153KB

MD5
f62c5fef379b939cacc5a557eabb49f6

SHA1
5e0a4affe7645c4084a3fd812c5d16706ce14494

SHA256
6669e14d8d061e2dad7771e0b8063966aa68c657e9f193be44111222484dfb80

SHA512
5c3f5a567e9ae121995df4eab6b333bb5bcf4df8d8df652bcfbc6468ad5a0864859435d48af97e7df58c5c5b8c54355c88c54d21a957f90d3f8fdaefe115028f

Download Submit
C:\Users\Admin\Desktop\LBLeak\Build.bat

Filesize
741B

MD5
4e46e28b2e61643f6af70a8b19e5cb1f

SHA1
804a1d0c4a280b18e778e4b97f85562fa6d5a4e6

SHA256
8e83a1727696ced618289f79674b97305d88beeeabf46bd25fc77ac53c1ae339

SHA512
009b17b515ff0ea612e54d8751eef07f1e2b54db07e6cd69a95e7adf775f3c79a0ea91bff2fe593f2314807fdc00c75d80f1807b7dbe90f0fcf94607e675047b

Download Submit
C:\Users\Admin\Desktop\LBLeak\Build\DECRYPTION_ID.txt

Filesize
16B

MD5
1dec59fd6cda36f3ff42b064ee7da583

SHA1
f7eac42bed91ef55715e11514d6b95368bd0d805

SHA256
33de63647ac94f8b9f7ea7d1be790b41d04f4b725ad3d7b33be9bafcab919d40

SHA512
8d472cf154b4d79aa6532c168f07a3b2557c52c619cc0558ebe36b41592c5ee54effccb9a54aece6ed19d8d7a8cfe93da1b08fed4296149a5da921ce668a7015

Download Submit
C:\Users\Admin\Desktop\LBLeak\Build\DECRYPTION_ID.txt

Filesize
16B

MD5
74b8606b53b4dbc94e40dfd134fb37c0

SHA1
e7e945fc31c302a2820bfaa7df24c2b51f6ab066

SHA256
4fd9682c26c9c68c2dc4908516c8ff4ccbd8586da1190d8da36bba4613f79e63

SHA512
f41b5098da452316ec8fd05ee698ad0da8f567693d5d99f5ea878e52e45e73e3737b4ed76fdd93262048e4d2e0628f9c1f5e44d8d53c22afa74c97e7af2b350d

Download Submit
C:\Users\Admin\Desktop\LBLeak\Build\DECRYPTION_ID.txt

Filesize
16B

MD5
0bd0679a35a1b39e4d3fead3d2057ea2

SHA1
3ed50f2dda1535b59cd5e0aee5e5d984d3fdc467

SHA256
bfa08208ada629b8578b088f11554446b3a9f179760c7b330d85fa24118cf3a5

SHA512
d981f96a98525b0193c7cd28ef96e7e5da4fb23171fe36682f8d0fa1f52dde6c749908e94254f9a1801c9df17059093ebd1972d83be7583c1232ffe88faccc25

Download Submit
C:\Users\Admin\Desktop\LBLeak\Build\LB3.exe

Filesize
153KB

MD5
7d7e3fd9432e217526d9952985e30f2d

SHA1
65fd60efcc98f03d44d5541e7d6a00a664c95afb

SHA256
efda61fd4632b8784940508d4fb342581affe3ec57444b3897492fa26f96308a

SHA512
31bf1555041ad262dac43202d67ef796a8441da4df5768d90486ff1ea3167fa8f89397758c89a40a7df6e126b796710cbd8fc831978ec6ae36e6ca6705eadfa7

Download Submit
C:\Users\Admin\Desktop\LBLeak\Build\LB3.exe

Filesize
153KB

MD5
ad862b53f5cc4ed408cd174c44007047

SHA1
f66a7b9107e22143895d551b9eaa1ebae2c1495e

SHA256
96934344f6096b4e3d4e7e79c1314fcdd52dff5ebf6d24dcd94ff37153d778bf

SHA512
b7333780fb9bf70069d24f8dc8abda54082cb13b71333712707570dcdbf26aaf8759b79122109e1b978beb4a03758a05309aa21a124801b2ba0adb6006f24c9c

Download Submit
C:\Users\Admin\Desktop\LBLeak\Build\LB3Decryptor.exe

Filesize
54KB

MD5
ed5eea3c08e1103c3368ef4c529a9ab3

SHA1
deac09a37f8632a981bc16f15f32c76f15351c4d

SHA256
0d0e07b30b43e00621a5d65bc727d34cd6b24bbe6415b7ee354197edb0006b80

SHA512
3bbfdb9b3aa37cb0b426eb7982d455fb055b424800779f491b8bd4287288086f450131ed5300fbff0e04b7ee3dd675472dfce8e2d46b0f1ab5761cb09b3d0902

Download Submit
C:\Users\Admin\Desktop\LBLeak\Build\LB3Decryptor.exe

Filesize
54KB

MD5
a5ba023cc4dd848fbec1b3cc97e1e0b9

SHA1
f3f9922683448c4a56d809f6b9d4e81c46b3ca40

SHA256
3315f597c08be9bd4c69d55e25f12e3c117e054b9b8f6a4e7f3774b8ebf679d4

SHA512
fd32f67ccae87f858a4478b71ad2c1bc3d8e4c22964bd6d0d71b734633cb96f48e9094aa73413a8f2ce54fbaffd89dc430f0760eb9b2b4273327154c28a80842

Download Submit
C:\Users\Admin\Desktop\LBLeak\Build\LB3Decryptor.exe

Filesize
54KB

MD5
f53ad486dffe58f507a2ca29aaf43e2e

SHA1
a7117f03e487968d5b4640251ed271e585523b05

SHA256
4ef7721fe21b31cd249549746939049d113ee9920a302fecf83e613c950b252e

SHA512
0b307b9c917dbfe15b27753c4f5375b9cc17b44f667124784d5efc5c77ee1467137f19f295648d004187cef2148298591f4d9bf4cc6b43a1b51e2e2809e0b778

Download Submit
C:\Users\Admin\Desktop\LBLeak\Build\LB3_ReflectiveDll_DllMain.dll

Filesize
107KB

MD5
347ac69cd40289f97f1b3c6fab3205a5

SHA1
03e9486c788a4baf40cf306ea7d5b3fd99ba1fa6

SHA256
0229f1bfa9a8336da1420a0e7ea5e287176ea2891712e3b3432b72145162e3cb

SHA512
1357791eb702d5c04d6d3dddb46b7b3ea80ad7875232fe217973c7ae71c70602ae890b1da836b86ae37932748eb6ffd69b6af1731dddf7422901ec5b7ab28045

Download Submit
C:\Users\Admin\Desktop\LBLeak\Build\LB3_ReflectiveDll_DllMain.dll

Filesize
107KB

MD5
b90884bf56191ad11c75e46580686b2e

SHA1
ea3d70040c5bd31bf72d4d9e0dbf38a9d28e330f

SHA256
05a7d8d3989f5956bd45844f9dbc889209f9cd25e7c25a52b968272953a30710

SHA512
33d3bef7f70d5b7f4aae120aabc849074c626a55c2a748c1ca98cac467941339bd07de2aff212cdea078711e44bbc3a29b9c4b03e64617791e01f4e0c40138e2

Download Submit
C:\Users\Admin\Desktop\LBLeak\Build\LB3_Rundll32.dll

Filesize
152KB

MD5
ae19268971f1607d1e8884c7307258bd

SHA1
1f34c9519cbee465dc211e4823355927d2d2cb6f

SHA256
28104570c3bfac2a536ec4ed2259cd4907026c0edaab27154a8863e233f1fc94

SHA512
3dcb4d2b167cb47ff79ab991e8888c67ab12e161d358390e256e8ad6123b9cf1b5c768f961a01ffe44e9029cc0072fc3f96e5b32f7574595d8d5efe2a731e99a

Download Submit
C:\Users\Admin\Desktop\LBLeak\Build\LB3_Rundll32.dll

Filesize
152KB

MD5
91fc0e1219cb91507a3ccf12f5580e5a

SHA1
6c907d514957245d994a227113ef3a3e1d0b6f12

SHA256
cebfae49ac7f84abf09d4f49df26ebab2bce8d3ad87950baa041901616aa8a05

SHA512
a8014552c5843db6c4da439056d83779b1140c88883832085ade2c50fb6aaa3ea444ca4007ff16b8d5e30b4a49798c12b41eead2e9f75ab93692131c025b9556

Download Submit
C:\Users\Admin\Desktop\LBLeak\Build\LB3_Rundll32_pass.dll

Filesize
148KB

MD5
c007e50ecd4c8d38d51ba63ddd99333d

SHA1
7834bdc2fb502058e7da47a910075a4b7ca54193

SHA256
2c57347035c061753de49bb5cd81b3aa63c63c61539ae0773bd82eba5d0de2b7

SHA512
836f521fc4861fc0e06640ddbcf9ed3ae49239d49ae42b662af910e6a5aecc8fc8d14f5606a0c89cfe6852da224e575b9b841e64f7b488444a50c461e3de8133

Download Submit
C:\Users\Admin\Desktop\LBLeak\Build\LB3_Rundll32_pass.dll

Filesize
148KB

MD5
67583abed126e4f3a1d63624e7a35693

SHA1
3c33aa9559ec019580a861327284d5b4d2aebdef

SHA256
7ec39b5098cd379158c1f81c4b2ccc91c443ec12628b0951258ec5b6cf5aec40

SHA512
405ae8d3e8fafe4e888d76b3299490e563de9bd7ce927621ef97e081d54be8750c0e204efffa21a6d7db700decb61b1dda4b9273f4585c53f998fb3141492880

Download Submit
C:\Users\Admin\Desktop\LBLeak\Build\LB3_pass.exe

Filesize
149KB

MD5
66fbb87b5030be11caeeefb753dc9e0b

SHA1
2b1e9cb2fe28616bc978fe1b6bfc036de9fcee32

SHA256
18c52b5f7992db72fc3f564701fe34f1e92b73c6251fb60a356c8483f21bd1b5

SHA512
521c40e660a58178020cb28d0f5156efd15cbcc1e09934d24ffe482b16ec7d36c57f9b03fb83f34bade294602105d36e6f9e419fcf6aca3c3d065039254f305a

Download Submit
C:\Users\Admin\Desktop\LBLeak\Build\LB3_pass.exe

Filesize
149KB

MD5
2802f63b5ecb0a3c0829e30e8f32bea7

SHA1
d5a5e34c6c16553cb41f905ba3974b5cbd6b26d4

SHA256
5fb617c65fb8aa330ddd99e61ee9868406844c88854b1af16c789b22e7465b3d

SHA512
2b75a12332eb9cfabe298704b8868e58533eaa14aa600f0d8c8bdd42f002b48253e82df2d1d3d859522aa0492acbf97e03ae9893f93930f087c41dc8ad102f72

Download Submit
C:\Users\Admin\Desktop\LBLeak\Build\LB3_pass.exe

Filesize
149KB

MD5
6c4b84c25a27b6e786edc44fd5dd0cc9

SHA1
f331ec107cd4bc18fa4e0a552abb40d1b842f0e0

SHA256
32203f5f408a4e002f7b080a3556f9d7fc6687738cad35f011c33df53b091abd

SHA512
99234feee9bcd9cd6d1294966dec323811d86df394228e6db8390f7f1e60968246f894c0917ad39aa058d513afbfa1b459024b580c8f0df6bdcd9472069687ca

Download Submit
C:\Users\Admin\Desktop\LBLeak\Build\Password_dll.txt

Filesize
1KB

MD5
91913bade767b253973d11014ecff9c1

SHA1
7adb36fbe312e0bface5e2ebdfb778b18eaf30ee

SHA256
344dacdce6dbc71c5e6b1508060658388e067c74e028952facb427ebd5e64d40

SHA512
2a33667f41774173a8371812253f44258ff4499c1db90c696de0b5ec810c941eebe29ec15473b37ae550db6c72a133021ed53f740940695ba47b5828e1927080

Download Submit
C:\Users\Admin\Desktop\LBLeak\Build\Password_dll.txt

Filesize
1KB

MD5
34d4ab1ebb5c14877d12328845e78fce

SHA1
eff9a24c0ef50cdb945ab7cab98990dc7a736e38

SHA256
73beea5961df9ae4a96c8b7dd2ef044ab4e3f06d190ff0c5bf5569ae3f07cf53

SHA512
21feb053cd305504515b232838aee0b7019f87fef6d6ee102d81b0d3c0851c4fa7f9089baa3f594c19c37e1f6942cfdb675a79376fcaa37a2c87f244c6519cfe

Download Submit
C:\Users\Admin\Desktop\LBLeak\Build\Password_exe.txt

Filesize
2KB

MD5
42e0c682e154793289ba53ba5c3baf19

SHA1
29b65650d229c43c46100023907eb8424779bf49

SHA256
8188c61c580ea6cf99101ff8eb8c79a37f595945cd2280348b71689aa41947a0

SHA512
0bc9fef93c9f29b78dcb6fdc204407d4af00e9a470e65427d5a14215e9d787459af6427bd0295f12ccbd2d49933551805f9dad24856d088649caaabd756e5032

Download Submit
C:\Users\Admin\Desktop\LBLeak\Build\Password_exe.txt

Filesize
2KB

MD5
f3396404086a0011c2ca297fe031469e

SHA1
30215b4fa8cd178442e2f4eab33033bf7737b5c5

SHA256
df52bd8d3e21b979b07e9f5638711f05a766d1544775fb88e57dbb18cfb06955

SHA512
18b15f144fde2291c6bb4d8ab9917047fc83819442a83d39315af3af3e8a29e94121b37cb87f2c6a09e57e8ca70340e36bc2e2714fd2c3611dc8815f4de764fa

Download Submit
C:\Users\Admin\Desktop\LBLeak\Build\Password_exe.txt

Filesize
2KB

MD5
9eba23e26667a8ff66973b4acda98048

SHA1
5f9156880bfd10868a3235e6b901ae4db6027ac4

SHA256
5bd4bf538e18a31aa1ed2122fdec3463a24b09169982ccfb7a76160023723444

SHA512
6861e7a63c849ce58024b51bd5ae271e5de0729b47e99341ea4c9be82cb886c533e78ded2a61ce1184bc0d64453ca415f404bce78d499452d36e4912e6b51809

Download Submit
C:\Users\Admin\Desktop\LBLeak\Build\priv.key

Filesize
344B

MD5
98dfcfa0983be1dd226b83389b172681

SHA1
a1e75f96067962360dd688c42578c401f12ede83

SHA256
f101ec17d0fb78a34baa7aaeb59913550cec9726f309cca6e0456ae174efbce0

SHA512
3d24d518144942cfc691683a712bb367a03ab3dfaeb2ebd29edfa97dd3022cc52c25907b43b12dcb27243efaded56e211c729f7a083faac8d1dfccc8dc8a3958

Download Submit
C:\Users\Admin\Desktop\LBLeak\Build\priv.key

Filesize
344B

MD5
1d65a380c92920dd47b926d18782ae82

SHA1
1a57a22c0510b8b5da5aeae4e10485193195ca8c

SHA256
facc2b0ed0147f3c624430820974b8b9c1fa87f6f50dde3a0a70104ecd8bf01c

SHA512
79aa828140409b92149f41abeb637bce2ec5257d20618742a36d290d7a64363f05b110e0677ef3244839dee6900cc43d78d50f00fc3f2f2b745aa753c064eeef

Download Submit
C:\Users\Admin\Desktop\LBLeak\Build\priv.key

Filesize
344B

MD5
b5d484b465fecf24d023db2f1a2e026d

SHA1
02cad3e5aaca9d94f964da1c32bd83b0993c1da1

SHA256
6ace115bd203b52af93604ba69578d66d7ec662b44b7f11109bea73b85a445bf

SHA512
bb20057884ecf4bba98fd21371c56cdb86bcfa8e81a13bf948c9422d729acae8b304aad2e212f252ef528e3a044151cbff85fb21f1b32cee76c0cc1d43cbdcc5

Download Submit
C:\Users\Admin\Desktop\LBLeak\Build\pub.key

Filesize
344B

MD5
dab64f4e553ebe2427a5d8e64b4efb83

SHA1
d2a8cf7201502eb20e548662ad6ca6ba28d5eace

SHA256
8d443624f09ff400086efe86d7ca2e9885749aedbc2ccf5c7804e777651c90e8

SHA512
18d0b5165fcee72b0c4729e1c527d3834a6b92b4bde5b78d1a90f28902f8512ea4c4a63e63a56df1561b3db16bc754ffac1cf23612fc0d94a5ac0106c5845028

Download Submit
C:\Users\Admin\Desktop\LBLeak\Build\pub.key

Filesize
344B

MD5
c3c1f349255d21d7391a0c42519cf904

SHA1
f1b46ed3d06ed4a1f2bd2e83622c667bcd5d0bfe

SHA256
94b6ac99338e092bb2184e628e8b10a5ee4430a19793557c053a293f43170f1d

SHA512
01b49fa548c9a55570e9c5f7b6262346c5166ac984041bb5385e7f9a5b294d42bb7f7852348f29ca4e76ba7a11f295817311b622aebc1048a7078cbd7fae0570

Download Submit
C:\Users\Admin\Desktop\LBLeak\Build\pub.key

Filesize
344B

MD5
155a4061f6820f79e6e96ff27b39ab2f

SHA1
2511bcb9980acc91bf2410317773b2dbfdb42eb6

SHA256
fd816e330f866d98ef4f422517823ca3596092040cfa8148b4989252c256463b

SHA512
a0df942d5da65a16552e8f96becd4090e2affd061766271e98ee8e12fe08e70b1153fc7b2d88c7b7e47b38e5757ccaa26dff0d0c9ca1a1b494cde3b7639200c9

Download Submit
C:\Users\Admin\Desktop\LBLeak\builder.exe

Filesize
470KB

MD5
8c689dc9e82c9356b990d2b67b4943e1

SHA1
6bdc415b9c356bbeaea75c7336cd72910b95a644

SHA256
e8e2deb0a83aebb1e2cc14846bc71715343372103f279d2d1622e383fb26d6ef

SHA512
fb38a79dbcebde149736d5e1ca37dc15d274838be304d3f86e992d610b50c31d7fe4c30f6697c890f3753443af16eab712aef3f8da88d76ed00790083deb51e4

Download Submit
C:\Users\Admin\Desktop\LBLeak\config.json

Filesize
8KB

MD5
a6ba7b662de10b45ebe5b6b7edaa62a9

SHA1
f3ed67bdaef070cd5a213b89d53c5b8022d6f266

SHA256
3f7518d88aefd4b1e0a1d6f9748f9a9960c1271d679600e34f5065d8df8c9dc8

SHA512
7fc9d4d61742a26def74c7dd86838482e3fc1e4e065cb3a06ae151e2c8614c9c36e8816ae0a3560ad5dd3cc02be131cb232c7deacc7f7b5a611e8eec790feea1

Download Submit
C:\Users\Admin\Desktop\LBLeak\keygen.exe

Filesize
31KB

MD5
5e28c7c900e4dce08366051c22f07f84

SHA1
ec03fd1551d31486e2f925d9c2db3b87ffcd7018

SHA256
bb76f4d10ec2c1d24be904d2ee078f34a6b5bd11f3b40f295e116fea44824b89

SHA512
fb45d7466d8a979ca78202be20175585e8d560a4cfcc81d3ef15edeb2d292cb5a05cdb93718cef685f1c8ee94cabf6c35ff010785d774057d045ba7b8a478a1e

Download Submit
C:\Users\Admin\Documents\OneNote Notebooks\My Notebook\Open Notebook.onetoc2

Filesize
4KB

MD5
0ba75ec717f31d2e6733ad47b381e221

SHA1
53ac92daf1542165114c16d42252fd919d9a27b2

SHA256
94f34c86315edd2c9dbc7e50763d6c7488891704b311110054d7863b4bcf8099

SHA512
aa1a82c2553ae80245ba5b1803553bccf8bd454eab339a13a5de32560bcad0c986a54c06469e54a3abed069b7c6a7871aac22788b8a58bcf03942511df795c12

Download Submit
C:\VUMgQG2yL.README.txt

Filesize
6KB

MD5
e745028bc85f9e743e59201469d868ad

SHA1
a7e14c112b38cca5d2a7bed2c4756cf6360ecb0b

SHA256
fd0bf2d8859f6e1f2d6a384d18253a53d9918adf20a69f23e970bee9fff8a715

SHA512
17cccd35c1c6f278fb90d14c7284f84b8ecfe4d151c4247a5c8771ebeadf0f76846a4953aac460ad74e287fe505c80609ab4b9de3b3365517d29728db8f3fb72

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-587429654-1855694383-2268796072-1000\DDDDDDDDDDD

Filesize
129B

MD5
7004691f8d1eded42105dddd1dc6895a

SHA1
363c729bc1e500d5c9899c77081f9527cc0b3e1d

SHA256
dd99b69b4d75dbe7e12998205518126b9f3060e95ee59fbed6eaf9e84c5a829a

SHA512
22bc1b33a30e2a1523b3b77a6dd845feaa93edc025c0266eed09df22a3ddb072edeb83fed2ce4511ebb32ec6262390999e67166da8f742b5187392ecfb13262d

Download Submit
memory/2456-100-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2456-102-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3312-2817-0x00007FFECE370000-0x00007FFECF420000-memory.dmp

Filesize
16.7MB

Download
memory/3312-2814-0x00007FF7D3E10000-0x00007FF7D3F08000-memory.dmp

Filesize
992KB

Download
memory/3312-2815-0x00007FFEDFA60000-0x00007FFEDFA94000-memory.dmp

Filesize
208KB

Download
memory/3312-2816-0x00007FFECF420000-0x00007FFECF6D6000-memory.dmp

Filesize
2.7MB

Download
memory/4004-2899-0x00007FFEAEAB0000-0x00007FFEAEAC0000-memory.dmp

Filesize
64KB

Download
memory/4004-2900-0x00007FFEAEAB0000-0x00007FFEAEAC0000-memory.dmp

Filesize
64KB

Download
memory/4004-2830-0x00007FFEAEAB0000-0x00007FFEAEAC0000-memory.dmp

Filesize
64KB

Download
memory/4004-2832-0x00007FFEAEAB0000-0x00007FFEAEAC0000-memory.dmp

Filesize
64KB

Download
memory/4004-2831-0x00007FFEAEAB0000-0x00007FFEAEAC0000-memory.dmp

Filesize
64KB

Download
memory/4004-2829-0x00007FFEAEAB0000-0x00007FFEAEAC0000-memory.dmp

Filesize
64KB

Download
memory/4004-2901-0x00007FFEAEAB0000-0x00007FFEAEAC0000-memory.dmp

Filesize
64KB

Download
memory/4004-2836-0x00007FFEAC960000-0x00007FFEAC970000-memory.dmp

Filesize
64KB

Download
memory/4004-2898-0x00007FFEAEAB0000-0x00007FFEAEAC0000-memory.dmp

Filesize
64KB

Download
memory/4004-2833-0x00007FFEAEAB0000-0x00007FFEAEAC0000-memory.dmp

Filesize
64KB

Download
memory/4004-2866-0x00007FFEAC960000-0x00007FFEAC970000-memory.dmp

Filesize
64KB

Download