lockbit | d50d651083ad69e043488da182d603c7bf7356e1cf9103525989d3c950a96cd1

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
04-08-2024 23:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

LB3.exe
Size

153KB
MD5

21d260863368a8641f764cd86deec51b
SHA1

2095cfa4b394171968fa6fa774a66434bd208ee6
SHA256

d50d651083ad69e043488da182d603c7bf7356e1cf9103525989d3c950a96cd1
SHA512

28f10027b172568451111dc13f70e59b85daa1cfb9c5756595649f16526208c4f39ffef1652180212c45ef9597d53d3be524958dd25cdb0c625fdc5b1a27fdc1
SSDEEP

3072:oqJogYkcSNm9V7Dho50KwhXyWAN5UGl0T:oq2kc4m9tDLzAR

Score

10^/10

lockbit defense_evasion discovery ransomware spyware stealer

Malware Config

Extracted

Path

C:\smpT5Oejp.README.txt

Family

lockbit

Ransom Note

~~~ LockBit 3.0 the world's fastest ransomware since 2019~~~ >>>> Your data are stolen and encrypted The data will be published on TOR website if you do not pay the ransom Links for Tor Browser: http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion http://lockbitapt5x4zkjbcqmz6frdhecqqgadevyiwqxukksspnlidyvd7qd.onion http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion http://lockbitapt34kvrip6xojylohhxrwsvpzdffgs5z4pbbsywnzsbdguqd.onion http://lockbitaptc2iq4atewz2ise62q63wfktyrl4qtwuk5qax262kgtzjqd.onion http://lockbitaptjpikdqjynvgozhgc6bgetgucdk5xjacozeaawihmoio6yd.onion http://lockbitaptq7ephv2oigdncfhtwhpqgwmqojnxqdyhprxxfpcllqdxad.onion http://lockbitaptstzf3er2lz6ku3xuifafq2yh5lmiqj5ncur6rtlmkteiqd.onion http://lockbitaptoofrpignlz6dt2wqqc5z3a4evjevoa3eqdfcntxad5lmyd.onion Links for the normal browser http://lockbitapt.uz http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion.ly http://lockbitapt5x4zkjbcqmz6frdhecqqgadevyiwqxukksspnlidyvd7qd.onion.ly http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion.ly http://lockbitapt34kvrip6xojylohhxrwsvpzdffgs5z4pbbsywnzsbdguqd.onion.ly http://lockbitaptc2iq4atewz2ise62q63wfktyrl4qtwuk5qax262kgtzjqd.onion.ly http://lockbitaptjpikdqjynvgozhgc6bgetgucdk5xjacozeaawihmoio6yd.onion.ly http://lockbitaptq7ephv2oigdncfhtwhpqgwmqojnxqdyhprxxfpcllqdxad.onion.ly http://lockbitaptstzf3er2lz6ku3xuifafq2yh5lmiqj5ncur6rtlmkteiqd.onion.ly http://lockbitaptoofrpignlz6dt2wqqc5z3a4evjevoa3eqdfcntxad5lmyd.onion.ly >>>> What guarantees that we will not deceive you? We are not a politically motivated group and we do not need anything other than your money. If you pay, we will provide you the programs for decryption and we will delete your data. Life is too short to be sad. Be not sad, money, it is only paper. If we do not give you decrypters, or we do not delete your data after payment, then nobody will pay us in the future. Therefore to us our reputation is very important. We attack the companies worldwide and there is no dissatisfied victim after payment. You can obtain information about us on twitter https://twitter.com/hashtag/lockbit?f=live >>>> You need contact us and decrypt one file for free on these TOR sites with your personal DECRYPTION ID Download and install TOR Browser https://www.torproject.org/ Write to a chat and wait for the answer, we will always answer you. Sometimes you will need to wait for our answer because we attack many companies. Links for Tor Browser: http://lockbitsupt7nr3fa6e7xyb73lk6bw6rcneqhoyblniiabj4uwvzapqd.onion http://lockbitsupuhswh4izvoucoxsbnotkmgq6durg7kficg6u33zfvq3oyd.onion http://lockbitsupn2h6be2cnqpvncyhj4rgmnwn44633hnzzmtxdvjoqlp7yd.onion Link for the normal browser http://lockbitsupp.uz If you do not get an answer in the chat room for a long time, the site does not work and in any other emergency, you can contact us in jabber or tox. Tox ID LockBitSupp: 3085B89A0C515D2FB124D645906F5D3DA5CB97CEBEA975959AE4F95302A04E1D709C3C4AE9B7 XMPP (Jabber) Support: [email protected] [email protected] >>>> Your personal DECRYPTION ID: B7568014A48684D6D525F3F3722638C4 >>>> Warning! Do not DELETE or MODIFY any files, it can lead to recovery problems! >>>> Warning! If you do not pay the ransom we will attack your company repeatedly again! >>>> Advertisement Would you like to earn millions of dollars $$$ ? Our company acquire access to networks of various companies, as well as insider information that can help you steal the most valuable data of any company. You can provide us accounting data for the access to any company, for example, login and password to RDP, VPN, corporate email, etc. Open our letter at your email. Launch the provided virus on any computer in your company. You can do it both using your work computer or the computer of any other employee in order to divert suspicion of being in collusion with us. Companies pay us the foreclosure for the decryption of files and prevention of data leak. You can contact us using Tox messenger without registration and SMS https://tox.chat/download.html. Using Tox messenger, we will never know your real name, it means your privacy is guaranteed. If you want to contact us, write in jabber or tox. Tox ID LockBitSupp: 3085B89A0C515D2FB124D645906F5D3DA5CB97CEBEA975959AE4F95302A04E1D709C3C4AE9B7 XMPP (Jabber) Support: [email protected] [email protected] If this contact is expired, and we do not respond you, look for the relevant contact data on our website via Tor or Brave browser Links for Tor Browser: http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion http://lockbitapt5x4zkjbcqmz6frdhecqqgadevyiwqxukksspnlidyvd7qd.onion http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion http://lockbitapt34kvrip6xojylohhxrwsvpzdffgs5z4pbbsywnzsbdguqd.onion http://lockbitaptc2iq4atewz2ise62q63wfktyrl4qtwuk5qax262kgtzjqd.onion http://lockbitaptjpikdqjynvgozhgc6bgetgucdk5xjacozeaawihmoio6yd.onion http://lockbitaptq7ephv2oigdncfhtwhpqgwmqojnxqdyhprxxfpcllqdxad.onion http://lockbitaptstzf3er2lz6ku3xuifafq2yh5lmiqj5ncur6rtlmkteiqd.onion http://lockbitaptoofrpignlz6dt2wqqc5z3a4evjevoa3eqdfcntxad5lmyd.onion Links for the normal browser http://lockbitapt.uz http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion.ly http://lockbitapt5x4zkjbcqmz6frdhecqqgadevyiwqxukksspnlidyvd7qd.onion.ly http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion.ly http://lockbitapt34kvrip6xojylohhxrwsvpzdffgs5z4pbbsywnzsbdguqd.onion.ly http://lockbitaptc2iq4atewz2ise62q63wfktyrl4qtwuk5qax262kgtzjqd.onion.ly http://lockbitaptjpikdqjynvgozhgc6bgetgucdk5xjacozeaawihmoio6yd.onion.ly http://lockbitaptq7ephv2oigdncfhtwhpqgwmqojnxqdyhprxxfpcllqdxad.onion.ly http://lockbitaptstzf3er2lz6ku3xuifafq2yh5lmiqj5ncur6rtlmkteiqd.onion.ly http://lockbitaptoofrpignlz6dt2wqqc5z3a4evjevoa3eqdfcntxad5lmyd.onion.ly

Emails

[email protected]

URLs

http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion

http://lockbitapt5x4zkjbcqmz6frdhecqqgadevyiwqxukksspnlidyvd7qd.onion

http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion

http://lockbitapt34kvrip6xojylohhxrwsvpzdffgs5z4pbbsywnzsbdguqd.onion

http://lockbitaptc2iq4atewz2ise62q63wfktyrl4qtwuk5qax262kgtzjqd.onion

http://lockbitaptjpikdqjynvgozhgc6bgetgucdk5xjacozeaawihmoio6yd.onion

http://lockbitaptq7ephv2oigdncfhtwhpqgwmqojnxqdyhprxxfpcllqdxad.onion

http://lockbitaptstzf3er2lz6ku3xuifafq2yh5lmiqj5ncur6rtlmkteiqd.onion

http://lockbitaptoofrpignlz6dt2wqqc5z3a4evjevoa3eqdfcntxad5lmyd.onion

http://lockbitapt.uz

http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion.ly

http://lockbitapt5x4zkjbcqmz6frdhecqqgadevyiwqxukksspnlidyvd7qd.onion.ly

http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion.ly

http://lockbitapt34kvrip6xojylohhxrwsvpzdffgs5z4pbbsywnzsbdguqd.onion.ly

http://lockbitaptc2iq4atewz2ise62q63wfktyrl4qtwuk5qax262kgtzjqd.onion.ly

http://lockbitaptjpikdqjynvgozhgc6bgetgucdk5xjacozeaawihmoio6yd.onion.ly

http://lockbitaptq7ephv2oigdncfhtwhpqgwmqojnxqdyhprxxfpcllqdxad.onion.ly

http://lockbitaptstzf3er2lz6ku3xuifafq2yh5lmiqj5ncur6rtlmkteiqd.onion.ly

http://lockbitaptoofrpignlz6dt2wqqc5z3a4evjevoa3eqdfcntxad5lmyd.onion.ly

https://twitter.com/hashtag/lockbit?f=live

Signatures

Lockbit
Ransomware family with multiple variants released since late 2019.
ransomware lockbit
Renames multiple (580) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	125B.tmp

Deletes itself 1 IoCs

pid	Process
3752	125B.tmp

Executes dropped EXE 1 IoCs

pid	Process
3752	125B.tmp

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File opened for modification	C:\$Recycle.Bin\S-1-5-21-2718105630-359604950-2820636825-1000\desktop.ini	LB3.exe
File opened for modification	F:\$RECYCLE.BIN\S-1-5-21-2718105630-359604950-2820636825-1000\desktop.ini	LB3.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\system32\spool\PRINTERS\PPpj9u30l5_vollid1u7r3nodac.TMP	printfilterpipelinesvc.exe
File created	C:\Windows\system32\spool\PRINTERS\00002.SPL	splwow64.exe
File created	C:\Windows\system32\spool\PRINTERS\PP_gthzkk9iv8unqhq191zw46jb.TMP	printfilterpipelinesvc.exe
File created	C:\Windows\system32\spool\PRINTERS\PPumho95z_4pqhm1r3gyr3tmtyb.TMP	printfilterpipelinesvc.exe

Sets desktop wallpaper using registry 2 TTPs 2 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\smpT5Oejp.bmp"	LB3.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\smpT5Oejp.bmp"	LB3.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
3752	125B.tmp

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	LB3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	125B.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	ONENOTE.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	ONENOTE.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	ONENOTE.EXE

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	ONENOTE.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	ONENOTE.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	ONENOTE.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Modifies Control Panel 2 IoCs

evasion

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\Desktop	LB3.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\Desktop\WallpaperStyle = "10"	LB3.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133672891277256618"	chrome.exe

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.smpT5Oejp	LB3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.smpT5Oejp\ = "smpT5Oejp"	LB3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\smpT5Oejp\DefaultIcon	LB3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\smpT5Oejp	LB3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\smpT5Oejp\DefaultIcon\ = "C:\\ProgramData\\smpT5Oejp.ico"	LB3.exe

Opens file in notepad (likely ransom note) 3 IoCs

ransomware

pid	Process
2684	NOTEPAD.EXE
4476	NOTEPAD.EXE
1680	NOTEPAD.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
4396	ONENOTE.EXE
4396	ONENOTE.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4388	LB3.exe
4388	LB3.exe
4388	LB3.exe
4388	LB3.exe
4388	LB3.exe
4388	LB3.exe
4388	LB3.exe
4388	LB3.exe
4388	LB3.exe
4388	LB3.exe
4388	LB3.exe
4388	LB3.exe
4388	LB3.exe
4388	LB3.exe
4388	LB3.exe
4388	LB3.exe
4388	LB3.exe
4388	LB3.exe
4388	LB3.exe
4388	LB3.exe
4388	LB3.exe
4388	LB3.exe
4388	LB3.exe
4388	LB3.exe
4388	LB3.exe
4388	LB3.exe
4388	LB3.exe
4388	LB3.exe
4388	LB3.exe
4388	LB3.exe
4388	LB3.exe
4388	LB3.exe
4388	LB3.exe
4388	LB3.exe
4388	LB3.exe
4388	LB3.exe
4388	LB3.exe
4388	LB3.exe
4388	LB3.exe
4388	LB3.exe
4388	LB3.exe
4388	LB3.exe
4388	LB3.exe
4388	LB3.exe
4388	LB3.exe
4388	LB3.exe
4388	LB3.exe
4388	LB3.exe
4388	LB3.exe
4388	LB3.exe
4388	LB3.exe
4388	LB3.exe
4388	LB3.exe
4388	LB3.exe
4388	LB3.exe
4388	LB3.exe
4388	LB3.exe
4388	LB3.exe
4388	LB3.exe
4388	LB3.exe
4388	LB3.exe
4388	LB3.exe
4388	LB3.exe
4388	LB3.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
4512	chrome.exe
4512	chrome.exe
4512	chrome.exe
4512	chrome.exe
4512	chrome.exe
4512	chrome.exe
4512	chrome.exe

Suspicious behavior: RenamesItself 26 IoCs

pid	Process
3752	125B.tmp
3752	125B.tmp
3752	125B.tmp
3752	125B.tmp
3752	125B.tmp
3752	125B.tmp
3752	125B.tmp
3752	125B.tmp
3752	125B.tmp
3752	125B.tmp
3752	125B.tmp
3752	125B.tmp
3752	125B.tmp
3752	125B.tmp
3752	125B.tmp
3752	125B.tmp
3752	125B.tmp
3752	125B.tmp
3752	125B.tmp
3752	125B.tmp
3752	125B.tmp
3752	125B.tmp
3752	125B.tmp
3752	125B.tmp
3752	125B.tmp
3752	125B.tmp

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeAssignPrimaryTokenPrivilege	4388	LB3.exe
Token: SeBackupPrivilege	4388	LB3.exe
Token: SeDebugPrivilege	4388	LB3.exe
Token: 36	4388	LB3.exe
Token: SeImpersonatePrivilege	4388	LB3.exe
Token: SeIncBasePriorityPrivilege	4388	LB3.exe
Token: SeIncreaseQuotaPrivilege	4388	LB3.exe
Token: 33	4388	LB3.exe
Token: SeManageVolumePrivilege	4388	LB3.exe
Token: SeProfSingleProcessPrivilege	4388	LB3.exe
Token: SeRestorePrivilege	4388	LB3.exe
Token: SeSecurityPrivilege	4388	LB3.exe
Token: SeSystemProfilePrivilege	4388	LB3.exe
Token: SeTakeOwnershipPrivilege	4388	LB3.exe
Token: SeShutdownPrivilege	4388	LB3.exe
Token: SeDebugPrivilege	4388	LB3.exe
Token: SeBackupPrivilege	4388	LB3.exe
Token: SeBackupPrivilege	4388	LB3.exe
Token: SeSecurityPrivilege	4388	LB3.exe
Token: SeSecurityPrivilege	4388	LB3.exe
Token: SeBackupPrivilege	4388	LB3.exe
Token: SeBackupPrivilege	4388	LB3.exe
Token: SeSecurityPrivilege	4388	LB3.exe
Token: SeSecurityPrivilege	4388	LB3.exe
Token: SeBackupPrivilege	4388	LB3.exe
Token: SeBackupPrivilege	4388	LB3.exe
Token: SeSecurityPrivilege	4388	LB3.exe
Token: SeSecurityPrivilege	4388	LB3.exe
Token: SeBackupPrivilege	4388	LB3.exe
Token: SeBackupPrivilege	4388	LB3.exe
Token: SeSecurityPrivilege	4388	LB3.exe
Token: SeSecurityPrivilege	4388	LB3.exe
Token: SeBackupPrivilege	4388	LB3.exe
Token: SeBackupPrivilege	4388	LB3.exe
Token: SeSecurityPrivilege	4388	LB3.exe
Token: SeSecurityPrivilege	4388	LB3.exe
Token: SeBackupPrivilege	4388	LB3.exe
Token: SeBackupPrivilege	4388	LB3.exe
Token: SeSecurityPrivilege	4388	LB3.exe
Token: SeSecurityPrivilege	4388	LB3.exe
Token: SeBackupPrivilege	4388	LB3.exe
Token: SeBackupPrivilege	4388	LB3.exe
Token: SeSecurityPrivilege	4388	LB3.exe
Token: SeSecurityPrivilege	4388	LB3.exe
Token: SeBackupPrivilege	4388	LB3.exe
Token: SeBackupPrivilege	4388	LB3.exe
Token: SeSecurityPrivilege	4388	LB3.exe
Token: SeSecurityPrivilege	4388	LB3.exe
Token: SeBackupPrivilege	4388	LB3.exe
Token: SeBackupPrivilege	4388	LB3.exe
Token: SeSecurityPrivilege	4388	LB3.exe
Token: SeSecurityPrivilege	4388	LB3.exe
Token: SeBackupPrivilege	4388	LB3.exe
Token: SeBackupPrivilege	4388	LB3.exe
Token: SeSecurityPrivilege	4388	LB3.exe
Token: SeSecurityPrivilege	4388	LB3.exe
Token: SeBackupPrivilege	4388	LB3.exe
Token: SeBackupPrivilege	4388	LB3.exe
Token: SeSecurityPrivilege	4388	LB3.exe
Token: SeSecurityPrivilege	4388	LB3.exe
Token: SeBackupPrivilege	4388	LB3.exe
Token: SeBackupPrivilege	4388	LB3.exe
Token: SeSecurityPrivilege	4388	LB3.exe
Token: SeSecurityPrivilege	4388	LB3.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
5044	taskmgr.exe
5044	taskmgr.exe
5044	taskmgr.exe
5044	taskmgr.exe
5044	taskmgr.exe
5044	taskmgr.exe
5044	taskmgr.exe
5044	taskmgr.exe
5044	taskmgr.exe
5044	taskmgr.exe
5044	taskmgr.exe
5044	taskmgr.exe
5044	taskmgr.exe
5044	taskmgr.exe
5044	taskmgr.exe
5044	taskmgr.exe
5044	taskmgr.exe
5044	taskmgr.exe
5044	taskmgr.exe
5044	taskmgr.exe
5044	taskmgr.exe
5044	taskmgr.exe
5044	taskmgr.exe
5044	taskmgr.exe
5044	taskmgr.exe
5044	taskmgr.exe
5044	taskmgr.exe
5044	taskmgr.exe
5044	taskmgr.exe
5044	taskmgr.exe
5044	taskmgr.exe
5044	taskmgr.exe
5044	taskmgr.exe
5044	taskmgr.exe
5044	taskmgr.exe
5044	taskmgr.exe
5044	taskmgr.exe
5044	taskmgr.exe
5044	taskmgr.exe
5044	taskmgr.exe
5044	taskmgr.exe
5044	taskmgr.exe
5044	taskmgr.exe
5044	taskmgr.exe
5044	taskmgr.exe
5044	taskmgr.exe
5044	taskmgr.exe
5044	taskmgr.exe
5044	taskmgr.exe
5044	taskmgr.exe
5044	taskmgr.exe
5044	taskmgr.exe
5044	taskmgr.exe
5044	taskmgr.exe
5044	taskmgr.exe
5044	taskmgr.exe
5044	taskmgr.exe
5044	taskmgr.exe
5044	taskmgr.exe
5044	taskmgr.exe
5044	taskmgr.exe
5044	taskmgr.exe
5044	taskmgr.exe
5044	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
5044	taskmgr.exe
5044	taskmgr.exe
5044	taskmgr.exe
5044	taskmgr.exe
5044	taskmgr.exe
5044	taskmgr.exe
5044	taskmgr.exe
5044	taskmgr.exe
5044	taskmgr.exe
5044	taskmgr.exe
5044	taskmgr.exe
5044	taskmgr.exe
5044	taskmgr.exe
5044	taskmgr.exe
5044	taskmgr.exe
5044	taskmgr.exe
5044	taskmgr.exe
5044	taskmgr.exe
5044	taskmgr.exe
5044	taskmgr.exe
5044	taskmgr.exe
5044	taskmgr.exe
5044	taskmgr.exe
5044	taskmgr.exe
5044	taskmgr.exe
5044	taskmgr.exe
5044	taskmgr.exe
5044	taskmgr.exe
5044	taskmgr.exe
5044	taskmgr.exe
5044	taskmgr.exe
5044	taskmgr.exe
5044	taskmgr.exe
5044	taskmgr.exe
5044	taskmgr.exe
5044	taskmgr.exe
5044	taskmgr.exe
5044	taskmgr.exe
5044	taskmgr.exe
5044	taskmgr.exe
5044	taskmgr.exe
5044	taskmgr.exe
5044	taskmgr.exe
5044	taskmgr.exe
5044	taskmgr.exe
5044	taskmgr.exe
5044	taskmgr.exe
5044	taskmgr.exe
5044	taskmgr.exe
5044	taskmgr.exe
5044	taskmgr.exe
5044	taskmgr.exe
5044	taskmgr.exe
5044	taskmgr.exe
5044	taskmgr.exe
5044	taskmgr.exe
5044	taskmgr.exe
5044	taskmgr.exe
5044	taskmgr.exe
5044	taskmgr.exe
5044	taskmgr.exe
5044	taskmgr.exe
5044	taskmgr.exe
5044	taskmgr.exe

Suspicious use of SetWindowsHookEx 14 IoCs

pid	Process
4396	ONENOTE.EXE
4396	ONENOTE.EXE
4396	ONENOTE.EXE
4396	ONENOTE.EXE
4396	ONENOTE.EXE
4396	ONENOTE.EXE
4396	ONENOTE.EXE
4396	ONENOTE.EXE
4396	ONENOTE.EXE
4396	ONENOTE.EXE
4396	ONENOTE.EXE
4396	ONENOTE.EXE
4396	ONENOTE.EXE
4396	ONENOTE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4388 wrote to memory of 3376	4388	LB3.exe	89
PID 4388 wrote to memory of 3376	4388	LB3.exe	89
PID 3688 wrote to memory of 4396	3688	printfilterpipelinesvc.exe	92
PID 3688 wrote to memory of 4396	3688	printfilterpipelinesvc.exe	92
PID 4388 wrote to memory of 3752	4388	LB3.exe	93
PID 4388 wrote to memory of 3752	4388	LB3.exe	93
PID 4388 wrote to memory of 3752	4388	LB3.exe	93
PID 4388 wrote to memory of 3752	4388	LB3.exe	93
PID 3752 wrote to memory of 4140	3752	125B.tmp	94
PID 3752 wrote to memory of 4140	3752	125B.tmp	94
PID 3752 wrote to memory of 4140	3752	125B.tmp	94
PID 4512 wrote to memory of 1352	4512	chrome.exe	112
PID 4512 wrote to memory of 1352	4512	chrome.exe	112
PID 4512 wrote to memory of 1508	4512	chrome.exe	113
PID 4512 wrote to memory of 1508	4512	chrome.exe	113
PID 4512 wrote to memory of 1508	4512	chrome.exe	113
PID 4512 wrote to memory of 1508	4512	chrome.exe	113
PID 4512 wrote to memory of 1508	4512	chrome.exe	113
PID 4512 wrote to memory of 1508	4512	chrome.exe	113
PID 4512 wrote to memory of 1508	4512	chrome.exe	113
PID 4512 wrote to memory of 1508	4512	chrome.exe	113
PID 4512 wrote to memory of 1508	4512	chrome.exe	113
PID 4512 wrote to memory of 1508	4512	chrome.exe	113
PID 4512 wrote to memory of 1508	4512	chrome.exe	113
PID 4512 wrote to memory of 1508	4512	chrome.exe	113
PID 4512 wrote to memory of 1508	4512	chrome.exe	113
PID 4512 wrote to memory of 1508	4512	chrome.exe	113
PID 4512 wrote to memory of 1508	4512	chrome.exe	113
PID 4512 wrote to memory of 1508	4512	chrome.exe	113
PID 4512 wrote to memory of 1508	4512	chrome.exe	113
PID 4512 wrote to memory of 1508	4512	chrome.exe	113
PID 4512 wrote to memory of 1508	4512	chrome.exe	113
PID 4512 wrote to memory of 1508	4512	chrome.exe	113
PID 4512 wrote to memory of 1508	4512	chrome.exe	113
PID 4512 wrote to memory of 1508	4512	chrome.exe	113
PID 4512 wrote to memory of 1508	4512	chrome.exe	113
PID 4512 wrote to memory of 1508	4512	chrome.exe	113
PID 4512 wrote to memory of 1508	4512	chrome.exe	113
PID 4512 wrote to memory of 1508	4512	chrome.exe	113
PID 4512 wrote to memory of 1508	4512	chrome.exe	113
PID 4512 wrote to memory of 1508	4512	chrome.exe	113
PID 4512 wrote to memory of 1508	4512	chrome.exe	113
PID 4512 wrote to memory of 1508	4512	chrome.exe	113
PID 4512 wrote to memory of 4756	4512	chrome.exe	114
PID 4512 wrote to memory of 4756	4512	chrome.exe	114
PID 4512 wrote to memory of 792	4512	chrome.exe	115
PID 4512 wrote to memory of 792	4512	chrome.exe	115
PID 4512 wrote to memory of 792	4512	chrome.exe	115
PID 4512 wrote to memory of 792	4512	chrome.exe	115
PID 4512 wrote to memory of 792	4512	chrome.exe	115
PID 4512 wrote to memory of 792	4512	chrome.exe	115
PID 4512 wrote to memory of 792	4512	chrome.exe	115
PID 4512 wrote to memory of 792	4512	chrome.exe	115
PID 4512 wrote to memory of 792	4512	chrome.exe	115
PID 4512 wrote to memory of 792	4512	chrome.exe	115
PID 4512 wrote to memory of 792	4512	chrome.exe	115
PID 4512 wrote to memory of 792	4512	chrome.exe	115
PID 4512 wrote to memory of 792	4512	chrome.exe	115
PID 4512 wrote to memory of 792	4512	chrome.exe	115
PID 4512 wrote to memory of 792	4512	chrome.exe	115
PID 4512 wrote to memory of 792	4512	chrome.exe	115
PID 4512 wrote to memory of 792	4512	chrome.exe	115
PID 4512 wrote to memory of 792	4512	chrome.exe	115
PID 4512 wrote to memory of 792	4512	chrome.exe	115

C:\Users\Admin\AppData\Local\Temp\LB3.exe
"C:\Users\Admin\AppData\Local\Temp\LB3.exe"
1⤵
- Drops desktop.ini file(s)
- Sets desktop wallpaper using registry
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4388
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  - Drops file in System32 directory
  PID:3376
- C:\ProgramData\125B.tmp
  "C:\ProgramData\125B.tmp"
  2⤵
  - Checks computer location settings
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: RenamesItself
  - Suspicious use of WriteProcessMemory
  PID:3752
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\125B.tmp >> NUL
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4140

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
1⤵
PID:1788

C:\Windows\system32\printfilterpipelinesvc.exe
C:\Windows\system32\printfilterpipelinesvc.exe -Embedding
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3688
- C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
  /insertdoc "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\{DD929962-19AB-45F0-93C6-A3E1941B5D4E}.xps" 133672890106470000
  2⤵
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  PID:4396

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:5044

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\smpT5Oejp.README.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:2684

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:876

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\UnregisterEnable.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:4476

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\smpT5Oejp.README.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:1680

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of WriteProcessMemory
PID:4512
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffa9ffecc40,0x7ffa9ffecc4c,0x7ffa9ffecc58
  2⤵
  PID:1352
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1952,i,6047921339267088006,9248031961294845918,262144 --variations-seed-version --mojo-platform-channel-handle=1948 /prefetch:2
  2⤵
  PID:1508
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2000,i,6047921339267088006,9248031961294845918,262144 --variations-seed-version --mojo-platform-channel-handle=2100 /prefetch:3
  2⤵
  PID:4756
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2264,i,6047921339267088006,9248031961294845918,262144 --variations-seed-version --mojo-platform-channel-handle=2416 /prefetch:8
  2⤵
  PID:792
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3180,i,6047921339267088006,9248031961294845918,262144 --variations-seed-version --mojo-platform-channel-handle=3216 /prefetch:1
  2⤵
  PID:2960
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3188,i,6047921339267088006,9248031961294845918,262144 --variations-seed-version --mojo-platform-channel-handle=3240 /prefetch:1
  2⤵
  PID:1544
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4608,i,6047921339267088006,9248031961294845918,262144 --variations-seed-version --mojo-platform-channel-handle=4616 /prefetch:1
  2⤵
  PID:1984
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4800,i,6047921339267088006,9248031961294845918,262144 --variations-seed-version --mojo-platform-channel-handle=4808 /prefetch:1
  2⤵
  PID:1496
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --field-trial-handle=4840,i,6047921339267088006,9248031961294845918,262144 --variations-seed-version --mojo-platform-channel-handle=3744 /prefetch:1
  2⤵
  PID:4860
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=4588,i,6047921339267088006,9248031961294845918,262144 --variations-seed-version --mojo-platform-channel-handle=3200 /prefetch:1
  2⤵
  PID:1436
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=3336,i,6047921339267088006,9248031961294845918,262144 --variations-seed-version --mojo-platform-channel-handle=3744 /prefetch:8
  2⤵
  PID:1500
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4960,i,6047921339267088006,9248031961294845918,262144 --variations-seed-version --mojo-platform-channel-handle=4688 /prefetch:8
  2⤵
  PID:64
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --field-trial-handle=4064,i,6047921339267088006,9248031961294845918,262144 --variations-seed-version --mojo-platform-channel-handle=4104 /prefetch:1
  2⤵
  PID:5096

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:1576

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:4492

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2718105630-359604950-2820636825-1000\UUUUUUUUUUU

Filesize
129B

MD5
7a015c20c82a9ff732792437e8fef788

SHA1
b155aca4c77cff1d1eb30c281dc9b596df8e1db3

SHA256
4678f99cc9528e4551f82b2013098ccefd309b5c713c7e91da8126924b81b628

SHA512
b5125345507bee15f176f9ae26f625b4b7f32805845f737f6636b6ecd22c07bc82053999b8232817b69bc0c203c8fc48e3ac93dbd0ae36eabe3d3357ede6c97f

Download Submit
C:\ProgramData\125B.tmp

Filesize
14KB

MD5
294e9f64cb1642dd89229fff0592856b

SHA1
97b148c27f3da29ba7b18d6aee8a0db9102f47c9

SHA256
917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2

SHA512
b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\BrowserMetrics\BrowserMetrics-66ACE405-4C8.pma.smpT5Oejp

Filesize
4.0MB

MD5
b0e9ea8dced8ad0d29d2eb4d7bbc0221

SHA1
0656eea8e9ee7d030ce8ffb57a2a24f727c0de31

SHA256
41970b557c3a72b2bca9b5e1bcb11544a2522e79fbcc2b7e4c33d0a82609aa91

SHA512
bfdea320a8023fba8a118e7f026bc0d71b53cdfa85f40fb28c3ddb4ff6404f04d01484cff0596b2ebe157b2047f2dbdb7ffb49bdbce2e4f2123606c869ce9bde

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Google Profile.ico

Filesize
192KB

MD5
a8cf54419129b874864cf206392ece0f

SHA1
2d8f78e5d6951faedba3257d5794227f34c50967

SHA256
b8a7649c907c010db609d7143f3f0601a385b9cf803f4b0bddb449c41151cc1f

SHA512
02a77857be5123636fdc44791f6cf7a4532fa53e34576be7f6ab21da51ef400fc138d7dda6a2880b2b42ddb22a803a1897e4f95ea3479487af61a199c7929a8c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
b9821ab45de3b31c7e53a3a4fe6578f2

SHA1
68aa5f12fdc53a96821d0229c1ba329ee12fca0f

SHA256
57d98306de3e6ff657db86a7d5f37425780da965d273e05f9602fc092ba8ee95

SHA512
a5acde85de51514d7dc47d9a7b399fd3a8ae714425a76b5678386ca7eb2b192857d238b416c7bac0ebf8735494c3708bc0e485019236d620078cc51879c78cdc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
6faf97ff917ac83aba0c507ceaf8d90f

SHA1
ab80c0fa39d07996190a377dd492edd043d907f7

SHA256
420ce9ce533f8f2e76ac055fc563b9c42f50483bca9ff9bdb9a8ae06ad8b4c7f

SHA512
5f4280758b4fb3f6241d41ed060b57de8713c9149dea38726f543d75b24e52ae3f25f1a6270899f6a3edd8ec447492561a53a2a39554335031152341e34c79fd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
309899fbc50e6bf83110b45e6794bed6

SHA1
e1642084ea9a5f8c6d79ca465990dfc476042ae7

SHA256
84043447ba20b55227b386f75c39389139ebe027ec91af496339e5dd60fa6ab9

SHA512
00923aa10d303f992b0bec20405dd491c0a93abcbba8b219e71831cbf24e39263ebdb82254c9a0c6d42b87f3e1711780e0d3dd95d2f32916a1d6674635462b3a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
686bd7e91463f55f19c6aa525c668936

SHA1
9f995f6b294c6e4796b01b5d234fc42ddd9bb2f2

SHA256
d913e2cd7f9dc41bec9c275117a0f2fd087f1f8959d476541e6586b91d3fed9c

SHA512
7bb66045afc1956bda02c1b0742fc129cd2e2ec5c164ad6773d6b43f6994deeeea196c44300a987927482da145db7dd45dd37540df64b9f8c9368deb421254fc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
99KB

MD5
4dee4f8423f4050c45a9c713553aa32f

SHA1
92b5f400d53aa6f1f71bbc85ee27c4988e407fd8

SHA256
bcbef97db2680f09b17b2cfb4a9c7d54a7d9ad8bdf48e7fbeb06c225a8604295

SHA512
9b5875dc7486dc96f3a274f58f9a089a97bcf89a10b2ad07248b36b1f18dc164b4e0a8b0483159c8118c5f92105eb875883133282738489cd631bdf00205f783

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State~RFe59e257.TMP

Filesize
1KB

MD5
af427e0a1b1d1431e761b2b35986c75b

SHA1
1674849cd5a889927c67850c3506d2444fc965e8

SHA256
49b3618a11fefefe3974843fdd1a9e11bad4ba91a4d5f547f444f4c04282ae6a

SHA512
e070358d8df5d65458ba8d6881b1d764752a2b1bf268364c60bd0c908523a976391a8fab65fa392bfa897f0aadb2b143fcf359433c0daaf9e441b2d487b2c5b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\DDDDDDD

Filesize
153KB

MD5
6183c689bd0d4bcb51f1a0a16230b737

SHA1
6d70dbac97c9e4c1084249270e8b85f651c408e6

SHA256
7721fe377d9a6c0740b025f2e34dbca8031a1797b46947a8a27743216c930fb7

SHA512
b1d4803f8e5a25529162d4c7171db32ff6174da290bf99012532998d8a727ad707a8a94f16463485ed36ea339a1e0acda709931fc3f23d3ef67d2a627c2be190

Download Submit
C:\Users\Admin\AppData\Local\Temp\{6B6030D7-3D20-40CC-B994-62D2962C7913}

Filesize
4KB

MD5
401789c50281c65e72e0b810eb8aef22

SHA1
55969915fb45e21540ed1d0185458e42d93fdde2

SHA256
ddd44d05a0f3a2eef52d0219404c8a540586fe6cdc20d3db78dfba9b905eae59

SHA512
a346702725bdd81516e93c7b3b84fd188d8a971c5186d4e171d3865803f87caf94888320b0ef94a3c394c31181a359bae9fa19174b88a7b03de79353619c92ac

Download Submit
C:\Users\Admin\Desktop\UnregisterEnable.txt

Filesize
338KB

MD5
6d9d11ce76ef257f26d590e592d8e8da

SHA1
d0b4659a3ae9050c1e5fa11f9ff7e5650355358e

SHA256
093d07f77451cb2af88f92a809e1bbe78118d928f787b655b27ab9d3be3aa9d2

SHA512
29739eed8d7e5e21343efdc6e9b4e90cdc69af9f7b166961e9cdceee8ee014d6a3836f41bc0859aab21ab22a92118c346cf230d1b34b21a29ec69f6e4f19965b

Download Submit
C:\Users\Admin\Documents\OneNote Notebooks\My Notebook\Open Notebook.onetoc2

Filesize
4KB

MD5
22cb248605a35f5660deef9630033359

SHA1
7a24729b4d4628b6da7b329775402fae4bf6bfd4

SHA256
38b0fce740559445bbe66a53c656b1b459b7b35ef5821c5262377463dd104dec

SHA512
5357429860a2fbc0a12e556a8da0e48f2c588ed97404fffc3bbc7c6e3c891e0692b0a4a02e3faa1a605ef49bb81583a018dfaa23e254dc1e1008f1ef4376fd2d

Download Submit
C:\smpT5Oejp.README.txt

Filesize
6KB

MD5
dd746ace17e44ace00885b91400f11d5

SHA1
4a0302d2dca400598f396e4230fdae71779cbeaa

SHA256
b27c3c8a30faf7c76483b7e5d964ae85046a9713caa46508ee7a1e31b7dc6272

SHA512
8ac26aa7262fdf1afdc74e604720a79ebde076c75f460d7d5f57ff4d81dedb1ad471eb114ddd428c1934029746f5c222339090680bc77a6ea09ce329e1da3ef1

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-2718105630-359604950-2820636825-1000\DDDDDDDDDDD

Filesize
129B

MD5
a663ed5ead17005f0480648dbf5f0d96

SHA1
467d949bf180fa69a0b07711c26c7d7e58b5f98e

SHA256
1927fac6e157e4a28b40b4e43809c0ced41cc236196b98330bca735f1535ec04

SHA512
64bd1db064d1c8f3886cfd920d63068b7d49d48f5ecd550fc5711a581011654598d192c6e036b047b1125090d8aa52aa4b540f1dff003caffb5abfa2ba63efdb

Download Submit
memory/4388-2-0x0000000002CD0000-0x0000000002CE0000-memory.dmp

Filesize
64KB

Download
memory/4388-1-0x0000000002CD0000-0x0000000002CE0000-memory.dmp

Filesize
64KB

Download
memory/4388-0-0x0000000002CD0000-0x0000000002CE0000-memory.dmp

Filesize
64KB

Download
memory/4396-2814-0x00007FFA6E490000-0x00007FFA6E4A0000-memory.dmp

Filesize
64KB

Download
memory/4396-2746-0x00007FFA6E490000-0x00007FFA6E4A0000-memory.dmp

Filesize
64KB

Download
memory/4396-2748-0x00007FFA6E490000-0x00007FFA6E4A0000-memory.dmp

Filesize
64KB

Download
memory/4396-2747-0x00007FFA6E490000-0x00007FFA6E4A0000-memory.dmp

Filesize
64KB

Download
memory/4396-2750-0x00007FFA6E490000-0x00007FFA6E4A0000-memory.dmp

Filesize
64KB

Download
memory/4396-2751-0x00007FFA6E490000-0x00007FFA6E4A0000-memory.dmp

Filesize
64KB

Download
memory/4396-2780-0x00007FFA6BBC0000-0x00007FFA6BBD0000-memory.dmp

Filesize
64KB

Download
memory/4396-2781-0x00007FFA6BBC0000-0x00007FFA6BBD0000-memory.dmp

Filesize
64KB

Download
memory/4396-2813-0x00007FFA6E490000-0x00007FFA6E4A0000-memory.dmp

Filesize
64KB

Download
memory/4396-2815-0x00007FFA6E490000-0x00007FFA6E4A0000-memory.dmp

Filesize
64KB

Download
memory/4396-2816-0x00007FFA6E490000-0x00007FFA6E4A0000-memory.dmp

Filesize
64KB

Download
memory/5044-2817-0x000002385C8D0000-0x000002385C8D1000-memory.dmp

Filesize
4KB

Download
memory/5044-2824-0x000002385C8D0000-0x000002385C8D1000-memory.dmp

Filesize
4KB

Download
memory/5044-2825-0x000002385C8D0000-0x000002385C8D1000-memory.dmp

Filesize
4KB

Download
memory/5044-2827-0x000002385C8D0000-0x000002385C8D1000-memory.dmp

Filesize
4KB

Download
memory/5044-2828-0x000002385C8D0000-0x000002385C8D1000-memory.dmp

Filesize
4KB

Download
memory/5044-2818-0x000002385C8D0000-0x000002385C8D1000-memory.dmp

Filesize
4KB

Download
memory/5044-2829-0x000002385C8D0000-0x000002385C8D1000-memory.dmp

Filesize
4KB

Download
memory/5044-2826-0x000002385C8D0000-0x000002385C8D1000-memory.dmp

Filesize
4KB

Download
memory/5044-2823-0x000002385C8D0000-0x000002385C8D1000-memory.dmp

Filesize
4KB

Download
memory/5044-2819-0x000002385C8D0000-0x000002385C8D1000-memory.dmp

Filesize
4KB

Download