lockbit | 744214bbe4ab445a2778cc66eb4a8a5b64673b245cfbf3500e14ed70f5906ef1

Analysis

max time kernel
149s
max time network
151s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20250211-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20250211-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
14-02-2025 20:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

LBLeak/Build.bat
Size

741B
MD5

4e46e28b2e61643f6af70a8b19e5cb1f
SHA1

804a1d0c4a280b18e778e4b97f85562fa6d5a4e6
SHA256

8e83a1727696ced618289f79674b97305d88beeeabf46bd25fc77ac53c1ae339
SHA512

009b17b515ff0ea612e54d8751eef07f1e2b54db07e6cd69a95e7adf775f3c79a0ea91bff2fe593f2314807fdc00c75d80f1807b7dbe90f0fcf94607e675047b

Score

10^/10

lockbit discovery ransomware

Malware Config

Signatures

Lockbit
Ransomware family with multiple variants released since late 2019.
ransomware lockbit
Lockbit family
lockbit

Rule to detect Lockbit 3.0 ransomware Windows payload 3 IoCs

resource	yara_rule
behavioral1/files/0x0007000000027fb0-666.dat	family_lockbit
behavioral1/files/0x0007000000027fad-663.dat	family_lockbit
behavioral1/files/0x0007000000027fab-661.dat	family_lockbit

Downloads MZ/PE file 1 IoCs

flow	pid	Process
152	1476	Process not Found

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 23 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	builder.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	builder.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	builder.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	builder.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	builder.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	builder.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	builder.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	builder.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	builder.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	keygen.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	builder.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	builder.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	builder.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	keygen.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	builder.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	builder.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	builder.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	builder.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	keygen.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	builder.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	builder.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	builder.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
5996	MicrosoftEdgeUpdate.exe

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2460122153-424179005-3852593011-1000_Classes\Local Settings	firefox.exe

NTFS ADS 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\Downloads\LBLeak.zip:Zone.Identifier	firefox.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	5108	firefox.exe
Token: SeDebugPrivilege	5108	firefox.exe
Token: SeDebugPrivilege	5108	firefox.exe
Token: SeDebugPrivilege	5108	firefox.exe
Token: SeDebugPrivilege	5108	firefox.exe
Token: SeDebugPrivilege	5108	firefox.exe

Suspicious use of FindShellTrayWindow 22 IoCs

pid	Process
5108	firefox.exe
5108	firefox.exe
5108	firefox.exe
5108	firefox.exe
5108	firefox.exe
5108	firefox.exe
5108	firefox.exe
5108	firefox.exe
5108	firefox.exe
5108	firefox.exe
5108	firefox.exe
5108	firefox.exe
5108	firefox.exe
5108	firefox.exe
5108	firefox.exe
5108	firefox.exe
5108	firefox.exe
5108	firefox.exe
5108	firefox.exe
5108	firefox.exe
5108	firefox.exe
5108	firefox.exe

Suspicious use of SendNotifyMessage 20 IoCs

pid	Process
5108	firefox.exe
5108	firefox.exe
5108	firefox.exe
5108	firefox.exe
5108	firefox.exe
5108	firefox.exe
5108	firefox.exe
5108	firefox.exe
5108	firefox.exe
5108	firefox.exe
5108	firefox.exe
5108	firefox.exe
5108	firefox.exe
5108	firefox.exe
5108	firefox.exe
5108	firefox.exe
5108	firefox.exe
5108	firefox.exe
5108	firefox.exe
5108	firefox.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
5108	firefox.exe
5108	firefox.exe
5108	firefox.exe
5108	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 564 wrote to memory of 3052	564	cmd.exe	86
PID 564 wrote to memory of 3052	564	cmd.exe	86
PID 564 wrote to memory of 3052	564	cmd.exe	86
PID 564 wrote to memory of 3800	564	cmd.exe	87
PID 564 wrote to memory of 3800	564	cmd.exe	87
PID 564 wrote to memory of 3800	564	cmd.exe	87
PID 564 wrote to memory of 4296	564	cmd.exe	88
PID 564 wrote to memory of 4296	564	cmd.exe	88
PID 564 wrote to memory of 4296	564	cmd.exe	88
PID 564 wrote to memory of 332	564	cmd.exe	89
PID 564 wrote to memory of 332	564	cmd.exe	89
PID 564 wrote to memory of 332	564	cmd.exe	89
PID 564 wrote to memory of 4900	564	cmd.exe	90
PID 564 wrote to memory of 4900	564	cmd.exe	90
PID 564 wrote to memory of 4900	564	cmd.exe	90
PID 564 wrote to memory of 1620	564	cmd.exe	91
PID 564 wrote to memory of 1620	564	cmd.exe	91
PID 564 wrote to memory of 1620	564	cmd.exe	91
PID 564 wrote to memory of 4644	564	cmd.exe	92
PID 564 wrote to memory of 4644	564	cmd.exe	92
PID 564 wrote to memory of 4644	564	cmd.exe	92
PID 1044 wrote to memory of 5108	1044	firefox.exe	101
PID 1044 wrote to memory of 5108	1044	firefox.exe	101
PID 1044 wrote to memory of 5108	1044	firefox.exe	101
PID 1044 wrote to memory of 5108	1044	firefox.exe	101
PID 1044 wrote to memory of 5108	1044	firefox.exe	101
PID 1044 wrote to memory of 5108	1044	firefox.exe	101
PID 1044 wrote to memory of 5108	1044	firefox.exe	101
PID 1044 wrote to memory of 5108	1044	firefox.exe	101
PID 1044 wrote to memory of 5108	1044	firefox.exe	101
PID 1044 wrote to memory of 5108	1044	firefox.exe	101
PID 1044 wrote to memory of 5108	1044	firefox.exe	101
PID 5108 wrote to memory of 2060	5108	firefox.exe	102
PID 5108 wrote to memory of 2060	5108	firefox.exe	102
PID 5108 wrote to memory of 2060	5108	firefox.exe	102
PID 5108 wrote to memory of 2060	5108	firefox.exe	102
PID 5108 wrote to memory of 2060	5108	firefox.exe	102
PID 5108 wrote to memory of 2060	5108	firefox.exe	102
PID 5108 wrote to memory of 2060	5108	firefox.exe	102
PID 5108 wrote to memory of 2060	5108	firefox.exe	102
PID 5108 wrote to memory of 2060	5108	firefox.exe	102
PID 5108 wrote to memory of 2060	5108	firefox.exe	102
PID 5108 wrote to memory of 2060	5108	firefox.exe	102
PID 5108 wrote to memory of 2060	5108	firefox.exe	102
PID 5108 wrote to memory of 2060	5108	firefox.exe	102
PID 5108 wrote to memory of 2060	5108	firefox.exe	102
PID 5108 wrote to memory of 2060	5108	firefox.exe	102
PID 5108 wrote to memory of 2060	5108	firefox.exe	102
PID 5108 wrote to memory of 2060	5108	firefox.exe	102
PID 5108 wrote to memory of 2060	5108	firefox.exe	102
PID 5108 wrote to memory of 2060	5108	firefox.exe	102
PID 5108 wrote to memory of 2060	5108	firefox.exe	102
PID 5108 wrote to memory of 2060	5108	firefox.exe	102
PID 5108 wrote to memory of 2060	5108	firefox.exe	102
PID 5108 wrote to memory of 2060	5108	firefox.exe	102
PID 5108 wrote to memory of 2060	5108	firefox.exe	102
PID 5108 wrote to memory of 2060	5108	firefox.exe	102
PID 5108 wrote to memory of 2060	5108	firefox.exe	102
PID 5108 wrote to memory of 2060	5108	firefox.exe	102
PID 5108 wrote to memory of 2060	5108	firefox.exe	102
PID 5108 wrote to memory of 2060	5108	firefox.exe	102
PID 5108 wrote to memory of 2060	5108	firefox.exe	102
PID 5108 wrote to memory of 2060	5108	firefox.exe	102
PID 5108 wrote to memory of 2060	5108	firefox.exe	102

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\LBLeak\Build.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:564
- C:\Users\Admin\AppData\Local\Temp\LBLeak\keygen.exe
  keygen -path C:\Users\Admin\AppData\Local\Temp\LBLeak\Build -pubkey pub.key -privkey priv.key
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3052
- C:\Users\Admin\AppData\Local\Temp\LBLeak\builder.exe
  builder -type dec -privkey C:\Users\Admin\AppData\Local\Temp\LBLeak\Build\priv.key -config config.json -ofile C:\Users\Admin\AppData\Local\Temp\LBLeak\Build\LB3Decryptor.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3800
- C:\Users\Admin\AppData\Local\Temp\LBLeak\builder.exe
  builder -type enc -exe -pubkey C:\Users\Admin\AppData\Local\Temp\LBLeak\Build\pub.key -config config.json -ofile C:\Users\Admin\AppData\Local\Temp\LBLeak\Build\LB3.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4296
- C:\Users\Admin\AppData\Local\Temp\LBLeak\builder.exe
  builder -type enc -exe -pass -pubkey C:\Users\Admin\AppData\Local\Temp\LBLeak\Build\pub.key -config config.json -ofile C:\Users\Admin\AppData\Local\Temp\LBLeak\Build\LB3_pass.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:332
- C:\Users\Admin\AppData\Local\Temp\LBLeak\builder.exe
  builder -type enc -dll -pubkey C:\Users\Admin\AppData\Local\Temp\LBLeak\Build\pub.key -config config.json -ofile C:\Users\Admin\AppData\Local\Temp\LBLeak\Build\LB3_Rundll32.dll
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4900
- C:\Users\Admin\AppData\Local\Temp\LBLeak\builder.exe
  builder -type enc -dll -pass -pubkey C:\Users\Admin\AppData\Local\Temp\LBLeak\Build\pub.key -config config.json -ofile C:\Users\Admin\AppData\Local\Temp\LBLeak\Build\LB3_Rundll32_pass.dll
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1620
- C:\Users\Admin\AppData\Local\Temp\LBLeak\builder.exe
  builder -type enc -ref -pubkey C:\Users\Admin\AppData\Local\Temp\LBLeak\Build\pub.key -config config.json -ofile C:\Users\Admin\AppData\Local\Temp\LBLeak\Build\LB3_ReflectiveDll_DllMain.dll
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4644

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1044
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - NTFS ADS
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:5108
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2008 -parentBuildID 20240401114208 -prefsHandle 1936 -prefMapHandle 1928 -prefsLen 27346 -prefMapSize 244628 -appDir "C:\Program Files\Mozilla Firefox\browser" - {b444a3ae-3ea9-4f90-aceb-1bd63045a4a3} 5108 "\\.\pipe\gecko-crash-server-pipe.5108" gpu
    3⤵
    PID:2060
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2428 -parentBuildID 20240401114208 -prefsHandle 2420 -prefMapHandle 2416 -prefsLen 27224 -prefMapSize 244628 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c92488ea-b771-4d89-89d0-4fee8dbf6b11} 5108 "\\.\pipe\gecko-crash-server-pipe.5108" socket
    3⤵
    PID:1580
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3180 -childID 1 -isForBrowser -prefsHandle 3156 -prefMapHandle 3004 -prefsLen 22636 -prefMapSize 244628 -jsInitHandle 964 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {77f148b9-ae14-4a7d-a66c-237aa614d67b} 5108 "\\.\pipe\gecko-crash-server-pipe.5108" tab
    3⤵
    PID:4036
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4216 -childID 2 -isForBrowser -prefsHandle 4208 -prefMapHandle 4204 -prefsLen 32598 -prefMapSize 244628 -jsInitHandle 964 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {05430631-77f0-4fc0-8008-267dea3c1571} 5108 "\\.\pipe\gecko-crash-server-pipe.5108" tab
    3⤵
    PID:4148
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4752 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4848 -prefMapHandle 4844 -prefsLen 32598 -prefMapSize 244628 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ae6dce87-582f-427d-868f-1464a6afa60d} 5108 "\\.\pipe\gecko-crash-server-pipe.5108" utility
    3⤵
    - Checks processor information in registry
    PID:3924
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5268 -childID 3 -isForBrowser -prefsHandle 5224 -prefMapHandle 5252 -prefsLen 27035 -prefMapSize 244628 -jsInitHandle 964 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8ea5acf0-dd74-4c6d-9a99-c0e9525ae6d6} 5108 "\\.\pipe\gecko-crash-server-pipe.5108" tab
    3⤵
    PID:5504
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5500 -childID 4 -isForBrowser -prefsHandle 5224 -prefMapHandle 5252 -prefsLen 27035 -prefMapSize 244628 -jsInitHandle 964 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {538f5db6-d101-44d0-b99c-7769f1c985a5} 5108 "\\.\pipe\gecko-crash-server-pipe.5108" tab
    3⤵
    PID:5588
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5644 -childID 5 -isForBrowser -prefsHandle 5652 -prefMapHandle 5656 -prefsLen 27035 -prefMapSize 244628 -jsInitHandle 964 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7d24754f-7670-4bcb-a465-3749721c68ab} 5108 "\\.\pipe\gecko-crash-server-pipe.5108" tab
    3⤵
    PID:5636
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5024 -childID 6 -isForBrowser -prefsHandle 4936 -prefMapHandle 4820 -prefsLen 27114 -prefMapSize 244628 -jsInitHandle 964 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {bbfb7f33-dcb2-4df6-b0f7-0d6cb09b29e4} 5108 "\\.\pipe\gecko-crash-server-pipe.5108" tab
    3⤵
    PID:216

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7MUY0MzUzOTEtQjhFNi00QUE2LUFBQjYtQkFCQTZDQ0RDREMyfSIgdXNlcmlkPSJ7MzY0QjgxNTQtODI4NS00NEFCLTlCOEYtNTE3NUI3MDk5QjMyfSIgaW5zdGFsbHNvdXJjZT0ibGltaXRlZCIgcmVxdWVzdGlkPSJ7QzQ5RTNDMzEtNzUzMy00QTEwLTg5RjUtRDZDMkZFMTUyRDQzfSIgZGVkdXA9ImNyIiBkb21haW5qb2luZWQ9IjAiPjxodyBsb2dpY2FsX2NwdXM9IjIiIHBoeXNtZW1vcnk9IjQiIGRpc2tfdHlwZT0iMiIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4xOTA0NC40NTI5IiBzcD0iIiBhcmNoPSJ4NjQiIHByb2R1Y3RfdHlwZT0iMTI1IiBpc193aXA9IjAiIGlzX2luX2xvY2tkb3duX21vZGU9IjAiLz48b2VtIHByb2R1Y3RfbWFudWZhY3R1cmVyPSIiIHByb2R1Y3RfbmFtZT0iIi8-PGV4cCBldGFnPSImcXVvdDtyNDUydDErazJUZ3EvSFh6anZGTkJSaG9wQldSOXNialh4cWVVREg5dVgwPSZxdW90OyIvPjxhcHAgYXBwaWQ9Ins4QTY5RDM0NS1ENTY0LTQ2M2MtQUZGMS1BNjlEOUU1MzBGOTZ9IiB2ZXJzaW9uPSIxMjMuMC42MzEyLjEyMyIgbmV4dHZlcnNpb249IiIgbGFuZz0iZW4iIGJyYW5kPSJHR0xTIiBjbGllbnQ9IiIgaW5zdGFsbGFnZT0iMyIgaW5zdGFsbGRhdGV0aW1lPSIxNzM5MjY5OTk1IiBvb2JlX2luc3RhbGxfdGltZT0iMTMzODM3NDE5ODgwODMwMDAwIj48ZXZlbnQgZXZlbnR0eXBlPSIzMSIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMjE3OTg2MiIgc3lzdGVtX3VwdGltZV90aWNrcz0iNTQxOTExMzQ0MiIvPjwvYXBwPjwvcmVxdWVzdD4
1⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
PID:5996

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5376

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\LBLeak\Build.bat" "
1⤵
PID:5784
- C:\Users\Admin\Downloads\LBLeak\keygen.exe
  keygen -path C:\Users\Admin\Downloads\LBLeak\Build -pubkey pub.key -privkey priv.key
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5732
- C:\Users\Admin\Downloads\LBLeak\builder.exe
  builder -type dec -privkey C:\Users\Admin\Downloads\LBLeak\Build\priv.key -config config.json -ofile C:\Users\Admin\Downloads\LBLeak\Build\LB3Decryptor.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5292
- C:\Users\Admin\Downloads\LBLeak\builder.exe
  builder -type enc -exe -pubkey C:\Users\Admin\Downloads\LBLeak\Build\pub.key -config config.json -ofile C:\Users\Admin\Downloads\LBLeak\Build\LB3.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:6048
- C:\Users\Admin\Downloads\LBLeak\builder.exe
  builder -type enc -exe -pass -pubkey C:\Users\Admin\Downloads\LBLeak\Build\pub.key -config config.json -ofile C:\Users\Admin\Downloads\LBLeak\Build\LB3_pass.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:6044
- C:\Users\Admin\Downloads\LBLeak\builder.exe
  builder -type enc -dll -pubkey C:\Users\Admin\Downloads\LBLeak\Build\pub.key -config config.json -ofile C:\Users\Admin\Downloads\LBLeak\Build\LB3_Rundll32.dll
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3836
- C:\Users\Admin\Downloads\LBLeak\builder.exe
  builder -type enc -dll -pass -pubkey C:\Users\Admin\Downloads\LBLeak\Build\pub.key -config config.json -ofile C:\Users\Admin\Downloads\LBLeak\Build\LB3_Rundll32_pass.dll
  2⤵
  - System Location Discovery: System Language Discovery
  PID:6136
- C:\Users\Admin\Downloads\LBLeak\builder.exe
  builder -type enc -ref -pubkey C:\Users\Admin\Downloads\LBLeak\Build\pub.key -config config.json -ofile C:\Users\Admin\Downloads\LBLeak\Build\LB3_ReflectiveDll_DllMain.dll
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2000

C:\Users\Admin\Downloads\LBLeak\builder.exe
"C:\Users\Admin\Downloads\LBLeak\builder.exe"
1⤵
- System Location Discovery: System Language Discovery
PID:6000

C:\Users\Admin\Downloads\LBLeak\builder.exe
"C:\Users\Admin\Downloads\LBLeak\builder.exe"
1⤵
PID:4676

C:\Users\Admin\Downloads\LBLeak\builder.exe
"C:\Users\Admin\Downloads\LBLeak\builder.exe"
1⤵
PID:3360

C:\Users\Admin\Downloads\LBLeak\keygen.exe
"C:\Users\Admin\Downloads\LBLeak\keygen.exe"
1⤵
- System Location Discovery: System Language Discovery
PID:2632

C:\Users\Admin\Downloads\LBLeak\keygen.exe
"C:\Users\Admin\Downloads\LBLeak\keygen.exe"
1⤵
PID:4364

C:\Users\Admin\Downloads\LBLeak\keygen.exe
"C:\Users\Admin\Downloads\LBLeak\keygen.exe"
1⤵
PID:268

C:\Users\Admin\Downloads\LBLeak\keygen.exe
"C:\Users\Admin\Downloads\LBLeak\keygen.exe"
1⤵
PID:2156

C:\Users\Admin\Downloads\LBLeak\builder.exe
"C:\Users\Admin\Downloads\LBLeak\builder.exe"
1⤵
PID:1184

C:\Users\Admin\Downloads\LBLeak\builder.exe
"C:\Users\Admin\Downloads\LBLeak\builder.exe"
1⤵
PID:4760

C:\Users\Admin\Downloads\LBLeak\builder.exe
"C:\Users\Admin\Downloads\LBLeak\builder.exe"
1⤵
PID:5036

C:\Users\Admin\Downloads\LBLeak\builder.exe
"C:\Users\Admin\Downloads\LBLeak\builder.exe"
1⤵
PID:4052

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\Downloads\LBLeak\Build.bat"
1⤵
PID:4560
- C:\Users\Admin\Downloads\LBLeak\keygen.exe
  keygen -path C:\Users\Admin\Downloads\LBLeak\Build -pubkey pub.key -privkey priv.key
  2⤵
  PID:1140
- C:\Users\Admin\Downloads\LBLeak\builder.exe
  builder -type dec -privkey C:\Users\Admin\Downloads\LBLeak\Build\priv.key -config config.json -ofile C:\Users\Admin\Downloads\LBLeak\Build\LB3Decryptor.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1044
- C:\Users\Admin\Downloads\LBLeak\builder.exe
  builder -type enc -exe -pubkey C:\Users\Admin\Downloads\LBLeak\Build\pub.key -config config.json -ofile C:\Users\Admin\Downloads\LBLeak\Build\LB3.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1804
- C:\Users\Admin\Downloads\LBLeak\builder.exe
  builder -type enc -exe -pass -pubkey C:\Users\Admin\Downloads\LBLeak\Build\pub.key -config config.json -ofile C:\Users\Admin\Downloads\LBLeak\Build\LB3_pass.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5160
- C:\Users\Admin\Downloads\LBLeak\builder.exe
  builder -type enc -dll -pubkey C:\Users\Admin\Downloads\LBLeak\Build\pub.key -config config.json -ofile C:\Users\Admin\Downloads\LBLeak\Build\LB3_Rundll32.dll
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5128
- C:\Users\Admin\Downloads\LBLeak\builder.exe
  builder -type enc -dll -pass -pubkey C:\Users\Admin\Downloads\LBLeak\Build\pub.key -config config.json -ofile C:\Users\Admin\Downloads\LBLeak\Build\LB3_Rundll32_pass.dll
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2448
- C:\Users\Admin\Downloads\LBLeak\builder.exe
  builder -type enc -ref -pubkey C:\Users\Admin\Downloads\LBLeak\Build\pub.key -config config.json -ofile C:\Users\Admin\Downloads\LBLeak\Build\LB3_ReflectiveDll_DllMain.dll
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5416

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\gscu8qjs.default-release\activity-stream.discovery_stream.json.tmp

Filesize
21KB

MD5
df78268e7a990badff887863253e4800

SHA1
514a52734250da8df8b0cd3f54eca946a7b1563f

SHA256
51a4b3ad6aed850f822187425e17de1de07c20dcac75cb7635048a04b70510bf

SHA512
77961fc8e03f169ae53b6002547cfd8aed6b0310e98598e2686b4701883fb91b97b98a08e19facf7327bed9d0a28fb7c8d07e34b86344fb154e3dbadcf61de58

Download Submit
C:\Users\Admin\AppData\Local\Temp\LBLeak\Build\priv.key

Filesize
344B

MD5
8790482984443ac0e276e931128a5978

SHA1
dbec21ec5405f154397c79005674720bb128f0aa

SHA256
007c89deaba91a5daae9b823779a28291d470a2a56f7841fad51d5273fd9b257

SHA512
c2cdb69bd3a8a3bbf6c391493adf14ff794ffce525dae1eef5c4fde3e2ec25071eaf74a07de4e2058db3c03a6b658056775ecc8b2c67011d73b6b61af4492557

Download Submit
C:\Users\Admin\AppData\Local\Temp\LBLeak\Build\pub.key

Filesize
344B

MD5
76caf62bb0f67b9afee1d5ec0e87f540

SHA1
db6d161e0f0020037c7d4c743a07de305c0dc985

SHA256
6c7d7b5def21933526c4907f4783b829c65db2f9a71c5c1bdb21c4928b16224b

SHA512
b2abff5ec3000e2ec70725ec2d7acc8407d19f94a841d0c206bddd5f317bcf4089cdccccd46ff688cd30943df68e2a76a045bbc0dd3ace206af9bde79b4c7394

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
479KB

MD5
09372174e83dbbf696ee732fd2e875bb

SHA1
ba360186ba650a769f9303f48b7200fb5eaccee1

SHA256
c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f

SHA512
b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

Filesize
13.8MB

MD5
0a8747a2ac9ac08ae9508f36c6d75692

SHA1
b287a96fd6cc12433adb42193dfe06111c38eaf0

SHA256
32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03

SHA512
59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\gscu8qjs.default-release\AlternateServices.bin

Filesize
8KB

MD5
dad6dadb4a0c89e27b6c165bfb14ef73

SHA1
a02d6b78fbfbff607e212f392a3192a058980c25

SHA256
d01c82e10e7d6d1381f1caf86292376f793506fa6af9f4c3bc0113bdf5f0f38f

SHA512
afe9c01bbe2f806444e5e9de55d6a2654dc2c0334bdd0656162f66d8e05118e8bef54c87b825ec3c3f2db97dcd2c4c9163afa3df65216a443732f110773ef5b5

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\gscu8qjs.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
041eb23c722c7a143d6066386c0f2181

SHA1
3d61bdd5479ee27f363b052b51583870fbb413c2

SHA256
2ff33a5fdbd0c1cab789b4709092e7d8666f406da0fd4e27ceaa2cd400581d02

SHA512
7931b8b51070d236fadb8314cf358b76627acc5c96b32ff493bcd12d4684bd10703db9b7c791819ac206632f8b1c33e83eb3facee01470043074ae6e47edb18e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\gscu8qjs.default-release\datareporting\glean\db\data.safe.tmp

Filesize
6KB

MD5
fd89ecebc8de4246bd8866b37b0dc3b5

SHA1
191e2d05ccff14c2a362ca0e93c10445d102c91a

SHA256
f1563cee22f3d9378ddcf134c3c10076538f073ba45da88a5573d0c5ec1fe650

SHA512
c4544062ba74ffdf1028410715581a1cbd4a804dcb02a1902e4e76f5fbe91e20fd4ca2fde31957a99afe5ed3b994c9adf8f7aa0eb462b9a5815e1064d9daf554

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\gscu8qjs.default-release\datareporting\glean\db\data.safe.tmp

Filesize
6KB

MD5
4e3d3b563e96bf7e2a7796abde8b3a2d

SHA1
8181cca5c40841b5286af08988c0f5853c9e25a2

SHA256
4241e6797dec257469666239606824c4addf43f4826a9434b4a879e1a40097ac

SHA512
a0d75a150908a377cf652919c8f4d3b6feb3dc947f55b4c5fc0208af0a8053771f422ea2408024c4bfe81074a672f8f1dc1b6b0c6f8504db7f6bd68d35bffeb6

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\gscu8qjs.default-release\datareporting\glean\db\data.safe.tmp

Filesize
14KB

MD5
bbdd39035087ed157d4bb046f47429b1

SHA1
966fbbd191aeef65b8938fc62b708304b7c33895

SHA256
a0224964747033b100ac621341c1832ceb202c30bf8e99524d0ed68c82011c2c

SHA512
de03e5106c0f7acd57502ba4873fbb8bde04472ad9ae5acd4bc3692b932467b5d063da56e2b6b259ddd5bb0e465f16cbb60fd8af9cb263e67d409db18a968055

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\gscu8qjs.default-release\datareporting\glean\pending_pings\0a21b1dc-fe22-465b-a9b9-0a9153f0f82b

Filesize
25KB

MD5
c73b4195a877ef780d13cb4a7cff7509

SHA1
b609b683a02fa628327a1f352deb2c7272170b76

SHA256
86e21422e390ea1e80af96ab068a5e9fbaa363ee3bce71d4f494cfc13497deb2

SHA512
d9251f058f23c0c378f05af0960c9a6319cf62b2a7a248e3c966967fc09d5d6a5ff21d45f6662b685f18a8917e0f9f395f42bb37eecf5f2c4f61312b6b153503

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\gscu8qjs.default-release\datareporting\glean\pending_pings\561e7309-3f00-4f97-9349-1764dff6f05f

Filesize
982B

MD5
4ada0800860ff2eca41408dc9288b829

SHA1
c6ebf257c56fb7a1cef7c48efcaec8cc5feb06ea

SHA256
7b028ad132661f9bb58101b25501fa6cfc99ed28a2ff1698f1c8b40a28eaaf2f

SHA512
ed10dbb07ae5e1b4709494fa23065d67f484eb093fa9243dabdc7ecca44d6d10aa6acc9aa68be6222cbdef174f0a187a3b0c27631ea40fcb9b0514dab9d2e38f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\gscu8qjs.default-release\datareporting\glean\pending_pings\8ebcc427-0e64-4658-92c8-2a71d4163ea0

Filesize
671B

MD5
e505e1d3ec59c15a7a8a0d3123ad0fec

SHA1
5ba1217487ffcd22d823435b9700c2614a303d2b

SHA256
3c446adfe66215640583d2d82cb867e51863b0e48902615306b0123cdd4410b6

SHA512
8d42892e2c57492e6b5d5e590dbb952bc0d4337b230615e1f8ce4f886e4645061ec7628e3e9a6bdf55b3181e54b1c54c1532ae82ee33396e0e3f43453342860d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\gscu8qjs.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

Filesize
1.1MB

MD5
842039753bf41fa5e11b3a1383061a87

SHA1
3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153

SHA256
d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c

SHA512
d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\gscu8qjs.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

Filesize
116B

MD5
2a461e9eb87fd1955cea740a3444ee7a

SHA1
b10755914c713f5a4677494dbe8a686ed458c3c5

SHA256
4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc

SHA512
34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\gscu8qjs.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

Filesize
372B

MD5
bf957ad58b55f64219ab3f793e374316

SHA1
a11adc9d7f2c28e04d9b35e23b7616d0527118a1

SHA256
bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda

SHA512
79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\gscu8qjs.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

Filesize
17.8MB

MD5
daf7ef3acccab478aaa7d6dc1c60f865

SHA1
f8246162b97ce4a945feced27b6ea114366ff2ad

SHA256
bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e

SHA512
5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\gscu8qjs.default-release\prefs-1.js

Filesize
10KB

MD5
8f2b690595a2891d1c466bb422780a7a

SHA1
48ff34d66c7314c074e049ab3e0849e2e7c23f48

SHA256
b1e626c82b38fc7f5d48e9b19fbb7434c01498f398c31a67f62cd626c7ca3f7d

SHA512
2bb08080111f3b1ddbbe348ba1d971b06a4b181115040868af87903aec73b85dad24d9e47243f6e861426c19326359218e98f51e23cbfc0137d141dde737716b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\gscu8qjs.default-release\prefs.js

Filesize
9KB

MD5
24296a815398155140459a759457e6bc

SHA1
ddcd25673e80b47dc244c07a8898aa0c810da97c

SHA256
4ba16913a9d68cb1320642f08c799bf689e349ecfce3e96ea8bedeba88d0395f

SHA512
7b3f63176540f88f4e897c20d3666aca4e2d4c83ead195c2dadab6aac28726f0eeae43845c8929843fbfe2cb45efa4d88591beb51be623b20b933802774e45f7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\gscu8qjs.default-release\prefs.js

Filesize
9KB

MD5
d00e84f9e0d9d44f715d8d3002129239

SHA1
767d01a4a7d5b8a149c488314fe745422b138cb8

SHA256
2dc86db78a3407fe4d8a021417e360062a879cbdd8ae2570569f4eec58fc2adc

SHA512
96cfc45e50648642f3305fe060299e1db89a77655b2a152a06226aa901c1aafd5022c1d789d52cba2b40007fc32f334319c9bf505a9911fbdaff302a3406b06f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\gscu8qjs.default-release\prefs.js

Filesize
10KB

MD5
2ec4efbc29a2b533c7f95e88d160bb49

SHA1
e3b17612aa2b6b9ef5d95c2199448b642a549d7e

SHA256
067150651e01e4729e03418786ce559b592199a42482525401662065bd34db4a

SHA512
7e5fd93254d956da09401dac7c3f90ca4c2e4318fcb716b4fe2a4135f55c8a6c015fcc8be73ea11f5efde2fade2728e9f105c7ee362b22fcf7cad0a4411a79b3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\gscu8qjs.default-release\sessionstore-backups\recovery.baklz4

Filesize
1KB

MD5
4b83bfe3fd5e8b66ac6b6c72e2179040

SHA1
e69490633d8c3bfce6a3d3d992dcc6b4274ab197

SHA256
9d01ed769b53be2c8c2ccb146c19c5fc4dd8568ad8a59977442e9680f6138e19

SHA512
d4b9a002594d04231bb6675f20f33ef48d9c896ca9464641169afd5d99fdf47054e775b612ead3e116e185fffe07bda82cb9a5a0a2a01ed616ce6ac9a9ac9477

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\gscu8qjs.default-release\sessionstore-backups\recovery.baklz4

Filesize
2KB

MD5
5669095b53e0192725aa9234b0009af1

SHA1
e2bc826ba8a2141f6672d7eb859083118cad0eeb

SHA256
f42248e4df1a039e40c4d65e8fe80b9742c428df90b88641036bc82d5efa4abe

SHA512
f0bbf5a268b33a2ab810336432d3c768cdab254488de7044d2d65a7a5ac3c2d3a75d1bbb4e3641e21918116d0a696fe61652d8e09ccc7f2d387caf8349667b53

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\gscu8qjs.default-release\sessionstore-backups\recovery.baklz4

Filesize
14KB

MD5
16dfb752cb6d3c48e37e69cb00077797

SHA1
24bfce372cbfcb66b506a814e67ed1b89839741e

SHA256
871c289fbb38493a1b8c3f3430d7a922dc6aec4d73c9a6c1f8f61a68b3234f88

SHA512
1d4897315fef9bbb293bee97d881ee95d7ba881068dcea05a691d8e7fd26957f41df82547668553857f9c476f7a616c4c12a8f2db2c477f8fc69760e5b286c56

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\gscu8qjs.default-release\sessionstore-backups\recovery.baklz4

Filesize
2KB

MD5
f67cfa52085361effec26d5df90838f5

SHA1
2c9fbe0af23752423a407bfd152ad1d568f4b857

SHA256
8a10fa1f7524f170e6e30bb5cfbbd3ed08545a45763875f121b1225b2fd9c9a4

SHA512
42033316ea51b6a474ebb3d2ae0c24caeda9abf91735bc088c94e9c7003a96977acbd35c3ce74bc9cc2ac108d8f62f7383700e79fb9f15032beff2e3f5d82c24

Download Submit
C:\Users\Admin\Downloads\LBLeak.tJqM2PiN.zip.part

Filesize
292KB

MD5
2e2b742c193749a0a4980c884e0688c2

SHA1
d077620634960e6ac82706970db2158bb6198874

SHA256
744214bbe4ab445a2778cc66eb4a8a5b64673b245cfbf3500e14ed70f5906ef1

SHA512
dd8e846008ba3327a37393141f4719ff92c06b5bdfcdbad6e2cbc49c1bfb679b0c5cd315b14a7e4ab36cc0c593b1001b536cd5d6e603312c5675b9d666f0381d

Download Submit
C:\Users\Admin\Downloads\LBLeak\Build\DECRYPTION_ID.txt

Filesize
16B

MD5
52401cf56af0c10bbb574f2bb71c4896

SHA1
cda309d94662f383b4dcd78313bbe75cad4821ac

SHA256
e98a77f6da2a9aa06b9bf3560c9f55ae2668c74c1e808587b7ab84f3a37da06e

SHA512
c9776f98ad85f3201c7c30beb0a080ff2390a9810e4449150a265631bd9fd6bc0163d6a0693596a55f6a0a1070332dcecc9207dad3629a6b73337c39f845b520

Download Submit
C:\Users\Admin\Downloads\LBLeak\Build\LB3.exe

Filesize
153KB

MD5
8c23a42efcdc664c65fcaa5ea5ddf412

SHA1
b59eb8c130827e1b6fb31b467794cc736cfa5482

SHA256
5ba70f10b73c0ea4e2c7faa3f2113cc3c38780177bbf3e4b4a6c746e44cad195

SHA512
68fa25813b7bb9cc344bd2abb34be7b08238df755ace6c326da3f41074843579abf8c5b9354881078d91f0b5a9190f0b267653741dc66c0396d4b866c8142932

Download Submit
C:\Users\Admin\Downloads\LBLeak\Build\LB3Decryptor.exe

Filesize
54KB

MD5
95f0de20bf5311afbcfdd1822a92deae

SHA1
db39750e571ce47ce4da11446b1bcd850c32369b

SHA256
8fdd05d9be3fef97970a4b0b1e3729690e21de181283850893ebe650d7a9b514

SHA512
d78de29da28f37875e26a5f92267e96423e6f9711cf9979c46298e676eb34145141517d73ff084d73536577fb1f381dc59838871ec190111b50295aff849e196

Download Submit
C:\Users\Admin\Downloads\LBLeak\Build\LB3_ReflectiveDll_DllMain.dll

Filesize
107KB

MD5
c2f0e1144252e4223da96a2fbbe2c53c

SHA1
48a62306bc73fddf8738919519256620c16396d6

SHA256
21de344bf2af894deca24395a7e2f9204a016ccc98b251ab85e99dca1742c271

SHA512
ad0acf22a6e885b5f0bbb1732cff54e8b70819568457eccd092bceebd9e30803a5c13e4026b9a9afd2bcbfdb0dd7d853a8878a6b4bc8e254d647818d7156a2ba

Download Submit
C:\Users\Admin\Downloads\LBLeak\Build\LB3_Rundll32.dll

Filesize
152KB

MD5
39ab487f108c29fd3af66d2d0fb9da70

SHA1
e84932921e8937d3137a12ec28fc14690a9da823

SHA256
bd6f24cd9dd333cbfc26efb9066a12afcf2908ea8333cbec2edf86c4520e1bc2

SHA512
2e7c93c2e86673877e071e08f0a968e59a0b311b3e06517621254c7bf40fa9b1f2f15531531d5c3d631b416f6ff4ceba2b6f215cfce3be4de55bf003612f840d

Download Submit
C:\Users\Admin\Downloads\LBLeak\Build\LB3_Rundll32_pass.dll

Filesize
148KB

MD5
06109097cd01abf0f44b4518a6024c0d

SHA1
a3067c8294c32496f1bada4787c1b0bdb602c9af

SHA256
4f5e433b6a19515a0140a5f5a40b55ff2be726a2ff58ddc2c7f7b3932bc379c0

SHA512
0b3b486c897a55e3c17937df6006629a11487372566688d0c750ae6d6f6125579e448cb83726c208785a4649b9514986cbe3862421f16793f0f900069ebda1dc

Download Submit
C:\Users\Admin\Downloads\LBLeak\Build\LB3_pass.exe

Filesize
149KB

MD5
7d7abd1456c57cd10fadea94dde87564

SHA1
8d020df2fbd66b17a1659fa92be46289f7db379c

SHA256
4341f67b69052639a3cbb262cd8e1c76402c11fc515d1ec3d7547f67f5d57a92

SHA512
de2cbbb795ca5665c3fa71c2605afa47171e05e21dc2379b2a8b5c6696c5b1ca9f4e103c4ae16c4ed6b9fab8a1202b34056a7b351f87b15edba5d0d776e390f4

Download Submit
C:\Users\Admin\Downloads\LBLeak\Build\Password_dll.txt

Filesize
1KB

MD5
227c521fee4055c0e8ab68904d969713

SHA1
f162cfdab8d562402748ae0d5d75f61a6fbfa9c3

SHA256
2f74bcd82a10d3c40d0bfd3a35c7ab4cbd11175eac9f4944e4c7841da3052736

SHA512
da5b77f16d41d4d1f6ccd5b0237ba4546400ad5d92cadf979ff7c56e433103f67c7e79bf6707b5c7a05422ab6c1fec07aa0d0ae5faf3226944b10205a9c4e086

Download Submit
C:\Users\Admin\Downloads\LBLeak\Build\Password_exe.txt

Filesize
2KB

MD5
f2f345e3b06513f1c42c243d266befc5

SHA1
dd6eb9c92556c99edf790dc35541dc252d5194ae

SHA256
a33a86455ca1f07824f5fc000564e537a21d23f024d2c5e129153e708a3d8c64

SHA512
cd6c0059c39122cd4086c763ea76021e8bbd7c9506c1ab605c75e2270fe130a5b22c327d82a114c31fbd6905a079922d8b3de7cb9db945fd6c062f65de4c5e14

Download Submit
C:\Users\Admin\Downloads\LBLeak\Build\priv.key

Filesize
344B

MD5
fdf3e8443f2087b3ee3453aea0be0cd9

SHA1
ab3975cb0d85b0e70361d37cf3b92a9f8c3ba0ba

SHA256
86b4f8607dea56a1e8675bedf63ea81c85cdf5af3cca9d6bf2dd4a3a426735c8

SHA512
c3198d8f30476fcfd459d19175f08eb7cf6649610fc7646e6742251db325752c0d0ae1d927f65311189b439619c7470d5ac15782d91214a176bc63dd86c57e81

Download Submit
C:\Users\Admin\Downloads\LBLeak\Build\priv.key

Filesize
344B

MD5
4e72c135389532bb8b4a6e368347ad6f

SHA1
9c82b6d8b4ad027edcc1bb281ab5775cb52ef8c8

SHA256
198d3f18419fab0fc4af3d6b7bad8233b3e9f1d197479474dd2975475a18e820

SHA512
041ac89fa6a0566aa34223c085928f2b281503a64235054da7d210d5868540565bd150a15649c61ee7c7bd2100340d125cb22b24f95be819c5a8178dfb0d4739

Download Submit
C:\Users\Admin\Downloads\LBLeak\Build\pub.key

Filesize
344B

MD5
4f870a9128cd20126eca067067ae7382

SHA1
d69572b44650327c17f49c367fba81fd691ef72f

SHA256
88876853777161909230db0d937064b90b3f8a671187751701d7dcbd38000636

SHA512
e9aa263c4eb1031f42a0cb8cb331fa330c55a924d185061271ffdf2e1274c19d69b8ac5335239509c45eb34f3cdfa482f1a3b127243cee59e488a90127eb2716

Download Submit
C:\Users\Admin\Downloads\LBLeak\Build\pub.key

Filesize
344B

MD5
f4047c27f4b53e6b5aa334c3525893c8

SHA1
7cedf27baf56a2b63f35166e9254b6c82d24af09

SHA256
7a6fd648ef6cefd4ac838373b5e4863796b00bbdca48c68c25f3ccda69eda977

SHA512
78ed0c42f021c2a27ef549ac20bfe7f011d6ca7cdda06c910a6452a2239806e6b0ee3fa7a62826083d5c57dc85d8e4b84dfaabc83076013041a48bc29f912064

Download Submit