vidar | hxxps://github[.]com/download-8748/Fortnite

Analysis

max time kernel
188s
max time network
189s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
05-02-2025 11:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/download-8748/Fortnite

Score

10^/10

vidar discovery execution stealer

Malware Config

Extracted

Family

vidar

https://t.me/sok33tn

https://steamcommunity.com/profiles/76561199824159981

Attributes

user_agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:136.0) Gecko/20100101 Firefox/136.0

Signatures

Detect Vidar Stealer 1 IoCs

stealer

resource	yara_rule
behavioral1/memory/1732-376-0x0000000000400000-0x0000000000422000-memory.dmp	family_vidar_v7

Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Vidar family
vidar

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
4956	powershell.exe
3868	powershell.exe

Downloads MZ/PE file 2 IoCs

flow	pid	Process
46	32	Installer.exe
57	4088	Installer.exe

Executes dropped EXE 2 IoCs

pid	Process
4540	lem.exe
2076	lem.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 6 IoCs

Web Service

T1102

flow	ioc
15	camo.githubusercontent.com
16	camo.githubusercontent.com
28	href.li
32	href.li
33	href.li
14	camo.githubusercontent.com

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4540 set thread context of 1732	4540	lem.exe	105

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lem.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lem.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BitLockerToGo.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133832296840776128"	chrome.exe

Modifies registry class 6 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\Local Settings	chrome.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	BackgroundTransferHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	BackgroundTransferHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	BackgroundTransferHost.exe
Key created	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\Local Settings\MuiCache	BackgroundTransferHost.exe
Key created	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\Local Settings	OpenWith.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\prem_V0.5.0.2Lt.zip:Zone.Identifier	chrome.exe

Opens file in notepad (likely ransom note) 2 IoCs

ransomware

pid	Process
1284	NOTEPAD.EXE
2196	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
3684	chrome.exe
3684	chrome.exe
4956	powershell.exe
4956	powershell.exe
4416	chrome.exe
4416	chrome.exe
4416	chrome.exe
4416	chrome.exe
3868	powershell.exe
3868	powershell.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
3684	chrome.exe
3684	chrome.exe
3684	chrome.exe
3684	chrome.exe
3684	chrome.exe
3684	chrome.exe
3684	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3684	chrome.exe
Token: SeCreatePagefilePrivilege	3684	chrome.exe
Token: SeShutdownPrivilege	3684	chrome.exe
Token: SeCreatePagefilePrivilege	3684	chrome.exe
Token: SeShutdownPrivilege	3684	chrome.exe
Token: SeCreatePagefilePrivilege	3684	chrome.exe
Token: SeShutdownPrivilege	3684	chrome.exe
Token: SeCreatePagefilePrivilege	3684	chrome.exe
Token: SeShutdownPrivilege	3684	chrome.exe
Token: SeCreatePagefilePrivilege	3684	chrome.exe
Token: SeShutdownPrivilege	3684	chrome.exe
Token: SeCreatePagefilePrivilege	3684	chrome.exe
Token: SeShutdownPrivilege	3684	chrome.exe
Token: SeCreatePagefilePrivilege	3684	chrome.exe
Token: SeShutdownPrivilege	3684	chrome.exe
Token: SeCreatePagefilePrivilege	3684	chrome.exe
Token: SeShutdownPrivilege	3684	chrome.exe
Token: SeCreatePagefilePrivilege	3684	chrome.exe
Token: SeShutdownPrivilege	3684	chrome.exe
Token: SeCreatePagefilePrivilege	3684	chrome.exe
Token: SeShutdownPrivilege	3684	chrome.exe
Token: SeCreatePagefilePrivilege	3684	chrome.exe
Token: SeShutdownPrivilege	3684	chrome.exe
Token: SeCreatePagefilePrivilege	3684	chrome.exe
Token: SeShutdownPrivilege	3684	chrome.exe
Token: SeCreatePagefilePrivilege	3684	chrome.exe
Token: SeShutdownPrivilege	3684	chrome.exe
Token: SeCreatePagefilePrivilege	3684	chrome.exe
Token: SeShutdownPrivilege	3684	chrome.exe
Token: SeCreatePagefilePrivilege	3684	chrome.exe
Token: SeShutdownPrivilege	3684	chrome.exe
Token: SeCreatePagefilePrivilege	3684	chrome.exe
Token: SeShutdownPrivilege	3684	chrome.exe
Token: SeCreatePagefilePrivilege	3684	chrome.exe
Token: SeShutdownPrivilege	3684	chrome.exe
Token: SeCreatePagefilePrivilege	3684	chrome.exe
Token: SeShutdownPrivilege	3684	chrome.exe
Token: SeCreatePagefilePrivilege	3684	chrome.exe
Token: SeShutdownPrivilege	3684	chrome.exe
Token: SeCreatePagefilePrivilege	3684	chrome.exe
Token: SeShutdownPrivilege	3684	chrome.exe
Token: SeCreatePagefilePrivilege	3684	chrome.exe
Token: SeShutdownPrivilege	3684	chrome.exe
Token: SeCreatePagefilePrivilege	3684	chrome.exe
Token: SeShutdownPrivilege	3684	chrome.exe
Token: SeCreatePagefilePrivilege	3684	chrome.exe
Token: SeShutdownPrivilege	3684	chrome.exe
Token: SeCreatePagefilePrivilege	3684	chrome.exe
Token: SeShutdownPrivilege	3684	chrome.exe
Token: SeCreatePagefilePrivilege	3684	chrome.exe
Token: SeShutdownPrivilege	3684	chrome.exe
Token: SeCreatePagefilePrivilege	3684	chrome.exe
Token: SeShutdownPrivilege	3684	chrome.exe
Token: SeCreatePagefilePrivilege	3684	chrome.exe
Token: SeShutdownPrivilege	3684	chrome.exe
Token: SeCreatePagefilePrivilege	3684	chrome.exe
Token: SeShutdownPrivilege	3684	chrome.exe
Token: SeCreatePagefilePrivilege	3684	chrome.exe
Token: SeShutdownPrivilege	3684	chrome.exe
Token: SeCreatePagefilePrivilege	3684	chrome.exe
Token: SeShutdownPrivilege	3684	chrome.exe
Token: SeCreatePagefilePrivilege	3684	chrome.exe
Token: SeShutdownPrivilege	3684	chrome.exe
Token: SeCreatePagefilePrivilege	3684	chrome.exe

Suspicious use of FindShellTrayWindow 40 IoCs

pid	Process
3684	chrome.exe
3684	chrome.exe
3684	chrome.exe
3684	chrome.exe
3684	chrome.exe
3684	chrome.exe
3684	chrome.exe
3684	chrome.exe
3684	chrome.exe
3684	chrome.exe
3684	chrome.exe
3684	chrome.exe
3684	chrome.exe
3684	chrome.exe
3684	chrome.exe
3684	chrome.exe
3684	chrome.exe
3684	chrome.exe
3684	chrome.exe
3684	chrome.exe
3684	chrome.exe
3684	chrome.exe
3684	chrome.exe
3684	chrome.exe
3684	chrome.exe
3684	chrome.exe
3684	chrome.exe
3684	chrome.exe
3684	chrome.exe
3684	chrome.exe
3684	chrome.exe
3684	chrome.exe
3684	chrome.exe
3684	chrome.exe
3684	chrome.exe
3684	chrome.exe
3684	chrome.exe
3684	chrome.exe
3684	chrome.exe
3684	chrome.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
3684	chrome.exe
3684	chrome.exe
3684	chrome.exe
3684	chrome.exe
3684	chrome.exe
3684	chrome.exe
3684	chrome.exe
3684	chrome.exe
3684	chrome.exe
3684	chrome.exe
3684	chrome.exe
3684	chrome.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4616	OpenWith.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3684 wrote to memory of 2064	3684	chrome.exe	78
PID 3684 wrote to memory of 2064	3684	chrome.exe	78
PID 3684 wrote to memory of 848	3684	chrome.exe	79
PID 3684 wrote to memory of 848	3684	chrome.exe	79
PID 3684 wrote to memory of 848	3684	chrome.exe	79
PID 3684 wrote to memory of 848	3684	chrome.exe	79
PID 3684 wrote to memory of 848	3684	chrome.exe	79
PID 3684 wrote to memory of 848	3684	chrome.exe	79
PID 3684 wrote to memory of 848	3684	chrome.exe	79
PID 3684 wrote to memory of 848	3684	chrome.exe	79
PID 3684 wrote to memory of 848	3684	chrome.exe	79
PID 3684 wrote to memory of 848	3684	chrome.exe	79
PID 3684 wrote to memory of 848	3684	chrome.exe	79
PID 3684 wrote to memory of 848	3684	chrome.exe	79
PID 3684 wrote to memory of 848	3684	chrome.exe	79
PID 3684 wrote to memory of 848	3684	chrome.exe	79
PID 3684 wrote to memory of 848	3684	chrome.exe	79
PID 3684 wrote to memory of 848	3684	chrome.exe	79
PID 3684 wrote to memory of 848	3684	chrome.exe	79
PID 3684 wrote to memory of 848	3684	chrome.exe	79
PID 3684 wrote to memory of 848	3684	chrome.exe	79
PID 3684 wrote to memory of 848	3684	chrome.exe	79
PID 3684 wrote to memory of 848	3684	chrome.exe	79
PID 3684 wrote to memory of 848	3684	chrome.exe	79
PID 3684 wrote to memory of 848	3684	chrome.exe	79
PID 3684 wrote to memory of 848	3684	chrome.exe	79
PID 3684 wrote to memory of 848	3684	chrome.exe	79
PID 3684 wrote to memory of 848	3684	chrome.exe	79
PID 3684 wrote to memory of 848	3684	chrome.exe	79
PID 3684 wrote to memory of 848	3684	chrome.exe	79
PID 3684 wrote to memory of 848	3684	chrome.exe	79
PID 3684 wrote to memory of 848	3684	chrome.exe	79
PID 3684 wrote to memory of 1600	3684	chrome.exe	80
PID 3684 wrote to memory of 1600	3684	chrome.exe	80
PID 3684 wrote to memory of 2492	3684	chrome.exe	81
PID 3684 wrote to memory of 2492	3684	chrome.exe	81
PID 3684 wrote to memory of 2492	3684	chrome.exe	81
PID 3684 wrote to memory of 2492	3684	chrome.exe	81
PID 3684 wrote to memory of 2492	3684	chrome.exe	81
PID 3684 wrote to memory of 2492	3684	chrome.exe	81
PID 3684 wrote to memory of 2492	3684	chrome.exe	81
PID 3684 wrote to memory of 2492	3684	chrome.exe	81
PID 3684 wrote to memory of 2492	3684	chrome.exe	81
PID 3684 wrote to memory of 2492	3684	chrome.exe	81
PID 3684 wrote to memory of 2492	3684	chrome.exe	81
PID 3684 wrote to memory of 2492	3684	chrome.exe	81
PID 3684 wrote to memory of 2492	3684	chrome.exe	81
PID 3684 wrote to memory of 2492	3684	chrome.exe	81
PID 3684 wrote to memory of 2492	3684	chrome.exe	81
PID 3684 wrote to memory of 2492	3684	chrome.exe	81
PID 3684 wrote to memory of 2492	3684	chrome.exe	81
PID 3684 wrote to memory of 2492	3684	chrome.exe	81
PID 3684 wrote to memory of 2492	3684	chrome.exe	81
PID 3684 wrote to memory of 2492	3684	chrome.exe	81
PID 3684 wrote to memory of 2492	3684	chrome.exe	81
PID 3684 wrote to memory of 2492	3684	chrome.exe	81
PID 3684 wrote to memory of 2492	3684	chrome.exe	81
PID 3684 wrote to memory of 2492	3684	chrome.exe	81
PID 3684 wrote to memory of 2492	3684	chrome.exe	81
PID 3684 wrote to memory of 2492	3684	chrome.exe	81
PID 3684 wrote to memory of 2492	3684	chrome.exe	81
PID 3684 wrote to memory of 2492	3684	chrome.exe	81
PID 3684 wrote to memory of 2492	3684	chrome.exe	81
PID 3684 wrote to memory of 2492	3684	chrome.exe	81

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://github.com/download-8748/Fortnite
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3684
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd3662cc40,0x7ffd3662cc4c,0x7ffd3662cc58
  2⤵
  PID:2064
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2312,i,9123862388239704736,10586895118160106164,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2308 /prefetch:2
  2⤵
  PID:848
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1728,i,9123862388239704736,10586895118160106164,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2532 /prefetch:3
  2⤵
  PID:1600
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=1876,i,9123862388239704736,10586895118160106164,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2540 /prefetch:8
  2⤵
  PID:2492
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3076,i,9123862388239704736,10586895118160106164,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3112 /prefetch:1
  2⤵
  PID:1396
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3092,i,9123862388239704736,10586895118160106164,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3140 /prefetch:1
  2⤵
  PID:4284
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4600,i,9123862388239704736,10586895118160106164,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4616 /prefetch:1
  2⤵
  PID:1876
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=3752,i,9123862388239704736,10586895118160106164,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4812 /prefetch:1
  2⤵
  PID:756
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=3220,i,9123862388239704736,10586895118160106164,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3208 /prefetch:8
  2⤵
  PID:2504
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=4968,i,9123862388239704736,10586895118160106164,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3512 /prefetch:1
  2⤵
  PID:1196
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --field-trial-handle=4980,i,9123862388239704736,10586895118160106164,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3172 /prefetch:1
  2⤵
  PID:1776
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4428,i,9123862388239704736,10586895118160106164,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3192 /prefetch:8
  2⤵
  - NTFS ADS
  PID:3140
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --field-trial-handle=4936,i,9123862388239704736,10586895118160106164,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3196 /prefetch:1
  2⤵
  PID:3772
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=4508,i,9123862388239704736,10586895118160106164,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3160 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4416

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:4872

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:2000

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2196

C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.13
1⤵
- Modifies registry class
PID:1092

C:\Users\Admin\AppData\Local\Temp\Temp1_Installer.zip\Installer.exe
"C:\Users\Admin\AppData\Local\Temp\Temp1_Installer.zip\Installer.exe"
1⤵
- Downloads MZ/PE file
PID:32
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" Add-MpPreference -ExclusionPath 'C:\'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:4956
- C:\Users\Admin\AppData\Local\Temp\lem.exe
  "C:\Users\Admin\AppData\Local\Temp\lem.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  PID:4540
- - C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
    "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1732

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4616

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\Temp1_prem_V0.5.0.2Lt.zip\Readmi.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:1284

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\Temp1_prem_V0.5.0.2Lt.zip\Readmi.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:2196

C:\Users\Admin\AppData\Local\Temp\Temp1_Installer.zip\Installer.exe
"C:\Users\Admin\AppData\Local\Temp\Temp1_Installer.zip\Installer.exe"
1⤵
- Downloads MZ/PE file
PID:4088
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" Add-MpPreference -ExclusionPath 'C:\'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:3868
- C:\Users\Admin\AppData\Local\Temp\lem.exe
  "C:\Users\Admin\AppData\Local\Temp\lem.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2076

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.idx

Filesize
64KB

MD5
b5ad5caaaee00cb8cf445427975ae66c

SHA1
dcde6527290a326e048f9c3a85280d3fa71e1e22

SHA256
b6409b9d55ce242ff022f7a2d86ae8eff873daabf3a0506031712b8baa6197b8

SHA512
92f7fbbcbbea769b1af6dd7e75577be3eb8bb4a4a6f8a9288d6da4014e1ea309ee649a7b089be09ba27866e175ab6f6a912413256d7e13eaf60f6f30e492ce7f

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.lock

Filesize
4B

MD5
f49655f856acb8884cc0ace29216f511

SHA1
cb0f1f87ec0455ec349aaa950c600475ac7b7b6b

SHA256
7852fce59c67ddf1d6b8b997eaa1adfac004a9f3a91c37295de9223674011fba

SHA512
599e93d25b174524495ed29653052b3590133096404873318f05fd68f4c9a5c9a3b30574551141fbb73d7329d6be342699a17f3ae84554bab784776dfda2d5f8

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.val

Filesize
1008B

MD5
d222b77a61527f2c177b0869e7babc24

SHA1
3f23acb984307a4aeba41ebbb70439c97ad1f268

SHA256
80dc3ffa698e4ff2e916f97983b5eae79470203e91cb684c5ccd4ff1a465d747

SHA512
d17d836ea77aeaff4cd01f9c7523345167a4a6bc62528aac74acde12679f48079d75d159e9cea2e614da50e83c2dcd92c374c899ea6c4fe8e5513d9bf06c01ff

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
e6f3f302390bc6c08c37ae507072b70f

SHA1
e1ed452ed48cf593266c5bf1cf68fc08b5560a3b

SHA256
028445c096ac3fa66a7b982728d4af116e0327c27aabbd5ec02af696a3adf728

SHA512
e965e3e06739e78dbbaaf4c39031622da3af20ce2eb2754f36c7299713c6fa35b49ffe391d9e73e5eee0f687084993119c06a34910f3b70a76b91f24df15a6bd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\temp-index

Filesize
1KB

MD5
ae074dd7a6a961786d12c8069f390e2f

SHA1
72fe61a9ba681126f4bfb19dfe9fda062600990c

SHA256
50819c3542bdf73938c7dcd6a1c2c1f0ac3c3166b90ec3ed6e74e8e6fa171957

SHA512
8b1e645b7a879033400b54d4abf8009d762d136f4cb84a46a2c5bdb613b84d5fd67518b7535a48916102d8e6fd5ecdc9d563b37ca87ffa4b9b8a7cebee01b49a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
8d0707ee9315d9d40f64285f1525d0c9

SHA1
05507896c75176a3fcf3df05a724d44237a0d676

SHA256
829ec23ad657c8bb84b1ee5ad21a74f8a565935a4871c22caa295338528894af

SHA512
e2e82ba6e18113d645da62a131166281b8e40db9a5f2ed922a7f260ecc1198238254d619437331fc043a33cf9165a343945c6a479d9c78838100af439ba0dff1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\File System\000\t\Paths\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
d61e507dafd648aa4cf5eb891fafd639

SHA1
c7776b6558a26736dfb27d8b38d859c4c0902afa

SHA256
fb89421cb1b0a0f7192c538024fc9d3ed8bb281ce4cbce3793d34b7349fdffe9

SHA512
50d9a405f871a5b8bedcb62377dbf3fa5997e59df365fe000ec7bd521698693f228aa1acfe67db7ec6acc4b2a583ebc9bae51b8d62f58141dab51fdc0bf3f6d0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
4KB

MD5
3fdcd292d540ad055344ea1e9f3952f5

SHA1
4ce5de0f5046d77423075a54b9b652dc7a1def7c

SHA256
c1857f1ace9f972c759fa2d64e6d1b27d5b714dce2a3be5b11f623114bb6b972

SHA512
57c485b61c8e748d9119857ac122d5f5ed742e60de78e3003fd6ef920c4c6bbe19bc52caf07f017e4b5541c3cdfe566e551951b72030bacdfd6a99701d0c0cff

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
607d67fd981d7468d68d7ab505a22f0a

SHA1
1708193a55e11017f6e6eb4bee3a718a55c7e70b

SHA256
f4046f8a2db2d8084ce1cfa3af8055110af0fb0237b3d6bee40e4ca9de962861

SHA512
04a850d1ded338e476fe0655fc94c995c2afb2c91ed823430be3a21e2afdde3e690de5e4fe4bff590e6ce6acf4f806931086abaaa6d6e43b79c7c20a481c2645

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
4KB

MD5
5eca0ff841992c0bee1d2eec42f2685d

SHA1
dc1c8fb5c70868e47bfc006630c8f1496615bfc8

SHA256
19f7de71afe7321d76803f6c7bb3df5a1ce4f6143f6af6e7c7e9817639cf18db

SHA512
f1f1d93d31e4c63660c37498af645a460a25d4a79fe122d8e204ae9556e466b894e11e66df7ca9c103f23eb778871438740f60bcd59ef8fb364d8738bec02001

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
355c5c8ecaac9063e392dab82b88baea

SHA1
16f4c1c20e218e149b00064accc4a9980d90e1f0

SHA256
df87d0e4ca928dd10ee20963852f3cd66f49689263ce7ed80faa12619078ea48

SHA512
de6074866863daf4bbc42bc51adddfcdba8680c89f16592a2e107da5b9f189f403b1e02cdc0a52f3445ab282e79aa31bfabd689d776cfcab454a01a05bcd1054

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
c58e01b2d30f855d62ffb2fd8f5f6ca4

SHA1
7006086e4075a6c3208848ceaecfb6b1e4f361d7

SHA256
257e9d4355b768b31e516fdfbde10f7e15d6b5ba8fd4d71c082eff56bbb47d19

SHA512
efbd414c7a77d3d5c6575344faae96ed8c7f1df99767f4c444fafbb984e3caef5670bb66ac7cb092b3f29b3bbd1d58c3c92a14fcdc6479f812b7984815141a3b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
3b1f356754bc7593b5fd60eabd553702

SHA1
25645ea9e33cacd5481d9b5f432ace096fc51511

SHA256
90fe1469ceba2efd9849c481a67adad3ce3149c07c3d41890767409fba618c37

SHA512
fde56bd1b1fc509272ecdaf675830341fdab9cf940021653cb7b3e0996b9033c07b9bcfa657cc0ae908c142e6b29e1f78e53b9157ab7dde9377882484a9295a9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
d7d83fbbf82f2afaab727d63ceaf1101

SHA1
aaee9c3380de0ae38c45df53ff8149ce678a09c8

SHA256
13a3924ae8bfc7b228cb3a1416f167e242808f30bd6e43f8d71276479fa77610

SHA512
31225dfa45b6b2f9d094cbfacc0edb7f0a3ad3242ab67eb140f67af22cfefc063a7b6b7a46c7040d55674201f6c8e46c2d1ffe96cb9cacaf5cbdfee1732485f8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
4fe2344a697845fb4b86ce70e70e0f8c

SHA1
9037760221de3da49b8379c81ca235031a6c34c4

SHA256
31e252f586c228cc3778da5302bec8b707bb0b39c679cc484547b9baeedfc99c

SHA512
50b15845d65c0a1583c843303194db8bea5eb5b86caaf7c0158ca5aaef037249faa898fb260e0d7863736a3d931140ff7c922eec4fe68d96578cbe0dfdf59459

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
87c71912f55a422111b359b19540a398

SHA1
ef71ca63ea3c9abc67555f98ae5c8ae56f649bfd

SHA256
eb4840364e28ca832c6e870ef10dc1f5d50d0c922b9a9bf64923180538ad91bd

SHA512
7bb3e7e59e16db0c7571725d78cfafe47a5fd530f0a548f987814a7178d74210bb596972d41abbea43c10e4b17bd1647e3a2837e7b164d8caf6c56aac79ac02a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
cfff2059845197026f8eedede89d2f02

SHA1
f96c96135c5313beda6506bf22b8213a06887133

SHA256
28621a675f0e1fd8760ebdcf162ccb5d4c3ce81266ae67305d27de035c8ee1c3

SHA512
5df7aa742f480bc0700157db34483fb87ecc3ec356780bec846621927056093baba6b1c2bf4c4bd6beeff3fd78005accace080267ebc908071b54361df436cfe

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
0c3c1bc3efde48fd922326f9e0435e0b

SHA1
3094a0c08b946833f49403ffb503272e8a011a6c

SHA256
9c58636f8fab2b6ab68bbc1ac44efcb029c12d2ffdec6e772dab9040268699e9

SHA512
94f0dcebb0c7bda03214063f6cd0882f14f10706825caf93f44fd3dfe688e771e61a351569516dafa4969eb67ce46c9729dc10d53ab9c202192b74055b0c1494

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
57fe55975ba8f9c96b1a37bfd3e25b9d

SHA1
356bc3c0afc5073fd556d78e203256f1139f27cd

SHA256
84fdde1cca12b7fb5be85c0c1011634e237ffe7afb225d63cbf1b92c506fc4f2

SHA512
9350c2f4e0c0a17d8df3f8b9f7e9fa8feef87e4fef91d8cc4c6521cf323fc7aadd29c212cf35a8fc7df2eb1c17790c2a010dc45e0b560a3bde439f096091c595

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
4d10d94f90d613f57c9d590d7cbd40bc

SHA1
ff3d7797273853153ffb34ed28d48551d29ef52a

SHA256
b2b49a4ad4972a4738f112cc7766b0a765428e772251db4a7dc948ef9a3f7585

SHA512
7c6b34ac37318e2ed5e506c2c92d12825c1c7339f5c22ef15bd0e582ed299b113874c63913f85b4c2dd004324c2bd086ef252a31f7467bd8962aec01f347ca26

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
20f526a77dee48deb708a73f227d42c9

SHA1
ce22574476f8ccc5a862bcb518994f8015adf7e8

SHA256
dbaa06655d89ceba2742c2edc1797457324e91ec03aec991c8eb216785b2d075

SHA512
adf83d08bb1178d159525fd42bcd8862f4580fbbe72ac24e0656a2491a4e8c6af7ef9b76206bbc15a4727b66641b6c253094cb6e96338456ab90ea48397b6af9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
763e68af2c72301edb522999ab1a1224

SHA1
fe2f3dd8d2b902ea2749f60b10a0a36a28a36c64

SHA256
b9f7b258dac31fabb89cfcf4edaf0a891966b3338779408b894411c02614a6bb

SHA512
4c515b947327711b57fe9d2069a96db4494bf80034996e6d41787efda81d5d7b83f6fe53d370d074aaac3790ada8d3b3a3cb135c58ea8222091f25a04c728ce7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
9259619b82c60a7075cb8684c9677e34

SHA1
97822f85616d893ab1b7f82420fee1c21f0e6e11

SHA256
bb3be41e7a8d5a1256787298993be0cc802ffdb45109429259fb1c00262a9f78

SHA512
6d537d5b74a76c407db53c04d2ad49b914f267c35bc558c45fedd78835db2094fe68ba6c230138bc232acf2af0846b4549b6a1b05e3ed4e43726420346c0c56f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
ca075ffd6ad67e540021967d1dfba7b7

SHA1
ee8495dbab036305fffbf86ffe447cd36f98c9be

SHA256
2f88b39391f58056eb76e7f255c54589b82d74d462c579632ad15c377b455204

SHA512
cace1d279288285b3c360836b9a0bded34de46fa2b2c3e8415100ad3301e01f788226c856bd5905310fa34e0f56549ce38a6c89f83a738f34d60532bae6b432e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
c84daac4bd6a6e94003f7258a2fd83e6

SHA1
5d55ff90d4be82c5e15650a663084129d5229437

SHA256
cb62f192bffbe47e33f8e5c51054a418b18b188902d7da1db490802bed3ab2e0

SHA512
08c84fc21153053843fd387ca458bf9ef9271d03ed25baa05d69f59c005c7d420ddb1ff06eb3e10ecd17b8be8dbe31fa9666892536598c113110ec124104f6fa

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
73e110e0e982a7c35404ea7cb0303a22

SHA1
ebbea7bb2904156856f84fa0d006545ded5b0e9f

SHA256
c1c6b27cc561f3d09807e19fb524210b89a449edeb92c8b257d6f6784392403b

SHA512
6f620985a71f73cbd4f3870788b391d3c30e41da48f0e58ce427bbf9d4e2feef5625ccd05dd17e05633cf774c107ef713b6fe030e5b3e699479191490b959e55

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
64d1975a924331f985e6be7308a849af

SHA1
8ef9de0b69d6ee52c875e957034eba5baf10d41e

SHA256
d90b564f9775e2169e2e7607fefb70679d1bc6a22f36c1717181a851ba451a99

SHA512
4189bfb7b83602ffd0556bbfa8aea6a19ddb1857b00b16c43ef07ea31c244f817ee02ac1c53f8707be9227fe1000d11237f94d01263576d9112d68dc3f5de755

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
116KB

MD5
e14089f5c1fe6899a4e1524f9072f5dd

SHA1
726b5e75a78e9d9926b7ac093e3e714d47f9faf3

SHA256
efe93a880575a1d52602c10dfd1e4eb29dbf23d58d6002b3ae0ea07ae6784739

SHA512
0ab07b0999723222d2276605dcaa6063f5a44e3df15afcabf993ba4083a72757bf9b55b0b82a12bf9c8eb95817a8ac1b73a002ff4d64e61c8f3951ad1ca1edb4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
116KB

MD5
9f2f877ab0d01c28b36bb03fd0f436ae

SHA1
55cda0a0776abc74f5be97bcc6d13edaa71d7f62

SHA256
3d7f3fd038a7cb520097f38daeac05fd08e16ab45e02cbb97e348c565d908a28

SHA512
4f87c061c9910005659c74c92c084781420958e76d40c7c0baa70f14dfad998578cdf15990173665048cef2a349efff3da3bffd715481e7932602dc88956d1a9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
627073ee3ca9676911bee35548eff2b8

SHA1
4c4b68c65e2cab9864b51167d710aa29ebdcff2e

SHA256
85b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c

SHA512
3c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
aa4f31835d07347297d35862c9045f4a

SHA1
83e728008935d30f98e5480fba4fbccf10cefb05

SHA256
99c83bc5c531e49d4240700142f3425aba74e18ebcc23556be32238ffde9cce0

SHA512
ec3a4bee8335007b8753ae8ac42287f2b3bcbb258f7fc3fb15c9f8d3e611cb9bf6ae2d3034953286a34f753e9ec33f7495e064bab0e8c7fcedd75d6e5eb66629

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\BackgroundTransferApi\c65a2d02-12f7-4489-b140-fe480b5680af.down_data

Filesize
555KB

MD5
5683c0028832cae4ef93ca39c8ac5029

SHA1
248755e4e1db552e0b6f8651b04ca6d1b31a86fb

SHA256
855abd360d8a8d6974eba92b70cbd09ce519bc8773439993f9ab37cb6847309e

SHA512
aba434bd29be191c823b02ea9b639beb10647bbe7759bbffdaa790dfb1ec2c58d74c525ef11aacda209e4effe322d1d3a07b115446c8914b07a3bce4d8a0e2c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_yoamdjpn.ick.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\lem.exe

Filesize
4.5MB

MD5
10d60fa8fdc147554cee177e8de2d98c

SHA1
8d528adf5a1736fa47de472dd86f8c0a858f6337

SHA256
cedb81c4665ea6e96d6bce5b08546fa776d37f2ed10fee4eb65d216ba90bd839

SHA512
0631b78614a5cfd5c29fb1d81fa07a959a22073b6739bb430001005c1cd70d5d825d1a56857edc8c93fbd2089b368c3a0bb9385ebe1ae4b86a2d544bf305addd

Download Submit
C:\Users\Admin\Downloads\prem_V0.5.0.2Lt.zip

Filesize
31.3MB

MD5
58c2fc7ff263f26b89c288062ff95a2f

SHA1
bc564b300ae6e4f3d44a807128ec1d318ebe8f15

SHA256
efa3a9fba83093713dbfa378a37786259343088effc0b3e8acfd7bb15107f43c

SHA512
533e57bffadd8b898eda0daa44eb0fbb1a37c4e4d2687eed8dcc881c8a6f44f7cd6835c13dd2028a60d7e3c25c511a5cd51bcee5475998c47cb8423824a83562

Download Submit
C:\Users\Admin\Downloads\prem_V0.5.0.2Lt.zip:Zone.Identifier

Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
memory/1732-376-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/1732-375-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/4956-292-0x00000181CAAC0000-0x00000181CAAE2000-memory.dmp

Filesize
136KB

Download