vidar | 88bd9484b884ae95a3df7310d69e76872f3de844c1c6e45639e464b38a8a805b

Analysis

max time kernel
120s
max time network
121s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
25/03/2025, 11:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

xtsle.exe
Size

903KB
MD5

8555e55165d3cda3bb72d6f7a0693a69
SHA1

300eaed89a5d8edea974a7118655fe919ba5abff
SHA256

88bd9484b884ae95a3df7310d69e76872f3de844c1c6e45639e464b38a8a805b
SHA512

db212f7ffe972b1cb2069e57dece38bc72410c2dc196ee659b60454ea1c00dc3900d6a31d2f4b7ab79f1f1d82c147c957e4b38873960ac353a1bbe8fc36e9320
SSDEEP

12288:1tCXUjIKWxqiJJd0RA89Em2AYpBs+AsSiFd+BtdCxCQjlMs/xv78pEOBl:1tCXUjIJJJdr8RY+cj6tdeMs/R8yOj

Score

10^/10

vidar 2b5f49da02542664c0ff260da932bacc credential_access discovery spyware stealer

Malware Config

Extracted

Family

vidar

https://t.me/g_etcontent

https://steamcommunity.com/profiles/76561199832267488

Attributes

user_agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:135.0) Firefox/135.0

Extracted

Family

vidar

Version

13.2

Botnet

2b5f49da02542664c0ff260da932bacc

https://t.me/g_etcontent

https://steamcommunity.com/profiles/76561199832267488

Attributes

user_agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:135.0) Firefox/135.0

Signatures

Detect Vidar Stealer 23 IoCs

stealer

resource	yara_rule
behavioral1/memory/756-377-0x0000000003470000-0x0000000003499000-memory.dmp	family_vidar_v7
behavioral1/memory/756-378-0x0000000003470000-0x0000000003499000-memory.dmp	family_vidar_v7
behavioral1/memory/756-379-0x0000000003470000-0x0000000003499000-memory.dmp	family_vidar_v7
behavioral1/memory/756-380-0x0000000003470000-0x0000000003499000-memory.dmp	family_vidar_v7
behavioral1/memory/756-528-0x0000000003470000-0x0000000003499000-memory.dmp	family_vidar_v7
behavioral1/memory/756-549-0x0000000003470000-0x0000000003499000-memory.dmp	family_vidar_v7
behavioral1/memory/756-554-0x0000000003470000-0x0000000003499000-memory.dmp	family_vidar_v7
behavioral1/memory/756-575-0x0000000003470000-0x0000000003499000-memory.dmp	family_vidar_v7
behavioral1/memory/756-578-0x0000000003470000-0x0000000003499000-memory.dmp	family_vidar_v7
behavioral1/memory/756-602-0x0000000003470000-0x0000000003499000-memory.dmp	family_vidar_v7
behavioral1/memory/756-623-0x0000000003470000-0x0000000003499000-memory.dmp	family_vidar_v7
behavioral1/memory/756-627-0x0000000003470000-0x0000000003499000-memory.dmp	family_vidar_v7
behavioral1/memory/756-648-0x0000000003470000-0x0000000003499000-memory.dmp	family_vidar_v7
behavioral1/memory/756-664-0x0000000003470000-0x0000000003499000-memory.dmp	family_vidar_v7
behavioral1/memory/756-719-0x0000000003470000-0x0000000003499000-memory.dmp	family_vidar_v7
behavioral1/memory/756-743-0x0000000003470000-0x0000000003499000-memory.dmp	family_vidar_v7
behavioral1/memory/756-740-0x0000000003470000-0x0000000003499000-memory.dmp	family_vidar_v7
behavioral1/memory/756-766-0x0000000003470000-0x0000000003499000-memory.dmp	family_vidar_v7
behavioral1/memory/756-787-0x0000000003470000-0x0000000003499000-memory.dmp	family_vidar_v7
behavioral1/memory/756-788-0x0000000003470000-0x0000000003499000-memory.dmp	family_vidar_v7
behavioral1/memory/756-850-0x0000000003470000-0x0000000003499000-memory.dmp	family_vidar_v7
behavioral1/memory/756-871-0x0000000003470000-0x0000000003499000-memory.dmp	family_vidar_v7
behavioral1/memory/756-872-0x0000000003470000-0x0000000003499000-memory.dmp	family_vidar_v7

Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Vidar family
vidar

Uses browser remote debugging 2 TTPs 4 IoCs

Can be used control the browser and steal sensitive information such as credentials and session cookies.

credential_access stealer

Steal Web Session Cookie

T1539

Modify Authentication Process

T1556

pid	Process
3008	chrome.exe
1540	chrome.exe
1860	chrome.exe
1648	chrome.exe

Executes dropped EXE 1 IoCs

pid	Process
756	Beings.com

Loads dropped DLL 1 IoCs

pid	Process
2520	CMD.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates processes with tasklist 1 TTPs 2 IoCs

discovery

Process Discovery

T1057

pid	Process
2472	tasklist.exe
1528	tasklist.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\LawsuitGuy	xtsle.exe
File opened for modification	C:\Windows\MuchInterventions	xtsle.exe
File opened for modification	C:\Windows\InclusionSculpture	xtsle.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 15 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xtsle.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	extrac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beings.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CMD.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2028	cmd.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Beings.com
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Beings.com

Delays execution with timeout.exe 1 IoCs

defense_evasion

pid	Process
2336	timeout.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies system certificate store 2 TTPs 3 IoCs

defense_evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc35300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a82000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	Beings.com
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	Beings.com
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	Beings.com

Suspicious behavior: EnumeratesProcesses 9 IoCs

pid	Process
756	Beings.com
756	Beings.com
756	Beings.com
756	Beings.com
756	Beings.com
3008	chrome.exe
3008	chrome.exe
756	Beings.com
756	Beings.com

Suspicious use of AdjustPrivilegeToken 14 IoCs

description	pid	Process
Token: SeDebugPrivilege	2472	tasklist.exe
Token: SeDebugPrivilege	1528	tasklist.exe
Token: SeShutdownPrivilege	3008	chrome.exe
Token: SeShutdownPrivilege	3008	chrome.exe
Token: SeShutdownPrivilege	3008	chrome.exe
Token: SeShutdownPrivilege	3008	chrome.exe
Token: SeShutdownPrivilege	3008	chrome.exe
Token: SeShutdownPrivilege	3008	chrome.exe
Token: SeShutdownPrivilege	3008	chrome.exe
Token: SeShutdownPrivilege	3008	chrome.exe
Token: SeShutdownPrivilege	3008	chrome.exe
Token: SeShutdownPrivilege	3008	chrome.exe
Token: SeShutdownPrivilege	3008	chrome.exe
Token: SeShutdownPrivilege	3008	chrome.exe

Suspicious use of FindShellTrayWindow 37 IoCs

pid	Process
756	Beings.com
756	Beings.com
756	Beings.com
3008	chrome.exe
3008	chrome.exe
3008	chrome.exe
3008	chrome.exe
3008	chrome.exe
3008	chrome.exe
3008	chrome.exe
3008	chrome.exe
3008	chrome.exe
3008	chrome.exe
3008	chrome.exe
3008	chrome.exe
3008	chrome.exe
3008	chrome.exe
3008	chrome.exe
3008	chrome.exe
3008	chrome.exe
3008	chrome.exe
3008	chrome.exe
3008	chrome.exe
3008	chrome.exe
3008	chrome.exe
3008	chrome.exe
3008	chrome.exe
3008	chrome.exe
3008	chrome.exe
3008	chrome.exe
3008	chrome.exe
3008	chrome.exe
3008	chrome.exe
3008	chrome.exe
3008	chrome.exe
3008	chrome.exe
3008	chrome.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
756	Beings.com
756	Beings.com
756	Beings.com

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2512 wrote to memory of 2520	2512	xtsle.exe	30
PID 2512 wrote to memory of 2520	2512	xtsle.exe	30
PID 2512 wrote to memory of 2520	2512	xtsle.exe	30
PID 2512 wrote to memory of 2520	2512	xtsle.exe	30
PID 2520 wrote to memory of 2472	2520	CMD.exe	32
PID 2520 wrote to memory of 2472	2520	CMD.exe	32
PID 2520 wrote to memory of 2472	2520	CMD.exe	32
PID 2520 wrote to memory of 2472	2520	CMD.exe	32
PID 2520 wrote to memory of 2432	2520	CMD.exe	33
PID 2520 wrote to memory of 2432	2520	CMD.exe	33
PID 2520 wrote to memory of 2432	2520	CMD.exe	33
PID 2520 wrote to memory of 2432	2520	CMD.exe	33
PID 2520 wrote to memory of 1528	2520	CMD.exe	35
PID 2520 wrote to memory of 1528	2520	CMD.exe	35
PID 2520 wrote to memory of 1528	2520	CMD.exe	35
PID 2520 wrote to memory of 1528	2520	CMD.exe	35
PID 2520 wrote to memory of 696	2520	CMD.exe	36
PID 2520 wrote to memory of 696	2520	CMD.exe	36
PID 2520 wrote to memory of 696	2520	CMD.exe	36
PID 2520 wrote to memory of 696	2520	CMD.exe	36
PID 2520 wrote to memory of 2908	2520	CMD.exe	37
PID 2520 wrote to memory of 2908	2520	CMD.exe	37
PID 2520 wrote to memory of 2908	2520	CMD.exe	37
PID 2520 wrote to memory of 2908	2520	CMD.exe	37
PID 2520 wrote to memory of 1856	2520	CMD.exe	38
PID 2520 wrote to memory of 1856	2520	CMD.exe	38
PID 2520 wrote to memory of 1856	2520	CMD.exe	38
PID 2520 wrote to memory of 1856	2520	CMD.exe	38
PID 2520 wrote to memory of 2052	2520	CMD.exe	39
PID 2520 wrote to memory of 2052	2520	CMD.exe	39
PID 2520 wrote to memory of 2052	2520	CMD.exe	39
PID 2520 wrote to memory of 2052	2520	CMD.exe	39
PID 2520 wrote to memory of 2028	2520	CMD.exe	40
PID 2520 wrote to memory of 2028	2520	CMD.exe	40
PID 2520 wrote to memory of 2028	2520	CMD.exe	40
PID 2520 wrote to memory of 2028	2520	CMD.exe	40
PID 2520 wrote to memory of 2528	2520	CMD.exe	41
PID 2520 wrote to memory of 2528	2520	CMD.exe	41
PID 2520 wrote to memory of 2528	2520	CMD.exe	41
PID 2520 wrote to memory of 2528	2520	CMD.exe	41
PID 2520 wrote to memory of 756	2520	CMD.exe	42
PID 2520 wrote to memory of 756	2520	CMD.exe	42
PID 2520 wrote to memory of 756	2520	CMD.exe	42
PID 2520 wrote to memory of 756	2520	CMD.exe	42
PID 2520 wrote to memory of 2720	2520	CMD.exe	43
PID 2520 wrote to memory of 2720	2520	CMD.exe	43
PID 2520 wrote to memory of 2720	2520	CMD.exe	43
PID 2520 wrote to memory of 2720	2520	CMD.exe	43
PID 756 wrote to memory of 3008	756	Beings.com	46
PID 756 wrote to memory of 3008	756	Beings.com	46
PID 756 wrote to memory of 3008	756	Beings.com	46
PID 756 wrote to memory of 3008	756	Beings.com	46
PID 3008 wrote to memory of 2672	3008	chrome.exe	47
PID 3008 wrote to memory of 2672	3008	chrome.exe	47
PID 3008 wrote to memory of 2672	3008	chrome.exe	47
PID 3008 wrote to memory of 2780	3008	chrome.exe	48
PID 3008 wrote to memory of 2780	3008	chrome.exe	48
PID 3008 wrote to memory of 2780	3008	chrome.exe	48
PID 3008 wrote to memory of 2744	3008	chrome.exe	49
PID 3008 wrote to memory of 2744	3008	chrome.exe	49
PID 3008 wrote to memory of 2744	3008	chrome.exe	49
PID 3008 wrote to memory of 2744	3008	chrome.exe	49
PID 3008 wrote to memory of 2744	3008	chrome.exe	49
PID 3008 wrote to memory of 2744	3008	chrome.exe	49

C:\Users\Admin\AppData\Local\Temp\xtsle.exe
"C:\Users\Admin\AppData\Local\Temp\xtsle.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2512
- C:\Windows\SysWOW64\CMD.exe
  "C:\Windows\system32\CMD.exe" /c copy Proc.midi Proc.midi.bat & Proc.midi.bat
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2520
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:2472
- - C:\Windows\SysWOW64\findstr.exe
    findstr /I "opssvc wrsa"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2432
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:1528
- - C:\Windows\SysWOW64\findstr.exe
    findstr "SophosHealth bdservicehost AvastUI AVGUI nsWscSvc ekrn"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:696
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c md 147655
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2908
- - C:\Windows\SysWOW64\extrac32.exe
    extrac32 /Y /E Walnut.midi
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1856
- - C:\Windows\SysWOW64\findstr.exe
    findstr /V "Davis" Jade
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2052
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c copy /b 147655\Beings.com + Impression + Teaching + Mapping + Distributions + Ruled + Amanda + Approximately + Sustainability + Inspector + Teddy + Tm 147655\Beings.com
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    PID:2028
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c copy /b ..\Pubmed.midi + ..\Vocal.midi + ..\Griffin.midi + ..\Pre.midi E
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2528
- - C:\Users\Admin\AppData\Local\Temp\147655\Beings.com
    Beings.com E
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Checks processor information in registry
    - Modifies system certificate store
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:756
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"
      4⤵
      Uses browser remote debugging
      Enumerates system info in registry
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      Suspicious use of WriteProcessMemory
      PID:3008
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef73b9758,0x7fef73b9768,0x7fef73b9778
        5⤵
        
        PID:2672
    - - C:\Windows\system32\ctfmon.exe
        
        ctfmon.exe
        5⤵
        
        PID:2780
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1128 --field-trial-handle=1232,i,15226567746762719673,7633326055848004759,131072 /prefetch:2
        5⤵
        
        PID:2744
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1412 --field-trial-handle=1232,i,15226567746762719673,7633326055848004759,131072 /prefetch:8
        5⤵
        
        PID:2636
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1616 --field-trial-handle=1232,i,15226567746762719673,7633326055848004759,131072 /prefetch:8
        5⤵
        
        PID:3020
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2140 --field-trial-handle=1232,i,15226567746762719673,7633326055848004759,131072 /prefetch:1
        5⤵
        Uses browser remote debugging
        
        PID:1540
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2108 --field-trial-handle=1232,i,15226567746762719673,7633326055848004759,131072 /prefetch:1
        5⤵
        Uses browser remote debugging
        
        PID:1860
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1424 --field-trial-handle=1232,i,15226567746762719673,7633326055848004759,131072 /prefetch:2
        5⤵
        
        PID:1892
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --remote-debugging-port=9223 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=2388 --field-trial-handle=1232,i,15226567746762719673,7633326055848004759,131072 /prefetch:1
        5⤵
        Uses browser remote debugging
        
        PID:1648
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3496 --field-trial-handle=1232,i,15226567746762719673,7633326055848004759,131072 /prefetch:8
        5⤵
        
        PID:2100
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3616 --field-trial-handle=1232,i,15226567746762719673,7633326055848004759,131072 /prefetch:8
        5⤵
        
        PID:1832
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3544 --field-trial-handle=1232,i,15226567746762719673,7633326055848004759,131072 /prefetch:8
        5⤵
        
        PID:1652
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c timeout /t 11 & rd /s /q "C:\ProgramData\p8y5f" & exit
      4⤵
      System Location Discovery: System Language Discovery
      PID:1492
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 11
        5⤵
        System Location Discovery: System Language Discovery
        Delays execution with timeout.exe
        
        PID:2336
- - C:\Windows\SysWOW64\choice.exe
    choice /d y /t 5
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2720

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:1632

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Modify Authentication Process

T1556

Privilege Escalation

Defense Evasion

Modify Authentication Process

T1556

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Modify Authentication Process

T1556

Steal Web Session Cookie

T1539

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
71KB

MD5
83142242e97b8953c386f988aa694e4a

SHA1
833ed12fc15b356136dcdd27c61a50f59c5c7d50

SHA256
d72761e1a334a754ce8250e3af7ea4bf25301040929fd88cf9e50b4a9197d755

SHA512
bb6da177bd16d163f377d9b4c63f6d535804137887684c113cc2f643ceab4f34338c06b5a29213c23d375e95d22ef417eac928822dfb3688ce9e2de9d5242d10

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
76aff62b299fb55cbcedbdc0d7ef99dc

SHA1
e8e76e56178bc4fc7831279fbce7d8d944e3472e

SHA256
7c3617283f354aec9570fd9f847a90bca4c1dfb1ec5712b2363f7c22111a92ba

SHA512
91a43a2260e997384096a852f5e21c8d7e3d56052be179015754d58f389ccabade2ee332d358251dcbd2a6bb6c75dd651b490257d9e25e305672e27efe3c0548

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption\000006.dbtmp

Filesize
16B

MD5
aefd77f47fb84fae5ea194496b44c67a

SHA1
dcfbb6a5b8d05662c4858664f81693bb7f803b82

SHA256
4166bf17b2da789b0d0cc5c74203041d98005f5d4ef88c27e8281e00148cd611

SHA512
b733d502138821948267a8b27401d7c0751e590e1298fda1428e663ccd02f55d0d2446ff4bc265bdcdc61f952d13c01524a5341bc86afc3c2cde1d8589b2e1c3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\000007.dbtmp

Filesize
16B

MD5
18e723571b00fb1694a3bad6c78e4054

SHA1
afcc0ef32d46fe59e0483f9a3c891d3034d12f32

SHA256
8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa

SHA512
43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\147655\Beings.com

Filesize
1KB

MD5
69dcb65fc56459a48665ec1bd552b22d

SHA1
6dfbef88d328e613ff69730923e4f48965a3fb3c

SHA256
a6ddc8aa95144e68c23aa84840bdc4c0337393a8cb2e2251ff3a0378a1c145ec

SHA512
493d02f1b75e1abf80a7c5b16d33a60fcf77bb123db442f3c4a16a981bfbe69c51b8191fa01836b69c8aff591555b546a66b865ae23a68d605fda36b51fa6e3f

Download Submit
C:\Users\Admin\AppData\Local\Temp\147655\Beings.com

Filesize
925KB

MD5
62d09f076e6e0240548c2f837536a46a

SHA1
26bdbc63af8abae9a8fb6ec0913a307ef6614cf2

SHA256
1300262a9d6bb6fcbefc0d299cce194435790e70b9c7b4a651e202e90a32fd49

SHA512
32de0d8bb57f3d3eb01d16950b07176866c7fb2e737d9811f61f7be6606a6a38a5fc5d4d2ae54a190636409b2a7943abca292d6cefaa89df1fc474a1312c695f

Download Submit
C:\Users\Admin\AppData\Local\Temp\147655\E

Filesize
280KB

MD5
6c238bd3176c3a08e0faea75d0f94ab5

SHA1
d0ef37edebb79d678192955f38f928584d86dc31

SHA256
1a1a1ae6629e23532f67cc01444f983971fbf050302e0a6fcf50b12570c90d89

SHA512
40381ec59f46e340f40869a69dcdd235137080b1ce84be4a00ae8897ce6fdc7a334dca8fa4c2d136697650693e43b553e53a7d6ffbd45cf61df946cfa5a3a8e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Amanda

Filesize
61KB

MD5
9037762495ae581d827403dc640287d3

SHA1
a467d0f1d1f3da913ab71c99823fe52e78f728f7

SHA256
ecaf8f7b38fd43f4f42839194e3a305b7f57514503fe84052011c49e5dfd5c51

SHA512
7d471ce7c2ed6f7a8818416bd3ce62b43056fdd68416f4192b65db4c5c666d6af63b4eee19645f12e5790dd1cd8427d66093a5e507801749ee09eafebd31eb2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Approximately

Filesize
99KB

MD5
2c5b82547a1ab667eef9b5cec43041de

SHA1
3c7a43242145bec204a2e7d831661029c589ee23

SHA256
2f2cf32cb08bd97f87a4ac57d7a1516980da16eedbbc3458c8d91a237d022ef4

SHA512
36014fabd18f3581324c9c565e452a3f46a7510270b2985831a6a4da2853a148c034e2491eab1d75d7a26c821eef37c87ca87697d5718eb025af0f6e2d06d0c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Distributions

Filesize
119KB

MD5
1e5217963534318739028ead0d007d23

SHA1
87542058c488cfc4b72de4d1f37a5368a429c77d

SHA256
658259006fcfec417e6b464de8fb5ed275646405cdad3a2bae8a5b6a08841631

SHA512
cda1ff394a5fd9e055168d38ce6f6761189c4db2037f8711ae0ba550bbc2ebee90e5be71aabd35d63c719fd644709b099386cd7de1e02cf9bd1d9a4382918d27

Download Submit
C:\Users\Admin\AppData\Local\Temp\Griffin.midi

Filesize
58KB

MD5
216e51f4926d2d948bdb519c3f396e10

SHA1
f57672967feea8533b07c4077ef6cfd96671d5b2

SHA256
2c35964b5a2f3f3c109481d8338daddd92fbe2fd1bcaf331b440898c8c28efea

SHA512
93a8e992db5f2c787ed65e3fdba879fbcf552cc90f52c0fee19bee065cf235b5f1e3282b549251bbb281e054ad6ae06d4c475ed7252462bfcf2551a29f4aee3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Impression

Filesize
61KB

MD5
f47a82e9b9c7ed76648c38887c2eb0e8

SHA1
fa6b31a84e3e5ec2e6869d5fcc222831ea1dc330

SHA256
6399993126acdf239833c5e5f8ba549aa5dda9201a3f10a5de57199f4363c21d

SHA512
1656eb8cbbaeb8558448fe93763f8ddeab9f51225ff47a7dfd49864c783e9bb153e6467f2f7e4d4566a6a8dab5ae28119e3bc8a082fd4907107bbe3d4e3fd080

Download Submit
C:\Users\Admin\AppData\Local\Temp\Inspector

Filesize
112KB

MD5
be71b3eb9230955bd352cc92e5d276c1

SHA1
f8bdb1f9abc1376fcd494c1c16cdc7197e2a9ec0

SHA256
f56637d5a317720e9225cfa67de6f9cea9f53ba9e0b5e0bba8b0c9fe51cec455

SHA512
c63f91afd83e1521e432ea8d33fd92cff1f3cec134dc0814eb1152c74d0c1339bc425c4d097c4c9671ebfdc96136a6ad0f51e95fad914afe3f1f96263146f8e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Jade

Filesize
1KB

MD5
69f403d0eff18354415a970ac44d3cd9

SHA1
2a79d3b77df9f420673d2c779068461c6cef139c

SHA256
b5def29d95f2f37ca33f57c0613faafdfdcab3c9f1f6ac09759911867cbc06f5

SHA512
92f7b9dc2f2de83391a7afc0bd0f92d7e0d3a0ec5a679b7e49f1aa150d6db635818ee0f068a33d364d6e80df3c05cbf8ce1abcd991227a1ef695ad158fa6bebf

Download Submit
C:\Users\Admin\AppData\Local\Temp\Mapping

Filesize
93KB

MD5
34337428bdfeef8717c5340f1acffdab

SHA1
4c3ef2859a65309bb4e4b3aaa7502656c362b165

SHA256
f30bed810527a82f2566b04d1b6bcb7c62c04af662149ee8b63d7c5ede3716d0

SHA512
235980fe6369a1af4c63bc87d5de8ee16837cd15e6db273b1e3a483ab1f9900f1386dc2bc283725f3297a3aed635d492ad0fb6c1ef73eb532cb9e121a42245f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Pre.midi

Filesize
82KB

MD5
a959dd26fb0b148c6d118a92429ea87c

SHA1
124cb6c9cf860dd391cd66d053b977d4e4b73819

SHA256
93b6c66744658b09bb58ff1d8a37a4fb393c2b29e4eac1c0ab16b017a5062961

SHA512
5a993a48cc9ceb24dbc68435d682546793006aa7aa06027a0915149e958fa10a317df504f66a423b0906f961f6d51dddc2b94697669a5177f8b90553f6047584

Download Submit
C:\Users\Admin\AppData\Local\Temp\Proc.midi

Filesize
14KB

MD5
a2beee25a217d1825e523a3072414152

SHA1
96fd3d8234d47ff0b3942fbdb752715045be68d9

SHA256
0df3c06b19f06e242fd4f98e91c6bf6f035e3200a9db03f4975100e482aeb01a

SHA512
d5f154bedf6f3face0d5cc88ee397057c860285e47a9e7d0a284a72db4668b7aef3c98ab4a33932ec1b953bf959f82ab843add8ce2bf4eaef29f00b210fb6989

Download Submit
C:\Users\Admin\AppData\Local\Temp\Pubmed.midi

Filesize
78KB

MD5
22e7d61a19bffde28238eb0426ed252c

SHA1
2f84a1ffeb6052cfeba1608beb70621267bb32a6

SHA256
5117e3cb15cc8381f9185a86eaa38487e4a36007079e1bbaa87fea6bfaac44b7

SHA512
59c7bfd1d78fe1a75eca6099929dafafb763867d03ce4f6c94a4305219b7a758b70058841e97d7dbdbbe522b471df15efeae5e2f168915c361c2b59da0a0f841

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ruled

Filesize
89KB

MD5
22406d2f4a9a6addb5cf916eda59fc1e

SHA1
9253db29f04d25ca675e3b886755d2a2ec2405c9

SHA256
d51c8f3837b731af5e7d69eee93e9de71a839adbfdd582fde804732209ddb051

SHA512
f15e3b9ebfab9375cbac4be0519e0644c5882523380b44e20f7e2bf21104bdcbe0ecb5a1d59ee85e4b8899490e53c571b68df2ebe7d6bf8e93fcb31982017035

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sustainability

Filesize
121KB

MD5
5ef05b82f84e68a3f85b1bda6e9128c1

SHA1
6d81073b15752e67daeb7b6efe73dc8067f5c250

SHA256
1c7f571ea3f2665940b209cd6f13c7e0054a334dfc7a5a328d31b1b93ec00665

SHA512
300960bacae9bc2c8fe589166dad7bee02c57db4661eae3d72d303f488f286f3e06cef6a1ecb3328d3ca570d2466097b408da5b672679f08f5bc620b3af2a299

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarD994.tmp

Filesize
183KB

MD5
109cab5505f5e065b63d01361467a83b

SHA1
4ed78955b9272a9ed689b51bf2bf4a86a25e53fc

SHA256
ea6b7f51e85835c09259d9475a7d246c3e764ad67c449673f9dc97172c351673

SHA512
753a6da5d6889dd52f40208e37f2b8c185805ef81148682b269fff5aa84a46d710fe0ebfe05bce625da2e801e1c26745998a41266fa36bf47bc088a224d730cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\Teaching

Filesize
72KB

MD5
977869d4d15b8fca4917059d9c7b02ce

SHA1
4879e990add8303549e79479e39e41e1a9de36cf

SHA256
e1e208351cef88030ffefa96877b005a3d72b8bea475da65c22dd11ab8bd38ba

SHA512
a597cfeac51799c706228624790f15430335227211f2e74d564788e728be46e1a9d96f1df1f2585973155156bbd3ae6b5d5256cfc6563eedcb1e74f9453be263

Download Submit
C:\Users\Admin\AppData\Local\Temp\Teddy

Filesize
54KB

MD5
77c02ece79ae548cd628b1736f332521

SHA1
6a18c88c735e6b37a1241aa1ed55b9b159545cf8

SHA256
f411cf6678cb722690c1a7477b1a204e7826953d2c7058d9aa8f8f2b0ec4e62a

SHA512
927d3bcfc40c2e0aca0354dcde6f4075c1fb33321948c1862fc9cb558c9a90dfab4260af71340954700f3196f7ff8223d7b8150bd2af26174c0c3636840c648c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tm

Filesize
42KB

MD5
e7eb568dc0beed154f2733b165fd6f83

SHA1
78e32254b2fe3ebd01ed75a922da241f680c3419

SHA256
a497a8270093ed44f18e81e68eed22b5a626e7abbb0093fde63034ef0382fbe9

SHA512
2f8b78f15ac83ccf66b950d3c5a752023b5f9fc22fbc8e84d7dadd07c0ee42c2482d82de59a41f0eac732f33b5d75c559d50f029014f7ac955b9d99d8efccc5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Vocal.midi

Filesize
62KB

MD5
ff526ff553503d407138373a04f18123

SHA1
60ec43141ae4fb55e60baa80e466e2bdb3287189

SHA256
def1687f5f21a9239a2175363a74e2b729e247468aa72ac4a8b80c8f77d309bc

SHA512
448a769fa14fca646e93a7b8c78da791bfe650c1c47de9f323185ae3bfdb65b7a5e82ba879c737df4a50f7805ed0b04a067ad59d13ba96b863a0bf0f222f3080

Download Submit
C:\Users\Admin\AppData\Local\Temp\Walnut.midi

Filesize
478KB

MD5
6194690737f0b608d390bfff4c915c69

SHA1
db2f1f90f974e3b2cfe4baf6b8e1bd3ae3baf2a1

SHA256
406439e9dbd75d454921f3d6e3206864bb8e961a94d55db3c425597314d8daa7

SHA512
9cdfc0aa8cdbbd12aa35cdd5e0648e4d9029568599ee2bcd944488c7a173855962288890f4de4ff832babfde05fc1f01daaf94d2d306c9388b72baa676e99874

Download Submit
memory/756-378-0x0000000003470000-0x0000000003499000-memory.dmp

Filesize
164KB

Download
memory/756-380-0x0000000003470000-0x0000000003499000-memory.dmp

Filesize
164KB

Download
memory/756-379-0x0000000003470000-0x0000000003499000-memory.dmp

Filesize
164KB

Download
memory/756-377-0x0000000003470000-0x0000000003499000-memory.dmp

Filesize
164KB

Download
memory/756-528-0x0000000003470000-0x0000000003499000-memory.dmp

Filesize
164KB

Download
memory/756-549-0x0000000003470000-0x0000000003499000-memory.dmp

Filesize
164KB

Download
memory/756-554-0x0000000003470000-0x0000000003499000-memory.dmp

Filesize
164KB

Download
memory/756-575-0x0000000003470000-0x0000000003499000-memory.dmp

Filesize
164KB

Download
memory/756-578-0x0000000003470000-0x0000000003499000-memory.dmp

Filesize
164KB

Download
memory/756-602-0x0000000003470000-0x0000000003499000-memory.dmp

Filesize
164KB

Download
memory/756-623-0x0000000003470000-0x0000000003499000-memory.dmp

Filesize
164KB

Download
memory/756-627-0x0000000003470000-0x0000000003499000-memory.dmp

Filesize
164KB

Download
memory/756-648-0x0000000003470000-0x0000000003499000-memory.dmp

Filesize
164KB

Download
memory/756-376-0x0000000003470000-0x0000000003499000-memory.dmp

Filesize
164KB

Download
memory/756-664-0x0000000003470000-0x0000000003499000-memory.dmp

Filesize
164KB

Download
memory/756-375-0x0000000003470000-0x0000000003499000-memory.dmp

Filesize
164KB

Download
memory/756-374-0x0000000003470000-0x0000000003499000-memory.dmp

Filesize
164KB

Download
memory/756-373-0x0000000003470000-0x0000000003499000-memory.dmp

Filesize
164KB

Download
memory/756-719-0x0000000003470000-0x0000000003499000-memory.dmp

Filesize
164KB

Download
memory/756-743-0x0000000003470000-0x0000000003499000-memory.dmp

Filesize
164KB

Download
memory/756-740-0x0000000003470000-0x0000000003499000-memory.dmp

Filesize
164KB

Download
memory/756-766-0x0000000003470000-0x0000000003499000-memory.dmp

Filesize
164KB

Download
memory/756-787-0x0000000003470000-0x0000000003499000-memory.dmp

Filesize
164KB

Download
memory/756-788-0x0000000003470000-0x0000000003499000-memory.dmp

Filesize
164KB

Download
memory/756-850-0x0000000003470000-0x0000000003499000-memory.dmp

Filesize
164KB

Download
memory/756-871-0x0000000003470000-0x0000000003499000-memory.dmp

Filesize
164KB

Download
memory/756-872-0x0000000003470000-0x0000000003499000-memory.dmp

Filesize
164KB

Download