Malware Analysis Report

2024-11-16 13:06

Sample ID 240325-xtr1rsag2x
Target https://cdn.discordapp.com/attachments/1221895306933833802/1221898554881212558/Client-built.rar?ex=661440b5&is=6601cbb5&hm=e16a2b4f69f372f8313a451d1f5bbdb43f419fd93e13b4647f2b56f9f9616461&
Tags
discordrat persistence rat rootkit stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

Threat Level: Known bad

The file https://cdn.discordapp.com/attachments/1221895306933833802/1221898554881212558/Client-built.rar?ex=661440b5&is=6601cbb5&hm=e16a2b4f69f372f8313a451d1f5bbdb43f419fd93e13b4647f2b56f9f9616461& was found to be: Known bad.

Malicious Activity Summary

discordrat persistence rat rootkit stealer

Discord RAT

Executes dropped EXE

Modifies registry class

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

Checks processor information in registry

NTFS ADS

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Uses Task Scheduler COM API

Suspicious behavior: EnumeratesProcesses

Checks SCSI registry key(s)

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-03-25 19:09

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-03-25 19:09

Reported

2024-03-25 19:10

Platform

win10v2004-20240226-en

Max time kernel

46s

Max time network

37s

Command Line

"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "https://cdn.discordapp.com/attachments/1221895306933833802/1221898554881212558/Client-built.rar?ex=661440b5&is=6601cbb5&hm=e16a2b4f69f372f8313a451d1f5bbdb43f419fd93e13b4647f2b56f9f9616461&"

Signatures

Discord RAT

stealer rootkit rat persistence discordrat

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\Downloads\Client-built\Client-built.exe N/A

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 C:\Windows\system32\taskmgr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\system32\taskmgr.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName C:\Windows\system32\taskmgr.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\Local Settings C:\Program Files\Mozilla Firefox\firefox.exe N/A

NTFS ADS

Description Indicator Process Target
File created C:\Users\Admin\Downloads\Client-built.rar:Zone.Identifier C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeRestorePrivilege N/A C:\Program Files\7-Zip\7zG.exe N/A
Token: 35 N/A C:\Program Files\7-Zip\7zG.exe N/A
Token: SeSecurityPrivilege N/A C:\Program Files\7-Zip\7zG.exe N/A
Token: SeSecurityPrivilege N/A C:\Program Files\7-Zip\7zG.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Downloads\Client-built\Client-built.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskmgr.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\system32\taskmgr.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\system32\taskmgr.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\7-Zip\7zG.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2396 wrote to memory of 4432 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2396 wrote to memory of 4432 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2396 wrote to memory of 4432 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2396 wrote to memory of 4432 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2396 wrote to memory of 4432 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2396 wrote to memory of 4432 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2396 wrote to memory of 4432 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2396 wrote to memory of 4432 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2396 wrote to memory of 4432 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2396 wrote to memory of 4432 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2396 wrote to memory of 4432 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4432 wrote to memory of 4520 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4432 wrote to memory of 4520 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4432 wrote to memory of 844 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4432 wrote to memory of 844 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4432 wrote to memory of 844 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4432 wrote to memory of 844 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4432 wrote to memory of 844 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4432 wrote to memory of 844 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4432 wrote to memory of 844 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4432 wrote to memory of 844 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4432 wrote to memory of 844 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4432 wrote to memory of 844 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4432 wrote to memory of 844 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4432 wrote to memory of 844 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4432 wrote to memory of 844 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4432 wrote to memory of 844 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4432 wrote to memory of 844 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4432 wrote to memory of 844 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4432 wrote to memory of 844 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4432 wrote to memory of 844 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4432 wrote to memory of 844 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4432 wrote to memory of 844 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4432 wrote to memory of 844 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4432 wrote to memory of 844 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4432 wrote to memory of 844 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4432 wrote to memory of 844 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4432 wrote to memory of 844 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4432 wrote to memory of 844 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4432 wrote to memory of 844 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4432 wrote to memory of 844 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4432 wrote to memory of 844 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4432 wrote to memory of 844 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4432 wrote to memory of 844 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4432 wrote to memory of 844 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4432 wrote to memory of 844 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4432 wrote to memory of 844 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4432 wrote to memory of 844 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4432 wrote to memory of 844 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4432 wrote to memory of 844 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4432 wrote to memory of 844 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4432 wrote to memory of 844 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4432 wrote to memory of 844 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4432 wrote to memory of 844 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4432 wrote to memory of 844 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4432 wrote to memory of 844 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4432 wrote to memory of 844 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4432 wrote to memory of 844 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4432 wrote to memory of 844 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4432 wrote to memory of 844 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4432 wrote to memory of 844 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4432 wrote to memory of 5040 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4432 wrote to memory of 5040 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4432 wrote to memory of 5040 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "https://cdn.discordapp.com/attachments/1221895306933833802/1221898554881212558/Client-built.rar?ex=661440b5&is=6601cbb5&hm=e16a2b4f69f372f8313a451d1f5bbdb43f419fd93e13b4647f2b56f9f9616461&"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url https://cdn.discordapp.com/attachments/1221895306933833802/1221898554881212558/Client-built.rar?ex=661440b5&is=6601cbb5&hm=e16a2b4f69f372f8313a451d1f5bbdb43f419fd93e13b4647f2b56f9f9616461&

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4432.0.1577052757\1668171635" -parentBuildID 20221007134813 -prefsHandle 1856 -prefMapHandle 1848 -prefsLen 20749 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {4d34ca7b-971c-46bd-aabc-ab232ddf3f9b} 4432 "\\.\pipe\gecko-crash-server-pipe.4432" 1952 1a61b4db458 gpu

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4432.1.1661933245\1301339035" -parentBuildID 20221007134813 -prefsHandle 2404 -prefMapHandle 2400 -prefsLen 21565 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b85625ac-c9b0-4495-b732-3dc743303eca} 4432 "\\.\pipe\gecko-crash-server-pipe.4432" 2428 1a60e5ece58 socket

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4432.2.1232387339\920252788" -childID 1 -isForBrowser -prefsHandle 3280 -prefMapHandle 3276 -prefsLen 21668 -prefMapSize 233444 -jsInitHandle 1152 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9f5ec2cd-4cc9-4dd0-af4b-57600ecc8be3} 4432 "\\.\pipe\gecko-crash-server-pipe.4432" 3096 1a61eee5758 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4432.3.770715586\1806165305" -childID 2 -isForBrowser -prefsHandle 3640 -prefMapHandle 3636 -prefsLen 26066 -prefMapSize 233444 -jsInitHandle 1152 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3ac22b2d-1820-4338-811c-692dedaa0ee4} 4432 "\\.\pipe\gecko-crash-server-pipe.4432" 3428 1a61d8b7a58 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4432.4.1844973132\208204205" -childID 3 -isForBrowser -prefsHandle 5388 -prefMapHandle 4392 -prefsLen 26340 -prefMapSize 233444 -jsInitHandle 1152 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3102cadd-0edc-4ed8-9ee5-14c3ab7f6d38} 4432 "\\.\pipe\gecko-crash-server-pipe.4432" 5408 1a60e569658 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4432.5.598913774\1512322779" -childID 4 -isForBrowser -prefsHandle 5552 -prefMapHandle 5556 -prefsLen 26340 -prefMapSize 233444 -jsInitHandle 1152 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3aa83c0a-236d-4af9-8681-c59d6f5bc9b3} 4432 "\\.\pipe\gecko-crash-server-pipe.4432" 5544 1a62219f458 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4432.6.1095825991\809794408" -childID 5 -isForBrowser -prefsHandle 5512 -prefMapHandle 5516 -prefsLen 26340 -prefMapSize 233444 -jsInitHandle 1152 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2868ae3b-19a4-43a0-a9b6-f9f6e2773f81} 4432 "\\.\pipe\gecko-crash-server-pipe.4432" 5744 1a62219fd58 tab

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Program Files\7-Zip\7zG.exe

"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\Client-built\" -spe -an -ai#7zMap16888:86:7zEvent16521

C:\Users\Admin\Downloads\Client-built\Client-built.exe

"C:\Users\Admin\Downloads\Client-built\Client-built.exe"

C:\Windows\system32\taskmgr.exe

"C:\Windows\system32\taskmgr.exe" /4

Network

Country Destination Domain Proto
N/A 127.0.0.1:55499 tcp
US 8.8.8.8:53 cdn.discordapp.com udp
US 8.8.8.8:53 contile.services.mozilla.com udp
US 8.8.8.8:53 content-signature-2.cdn.mozilla.net udp
US 162.159.133.233:443 cdn.discordapp.com tcp
US 8.8.8.8:53 cdn.discordapp.com udp
US 34.117.237.239:443 contile.services.mozilla.com tcp
US 8.8.8.8:53 contile.services.mozilla.com udp
US 8.8.8.8:53 shavar.services.mozilla.com udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 8.8.8.8:53 contile.services.mozilla.com udp
US 8.8.8.8:53 push.services.mozilla.com udp
US 8.8.8.8:53 firefox.settings.services.mozilla.com udp
US 52.13.152.141:443 shavar.services.mozilla.com tcp
US 8.8.8.8:53 shavar.prod.mozaws.net udp
US 8.8.8.8:53 autopush.prod.mozaws.net udp
US 8.8.8.8:53 shavar.prod.mozaws.net udp
US 8.8.8.8:53 prod.remote-settings.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 20.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 233.133.159.162.in-addr.arpa udp
US 8.8.8.8:53 autopush.prod.mozaws.net udp
US 34.149.100.209:443 prod.remote-settings.prod.webservices.mozgcp.net tcp
US 8.8.8.8:53 prod.remote-settings.prod.webservices.mozgcp.net udp
US 34.107.243.93:443 autopush.prod.mozaws.net tcp
US 162.159.133.233:443 cdn.discordapp.com udp
US 34.160.144.191:443 content-signature-2.cdn.mozilla.net tcp
US 8.8.8.8:53 prod.content-signature-chains.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 prod.content-signature-chains.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 197.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 141.152.13.52.in-addr.arpa udp
N/A 127.0.0.1:55507 tcp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 gateway.discord.gg udp
US 162.159.136.234:443 gateway.discord.gg tcp
US 8.8.8.8:53 234.136.159.162.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 23.160.77.104.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xh4b7nwe.default-release\datareporting\glean\pending_pings\7dc57f6b-3049-444e-a94c-e41fee7c672a

MD5 496c98147e960b26fd82299da1db5f59
SHA1 8178ab43d6bbc41ce1e4555dc59fbe141327150f
SHA256 9452fe018f33fa9af3c97399acab7b0bf1287e49e0b160c4b76c877e8004243b
SHA512 8abf16ead568adf7d4421518ed8630ea98fde5a5f39f4e004a096978701e5b90044e7a9265c44e0b5c40ac1e4704eaa397beba4dbfe263d0921ae002520d8f4a

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xh4b7nwe.default-release\datareporting\glean\pending_pings\ca2e6c91-e6c2-4970-b465-ad2be9daf8f5

MD5 fceb4dfc1b19de4990e87460f6271c6c
SHA1 24254531e8aa5a8f616cb4734551d37009df0410
SHA256 37021217278793751ebbeee9dcab00baa5f8fa9b399a86bf93b3eacd85ab2c03
SHA512 17c6adcea7bf4fb74c75139552d7ee144e5071038e5c969aee22df18538bcd05aaa5886f8def709802184976d48c527cdde97b0f135c2ec22c453bbe2f0fdb72

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xh4b7nwe.default-release\datareporting\glean\db\data.safe.bin

MD5 8b74f0369b5414ad0603a42eca47d72f
SHA1 3a8bdd9428e635f6115e11579facaf13afc41994
SHA256 953d25d94989a86099c68ea542074512f3eb5736f0a9a49cb1c080a837f34297
SHA512 b237cacda7647b93cebd7d43938b0f2f0fa3f63f20e6da27670d0b7ed472e6fa131fb0277261a95c47062bb2e6020a57a0dc7e58c6963c5bb8130f3726e37199

C:\Users\Admin\Downloads\fviFdtjZ.rar.part

MD5 9add42f59c08775d4837d367ad6ab39d
SHA1 178a554579ae84da18889444b7649695f85089a1
SHA256 f148119bf8c8ed3d9006b25c1ed94ff56a6a8c6506818f5c9e939dac085991f0
SHA512 deb273b9a8205632b71f1e31c18ea6090b711356f4d4148be3cd4db70c3459b174f9be49c1a021d0b71d4e23257a284da3e8ca20a150938fae9b61c33835a2d4

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xh4b7nwe.default-release\prefs.js

MD5 14954438b03539a1344050c31f6235d4
SHA1 c2bc51be3a7c9d29aa58d5def238be22c2f72f30
SHA256 4f42b2251ae795745091693dd5636e05c4749393f11e651c0a64f1b9d92740c5
SHA512 68985ad323491644f4a7b085c2a9cf0a15bda063e5c5a5d1d88c731a3dc2fd0938903b4a7c4f3f7b6a93eddd33e28439e6fc7044055563fea459b9dee67a78cb

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xh4b7nwe.default-release\prefs.js

MD5 58ce08cd9930c4c2be1b3af7137b1b07
SHA1 cccd94d643cfb765837514f4ee4bf08aadbbe1a2
SHA256 9a2949c02b2c7638e7ac9efe66eab6a192bc91e5e34c5c74468da3d2d59a61ba
SHA512 1f53707fbf7baac7662904f6466d731f1245901cde70afaeac160ab5c7b0990c57a5c9dfa70bd70eeaeb99590635d49e43425ea301528a0cd9ddbc7c8ffb7f43

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xh4b7nwe.default-release\sessionstore-backups\recovery.jsonlz4

MD5 4b1375476c90d40fefae33dd5d14e4dc
SHA1 20b11313940517e4d7dc4e823e6d181e16fc60b8
SHA256 347864bb12f08057da0827efe8714be15d31d60fc3759e52c62fab2fb3eb88f5
SHA512 dd2bc6e389317bd5c1c5023c70649130aaf9097ff91af44ed3d575982806b0930a7ecb812b9ffbe23b77d6e9d5cef90303ab87d51818ac317ac66a158d7988a9

C:\Users\Admin\Downloads\Client-built\Client-built.exe

MD5 c457f37d56b3dcae201872b6db4920e4
SHA1 274486769ff007717b29bb05512ddbe8f264b8dd
SHA256 d9b2081ba5292d8ddc0fa95e031a84be520c07aba878e169a0d3c8be10048a16
SHA512 d14328d8272bc2421606ee51336c9b10deaa514352751e9ee6827e259f078e87f58bbcf13930cb480a158fce191c99c1b4fb99172b1dc39991b2a95be529441a

memory/5712-121-0x000001A913BD0000-0x000001A913BE8000-memory.dmp

memory/5712-122-0x000001A92E270000-0x000001A92E432000-memory.dmp

memory/5712-124-0x000001A92E150000-0x000001A92E160000-memory.dmp

memory/5712-123-0x00007FFDE7A20000-0x00007FFDE84E1000-memory.dmp

memory/5712-125-0x000001A92EAB0000-0x000001A92EFD8000-memory.dmp

memory/6016-130-0x00000251FE560000-0x00000251FE561000-memory.dmp

memory/6016-131-0x00000251FE560000-0x00000251FE561000-memory.dmp

memory/6016-132-0x00000251FE560000-0x00000251FE561000-memory.dmp

memory/6016-136-0x00000251FE560000-0x00000251FE561000-memory.dmp

memory/6016-137-0x00000251FE560000-0x00000251FE561000-memory.dmp

memory/6016-139-0x00000251FE560000-0x00000251FE561000-memory.dmp

memory/6016-140-0x00000251FE560000-0x00000251FE561000-memory.dmp

memory/6016-141-0x00000251FE560000-0x00000251FE561000-memory.dmp

memory/6016-142-0x00000251FE560000-0x00000251FE561000-memory.dmp

memory/6016-138-0x00000251FE560000-0x00000251FE561000-memory.dmp

memory/5712-143-0x00007FFDE7A20000-0x00007FFDE84E1000-memory.dmp

memory/5712-145-0x000001A92E150000-0x000001A92E160000-memory.dmp