discordrat | 8fe2c7bdf8198ffe699d528d6f59ac9400b9cbbb239c83652796690637dda4b7

Resubmissions

11-06-2024 19:21

240611-x2ytaaycjl 10

11-06-2024 19:20

240611-x17d2ayarf 10

Analysis

max time kernel
149s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
11-06-2024 19:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Client-built.exe
Size

78KB
MD5

40907421415227a30c883fd57a7b4fe4
SHA1

912da0188ac70f09a42bd7933702966cd13c3006
SHA256

8fe2c7bdf8198ffe699d528d6f59ac9400b9cbbb239c83652796690637dda4b7
SHA512

7b4bca177fa7029a5c77144e442840e0bccfe85be85cb4b0623c25b08aaa1e090413192ff0183fc313e0ca03f7420d66860dfbed5728802d1ac0206a8f7c9666
SSDEEP

1536:52WjO8XeEXFh5P7v88wbjNrfxCXhRoKV6+V+APIC:5Zv5PDwbjNrmAE+kIC

Score

10^/10

discordrat persistence rat rootkit stealer

Malware Config

Extracted

Family

discordrat

Attributes

discord_token
MTI0NzU2MDQxNjM0Nzk1MTEyNA.GtsxfD.DgWuDtTP5_alrH-e1pb51ojdXlaPF6goQ2izm0
server_id
1247937473548648579

Signatures

Discord RAT
A RAT written in C# using Discord as a C2.
stealer rootkit rat persistence discordrat
Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service
T1102

Processes:

flow ioc

7 discord.com
8 discord.com
17 discord.com

flow	ioc
7	discord.com
8	discord.com
17	discord.com

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

firefox.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe

Modifies registry class 1 IoCs

Processes:

firefox.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings firefox.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

Client-built.exefirefox.exe

description pid process

Token: SeDebugPrivilege 4756 Client-built.exe
Token: SeDebugPrivilege 224 firefox.exe
Token: SeDebugPrivilege 224 firefox.exe
Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

firefox.exe

pid process

224 firefox.exe
224 firefox.exe
224 firefox.exe
224 firefox.exe
Suspicious use of SendNotifyMessage 3 IoCs

Processes:

firefox.exe

pid process

224 firefox.exe
224 firefox.exe
224 firefox.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

firefox.exe

pid process

224 firefox.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings	firefox.exe

description	pid	process
Token: SeDebugPrivilege	4756	Client-built.exe
Token: SeDebugPrivilege	224	firefox.exe
Token: SeDebugPrivilege	224	firefox.exe

pid	process
224	firefox.exe
224	firefox.exe
224	firefox.exe
224	firefox.exe

pid	process
224	firefox.exe
224	firefox.exe
224	firefox.exe

pid	process
224	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

firefox.exefirefox.exe

description	pid	process	target process
PID 3128 wrote to memory of 224	3128	firefox.exe	firefox.exe
PID 3128 wrote to memory of 224	3128	firefox.exe	firefox.exe
PID 3128 wrote to memory of 224	3128	firefox.exe	firefox.exe
PID 3128 wrote to memory of 224	3128	firefox.exe	firefox.exe
PID 3128 wrote to memory of 224	3128	firefox.exe	firefox.exe
PID 3128 wrote to memory of 224	3128	firefox.exe	firefox.exe
PID 3128 wrote to memory of 224	3128	firefox.exe	firefox.exe
PID 3128 wrote to memory of 224	3128	firefox.exe	firefox.exe
PID 3128 wrote to memory of 224	3128	firefox.exe	firefox.exe
PID 3128 wrote to memory of 224	3128	firefox.exe	firefox.exe
PID 3128 wrote to memory of 224	3128	firefox.exe	firefox.exe
PID 224 wrote to memory of 2992	224	firefox.exe	firefox.exe
PID 224 wrote to memory of 2992	224	firefox.exe	firefox.exe
PID 224 wrote to memory of 2992	224	firefox.exe	firefox.exe
PID 224 wrote to memory of 2992	224	firefox.exe	firefox.exe
PID 224 wrote to memory of 2992	224	firefox.exe	firefox.exe
PID 224 wrote to memory of 2992	224	firefox.exe	firefox.exe
PID 224 wrote to memory of 2992	224	firefox.exe	firefox.exe
PID 224 wrote to memory of 2992	224	firefox.exe	firefox.exe
PID 224 wrote to memory of 2992	224	firefox.exe	firefox.exe
PID 224 wrote to memory of 2992	224	firefox.exe	firefox.exe
PID 224 wrote to memory of 2992	224	firefox.exe	firefox.exe
PID 224 wrote to memory of 2992	224	firefox.exe	firefox.exe
PID 224 wrote to memory of 2992	224	firefox.exe	firefox.exe
PID 224 wrote to memory of 2992	224	firefox.exe	firefox.exe
PID 224 wrote to memory of 2992	224	firefox.exe	firefox.exe
PID 224 wrote to memory of 2992	224	firefox.exe	firefox.exe
PID 224 wrote to memory of 2992	224	firefox.exe	firefox.exe
PID 224 wrote to memory of 2992	224	firefox.exe	firefox.exe
PID 224 wrote to memory of 2992	224	firefox.exe	firefox.exe
PID 224 wrote to memory of 2992	224	firefox.exe	firefox.exe
PID 224 wrote to memory of 2992	224	firefox.exe	firefox.exe
PID 224 wrote to memory of 2992	224	firefox.exe	firefox.exe
PID 224 wrote to memory of 2992	224	firefox.exe	firefox.exe
PID 224 wrote to memory of 2992	224	firefox.exe	firefox.exe
PID 224 wrote to memory of 2992	224	firefox.exe	firefox.exe
PID 224 wrote to memory of 2992	224	firefox.exe	firefox.exe
PID 224 wrote to memory of 2992	224	firefox.exe	firefox.exe
PID 224 wrote to memory of 2992	224	firefox.exe	firefox.exe
PID 224 wrote to memory of 2992	224	firefox.exe	firefox.exe
PID 224 wrote to memory of 2992	224	firefox.exe	firefox.exe
PID 224 wrote to memory of 2992	224	firefox.exe	firefox.exe
PID 224 wrote to memory of 2992	224	firefox.exe	firefox.exe
PID 224 wrote to memory of 2992	224	firefox.exe	firefox.exe
PID 224 wrote to memory of 2992	224	firefox.exe	firefox.exe
PID 224 wrote to memory of 2992	224	firefox.exe	firefox.exe
PID 224 wrote to memory of 2992	224	firefox.exe	firefox.exe
PID 224 wrote to memory of 2992	224	firefox.exe	firefox.exe
PID 224 wrote to memory of 2992	224	firefox.exe	firefox.exe
PID 224 wrote to memory of 2992	224	firefox.exe	firefox.exe
PID 224 wrote to memory of 2992	224	firefox.exe	firefox.exe
PID 224 wrote to memory of 2992	224	firefox.exe	firefox.exe
PID 224 wrote to memory of 2992	224	firefox.exe	firefox.exe
PID 224 wrote to memory of 2992	224	firefox.exe	firefox.exe
PID 224 wrote to memory of 3164	224	firefox.exe	firefox.exe
PID 224 wrote to memory of 3164	224	firefox.exe	firefox.exe
PID 224 wrote to memory of 3164	224	firefox.exe	firefox.exe
PID 224 wrote to memory of 3164	224	firefox.exe	firefox.exe
PID 224 wrote to memory of 3164	224	firefox.exe	firefox.exe
PID 224 wrote to memory of 3164	224	firefox.exe	firefox.exe
PID 224 wrote to memory of 3164	224	firefox.exe	firefox.exe
PID 224 wrote to memory of 3164	224	firefox.exe	firefox.exe
PID 224 wrote to memory of 3164	224	firefox.exe	firefox.exe
PID 224 wrote to memory of 3164	224	firefox.exe	firefox.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Client-built.exe
"C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4756

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3128

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
2⤵
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:224

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="224.0.473266513\452574821" -parentBuildID 20230214051806 -prefsHandle 1760 -prefMapHandle 1752 -prefsLen 22076 -prefMapSize 235121 -appDir "C:\Program Files\Mozilla Firefox\browser" - {3a155b76-7b6a-458a-818c-e0bf1a6ef9cf} 224 "\\.\pipe\gecko-crash-server-pipe.224" 1852 22103a0ff58 gpu
3⤵
PID:2992

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="224.1.1329227464\1451653353" -parentBuildID 20230214051806 -prefsHandle 2408 -prefMapHandle 2404 -prefsLen 22112 -prefMapSize 235121 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {301e4d5e-196f-4af0-8ed5-c6c0ed300564} 224 "\\.\pipe\gecko-crash-server-pipe.224" 2420 22103f79b58 socket
3⤵
PID:3164

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="224.2.229434667\1924265790" -childID 1 -isForBrowser -prefsHandle 3008 -prefMapHandle 3004 -prefsLen 22150 -prefMapSize 235121 -jsInitHandle 1204 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8ea4eb0b-8dcf-4449-8813-117c6df37808} 224 "\\.\pipe\gecko-crash-server-pipe.224" 2848 2210690bc58 tab
3⤵
PID:3332

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="224.3.1403409763\724762833" -childID 2 -isForBrowser -prefsHandle 3688 -prefMapHandle 3672 -prefsLen 27616 -prefMapSize 235121 -jsInitHandle 1204 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c7c3666a-ca1d-42b9-b4a0-0d7084b4f872} 224 "\\.\pipe\gecko-crash-server-pipe.224" 3332 22108b69558 tab
3⤵
PID:2736

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="224.4.1886639612\771462532" -childID 3 -isForBrowser -prefsHandle 5260 -prefMapHandle 5256 -prefsLen 27616 -prefMapSize 235121 -jsInitHandle 1204 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {db37b1e8-496f-477d-8fd5-280e44f7cf56} 224 "\\.\pipe\gecko-crash-server-pipe.224" 5264 221086fd658 tab
3⤵
PID:5112

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="224.5.1912792205\1072426679" -childID 4 -isForBrowser -prefsHandle 5484 -prefMapHandle 5480 -prefsLen 27616 -prefMapSize 235121 -jsInitHandle 1204 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {27acec6d-2053-44bc-956b-cbf409264007} 224 "\\.\pipe\gecko-crash-server-pipe.224" 5492 221086fdc58 tab
3⤵
PID:1436

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="224.6.1928796574\598267265" -childID 5 -isForBrowser -prefsHandle 5688 -prefMapHandle 5684 -prefsLen 27616 -prefMapSize 235121 -jsInitHandle 1204 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0336f053-6db3-4abb-bd8d-28f3137618cb} 224 "\\.\pipe\gecko-crash-server-pipe.224" 5696 221086feb58 tab
3⤵
PID:524

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="224.7.1233766120\1153290894" -childID 6 -isForBrowser -prefsHandle 6072 -prefMapHandle 6076 -prefsLen 31087 -prefMapSize 235121 -jsInitHandle 1204 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3d141446-c1e9-410c-97d8-1db0cb0f14e0} 224 "\\.\pipe\gecko-crash-server-pipe.224" 6104 22112d2d658 tab
3⤵
PID:2408

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\nzxw1g49.default-release\activity-stream.discovery_stream.json.tmp
Filesize
26KB

MD5
29b181d0093a10971600436f50465c58

SHA1
ca4983ec2be367e6d04a20c01f5980352e3cb10c

SHA256
ab46991ce9951706af1d5833beef5b995fe9beb502ababe5528c35311100b7ac

SHA512
a6ea7849bf0b266ddb2809cd10f4c7f9f287fcec42888ff18092ef633318024a5e14d515fd0e9ce140bf2321e59cb25b4c96018e5fa563bc12b4420727b9e5de

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\nzxw1g49.default-release\cache2\entries\383A97A57B113BD106DE6984E6DBA5F537327263
Filesize
13KB

MD5
3104963ddc0836036ab098769fef19d7

SHA1
d940ce4ad210d16289901a84ec86cf3ecdd3df9e

SHA256
9fbb91352a70e38664e6cf56bffabafc9d4183dfaf829ee80a5c5c1de3db7d5d

SHA512
fd4989ec80c047d5dd78cd23a29b49e07b486d46489d698b955e415af24e2dc6521175925c16ed3790210d7699b8ffdc10a209cd991809f72e1f04f982f9596b

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon
Filesize
442KB

MD5
85430baed3398695717b0263807cf97c

SHA1
fffbee923cea216f50fce5d54219a188a5100f41

SHA256
a9f4281f82b3579581c389e8583dc9f477c7fd0e20c9dfc91a2e611e21e3407e

SHA512
06511f1f6c6d44d076b3c593528c26a602348d9c41689dbf5ff716b671c3ca5756b12cb2e5869f836dedce27b1a5cfe79b93c707fd01f8e84b620923bb61b5f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1
Filesize
8.0MB

MD5
a01c5ecd6108350ae23d2cddf0e77c17

SHA1
c6ac28a2cd979f1f9a75d56271821d5ff665e2b6

SHA256
345d44e3aa3e1967d186a43d732c8051235c43458169a5d7d371780a6475ee42

SHA512
b046dd1b26ec0b810ee441b7ad4dc135e3f1521a817b9f3db60a32976352e8f7e53920e1a77fc5b4130aac260d79deef7e823267b4414e9cc774d8bffca56a72

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nzxw1g49.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll
Filesize
997KB

MD5
fe3355639648c417e8307c6d051e3e37

SHA1
f54602d4b4778da21bc97c7238fc66aa68c8ee34

SHA256
1ed7877024be63a049da98733fd282c16bd620530a4fb580dacec3a78ace914e

SHA512
8f4030bb2464b98eccbea6f06eb186d7216932702d94f6b84c56419e9cf65a18309711ab342d1513bf85aed402bc3535a70db4395874828f0d35c278dd2eac9c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nzxw1g49.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info
Filesize
116B

MD5
3d33cdc0b3d281e67dd52e14435dd04f

SHA1
4db88689282fd4f9e9e6ab95fcbb23df6e6485db

SHA256
f526e9f98841d987606efeaff7f3e017ba9fd516c4be83890c7f9a093ea4c47b

SHA512
a4a96743332cc8ef0f86bc2e6122618bfc75ed46781dadbac9e580cd73df89e74738638a2cccb4caa4cbbf393d771d7f2c73f825737cdb247362450a0d4a4bc1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nzxw1g49.default-release\gmp-widevinecdm\4.10.2557.0\LICENSE.txt
Filesize
479B

MD5
49ddb419d96dceb9069018535fb2e2fc

SHA1
62aa6fea895a8b68d468a015f6e6ab400d7a7ca6

SHA256
2af127b4e00f7303de8271996c0c681063e4dc7abdc7b2a8c3fe5932b9352539

SHA512
48386217dabf7556e381ab3f5924b123a0a525969ff98f91efb03b65477c94e48a15d9abcec116b54616d36ad52b6f1d7b8b84c49c204e1b9b43f26f2af92da2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nzxw1g49.default-release\gmp-widevinecdm\4.10.2557.0\manifest.json
Filesize
372B

MD5
8be33af717bb1b67fbd61c3f4b807e9e

SHA1
7cf17656d174d951957ff36810e874a134dd49e0

SHA256
e92d3394635edfb987a7528e0ccd24360e07a299078df2a6967ca3aae22fa2dd

SHA512
6125f60418e25fee896bf59f5672945cd8f36f03665c721837bb50adf5b4dfef2dddbfcfc817555027dcfa90e1ef2a1e80af1219e8063629ea70263d2fc936a7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nzxw1g49.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll
Filesize
11.8MB

MD5
33bf7b0439480effb9fb212efce87b13

SHA1
cee50f2745edc6dc291887b6075ca64d716f495a

SHA256
8ee42d9258e20bbc5bfdfae61605429beb5421ffeaaa0d02b86d4978f4b4ac4e

SHA512
d329a1a1d98e302142f2776de8cc2cd45a465d77cb21c461bdf5ee58c68073a715519f449cb673977288fe18401a0abcce636c85abaec61a4a7a08a16c924275

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nzxw1g49.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.lib
Filesize
1KB

MD5
688bed3676d2104e7f17ae1cd2c59404

SHA1
952b2cdf783ac72fcb98338723e9afd38d47ad8e

SHA256
33899a3ebc22cb8ed8de7bd48c1c29486c0279b06d7ef98241c92aef4e3b9237

SHA512
7a0e3791f75c229af79dd302f7d0594279f664886fea228cfe78e24ef185ae63aba809aa1036feb3130066deadc8e78909c277f0a7ed1e3485df3cf2cd329776

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nzxw1g49.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.sig
Filesize
1KB

MD5
937326fead5fd401f6cca9118bd9ade9

SHA1
4526a57d4ae14ed29b37632c72aef3c408189d91

SHA256
68a03f075db104f84afdd8fca45a7e4bff7b55dc1a2a24272b3abe16d8759c81

SHA512
b232f6cf3f88adb346281167ac714c4c4c7aac15175087c336911946d12d63d3a3a458e06b298b41a7ec582ef09fe238da3a3166ff89c450117228f7485c22d2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nzxw1g49.default-release\prefs-1.js
Filesize
7KB

MD5
7a457e3fd89fd580cddb041bb518896e

SHA1
dab9fa72a307208c84d5e39c3c0ca5539af8cd6b

SHA256
615a1a418721eca43d69243846f789abcb618c160674ebe639eccb7bdbb3f6ab

SHA512
7a4c934cd8ce79a62294ad3b85c705ac5ac7d4d436115469ca1a76be457049b4ebc1c4f681015b2cdddcf24644851e1d92c7dbd2c6e93f2d5afc647556268f6b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nzxw1g49.default-release\prefs-1.js
Filesize
10KB

MD5
b1e3b0cd9919681e2183d35d33c7a831

SHA1
81bf3c80dfdb5836e4fdfa322f14c00b61b1fec1

SHA256
bd261120157359524913629a0be0cc9891b286157f516f4c00d9ea8e73fd1bd3

SHA512
39e28ac87589d4d0f317727a5c233caadfab7f738571a86a49a17074cf336ff6c5ac313f480a06c698b8f61acd15e3ca4d844534719a4a669f2967fea4cfe1f2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nzxw1g49.default-release\sessionstore-backups\recovery.jsonlz4
Filesize
4KB

MD5
dec33d0367621691a987aeaec83a94f6

SHA1
f38f0116881bd00f7f5a42f67ee39dbd392f408d

SHA256
45758efd94a10838da3627ec2add5bec8480dc34bd75a3c62cdc75ab7ae41f19

SHA512
b83fa378b38a440a8eae7239a3894f9d8961e2d5de124e495857d316f3aedaeb7d23b6bf49c04b203b9cdd2170ce00c97b9df8efa17b74fd7db7cb54c7af7450

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nzxw1g49.default-release\sessionstore-backups\recovery.jsonlz4
Filesize
4KB

MD5
1a6977cd76ada6e5ebf1c3522857a78c

SHA1
015b0e1bad3a5b81afb3e11ac470d2c1da44d52a

SHA256
dce8ce89c4501c6a8c7ea14d1df8fe153a623072d489a7bc9b9c3a0bb42900f4

SHA512
1cf3e97bc12c396eadaa52ac3ad4f06b7c7a4a9d031438184d04766e5a29c02740cf13d930bf51fb279aae8192ebc6ccca0b6856215bc2acb994f25e068f5529

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nzxw1g49.default-release\sessionstore-backups\recovery.jsonlz4
Filesize
4KB

MD5
8316e376a2a191dc0b4ca9a0d015d5a5

SHA1
475812cc6fa57f240f6f3190ec59045fcb98ba0f

SHA256
f419d69ecf6b7c934a7ebe44bb1da0e8d89251bad319830d0f2d1a9b18af3313

SHA512
b2480c23d095742e313ba49cf61539425e1f22a0d9f718d758b0e571867309172cafefb098901cc04d9cb1840099d7b8b486aa56ca52c4fe0c627988c600ed6e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nzxw1g49.default-release\sessionstore-backups\recovery.jsonlz4
Filesize
3KB

MD5
b12b3d365108fc073c1a5f73f63d4f94

SHA1
0535028797b44f8831c04620620c92fa9810f572

SHA256
2f691c9ab14fe89573b904ac43a47fb56f60df3728f7af4273a2ad467c2b01fc

SHA512
da72e72c0744dced78620d092af56f5c09cf5278a712008fac8cc4735d4accacc66db5e6c2a34ee5284b2a840c850006045dd28b38ebb63322a09cf9129836c2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nzxw1g49.default-release\sessionstore-backups\recovery.jsonlz4
Filesize
1KB

MD5
8d1da30acd654a9bb7ab1f062cba42f1

SHA1
ac12a23d8c58ccff33967b21638e45d25f4c23fc

SHA256
267820f91f2b7406659ab8cbbb9437287c116bcd9aad2667720de805c8442b0c

SHA512
40fcf30b14cea7556059750ba67ea55938e23a3830d972e13b1aeab567d502ce623dd4bd8a6671228fcd0d227e96fc90203a7cc83cb4b4e080e6e241b59b5531

Download Submit
memory/4756-5-0x00007FF83C2D3000-0x00007FF83C2D5000-memory.dmp

Filesize
8KB

Download
memory/4756-1-0x00007FF83C2D3000-0x00007FF83C2D5000-memory.dmp

Filesize
8KB

Download
memory/4756-2-0x000001C3E7B20000-0x000001C3E7CE2000-memory.dmp

Filesize
1.8MB

Download
memory/4756-3-0x00007FF83C2D0000-0x00007FF83CD91000-memory.dmp

Filesize
10.8MB

Download
memory/4756-4-0x000001C3E8320000-0x000001C3E8848000-memory.dmp

Filesize
5.2MB

Download
memory/4756-0-0x000001C3CD430000-0x000001C3CD448000-memory.dmp

Filesize
96KB

Download
memory/4756-6-0x00007FF83C2D0000-0x00007FF83CD91000-memory.dmp

Filesize
10.8MB

Download